diff --git a/.gitignore b/.gitignore index e510871..85e7c1d 100644 --- a/.gitignore +++ b/.gitignore @@ -1,8 +1 @@ /.idea/ -__pycache__/ -*.pyc - -plugins/lookup/__pycache__/ - -# Local Ansible collection cache (galaxy/collection resolver) -/.ansible/ diff --git a/README.md b/README.md index f3c3168..5106324 100644 --- a/README.md +++ b/README.md @@ -1,68 +1,3 @@ -# Ansible Collection — digitalboard.core +# Ansible Collection - digitalboard.core -This collection bundles the Ansible roles used to deploy the -[Digitalboard](https://git.digitalboard.ch/Digitalboard) platform: a set of -self-hosted, Docker-Compose-based services running behind Traefik, with -single sign-on provided by authentik or Keycloak. - -Each role provisions one service (or building block) as a self-contained -Docker Compose stack. Roles are consumed from the deployment repository -[reference-ansible](https://git.digitalboard.ch/Digitalboard/reference-ansible), -where inventories and playbooks tie the roles to concrete hosts. - -## Roles - -| Role | Description | -| --- | --- | -| `base` | Host baseline: Docker, apt packages and convenience tooling on Debian/Ubuntu. | -| `traefik` | Traefik v3 reverse proxy as a public DMZ proxy (file provider) or backend proxy (docker provider). | -| `authentik` | [authentik](https://goauthentik.io) IdP (server + worker + Postgres); resources via blueprints. | -| `authentik_outpost_ldap` | authentik LDAP outpost exposing an LDAP interface for apps that cannot speak OIDC. | -| `keycloak` | [Keycloak](https://www.keycloak.org/) IdP with a PostgreSQL backend. | -| `389ds` | [389 Directory Server](https://www.port389.org/) LDAP directory via Docker Compose. | -| `nextcloud` | [Nextcloud](https://nextcloud.com/) (fpm) + Postgres + Redis, optional Collabora/draw.io/notify_push. | -| `opencloud` | [OpenCloud](https://opencloud.eu/) file platform via Docker Compose. | -| `collabora` | [Collabora Online](https://www.collaboraonline.com/) (CODE), used as the WOPI backend for Nextcloud. | -| `bookstack` | [BookStack](https://www.bookstackapp.com/) wiki (LSIO + MariaDB) with OIDC SSO and daily backups. | -| `drawio` | [draw.io](https://www.drawio.com/) diagram editor, with optional authentik ForwardAuth gating. | -| `homarr` | [Homarr](https://github.com/homarr-labs/homarr) dashboard with seeded admin user and OIDC group. | -| `opnform` | [OpnForm](https://github.com/OpnForm/OpnForm) self-hosted form builder (api + ui + db + redis). | -| `send` | [Send](https://github.com/timvisee/send) (timvisee fork) file sharing with a Redis backend. | -| `garage` | [Garage](https://garagehq.deuxfleurs.fr/) S3-compatible object storage with key/bucket provisioning. | -| `httpbin` | [httpbin](https://httpbin.org/) HTTP request/response testing service for validating Traefik ingress. | - -## Usage - -Roles are not run from this repository directly. They are consumed from the -deployment repository -[reference-ansible](https://git.digitalboard.ch/Digitalboard/reference-ansible), -which holds the inventories, group/host variables and playbooks. See that -repository's `docs/` directory for getting-started instructions, how to run -Ansible and how secrets are managed. - -Per-role variables and their defaults are documented in each role's own -`README.md` and `meta/argument_specs.yml`. - -## Requirements - -- A Debian/Ubuntu target host (the `base` role bootstraps Docker there). -- ansible-core 2.15 or newer on the controller. -- The `community.docker` collection (used by nearly every role) and - `community.general` (used by the `keycloak` role). Both are declared as - `dependencies` in `galaxy.yml` and pulled in automatically when this - collection is installed via `ansible-galaxy`. - -The role READMEs use `community.hashi_vault` lookups in their examples to source -secrets from HashiCorp Vault. That is a documented convention, not a hard -dependency of the roles — supply the variables however you prefer. - -## Role ordering - -Within a play, apply the roles in dependency order: `base` first (Docker and the -host baseline), then `traefik` (the shared reverse proxy and its Docker network), -then the individual service roles (`authentik`, `keycloak`, `nextcloud`, …), -which attach to Traefik's network and expect Docker to be present. - -## License - -MIT-0. See individual roles for per-role license metadata. +Documentation for the collection. diff --git a/galaxy.yml b/galaxy.yml index 3413a07..91cd337 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -19,16 +19,15 @@ readme: README.md authors: - Bert-Jan Fikse - Tobias Wüst -- Simon Bärlocher ### OPTIONAL but strongly recommended # A short summary description of the collection -description: Ansible roles to deploy the Digitalboard self-hosted service platform (Docker Compose + Traefik + SSO) +description: your collection description # Either a single license or a list of licenses for content inside of a collection. Ansible Galaxy currently only # accepts L(SPDX,https://spdx.org/licenses/) licenses. This key is mutually exclusive with 'license_file' license: -- MIT-0 +- GPL-2.0-or-later # The path to the license file for the collection. This path is relative to the root of the collection. This key is # mutually exclusive with 'license' @@ -36,36 +35,25 @@ license_file: '' # A list of tags you want to associate with the collection for indexing/searching. A tag name has the same character # requirements as 'namespace' and 'name' -tags: - - digitalboard - - docker - - traefik - - sso - - selfhosted +tags: [] # Collections that this collection requires to be installed for it to be usable. The key of the dict is the # collection label 'namespace.name'. The value is a version range # L(specifiers,https://python-semanticversion.readthedocs.io/en/latest/#requirement-specification). Multiple version # range specifiers can be set and are separated by ',' -dependencies: - # Used by nearly every role: docker_compose_v2, docker_container, - # docker_container_exec, docker_network. Hard runtime dependency. - community.docker: '>=3.0.0' - # Used by the keycloak role (keycloak_realm/client/group/user and - # related modules) in roles/keycloak/tasks/provisioning.yml. - community.general: '>=7.0.0' +dependencies: {} # The URL of the originating SCM repository repository: https://git.digitalboard.ch/Digitalboard/digitalboard.core # The URL to any online docs -documentation: https://git.digitalboard.ch/Digitalboard/digitalboard.core +documentation: http://docs.example.com # The URL to the homepage of the collection/project -homepage: https://git.digitalboard.ch/Digitalboard/digitalboard.core +homepage: http://example.com # The URL to the collection issue tracker -issues: https://git.digitalboard.ch/Digitalboard/digitalboard.core/issues +issues: http://example.com/issue/tracker # A list of file glob-like patterns used to filter any files or directories that should not be included in the build # artifact. A pattern is matched from the relative path of the file or directory of the collection directory. This diff --git a/meta/runtime.yml b/meta/runtime.yml index aafe589..936cae9 100644 --- a/meta/runtime.yml +++ b/meta/runtime.yml @@ -1,9 +1,8 @@ #SPDX-License-Identifier: MIT-0 --- # Collections must specify a minimum required ansible version to upload -# to galaxy. Aligned with the highest min_ansible_version declared by the -# roles (the traefik role requires ansible-core 2.15). -requires_ansible: '>=2.15.0' +# to galaxy +# requires_ansible: '>=2.9.10' # Content that Ansible needs to load from another location or that has # been deprecated/removed diff --git a/plugins/README.md b/plugins/README.md index ca7a63d..74076b6 100644 --- a/plugins/README.md +++ b/plugins/README.md @@ -1,32 +1,31 @@ -# Collection Plugins — digitalboard.core +# Collections Plugins Directory -This collection ships a small number of custom plugins that support the roles. -They are addressed by their fully qualified name, `digitalboard.core.`. +This directory can be used to ship various plugins inside an Ansible collection. Each plugin is placed in a folder that +is named after the type of plugin it is in. It can also include the `module_utils` and `modules` directory that +would contain module utils and modules respectively. -## Filter plugins (`filter/`) +Here is an example directory of the majority of plugins currently supported by Ansible: -`homarr_layout` — computes Homarr dashboard grid layouts (desktop / tablet / -mobile breakpoints) from a list of apps, returning a ready-to-render data -structure for the SQL seed. Used by the `homarr` role. - -```yaml -- name: Compute Homarr app layouts - ansible.builtin.set_fact: - homarr_layout: "{{ homarr_apps | digitalboard.core.homarr_compute_layouts }}" +``` +└── plugins + ├── action + ├── become + ├── cache + ├── callback + ├── cliconf + ├── connection + ├── filter + ├── httpapi + ├── inventory + ├── lookup + ├── module_utils + ├── modules + ├── netconf + ├── shell + ├── strategy + ├── terminal + ├── test + └── vars ``` -## Lookup plugins (`lookup/`) - -`garage_credentials` — returns S3 credentials (`key_id`, `secret_key`) for a -named Garage key by executing a docker command on the target host. Used to wire -Garage object storage into consuming roles such as `nextcloud`. - -```yaml -nextcloud_s3_key: >- - {{ lookup('digitalboard.core.garage_credentials', 'nextcloud', host='backend')['key_id'] }} -nextcloud_s3_secret: >- - {{ lookup('digitalboard.core.garage_credentials', 'nextcloud', host='backend')['secret_key'] }} -``` - -No other plugin types (modules, action, callback, inventory, etc.) are currently -shipped by this collection. +A full list of plugin types can be found at [Working With Plugins](https://docs.ansible.com/ansible-core/2.19/plugins/plugins.html). diff --git a/plugins/filter/homarr_layout.py b/plugins/filter/homarr_layout.py deleted file mode 100644 index 6650709..0000000 --- a/plugins/filter/homarr_layout.py +++ /dev/null @@ -1,140 +0,0 @@ -# -*- coding: utf-8 -*- -# SPDX-License-Identifier: MIT-0 - -"""Custom Ansible filter plugin for computing Homarr grid layouts. - -The Homarr SQL seed needs item_layout rows for three breakpoints -(desktop / tablet / mobile). Rather than embedding the packing -algorithm in Jinja with namespace gymnastics, this filter does the -computation in Python and hands the seed template a ready-to-render -data structure. - -Usage in tasks: - - - name: Compute Homarr app layouts - ansible.builtin.set_fact: - homarr_layout: "{{ homarr_apps | homarr_compute_layouts }}" - -The result is a dict with two keys: - - apps — original homarr_apps in order, each enriched with - 'desktop', 'tablet', 'mobile' sub-dicts of - {'x', 'y', 'w', 'h'} ready for SQL templating. - section_height — dict with 'desktop', 'tablet', 'mobile' keys - giving the minimum height (in grid cells) the - parent section must have to fit all tiles. -""" - -from ansible.errors import AnsibleFilterError - - -def _pack(apps, cols): - """Greedy left-to-right packing into a fixed-column grid. - - Width values larger than the grid are clamped to the grid width - rather than overflowing — so a tile declared with width=8 still - renders on the 6-column tablet grid (as a full-width tile) and on - the 2-column mobile grid (as a full-width tile) without breaking - the layout. - - Returns (placements, total_height) where placements is a list of - {'id', 'x', 'y', 'w', 'h'} dicts, one per input app, in the same - order. total_height is the y-coordinate of the bottom of the last - occupied row (i.e. max(y + h) across placements). - """ - x = 0 - y = 0 - row_h = 0 - max_y = 0 - placements = [] - - for app in apps: - w = min(int(app.get('width', 1)), cols) - h = int(app.get('height', 1)) - - # Wrap to the next row when the tile would overflow the grid. - if x + w > cols: - x = 0 - y += row_h - row_h = 0 - - placements.append({ - 'id': app['id'], - 'x': x, - 'y': y, - 'w': w, - 'h': h, - }) - - x += w - if h > row_h: - row_h = h - if y + h > max_y: - max_y = y + h - - return placements, max_y - - -def homarr_compute_layouts(apps, desktop_cols=10, tablet_cols=6, - mobile_cols=2): - """Compute responsive layouts for a list of Homarr apps. - - Input validation is intentionally strict — a malformed apps list - should fail the play with a clear message rather than produce a - broken SQL seed and a silently misconfigured dashboard. - - Note: uniqueness of app ids is NOT checked here. The role's - `Validate homarr_apps have unique ids` assert task runs earlier - and is the single source of truth for that check. - """ - if not isinstance(apps, list): - raise AnsibleFilterError( - "homarr_compute_layouts: expected a list of apps, " - "got {0}".format(type(apps).__name__) - ) - - for index, app in enumerate(apps): - if not isinstance(app, dict): - raise AnsibleFilterError( - "homarr_compute_layouts: app at index {0} is not a " - "dict (got {1})".format(index, type(app).__name__) - ) - for required in ('id', 'width'): - if required not in app: - raise AnsibleFilterError( - "homarr_compute_layouts: app at index {0} is " - "missing required key '{1}'".format(index, required) - ) - - desktop, h_desktop = _pack(apps, desktop_cols) - tablet, h_tablet = _pack(apps, tablet_cols) - mobile, h_mobile = _pack(apps, mobile_cols) - - enriched = [] - for src, d, t, m in zip(apps, desktop, tablet, mobile): - enriched.append({ - **src, - 'desktop': {'x': d['x'], 'y': d['y'], 'w': d['w'], 'h': d['h']}, - 'tablet': {'x': t['x'], 'y': t['y'], 'w': t['w'], 'h': t['h']}, - 'mobile': {'x': m['x'], 'y': m['y'], 'w': m['w'], 'h': m['h']}, - }) - - # Floor section height at 1 so the section stays visible even - # when homarr_apps is empty. - return { - 'apps': enriched, - 'section_height': { - 'desktop': max(h_desktop, 1), - 'tablet': max(h_tablet, 1), - 'mobile': max(h_mobile, 1), - }, - } - - -class FilterModule(object): - """Ansible filter plugin entry point.""" - - def filters(self): - return { - 'homarr_compute_layouts': homarr_compute_layouts, - } diff --git a/roles/389ds/README.md b/roles/389ds/README.md index 65564f6..225dd44 100644 --- a/roles/389ds/README.md +++ b/roles/389ds/README.md @@ -1,43 +1,38 @@ -# 389ds +Role Name +========= -Deploys [389 Directory Server](https://www.port389.org/) (`389ds/dirsrv`) -as an LDAP directory via Docker Compose. After the container starts, the -role creates the configured suffix and a set of base organizational -units (e.g. `users`, `groups`). +A brief description of the role goes here. -## Requirements +Requirements +------------ -- Docker and Docker Compose on the target host (e.g. via - `digitalboard.core.base`) -- Ansible collection: `community.docker` +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. -## Role variables +Role Variables +-------------- -| Variable | Default | Description | -| --- | --- | --- | -| `ds389_image` | `docker.io/389ds/dirsrv:3.1` | Container image. | -| `ds389_suffix` | `dc=example,dc=com` | Root suffix of the directory. | -| `ds389_root_dn` | `cn=Directory Manager` | Directory Manager bind DN. | -| `ds389_root_password` | `changeme` | Directory Manager password — **override this**. | -| `ds389_instance_name` | `localhost` | Directory server instance name (slapd config dir). | -| `ds389_hostname` | `389ds` | Container hostname (defaults to `ds389_service_name`). | -| `ds389_backend_network` | `backend` | Docker network LDAP clients connect over (created by Compose). | -| `ds389_ldap_port` | `3389` | Published LDAP port (container port 3389). | -| `ds389_ldaps_port` | `3636` | Published LDAPS port (container port 3636). | -| `ds389_base_ous` | `[users, groups]` | Base OUs created after startup. | +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. -## Example +Dependencies +------------ -```yaml -- hosts: directory - become: true - roles: - - role: digitalboard.core.389ds - vars: - ds389_suffix: "dc=example,dc=org" - ds389_root_password: "{{ vault_ds389_root_password }}" -``` +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. -## License +Example Playbook +---------------- -MIT-0 +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/389ds/meta/main.yml b/roles/389ds/meta/main.yml index 37925db..6f91fd3 100644 --- a/roles/389ds/meta/main.yml +++ b/roles/389ds/meta/main.yml @@ -1,26 +1,35 @@ #SPDX-License-Identifier: MIT-0 galaxy_info: - author: digitalboard - description: Deploy 389 Directory Server (LDAP) via Docker Compose - company: Digitalboard - license: MIT-0 + author: your name + description: your role description + company: your company (optional) - min_ansible_version: "2.14" + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker - platforms: - - name: Debian - versions: - - bookworm - - name: Ubuntu - versions: - - jammy - - noble + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) - galaxy_tags: - - 389ds - - ldap - - directory - - docker - - digitalboard + min_ansible_version: 2.2 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/authentik/README.md b/roles/authentik/README.md index 2b909df..8311190 100644 --- a/roles/authentik/README.md +++ b/roles/authentik/README.md @@ -1,136 +1,28 @@ # Authentik -Deploys [authentik](https://goauthentik.io) (server + worker + Postgres) -as a Docker Compose stack behind Traefik, with all resources provisioned -via templated blueprints. - -## What this role does - -- Renders the Compose stack with traefik labels and an optional - split-horizon host rewrite (see below) -- Provisions local users, groups, OIDC apps, Proxy/ForwardAuth apps, - LDAP apps and outposts, and Entra ID OAuth sources via blueprints -- Configures the login screen (visible sources, local login fields) -- Supports declarative cleanup via `authentik_removed_*` lists +Deploys Authentik identity provider with Docker Compose. ## Variables -Full spec with types and defaults: `meta/argument_specs.yml`. The most -common overrides: +See `defaults/main.yml` for all available variables. -### Service - -- `authentik_domains` (required, list): FQDNs the router accepts. First - entry is the canonical hostname; further entries cover internal - `*.int.*` names for server-to-server traffic. -- `authentik_secret_key` (required): PG fernet / signing secret. - Generate with `openssl rand -base64 60`. -- `authentik_postgres_password` (required). -- `authentik_image`, `authentik_port`, `authentik_log_level`. - -### Split-horizon host rewrite - -`authentik_host_rewrite_domains` lists hostnames that should reach the -authentik container but make it generate URLs (OIDC issuer, password -reset links, etc.) as if the request had arrived on -`authentik_domains[0]`. - -For each entry the role: - -- Creates a dedicated traefik router on that hostname -- Routes it to a URL-based loadbalancer service that disables - `passHostHeader`, so the upstream Host header becomes the canonical - FQDN -- Pins `X-Forwarded-Host` via middleware so the iss claim stays aligned - with the public hostname browsers see - -Use case: an internal `auth.int.example.com` keeps server-to-server -traffic in the LAN, but Keycloak/Nextcloud/etc. still receive issuer -URLs matching `auth.example.com`. - -### Blueprints +## Blueprints The role renders blueprints for: - - Local users (`authentik_local_users`) -- Groups (`authentik_groups`) - OIDC applications (`authentik_oidc_apps`) - Proxy applications (`authentik_proxy_apps`) - Proxy outposts (`authentik_proxy_outposts`) -- LDAP applications (`authentik_ldap_apps`) -- LDAP outpost (`authentik_ldap_outpost`) - Entra ID sources (`authentik_entra_sources`) -- Login-screen source visibility (`authentik_login_sources`) +- Login screen sources (`authentik_login_source_ids`) -Secrets are passed via the `authentik_blueprint_env` env-var indirection -so they never land in rendered blueprint YAML on disk. - -#### Proxy apps: mode and group restrictions - -Each entry in `authentik_proxy_apps` supports: - -- `mode` (default `forward_single`): one of `proxy`, `forward_single`, - `forward_domain` -- `allowed_groups`: when set, a `PolicyBinding` is emitted per group on - the application. authentik OR-evaluates bindings, so users in any - listed group pass and users in none are denied. - -Example: - -```yaml -authentik_proxy_apps: - - slug: drawio - name: drawio - external_host: "https://drawio.example.com" - mode: forward_single - allowed_groups: - - drawio-users - - admins -``` +Secrets are passed via `authentik_blueprint_env` using environment variable references. ## Removing resources -Move slugs from the active list to the matching removal list: - +To remove resources from Authentik, move slugs to the removal lists: - `authentik_removed_oidc_apps` - `authentik_removed_proxy_apps` - `authentik_removed_local_users` -After authentik has applied the deletion blueprint, remove the slug -from the list to keep state clean. - -## Dependencies - -- Run `digitalboard.core.base` first (Docker) and have the `community.docker` - collection installed; the role drives the stack via - `community.docker.docker_compose_v2`. -- Traefik network (`authentik_traefik_network`, default `proxy`) must exist - beforehand (e.g. created by the traefik role); it is referenced as an - external network in the Compose file. -- Internal backend network (`authentik_backend_network`, default `backend`). - -## Example playbook - -```yaml -- hosts: identity_servers - roles: - - role: digitalboard.core.authentik - vars: - authentik_domains: - - "auth.example.com" - - "auth.int.example.com" - authentik_host_rewrite_domains: - - "auth.int.example.com" - authentik_secret_key: "{{ vault_authentik_secret_key }}" - authentik_postgres_password: "{{ vault_authentik_pg_password }}" - authentik_proxy_apps: - - slug: drawio - name: drawio - external_host: "https://drawio.example.com" - mode: forward_single - allowed_groups: [drawio-users] -``` - -## License - -MIT-0 +After confirming deletion, remove the slug from the list. \ No newline at end of file diff --git a/roles/authentik/defaults/main.yml b/roles/authentik/defaults/main.yml index 880734e..460ba2d 100644 --- a/roles/authentik/defaults/main.yml +++ b/roles/authentik/defaults/main.yml @@ -12,21 +12,8 @@ authentik_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ authentik_servic authentik_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ authentik_service_name }}" # Authentik service configuration -# FQDNs the authentik router accepts. The first entry is the canonical -# domain; further entries cover internal *.int.* names used for -# server-to-server traffic so backend calls don't hairpin via DMZ. -authentik_domains: - - "authentik.local.test" - -# Hostnames that should reach authentik but make it generate URLs (OIDC -# issuer, password reset links, etc.) as if requested from the canonical -# `authentik_domains[0]` instead. Used for split-horizon setups where an -# internal FQDN (e.g. `auth.int.example.com`) keeps server-to-server -# traffic in the LAN but the iss claim must still match the public -# hostname that browsers see. Traefik handles each entry via a separate -# router that rewrites the Host header before forwarding to authentik. -authentik_host_rewrite_domains: [] -authentik_image: "ghcr.io/goauthentik/server:2026.2.2" +authentik_domain: "authentik.local.test" +authentik_image: "ghcr.io/goauthentik/server:2025.12.0" authentik_port: 9000 authentik_secret_key: "changeme-generate-a-random-string" @@ -70,29 +57,11 @@ authentik_proxy_outposts: [] # authentik_host_browser: "https://authentik.local.test/" # log_level: "info" -authentik_ldap_apps: [] -# - slug: ldap -# name: LDAP -# base_dn: "dc=local,dc=test" -# search_mode: cached # cached | direct -# bind_mode: cached # cached | direct -# search_group: null # optional: group name whose members can search -# certificate: null # optional: certificate name for LDAPS -# uid_start_number: 2000 -# gid_start_number: 4000 - -authentik_ldap_outpost: {} -# name: "ldap-outpost" -# token: "changeme" # known token for outpost authentication -# config: -# authentik_host: "https://authentik.local.test/" -# log_level: "info" - authentik_oidc_apps: [] # - slug: grafana # name: Grafana -# client_id: "grafana" -# client_secret: "changeme" +# client_id_env: GRAFANA_OIDC_CLIENT_ID +# client_secret_env: GRAFANA_OIDC_CLIENT_SECRET # redirect_uris: # - url: "https://grafana.example.com/login/generic_oauth" # matching_mode: strict @@ -102,14 +71,21 @@ authentik_oidc_apps: [] # invalidation_slug: default-provider-invalidation-flow # scopes: [openid, email, profile, offline_access] +authentik_blueprint_env: [] +# GRAFANA_OIDC_CLIENT_ID: "grafana" +# GRAFANA_OIDC_CLIENT_SECRET: "{{ vault_grafana_oidc_secret }}" +# ENTRA_TENANT_ID: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" +# ENTRA_CLIENT_ID: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" +# ENTRA_CLIENT_SECRET: "{{ vault_entra_client_secret }}" + # Oauth sources authentik_entra_sources: [] # - slug: entra-id # name: "Login with Entra" # tenant_mode: single # single | common -# tenant_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -# client_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -# client_secret: "changeme" +# tenant_id_env: ENTRA_TENANT_ID +# client_id_env: ENTRA_CLIENT_ID +# client_secret_env: ENTRA_CLIENT_SECRET # scopes: # - openid # - profile @@ -129,19 +105,12 @@ authentik_login_user_fields: - username - email -# Groups to provision -authentik_groups: [] -# - name: admins -# - name: editors -# is_superuser: false -# parent: null - # Local users to provision authentik_local_users: [] # - username: admin # name: "Admin User" # email: "admin@example.com" -# password: "changeme" +# password_env: AUTHENTIK_ADMIN_PASSWORD # reference env var in authentik_blueprint_env # is_active: true # groups: # - authentik Admins diff --git a/roles/authentik/meta/argument_specs.yml b/roles/authentik/meta/argument_specs.yml deleted file mode 100644 index 936778e..0000000 --- a/roles/authentik/meta/argument_specs.yml +++ /dev/null @@ -1,193 +0,0 @@ ---- -argument_specs: - main: - short_description: Deploy authentik (server + worker + Postgres) via Docker Compose. - description: - - Renders a Compose stack for authentik with traefik labels, optional - TLS and a configurable split-horizon host-rewrite that keeps the OIDC - issuer URL on the canonical public hostname even when traffic enters - on an internal FQDN. - - Provisions resources through templated blueprints - (local users, groups, OIDC/Proxy/LDAP apps, outposts, OAuth sources). - options: - docker_compose_base_dir: - type: path - default: /etc/docker/compose - docker_volume_base_dir: - type: path - default: /srv/data - authentik_service_name: - type: str - default: authentik - authentik_docker_compose_dir: - type: path - description: Defaults to C({{ docker_compose_base_dir }}/{{ authentik_service_name }}). - authentik_docker_volume_dir: - type: path - description: Defaults to C({{ docker_volume_base_dir }}/{{ authentik_service_name }}). - - authentik_domains: - type: list - elements: str - required: true - description: - - FQDNs the authentik router accepts. The first entry is the - canonical (public) hostname and is used for the network alias, - the X-Forwarded-Host rewrite target, and as the default OIDC - issuer. Further entries cover internal C(*.int.*) names used - for server-to-server traffic. - authentik_host_rewrite_domains: - type: list - elements: str - default: [] - description: - - Hostnames that should reach authentik but make it generate URLs - (OIDC issuer, password reset links, etc.) as if the request had - arrived on C(authentik_domains[0]). - - Each entry gets its own traefik router and a URL-based - loadbalancer service that disables passHostHeader and pins - X-Forwarded-Host via middleware. Used for split-horizon setups - where the LAN keeps server-to-server traffic but the iss claim - must match the public hostname browsers see. - authentik_image: - type: str - default: ghcr.io/goauthentik/server:2026.2.2 - authentik_port: - type: int - default: 9000 - authentik_secret_key: - type: str - required: true - description: PG fernet key / signing secret. Generate with C(openssl rand -base64 60). - - authentik_postgres_image: - type: str - default: postgres:16-alpine - authentik_postgres_db: - type: str - default: authentik - authentik_postgres_user: - type: str - default: authentik - authentik_postgres_password: - type: str - required: true - - authentik_traefik_network: - type: str - default: proxy - authentik_backend_network: - type: str - default: backend - authentik_use_ssl: - type: bool - default: true - - authentik_log_level: - type: str - choices: [trace, debug, info, warning, error] - default: info - authentik_error_reporting_enabled: - type: bool - default: false - - authentik_proxy_apps: - type: list - elements: dict - default: [] - description: - - Proxy/ForwardAuth applications rendered via the - C(blueprint-proxy-app.yaml.j2) template. - options: - slug: - type: str - required: true - name: - type: str - required: true - internal_host: - type: str - description: Required when C(mode=proxy). - external_host: - type: str - required: true - mode: - type: str - choices: [proxy, forward_single, forward_domain] - default: forward_single - description: - - "C(proxy): the outpost itself proxies traffic to internal_host." - - "C(forward_single): a single app behind an external reverse - proxy via ForwardAuth." - - "C(forward_domain): wildcard mode — one provider guards every - host on a cookie domain." - allowed_groups: - type: list - elements: str - description: - - If set, PolicyBindings are emitted (one per group, OR-evaluated). - Users in none of the listed groups are denied. - skip_path_regex: - type: str - flows: - type: dict - description: Authentication / authorization / invalidation flow slugs. - - authentik_proxy_outposts: - type: list - elements: dict - default: [] - - authentik_ldap_apps: - type: list - elements: dict - default: [] - authentik_ldap_outpost: - type: dict - default: {} - - authentik_oidc_apps: - type: list - elements: dict - default: [] - - authentik_entra_sources: - type: list - elements: dict - default: [] - authentik_login_sources: - type: list - elements: dict - default: [] - authentik_identification_stage_name: - type: str - default: default-authentication-identification - authentik_login_user_fields: - type: list - elements: str - choices: [username, email, upn] - default: [username, email] - description: Local login fields shown on the login screen. Empty list hides local login. - - authentik_groups: - type: list - elements: dict - default: [] - authentik_local_users: - type: list - elements: dict - default: [] - - authentik_removed_oidc_apps: - type: list - elements: str - default: [] - description: OIDC application slugs scheduled for deletion. - authentik_removed_proxy_apps: - type: list - elements: str - default: [] - authentik_removed_local_users: - type: list - elements: str - default: [] diff --git a/roles/authentik/meta/main.yml b/roles/authentik/meta/main.yml index b8aef66..6f91fd3 100644 --- a/roles/authentik/meta/main.yml +++ b/roles/authentik/meta/main.yml @@ -1,28 +1,35 @@ #SPDX-License-Identifier: MIT-0 galaxy_info: - author: digitalboard - description: Deploy authentik (server + worker + Postgres) via Docker Compose with blueprint-provisioned resources - company: Digitalboard - license: MIT-0 + author: your name + description: your role description + company: your company (optional) - min_ansible_version: "2.14" + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker - platforms: - - name: Debian - versions: - - bookworm - - name: Ubuntu - versions: - - jammy - - noble + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) - galaxy_tags: - - authentik - - oidc - - sso - - idp - - docker - - traefik - - digitalboard + min_ansible_version: 2.2 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/authentik/tasks/blueprints.yml b/roles/authentik/tasks/blueprints.yml index 18ef7f5..e40b774 100644 --- a/roles/authentik/tasks/blueprints.yml +++ b/roles/authentik/tasks/blueprints.yml @@ -9,17 +9,17 @@ register: existing_blueprints - name: Build list of expected blueprint files - vars: - _oidc: "{{ authentik_oidc_apps | map(attribute='slug') | map('regex_replace', '^', '50-oidc-') | map('regex_replace', '$', '.yaml') | list }}" - _ldap: "{{ authentik_ldap_apps | map(attribute='slug') | map('regex_replace', '^', '55-ldap-') | map('regex_replace', '$', '.yaml') | list }}" - _proxy: "{{ authentik_proxy_apps | map(attribute='slug') | map('regex_replace', '^', '60-proxy-') | map('regex_replace', '$', '.yaml') | list }}" - _outpost: "{{ authentik_proxy_outposts | map(attribute='name') | map('regex_replace', '^', '70-outpost-') | map('regex_replace', '$', '.yaml') | list }}" - _entra: "{{ authentik_entra_sources | map(attribute='slug') | map('regex_replace', '^', '40-source-entra-') | map('regex_replace', '$', '.yaml') | list }}" - _ldap_out: "{{ ['75-outpost-ldap.yaml'] if authentik_ldap_outpost.name is defined else [] }}" - _users: "{{ ['10-local-users.yaml'] if (authentik_local_users | length > 0 or authentik_groups | length > 0) else [] }}" - _cleanup: "{{ ['00-cleanup.yaml'] if (authentik_removed_oidc_apps + authentik_removed_proxy_apps + authentik_removed_local_users) | length > 0 else [] }}" set_fact: - expected_blueprints: "{{ _oidc + _ldap + _proxy + _outpost + _entra + ['45-login-sources.yaml'] + _ldap_out + _users + _cleanup }}" + expected_blueprints: >- + {{ + (authentik_oidc_apps | map(attribute='slug') | map('regex_replace', '^(.*)$', '50-oidc-\1.yaml') | list) + + (authentik_proxy_apps | map(attribute='slug') | map('regex_replace', '^(.*)$', '60-proxy-\1.yaml') | list) + + (authentik_proxy_outposts | map(attribute='name') | map('regex_replace', '^(.*)$', '70-outpost-\1.yaml') | list) + + (authentik_entra_sources | map(attribute='slug') | map('regex_replace', '^(.*)$', '40-source-entra-\1.yaml') | list) + + ['45-login-sources.yaml'] + + ((authentik_local_users | length > 0) | ternary(['10-local-users.yaml'], [])) + + (((authentik_removed_oidc_apps | length > 0) or (authentik_removed_proxy_apps | length > 0) or (authentik_removed_local_users | length > 0)) | ternary(['00-cleanup.yaml'], [])) + }} - name: Remove stale blueprint files file: @@ -36,14 +36,6 @@ loop: "{{ authentik_oidc_apps }}" register: oidc_templates -- name: Render LDAP blueprints - ansible.builtin.template: - src: blueprints/blueprint-ldap-app.yaml.j2 - dest: "{{ authentik_docker_volume_dir }}/blueprints/55-ldap-{{ item.slug }}.yaml" - mode: "0644" - loop: "{{ authentik_ldap_apps }}" - register: ldap_templates - - name: Render Proxy blueprints ansible.builtin.template: src: blueprints/blueprint-proxy-app.yaml.j2 @@ -60,14 +52,6 @@ loop: "{{ authentik_proxy_outposts }}" register: outpost_bp -- name: Render LDAP outpost blueprint - ansible.builtin.template: - src: blueprints/outpost-ldap.yaml.j2 - dest: "{{ authentik_docker_volume_dir }}/blueprints/75-outpost-ldap.yaml" - mode: "0644" - when: authentik_ldap_outpost.name is defined - register: ldap_outpost_bp - - name: Render Entra source blueprints ansible.builtin.template: src: blueprints/blueprint-source-entra.yaml.j2 @@ -88,7 +72,7 @@ src: blueprints/blueprint-local-users.yaml.j2 dest: "{{ authentik_docker_volume_dir }}/blueprints/10-local-users.yaml" mode: "0644" - when: authentik_local_users | length > 0 or authentik_groups | length > 0 + when: authentik_local_users | length > 0 register: local_users_bp - name: Render cleanup blueprint @@ -104,10 +88,8 @@ blueprints_changed: >- {{ (oidc_templates is defined and (oidc_templates.results | selectattr('changed') | list | length > 0)) - or (ldap_templates is defined and (ldap_templates.results | selectattr('changed') | list | length > 0)) or (proxy_templates is defined and (proxy_templates.results | selectattr('changed') | list | length > 0)) or (outpost_bp is defined and (outpost_bp.results | selectattr('changed') | list | length > 0)) - or (ldap_outpost_bp.changed | default(false)) or (entra_bp is defined and (entra_bp.results | selectattr('changed') | list | length > 0)) or (login_bp is defined and login_bp.changed) or (local_users_bp.changed | default(false)) diff --git a/roles/authentik/tasks/main.yml b/roles/authentik/tasks/main.yml index 1471836..aa14bd3 100644 --- a/roles/authentik/tasks/main.yml +++ b/roles/authentik/tasks/main.yml @@ -2,18 +2,44 @@ --- # tasks file for authentik -- name: Create authentik directories +- name: Create docker compose directory file: - path: "{{ item }}" + path: "{{ authentik_docker_compose_dir }}" state: directory mode: '0755' - loop: - - "{{ authentik_docker_compose_dir }}" - - "{{ authentik_docker_volume_dir }}/data" - - "{{ authentik_docker_volume_dir }}/certs" - - "{{ authentik_docker_volume_dir }}/templates" - - "{{ authentik_docker_volume_dir }}/postgresql" - - "{{ authentik_docker_volume_dir }}/blueprints" + +- name: Create authentik data directory + file: + path: "{{ authentik_docker_volume_dir }}/data" + state: directory + mode: '0755' + +- name: Create authentik certs directory + file: + path: "{{ authentik_docker_volume_dir }}/certs" + state: directory + mode: '0755' + +- name: Create authentik templates directory + file: + path: "{{ authentik_docker_volume_dir }}/templates" + state: directory + mode: '0755' + +- name: Create postgres data directory + file: + path: "{{ authentik_docker_volume_dir }}/postgresql" + state: directory + mode: '0755' + +- name: Create blueprints directory + file: + path: "{{ authentik_docker_volume_dir }}/blueprints" + state: directory + mode: '0755' + +- name: Render blueprints + import_tasks: blueprints.yml - name: Create docker-compose file for authentik template: @@ -25,46 +51,6 @@ community.docker.docker_compose_v2: project_src: "{{ authentik_docker_compose_dir }}" state: present + recreate: "{{ blueprints_changed | ternary('always', 'auto') }}" wait: true - wait_timeout: 300 - -- name: Render blueprints - import_tasks: blueprints.yml - -- name: Render blueprint wait script - template: - src: wait-for-blueprints.py.j2 - dest: "{{ authentik_docker_volume_dir }}/data/wait-for-blueprints.py" - mode: '0644' - -- name: Wait for custom blueprints to be applied - community.docker.docker_compose_v2_exec: - project_src: "{{ authentik_docker_compose_dir }}" - service: server - command: ak shell -c "exec(open('/data/wait-for-blueprints.py').read())" - register: blueprint_wait_result - changed_when: "'changed' in blueprint_wait_result.stdout" - retries: 30 - delay: 10 - until: blueprint_wait_result.rc == 0 - when: blueprints_changed - -- name: Render LDAP outpost token script - template: - src: set-outpost-token.py.j2 - dest: "{{ authentik_docker_volume_dir }}/data/set-outpost-token.py" - mode: '0644' - when: authentik_ldap_outpost.name is defined - register: ldap_token_script - -- name: Set known token for LDAP outpost - community.docker.docker_compose_v2_exec: - project_src: "{{ authentik_docker_compose_dir }}" - service: server - command: ak shell -c "exec(open('/data/set-outpost-token.py').read())" - register: ldap_token_result - changed_when: "'changed' in ldap_token_result.stdout" - retries: 30 - delay: 10 - until: ldap_token_result.rc == 0 - when: authentik_ldap_outpost.name is defined and (blueprints_changed or ldap_token_script.changed) \ No newline at end of file + wait_timeout: 300 \ No newline at end of file diff --git a/roles/authentik/templates/blueprints/blueprint-ldap-app.yaml.j2 b/roles/authentik/templates/blueprints/blueprint-ldap-app.yaml.j2 deleted file mode 100644 index 6747d95..0000000 --- a/roles/authentik/templates/blueprints/blueprint-ldap-app.yaml.j2 +++ /dev/null @@ -1,124 +0,0 @@ -# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json -version: 1 -metadata: - name: "ldap-{{ item.slug }}" - labels: - blueprints.goauthentik.io/instantiate: "true" - blueprints.goauthentik.io/description: "LDAP provider + application for {{ item.slug }}" - -entries: - # Simple password-only flow for LDAP bind (no browser policies) - - model: authentik_stages_password.passwordstage - id: ldap-password-stage - identifiers: - name: ldap-bind-password - attrs: - name: ldap-bind-password - backends: - - authentik.core.auth.InbuiltBackend - - authentik.core.auth.TokenBackend - - authentik.sources.ldap.auth.LDAPBackend - - - model: authentik_stages_identification.identificationstage - id: ldap-identification-stage - identifiers: - name: ldap-bind-identification - attrs: - name: ldap-bind-identification - user_fields: - - username - - email - password_stage: !KeyOf ldap-password-stage - - - model: authentik_stages_user_login.userloginstage - id: ldap-login-stage - identifiers: - name: ldap-bind-login - attrs: - name: ldap-bind-login - - - model: authentik_flows.flow - id: ldap-bind-flow - identifiers: - slug: ldap-bind - attrs: - name: LDAP Bind - slug: ldap-bind - title: LDAP Bind - designation: authentication - authentication: none - - - model: authentik_flows.flowstagebinding - identifiers: - target: !KeyOf ldap-bind-flow - stage: !KeyOf ldap-identification-stage - order: 0 - attrs: - target: !KeyOf ldap-bind-flow - stage: !KeyOf ldap-identification-stage - order: 0 - - - model: authentik_flows.flowstagebinding - identifiers: - target: !KeyOf ldap-bind-flow - stage: !KeyOf ldap-login-stage - order: 10 - attrs: - target: !KeyOf ldap-bind-flow - stage: !KeyOf ldap-login-stage - order: 10 - -{% if item.search_group is defined and item.search_group %} - - model: authentik_rbac.role - id: ldap-search-role-{{ item.slug }} - identifiers: - name: ldap-search-{{ item.slug }} - attrs: - name: ldap-search-{{ item.slug }} -{% endif %} - - - model: authentik_providers_ldap.ldapprovider - id: ldap-provider-{{ item.slug }} - identifiers: - name: {{ item.name }} - attrs: - name: {{ item.name }} - base_dn: "{{ item.base_dn }}" - authorization_flow: !KeyOf ldap-bind-flow - invalidation_flow: !Find [authentik_flows.flow, [slug, {{ item.invalidation_flow_slug | default('default-provider-invalidation-flow') }}]] - authentication_flow: !KeyOf ldap-bind-flow - search_mode: {{ item.search_mode | default('cached') }} - bind_mode: {{ item.bind_mode | default('direct') }} -{% if item.certificate is defined and item.certificate %} - certificate: !Find [authentik_crypto.certificatekeypair, [name, {{ item.certificate }}]] -{% endif %} -{% if item.uid_start_number is defined %} - uid_start_number: {{ item.uid_start_number }} -{% endif %} -{% if item.gid_start_number is defined %} - gid_start_number: {{ item.gid_start_number }} -{% endif %} -{% if item.search_group is defined and item.search_group %} - permissions: - - permission: authentik_providers_ldap.search_full_directory - role: !KeyOf ldap-search-role-{{ item.slug }} -{% endif %} - -{% if item.search_group is defined and item.search_group %} - # Assign the LDAP search role to the search group - - model: authentik_core.group - identifiers: - name: {{ item.search_group }} - attrs: - roles: - - !KeyOf ldap-search-role-{{ item.slug }} -{% endif %} - - - model: authentik_core.application - id: app-{{ item.slug }} - identifiers: - slug: {{ item.slug }} - attrs: - name: "{{ item.name | default(item.slug) }}" - slug: {{ item.slug }} - provider: !KeyOf ldap-provider-{{ item.slug }} diff --git a/roles/authentik/templates/blueprints/blueprint-local-users.yaml.j2 b/roles/authentik/templates/blueprints/blueprint-local-users.yaml.j2 index 8a158b0..d40454b 100644 --- a/roles/authentik/templates/blueprints/blueprint-local-users.yaml.j2 +++ b/roles/authentik/templates/blueprints/blueprint-local-users.yaml.j2 @@ -4,24 +4,9 @@ metadata: name: "local-users" labels: