feat(services): multi-domain routing, split-horizon and OIDC hardening

Bundle of cross-role changes for the gymb services deployment: - Traefik routers: OR-combine opnform/homarr/bookstack Host rules with new *_extra_domains (internal *.int.* FQDNs for a DMZ reverseproxy), and emit tls.certresolver only when traefik_cert_mode == acme (drawio, homarr, opnform, send). - Split-horizon: bookstack_extra_hosts / opnform_extra_hosts add container /etc/hosts overrides so containers reach the IdP public FQDN over the LAN. - bookstack: assert the OIDC issuer resolves concretely (reject "//v2.0"), allowing non-Entra IdPs that override bookstack_oidc_issuer. - homarr: derive the bcrypt salt from the password digest so the admin hash is idempotent — no spurious template changes / container restarts. - opnform: PATCH an existing OIDC connection instead of skipping (applies corrected inventory on re-run); add OIDC_FORCE_LOGIN (enabled only after bootstrap) and an optional direct-SSO ingress entrypoint. Docs: READMEs and meta/argument_specs.yml updated for all new variables.
2026-05-27 16:18:29 +02:00 · 2026-05-27 16:18:29 +02:00 · 518d80ec71
commit 518d80ec71
parent bb64ccf71e
17 changed files with 309 additions and 37 deletions
--- a/roles/homarr/tasks/main.yml
+++ b/roles/homarr/tasks/main.yml
@ -112,19 +112,17 @@
 # =====================================================================

 - name: Generate bcrypt hash for admin password
-  ansible.builtin.shell:
-    cmd: python3 -c "import bcrypt, sys; print(bcrypt.hashpw(sys.stdin.read().encode(), bcrypt.gensalt(rounds=10)).decode())"
-    stdin: "{{ homarr_admin_password }}"
-    stdin_add_newline: false
-  delegate_to: localhost
-  become: false
-  register: bcrypt_result
-  changed_when: false
-  no_log: true
-
- name: Set bcrypt hash fact
  ansible.builtin.set_fact:
-    homarr_bcrypt_hash: "{{ bcrypt_result.stdout }}"
+    # Deterministic salt derived from the password's SHA-256 digest so the
+    # hash stays stable across runs (idempotent — no spurious template
+    # changes / container restarts when the password is unchanged). The
+    # bcrypt salt alphabet is [./A-Za-z0-9]; the digest's hex chars are
+    # a strict subset, so we just take the first 22.
+    homarr_bcrypt_hash: >-
+      {{ homarr_admin_password
+         | password_hash('bcrypt', rounds=10,
+                         salt=(homarr_admin_password
+                               | hash('sha256'))[:22]) }}
  no_log: true

 # =====================================================================
@ -161,4 +159,4 @@
  register: seed_result
  changed_when: seed_result.rc == 0
  when: admin_exists.stdout == ""
-  notify: restart homarr
+  notify: restart homarr