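# SPDX-License-Identifier: MIT-0
---
# defaults file for opnform
#
# Every value here is a role default and can be overridden per inventory.
# Keys that hold credentials default to "" on purpose: the role's validate
# task (see tasks/main.yml) is expected to fail fast when a required
# secret is left empty, so an unconfigured inventory never deploys with a
# blank key.

# Base directory configuration (inherited from base role or defined here)
docker_compose_base_dir: /etc/docker/compose
docker_volume_base_dir: /srv/data

# opnform-specific configuration
opnform_service_name: opnform
opnform_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ opnform_service_name }}"
opnform_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ opnform_service_name }}"
opnform_storage_dir: "{{ opnform_docker_volume_dir }}/storage"
opnform_db_data_dir: "{{ opnform_docker_volume_dir }}/db"
opnform_redis_data_dir: "{{ opnform_docker_volume_dir }}/redis"

# Service configuration
# opnform_base_url should agree with opnform_domain (same host, https
# scheme) — both are placeholders for a local test host and must be
# overridden per inventory.
opnform_domain: "forms.local.test"
opnform_base_url: "https://forms.local.test"

# Images
# NOTE(review): these are mutable tags ("latest", major-version-only).
# They are convenient defaults but not reproducible: a re-run can pull a
# different image than the last deploy. For auditable upgrades, override
# per inventory with an explicit version tag or an "@sha256:" digest.
opnform_api_image: "jhumanj/opnform-api:latest"
opnform_client_image: "jhumanj/opnform-client:latest"
opnform_redis_image: "redis:7"
opnform_db_image: "postgres:16"
opnform_ingress_image: "nginx:1"

# REQUIRED SECRETS — must be overridden per-inventory.
# Provide via OpenBao lookup, Ansible Vault or extra-vars.
# Never commit real keys to version control.
#
# Generate with:
#   opnform_app_key: echo "base64:$(openssl rand -base64 32)"
#   opnform_jwt_secret: openssl rand -hex 32
#   opnform_front_api_secret: openssl rand -hex 32
#
# opnform_app_key MUST start with the prefix "base64:" — the validate
# task at the top of tasks/main.yml enforces this.
opnform_app_key: ""
opnform_jwt_secret: ""
opnform_front_api_secret: ""

# Database credentials. opnform_db_password must be overridden; the
# validate task fails fast on an empty value.
opnform_db_name: "opnform"
opnform_db_user: "opnform"
opnform_db_password: ""

# Admin bootstrap — when email+password are set, the role creates the
# first user via OpnForm's /api/register endpoint, skipping the
# self-hosted setup page. Leave both empty to keep the manual setup flow.
# Password must satisfy OpnForm's rules: min 8 chars, contain a letter,
# a digit and one of @$!%*#?&-_+=.,:;<>^()[]{}|~
# Provide via OpenBao, Ansible Vault or extra-vars.
opnform_admin_name: "Administrator"
opnform_admin_email: ""
opnform_admin_password: ""
opnform_admin_hear_about_us: "ansible"

# PHP configuration
# upload_max_filesize / post_max_size are kept equal to each other and to
# opnform_nginx_max_body_size below; raise all three together, otherwise
# the smallest limit is the effective one (assumes the nginx value is
# applied as the request body cap in front of PHP — confirm in the
# ingress template).
opnform_php_memory_limit: "1G"
opnform_php_max_execution_time: "600"
opnform_php_upload_max_filesize: "64M"
opnform_php_post_max_size: "64M"

# Nginx ingress
opnform_nginx_max_body_size: "64m"

# Mail configuration (optional — defaults to log driver)
# opnform_mail_password is a credential: supply it via OpenBao, Ansible
# Vault or extra-vars like the secrets above when a real mailer is used.
# opnform_mail_from_address is a deployment-specific default; override
# per inventory.
opnform_mail_mailer: "log"
opnform_mail_host: ""
opnform_mail_port: ""
opnform_mail_username: ""
opnform_mail_password: ""
opnform_mail_encryption: ""
opnform_mail_from_address: "noreply@digitalboard.ch"
opnform_mail_from_name: "OpnForm"

# OIDC configuration — when enabled, the role auto-creates an
# IdentityConnection in the first workspace via OpnForm's API after the
# admin bootstrap. Requires opnform_admin_email/_password to be set
# (the API call needs an authenticated admin token).
# opnform_oidc_issuer / _client_id / _client_name are deployment-specific
# defaults; override them per inventory. opnform_oidc_client_secret is a
# credential — required when opnform_oidc_enabled is true and, like the
# secrets above, must come from OpenBao, Ansible Vault or extra-vars.
opnform_oidc_enabled: false
opnform_oidc_issuer: "https://auth.digitalboard.ch/realms/Digitalboard"
opnform_oidc_client_id: "opnform-digitalboard"
opnform_oidc_client_secret: ""
opnform_oidc_client_name: "Digitalboard"
# OpnForm-side identifier used in /auth/{slug}/callback. Lowercase
# alphanumeric + hyphens, unique across all identity_connections.
opnform_oidc_slug: "oidc"
# Email domain that triggers OIDC login for matching users (e.g. users
# with @example.com emails are redirected to the IdP). Required when
# opnform_oidc_enabled is true.
opnform_oidc_domain: ""
opnform_oidc_scopes:
  - openid
  - profile
  - email
  - groups
# Convenience: maps a single IdP group to the OpnForm "admin" role.
# Ignored when opnform_oidc_group_role_mappings is non-empty.
opnform_oidc_admin_group: "opnform-admins"
# Full group-to-role mapping list. Takes precedence over the convenience
# var. Each item: {idp_group: "", role: "owner|admin|editor|member"}
opnform_oidc_group_role_mappings: []

# Traefik configuration
opnform_traefik_network: "proxy"
opnform_use_ssl: true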