blueprints.goauthentik.io/instantiate: "true" - blueprints.goauthentik.io/description: "Local groups and user accounts" + blueprints.goauthentik.io/description: "Local user accounts" entries: -{% for group in authentik_groups %} - - model: authentik_core.group - id: group-{{ group.name | regex_replace('[^a-zA-Z0-9]', '-') }} - identifiers: - name: {{ group.name }} - attrs: - name: {{ group.name }} -{% if group.is_superuser is defined %} - is_superuser: {{ group.is_superuser | lower }} -{% endif %} -{% if group.parent is defined and group.parent %} - parent: !Find [authentik_core.group, [name, {{ group.parent }}]] -{% endif %} - -{% endfor %} {% for user in authentik_local_users %} - model: authentik_core.user id: user-{{ user.username }} @@ -32,8 +17,8 @@ entries: name: "{{ user.name | default(user.username) }}" email: "{{ user.email | default('') }}" is_active: {{ user.is_active | default(true) | lower }} -{% if user.password is defined %} - password: "{{ user.password }}" +{% if user.password_env is defined %} + password: !Env {{ user.password_env }} {% endif %} {% if user.groups is defined and user.groups | length > 0 %} groups: diff --git a/roles/authentik/templates/blueprints/blueprint-login-sources.yaml.j2 b/roles/authentik/templates/blueprints/blueprint-login-sources.yaml.j2 index 8bddb41..acbb635 100644 --- a/roles/authentik/templates/blueprints/blueprint-login-sources.yaml.j2 +++ b/roles/authentik/templates/blueprints/blueprint-login-sources.yaml.j2 @@ -16,10 +16,8 @@ entries: {% for field in authentik_login_user_fields %} - {{ field }} {% endfor %} -{% if authentik_login_sources %} # OAuth/social login sources (use !Find to reference sources from other blueprints) sources: {% for src in authentik_login_sources %} - !Find [authentik_sources_oauth.oauthsource, [slug, {{ src.slug }}]] {% endfor %} -{% endif %} diff --git a/roles/authentik/templates/blueprints/blueprint-oidc-app.yaml.j2 b/roles/authentik/templates/blueprints/blueprint-oidc-app.yaml.j2 index b5813a8..7270de8 100644 --- a/roles/authentik/templates/blueprints/blueprint-oidc-app.yaml.j2 +++ b/roles/authentik/templates/blueprints/blueprint-oidc-app.yaml.j2 @@ -13,11 +13,9 @@ entries: name: {{ item.slug }} attrs: name: {{ item.slug }} - client_type: {{ item.client_type | default('confidential') }} - client_id: "{{ item.client_id }}" -{% if item.client_type | default('confidential') == 'confidential' %} - client_secret: "{{ item.client_secret }}" -{% endif %} + client_type: confidential + client_id: !Env {{ item.client_id_env }} + client_secret: !Env {{ item.client_secret_env }} redirect_uris: {% for ru in item.redirect_uris %} diff --git a/roles/authentik/templates/blueprints/blueprint-proxy-app.yaml.j2 b/roles/authentik/templates/blueprints/blueprint-proxy-app.yaml.j2 index acfc7a9..5e29756 100644 --- a/roles/authentik/templates/blueprints/blueprint-proxy-app.yaml.j2 +++ b/roles/authentik/templates/blueprints/blueprint-proxy-app.yaml.j2 @@ -20,16 +20,6 @@ entries: internal_host: "{{ item.internal_host }}" external_host: "{{ item.external_host }}" -{# Provider mode controls how authentik treats the proxy app: - - proxy : the outpost itself proxies traffic to internal_host - - forward_single : a single app behind an external reverse proxy - (traefik forwardauth talks to authentik per-domain) - - forward_domain : wildcard mode — one provider guards every host on a - cookie domain; configure forward_auth_mode=domain on - the outpost in that case. Default to forward_single - since that's the common ForwardAuth-with-traefik - pattern. #} - mode: {{ item.mode | default('forward_single') }} {% if item.skip_path_regex is defined and item.skip_path_regex|length > 0 %} skip_path_regex: | @@ -44,20 +34,3 @@ entries: name: "{{ item.name | default(item.slug) }}" slug: {{ item.slug }} provider: !KeyOf proxy-provider-{{ item.slug }} - -{% if item.allowed_groups is defined and item.allowed_groups | length > 0 %} -{# Restrict access to listed groups: one PolicyBinding per group, all bound - to the application. Authentik treats multiple bindings on the same target - as OR (a user matching any binding passes), and a request from a user in - none of the bound groups is denied. #} -{% for group_name in item.allowed_groups %} - - model: authentik_policies.policybinding - identifiers: - target: !KeyOf app-{{ item.slug }} - order: {{ loop.index0 }} - group: !Find [authentik_core.group, [name, "{{ group_name }}"]] - attrs: - enabled: true - negate: false -{% endfor %} -{% endif %} diff --git a/roles/authentik/templates/blueprints/blueprint-source-entra.yaml.j2 b/roles/authentik/templates/blueprints/blueprint-source-entra.yaml.j2 index 00bf902..acab07b 100644 --- a/roles/authentik/templates/blueprints/blueprint-source-entra.yaml.j2 +++ b/roles/authentik/templates/blueprints/blueprint-source-entra.yaml.j2 @@ -15,12 +15,12 @@ entries: name: "{{ item.name | default('Microsoft Entra ID') }}" slug: {{ item.slug }} - # Authentik's OAuth sources support vendor-specific types. - # Entra guide calls it "Entra ID OAuth Source". + # Authentik’s OAuth sources support vendor-specific types. + # Entra guide calls it “Entra ID OAuth Source”. provider_type: entraid - consumer_key: "{{ item.client_id }}" - consumer_secret: "{{ item.client_secret }}" + consumer_key: !Env {{ item.client_id_env }} + consumer_secret: !Env {{ item.client_secret_env }} scopes: {% for s in (item.scopes | default(['openid','profile','email'])) %} @@ -28,10 +28,10 @@ entries: {% endfor %} {% if (item.tenant_mode | default('single')) == 'single' %} - authorization_url: "https://login.microsoftonline.com/{{ item.tenant_id }}/oauth2/v2.0/authorize" - access_token_url: "https://login.microsoftonline.com/{{ item.tenant_id }}/oauth2/v2.0/token" + authorization_url: !Format ["https://login.microsoftonline.com/%s/oauth2/v2.0/authorize", !Env {{ item.tenant_id_env }}] + access_token_url: !Format ["https://login.microsoftonline.com/%s/oauth2/v2.0/token", !Env {{ item.tenant_id_env }}] profile_url: "https://graph.microsoft.com/v1.0/me" - oidc_jwks_url: "https://login.microsoftonline.com/{{ item.tenant_id }}/discovery/v2.0/keys" + oidc_jwks_url: !Format ["https://login.microsoftonline.com/%s/discovery/v2.0/keys", !Env {{ item.tenant_id_env }}] {% else %} authorization_url: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize" access_token_url: "https://login.microsoftonline.com/common/oauth2/v2.0/token" diff --git a/roles/authentik/templates/blueprints/outpost-ldap.yaml.j2 b/roles/authentik/templates/blueprints/outpost-ldap.yaml.j2 deleted file mode 100644 index e1d5fbf..0000000 --- a/roles/authentik/templates/blueprints/outpost-ldap.yaml.j2 +++ /dev/null @@ -1,27 +0,0 @@ -# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json -version: 1 -metadata: - name: "outpost-{{ authentik_ldap_outpost.name }}" - labels: - blueprints.goauthentik.io/instantiate: "true" - -entries: - - model: authentik_outposts.outpost - identifiers: - name: "{{ authentik_ldap_outpost.name }}" - attrs: - name: "{{ authentik_ldap_outpost.name }}" - type: ldap - service_connection: null - - providers: -{% for app in authentik_ldap_apps %} - - !Find [authentik_providers_ldap.ldapprovider, [name, {{ app.name }}]] -{% endfor %} - -{% if authentik_ldap_outpost.config is defined %} - config: -{% for k, v in authentik_ldap_outpost.config.items() %} - {{ k }}: {{ v | tojson }} -{% endfor %} -{% endif %} diff --git a/roles/authentik/templates/docker-compose.yml.j2 b/roles/authentik/templates/docker-compose.yml.j2 index cd3ef1e..6daa2a1 100644 --- a/roles/authentik/templates/docker-compose.yml.j2 +++ b/roles/authentik/templates/docker-compose.yml.j2 @@ -35,6 +35,11 @@ services: AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_postgres_password }} AUTHENTIK_LOG_LEVEL: {{ authentik_log_level }} AUTHENTIK_ERROR_REPORTING__ENABLED: "{{ authentik_error_reporting_enabled | lower }}" +{% if authentik_blueprint_env|length > 0 %} +{% for k, v in authentik_blueprint_env.items() %} + {{ k }}: "{{ v }}" +{% endfor %} +{% endif %} volumes: - {{ authentik_docker_volume_dir }}/blueprints:/blueprints/custom - {{ authentik_docker_volume_dir }}/data:/data @@ -43,58 +48,19 @@ services: postgres: condition: service_healthy networks: - {{ authentik_backend_network }}: {} - # No alias for the public FQDN here: that would shadow `/etc/hosts` - # pins (extra_hosts) in other containers sharing this network and - # break OIDC discovery for Node-based clients (c-ares-based - # resolvers consult Docker DNS before /etc/hosts). The URL-based - # service below addresses this container by its compose service - # name `server`, which Docker exposes as an alias on every network - # the container joins. - {{ authentik_traefik_network }}: {} + - {{ authentik_backend_network }} + - {{ authentik_traefik_network }} labels: - traefik.enable=true - traefik.docker.network={{ authentik_traefik_network }} - - traefik.http.routers.{{ authentik_service_name }}.rule={% for d in authentik_domains %}Host(`{{ d }}`){% if not loop.last %} || {% endif %}{% endfor +%} - - traefik.http.routers.{{ authentik_service_name }}.service={{ authentik_service_name }} + - traefik.http.routers.{{ authentik_service_name }}.rule=Host(`{{ authentik_domain }}`) {% if authentik_use_ssl %} - traefik.http.routers.{{ authentik_service_name }}.entrypoints=websecure - traefik.http.routers.{{ authentik_service_name }}.tls=true -{% if traefik_cert_mode | default('selfsigned') == 'acme' %} - - traefik.http.routers.{{ authentik_service_name }}.tls.certresolver={{ traefik_ssl_cert_resolver | default('dns') }} -{% endif %} {% else %} - traefik.http.routers.{{ authentik_service_name }}.entrypoints=web {% endif %} - traefik.http.services.{{ authentik_service_name }}.loadbalancer.server.port={{ authentik_port }} -{% if authentik_host_rewrite_domains | length > 0 %} - # Server-to-server entry: a separate service points at this very - # container by its compose service name `server` and disables - # passHostHeader so the upstream Host header becomes - # `{{ authentik_domains[0] }}`. Authentik builds OIDC issuer URLs - # from X-Forwarded-Host (not Host), so we also pin that header via - # middleware. Together this keeps the iss claim aligned with the - # public hostname browsers see during login, even when the request - # itself arrived on an internal *.int.* FQDN. - - traefik.http.services.{{ authentik_service_name }}-rewrite.loadbalancer.server.url=http://server:{{ authentik_port }} - - traefik.http.services.{{ authentik_service_name }}-rewrite.loadbalancer.passhostheader=false - - traefik.http.middlewares.{{ authentik_service_name }}-xfh-rewrite.headers.customrequestheaders.X-Forwarded-Host={{ authentik_domains[0] }} -{% for d in authentik_host_rewrite_domains %} - - traefik.http.routers.{{ authentik_service_name }}-rewrite-{{ loop.index0 }}.rule=Host(`{{ d }}`) - - traefik.http.routers.{{ authentik_service_name }}-rewrite-{{ loop.index0 }}.priority=100 - - traefik.http.routers.{{ authentik_service_name }}-rewrite-{{ loop.index0 }}.service={{ authentik_service_name }}-rewrite - - traefik.http.routers.{{ authentik_service_name }}-rewrite-{{ loop.index0 }}.middlewares={{ authentik_service_name }}-xfh-rewrite -{% if authentik_use_ssl %} - - traefik.http.routers.{{ authentik_service_name }}-rewrite-{{ loop.index0 }}.entrypoints=websecure - - traefik.http.routers.{{ authentik_service_name }}-rewrite-{{ loop.index0 }}.tls=true -{% if traefik_cert_mode | default('selfsigned') == 'acme' %} - - traefik.http.routers.{{ authentik_service_name }}-rewrite-{{ loop.index0 }}.tls.certresolver={{ traefik_ssl_cert_resolver | default('dns') }} -{% endif %} -{% else %} - - traefik.http.routers.{{ authentik_service_name }}-rewrite-{{ loop.index0 }}.entrypoints=web -{% endif %} -{% endfor %} -{% endif %} worker: image: {{ authentik_image }} @@ -109,6 +75,11 @@ services: AUTHENTIK_POSTGRESQL__PASSWORD: {{ authentik_postgres_password }} AUTHENTIK_LOG_LEVEL: {{ authentik_log_level }} AUTHENTIK_ERROR_REPORTING__ENABLED: "{{ authentik_error_reporting_enabled | lower }}" +{% if authentik_blueprint_env|length > 0 %} +{% for k, v in authentik_blueprint_env.items() %} + {{ k }}: "{{ v }}" +{% endfor %} +{% endif %} volumes: - {{ authentik_docker_volume_dir }}/data:/data - {{ authentik_docker_volume_dir }}/certs:/certs diff --git a/roles/authentik/templates/set-outpost-token.py.j2 b/roles/authentik/templates/set-outpost-token.py.j2 deleted file mode 100644 index 0b61705..0000000 --- a/roles/authentik/templates/set-outpost-token.py.j2 +++ /dev/null @@ -1,10 +0,0 @@ -from authentik.outposts.models import Outpost -from authentik.core.models import Token -o = Outpost.objects.get(name='{{ authentik_ldap_outpost.name }}') -t = Token.objects.get(identifier=o.token_identifier) -if t.key != '{{ authentik_ldap_outpost.token }}': - t.key = '{{ authentik_ldap_outpost.token }}' - t.save(update_fields=['key']) - print('changed') -else: - print('ok') diff --git a/roles/authentik/templates/wait-for-blueprints.py.j2 b/roles/authentik/templates/wait-for-blueprints.py.j2 deleted file mode 100644 index ff78f24..0000000 --- a/roles/authentik/templates/wait-for-blueprints.py.j2 +++ /dev/null @@ -1,20 +0,0 @@ -from authentik.blueprints.models import BlueprintInstance -from authentik.blueprints.v1.importer import Importer - -failed = list(BlueprintInstance.objects.filter(enabled=True, path__startswith="custom/").exclude(status="successful").order_by("path")) -if not failed: - print("ok") -else: - for bp in failed: - content = bp.retrieve() - importer = Importer.from_string(content) - valid, _ = importer.validate() - if valid: - importer.apply() - bp.status = "successful" - bp.save() - still_failed = BlueprintInstance.objects.filter(enabled=True, path__startswith="custom/").exclude(status="successful") - if still_failed.exists(): - names = ", ".join(bp.name for bp in still_failed) - raise Exception(f"Blueprints still failing: {names}") - print("changed") diff --git a/roles/authentik_outpost_ldap/README.md b/roles/authentik_outpost_ldap/README.md index 430a4a0..225dd44 100644 --- a/roles/authentik_outpost_ldap/README.md +++ b/roles/authentik_outpost_ldap/README.md @@ -1,44 +1,38 @@ -# authentik_outpost_ldap +Role Name +========= -Deploys an [authentik](https://goauthentik.io) LDAP outpost via Docker -Compose. The outpost exposes an LDAP interface backed by authentik, so -applications that cannot speak OIDC (e.g. Nextcloud or OpenCloud LDAP -backends) can still authenticate against the central IdP. +A brief description of the role goes here. -The outpost connects back to an authentik server using an outpost token -issued in the authentik admin interface. The image version must match -the authentik server version. +Requirements +------------ -## Requirements +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. -- Docker and Docker Compose on the target host (e.g. via - `digitalboard.core.base`) -- Ansible collection: `community.docker` +Role Variables +-------------- -## Role variables +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. -| Variable | Default | Description | -| --- | --- | --- | -| `authentik_outpost_ldap_image` | `ghcr.io/goauthentik/ldap:2026.2.2` | Outpost image (match the server version). | -| `authentik_outpost_ldap_host` | `https://authentik.local.test` | URL of the authentik server. | -| `authentik_outpost_ldap_token` | `changeme` | Outpost token — **override this**. | -| `authentik_outpost_ldap_insecure` | `"true"` | Skip TLS verification toward the authentik server. | -| `authentik_outpost_ldap_network` | `ldap` | Docker network LDAP clients connect over (created by the role). | -| `authentik_outpost_ldap_authentik_network` | _unset_ | Optional extra external network to the authentik server. | -| `authentik_outpost_ldap_extra_hosts` | `[]` | Extra `host:ip` entries for in-container DNS. | +Dependencies +------------ -## Example +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. -```yaml -- hosts: directory - become: true - roles: - - role: digitalboard.core.authentik_outpost_ldap - vars: - authentik_outpost_ldap_host: "https://auth.example.com" - authentik_outpost_ldap_token: "{{ vault_authentik_ldap_outpost_token }}" -``` +Example Playbook +---------------- -## License +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: -MIT-0 + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/authentik_outpost_ldap/defaults/main.yml b/roles/authentik_outpost_ldap/defaults/main.yml index 8942bf2..0222b44 100644 --- a/roles/authentik_outpost_ldap/defaults/main.yml +++ b/roles/authentik_outpost_ldap/defaults/main.yml @@ -1,26 +1,3 @@ #SPDX-License-Identifier: MIT-0 --- # defaults file for authentik_outpost_ldap - -# Base directory configuration (inherited from base role or defined here) -docker_compose_base_dir: /etc/docker/compose -docker_volume_base_dir: /srv/data - -# Service configuration -authentik_outpost_ldap_service_name: authentik-outpost-ldap -authentik_outpost_ldap_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ authentik_outpost_ldap_service_name }}" - -# Container image (must match authentik server version) -authentik_outpost_ldap_image: "ghcr.io/goauthentik/ldap:2026.2.2" - -# Connection to authentik server -authentik_outpost_ldap_host: "https://authentik.local.test" -authentik_outpost_ldap_token: "changeme" -authentik_outpost_ldap_insecure: "true" - -# Dedicated network for LDAP clients (nextcloud, opencloud, etc.) -authentik_outpost_ldap_network: "ldap" - -# Extra hosts for DNS resolution within the container -authentik_outpost_ldap_extra_hosts: [] -# - "authentik.local.test:192.168.56.11" diff --git a/roles/authentik_outpost_ldap/meta/main.yml b/roles/authentik_outpost_ldap/meta/main.yml index 5f2a051..6f91fd3 100644 --- a/roles/authentik_outpost_ldap/meta/main.yml +++ b/roles/authentik_outpost_ldap/meta/main.yml @@ -1,27 +1,35 @@ #SPDX-License-Identifier: MIT-0 galaxy_info: - author: digitalboard - description: Deploy an authentik LDAP outpost via Docker Compose for applications that cannot use OIDC - company: Digitalboard - license: MIT-0 + author: your name + description: your role description + company: your company (optional) - min_ansible_version: "2.14" + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker - platforms: - - name: Debian - versions: - - bookworm - - name: Ubuntu - versions: - - jammy - - noble + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) - galaxy_tags: - - authentik - - ldap - - outpost - - sso - - docker - - digitalboard + min_ansible_version: 2.2 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/authentik_outpost_ldap/tasks/main.yml b/roles/authentik_outpost_ldap/tasks/main.yml index 79a350a..36d90a4 100644 --- a/roles/authentik_outpost_ldap/tasks/main.yml +++ b/roles/authentik_outpost_ldap/tasks/main.yml @@ -1,31 +1,3 @@ #SPDX-License-Identifier: MIT-0 --- # tasks file for authentik_outpost_ldap - -- name: Create LDAP network - community.docker.docker_network: - name: "{{ authentik_outpost_ldap_network }}" - state: present - -- name: Create docker compose directory - file: - path: "{{ authentik_outpost_ldap_docker_compose_dir }}" - state: directory - mode: '0755' - -- name: Create docker-compose file for authentik LDAP outpost - template: - src: docker-compose.yml.j2 - dest: "{{ authentik_outpost_ldap_docker_compose_dir }}/docker-compose.yml" - mode: '0644' - -- name: Start authentik LDAP outpost container - community.docker.docker_compose_v2: - project_src: "{{ authentik_outpost_ldap_docker_compose_dir }}" - state: present - wait: true - wait_timeout: 120 - retries: 3 - delay: 15 - register: result - until: result is not failed diff --git a/roles/authentik_outpost_ldap/templates/docker-compose.yml.j2 b/roles/authentik_outpost_ldap/templates/docker-compose.yml.j2 deleted file mode 100644 index fcff9fc..0000000 --- a/roles/authentik_outpost_ldap/templates/docker-compose.yml.j2 +++ /dev/null @@ -1,27 +0,0 @@ -services: - ldap: - image: {{ authentik_outpost_ldap_image }} - restart: unless-stopped - environment: - AUTHENTIK_HOST: {{ authentik_outpost_ldap_host }} - AUTHENTIK_TOKEN: {{ authentik_outpost_ldap_token }} - AUTHENTIK_INSECURE: "{{ authentik_outpost_ldap_insecure }}" -{% if authentik_outpost_ldap_extra_hosts | length > 0 %} - extra_hosts: -{% for host in authentik_outpost_ldap_extra_hosts %} - - "{{ host }}" -{% endfor %} -{% endif %} - networks: - - {{ authentik_outpost_ldap_network }} -{% if authentik_outpost_ldap_authentik_network is defined %} - - {{ authentik_outpost_ldap_authentik_network }} -{% endif %} - -networks: - {{ authentik_outpost_ldap_network }}: - external: true -{% if authentik_outpost_ldap_authentik_network is defined %} - {{ authentik_outpost_ldap_authentik_network }}: - external: true -{% endif %} diff --git a/roles/base/README.md b/roles/base/README.md index 4d67213..225dd44 100644 --- a/roles/base/README.md +++ b/roles/base/README.md @@ -1,45 +1,38 @@ -# base +Role Name +========= -Host baseline for the Digitalboard platform. Installs Docker (engine, -CLI, containerd, buildx, compose plugin) and a small set of apt and -convenience packages on Debian/Ubuntu, and sets the shared directory -layout every other role builds on. +A brief description of the role goes here. -This role is intended to run first on every host, before any -service role. +Requirements +------------ -## What it does +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. -- Installs Docker prerequisites (`apt-transport-https`, `ca-certificates`, - `curl`, `gnupg`, `lsb-release`, `apache2-utils` for `htpasswd`) plus - convenience packages (`htop`, `ncdu`, `vim`) and Docker itself - (`docker-ce`, `docker-ce-cli`, `containerd.io`, `docker-buildx-plugin`, - `docker-compose-plugin`). -- Optionally configures Docker registry mirrors via `/etc/docker/daemon.json`. -- Starts and enables the Docker service and writes a custom `/etc/motd`. +Role Variables +-------------- -This role defines the shared directory-layout variables -(`docker_compose_base_dir`, `docker_volume_base_dir`) that every service -role consumes, but the per-service subdirectories are created by the -respective service roles, not here. +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. -## Role variables +Dependencies +------------ -| Variable | Default | Description | -| --- | --- | --- | -| `docker_compose_base_dir` | `/etc/docker/compose` | Root directory for per-service Compose projects. | -| `docker_volume_base_dir` | `/srv/data` | Root directory for per-service persistent volumes. | -| `docker_registry_mirrors` | `[]` | Optional list of registry mirror URLs; empty disables mirrors. | +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. -## Example +Example Playbook +---------------- -```yaml -- hosts: all - become: true - roles: - - digitalboard.core.base -``` +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: -## License + - hosts: servers + roles: + - { role: username.rolename, x: 42 } -MIT-0 +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/base/meta/main.yml b/roles/base/meta/main.yml index 4e2a015..36b9858 100644 --- a/roles/base/meta/main.yml +++ b/roles/base/meta/main.yml @@ -1,25 +1,35 @@ #SPDX-License-Identifier: MIT-0 galaxy_info: - author: digitalboard - description: Host baseline — install Docker, required apt packages and convenience tooling on Debian/Ubuntu - company: Digitalboard - license: MIT-0 + author: your name + description: your role description + company: your company (optional) - min_ansible_version: "2.14" + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker - platforms: - - name: Debian - versions: - - bookworm - - name: Ubuntu - versions: - - jammy - - noble + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) - galaxy_tags: - - base - - docker - - bootstrap - - digitalboard + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/bookstack/README.md b/roles/bookstack/README.md deleted file mode 100644 index 83e0164..0000000 --- a/roles/bookstack/README.md +++ /dev/null @@ -1,154 +0,0 @@ -# Ansible Role: bookstack - -Deploys [BookStack](https://www.bookstackapp.com/) as a self-contained Docker -Compose stack behind Traefik, with its own MariaDB container, OIDC SSO -(Entra ID by default) and a daily systemd-timer driven backup of database -and uploads. - -## Requirements - -- Docker Engine + Compose plugin on the target host -- Traefik already running, with the external network referenced by - `bookstack_traefik_network` (default: `proxy`) -- `community.docker` collection on the controller -- DNS for `bookstack_domain` pointing at the Traefik host - -## Required variables - -The role asserts these are set; the play fails fast if any is empty: - -| Variable | Description | -|---|---| -| `bookstack_db_root_password` | MariaDB root password | -| `bookstack_db_password` | MariaDB user password | -| `bookstack_admin_password` | Initial local admin password | -| `bookstack_oidc_client_id` | OIDC client ID (if OIDC on) | -| `bookstack_oidc_client_secret` | OIDC client secret (if OIDC on) | - -When OIDC is on, the role also asserts that `bookstack_oidc_issuer` -resolves to a concrete URL. For Entra ID this means setting -`bookstack_entra_tenant_id` (the default issuer interpolates it; an unset -tenant leaves `//v2.0` and fails the assert). For other IdPs (Authentik, -Keycloak) set `bookstack_oidc_issuer` directly instead. - -Provide via OpenBao lookup, Ansible Vault or `--extra-vars`. Never commit -real secrets. - -## Optional variables - -See `defaults/main.yml`. Frequently overridden: - -- `bookstack_domain`, `bookstack_base_url` -- `bookstack_extra_domains` (extra Host-rule hostnames, e.g. an internal - `*.int.*` FQDN for a DMZ reverseproxy) -- `bookstack_extra_hosts` (container `/etc/hosts` overrides for - split-horizon IdP access; entries as `host:ip`) -- `bookstack_image`, `bookstack_db_image` (pin in production) -- `bookstack_oidc_enabled` (set `false` to disable OIDC entirely) -- `bookstack_oidc_auto_initiate` (`true` redirects straight to IdP) -- `bookstack_oidc_user_to_groups` (`true` syncs roles from Entra groups) -- `bookstack_backup_enabled`, `bookstack_backup_schedule`, - `bookstack_backup_retention_days` - -## Entra ID app registration - -1. Azure Portal → Entra ID → App registrations → New registration -2. Redirect URI (Web): `https:///oidc/callback` -3. Front-channel logout URL: `https:///logout` -4. Certificates & secrets → New client secret → - `bookstack_oidc_client_secret` -5. For group sync (`bookstack_oidc_user_to_groups: true`): - - Token configuration → Add groups claim → Security groups - - In BookStack, create roles whose **External Auth ID** equals the - Entra group Object ID, so the mapping resolves on first login. - -## What the role does - -| Phase | Action | -|---|---| -| Validate | `assert` all required secrets are set | -| Prepare | install packages, create volume dirs, generate persistent `APP_KEY`, verify Traefik network | -| Deploy | render `docker-compose.yml`, pull images, bring stack up | -| Configure | wait for the app, create the initial local admin via `php artisan bookstack:create-admin` (idempotent) | -| Backup | render `/usr/local/bin/bookstack-backup.sh` + systemd timer (daily 03:00, 14-day retention) | - -## Example playbook - -```yaml -- name: Deploy BookStack service - hosts: bookstack_servers - become: true - roles: - - digitalboard.core.bookstack -``` - -With inventory variables: - -```yaml -# group_vars/bookstack_servers.yml -bookstack_domain: wiki.digitalboard.ch -bookstack_base_url: "https://wiki.digitalboard.ch" -bookstack_entra_tenant_id: "{{ lookup('community.hashi_vault.vault_kv2_get', - 'digitalboard/bookstack', - mount_point='kv').data.data.tenant_id }}" -bookstack_oidc_client_id: "{{ lookup('community.hashi_vault.vault_kv2_get', - 'digitalboard/bookstack', - mount_point='kv').data.data.client_id }}" -bookstack_oidc_client_secret: "{{ lookup('community.hashi_vault.vault_kv2_get', - 'digitalboard/bookstack', - mount_point='kv').data.data.client_secret }}" -bookstack_db_root_password: "{{ lookup('community.hashi_vault.vault_kv2_get', - 'digitalboard/bookstack', - mount_point='kv').data.data.db_root_password }}" -bookstack_db_password: "{{ lookup('community.hashi_vault.vault_kv2_get', - 'digitalboard/bookstack', - mount_point='kv').data.data.db_password }}" -bookstack_admin_password: "{{ lookup('community.hashi_vault.vault_kv2_get', - 'digitalboard/bookstack', - mount_point='kv').data.data.admin_password }}" -``` - -## Backup / restore - -Backups land in `{{ bookstack_backup_dir }}` (default -`/srv/data/bookstack/backup`) with three files per run: - -- `bookstack-db-.sql.gz` — mariadb-dump -- `bookstack-files-.tar.gz` — uploads, attachments -- `bookstack-appkey-.txt` — APP_KEY (required for restore!) - -Manual trigger: `systemctl start bookstack-backup.service` -Timer status: `systemctl list-timers bookstack-backup.timer` - -Restore procedure: - -1. Stop the stack: `docker compose down` in `bookstack_docker_compose_dir` -2. Restore the APP_KEY: copy the `.txt` content to - `{{ bookstack_docker_volume_dir }}/.app_key` (the key MUST match or - encrypted DB values become unreadable) -3. Start only the DB container, then load the dump: - ```bash - gunzip -c bookstack-db-.sql.gz \ - | docker exec -i bookstack-db \ - mariadb -u root -p"" bookstack - ``` -4. Extract the files: `tar -xzf bookstack-files-.tar.gz -C - {{ bookstack_appdata_dir }}/www/` -5. Bring the stack back up: `docker compose up -d` - -## Notes - -- `bookstack_oidc_auto_initiate: false` (default) shows a login page - with an SSO button alongside the local login form. With `true`, users - go straight to the IdP — the local admin then has to use - `https:///login?email_login=1`. -- `bookstack_oidc_user_to_groups: true` only makes sense once BookStack - roles with the correct **External Auth IDs** (= Entra group Object - IDs) exist; otherwise users lose their role assignment on every login. -- Image tags default to pinned versions; bump them deliberately rather - than chasing `latest`. -- BookStack officially supports MySQL/MariaDB only — no PostgreSQL. - -## License - -MIT-0 diff --git a/roles/bookstack/defaults/main.yml b/roles/bookstack/defaults/main.yml deleted file mode 100644 index ac464b8..0000000 --- a/roles/bookstack/defaults/main.yml +++ /dev/null @@ -1,93 +0,0 @@ -#SPDX-License-Identifier: MIT-0 ---- -# defaults file for bookstack - -# Base directory configuration (inherited from base role or defined here) -docker_compose_base_dir: /etc/docker/compose -docker_volume_base_dir: /srv/data - -# bookstack-specific configuration -bookstack_service_name: bookstack -bookstack_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ bookstack_service_name }}" -bookstack_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ bookstack_service_name }}" -bookstack_appdata_dir: "{{ bookstack_docker_volume_dir }}/appdata" -bookstack_db_data_dir: "{{ bookstack_docker_volume_dir }}/db" -bookstack_backup_dir: "{{ bookstack_docker_volume_dir }}/backup" - -# Service configuration -bookstack_domain: "wiki.local.test" -# Additional hostnames the bookstack router answers on (e.g. an internal -# *.int.* FQDN so a DMZ reverseproxy can hit a backend hostname covered -# by the cert). -bookstack_extra_domains: [] -# Container-level /etc/hosts overrides — useful in split-horizon setups -# where the BookStack container needs to reach an IdP's public FQDN -# (used in the OIDC `iss` claim) over the LAN rather than via the DMZ. -bookstack_extra_hosts: [] -bookstack_base_url: "https://{{ bookstack_domain }}" - -# Images — pin via inventory in production -bookstack_image: "lscr.io/linuxserver/bookstack:version-v26.03.3" -bookstack_db_image: "lscr.io/linuxserver/mariadb:11.4.9" - -# Traefik configuration -bookstack_traefik_network: "proxy" -bookstack_traefik_certresolver: "le" - -# Timezone / UID -bookstack_tz: "Europe/Zurich" -bookstack_puid: "1000" -bookstack_pgid: "1000" - -# Database configuration -bookstack_db_name: "bookstack" -bookstack_db_user: "bookstack" - -# REQUIRED SECRETS — empty defaults force `assert` to fail until set. -# Provide via OpenBao lookup, Ansible Vault, or extra-vars. -# Never commit real secrets to version control. -# -# Generate with: -# bookstack_db_root_password: openssl rand -base64 32 | tr -d '/+=' -# bookstack_db_password: openssl rand -base64 32 | tr -d '/+=' -# bookstack_admin_password: openssl rand -base64 24 | tr -d '/+=' -bookstack_db_root_password: "" -bookstack_db_password: "" -bookstack_admin_password: "" -bookstack_oidc_client_secret: "" - -# APP_KEY is generated automatically on first run and persisted on the host. -# Set explicitly only if restoring an existing instance. -bookstack_app_key: "" - -# Initial local admin (fallback account, lives alongside OIDC) -bookstack_admin_name: "Admin" -bookstack_admin_email: "admin@local.test" -bookstack_artisan_path: "/app/www/artisan" - -# Mail configuration -bookstack_mail_driver: "smtp" -bookstack_mail_host: "smtp.local.test" -bookstack_mail_port: 587 -bookstack_mail_encryption: "tls" -bookstack_mail_from: "bookstack@local.test" -bookstack_mail_from_name: "BookStack" -bookstack_mail_username: "" -bookstack_mail_password: "" - -# OIDC configuration (Entra ID by default; override `bookstack_oidc_issuer` -# for Keycloak or any other provider) -bookstack_oidc_enabled: false -bookstack_oidc_name: "SSO" -bookstack_entra_tenant_id: "" -bookstack_oidc_issuer: "https://login.microsoftonline.com/{{ bookstack_entra_tenant_id }}/v2.0" -bookstack_oidc_client_id: "" -bookstack_oidc_auto_initiate: false -bookstack_oidc_user_to_groups: false -bookstack_oidc_groups_claim: "groups" -bookstack_oidc_additional_scopes: "openid profile email" - -# Backup configuration -bookstack_backup_enabled: true -bookstack_backup_retention_days: 14 -bookstack_backup_schedule: "*-*-* 03:00:00" diff --git a/roles/bookstack/handlers/main.yml b/roles/bookstack/handlers/main.yml deleted file mode 100644 index eb6a769..0000000 --- a/roles/bookstack/handlers/main.yml +++ /dev/null @@ -1,19 +0,0 @@ -#SPDX-License-Identifier: MIT-0 ---- -# handlers file for bookstack - -- name: stop bookstack - community.docker.docker_compose_v2: - project_src: "{{ bookstack_docker_compose_dir }}" - state: stopped - listen: restart bookstack - -- name: start bookstack - community.docker.docker_compose_v2: - project_src: "{{ bookstack_docker_compose_dir }}" - state: present - listen: restart bookstack - -- name: reload systemd - ansible.builtin.systemd: - daemon_reload: true diff --git a/roles/bookstack/meta/argument_specs.yml b/roles/bookstack/meta/argument_specs.yml deleted file mode 100644 index 07f0c06..0000000 --- a/roles/bookstack/meta/argument_specs.yml +++ /dev/null @@ -1,212 +0,0 @@ ---- -argument_specs: - main: - short_description: Deploy BookStack (LSIO image + MariaDB) via Docker Compose. - description: - - Renders a Compose stack for the linuxserver.io BookStack image - with a sibling MariaDB container behind Traefik, then bootstraps - the initial admin user via C(php artisan bookstack:create-admin) - and optionally enables OIDC SSO (Entra ID by default). - - "Persists the Laravel C(APP_KEY) on the host so the same key is - re-used across deploys (a fresh key would orphan all encrypted - database values: 2FA secrets, API tokens, OIDC client_secret)." - - Ships an optional systemd timer that backs up the database dump, - uploads tarball and APP_KEY daily with configurable retention. - options: - docker_compose_base_dir: - type: path - default: /etc/docker/compose - docker_volume_base_dir: - type: path - default: /srv/data - bookstack_service_name: - type: str - default: bookstack - bookstack_docker_compose_dir: - type: path - bookstack_docker_volume_dir: - type: path - bookstack_appdata_dir: - type: path - bookstack_db_data_dir: - type: path - bookstack_backup_dir: - type: path - - bookstack_domain: - type: str - default: wiki.local.test - description: Hostname used in the Traefik Host rule. - bookstack_extra_domains: - type: list - elements: str - default: [] - description: - - Additional hostnames the Traefik router answers on, OR-combined - with C(bookstack_domain). Useful for an internal C(*.int.*) FQDN - so a DMZ reverseproxy can reach a backend hostname covered by the - cert. - bookstack_extra_hosts: - type: list - elements: str - default: [] - description: - - Container-level C(/etc/hosts) overrides (Compose C(extra_hosts) - entries, C("host:ip")). Useful in split-horizon setups where the - BookStack container must reach an IdP's public FQDN (used in the - OIDC C(iss) claim) over the LAN rather than via the DMZ. - bookstack_base_url: - type: str - description: Defaults to C("https://{{ bookstack_domain }}"). - - bookstack_image: - type: str - default: "lscr.io/linuxserver/bookstack:version-v26.03.3" - bookstack_db_image: - type: str - default: "lscr.io/linuxserver/mariadb:11.4.9" - - bookstack_traefik_network: - type: str - default: proxy - bookstack_traefik_certresolver: - type: str - default: le - - bookstack_tz: - type: str - default: Europe/Zurich - bookstack_puid: - type: str - default: "1000" - bookstack_pgid: - type: str - default: "1000" - - bookstack_db_name: - type: str - default: bookstack - bookstack_db_user: - type: str - default: bookstack - bookstack_db_root_password: - type: str - required: true - description: MariaDB C(root) password. Override per-inventory. - bookstack_db_password: - type: str - required: true - description: MariaDB C(bookstack_db_user) password. Override per-inventory. - - bookstack_admin_password: - type: str - required: true - description: - - Password for the local admin user that the role creates via - C(bookstack:create-admin). Lives alongside any OIDC users. - - bookstack_app_key: - type: str - default: '' - description: - - When empty the role generates a persistent C(APP_KEY) on first - run and stores it under C({{ bookstack_docker_volume_dir }}/.app_key). - Override only when restoring an existing instance — a mismatching - key orphans all encrypted database values. - - bookstack_admin_name: - type: str - default: Admin - bookstack_admin_email: - type: str - default: admin@local.test - bookstack_artisan_path: - type: path - default: /app/www/artisan - description: - - Path to BookStack's C(artisan) script inside the container. The - LSIO image's C(WORKDIR) is not the app directory, so this must - be absolute. - - bookstack_mail_driver: - type: str - choices: [smtp, log, sendmail, mailgun, ses, postmark] - default: smtp - bookstack_mail_host: - type: str - default: smtp.local.test - bookstack_mail_port: - type: int - default: 587 - bookstack_mail_encryption: - type: str - choices: [tls, ssl, ''] - default: tls - bookstack_mail_from: - type: str - default: bookstack@local.test - bookstack_mail_from_name: - type: str - default: BookStack - bookstack_mail_username: - type: str - default: '' - bookstack_mail_password: - type: str - default: '' - - bookstack_oidc_enabled: - type: bool - default: false - bookstack_oidc_name: - type: str - default: SSO - description: Display name of the SSO button on the login page. - bookstack_entra_tenant_id: - type: str - default: '' - description: Entra tenant UUID. Required when C(bookstack_oidc_enabled=true). - bookstack_oidc_issuer: - type: str - description: - - OIDC issuer URL. Defaults to the Entra v2 issuer template - built from C(bookstack_entra_tenant_id). Override for - Keycloak or any other provider. - bookstack_oidc_client_id: - type: str - default: '' - description: Required when C(bookstack_oidc_enabled=true). - bookstack_oidc_client_secret: - type: str - default: '' - description: Required when C(bookstack_oidc_enabled=true). - bookstack_oidc_auto_initiate: - type: bool - default: false - description: - - When true users are redirected straight to the IdP and the - local login is reachable only via C(?email_login=1). - bookstack_oidc_user_to_groups: - type: bool - default: false - description: - - When true BookStack syncs roles from the IdP groups claim - on every login. Requires BookStack roles whose - C(External Auth ID) matches the IdP group's Object ID. - bookstack_oidc_groups_claim: - type: str - default: groups - bookstack_oidc_additional_scopes: - type: str - default: openid profile email - - bookstack_backup_enabled: - type: bool - default: true - bookstack_backup_retention_days: - type: int - default: 14 - bookstack_backup_schedule: - type: str - default: "*-*-* 03:00:00" - description: systemd C(OnCalendar) expression for the backup timer. diff --git a/roles/bookstack/meta/main.yml b/roles/bookstack/meta/main.yml deleted file mode 100644 index dad0716..0000000 --- a/roles/bookstack/meta/main.yml +++ /dev/null @@ -1,25 +0,0 @@ -galaxy_info: - author: digitalboard - description: Deploy BookStack as a self-contained Docker Compose stack behind Traefik - company: digitalboard - license: MIT-0 - - min_ansible_version: "2.14" - - platforms: - - name: Debian - versions: - - bookworm - - name: Ubuntu - versions: - - jammy - - noble - - galaxy_tags: - - docker - - bookstack - - wiki - - documentation - - digitalboard - -dependencies: [] diff --git a/roles/bookstack/tasks/main.yml b/roles/bookstack/tasks/main.yml deleted file mode 100644 index 73218d2..0000000 --- a/roles/bookstack/tasks/main.yml +++ /dev/null @@ -1,229 +0,0 @@ -#SPDX-License-Identifier: MIT-0 ---- -# tasks file for bookstack - -# ===================================================================== -# 1. VALIDATE REQUIRED SECRETS -# ===================================================================== - -- name: Assert required secrets are set - ansible.builtin.assert: - that: - - bookstack_db_root_password | length > 0 - - bookstack_db_password | length > 0 - - bookstack_admin_password | length > 0 - - (not bookstack_oidc_enabled) or (bookstack_oidc_client_id | length > 0) - - (not bookstack_oidc_enabled) or (bookstack_oidc_client_secret | length > 0) - # Issuer URL must resolve to something concrete. The Entra default - # interpolates bookstack_entra_tenant_id; an unset tenant leaves - # "//v2.0" in the URL. Allow non-Entra IdPs (Authentik, Keycloak) - # that override bookstack_oidc_issuer directly. - - (not bookstack_oidc_enabled) or - (bookstack_oidc_issuer | length > 0 and - '//v2.0' not in bookstack_oidc_issuer) - fail_msg: >- - One or more required secrets are unset. Provide them via OpenBao - lookup, Ansible Vault or --extra-vars. See README for the full list. - quiet: true - -# ===================================================================== -# 2. PREPARATION: Packages, directories, APP_KEY -# ===================================================================== - -- name: Ensure required packages are installed - ansible.builtin.package: - name: - - python3-docker - - python3-requests - state: present - -- name: Create docker compose directory - ansible.builtin.file: - path: "{{ bookstack_docker_compose_dir }}" - state: directory - mode: '0755' - -- name: Create BookStack data directories - ansible.builtin.file: - path: "{{ item }}" - state: directory - owner: "{{ bookstack_puid }}" - group: "{{ bookstack_pgid }}" - mode: '0755' - loop: - - "{{ bookstack_docker_volume_dir }}" - - "{{ bookstack_appdata_dir }}" - - "{{ bookstack_db_data_dir }}" - - "{{ bookstack_backup_dir }}" - -- name: Verify Traefik network exists - community.docker.docker_network_info: - name: "{{ bookstack_traefik_network }}" - register: _traefik_net - failed_when: not _traefik_net.exists - -- name: Check whether APP_KEY has been generated before - ansible.builtin.stat: - path: "{{ bookstack_docker_volume_dir }}/.app_key" - register: _app_key_file - -- name: Generate persistent APP_KEY on first run - ansible.builtin.shell: | - set -o pipefail - umask 077 - echo "base64:$(openssl rand -base64 32)" > {{ bookstack_docker_volume_dir }}/.app_key - args: - executable: /bin/bash - creates: "{{ bookstack_docker_volume_dir }}/.app_key" - when: - - not _app_key_file.stat.exists - - bookstack_app_key | length == 0 - -- name: Write inventory-provided APP_KEY - ansible.builtin.copy: - content: "{{ bookstack_app_key }}\n" - dest: "{{ bookstack_docker_volume_dir }}/.app_key" - mode: '0600' - when: - - not _app_key_file.stat.exists - - bookstack_app_key | length > 0 - no_log: true - -- name: Read APP_KEY back into a fact - ansible.builtin.slurp: - src: "{{ bookstack_docker_volume_dir }}/.app_key" - register: _app_key_slurp - no_log: true - -- name: Register APP_KEY fact - ansible.builtin.set_fact: - bookstack_resolved_app_key: "{{ _app_key_slurp.content | b64decode | trim }}" - no_log: true - -# ===================================================================== -# 3. DEPLOY: Render compose, bring stack up -# ===================================================================== - -- name: Render docker-compose.yml for BookStack - ansible.builtin.template: - src: docker-compose.yml.j2 - dest: "{{ bookstack_docker_compose_dir }}/docker-compose.yml" - mode: '0640' - notify: restart bookstack - -- name: Start BookStack containers - community.docker.docker_compose_v2: - project_src: "{{ bookstack_docker_compose_dir }}" - state: present - pull: always - wait: true - -# ===================================================================== -# 4. CONFIGURE: Wait for app and seed initial admin user -# ===================================================================== - -- name: Wait for BookStack to be ready - ansible.builtin.command: - cmd: docker exec {{ bookstack_service_name }} curl -sf -o /dev/null -w "%{http_code}" http://localhost/login - register: _bookstack_health - retries: 30 - delay: 5 - until: _bookstack_health.stdout == "200" - changed_when: false - -- name: Wait for BookStack migrations to be complete - community.docker.docker_container_exec: - container: "{{ bookstack_service_name }}-db" - argv: - - mariadb - - --protocol=tcp - - -h - - 127.0.0.1 - - -u - - "{{ bookstack_db_user }}" - - "-p{{ bookstack_db_password }}" - - "{{ bookstack_db_name }}" - - -Nse - - "SHOW TABLES LIKE 'users';" - register: _users_table - retries: 30 - delay: 5 - until: _users_table.stdout | trim == 'users' - changed_when: false - no_log: true - -- name: Check whether the initial admin already exists - community.docker.docker_container_exec: - container: "{{ bookstack_service_name }}-db" - argv: - - mariadb - - --protocol=tcp - - -h - - 127.0.0.1 - - -u - - "{{ bookstack_db_user }}" - - "-p{{ bookstack_db_password }}" - - "{{ bookstack_db_name }}" - - -Nse - - "SELECT COUNT(*) FROM users WHERE email = '{{ bookstack_admin_email }}';" - register: _admin_exists - changed_when: false - no_log: true - -- name: Create initial admin user - community.docker.docker_container_exec: - container: "{{ bookstack_service_name }}" - argv: - - php - - "{{ bookstack_artisan_path }}" - - bookstack:create-admin - - "--email={{ bookstack_admin_email }}" - - "--name={{ bookstack_admin_name }}" - - "--password={{ bookstack_admin_password }}" - when: (_admin_exists.stdout | trim | int) == 0 - no_log: true - -# ===================================================================== -# 5. BACKUP: systemd timer for daily DB + uploads dump -# ===================================================================== - -- name: Render backup script - ansible.builtin.template: - src: backup.sh.j2 - dest: /usr/local/bin/bookstack-backup.sh - owner: root - group: root - mode: '0750' - when: bookstack_backup_enabled | bool - -- name: Render backup systemd service - ansible.builtin.template: - src: bookstack-backup.service.j2 - dest: /etc/systemd/system/bookstack-backup.service - mode: '0644' - when: bookstack_backup_enabled | bool - notify: reload systemd - -- name: Render backup systemd timer - ansible.builtin.template: - src: bookstack-backup.timer.j2 - dest: /etc/systemd/system/bookstack-backup.timer - mode: '0644' - when: bookstack_backup_enabled | bool - notify: reload systemd - -- name: Enable and start backup timer - ansible.builtin.systemd: - name: bookstack-backup.timer - enabled: true - state: started - daemon_reload: true - when: bookstack_backup_enabled | bool - -- name: Disable backup timer when feature is off - ansible.builtin.systemd: - name: bookstack-backup.timer - enabled: false - state: stopped - when: not (bookstack_backup_enabled | bool) - failed_when: false diff --git a/roles/bookstack/templates/backup.sh.j2 b/roles/bookstack/templates/backup.sh.j2 deleted file mode 100644 index 65217c2..0000000 --- a/roles/bookstack/templates/backup.sh.j2 +++ /dev/null @@ -1,41 +0,0 @@ -#!