docs(reference-ansible): add docs/ tree and document repo, playbooks, Makefile

Addresses the WKS PoC review (Notion 2026-05-26). All docs in English. - README: purpose, docs table of contents, annotated repo tree - docs/getting_started.md: prerequisites (WKS account, OIDC, SSH, VPN) + first deploy - docs/ansible.md: playbook table, "Running Ansible", service parameters, cheatsheet - docs/secrets.md: canonical Bao login (moved out of README) + demo defaults - docs/operations.md: full Makefile reference - docs/inventories.md: repo layout, topology, standard folder structure, walkthrough - docs/testing.md: static checks, inventory resolution, smoke test / dry run - remove ARCHITECTURE.md (architecture docs live externally) Also includes the gymburgdorf inventory build-out (bookstack, homarr, opnform, send) and scripts/bao-seed.sh. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 18:08:52 +02:00 · 2026-05-27 18:08:52 +02:00 · ae4eb799bb
commit ae4eb799bb
parent b59b2df82a
25 changed files with 1530 additions and 517 deletions
--- a/inventories/demo-gymburgdorf/host_vars/application/bookstack.yml
+++ b/inventories/demo-gymburgdorf/host_vars/application/bookstack.yml
@ -0,0 +1,43 @@
+---
+# Bao secret <mount>/data/bookstack expected to contain:
+#   db_root_password, db_password, admin_password, oidc_client_secret,
+#   app_key (optional — only set when restoring)
+_bookstack: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/bookstack', url=vault_addr) }}"
+
+bookstack_domain: "wiki.gymb.souveredu.ch"
+bookstack_extra_domains:
+  - "wiki.int.gymb.souveredu.ch"
+bookstack_base_url: "https://wiki.gymb.souveredu.ch"
+
+# Override the role-default certresolver ("le") with the value used
+# across this demo (matches traefik_ssl_cert_resolver in group_vars).
+bookstack_traefik_certresolver: "dns"
+
+bookstack_db_root_password: "{{ _bookstack.db_root_password }}"
+bookstack_db_password: "{{ _bookstack.db_password }}"
+bookstack_admin_password: "{{ _bookstack.admin_password }}"
+bookstack_admin_email: "admin@gymb.souveredu.ch"
+bookstack_admin_name: "BookStack Admin"
+
+# OIDC against Authentik. BookStack compares OIDC_ISSUER strictly against
+# the `iss` claim in the discovery response. Authentik emits the public
+# auth.gymb.* hostname there (host-rewrite middleware ensures the claim
+# matches what browsers see during login), so the issuer URL must use the
+# public FQDN. Pinning auth.gymb.* in /etc/hosts below keeps the actual
+# server-to-server traffic on the LAN.
+bookstack_oidc_enabled: true
+bookstack_oidc_name: "Authentik"
+bookstack_oidc_issuer: "https://auth.gymb.souveredu.ch/application/o/bookstack/"
+bookstack_oidc_client_id: "bookstack"
+bookstack_oidc_client_secret: "{{ _bookstack.oidc_client_secret }}"
+bookstack_oidc_additional_scopes: "openid profile email"
+bookstack_oidc_user_to_groups: true
+bookstack_oidc_groups_claim: "groups"
+bookstack_oidc_auto_initiate: false
+
+# Pin auth.gymb.* to the application host so server-to-server OIDC calls
+# (discovery, token, userinfo, jwks) stay in the LAN and reach authentik
+# directly without hairpinning through the DMZ (which has no NAT loop
+# back to its own public IP).
+bookstack_extra_hosts:
+  - "auth.gymb.souveredu.ch:172.16.19.101"