diff --git a/.gitignore b/.gitignore
index 061b691..9dd7ed4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,4 +14,37 @@
 /.idea/
 # Ansible
 /collections/ansible_collections/
-.vagrant/
+/.vagrant/bundler/global.sol
+/.vagrant/machines/backend/libvirt/action_provision
+/.vagrant/machines/backend/libvirt/box_meta
+/.vagrant/machines/backend/libvirt/created_networks
+/.vagrant/machines/backend/libvirt/creator_uid
+/.vagrant/machines/backend/libvirt/id
+/.vagrant/machines/backend/libvirt/index_uuid
+/.vagrant/machines/backend/libvirt/private_key
+/.vagrant/machines/backend/libvirt/synced_folders
+/.vagrant/machines/backend/libvirt/vagrant_cwd
+/.vagrant/machines/backend2/libvirt/action_provision
+/.vagrant/machines/backend2/libvirt/box_meta
+/.vagrant/machines/backend2/libvirt/created_networks
+/.vagrant/machines/backend2/libvirt/creator_uid
+/.vagrant/machines/backend2/libvirt/id
+/.vagrant/machines/backend2/libvirt/index_uuid
+/.vagrant/machines/backend2/libvirt/private_key
+/.vagrant/machines/backend2/libvirt/synced_folders
+/.vagrant/machines/backend2/libvirt/vagrant_cwd
+/.vagrant/machines/dmz/libvirt/logs/ssh-forwarding-*_8080-192.168.121.139_80.log
+/.vagrant/machines/dmz/libvirt/logs/ssh-forwarding-*_8443-192.168.121.139_443.log
+/.vagrant/machines/dmz/libvirt/pids/ssh_8080.pid
+/.vagrant/machines/dmz/libvirt/pids/ssh_8443.pid
+/.vagrant/machines/dmz/libvirt/action_provision
+/.vagrant/machines/dmz/libvirt/box_meta
+/.vagrant/machines/dmz/libvirt/created_networks
+/.vagrant/machines/dmz/libvirt/creator_uid
+/.vagrant/machines/dmz/libvirt/id
+/.vagrant/machines/dmz/libvirt/index_uuid
+/.vagrant/machines/dmz/libvirt/private_key
+/.vagrant/machines/dmz/libvirt/synced_folders
+/.vagrant/machines/dmz/libvirt/vagrant_cwd
+/.vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory
+/.vagrant/rgloader/loader.rb
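Review bot: Replacing the blanket `.vagrant/` rule with an explicit list of paths leaves anything Vagrant writes that is not enumerated — the `private_key` of any machine added later, logs for other forwarded ports, plugin state — unignored and one `git add -A` away from being committed. The per-file list also bakes a specific libvirt address into the two log-file names, so it breaks as soon as the network changes. A single directory rule, `/.vagrant/`, covers all of this; if the enumerated paths were meant as documentation of what Vagrant creates, they can stay below it as comments.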
diff --git a/inventories/vagrant/host_vars/backend/389ds.yml b/inventories/vagrant/host_vars/backend/389ds.yml
deleted file mode 100644
index f6372c8..0000000
--- a/inventories/vagrant/host_vars/backend/389ds.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-# 389ds LDAP configuration for vagrant environment
-ds389_suffix: "dc=local,dc=test"
-ds389_root_password: "admin"
diff --git a/inventories/vagrant/host_vars/backend/authentik.yml b/inventories/vagrant/host_vars/backend/authentik.yml
index bff6b13..1a7633f 100644
--- a/inventories/vagrant/host_vars/backend/authentik.yml
+++ b/inventories/vagrant/host_vars/backend/authentik.yml
@@ -31,7 +31,7 @@ authentik_oidc_apps:
 client_id_env: NEXTCLOUD_OIDC_CLIENT_ID
 client_secret_env: NEXTCLOUD_OIDC_CLIENT_SECRET
 redirect_uris:
- - url: "https://nextcloud.local.test/apps/user_oidc/code"
+ - url: "https://nextcloud.local.test/login/generic_oauth"
 matching_mode: strict
 signing_key_name: "authentik Self-signed Certificate"
 flows:
diff --git a/inventories/vagrant/host_vars/backend/collabora.yml b/inventories/vagrant/host_vars/backend/collabora.yml
deleted file mode 100644
index 88caab8..0000000
--- a/inventories/vagrant/host_vars/backend/collabora.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-collabora_domain: "office.local.test"
-collabora_ssl_verification: false
-
-# Allowed WOPI host domains
-collabora_allowed_domains:
- - "nextcloud.local.test"
- - "wopi.opencloud.local.test"
-
-# Domains allowed to embed Collabora in an iframe
-collabora_frame_ancestors:
- - "nextcloud.local.test"
- - "opencloud.local.test"
-
-collabora_extra_hosts:
- - "wopi.opencloud.local.test:host-gateway"
\ No newline at end of file
diff --git a/inventories/vagrant/host_vars/backend/drawio.yml b/inventories/vagrant/host_vars/backend/drawio.yml
deleted file mode 100644
index 45db5ad..0000000
--- a/inventories/vagrant/host_vars/backend/drawio.yml
+++ /dev/null
@@ -1 +0,0 @@
-drawio_domain: "drawio.local.test"
\ No newline at end of file
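Review bot: The new redirect URI `https://nextcloud.local.test/login/generic_oauth` does not look like a Nextcloud OIDC callback — the removed `/apps/user_oidc/code` is the user_oidc app's code endpoint, and `/login/generic_oauth` is not a Nextcloud route I can place — and with `matching_mode: strict` a mismatch fails the whole login, so confirm the path against whatever application is meant to consume this app. Note that the same commit also removes `nextcloud_oidc_providers` and the `authentik.local.test` entry from `nextcloud_extra_hosts` in nextcloud.yml, so on the Nextcloud side nothing currently uses this client; if Nextcloud OIDC login is intentionally dropped, this app entry and its `NEXTCLOUD_OIDC_CLIENT_*` env references can go too, otherwise the providers block needs restoring alongside the URI fix. The `authentik_oidc_apps` list starts before this hunk.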
diff --git a/inventories/vagrant/host_vars/backend/garage.yml b/inventories/vagrant/host_vars/backend/garage.yml
index 56cb1a9..dd139e9 100644
--- a/inventories/vagrant/host_vars/backend/garage.yml
+++ b/inventories/vagrant/host_vars/backend/garage.yml
@@ -17,8 +17,4 @@ garage_s3_keys:
 - name: "nextcloud-backup"
 buckets:
 - name: "nextcloud"
- permissions: ["read"]
- - name: "opencloud"
- buckets:
- - name: "opencloud"
- permissions: ["read", "write"]
\ No newline at end of file
+ permissions: ["read"]
\ No newline at end of file
diff --git a/inventories/vagrant/host_vars/backend/homarr.yml b/inventories/vagrant/host_vars/backend/homarr.yml
new file mode 100644
index 0000000..6244c57
--- /dev/null
+++ b/inventories/vagrant/host_vars/backend/homarr.yml
@@ -0,0 +1,11 @@
+homarr_domain: "home.local.test"
+
+homarr_secret_dir: "{{ playbook_dir }}/secrets/{{ inventory_hostname }}"
+homarr_secret_file: "homarr_secret_encryption_key"
+homarr_secret_length: 64
+
+homarr_secret_encryption_key: >-
+ {{ lookup('ansible.builtin.password',
+ homarr_secret_dir ~ '/' ~ homarr_secret_file,
+ length=homarr_secret_length,
+ chars='hexdigits') }}
diff --git a/inventories/vagrant/host_vars/backend/keycloak.yml b/inventories/vagrant/host_vars/backend/keycloak.yml
index 3c5e091..a83f8dc 100644
--- a/inventories/vagrant/host_vars/backend/keycloak.yml
+++ b/inventories/vagrant/host_vars/backend/keycloak.yml
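Review bot: `homarr_secret_encryption_key` is generated by the `ansible.builtin.password` lookup into `{{ playbook_dir }}/secrets/{{ inventory_hostname }}/homarr_secret_encryption_key`, which persists a plaintext, long-lived key inside the repository tree; the .gitignore hunk in this commit only adds .vagrant paths and the earlier .gitignore lines are not visible here, so confirm the `secrets/` directory under the playbook dir is already ignored. A comment above the key would save the next reader a lookup, e.g. `# Generated once per host by the password lookup and persisted under secrets/; the file is a secret and must stay out of VCS`. 64 hex digits (256 bits) is an adequate size for the encryption key.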
@@ -1,207 +1 @@
-# Keycloak configuration for vagrant environment
-keycloak_domain: keycloak.local.test
-keycloak_admin_password: admin
-
-# Enable provisioning via Keycloak Admin API
-keycloak_provisioning_enabled: true
-
-# Realm configuration
-keycloak_realm: "vagrant"
-keycloak_realm_display_name: "Vagrant Test Realm"
-
-# Groups to provision
-keycloak_groups:
- - name: admins
- - name: users
- - name: developers
-
-# Local users to provision
-keycloak_local_users:
- - username: admin
- first_name: "Test"
- last_name: "Admin"
- email: "admin@local.test"
- password: "admin"
- groups:
- - name: admins
- - username: user
- first_name: "Test"
- last_name: "User"
- email: "user@local.test"
- password: "user"
- groups:
- - name: users
-
-# OIDC clients to provision
-keycloak_oidc_clients:
- - client_id: nextcloud
- name: "Nextcloud"
- client_secret: "nextcloud-secret-change-in-production"
- redirect_uris:
- - "https://nextcloud.local.test/apps/user_oidc/code"
- default_client_scopes:
- - openid
- - email
- - profile
- - client_id: httpbin
- name: "HTTPBin Test App"
- client_secret: "httpbin-secret-change-in-production"
- redirect_uris:
- - "https://httpbin.local.test/callback"
- default_client_scopes:
- - openid
- - email
- - profile
- - client_id: opencloud
- name: "OpenCloud"
- client_secret: "opencloud-secret-change-in-production"
- redirect_uris:
- - "https://opencloud.local.test/"
- - "https://opencloud.local.test/oidc-callback.html"
- - "https://opencloud.local.test/oidc-silent-redirect.html"
- default_client_scopes:
- - openid
- - email
- - profile
-
-# Identity providers (external login sources)
-# Uncomment and configure for production use with real credentials
-# keycloak_identity_providers:
-# - alias: entra-id
-# display_name: "Login with Microsoft"
-# provider_id: oidc
-# config:
-# clientId: "your-entra-client-id"
-# clientSecret: "your-entra-client-secret"
-# authorizationUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
-# tokenUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/token"
-# defaultScope: "openid profile email"
-
-# Trust the 389ds self-signed CA cert (production would use ACME certs)
-keycloak_truststore_certificates:
- - /srv/data/389ds/data/ssca/ca.crt
-
-# Resolve 389ds hostname from inside the Keycloak container
-keycloak_extra_hosts:
- - "389ds:192.168.56.11"
-
-# LDAP user federation (write Keycloak users to 389ds)
-keycloak_user_federations:
- - name: ldap-389ds
- provider_id: ldap
- config:
- editMode: WRITABLE
- syncRegistrations: "true"
- importEnabled: "true"
- vendor: rhds
- connectionUrl: "ldaps://389ds:3636"
- usersDn: "ou=users,dc=local,dc=test"
- bindDn: "cn=Directory Manager"
- bindCredential: "admin"
- usernameLDAPAttribute: uid
- rdnLDAPAttribute: uid
- uuidLDAPAttribute: nsuniqueid
- userObjectClasses: "inetOrgPerson, organizationalPerson"
- authType: simple
- useTruststoreSpi: ldapsOnly
- mappers:
- - name: "username"
- providerId: "user-attribute-ldap-mapper"
- providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
- config:
- ldap.attribute: "uid"
- user.model.attribute: "username"
- is.mandatory.in.ldap: "true"
- always.read.value.from.ldap: "false"
- read.only: "false"
- is.binary.attribute: "false"
- - name: "email"
- providerId: "user-attribute-ldap-mapper"
- providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
- config:
- ldap.attribute: "mail"
- user.model.attribute: "email"
- is.mandatory.in.ldap: "false"
- always.read.value.from.ldap: "false"
- read.only: "false"
- is.binary.attribute: "false"
- - name: "first name"
- providerId: "user-attribute-ldap-mapper"
- providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
- config:
- ldap.attribute: "givenName"
- user.model.attribute: "firstName"
- is.mandatory.in.ldap: "true"
- always.read.value.from.ldap: "false"
- read.only: "false"
- is.binary.attribute: "false"
- - name: "last name"
- providerId: "user-attribute-ldap-mapper"
- providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
- config:
- ldap.attribute: "sn"
- user.model.attribute: "lastName"
- is.mandatory.in.ldap: "true"
- always.read.value.from.ldap: "false"
- read.only: "false"
- is.binary.attribute: "false"
- - name: "full name"
- providerId: "full-name-ldap-mapper"
- providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
- config:
- ldap.full.name.attribute: "cn"
- read.only: "false"
- write.only: "true"
- - name: "display name"
- providerId: "full-name-ldap-mapper"
- providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
- config:
- ldap.full.name.attribute: "displayName"
- read.only: "false"
- write.only: "true"
- - name: "groups"
- providerId: "group-ldap-mapper"
- providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
- config:
- groups.dn: "ou=groups,dc=local,dc=test"
- group.name.ldap.attribute: "cn"
- group.object.classes: "groupOfNames"
- membership.ldap.attribute: "member"
- membership.attribute.type: "DN"
- membership.user.ldap.attribute: "uid"
- groups.ldap.filter: ""
- mode: "LDAP_ONLY"
- user.roles.retrieve.strategy: "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE"
- memberof.ldap.attribute: "memberOf"
- mapped.group.attributes: ""
- drop.non.existing.groups.during.sync: "false"
- preserve.group.inheritance: "false"
- ignore.missing.groups: "false"
- groups.path: "/"
- - name: "creation date"
- providerId: "user-attribute-ldap-mapper"
- providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
- config:
- ldap.attribute: "createTimestamp"
- user.model.attribute: "createTimestamp"
- is.mandatory.in.ldap: "false"
- always.read.value.from.ldap: "true"
- read.only: "true"
- is.binary.attribute: "false"
- - name: "modify date"
- providerId: "user-attribute-ldap-mapper"
- providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
- config:
- ldap.attribute: "modifyTimestamp"
- user.model.attribute: "modifyTimestamp"
- is.mandatory.in.ldap: "false"
- always.read.value.from.ldap: "true"
- read.only: "true"
- is.binary.attribute: "false"
-
-# Resources to remove (for cleanup when removing items from above lists)
-keycloak_removed_users: []
-keycloak_removed_groups: []
-keycloak_removed_clients: []
-keycloak_removed_identity_providers: []
-keycloak_removed_user_federations: []
\ No newline at end of file
+keycloak_admin_password: admin
\ No newline at end of file
diff --git a/inventories/vagrant/host_vars/backend/nextcloud.yml b/inventories/vagrant/host_vars/backend/nextcloud.yml
index e4a81e3..09f7846 100644
--- a/inventories/vagrant/host_vars/backend/nextcloud.yml
+++ b/inventories/vagrant/host_vars/backend/nextcloud.yml
@@ -1,23 +1,4 @@
 nextcloud_collabora_disable_cert_verification: true
-nextcloud_enable_notify_push: true
-
-# Draw.io integration
-nextcloud_enable_drawio: true
-nextcloud_drawio_url: "https://drawio.local.test"
-
-# Apps to install (override defaults to include drawio)
-nextcloud_apps_to_install:
- - groupfolders
- - richdocuments
- - spreed
- - user_ldap
- - user_oidc
- - whiteboard
- - drawio
- - files_lock
- - notify_push
-nextcloud_allow_local_remote_servers: true # Allow requests to local network in Vagrant
-nextcloud_oidc_allow_selfsigned: true # Allow self-signed certs for OIDC in Vagrant
 
 # S3 storage configuration using Garage
 nextcloud_use_s3_storage: true
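Review bot: The file is reduced to `keycloak_admin_password: admin` while playbooks/site.yml in this commit still runs the `Deploy keycloak service` play on `keycloak_servers`, so `keycloak_domain`, `keycloak_provisioning_enabled` and the realm/client definitions now come from the role's defaults; confirm that `digitalboard.core.keycloak` defines a default for `keycloak_domain` (the removed value was `keycloak.local.test`), otherwise the play fails or the proxy route points nowhere. If the intent is to keep the service but stop provisioning realms and clients, a one-line comment saying so, e.g. `# Realm, client and LDAP-federation provisioning intentionally not configured in vagrant`, stops the next reader from restoring the deleted block. The surviving line also has no trailing newline.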
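Review bot: `nextcloud_allow_local_remote_servers: true` and `nextcloud_oidc_allow_selfsigned: true` are dropped while the S3 configuration that follows still targets a private address (`storage.local.test` mapped to `192.168.56.11` remains in `nextcloud_extra_hosts` in the next hunk); if the role defaults both to false, Nextcloud may refuse requests to that local endpoint. Whether the S3 client path is subject to the local-address check is not visible here, so this is a request to verify that S3 primary storage still initialises in Vagrant without the override rather than a certain defect.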
@@ -31,62 +12,4 @@ nextcloud_s3_usepath_style: true
 
 # Extra hosts for container DNS resolution (Vagrant only)
 nextcloud_extra_hosts:
- - "storage.local.test:192.168.56.11"
- - "keycloak.local.test:192.168.56.11"
- - "authentik.local.test:192.168.56.11"
- - "389ds:192.168.56.11"
-
-# LDAP backend (pre-create users synced from Keycloak via 389ds)
-nextcloud_ldap_enabled: true
-nextcloud_ldap_config:
- ldapHost: "ldaps://389ds"
- ldapPort: "3636"
- ldapAgentName: "cn=Directory Manager"
- ldapAgentPassword: "admin"
- ldapBase: "dc=local,dc=test"
- ldapBaseUsers: "ou=users,dc=local,dc=test"
- ldapTLS: "0"
- turnOffCertCheck: "1"
- ldapUserFilter: "(&(objectclass=inetOrgPerson)(uid=*))"
- ldapUserFilterObjectclass: "inetOrgPerson"
- ldapLoginFilter: "(&(objectclass=inetOrgPerson)(uid=%uid))"
- ldapLoginFilterUsername: "1"
- ldapUserDisplayName: "displayName"
- ldapEmailAttribute: "mail"
- ldapExpertUsernameAttr: "uid"
- ldapExpertUUIDUserAttr: "nsuniqueid"
- ldapBaseGroups: "ou=groups,dc=local,dc=test"
- ldapGroupFilter: "(&(objectClass=groupOfNames))"
- ldapGroupFilterObjectclass: "groupOfNames"
- ldapGroupDisplayName: "cn"
- ldapGroupMemberAssocAttr: "member"
- ldapAdminGroup: "admins"
- ldapCacheTTL: "600"
- ldapPagingSize: "500"
- ldapExperiencedAdmin: "1"
- ldapConfigurationActive: "1"
-
-# OIDC providers for login
-nextcloud_oidc_providers:
- - identifier: keycloak
- display_name: "Login with Keycloak"
- client_id: "nextcloud"
- client_secret: "nextcloud-secret-change-in-production"
- discovery_url: "https://keycloak.local.test/realms/vagrant/.well-known/openid-configuration"
- scope: "openid email profile"
- unique_uid: false
- mapping:
- uid: preferred_username
- display_name: name
- email: email
- - identifier: authentik
- display_name: "Login with Authentik"
- client_id: "test1234"
- client_secret: "test1234"
- discovery_url: "https://authentik.local.test/application/o/nextcloud/.well-known/openid-configuration"
- scope: "openid email profile"
- unique_uid: true
- mapping:
- uid: preferred_username
- display_name: name
- email: email
\ No newline at end of file
+ - "storage.local.test:192.168.56.11"
\ No newline at end of file
diff --git a/inventories/vagrant/host_vars/backend/opencloud.yml b/inventories/vagrant/host_vars/backend/opencloud.yml
deleted file mode 100644
index f8fcc79..0000000
--- a/inventories/vagrant/host_vars/backend/opencloud.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-opencloud_domain: "opencloud.local.test"
-opencloud_admin_password: "admin"
-opencloud_extra_hosts:
- - "opencloud.local.test:host-gateway"
- - "keycloak.local.test:host-gateway"
- - "storage.local.test:192.168.56.11"
- - "office.local.test:host-gateway"
- - "drawio.local.test:host-gateway"
- - "389ds:192.168.56.11"
-
-# OIDC configuration (Keycloak)
-opencloud_oidc_issuer: "https://keycloak.local.test/realms/vagrant"
-opencloud_oidc_client_id: "opencloud"
-opencloud_oidc_client_secret: "opencloud-secret-change-in-production"
-opencloud_oidc_account_edit_url: "https://keycloak.local.test/realms/vagrant/account"
-opencloud_oidc_autoprovision_accounts: false
-
-# S3 storage configuration using Garage
-opencloud_use_s3_storage: true
-opencloud_s3_endpoint: "http://{{ hostvars['backend']['garage_s3_domain'] }}"
-opencloud_s3_access_key: "{{ lookup('digitalboard.core.garage_credentials', 'opencloud', host='backend')['key_id'] }}"
-opencloud_s3_secret_key: "{{ lookup('digitalboard.core.garage_credentials', 'opencloud', host='backend')['secret_key'] }}"
-opencloud_s3_bucket: "opencloud"
-
-# Collabora integration
-opencloud_collabora_domain: "office.local.test"
-opencloud_wopi_domain: "wopi.opencloud.local.test"
-
-# LDAP backend (users synced from Keycloak via 389ds)
-opencloud_ldap_uri: "ldaps://389ds:3636"
-opencloud_ldap_bind_dn: "cn=Directory Manager"
-opencloud_ldap_bind_password: "admin"
-opencloud_ldap_user_base_dn: "ou=users,dc=local,dc=test"
-opencloud_ldap_group_base_dn: "ou=groups,dc=local,dc=test"
-
-# Draw.io integration
-opencloud_drawio_url: "https://drawio.local.test"
-
-# Role assignment via OIDC (maps LDAP groups from Keycloak token to OpenCloud roles)
-opencloud_role_assignment_driver: "oidc"
-opencloud_role_mapping:
- - role_name: admin
- claim_value: admins
- - role_name: user
- claim_value: users
- - role_name: user
- claim_value: developers
-
-# CSP configuration
-opencloud_csp_extra_connect_src:
- - "https://keycloak.local.test/"
-opencloud_csp_extra_frame_src:
- - "https://drawio.local.test/"
\ No newline at end of file
diff --git a/inventories/vagrant/host_vars/backend/traefik.yml b/inventories/vagrant/host_vars/backend/traefik.yml
index e123dc1..3e1e5b7 100644
--- a/inventories/vagrant/host_vars/backend/traefik.yml
+++ b/inventories/vagrant/host_vars/backend/traefik.yml
@@ -16,7 +16,7 @@ traefik_dmz_exposed_services:
 domain: nextcloud.local.test
 port: 443
 protocol: https
- - name: collabora
+ - name: nextcloud-collabora
 domain: office.local.test
 port: 443
 protocol: https
@@ -24,12 +24,8 @@ traefik_dmz_exposed_services:
 domain: authentik.local.test
 port: 443
 protocol: https
- - name: opencloud
- domain: opencloud.local.test
- port: 443
- protocol: https
- - name: drawio
- domain: drawio.local.test
+ - name: homarr
+ domain: home.local.test
 port: 443
 protocol: https
 # Example: Add more services as you deploy them
diff --git a/inventories/vagrant/hosts.yml b/inventories/vagrant/hosts.yml
index 5dcd0c6..5f438b8 100644
--- a/inventories/vagrant/hosts.yml
+++ b/inventories/vagrant/hosts.yml
@@ -49,10 +49,6 @@ all:
 hosts:
 backend:
 
- ds389_servers:
- hosts:
- backend:
-
 authentik_servers:
 hosts:
 backend:
@@ -65,14 +61,6 @@ all:
 hosts:
 backend:
 
- collabora_servers:
- hosts:
- backend:
-
- drawio_servers:
- hosts:
- backend:
-
- opencloud_servers:
+ homarr_servers:
 hosts:
 backend:
\ No newline at end of file
diff --git a/playbooks/site.yml b/playbooks/site.yml
index 4e75791..8749439 100644
--- a/playbooks/site.yml
+++ b/playbooks/site.yml
@@ -5,8 +5,8 @@
 roles:
 - digitalboard.core.base
 
-- name: Configure reverse proxies
- hosts: traefik_servers
+- name: Configure reverse proxy on application servers
+ hosts: traefik_servers_backend
 become: yes
 roles:
 - digitalboard.core.traefik
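Review bot: The renamed play now targets `traefik_servers_backend`, and the last hunk of this file targets `traefik_servers_dmz`, but neither group is added in the inventories/vagrant/hosts.yml hunks of this commit (those only drop `ds389_servers`, `collabora_servers`, `drawio_servers` and `opencloud_servers` and add `homarr_servers`); unless both groups are already defined in a part of hosts.yml outside these hunks, both plays match no hosts and Ansible skips them with only a warning, leaving the DMZ without a proxy. Confirm the groups exist in the inventory, and if they do not, add them in the same change so the split of the Traefik play is not a silent no-op. The same point applies to the `traefik_servers_dmz` play in the third hunk of this file.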
@@ -17,12 +17,6 @@
 roles:
 - digitalboard.core.httpbin
 
-- name: Deploy 389ds LDAP service
- hosts: ds389_servers
- become: yes
- roles:
- - digitalboard.core.389ds
-
 - name: Deploy keycloak service
 hosts: keycloak_servers
 become: yes
@@ -35,12 +29,6 @@
 roles:
 - digitalboard.core.garage
 
-- name: Deploy collabora service
- hosts: collabora_servers
- become: yes
- roles:
- - digitalboard.core.collabora
-
 - name: Deploy nextcloud service
 hosts: nextcloud_servers
 become: yes
@@ -53,14 +41,14 @@
 roles:
 - digitalboard.core.authentik
 
-- name: Deploy drawio service
- hosts: drawio_servers
+- name: Deploy homarr service
+ hosts: homarr_servers
 become: yes
 roles:
- - digitalboard.core.drawio
+ - digitalboard.core.homarr
 
-- name: Deploy opencloud service
- hosts: opencloud_servers
+- name: Configure reverse proxy on DMZ servers
+ hosts: traefik_servers_dmz
 become: yes
 roles:
- - digitalboard.core.opencloud
\ No newline at end of file
+ - digitalboard.core.traefik