/bin/bash -# {{ ansible_managed }} -set -euo pipefail - -BACKUP_DIR="{{ bookstack_backup_dir }}" -RETENTION_DAYS={{ bookstack_backup_retention_days }} -APPDATA_DIR="{{ bookstack_appdata_dir }}" -STAMP="$(date +%Y%m%d-%H%M%S)" - -mkdir -p "$BACKUP_DIR" - -# --- DB dump (mariadb-dump from inside the DB container) --- -# Use the app user via TCP because root@localhost is unix_socket-auth only -# in the LSIO MariaDB image and root@% does not exist. -docker exec {{ bookstack_service_name }}-db \ - mariadb-dump \ - --protocol=tcp -h 127.0.0.1 \ - -u "{{ bookstack_db_user }}" -p"{{ bookstack_db_password }}" \ - --single-transaction --routines --triggers --quick \ - "{{ bookstack_db_name }}" \ - | gzip -9 > "$BACKUP_DIR/bookstack-db-$STAMP.sql.gz" - -# --- File uploads (images, attachments) --- -# LSIO BookStack stores user uploads under /config/www/{uploads,storage/uploads,files}. -tar --warning=no-file-changed \ - -czf "$BACKUP_DIR/bookstack-files-$STAMP.tar.gz" \ - -C "$APPDATA_DIR/www" \ - uploads storage/uploads files 2>/dev/null || true - -# --- APP_KEY backup (critical for restore!) --- -install -m 0600 "{{ bookstack_docker_volume_dir }}/.app_key" \ - "$BACKUP_DIR/bookstack-appkey-$STAMP.txt" - -# --- Retention --- -find "$BACKUP_DIR" -type f \ - \( -name 'bookstack-db-*.sql.gz' \ - -o -name 'bookstack-files-*.tar.gz' \ - -o -name 'bookstack-appkey-*.txt' \) \ - -mtime +"$RETENTION_DAYS" -delete - -echo "Backup complete: $STAMP" \ No newline at end of file diff --git a/roles/bookstack/templates/bookstack-backup.service.j2 b/roles/bookstack/templates/bookstack-backup.service.j2 deleted file mode 100644 index cb63795..0000000 --- a/roles/bookstack/templates/bookstack-backup.service.j2 +++ /dev/null @@ -1,12 +0,0 @@ -# {{ ansible_managed }} -[Unit] -Description=BookStack backup (DB + uploads) -Requires=docker.service -After=docker.service - -[Service] -Type=oneshot -ExecStart=/usr/local/bin/bookstack-backup.sh -Nice=10 -IOSchedulingClass=best-effort -IOSchedulingPriority=7 diff --git a/roles/bookstack/templates/bookstack-backup.timer.j2 b/roles/bookstack/templates/bookstack-backup.timer.j2 deleted file mode 100644 index e13238d..0000000 --- a/roles/bookstack/templates/bookstack-backup.timer.j2 +++ /dev/null @@ -1,11 +0,0 @@ -# {{ ansible_managed }} -[Unit] -Description=Daily BookStack backup - -[Timer] -OnCalendar={{ bookstack_backup_schedule }} -Persistent=true -RandomizedDelaySec=300 - -[Install] -WantedBy=timers.target diff --git a/roles/bookstack/templates/docker-compose.yml.j2 b/roles/bookstack/templates/docker-compose.yml.j2 deleted file mode 100644 index 3300826..0000000 --- a/roles/bookstack/templates/docker-compose.yml.j2 +++ /dev/null @@ -1,93 +0,0 @@ -#---------------------------------------------------------------------# -# BookStack - Self-hosted wiki / knowledge base. # -#---------------------------------------------------------------------# ---- -services: - {{ bookstack_service_name }}: - image: {{ bookstack_image }} - container_name: {{ bookstack_service_name }} - restart: unless-stopped - environment: - PUID: "{{ bookstack_puid }}" - PGID: "{{ bookstack_pgid }}" - TZ: "{{ bookstack_tz }}" - APP_URL: "{{ bookstack_base_url }}" - APP_KEY: "{{ bookstack_resolved_app_key }}" - DB_HOST: "{{ bookstack_service_name }}-db" - DB_PORT: "3306" - DB_DATABASE: "{{ bookstack_db_name }}" - DB_USERNAME: "{{ bookstack_db_user }}" - DB_PASSWORD: "{{ bookstack_db_password }}" - MAIL_DRIVER: "{{ bookstack_mail_driver }}" - MAIL_HOST: "{{ bookstack_mail_host }}" - MAIL_PORT: "{{ bookstack_mail_port }}" - MAIL_USERNAME: "{{ bookstack_mail_username }}" - MAIL_PASSWORD: "{{ bookstack_mail_password }}" - MAIL_ENCRYPTION: "{{ bookstack_mail_encryption }}" - MAIL_FROM: "{{ bookstack_mail_from }}" - MAIL_FROM_NAME: "{{ bookstack_mail_from_name }}" -{% if bookstack_oidc_enabled %} - AUTH_METHOD: "oidc" - AUTH_AUTO_INITIATE: "{{ bookstack_oidc_auto_initiate | string | lower }}" - OIDC_NAME: "{{ bookstack_oidc_name }}" - OIDC_DISPLAY_NAME_CLAIMS: "name" - OIDC_CLIENT_ID: "{{ bookstack_oidc_client_id }}" - OIDC_CLIENT_SECRET: "{{ bookstack_oidc_client_secret }}" - OIDC_ISSUER: "{{ bookstack_oidc_issuer }}" - OIDC_ISSUER_DISCOVER: "true" - OIDC_END_SESSION_ENDPOINT: "true" - OIDC_ADDITIONAL_SCOPES: "{{ bookstack_oidc_additional_scopes }}" - OIDC_USER_TO_GROUPS: "{{ bookstack_oidc_user_to_groups | string | lower }}" - OIDC_GROUPS_CLAIM: "{{ bookstack_oidc_groups_claim }}" -{% endif %} - volumes: - - {{ bookstack_appdata_dir }}:/config - networks: - - {{ bookstack_traefik_network }} - - internal -{% if bookstack_extra_hosts | length > 0 %} - extra_hosts: -{% for host in bookstack_extra_hosts %} - - "{{ host }}" -{% endfor %} -{% endif %} - depends_on: - {{ bookstack_service_name }}-db: - condition: service_healthy - labels: - - "traefik.enable=true" - - "traefik.docker.network={{ bookstack_traefik_network }}" - - "traefik.http.routers.{{ bookstack_service_name }}.rule={% set _all_domains = [bookstack_domain] + (bookstack_extra_domains | default([])) %}{% for d in _all_domains %}Host(`{{ d }}`){% if not loop.last %} || {% endif %}{% endfor +%}" - - "traefik.http.routers.{{ bookstack_service_name }}.entrypoints=websecure" - - "traefik.http.routers.{{ bookstack_service_name }}.tls=true" - - "traefik.http.routers.{{ bookstack_service_name }}.tls.certresolver={{ bookstack_traefik_certresolver }}" - - "traefik.http.services.{{ bookstack_service_name }}.loadbalancer.server.port=80" - - {{ bookstack_service_name }}-db: - image: {{ bookstack_db_image }} - container_name: {{ bookstack_service_name }}-db - restart: unless-stopped - environment: - PUID: "{{ bookstack_puid }}" - PGID: "{{ bookstack_pgid }}" - TZ: "{{ bookstack_tz }}" - MYSQL_ROOT_PASSWORD: "{{ bookstack_db_root_password }}" - MYSQL_DATABASE: "{{ bookstack_db_name }}" - MYSQL_USER: "{{ bookstack_db_user }}" - MYSQL_PASSWORD: "{{ bookstack_db_password }}" - volumes: - - {{ bookstack_db_data_dir }}:/config - networks: - - internal - healthcheck: - test: ["CMD-SHELL", "mariadb-admin ping -h 127.0.0.1 -u root --password=\"$$MYSQL_ROOT_PASSWORD\" --silent"] - interval: 10s - timeout: 5s - retries: 12 - start_period: 60s - -networks: - {{ bookstack_traefik_network }}: - external: true - internal: - driver: bridge diff --git a/roles/bookstack/tests/inventory b/roles/bookstack/tests/inventory deleted file mode 100644 index 2fbb50c..0000000 --- a/roles/bookstack/tests/inventory +++ /dev/null @@ -1 +0,0 @@ -localhost diff --git a/roles/bookstack/tests/test.yml b/roles/bookstack/tests/test.yml deleted file mode 100644 index 15b9be3..0000000 --- a/roles/bookstack/tests/test.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- hosts: localhost - remote_user: root - roles: - - bookstack diff --git a/roles/collabora/README.md b/roles/collabora/README.md index d216c49..225dd44 100644 --- a/roles/collabora/README.md +++ b/roles/collabora/README.md @@ -1,42 +1,38 @@ -# collabora +Role Name +========= -Deploys [Collabora Online](https://www.collaboraonline.com/) (CODE, -`collabora/code`) via Docker Compose behind Traefik. Collabora is the -WOPI backend that renders office documents for Nextcloud and OpenCloud. +A brief description of the role goes here. -The role templates `coolwsd.xml` to declare which WOPI hosts may call -Collabora and which origins may embed it in an iframe. +Requirements +------------ -## Role variables +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. -| Variable | Default | Description | -| --- | --- | --- | -| `collabora_domains` | `[office.local.test]` | FQDNs the router accepts; first is canonical. | -| `collabora_image` | `collabora/code:latest` | Container image. | -| `collabora_port` | `9980` | Container port Traefik forwards to. | -| `collabora_traefik_network` | `proxy` | Docker network shared with Traefik. | -| `collabora_use_ssl` | `true` | Enable the TLS resolver on the router. | -| `collabora_ssl_verification` | `true` | Verify TLS on WOPI callbacks (false for self-signed). | -| `collabora_allowed_domains` | `[nextcloud.local.test]` | WOPI hosts allowed to call Collabora (regex). | -| `collabora_frame_ancestors` | `[nextcloud.local.test]` | Origins allowed to embed Collabora in an iframe. | -| `collabora_extra_hosts` | `[]` | Extra `host:ip` entries for in-container DNS. | +Role Variables +-------------- -## Example +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. -```yaml -- hosts: services - become: true - roles: - - role: digitalboard.core.collabora - vars: - collabora_domains: - - "office.example.com" - collabora_allowed_domains: - - "cloud.example.com" - collabora_frame_ancestors: - - "cloud.example.com" -``` +Dependencies +------------ -## License +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. -MIT-0 +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/collabora/defaults/main.yml b/roles/collabora/defaults/main.yml index 11aa468..3cfb559 100644 --- a/roles/collabora/defaults/main.yml +++ b/roles/collabora/defaults/main.yml @@ -12,11 +12,7 @@ collabora_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ collabora_servic collabora_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ collabora_service_name }}" # Service configuration -# FQDNs the collabora router accepts. The first entry is the canonical -# domain; further entries cover internal *.int.* names used for -# server-to-server WOPI discovery. -collabora_domains: - - "office.local.test" +collabora_domain: "office.local.test" collabora_image: "collabora/code:latest" collabora_port: 9980 collabora_extra_hosts: [] diff --git a/roles/collabora/handlers/main.yml b/roles/collabora/handlers/main.yml index 3364bcc..bfd2b02 100644 --- a/roles/collabora/handlers/main.yml +++ b/roles/collabora/handlers/main.yml @@ -5,4 +5,4 @@ - name: restart collabora community.docker.docker_compose_v2: project_src: "{{ collabora_docker_compose_dir }}" - state: present \ No newline at end of file + state: restarted \ No newline at end of file diff --git a/roles/collabora/meta/main.yml b/roles/collabora/meta/main.yml index 0dc353e..6f91fd3 100644 --- a/roles/collabora/meta/main.yml +++ b/roles/collabora/meta/main.yml @@ -1,27 +1,35 @@ #SPDX-License-Identifier: MIT-0 galaxy_info: - author: digitalboard - description: Deploy Collabora Online (CODE) as a WOPI backend via Docker Compose behind Traefik - company: Digitalboard - license: MIT-0 + author: your name + description: your role description + company: your company (optional) - min_ansible_version: "2.14" + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker - platforms: - - name: Debian - versions: - - bookworm - - name: Ubuntu - versions: - - jammy - - noble + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) - galaxy_tags: - - collabora - - office - - wopi - - nextcloud - - docker - - digitalboard + min_ansible_version: 2.2 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/collabora/templates/docker-compose.yml.j2 b/roles/collabora/templates/docker-compose.yml.j2 index 353a08b..c0f589e 100644 --- a/roles/collabora/templates/docker-compose.yml.j2 +++ b/roles/collabora/templates/docker-compose.yml.j2 @@ -20,14 +20,11 @@ services: labels: - traefik.enable=true - traefik.docker.network={{ collabora_traefik_network }} - - traefik.http.routers.{{ collabora_service_name }}.rule={% for d in collabora_domains %}Host(`{{ d }}`){% if not loop.last %} || {% endif %}{% endfor +%} + - traefik.http.routers.{{ collabora_service_name }}.rule=Host(`{{ collabora_domain }}`) - traefik.http.services.{{ collabora_service_name }}.loadbalancer.server.port={{ collabora_port }} {% if collabora_use_ssl %} - traefik.http.routers.{{ collabora_service_name }}.entrypoints=websecure - traefik.http.routers.{{ collabora_service_name }}.tls=true -{% if traefik_cert_mode | default('selfsigned') == 'acme' %} - - traefik.http.routers.{{ collabora_service_name }}.tls.certresolver={{ traefik_ssl_cert_resolver | default('dns') }} -{% endif %} {% else %} - traefik.http.routers.{{ collabora_service_name }}.entrypoints=web {% endif %} diff --git a/roles/coturn/README.md b/roles/coturn/README.md deleted file mode 100644 index 13d1c3e..0000000 --- a/roles/coturn/README.md +++ /dev/null @@ -1,69 +0,0 @@ -# coturn - -Deploys a [coturn](https://github.com/coturn/coturn) TURN/STUN server with `network_mode: host`, -optionally accompanied by an `acme.sh` sidecar that obtains and renews a public TLS certificate -via RFC2136 (`nsupdate`) and restarts coturn on renewal. - -This is the recommended pairing for `digitalboard.core.talk` (Nextcloud Talk HPB). - -## What it does - -- Renders `/etc/docker/compose/coturn/docker-compose.yml` -- (acme mode) Deploys the TSIG key from `playbooks/secrets/{{ inventory_hostname }}/nsupdate.key` -- (selfsigned mode) Generates an ECC keypair + selfsigned cert in `{{ coturn_cert_dir }}` -- Starts the stack via `community.docker.docker_compose_v2` - -## Required variables - -| Variable | Description | -|---|---| -| `coturn_realm` | Public DNS name used as realm + cert CN (e.g. `stun.digitalboard.ch`) | -| `coturn_external_ip` | Mapping for `--external-ip`, format `PUBLIC[/PRIVATE]` | -| `coturn_static_auth_secret` | Shared secret for HMAC-based credentials; **must match** `talk_turn_secret` on the HPB host | - -## Important variables - -| Variable | Default | Description | -|---|---|---| -| `coturn_cert_mode` | `file` | One of `acme`, `file`, `selfsigned` | -| `coturn_listening_port` | `443` | TCP/UDP non-TLS port | -| `coturn_tls_listening_port` | `443` | TLS port (shared with non-TLS via STUN mux) | -| `coturn_min_relay_port` / `coturn_max_relay_port` | `49160` / `49200` | UDP relay range | -| `coturn_internal_realm` | `""` | Optional second SAN for split-horizon DNS | -| `coturn_image` | `coturn/coturn:4.6.2-r5-alpine` | Pinned by default; override as needed | - -## ACME / nsupdate mode - -When `coturn_cert_mode: acme` is set, also configure: - -```yaml -coturn_acme_email: "admin@digitalboard.ch" -coturn_acme_nsupdate_server: "ns1.digitalboard.ch" -coturn_acme_nsupdate_server_ip: "172.16.9.169" # optional pin -coturn_acme_nsupdate_zone: "digitalboard._acme.digitalboard.ch" -# optional: override the auto-built challenge alias mapping -coturn_acme_challenge_aliases: - - name: stun.digitalboard.ch - alias: stun.digitalboard._acme.digitalboard.ch - - name: stun.int.digitalboard.ch - alias: stun.int.digitalboard._acme.digitalboard.ch -``` - -Place your TSIG key at `playbooks/secrets/{{ inventory_hostname }}/nsupdate.key` (mode 0600). - -## Secrets - -Place the static auth secret at: - -``` -playbooks/secrets/{{ inventory_hostname }}/coturn_static_auth_secret -``` - -Mode 0600. The same value must be deployed to the HPB host as `talk_turn_secret`. - -## Firewall - -The role does not manage firewall rules. Ensure the host has: - -- `443/tcp` and `443/udp` reachable from the internet -- UDP `{{ coturn_min_relay_port }}-{{ coturn_max_relay_port }}` reachable from the internet diff --git a/roles/coturn/defaults/main.yml b/roles/coturn/defaults/main.yml deleted file mode 100644 index 580d9da..0000000 --- a/roles/coturn/defaults/main.yml +++ /dev/null @@ -1,77 +0,0 @@ -#SPDX-License-Identifier: MIT-0 ---- -# defaults file for coturn - -# Base directories (inherited from base role) -docker_compose_base_dir: /etc/docker/compose -docker_volume_base_dir: /srv/data - -# Service-specific paths -coturn_service_name: coturn -coturn_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ coturn_service_name }}" -coturn_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ coturn_service_name }}" - -# Container images (pin per host_vars in production) -coturn_image: "coturn/coturn:4.6.2-r5-alpine" -coturn_acme_image: "neilpang/acme.sh:3.1.0" - -# Public DNS name used for the realm and the public certificate -coturn_realm: "stun.example.test" -# Optional second DNS name issued on the same certificate (for split-horizon "internal" name) -coturn_internal_realm: "" # e.g. "stun.int.example.test" - -# Ports -# Defaults follow IANA standards (3478/TURN, 5349/TURNS) so coturn can -# co-exist with a Traefik instance on the same host. Override to 443/443 -# in restrictive-network environments where punching through firewalls matters. -coturn_listening_port: 3478 # TURN / STUN (TCP+UDP) -coturn_tls_listening_port: 5349 # TURNS (TCP+UDP) -coturn_min_relay_port: 49160 -coturn_max_relay_port: 49200 - -# IP advertisement: must be set in host_vars for production -# Format follows coturn's --external-ip: "PUBLIC_IP" or "PUBLIC_IP/PRIVATE_IP" -coturn_external_ip: "" # e.g. "203.0.113.10/172.18.0.2" -coturn_listening_ip: "0.0.0.0" - -# Shared secret used by HPB to mint short-lived TURN credentials. -# Loaded by default from a plain file in playbooks/secrets/{host}/coturn_static_auth_secret -# Override per host_vars if you want to use a vault or different lookup. -coturn_static_auth_secret: "{{ lookup('file', playbook_dir ~ '/secrets/' ~ inventory_hostname ~ '/coturn_static_auth_secret') }}" - -# Additional CLI flags (list of strings, appended verbatim to command:) -coturn_extra_args: [] - -# --- TLS certificate --- -# 'acme' : run an acme.sh sidecar that issues + renews via RFC2136 / nsupdate, restarts coturn -# 'file' : assume a certificate already lives at {{ coturn_cert_dir }}/{{ coturn_cert_file }} on the host (you manage it) -# 'selfsigned' : generate a selfsigned cert on first run (for vagrant/dev only) -coturn_cert_mode: "file" - -coturn_cert_dir: "{{ docker_volume_base_dir }}/acme/certs" -coturn_cert_file: "fullchain.cer" -coturn_key_file: "{{ coturn_realm }}.key" - -# --- acme.sh sidecar (only used when coturn_cert_mode == 'acme') --- -coturn_acme_email: "admin@example.test" -coturn_acme_directory: "https://acme-v02.api.letsencrypt.org/directory" -# Stage URL for testing: "https://acme-staging-v02.api.letsencrypt.org/directory" -coturn_acme_keylength: "ec-256" -coturn_acme_dnssleep: 60 -coturn_acme_data_dir: "{{ docker_volume_base_dir }}/acme/acme" - -# DNS-01 RFC2136 / nsupdate configuration -coturn_acme_nsupdate_server: "" # e.g. "ns1.example.test" -coturn_acme_nsupdate_server_ip: "" # optional extra_hosts pin (string IP) for the server -coturn_acme_nsupdate_zone: "" # e.g. "example._acme.example.test" -# Per-name challenge alias zones (one entry per SAN) -# When empty (default), built automatically as "{{ realm }}._acme.{{ zone-tail }}" -coturn_acme_challenge_aliases: [] -# Example: -# - name: stun.example.test -# alias: stun.example._acme.example.test -# - name: stun.int.example.test -# alias: stun.int.example._acme.example.test - -# Path of the TSIG key file inside the container (mounted from secrets) -coturn_acme_nsupdate_key_src: "{{ playbook_dir }}/secrets/{{ inventory_hostname }}/nsupdate.key" diff --git a/roles/coturn/handlers/main.yml b/roles/coturn/handlers/main.yml deleted file mode 100644 index 0abd12f..0000000 --- a/roles/coturn/handlers/main.yml +++ /dev/null @@ -1,10 +0,0 @@ -#SPDX-License-Identifier: MIT-0 ---- -# handlers file for coturn - -- name: Restart coturn container - community.docker.docker_compose_v2: - project_src: "{{ coturn_docker_compose_dir }}" - state: restarted - services: - - coturn diff --git a/roles/coturn/meta/argument_specs.yml b/roles/coturn/meta/argument_specs.yml deleted file mode 100644 index 55a9b3e..0000000 --- a/roles/coturn/meta/argument_specs.yml +++ /dev/null @@ -1,148 +0,0 @@ ---- -argument_specs: - main: - short_description: Deploy a coturn TURN/STUN server with optional acme.sh sidecar. - description: - - "Renders a Docker Compose stack for coturn running in - C(network_mode: host), with an optional C(acme.sh) sidecar that - issues + renews a public TLS certificate via RFC2136 / nsupdate - and restarts coturn on renewal." - - Designed to be paired with the C(digitalboard.core.talk) role - (Nextcloud Talk High Performance Backend). - options: - docker_compose_base_dir: - type: path - default: /etc/docker/compose - docker_volume_base_dir: - type: path - default: /srv/data - coturn_service_name: - type: str - default: coturn - coturn_docker_compose_dir: - type: path - coturn_docker_volume_dir: - type: path - - coturn_image: - type: str - default: "coturn/coturn:4.6.2-r5-alpine" - coturn_acme_image: - type: str - default: "neilpang/acme.sh:3.1.0" - - coturn_realm: - type: str - default: stun.example.test - description: Public DNS name used for the TURN realm and the public certificate. - coturn_internal_realm: - type: str - default: '' - description: - - Optional second DNS name issued on the same certificate, used for - split-horizon internal access (e.g. C(stun.int.example.test)). - - coturn_listening_port: - type: int - default: 3478 - description: TURN/STUN port (TCP + UDP). IANA standard is 3478. - coturn_tls_listening_port: - type: int - default: 5349 - description: TURNS port (TCP + UDP). IANA standard is 5349. - coturn_min_relay_port: - type: int - default: 49160 - coturn_max_relay_port: - type: int - default: 49200 - - coturn_external_ip: - type: str - default: '' - description: - - coturn C(--external-ip) value. Format C("PUBLIC_IP") or - C("PUBLIC_IP/PRIVATE_IP"). Must be set in host_vars for production. - coturn_listening_ip: - type: str - default: '0.0.0.0' - - coturn_static_auth_secret: - type: str - required: true - description: - - Shared secret used by the HPB signaling server to mint short-lived - TURN credentials. Default lookup reads - C(playbooks/secrets//coturn_static_auth_secret). - - coturn_extra_args: - type: list - elements: str - default: [] - description: Additional CLI flags appended verbatim to the container C(command:). - - coturn_cert_mode: - type: str - choices: [acme, file, selfsigned] - default: file - description: - - C(acme) runs an acme.sh sidecar that issues + renews via RFC2136 - and restarts coturn. C(file) assumes a certificate already lives - on the host (you manage it). C(selfsigned) generates one on first - run (vagrant/dev only). - coturn_cert_dir: - type: path - coturn_cert_file: - type: str - default: fullchain.cer - coturn_key_file: - type: str - description: Defaults to C("{{ coturn_realm }}.key"). - - coturn_acme_email: - type: str - default: admin@example.test - coturn_acme_directory: - type: str - default: https://acme-v02.api.letsencrypt.org/directory - coturn_acme_keylength: - type: str - default: ec-256 - choices: [ec-256, ec-384, '2048', '3072', '4096'] - coturn_acme_dnssleep: - type: int - default: 60 - coturn_acme_data_dir: - type: path - - coturn_acme_nsupdate_server: - type: str - default: '' - description: Authoritative nameserver acme.sh sends C(nsupdate) packets to. - coturn_acme_nsupdate_server_ip: - type: str - default: '' - description: Optional C(extra_hosts) pin (string IP) for the nsupdate server. - coturn_acme_nsupdate_zone: - type: str - default: '' - description: Delegated challenge zone (e.g. C(example._acme.example.test)). - coturn_acme_challenge_aliases: - type: list - elements: dict - default: [] - description: - - Per-name challenge alias zones (one entry per SAN). When empty, - built automatically as C({{ realm }}._acme.{{ zone-tail }}). - options: - name: - type: str - required: true - description: SAN the challenge is for. - alias: - type: str - required: true - description: CNAME target where the C(_acme-challenge) TXT lives. - coturn_acme_nsupdate_key_src: - type: path - description: Path of the TSIG key file on the controller, mounted into the acme container. diff --git a/roles/coturn/meta/main.yml b/roles/coturn/meta/main.yml deleted file mode 100644 index 68d93a9..0000000 --- a/roles/coturn/meta/main.yml +++ /dev/null @@ -1,15 +0,0 @@ -#SPDX-License-Identifier: MIT-0 -galaxy_info: - author: Digital Board Team - description: Deploy a coturn TURN/STUN server with optional acme.sh sidecar (RFC2136/nsupdate) - company: digitalboard.ch - license: GPL-2.0-or-later - min_ansible_version: "2.14" - galaxy_tags: - - turn - - stun - - coturn - - webrtc - - nextcloud - - talk -dependencies: [] diff --git a/roles/coturn/tasks/main.yml b/roles/coturn/tasks/main.yml deleted file mode 100644 index cf9c15a..0000000 --- a/roles/coturn/tasks/main.yml +++ /dev/null @@ -1,110 +0,0 @@ -#SPDX-License-Identifier: MIT-0 ---- -# tasks file for coturn - -- name: Assert minimum configuration - ansible.builtin.assert: - that: - - coturn_realm | length > 0 - - coturn_external_ip | length > 0 - - coturn_static_auth_secret | length > 0 - fail_msg: > - coturn_realm, coturn_external_ip and coturn_static_auth_secret must be set. - Provide them in host_vars or via a secrets file. - -- name: Create coturn compose directory - ansible.builtin.file: - path: "{{ coturn_docker_compose_dir }}" - state: directory - mode: "0755" - -- name: Create coturn data directory - ansible.builtin.file: - path: "{{ coturn_docker_volume_dir }}" - state: directory - mode: "0755" - -- name: Create certificate directory - ansible.builtin.file: - path: "{{ coturn_cert_dir }}" - state: directory - mode: "0755" - -# --- TLS certificate provisioning ------------------------------------------------- - -- name: Configure acme.sh sidecar (TSIG key + acme data dir) - when: coturn_cert_mode == 'acme' - block: - - name: Create acme.sh data directory - ansible.builtin.file: - path: "{{ coturn_acme_data_dir }}" - state: directory - mode: "0700" - - - name: Deploy nsupdate TSIG key - ansible.builtin.copy: - src: "{{ coturn_acme_nsupdate_key_src }}" - dest: "{{ coturn_docker_compose_dir }}/nsupdate.key" - mode: "0600" - no_log: true - notify: Restart coturn container - - - name: Build effective challenge alias list (default if not provided) - ansible.builtin.set_fact: - _coturn_challenge_aliases: >- - {{ coturn_acme_challenge_aliases - if coturn_acme_challenge_aliases | length > 0 - else ( - [{'name': coturn_realm, - 'alias': (coturn_realm.split('.')[:-2] | join('.')) ~ '.' ~ coturn_acme_nsupdate_zone }] - + ([{'name': coturn_internal_realm, - 'alias': (coturn_internal_realm.split('.')[:-2] | join('.')) ~ '.' ~ coturn_acme_nsupdate_zone }] - if coturn_internal_realm | length > 0 else []) - ) - }} - -- name: Generate selfsigned certificate (vagrant / dev only) - when: coturn_cert_mode == 'selfsigned' - block: - - name: Ensure openssl is available - ansible.builtin.package: - name: openssl - state: present - - - name: Generate selfsigned private key - community.crypto.openssl_privatekey: - path: "{{ coturn_cert_dir }}/{{ coturn_key_file }}" - type: ECC - curve: secp256r1 - mode: "0600" - - - name: Generate selfsigned CSR - community.crypto.openssl_csr: - path: "{{ coturn_cert_dir }}/{{ coturn_realm }}.csr" - privatekey_path: "{{ coturn_cert_dir }}/{{ coturn_key_file }}" - common_name: "{{ coturn_realm }}" - subject_alt_name: - - "DNS:{{ coturn_realm }}" - mode: "0644" - - - name: Issue selfsigned certificate - community.crypto.x509_certificate: - path: "{{ coturn_cert_dir }}/{{ coturn_cert_file }}" - privatekey_path: "{{ coturn_cert_dir }}/{{ coturn_key_file }}" - csr_path: "{{ coturn_cert_dir }}/{{ coturn_realm }}.csr" - provider: selfsigned - mode: "0644" - -# --- Compose + start -------------------------------------------------------------- - -- name: Generate docker-compose.yml for coturn - ansible.builtin.template: - src: docker-compose.yml.j2 - dest: "{{ coturn_docker_compose_dir }}/docker-compose.yml" - mode: "0644" - notify: Restart coturn container - -- name: Start coturn stack - community.docker.docker_compose_v2: - project_src: "{{ coturn_docker_compose_dir }}" - state: present diff --git a/roles/coturn/templates/docker-compose.yml.j2 b/roles/coturn/templates/docker-compose.yml.j2 deleted file mode 100644 index 42bdcb5..0000000 --- a/roles/coturn/templates/docker-compose.yml.j2 +++ /dev/null @@ -1,78 +0,0 @@ -services: - coturn: - image: {{ coturn_image }} - container_name: {{ coturn_service_name }} - restart: always - network_mode: host - volumes: - - {{ coturn_cert_dir }}:/certs:ro - command: - - --use-auth-secret - - --static-auth-secret={{ coturn_static_auth_secret }} - - --realm={{ coturn_realm }} - - --fingerprint - - --no-multicast-peers - - --no-cli - - --listening-ip={{ coturn_listening_ip }} - - --listening-port={{ coturn_listening_port }} - - --tls-listening-port={{ coturn_tls_listening_port }} - - --min-port={{ coturn_min_relay_port }} - - --max-port={{ coturn_max_relay_port }} - - --cert=/certs/{{ coturn_cert_file }} - - --pkey=/certs/{{ coturn_key_file }} - - --external-ip={{ coturn_external_ip }} -{% for arg in coturn_extra_args %} - - {{ arg }} -{% endfor %} - -{% if coturn_cert_mode == 'acme' %} - acme: - image: {{ coturn_acme_image }} - container_name: acme-{{ coturn_service_name }} - restart: always - environment: - NSUPDATE_SERVER: "{{ coturn_acme_nsupdate_server }}" - NSUPDATE_KEY: "/acme.sh/nsupdate.key" - ACME_DIRECTORY: "{{ coturn_acme_directory }}" - NSUPDATE_ZONE: "{{ coturn_acme_nsupdate_zone }}" -{% if coturn_acme_nsupdate_server_ip | length > 0 %} - extra_hosts: - - "{{ coturn_acme_nsupdate_server }}:{{ coturn_acme_nsupdate_server_ip }}" -{% endif %} - volumes: - - {{ coturn_cert_dir }}:/certs - - /var/run/docker.sock:/var/run/docker.sock - - {{ coturn_docker_compose_dir }}/nsupdate.key:/acme.sh/nsupdate.key:ro - - {{ coturn_acme_data_dir }}:/acme.sh - entrypoint: - - /bin/sh - - -c - - | - set -eu - acme.sh --set-default-ca --server "$$ACME_DIRECTORY" - acme.sh --register-account -m {{ coturn_acme_email }} || true - set +e - acme.sh --issue \ -{% for san in _coturn_challenge_aliases %} - -d {{ san.name }} \ - --challenge-alias {{ san.alias }} \ -{% endfor %} - --dns dns_nsupdate \ - --keylength {{ coturn_acme_keylength }} \ - --dnssleep {{ coturn_acme_dnssleep }} - rc=$$? - set -e - if [ "$$rc" -eq 0 ]; then - echo "Issue: success" - elif [ "$$rc" -eq 2 ]; then - echo "Issue: not due, continuing" - else - echo "Issue: failed with rc=$$rc" - exit "$$rc" - fi - acme.sh --install-cert -d {{ coturn_realm }} --ecc \ - --fullchain-file /certs/{{ coturn_cert_file }} \ - --key-file /certs/{{ coturn_key_file }} \ - --reloadcmd 'curl --fail --silent --show-error --unix-socket /var/run/docker.sock -X POST http://localhost/v1.41/containers/{{ coturn_service_name }}/restart' || true - exec crond -f -{% endif %} diff --git a/roles/coturn/tests/inventory b/roles/coturn/tests/inventory deleted file mode 100644 index eec845d..0000000 --- a/roles/coturn/tests/inventory +++ /dev/null @@ -1,2 +0,0 @@ -#SPDX-License-Identifier: MIT-0 -localhost \ No newline at end of file diff --git a/roles/coturn/tests/tests.yml b/roles/coturn/tests/tests.yml deleted file mode 100644 index 828e0fb..0000000 --- a/roles/coturn/tests/tests.yml +++ /dev/null @@ -1,6 +0,0 @@ -#SPDX-License-Identifier: MIT-0 ---- -- hosts: localhost - remote_user: root - roles: - - coturn diff --git a/roles/drawio/README.md b/roles/drawio/README.md index ca8275a..225dd44 100644 --- a/roles/drawio/README.md +++ b/roles/drawio/README.md @@ -1,60 +1,38 @@ -# Drawio +Role Name +========= -Ansible role to deploy [draw.io](https://www.drawio.com/) (the -self-hosted `jgraph/drawio` container) via Docker Compose behind -Traefik, with optional authentik ForwardAuth gating. +A brief description of the role goes here. -## Requirements +Requirements +------------ -- Docker and Docker Compose installed on the target host -- Ansible collection: `community.docker` -- Traefik with a shared `drawio_traefik_network` (default `proxy`) -- For ForwardAuth: a reachable authentik embedded outpost endpoint +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. -## Role variables +Role Variables +-------------- -Full spec with types and defaults: `meta/argument_specs.yml`. The most -common overrides: +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. -### Service +Dependencies +------------ -- `drawio_domain`: canonical hostname used in the traefik Host rule - (default `drawio.local.test`). -- `drawio_extra_domains`: additional hostnames the same container - should answer on (e.g. an internal `*.int.*` FQDN so a DMZ proxy - can reach drawio via a backend hostname). -- `drawio_image`, `drawio_port`, `drawio_use_ssl`. +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. -### Authentik ForwardAuth +Example Playbook +---------------- -- `drawio_authentik_forward_auth`: set to `true` to gate the editor - behind authentik. -- `drawio_authentik_forward_auth_url`: full URL of the embedded - outpost ForwardAuth endpoint, e.g. - `https://auth.example.com/outpost.goauthentik.io/auth/traefik`. +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: -When enabled, traefik redirects unauthenticated requests to authentik -for login and forwards the resulting `X-Authentik-*` identity headers -downstream. + - hosts: servers + roles: + - { role: username.rolename, x: 42 } -## Dependencies +License +------- -- Traefik network (`drawio_traefik_network`, default `proxy`) -- Optional: authentik with a Proxy/ForwardAuth provider for drawio - (see the `authentik` role's `authentik_proxy_apps`). +BSD -## Example playbook +Author Information +------------------ -```yaml -- hosts: app_servers - roles: - - role: digitalboard.core.drawio - vars: - drawio_domain: "drawio.example.com" - drawio_authentik_forward_auth: true - drawio_authentik_forward_auth_url: "https://auth.example.com/outpost.goauthentik.io/auth/traefik" -``` - -## License - -MIT-0 +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/drawio/defaults/main.yml b/roles/drawio/defaults/main.yml index 22b9238..7b67976 100644 --- a/roles/drawio/defaults/main.yml +++ b/roles/drawio/defaults/main.yml @@ -11,21 +11,10 @@ drawio_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ drawio_service_name # Service configuration drawio_domain: "drawio.local.test" -# Additional hostnames the same drawio container should answer on -# (e.g. an internal *.int.* FQDN so a DMZ reverseproxy can reach -# drawio via a backend hostname covered by the local traefik cert). -drawio_extra_domains: [] drawio_image: "jgraph/drawio:latest" drawio_port: 8080 drawio_extra_hosts: [] # Traefik configuration drawio_traefik_network: "proxy" -drawio_use_ssl: true - -# Optional Authentik ForwardAuth (set to true and provide the URL to gate -# drawio behind an authentik proxy provider). Expects the authentik -# embedded outpost to expose the /outpost.goauthentik.io/auth/traefik -# endpoint on the configured URL (typically the public auth.* FQDN). -drawio_authentik_forward_auth: false -drawio_authentik_forward_auth_url: "" \ No newline at end of file +drawio_use_ssl: true \ No newline at end of file diff --git a/roles/drawio/handlers/main.yml b/roles/drawio/handlers/main.yml index b68633d..f1ef0da 100644 --- a/roles/drawio/handlers/main.yml +++ b/roles/drawio/handlers/main.yml @@ -5,4 +5,4 @@ - name: restart drawio community.docker.docker_compose_v2: project_src: "{{ drawio_docker_compose_dir }}" - state: present \ No newline at end of file + state: restarted \ No newline at end of file diff --git a/roles/drawio/meta/argument_specs.yml b/roles/drawio/meta/argument_specs.yml deleted file mode 100644 index f5f1e41..0000000 --- a/roles/drawio/meta/argument_specs.yml +++ /dev/null @@ -1,64 +0,0 @@ ---- -argument_specs: - main: - short_description: Deploy draw.io diagram editor via Docker Compose behind Traefik. - description: - - Renders a Compose stack for jgraph/drawio with traefik labels, optional - TLS and optional authentik ForwardAuth gating. - options: - docker_compose_base_dir: - type: path - default: /etc/docker/compose - drawio_service_name: - type: str - default: drawio - drawio_docker_compose_dir: - type: path - description: Defaults to C({{ docker_compose_base_dir }}/{{ drawio_service_name }}). - - drawio_domain: - type: str - default: drawio.local.test - description: Canonical hostname used in the traefik Host rule. - drawio_extra_domains: - type: list - elements: str - default: [] - description: - - Additional hostnames the same drawio container should answer on, - e.g. an internal C(*.int.*) FQDN so a DMZ reverse-proxy can reach - drawio via a backend hostname covered by the local traefik cert. - drawio_image: - type: str - default: jgraph/drawio:latest - drawio_port: - type: int - default: 8080 - drawio_extra_hosts: - type: list - elements: str - default: [] - description: C(extra_hosts) entries injected into the container (Docker C(host:ip) syntax). - - drawio_traefik_network: - type: str - default: proxy - drawio_use_ssl: - type: bool - default: true - - drawio_authentik_forward_auth: - type: bool - default: false - description: - - When true, traefik attaches a ForwardAuth middleware pointing at - the authentik embedded outpost. Unauthenticated requests are - redirected to authentik for login and the resulting - C(X-Authentik-*) identity headers are forwarded downstream. - drawio_authentik_forward_auth_url: - type: str - default: '' - description: - - URL of the authentik ForwardAuth endpoint, typically - C(https://auth.example.com/outpost.goauthentik.io/auth/traefik). - Required when C(drawio_authentik_forward_auth=true). diff --git a/roles/drawio/meta/main.yml b/roles/drawio/meta/main.yml index b61826f..6f91fd3 100644 --- a/roles/drawio/meta/main.yml +++ b/roles/drawio/meta/main.yml @@ -1,26 +1,35 @@ #SPDX-License-Identifier: MIT-0 galaxy_info: - author: digitalboard - description: Deploy the draw.io diagram editor via Docker Compose behind Traefik, with optional authentik ForwardAuth - company: Digitalboard - license: MIT-0 + author: your name + description: your role description + company: your company (optional) - min_ansible_version: "2.14" + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker - platforms: - - name: Debian - versions: - - bookworm - - name: Ubuntu - versions: - - jammy - - noble + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) - galaxy_tags: - - drawio - - diagrams - - docker - - traefik - - digitalboard + min_ansible_version: 2.2 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/drawio/templates/docker-compose.yml.j2 b/roles/drawio/templates/docker-compose.yml.j2 index a7e44b7..b6b9ef5 100644 --- a/roles/drawio/templates/docker-compose.yml.j2 +++ b/roles/drawio/templates/docker-compose.yml.j2 @@ -14,26 +14,14 @@ services: labels: - traefik.enable=true - traefik.docker.network={{ drawio_traefik_network }} - - traefik.http.routers.{{ drawio_service_name }}.rule={% set _all_domains = [drawio_domain] + (drawio_extra_domains | default([])) %}{% for d in _all_domains %}Host(`{{ d }}`){% if not loop.last %} || {% endif %}{% endfor +%} + - traefik.http.routers.{{ drawio_service_name }}.rule=Host(`{{ drawio_domain }}`) - traefik.http.services.{{ drawio_service_name }}.loadbalancer.server.port={{ drawio_port }} {% if drawio_use_ssl %} - traefik.http.routers.{{ drawio_service_name }}.entrypoints=websecure - traefik.http.routers.