feat(services): refine split-horizon OIDC routing and harden nextcloud patch

- authentik: address the rewrite service by compose service name instead of a network alias on the public FQDN, which shadowed extra_hosts pins and broke OIDC discovery for c-ares-based (Node) resolvers - homarr: add homarr_extra_hosts to pin the IdP FQDN to a LAN IP so OIDC discovery stays in-network while the issuer matches the browser-facing URL - opnform: add opnform_oidc_sso_redirect_root to 302 the root URL to the SSO path (deep-links untouched, /login?bypass=1 break-glass); restart ingress via container restart so envsubst re-renders nginx.conf - nextcloud: make the UserConfig sed workaround fail loud on upstream drift instead of silently skipping (nextcloud/server#59629) - gitignore: exclude the local .ansible/ collection cache
2026-06-02 13:44:08 +02:00 · 2026-06-02 13:44:08 +02:00 · 3ace667b6c
commit 3ace667b6c
parent 3236ca332f
12 changed files with 264 additions and 49 deletions
--- a/roles/homarr/README.md
+++ b/roles/homarr/README.md
@ -49,6 +49,7 @@ See `defaults/main.yml` for the full list. Most useful overrides:
 |---|---|---|
 | `homarr_domain` | `homarr.local.test` | Traefik Host rule |
 | `homarr_extra_domains` | `[]` | Extra Host-rule hostnames (OR-combined), e.g. internal `*.int.*` FQDN |
+| `homarr_extra_hosts` | `[]` | Container `/etc/hosts` overrides (`host:ip`) — pin IdP FQDN to LAN IP |
 | `homarr_base_url` | `https://home.local.test` | NEXTAUTH_URL / BASE_URL |
 | `homarr_auth_providers` | `credentials` | `credentials`, `oidc`, or both |
 | `homarr_oidc_issuer` | empty | Identity provider issuer URL |
--- a/roles/homarr/defaults/main.yml
+++ b/roles/homarr/defaults/main.yml
@ -19,6 +19,10 @@ homarr_domain: "homarr.local.test"
 # *.int.* FQDN so a DMZ reverseproxy can hit a backend hostname covered
 # by the cert).
 homarr_extra_domains: []
+# Extra /etc/hosts entries inside the homarr container (format "host:ip").
+# Used to pin the IdP's public FQDN to a LAN IP so OIDC discovery stays
+# in-network while the issuer URL matches what browsers see.
+homarr_extra_hosts: []
 homarr_image: "ghcr.io/homarr-labs/homarr:latest"
 homarr_port: 7575
 homarr_use_docker: false
--- a/roles/homarr/templates/docker-compose.yml.j2
+++ b/roles/homarr/templates/docker-compose.yml.j2
@ -26,6 +26,12 @@ services:
      AUTH_OIDC_AUTO_LOGIN: "{{ homarr_oidc_auto_login | default('false') }}"
    networks:
      - {{ homarr_traefik_network }}
+{% if homarr_extra_hosts | default([]) | length > 0 %}
+    extra_hosts:
+{% for h in homarr_extra_hosts %}
+      - "{{ h }}"
+{% endfor %}
+{% endif %}
    labels:
      - traefik.enable=true
      - traefik.docker.network={{ homarr_traefik_network }}