Bundle of cross-role changes for the gymb services deployment:
- Traefik routers: OR-combine opnform/homarr/bookstack Host rules with new
*_extra_domains (internal *.int.* FQDNs for a DMZ reverseproxy), and emit
tls.certresolver only when traefik_cert_mode == acme (drawio, homarr,
opnform, send).
- Split-horizon: bookstack_extra_hosts / opnform_extra_hosts add container
/etc/hosts overrides so containers reach the IdP public FQDN over the LAN.
- bookstack: assert the OIDC issuer resolves concretely (reject "//v2.0"),
allowing non-Entra IdPs that override bookstack_oidc_issuer.
- homarr: derive the bcrypt salt from the password digest so the admin hash
is idempotent — no spurious template changes / container restarts.
- opnform: PATCH an existing OIDC connection instead of skipping (applies
corrected inventory on re-run); add OIDC_FORCE_LOGIN (enabled only after
bootstrap) and an optional direct-SSO ingress entrypoint.
Docs: READMEs and meta/argument_specs.yml updated for all new variables.
Each of the five roles touched in this branch now ships:
* meta/argument_specs.yml: typed schema for every variable in
defaults/main.yml plus the optional inputs surfaced via this
branch (traefik_extra_hosts, authentik_host_rewrite_domains,
authentik_proxy_apps.mode / .allowed_groups, drawio_extra_domains,
drawio_authentik_forward_auth*, garage_webui_authentik_forward_auth*).
All five specs load cleanly through ansible-core's
ArgumentSpecValidator.
* README.md: replaces the ansible-galaxy boilerplate (where it was
still in place) with a focused write-up — service vars, required
secrets, ForwardAuth/idempotency notes, dependencies, and a working
example playbook. authentik and garage READMEs are rewritten to cover
the new knobs while preserving their existing content.
Add drawio_extra_domains (list, default empty). The traefik Host rule
on the drawio router now expands to Host(<canonical>) || Host(<extra>)
... so the same container can answer on additional FQDNs — e.g. an
internal *.int.* name so a DMZ reverse-proxy can reach drawio via a
backend hostname covered by the local traefik cert.
Empty by default; behaviour unchanged for existing inventories.
Add `*_authentik_forward_auth` + `*_authentik_forward_auth_url` knobs to
both roles. When enabled:
* drawio: traefik attaches a ForwardAuth middleware pointing at the
authentik embedded outpost; unauthenticated requests get redirected
to log in and downstream sees X-Authentik-* identity headers.
* garage WebUI: same ForwardAuth wiring, and `AUTH_USER_PASS` is dropped
from the container env so authentik is the only gate. Tasks now key
the htpasswd hash workflow off `_garage_webui_htpasswd_active`
(`webui_enabled AND NOT authentik_forward_auth`); when authentik
fronts the UI we skip hashing entirely. htpasswd hash is also now
cached on disk and re-verified via `htpasswd -vbB` so unchanged
passwords stop showing as `changed=true` on every run.
Both knobs default to `false`, preserving existing htpasswd/plain behaviour.
- Drop `recreate: always` from collabora/drawio/homarr/opencloud/traefik
handlers and the authentik_outpost_ldap start task. `up -d` with
`state: present` already recreates exactly the services whose
compose definition changed; the blanket recreate was forcing
restarts even when nothing relevant moved.
- Rewrite the `*_domains` Traefik Host loop to the `Host(\`a\`) ||
Host(\`b\`)` form across authentik/collabora/garage/nextcloud so the
rule still matches when traefik can't normalize the comma-form into
the same canonical shape.
- Traefik: add `traefik_acme_tcp_only` (sets LEGO_EXPERIMENTAL_DNS_TCP_ONLY)
and `traefik_acme_disable_ans_checks` (disables lego's authoritative-NS
propagation check) for environments where the DNS path between the
traefik container and the zone's nameservers is constrained.
- Traefik DMZ collector: two-step merge so a `traefik_dmz_exposed_services`
entry that sets its own `backend_host` wins over the host fallback;
lets a route target an internal FQDN covered by the backend cert's
SANs instead of the raw IP.
- Nextcloud: add `nextcloud_notify_push_domain` override for the
`occ notify_push:setup` call so the setup check can hit an internal
FQDN instead of hairpinning through the DMZ. Push router now matches
every entry in `nextcloud_domains`.
- Nextcloud: also %2F-escape slashes in the postgres user/password
inside the notify_push DATABASE_URL.