{{ drawio_service_name }}.tls=true -{% if traefik_cert_mode | default('selfsigned') == 'acme' %} - - traefik.http.routers.{{ drawio_service_name }}.tls.certresolver={{ traefik_ssl_cert_resolver | default('dns') }} -{% endif %} {% else %} - traefik.http.routers.{{ drawio_service_name }}.entrypoints=web {% endif %} -{% if drawio_authentik_forward_auth | default(false) %} - # ForwardAuth via the authentik embedded outpost. Unauthenticated - # requests get redirected to authentik to log in; authentik then - # sets X-Authentik-* headers traefik forwards downstream. - - traefik.http.middlewares.{{ drawio_service_name }}-authentik.forwardauth.address={{ drawio_authentik_forward_auth_url }} - - traefik.http.middlewares.{{ drawio_service_name }}-authentik.forwardauth.trustForwardHeader=true - - traefik.http.middlewares.{{ drawio_service_name }}-authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version - - traefik.http.routers.{{ drawio_service_name }}.middlewares={{ drawio_service_name }}-authentik -{% endif %} networks: {{ drawio_traefik_network }}: diff --git a/roles/garage/README.md b/roles/garage/README.md index 35fdc04..a369527 100644 --- a/roles/garage/README.md +++ b/roles/garage/README.md @@ -1,118 +1,113 @@ -# Garage +Garage +====== -Ansible role to deploy [Garage](https://garagehq.deuxfleurs.fr/) S3-compatible -object storage via Docker Compose, with declarative key/bucket -provisioning and an optional WebUI behind htpasswd or authentik -ForwardAuth. +Ansible role to deploy Garage S3-compatible object storage using Docker Compose. -## Requirements +Requirements +------------ - Docker and Docker Compose installed on the target host - Ansible collection: `community.docker` -- `htpasswd` (from `apache2-utils` / `httpd-tools`) when the WebUI is - enabled and authentik ForwardAuth is *not* used -- Traefik with a shared `garage_traefik_network` (default `proxy`) +- Traefik reverse proxy (for external access) -## Role variables +Role Variables +-------------- -Full spec with types and defaults: `meta/argument_specs.yml`. The most -common overrides: +Key variables defined in `defaults/main.yml`: -### Service +**Base Configuration:** +- `docker_compose_base_dir`: Base directory for Docker Compose files (default: `/etc/docker/compose`) +- `docker_volume_base_dir`: Base directory for Docker volumes (default: `/srv/data`) -- `garage_s3_domains`: FQDNs the S3 router accepts. The first entry is the - canonical hostname; `garage.toml` derives the virtual-hosted-style S3 - `root_domain` from it as `.s3.` (so buckets resolve under - `.s3.`). -- `garage_web_domain`, `garage_webui_domain`: separate hostnames for - the S3-website endpoint and the console. -- `garage_image`, `garage_replication_factor`, `garage_db_engine`, - `garage_s3_region`. +**Garage Configuration:** +- `garage_service_name`: Service name (default: `garage`) +- `garage_image`: Garage Docker image (default: `dxflrs/garage:v2.1.0`) +- `garage_s3_domain`: Domain for S3 API endpoint (default: `storage.local.test`) +- `garage_web_domain`: Domain for S3 web endpoint (default: `web.storage.local.test`) +- `garage_webui_domain`: Domain for web console (default: `console.storage.local.test`) -### Required secrets +**Garage Storage Configuration:** +- `garage_replication_factor`: Replication factor (default: `1`) +- `garage_compression_level`: Compression level (default: `1`) +- `garage_db_engine`: Database engine (default: `lmdb`) +- `garage_s3_region`: S3 region (default: `us-east-1`) -Generate with `openssl rand -hex 32` (32 bytes / 64 hex chars): +**Garage Ports:** +- `garage_s3_api_port`: S3 API port (default: `3900`) +- `garage_s3_web_port`: S3 web port (default: `3902`) +- `garage_admin_port`: Admin API port (default: `3903`) +- `garage_rpc_port`: RPC port (default: `3901`) -- `garage_rpc_secret`: node-to-node RPC secret -- `garage_admin_token`: admin API token -- `garage_metrics_token`: metrics endpoint token +**Garage Security:** +- `garage_rpc_secret`: RPC secret for node communication +- `garage_admin_token`: Admin API token +- `garage_metrics_token`: Metrics API token -### WebUI authentication +**Garage WebUI Configuration:** +- `garage_webui_enabled`: Enable web UI (default: `true`) +- `garage_webui_image`: WebUI Docker image (default: `khairul169/garage-webui:latest`) +- `garage_webui_port`: WebUI port (default: `3909`) +- `garage_webui_username`: WebUI username (default: `admin`) +- `garage_webui_password`: WebUI password in plaintext (default: `admin`) -Three modes: +**Traefik Configuration:** +- `garage_traefik_network`: Traefik network name (default: `proxy`) +- `garage_internal_network`: Internal network name (default: `internal`) +- `garage_use_ssl`: Enable SSL (default: `true`) -1. **htpasswd** (default): `garage_webui_username` / `garage_webui_password` - in plaintext. The role hashes the password with - `htpasswd -nbBC 10`, persists the hash on disk, and re-verifies with - `htpasswd -vbB` so unchanged passwords don't churn the play. -2. **authentik ForwardAuth**: set - `garage_webui_authentik_forward_auth: true` and - `garage_webui_authentik_forward_auth_url: - "https://auth.example.com/outpost.goauthentik.io/auth/traefik"`. - `AUTH_USER_PASS` is dropped from the container env so authentik is - the only gate. -3. **Disabled**: `garage_webui_enabled: false`. +Dependencies +------------ -### Layout bootstrap +This role requires: +- Traefik reverse proxy to be configured and the `proxy` network to be created +- `htpasswd` utility (from `apache2-utils` package) for generating bcrypt password hashes -Setting `garage_bootstrap_enabled: true` runs the bootstrap task, which -joins the local node to the layout (`zone: garage_bootstrap_zone`, -capacity: `garage_bootstrap_capacity`) on the first run. The check -tolerates the 16-char truncation that `garage layout show` performs. - -### Declarative S3 keys and buckets - -```yaml -garage_s3_keys: - - name: nextcloud - buckets: - - name: nextcloud-data - permissions: [read, write] - - name: backup - buckets: - - name: restic-prod - permissions: [read, write, owner] -``` - -The role: - -- Lists existing keys (`garage key list`), creates missing ones -- Lists existing buckets (`garage bucket list`), creates missing ones -- Reads current permissions via `garage bucket info` and runs - `garage bucket allow` only when the current RWO flags for the key - don't already match the desired permissions - -`stdout` parsing is hardened against ANSI escapes and interleaved INFO -log lines, so probe noise no longer produces spurious changes. - -## Dependencies - -- Traefik network (`garage_traefik_network`, default `proxy`) -- Internal network (`garage_internal_network`, default `internal`) - -## Example playbook +Example Playbook +---------------- ```yaml - hosts: storage_servers roles: - - role: digitalboard.core.garage + - role: garage vars: - garage_s3_domains: - - "storage.example.com" - - "storage.int.example.com" - garage_rpc_secret: "{{ vault_garage_rpc_secret }}" - garage_admin_token: "{{ vault_garage_admin_token }}" - garage_metrics_token: "{{ vault_garage_metrics_token }}" - garage_bootstrap_enabled: true - garage_webui_authentik_forward_auth: true - garage_webui_authentik_forward_auth_url: "https://auth.example.com/outpost.goauthentik.io/auth/traefik" - garage_s3_keys: - - name: nextcloud - buckets: - - name: nextcloud-data - permissions: [read, write] + garage_s3_domain: "storage.example.com" + garage_rpc_secret: "your-secure-rpc-secret" + garage_admin_token: "your-admin-token" + garage_webui_enabled: true + garage_webui_username: "admin" + garage_webui_password: "secure-password" ``` -## License +**Note:** The WebUI password is specified in plaintext and will be automatically hashed using bcrypt during deployment. The role uses `htpasswd` to generate a secure bcrypt hash that is then properly escaped for use in Docker Compose. -MIT-0 +Post-Installation +----------------- + +After deployment, you need to configure the Garage cluster: + +1. Connect to the node and get the node ID: + ```bash + docker exec -ti garage /garage node id + ``` + +2. Configure the node layout: + ```bash + docker exec -ti garage /garage layout assign -z dc1 -c 1G + docker exec -ti garage /garage layout apply --version 1 + ``` + +3. Create a key for S3 access: + ```bash + docker exec -ti garage /garage key create my-key + ``` + +4. Create a bucket: + ```bash + docker exec -ti garage /garage bucket create my-bucket + docker exec -ti garage /garage bucket allow my-bucket --read --write --key my-key + ``` + +License +------- + +MIT-0 \ No newline at end of file diff --git a/roles/garage/defaults/main.yml b/roles/garage/defaults/main.yml index 3820a03..495317e 100644 --- a/roles/garage/defaults/main.yml +++ b/roles/garage/defaults/main.yml @@ -13,12 +13,7 @@ garage_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ garage_service_name } # Garage service configuration garage_image: "dxflrs/garage:v2.1.0" -# FQDNs the garage S3 router accepts. The first entry is the canonical -# domain; garage.toml derives the virtual-hosted-style S3 root_domain -# from it as ".s3."; further entries cover internal -# *.int.* names. -garage_s3_domains: - - "storage.local.test" +garage_s3_domain: "storage.local.test" garage_web_domain: "web.storage.local.test" garage_webui_domain: "console.storage.local.test" @@ -26,20 +21,10 @@ garage_webui_domain: "console.storage.local.test" garage_webui_enabled: true garage_webui_image: "khairul169/garage-webui:latest" garage_webui_port: 3909 -# WebUI basic auth credentials (plaintext, will be hashed automatically). -# Ignored when garage_webui_authentik_forward_auth is true — in that case -# authentik handles authentication via the ForwardAuth middleware below. +# WebUI basic auth credentials (plaintext, will be hashed automatically) garage_webui_username: "admin" garage_webui_password: "admin" -# Optional Authentik ForwardAuth in front of the WebUI. When true: -# - the AUTH_USER_PASS env-var is dropped from the container so htpasswd -# isn't enforced; authentik is the only gate. -# - traefik attaches a ForwardAuth middleware pointing at the URL below. -# Leave false to keep classic htpasswd protection. -garage_webui_authentik_forward_auth: false -garage_webui_authentik_forward_auth_url: "" - # Garage ports garage_s3_api_port: 3900 garage_s3_web_port: 3902 diff --git a/roles/garage/meta/argument_specs.yml b/roles/garage/meta/argument_specs.yml deleted file mode 100644 index b5cb0f5..0000000 --- a/roles/garage/meta/argument_specs.yml +++ /dev/null @@ -1,169 +0,0 @@ ---- -argument_specs: - main: - short_description: Deploy Garage S3-compatible object storage via Docker Compose. - description: - - Renders a Compose stack for Garage with traefik labels, configures the - node layout on first run, and (optionally) provisions S3 keys, buckets - and per-key permissions declaratively. - - The optional WebUI can be protected by classic htpasswd or by - authentik ForwardAuth. - options: - docker_compose_base_dir: - type: path - default: /etc/docker/compose - docker_volume_base_dir: - type: path - default: /srv/data - garage_service_name: - type: str - default: garage - garage_docker_compose_dir: - type: path - description: Defaults to C({{ docker_compose_base_dir }}/{{ garage_service_name }}). - garage_docker_volume_dir: - type: path - description: Defaults to C({{ docker_volume_base_dir }}/{{ garage_service_name }}). - - garage_image: - type: str - default: dxflrs/garage:v2.1.0 - - garage_s3_domains: - type: list - elements: str - default: ['storage.local.test'] - description: - - FQDNs the garage S3 router accepts. The first entry is the - canonical domain; C(garage.toml) derives the virtual-hosted-style - S3 C(root_domain) from it as C(.s3.). Further entries - cover internal C(*.int.*) names. - garage_web_domain: - type: str - default: web.storage.local.test - description: Hostname serving the S3-website endpoint. - garage_webui_domain: - type: str - default: console.storage.local.test - description: Hostname serving the WebUI console. - - garage_webui_enabled: - type: bool - default: true - garage_webui_image: - type: str - default: khairul169/garage-webui:latest - garage_webui_port: - type: int - default: 3909 - garage_webui_username: - type: str - default: admin - description: htpasswd username. Ignored when C(garage_webui_authentik_forward_auth=true). - garage_webui_password: - type: str - default: admin - description: - - Plaintext password; hashed with C(htpasswd -nbBC 10) and persisted - on disk so re-runs don't churn. Ignored when authentik ForwardAuth - is enabled. - garage_webui_authentik_forward_auth: - type: bool - default: false - description: - - When true the C(AUTH_USER_PASS) env-var is dropped from the WebUI - container and traefik attaches a ForwardAuth middleware pointing - at the URL below. authentik is then the only gate; htpasswd is - disabled. - garage_webui_authentik_forward_auth_url: - type: str - default: '' - description: - - Required when C(garage_webui_authentik_forward_auth=true). - Typically C(https://auth.example.com/outpost.goauthentik.io/auth/traefik). - - garage_s3_api_port: - type: int - default: 3900 - garage_s3_web_port: - type: int - default: 3902 - garage_admin_port: - type: int - default: 3903 - garage_rpc_port: - type: int - default: 3901 - - garage_replication_factor: - type: int - default: 1 - garage_compression_level: - type: int - default: 1 - garage_db_engine: - type: str - choices: [lmdb, sqlite, sled] - default: lmdb - garage_s3_region: - type: str - default: us-east-1 - garage_rpc_secret: - type: str - required: true - description: Hex secret for node-to-node RPC. Generate with C(openssl rand -hex 32). - garage_admin_token: - type: str - required: true - garage_metrics_token: - type: str - required: true - - garage_traefik_network: - type: str - default: proxy - garage_internal_network: - type: str - default: internal - garage_use_ssl: - type: bool - default: true - - garage_bootstrap_enabled: - type: bool - default: false - description: When true the bootstrap task ensures the node is in the layout. - garage_bootstrap_zone: - type: str - default: dc1 - description: Zone label assigned during layout bootstrap. - garage_bootstrap_capacity: - type: str - default: 1G - description: Capacity string passed to C(garage layout assign -c). - - garage_s3_keys: - type: list - elements: dict - default: [] - description: - - Declarative key + bucket + permission provisioning. The role - creates missing keys, missing buckets, and runs C(bucket allow) - only when the current RWO flags for a given key don't match. - options: - name: - type: str - required: true - buckets: - type: list - elements: dict - description: Buckets this key gets access to. - options: - name: - type: str - required: true - permissions: - type: list - elements: str - choices: [read, write, owner] - required: true diff --git a/roles/garage/meta/main.yml b/roles/garage/meta/main.yml index 5442c5f..36b9858 100644 --- a/roles/garage/meta/main.yml +++ b/roles/garage/meta/main.yml @@ -1,27 +1,35 @@ #SPDX-License-Identifier: MIT-0 galaxy_info: - author: digitalboard - description: Deploy Garage S3-compatible object storage via Docker Compose, with declarative key/bucket provisioning - company: Digitalboard - license: MIT-0 + author: your name + description: your role description + company: your company (optional) - min_ansible_version: "2.14" + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker - platforms: - - name: Debian - versions: - - bookworm - - name: Ubuntu - versions: - - jammy - - noble + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) - galaxy_tags: - - garage - - s3 - - storage - - object-storage - - docker - - digitalboard + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/garage/tasks/bootstrap.yml b/roles/garage/tasks/bootstrap.yml index 5dc7e6e..6cab2cf 100644 --- a/roles/garage/tasks/bootstrap.yml +++ b/roles/garage/tasks/bootstrap.yml @@ -7,27 +7,21 @@ container: "{{ garage_service_name }}" command: /garage node id -q register: _garage_node_id - changed_when: false - name: Extract short node ID ansible.builtin.set_fact: _garage_node_id_short: "{{ _garage_node_id.stdout.split('@')[0] }}" -- name: Extract truncated node ID (first 16 chars, matches `garage layout show` output) - ansible.builtin.set_fact: - _garage_node_id_truncated: "{{ _garage_node_id_short[:16] }}" - - name: Check if node layout is configured community.docker.docker_container_exec: container: "{{ garage_service_name }}" command: /garage layout show register: _garage_layout_show failed_when: false - changed_when: false - name: Check if node is in layout ansible.builtin.set_fact: - _node_in_layout: "{{ (_garage_node_id_truncated in _garage_layout_show.stdout) or (_garage_node_id_short in _garage_layout_show.stdout) }}" + _node_in_layout: "{{ _garage_node_id_short in _garage_layout_show.stdout }}" - name: Configure garage node layout community.docker.docker_container_exec: diff --git a/roles/garage/tasks/main.yml b/roles/garage/tasks/main.yml index 4478f51..4aebbeb 100644 --- a/roles/garage/tasks/main.yml +++ b/roles/garage/tasks/main.yml @@ -26,77 +26,12 @@ dest: "{{ garage_docker_compose_dir }}/garage.toml" mode: '0644' -- name: Set webui htpasswd activation fact - ansible.builtin.set_fact: - # htpasswd only runs when the WebUI is enabled AND authentik ForwardAuth - # is not handling authentication. When authentik is in front, the - # compose template drops AUTH_USER_PASS so no hash is needed. - _garage_webui_htpasswd_active: >- - {{ - garage_webui_enabled - and not (garage_webui_authentik_forward_auth | default(false)) - }} - -- name: Read cached webui htpasswd hash - ansible.builtin.slurp: - src: "{{ garage_docker_compose_dir }}/webui.htpasswd" - register: _garage_webui_htpasswd_cached - failed_when: false - changed_when: false - when: _garage_webui_htpasswd_active - -- name: Verify cached webui htpasswd hash still matches password - ansible.builtin.command: - argv: - - htpasswd - - -vbB - - "{{ garage_docker_compose_dir }}/webui.htpasswd" - - "{{ garage_webui_username }}" - - "{{ garage_webui_password }}" - register: _garage_webui_htpasswd_verify - failed_when: false - changed_when: false - no_log: true - when: - - _garage_webui_htpasswd_active - - _garage_webui_htpasswd_cached.content is defined - - name: Generate bcrypt hash for webui password using htpasswd - ansible.builtin.command: - argv: - - htpasswd - - -nbBC - - "10" - - "{{ garage_webui_username }}" - - "{{ garage_webui_password }}" - register: _garage_webui_password_hash_new - changed_when: true - when: - - _garage_webui_htpasswd_active - - (_garage_webui_htpasswd_cached.content is not defined) - or (_garage_webui_htpasswd_verify.rc | default(1) != 0) - -- name: Persist webui htpasswd hash on disk - ansible.builtin.copy: - content: "{{ _garage_webui_password_hash_new.stdout }}\n" - dest: "{{ garage_docker_compose_dir }}/webui.htpasswd" - mode: '0600' - when: - - _garage_webui_htpasswd_active - - _garage_webui_password_hash_new is changed - -- name: Load current webui htpasswd hash - ansible.builtin.slurp: - src: "{{ garage_docker_compose_dir }}/webui.htpasswd" - register: _garage_webui_htpasswd_current + ansible.builtin.shell: | + htpasswd -nbBC 10 "{{ garage_webui_username }}" "{{ garage_webui_password }}" + register: _garage_webui_password_hash changed_when: false - when: _garage_webui_htpasswd_active - -- name: Expose current webui htpasswd hash to template - ansible.builtin.set_fact: - _garage_webui_password_hash: - stdout: "{{ (_garage_webui_htpasswd_current.content | b64decode).strip() }}" - when: _garage_webui_htpasswd_active + when: garage_webui_enabled - name: Create docker-compose file for garage template: diff --git a/roles/garage/tasks/provision.yml b/roles/garage/tasks/provision.yml index dacf2c0..1c2628e 100644 --- a/roles/garage/tasks/provision.yml +++ b/roles/garage/tasks/provision.yml @@ -4,17 +4,11 @@ container: "{{ garage_service_name }}" command: /garage key list register: _existing_keys_output - changed_when: false when: garage_s3_keys | length > 0 - name: Parse existing key names ansible.builtin.set_fact: - # `garage key list` columns: ID Created Name Expiration. - # Data rows begin with a GK key ID; header is "ID Created ..." - # and INFO log lines may interleave on stderr (kept separate by - # docker_container_exec). Strip ANSI escapes defensively, filter to - # GK-prefixed rows, then take the 3rd whitespace-separated field. - _existing_keys: "{{ _existing_keys_output.stdout_lines | map('regex_replace', '\\x1b\\[[0-9;]*m', '') | select('match', '^GK[0-9a-fA-F]+') | map('regex_replace', '^\\S+\\s+\\S+\\s+(\\S+).*$', '\\1') | list }}" + _existing_keys: "{{ _existing_keys_output.stdout_lines[1:] | select('match', '^GK') | map('regex_replace', '^\\S+\\s+\\S+\\s+(\\S+)\\s+.*$', '\\1') | list }}" when: garage_s3_keys | length > 0 - name: Create S3 keys @@ -33,7 +27,6 @@ command: /garage key info {{ item.name }} loop: "{{ garage_s3_keys }}" register: _key_info_results - changed_when: false when: garage_s3_keys | length > 0 - name: Extract key IDs from info @@ -49,21 +42,11 @@ container: "{{ garage_service_name }}" command: /garage bucket list register: _existing_buckets_output - changed_when: false when: garage_s3_keys | length > 0 - name: Parse existing bucket names ansible.builtin.set_fact: - # `garage bucket list` columns: ID Created Global aliases Local aliases - # Data rows start with a hex bucket ID; filter to those and take the - # third whitespace-separated field (the global alias = bucket name). - _existing_buckets: >- - {{ - _existing_buckets_output.stdout_lines - | select('match', '^[0-9a-f]{16}\\s') - | map('regex_replace', '^\\S+\\s+\\S+\\s+(\\S+).*$', '\\1') - | list - }} + _existing_buckets: "{{ _existing_buckets_output.stdout_lines[2:] | map('split') | map('first') | list }}" when: garage_s3_keys | length > 0 - name: Get unique bucket names @@ -81,37 +64,12 @@ - item not in _existing_buckets failed_when: false -- name: Get current bucket permissions - community.docker.docker_container_exec: - container: "{{ garage_service_name }}" - command: /garage bucket info {{ item.1.name }} - loop: "{{ garage_s3_keys | subelements('buckets', skip_missing=True) }}" - loop_control: - label: "{{ item.1.name }}" - register: _bucket_info_results - changed_when: false - when: garage_s3_keys | length > 0 - - name: Set bucket permissions using key IDs community.docker.docker_container_exec: container: "{{ garage_service_name }}" - command: /garage bucket allow {{ item.item.1.name }} {% for perm in item.item.1.permissions %}--{{ perm }} {% endfor %}--key {{ _key_id_map[item.item.0.name] }} - loop: "{{ _bucket_info_results.results }}" - loop_control: - label: "{{ item.item.1.name }} -> {{ item.item.0.name }}" - when: - - garage_s3_keys | length > 0 - - >- - (item.stdout | regex_search( - '(?m)^\s*' ~ _wanted_flags ~ '\s+' ~ _key_id_map[item.item.0.name] - )) is none - vars: - _wanted_flags: >- - {{ - ('R' if 'read' in item.item.1.permissions else '-') - ~ ('W' if 'write' in item.item.1.permissions else '-') - ~ ('O' if 'owner' in item.item.1.permissions else '-') - }} + command: /garage bucket allow {{ item.1.name }} {% for perm in item.1.permissions %}--{{ perm }} {% endfor %}--key {{ _key_id_map[item.0.name] }} + loop: "{{ garage_s3_keys | subelements('buckets', skip_missing=True) }}" + when: garage_s3_keys | length > 0 # Export key credentials for use by other roles - name: Get detailed key information for all keys @@ -120,7 +78,6 @@ command: /garage key info {{ item.name }} --show-secret loop: "{{ garage_s3_keys }}" register: _key_details_results - changed_when: false when: garage_s3_keys | length > 0 - name: Build garage S3 credentials map diff --git a/roles/garage/templates/docker-compose.yml.j2 b/roles/garage/templates/docker-compose.yml.j2 index 7b1c017..9e3e862 100644 --- a/roles/garage/templates/docker-compose.yml.j2 +++ b/roles/garage/templates/docker-compose.yml.j2 @@ -14,13 +14,10 @@ services: - traefik.enable=true - traefik.docker.network={{ garage_traefik_network }} # S3 API endpoint - - traefik.http.routers.{{ garage_service_name }}.rule={% for d in garage_s3_domains %}Host(`{{ d }}`){% if not loop.last %} || {% endif %}{% endfor +%} + - traefik.http.routers.{{ garage_service_name }}.rule=Host(`{{ garage_s3_domain }}`) {% if garage_use_ssl %} - traefik.http.routers.{{ garage_service_name }}.entrypoints=websecure - traefik.http.routers.{{ garage_service_name }}.tls=true -{% if traefik_cert_mode | default('selfsigned') == 'acme' %} - - traefik.http.routers.{{ garage_service_name }}.tls.certresolver={{ traefik_ssl_cert_resolver | default('dns') }} -{% endif %} {% else %} - traefik.http.routers.{{ garage_service_name }}.entrypoints=web {% endif %} @@ -38,9 +35,7 @@ services: environment: API_BASE_URL: "http://{{ garage_service_name }}:{{ garage_admin_port }}" S3_ENDPOINT_URL: "http://{{ garage_service_name }}:{{ garage_s3_api_port }}" -{% if not (garage_webui_authentik_forward_auth | default(false)) %} AUTH_USER_PASS: '{{ _garage_webui_password_hash.stdout | replace("$", "$$") }}' -{% endif %} volumes: - {{ garage_docker_compose_dir }}/garage.toml:/etc/garage.toml:ro networks: @@ -53,25 +48,12 @@ services: {% if garage_use_ssl %} - traefik.http.routers.{{ garage_service_name }}-console.entrypoints=websecure - traefik.http.routers.{{ garage_service_name }}-console.tls=true -{% if traefik_cert_mode | default('selfsigned') == 'acme' %} - - traefik.http.routers.{{ garage_service_name }}-console.tls.certresolver={{ traefik_ssl_cert_resolver | default('dns') }} -{% endif %} {% else %} - traefik.http.routers.{{ garage_service_name }}-console.entrypoints=web {% endif %} - traefik.http.routers.{{ garage_service_name }}-console.service={{ garage_service_name }}-console - traefik.http.routers.{{ garage_service_name }}-console.priority=10 - traefik.http.services.{{ garage_service_name }}-console.loadbalancer.server.port={{ garage_webui_port }} -{% if garage_webui_authentik_forward_auth | default(false) %} - # ForwardAuth via the authentik embedded outpost. Unauthenticated - # requests are redirected to authentik; authentik then forwards - # X-Authentik-* identity headers downstream. htpasswd is disabled - # in the env block above so authentik is the only gate. - - traefik.http.middlewares.{{ garage_service_name }}-console-authentik.forwardauth.address={{ garage_webui_authentik_forward_auth_url }} - - traefik.http.middlewares.{{ garage_service_name }}-console-authentik.forwardauth.trustForwardHeader=true - - traefik.http.middlewares.{{ garage_service_name }}-console-authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version - - traefik.http.routers.{{ garage_service_name }}-console.middlewares={{ garage_service_name }}-console-authentik -{% endif %} {% endif %} networks: diff --git a/roles/garage/templates/garage.toml.j2 b/roles/garage/templates/garage.toml.j2 index 06b1164..897ebcd 100644 --- a/roles/garage/templates/garage.toml.j2 +++ b/roles/garage/templates/garage.toml.j2 @@ -14,7 +14,7 @@ rpc_secret = "{{ garage_rpc_secret }}" [s3_api] s3_region = "{{ garage_s3_region }}" api_bind_addr = "[::]:{{ garage_s3_api_port }}" -root_domain = ".s3.{{ garage_s3_domains[0] }}" +root_domain = ".s3.{{ garage_s3_domain }}" [s3_web] bind_addr = "[::]:{{ garage_s3_web_port }}" diff --git a/roles/homarr/README.md b/roles/homarr/README.md deleted file mode 100644 index a1e1dcf..0000000 --- a/roles/homarr/README.md +++ /dev/null @@ -1,251 +0,0 @@ -# homarr - -Deploy [Homarr](https://github.com/homarr-labs/homarr) as a self-contained -Docker Compose stack behind Traefik, with seeded admin user, OIDC group -and customizable application tiles. - -## What this role does - -- Deploys the official Homarr container with Traefik labels -- Seeds the SQLite database with: - - server settings (locale, analytics, crawling, default board) - - a default board with the three layouts (desktop/tablet/mobile) - - a local admin user with bcrypt-hashed password - - OIDC and credentials admin groups with full permissions - - application tiles defined in `homarr_apps`, auto-laid-out across all - three screen sizes via the bundled `homarr_compute_layouts` filter -- Skips the onboarding wizard so the instance is usable right after deploy -- Restarts the container via handler when the seed or compose file changes - -## What this role does NOT do - -- Does not configure OIDC end-to-end — set `homarr_oidc_*` variables and - configure the corresponding client in your identity provider -- Does not migrate existing Homarr databases — only seeds empty ones -- Does not create users beyond the single local admin (OIDC users are - provisioned on first login) - -## Required variables - -Provide via OpenBao, Ansible Vault, or extra-vars. **Never commit real -secrets to version control.** - -| Variable | Format | Generate with | -|---|---|---| -| `homarr_secret_encryption_key` | 64-char hex string | `openssl rand -hex 32` | -| `homarr_admin_password` | strong password | `openssl rand -base64 24` | -| `homarr_oidc_client_secret` | from your identity provider | — | - -`homarr_oidc_client_secret` is only required when `oidc` is in -`homarr_auth_providers`; the role asserts it then. The encryption key is -always required — the `assert` task at the top of the role fails fast if it -is missing or malformed. - -## Configurable variables - -See `defaults/main.yml` for the full list. Most useful overrides: - -| Variable | Default | Purpose | -|---|---|---| -| `homarr_domain` | `homarr.local.test` | Traefik Host rule | -| `homarr_extra_domains` | `[]` | Extra Host-rule hostnames (OR-combined), e.g. internal `*.int.*` FQDN | -| `homarr_extra_hosts` | `[]` | Container `/etc/hosts` overrides (`host:ip`) — pin IdP FQDN to LAN IP | -| `homarr_base_url` | `https://home.local.test` | NEXTAUTH_URL / BASE_URL | -| `homarr_auth_providers` | `credentials` | `credentials`, `oidc`, or both | -| `homarr_oidc_issuer` | empty | Identity provider issuer URL | -| `homarr_oidc_client_id` | empty | OIDC client id | -| `homarr_oidc_admin_group` | `homarr-admins` | Group granting admin role | -| `homarr_apps` | `[]` | List of application tiles, see below | - -## Application tiles - -`homarr_apps` is a list of tile definitions that are seeded into the -default board. Each entry needs: - -| Field | Required | Description | -|---|---|---| -| `id` | yes | Unique slug, used as `app-` and `item-` | -| `name` | yes | Display name | -| `icon` | yes | Icon URL | -| `href` | yes | Click target | -| `width` | yes | Tile width in grid cells (1–10) | -| `description` | no | Tooltip / subtitle | -| `height` | no | Tile height (default `1`) | - -The role validates that all `id` values are unique. - -### Auto-layout - -Tiles are packed left-to-right into three layouts: - -- **Desktop**: 10 columns -- **Tablet**: 6 columns -- **Mobile**: 2 columns - -When a tile does not fit the remaining width of a row, it wraps to the -next row. Tile width is clamped to the grid width (a tile with -`width: 8` becomes `width: 6` on tablet and `width: 2` on mobile). - -### Example - -```yaml -homarr_apps: - - id: nextcloud - name: Nextcloud - description: Cloud Storage & Collaboration - icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons/png/nextcloud.png - href: https://cloud.example.com - width: 2 - - id: keycloak - name: Keycloak - description: Identity & Access Management - icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons/png/keycloak.png - href: https://auth.example.com - width: 2 -``` - -## Layout filter plugin - -The grid-packing algorithm that places tiles on the desktop, tablet -and mobile layouts lives in `filter_plugins/homarr_layout.py` rather -than inside the Jinja seed template. This keeps the SQL template -readable and lets the algorithm be unit-tested in isolation. - -The filter is invoked once from `tasks/main.yml`: - -```yaml -- name: Compute Homarr app layouts - ansible.builtin.set_fact: - homarr_layout: "{{ homarr_apps | digitalboard.core.homarr_compute_layouts }}" -``` - -This produces a `homarr_layout` fact with two keys, both consumed by -`templates/homarr_seed.sql.j2`: - -| Key | Shape | Purpose | -|---|---|---| -| `apps` | list, same order as `homarr_apps` | each entry gains `desktop`/`tablet`/`mobile` dicts of `{x, y, w, h}` | -| `section_height` | dict with `desktop`, `tablet`, `mobile` | minimum height of the parent section so all tiles fit | - -The filter signature accepts custom column counts if Homarr ever -changes the breakpoint widths: - -```jinja -{{ homarr_apps | digitalboard.core.homarr_compute_layouts(desktop_cols=12, tablet_cols=8, mobile_cols=4) }} -``` - -To debug a layout without running the full deploy, run the play with -`-vv` — the `Show computed app layouts` task dumps the full -`homarr_layout` fact. - -### Running the filter tests - -The filter is covered by unit tests in -`filter_plugins/tests/test_homarr_layout.py`: - -```bash -pip install pytest ansible-core -pytest filter_plugins/tests/ -``` - -15 tests cover packing, width clamping, height/section-height, -input validation and custom grid sizes. - -## First login - -After the role completes, log in at `{{ homarr_base_url }}` with: - -- Username: value of `homarr_admin_username` (default `admin`) -- Password: value of `homarr_admin_password` - -OIDC users are provisioned on first login if their identity provider -group matches `homarr_oidc_admin_group`. They receive admin permissions -automatically through the seeded `group-oidc-admins` group. - -## Example playbook - -```yaml -- name: Deploy Homarr service - hosts: homarr_servers - become: true - roles: - - digitalboard.core.homarr -``` - -With inventory variables: - -```yaml -# inventories//group_vars/homarr_servers.yml -homarr_domain: home.digitalboard.ch -homarr_base_url: "https://home.digitalboard.ch" - -homarr_auth_providers: "credentials,oidc" -homarr_oidc_issuer: "https://auth.digitalboard.ch/realms/Digitalboard" -homarr_oidc_client_id: "homarr-digitalboard" -homarr_oidc_client_name: "Digitalboard" - -homarr_secret_encryption_key: >- - {{ lookup('community.hashi_vault.vault_kv2_get', - 'digitalboard/homarr', - mount_point='kv').data.data.encryption_key }} -homarr_admin_password: >- - {{ lookup('community.hashi_vault.vault_kv2_get', - 'digitalboard/homarr', - mount_point='kv').data.data.admin_password }} -homarr_oidc_client_secret: >- - {{ lookup('community.hashi_vault.vault_kv2_get', - 'digitalboard/homarr', - mount_point='kv').data.data.oidc_client_secret }} - -homarr_apps: - - id: nextcloud - name: Nextcloud - description: Cloud Storage - icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons/png/nextcloud.png - href: https://cloud.digitalboard.ch - width: 2 - - id: keycloak - name: Keycloak - description: Identity & Access Management - icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons/png/keycloak.png - href: https://auth.digitalboard.ch - width: 2 -``` - -## Re-running the role - -The role is idempotent for the typical re-run case: - -- The seed only runs when no local admin user exists in the database -- The compose file and seed template are deployed via `template`, - which only changes content when the inputs change -- The restart handler only fires when one of those templates changes - -If you need to re-seed an existing database (for example after deleting -the database file to apply schema changes), the role will detect the -fresh database and seed it again on the next run. - -## Troubleshooting - -**Login fails after deploy.** Verify that the bcrypt hash was written -correctly: - -```bash -sqlite3 /srv/data/homarr/homarr/appdata/db/db.sqlite \ - "SELECT id, name, email, length(password), provider FROM user;" -``` - -Expected: one row with `user-local-admin`, password length 60, -provider `credentials`. - -**Encryption key validation fails.** The key must be exactly 64 -characters and contain only hex digits (`[a-fA-F0-9]`). Both upper- -and lowercase are accepted. - -**App tiles overlap.** Check `homarr_apps` for duplicate `id` values. -The role validates this, but if you bypass the check, the seed will -still run and Homarr will display only one of the duplicates. - -## License - -MIT-0 diff --git a/roles/homarr/defaults/main.yml b/roles/homarr/defaults/main.yml deleted file mode 100644 index a7b2f2b..0000000 --- a/roles/homarr/defaults/main.yml +++ /dev/null @@ -1,82 +0,0 @@ -#SPDX-License-Identifier: MIT-0 ---- -# defaults file for homarr - -# Base directory configuration (inherited from base role or defined here) -docker_compose_base_dir: /etc/docker/compose -docker_volume_base_dir: /srv/data - -# homarr-specific configuration -homarr_base_path: /srv/data/homarr -homarr_docker_compose_dir: "{{ docker_compose_base_dir }}/homarr" -homarr_docker_volume_dir: "{{ docker_volume_base_dir }}/homarr" -homarr_appdata_dir: "{{ homarr_docker_volume_dir }}/homarr/appdata" -homarr_db: "{{ homarr_appdata_dir }}/db/db.sqlite" - -# Service configuration -homarr_domain: "homarr.local.test" -# Additional hostnames the homarr router answers on (e.g. an internal -# *.int.