docs(reference-ansible): add docs/ tree and document repo, playbooks, Makefile

Addresses the WKS PoC review (Notion 2026-05-26). All docs in English. - README: purpose, docs table of contents, annotated repo tree - docs/getting_started.md: prerequisites (WKS account, OIDC, SSH, VPN) + first deploy - docs/ansible.md: playbook table, "Running Ansible", service parameters, cheatsheet - docs/secrets.md: canonical Bao login (moved out of README) + demo defaults - docs/operations.md: full Makefile reference - docs/inventories.md: repo layout, topology, standard folder structure, walkthrough - docs/testing.md: static checks, inventory resolution, smoke test / dry run - remove ARCHITECTURE.md (architecture docs live externally) Also includes the gymburgdorf inventory build-out (bookstack, homarr, opnform, send) and scripts/bao-seed.sh. site.yml keeps a third traefik play (traefik_servers minus the vagrant _dmz/_backend split) so the demo inventories still configure their reverse proxy after the rebase onto main.
2026-05-27 18:08:52 +02:00 · 2026-05-27 18:08:52 +02:00 · 49fe811011
commit 49fe811011
parent c67e9aac43
25 changed files with 1548 additions and 525 deletions
--- a/inventories/demo-gymburgdorf/host_vars/application/authentik.yml
+++ b/inventories/demo-gymburgdorf/host_vars/application/authentik.yml
@ -2,15 +2,21 @@
 # Bao secret expected at <mount>/data/authentik with keys:
 #   secret_key, postgres_password, admin_password,
 #   ldap_outpost_token,
-#   nextcloud_oidc_secret
+#   nextcloud_oidc_secret,
+#   opnform_oidc_secret, homarr_oidc_secret, bookstack_oidc_secret
 _authentik: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/authentik', url=vault_addr) }}"

-# First entry is the canonical public FQDN. Additional entries cover
-# internal *.int.* names so server-to-server traffic (e.g. the LDAP
-# outpost) hits authentik on a name with a valid internal cert and
-# skips the DMZ hop.
+# Canonical public FQDN browsers and OIDC iss-claim use.
 authentik_domains:
  - "auth.gymb.souveredu.ch"
+
+# Internal FQDN for server-to-server calls (Nextcloud OIDC discovery,
+# token, userinfo; LDAP outpost configuration pull). Traefik rewrites
+# the Host header to `authentik_domains[0]` on these routers so authentik
+# still emits issuer URLs against the public hostname — that keeps the
+# iss claim matching what the browser sees while the traffic itself
+# stays inside the LAN (the DMZ has no hairpin-NAT for the public IP).
+authentik_host_rewrite_domains:
  - "auth.int.gymb.souveredu.ch"
 authentik_secret_key: "{{ _authentik.secret_key }}"
 authentik_postgres_password: "{{ _authentik.postgres_password }}"
@ -31,6 +37,44 @@ authentik_ldap_outpost:
    authentik_host: "https://auth.int.gymb.souveredu.ch/"
    log_level: "info"

+# Proxy providers (ForwardAuth) — gate downstream services behind
+# authentik. The embedded outpost (which authentik ships out of the box)
+# hosts these providers under /outpost.goauthentik.io/auth/traefik on the
+# canonical FQDN; the service-side traefik attaches a ForwardAuth
+# middleware that talks to that endpoint.
+authentik_proxy_apps:
+  - slug: drawio
+    name: Drawio
+    external_host: "https://draw.gymb.souveredu.ch"
+    internal_host: "http://drawio:8080"
+    allowed_groups:
+      - admins
+    flows:
+      authentication_slug: default-authentication-flow
+      authorization_slug: default-provider-authorization-implicit-consent
+      invalidation_slug: default-provider-invalidation-flow
+  - slug: garage-webui
+    name: "Garage S3 Console"
+    external_host: "https://console.s3.gymb.souveredu.ch"
+    internal_host: "http://garage-webui:3909"
+    allowed_groups:
+      - admins
+    flows:
+      authentication_slug: default-authentication-flow
+      authorization_slug: default-provider-authorization-implicit-consent
+      invalidation_slug: default-provider-invalidation-flow
+
+# Bind both proxy providers to authentik's built-in embedded outpost so
+# we don't have to deploy a separate proxy outpost container. The
+# embedded outpost listens on the same host:9000 as the authentik server
+# and exposes /outpost.goauthentik.io/auth/traefik for ForwardAuth.
+authentik_proxy_outposts:
+  - name: "authentik Embedded Outpost"
+    type: proxy
+    providers:
+      - drawio
+      - garage-webui
+
 # OIDC clients
 authentik_oidc_apps:
  - slug: nextcloud
@ -45,10 +89,52 @@ authentik_oidc_apps:
      authorization_slug: default-provider-authorization-implicit-consent
      invalidation_slug: default-provider-invalidation-flow
    scopes: [openid, email, profile, offline_access]
+  - slug: opnform
+    name: OpnForm
+    client_id: opnform
+    client_secret: "{{ _authentik.opnform_oidc_secret }}"
+    redirect_uris:
+      - url: "https://forms.gymb.souveredu.ch/auth/authentik/callback"
+        matching_mode: strict
+    signing_key_name: "authentik Self-signed Certificate"
+    flows:
+      authorization_slug: default-provider-authorization-implicit-consent
+      invalidation_slug: default-provider-invalidation-flow
+    # No separate `groups` scope — authentik's default `profile` mapping
+    # already emits a `groups` claim built from request.user.groups, so
+    # OpnForm's admin-group mapping works without an extra scope.
+    scopes: [openid, email, profile]
+  - slug: homarr
+    name: Homarr
+    client_id: homarr
+    client_secret: "{{ _authentik.homarr_oidc_secret }}"
+    redirect_uris:
+      - url: "https://home.gymb.souveredu.ch/api/auth/callback/oidc"
+        matching_mode: strict
+    signing_key_name: "authentik Self-signed Certificate"
+    flows:
+      authorization_slug: default-provider-authorization-implicit-consent
+      invalidation_slug: default-provider-invalidation-flow
+    scopes: [openid, email, profile]
+  - slug: bookstack
+    name: BookStack
+    client_id: bookstack
+    client_secret: "{{ _authentik.bookstack_oidc_secret }}"
+    redirect_uris:
+      - url: "https://wiki.gymb.souveredu.ch/oidc/callback"
+        matching_mode: strict
+    signing_key_name: "authentik Self-signed Certificate"
+    flows:
+      authorization_slug: default-provider-authorization-implicit-consent
+      invalidation_slug: default-provider-invalidation-flow
+    scopes: [openid, email, profile]

 authentik_groups:
  - name: admins
  - name: users
+  - name: opnform-admins
+  - name: homarr-admins
+  - name: bookstack-admins

 authentik_local_users:
  - username: akadmin