Digitalboard/digitalboard.core
6
2
Fork 0
Code Pull requests 1 Releases Packages Activity Actions
digitalboard.core/roles/bookstack/defaults/main.yml
Simon Bärlocher 1dbeece5f0
fix(bookstack): drop hardcoded secrets from defaults 
bookstack_db_root_password, bookstack_db_password and
bookstack_admin_password shipped as real strings in defaults, despite
the comment two lines above promising 'empty defaults force assert to
fail until set'. The Validate task in tasks/main.yml asserts each is
non-empty, so set them to '' and let the assert do its job.

Mirror the docstring comment to show how to generate each one with
openssl rand.
2026-05-26 15:13:21 +02:00

85 lines
2.9 KiB
YAML
Raw Blame History

#SPDX-License-Identifier: MIT-0
---
# defaults file for bookstack
# Base directory configuration (inherited from base role or defined here)
docker_compose_base_dir: /etc/docker/compose
docker_volume_base_dir: /srv/data
# bookstack-specific configuration
bookstack_service_name: bookstack
bookstack_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ bookstack_service_name }}"
bookstack_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ bookstack_service_name }}"
bookstack_appdata_dir: "{{ bookstack_docker_volume_dir }}/appdata"
bookstack_db_data_dir: "{{ bookstack_docker_volume_dir }}/db"
bookstack_backup_dir: "{{ bookstack_docker_volume_dir }}/backup"
# Service configuration
bookstack_domain: "wiki.local.test"
bookstack_base_url: "https://{{ bookstack_domain }}"
# Images — pin via inventory in production
bookstack_image: "lscr.io/linuxserver/bookstack:version-v26.03.3"
bookstack_db_image: "lscr.io/linuxserver/mariadb:11.4.9"
# Traefik configuration
bookstack_traefik_network: "proxy"
bookstack_traefik_certresolver: "le"
# Timezone / UID
bookstack_tz: "Europe/Zurich"
bookstack_puid: "1000"
bookstack_pgid: "1000"
# Database configuration
bookstack_db_name: "bookstack"
bookstack_db_user: "bookstack"
# REQUIRED SECRETS — empty defaults force `assert` to fail until set.
# Provide via OpenBao lookup, Ansible Vault, or extra-vars.
# Never commit real secrets to version control.
#
# Generate with:
# bookstack_db_root_password: openssl rand -base64 32 | tr -d '/+='
# bookstack_db_password: openssl rand -base64 32 | tr -d '/+='
# bookstack_admin_password: openssl rand -base64 24 | tr -d '/+='
bookstack_db_root_password: ""
bookstack_db_password: ""
bookstack_admin_password: ""
bookstack_oidc_client_secret: ""
# APP_KEY is generated automatically on first run and persisted on the host.
# Set explicitly only if restoring an existing instance.
bookstack_app_key: ""
# Initial local admin (fallback account, lives alongside OIDC)
bookstack_admin_name: "Admin"
bookstack_admin_email: "admin@local.test"
bookstack_artisan_path: "/app/www/artisan"
# Mail configuration
bookstack_mail_driver: "smtp"
bookstack_mail_host: "smtp.local.test"
bookstack_mail_port: 587
bookstack_mail_encryption: "tls"
bookstack_mail_from: "bookstack@local.test"
bookstack_mail_from_name: "BookStack"
bookstack_mail_username: ""
bookstack_mail_password: ""
# OIDC configuration (Entra ID by default; override `bookstack_oidc_issuer`
# for Keycloak or any other provider)
bookstack_oidc_enabled: false
bookstack_oidc_name: "SSO"
bookstack_entra_tenant_id: ""
bookstack_oidc_issuer: "https://login.microsoftonline.com/{{ bookstack_entra_tenant_id }}/v2.0"
bookstack_oidc_client_id: ""
bookstack_oidc_auto_initiate: false
bookstack_oidc_user_to_groups: false
bookstack_oidc_groups_claim: "groups"
bookstack_oidc_additional_scopes: "openid profile email"
# Backup configuration
bookstack_backup_enabled: true
bookstack_backup_retention_days: 14
bookstack_backup_schedule: "*-*-* 03:00:00"
View git blame Copy permalink