* FQDN so a DMZ reverseproxy can hit a backend hostname covered -# by the cert). -homarr_extra_domains: [] -# Extra /etc/hosts entries inside the homarr container (format "host:ip"). -# Used to pin the IdP's public FQDN to a LAN IP so OIDC discovery stays -# in-network while the issuer URL matches what browsers see. -homarr_extra_hosts: [] -homarr_image: "ghcr.io/homarr-labs/homarr:latest" -homarr_port: 7575 -homarr_use_docker: false - -# REQUIRED: 64-character hex string used to encrypt integration credentials. -# Generate with: openssl rand -hex 32 -# Provide via OpenBao lookup, Ansible Vault, or extra-vars. -# Never commit a real key to version control. -homarr_secret_encryption_key: "" - -# URL — used for BASE_URL, NEXTAUTH_URL and the completion message -homarr_base_url: "https://home.local.test" - -# Auth providers (comma-separated): credentials, oidc, ldap -homarr_auth_providers: "credentials" - -# OIDC configuration (only used when 'oidc' is in homarr_auth_providers) -homarr_oidc_issuer: "" -homarr_oidc_client_id: "" -homarr_oidc_client_name: "" -homarr_oidc_scopes: "openid profile email groups" -homarr_oidc_groups_attribute: "groups" -homarr_oidc_client_secret: "" -homarr_oidc_auto_login: "false" - -# OIDC admin group (must exist in the identity provider) -homarr_oidc_admin_group: "homarr-admins" - -# Board configuration -homarr_default_board_name: "Home" -homarr_default_board_public: true - -# Traefik configuration -homarr_traefik_network: "proxy" -homarr_use_ssl: true - -# Local admin (override in inventory or via vault) -homarr_admin_username: "admin" -homarr_admin_email: "admin@example.com" -homarr_admin_password: "ChangeMe123!" - -# Applications shown on the default board. -# Override in your project/inventory vars. Each app needs: -# id, name, icon, href, width (1-10). Optional: description, height (default 1). -# Apps are automatically packed left-to-right into the desktop grid (10 cols), -# scaled to tablet (6 cols) and mobile (2 cols). -# -# Example: -# homarr_apps: -# - id: nextcloud -# name: Nextcloud -# description: Cloud Storage & Collaboration -# icon: https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons/png/nextcloud.png -# href: https://cloud.example.com -# width: 2 -# height: 1 -homarr_apps: [] \ No newline at end of file diff --git a/roles/homarr/filter_plugins/tests/test_homarr_layout.py b/roles/homarr/filter_plugins/tests/test_homarr_layout.py deleted file mode 100644 index a96d672..0000000 --- a/roles/homarr/filter_plugins/tests/test_homarr_layout.py +++ /dev/null @@ -1,182 +0,0 @@ -# -*- coding: utf-8 -*- -# SPDX-License-Identifier: MIT-0 - -"""Unit tests for the homarr_layout filter plugin. - -Run from the role root: - - pytest filter_plugins/tests/ - -Requires `pytest` and `ansible-core` in the environment. -""" - -import os -import sys - -# Make the filter importable without having Ansible auto-discovery in -# the way (it would only run during a real `ansible-playbook` invocation). -sys.path.insert( - 0, - os.path.join(os.path.dirname(__file__), '..', '..', '..', '..', - 'plugins', 'filter') -) - -import pytest # noqa: E402 - -from ansible.errors import AnsibleFilterError # noqa: E402 -from homarr_layout import homarr_compute_layouts # noqa: E402 - - -def _app(app_id, width, height=1): - """Build a minimal app dict for tests.""" - return { - 'id': app_id, - 'name': app_id.title(), - 'icon': 'https://example.com/{0}.png'.format(app_id), - 'href': 'https://{0}.example.com'.format(app_id), - 'width': width, - 'height': height, - } - - -# --------------------------------------------------------------------- -# Happy-path packing -# --------------------------------------------------------------------- - -def test_empty_apps_returns_empty_list_and_min_height(): - result = homarr_compute_layouts([]) - assert result['apps'] == [] - # Even an empty grid keeps section_height >= 1 so the section - # renders in the UI. - assert result['section_height'] == { - 'desktop': 1, 'tablet': 1, 'mobile': 1, - } - - -def test_single_app_positioned_at_origin_in_all_grids(): - result = homarr_compute_layouts([_app('a', width=2)]) - a = result['apps'][0] - assert a['desktop'] == {'x': 0, 'y': 0, 'w': 2, 'h': 1} - assert a['tablet'] == {'x': 0, 'y': 0, 'w': 2, 'h': 1} - assert a['mobile'] == {'x': 0, 'y': 0, 'w': 2, 'h': 1} - - -def test_original_app_keys_are_preserved(): - apps = [_app('nextcloud', width=2)] - apps[0]['description'] = 'Cloud Storage' - result = homarr_compute_layouts(apps) - a = result['apps'][0] - # Original fields survive the layout enrichment. - assert a['name'] == 'Nextcloud' - assert a['description'] == 'Cloud Storage' - assert a['icon'] == 'https://example.com/nextcloud.png' - - -def test_desktop_wraps_after_filling_row(): - # 5 apps of width 2 fill the 10-col desktop row exactly; 6th wraps. - apps = [_app('a{0}'.format(i), width=2) for i in range(6)] - result = homarr_compute_layouts(apps) - assert result['apps'][4]['desktop'] == {'x': 8, 'y': 0, 'w': 2, 'h': 1} - assert result['apps'][5]['desktop'] == {'x': 0, 'y': 1, 'w': 2, 'h': 1} - - -def test_mobile_wraps_after_every_app(): - # Mobile is only 2 cols wide → every app of width 2 starts a new row. - apps = [_app('a{0}'.format(i), width=2) for i in range(3)] - result = homarr_compute_layouts(apps) - assert [a['mobile']['y'] for a in result['apps']] == [0, 1, 2] - - -# --------------------------------------------------------------------- -# Width clamping -# --------------------------------------------------------------------- - -def test_width_clamped_per_grid(): - result = homarr_compute_layouts([_app('big', width=8)]) - # Desktop has room (8 <= 10), tablet clamps to 6, mobile clamps to 2. - a = result['apps'][0] - assert a['desktop']['w'] == 8 - assert a['tablet']['w'] == 6 - assert a['mobile']['w'] == 2 - - -def test_width_larger_than_desktop_still_clamps(): - # A pathological width=20 still works — it just becomes a full-width - # tile on every grid. - result = homarr_compute_layouts([_app('huge', width=20)]) - a = result['apps'][0] - assert a['desktop']['w'] == 10 - assert a['tablet']['w'] == 6 - assert a['mobile']['w'] == 2 - - -# --------------------------------------------------------------------- -# Height handling -# --------------------------------------------------------------------- - -def test_section_height_grows_with_rows(): - # 6 apps of width 2 on desktop → 5 in row 1, 1 in row 2. - apps = [_app('a{0}'.format(i), width=2) for i in range(6)] - result = homarr_compute_layouts(apps) - assert result['section_height']['desktop'] == 2 - # On mobile every app is on its own row. - assert result['section_height']['mobile'] == 6 - - -def test_tall_app_extends_row_height(): - apps = [ - _app('tall', width=2, height=3), - _app('short', width=2, height=1), - ] - result = homarr_compute_layouts(apps) - # Both fit in row 0 horizontally, but the section must be 3 tall. - assert result['section_height']['desktop'] == 3 - - -def test_tall_app_pushes_subsequent_row_down(): - # tall (h=3) fills full desktop width → next app wraps to y=3. - result = homarr_compute_layouts([ - _app('tall', width=10, height=3), - _app('next', width=2, height=1), - ]) - assert result['apps'][1]['desktop'] == {'x': 0, 'y': 3, 'w': 2, 'h': 1} - - -# --------------------------------------------------------------------- -# Input validation -# --------------------------------------------------------------------- - -def test_rejects_non_list_input(): - with pytest.raises(AnsibleFilterError, match='expected a list'): - homarr_compute_layouts('not a list') - - -def test_rejects_non_dict_entry(): - with pytest.raises(AnsibleFilterError, match='not a dict'): - homarr_compute_layouts(['just a string']) - - -def test_rejects_app_without_id(): - with pytest.raises(AnsibleFilterError, match="missing required key 'id'"): - homarr_compute_layouts([{'name': 'no id', 'width': 2}]) - - -def test_rejects_app_without_width(): - with pytest.raises(AnsibleFilterError, - match="missing required key 'width'"): - homarr_compute_layouts([{'id': 'no-width', 'name': 'x'}]) - - -# --------------------------------------------------------------------- -# Configurable grid sizes -# --------------------------------------------------------------------- - -def test_custom_grid_sizes(): - # If Homarr ever switches to 12-col desktop, the filter still works. - result = homarr_compute_layouts( - [_app('a', width=4), _app('b', width=4), _app('c', width=4)], - desktop_cols=12, tablet_cols=8, mobile_cols=4, - ) - # All three fit in desktop row 0 (4+4+4 = 12). - assert [a['desktop']['x'] for a in result['apps']] == [0, 4, 8] - assert result['section_height']['desktop'] == 1 diff --git a/roles/homarr/handlers/main.yml b/roles/homarr/handlers/main.yml deleted file mode 100644 index da74ed4..0000000 --- a/roles/homarr/handlers/main.yml +++ /dev/null @@ -1,8 +0,0 @@ -#SPDX-License-Identifier: MIT-0 ---- -# handlers file for homarr - -- name: restart homarr - community.docker.docker_compose_v2: - project_src: "{{ homarr_docker_compose_dir }}" - state: present \ No newline at end of file diff --git a/roles/homarr/meta/main.yml b/roles/homarr/meta/main.yml deleted file mode 100644 index 4818e67..0000000 --- a/roles/homarr/meta/main.yml +++ /dev/null @@ -1,27 +0,0 @@ -#SPDX-License-Identifier: MIT-0 -galaxy_info: - author: digitalboard - description: Deploy the Homarr dashboard via Docker Compose behind Traefik, with seeded admin user and OIDC group - company: Digitalboard - license: MIT-0 - - min_ansible_version: "2.14" - - platforms: - - name: Debian - versions: - - bookworm - - name: Ubuntu - versions: - - jammy - - noble - - galaxy_tags: - - homarr - - dashboard - - oidc - - docker - - traefik - - digitalboard - -dependencies: [] diff --git a/roles/homarr/tasks/main.yml b/roles/homarr/tasks/main.yml deleted file mode 100644 index c7e4cea..0000000 --- a/roles/homarr/tasks/main.yml +++ /dev/null @@ -1,162 +0,0 @@ -#SPDX-License-Identifier: MIT-0 ---- -# tasks file for homarr - -# ===================================================================== -# 0. VALIDATION -# ===================================================================== - -- name: Validate encryption key - ansible.builtin.assert: - that: - - homarr_secret_encryption_key | length == 64 - - homarr_secret_encryption_key is match('^[a-fA-F0-9]+$') - fail_msg: >- - homarr_secret_encryption_key must be a 64-character hex string. - Generate with: openssl rand -hex 32 - Provide via OpenBao, Ansible Vault or extra-vars. - success_msg: Encryption key validation passed - -- name: Validate OIDC configuration when enabled - ansible.builtin.assert: - that: - - homarr_oidc_client_secret | length > 0 - fail_msg: >- - homarr_oidc_client_secret must be set when 'oidc' is in homarr_auth_providers. - Set via OpenBao or remove 'oidc' from homarr_auth_providers. - when: "'oidc' in homarr_auth_providers" - -- name: Validate homarr_apps have unique ids - ansible.builtin.assert: - that: - - homarr_apps | map(attribute='id') | list | length == - homarr_apps | map(attribute='id') | unique | list | length - fail_msg: >- - homarr_apps contains duplicate ids. - Each app must have a unique 'id'. Got: - {{ homarr_apps | map(attribute='id') | list }} - success_msg: All app ids are unique - when: homarr_apps | length > 0 - -# ===================================================================== -# 1. PREPARATION: packages and directories before container start -# ===================================================================== - -- name: Ensure required packages are installed - ansible.builtin.package: - name: - - sqlite3 - - python3-docker - state: present - -- name: Create docker compose directory - ansible.builtin.file: - path: "{{ homarr_docker_compose_dir }}" - state: directory - mode: '0755' - -- name: Create Homarr data directories - ansible.builtin.file: - path: "{{ item }}" - state: directory - owner: "1000" - group: "1000" - mode: "0755" - loop: - - "{{ homarr_appdata_dir }}" - - "{{ homarr_appdata_dir }}/db" - -- name: Check if database already exists - ansible.builtin.stat: - path: "{{ homarr_db }}" - register: db_exists - -# ===================================================================== -# 2. START CONTAINER -# ===================================================================== - -- name: Create docker-compose file for homarr - ansible.builtin.template: - src: docker-compose.yml.j2 - dest: "{{ homarr_docker_compose_dir }}/docker-compose.yml" - mode: '0644' - -- name: Start homarr containers - community.docker.docker_compose_v2: - project_src: "{{ homarr_docker_compose_dir }}" - state: present - -# ===================================================================== -# 3. WAIT FOR DATABASE -# ===================================================================== - -- name: Wait for database to be created by Homarr - ansible.builtin.wait_for: - path: "{{ homarr_db }}" - state: present - timeout: 60 - when: not db_exists.stat.exists - -- name: Wait for database schema to be initialized - ansible.builtin.command: - cmd: sqlite3 "{{ homarr_db }}" "SELECT name FROM sqlite_master WHERE type='table' AND name='board';" - register: schema_check - until: schema_check.stdout == "board" - retries: 30 - delay: 2 - changed_when: false - when: not db_exists.stat.exists - -# ===================================================================== -# 4. GENERATE BCRYPT HASH (on controller, not on target) -# ===================================================================== - -- name: Generate bcrypt hash for admin password - ansible.builtin.set_fact: - # Deterministic salt derived from the password's SHA-256 digest so the - # hash stays stable across runs (idempotent — no spurious template - # changes / container restarts when the password is unchanged). The - # bcrypt salt alphabet is [./A-Za-z0-9]; the digest's hex chars are - # a strict subset, so we just take the first 22. - homarr_bcrypt_hash: >- - {{ homarr_admin_password - | password_hash('bcrypt', rounds=10, - salt=(homarr_admin_password - | hash('sha256'))[:22]) }} - no_log: true - -# ===================================================================== -# 5. COMPUTE APP LAYOUTS -# ===================================================================== -# Packing is done by the homarr_compute_layouts filter plugin (Python) -# rather than inline Jinja, so the seed template stays readable and the -# packing algorithm can be unit-tested in isolation. - -- name: Compute Homarr app layouts - ansible.builtin.set_fact: - homarr_layout: "{{ homarr_apps | digitalboard.core.homarr_compute_layouts }}" - -- name: Show computed app layouts - ansible.builtin.debug: - var: homarr_layout - verbosity: 1 - -# ===================================================================== -# 6. SEED DATABASE (only if local admin user does not exist yet) -# ===================================================================== - -- name: Check if local admin user exists - ansible.builtin.command: - cmd: sqlite3 "{{ homarr_db }}" "SELECT id FROM user WHERE id='user-local-admin';" - register: admin_exists - changed_when: false - failed_when: false - -- name: Seed Homarr database - ansible.builtin.command: - cmd: sqlite3 "{{ homarr_db }}" - stdin: "{{ lookup('template', 'homarr_seed.sql.j2') }}" - register: seed_result - changed_when: seed_result.rc == 0 - when: admin_exists.stdout == "" - notify: restart homarr diff --git a/roles/homarr/templates/docker-compose.yml.j2 b/roles/homarr/templates/docker-compose.yml.j2 deleted file mode 100644 index 2021de0..0000000 --- a/roles/homarr/templates/docker-compose.yml.j2 +++ /dev/null @@ -1,51 +0,0 @@ -#---------------------------------------------------------------------# -# Homarr — A simple, yet powerful dashboard for your server. # -#---------------------------------------------------------------------# -services: - homarr: - container_name: homarr - image: {{ homarr_image }} - restart: unless-stopped - volumes: -{% if homarr_use_docker %} - - /var/run/docker.sock:/var/run/docker.sock -{% endif %} - - {{ homarr_docker_volume_dir }}/homarr/appdata:/appdata - environment: - TZ: "Europe/Zurich" - BASE_URL: "{{ homarr_base_url }}" - NEXTAUTH_URL: "{{ homarr_base_url }}" - SECRET_ENCRYPTION_KEY: "{{ homarr_secret_encryption_key }}" - AUTH_PROVIDERS: "{{ homarr_auth_providers }}" - AUTH_OIDC_ISSUER: "{{ homarr_oidc_issuer }}" - AUTH_OIDC_CLIENT_ID: "{{ homarr_oidc_client_id }}" - AUTH_OIDC_CLIENT_SECRET: "{{ homarr_oidc_client_secret }}" - AUTH_OIDC_CLIENT_NAME: "{{ homarr_oidc_client_name | default('Keycloak') }}" - AUTH_OIDC_SCOPE_OVERWRITE: "{{ homarr_oidc_scopes | default('openid email profile groups') }}" - AUTH_OIDC_GROUPS_ATTRIBUTE: "{{ homarr_oidc_groups_attribute | default('groups') }}" - AUTH_OIDC_AUTO_LOGIN: "{{ homarr_oidc_auto_login | default('false') }}" - networks: - - {{ homarr_traefik_network }} -{% if homarr_extra_hosts | default([]) | length > 0 %} - extra_hosts: -{% for h in homarr_extra_hosts %} - - "{{ h }}" -{% endfor %} -{% endif %} - labels: - - traefik.enable=true - - traefik.docker.network={{ homarr_traefik_network }} - - traefik.http.routers.homarr.rule={% set _all_domains = [homarr_domain] + (homarr_extra_domains | default([])) %}{% for d in _all_domains %}Host(`{{ d }}`){% if not loop.last %} || {% endif %}{% endfor +%} -{% if homarr_use_ssl %} - - traefik.http.routers.homarr.entrypoints=websecure - - traefik.http.routers.homarr.tls=true -{% if traefik_cert_mode | default('selfsigned') == 'acme' %} - - traefik.http.routers.homarr.tls.certresolver={{ traefik_ssl_cert_resolver | default('dns') }} -{% endif %} -{% else %} - - traefik.http.routers.homarr.entrypoints=web -{% endif %} - - traefik.http.services.homarr.loadbalancer.server.port={{ homarr_port }} -networks: - {{ homarr_traefik_network }}: - external: true \ No newline at end of file diff --git a/roles/homarr/templates/homarr_seed.sql.j2 b/roles/homarr/templates/homarr_seed.sql.j2 deleted file mode 100644 index 1d2526b..0000000 --- a/roles/homarr/templates/homarr_seed.sql.j2 +++ /dev/null @@ -1,175 +0,0 @@ -{#- - Homarr database seed. - - The packing algorithm previously lived in this template as a Jinja - `pack()` macro with from_json/to_json round-trips. It has been - extracted to the `homarr_compute_layouts` filter plugin (see - filter_plugins/homarr_layout.py) and the result is provided as the - `homarr_layout` fact set in tasks/main.yml. This template therefore - only renders SQL — no logic. --#} -BEGIN TRANSACTION; - --- ===================================================================== --- SERVER SETTINGS --- ===================================================================== - -INSERT OR REPLACE INTO serverSetting (setting_key, value) -VALUES - ('analytics', '{"json": {"enableGeneral": false, "enableWidgetData": false, "enableIntegrationData": false, "enableUserData": false}}'), - ('culture', '{"json": {"defaultLocale": "de"}}'), - ('crawling', '{"json": {"crawlingEnabled": false}}'), - ('board', '{"json": {"homeBoardId": "board-default", "mobileHomeBoardId": "board-default", "enableStatusByDefault": true, "forceDisableStatus": false, "defaultBoardId": "board-default"}}'); - --- Skip onboarding wizard -UPDATE onboarding SET step = 'finish', previous_step = 'settings'; - --- ===================================================================== --- GROUPS (must exist before groupMember) --- ===================================================================== - --- OIDC admin group -INSERT OR IGNORE INTO "group" (id, name, owner_id, position) -VALUES ('group-oidc-admins', '{{ homarr_oidc_admin_group }}', NULL, 0); - -INSERT OR IGNORE INTO groupPermission (group_id, permission) -VALUES - ('group-oidc-admins', 'admin'), - ('group-oidc-admins', 'board-create'), - ('group-oidc-admins', 'board-full-access'), - ('group-oidc-admins', 'integration-create'), - ('group-oidc-admins', 'integration-full-access'); - --- Credentials admin group -INSERT OR IGNORE INTO "group" (id, name, owner_id, position) -VALUES ('group-credentials-admin', 'credentials-admin', NULL, 1); - -INSERT OR IGNORE INTO groupPermission (group_id, permission) -VALUES - ('group-credentials-admin', 'admin'), - ('group-credentials-admin', 'board-create'), - ('group-credentials-admin', 'board-full-access'), - ('group-credentials-admin', 'integration-create'), - ('group-credentials-admin', 'integration-full-access'); - --- ===================================================================== --- LOCAL ADMIN USER --- ===================================================================== - -INSERT OR IGNORE INTO user (id, name, email, password, email_verified, provider) -VALUES ( - 'user-local-admin', - '{{ homarr_admin_username }}', - '{{ homarr_admin_email }}', - '{{ homarr_bcrypt_hash }}', - 1, - 'credentials' -); - --- Assign admin user to groups -INSERT OR IGNORE INTO groupMember (group_id, user_id) -VALUES - ('group-credentials-admin', 'user-local-admin'), - ('group-oidc-admins', 'user-local-admin'); - --- ===================================================================== --- BOARD --- ===================================================================== - -INSERT OR IGNORE INTO board ( - id, name, is_public, - primary_color, secondary_color, opacity, - background_image_attachment, background_image_repeat, background_image_size, - item_radius, disable_status -) -VALUES ( - 'board-default', - '{{ homarr_default_board_name }}', - {% if homarr_default_board_public %}1{% else %}0{% endif %}, - '#fa5252', - '#fd7e14', - 100, - 'fixed', - 'no-repeat', - 'cover', - 'lg', - 0 -); - --- Layouts -INSERT OR IGNORE INTO layout (id, name, board_id, column_count, breakpoint) -VALUES - ('layout-desktop', 'Desktop', 'board-default', 10, 0), - ('layout-tablet', 'Tablet', 'board-default', 6, 768), - ('layout-mobile', 'Mobile', 'board-default', 2, 480); - --- Set home board for admin user (board exists now) -UPDATE user SET home_board_id = 'board-default', mobile_home_board_id = 'board-default' -WHERE id = 'user-local-admin'; - --- ===================================================================== --- SECTION --- ===================================================================== - -DELETE FROM section_layout WHERE section_id = 'section-apps'; -DELETE FROM item_layout WHERE section_id = 'section-apps'; -DELETE FROM section WHERE id = 'section-apps'; - -INSERT INTO section (id, board_id, kind, x_offset, y_offset, name, options) -VALUES ( - 'section-apps', - 'board-default', - 'empty', - 0, - 0, - 'Applications', - '{"json": {}}' -); - --- Section height is sized to fit the computed layout (see --- homarr_compute_layouts filter). It grows automatically when more --- apps or taller tiles are added. -INSERT OR REPLACE INTO section_layout (section_id, layout_id, parent_section_id, x_offset, y_offset, width, height) -VALUES - ('section-apps', 'layout-desktop', NULL, 0, 0, 10, {{ homarr_layout.section_height.desktop }}), - ('section-apps', 'layout-tablet', NULL, 0, 0, 6, {{ homarr_layout.section_height.tablet }}), - ('section-apps', 'layout-mobile', NULL, 0, 0, 2, {{ homarr_layout.section_height.mobile }}); - --- Board permissions -INSERT OR IGNORE INTO boardGroupPermission (board_id, group_id, permission) -VALUES - ('board-default', 'group-oidc-admins', 'full-access'), - ('board-default', 'group-credentials-admin', 'full-access'); - --- ===================================================================== --- APPS (positions pre-computed by homarr_compute_layouts filter) --- ===================================================================== - -{% for app in homarr_layout.apps %} --- {{ app.name }} -INSERT OR IGNORE INTO app (id, name, description, icon_url, href) -VALUES ( - 'app-{{ app.id }}', - '{{ app.name }}', - '{{ app.description | default("") }}', - '{{ app.icon }}', - '{{ app.href }}' -); - -INSERT OR IGNORE INTO item (id, board_id, kind, options, advanced_options) -VALUES ( - 'item-{{ app.id }}', - 'board-default', - 'app', - '{"json": {"appId": "app-{{ app.id }}"}}', - '{"json": {}}' -); - -INSERT OR REPLACE INTO item_layout (item_id, section_id, layout_id, x_offset, y_offset, width, height) -VALUES - ('item-{{ app.id }}', 'section-apps', 'layout-desktop', {{ app.desktop.x }}, {{ app.desktop.y }}, {{ app.desktop.w }}, {{ app.desktop.h }}), - ('item-{{ app.id }}', 'section-apps', 'layout-tablet', {{ app.tablet.x }}, {{ app.tablet.y }}, {{ app.tablet.w }}, {{ app.tablet.h }}), - ('item-{{ app.id }}', 'section-apps', 'layout-mobile', {{ app.mobile.x }}, {{ app.mobile.y }}, {{ app.mobile.w }}, {{ app.mobile.h }}); - -{% endfor %} -COMMIT; diff --git a/roles/httpbin/README.md b/roles/httpbin/README.md index 45f9286..225dd44 100644 --- a/roles/httpbin/README.md +++ b/roles/httpbin/README.md @@ -1,30 +1,38 @@ -# httpbin +Role Name +========= -Deploys [httpbin](https://httpbin.org/) (`kennethreitz/httpbin`) via -Docker Compose behind Traefik. Useful as a throwaway endpoint to verify -that the Traefik ingress path, TLS and routing work end to end. +A brief description of the role goes here. -## Role variables +Requirements +------------ -| Variable | Default | Description | -| --- | --- | --- | -| `httpbin_domain` | `httpbin.local.test` | FQDN the Traefik router matches. | -| `httpbin_image` | `kennethreitz/httpbin` | Container image. | -| `httpbin_port` | `80` | Container port Traefik forwards to. | -| `httpbin_traefik_network` | `proxy` | Docker network shared with Traefik. | -| `httpbin_use_ssl` | `true` | Route via the `websecure` entrypoint with `tls=true` (otherwise `web`). | +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. -## Example +Role Variables +-------------- -```yaml -- hosts: services - become: true - roles: - - role: digitalboard.core.httpbin - vars: - httpbin_domain: "httpbin.example.com" -``` +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. -## License +Dependencies +------------ -MIT-0 +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/httpbin/meta/main.yml b/roles/httpbin/meta/main.yml index 81e9ee6..36b9858 100644 --- a/roles/httpbin/meta/main.yml +++ b/roles/httpbin/meta/main.yml @@ -1,27 +1,35 @@ #SPDX-License-Identifier: MIT-0 galaxy_info: - author: digitalboard - description: Deploy httpbin HTTP request/response testing service via Docker Compose behind Traefik - company: Digitalboard - license: MIT-0 + author: your name + description: your role description + company: your company (optional) - min_ansible_version: "2.14" + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker - platforms: - - name: Debian - versions: - - bookworm - - name: Ubuntu - versions: - - jammy - - noble + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) - galaxy_tags: - - httpbin - - testing - - debug - - docker - - traefik - - digitalboard + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/keycloak/README.md b/roles/keycloak/README.md index a94689f..860a0b1 100644 --- a/roles/keycloak/README.md +++ b/roles/keycloak/README.md @@ -1,119 +1,65 @@ -# Keycloak +Keycloak +========= -Ansible role to deploy Keycloak with a PostgreSQL backend via Docker -Compose, published behind Traefik. Optionally provisions realm resources -(groups, users, OIDC clients, identity providers, LDAP user federations) -through the `community.general` Keycloak modules. +Ansible role to deploy Keycloak with PostgreSQL database using Docker Compose. -## Requirements +Requirements +------------ -- Docker and Docker Compose on the target host (e.g. via - `digitalboard.core.base`) -- Ansible collections: `community.docker`, and `community.general` when - `keycloak_provisioning_enabled` is true -- Traefik reverse proxy with the `proxy` network already created (for - external access) +- Docker and Docker Compose installed on the target host +- Ansible collection: `community.docker` +- Traefik reverse proxy (for external access) -## Role variables +Role Variables +-------------- -Key variables from `defaults/main.yml`: +Key variables defined in `defaults/main.yml`: -### Base configuration +**Base Configuration:** +- `docker_compose_base_dir`: Base directory for Docker Compose files (default: `/etc/docker/compose`) +- `docker_volume_base_dir`: Base directory for Docker volumes (default: `/srv/data`) -| Variable | Default | Description | -| --- | --- | --- | -| `docker_compose_base_dir` | `/etc/docker/compose` | Base dir for Compose projects. | -| `docker_volume_base_dir` | `/srv/data` | Base dir for persistent volumes. | -| `keycloak_service_name` | `keycloak` | Compose/service name; builds the per-service paths. | +**Keycloak Configuration:** +- `keycloak_service_name`: Service name (default: `keycloak`) +- `keycloak_domain`: Domain name for Keycloak (default: `auth.digitalboard.ch`) +- `keycloak_image`: Keycloak Docker image (default: `quay.io/keycloak/keycloak:24.0.1`) +- `keycloak_port`: Internal Keycloak port (default: `8080`) +- `keycloak_admin_user`: Admin username (default: `admin`) +- `keycloak_admin_password`: Admin password (default: `changeme`) +- `keycloak_log_level`: Log level (default: `INFO`) +- `keycloak_proxy_mode`: Proxy mode (default: `edge`) -### Keycloak +**PostgreSQL Configuration:** +- `keycloak_postgres_image`: PostgreSQL Docker image (default: `postgres:15`) +- `keycloak_postgres_db`: Database name (default: `keycloak`) +- `keycloak_postgres_user`: Database user (default: `keycloak`) +- `keycloak_postgres_password`: Database password (default: `changeme`) -| Variable | Default | Description | -| --- | --- | --- | -| `keycloak_domain` | `keycloak.local.test` | Host rule and `KC_HOSTNAME`. | -| `keycloak_image` | `quay.io/keycloak/keycloak:24.0.1` | Keycloak image. | -| `keycloak_port` | `8080` | Internal HTTP port advertised to Traefik. | -| `keycloak_admin_user` | `admin` | Bootstrap admin user. | -| `keycloak_admin_password` | `changeme` | Admin password — **override this**. | -| `keycloak_log_level` | `INFO` | `KC_LOG_LEVEL`. | -| `keycloak_proxy_mode` | `edge` | `KC_PROXY` mode. | -| `keycloak_gzip_enabled` | `false` | Toggle Keycloak GZIP response encoding. | -| `keycloak_truststore_certificates` | `[]` | Host PEM paths mounted into the truststore (`KC_TRUSTSTORE_PATHS`). | -| `keycloak_extra_hosts` | `[]` | Extra `host:ip` entries for the container. | +**Traefik Configuration:** +- `keycloak_traefik_network`: Traefik network name (default: `proxy`) +- `keycloak_backend_network`: Backend network name (default: `backend`) +- `keycloak_use_ssl`: Enable SSL (default: `true`) +- `keycloak_cert_resolver`: Certificate resolver name (default: `dns`) -### PostgreSQL +Dependencies +------------ -| Variable | Default | Description | -| --- | --- | --- | -| `keycloak_postgres_image` | `postgres:15` | PostgreSQL image. | -| `keycloak_postgres_db` | `keycloak` | Database name. | -| `keycloak_postgres_user` | `keycloak` | Database user. | -| `keycloak_postgres_password` | `changeme` | Database password — **override this**. | +This role requires the Traefik reverse proxy to be configured and the `proxy` network to be created. -### Traefik - -| Variable | Default | Description | -| --- | --- | --- | -| `keycloak_traefik_network` | `proxy` | External Traefik network. | -| `keycloak_backend_network` | `backend` | Internal network to PostgreSQL. | -| `keycloak_use_ssl` | `true` | Route on `websecure` with `tls=true` instead of `web`. | - -TLS is requested from Traefik via `tls=true`; the role does not set a -certificate resolver, so Traefik issues/serves the certificate according -to its own configuration. - -### Provisioning (optional) - -Provisioning runs only when `keycloak_provisioning_enabled` is true. The -tasks wait for the `/health/ready` endpoint and then call the -`community.general.keycloak_*` modules, delegated to `localhost` against -`keycloak_auth_url` (derived from `keycloak_use_ssl` + `keycloak_domain`). - -| Variable | Default | Description | -| --- | --- | --- | -| `keycloak_provisioning_enabled` | `false` | Enable realm provisioning. | -| `keycloak_realm` | `default` | Target realm; created unless `master`. | -| `keycloak_realm_display_name` | `Default Realm` | Realm display name. | -| `keycloak_auth_url` | derived | API base URL for provisioning. | -| `keycloak_groups` | `[]` | Groups to create. | -| `keycloak_local_users` | `[]` | Local users to create. | -| `keycloak_oidc_clients` | `[]` | OIDC clients to create. | -| `keycloak_identity_providers` | `[]` | Identity providers (e.g. Entra ID). | -| `keycloak_user_federations` | `[]` | LDAP user federations. | -| `keycloak_removed_users` | `[]` | Usernames to delete. | -| `keycloak_removed_groups` | `[]` | Group names to delete. | -| `keycloak_removed_clients` | `[]` | Client IDs to delete. | -| `keycloak_removed_identity_providers` | `[]` | IdP aliases to delete. | -| `keycloak_removed_user_federations` | `[]` | Federation names to delete. | - -See `defaults/main.yml` for the full entry shape of each list. - -## Dependencies - -This role requires the Traefik reverse proxy to be configured and the -`proxy` network to be created beforehand (it is referenced as an external -network in the Compose file). The `backend` network is created by the -Compose project itself. - -## Example playbook +Example Playbook +---------------- ```yaml - hosts: backend_servers roles: - - role: digitalboard.core.keycloak + - role: keycloak vars: keycloak_domain: "auth.example.com" - keycloak_admin_password: "{{ vault_keycloak_admin_password }}" - keycloak_postgres_password: "{{ vault_keycloak_pg_password }}" - keycloak_provisioning_enabled: true - keycloak_oidc_clients: - - client_id: nextcloud - name: "Nextcloud" - client_secret: "{{ vault_nextcloud_client_secret }}" - redirect_uris: - - "https://nextcloud.example.com/apps/user_oidc/code" + keycloak_admin_password: "secure_password" + keycloak_postgres_password: "secure_db_password" ``` -## License +License +------- MIT-0 diff --git a/roles/keycloak/meta/main.yml b/roles/keycloak/meta/main.yml index fc62b75..36b9858 100644 --- a/roles/keycloak/meta/main.yml +++ b/roles/keycloak/meta/main.yml @@ -1,27 +1,35 @@ #SPDX-License-Identifier: MIT-0 galaxy_info: - author: digitalboard - description: Deploy Keycloak with a PostgreSQL backend via Docker Compose behind Traefik - company: Digitalboard - license: MIT-0 + author: your name + description: your role description + company: your company (optional) - min_ansible_version: "2.14" + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker - platforms: - - name: Debian - versions: - - bookworm - - name: Ubuntu - versions: - - jammy - - noble + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) - galaxy_tags: - - keycloak - - oidc - - sso - - docker - - traefik - - digitalboard + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/knot/README.md b/roles/knot/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/roles/knot/README.md @@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/opnform/vars/main.yml b/roles/knot/defaults/main.yml similarity index 59% rename from roles/opnform/vars/main.yml rename to roles/knot/defaults/main.yml index 94900f8..426eeb2 100644 --- a/roles/opnform/vars/main.yml +++ b/roles/knot/defaults/main.yml @@ -1,3 +1,3 @@ #SPDX-License-Identifier: MIT-0 --- -# vars file for opnform \ No newline at end of file +# defaults file for knot diff --git a/roles/knot/handlers/main.yml b/roles/knot/handlers/main.yml new file mode 100644 index 0000000..8bad0a6 --- /dev/null +++ b/roles/knot/handlers/main.yml @@ -0,0 +1,3 @@ +#SPDX-License-Identifier: MIT-0 +--- +# handlers file for knot diff --git a/roles/knot/meta/main.yml b/roles/knot/meta/main.yml new file mode 100644 index 0000000..6f91fd3 --- /dev/null +++ b/roles/knot/meta/main.yml @@ -0,0 +1,35 @@ +#SPDX-License-Identifier: MIT-0 +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.2 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/send/vars/main.yml b/roles/knot/tasks/main.yml similarity index 62% rename from roles/send/vars/main.yml rename to roles/knot/tasks/main.yml index b2a6b30..3d4e3d2 100644 --- a/roles/send/vars/main.yml +++ b/roles/knot/tasks/main.yml @@ -1,3 +1,3 @@ #SPDX-License-Identifier: MIT-0 --- -# vars file for send +# tasks file for knot diff --git a/roles/homarr/tests/inventory b/roles/knot/tests/inventory similarity index 97% rename from roles/homarr/tests/inventory rename to roles/knot/tests/inventory index 712db59..03ca42f 100644 --- a/roles/homarr/tests/inventory +++ b/roles/knot/tests/inventory @@ -1,2 +1,3 @@ #SPDX-License-Identifier: MIT-0 localhost + diff --git a/roles/talk/tests/test.yml b/roles/knot/tests/test.yml similarity index 88% rename from roles/talk/tests/test.yml rename to roles/knot/tests/test.yml index a3c7d07..a97d461 100644 --- a/roles/talk/tests/test.yml +++ b/roles/knot/tests/test.yml @@ -3,4 +3,4 @@ - hosts: localhost remote_user: root roles: - - talk + - knot diff --git a/roles/talk/vars/main.yml b/roles/knot/vars/main.yml similarity index 63% rename from roles/talk/vars/main.yml rename to roles/knot/vars/main.yml index a131766..7d700ba 100644 --- a/roles/talk/vars/main.yml +++ b/roles/knot/vars/main.yml @@ -1,3 +1,3 @@ #SPDX-License-Identifier: MIT-0 --- -# vars file for talk +# vars file for knot diff --git a/roles/nextcloud/README.md b/roles/nextcloud/README.md deleted file mode 100644 index f4cafa9..0000000 --- a/roles/nextcloud/README.md +++ /dev/null @@ -1,124 +0,0 @@ -# Nextcloud - -Ansible role to deploy [Nextcloud](https://nextcloud.com/) (fpm) with -Postgres and Redis via Docker Compose, optional Collabora WOPI -integration, optional draw.io integration, optional notify_push -companion, optional S3 primary storage, plus OIDC and LDAP user -backends. - -## What this role does - -- Renders the Compose stack with traefik labels and TLS -- Installs and enables a configurable list of Nextcloud apps idempotently -- Configures Collabora (richdocuments), draw.io, OIDC providers and - LDAP via `occ` — every setting is read first and only written when - the stored value differs, so re-runs don't churn -- Sets up notify_push (when enabled) -- Applies an in-container PHP source workaround for the upstream - `UserConfig::getValueBool` TypeError (nextcloud/server#59629, fixed in - master via PR #59646 with no stable33 backport before 33.0.4). - Idempotent via grep guard; remove the patch task once - `nextcloud_image` is >= 33.0.4. - -## Requirements - -- Docker and Docker Compose installed on the target host -- Ansible collection: `community.docker` -- Traefik with a shared `nextcloud_traefik_network` (default `proxy`) - -## Role variables - -Full spec with types and defaults: `meta/argument_specs.yml`. The most -common overrides: - -### Service - -- `nextcloud_domains`: FQDNs the router accepts. First entry is the - canonical hostname (used for `OVERWRITEHOST` and notify_push setup). - Further entries cover internal `*.int.*` names so Collabora's WOPI - callback hits the instance on a name with a valid cert. -- `nextcloud_admin_password`, `nextcloud_postgres_password` (required). -- `nextcloud_memory_limit_mb`, `nextcloud_upload_limit_mb`. - -### Collabora - -- `nextcloud_enable_collabora`: toggle integration with a separately - deployed Collabora server (see the `collabora` role). -- `nextcloud_collabora_domain`: server-to-server hostname. -- `nextcloud_collabora_public_domain` (optional): browser-facing - hostname when split-horizon uses different names. - -### Draw.io - -- `nextcloud_enable_drawio`: enable the `integration_drawio` app. -- `nextcloud_drawio_url`: public draw.io URL. -- `nextcloud_drawio_theme`, `nextcloud_drawio_offline`. - -### Notify push - -- `nextcloud_enable_notify_push`: deploy the notify_push companion. -- `nextcloud_notify_push_domain` (optional): override the hostname - used by `occ notify_push:setup` to avoid hairpinning through the DMZ. - -### S3 primary storage - -Set `nextcloud_use_s3_storage: true` plus the `nextcloud_s3_*` block to -point Nextcloud at an external S3-compatible store (e.g. Garage, MinIO). - -### OIDC - -`nextcloud_oidc_providers` is a list of OIDC providers registered with -`user_oidc`. Required fields per entry: `identifier`, `display_name`, -`client_id`, `client_secret`, `discovery_url`. - -### LDAP - -Set `nextcloud_ldap_enabled: true` and provide `nextcloud_ldap_config` -as a dict of `occ ldap:set-config s01 KEY VALUE` pairs. The role reads -the current LDAP config via `occ ldap:show-config s01 --output=json` -and only calls `ldap:set-config` for keys whose stored value differs. - -## Dependencies - -- Traefik network (`nextcloud_traefik_network`, default `proxy`) -- Optional: `collabora`, `drawio`, `garage` roles for the corresponding - integrations -- Optional: an OIDC provider (Keycloak, authentik) reachable from - Nextcloud and a 389ds LDAP server when using `user_ldap` - -## Example playbook - -```yaml -- hosts: app_servers - roles: - - role: digitalboard.core.nextcloud - vars: - nextcloud_domains: - - "cloud.example.com" - - "cloud.int.example.com" - nextcloud_admin_password: "{{ vault_nextcloud_admin_password }}" - nextcloud_postgres_password: "{{ vault_nextcloud_pg_password }}" - - nextcloud_enable_collabora: true - nextcloud_collabora_domain: "office.int.example.com" - nextcloud_collabora_public_domain: "office.example.com" - - nextcloud_enable_notify_push: true - nextcloud_notify_push_domain: "cloud.int.example.com" - - nextcloud_oidc_providers: - - identifier: authentik - display_name: "Login with Authentik" - client_id: nextcloud - client_secret: "{{ vault_nextcloud_oidc_secret }}" - discovery_url: "https://auth.example.com/application/o/nextcloud/.well-known/openid-configuration" - mapping: - uid: preferred_username - display_name: name - email: email - groups: groups -``` - -## License - -MIT-0 diff --git a/roles/nextcloud/defaults/main.yml b/roles/nextcloud/defaults/main.yml index a5decb1..0adf71e 100644 --- a/roles/nextcloud/defaults/main.yml +++ b/roles/nextcloud/defaults/main.yml @@ -9,17 +9,11 @@ nextcloud_service_name: nextcloud nextcloud_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ nextcloud_service_name }}" nextcloud_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ nextcloud_service_name }}" -# FQDNs the nextcloud router accepts. The first entry is the canonical -# domain (used for OVERWRITEHOST and the notify_push setup); further -# entries cover internal *.int.* names so collabora's WOPI callback -# hits us on a name with a valid cert. -nextcloud_domains: - - "nextcloud.local.test" +nextcloud_domain: "nextcloud.local.test" nextcloud_image: "nextcloud:fpm" nextcloud_redis_image: "redis:latest" nextcloud_port: 80 nextcloud_extra_hosts: [] -nextcloud_extra_networks: [] nextcloud_allow_local_remote_servers: false # Set to true to allow requests to local network (dev only) nextcloud_postgres_image: "postgres:15" @@ -64,33 +58,6 @@ nextcloud_trusted_proxies: "172.16.0.0/12" # File locking and real-time push notifications nextcloud_enable_notify_push: false -nextcloud_notify_push_image: "icewind1991/notify_push:1.3.1" -# Domain used when calling `occ notify_push:setup`. Defaults to the -# first nextcloud_domains entry (the canonical public name). Override -# with an internal FQDN to avoid hairpinning the setup check through -# the DMZ; the FQDN must also be in nextcloud_domains so the push -# router matches it. -# nextcloud_notify_push_domain: "cloud.int.example.com" - -# Nextcloud Talk: register external HPB signaling + TURN + STUN -# Set to true to run tasks/talk.yml after Nextcloud is up. -nextcloud_enable_talk: false - -# HPB signaling servers to register. -# Each item: { server: "https://signaling.example.test", secret: "", verify: true } -nextcloud_talk_signaling_servers: [] -# Hostnames/URLs to remove via `talk:signaling:delete` before adding the new set. -nextcloud_talk_signaling_servers_removed: [] - -# TURN servers to register. -# Each item: { server: "stun.example.test:443", secret: "", schemes: "turn,turns", protocols: "udp,tcp" } -nextcloud_talk_turn_servers: [] -# Clear the spreed.turn_servers config key before re-adding (single source of truth) -nextcloud_talk_turn_reset_before_add: true - -# Plain STUN endpoints (host:port). Optional; usually not needed if TURN servers handle STUN too. -nextcloud_talk_stun_servers: [] -nextcloud_talk_stun_servers_removed: [] # Non-default apps to install and enable nextcloud_apps_to_install: diff --git a/roles/nextcloud/meta/argument_specs.yml b/roles/nextcloud/meta/argument_specs.yml deleted file mode 100644 index b314889..0000000 --- a/roles/nextcloud/meta/argument_specs.yml +++ /dev/null @@ -1,253 +0,0 @@ ---- -argument_specs: - main: - short_description: Deploy Nextcloud (fpm) + Redis + Postgres via Docker Compose. - description: - - Renders a Compose stack for Nextcloud with traefik labels, optional - Collabora WOPI integration, optional draw.io integration, optional - notify_push companion, optional S3 primary storage, OIDC providers - and LDAP user backend. - - "All C(occ)-driven configuration tasks are idempotent: each setting - is read with C(config:app:get) (or C(ldap:show-config)) first and - only written when the stored value differs." - options: - docker_compose_base_dir: - type: path - default: /etc/docker/compose - docker_volume_base_dir: - type: path - default: /srv/data - nextcloud_service_name: - type: str - default: nextcloud - nextcloud_docker_compose_dir: - type: path - nextcloud_docker_volume_dir: - type: path - - nextcloud_domains: - type: list - elements: str - default: ['nextcloud.local.test'] - description: - - FQDNs the nextcloud router accepts. The first entry is the - canonical domain (used for C(OVERWRITEHOST) and the - C(notify_push) setup). Further entries cover internal C(*.int.