Digitalboard/digitalboard.core
6
2
Fork 0
Code Pull requests 1 Releases Packages Activity Actions
digitalboard.core/roles/send
History
Simon Bärlocher 19864d79b2
feat(services): multi-domain routing, split-horizon and OIDC hardening 
Bundle of cross-role changes for the gymb services deployment:

- Traefik routers: OR-combine opnform/homarr/bookstack Host rules with new
  *_extra_domains (internal *.int.* FQDNs for a DMZ reverseproxy), and emit
  tls.certresolver only when traefik_cert_mode == acme (drawio, homarr,
  opnform, send).
- Split-horizon: bookstack_extra_hosts / opnform_extra_hosts add container
  /etc/hosts overrides so containers reach the IdP public FQDN over the LAN.
- bookstack: assert the OIDC issuer resolves concretely (reject "//v2.0"),
  allowing non-Entra IdPs that override bookstack_oidc_issuer.
- homarr: derive the bcrypt salt from the password digest so the admin hash
  is idempotent — no spurious template changes / container restarts.
- opnform: PATCH an existing OIDC connection instead of skipping (applies
  corrected inventory on re-run); add OIDC_FORCE_LOGIN (enabled only after
  bootstrap) and an optional direct-SSO ingress entrypoint.

Docs: READMEs and meta/argument_specs.yml updated for all new variables.
2026-05-27 23:12:24 +02:00
..
defaults feat(send): add role for self-hosted Send file-share service 2026-05-26 15:38:34 +02:00
handlers feat(send): add role for self-hosted Send file-share service 2026-05-26 15:38:34 +02:00
meta docs(send): add meta/argument_specs.yml 2026-05-26 15:38:35 +02:00
tasks fix(send): assert S3 credentials when storage backend is s3 2026-05-26 15:40:21 +02:00
templates feat(services): multi-domain routing, split-horizon and OIDC hardening 2026-05-27 23:12:24 +02:00
vars feat(send): add role for self-hosted Send file-share service 2026-05-26 15:38:34 +02:00
README.md feat(send): add role for self-hosted Send file-share service 2026-05-26 15:38:34 +02:00

README.md

Send

Deploys a self-hosted Send instance (timvisee fork of the discontinued Mozilla Send) with a Redis backend behind Traefik, using Docker Compose.

Requirements

  • Docker + docker compose plugin on the target host
  • Traefik (role digitalboard.core.traefik) reachable via an external Docker network named proxy (default)
  • DNS for each entry in send_domains pointing at the reverse proxy
  • Optional: a Garage S3 bucket if send_storage_backend: s3

Role Variables

Important defaults (see defaults/main.yml for the full list):

Variable Default Description
send_domains ["send.local.test"] FQDNs the router accepts; first entry is the canonical BASE_URL
send_image registry.gitlab.com/timvisee/send:latest Send container image
send_max_file_size 1073741824 Max upload size in bytes (1 GiB)
send_max_expire_seconds 604800 Max share lifetime (7 d)
send_storage_backend local local (volume) or s3
send_s3_* "" S3 endpoint/bucket/key/secret (when backend is s3)
send_use_ssl true Issue Traefik labels for the websecure entrypoint

Dependencies

None.

Example Playbook

- hosts: send_servers
  become: true
  roles:
    - digitalboard.core.send

With S3 (Garage) backend:

send_storage_backend: s3
send_s3_endpoint: "http://{{ hostvars['backend']['garage_s3_domain'] }}"
send_s3_bucket: "send"
send_s3_access_key: "{{ lookup('digitalboard.core.garage_credentials', 'send', host='backend')['key_id'] }}"
send_s3_secret_key: "{{ lookup('digitalboard.core.garage_credentials', 'send', host='backend')['secret_key'] }}"

License

MIT