digitalboard.core/roles/drawio

Last commit 3236ca332f (Simon Bärlocher):

docs(collection): document all roles and fix metadata drift
Replace ansible-galaxy init placeholders across the collection and
correct documentation that drifted from the code, after a multi-agent
review of every role README against its defaults, tasks and templates.

Collection level:
- README: role table for all 16 roles, requirements and role-ordering
- galaxy.yml: declare community.docker and community.general deps,
  real description/tags/urls; normalize license to MIT-0
- meta/runtime.yml: requires_ansible '>=2.15.0'
- plugins/README: document the homarr_layout filter and
  garage_credentials lookup instead of scaffold boilerplate

Per-role meta/main.yml and README for the placeholder roles
(389ds, authentik, authentik_outpost_ldap, base, collabora, drawio,
garage, homarr, httpbin, keycloak, nextcloud, opencloud, traefik).

Correctness fixes found during review:
- keycloak: wrong domain default, drop invented keycloak_cert_resolver,
  document the provisioning feature
- garage: root_domain is .s3.<first-entry>, not the bare domain
- opnform: jwt/front_api secrets use `openssl rand -hex 32`; align the
  validation fail_msg in tasks/main.yml accordingly
- send: S3 example references garage_s3_domains[0] (was singular)
- opencloud: document required opencloud_wopi_domain

License normalized to MIT-0 across galaxy.yml, role meta and READMEs to
match the SPDX headers.
Committed 2026-05-27 23:12:24 +02:00
Directory contents (last commit touching each entry):

  Entry       Last commit                                                                                      Date
  defaults    feat(drawio): support extra hostnames via drawio_extra_domains                                   2026-05-27 23:12:24 +02:00
  handlers    feat: drop blanket recreates, ACME-DNS knobs, notify_push override                               2026-05-27 23:12:23 +02:00
  meta        docs(collection): document all roles and fix metadata drift                                     2026-05-27 23:12:24 +02:00
  tasks       feat: add drawio instance for nextcloud and opencloud                                            2026-03-13 14:37:02 +01:00
  templates   feat(services): multi-domain routing, split-horizon and OIDC hardening                           2026-05-27 23:12:24 +02:00
  tests       feat: add empty role skeleton for drawio role                                                    2026-03-13 13:44:53 +01:00
  vars        feat: add empty role skeleton for drawio role                                                    2026-03-13 13:44:53 +01:00
  README.md   docs(roles): add argument_specs and README for traefik, authentik, drawio, garage, nextcloud     2026-05-27 23:12:24 +02:00

Drawio

Ansible role to deploy draw.io (the self-hosted jgraph/drawio container) via Docker Compose behind Traefik, with optional authentik ForwardAuth gating.

Requirements

  • Docker and Docker Compose installed on the target host
  • Ansible collection: community.docker
  • Traefik attached to a Docker network that the drawio container also joins, named by drawio_traefik_network (default proxy)
  • For ForwardAuth: an authentik embedded outpost endpoint that Traefik itself can reach (the middleware calls it on every request)

Role variables

Full spec with types and defaults: meta/argument_specs.yml. The most common overrides:

Service

  • drawio_domain: canonical hostname used in the Traefik Host rule (default drawio.local.test).
  • drawio_extra_domains: additional hostnames the same container answers on, added to the same Host rule (e.g. an internal *.int.* FQDN so a DMZ proxy can reach drawio via a backend hostname).
  • drawio_image, drawio_port, drawio_use_ssl: image, container port and TLS toggle; see meta/argument_specs.yml for types and defaults.

Authentik ForwardAuth

  • drawio_authentik_forward_auth: set to true to gate the editor behind authentik.
  • drawio_authentik_forward_auth_url: full URL of the embedded outpost ForwardAuth endpoint, e.g. https://auth.example.com/outpost.goauthentik.io/auth/traefik.

When enabled, Traefik sends every request to the outpost first, redirects unauthenticated requests to authentik for login, and on success forwards the resulting X-Authentik-* identity headers to the container. Because the container trusts those headers, it must only be reachable through Traefik: do not publish its port on the host or attach it to a network that bypasses the proxy, and make sure every hostname in drawio_extra_domains goes through the same middleware.
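The Compose/Traefik labels that the two variable groups above translate into, as an added example and not the role's own templates/ output. Hostnames drawio.example.com and drawio.int.example.com, the network name proxy, the middleware name drawio-authentik, the cert resolver letsencrypt and the Traefik service name authentik@docker are assumptions for illustration; the label keys themselves are standard Traefik v2/v3 docker-provider keys.

```yaml
# Added example: what the role's Host rule and ForwardAuth gate look like as
# Traefik labels on the drawio service. Not the role's template; values assumed.
services:
  drawio:
    image: jgraph/drawio:latest
    restart: unless-stopped
    networks: [proxy]
    # Deliberately no "ports:" block. The editor must only be reachable through
    # Traefik; a published port would let a client skip the ForwardAuth middleware
    # and forge X-authentik-* headers directly to the container.
    labels:
      traefik.enable: "true"
      traefik.docker.network: proxy
      # One router for the canonical host plus every entry of drawio_extra_domains.
      # "||" works in both Traefik v2 and v3 (v3 dropped multi-argument Host()).
      traefik.http.routers.drawio.rule: "Host(`drawio.example.com`) || Host(`drawio.int.example.com`)"
      traefik.http.routers.drawio.entrypoints: websecure
      traefik.http.routers.drawio.tls.certresolver: letsencrypt
      traefik.http.services.drawio.loadbalancer.server.port: "8080"
      # ForwardAuth: Traefik calls the outpost before each request is proxied.
      # drawio_authentik_forward_auth_url ends up in .address.
      traefik.http.middlewares.drawio-authentik.forwardauth.address: "https://auth.example.com/outpost.goauthentik.io/auth/traefik"
      traefik.http.middlewares.drawio-authentik.forwardauth.trustForwardHeader: "true"
      # Allow-list of identity headers copied from the outpost's 200 response to
      # the container. Anything not listed is dropped, so keep it minimal.
      traefik.http.middlewares.drawio-authentik.forwardauth.authResponseHeaders: >-
        X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
      traefik.http.routers.drawio.middlewares: drawio-authentik
      # In single-application (proxy provider) mode the embedded outpost redirects
      # unauthenticated users to https://<app host>/outpost.goauthentik.io/start,
      # so that path prefix on the app's hostnames must reach authentik, not drawio.
      # Assumes a Traefik service "authentik" (the authentik server) is registered.
      # The longer rule gets a higher default priority than the plain Host rule.
      traefik.http.routers.drawio-outpost.rule: "(Host(`drawio.example.com`) || Host(`drawio.int.example.com`)) && PathPrefix(`/outpost.goauthentik.io/`)"
      traefik.http.routers.drawio-outpost.entrypoints: websecure
      traefik.http.routers.drawio-outpost.tls.certresolver: letsencrypt
      traefik.http.routers.drawio-outpost.service: authentik@docker

networks:
  proxy:
    external: true
```

If the authentik provider for drawio runs in domain-level mode instead, the outpost redirects to the authentik hostname and the drawio-outpost router is unnecessary; in that case only the middleware and the main router remain.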

Dependencies

  • Traefik network (drawio_traefik_network, default proxy)
  • Optional: authentik with a Proxy/ForwardAuth provider for drawio (see the authentik role's authentik_proxy_apps).

Example playbook

- hosts: app_servers
  roles:
    - role: digitalboard.core.drawio
      vars:
        drawio_domain: "drawio.example.com"
        drawio_authentik_forward_auth: true
        drawio_authentik_forward_auth_url: "https://auth.example.com/outpost.goauthentik.io/auth/traefik"
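A post-deploy check that the gate actually applies, written as a separate play and added here as an example (it is not part of the role or its tests/ directory). It assumes the hostnames drawio.example.com and drawio.int.example.com, authentik at auth.example.com and a container named drawio; the spoofed-header task is the one to keep, since a reachable published port is exactly what would make it fail.

```yaml
# Added example: verify the ForwardAuth gate after running the drawio role.
# Hostnames, the authentik host and the container name are assumptions.
- name: Verify drawio is gated by authentik
  hosts: app_servers
  gather_facts: false
  vars:
    drawio_check_hosts:
      - drawio.example.com        # drawio_domain
      - drawio.int.example.com    # each entry of drawio_extra_domains
  tasks:
    - name: Anonymous requests must be redirected, never served
      ansible.builtin.uri:
        url: "https://{{ item }}/"
        follow_redirects: none
        status_code: [302, 303]   # a 200 here means the middleware is not attached
      register: drawio_anon
      loop: "{{ drawio_check_hosts }}"

    - name: The redirect must land in the authentik login flow
      ansible.builtin.assert:
        that:
          - item.location is defined
          - "'/outpost.goauthentik.io/' in item.location or 'auth.example.com' in item.location"
        fail_msg: "{{ item.item }} redirected to {{ item.location | default('nowhere') }} instead of authentik"
      loop: "{{ drawio_anon.results }}"
      loop_control:
        label: "{{ item.item }}"

    - name: Forged identity headers from the outside must still hit the gate
      ansible.builtin.uri:
        url: "https://{{ drawio_check_hosts[0] }}/"
        headers:
          X-authentik-username: admin
          X-authentik-groups: admins
        follow_redirects: none
        status_code: [302, 303]   # ForwardAuth runs before headers reach the container

    - name: The container must not expose a host port that bypasses Traefik
      community.docker.docker_container_info:
        name: drawio
      register: drawio_info

    - name: Fail if any port is published on the host
      ansible.builtin.assert:
        that:
          - drawio_info.exists
          - (drawio_info.container.HostConfig.PortBindings | default({}, true)) | length == 0
        fail_msg: "drawio publishes host ports; clients can skip the authentik middleware"
```

Run it with the same inventory as the deploy play. The first two tasks only prove that Traefik redirects; the forged-header and port checks are what rule out the bypass that makes ForwardAuth setups fail silently.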

License

MIT-0