*) - names so Collabora's WOPI callback hits the instance on a name - with a valid certificate. - nextcloud_image: - type: str - default: nextcloud:fpm - nextcloud_redis_image: - type: str - default: redis:latest - nextcloud_port: - type: int - default: 80 - nextcloud_extra_hosts: - type: list - elements: str - default: [] - nextcloud_extra_networks: - type: list - elements: str - default: [] - nextcloud_allow_local_remote_servers: - type: bool - default: false - description: Allow requests to local network from Nextcloud (dev only). - - nextcloud_postgres_image: - type: str - default: postgres:15 - nextcloud_postgres_db: - type: str - default: nextcloud - nextcloud_postgres_user: - type: str - default: nextcloud - nextcloud_postgres_password: - type: str - required: true - - nextcloud_backend_network: - type: str - default: nextcloud-internal - nextcloud_traefik_network: - type: str - default: proxy - nextcloud_use_ssl: - type: bool - default: true - - nextcloud_enable_collabora: - type: bool - default: true - nextcloud_collabora_domain: - type: str - default: office.local.test - description: Hostname Nextcloud uses to talk to Collabora server-to-server. - nextcloud_collabora_public_domain: - type: str - description: - - Optional browser-facing hostname for Collabora; defaults to - C(nextcloud_collabora_domain) when unset. Set when split-horizon - uses different names for browser and server traffic. - nextcloud_collabora_disable_cert_verification: - type: bool - default: false - - nextcloud_enable_drawio: - type: bool - default: false - description: Enable the integration_drawio Nextcloud app and configure the URL/theme. - nextcloud_drawio_url: - type: str - default: '' - description: Public draw.io URL used by the integration_drawio app. - nextcloud_drawio_theme: - type: str - choices: [kennedy, atlas, dark, sketch, min] - default: kennedy - nextcloud_drawio_offline: - type: str - choices: ['yes', 'no'] - default: 'yes' - - nextcloud_use_s3_storage: - type: bool - default: false - description: Use S3 primary object storage instead of the local data dir. - nextcloud_s3_key: - type: str - default: changeme - nextcloud_s3_secret: - type: str - default: changeme - nextcloud_s3_region: - type: str - default: us-east-1 - nextcloud_s3_bucket: - type: str - default: nextcloud - nextcloud_s3_host: - type: str - default: s3.example.com - nextcloud_s3_port: - type: int - default: 443 - nextcloud_s3_ssl: - type: bool - default: true - nextcloud_s3_usepath_style: - type: bool - default: true - nextcloud_s3_autocreate: - type: bool - default: false - - nextcloud_admin_user: - type: str - default: admin - nextcloud_admin_password: - type: str - required: true - nextcloud_memory_limit_mb: - type: int - default: 1024 - nextcloud_upload_limit_mb: - type: int - default: 2048 - nextcloud_scale_factor: - type: int - default: 2 - - nextcloud_trusted_proxies: - type: str - default: '172.16.0.0/12' - description: Trusted proxy CIDR(s) — by default the Docker internal range. - - nextcloud_enable_notify_push: - type: bool - default: false - nextcloud_notify_push_image: - type: str - default: icewind1991/notify_push:1.3.1 - nextcloud_notify_push_domain: - type: str - description: - - Hostname used when calling C(occ notify_push:setup). Defaults to - the first C(nextcloud_domains) entry. Override with an internal - FQDN to avoid hairpinning the setup check through the DMZ; the - FQDN must also be in C(nextcloud_domains). - - nextcloud_apps_to_install: - type: list - elements: str - default: - - groupfolders - - richdocuments - - spreed - - user_ldap - - user_oidc - - whiteboard - - files_lock - - notify_push - description: - - Non-default Nextcloud apps to install + enable. - Install/enable detection is idempotent — re-runs report C(ok) - when the app is already present and enabled. - - nextcloud_oidc_allow_selfsigned: - type: bool - default: false - nextcloud_oidc_providers: - type: list - elements: dict - default: [] - description: OIDC providers registered with the user_oidc app. - options: - identifier: - type: str - required: true - display_name: - type: str - required: true - client_id: - type: str - required: true - client_secret: - type: str - required: true - discovery_url: - type: str - required: true - scope: - type: str - default: openid email profile - unique_uid: - type: bool - default: true - check_bearer: - type: bool - default: false - send_id_token_hint: - type: bool - default: true - mapping: - type: dict - nextcloud_oidc_providers_removed: - type: list - elements: str - default: [] - - nextcloud_ldap_enabled: - type: bool - default: false - nextcloud_ldap_config: - type: dict - default: {} - description: - - Key/value pairs passed to C(occ ldap:set-config s01 KEY VALUE). - The role reads the current config first and only invokes - C(set-config) when a stored value differs. diff --git a/roles/nextcloud/meta/main.yml b/roles/nextcloud/meta/main.yml deleted file mode 100644 index 1acd37d..0000000 --- a/roles/nextcloud/meta/main.yml +++ /dev/null @@ -1,28 +0,0 @@ -#SPDX-License-Identifier: MIT-0 -galaxy_info: - author: digitalboard - description: Deploy Nextcloud (fpm) + Redis + Postgres via Docker Compose behind Traefik - company: Digitalboard - license: MIT-0 - - min_ansible_version: "2.14" - - platforms: - - name: Debian - versions: - - bookworm - - name: Ubuntu - versions: - - jammy - - noble - - galaxy_tags: - - nextcloud - - files - - collabora - - oidc - - docker - - traefik - - digitalboard - -dependencies: [] diff --git a/roles/nextcloud/tasks/collabora.yml b/roles/nextcloud/tasks/collabora.yml index d9d4f62..05c56e4 100644 --- a/roles/nextcloud/tasks/collabora.yml +++ b/roles/nextcloud/tasks/collabora.yml @@ -1,55 +1,22 @@ #SPDX-License-Identifier: MIT-0 --- # tasks file for configuring Collabora in Nextcloud -- name: Read current richdocuments config values - community.docker.docker_container_exec: - container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1" - command: php /var/www/html/occ config:app:get richdocuments {{ item }} - loop: - - wopi_url - - public_wopi_url - - disable_certificate_verification - - wopi_allowlist - register: _richdocuments_current - changed_when: false - failed_when: false - -- name: Build map of current richdocuments config - ansible.builtin.set_fact: - _richdocuments_cfg: "{{ _richdocuments_cfg | default({}) | combine({item.item: (item.stdout | default('')).strip()}) }}" - loop: "{{ _richdocuments_current.results }}" - loop_control: - label: "{{ item.item }}" - -- name: Configure Collabora WOPI URL (server-to-server) +- name: Configure Collabora WOPI URL community.docker.docker_container_exec: container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1" command: php /var/www/html/occ config:app:set richdocuments wopi_url --value=https://{{ nextcloud_collabora_domain }} - when: _richdocuments_cfg.wopi_url != ('https://' ~ nextcloud_collabora_domain) - -- name: Configure Collabora public WOPI URL (browser-facing) - community.docker.docker_container_exec: - container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1" - command: php /var/www/html/occ config:app:set richdocuments public_wopi_url --value=https://{{ nextcloud_collabora_public_domain }} - when: - - nextcloud_collabora_public_domain is defined - - nextcloud_collabora_public_domain != nextcloud_collabora_domain - - _richdocuments_cfg.public_wopi_url != ('https://' ~ nextcloud_collabora_public_domain) - name: Configure certificate verification for Collabora community.docker.docker_container_exec: container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1" command: php /var/www/html/occ config:app:set richdocuments disable_certificate_verification --value={{ nextcloud_collabora_disable_cert_verification | ternary('yes', 'no') }} - when: _richdocuments_cfg.disable_certificate_verification != (nextcloud_collabora_disable_cert_verification | ternary('yes', 'no')) - name: Set Collabora WOPI allowlist community.docker.docker_container_exec: container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1" command: php /var/www/html/occ config:app:set richdocuments wopi_allowlist --value='' - when: _richdocuments_cfg.wopi_allowlist | default('') != '' - name: Activate richdocuments configuration (fetch discovery from Collabora) community.docker.docker_container_exec: container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1" - command: php /var/www/html/occ richdocuments:activate-config - changed_when: false \ No newline at end of file + command: php /var/www/html/occ richdocuments:activate-config \ No newline at end of file diff --git a/roles/nextcloud/tasks/drawio.yml b/roles/nextcloud/tasks/drawio.yml index e693862..bd2e17e 100644 --- a/roles/nextcloud/tasks/drawio.yml +++ b/roles/nextcloud/tasks/drawio.yml @@ -2,41 +2,18 @@ --- # tasks file for configuring draw.io in Nextcloud -- name: Read current drawio config values - community.docker.docker_container_exec: - container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1" - command: php /var/www/html/occ config:app:get drawio {{ item }} - loop: - - DrawioUrl - - DrawioTheme - - DrawioOffline - register: _drawio_current - changed_when: false - failed_when: false - -- name: Build map of current drawio config - ansible.builtin.set_fact: - _drawio_cfg: "{{ _drawio_cfg | default({}) | combine({item.item: (item.stdout | default('')).strip()}) }}" - loop: "{{ _drawio_current.results }}" - loop_control: - label: "{{ item.item }}" - - name: Configure draw.io URL community.docker.docker_container_exec: container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1" command: php /var/www/html/occ config:app:set drawio DrawioUrl --value={{ nextcloud_drawio_url }} - when: - - nextcloud_drawio_url | length > 0 - - _drawio_cfg.DrawioUrl != nextcloud_drawio_url + when: nextcloud_drawio_url | length > 0 - name: Configure draw.io theme community.docker.docker_container_exec: container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1" command: php /var/www/html/occ config:app:set drawio DrawioTheme --value={{ nextcloud_drawio_theme }} - when: _drawio_cfg.DrawioTheme != (nextcloud_drawio_theme | string) - name: Configure draw.io offline mode community.docker.docker_container_exec: container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1" - command: php /var/www/html/occ config:app:set drawio DrawioOffline --value={{ nextcloud_drawio_offline }} - when: _drawio_cfg.DrawioOffline != (nextcloud_drawio_offline | string) \ No newline at end of file + command: php /var/www/html/occ config:app:set drawio DrawioOffline --value={{ nextcloud_drawio_offline }} \ No newline at end of file diff --git a/roles/nextcloud/tasks/ldap.yml b/roles/nextcloud/tasks/ldap.yml index 89618d5..dcb2392 100644 --- a/roles/nextcloud/tasks/ldap.yml +++ b/roles/nextcloud/tasks/ldap.yml @@ -15,24 +15,6 @@ command: php /var/www/html/occ ldap:create-empty-config when: "'s01' not in ldap_show_config.stdout" -- name: Read current LDAP config for s01 - community.docker.docker_container_exec: - container: "{{ nextcloud_service_name }}-nextcloud-1" - command: php /var/www/html/occ ldap:show-config s01 --output=json - register: _ldap_show_s01 - changed_when: false - failed_when: false - -- name: Parse current LDAP config - ansible.builtin.set_fact: - _ldap_current: >- - {{ - (_ldap_show_s01.stdout | from_json) if ( - (_ldap_show_s01.stdout | default('') | trim) is match('^[\\[{]') - ) else {} - }} - when: _ldap_show_s01.rc | default(1) == 0 - - name: Configure LDAP settings community.docker.docker_container_exec: container: "{{ nextcloud_service_name }}-nextcloud-1" @@ -47,7 +29,6 @@ loop_control: label: "{{ item.key }}" no_log: true - when: ((_ldap_current | default({})).get(item.key) | default(none) | string) != (item.value | string) - name: Test LDAP configuration community.docker.docker_container_exec: diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml index c43bc4d..530baf7 100644 --- a/roles/nextcloud/tasks/main.yml +++ b/roles/nextcloud/tasks/main.yml @@ -19,12 +19,6 @@ state: directory mode: '0755' -- name: Ensure extra networks exist - community.docker.docker_network: - name: "{{ item }}" - state: present - loop: "{{ nextcloud_extra_networks }}" - - name: Create docker-compose file for nextcloud template: src: docker-compose.yml.j2 @@ -49,61 +43,6 @@ project_src: "{{ nextcloud_docker_compose_dir }}" state: present -# nextcloud/server#59629: UserConfig::getValueBool() passes a non-string from -# getTypedValue() into strtolower() under PHP 8.x + OPcache, throwing a -# TypeError on every authenticated request once user_ldap is involved. Fix -# is in master (PR #59646) but no stable33 backport landed before 33.0.4. -# Apply the (string) cast in-container; idempotent via grep guard. Remove -# this block once nextcloud_image >= 33.0.4. -- name: Discover nextcloud php containers needing the UserConfig patch - ansible.builtin.shell: - cmd: >- - docker ps --filter "label=com.docker.compose.project={{ nextcloud_docker_compose_dir | basename }}" - --filter "label=com.docker.compose.service=nextcloud" - --format '{% raw %}{{.Names}}{% endraw %}' - register: _nextcloud_php_containers - changed_when: false - -- name: Check UserConfig.php patch status per container - ansible.builtin.shell: - # rc 0 -> already patched; rc 1 -> still the unpatched original; rc 2 -> - # neither marker present (upstream drift -> the guard task below fails loud). - cmd: >- - docker exec {{ item }} sh -c ' - grep -q "strtolower((string)\$this->getTypedValue" /var/www/html/lib/private/Config/UserConfig.php && exit 0; - grep -q "strtolower(\$this->getTypedValue" /var/www/html/lib/private/Config/UserConfig.php && exit 1; - exit 2' - loop: "{{ _nextcloud_php_containers.stdout_lines }}" - register: _nextcloud_userconfig_check - changed_when: false - failed_when: false - -- name: Fail if the UserConfig.php source drifted from the expected upstream line - ansible.builtin.fail: - msg: >- - Neither the patched nor the expected original strtolower($this->getTypedValue(...)) - line was found in {{ item.item }}:/var/www/html/lib/private/Config/UserConfig.php. - The nextcloud/server#59629 workaround can no longer locate its target — the upstream - source likely changed. Re-verify whether the fix shipped (then drop this block) or - update the sed expression. Silently skipping would let the TypeError regress. - loop: "{{ _nextcloud_userconfig_check.results }}" - loop_control: - label: "{{ item.item }}" - when: - - item.rc | default(2) == 2 - -- name: Apply UserConfig::getValueBool string-cast workaround - ansible.builtin.shell: - cmd: >- - docker exec {{ item.item }} - sed -i 's|$b = strtolower($this->getTypedValue|$b = strtolower((string)$this->getTypedValue|' - /var/www/html/lib/private/Config/UserConfig.php - loop: "{{ _nextcloud_userconfig_check.results }}" - loop_control: - label: "{{ item.item }}" - when: - - item.rc | default(2) == 1 - - name: Wait for Nextcloud to be ready ansible.builtin.shell: cmd: docker compose exec -T nextcloud php /var/www/html/occ status --output=json @@ -146,7 +85,3 @@ - name: Configure OIDC providers ansible.builtin.include_tasks: oidc.yml when: nextcloud_oidc_providers | length > 0 or nextcloud_oidc_providers_removed | length > 0 - -- name: Configure Nextcloud Talk (HPB + TURN + STUN) - ansible.builtin.include_tasks: talk.yml - when: nextcloud_enable_talk diff --git a/roles/nextcloud/tasks/notify_push.yml b/roles/nextcloud/tasks/notify_push.yml index 2fba4d9..18dbb8b 100644 --- a/roles/nextcloud/tasks/notify_push.yml +++ b/roles/nextcloud/tasks/notify_push.yml @@ -2,16 +2,7 @@ --- # tasks file for configuring notify_push in Nextcloud -- name: Read current notify_push base endpoint - community.docker.docker_container_exec: - container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1" - command: php /var/www/html/occ config:app:get notify_push base_endpoint - register: _notify_push_current - changed_when: false - failed_when: false - - name: Configure notify_push base endpoint community.docker.docker_container_exec: container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1" - command: php /var/www/html/occ notify_push:setup https://{{ nextcloud_notify_push_domain | default(nextcloud_domains[0]) }}/push - when: (_notify_push_current.stdout | default('') | trim) != ('https://' ~ (nextcloud_notify_push_domain | default(nextcloud_domains[0])) ~ '/push') \ No newline at end of file + command: php /var/www/html/occ notify_push:setup https://{{ nextcloud_domain }}/push \ No newline at end of file diff --git a/roles/nextcloud/tasks/plugins.yml b/roles/nextcloud/tasks/plugins.yml index a93e37c..2a6d8a5 100644 --- a/roles/nextcloud/tasks/plugins.yml +++ b/roles/nextcloud/tasks/plugins.yml @@ -8,9 +8,7 @@ chdir: "{{ nextcloud_docker_compose_dir }}" loop: "{{ nextcloud_apps_to_install }}" register: app_install_result - changed_when: - - "'already installed' not in app_install_result.stdout" - - "'installed' in app_install_result.stdout" + changed_when: "'installed' in app_install_result.stdout" failed_when: - app_install_result.rc != 0 - "'already installed' not in app_install_result.stdout" @@ -21,9 +19,7 @@ chdir: "{{ nextcloud_docker_compose_dir }}" loop: "{{ nextcloud_apps_to_install }}" register: app_enable_result - changed_when: - - "'already enabled' not in app_enable_result.stdout" - - "'enabled' in app_enable_result.stdout" + changed_when: "'enabled' in app_enable_result.stdout" failed_when: - app_enable_result.rc != 0 - "'already enabled' not in app_enable_result.stdout" diff --git a/roles/nextcloud/tasks/talk.yml b/roles/nextcloud/tasks/talk.yml deleted file mode 100644 index aaf67e3..0000000 --- a/roles/nextcloud/tasks/talk.yml +++ /dev/null @@ -1,70 +0,0 @@ -#SPDX-License-Identifier: MIT-0 ---- -# tasks file for configuring Nextcloud Talk HPB + TURN + STUN registration - -# --- HPB / signaling ----------------------------------------------------------- - -- name: Remove HPB signaling servers no longer in use - community.docker.docker_container_exec: - container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1" - command: php /var/www/html/occ talk:signaling:delete {{ item }} - loop: "{{ nextcloud_talk_signaling_servers_removed }}" - register: _talk_sig_removed - changed_when: "'deleted' in (_talk_sig_removed.stdout | default(''))" - failed_when: - - _talk_sig_removed.rc != 0 - - "'is not configured' not in (_talk_sig_removed.stderr | default(''))" - -- name: Register HPB signaling servers - community.docker.docker_container_exec: - container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1" - command: > - php /var/www/html/occ talk:signaling:add - {{ item.server }} - {{ item.secret }} - {% if item.verify | default(true) %}--verify{% endif %} - loop: "{{ nextcloud_talk_signaling_servers }}" - no_log: true - -# --- TURN ---------------------------------------------------------------------- -# `talk:turn:add` appends without deduplication, so on each run we first clear -# the list via the underlying app config key (turn_servers, JSON array) and -# then re-add the declared set. This keeps the host_vars list as the single -# source of truth. - -- name: Reset TURN server list before re-applying - community.docker.docker_container_exec: - container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1" - command: php /var/www/html/occ config:app:set spreed turn_servers --value='[]' - when: nextcloud_talk_turn_reset_before_add | bool - -- name: Register TURN servers - community.docker.docker_container_exec: - container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1" - command: > - php /var/www/html/occ talk:turn:add - {{ item.schemes | default('turn,turns') }} - {{ item.server }} - {{ item.protocols | default('udp,tcp') }} - --secret={{ item.secret }} - loop: "{{ nextcloud_talk_turn_servers }}" - no_log: true - -# --- STUN ---------------------------------------------------------------------- - -- name: Remove STUN servers no longer in use - community.docker.docker_container_exec: - container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1" - command: php /var/www/html/occ talk:stun:delete {{ item }} - loop: "{{ nextcloud_talk_stun_servers_removed }}" - register: _talk_stun_removed - changed_when: "'deleted' in (_talk_stun_removed.stdout | default(''))" - failed_when: - - _talk_stun_removed.rc != 0 - - "'is not configured' not in (_talk_stun_removed.stderr | default(''))" - -- name: Register STUN servers - community.docker.docker_container_exec: - container: "{{ nextcloud_docker_compose_dir | basename }}-nextcloud-1" - command: php /var/www/html/occ talk:stun:add {{ item }} - loop: "{{ nextcloud_talk_stun_servers }}" diff --git a/roles/nextcloud/templates/docker-compose.yml.j2 b/roles/nextcloud/templates/docker-compose.yml.j2 index 365a766..9a98033 100644 --- a/roles/nextcloud/templates/docker-compose.yml.j2 +++ b/roles/nextcloud/templates/docker-compose.yml.j2 @@ -35,13 +35,10 @@ services: labels: - traefik.enable=true - traefik.docker.network={{ nextcloud_traefik_network }} - - traefik.http.routers.{{ nextcloud_service_name }}.rule={% for d in nextcloud_domains %}Host(`{{ d }}`){% if not loop.last %} || {% endif %}{% endfor +%} + - traefik.http.routers.{{ nextcloud_service_name }}.rule=Host(`{{ nextcloud_domain }}`) {% if nextcloud_use_ssl %} - traefik.http.routers.{{ nextcloud_service_name }}.entrypoints=websecure - traefik.http.routers.{{ nextcloud_service_name }}.tls=true -{% if traefik_cert_mode | default('selfsigned') == 'acme' %} - - traefik.http.routers.{{ nextcloud_service_name }}.tls.certresolver={{ traefik_ssl_cert_resolver | default('dns') }} -{% endif %} {% else %} - traefik.http.routers.{{ nextcloud_service_name }}.entrypoints=web {% endif %} @@ -63,21 +60,12 @@ services: PHP_MEMORY_LIMIT: {{ nextcloud_memory_limit_mb }}M PHP_UPLOAD_LIMIT: {{ nextcloud_upload_limit_mb }}M OVERWRITEPROTOCOL: https - OVERWRITEHOST: {{ nextcloud_domains[0] }} + OVERWRITEHOST: {{ nextcloud_domain }} TRUSTED_PROXIES: "{{ nextcloud_trusted_proxies }}" volumes: - {{ nextcloud_docker_volume_dir }}/nextcloud/:/var/www/html networks: - {{ nextcloud_backend_network }} -{% for net in nextcloud_extra_networks %} - - {{ net }} -{% endfor %} -{% if nextcloud_extra_hosts is defined and nextcloud_extra_hosts | length > 0 %} - extra_hosts: -{% for host in nextcloud_extra_hosts %} - - "{{ host }}" -{% endfor %} -{% endif %} nextcloud: image: {{ nextcloud_image }} @@ -91,13 +79,13 @@ services: POSTGRES_DB: {{ nextcloud_postgres_db }} POSTGRES_USER: {{ nextcloud_postgres_user }} POSTGRES_PASSWORD: {{ nextcloud_postgres_password }} - NEXTCLOUD_ADMIN_USER: {{ nextcloud_admin_user }} - NEXTCLOUD_ADMIN_PASSWORD: {{ nextcloud_admin_password }} + NEXTCLOUD_ADMIN_USER: {{ nextcloud_admin_user }} + NEXTCLOUD_ADMIN_PASSWORD: {{ nextcloud_admin_password }} REDIS_HOST: redis PHP_MEMORY_LIMIT: {{ nextcloud_memory_limit_mb }}M PHP_UPLOAD_LIMIT: {{ nextcloud_upload_limit_mb }}M OVERWRITEPROTOCOL: https - OVERWRITEHOST: {{ nextcloud_domains[0] }} + OVERWRITEHOST: {{ nextcloud_domain }} TRUSTED_PROXIES: "{{ nextcloud_trusted_proxies }}" {% if nextcloud_use_s3_storage %} OBJECTSTORE_S3_KEY: {{ nextcloud_s3_key }} @@ -114,9 +102,6 @@ services: - {{ nextcloud_docker_volume_dir }}/nextcloud/:/var/www/html networks: - {{ nextcloud_backend_network }} -{% for net in nextcloud_extra_networks %} - - {{ net }} -{% endfor %} {% if nextcloud_extra_hosts is defined and nextcloud_extra_hosts | length > 0 %} extra_hosts: {% for host in nextcloud_extra_hosts %} @@ -126,7 +111,7 @@ services: {% if nextcloud_enable_notify_push %} notify-push: - image: {{ nextcloud_notify_push_image }} + image: icewind1991/notify_push restart: always depends_on: - redis @@ -136,7 +121,7 @@ services: environment: PORT: "7867" REDIS_URL: "redis://redis:6379" - DATABASE_URL: "postgres://{{ nextcloud_postgres_user | urlencode | replace('/', '%2F') }}:{{ nextcloud_postgres_password | urlencode | replace('/', '%2F') }}@db:5432/{{ nextcloud_postgres_db }}" + DATABASE_URL: "postgres://{{ nextcloud_postgres_user }}:{{ nextcloud_postgres_password }}@db:5432/{{ nextcloud_postgres_db }}" DATABASE_PREFIX: "oc_" NEXTCLOUD_URL: "http://nginx" networks: @@ -145,14 +130,11 @@ services: labels: - traefik.enable=true - traefik.docker.network={{ nextcloud_traefik_network }} - - traefik.http.routers.{{ nextcloud_service_name }}-push.rule=({% for d in nextcloud_domains %}Host(`{{ d }}`){% if not loop.last %} || {% endif %}{% endfor %}) && PathPrefix(`/push`) + - traefik.http.routers.{{ nextcloud_service_name }}-push.rule=Host(`{{ nextcloud_domain }}`) && PathPrefix(`/push`) - traefik.http.services.{{ nextcloud_service_name }}-push.loadbalancer.server.port=7867 {% if nextcloud_use_ssl %} - traefik.http.routers.{{ nextcloud_service_name }}-push.entrypoints=websecure - traefik.http.routers.{{ nextcloud_service_name }}-push.tls=true -{% if traefik_cert_mode | default('selfsigned') == 'acme' %} - - traefik.http.routers.{{ nextcloud_service_name }}-push.tls.certresolver={{ traefik_ssl_cert_resolver | default('dns') }} -{% endif %} {% else %} - traefik.http.routers.{{ nextcloud_service_name }}-push.entrypoints=web {% endif %} @@ -163,8 +145,4 @@ services: networks: {{ nextcloud_backend_network }}: {{ nextcloud_traefik_network }}: - external: true -{% for net in nextcloud_extra_networks %} - {{ net }}: - external: true -{% endfor %} \ No newline at end of file + external: true \ No newline at end of file diff --git a/roles/opencloud/README.md b/roles/opencloud/README.md index 6969124..225dd44 100644 --- a/roles/opencloud/README.md +++ b/roles/opencloud/README.md @@ -1,43 +1,38 @@ -# opencloud +Role Name +========= -Deploys [OpenCloud](https://opencloud.eu/) (`opencloudeu/opencloud`) as a -self-contained file platform via Docker Compose behind Traefik. Supports -the built-in IdP or external OIDC, optional S3 storage, external LDAP, -Collabora and draw.io integration, and OIDC-claim-based role assignment. +A brief description of the role goes here. -## Role variables +Requirements +------------ -A selection of the most relevant variables — see -[defaults/main.yml](defaults/main.yml) for the full set. +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. -| Variable | Default | Description | -| --- | --- | --- | -| `opencloud_domain` | `opencloud.local.test` | FQDN the Traefik router matches. | -| `opencloud_image` | `opencloudeu/opencloud:latest` | Container image. | -| `opencloud_port` | `9200` | Container port Traefik forwards to. | -| `opencloud_admin_password` | `admin` | Initial admin password — **override this**. | -| `opencloud_traefik_network` | `proxy` | Docker network shared with Traefik. | -| `opencloud_use_ssl` | `true` | Enable the TLS resolver on the router. | -| `opencloud_oidc_issuer` | `""` | External OIDC issuer; empty uses the built-in IdP. | -| `opencloud_use_s3_storage` | `false` | Use S3 storage instead of local disk. | -| `opencloud_ldap_uri` | `""` | External LDAP URI; empty uses the built-in directory. | -| `opencloud_collabora_domain` | `""` | Collabora server domain; set with `opencloud_wopi_domain` to enable editing. | -| `opencloud_wopi_domain` | `""` | WOPI server FQDN; required alongside `opencloud_collabora_domain`. | -| `opencloud_drawio_url` | `""` | draw.io URL; set to enable diagram editing. | -| `opencloud_role_assignment_driver` | `default` | Set to `oidc` to map OIDC claims to roles. | +Role Variables +-------------- -## Example +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. -```yaml -- hosts: services - become: true - roles: - - role: digitalboard.core.opencloud - vars: - opencloud_domain: "opencloud.example.com" - opencloud_admin_password: "{{ vault_opencloud_admin_password }}" -``` +Dependencies +------------ -## License +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. -MIT-0 +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/opencloud/defaults/main.yml b/roles/opencloud/defaults/main.yml index 1e102bf..137ece8 100644 --- a/roles/opencloud/defaults/main.yml +++ b/roles/opencloud/defaults/main.yml @@ -18,7 +18,6 @@ opencloud_port: 9200 opencloud_admin_password: "admin" opencloud_log_level: "warn" opencloud_extra_hosts: [] -opencloud_extra_networks: [] # Traefik configuration opencloud_traefik_network: "proxy" diff --git a/roles/opencloud/handlers/main.yml b/roles/opencloud/handlers/main.yml index 7cbc094..95b6986 100644 --- a/roles/opencloud/handlers/main.yml +++ b/roles/opencloud/handlers/main.yml @@ -5,4 +5,4 @@ - name: restart opencloud community.docker.docker_compose_v2: project_src: "{{ opencloud_docker_compose_dir }}" - state: present \ No newline at end of file + state: restarted \ No newline at end of file diff --git a/roles/opencloud/meta/main.yml b/roles/opencloud/meta/main.yml index 3322149..6f91fd3 100644 --- a/roles/opencloud/meta/main.yml +++ b/roles/opencloud/meta/main.yml @@ -1,27 +1,35 @@ #SPDX-License-Identifier: MIT-0 galaxy_info: - author: digitalboard - description: Deploy OpenCloud file platform via Docker Compose behind Traefik - company: Digitalboard - license: MIT-0 + author: your name + description: your role description + company: your company (optional) - min_ansible_version: "2.14" + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker - platforms: - - name: Debian - versions: - - bookworm - - name: Ubuntu - versions: - - jammy - - noble + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) - galaxy_tags: - - opencloud - - files - - storage - - docker - - traefik - - digitalboard + min_ansible_version: 2.2 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/opencloud/tasks/main.yml b/roles/opencloud/tasks/main.yml index 358abb7..9de9625 100644 --- a/roles/opencloud/tasks/main.yml +++ b/roles/opencloud/tasks/main.yml @@ -69,12 +69,6 @@ when: opencloud_drawio_url | length > 0 notify: restart opencloud -- name: Ensure extra networks exist - community.docker.docker_network: - name: "{{ item }}" - state: present - loop: "{{ opencloud_extra_networks }}" - - name: Create docker-compose file for opencloud template: src: docker-compose.yml.j2 diff --git a/roles/opencloud/templates/docker-compose.yml.j2 b/roles/opencloud/templates/docker-compose.yml.j2 index b731526..10d8d22 100644 --- a/roles/opencloud/templates/docker-compose.yml.j2 +++ b/roles/opencloud/templates/docker-compose.yml.j2 @@ -103,9 +103,6 @@ services: {% endif %} networks: - {{ opencloud_traefik_network }} -{% for net in opencloud_extra_networks %} - - {{ net }} -{% endfor %} {% if opencloud_extra_hosts is defined and opencloud_extra_hosts | length > 0 %} extra_hosts: {% for host in opencloud_extra_hosts %} @@ -138,8 +135,4 @@ services: networks: {{ opencloud_traefik_network }}: - external: true -{% for net in opencloud_extra_networks %} - {{ net }}: - external: true -{% endfor %} \ No newline at end of file + external: true \ No newline at end of file diff --git a/roles/opnform/README.md b/roles/opnform/README.md deleted file mode 100644 index 707d736..0000000 --- a/roles/opnform/README.md +++ /dev/null @@ -1,225 +0,0 @@ -# opnform - -Deploy [OpnForm](https://github.com/OpnForm/OpnForm) as a self-contained -Docker Compose stack behind Traefik. - -## What this role does - -- Deploys the full official OpnForm stack: `api`, `api-worker`, `api-scheduler`, - `ui`, `db` (Postgres), `redis`, and `ingress` (nginx) -- Configures all environment variables for self-hosted production use -- Integrates the ingress container with an existing Traefik proxy network -- Waits for the API container to become healthy before returning - -## What this role does NOT do - -- Does not migrate existing OpnForm databases — only bootstraps fresh - installs (admin registration + OIDC connection are idempotent) - -## Architecture note: why two reverse proxies? - -``` -Browser → Traefik (TLS, host routing) → ingress-nginx → api (PHP-FPM) / ui (Nuxt) -``` - -The `ingress` container looks like a redundant proxy next to Traefik but -does a different job. OpnForm's `api` image is **PHP-FPM only** — it -speaks the FastCGI protocol on port 9000, not HTTP. Traefik cannot -translate FastCGI, so the ingress nginx is required to: - -- Translate HTTP `/api/*` requests into FastCGI calls to `api:9000` -- Rewrite request URIs via the `$api_uri` map -- Set Laravel-specific FastCGI params (`SCRIPT_FILENAME`, `REQUEST_URI`) -- Reverse-proxy `/` to the Nuxt UI container on port 3000 - -Both containers run on the same Docker network on the same host, so the -performance overhead of the extra hop is negligible (in-kernel memory -copy, not a real network round-trip). Removing the ingress would require -a custom OpnForm image with a built-in HTTP server, which is out of -scope for this role. - -## Required variables - -Provide via OpenBao, Ansible Vault, or extra-vars. **Never commit real -secrets to version control.** - -| Variable | Format | Generate with | -|---|---|---| -| `opnform_app_key` | `base64:<32 bytes base64>` | `echo "base64:$(openssl rand -base64 32)"` | -| `opnform_jwt_secret` | 32-byte hex string | `openssl rand -hex 32` | -| `opnform_front_api_secret` | 32-byte hex string | `openssl rand -hex 32` | -| `opnform_db_password` | strong password | `openssl rand -base64 24` | - -`opnform_app_key` MUST keep the `base64:` prefix — the validation task -asserts it. `opnform_jwt_secret` and `opnform_front_api_secret` have no -enforced format; any sufficiently random value works. - -When `opnform_oidc_enabled` is `true`: - -| Variable | Source | -|---|---| -| `opnform_oidc_client_secret` | from your Keycloak/Authentik client | - -The `assert` task at the top of the role will fail fast if any secret is -missing or malformed. - -## First login - -OpnForm in self-hosted mode does **not** ship a pre-seeded admin user. -The first user to register becomes the owner of the default workspace, -and further public registration is disabled afterwards (additional -users must be invited via the Admin UI). - -This role supports two ways to create that first user: - -### Option A — automated bootstrap (recommended) - -Set `opnform_admin_email` and `opnform_admin_password` (ideally from -Vault / OpenBao). The role then POSTs to `/api/register` after the -API container is healthy, skipping the setup page entirely. The task -is idempotent: it does a login check first and only registers if the -user does not already exist. - -```yaml -opnform_admin_name: "Administrator" # default -opnform_admin_email: "admin@example.com" -opnform_admin_password: "{{ vault_opnform_admin_password }}" -``` - -Password rules enforced by OpnForm: minimum 8 characters, at least one -letter, one digit, and one of `@$!%*#?&-_+=.,:;<>^()[]{}|~`. - -### Option B — manual setup page - -Leave `opnform_admin_email` / `opnform_admin_password` empty. Visit -`opnform_base_url` and complete the setup page in the browser. - -## OIDC setup - -Set `opnform_oidc_enabled: true` and the role provisions an -IdentityConnection on the admin's default workspace via -`POST /api/open/workspaces/{id}/oidc-connections`. OpnForm enforces a -single OIDC connection per workspace, so the task is idempotent: it GETs -existing connections first, then either POSTs a new one or PATCHes the -existing one to the desired state. PATCHing (rather than skipping when -one exists) keeps inventory changes — e.g. a corrected issuer — applied -on re-runs instead of leaving stale values in the DB. - -**Prerequisite**: the admin bootstrap must be configured -(`opnform_admin_email` + `opnform_admin_password`). The OIDC API -requires an authenticated admin token; the role logs in with those -credentials to make the call. The validation block fails fast if OIDC -is enabled without admin credentials. - -### Required when `opnform_oidc_enabled: true` - -| Variable | Notes | -|---|---| -| `opnform_oidc_client_secret` | from your IdP, never commit | -| `opnform_oidc_domain` | email domain that triggers OIDC (e.g. `example.com`) | - -### Tunables (defaults shown) - -```yaml -opnform_oidc_issuer: "https://auth.digitalboard.ch/realms/Digitalboard" -opnform_oidc_client_id: "opnform-digitalboard" -opnform_oidc_client_name: "Digitalboard" # display name in UI -opnform_oidc_slug: "oidc" # used in /auth/{slug}/callback -opnform_oidc_scopes: [openid, profile, email, groups] -``` - -### Group → role mapping - -Two ways, the list takes precedence: - -```yaml -# Option 1: full list (any number of mappings) -opnform_oidc_group_role_mappings: - - idp_group: "opnform-admins" - role: admin - - idp_group: "opnform-editors" - role: editor - -# Option 2: convenience — single admin group -opnform_oidc_admin_group: "opnform-admins" # mapped to role=admin -``` - -Valid roles: `owner`, `admin`, `editor`, `member`. - -### Force OIDC-only login - -```yaml -opnform_oidc_force_login: true # default false -``` - -Sets `OIDC_FORCE_LOGIN=true` on the API: password login is disabled and -every user must authenticate via OIDC. The role keeps force-login **off** -during the first deploy (the admin/OIDC bootstrap is password-based) and -switches it on only after the OIDC connection is provisioned, recreating -the API containers. Ensure all real users have addresses under -`opnform_oidc_domain` before enabling — there is no password fallback. - -### Direct-SSO entrypoint - -OpnForm has no native way to skip the email login form and jump straight -to the IdP. When enabled, the ingress serves a tiny redirect page that -calls `/api/auth/{slug}/redirect` (no domain check) and forwards the -browser to the IdP authorize URL. - -```yaml -opnform_oidc_sso_entrypoint: true # default false -opnform_oidc_sso_path: "/sso" # link users to https:///sso -opnform_oidc_sso_redirect_root: true # default false — root URL 302s to -``` - -With `opnform_oidc_sso_redirect_root` enabled both the bare hostname -and `/login` jump straight to the IdP. Public form deep-links -(`/forms/`, `/admin/...`) are not touched. The email form remains -reachable as a break-glass path via `/login?bypass=1`. - -## Networking / split-horizon - -```yaml -opnform_extra_domains: [] # extra Host-rule hostnames (OR-combined) -opnform_extra_hosts: [] # API container /etc/hosts overrides ("host:ip") -``` - -`opnform_extra_domains` adds internal `*.int.*` FQDNs so a DMZ -reverseproxy can reach a backend hostname covered by the cert. -`opnform_extra_hosts` lets the API containers reach the IdP's public FQDN -(used in the OIDC `iss` claim) over the LAN when the DMZ has no NAT -loopback. - -## Example playbook - -```yaml -- name: Deploy OpnForm service - hosts: opnform_servers - become: true - roles: - - digitalboard.core.opnform -``` - -With inventory variables: - -```yaml -# group_vars/opnform_servers.yml -opnform_domain: forms.digitalboard.ch -opnform_base_url: "https://forms.digitalboard.ch" -opnform_app_key: "{{ lookup('community.hashi_vault.vault_kv2_get', - 'digitalboard/opnform', - mount_point='kv').data.data.app_key }}" -opnform_jwt_secret: "{{ lookup('community.hashi_vault.vault_kv2_get', - 'digitalboard/opnform', - mount_point='kv').data.data.jwt_secret }}" -opnform_front_api_secret: "{{ lookup('community.hashi_vault.vault_kv2_get', - 'digitalboard/opnform', - mount_point='kv').data.data.front_api_secret }}" -opnform_db_password: "{{ lookup('community.hashi_vault.vault_kv2_get', - 'digitalboard/opnform', - mount_point='kv').data.data.db_password }}" -``` - -## License - -MIT-0 diff --git a/roles/opnform/defaults/main.yml b/roles/opnform/defaults/main.yml deleted file mode 100644 index 25529a5..0000000 --- a/roles/opnform/defaults/main.yml +++ /dev/null @@ -1,142 +0,0 @@ -#SPDX-License-Identifier: MIT-0 ---- -# defaults file for opnform - -# Base directory configuration (inherited from base role or defined here) -docker_compose_base_dir: /etc/docker/compose -docker_volume_base_dir: /srv/data - -# opnform-specific configuration -opnform_service_name: opnform -opnform_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ opnform_service_name }}" -opnform_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ opnform_service_name }}" -opnform_storage_dir: "{{ opnform_docker_volume_dir }}/storage" -opnform_db_data_dir: "{{ opnform_docker_volume_dir }}/db" -opnform_redis_data_dir: "{{ opnform_docker_volume_dir }}/redis" - -# Service configuration -opnform_domain: "forms.local.test" -# Additional hostnames the opnform router answers on (e.g. an internal -# *.int.* FQDN so a DMZ reverseproxy can hit a backend hostname covered -# by the cert). -opnform_extra_domains: [] -# Container-level /etc/hosts overrides for the API containers — needed in -# split-horizon setups where the OpnForm API must reach the IdP's public -# FQDN (used in the OIDC discovery/iss claim) over the LAN rather than -# hairpinning through a DMZ that has no NAT loopback to its own public IP. -opnform_extra_hosts: [] -opnform_base_url: "https://forms.local.test" - -# Images -opnform_api_image: "jhumanj/opnform-api:latest" -opnform_client_image: "jhumanj/opnform-client:latest" -opnform_redis_image: "redis:7" -opnform_db_image: "postgres:16" -opnform_ingress_image: "nginx:1" - -# REQUIRED SECRETS — must be overridden per-inventory. -# Provide via OpenBao lookup, Ansible Vault or extra-vars. -# Never commit real keys to version control. -# -# Generate with: -# opnform_app_key: echo "base64:$(openssl rand -base64 32)" -# opnform_jwt_secret: openssl rand -hex 32 -# opnform_front_api_secret: openssl rand -hex 32 -# -# opnform_app_key MUST start with the prefix "base64:" — the validate -# task at the top of tasks/main.yml enforces this. -opnform_app_key: "" -opnform_jwt_secret: "" -opnform_front_api_secret: "" - -# Database credentials. opnform_db_password must be overridden; the -# validate task fails fast on an empty value. -opnform_db_name: "opnform" -opnform_db_user: "opnform" -opnform_db_password: "" - -# Admin bootstrap — when email+password are set, the role creates the -# first user via OpnForm's /api/register endpoint, skipping the -# self-hosted setup page. Leave both empty to keep the manual setup flow. -# Password must satisfy OpnForm's rules: min 8 chars, contain a letter, -# a digit and one of @$!%*#?&-_+=.,:;<>^()[]{}|~ -# Provide via OpenBao, Ansible Vault or extra-vars. -opnform_admin_name: "Administrator" -opnform_admin_email: "" -opnform_admin_password: "" -opnform_admin_hear_about_us: "ansible" - -# PHP configuration -opnform_php_memory_limit: "1G" -opnform_php_max_execution_time: "600" -opnform_php_upload_max_filesize: "64M" -opnform_php_post_max_size: "64M" - -# Nginx ingress -opnform_nginx_max_body_size: "64m" - -# Mail configuration (optional — defaults to log driver) -opnform_mail_mailer: "log" -opnform_mail_host: "" -opnform_mail_port: "" -opnform_mail_username: "" -opnform_mail_password: "" -opnform_mail_encryption: "" -opnform_mail_from_address: "noreply@digitalboard.ch" -opnform_mail_from_name: "OpnForm" - -# OIDC configuration — when enabled, the role auto-creates an -# IdentityConnection in the first workspace via OpnForm's API after the -# admin bootstrap. Requires opnform_admin_email/_password to be set -# (the API call needs an authenticated admin token). -opnform_oidc_enabled: false -opnform_oidc_issuer: "https://auth.digitalboard.ch/realms/Digitalboard" -opnform_oidc_client_id: "opnform-digitalboard" -opnform_oidc_client_secret: "" -opnform_oidc_client_name: "Digitalboard" -# OpnForm-side identifier used in /auth/{slug}/callback. Lowercase -# alphanumeric + hyphens, unique across all identity_connections. -opnform_oidc_slug: "oidc" -# Email domain that triggers OIDC login for matching users (e.g. users -# with @example.com emails are redirected to the IdP). Required when -# opnform_oidc_enabled is true. -opnform_oidc_domain: "" -# When true, sets OIDC_FORCE_LOGIN on the api: password-based login is -# disabled entirely and every user must authenticate via OIDC. Only -# rendered when opnform_oidc_enabled is also true. Make sure all real -# users have addresses under opnform_oidc_domain before enabling — there -# is no password fallback once this is on. -opnform_oidc_force_login: false -opnform_oidc_scopes: - - openid - - profile - - email - - groups -# Convenience: maps a single IdP group to the OpnForm "admin" role. -# Ignored when opnform_oidc_group_role_mappings is non-empty. -opnform_oidc_admin_group: "opnform-admins" -# Full group-to-role mapping list. Takes precedence over the convenience -# var. Each item: {idp_group: "", role: "owner|admin|editor|member"} -opnform_oidc_group_role_mappings: [] - -# Direct-SSO entrypoint. OpnForm has no built-in way to skip the email -# login form and jump straight to the IdP (verified: config/oidc.php only -# exposes force_login; the login form always routes by email domain). When -# this is enabled the ingress serves a tiny page at opnform_oidc_sso_path -# that calls OpnForm's /api/auth/{slug}/redirect endpoint (which performs -# no domain check) and forwards the browser to the returned authorize URL -# — nonce/state included. Link users to https:// instead -# of /login. Requires opnform_oidc_enabled. -opnform_oidc_sso_entrypoint: false -opnform_oidc_sso_path: "/sso" - -# When true, the ingress 302-redirects the root URL (exact-match on `/`) -# to opnform_oidc_sso_path so visiting https:/// jumps straight -# to the IdP login without showing OpnForm's email form. Public form -# deep-links (`/forms/`, `/login`, etc.) are untouched. -# Requires opnform_oidc_sso_entrypoint=true. -opnform_oidc_sso_redirect_root: false - -# Traefik configuration -opnform_traefik_network: "proxy" -opnform_use_ssl: true diff --git a/roles/opnform/handlers/main.yml b/roles/opnform/handlers/main.yml deleted file mode 100644 index 03c44b9..0000000 --- a/roles/opnform/handlers/main.yml +++ /dev/null @@ -1,18 +0,0 @@ -#SPDX-License-Identifier: MIT-0 ---- -# handlers file for opnform - -- name: restart opnform - community.docker.docker_compose_v2: - project_src: "{{ opnform_docker_compose_dir }}" - state: restarted - -# nginx.conf is bind-mounted into the ingress container and rendered to -# /etc/nginx/conf.d/default.conf by the envsubst entrypoint on container -# start. Plain `docker restart` re-runs that entrypoint, so the new -# template is picked up without bouncing db/redis/api/ui. -- name: restart opnform ingress - community.docker.docker_container: - name: opnform-ingress - state: started - restart: true diff --git a/roles/opnform/meta/argument_specs.yml b/roles/opnform/meta/argument_specs.yml deleted file mode 100644 index 1f91e71..0000000 --- a/roles/opnform/meta/argument_specs.yml +++ /dev/null @@ -1,275 +0,0 @@ ---- -argument_specs: - main: - short_description: Deploy OpnForm (api + ui + db + redis + ingress) via Docker Compose. - description: - - Renders a Compose stack for the full OpnForm setup (PHP-FPM api, - Nuxt ui, Postgres, Redis, nginx ingress) and exposes it through - Traefik. - - Optionally bootstraps the first admin user via the OpnForm - C(/api/register) endpoint (skipping the self-hosted setup page) - and provisions a single OIDC identity connection in the default - workspace via the workspace API. Both bootstraps are idempotent. - options: - docker_compose_base_dir: - type: path - default: /etc/docker/compose - docker_volume_base_dir: - type: path - default: /srv/data - opnform_service_name: - type: str - default: opnform - opnform_docker_compose_dir: - type: path - description: Defaults to C({{ docker_compose_base_dir }}/{{ opnform_service_name }}). - opnform_docker_volume_dir: - type: path - description: Defaults to C({{ docker_volume_base_dir }}/{{ opnform_service_name }}). - opnform_storage_dir: - type: path - description: OpnForm storage volume mounted into the api container. - opnform_db_data_dir: - type: path - opnform_redis_data_dir: - type: path - - opnform_domain: - type: str - default: forms.local.test - description: Hostname used in the traefik Host rule. - opnform_extra_domains: - type: list - elements: str - default: [] - description: - - Additional hostnames the Traefik router answers on, OR-combined - with C(opnform_domain). Useful for an internal C(*.int.