2 changed files with 3 additions and 202 deletions
--- a/roles/bookstack/defaults/main.yml
+++ b/roles/bookstack/defaults/main.yml
@ -38,14 +38,9 @@ bookstack_db_user: "bookstack"
 # REQUIRED SECRETS — empty defaults force `assert` to fail until set.
 # Provide via OpenBao lookup, Ansible Vault, or extra-vars.
 # Never commit real secrets to version control.
-#
+bookstack_db_root_password: "txwmMJD9xTNz3Y73fPWSMPZTR2fEpfF5"
-# Generate with:
+bookstack_db_password: "DgLYFudJg324yLydLxS3vmgux9LQL9bb"
-#   bookstack_db_root_password:  openssl rand -base64 32 | tr -d '/+='
+bookstack_admin_password: "NE7TN7cTjCnLHJ2Y4xfiTp"
 #   bookstack_db_password:       openssl rand -base64 32 | tr -d '/+='
 #   bookstack_admin_password:    openssl rand -base64 24 | tr -d '/+='
 bookstack_db_root_password: ""
 bookstack_db_password: ""
 bookstack_admin_password: ""
 bookstack_oidc_client_secret: ""
 # APP_KEY is generated automatically on first run and persisted on the host.
--- a/roles/bookstack/meta/argument_specs.yml
+++ b/roles/bookstack/meta/argument_specs.yml
@ -1,194 +0,0 @@
 ---
 argument_specs:
  main:
    short_description: Deploy BookStack (LSIO image + MariaDB) via Docker Compose.
    description:
      - Renders a Compose stack for the linuxserver.io BookStack image
        with a sibling MariaDB container behind Traefik, then bootstraps
        the initial admin user via C(php artisan bookstack:create-admin)
        and optionally enables OIDC SSO (Entra ID by default).
      - "Persists the Laravel C(APP_KEY) on the host so the same key is
        re-used across deploys (a fresh key would orphan all encrypted
        database values: 2FA secrets, API tokens, OIDC client_secret)."
      - Ships an optional systemd timer that backs up the database dump,
        uploads tarball and APP_KEY daily with configurable retention.
    options:
      docker_compose_base_dir:
        type: path
        default: /etc/docker/compose
      docker_volume_base_dir:
        type: path
        default: /srv/data
      bookstack_service_name:
        type: str
        default: bookstack
      bookstack_docker_compose_dir:
        type: path
      bookstack_docker_volume_dir:
        type: path
      bookstack_appdata_dir:
        type: path
      bookstack_db_data_dir:
        type: path
      bookstack_backup_dir:
        type: path
      bookstack_domain:
        type: str
        default: wiki.local.test
        description: Hostname used in the Traefik Host rule.
      bookstack_base_url:
        type: str
        description: Defaults to C("https://{{ bookstack_domain }}").
      bookstack_image:
        type: str
        default: "lscr.io/linuxserver/bookstack:version-v26.03.3"
      bookstack_db_image:
        type: str
        default: "lscr.io/linuxserver/mariadb:11.4.9"
      bookstack_traefik_network:
        type: str
        default: proxy
      bookstack_traefik_certresolver:
        type: str
        default: le
      bookstack_tz:
        type: str
        default: Europe/Zurich
      bookstack_puid:
        type: str
        default: "1000"
      bookstack_pgid:
        type: str
        default: "1000"
      bookstack_db_name:
        type: str
        default: bookstack
      bookstack_db_user:
        type: str
        default: bookstack
      bookstack_db_root_password:
        type: str
        required: true
        description: MariaDB C(root) password. Override per-inventory.
      bookstack_db_password:
        type: str
        required: true
        description: MariaDB C(bookstack_db_user) password. Override per-inventory.
      bookstack_admin_password:
        type: str
        required: true
        description:
          - Password for the local admin user that the role creates via
            C(bookstack:create-admin). Lives alongside any OIDC users.
      bookstack_app_key:
        type: str
        default: ''
        description:
          - When empty the role generates a persistent C(APP_KEY) on first
            run and stores it under C({{ bookstack_docker_volume_dir }}/.app_key).
            Override only when restoring an existing instance — a mismatching
            key orphans all encrypted database values.
      bookstack_admin_name:
        type: str
        default: Admin
      bookstack_admin_email:
        type: str
        default: admin@local.test
      bookstack_artisan_path:
        type: path
        default: /app/www/artisan
        description:
          - Path to BookStack's C(artisan) script inside the container. The
            LSIO image's C(WORKDIR) is not the app directory, so this must
            be absolute.
      bookstack_mail_driver:
        type: str
        choices: [smtp, log, sendmail, mailgun, ses, postmark]
        default: smtp
      bookstack_mail_host:
        type: str
        default: smtp.local.test
      bookstack_mail_port:
        type: int
        default: 587
      bookstack_mail_encryption:
        type: str
        choices: [tls, ssl, '']
        default: tls
      bookstack_mail_from:
        type: str
        default: bookstack@local.test
      bookstack_mail_from_name:
        type: str
        default: BookStack
      bookstack_mail_username:
        type: str
        default: ''
      bookstack_mail_password:
        type: str
        default: ''
      bookstack_oidc_enabled:
        type: bool
        default: false
      bookstack_oidc_name:
        type: str
        default: SSO
        description: Display name of the SSO button on the login page.
      bookstack_entra_tenant_id:
        type: str
        default: ''
        description: Entra tenant UUID. Required when C(bookstack_oidc_enabled=true).
      bookstack_oidc_issuer:
        type: str
        description:
          - OIDC issuer URL. Defaults to the Entra v2 issuer template
            built from C(bookstack_entra_tenant_id). Override for
            Keycloak or any other provider.
      bookstack_oidc_client_id:
        type: str
        default: ''
        description: Required when C(bookstack_oidc_enabled=true).
      bookstack_oidc_client_secret:
        type: str
        default: ''
        description: Required when C(bookstack_oidc_enabled=true).
      bookstack_oidc_auto_initiate:
        type: bool
        default: false
        description:
          - When true users are redirected straight to the IdP and the
            local login is reachable only via C(?email_login=1).
      bookstack_oidc_user_to_groups:
        type: bool
        default: false
        description:
          - When true BookStack syncs roles from the IdP groups claim
            on every login. Requires BookStack roles whose
            C(External Auth ID) matches the IdP group's Object ID.
      bookstack_oidc_groups_claim:
        type: str
        default: groups
      bookstack_oidc_additional_scopes:
        type: str
        default: openid profile email
      bookstack_backup_enabled:
        type: bool
        default: true
      bookstack_backup_retention_days:
        type: int
        default: 14
      bookstack_backup_schedule:
        type: str
        default: "*-*-* 03:00:00"
        description: systemd C(OnCalendar) expression for the backup timer.