Digitalboard/digitalboard.core
6
2
Fork 0
Code Pull requests 1 Releases Packages Activity Actions
digitalboard.core/roles/drawio/README.md
Simon Bärlocher 14c81657d7
docs(roles): add argument_specs and README for traefik, authentik, drawio, garage, nextcloud 
Each of the five roles touched in this branch now ships:

* meta/argument_specs.yml: typed schema for every variable in
  defaults/main.yml plus the optional inputs surfaced via this
  branch (traefik_extra_hosts, authentik_host_rewrite_domains,
  authentik_proxy_apps.mode / .allowed_groups, drawio_extra_domains,
  drawio_authentik_forward_auth*, garage_webui_authentik_forward_auth*).
  All five specs load cleanly through ansible-core's
  ArgumentSpecValidator.

* README.md: replaces the ansible-galaxy boilerplate (where it was
  still in place) with a focused write-up — service vars, required
  secrets, ForwardAuth/idempotency notes, dependencies, and a working
  example playbook. authentik and garage READMEs are rewritten to cover
  the new knobs while preserving their existing content.
2026-05-26 14:16:47 +02:00

1.8 KiB
Raw Blame History

Drawio

Ansible role to deploy draw.io (the self-hosted jgraph/drawio container) via Docker Compose behind Traefik, with optional authentik ForwardAuth gating.

Requirements

  • Docker and Docker Compose installed on the target host
  • Ansible collection: community.docker
  • Traefik with a shared drawio_traefik_network (default proxy)
  • For ForwardAuth: a reachable authentik embedded outpost endpoint

Role variables

Full spec with types and defaults: meta/argument_specs.yml. The most common overrides:

Service

  • drawio_domain: canonical hostname used in the traefik Host rule (default drawio.local.test).
  • drawio_extra_domains: additional hostnames the same container should answer on (e.g. an internal *.int.* FQDN so a DMZ proxy can reach drawio via a backend hostname).
  • drawio_image, drawio_port, drawio_use_ssl.

Authentik ForwardAuth

  • drawio_authentik_forward_auth: set to true to gate the editor behind authentik.
  • drawio_authentik_forward_auth_url: full URL of the embedded outpost ForwardAuth endpoint, e.g. https://auth.example.com/outpost.goauthentik.io/auth/traefik.

When enabled, traefik redirects unauthenticated requests to authentik for login and forwards the resulting X-Authentik-* identity headers downstream.

Dependencies

  • Traefik network (drawio_traefik_network, default proxy)
  • Optional: authentik with a Proxy/ForwardAuth provider for drawio (see the authentik role's authentik_proxy_apps).

Example playbook

- hosts: app_servers
  roles:
    - role: digitalboard.core.drawio
      vars:
        drawio_domain: "drawio.example.com"
        drawio_authentik_forward_auth: true
        drawio_authentik_forward_auth_url: "https://auth.example.com/outpost.goauthentik.io/auth/traefik"

License

MIT-0