*) FQDN so - a DMZ reverseproxy can reach a backend hostname covered by the - cert. - opnform_extra_hosts: - type: list - elements: str - default: [] - description: - - Container-level C(/etc/hosts) overrides for the API containers - (Compose C(extra_hosts) entries, C("host:ip")). Needed in - split-horizon setups where the OpnForm API must reach the IdP's - public FQDN (used in the OIDC discovery / C(iss) claim) over the - LAN rather than hairpinning through a DMZ with no NAT loopback. - opnform_base_url: - type: str - default: https://forms.local.test - description: Public URL OpnForm uses for APP_URL and NUXT_PUBLIC_APP_URL. - - opnform_api_image: - type: str - default: jhumanj/opnform-api:latest - opnform_client_image: - type: str - default: jhumanj/opnform-client:latest - opnform_redis_image: - type: str - default: "redis:7" - opnform_db_image: - type: str - default: "postgres:16" - opnform_ingress_image: - type: str - default: "nginx:1" - - opnform_app_key: - type: str - required: true - description: - - Laravel application key. Must be prefixed with C(base64:). - Generate with C(echo "base64:$(openssl rand -base64 32)"). - Provide via OpenBao, Ansible Vault or extra-vars. - opnform_jwt_secret: - type: str - required: true - description: JWT signing secret. Generate with C(openssl rand -hex 32). - opnform_front_api_secret: - type: str - required: true - description: Shared secret between ui and api. Generate with C(openssl rand -hex 32). - - opnform_db_name: - type: str - default: opnform - opnform_db_user: - type: str - default: opnform - opnform_db_password: - type: str - required: true - - opnform_admin_name: - type: str - default: Administrator - opnform_admin_email: - type: str - default: '' - description: - - When non-empty (together with C(opnform_admin_password)) the role - bootstraps the first user via C(/api/register), skipping the - self-hosted setup page. Required when C(opnform_oidc_enabled=true). - opnform_admin_password: - type: str - default: '' - description: - - "Must satisfy OpnForm's policy: min 8 chars, letter + digit + - symbol from C(@$!%*#?&-_+=.,:;<>^()[]{}|~)." - opnform_admin_hear_about_us: - type: str - default: ansible - - opnform_php_memory_limit: - type: str - default: 1G - opnform_php_max_execution_time: - type: str - default: "600" - opnform_php_upload_max_filesize: - type: str - default: 64M - opnform_php_post_max_size: - type: str - default: 64M - opnform_nginx_max_body_size: - type: str - default: 64m - - opnform_mail_mailer: - type: str - default: log - choices: [log, smtp, ses, mailgun, postmark, sendmail] - opnform_mail_host: - type: str - default: '' - opnform_mail_port: - type: str - default: '' - opnform_mail_username: - type: str - default: '' - opnform_mail_password: - type: str - default: '' - opnform_mail_encryption: - type: str - default: '' - choices: ['', tls, ssl] - opnform_mail_from_address: - type: str - default: noreply@digitalboard.ch - opnform_mail_from_name: - type: str - default: OpnForm - - opnform_oidc_enabled: - type: bool - default: false - description: - - "When true the role calls the workspace API to create a single - OIDC C(identity_connection) on the default workspace after the - admin bootstrap. Requires C(opnform_admin_email) + - C(opnform_admin_password) so the role can authenticate. - Idempotent: skipped when any connection already exists." - opnform_oidc_issuer: - type: str - default: https://auth.digitalboard.ch/realms/Digitalboard - description: OIDC issuer URL. - opnform_oidc_client_id: - type: str - default: opnform-digitalboard - opnform_oidc_client_secret: - type: str - default: '' - description: Required when C(opnform_oidc_enabled=true). - opnform_oidc_client_name: - type: str - default: Digitalboard - description: Display name shown in the OpnForm UI. - opnform_oidc_slug: - type: str - default: oidc - description: - - OpnForm-side identifier used in C(/auth/{slug}/callback). Lowercase - alphanumeric + hyphens, unique across all C(identity_connections). - opnform_oidc_domain: - type: str - default: '' - description: - - Email domain that triggers OIDC for matching users. Required - when C(opnform_oidc_enabled=true). - opnform_oidc_force_login: - type: bool - default: false - description: - - "When true, sets C(OIDC_FORCE_LOGIN=true) on the api container: - password-based login is disabled and every user must authenticate - via OIDC. Only takes effect when C(opnform_oidc_enabled=true). - Ensure all real users have addresses under C(opnform_oidc_domain) - before enabling — there is no password fallback." - opnform_oidc_scopes: - type: list - elements: str - default: [openid, profile, email, groups] - opnform_oidc_admin_group: - type: str - default: opnform-admins - description: - - Convenience setting that maps a single IdP group to the OpnForm - C(admin) role. Ignored when C(opnform_oidc_group_role_mappings) - is non-empty. - opnform_oidc_group_role_mappings: - type: list - elements: dict - default: [] - description: - - Full IdP-group -> OpnForm-role mapping. Takes precedence over - C(opnform_oidc_admin_group). - options: - idp_group: - type: str - required: true - description: Group name as it appears in the IdP groups claim. - role: - type: str - required: true - choices: [owner, admin, editor, member] - opnform_oidc_sso_entrypoint: - type: bool - default: false - description: - - When true (and C(opnform_oidc_enabled=true)) the nginx ingress - serves a small redirect page at C(opnform_oidc_sso_path) that - calls OpnForm's C(/api/auth/{slug}/redirect) endpoint and - forwards the browser to the returned IdP authorize URL. Lets - you link users straight to the IdP, skipping OpnForm's - email-based login form. OpnForm has no native option for this. - opnform_oidc_sso_path: - type: str - default: /sso - description: - - Path (on C(opnform_domain)) where the direct-SSO redirect page - is served when C(opnform_oidc_sso_entrypoint=true). Must start - with C(/) and not collide with OpnForm's own routes. - opnform_oidc_sso_redirect_root: - type: bool - default: false - description: - - When true, the nginx ingress 302-redirects the root URL - (exact-match on C(/)) to C(opnform_oidc_sso_path), so visiting - C(https:///) jumps straight to the IdP without - OpnForm's email login form. Public form deep-links - (C(/forms/), C(/login), C(/admin/...)) are untouched. - Requires C(opnform_oidc_sso_entrypoint=true). - - opnform_traefik_network: - type: str - default: proxy - opnform_use_ssl: - type: bool - default: true diff --git a/roles/opnform/meta/main.yml b/roles/opnform/meta/main.yml deleted file mode 100644 index 8a56a7b..0000000 --- a/roles/opnform/meta/main.yml +++ /dev/null @@ -1,16 +0,0 @@ -#SPDX-License-Identifier: MIT-0 -galaxy_info: - author: Tobias Wüst - description: Deploy OpnForm self-hosted form builder via Docker Compose behind Traefik - company: Digitalboard - license: MIT-0 - min_ansible_version: "2.15" - - galaxy_tags: - - opnform - - forms - - docker - - traefik - - oidc - -dependencies: [] diff --git a/roles/opnform/tasks/main.yml b/roles/opnform/tasks/main.yml deleted file mode 100644 index cd5efe4..0000000 --- a/roles/opnform/tasks/main.yml +++ /dev/null @@ -1,458 +0,0 @@ -#SPDX-License-Identifier: MIT-0 ---- -# tasks file for opnform - -# ===================================================================== -# 0. VALIDATION -# ===================================================================== - -- name: Validate required secrets - ansible.builtin.assert: - that: - - opnform_app_key | length > 0 - - opnform_app_key is match('^base64:[A-Za-z0-9+/=]+$') - - opnform_jwt_secret | length > 0 - - opnform_front_api_secret | length > 0 - - opnform_db_password | length > 0 - fail_msg: >- - OpnForm requires opnform_app_key, opnform_jwt_secret, - opnform_front_api_secret and opnform_db_password. - Generate with: - opnform_app_key='base64:'$(openssl rand -base64 32) (the 'base64:' prefix is required); - opnform_jwt_secret and opnform_front_api_secret via openssl rand -hex 32. - Provide via OpenBao, Ansible Vault or extra-vars. - success_msg: Secrets validation passed - -- name: Validate OIDC configuration when enabled - ansible.builtin.assert: - that: - - opnform_oidc_client_secret | length > 0 - - opnform_oidc_domain | length > 0 - - opnform_admin_email | length > 0 - - opnform_admin_password | length > 0 - fail_msg: >- - When opnform_oidc_enabled is true, you must set: - - opnform_oidc_client_secret - - opnform_oidc_domain (email domain that triggers OIDC) - - opnform_admin_email / opnform_admin_password - (the OIDC API requires an authenticated admin; the role logs in - with these credentials to POST the connection) - when: opnform_oidc_enabled | bool - -# ===================================================================== -# 1. PREPARATION -# ===================================================================== - -- name: Ensure required packages are installed - ansible.builtin.package: - name: - - python3-docker - state: present - -- name: Create docker compose directory - ansible.builtin.file: - path: "{{ opnform_docker_compose_dir }}" - state: directory - mode: '0755' - -- name: Create OpnForm data directories - ansible.builtin.file: - path: "{{ item }}" - state: directory - mode: "0755" - loop: - - "{{ opnform_docker_volume_dir }}" - - "{{ opnform_storage_dir }}" - - "{{ opnform_db_data_dir }}" - - "{{ opnform_redis_data_dir }}" - -# ===================================================================== -# 2. CONFIGURATION FILES -# ===================================================================== - -- name: Deploy nginx ingress configuration - ansible.builtin.template: - src: nginx.conf.j2 - dest: "{{ opnform_docker_compose_dir }}/nginx.conf" - mode: '0644' - notify: restart opnform ingress - -# OIDC_FORCE_LOGIN disables OpnForm's password login — including the -# password-based admin/OIDC bootstrap this role performs below. The -# bootstrap must therefore run with force-login OFF. To stay idempotent -# on re-runs (avoid recreating api containers on every apply), we only -# turn force-login OFF when the bootstrap is actually needed (first run -# on a fresh host, no OIDC connection yet). Once the connection exists -# we render the final force-login value straight away, so the compose -# file is byte-identical across re-runs. -- name: Probe whether OpnForm is already bootstrapped - block: - - name: Check if opnform-api container exists and is healthy - ansible.builtin.command: - cmd: docker inspect --format='{% raw %}{{.State.Health.Status}}{% endraw %}' opnform-api - register: _opnform_api_health_probe - changed_when: false - failed_when: false - - - name: Attempt admin login (only when api is healthy) - ansible.builtin.uri: - url: "https://127.0.0.1/api/login" - method: POST - headers: - Host: "{{ opnform_domain }}" - body_format: json - body: - email: "{{ opnform_admin_email }}" - password: "{{ opnform_admin_password }}" - status_code: [200, 401, 422] - validate_certs: false - register: _opnform_probe_login - no_log: true - when: - - _opnform_api_health_probe.rc == 0 - - _opnform_api_health_probe.stdout == "healthy" - - opnform_admin_email | length > 0 - - opnform_admin_password | length > 0 - - - name: Probe for existing OIDC connection - ansible.builtin.uri: - url: "https://127.0.0.1/api/open/workspaces" - method: GET - headers: - Host: "{{ opnform_domain }}" - Authorization: "Bearer {{ _opnform_probe_login.json.token }}" - status_code: 200 - validate_certs: false - register: _opnform_probe_workspaces - no_log: true - when: - - opnform_oidc_enabled | bool - - _opnform_probe_login is defined - - _opnform_probe_login.status | default(0) == 200 - - - name: Probe OIDC connections on default workspace - ansible.builtin.uri: - url: "https://127.0.0.1/api/open/workspaces/{{ _opnform_probe_workspaces.json[0].id }}/oidc-connections" - method: GET - headers: - Host: "{{ opnform_domain }}" - Authorization: "Bearer {{ _opnform_probe_login.json.token }}" - status_code: 200 - validate_certs: false - register: _opnform_probe_oidc - no_log: true - when: - - opnform_oidc_enabled | bool - - _opnform_probe_workspaces is defined - - _opnform_probe_workspaces.json | default([]) | length > 0 - -- name: Decide whether force-login can render in its final state - ansible.builtin.set_fact: - # True when force-login is desired AND admin+OIDC bootstrap has - # already completed (admin user exists with the configured password, - # OIDC connection is present). On a fresh host both checks fail and - # we fall back to false so the bootstrap below can run. - _opnform_force_login_effective: >- - {{ - (opnform_oidc_enabled | bool) - and (opnform_oidc_force_login | bool) - and (_opnform_probe_login.status | default(0) == 200) - and ((_opnform_probe_oidc.json | default([])) | length > 0) - }} - -- name: Deploy docker-compose file - ansible.builtin.template: - src: docker-compose.yml.j2 - dest: "{{ opnform_docker_compose_dir }}/docker-compose.yml" - mode: '0644' - register: _opnform_compose_rendered - notify: restart opnform - -# ===================================================================== -# 3. CONTAINER STARTUP -# ===================================================================== - -- name: Start opnform containers - community.docker.docker_compose_v2: - project_src: "{{ opnform_docker_compose_dir }}" - state: present - wait: true - wait_timeout: 180 - -# ===================================================================== -# 4. WAIT FOR API READINESS -# ===================================================================== - -- name: Wait for API container to be healthy - ansible.builtin.command: - cmd: docker inspect --format='{% raw %}{{.State.Health.Status}}{% endraw %}' opnform-api - register: api_health - until: api_health.stdout == "healthy" - retries: 30 - delay: 10 - changed_when: false - -# ===================================================================== -# 5. ADMIN BOOTSTRAP (optional) -# ===================================================================== -# Skips the self-hosted setup page by registering the first user via -# OpnForm's /api/register endpoint. Idempotent: a successful login -# attempt with the same credentials means the user already exists. -# -# Skipped entirely when force-login already rendered in its final state -# (probe in step 2 confirmed admin + connection exist). Re-running the -# /api/login probe on a force-login-enabled api would 401 and 422, so -# avoid the noise — and avoid spurious "changed" status from a register -# call that won't help anyway. - -- name: Check if OpnForm admin user already exists - ansible.builtin.uri: - url: "https://127.0.0.1/api/login" - method: POST - headers: - Host: "{{ opnform_domain }}" - body_format: json - body: - email: "{{ opnform_admin_email }}" - password: "{{ opnform_admin_password }}" - status_code: [200, 401, 422] - validate_certs: false - register: opnform_admin_login - when: - - opnform_admin_email | length > 0 - - opnform_admin_password | length > 0 - - not (_opnform_force_login_effective | bool) - -- name: Create OpnForm admin user via /api/register - ansible.builtin.uri: - url: "https://127.0.0.1/api/register" - method: POST - headers: - Host: "{{ opnform_domain }}" - body_format: json - body: - name: "{{ opnform_admin_name }}" - email: "{{ opnform_admin_email }}" - password: "{{ opnform_admin_password }}" - password_confirmation: "{{ opnform_admin_password }}" - hear_about_us: "{{ opnform_admin_hear_about_us }}" - status_code: [200, 201] - validate_certs: false - no_log: true - when: - - opnform_admin_email | length > 0 - - opnform_admin_password | length > 0 - - not (_opnform_force_login_effective | bool) - - opnform_admin_login.status | default(0) != 200 - -# ===================================================================== -# 6. OIDC IDENTITY CONNECTION (optional) -# ===================================================================== -# Provisions a single OIDC connection on the admin's default workspace. -# OpnForm enforces one OIDC connection per workspace, so we GET the -# existing connections first and then either POST a new one or PATCH the -# existing one to the desired state. PATCHing (rather than skipping when -# one exists) keeps inventory changes — e.g. a corrected issuer — applied -# on re-runs instead of leaving stale values in the DB forever. -# -# Skipped on re-applies when force-login is already enabled — the API -# password login required for these calls is disabled, and the connection -# is known to exist (otherwise force-login wouldn't have rendered in its -# final state in step 2). To intentionally re-provision the connection -# from inventory changes on such a host: temporarily set -# opnform_oidc_force_login=false, re-apply, then set it back to true. - -- name: Log in as admin to obtain OIDC API token - ansible.builtin.uri: - url: "https://127.0.0.1/api/login" - method: POST - headers: - Host: "{{ opnform_domain }}" - body_format: json - body: - email: "{{ opnform_admin_email }}" - password: "{{ opnform_admin_password }}" - status_code: 200 - validate_certs: false - register: opnform_oidc_token - no_log: true - when: - - opnform_oidc_enabled | bool - - not (_opnform_force_login_effective | bool) - -- name: Fetch admin's workspaces - ansible.builtin.uri: - url: "https://127.0.0.1/api/open/workspaces" - method: GET - headers: - Host: "{{ opnform_domain }}" - Authorization: "Bearer {{ opnform_oidc_token.json.token }}" - status_code: 200 - validate_certs: false - register: opnform_workspaces - no_log: true - when: - - opnform_oidc_enabled | bool - - not (_opnform_force_login_effective | bool) - -- name: Fetch existing OIDC connections for the default workspace - ansible.builtin.uri: - url: "https://127.0.0.1/api/open/workspaces/{{ opnform_workspaces.json[0].id }}/oidc-connections" - method: GET - headers: - Host: "{{ opnform_domain }}" - Authorization: "Bearer {{ opnform_oidc_token.json.token }}" - status_code: 200 - validate_certs: false - register: opnform_existing_oidc - no_log: true - when: - - opnform_oidc_enabled | bool - - not (_opnform_force_login_effective | bool) - -- name: Resolve OIDC group-role mappings - ansible.builtin.set_fact: - _opnform_oidc_group_role_mappings: >- - {{ - opnform_oidc_group_role_mappings - if (opnform_oidc_group_role_mappings | length > 0) - else - ([{'idp_group': opnform_oidc_admin_group, 'role': 'admin'}] - if (opnform_oidc_admin_group | length > 0) else []) - }} - when: - - opnform_oidc_enabled | bool - - not (_opnform_force_login_effective | bool) - -# Desired connection state shared by both the create (POST) and update -# (PATCH) calls below. client_secret is always sent: OpnForm's update -# endpoint only persists it when present, and on create it is required. -- name: Build desired OIDC connection body - ansible.builtin.set_fact: - _opnform_oidc_body: - name: "{{ opnform_oidc_client_name }}" - slug: "{{ opnform_oidc_slug }}" - domain: "{{ opnform_oidc_domain }}" - issuer: "{{ opnform_oidc_issuer }}" - client_id: "{{ opnform_oidc_client_id }}" - client_secret: "{{ opnform_oidc_client_secret }}" - scopes: "{{ opnform_oidc_scopes }}" - enabled: true - options: - require_state: true - group_role_mappings: "{{ _opnform_oidc_group_role_mappings }}" - no_log: true - when: - - opnform_oidc_enabled | bool - - not (_opnform_force_login_effective | bool) - -- name: Create OIDC identity connection - ansible.builtin.uri: - url: "https://127.0.0.1/api/open/workspaces/{{ opnform_workspaces.json[0].id }}/oidc-connections" - method: POST - headers: - Host: "{{ opnform_domain }}" - Authorization: "Bearer {{ opnform_oidc_token.json.token }}" - body_format: json - body: "{{ _opnform_oidc_body }}" - status_code: [201] - validate_certs: false - no_log: true - when: - - opnform_oidc_enabled | bool - - not (_opnform_force_login_effective | bool) - - opnform_existing_oidc.json | length == 0 - -# An OIDC connection already exists: PATCH it to the desired state so -# inventory changes (e.g. a corrected issuer) are applied. OpnForm allows -# exactly one connection per workspace, so the first entry is ours. -- name: Update existing OIDC identity connection - ansible.builtin.uri: - url: >- - https://127.0.0.1/api/open/workspaces/{{ opnform_workspaces.json[0].id }}/oidc-connections/{{ opnform_existing_oidc.json[0].id }} - method: PATCH - headers: - Host: "{{ opnform_domain }}" - Authorization: "Bearer {{ opnform_oidc_token.json.token }}" - body_format: json - body: "{{ _opnform_oidc_body }}" - status_code: [200] - validate_certs: false - no_log: true - when: - - opnform_oidc_enabled | bool - - not (_opnform_force_login_effective | bool) - - opnform_existing_oidc.json | length > 0 - -# ===================================================================== -# 7. ENABLE FORCE LOGIN (first-run only) -# ===================================================================== -# On the very first apply, step 2 rendered the compose file with -# force-login disabled (so the bootstrap above could use the password -# login). Now that the OIDC connection exists, re-render the compose -# file with force-login in its final state and recreate the api -# containers once. -# -# On all subsequent applies the probe in step 2 already rendered the -# final value, the compose file is byte-identical here, and this block -# is a no-op (the template task reports "ok", no recreate). -- name: Enable force login (first run, after OIDC bootstrap) - when: - - opnform_oidc_enabled | bool - - opnform_oidc_force_login | bool - - not (_opnform_force_login_effective | bool) - block: - - name: Re-render compose with force-login enabled - ansible.builtin.set_fact: - _opnform_force_login_effective: true - - - name: Deploy docker-compose file with force-login enabled - ansible.builtin.template: - src: docker-compose.yml.j2 - dest: "{{ opnform_docker_compose_dir }}/docker-compose.yml" - mode: '0644' - register: _opnform_force_login_compose - - - name: Apply force-login by recreating the api containers - community.docker.docker_compose_v2: - project_src: "{{ opnform_docker_compose_dir }}" - state: present - wait: true - wait_timeout: 180 - when: _opnform_force_login_compose is changed - - - name: Restart ingress so nginx picks up the new api container IPs - community.docker.docker_container: - name: opnform-ingress - state: started - restart: true - when: _opnform_force_login_compose is changed - -- name: Display deployment info - ansible.builtin.debug: - msg: |- - OpnForm deployed at {{ opnform_base_url }} - - {% if opnform_admin_email | length > 0 %} - Admin user bootstrapped: - Email: {{ opnform_admin_email }} - Password: (from opnform_admin_password) - {% else %} - No admin bootstrap configured — visit {{ opnform_base_url }} and - complete the self-hosted setup page to create the first user. - Set opnform_admin_email + opnform_admin_password to automate this. - {% endif %} - - {% if opnform_oidc_enabled %} - OIDC: connection "{{ opnform_oidc_client_name }}" bootstrapped - (slug: {{ opnform_oidc_slug }}, domain: {{ opnform_oidc_domain }}) - Users with @{{ opnform_oidc_domain }} addresses will be - redirected to {{ opnform_oidc_issuer }} on login. - {% if opnform_oidc_sso_entrypoint %} - Login intercept active: {{ opnform_base_url }}/login forwards - directly to the IdP. Use {{ opnform_base_url }}/login?bypass=1 - as a break-glass path for the email form when the IdP is down. - {% endif %} - {% else %} - OIDC: disabled (set opnform_oidc_enabled=true to auto-configure) - {% endif %} diff --git a/roles/opnform/templates/docker-compose.yml.j2 b/roles/opnform/templates/docker-compose.yml.j2 deleted file mode 100644 index 24ef00c..0000000 --- a/roles/opnform/templates/docker-compose.yml.j2 +++ /dev/null @@ -1,215 +0,0 @@ -#---------------------------------------------------------------------# -# OpnForm — Beautiful open-source form builder # -#---------------------------------------------------------------------# -services: - api: &api-service - image: {{ opnform_api_image }} - container_name: opnform-api - restart: unless-stopped -{% if opnform_extra_hosts | length > 0 %} - extra_hosts: -{% for host in opnform_extra_hosts %} - - "{{ host }}" -{% endfor %} -{% endif %} - volumes: - - {{ opnform_storage_dir }}:/usr/share/nginx/html/storage:rw - environment: &api-env - APP_ENV: production - APP_KEY: "{{ opnform_app_key }}" - APP_URL: "{{ opnform_base_url }}" - APP_DEBUG: "false" - SELF_HOSTED: "true" -{% if opnform_oidc_enabled and (_opnform_force_login_effective | default(false)) %} - OIDC_FORCE_LOGIN: "true" -{% endif %} - - LOG_CHANNEL: errorlog - LOG_LEVEL: info - - DB_CONNECTION: pgsql - DB_HOST: db - DB_PORT: "5432" - DB_DATABASE: "{{ opnform_db_name }}" - DB_USERNAME: "{{ opnform_db_user }}" - DB_PASSWORD: "{{ opnform_db_password }}" - - REDIS_HOST: redis - REDIS_PORT: "6379" - - CACHE_STORE: redis - CACHE_DRIVER: redis - QUEUE_CONNECTION: redis - SESSION_DRIVER: redis - SESSION_LIFETIME: "120" - BROADCAST_CONNECTION: log - - FILESYSTEM_DISK: local - FILESYSTEM_DRIVER: local - LOCAL_FILESYSTEM_VISIBILITY: public - - MAIL_MAILER: "{{ opnform_mail_mailer }}" - MAIL_HOST: "{{ opnform_mail_host }}" - MAIL_PORT: "{{ opnform_mail_port }}" - MAIL_USERNAME: "{{ opnform_mail_username }}" - MAIL_PASSWORD: "{{ opnform_mail_password }}" - MAIL_ENCRYPTION: "{{ opnform_mail_encryption }}" - MAIL_FROM_ADDRESS: "{{ opnform_mail_from_address }}" - MAIL_FROM_NAME: "{{ opnform_mail_from_name }}" - - JWT_TTL: "1440" - JWT_SECRET: "{{ opnform_jwt_secret }}" - - # Shared secret for trusted SSR requests from the Nuxt UI. The UI - # forwards JWTs server-side with its own user agent; without this - # secret the API's AuthenticateJWT middleware would reject those - # requests (UA mismatch -> token blacklisted -> the next genuine - # browser request 401s). Must match FRONT_API_SECRET on the ui - # service. - FRONT_API_SECRET: "{{ opnform_front_api_secret }}" - - PHP_MEMORY_LIMIT: "{{ opnform_php_memory_limit }}" - PHP_MAX_EXECUTION_TIME: "{{ opnform_php_max_execution_time }}" - PHP_UPLOAD_MAX_FILESIZE: "{{ opnform_php_upload_max_filesize }}" - PHP_POST_MAX_SIZE: "{{ opnform_php_post_max_size }}" - depends_on: - db: - condition: service_healthy - redis: - condition: service_healthy - healthcheck: - test: ["CMD-SHELL", "php /usr/share/nginx/html/artisan about || exit 1"] - interval: 30s - timeout: 15s - retries: 3 - start_period: 60s - networks: - - opnform-internal - - api-worker: - <<: *api-service - container_name: opnform-api-worker - command: ["php", "artisan", "queue:work"] - environment: - <<: *api-env - IS_API_WORKER: "true" - healthcheck: - test: ["CMD-SHELL", "pgrep -f 'php artisan queue:work' > /dev/null || exit 1"] - interval: 60s - timeout: 10s - retries: 3 - start_period: 30s - - api-scheduler: - <<: *api-service - container_name: opnform-api-scheduler - command: ["php", "artisan", "schedule:work"] - healthcheck: - test: - - "CMD-SHELL" - - "php /usr/share/nginx/html/artisan app:scheduler-status --mode=check --max-minutes=3 || exit 1" - interval: 60s - timeout: 30s - retries: 3 - start_period: 70s - - ui: - image: {{ opnform_client_image }} - container_name: opnform-ui - restart: unless-stopped - environment: - NUXT_PUBLIC_APP_URL: "{{ opnform_base_url }}" - NUXT_PUBLIC_API_BASE: "/api" - NUXT_PRIVATE_API_BASE: "http://ingress/api" - NUXT_PUBLIC_ENV: production - # Nuxt runtimeConfig.apiSecret is fed by NUXT_API_SECRET (Nuxt - # convention: NUXT_ populates runtimeConfig.). The UI - # injects this as `x-api-secret` on SSR-side forwards to Laravel, - # which then short-circuits the UA-fingerprint check in - # AuthenticateJWT — without it every reload would invalidate the - # JWT (UA `node` vs UA at issue time) and 401. - NUXT_API_SECRET: "{{ opnform_front_api_secret }}" - depends_on: - api: - condition: service_healthy - healthcheck: - test: ["CMD-SHELL", "wget --spider -q http://localhost:3000/login || exit 1"] - interval: 30s - timeout: 10s - retries: 3 - start_period: 45s - networks: - - opnform-internal - - redis: - image: {{ opnform_redis_image }} - container_name: opnform-redis - restart: unless-stopped - volumes: - - {{ opnform_redis_data_dir }}:/data - healthcheck: - test: ["CMD-SHELL", "redis-cli ping | grep PONG"] - interval: 30s - timeout: 5s - networks: - - opnform-internal - - db: - image: {{ opnform_db_image }} - container_name: opnform-db - restart: unless-stopped - environment: - POSTGRES_DB: "{{ opnform_db_name }}" - POSTGRES_USER: "{{ opnform_db_user }}" - POSTGRES_PASSWORD: "{{ opnform_db_password }}" - volumes: - - {{ opnform_db_data_dir }}:/var/lib/postgresql/data - healthcheck: - test: ["CMD-SHELL", "pg_isready -U {{ opnform_db_user }}"] - interval: 30s - timeout: 5s - networks: - - opnform-internal - - ingress: - image: {{ opnform_ingress_image }} - container_name: opnform-ingress - restart: unless-stopped - volumes: - - ./nginx.conf:/etc/nginx/templates/default.conf.template:ro - environment: - NGINX_MAX_BODY_SIZE: "{{ opnform_nginx_max_body_size }}" - depends_on: - api: - condition: service_started - ui: - condition: service_started - healthcheck: - test: ["CMD-SHELL", "nginx -t && curl -f http://localhost/ || exit 1"] - interval: 30s - timeout: 5s - retries: 3 - start_period: 10s - networks: - - opnform-internal - - {{ opnform_traefik_network }} - labels: - - traefik.enable=true - - traefik.docker.network={{ opnform_traefik_network }} - - traefik.http.routers.{{ opnform_service_name }}.rule={% set _all_domains = [opnform_domain] + (opnform_extra_domains | default([])) %}{% for d in _all_domains %}Host(`{{ d }}`){% if not loop.last %} || {% endif %}{% endfor +%} -{% if opnform_use_ssl %} - - traefik.http.routers.{{ opnform_service_name }}.entrypoints=websecure - - traefik.http.routers.{{ opnform_service_name }}.tls=true -{% if traefik_cert_mode | default('selfsigned') == 'acme' %} - - traefik.http.routers.{{ opnform_service_name }}.tls.certresolver={{ traefik_ssl_cert_resolver | default('dns') }} -{% endif %} -{% else %} - - traefik.http.routers.{{ opnform_service_name }}.entrypoints=web -{% endif %} - - traefik.http.services.{{ opnform_service_name }}.loadbalancer.server.port=80 - -networks: - opnform-internal: - driver: bridge - {{ opnform_traefik_network }}: - external: true diff --git a/roles/opnform/templates/nginx.conf.j2 b/roles/opnform/templates/nginx.conf.j2 deleted file mode 100644 index 5aeb1bc..0000000 --- a/roles/opnform/templates/nginx.conf.j2 +++ /dev/null @@ -1,87 +0,0 @@ -map $original_uri $api_uri { - ~^/api(/.*$) $1; - default $original_uri; -} - -server { - listen 80; - server_name {{ opnform_domain }}; - root /app/public; - - client_max_body_size {% raw %}${NGINX_MAX_BODY_SIZE}{% endraw %}; - - access_log /dev/stdout; - error_log /dev/stderr error; - - index index.html index.htm index.php; - - # Re-resolve upstream container hostnames via Docker's embedded DNS - # at request time. Without this, nginx caches the first resolution - # forever; if `api` or `ui` get recreated and pick up a new IP, every - # request 502s until the ingress itself is restarted. - resolver 127.0.0.11 valid=10s ipv6=off; - set $upstream_api api; - set $upstream_ui ui; - -{% if opnform_oidc_enabled and opnform_oidc_sso_entrypoint %} - # Root → /login. Public forms live under /forms/, so the bare - # hostname only serves the authenticated dashboard — sending it - # straight to /login (which then jumps to the IdP) saves an extra - # UI-side redirect for anyone who lands there. - location = / { - return 302 /login; - } - - # /login intercept: serve a tiny HTML page that calls OpnForm's - # /api/auth/{slug}/redirect endpoint and forwards the browser to the - # IdP authorize URL — skipping the email-based login form entirely. - # Break-glass: /login?bypass=1 falls through to the UI's own login - # form so the email/password path stays reachable when the IdP is - # down. Bypass branches to a named location (`@login_bypass`) because - # `proxy_pass` inside an `if` block is invalid nginx config. - location = /login { - if ($arg_bypass = "1") { - error_page 418 = @login_bypass; - return 418; - } - default_type text/html; - return 200 'Redirecting to sign-in…

Redirecting to sign-in…

'; - } - - location @login_bypass { - proxy_http_version 1.1; - proxy_pass http://$upstream_ui:3000/login; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $server_port; - } - -{% endif %} - location / { - proxy_http_version 1.1; - proxy_pass http://$upstream_ui:3000; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Port $server_port; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - } - - location ~/(api|open|local\/temp|forms\/assets)/ { - set $original_uri $uri; - try_files $uri $uri/ /index.php$is_args$args; - } - - location ~ \.php$ { - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass $upstream_api:9000; - fastcgi_index index.php; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME /usr/share/nginx/html/public/index.php; - fastcgi_param REQUEST_URI $api_uri; - } -} diff --git a/roles/opnform/tests/test.yml b/roles/opnform/tests/test.yml deleted file mode 100644 index 3ff9caa..0000000 --- a/roles/opnform/tests/test.yml +++ /dev/null @@ -1,6 +0,0 @@ -#SPDX-License-Identifier: MIT-0 ---- -- hosts: localhost - remote_user: root - roles: - - opnform \ No newline at end of file diff --git a/roles/pebble/README.md b/roles/pebble/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/roles/pebble/README.md @@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/bookstack/vars/main.yml b/roles/pebble/defaults/main.yml similarity index 57% rename from roles/bookstack/vars/main.yml rename to roles/pebble/defaults/main.yml index e04b89a..9759e3d 100644 --- a/roles/bookstack/vars/main.yml +++ b/roles/pebble/defaults/main.yml @@ -1,3 +1,3 @@ #SPDX-License-Identifier: MIT-0 --- -# vars file for bookstack +# defaults file for pebble diff --git a/roles/pebble/handlers/main.yml b/roles/pebble/handlers/main.yml new file mode 100644 index 0000000..a5e48dd --- /dev/null +++ b/roles/pebble/handlers/main.yml @@ -0,0 +1,3 @@ +#SPDX-License-Identifier: MIT-0 +--- +# handlers file for pebble diff --git a/roles/pebble/meta/main.yml b/roles/pebble/meta/main.yml new file mode 100644 index 0000000..6f91fd3 --- /dev/null +++ b/roles/pebble/meta/main.yml @@ -0,0 +1,35 @@ +#SPDX-License-Identifier: MIT-0 +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.2 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/homarr/vars/main.yml b/roles/pebble/tasks/main.yml similarity index 60% rename from roles/homarr/vars/main.yml rename to roles/pebble/tasks/main.yml index 984df2b..07d757e 100644 --- a/roles/homarr/vars/main.yml +++ b/roles/pebble/tasks/main.yml @@ -1,3 +1,3 @@ #SPDX-License-Identifier: MIT-0 --- -# vars file for homarr \ No newline at end of file +# tasks file for pebble diff --git a/roles/opnform/tests/inventory b/roles/pebble/tests/inventory similarity index 97% rename from roles/opnform/tests/inventory rename to roles/pebble/tests/inventory index 712db59..03ca42f 100644 --- a/roles/opnform/tests/inventory +++ b/roles/pebble/tests/inventory @@ -1,2 +1,3 @@ #SPDX-License-Identifier: MIT-0 localhost + diff --git a/roles/homarr/tests/test.yml b/roles/pebble/tests/test.yml similarity index 86% rename from roles/homarr/tests/test.yml rename to roles/pebble/tests/test.yml index 88ecfc1..56552f0 100644 --- a/roles/homarr/tests/test.yml +++ b/roles/pebble/tests/test.yml @@ -3,4 +3,4 @@ - hosts: localhost remote_user: root roles: - - homarr \ No newline at end of file + - pebble diff --git a/roles/coturn/vars/main.yml b/roles/pebble/vars/main.yml similarity index 61% rename from roles/coturn/vars/main.yml rename to roles/pebble/vars/main.yml index f2a4ea3..db4da23 100644 --- a/roles/coturn/vars/main.yml +++ b/roles/pebble/vars/main.yml @@ -1,3 +1,3 @@ #SPDX-License-Identifier: MIT-0 --- -# vars file for coturn +# vars file for pebble diff --git a/roles/send/README.md b/roles/send/README.md deleted file mode 100644 index fbd6362..0000000 --- a/roles/send/README.md +++ /dev/null @@ -1,64 +0,0 @@ -Send -==== - -Deploys a self-hosted [Send](https://github.com/timvisee/send) instance -(timvisee fork of the discontinued Mozilla Send) with a Redis backend -behind Traefik, using Docker Compose. - -Requirements ------------- - -- Docker + `docker compose` plugin on the target host -- Traefik (role `digitalboard.core.traefik`) reachable via an external - Docker network named `proxy` (default) -- DNS for each entry in `send_domains` pointing at the reverse proxy -- Optional: a Garage S3 bucket if `send_storage_backend: s3` - -Role Variables --------------- - -Important defaults (see `defaults/main.yml` for the full list): - -| Variable | Default | Description | -|---|---|---| -| `send_domains` | `["send.local.test"]` | FQDNs the router accepts; first entry is the canonical BASE_URL | -| `send_image` | `registry.gitlab.com/timvisee/send:latest` | Send container image | -| `send_max_file_size` | `1073741824` | Max upload size in bytes (1 GiB) | -| `send_max_expire_seconds` | `604800` | Max share lifetime (7 d) | -| `send_storage_backend` | `local` | `local` (volume) or `s3` | -| `send_s3_*` | `""` | S3 endpoint/bucket/key/secret (when backend is `s3`) | -| `send_use_ssl` | `true` | Issue Traefik labels for the `websecure` entrypoint | - -Dependencies ------------- - -None. - -Example Playbook ----------------- - -```yaml -- hosts: send_servers - become: true - roles: - - digitalboard.core.send -``` - -With S3 (Garage) backend: - -```yaml -send_storage_backend: s3 -send_s3_endpoint: "http://{{ hostvars['backend']['garage_s3_domains'][0] }}" -send_s3_bucket: "send" -send_s3_access_key: "{{ lookup('digitalboard.core.garage_credentials', 'send', host='backend')['key_id'] }}" -send_s3_secret_key: "{{ lookup('digitalboard.core.garage_credentials', 'send', host='backend')['secret_key'] }}" -``` - -When `send_storage_backend: s3`, the role asserts that `send_s3_endpoint`, -`send_s3_bucket`, `send_s3_access_key` and `send_s3_secret_key` are all set, -and fails early otherwise. - -License -------- - -MIT-0 diff --git a/roles/send/defaults/main.yml b/roles/send/defaults/main.yml deleted file mode 100644 index ba3aecc..0000000 --- a/roles/send/defaults/main.yml +++ /dev/null @@ -1,53 +0,0 @@ -#SPDX-License-Identifier: MIT-0 ---- -# defaults file for send - -# Base directory configuration (inherited from base role or defined here) -docker_compose_base_dir: /etc/docker/compose -docker_volume_base_dir: /srv/data - -# Send-specific configuration -send_service_name: send -send_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ send_service_name }}" -send_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ send_service_name }}" - -# Service configuration -# FQDNs the send router accepts. The first entry is the canonical -# domain (used as BASE_URL); further entries cover internal *.int.* -# names so backend uploads can hit us without hairpinning via DMZ. -send_domains: - - "send.local.test" -send_image: "registry.gitlab.com/timvisee/send:latest" -send_port: 1443 -send_extra_hosts: [] - -# Redis backend -send_redis_image: "redis:7-alpine" -send_redis_service_name: "send-redis" - -# Send application configuration -# https://github.com/timvisee/send/blob/master/server/config.js -send_max_file_size: 1073741824 # 1 GiB in bytes -send_default_downloads: 1 -send_max_downloads: 100 -send_default_expire_seconds: 86400 # 24h -send_max_expire_seconds: 604800 # 7d -send_max_files_per_archive: 64 -send_download_counts: "1,2,3,4,5,20,50,100" -send_expire_times_seconds: "300,3600,86400,604800" - -# Storage backend: "local" (volume) or "s3" -send_storage_backend: "local" - -# S3 backend (only used when send_storage_backend == "s3") -send_s3_endpoint: "" -send_s3_bucket: "" -send_s3_region: "us-east-1" -send_s3_access_key: "" -send_s3_secret_key: "" -send_s3_use_path_style: true - -# Traefik configuration -send_traefik_network: "proxy" -send_internal_network: "send_internal" -send_use_ssl: true diff --git a/roles/send/handlers/main.yml b/roles/send/handlers/main.yml deleted file mode 100644 index cb83189..0000000 --- a/roles/send/handlers/main.yml +++ /dev/null @@ -1,9 +0,0 @@ -#SPDX-License-Identifier: MIT-0 ---- -# handlers file for send - -- name: restart send - community.docker.docker_compose_v2: - project_src: "{{ send_docker_compose_dir }}" - state: present - recreate: always diff --git a/roles/send/meta/argument_specs.yml b/roles/send/meta/argument_specs.yml deleted file mode 100644 index 2e9797e..0000000 --- a/roles/send/meta/argument_specs.yml +++ /dev/null @@ -1,122 +0,0 @@ ---- -argument_specs: - main: - short_description: Deploy timvisee/send (file-sharing) with a Redis backend via Docker Compose. - description: - - Renders a Compose stack with the C(timvisee/send) container and a - Redis companion behind Traefik. Storage can be local-disk or any - S3-compatible backend (e.g. the C(garage) role). - - Uses the shared C(*_domains) list convention so the router can - accept internal C(*.int.*) hostnames alongside the canonical - BASE_URL host. - options: - docker_compose_base_dir: - type: path - default: /etc/docker/compose - docker_volume_base_dir: - type: path - default: /srv/data - send_service_name: - type: str - default: send - send_docker_compose_dir: - type: path - send_docker_volume_dir: - type: path - - send_domains: - type: list - elements: str - default: ['send.local.test'] - description: - - FQDNs the router accepts. First entry is the canonical hostname - and is used as C(BASE_URL). Further entries cover internal - C(*.int.