feat(services): refine split-horizon OIDC routing and harden nextcloud patch
- authentik: address the rewrite service by compose service name instead of a network alias on the public FQDN, which shadowed extra_hosts pins and broke OIDC discovery for c-ares-based (Node) resolvers - homarr: add homarr_extra_hosts to pin the IdP FQDN to a LAN IP so OIDC discovery stays in-network while the issuer matches the browser-facing URL - opnform: add opnform_oidc_sso_redirect_root to 302 the root URL to the SSO path (deep-links untouched, /login?bypass=1 break-glass); restart ingress via container restart so envsubst re-renders nginx.conf - nextcloud: make the UserConfig sed workaround fail loud on upstream drift instead of silently skipping (nextcloud/server#59629) - gitignore: exclude the local .ansible/ collection cache
This commit is contained in:
parent
3236ca332f
commit
3ace667b6c
12 changed files with 264 additions and 49 deletions
|
|
@ -66,13 +66,32 @@
|
|||
|
||||
- name: Check UserConfig.php patch status per container
|
||||
ansible.builtin.shell:
|
||||
# rc 0 -> already patched; rc 1 -> still the unpatched original; rc 2 ->
|
||||
# neither marker present (upstream drift -> the guard task below fails loud).
|
||||
cmd: >-
|
||||
docker exec {{ item }} grep -q "strtolower((string)" /var/www/html/lib/private/Config/UserConfig.php
|
||||
docker exec {{ item }} sh -c '
|
||||
grep -q "strtolower((string)\$this->getTypedValue" /var/www/html/lib/private/Config/UserConfig.php && exit 0;
|
||||
grep -q "strtolower(\$this->getTypedValue" /var/www/html/lib/private/Config/UserConfig.php && exit 1;
|
||||
exit 2'
|
||||
loop: "{{ _nextcloud_php_containers.stdout_lines }}"
|
||||
register: _nextcloud_userconfig_check
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
|
||||
- name: Fail if the UserConfig.php source drifted from the expected upstream line
|
||||
ansible.builtin.fail:
|
||||
msg: >-
|
||||
Neither the patched nor the expected original strtolower($this->getTypedValue(...))
|
||||
line was found in {{ item.item }}:/var/www/html/lib/private/Config/UserConfig.php.
|
||||
The nextcloud/server#59629 workaround can no longer locate its target — the upstream
|
||||
source likely changed. Re-verify whether the fix shipped (then drop this block) or
|
||||
update the sed expression. Silently skipping would let the TypeError regress.
|
||||
loop: "{{ _nextcloud_userconfig_check.results }}"
|
||||
loop_control:
|
||||
label: "{{ item.item }}"
|
||||
when:
|
||||
- item.rc | default(2) == 2
|
||||
|
||||
- name: Apply UserConfig::getValueBool string-cast workaround
|
||||
ansible.builtin.shell:
|
||||
cmd: >-
|
||||
|
|
@ -83,7 +102,7 @@
|
|||
loop_control:
|
||||
label: "{{ item.item }}"
|
||||
when:
|
||||
- item.rc | default(1) != 0
|
||||
- item.rc | default(2) == 1
|
||||
|
||||
- name: Wait for Nextcloud to be ready
|
||||
ansible.builtin.shell:
|
||||
|
|
|
|||
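Review bot: The probe in the "Check UserConfig.php patch status per container" task signals "still the unpatched original" with `exit 1`, but that is also the exit status `docker exec` itself returns (as far as I recall) when the container does not exist or is not running, so a daemon-side failure is classified as "needs patching" and the sed task is then run against it; because the check task sets `failed_when: false`, nothing else surfaces that error directly. Using sentinel codes that neither grep nor the docker CLI produce keeps the three outcomes distinct, e.g. `grep -q "strtolower(\$this->getTypedValue" /var/www/html/lib/private/Config/UserConfig.php && exit 10;` and `exit 11'`, with the two guards becoming `- item.rc | default(11) == 11` in the fail task and `- item.rc | default(11) == 10` in the second hunk's `when`. The two explanatory `# rc 0 -> ...` comment lines above `cmd:` would need the same renumbering, and a one-line note there that grep's own error status 2 and docker's 1 are deliberately left outside the sentinel set would make the intent clear to the next reader. The "Apply UserConfig::getValueBool string-cast workaround" task's `cmd` body runs past the end of the first hunk, and the second hunk's `loop_control`/`when` belong to a task whose header is outside the hunk.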