feat(services): multi-domain routing, split-horizon and OIDC hardening
Bundle of cross-role changes for the gymb services deployment: - Traefik routers: OR-combine opnform/homarr/bookstack Host rules with new *_extra_domains (internal *.int.* FQDNs for a DMZ reverseproxy), and emit tls.certresolver only when traefik_cert_mode == acme (drawio, homarr, opnform, send). - Split-horizon: bookstack_extra_hosts / opnform_extra_hosts add container /etc/hosts overrides so containers reach the IdP public FQDN over the LAN. - bookstack: assert the OIDC issuer resolves concretely (reject "//v2.0"), allowing non-Entra IdPs that override bookstack_oidc_issuer. - homarr: derive the bcrypt salt from the password digest so the admin hash is idempotent — no spurious template changes / container restarts. - opnform: PATCH an existing OIDC connection instead of skipping (applies corrected inventory on re-run); add OIDC_FORCE_LOGIN (enabled only after bootstrap) and an optional direct-SSO ingress entrypoint. Docs: READMEs and meta/argument_specs.yml updated for all new variables.
This commit is contained in:
Simon Bärlocher
parent
bb64ccf71e
commit
518d80ec71
17 changed files with 309 additions and 37 deletions
|
|
@ -15,6 +15,10 @@ homarr_db: "{{ homarr_appdata_dir }}/db/db.sqlite"
|
|||
|
||||
# Service configuration
|
||||
homarr_domain: "homarr.local.test"
|
||||
# Additional hostnames the homarr router answers on (e.g. an internal
|
||||
# *.int.* FQDN so a DMZ reverseproxy can hit a backend hostname covered
|
||||
# by the cert).
|
||||
homarr_extra_domains: []
|
||||
homarr_image: "ghcr.io/homarr-labs/homarr:latest"
|
||||
homarr_port: 7575
|
||||
homarr_use_docker: false
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue