chore: add new role for OpnForm

roles/OpnForm/tasks/main.yml

@@ -0,0 +1,117 @@
+#SPDX-License-Identifier: MIT-0
+---
+# tasks file for opnform
+
+# =====================================================================
+# 0. VALIDATION
+# =====================================================================
+
+- name: Validate required secrets
+  ansible.builtin.assert:
+    that:
+      - opnform_app_key | length > 0
+      - opnform_app_key is match('^base64:[A-Za-z0-9+/=]+$')
+      - opnform_jwt_secret | length > 0
+      - opnform_front_api_secret | length > 0
+      - opnform_db_password | length > 0
+    fail_msg: >-
+      OpnForm requires opnform_app_key (prefix 'base64:'), opnform_jwt_secret,
+      opnform_front_api_secret and opnform_db_password.
+      Generate with: openssl rand -base64 32
+      The app_key MUST be prefixed with "base64:"
+      Provide via OpenBao, Ansible Vault or extra-vars.
+    success_msg: Secrets validation passed
+
+- name: Validate OIDC configuration when enabled
+  ansible.builtin.assert:
+    that:
+      - opnform_oidc_client_secret | length > 0
+    fail_msg: >-
+      opnform_oidc_client_secret must be set when opnform_oidc_enabled is true.
+  when: opnform_oidc_enabled | bool
+
+# =====================================================================
+# 1. PREPARATION
+# =====================================================================
+
+- name: Ensure required packages are installed
+  ansible.builtin.package:
+    name:
+      - python3-docker
+    state: present
+
+- name: Create docker compose directory
+  ansible.builtin.file:
+    path: "{{ opnform_docker_compose_dir }}"
+    state: directory
+    mode: '0755'
+
+- name: Create OpnForm data directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0755"
+  loop:
+    - "{{ opnform_docker_volume_dir }}"
+    - "{{ opnform_storage_dir }}"
+    - "{{ opnform_db_data_dir }}"
+    - "{{ opnform_redis_data_dir }}"
+
+# =====================================================================
+# 2. CONFIGURATION FILES
+# =====================================================================
+
+- name: Deploy nginx ingress configuration
+  ansible.builtin.template:
+    src: nginx.conf.j2
+    dest: "{{ opnform_docker_compose_dir }}/nginx.conf"
+    mode: '0644'
+  notify: restart opnform
+
+- name: Deploy docker-compose file
+  ansible.builtin.template:
+    src: docker-compose.yml.j2
+    dest: "{{ opnform_docker_compose_dir }}/docker-compose.yml"
+    mode: '0644'
+  notify: restart opnform
+
+# =====================================================================
+# 3. CONTAINER STARTUP
+# =====================================================================
+
+- name: Start opnform containers
+  community.docker.docker_compose_v2:
+    project_src: "{{ opnform_docker_compose_dir }}"
+    state: present
+    wait: true
+    wait_timeout: 180
+
+# =====================================================================
+# 4. WAIT FOR API READINESS
+# =====================================================================
+
+- name: Wait for API container to be healthy
+  ansible.builtin.command:
+    cmd: docker inspect --format='{% raw %}{{.State.Health.Status}}{% endraw %}' opnform-api
+  register: api_health
+  until: api_health.stdout == "healthy"
+  retries: 30
+  delay: 10
+  changed_when: false
+
+- name: Display deployment info
+  ansible.builtin.debug:
+    msg: |-
+      OpnForm deployed at {{ opnform_base_url }}
+
+      Default credentials (from API container logs on first start):
+        Email: admin@opnform.com
+        Password: password
+
+      On first login you will be prompted to change email and password.
+
+      If login does not respond, the DB seed may have failed. Run:
+        docker compose -f {{ opnform_docker_compose_dir }}/docker-compose.yml exec api php artisan migrate:refresh --seed
+        docker compose -f {{ opnform_docker_compose_dir }}/docker-compose.yml exec api php artisan app:init-project
+
+      OIDC: {% if opnform_oidc_enabled %}enabled (configure via Admin UI){% else %}disabled{% endif %}