feat(bookstack): add role for self-hosted BookStack deployment #5

Merged
Simon merged 2 commits from feature/bookstack into main 2026-05-26 13:33:21 +00:00
Owner

Deploy BookStack with linuxserver.io images behind Traefik, including
Entra ID OIDC SSO support and a daily backup timer.

Stack:

  • lscr.io/linuxserver/bookstack:version-v26.03.3
  • lscr.io/linuxserver/mariadb:11.4.9
  • Traefik labels for websecure entrypoint on internal network
  • Healthcheck via mariadb-admin ping (LSIO image lacks healthcheck.sh)

Features:

  • Persistent APP_KEY generated on first run, stored in volume dir
  • Optional OIDC SSO via Microsoft Entra ID (configurable per-instance)
  • Idempotent admin user creation with DB-based existence check
  • Daily systemd timer backup (DB dump + uploads tar + APP_KEY)
    with configurable retention

Implementation notes:

  • DB queries use --protocol=tcp with the app user because root@localhost
    uses unix_socket auth in the LSIO MariaDB image (no password) and
    root@% does not exist
  • docker_container_exec uses argv: (list) instead of command: (string)
    to avoid argument-splitting issues
  • Migration-wait task ensures users table exists before admin check,
    since /login returns 200 before Laravel migrations complete
  • no_log: true on all tasks that reference DB or admin passwords
  • artisan absolute path (/app/www/artisan) because LSIO image WORKDIR
    is not the app directory

Adds bookstack route to DMZ Traefik service registry.
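The implementation notes above (TCP queries with the app user, `argv:` instead of `command:`, the migration wait before the admin check, `no_log: true` on every secret-bearing task, and the absolute artisan path) translate into a short task list. The following is an added example, not the role's own code: file name, variable names (`bookstack_db_user`, `bookstack_db_name`, `bookstack_db_password`, `bookstack_admin_email`, `bookstack_admin_name`, `bookstack_admin_password`), container names (`bookstack_db`, `bookstack_app`), the LSIO `abc` user and the `env:` option of `docker_container_exec` are all assumptions; BookStack's `bookstack:create-admin` artisan command is not named on this page.

```yaml
# tasks/admin.yml (file name assumed) - added example, not the role's own code.
# Assumed variable and container names: bookstack_db_user, bookstack_db_name,
# bookstack_db_password, bookstack_admin_email, bookstack_admin_name,
# bookstack_admin_password, containers "bookstack_db" and "bookstack_app".
# The env: option of docker_container_exec needs community.docker >= 2.1.0 (assumed).

- name: Wait until Laravel migrations have created the users table
  community.docker.docker_container_exec:
    container: bookstack_db
    argv:                               # list form: no shell word-splitting surprises
      - mariadb
      - --protocol=tcp                  # root@localhost is unix_socket auth; use the app user over TCP
      - --host=127.0.0.1
      - "--user={{ bookstack_db_user }}"
      - --batch
      - --skip-column-names
      - >-
        --execute=SELECT COUNT(*) FROM information_schema.tables
        WHERE table_schema = '{{ bookstack_db_name }}' AND table_name = 'users'
    env:
      MYSQL_PWD: "{{ bookstack_db_password }}"   # keeps the password out of argv and ps output
  register: users_table
  until: users_table.stdout | trim == '1'    # /login answering 200 is not enough; wait for the table
  retries: 30
  delay: 10
  changed_when: false
  no_log: true

- name: Check whether the admin account already exists (idempotence guard)
  community.docker.docker_container_exec:
    container: bookstack_db
    argv:
      - mariadb
      - --protocol=tcp
      - --host=127.0.0.1
      - "--user={{ bookstack_db_user }}"
      - --batch
      - --skip-column-names
      - "--database={{ bookstack_db_name }}"
      - >-
        --execute=SELECT COUNT(*) FROM users
        WHERE email = '{{ bookstack_admin_email | replace("'", "''") }}'
    env:
      MYSQL_PWD: "{{ bookstack_db_password }}"
  register: admin_lookup
  changed_when: false
  no_log: true

- name: Create the initial admin account only when it is absent
  community.docker.docker_container_exec:
    container: bookstack_app
    user: abc                           # LSIO unprivileged app user (assumed)
    argv:
      - php
      - /app/www/artisan                # absolute path: the image WORKDIR is not the app directory
      - bookstack:create-admin
      - "--email={{ bookstack_admin_email }}"
      - "--name={{ bookstack_admin_name }}"
      - "--password={{ bookstack_admin_password }}"
  when: admin_lookup.stdout | trim == '0'
  no_log: true
```

Two details worth keeping: the DB password goes through `MYSQL_PWD` in the exec environment rather than a `-p` argument, so it never appears in the container's process list, and the admin e-mail is escaped before being interpolated into the `WHERE` clause because it is a role variable rather than a literal. `changed_when: false` on both lookups keeps the play idempotent in reporting as well as in effect.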

Tobias-Wuest self-assigned this 2026-05-20 15:44:51 +00:00
Tobias-Wuest added 1 commit 2026-05-20 15:44:52 +00:00
Deploy BookStack with linuxserver.io images behind Traefik, including
Entra ID OIDC SSO support and a daily backup timer.

Stack:
- lscr.io/linuxserver/bookstack:version-v26.03.3
- lscr.io/linuxserver/mariadb:11.4.9
- Traefik labels for websecure entrypoint on internal network
- Healthcheck via mariadb-admin ping (LSIO image lacks healthcheck.sh)

Features:
- Persistent APP_KEY generated on first run, stored in volume dir
- Optional OIDC SSO via Microsoft Entra ID (configurable per-instance)
- Idempotent admin user creation with DB-based existence check
- Daily systemd timer backup (DB dump + uploads tar + APP_KEY)
  with configurable retention

Implementation notes:
- DB queries use --protocol=tcp with the app user because root@localhost
  uses unix_socket auth in the LSIO MariaDB image (no password) and
  root@% does not exist
- docker_container_exec uses argv: (list) instead of command: (string)
  to avoid argument-splitting issues
- Migration-wait task ensures users table exists before admin check,
  since /login returns 200 before Laravel migrations complete
- no_log: true on all tasks that reference DB or admin passwords
- artisan absolute path (/app/www/artisan) because LSIO image WORKDIR
  is not the app directory

Adds bookstack route to DMZ Traefik service registry.
requested review from Simon 2026-05-20 15:45:00 +00:00
Simon approved these changes 2026-05-26 10:30:37 +00:00
Simon added 2 commits 2026-05-26 13:14:00 +00:00
bookstack_db_root_password, bookstack_db_password and
bookstack_admin_password shipped as real strings in defaults, despite
the comment two lines above promising 'empty defaults force assert to
fail until set'. The Validate task in tasks/main.yml asserts each is
non-empty, so set them to '' and let the assert do its job.

Mirror the docstring comment to show how to generate each one with
openssl rand.

47 typed options covering the full defaults file plus the OIDC and
backup-timer subsystems. The three secrets the role asserts on
(db_root_password, db_password, admin_password) are marked
required: true so ansible refuses the play with a clear error before
the validate task even runs.

Loads cleanly through ansible-core's ArgumentSpecValidator with 100%
defaults/spec coverage. Matches the spec convention used by traefik,
authentik, drawio, garage, nextcloud, opnform, coturn, talk and send.
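The two commits above make the same point from two sides: defaults must not ship real secrets, and the play must refuse to run until the operator supplies them. The excerpt below is an added example of that pattern, not the role's own files: the option names beyond the three secrets, the `openssl rand -base64 32` recipe, the assert wording and the `bookstack_oidc_enabled` option are assumptions.

```yaml
# defaults/main.yml (excerpt) - added example, not the role's own code.
# Empty defaults force the validate assert to fail until set.
# Generate each one with: openssl rand -base64 32
bookstack_db_root_password: ''
bookstack_db_password: ''
bookstack_admin_password: ''
---
# meta/argument_specs.yml (excerpt) - the three secrets are required and no_log.
argument_specs:
  main:
    short_description: Deploy BookStack (LSIO images) behind Traefik
    options:
      bookstack_db_root_password:
        type: str
        required: true
        no_log: true
        description: MariaDB root password; generate with openssl rand -base64 32
      bookstack_db_password:
        type: str
        required: true
        no_log: true
        description: MariaDB application-user password; generate with openssl rand -base64 32
      bookstack_admin_password:
        type: str
        required: true
        no_log: true
        description: Initial BookStack admin password; generate with openssl rand -base64 32
      bookstack_oidc_enabled:          # assumed option name
        type: bool
        default: false
        description: Enable Microsoft Entra ID OIDC SSO for this instance
---
# tasks/main.yml (excerpt) - the Validate task that rejects the empty defaults.
- name: Validate that all secrets have been set
  ansible.builtin.assert:
    that:
      - bookstack_db_root_password | length > 0
      - bookstack_db_password | length > 0
      - bookstack_admin_password | length > 0
    fail_msg: >-
      bookstack_db_root_password, bookstack_db_password and
      bookstack_admin_password must be set in inventory or vault
      (generate with: openssl rand -base64 32)
    quiet: true
```

The assert compares lengths rather than echoing values, so a failure names the variable without printing its content; `no_log: true` in the spec keeps the secrets out of argument-validation output as well.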
Simon force-pushed feature/bookstack from 5e53ff3e28 to 2c2dbbc648 2026-05-26 13:31:26 +00:00
Simon merged commit 2c2dbbc648 into main 2026-05-26 13:33:21 +00:00
Simon deleted branch feature/bookstack 2026-05-26 13:33:21 +00:00
Reference: Digitalboard/digitalboard.core#5