Bundle of cross-role changes for the gymb services deployment:

- Traefik routers: OR-combine opnform/homarr/bookstack Host rules with new *_extra_domains (internal *.int.* FQDNs for a DMZ reverse proxy), and emit tls.certresolver only when traefik_cert_mode == acme (drawio, homarr, opnform, send).
- Split-horizon: bookstack_extra_hosts / opnform_extra_hosts add container /etc/hosts overrides so containers reach the IdP public FQDN over the LAN.
- bookstack: assert the OIDC issuer resolves concretely (reject "//v2.0"), allowing non-Entra IdPs that override bookstack_oidc_issuer.
- homarr: derive the bcrypt salt from the password digest so the admin hash is idempotent — no spurious template changes / container restarts.
- opnform: PATCH an existing OIDC connection instead of skipping (applies corrected inventory on re-run); add OIDC_FORCE_LOGIN (enabled only after bootstrap) and an optional direct-SSO ingress entrypoint.

Docs: READMEs and meta/argument_specs.yml updated for all new variables.
212 lines
6.8 KiB
YAML
---
argument_specs:
  main:
    short_description: Deploy BookStack (LSIO image + MariaDB) via Docker Compose.
    description:
      - Renders a Compose stack for the linuxserver.io BookStack image
        with a sibling MariaDB container behind Traefik, then bootstraps
        the initial admin user via C(php artisan bookstack:create-admin)
        and optionally enables OIDC SSO (Entra ID by default).
      - "Persists the Laravel C(APP_KEY) on the host so the same key is
        re-used across deploys (a fresh key would orphan all encrypted
        database values: 2FA secrets, API tokens, OIDC client_secret)."
      - Ships an optional systemd timer that backs up the database dump,
        the uploads tarball and the APP_KEY daily with configurable retention.
    options:
      docker_compose_base_dir:
        type: path
        default: /etc/docker/compose
      docker_volume_base_dir:
        type: path
        default: /srv/data
      bookstack_service_name:
        type: str
        default: bookstack
      bookstack_docker_compose_dir:
        type: path
      bookstack_docker_volume_dir:
        type: path
      bookstack_appdata_dir:
        type: path
      bookstack_db_data_dir:
        type: path
      bookstack_backup_dir:
        type: path

      bookstack_domain:
        type: str
        default: wiki.local.test
        description: Hostname used in the Traefik Host rule.
      bookstack_extra_domains:
        type: list
        elements: str
        default: []
        description:
          - Additional hostnames the Traefik router answers on, OR-combined
            with C(bookstack_domain). Useful for an internal C(*.int.*) FQDN
            so a DMZ reverse proxy can reach a backend hostname covered by the
            cert.
      bookstack_extra_hosts:
        type: list
        elements: str
        default: []
        description:
          - Container-level C(/etc/hosts) overrides (Compose C(extra_hosts)
            entries, C("host:ip")). Useful in split-horizon setups where the
            BookStack container must reach an IdP's public FQDN (used in the
            OIDC C(iss) claim) over the LAN rather than via the DMZ.
      bookstack_base_url:
        type: str
        description: Defaults to C("https://{{ bookstack_domain }}").

      bookstack_image:
        type: str
        default: "lscr.io/linuxserver/bookstack:version-v26.03.3"
      bookstack_db_image:
        type: str
        default: "lscr.io/linuxserver/mariadb:11.4.9"

      bookstack_traefik_network:
        type: str
        default: proxy
      bookstack_traefik_certresolver:
        type: str
        default: le

      bookstack_tz:
        type: str
        default: Europe/Zurich
      bookstack_puid:
        type: str
        default: "1000"
      bookstack_pgid:
        type: str
        default: "1000"

      bookstack_db_name:
        type: str
        default: bookstack
      bookstack_db_user:
        type: str
        default: bookstack
      bookstack_db_root_password:
        type: str
        required: true
        description: MariaDB C(root) password. Override per-inventory.
      bookstack_db_password:
        type: str
        required: true
        description: MariaDB C(bookstack_db_user) password. Override per-inventory.

      bookstack_admin_password:
        type: str
        required: true
        description:
          - Password for the local admin user that the role creates via
            C(bookstack:create-admin). Lives alongside any OIDC users.

      bookstack_app_key:
        type: str
        default: ''
        description:
          - When empty the role generates a persistent C(APP_KEY) on first
            run and stores it under C({{ bookstack_docker_volume_dir }}/.app_key).
            Override only when restoring an existing instance — a mismatching
            key orphans all encrypted database values.

      bookstack_admin_name:
        type: str
        default: Admin
      bookstack_admin_email:
        type: str
        default: admin@local.test
      bookstack_artisan_path:
        type: path
        default: /app/www/artisan
        description:
          - Path to BookStack's C(artisan) script inside the container. The
            LSIO image's C(WORKDIR) is not the app directory, so this must
            be absolute.

      bookstack_mail_driver:
        type: str
        choices: [smtp, log, sendmail, mailgun, ses, postmark]
        default: smtp
      bookstack_mail_host:
        type: str
        default: smtp.local.test
      bookstack_mail_port:
        type: int
        default: 587
      bookstack_mail_encryption:
        type: str
        choices: [tls, ssl, '']
        default: tls
      bookstack_mail_from:
        type: str
        default: bookstack@local.test
      bookstack_mail_from_name:
        type: str
        default: BookStack
      bookstack_mail_username:
        type: str
        default: ''
      bookstack_mail_password:
        type: str
        default: ''

      bookstack_oidc_enabled:
        type: bool
        default: false
      bookstack_oidc_name:
        type: str
        default: SSO
        description: Display name of the SSO button on the login page.
      bookstack_entra_tenant_id:
        type: str
        default: ''
        description: Entra tenant UUID. Required when C(bookstack_oidc_enabled=true).
      bookstack_oidc_issuer:
        type: str
        description:
          - OIDC issuer URL. Defaults to the Entra v2 issuer template
            built from C(bookstack_entra_tenant_id). Override for
            Keycloak or any other provider.
      bookstack_oidc_client_id:
        type: str
        default: ''
        description: Required when C(bookstack_oidc_enabled=true).
      bookstack_oidc_client_secret:
        type: str
        default: ''
        description: Required when C(bookstack_oidc_enabled=true).
      bookstack_oidc_auto_initiate:
        type: bool
        default: false
        description:
          - When true users are redirected straight to the IdP and the
            local login is reachable only via C(?email_login=1).
      bookstack_oidc_user_to_groups:
        type: bool
        default: false
        description:
          - When true BookStack syncs roles from the IdP groups claim
            on every login. Requires BookStack roles whose
            C(External Auth ID) matches the IdP group's Object ID.
      bookstack_oidc_groups_claim:
        type: str
        default: groups
      bookstack_oidc_additional_scopes:
        type: str
        default: openid profile email

      bookstack_backup_enabled:
        type: bool
        default: true
      bookstack_backup_retention_days:
        type: int
        default: 14
      bookstack_backup_schedule:
        type: str
        default: "*-*-* 03:00:00"
        description: systemd C(OnCalendar) expression for the backup timer.
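The two inventory checks this spec and the commit message describe (a concrete OIDC issuer, rejecting the empty-tenant "//v2.0" rendering, and well-formed "host:ip" entries for bookstack_extra_hosts) can be linted before the role runs. The following is an added example written for this page, not code from the role; the Entra v2 issuer template string, the function names and the sample inventory values are assumptions.

```python
"""Pre-flight lint for the bookstack role's OIDC and split-horizon variables.

Added example for this page; it is not the role's own code. It models the
two checks the commit message describes: the OIDC issuer must resolve to a
concrete URL (an empty bookstack_entra_tenant_id would otherwise render the
Entra template with an empty path segment, ".../v2.0" preceded by "//"),
and bookstack_extra_hosts entries must be well-formed Compose "host:ip" pairs.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Assumed Entra ID v2 issuer template; the spec only says the default is
# "the Entra v2 issuer template built from bookstack_entra_tenant_id".
ENTRA_V2_ISSUER = "https://login.microsoftonline.com/{tenant}/v2.0"

# RFC 1123-style hostname label: letters, digits, hyphens, no edge hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def resolve_issuer(tenant_id="", issuer_override=""):
    """Return the concrete OIDC issuer URL, or raise ValueError.

    An explicit override wins (Keycloak or any other provider); otherwise
    the Entra template is filled from the tenant id. An empty tenant yields
    the path "//v2.0", which discovery would turn into a request for a
    nonexistent metadata document, so it is rejected here rather than at
    first login.
    """
    issuer = issuer_override.strip() or ENTRA_V2_ISSUER.format(tenant=tenant_id.strip())
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"issuer must be an absolute https URL: {issuer!r}")
    if "//" in parts.path:
        raise ValueError(f"issuer path has an empty segment: {issuer!r}")
    return issuer


def parse_extra_hosts(entries):
    """Validate Compose extra_hosts entries and return {hostname: ip}.

    Hostnames never contain ':', so split on the first colon; that keeps
    IPv6 targets such as "idp.example.test:2001:db8::1" intact.
    """
    mapping = {}
    for entry in entries:
        host, sep, ip = entry.partition(":")
        if not sep:
            raise ValueError(f"expected 'host:ip', got {entry!r}")
        if not host or not all(_LABEL.match(label) for label in host.split(".")):
            raise ValueError(f"invalid hostname in {entry!r}")
        try:
            ip_address(ip)
        except ValueError:
            raise ValueError(f"invalid IP address in {entry!r}") from None
        if host in mapping:
            raise ValueError(f"duplicate extra_hosts entry for {host!r}")
        mapping[host] = ip
    return mapping


def lint_role_vars(oidc_enabled, tenant_id="", issuer_override="", extra_hosts=()):
    """Collect problems as a list of strings; an empty list means the
    inventory values are consistent with what the role expects."""
    problems = []
    try:
        parse_extra_hosts(extra_hosts)
    except ValueError as exc:
        problems.append(str(exc))
    if oidc_enabled:
        try:
            resolve_issuer(tenant_id, issuer_override)
        except ValueError as exc:
            problems.append(str(exc))
    return problems


if __name__ == "__main__":
    # Constructed inventory values (not from the page): a self-hosted IdP
    # whose public FQDN is pinned to a LAN address via extra_hosts.
    print(lint_role_vars(
        True,
        issuer_override="https://idp.example.test/realms/wiki",
        extra_hosts=["idp.example.test:10.0.0.5"],
    ))
    # And the failure the role now catches: OIDC on, tenant id left empty.
    print(lint_role_vars(True, tenant_id=""))
```

Run it as a script to see both the clean case (empty list) and the empty-tenant rejection; in a playbook the same logic belongs in an `assert` task before the Compose template is rendered, so a bad inventory fails fast instead of producing a container that only breaks at the first SSO login.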