*) names so backend uploads can hit Send without - hairpinning via the DMZ. - send_image: - type: str - default: "registry.gitlab.com/timvisee/send:latest" - send_port: - type: int - default: 1443 - send_extra_hosts: - type: list - elements: str - default: [] - description: C(extra_hosts) entries injected into the send container (Docker C(host:ip) syntax). - - send_redis_image: - type: str - default: "redis:7-alpine" - send_redis_service_name: - type: str - default: send-redis - - send_max_file_size: - type: int - default: 1073741824 - description: Max upload size in bytes. Default is 1 GiB. - send_default_downloads: - type: int - default: 1 - send_max_downloads: - type: int - default: 100 - send_default_expire_seconds: - type: int - default: 86400 - description: Default share lifetime in seconds (24 h). - send_max_expire_seconds: - type: int - default: 604800 - description: Maximum share lifetime in seconds (7 d). - send_max_files_per_archive: - type: int - default: 64 - send_download_counts: - type: str - default: "1,2,3,4,5,20,50,100" - description: Comma-separated list of download-count options shown in the UI. - send_expire_times_seconds: - type: str - default: "300,3600,86400,604800" - description: Comma-separated list of expire-time options (seconds) shown in the UI. - - send_storage_backend: - type: str - choices: [local, s3] - default: local - description: - - C(local) keeps uploads in a host volume. C(s3) uses an - S3-compatible backend (any of the C(send_s3_*) variables is - required when this is set). - - send_s3_endpoint: - type: str - default: '' - send_s3_bucket: - type: str - default: '' - send_s3_region: - type: str - default: us-east-1 - send_s3_access_key: - type: str - default: '' - send_s3_secret_key: - type: str - default: '' - send_s3_use_path_style: - type: bool - default: true - description: Required for most non-AWS S3-compatible backends (Garage, MinIO). - - send_traefik_network: - type: str - default: proxy - send_internal_network: - type: str - default: send_internal - send_use_ssl: - type: bool - default: true diff --git a/roles/send/meta/main.yml b/roles/send/meta/main.yml deleted file mode 100644 index defda67..0000000 --- a/roles/send/meta/main.yml +++ /dev/null @@ -1,14 +0,0 @@ -#SPDX-License-Identifier: MIT-0 -galaxy_info: - author: digitalboard - description: Deploy a self-hosted Send (timvisee fork) instance with Redis via Docker Compose - license: MIT-0 - - min_ansible_version: "2.14" - - galaxy_tags: - - send - - filesharing - - docker - -dependencies: [] diff --git a/roles/send/tasks/main.yml b/roles/send/tasks/main.yml deleted file mode 100644 index 2ed91c9..0000000 --- a/roles/send/tasks/main.yml +++ /dev/null @@ -1,42 +0,0 @@ -#SPDX-License-Identifier: MIT-0 ---- -# tasks file for send - -- name: Assert S3 backend configuration when enabled - ansible.builtin.assert: - that: - - send_s3_endpoint | length > 0 - - send_s3_bucket | length > 0 - - send_s3_access_key | length > 0 - - send_s3_secret_key | length > 0 - fail_msg: >- - send_storage_backend is 's3' but one or more of send_s3_endpoint, - send_s3_bucket, send_s3_access_key, send_s3_secret_key is unset. - Provide via OpenBao, Ansible Vault or extra-vars — or switch - send_storage_backend to 'local'. - when: send_storage_backend == "s3" - -- name: Create docker compose directory - ansible.builtin.file: - path: "{{ send_docker_compose_dir }}" - state: directory - mode: '0755' - -- name: Create local upload directory - ansible.builtin.file: - path: "{{ send_docker_volume_dir }}/uploads" - state: directory - mode: '0755' - when: send_storage_backend == "local" - -- name: Create docker-compose file for send - ansible.builtin.template: - src: docker-compose.yml.j2 - dest: "{{ send_docker_compose_dir }}/docker-compose.yml" - mode: '0644' - notify: restart send - -- name: Start send container - community.docker.docker_compose_v2: - project_src: "{{ send_docker_compose_dir }}" - state: present diff --git a/roles/send/templates/docker-compose.yml.j2 b/roles/send/templates/docker-compose.yml.j2 deleted file mode 100644 index 28f1eaa..0000000 --- a/roles/send/templates/docker-compose.yml.j2 +++ /dev/null @@ -1,72 +0,0 @@ -services: - {{ send_service_name }}: - image: {{ send_image }} - container_name: {{ send_service_name }} - restart: unless-stopped - depends_on: - - {{ send_redis_service_name }} - networks: - - {{ send_traefik_network }} - - {{ send_internal_network }} -{% if send_extra_hosts is defined and send_extra_hosts | length > 0 %} - extra_hosts: -{% for host in send_extra_hosts %} - - "{{ host }}" -{% endfor %} -{% endif %} - environment: -{% if send_use_ssl %} - BASE_URL: "https://{{ send_domains[0] }}" -{% else %} - BASE_URL: "http://{{ send_domains[0] }}" -{% endif %} - REDIS_HOST: "{{ send_redis_service_name }}" - REDIS_PORT: "6379" - MAX_FILE_SIZE: "{{ send_max_file_size }}" - DEFAULT_DOWNLOADS: "{{ send_default_downloads }}" - MAX_DOWNLOADS: "{{ send_max_downloads }}" - DEFAULT_EXPIRE_SECONDS: "{{ send_default_expire_seconds }}" - MAX_EXPIRE_SECONDS: "{{ send_max_expire_seconds }}" - MAX_FILES_PER_ARCHIVE: "{{ send_max_files_per_archive }}" - DOWNLOAD_COUNTS: "{{ send_download_counts }}" - EXPIRE_TIMES_SECONDS: "{{ send_expire_times_seconds }}" -{% if send_storage_backend == "s3" %} - S3_BUCKET: "{{ send_s3_bucket }}" - S3_ENDPOINT: "{{ send_s3_endpoint }}" - S3_USE_PATH_STYLE_ENDPOINT: "{{ 'true' if send_s3_use_path_style else 'false' }}" - AWS_ACCESSKEYID: "{{ send_s3_access_key }}" - AWS_SECRETACCESSKEY: "{{ send_s3_secret_key }}" - AWS_REGION: "{{ send_s3_region }}" -{% else %} - FILE_DIR: "/uploads" - volumes: - - {{ send_docker_volume_dir }}/uploads:/uploads -{% endif %} - labels: - - traefik.enable=true - - traefik.docker.network={{ send_traefik_network }} - - traefik.http.routers.{{ send_service_name }}.rule={% for d in send_domains %}Host(`{{ d }}`){% if not loop.last %} || {% endif %}{% endfor +%} - - traefik.http.services.{{ send_service_name }}.loadbalancer.server.port={{ send_port }} -{% if send_use_ssl %} - - traefik.http.routers.{{ send_service_name }}.entrypoints=websecure - - traefik.http.routers.{{ send_service_name }}.tls=true -{% if traefik_cert_mode | default('selfsigned') == 'acme' %} - - traefik.http.routers.{{ send_service_name }}.tls.certresolver={{ traefik_ssl_cert_resolver | default('dns') }} -{% endif %} -{% else %} - - traefik.http.routers.{{ send_service_name }}.entrypoints=web -{% endif %} - - {{ send_redis_service_name }}: - image: {{ send_redis_image }} - container_name: {{ send_redis_service_name }} - restart: unless-stopped - networks: - - {{ send_internal_network }} - volumes: - - {{ send_docker_volume_dir }}/redis:/data - -networks: - {{ send_internal_network }}: - {{ send_traefik_network }}: - external: true diff --git a/roles/talk/README.md b/roles/talk/README.md deleted file mode 100644 index 28652be..0000000 --- a/roles/talk/README.md +++ /dev/null @@ -1,78 +0,0 @@ -# talk - -Deploys the Nextcloud Talk High Performance Backend (HPB) stack: - -- `nextcloud-spreed-signaling` (Strukturag) -- `janus-gateway` (canyan build, WebRTC MCU) -- `nats` (internal message broker) - -Designed to be paired with the `digitalboard.core.coturn` role (TURN/STUN) and registered in -Nextcloud via the new `digitalboard.core.nextcloud` `talk.yml` task. - -## Required variables - -| Variable | Description | -|---|---| -| `talk_domain` | Public host name (e.g. `signaling.digitalboard.ch`) | -| `talk_nextcloud_url` | Base URL of the Nextcloud instance the HPB talks back to | -| `talk_janus_public_ip` | Public IP used by Janus for ICE candidate gathering (nat_1_1_mapping) | -| `talk_backend_secret` | HMAC secret shared with Nextcloud Talk; loaded from `secrets/{host}/talk_backend_secret` | -| `talk_turn_secret` | Shared secret with coturn; loaded from `secrets/{host}/talk_turn_secret` (must equal `coturn_static_auth_secret`) | -| `talk_session_hashkey` | 32-byte hex; loaded from `secrets/{host}/talk_session_hashkey` | -| `talk_session_blockkey` | 32-byte hex; loaded from `secrets/{host}/talk_session_blockkey` | - -## Important variables - -| Variable | Default | Description | -|---|---|---| -| `talk_internal_domain` | `""` | Optional split-horizon FQDN (matches the second SAN on the coturn cert) | -| `talk_turn_servers` | `turns:.../443?transport=tcp,turn:.../443` | Comma-separated TURN URI list passed to the signaling server | -| `talk_turn_realm` | `stun.example.test` | Realm advertised to clients | -| `talk_janus_stun_server` | `stun.int.example.test` | STUN endpoint Janus uses for its own ICE; default points at the internal coturn name | -| `talk_janus_rtp_port_min/max` | `20000`/`21000` | UDP/TCP relay range opened on the Janus container | -| `talk_nextcloud_extra_host_ip` | `""` | Optional pin: bind the Nextcloud FQDN to a specific backend IP (bypasses hairpin/SNI) | -| `talk_signaling_image` | `strukturag/nextcloud-spreed-signaling:1.3.4` | Pinned | -| `talk_janus_image` | `canyan/janus-gateway:1.2.4` | Pinned | -| `talk_nats_image` | `nats:2.10-alpine` | Pinned | - -All defaults can be overridden per host_vars. The configurable image variables exist explicitly because -this stack is still under active development upstream and you may want to roll forward independently. - -## Secrets - -The role expects these files under `playbooks/secrets/{{ inventory_hostname }}/`, mode 0600: - -``` -talk_backend_secret # shared with Nextcloud Talk app (HPB shared secret) -talk_turn_secret # = coturn_static_auth_secret on the TURN host -talk_session_hashkey # 32-byte hex (openssl rand -hex 32) -talk_session_blockkey # 32-byte hex (openssl rand -hex 32) -``` - -If you prefer a different secret store, override the variables directly in host_vars. - -## What gets registered in Nextcloud - -The matching `digitalboard.core.nextcloud` task `talk.yml` runs: - -- `php occ talk:signaling:add ` — register HPB -- `php occ talk:turn:add` for each entry in `nextcloud_talk_turn_servers` — register TURN - -That part lives in the **nextcloud** role and runs when `nextcloud_enable_talk: true`. - -## Traefik - -The role assumes a `digitalboard.core.traefik` instance in `backend` mode runs on the same host -(picks up Docker container labels). The public `talk_domain` then needs to be exposed via the -**DMZ Traefik**, by adding an entry to `traefik_dmz_exposed_services` in the signaling host's -`host_vars`: - -```yaml -traefik_dmz_exposed_services: - - name: signaling - domain: signaling.digitalboard.ch - port: 443 - protocol: https -``` - -(The DMZ proxy aggregates exposed services from all `backend_servers` host_vars.) diff --git a/roles/talk/defaults/main.yml b/roles/talk/defaults/main.yml deleted file mode 100644 index 79a3a00..0000000 --- a/roles/talk/defaults/main.yml +++ /dev/null @@ -1,74 +0,0 @@ -#SPDX-License-Identifier: MIT-0 ---- -# defaults file for talk (Nextcloud Talk High Performance Backend) - -# Base directories (inherited from base role) -docker_compose_base_dir: /etc/docker/compose -docker_volume_base_dir: /srv/data - -talk_service_name: signaling -talk_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ talk_service_name }}" -talk_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ talk_service_name }}" - -# --- Container images (pinned) --- -talk_signaling_image: "strukturag/nextcloud-spreed-signaling:1.3.4" -talk_janus_image: "canyan/janus-gateway:1.2.4" -talk_nats_image: "nats:2.10-alpine" - -# --- Networking --- -talk_traefik_network: "proxy" -talk_internal_network: "hpb_internal" - -# --- Public exposure --- -talk_use_ssl: true -talk_cert_resolver: "dns" -talk_domain: "signaling.example.test" # public domain (over DMZ Traefik) -talk_internal_domain: "" # optional split-horizon "int" domain (e.g. signaling.int.example.test) - -# --- Backend (Nextcloud) registration --- -# Nextcloud base URL the HPB talks back to. Must be reachable from the HPB container. -talk_nextcloud_url: "https://cloud.example.test" -# Pin Nextcloud domain to a backend IP via extra_hosts to bypass DMZ hairpin/SNI issues -talk_nextcloud_extra_host_ip: "" # e.g. "172.16.9.88" — empty disables the pin - -# Backend HMAC secret shared with Nextcloud Talk. -# Pattern follows playbooks/secrets/{host}/; override the lookup with vault if desired. -talk_backend_secret: "{{ lookup('file', playbook_dir ~ '/secrets/' ~ inventory_hostname ~ '/talk_backend_secret') }}" - -# --- TURN integration --- -# Shared secret with coturn (--static-auth-secret). Must match coturn_static_auth_secret on the TURN host. -talk_turn_secret: "{{ lookup('file', playbook_dir ~ '/secrets/' ~ inventory_hostname ~ '/talk_turn_secret') }}" -# TURN server URI list as understood by the signaling server. -# Defaults follow IANA standards (3478/5349). Override to ":443" in restrictive -# network environments where coturn binds on 443. -talk_turn_servers: "turns:stun.example.test:5349?transport=tcp,turn:stun.example.test:3478" -talk_turn_realm: "stun.example.test" -talk_turn_apikey: "" # optional; if empty a random one is generated on first run - -# --- Session keys (server.conf [sessions]) --- -# 32-byte hex strings. Loaded from secrets dir like the other shared secrets. -talk_session_hashkey: "{{ lookup('file', playbook_dir ~ '/secrets/' ~ inventory_hostname ~ '/talk_session_hashkey') }}" -talk_session_blockkey: "{{ lookup('file', playbook_dir ~ '/secrets/' ~ inventory_hostname ~ '/talk_session_blockkey') }}" - -# --- MCU (Janus) --- -talk_mcu_type: "janus" -talk_janus_public_ip: "" # set in host_vars; goes into janus nat_1_1_mapping -talk_janus_rtp_port_min: 20000 -talk_janus_rtp_port_max: 21000 -# STUN server Janus uses for its own ICE candidate gathering. Default points to internal coturn DNS name. -talk_janus_stun_server: "stun.int.example.test" -talk_janus_stun_port: 5349 -talk_janus_ice_lite: true -talk_janus_ice_tcp: true - -# --- Trusted proxies / allowed hosts for the signaling [app] section --- -talk_trusted_proxies: - - "172.16.0.0/12" - - "192.168.0.0/16" - - "10.0.0.0/8" -talk_allowed_hosts: - - "172.16.0.0/12" - -# --- Extra hosts forwarded to all three containers --- -# Pre-populated with the Nextcloud pin if talk_nextcloud_extra_host_ip is set; you can append more here. -talk_extra_hosts: [] diff --git a/roles/talk/handlers/main.yml b/roles/talk/handlers/main.yml deleted file mode 100644 index 645244d..0000000 --- a/roles/talk/handlers/main.yml +++ /dev/null @@ -1,8 +0,0 @@ -#SPDX-License-Identifier: MIT-0 ---- -# handlers file for talk - -- name: Restart signaling stack - community.docker.docker_compose_v2: - project_src: "{{ talk_docker_compose_dir }}" - state: restarted diff --git a/roles/talk/meta/argument_specs.yml b/roles/talk/meta/argument_specs.yml deleted file mode 100644 index 9117ea8..0000000 --- a/roles/talk/meta/argument_specs.yml +++ /dev/null @@ -1,161 +0,0 @@ ---- -argument_specs: - main: - short_description: Deploy the Nextcloud Talk High Performance Backend (HPB) stack. - description: - - Renders a Docker Compose stack with C(nextcloud-spreed-signaling) - (Strukturag), C(janus-gateway) (canyan build) and C(nats) (internal - message broker) behind Traefik. - - Designed to be paired with the C(digitalboard.core.coturn) role - (TURN/STUN) and registered in Nextcloud via - C(digitalboard.core.nextcloud)'s C(talk.yml) task. - options: - docker_compose_base_dir: - type: path - default: /etc/docker/compose - docker_volume_base_dir: - type: path - default: /srv/data - talk_service_name: - type: str - default: signaling - talk_docker_compose_dir: - type: path - talk_docker_volume_dir: - type: path - - talk_signaling_image: - type: str - default: "strukturag/nextcloud-spreed-signaling:1.3.4" - talk_janus_image: - type: str - default: "canyan/janus-gateway:1.2.4" - talk_nats_image: - type: str - default: "nats:2.10-alpine" - - talk_traefik_network: - type: str - default: proxy - talk_internal_network: - type: str - default: hpb_internal - - talk_use_ssl: - type: bool - default: true - talk_cert_resolver: - type: str - default: dns - talk_domain: - type: str - default: signaling.example.test - description: Public domain (typically routed through the DMZ Traefik). - talk_internal_domain: - type: str - default: '' - description: - - Optional split-horizon C(*.int.*) domain for server-to-server - traffic (e.g. C(signaling.int.example.test)). - - talk_nextcloud_url: - type: str - default: https://cloud.example.test - description: Nextcloud base URL the HPB talks back to. Must be reachable from the HPB container. - talk_nextcloud_extra_host_ip: - type: str - default: '' - description: - - Pin the Nextcloud hostname to a backend IP via C(extra_hosts) to bypass - DMZ hairpin / SNI issues. Empty disables the pin. - - talk_backend_secret: - type: str - required: true - description: - - HMAC secret shared with Nextcloud Talk. Default lookup reads - C(playbooks/secrets//talk_backend_secret). - - talk_turn_secret: - type: str - required: true - description: - - Shared secret with coturn (must match C(coturn_static_auth_secret) - on the TURN host). Default lookup reads - C(playbooks/secrets//talk_turn_secret). - talk_turn_servers: - type: str - default: "turns:stun.example.test:5349?transport=tcp,turn:stun.example.test:3478" - description: - - TURN server URI list as understood by the signaling server. - Override to C(:443) when coturn binds on 443 in restrictive networks. - talk_turn_realm: - type: str - default: stun.example.test - talk_turn_apikey: - type: str - default: '' - description: Optional explicit API key; when empty a random one is generated on first run. - - talk_session_hashkey: - type: str - required: true - description: - - 32-byte hex string. Default lookup reads - C(playbooks/secrets//talk_session_hashkey). - talk_session_blockkey: - type: str - required: true - description: - - 32-byte hex string. Default lookup reads - C(playbooks/secrets//talk_session_blockkey). - - talk_mcu_type: - type: str - choices: [janus] - default: janus - talk_janus_public_ip: - type: str - default: '' - description: Must be set in host_vars. Goes into janus C(nat_1_1_mapping). - talk_janus_rtp_port_min: - type: int - default: 20000 - talk_janus_rtp_port_max: - type: int - default: 21000 - talk_janus_stun_server: - type: str - default: stun.int.example.test - description: STUN server janus uses for its own ICE candidate gathering. - talk_janus_stun_port: - type: int - default: 5349 - talk_janus_ice_lite: - type: bool - default: true - talk_janus_ice_tcp: - type: bool - default: true - - talk_trusted_proxies: - type: list - elements: str - default: - - "172.16.0.0/12" - - "192.168.0.0/16" - - "10.0.0.0/8" - talk_allowed_hosts: - type: list - elements: str - default: - - "172.16.0.0/12" - - talk_extra_hosts: - type: list - elements: str - default: [] - description: - - Extra C(host:ip) entries forwarded to all three containers. - Pre-populated with the Nextcloud pin when - C(talk_nextcloud_extra_host_ip) is set. diff --git a/roles/talk/meta/main.yml b/roles/talk/meta/main.yml deleted file mode 100644 index 7857f43..0000000 --- a/roles/talk/meta/main.yml +++ /dev/null @@ -1,15 +0,0 @@ -#SPDX-License-Identifier: MIT-0 -galaxy_info: - author: Digital Board Team - description: Deploy Nextcloud Talk High Performance Backend (nextcloud-spreed-signaling + Janus + NATS) - company: digitalboard.ch - license: GPL-2.0-or-later - min_ansible_version: "2.14" - galaxy_tags: - - nextcloud - - talk - - signaling - - hpb - - janus - - webrtc -dependencies: [] diff --git a/roles/talk/tasks/main.yml b/roles/talk/tasks/main.yml deleted file mode 100644 index 3a984cf..0000000 --- a/roles/talk/tasks/main.yml +++ /dev/null @@ -1,85 +0,0 @@ -#SPDX-License-Identifier: MIT-0 ---- -# tasks file for talk (HPB) - -- name: Assert minimum configuration - ansible.builtin.assert: - that: - - talk_domain | length > 0 - - talk_nextcloud_url | length > 0 - - talk_backend_secret | length > 0 - - talk_turn_secret | length > 0 - - talk_janus_public_ip | length > 0 - - talk_session_hashkey | length > 0 - - talk_session_blockkey | length > 0 - fail_msg: > - Required talk_* variables missing. - Set talk_domain, talk_nextcloud_url, talk_janus_public_ip in host_vars - and place backend/turn/session secrets in playbooks/secrets/{{ inventory_hostname }}/. - -- name: Create talk compose directory - ansible.builtin.file: - path: "{{ talk_docker_compose_dir }}" - state: directory - mode: "0755" - -- name: Create signaling subdirectories (signaling + janus configs) - ansible.builtin.file: - path: "{{ talk_docker_compose_dir }}/{{ item }}" - state: directory - mode: "0755" - loop: - - signaling - - janus - -- name: Create signaling data directory - ansible.builtin.file: - path: "{{ talk_docker_volume_dir }}/signaling/data" - state: directory - mode: "0755" - -- name: Ensure proxy network exists (created externally by Traefik role normally) - community.docker.docker_network: - name: "{{ talk_traefik_network }}" - state: present - -- name: Render signaling server.conf - ansible.builtin.template: - src: server.conf.j2 - dest: "{{ talk_docker_compose_dir }}/signaling/server.conf" - mode: "0640" - no_log: true - notify: Restart signaling stack - -- name: Render Janus main config - ansible.builtin.template: - src: janus.jcfg.j2 - dest: "{{ talk_docker_compose_dir }}/janus/janus.jcfg" - mode: "0644" - notify: Restart signaling stack - -- name: Render Janus websockets transport config - ansible.builtin.template: - src: janus.transport.websockets.jcfg.j2 - dest: "{{ talk_docker_compose_dir }}/janus/janus.transport.websockets.jcfg" - mode: "0644" - notify: Restart signaling stack - -- name: Render Janus logger config - ansible.builtin.template: - src: janus.logger.jcfg.j2 - dest: "{{ talk_docker_compose_dir }}/janus/janus.logger.jcfg" - mode: "0644" - notify: Restart signaling stack - -- name: Render docker-compose.yml - ansible.builtin.template: - src: docker-compose.yml.j2 - dest: "{{ talk_docker_compose_dir }}/docker-compose.yml" - mode: "0644" - notify: Restart signaling stack - -- name: Start signaling stack - community.docker.docker_compose_v2: - project_src: "{{ talk_docker_compose_dir }}" - state: present diff --git a/roles/talk/templates/docker-compose.yml.j2 b/roles/talk/templates/docker-compose.yml.j2 deleted file mode 100644 index f207186..0000000 --- a/roles/talk/templates/docker-compose.yml.j2 +++ /dev/null @@ -1,124 +0,0 @@ -{# Build the effective extra_hosts list once #} -{% set _extra_hosts = [] %} -{% if talk_nextcloud_extra_host_ip | length > 0 %} -{% set _ = _extra_hosts.append((talk_nextcloud_url | urlsplit('hostname')) ~ ':' ~ talk_nextcloud_extra_host_ip) %} -{% endif %} -{% for h in talk_extra_hosts %} -{% set _ = _extra_hosts.append(h) %} -{% endfor %} -networks: - {{ talk_traefik_network }}: - external: true - {{ talk_internal_network }}: - driver: bridge - -services: - nats: - image: {{ talk_nats_image }} - container_name: nats - restart: unless-stopped -{% if _extra_hosts | length > 0 %} - extra_hosts: -{% for h in _extra_hosts %} - - "{{ h }}" -{% endfor %} -{% endif %} - command: > - -js - -m 8222 - -p 4222 - healthcheck: - test: ["CMD", "nc", "-z", "localhost", "4222"] - interval: 10s - timeout: 3s - retries: 10 - networks: - - {{ talk_internal_network }} - - janus: - image: {{ talk_janus_image }} - container_name: janus - restart: unless-stopped -{% if _extra_hosts | length > 0 %} - extra_hosts: -{% for h in _extra_hosts %} - - "{{ h }}" -{% endfor %} -{% endif %} - environment: - PUBLIC_IP: "{{ talk_janus_public_ip }}" - RTP_RANGE: "{{ talk_janus_rtp_port_min }}-{{ talk_janus_rtp_port_max }}" - volumes: - - ./janus/janus.jcfg:/usr/local/etc/janus/janus.jcfg:ro - - ./janus/janus.transport.websockets.jcfg:/usr/local/etc/janus/janus.transport.websockets.jcfg:ro - - ./janus/janus.logger.jcfg:/usr/local/etc/janus/janus.logger.jcfg:ro - networks: - - {{ talk_internal_network }} - ports: - - "{{ talk_janus_rtp_port_min }}-{{ talk_janus_rtp_port_max }}:{{ talk_janus_rtp_port_min }}-{{ talk_janus_rtp_port_max }}/udp" - - "{{ talk_janus_rtp_port_min }}-{{ talk_janus_rtp_port_max }}:{{ talk_janus_rtp_port_min }}-{{ talk_janus_rtp_port_max }}/tcp" - ulimits: - nofile: - soft: 65536 - hard: 65536 - - signaling: - image: {{ talk_signaling_image }} - container_name: signaling - restart: unless-stopped - depends_on: - nats: - condition: service_healthy -{% if _extra_hosts | length > 0 %} - extra_hosts: -{% for h in _extra_hosts %} - - "{{ h }}" -{% endfor %} -{% endif %} - volumes: - - ./signaling/server.conf:/config/server.conf:ro - - {{ talk_docker_volume_dir }}/signaling/data:/var/lib/signaling - networks: - - {{ talk_traefik_network }} - - {{ talk_internal_network }} - labels: - - traefik.enable=true - - traefik.docker.network={{ talk_traefik_network }} - - # Public WebSocket route (/spreed) - - traefik.http.routers.signal-public.rule=Host(`{{ talk_domain }}`) && PathPrefix(`/spreed`) - - traefik.http.routers.signal-public.entrypoints={{ 'websecure' if talk_use_ssl else 'web' }} -{% if talk_use_ssl %} - - traefik.http.routers.signal-public.tls=true - - traefik.http.routers.signal-public.tls.certresolver={{ talk_cert_resolver }} -{% endif %} - - traefik.http.routers.signal-public.service=signal-svc - - traefik.http.routers.signal-public.middlewares=signal-ws - - # Public backend API route (/api/) - - traefik.http.routers.signal-backend.rule=Host(`{{ talk_domain }}`) && PathPrefix(`/api/`) - - traefik.http.routers.signal-backend.entrypoints={{ 'websecure' if talk_use_ssl else 'web' }} -{% if talk_use_ssl %} - - traefik.http.routers.signal-backend.tls=true - - traefik.http.routers.signal-backend.tls.certresolver={{ talk_cert_resolver }} -{% endif %} - - traefik.http.routers.signal-backend.service=signal-svc - -{% if talk_internal_domain | length > 0 %} - # Internal split-horizon route (full host on int domain, WebSocket-aware) - - traefik.http.routers.signal-int.rule=Host(`{{ talk_internal_domain }}`) - - traefik.http.routers.signal-int.entrypoints={{ 'websecure' if talk_use_ssl else 'web' }} -{% if talk_use_ssl %} - - traefik.http.routers.signal-int.tls=true - - traefik.http.routers.signal-int.tls.certresolver={{ talk_cert_resolver }} -{% endif %} - - traefik.http.routers.signal-int.service=signal-svc - - traefik.http.routers.signal-int.middlewares=signal-ws -{% endif %} - - # Common service - - traefik.http.services.signal-svc.loadbalancer.server.port=8181 - - # WebSocket upgrade headers - - traefik.http.middlewares.signal-ws.headers.customrequestheaders.Upgrade=websocket - - traefik.http.middlewares.signal-ws.headers.customrequestheaders.Connection=Upgrade diff --git a/roles/talk/templates/janus.jcfg.j2 b/roles/talk/templates/janus.jcfg.j2 deleted file mode 100644 index 7c0a3bc..0000000 --- a/roles/talk/templates/janus.jcfg.j2 +++ /dev/null @@ -1,28 +0,0 @@ -general: { - configs_folder = "/usr/local/etc/janus" - log_to_stdout = true -} - -nat: { - nat_1_1_mapping = "{{ talk_janus_public_ip }}" - ice_lite = {{ talk_janus_ice_lite | string | lower }} - ice_tcp = {{ talk_janus_ice_tcp | string | lower }} - - stun_server = "{{ talk_janus_stun_server }}" - stun_port = {{ talk_janus_stun_port }} - - rtp_port_range = "{{ talk_janus_rtp_port_min }}-{{ talk_janus_rtp_port_max }}" -} - -media: { - rtp_port_range = "{{ talk_janus_rtp_port_min }}-{{ talk_janus_rtp_port_max }}" -} - -transports: { - websockets: { - ws = true - ws_port = 8188 - ws_interface = "0.0.0.0" - ws_ip = "0.0.0.0" - } -} diff --git a/roles/talk/templates/janus.logger.jcfg.j2 b/roles/talk/templates/janus.logger.jcfg.j2 deleted file mode 100644 index 6e1c4e4..0000000 --- a/roles/talk/templates/janus.logger.jcfg.j2 +++ /dev/null @@ -1,3 +0,0 @@ -general: { - enabled = true -} diff --git a/roles/talk/templates/janus.transport.websockets.jcfg.j2 b/roles/talk/templates/janus.transport.websockets.jcfg.j2 deleted file mode 100644 index b5cb5a7..0000000 --- a/roles/talk/templates/janus.transport.websockets.jcfg.j2 +++ /dev/null @@ -1,7 +0,0 @@ -general: { - ws = true - ws_port = 8188 - ws_interface = "0.0.0.0" - ws_pingpong_trigger = 60 - ws_pingpong_timeout = 30 -} diff --git a/roles/talk/templates/server.conf.j2 b/roles/talk/templates/server.conf.j2 deleted file mode 100644 index 6d86c0a..0000000 --- a/roles/talk/templates/server.conf.j2 +++ /dev/null @@ -1,33 +0,0 @@ -[http] -listen = 0.0.0.0:8181 -base_url = https://{{ talk_domain }} - -[backend] -backends = cloud - -[cloud] -secret = {{ talk_backend_secret }} -url = {{ talk_nextcloud_url }} - -[nats] -url = nats://nats:4222 - -[mcu] -type = {{ talk_mcu_type }} -url = ws://janus:8188/ - -[sessions] -hashkey = {{ talk_session_hashkey }} -blockkey = {{ talk_session_blockkey }} - -[turn] -servers = {{ talk_turn_servers }} -realm = {{ talk_turn_realm }} -{% if talk_turn_apikey | length > 0 %} -apikey = {{ talk_turn_apikey }} -{% endif %} -secret = {{ talk_turn_secret }} - -[app] -trustedproxies = {{ talk_trusted_proxies | join(',') }} -allowedhosts = {{ talk_allowed_hosts | join(',') }} diff --git a/roles/talk/tests/inventory b/roles/talk/tests/inventory deleted file mode 100644 index eec845d..0000000 --- a/roles/talk/tests/inventory +++ /dev/null @@ -1,2 +0,0 @@ -#SPDX-License-Identifier: MIT-0 -localhost \ No newline at end of file diff --git a/roles/traefik/README.md b/roles/traefik/README.md index b5d8226..225dd44 100644 --- a/roles/traefik/README.md +++ b/roles/traefik/README.md @@ -1,103 +1,38 @@ -# Traefik +Role Name +========= -Ansible role to deploy Traefik v3 as a reverse proxy via Docker Compose, -either as a public-facing DMZ proxy (file provider) or as a backend -application proxy (docker provider). +A brief description of the role goes here. -## Requirements +Requirements +------------ -- Docker and Docker Compose installed on the target host -- Ansible collection: `community.docker` -- For ACME DNS-01: an RFC2136-capable nameserver with a delegated zone - for `_acme-challenge` records and a TSIG key +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. -## Role variables +Role Variables +-------------- -Full list with types and defaults: `meta/argument_specs.yml`. The most -common overrides: +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. -### Deployment mode +Dependencies +------------ -- `traefik_mode`: `dmz` (file provider, routes to external backends) or - `backend` (docker provider, discovers local containers). Default `backend`. -- `traefik_backend_servers_to_proxy`: in `dmz` mode, restrict which - inventory hosts the DMZ aggregates services from. Empty = all members - of `backend_servers`. +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. -### Networking +Example Playbook +---------------- -- `traefik_network`: docker network connecting traefik to its containers - (default `proxy`). -- `traefik_extra_hosts`: list of `host:ip` entries injected as the - container's `extra_hosts`. Use when a downstream middleware - (e.g. ForwardAuth to authentik on a sibling LAN) must resolve a public - FQDN to an internal IP because the DMZ does not hairpin the public - address back inside. +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: -### Certificates + - hosts: servers + roles: + - { role: username.rolename, x: 42 } -- `traefik_cert_mode`: `acme` (Let's Encrypt via DNS-01) or `selfsigned` - (local wildcard). Default `selfsigned`. -- `traefik_acme_dns_zone`, `traefik_acme_dns_nameserver`, - `traefik_acme_tsig_key`, `traefik_acme_tsig_secret`: RFC2136 / TSIG - configuration for the ACME DNS-01 challenge. -- `traefik_acme_tcp_only`: force lego's DNS lookups onto TCP/53 when the - container cannot reach the nameserver over UDP. -- `traefik_acme_disable_ans_checks`: skip the authoritative-NS - propagation check when the SOA-listed NS resolves to an unreachable IP. +License +------- -### Dashboard +BSD -- `traefik_enable_dashboard`: expose the traefik dashboard. -- `traefik_dashboard_domain`: when set, publish the dashboard on this - Host rule instead of the insecure port. +Author Information +------------------ -## Dependencies - -- Run `digitalboard.core.base` first (or otherwise install Docker and the - `community.docker` collection); this role manages containers and networks - through `community.docker`. -- The Traefik network (`traefik_network`, default `proxy`) is created by - this role (`community.docker.docker_network`, state present), so no - pre-creation is required. -- In `dmz` mode, backend hosts advertise the services to aggregate via the - `traefik_dmz_exposed_services` host_var; `traefik_services` defines extra - routes directly on the DMZ host (each entry must set `backend_host`). - -## Example playbook - -Backend mode (one app server per host, docker provider): - -```yaml -- hosts: app_servers - roles: - - role: digitalboard.core.traefik - vars: - traefik_mode: backend - traefik_cert_mode: acme - traefik_ssl_email: ops@example.com - traefik_acme_dns_zone: "_acme.example.com." - traefik_acme_dns_nameserver: "10.0.0.53:53" - traefik_acme_tsig_key: "acme-key" - traefik_acme_tsig_secret: "{{ vault_traefik_tsig_secret }}" -``` - -DMZ mode (aggregates services from `backend_servers`): - -```yaml -- hosts: dmz_servers - roles: - - role: digitalboard.core.traefik - vars: - traefik_mode: dmz - traefik_cert_mode: acme - traefik_backend_servers_to_proxy: - - app01 - - app02 - traefik_extra_hosts: - - "auth.example.com:172.16.19.101" -``` - -## License - -MIT-0 +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/traefik/defaults/main.yml b/roles/traefik/defaults/main.yml index ffc237e..3e43412 100644 --- a/roles/traefik/defaults/main.yml +++ b/roles/traefik/defaults/main.yml @@ -11,13 +11,6 @@ service_name: traefik docker_compose_dir: "{{ docker_compose_base_dir }}/{{ service_name }}" docker_volume_dir: "{{ docker_volume_base_dir }}/{{ service_name }}" -# Optional /etc/hosts entries injected into the traefik container. Useful -# when downstream middlewares (e.g. ForwardAuth to an authentik instance -# running on a sibling LAN) need a public FQDN to resolve to an internal -# IP because the DMZ doesn't hairpin the public address back inside. -# Example: ["auth.example.com:172.16.19.101"] -traefik_extra_hosts: [] - # Deployment mode: 'dmz' or 'backend' # - dmz: Public-facing reverse proxy that routes to backend servers using file provider # - backend: Application server with docker provider for local container discovery @@ -40,18 +33,6 @@ traefik_acme_tsig_secret: "" # TSIG secret traefik_acme_propagation_timeout: "120" traefik_acme_polling_interval: "2" traefik_acme_ttl: "60" -# Force lego's DNS lookups (SOA resolution, propagation checks) onto -# TCP instead of UDP. Useful when container egress can reach the -# nameserver on TCP/53 but UDP/53 is blocked or unreliable. Sets the -# upstream env var LEGO_EXPERIMENTAL_DNS_TCP_ONLY=true on the -# traefik container. -traefik_acme_tcp_only: false -# Disable lego's propagation check against the zone's authoritative -# nameservers. Use when the SOA-listed NS hostname resolves to an -# address that isn't reachable from this traefik host (e.g. a DMZ -# box that can only see the internal NS IP, not the public one). -# lego still polls via the configured `resolvers:` list. -traefik_acme_disable_ans_checks: false # Self-signed certificate configuration (for vagrant/testing) traefik_selfsigned_cert_dir: "{{ docker_volume_dir }}/certs" diff --git a/roles/traefik/handlers/main.yml b/roles/traefik/handlers/main.yml index 8af7aac..4abd95a 100644 --- a/roles/traefik/handlers/main.yml +++ b/roles/traefik/handlers/main.yml @@ -5,4 +5,4 @@ - name: restart traefik community.docker.docker_compose_v2: project_src: "{{ docker_compose_dir }}" - state: present + state: restarted diff --git a/roles/traefik/meta/argument_specs.yml b/roles/traefik/meta/argument_specs.yml deleted file mode 100644 index d9443ff..0000000 --- a/roles/traefik/meta/argument_specs.yml +++ /dev/null @@ -1,216 +0,0 @@ ---- -argument_specs: - main: - short_description: Deploy Traefik v3 as DMZ or backend reverse proxy via Docker Compose. - description: - - Renders a Docker Compose stack for Traefik with either the file provider - (DMZ mode, routes to external backends) or the docker provider (backend - mode, discovers local containers via labels). - - Supports ACME DNS-01 issuance (RFC2136 / TSIG) or a self-signed cert - bundle for local/Vagrant setups. - options: - docker_compose_base_dir: - type: path - default: /etc/docker/compose - description: Base directory under which the per-service compose dir is created. - docker_volume_base_dir: - type: path - default: /srv/data - description: Base directory under which the per-service volume dir is created. - service_name: - type: str - default: traefik - description: Compose project / service name; also used to build the per-service paths. - docker_compose_dir: - type: path - description: Compose project directory; defaults to C({{ docker_compose_base_dir }}/{{ service_name }}). - docker_volume_dir: - type: path - description: Per-service volume directory; defaults to C({{ docker_volume_base_dir }}/{{ service_name }}). - - traefik_extra_hosts: - type: list - elements: str - default: [] - description: - - Entries injected as C(extra_hosts) on the traefik container. - - Each entry has the Docker syntax C("host:ip"). - - Useful when a downstream middleware (e.g. ForwardAuth to authentik - on a sibling LAN) must resolve a public FQDN to an internal IP - because the DMZ does not hairpin the public address. - - traefik_mode: - type: str - choices: [dmz, backend] - default: backend - description: - - C(dmz) configures the file provider so the proxy forwards to - backend hosts (typically aggregated from the C(backend_servers) group). - - C(backend) configures the docker provider for local container discovery. - - traefik_use_ssl: - type: bool - default: true - description: Toggle TLS on the websecure entrypoint. - traefik_ssl_email: - type: str - default: admin@example.com - description: Contact e-mail used by the ACME resolver. - traefik_ssl_cert_resolver: - type: str - default: dns - description: Certificate resolver name referenced in router labels. - traefik_cert_mode: - type: str - choices: [acme, selfsigned] - default: selfsigned - description: C(acme) for Let's Encrypt via DNS-01, C(selfsigned) for a locally generated bundle. - - traefik_acme_dns_zone: - type: str - default: '' - description: Delegated zone used for the TSIG-signed updates (e.g. C(_acme.example.com.)). - traefik_acme_dns_nameserver: - type: str - default: '' - description: Nameserver lego talks to for the DNS challenge (C(host:port)). - traefik_acme_tsig_algorithm: - type: str - default: hmac-sha256 - description: TSIG algorithm. - traefik_acme_tsig_key: - type: str - default: '' - description: TSIG key name. - traefik_acme_tsig_secret: - type: str - default: '' - description: TSIG secret (base64). - traefik_acme_propagation_timeout: - type: str - default: '120' - description: lego DNS propagation timeout in seconds. - traefik_acme_polling_interval: - type: str - default: '2' - description: lego DNS propagation polling interval in seconds. - traefik_acme_ttl: - type: str - default: '60' - description: TTL applied to the C(_acme-challenge) TXT records. - traefik_acme_tcp_only: - type: bool - default: false - description: - - Sets C(LEGO_EXPERIMENTAL_DNS_TCP_ONLY=true) on the container so SOA - resolution and propagation checks use TCP/53. Use when UDP/53 is - blocked or unreliable on the container egress path. - traefik_acme_disable_ans_checks: - type: bool - default: false - description: - - "Sets C(propagation.disableANSChecks) to true on the ACME resolver - in the static config, disabling lego's propagation check against - the zone's authoritative nameservers. Use when the SOA-listed NS - hostname resolves to an address the proxy host cannot reach; lego - still polls via the configured C(resolvers) list." - - traefik_selfsigned_cert_dir: - type: path - description: Output directory for the self-signed bundle. - traefik_selfsigned_cert_days: - type: int - default: 365 - description: Validity in days for the self-signed bundle. - traefik_selfsigned_common_name: - type: str - default: '*.local.test' - description: CN/SAN of the self-signed wildcard cert. - - traefik_enable_dashboard: - type: bool - default: false - description: Expose the traefik dashboard. - traefik_dashboard_domain: - type: str - default: '' - description: - - When non-empty, the dashboard is published on this Host rule instead - of the insecure port 8080. - - traefik_enable_access_logs: - type: bool - default: true - traefik_access_log_format: - type: str - choices: [common, json] - default: common - traefik_log_level: - type: str - choices: [DEBUG, INFO, WARN, ERROR, FATAL, PANIC] - default: INFO - - traefik_network: - type: str - default: proxy - description: Docker network connecting traefik to its routable containers. - - traefik_dmz_exposed_services: - type: list - elements: dict - default: [] - description: - - In C(dmz) mode, services collected from backend host_vars are - published via the file provider. Each entry needs C(name), - C(domain), C(port); C(protocol) and C(backend_host) are optional. - options: - name: - type: str - required: true - domain: - type: str - required: true - port: - type: int - required: true - protocol: - type: str - choices: [http, https] - default: http - backend_host: - type: str - description: Override the auto-selected backend host. - - traefik_services: - type: list - elements: dict - default: [] - description: - - Services defined directly on the DMZ proxy (not auto-discovered - from a backend host). Each entry must set C(backend_host). - options: - name: - type: str - required: true - domain: - type: str - required: true - backend_host: - type: str - required: true - port: - type: int - required: true - protocol: - type: str - choices: [http, https] - default: http - - traefik_backend_servers_to_proxy: - type: list - elements: str - default: [] - description: - - In C(dmz) mode, explicit list of backend hosts the DMZ proxy - should aggregate exposed services from. Empty means all members - of the C(backend_servers) inventory group. diff --git a/roles/traefik/meta/main.yml b/roles/traefik/meta/main.yml index c5ed5b1..7c2fc0d 100644 --- a/roles/traefik/meta/main.yml +++ b/roles/traefik/meta/main.yml @@ -1,26 +1,33 @@ #SPDX-License-Identifier: MIT-0 galaxy_info: - author: digitalboard - description: Deploy Traefik v3 as a DMZ or backend reverse proxy via Docker Compose - company: Digitalboard - license: MIT-0 + author: your name + description: your role description + company: your company (optional) - min_ansible_version: "2.14" + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker - platforms: - - name: Debian - versions: - - bookworm - - name: Ubuntu - versions: - - jammy - - noble + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) - galaxy_tags: - - traefik - - reverseproxy - - ingress - - docker - - digitalboard + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. dependencies: [] diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml index 8934037..159ba8f 100644 --- a/roles/traefik/tasks/main.yml +++ b/roles/traefik/tasks/main.yml @@ -9,18 +9,7 @@ - name: Build service registry from backend servers (DMZ mode) set_fact: - # Two-step merge so a service entry's own `backend_host` wins: - # entries that set it pass through unchanged, entries that don't - # get the backend host's ansible_host as fallback. The override - # lets a route target an internal FQDN covered by the backend - # cert's SANs instead of the raw IP (which would fail backend - # TLS verification at the proxy hop). - proxied_services: >- - {{ - proxied_services | default([]) - + (hostvars[item].traefik_dmz_exposed_services | default([]) | selectattr('backend_host', 'defined') | list) - + (hostvars[item].traefik_dmz_exposed_services | default([]) | rejectattr('backend_host', 'defined') | map('combine', {'backend_host': hostvars[item].ansible_host | default(item)}) | list) - }} + proxied_services: "{{ proxied_services | default([]) + hostvars[item].traefik_dmz_exposed_services | default([]) | map('combine', {'backend_host': hostvars[item].ansible_host | default(item)}) | list }}" loop: "{{ _backend_servers | default([]) }}" when: traefik_mode == 'dmz' diff --git a/roles/traefik/templates/docker-compose.yml.j2 b/roles/traefik/templates/docker-compose.yml.j2 index 9463e58..e45578b 100644 --- a/roles/traefik/templates/docker-compose.yml.j2 +++ b/roles/traefik/templates/docker-compose.yml.j2 @@ -12,9 +12,6 @@ services: RFC2136_PROPAGATION_TIMEOUT: "{{ traefik_acme_propagation_timeout }}" RFC2136_POLLING_INTERVAL: "{{ traefik_acme_polling_interval }}" RFC2136_TTL: "{{ traefik_acme_ttl }}" -{% if traefik_acme_tcp_only | default(false) %} - LEGO_EXPERIMENTAL_DNS_TCP_ONLY: "true" -{% endif %} {% endif %} ports: - "80:80" @@ -33,12 +30,6 @@ services: {% endif %} networks: - {{ traefik_network }} -{% if traefik_extra_hosts | default([]) | length > 0 %} - extra_hosts: -{% for h in traefik_extra_hosts %} - - "{{ h }}" -{% endfor %} -{% endif %} networks: {{ traefik_network }}: diff --git a/roles/traefik/templates/traefik.yml.j2 b/roles/traefik/templates/traefik.yml.j2 index 1900bbb..64bf351 100644 --- a/roles/traefik/templates/traefik.yml.j2 +++ b/roles/traefik/templates/traefik.yml.j2 @@ -48,10 +48,6 @@ certificatesResolvers: provider: rfc2136 resolvers: - "{{ traefik_acme_dns_nameserver }}" -{% if traefik_acme_disable_ans_checks | default(false) %} - propagation: - disableANSChecks: true -{% endif %} {% endif %} {% if traefik_use_ssl %}