Bundle of cross-role changes for the gymb services deployment: - Traefik routers: OR-combine opnform/homarr/bookstack Host rules with new *_extra_domains (internal *.int.* FQDNs for a DMZ reverseproxy), and emit tls.certresolver only when traefik_cert_mode == acme (drawio, homarr, opnform, send). - Split-horizon: bookstack_extra_hosts / opnform_extra_hosts add container /etc/hosts overrides so containers reach the IdP public FQDN over the LAN. - bookstack: assert the OIDC issuer resolves concretely (reject "//v2.0"), allowing non-Entra IdPs that override bookstack_oidc_issuer. - homarr: derive the bcrypt salt from the password digest so the admin hash is idempotent — no spurious template changes / container restarts. - opnform: PATCH an existing OIDC connection instead of skipping (applies corrected inventory on re-run); add OIDC_FORCE_LOGIN (enabled only after bootstrap) and an optional direct-SSO ingress entrypoint. Docs: READMEs and meta/argument_specs.yml updated for all new variables.
services:
|
|
drawio:
|
|
image: {{ drawio_image }}
|
|
container_name: {{ drawio_service_name }}
|
|
restart: unless-stopped
|
|
networks:
|
|
- {{ drawio_traefik_network }}
|
|
{% if drawio_extra_hosts is defined and drawio_extra_hosts | length > 0 %}
|
|
extra_hosts:
|
|
{% for host in drawio_extra_hosts %}
|
|
- "{{ host }}"
|
|
{% endfor %}
|
|
{% endif %}
|
|
labels:
|
|
- traefik.enable=true
|
|
- traefik.docker.network={{ drawio_traefik_network }}
|
|
- traefik.http.routers.{{ drawio_service_name }}.rule={% set _all_domains = [drawio_domain] + (drawio_extra_domains | default([])) %}{% for d in _all_domains %}Host(`{{ d }}`){% if not loop.last %} || {% endif %}{% endfor +%}
|
|
- traefik.http.services.{{ drawio_service_name }}.loadbalancer.server.port={{ drawio_port }}
|
|
{% if drawio_use_ssl %}
|
|
- traefik.http.routers.{{ drawio_service_name }}.entrypoints=websecure
|
|
- traefik.http.routers.{{ drawio_service_name }}.tls=true
|
|
{% if traefik_cert_mode | default('selfsigned') == 'acme' %}
|
|
- traefik.http.routers.{{ drawio_service_name }}.tls.certresolver={{ traefik_ssl_cert_resolver | default('dns') }}
|
|
{% endif %}
|
|
{% else %}
|
|
- traefik.http.routers.{{ drawio_service_name }}.entrypoints=web
|
|
{% endif %}
|
|
{% if drawio_authentik_forward_auth | default(false) %}
|
|
# ForwardAuth via the authentik embedded outpost. Unauthenticated
|
|
# requests get redirected to authentik to log in; authentik then
|
|
# sets X-Authentik-* headers traefik forwards downstream.
|
|
- traefik.http.middlewares.{{ drawio_service_name }}-authentik.forwardauth.address={{ drawio_authentik_forward_auth_url }}
|
|
- traefik.http.middlewares.{{ drawio_service_name }}-authentik.forwardauth.trustForwardHeader=true
|
|
- traefik.http.middlewares.{{ drawio_service_name }}-authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
|
|
- traefik.http.routers.{{ drawio_service_name }}.middlewares={{ drawio_service_name }}-authentik
|
|
{% endif %}
|
|
|
|
networks:
|
|
{{ drawio_traefik_network }}:
|
|
external: true |
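Review bot: In acme mode the certresolver emitted on line 76 applies to every name in the router rule built on line 58, so each entry of `drawio_extra_domains` (per the description, internal `*.int.*` FQDNs for a DMZ proxy) becomes a SAN in the ACME order; if those names are not in the resolver's DNS zone the order fails for the whole router, and if they are, the internal hostnames land in public CT logs. Either keep the internal FQDNs on a second router that carries no `tls.certresolver`, or pin what is requested with `traefik.http.routers.{{ drawio_service_name }}.tls.domains[0].main={{ drawio_domain }}` so the rule's extra hosts are not added to the order. Separately, the values of `drawio_extra_domains` are interpolated unquoted between the rule's backticks, so a comment above line 58 such as `# domains are inserted verbatim into the Traefik rule; validate them in the role (hostname characters only) — a backtick or "||" would change the match` would help the next maintainer. I cannot tell from the rendered page which of these lines are new in this commit.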