From 75be32d8d0acf1a6078dcfb120685090176a84f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20W=C3=BCst?= Date: Thu, 22 Jan 2026 14:53:21 +0100 Subject: [PATCH 01/21] chore: Deploy Homarr Service --- inventories/vagrant/host_vars/backend/homarr.yml | 11 +++++++++++ inventories/vagrant/host_vars/backend/traefik.yml | 4 ++++ inventories/vagrant/hosts.yml | 4 ++++ playbooks/site.yml | 6 ++++++ 4 files changed, 25 insertions(+) create mode 100644 inventories/vagrant/host_vars/backend/homarr.yml diff --git a/inventories/vagrant/host_vars/backend/homarr.yml b/inventories/vagrant/host_vars/backend/homarr.yml new file mode 100644 index 0000000..6244c57 --- /dev/null +++ b/inventories/vagrant/host_vars/backend/homarr.yml @@ -0,0 +1,11 @@ +homarr_domain: "home.local.test" + +homarr_secret_dir: "{{ playbook_dir }}/secrets/{{ inventory_hostname }}" +homarr_secret_file: "homarr_secret_encryption_key" +homarr_secret_length: 64 + +homarr_secret_encryption_key: >- + {{ lookup('ansible.builtin.password', + homarr_secret_dir ~ '/' ~ homarr_secret_file, + length=homarr_secret_length, + chars='hexdigits') }} diff --git a/inventories/vagrant/host_vars/backend/traefik.yml b/inventories/vagrant/host_vars/backend/traefik.yml index 5aa720e..3e1e5b7 100644 --- a/inventories/vagrant/host_vars/backend/traefik.yml +++ b/inventories/vagrant/host_vars/backend/traefik.yml @@ -24,6 +24,10 @@ traefik_dmz_exposed_services: domain: authentik.local.test port: 443 protocol: https + - name: homarr + domain: home.local.test + port: 443 + protocol: https # Example: Add more services as you deploy them # - name: forgejo # domain: git.example.com diff --git a/inventories/vagrant/hosts.yml b/inventories/vagrant/hosts.yml index e3bf998..5f438b8 100644 --- a/inventories/vagrant/hosts.yml +++ b/inventories/vagrant/hosts.yml @@ -58,5 +58,9 @@ all: backend: nextcloud_servers: + hosts: + backend: + + homarr_servers: hosts: backend: \ No newline at end of file 
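Review bot: `homarr_secret_encryption_key` in homarr.yml is produced by `ansible.builtin.password`, which persists the generated key in clear text on the controller at `{{ playbook_dir }}/secrets/{{ inventory_hostname }}/homarr_secret_encryption_key` and re-reads it on later runs, so that directory is now a secret store. Nothing in this series shows `secrets/` being excluded from version control (the .gitignore hunk in patch 04 only covers the file from line 14 onward), so please confirm it is ignored and say so next to the variable: `# Generated on first run and kept in plaintext under secrets/ on the controller; keep that directory out of git`. The `>-` folded scalar is a good fit for the multi-line lookup.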
diff --git a/playbooks/site.yml b/playbooks/site.yml index ffbb9c4..8749439 100644 --- a/playbooks/site.yml +++ b/playbooks/site.yml @@ -41,6 +41,12 @@ roles: - digitalboard.core.authentik +- name: Deploy homarr service + hosts: homarr_servers + become: yes + roles: + - digitalboard.core.homarr + - name: Configure reverse proxy on DMZ servers hosts: traefik_servers_dmz become: yes From 2063268ed6bd52ac8193692da353a10dcf3c6fc7 Mon Sep 17 00:00:00 2001 From: Bert-Jan Fikse Date: Fri, 27 Feb 2026 13:35:37 +0100 Subject: [PATCH 02/21] feat: add keycloak oidc provisioning tasks Signed-off-by: Bert-Jan Fikse --- .../vagrant/host_vars/backend/authentik.yml | 2 +- .../vagrant/host_vars/backend/keycloak.yml | 74 ++++++++++++++++++- .../vagrant/host_vars/backend/nextcloud.yml | 31 +++++++- 3 files changed, 104 insertions(+), 3 deletions(-) diff --git a/inventories/vagrant/host_vars/backend/authentik.yml b/inventories/vagrant/host_vars/backend/authentik.yml index 1a7633f..bff6b13 100644 --- a/inventories/vagrant/host_vars/backend/authentik.yml +++ b/inventories/vagrant/host_vars/backend/authentik.yml @@ -31,7 +31,7 @@ authentik_oidc_apps: client_id_env: NEXTCLOUD_OIDC_CLIENT_ID client_secret_env: NEXTCLOUD_OIDC_CLIENT_SECRET redirect_uris: - - url: "https://nextcloud.local.test/login/generic_oauth" + - url: "https://nextcloud.local.test/apps/user_oidc/code" matching_mode: strict signing_key_name: "authentik Self-signed Certificate" flows: diff --git a/inventories/vagrant/host_vars/backend/keycloak.yml b/inventories/vagrant/host_vars/backend/keycloak.yml index a83f8dc..7b0f5d5 100644 --- a/inventories/vagrant/host_vars/backend/keycloak.yml +++ b/inventories/vagrant/host_vars/backend/keycloak.yml 
@@ -1 +1,73 @@ -keycloak_admin_password: admin \ No newline at end of file +# Keycloak configuration for vagrant environment +keycloak_domain: keycloak.local.test +keycloak_admin_password: admin + +# Enable provisioning via Keycloak Admin API +keycloak_provisioning_enabled: true + +# Realm configuration +keycloak_realm: "vagrant" +keycloak_realm_display_name: "Vagrant Test Realm" + +# Groups to provision +keycloak_groups: + - name: admins + - name: users + - name: developers + +# Local users to provision +keycloak_local_users: + - username: testadmin + first_name: "Test" + last_name: "Admin" + email: "admin@local.test" + password: "admin" + groups: + - name: admins + - username: testuser + first_name: "Test" + last_name: "User" + email: "user@local.test" + password: "user" + groups: + - name: users + +# OIDC clients to provision +keycloak_oidc_clients: + - client_id: nextcloud + name: "Nextcloud" + client_secret: "nextcloud-secret-change-in-production" + redirect_uris: + - "https://nextcloud.local.test/apps/user_oidc/code" + default_client_scopes: + - openid + - email + - profile + - client_id: httpbin + name: "HTTPBin Test App" + client_secret: "httpbin-secret-change-in-production" + redirect_uris: + - "https://httpbin.local.test/callback" + default_client_scopes: + - openid + - email + - profile + +# Identity providers (external login sources) +# Uncomment and configure for production use with real credentials +# keycloak_identity_providers: +# - alias: entra-id +# display_name: "Login with Microsoft" +# provider_id: oidc +# config: +# clientId: "your-entra-client-id" +# clientSecret: "your-entra-client-secret" +# authorizationUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize" +# tokenUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/token" +# defaultScope: "openid profile email" + +# Resources to remove (for cleanup when removing items from above lists) +keycloak_removed_users: [] +keycloak_removed_groups: [] 
+keycloak_removed_clients: [] +keycloak_removed_identity_providers: [] \ No newline at end of file diff --git a/inventories/vagrant/host_vars/backend/nextcloud.yml b/inventories/vagrant/host_vars/backend/nextcloud.yml index 09f7846..5343040 100644 --- a/inventories/vagrant/host_vars/backend/nextcloud.yml +++ b/inventories/vagrant/host_vars/backend/nextcloud.yml @@ -1,4 +1,6 @@ nextcloud_collabora_disable_cert_verification: true +nextcloud_allow_local_remote_servers: true # Allow requests to local network in Vagrant +nextcloud_oidc_allow_selfsigned: true # Allow self-signed certs for OIDC in Vagrant # S3 storage configuration using Garage nextcloud_use_s3_storage: true @@ -12,4 +14,31 @@ nextcloud_s3_usepath_style: true # Extra hosts for container DNS resolution (Vagrant only) nextcloud_extra_hosts: - - "storage.local.test:192.168.56.11" \ No newline at end of file + - "storage.local.test:192.168.56.11" + - "keycloak.local.test:192.168.56.11" + - "authentik.local.test:192.168.56.11" + +# OIDC providers for login +nextcloud_oidc_providers: + - identifier: keycloak + display_name: "Login with Keycloak" + client_id: "nextcloud" + client_secret: "nextcloud-secret-change-in-production" + discovery_url: "https://keycloak.local.test/realms/vagrant/.well-known/openid-configuration" + scope: "openid email profile" + unique_uid: true + mapping: + uid: preferred_username + display_name: name + email: email + - identifier: authentik + display_name: "Login with Authentik" + client_id: "test1234" + client_secret: "test1234" + discovery_url: "https://authentik.local.test/application/o/nextcloud/.well-known/openid-configuration" + scope: "openid email profile" + unique_uid: true + mapping: + uid: preferred_username + display_name: name + email: email \ No newline at end of file From ccb5b0dad5f64853bae66efec8024ab1ff5cc954 Mon Sep 17 00:00:00 2001 From: Bert-Jan Fikse Date: Fri, 27 Feb 2026 13:36:28 +0100 Subject: [PATCH 03/21] chore: run traefik role on all traefik servers 
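Review bot: The client secrets in `keycloak_oidc_clients` are plain literals that are then re-typed by hand in nextcloud.yml (this commit) and opencloud.yml (patch 06), so a rotation has to be done in three places and a typo shows up only as a failed login. Both files are host_vars of the same host, so the consumers could read the value from here instead, e.g. `client_secret: "{{ (keycloak_oidc_clients | selectattr('client_id', 'equalto', 'nextcloud') | first).client_secret }}"`, and the literal itself could follow the `ansible.builtin.password` lookup pattern homarr.yml already uses in patch 01, so the `change-in-production` placeholder can never reach a real environment. `keycloak_admin_password: admin`, the user passwords in `keycloak_local_users` and `ds389_root_password` in patch 11 have the same exposure; for a vagrant inventory that is tolerable, but a one-line `# Vagrant test credentials, never reuse` at the top of the file would make the intent explicit.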
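Review bot: The authentik provider in `nextcloud_oidc_providers` hard-codes `client_id: "test1234"` and `client_secret: "test1234"`, while authentik.yml in the same commit takes the application's id and secret from the `NEXTCLOUD_OIDC_CLIENT_ID` / `NEXTCLOUD_OIDC_CLIENT_SECRET` environment, so the two sides are coupled only by convention and will drift silently. Either source both from one variable or at least record the dependency inline: `client_secret: "test1234"  # must match NEXTCLOUD_OIDC_CLIENT_SECRET consumed by authentik.yml`. The same applies to the keycloak entry, whose secret duplicates keycloak.yml.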
Signed-off-by: Bert-Jan Fikse --- playbooks/site.yml | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/playbooks/site.yml b/playbooks/site.yml index ffbb9c4..99773a1 100644 --- a/playbooks/site.yml +++ b/playbooks/site.yml @@ -5,8 +5,8 @@ roles: - digitalboard.core.base -- name: Configure reverse proxy on application servers - hosts: traefik_servers_backend +- name: Configure reverse proxies + hosts: traefik_servers become: yes roles: - digitalboard.core.traefik @@ -39,10 +39,4 @@ hosts: authentik_servers become: yes roles: - - digitalboard.core.authentik - -- name: Configure reverse proxy on DMZ servers - hosts: traefik_servers_dmz - become: yes - roles: - - digitalboard.core.traefik + - digitalboard.core.authentik \ No newline at end of file From 09f9ae104a25275c5946eafc7c00ec0919e9608a Mon Sep 17 00:00:00 2001 From: Bert-Jan Fikse Date: Fri, 27 Feb 2026 13:37:48 +0100 Subject: [PATCH 04/21] chore: add .vagrant/ folder to .gitignore Signed-off-by: Bert-Jan Fikse --- .gitignore | 35 +---------------------------------- 1 file changed, 1 insertion(+), 34 deletions(-) diff --git a/.gitignore b/.gitignore index 9dd7ed4..061b691 100644 --- a/.gitignore +++ b/.gitignore 
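Review bot: The merged play now targets `traefik_servers`, and no hunk in this series adds that group to inventories/vagrant/hosts.yml (the hosts.yml hunks shown only touch the service groups); if the group is defined elsewhere in the inventory that is fine, but if it is not, Ansible skips the play with "no hosts matched" and neither proxy gets configured. Please confirm the group exists, or add it as a `children:` group containing the existing `traefik_servers_backend` and `traefik_servers_dmz`. The second hunk also drops the file's trailing newline (`\ No newline at end of file`), which the following patches then carry along.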
@@ -14,37 +14,4 @@ /.idea/ # Ansible /collections/ansible_collections/ -/.vagrant/bundler/global.sol -/.vagrant/machines/backend/libvirt/action_provision -/.vagrant/machines/backend/libvirt/box_meta -/.vagrant/machines/backend/libvirt/created_networks -/.vagrant/machines/backend/libvirt/creator_uid -/.vagrant/machines/backend/libvirt/id -/.vagrant/machines/backend/libvirt/index_uuid -/.vagrant/machines/backend/libvirt/private_key -/.vagrant/machines/backend/libvirt/synced_folders -/.vagrant/machines/backend/libvirt/vagrant_cwd -/.vagrant/machines/backend2/libvirt/action_provision -/.vagrant/machines/backend2/libvirt/box_meta -/.vagrant/machines/backend2/libvirt/created_networks -/.vagrant/machines/backend2/libvirt/creator_uid -/.vagrant/machines/backend2/libvirt/id -/.vagrant/machines/backend2/libvirt/index_uuid -/.vagrant/machines/backend2/libvirt/private_key -/.vagrant/machines/backend2/libvirt/synced_folders -/.vagrant/machines/backend2/libvirt/vagrant_cwd -/.vagrant/machines/dmz/libvirt/logs/ssh-forwarding-*_8080-192.168.121.139_80.log -/.vagrant/machines/dmz/libvirt/logs/ssh-forwarding-*_8443-192.168.121.139_443.log -/.vagrant/machines/dmz/libvirt/pids/ssh_8080.pid -/.vagrant/machines/dmz/libvirt/pids/ssh_8443.pid -/.vagrant/machines/dmz/libvirt/action_provision -/.vagrant/machines/dmz/libvirt/box_meta -/.vagrant/machines/dmz/libvirt/created_networks -/.vagrant/machines/dmz/libvirt/creator_uid -/.vagrant/machines/dmz/libvirt/id -/.vagrant/machines/dmz/libvirt/index_uuid -/.vagrant/machines/dmz/libvirt/private_key -/.vagrant/machines/dmz/libvirt/synced_folders -/.vagrant/machines/dmz/libvirt/vagrant_cwd -/.vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory -/.vagrant/rgloader/loader.rb +.vagrant/ From 15a2d321b0241f3d370dec4b25bc31d54f61bd28 Mon Sep 17 00:00:00 2001 From: Bert-Jan Fikse Date: Fri, 27 Feb 2026 14:59:19 +0100 Subject: [PATCH 05/21] feat: add basic opencloud deployment 
Signed-off-by: Bert-Jan Fikse --- inventories/vagrant/host_vars/backend/traefik.yml | 4 ++++ inventories/vagrant/hosts.yml | 4 ++++ playbooks/site.yml | 8 +++++++- 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/inventories/vagrant/host_vars/backend/traefik.yml b/inventories/vagrant/host_vars/backend/traefik.yml index 5aa720e..9f93d46 100644 --- a/inventories/vagrant/host_vars/backend/traefik.yml +++ b/inventories/vagrant/host_vars/backend/traefik.yml @@ -24,6 +24,10 @@ traefik_dmz_exposed_services: domain: authentik.local.test port: 443 protocol: https + - name: opencloud + domain: opencloud.local.test + port: 443 + protocol: https # Example: Add more services as you deploy them # - name: forgejo # domain: git.example.com diff --git a/inventories/vagrant/hosts.yml b/inventories/vagrant/hosts.yml index e3bf998..dd0bb12 100644 --- a/inventories/vagrant/hosts.yml +++ b/inventories/vagrant/hosts.yml @@ -58,5 +58,9 @@ all: backend: nextcloud_servers: + hosts: + backend: + + opencloud_servers: hosts: backend: \ No newline at end of file diff --git a/playbooks/site.yml b/playbooks/site.yml index 99773a1..67b417c 100644 --- a/playbooks/site.yml +++ b/playbooks/site.yml @@ -39,4 +39,10 @@ hosts: authentik_servers become: yes roles: - - digitalboard.core.authentik \ No newline at end of file + - digitalboard.core.authentik + +- name: Deploy opencloud service + hosts: opencloud_servers + become: yes + roles: + - digitalboard.core.opencloud \ No newline at end of file From ad1f8a1999b8ebcfb02844d903980c732d7aaa5d Mon Sep 17 00:00:00 2001 From: Bert-Jan Fikse Date: Thu, 5 Mar 2026 15:36:12 +0100 Subject: [PATCH 06/21] feat: add oidc provisioning for opencloud Signed-off-by: Bert-Jan Fikse --- .../vagrant/host_vars/backend/keycloak.yml | 11 +++++++++++ .../vagrant/host_vars/backend/opencloud.yml | 15 +++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 inventories/vagrant/host_vars/backend/opencloud.yml 
diff --git a/inventories/vagrant/host_vars/backend/keycloak.yml b/inventories/vagrant/host_vars/backend/keycloak.yml index 7b0f5d5..dd14440 100644 --- a/inventories/vagrant/host_vars/backend/keycloak.yml +++ b/inventories/vagrant/host_vars/backend/keycloak.yml @@ -52,6 +52,17 @@ keycloak_oidc_clients: - openid - email - profile + - client_id: opencloud + name: "OpenCloud" + client_secret: "opencloud-secret-change-in-production" + redirect_uris: + - "https://opencloud.local.test/" + - "https://opencloud.local.test/oidc-callback.html" + - "https://opencloud.local.test/oidc-silent-redirect.html" + default_client_scopes: + - openid + - email + - profile # Identity providers (external login sources) # Uncomment and configure for production use with real credentials diff --git a/inventories/vagrant/host_vars/backend/opencloud.yml b/inventories/vagrant/host_vars/backend/opencloud.yml new file mode 100644 index 0000000..286befe --- /dev/null +++ b/inventories/vagrant/host_vars/backend/opencloud.yml @@ -0,0 +1,15 @@ +opencloud_domain: "opencloud.local.test" +opencloud_admin_password: "admin" +opencloud_extra_hosts: + - "opencloud.local.test:host-gateway" + - "keycloak.local.test:host-gateway" + +# OIDC configuration (Keycloak) +opencloud_oidc_issuer: "https://keycloak.local.test/realms/vagrant" +opencloud_oidc_client_id: "opencloud" +opencloud_oidc_client_secret: "opencloud-secret-change-in-production" +opencloud_oidc_account_edit_url: "https://keycloak.local.test/realms/vagrant/account" + +# Allow OpenCloud to connect to Keycloak for OIDC discovery +opencloud_csp_extra_connect_src: + - "https://keycloak.local.test/" \ No newline at end of file From 6e115c20c7352f02becd3f553b886ba2d1339480 Mon Sep 17 00:00:00 2001 From: Bert-Jan Fikse Date: Thu, 5 Mar 2026 16:24:12 +0100 Subject: [PATCH 07/21] feat: add s3 storage provisioning for opencloud 
Signed-off-by: Bert-Jan Fikse --- inventories/vagrant/host_vars/backend/garage.yml | 6 +++++- inventories/vagrant/host_vars/backend/opencloud.yml | 8 ++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/inventories/vagrant/host_vars/backend/garage.yml b/inventories/vagrant/host_vars/backend/garage.yml index dd139e9..56cb1a9 100644 --- a/inventories/vagrant/host_vars/backend/garage.yml +++ b/inventories/vagrant/host_vars/backend/garage.yml @@ -17,4 +17,8 @@ garage_s3_keys: - name: "nextcloud-backup" buckets: - name: "nextcloud" - permissions: ["read"] \ No newline at end of file + permissions: ["read"] + - name: "opencloud" + buckets: + - name: "opencloud" + permissions: ["read", "write"] \ No newline at end of file diff --git a/inventories/vagrant/host_vars/backend/opencloud.yml b/inventories/vagrant/host_vars/backend/opencloud.yml index 286befe..627e601 100644 --- a/inventories/vagrant/host_vars/backend/opencloud.yml +++ b/inventories/vagrant/host_vars/backend/opencloud.yml @@ -3,6 +3,7 @@ opencloud_admin_password: "admin" opencloud_extra_hosts: - "opencloud.local.test:host-gateway" - "keycloak.local.test:host-gateway" + - "storage.local.test:192.168.56.11" # OIDC configuration (Keycloak) opencloud_oidc_issuer: "https://keycloak.local.test/realms/vagrant" 
@@ -10,6 +11,13 @@ opencloud_oidc_client_id: "opencloud" opencloud_oidc_client_secret: "opencloud-secret-change-in-production" opencloud_oidc_account_edit_url: "https://keycloak.local.test/realms/vagrant/account" +# S3 storage configuration using Garage +opencloud_use_s3_storage: true +opencloud_s3_endpoint: "http://{{ hostvars['backend']['garage_s3_domain'] }}" +opencloud_s3_access_key: "{{ lookup('digitalboard.core.garage_credentials', 'opencloud', host='backend')['key_id'] }}" +opencloud_s3_secret_key: "{{ lookup('digitalboard.core.garage_credentials', 'opencloud', host='backend')['secret_key'] }}" +opencloud_s3_bucket: "opencloud" + # Allow OpenCloud to connect to Keycloak for OIDC discovery opencloud_csp_extra_connect_src: - "https://keycloak.local.test/" \ No newline at end of file From dd087fb5e2179add1b4ff5b5e0f0b17f5846fce9 Mon Sep 17 00:00:00 2001 From: Bert-Jan Fikse Date: Thu, 5 Mar 2026 17:09:06 +0100 Subject: [PATCH 08/21] chore: add central collabora service instead of providing one for owncloud and nextcloud separately Signed-off-by: Bert-Jan Fikse --- inventories/vagrant/host_vars/backend/collabora.yml | 6 ++++++ inventories/vagrant/host_vars/backend/traefik.yml | 2 +- inventories/vagrant/hosts.yml | 4 ++++ playbooks/site.yml | 6 ++++++ 4 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 inventories/vagrant/host_vars/backend/collabora.yml diff --git a/inventories/vagrant/host_vars/backend/collabora.yml b/inventories/vagrant/host_vars/backend/collabora.yml new file mode 100644 index 0000000..29bae6e --- /dev/null +++ b/inventories/vagrant/host_vars/backend/collabora.yml @@ -0,0 +1,6 @@ +collabora_domain: "office.local.test" + +# Allowed WOPI host domains +collabora_allowed_domains: + - "nextcloud.local.test" + - "opencloud.local.test" \ No newline at end of file diff --git a/inventories/vagrant/host_vars/backend/traefik.yml b/inventories/vagrant/host_vars/backend/traefik.yml index 9f93d46..795fd2e 100644 
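Review bot: `opencloud_s3_endpoint` reaches Garage over plain `http://`, so the signed S3 requests and every object body cross the lab network unencrypted; acceptable for the Vagrant inventory, but unlike the neighbouring OIDC settings nothing marks it as such, so add `# Vagrant only: Garage is reached over plain HTTP; use https in production` above it. The `garage_credentials` lookup is evaluated twice with a hard-coded `host='backend'` inside host_vars of that very host; `host=inventory_hostname` (and `hostvars[inventory_hostname]` on the endpoint line) would survive a host rename, assuming the lookup accepts a templated host.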
--- a/inventories/vagrant/host_vars/backend/traefik.yml +++ b/inventories/vagrant/host_vars/backend/traefik.yml @@ -16,7 +16,7 @@ traefik_dmz_exposed_services: domain: nextcloud.local.test port: 443 protocol: https - - name: nextcloud-collabora + - name: collabora domain: office.local.test port: 443 protocol: https diff --git a/inventories/vagrant/hosts.yml b/inventories/vagrant/hosts.yml index dd0bb12..207f8de 100644 --- a/inventories/vagrant/hosts.yml +++ b/inventories/vagrant/hosts.yml @@ -61,6 +61,10 @@ all: hosts: backend: + collabora_servers: + hosts: + backend: + opencloud_servers: hosts: backend: \ No newline at end of file diff --git a/playbooks/site.yml b/playbooks/site.yml index 67b417c..b7af5f4 100644 --- a/playbooks/site.yml +++ b/playbooks/site.yml @@ -29,6 +29,12 @@ roles: - digitalboard.core.garage +- name: Deploy collabora service + hosts: collabora_servers + become: yes + roles: + - digitalboard.core.collabora + - name: Deploy nextcloud service hosts: nextcloud_servers become: yes From d1eea7f7176f782d7db18e29e445dacffc56431a Mon Sep 17 00:00:00 2001 From: Bert-Jan Fikse Date: Fri, 6 Mar 2026 14:40:55 +0100 Subject: [PATCH 09/21] chore: rename testadmin and testuser to admin and user for simplicity Signed-off-by: Bert-Jan Fikse --- inventories/vagrant/host_vars/backend/keycloak.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/inventories/vagrant/host_vars/backend/keycloak.yml b/inventories/vagrant/host_vars/backend/keycloak.yml index dd14440..5205cfe 100644 --- a/inventories/vagrant/host_vars/backend/keycloak.yml +++ b/inventories/vagrant/host_vars/backend/keycloak.yml @@ -17,14 +17,14 @@ keycloak_groups: # Local users to provision keycloak_local_users: - - username: testadmin + - username: admin first_name: "Test" last_name: "Admin" email: "admin@local.test" password: "admin" groups: - name: admins - - username: testuser + - username: user first_name: "Test" last_name: "User" email: "user@local.test" 
From ef2462a26a477e4ab967423857de8c30aae27a04 Mon Sep 17 00:00:00 2001 From: Bert-Jan Fikse Date: Fri, 6 Mar 2026 17:00:33 +0100 Subject: [PATCH 10/21] chore: ensure we can use the same collabora instance for multiple cloud instances Signed-off-by: Bert-Jan Fikse --- inventories/vagrant/host_vars/backend/collabora.yml | 11 ++++++++++- inventories/vagrant/host_vars/backend/opencloud.yml | 5 +++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/inventories/vagrant/host_vars/backend/collabora.yml b/inventories/vagrant/host_vars/backend/collabora.yml index 29bae6e..88caab8 100644 --- a/inventories/vagrant/host_vars/backend/collabora.yml +++ b/inventories/vagrant/host_vars/backend/collabora.yml @@ -1,6 +1,15 @@ collabora_domain: "office.local.test" +collabora_ssl_verification: false # Allowed WOPI host domains collabora_allowed_domains: - "nextcloud.local.test" - - "opencloud.local.test" \ No newline at end of file + - "wopi.opencloud.local.test" + +# Domains allowed to embed Collabora in an iframe +collabora_frame_ancestors: + - "nextcloud.local.test" + - "opencloud.local.test" + +collabora_extra_hosts: + - "wopi.opencloud.local.test:host-gateway" \ No newline at end of file diff --git a/inventories/vagrant/host_vars/backend/opencloud.yml b/inventories/vagrant/host_vars/backend/opencloud.yml index 627e601..5656f4d 100644 --- a/inventories/vagrant/host_vars/backend/opencloud.yml +++ b/inventories/vagrant/host_vars/backend/opencloud.yml @@ -4,6 +4,7 @@ opencloud_extra_hosts: - "opencloud.local.test:host-gateway" - "keycloak.local.test:host-gateway" - "storage.local.test:192.168.56.11" + - "office.local.test:host-gateway" # OIDC configuration (Keycloak) opencloud_oidc_issuer: "https://keycloak.local.test/realms/vagrant" 
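Review bot: `collabora_ssl_verification: false` switches off certificate checking (presumably towards the WOPI hosts) with no hint that this is a lab-only relaxation, whereas nextcloud.yml tags its equivalents with `# ... in Vagrant`. Add the same marker so the line is not copied into a production inventory verbatim: `collabora_ssl_verification: false  # Vagrant only: do not disable in production`. It would also help to note in the `collabora_allowed_domains` comment that `wopi.opencloud.local.test` must agree with `opencloud_wopi_domain` in opencloud.yml, since the two are coupled only by value.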
@@ -18,6 +19,10 @@ opencloud_s3_access_key: "{{ lookup('digitalboard.core.garage_credentials', 'ope opencloud_s3_secret_key: "{{ lookup('digitalboard.core.garage_credentials', 'opencloud', host='backend')['secret_key'] }}" opencloud_s3_bucket: "opencloud" +# Collabora integration +opencloud_collabora_domain: "office.local.test" +opencloud_wopi_domain: "wopi.opencloud.local.test" + # Allow OpenCloud to connect to Keycloak for OIDC discovery opencloud_csp_extra_connect_src: - "https://keycloak.local.test/" \ No newline at end of file From eb3cc1390be30e4b83ca768dff080b4d3f11ee3f Mon Sep 17 00:00:00 2001 From: Bert-Jan Fikse Date: Fri, 6 Mar 2026 17:54:07 +0100 Subject: [PATCH 11/21] feat: add basic ds389 docker setup and configuration Signed-off-by: Bert-Jan Fikse --- inventories/vagrant/host_vars/backend/389ds.yml | 3 +++ inventories/vagrant/hosts.yml | 4 ++++ playbooks/site.yml | 6 ++++++ 3 files changed, 13 insertions(+) create mode 100644 inventories/vagrant/host_vars/backend/389ds.yml diff --git a/inventories/vagrant/host_vars/backend/389ds.yml b/inventories/vagrant/host_vars/backend/389ds.yml new file mode 100644 index 0000000..f6372c8 --- /dev/null +++ b/inventories/vagrant/host_vars/backend/389ds.yml @@ -0,0 +1,3 @@ +# 389ds LDAP configuration for vagrant environment +ds389_suffix: "dc=local,dc=test" +ds389_root_password: "admin" diff --git a/inventories/vagrant/hosts.yml b/inventories/vagrant/hosts.yml index 207f8de..27cf21d 100644 --- a/inventories/vagrant/hosts.yml +++ b/inventories/vagrant/hosts.yml @@ -49,6 +49,10 @@ all: hosts: backend: + ds389_servers: + hosts: + backend: + authentik_servers: hosts: backend: diff --git a/playbooks/site.yml b/playbooks/site.yml index b7af5f4..51e1004 100644 --- a/playbooks/site.yml +++ b/playbooks/site.yml 
@@ -23,6 +23,12 @@ roles: - digitalboard.core.keycloak +- name: Deploy 389ds LDAP service + hosts: ds389_servers + become: yes + roles: + - digitalboard.core.389ds + - name: Deploy garage service hosts: garage_servers become: yes From f6dc1d82615fdcd25b885901ec92875c569540ca Mon Sep 17 00:00:00 2001 From: Bert-Jan Fikse Date: Fri, 13 Mar 2026 10:46:49 +0100 Subject: [PATCH 12/21] feat: add ldap provisioning to nextcloud Signed-off-by: Bert-Jan Fikse --- .../vagrant/host_vars/backend/nextcloud.yml | 28 ++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/inventories/vagrant/host_vars/backend/nextcloud.yml b/inventories/vagrant/host_vars/backend/nextcloud.yml index 5343040..22b5435 100644 --- a/inventories/vagrant/host_vars/backend/nextcloud.yml +++ b/inventories/vagrant/host_vars/backend/nextcloud.yml @@ -17,6 +17,32 @@ nextcloud_extra_hosts: - "storage.local.test:192.168.56.11" - "keycloak.local.test:192.168.56.11" - "authentik.local.test:192.168.56.11" + - "389ds:192.168.56.11" + +# LDAP backend (pre-create users synced from Keycloak via 389ds) +nextcloud_ldap_enabled: true +nextcloud_ldap_config: + ldapHost: "ldaps://389ds" + ldapPort: "3636" + ldapAgentName: "cn=Directory Manager" + ldapAgentPassword: "admin" + ldapBase: "dc=local,dc=test" + ldapBaseUsers: "ou=users,dc=local,dc=test" + ldapBaseGroups: "dc=local,dc=test" + ldapTLS: "0" + turnOffCertCheck: "1" + ldapUserFilter: "(&(objectclass=inetOrgPerson)(uid=*))" + ldapUserFilterObjectclass: "inetOrgPerson" + ldapLoginFilter: "(&(objectclass=inetOrgPerson)(uid=%uid))" + ldapLoginFilterUsername: "1" + ldapUserDisplayName: "displayName" + ldapEmailAttribute: "mail" + ldapExpertUsernameAttr: "uid" + ldapExpertUUIDUserAttr: "nsuniqueid" + ldapCacheTTL: "600" + ldapPagingSize: "500" + ldapExperiencedAdmin: "1" + ldapConfigurationActive: "1" # OIDC providers for login nextcloud_oidc_providers: 
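Review bot: `ldapAgentName: "cn=Directory Manager"` binds Nextcloud with the 389ds root DN, although as far as this config shows the backend only reads `ou=users` (writes to the directory are done by Keycloak's federation); a dedicated read-only service account scoped to the user subtree would bound what a compromised Nextcloud could do to the directory. opencloud.yml (patch 14) and the Keycloak federation in keycloak.yml (patch 13) bind with the same root DN and password, so the same applies there. `turnOffCertCheck: "1"` disables certificate verification on the LDAPS connection and should carry the file's usual Vagrant marker, e.g. `turnOffCertCheck: "1"  # Vagrant only: 389ds uses a self-signed CA`.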
@@ -26,7 +52,7 @@ nextcloud_oidc_providers: client_secret: "nextcloud-secret-change-in-production" discovery_url: "https://keycloak.local.test/realms/vagrant/.well-known/openid-configuration" scope: "openid email profile" - unique_uid: true + unique_uid: false mapping: uid: preferred_username display_name: name From f1811068861a20d1902fdb2d956fdfb0d033561a Mon Sep 17 00:00:00 2001 From: Bert-Jan Fikse Date: Fri, 13 Mar 2026 10:58:40 +0100 Subject: [PATCH 13/21] feat: add 389ds ldap backend to keycloak Signed-off-by: Bert-Jan Fikse --- .../vagrant/host_vars/backend/keycloak.yml | 106 +++++++++++++++++- playbooks/site.yml | 12 +- 2 files changed, 111 insertions(+), 7 deletions(-) diff --git a/inventories/vagrant/host_vars/backend/keycloak.yml b/inventories/vagrant/host_vars/backend/keycloak.yml index 5205cfe..6692a21 100644 --- a/inventories/vagrant/host_vars/backend/keycloak.yml +++ b/inventories/vagrant/host_vars/backend/keycloak.yml 
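Review bot: Flipping `unique_uid` to `false` changes how Nextcloud derives the account id for Keycloak logins — as far as I recall user_oidc then uses the mapped `preferred_username` directly instead of a hashed, provider-scoped id — which is what lets an OIDC login land on the LDAP-provisioned account of the same name, but it also means every Keycloak username collides with a local or LDAP account of that name. That is intended here because Keycloak users are written to the same 389ds (patch 13), yet nothing in the file says so; add `# false: use preferred_username as-is so OIDC logins map onto the LDAP accounts provisioned via 389ds` next to the line. The provider entry begins above the hunk.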
@@ -77,8 +77,112 @@ keycloak_oidc_clients: # tokenUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/token" # defaultScope: "openid profile email" +# Trust the 389ds self-signed CA cert (production would use ACME certs) +keycloak_truststore_certificates: + - /srv/data/389ds/data/ssca/ca.crt + +# Resolve 389ds hostname from inside the Keycloak container +keycloak_extra_hosts: + - "389ds:192.168.56.11" + +# LDAP user federation (write Keycloak users to 389ds) +keycloak_user_federations: + - name: ldap-389ds + provider_id: ldap + config: + editMode: WRITABLE + syncRegistrations: "true" + importEnabled: "true" + vendor: rhds + connectionUrl: "ldaps://389ds:3636" + usersDn: "ou=users,dc=local,dc=test" + bindDn: "cn=Directory Manager" + bindCredential: "admin" + usernameLDAPAttribute: uid + rdnLDAPAttribute: uid + uuidLDAPAttribute: nsuniqueid + userObjectClasses: "inetOrgPerson, organizationalPerson" + authType: simple + useTruststoreSpi: ldapsOnly + mappers: + - name: "username" + providerId: "user-attribute-ldap-mapper" + providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" + config: + ldap.attribute: "uid" + user.model.attribute: "username" + is.mandatory.in.ldap: "true" + always.read.value.from.ldap: "false" + read.only: "false" + is.binary.attribute: "false" + - name: "email" + providerId: "user-attribute-ldap-mapper" + providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" + config: + ldap.attribute: "mail" + user.model.attribute: "email" + is.mandatory.in.ldap: "false" + always.read.value.from.ldap: "false" + read.only: "false" + is.binary.attribute: "false" + - name: "first name" + providerId: "user-attribute-ldap-mapper" + providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" + config: + ldap.attribute: "givenName" + user.model.attribute: "firstName" + is.mandatory.in.ldap: "true" + always.read.value.from.ldap: "false" + read.only: "false" + is.binary.attribute: "false" + - name: "last name" + providerId: 
"user-attribute-ldap-mapper" + providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" + config: + ldap.attribute: "sn" + user.model.attribute: "lastName" + is.mandatory.in.ldap: "true" + always.read.value.from.ldap: "false" + read.only: "false" + is.binary.attribute: "false" + - name: "full name" + providerId: "full-name-ldap-mapper" + providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" + config: + ldap.full.name.attribute: "cn" + read.only: "false" + write.only: "true" + - name: "display name" + providerId: "full-name-ldap-mapper" + providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" + config: + ldap.full.name.attribute: "displayName" + read.only: "false" + write.only: "true" + - name: "creation date" + providerId: "user-attribute-ldap-mapper" + providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" + config: + ldap.attribute: "createTimestamp" + user.model.attribute: "createTimestamp" + is.mandatory.in.ldap: "false" + always.read.value.from.ldap: "true" + read.only: "true" + is.binary.attribute: "false" + - name: "modify date" + providerId: "user-attribute-ldap-mapper" + providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" + config: + ldap.attribute: "modifyTimestamp" + user.model.attribute: "modifyTimestamp" + is.mandatory.in.ldap: "false" + always.read.value.from.ldap: "true" + read.only: "true" + is.binary.attribute: "false" + # Resources to remove (for cleanup when removing items from above lists) keycloak_removed_users: [] keycloak_removed_groups: [] keycloak_removed_clients: [] -keycloak_removed_identity_providers: [] \ No newline at end of file +keycloak_removed_identity_providers: [] +keycloak_removed_user_federations: [] \ No newline at end of file diff --git a/playbooks/site.yml b/playbooks/site.yml index 51e1004..807dc31 100644 --- a/playbooks/site.yml +++ b/playbooks/site.yml 
@@ -17,18 +17,18 @@ roles: - digitalboard.core.httpbin -- name: Deploy keycloak service - hosts: keycloak_servers - become: yes - roles: - - digitalboard.core.keycloak - - name: Deploy 389ds LDAP service hosts: ds389_servers become: yes roles: - digitalboard.core.389ds +- name: Deploy keycloak service + hosts: keycloak_servers + become: yes + roles: + - digitalboard.core.keycloak + - name: Deploy garage service hosts: garage_servers become: yes From e976ff37c9fbb388114ca4934350c400aef252d3 Mon Sep 17 00:00:00 2001 From: Bert-Jan Fikse Date: Fri, 13 Mar 2026 11:43:11 +0100 Subject: [PATCH 14/21] feat: add ldap backend to opencloud Signed-off-by: Bert-Jan Fikse --- inventories/vagrant/host_vars/backend/opencloud.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/inventories/vagrant/host_vars/backend/opencloud.yml b/inventories/vagrant/host_vars/backend/opencloud.yml index 5656f4d..72e1538 100644 --- a/inventories/vagrant/host_vars/backend/opencloud.yml +++ b/inventories/vagrant/host_vars/backend/opencloud.yml @@ -5,6 +5,7 @@ opencloud_extra_hosts: - "keycloak.local.test:host-gateway" - "storage.local.test:192.168.56.11" - "office.local.test:host-gateway" + - "389ds:192.168.56.11" # OIDC configuration (Keycloak) opencloud_oidc_issuer: "https://keycloak.local.test/realms/vagrant" @@ -23,6 +24,13 @@ opencloud_s3_bucket: "opencloud" opencloud_collabora_domain: "office.local.test" opencloud_wopi_domain: "wopi.opencloud.local.test" +# LDAP backend (users synced from Keycloak via 389ds) +opencloud_ldap_uri: "ldaps://389ds:3636" +opencloud_ldap_bind_dn: "cn=Directory Manager" +opencloud_ldap_bind_password: "admin" +opencloud_ldap_user_base_dn: "ou=users,dc=local,dc=test" +opencloud_ldap_group_base_dn: "ou=groups,dc=local,dc=test" + # Allow OpenCloud to connect to Keycloak for OIDC discovery opencloud_csp_extra_connect_src: - "https://keycloak.local.test/" \ No newline at end of file From 4811b4657fd80d928f3f405c3caeb0c19dc79418 Mon Sep 17 00:00:00 2001 
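Review bot: The keycloak play is moved below the 389ds play, which the federation in keycloak.yml (`connectionUrl: "ldaps://389ds:3636"`, CA read from `/srv/data/389ds/data/ssca/ca.crt`) depends on, but nothing in site.yml records that ordering constraint. A comment above the moved play, `# Must run after 'Deploy 389ds LDAP service': keycloak_user_federations binds to ldaps://389ds:3636 and trusts its CA`, would stop a later reorder from breaking the LDAP federation silently.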
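Review bot: `opencloud_ldap_uri: "ldaps://389ds:3636"` points at a server whose certificate, per the keycloak.yml hunk of PATCH 02, is issued by the 389ds self-signed CA, yet this hunk adds no CA-trust or verification setting for OpenCloud; unless the role disables verification elsewhere, the LDAPS connection will presumably fail validation. Either add the role's CA-certificate setting or state in a comment how trust is established, e.g. `# TLS trust for ldaps://389ds is provided by <where> — confirm`. `opencloud_ldap_bind_dn: "cn=Directory Manager"` also binds a consumer that only reads users and groups as the directory superuser; a read-only account scoped to `ou=users` and `ou=groups` would be the least-privilege choice (the plaintext password is raised on the PATCH 02 keycloak hunk).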
From: Bert-Jan Fikse Date: Fri, 13 Mar 2026 14:37:02 +0100 Subject: [PATCH 15/21] feat: add drawio instance for nextcloud and opencloud Signed-off-by: Bert-Jan Fikse --- inventories/vagrant/host_vars/backend/drawio.yml | 1 + .../vagrant/host_vars/backend/nextcloud.yml | 14 ++++++++++++++ .../vagrant/host_vars/backend/opencloud.yml | 10 ++++++++-- inventories/vagrant/host_vars/backend/traefik.yml | 4 ++++ inventories/vagrant/hosts.yml | 4 ++++ playbooks/site.yml | 6 ++++++ 6 files changed, 37 insertions(+), 2 deletions(-) create mode 100644 inventories/vagrant/host_vars/backend/drawio.yml diff --git a/inventories/vagrant/host_vars/backend/drawio.yml b/inventories/vagrant/host_vars/backend/drawio.yml new file mode 100644 index 0000000..45db5ad --- /dev/null +++ b/inventories/vagrant/host_vars/backend/drawio.yml @@ -0,0 +1 @@ +drawio_domain: "drawio.local.test" \ No newline at end of file diff --git a/inventories/vagrant/host_vars/backend/nextcloud.yml b/inventories/vagrant/host_vars/backend/nextcloud.yml index 22b5435..cbd8825 100644 --- a/inventories/vagrant/host_vars/backend/nextcloud.yml +++ b/inventories/vagrant/host_vars/backend/nextcloud.yml @@ -1,4 +1,18 @@ nextcloud_collabora_disable_cert_verification: true + +# Draw.io integration +nextcloud_enable_drawio: true +nextcloud_drawio_url: "https://drawio.local.test" + +# Apps to install (override defaults to include drawio) +nextcloud_apps_to_install: + - groupfolders + - richdocuments + - spreed + - user_ldap + - user_oidc + - whiteboard + - drawio nextcloud_allow_local_remote_servers: true # Allow requests to local network in Vagrant nextcloud_oidc_allow_selfsigned: true # Allow self-signed certs for OIDC in Vagrant diff --git a/inventories/vagrant/host_vars/backend/opencloud.yml b/inventories/vagrant/host_vars/backend/opencloud.yml index 72e1538..a40c9c1 100644 --- a/inventories/vagrant/host_vars/backend/opencloud.yml +++ b/inventories/vagrant/host_vars/backend/opencloud.yml 
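Review bot: `nextcloud_apps_to_install` replaces the role's entire default list instead of extending it, so any app the role later adds to its defaults is silently dropped for this host; PATCH 19 on this same page already has to re-add `files_lock` and `notify_push` by hand. If the role exposes its default list as a variable, prefer appending to it (`"{{ <role default list variable> + ['drawio'] }}"`, the variable name depends on the role); otherwise the comment `# Apps to install (override defaults to include drawio)` should say that the defaults must be kept in sync manually and which entries are local additions.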
@@ -5,6 +5,7 @@ opencloud_extra_hosts: - "keycloak.local.test:host-gateway" - "storage.local.test:192.168.56.11" - "office.local.test:host-gateway" + - "drawio.local.test:host-gateway" - "389ds:192.168.56.11" # OIDC configuration (Keycloak) @@ -31,6 +32,11 @@ opencloud_ldap_bind_password: "admin" opencloud_ldap_user_base_dn: "ou=users,dc=local,dc=test" opencloud_ldap_group_base_dn: "ou=groups,dc=local,dc=test" -# Allow OpenCloud to connect to Keycloak for OIDC discovery +# Draw.io integration +opencloud_drawio_url: "https://drawio.local.test" + +# CSP configuration opencloud_csp_extra_connect_src: - - "https://keycloak.local.test/" \ No newline at end of file + - "https://keycloak.local.test/" +opencloud_csp_extra_frame_src: + - "https://drawio.local.test/" \ No newline at end of file diff --git a/inventories/vagrant/host_vars/backend/traefik.yml b/inventories/vagrant/host_vars/backend/traefik.yml index 795fd2e..e123dc1 100644 --- a/inventories/vagrant/host_vars/backend/traefik.yml +++ b/inventories/vagrant/host_vars/backend/traefik.yml @@ -28,6 +28,10 @@ traefik_dmz_exposed_services: domain: opencloud.local.test port: 443 protocol: https + - name: drawio + domain: drawio.local.test + port: 443 + protocol: https # Example: Add more services as you deploy them # - name: forgejo # domain: git.example.com diff --git a/inventories/vagrant/hosts.yml b/inventories/vagrant/hosts.yml index 27cf21d..5dcd0c6 100644 --- a/inventories/vagrant/hosts.yml +++ b/inventories/vagrant/hosts.yml @@ -69,6 +69,10 @@ all: hosts: backend: + drawio_servers: + hosts: + backend: + opencloud_servers: hosts: backend: \ No newline at end of file diff --git a/playbooks/site.yml b/playbooks/site.yml index 807dc31..4e75791 100644 --- a/playbooks/site.yml +++ b/playbooks/site.yml 
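Review bot: Replacing `# Allow OpenCloud to connect to Keycloak for OIDC discovery` with the generic `# CSP configuration` drops the only explanation of why `https://keycloak.local.test/` is in `connect-src`; keep the reason on each entry, e.g. `- "https://keycloak.local.test/"  # OIDC discovery/token endpoints` and `- "https://drawio.local.test/"  # embedded editor from opencloud_drawio_url`. The file also still ends without a trailing newline (`\ No newline at end of file` on both sides), which every later hunk of this file keeps touching; adding one here would quiet those diffs.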
@@ -53,6 +53,12 @@ roles: - digitalboard.core.authentik +- name: Deploy drawio service + hosts: drawio_servers + become: yes + roles: + - digitalboard.core.drawio + - name: Deploy opencloud service hosts: opencloud_servers become: yes From 912f1b99e8010cfcd3a064f4bf9246c60b9b19f7 Mon Sep 17 00:00:00 2001 From: Bert-Jan Fikse Date: Fri, 13 Mar 2026 15:22:09 +0100 Subject: [PATCH 16/21] feat: add file_lock and notify_push configuration to nextcloud role Signed-off-by: Bert-Jan Fikse --- inventories/vagrant/host_vars/backend/nextcloud.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/inventories/vagrant/host_vars/backend/nextcloud.yml b/inventories/vagrant/host_vars/backend/nextcloud.yml index cbd8825..2b6d1d0 100644 --- a/inventories/vagrant/host_vars/backend/nextcloud.yml +++ b/inventories/vagrant/host_vars/backend/nextcloud.yml @@ -1,4 +1,5 @@ nextcloud_collabora_disable_cert_verification: true +nextcloud_enable_notify_push: true # Draw.io integration nextcloud_enable_drawio: true From 0b336aa8f8588497507e6318701071f29d3008b9 Mon Sep 17 00:00:00 2001 From: Bert-Jan Fikse Date: Fri, 13 Mar 2026 15:36:33 +0100 Subject: [PATCH 17/21] feat: add group mapper to keycloak ldap backend so we can assign groups in keycloak. Maybe search for an easier way to do this... Signed-off-by: Bert-Jan Fikse --- .../vagrant/host_vars/backend/keycloak.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/inventories/vagrant/host_vars/backend/keycloak.yml b/inventories/vagrant/host_vars/backend/keycloak.yml index 6692a21..3c5e091 100644 --- a/inventories/vagrant/host_vars/backend/keycloak.yml +++ b/inventories/vagrant/host_vars/backend/keycloak.yml 
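Review bot: `become: yes` in the new drawio play uses the YAML 1.1 boolean spelling that yamllint's truthy rule rejects; the canonical form is `become: true`. The surrounding plays use the same spelling, so this is a file-wide style choice rather than a defect of this hunk alone; either switch all plays together or keep the current form for consistency.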
@@ -159,6 +159,25 @@ keycloak_user_federations: ldap.full.name.attribute: "displayName" read.only: "false" write.only: "true" + - name: "groups" + providerId: "group-ldap-mapper" + providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" + config: + groups.dn: "ou=groups,dc=local,dc=test" + group.name.ldap.attribute: "cn" + group.object.classes: "groupOfNames" + membership.ldap.attribute: "member" + membership.attribute.type: "DN" + membership.user.ldap.attribute: "uid" + groups.ldap.filter: "" + mode: "LDAP_ONLY" + user.roles.retrieve.strategy: "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE" + memberof.ldap.attribute: "memberOf" + mapped.group.attributes: "" + drop.non.existing.groups.during.sync: "false" + preserve.group.inheritance: "false" + ignore.missing.groups: "false" + groups.path: "/" - name: "creation date" providerId: "user-attribute-ldap-mapper" providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" From cd4d54e33c02fd745ae4bbfbdc939dc117a09cca Mon Sep 17 00:00:00 2001 From: Bert-Jan Fikse Date: Fri, 13 Mar 2026 15:37:32 +0100 Subject: [PATCH 18/21] feat: nextcloud ability to get groups from ldap backend Signed-off-by: Bert-Jan Fikse --- inventories/vagrant/host_vars/backend/nextcloud.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/inventories/vagrant/host_vars/backend/nextcloud.yml b/inventories/vagrant/host_vars/backend/nextcloud.yml index 2b6d1d0..c2810c6 100644 --- a/inventories/vagrant/host_vars/backend/nextcloud.yml +++ b/inventories/vagrant/host_vars/backend/nextcloud.yml @@ -43,7 +43,6 @@ nextcloud_ldap_config: ldapAgentPassword: "admin" ldapBase: "dc=local,dc=test" ldapBaseUsers: "ou=users,dc=local,dc=test" - ldapBaseGroups: "dc=local,dc=test" ldapTLS: "0" turnOffCertCheck: "1" ldapUserFilter: "(&(objectclass=inetOrgPerson)(uid=*))" 
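Review bot: The new `groups` mapper with `mode: "LDAP_ONLY"` makes `ou=groups,dc=local,dc=test` the store for group membership that Nextcloud (`ldapAdminGroup: "admins"`, PATCH 18) and OpenCloud (`claim_value: admins`, PATCH 21) both turn into admin rights, but nothing in the mapper says so. A comment above the mapper, `# LDAP_ONLY: membership lives in 389ds; the 'admins' group grants admin in Nextcloud and OpenCloud`, would make that privilege boundary reviewable in one place. `membership.user.ldap.attribute: "uid"` appears to be unused while `membership.attribute.type: "DN"` and could be dropped to reduce noise — confirm against the Keycloak mapper docs. The enclosing `keycloak_user_federations` list starts and ends outside the hunk.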
@@ -54,6 +53,12 @@ nextcloud_ldap_config: ldapEmailAttribute: "mail" ldapExpertUsernameAttr: "uid" ldapExpertUUIDUserAttr: "nsuniqueid" + ldapBaseGroups: "ou=groups,dc=local,dc=test" + ldapGroupFilter: "(&(objectClass=groupOfNames))" + ldapGroupFilterObjectclass: "groupOfNames" + ldapGroupDisplayName: "cn" + ldapGroupMemberAssocAttr: "member" + ldapAdminGroup: "admins" ldapCacheTTL: "600" ldapPagingSize: "500" ldapExperiencedAdmin: "1" From c4df67ccf15a12c16228d79035c379512c2ad0f1 Mon Sep 17 00:00:00 2001 From: Bert-Jan Fikse Date: Fri, 13 Mar 2026 15:54:45 +0100 Subject: [PATCH 19/21] fix: add files_lock and notify_push to nextcloud_apps_to_install Signed-off-by: Bert-Jan Fikse --- inventories/vagrant/host_vars/backend/nextcloud.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/inventories/vagrant/host_vars/backend/nextcloud.yml b/inventories/vagrant/host_vars/backend/nextcloud.yml index c2810c6..e4a81e3 100644 --- a/inventories/vagrant/host_vars/backend/nextcloud.yml +++ b/inventories/vagrant/host_vars/backend/nextcloud.yml @@ -14,6 +14,8 @@ nextcloud_apps_to_install: - user_oidc - whiteboard - drawio + - files_lock + - notify_push nextcloud_allow_local_remote_servers: true # Allow requests to local network in Vagrant nextcloud_oidc_allow_selfsigned: true # Allow self-signed certs for OIDC in Vagrant From 096cda6d4a4f6023529272669d56e38fd8f1ec48 Mon Sep 17 00:00:00 2001 From: Bert-Jan Fikse Date: Fri, 13 Mar 2026 16:20:28 +0100 Subject: [PATCH 20/21] fix: do not provision user accounts from oidc in opencloud should be done by ldap Signed-off-by: Bert-Jan Fikse --- inventories/vagrant/host_vars/backend/opencloud.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/inventories/vagrant/host_vars/backend/opencloud.yml b/inventories/vagrant/host_vars/backend/opencloud.yml index a40c9c1..6dd6dc7 100644 --- a/inventories/vagrant/host_vars/backend/opencloud.yml +++ b/inventories/vagrant/host_vars/backend/opencloud.yml 
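Review bot: `ldapAdminGroup: "admins"` grants Nextcloud administrator rights to every member of that LDAP group, which is the most consequential line of the hunk and carries no comment; `ldapAdminGroup: "admins"  # members become Nextcloud admins; group membership is managed in Keycloak (LDAP_ONLY group mapper)` would flag it for anyone copying this inventory to production. `ldapGroupFilter: "(&(objectClass=groupOfNames))"` wraps a single term in `&`, which is redundant — `(objectClass=groupOfNames)` is equivalent and mirrors `ldapGroupFilterObjectclass`. The enclosing `nextcloud_ldap_config` mapping starts outside the hunk.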
@@ -13,6 +13,7 @@ opencloud_oidc_issuer: "https://keycloak.local.test/realms/vagrant" opencloud_oidc_client_id: "opencloud" opencloud_oidc_client_secret: "opencloud-secret-change-in-production" opencloud_oidc_account_edit_url: "https://keycloak.local.test/realms/vagrant/account" +opencloud_oidc_autoprovision_accounts: false # S3 storage configuration using Garage opencloud_use_s3_storage: true From 2c1c01a2d7fc1bc64823ca3561d75dd77468f6c1 Mon Sep 17 00:00:00 2001 From: Bert-Jan Fikse Date: Fri, 13 Mar 2026 16:43:02 +0100 Subject: [PATCH 21/21] feat: opencloud group provisioning via oidc Signed-off-by: Bert-Jan Fikse --- inventories/vagrant/host_vars/backend/opencloud.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/inventories/vagrant/host_vars/backend/opencloud.yml b/inventories/vagrant/host_vars/backend/opencloud.yml index 6dd6dc7..f8fcc79 100644 --- a/inventories/vagrant/host_vars/backend/opencloud.yml +++ b/inventories/vagrant/host_vars/backend/opencloud.yml @@ -36,6 +36,16 @@ opencloud_ldap_group_base_dn: "ou=groups,dc=local,dc=test" # Draw.io integration opencloud_drawio_url: "https://drawio.local.test" +# Role assignment via OIDC (maps LDAP groups from Keycloak token to OpenCloud roles) +opencloud_role_assignment_driver: "oidc" +opencloud_role_mapping: + - role_name: admin + claim_value: admins + - role_name: user + claim_value: users + - role_name: user + claim_value: developers + # CSP configuration opencloud_csp_extra_connect_src: - "https://keycloak.local.test/"
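Review bot: `opencloud_oidc_autoprovision_accounts: false` has a user-visible consequence — an OIDC login for a subject that does not already exist in the LDAP backend will presumably be rejected rather than create an account — and the line carries no comment. `opencloud_oidc_autoprovision_accounts: false  # accounts come from LDAP (opencloud_ldap_*); a user must exist in 389ds before first OIDC login` records the intent the commit message states.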
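Review bot: `opencloud_role_mapping` maps the claim values `admins`, `users` and `developers` to roles, but the hunk never says which token claim carries them or where that claim is produced; nothing visible on this page adds a group-membership protocol mapper to the Keycloak client, so unless the role or the realm configures one, the claim would be absent and presumably no role is assigned. Document the dependency above the block, e.g. `# Requires the Keycloak client to emit LDAP group names in the claim the role reads (claim name not set here — confirm)`. `role_name: user` appears twice; if the role merges duplicate entries that is fine, but a comment stating that several claim values may map to one role, and which entry wins for a user in both `admins` and `users`, would remove the ambiguity.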