The api service now also receives FRONT_API_SECRET so AuthenticateJWT accepts the UI's server-side JWT forwards instead of blacklisting them on UA mismatch. On the ui service the var is renamed FRONT_API_SECRET -> NUXT_API_SECRET so Nuxt's runtimeConfig.apiSecret is actually populated (NUXT_<key> convention) and injected as x-api-secret, short-circuiting the UA-fingerprint check that otherwise 401s every reload.
Ansible Collection — digitalboard.core
This collection bundles the Ansible roles used to deploy the Digitalboard platform: a set of self-hosted, Docker-Compose-based services running behind Traefik, with single sign-on provided by authentik or Keycloak.
Each role provisions one service (or building block) as a self-contained Docker Compose stack. Roles are consumed from the deployment repository reference-ansible, where inventories and playbooks tie the roles to concrete hosts.
Roles
| Role | Description |
|---|---|
| base | Host baseline: Docker, apt packages and convenience tooling on Debian/Ubuntu. |
| traefik | Traefik v3 reverse proxy as a public DMZ proxy (file provider) or backend proxy (docker provider). |
| authentik | authentik IdP (server + worker + Postgres); resources via blueprints. |
| authentik_outpost_ldap | authentik LDAP outpost exposing an LDAP interface for apps that cannot speak OIDC. |
| keycloak | Keycloak IdP with a PostgreSQL backend. |
| 389ds | 389 Directory Server LDAP directory via Docker Compose. |
| nextcloud | Nextcloud (fpm) + Postgres + Redis, optional Collabora/draw.io/notify_push. |
| opencloud | OpenCloud file platform via Docker Compose. |
| collabora | Collabora Online (CODE), used as the WOPI backend for Nextcloud. |
| bookstack | BookStack wiki (LSIO + MariaDB) with OIDC SSO and daily backups. |
| drawio | draw.io diagram editor, with optional authentik ForwardAuth gating. |
| homarr | Homarr dashboard with seeded admin user and OIDC group. |
| opnform | OpnForm self-hosted form builder (api + ui + db + redis). |
| send | Send (timvisee fork) file sharing with a Redis backend. |
| garage | Garage S3-compatible object storage with key/bucket provisioning. |
| httpbin | httpbin HTTP request/response testing service for validating Traefik ingress. |
Usage
Roles are not run from this repository directly. They are consumed from the
deployment repository
reference-ansible,
which holds the inventories, group/host variables and playbooks. See that
repository's docs/ directory for getting-started instructions, how to run
Ansible and how secrets are managed.
Per-role variables and their defaults are documented in each role's own
README.md and meta/argument_specs.yml.
Requirements
- A Debian/Ubuntu target host (the `base` role bootstraps Docker there).
- ansible-core 2.15 or newer on the controller.
- The `community.docker` collection (used by nearly every role) and `community.general` (used by the `keycloak` role). Both are declared as `dependencies` in `galaxy.yml` and pulled in automatically when this collection is installed via `ansible-galaxy`.
The role READMEs use community.hashi_vault lookups in their examples to source
secrets from HashiCorp Vault. That is a documented convention, not a hard
dependency of the roles — supply the variables however you prefer.
Role ordering
Within a play, apply the roles in dependency order: base first (Docker and the
host baseline), then traefik (the shared reverse proxy and its Docker network),
then the individual service roles (authentik, keycloak, nextcloud, …),
which attach to Traefik's network and expect Docker to be present.
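The ordering above, written out as a site playbook. This is an added example, not a playbook from this collection or from reference-ansible: the inventory group name `digitalboard` is assumed, and per-role variables (documented in each role's README.md and meta/argument_specs.yml) are deliberately left out rather than guessed. Role names are the fully qualified names of the roles listed in this README.

```yaml
# Added example: apply the digitalboard.core roles in dependency order.
# Assumption: "digitalboard" is a hypothetical inventory group holding the
# target hosts; real group/host variables live in the reference-ansible
# deployment repository, not here.
- name: Deploy the Digitalboard platform
  hosts: digitalboard
  become: true            # roles install Docker and manage host-level state
  roles:
    # 1. Host baseline: Docker, apt packages, tooling. Everything below
    #    assumes Docker is present, so this must run first.
    - role: digitalboard.core.base

    # 2. Shared reverse proxy and its Docker network. Service roles attach
    #    to this network, so Traefik must exist before they are applied.
    - role: digitalboard.core.traefik

    # 3. Identity provider(s) before the apps that use them for SSO.
    - role: digitalboard.core.authentik

    # 4. Individual service stacks; each is a self-contained Compose stack
    #    that joins Traefik's network.
    - role: digitalboard.core.collabora   # WOPI backend used by Nextcloud
    - role: digitalboard.core.nextcloud
    - role: digitalboard.core.bookstack

    # 5. Optional: ingress smoke test once Traefik is routing.
    - role: digitalboard.core.httpbin
```

Keeping the order explicit in the `roles:` list (rather than relying on role dependencies) makes the host baseline and the proxy network a visible precondition in the play, which is also where you would pin `become`, and it keeps a failed service role from running before Docker or Traefik are known-good.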
License
MIT-0. See individual roles for per-role license metadata.