c27584cd9c
Add `*_authentik_forward_auth` + `*_authentik_forward_auth_url` knobs to both roles. When enabled: * drawio: traefik attaches a ForwardAuth middleware pointing at the authentik embedded outpost; unauthenticated requests get redirected to log in and downstream sees X-Authentik-* identity headers. * garage WebUI: same ForwardAuth wiring, and `AUTH_USER_PASS` is dropped from the container env so authentik is the only gate. Tasks now key the htpasswd hash workflow off `_garage_webui_htpasswd_active` (`webui_enabled AND NOT authentik_forward_auth`); when authentik fronts the UI we skip hashing entirely. htpasswd hash is also now cached on disk and re-verified via `htpasswd -vbB` so unchanged passwords stop showing as `changed=true` on every run. Both knobs default to `false`, preserving existing htpasswd/plain behaviour.
27 lines
No EOL
901 B
YAML
27 lines
No EOL
901 B
YAML
#SPDX-License-Identifier: MIT-0
|
|
---
|
|
# defaults file for drawio
|
|
|
|
# Base directory configuration (inherited from base role or defined here)
|
|
docker_compose_base_dir: /etc/docker/compose
|
|
|
|
# Drawio-specific configuration
|
|
drawio_service_name: drawio
|
|
drawio_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ drawio_service_name }}"
|
|
|
|
# Service configuration
|
|
drawio_domain: "drawio.local.test"
|
|
drawio_image: "jgraph/drawio:latest"
|
|
drawio_port: 8080
|
|
drawio_extra_hosts: []
|
|
|
|
# Traefik configuration
|
|
drawio_traefik_network: "proxy"
|
|
drawio_use_ssl: true
|
|
|
|
# Optional Authentik ForwardAuth (set to true and provide the URL to gate
|
|
# drawio behind an authentik proxy provider). Expects the authentik
|
|
# embedded outpost to expose the /outpost.goauthentik.io/auth/traefik
|
|
# endpoint on the configured URL (typically the public auth.* FQDN).
|
|
drawio_authentik_forward_auth: false
|
|
drawio_authentik_forward_auth_url: "" |