Replace ansible-galaxy init placeholders across the collection and
correct documentation that drifted from the code, after a multi-agent
review of every role README against its defaults, tasks and templates.
Collection level:
- README: role table for all 16 roles, requirements and role-ordering
- galaxy.yml: declare community.docker and community.general deps,
real description/tags/urls; normalize license to MIT-0
- meta/runtime.yml: requires_ansible '>=2.15.0'
- plugins/README: document the homarr_layout filter and
garage_credentials lookup instead of scaffold boilerplate
Per-role meta/main.yml and README for the placeholder roles
(389ds, authentik, authentik_outpost_ldap, base, collabora, drawio,
garage, homarr, httpbin, keycloak, nextcloud, opencloud, traefik).
Correctness fixes found during review:
- keycloak: wrong domain default, drop invented keycloak_cert_resolver,
document the provisioning feature
- garage: root_domain is .s3.<first-entry>, not the bare domain
- opnform: jwt/front_api secrets use `openssl rand -hex 32`; align the
validation fail_msg in tasks/main.yml accordingly
- send: S3 example references garage_s3_domains[0] (was singular)
- opencloud: document required opencloud_wopi_domain
License normalized to MIT-0 across galaxy.yml, role meta and READMEs to
match the SPDX headers.
Add `*_authentik_forward_auth` + `*_authentik_forward_auth_url` knobs to
both roles. When enabled:
* drawio: traefik attaches a ForwardAuth middleware pointing at the
authentik embedded outpost; unauthenticated requests get redirected
to log in and downstream sees X-Authentik-* identity headers.
* garage WebUI: same ForwardAuth wiring, and `AUTH_USER_PASS` is dropped
from the container env so authentik is the only gate. Tasks now key
the htpasswd hash workflow off `_garage_webui_htpasswd_active`
(`webui_enabled AND NOT authentik_forward_auth`); when authentik
fronts the UI we skip hashing entirely. htpasswd hash is also now
cached on disk and re-verified via `htpasswd -vbB` so unchanged
passwords stop showing as `changed=true` on every run.
Both knobs default to `false`, preserving existing htpasswd/plain behaviour.
- Refactor: collapse `*_domain` + `*_extra_domains` into a single
`*_domains` list across authentik, collabora, garage and nextcloud
roles. First entry is the canonical FQDN (used for OVERWRITEHOST,
BASE_URL, notify_push setup and garage root_domain).
- Authentik blueprint: guard the OAuth sources block so an empty
`authentik_login_sources` no longer renders an invalid YAML key.
- Nextcloud: introduce `nextcloud_collabora_public_domain` and set
Collabora's `public_wopi_url` separately from the server-to-server
`wopi_url` so browsers can reach Collabora via the public name while
Nextcloud still talks to it on the internal one.
- Nextcloud: URL-encode the postgres user/password in DATABASE_URL.
