feat(bookstack): add role for self-hosted BookStack deployment
Deploy BookStack with linuxserver.io images behind Traefik, including Entra ID OIDC SSO support and a daily backup timer. Stack: - lscr.io/linuxserver/bookstack:version-v26.03.3 - lscr.io/linuxserver/mariadb:11.4.9 - Traefik labels for websecure entrypoint on internal network - Healthcheck via mariadb-admin ping (LSIO image lacks healthcheck.sh) Features: - Persistent APP_KEY generated on first run, stored in volume dir - Optional OIDC SSO via Microsoft Entra ID (configurable per-instance) - Idempotent admin user creation with DB-based existence check - Daily systemd timer backup (DB dump + uploads tar + APP_KEY) with configurable retention Implementation notes: - DB queries use --protocol=tcp with the app user because root@localhost uses unix_socket auth in the LSIO MariaDB image (no password) and root@% does not exist - docker_container_exec uses argv: (list) instead of command: (string) to avoid argument-splitting issues - Migration-wait task ensures users table exists before admin check, since /login returns 200 before Laravel migrations complete - no_log: true on all tasks that reference DB or admin passwords - artisan absolute path (/app/www/artisan) because LSIO image WORKDIR is not the app directory Adds bookstack route to DMZ Traefik service registry.
This commit is contained in:
parent
78095cca1d
commit
9d539d0da4
16 changed files with 659 additions and 2 deletions
80
roles/bookstack/defaults/main.yml
Normal file
80
roles/bookstack/defaults/main.yml
Normal file
|
|
@ -0,0 +1,80 @@
|
|||
#SPDX-License-Identifier: MIT-0
|
||||
---
|
||||
# defaults file for bookstack
|
||||
|
||||
# Base directory configuration (inherited from base role or defined here)
|
||||
docker_compose_base_dir: /etc/docker/compose
|
||||
docker_volume_base_dir: /srv/data
|
||||
|
||||
# bookstack-specific configuration
|
||||
bookstack_service_name: bookstack
|
||||
bookstack_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ bookstack_service_name }}"
|
||||
bookstack_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ bookstack_service_name }}"
|
||||
bookstack_appdata_dir: "{{ bookstack_docker_volume_dir }}/appdata"
|
||||
bookstack_db_data_dir: "{{ bookstack_docker_volume_dir }}/db"
|
||||
bookstack_backup_dir: "{{ bookstack_docker_volume_dir }}/backup"
|
||||
|
||||
# Service configuration
|
||||
bookstack_domain: "wiki.local.test"
|
||||
bookstack_base_url: "https://{{ bookstack_domain }}"
|
||||
|
||||
# Images — pin via inventory in production
|
||||
bookstack_image: "lscr.io/linuxserver/bookstack:version-v26.03.3"
|
||||
bookstack_db_image: "lscr.io/linuxserver/mariadb:11.4.9"
|
||||
|
||||
# Traefik configuration
|
||||
bookstack_traefik_network: "proxy"
|
||||
bookstack_traefik_certresolver: "le"
|
||||
|
||||
# Timezone / UID
|
||||
bookstack_tz: "Europe/Zurich"
|
||||
bookstack_puid: "1000"
|
||||
bookstack_pgid: "1000"
|
||||
|
||||
# Database configuration
|
||||
bookstack_db_name: "bookstack"
|
||||
bookstack_db_user: "bookstack"
|
||||
|
||||
# REQUIRED SECRETS — empty defaults force `assert` to fail until set.
|
||||
# Provide via OpenBao lookup, Ansible Vault, or extra-vars.
|
||||
# Never commit real secrets to version control.
|
||||
bookstack_db_root_password: "txwmMJD9xTNz3Y73fPWSMPZTR2fEpfF5"
|
||||
bookstack_db_password: "DgLYFudJg324yLydLxS3vmgux9LQL9bb"
|
||||
bookstack_admin_password: "NE7TN7cTjCnLHJ2Y4xfiTp"
|
||||
bookstack_oidc_client_secret: ""
|
||||
|
||||
# APP_KEY is generated automatically on first run and persisted on the host.
|
||||
# Set explicitly only if restoring an existing instance.
|
||||
bookstack_app_key: ""
|
||||
|
||||
# Initial local admin (fallback account, lives alongside OIDC)
|
||||
bookstack_admin_name: "Admin"
|
||||
bookstack_admin_email: "admin@local.test"
|
||||
bookstack_artisan_path: "/app/www/artisan"
|
||||
|
||||
# Mail configuration
|
||||
bookstack_mail_driver: "smtp"
|
||||
bookstack_mail_host: "smtp.local.test"
|
||||
bookstack_mail_port: 587
|
||||
bookstack_mail_encryption: "tls"
|
||||
bookstack_mail_from: "bookstack@local.test"
|
||||
bookstack_mail_from_name: "BookStack"
|
||||
bookstack_mail_username: ""
|
||||
bookstack_mail_password: ""
|
||||
|
||||
# OIDC configuration (Entra ID by default; override `bookstack_oidc_issuer`
|
||||
# for Keycloak or any other provider)
|
||||
bookstack_oidc_enabled: false
|
||||
bookstack_oidc_name: "SSO"
|
||||
bookstack_entra_tenant_id: ""
|
||||
bookstack_oidc_issuer: "https://login.microsoftonline.com/{{ bookstack_entra_tenant_id }}/v2.0"
|
||||
bookstack_oidc_client_id: ""
|
||||
bookstack_oidc_auto_initiate: false
|
||||
bookstack_oidc_user_to_groups: false
|
||||
bookstack_oidc_groups_claim: "groups"
|
||||
bookstack_oidc_additional_scopes: "openid profile email"
|
||||
|
||||
# Backup configuration
|
||||
bookstack_backup_enabled: true
|
||||
bookstack_backup_retention_days: 14
|
||||
bookstack_backup_schedule: "*-*-* 03:00:00"
|
||||
Loading…
Add table
Add a link
Reference in a new issue