digitalboard.core/roles/bookstack/defaults/main.yml

#SPDX-License-Identifier: MIT-0
---
# defaults file for bookstack

# Base directory configuration (inherited from base role or defined here)
docker_compose_base_dir: /etc/docker/compose
docker_volume_base_dir: /srv/data

# bookstack-specific configuration
bookstack_service_name: bookstack
bookstack_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ bookstack_service_name }}"
bookstack_docker_volume_dir: "{{ docker_volume_base_dir }}/{{ bookstack_service_name }}"
bookstack_appdata_dir: "{{ bookstack_docker_volume_dir }}/appdata"
bookstack_db_data_dir: "{{ bookstack_docker_volume_dir }}/db"
bookstack_backup_dir: "{{ bookstack_docker_volume_dir }}/backup"

# Service configuration
bookstack_domain: "wiki.local.test"
# Additional hostnames the bookstack router answers on (e.g. an internal
# *.int.* FQDN so a DMZ reverseproxy can hit a backend hostname covered
# by the cert).
bookstack_extra_domains: []
# Container-level /etc/hosts overrides — useful in split-horizon setups
# where the BookStack container needs to reach an IdP's public FQDN
# (used in the OIDC `iss` claim) over the LAN rather than via the DMZ.
bookstack_extra_hosts: []
bookstack_base_url: "https://{{ bookstack_domain }}"

# Images — pin via inventory in production
bookstack_image: "lscr.io/linuxserver/bookstack:version-v26.03.3"
bookstack_db_image: "lscr.io/linuxserver/mariadb:11.4.9"

# Traefik configuration
bookstack_traefik_network: "proxy"
bookstack_traefik_certresolver: "le"

# Timezone / UID
bookstack_tz: "Europe/Zurich"
bookstack_puid: "1000"
bookstack_pgid: "1000"

# Database configuration
bookstack_db_name: "bookstack"
bookstack_db_user: "bookstack"

# REQUIRED SECRETS — empty defaults force `assert` to fail until set.
# Provide via OpenBao lookup, Ansible Vault, or extra-vars.
# Never commit real secrets to version control.
#
# Generate with:
#   bookstack_db_root_password:  openssl rand -base64 32 | tr -d '/+='
#   bookstack_db_password:       openssl rand -base64 32 | tr -d '/+='
#   bookstack_admin_password:    openssl rand -base64 24 | tr -d '/+='
bookstack_db_root_password: ""
bookstack_db_password: ""
bookstack_admin_password: ""
bookstack_oidc_client_secret: ""

# APP_KEY is generated automatically on first run and persisted on the host.
# Set explicitly only if restoring an existing instance.
bookstack_app_key: ""

# Initial local admin (fallback account, lives alongside OIDC)
bookstack_admin_name: "Admin"
bookstack_admin_email: "admin@local.test"
bookstack_artisan_path: "/app/www/artisan"

# Mail configuration
bookstack_mail_driver: "smtp"
bookstack_mail_host: "smtp.local.test"
bookstack_mail_port: 587
bookstack_mail_encryption: "tls"
bookstack_mail_from: "bookstack@local.test"
bookstack_mail_from_name: "BookStack"
bookstack_mail_username: ""
bookstack_mail_password: ""

# OIDC configuration (Entra ID by default; override `bookstack_oidc_issuer`
# for Keycloak or any other provider)
bookstack_oidc_enabled: false
bookstack_oidc_name: "SSO"
bookstack_entra_tenant_id: ""
bookstack_oidc_issuer: "https://login.microsoftonline.com/{{ bookstack_entra_tenant_id }}/v2.0"
bookstack_oidc_client_id: ""
bookstack_oidc_auto_initiate: false
bookstack_oidc_user_to_groups: false
bookstack_oidc_groups_claim: "groups"
bookstack_oidc_additional_scopes: "openid profile email"

# Backup configuration
bookstack_backup_enabled: true
bookstack_backup_retention_days: 14
bookstack_backup_schedule: "*-*-* 03:00:00"