Digitalboard/digitalboard.core
6
2
Fork 0
Code Pull requests 1 Releases Packages Activity Actions
digitalboard.core/roles/drawio
History
Simon Bärlocher 518d80ec71
feat(services): multi-domain routing, split-horizon and OIDC hardening 
Bundle of cross-role changes for the gymb services deployment:

- Traefik routers: OR-combine opnform/homarr/bookstack Host rules with new
  *_extra_domains (internal *.int.* FQDNs for a DMZ reverseproxy), and emit
  tls.certresolver only when traefik_cert_mode == acme (drawio, homarr,
  opnform, send).
- Split-horizon: bookstack_extra_hosts / opnform_extra_hosts add container
  /etc/hosts overrides so containers reach the IdP public FQDN over the LAN.
- bookstack: assert the OIDC issuer resolves concretely (reject "//v2.0"),
  allowing non-Entra IdPs that override bookstack_oidc_issuer.
- homarr: derive the bcrypt salt from the password digest so the admin hash
  is idempotent — no spurious template changes / container restarts.
- opnform: PATCH an existing OIDC connection instead of skipping (applies
  corrected inventory on re-run); add OIDC_FORCE_LOGIN (enabled only after
  bootstrap) and an optional direct-SSO ingress entrypoint.

Docs: READMEs and meta/argument_specs.yml updated for all new variables.
2026-05-27 16:18:29 +02:00
..
defaults feat(drawio): support extra hostnames via drawio_extra_domains 2026-05-26 14:16:23 +02:00
handlers feat: drop blanket recreates, ACME-DNS knobs, notify_push override 2026-05-20 22:44:41 +02:00
meta docs(roles): add argument_specs and README for traefik, authentik, drawio, garage, nextcloud 2026-05-26 14:16:47 +02:00
tasks feat: add drawio instance for nextcloud and opencloud 2026-03-13 14:37:02 +01:00
templates feat(services): multi-domain routing, split-horizon and OIDC hardening 2026-05-27 16:18:29 +02:00
tests feat: add empty role skeleton for drawio role 2026-03-13 13:44:53 +01:00
vars feat: add empty role skeleton for drawio role 2026-03-13 13:44:53 +01:00
README.md docs(roles): add argument_specs and README for traefik, authentik, drawio, garage, nextcloud 2026-05-26 14:16:47 +02:00

README.md

Drawio

Ansible role to deploy draw.io (the self-hosted jgraph/drawio container) via Docker Compose behind Traefik, with optional authentik ForwardAuth gating.

Requirements

  • Docker and Docker Compose installed on the target host
  • Ansible collection: community.docker
  • Traefik with a shared drawio_traefik_network (default proxy)
  • For ForwardAuth: a reachable authentik embedded outpost endpoint

Role variables

Full spec with types and defaults: meta/argument_specs.yml. The most common overrides:

Service

  • drawio_domain: canonical hostname used in the traefik Host rule (default drawio.local.test).
  • drawio_extra_domains: additional hostnames the same container should answer on (e.g. an internal *.int.* FQDN so a DMZ proxy can reach drawio via a backend hostname).
  • drawio_image, drawio_port, drawio_use_ssl.

Authentik ForwardAuth

  • drawio_authentik_forward_auth: set to true to gate the editor behind authentik.
  • drawio_authentik_forward_auth_url: full URL of the embedded outpost ForwardAuth endpoint, e.g. https://auth.example.com/outpost.goauthentik.io/auth/traefik.

When enabled, traefik redirects unauthenticated requests to authentik for login and forwards the resulting X-Authentik-* identity headers downstream.

Dependencies

  • Traefik network (drawio_traefik_network, default proxy)
  • Optional: authentik with a Proxy/ForwardAuth provider for drawio (see the authentik role's authentik_proxy_apps).

Example playbook

- hosts: app_servers
  roles:
    - role: digitalboard.core.drawio
      vars:
        drawio_domain: "drawio.example.com"
        drawio_authentik_forward_auth: true
        drawio_authentik_forward_auth_url: "https://auth.example.com/outpost.goauthentik.io/auth/traefik"

License

MIT-0