chore: Deploy Homarr Service

.gitignore

@@ -14,4 +14,37 @@
 /.idea/
 # Ansible
 /collections/ansible_collections/
-.vagrant/
+/.vagrant/bundler/global.sol
+/.vagrant/machines/backend/libvirt/action_provision
+/.vagrant/machines/backend/libvirt/box_meta
+/.vagrant/machines/backend/libvirt/created_networks
+/.vagrant/machines/backend/libvirt/creator_uid
+/.vagrant/machines/backend/libvirt/id
+/.vagrant/machines/backend/libvirt/index_uuid
+/.vagrant/machines/backend/libvirt/private_key
+/.vagrant/machines/backend/libvirt/synced_folders
+/.vagrant/machines/backend/libvirt/vagrant_cwd
+/.vagrant/machines/backend2/libvirt/action_provision
+/.vagrant/machines/backend2/libvirt/box_meta
+/.vagrant/machines/backend2/libvirt/created_networks
+/.vagrant/machines/backend2/libvirt/creator_uid
+/.vagrant/machines/backend2/libvirt/id
+/.vagrant/machines/backend2/libvirt/index_uuid
+/.vagrant/machines/backend2/libvirt/private_key
+/.vagrant/machines/backend2/libvirt/synced_folders
+/.vagrant/machines/backend2/libvirt/vagrant_cwd
+/.vagrant/machines/dmz/libvirt/logs/ssh-forwarding-*_8080-192.168.121.139_80.log
+/.vagrant/machines/dmz/libvirt/logs/ssh-forwarding-*_8443-192.168.121.139_443.log
+/.vagrant/machines/dmz/libvirt/pids/ssh_8080.pid
+/.vagrant/machines/dmz/libvirt/pids/ssh_8443.pid
+/.vagrant/machines/dmz/libvirt/action_provision
+/.vagrant/machines/dmz/libvirt/box_meta
+/.vagrant/machines/dmz/libvirt/created_networks
+/.vagrant/machines/dmz/libvirt/creator_uid
+/.vagrant/machines/dmz/libvirt/id
+/.vagrant/machines/dmz/libvirt/index_uuid
+/.vagrant/machines/dmz/libvirt/private_key
+/.vagrant/machines/dmz/libvirt/synced_folders
+/.vagrant/machines/dmz/libvirt/vagrant_cwd
+/.vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory
+/.vagrant/rgloader/loader.rb

inventories/vagrant/host_vars/backend/389ds.yml

@@ -1,3 +0,0 @@
-# 389ds LDAP configuration for vagrant environment
-ds389_suffix: "dc=local,dc=test"
-ds389_root_password: "admin"

inventories/vagrant/host_vars/backend/authentik.yml

@@ -31,7 +31,7 @@ authentik_oidc_apps:
     client_id_env: NEXTCLOUD_OIDC_CLIENT_ID
     client_secret_env: NEXTCLOUD_OIDC_CLIENT_SECRET
     redirect_uris:
-      - url: "https://nextcloud.local.test/apps/user_oidc/code"
+      - url: "https://nextcloud.local.test/login/generic_oauth"
         matching_mode: strict
     signing_key_name: "authentik Self-signed Certificate"
     flows:

inventories/vagrant/host_vars/backend/collabora.yml

@@ -1,15 +0,0 @@
-collabora_domain: "office.local.test"
-collabora_ssl_verification: false
-
-# Allowed WOPI host domains
-collabora_allowed_domains:
-  - "nextcloud.local.test"
-  - "wopi.opencloud.local.test"
-
-# Domains allowed to embed Collabora in an iframe
-collabora_frame_ancestors:
-  - "nextcloud.local.test"
-  - "opencloud.local.test"
-
-collabora_extra_hosts:
-  - "wopi.opencloud.local.test:host-gateway"

inventories/vagrant/host_vars/backend/drawio.yml

@@ -1 +0,0 @@
-drawio_domain: "drawio.local.test"

inventories/vagrant/host_vars/backend/garage.yml

@@ -17,8 +17,4 @@ garage_s3_keys:
    - name: "nextcloud-backup"
      buckets:
        - name: "nextcloud"
-         permissions: ["read"]
-   - name: "opencloud"
-     buckets:
-       - name: "opencloud"
-         permissions: ["read", "write"]
+         permissions: ["read"]

inventories/vagrant/host_vars/backend/homarr.yml

@@ -0,0 +1,11 @@
+homarr_domain: "home.local.test"
+
+homarr_secret_dir: "{{ playbook_dir }}/secrets/{{ inventory_hostname }}"
+homarr_secret_file: "homarr_secret_encryption_key"
+homarr_secret_length: 64
+
+homarr_secret_encryption_key: >-
+  {{ lookup('ansible.builtin.password',
+            homarr_secret_dir ~ '/' ~ homarr_secret_file,
+            length=homarr_secret_length,
+            chars='hexdigits') }}

inventories/vagrant/host_vars/backend/keycloak.yml

@@ -1,207 +1 @@
-# Keycloak configuration for vagrant environment
-keycloak_domain: keycloak.local.test
-keycloak_admin_password: admin
-
-# Enable provisioning via Keycloak Admin API
-keycloak_provisioning_enabled: true
-
-# Realm configuration
-keycloak_realm: "vagrant"
-keycloak_realm_display_name: "Vagrant Test Realm"
-
-# Groups to provision
-keycloak_groups:
-  - name: admins
-  - name: users
-  - name: developers
-
-# Local users to provision
-keycloak_local_users:
-  - username: admin
-    first_name: "Test"
-    last_name: "Admin"
-    email: "admin@local.test"
-    password: "admin"
-    groups:
-      - name: admins
-  - username: user
-    first_name: "Test"
-    last_name: "User"
-    email: "user@local.test"
-    password: "user"
-    groups:
-      - name: users
-
-# OIDC clients to provision
-keycloak_oidc_clients:
-  - client_id: nextcloud
-    name: "Nextcloud"
-    client_secret: "nextcloud-secret-change-in-production"
-    redirect_uris:
-      - "https://nextcloud.local.test/apps/user_oidc/code"
-    default_client_scopes:
-      - openid
-      - email
-      - profile
-  - client_id: httpbin
-    name: "HTTPBin Test App"
-    client_secret: "httpbin-secret-change-in-production"
-    redirect_uris:
-      - "https://httpbin.local.test/callback"
-    default_client_scopes:
-      - openid
-      - email
-      - profile
-  - client_id: opencloud
-    name: "OpenCloud"
-    client_secret: "opencloud-secret-change-in-production"
-    redirect_uris:
-      - "https://opencloud.local.test/"
-      - "https://opencloud.local.test/oidc-callback.html"
-      - "https://opencloud.local.test/oidc-silent-redirect.html"
-    default_client_scopes:
-      - openid
-      - email
-      - profile
-
-# Identity providers (external login sources)
-# Uncomment and configure for production use with real credentials
-# keycloak_identity_providers:
-#   - alias: entra-id
-#     display_name: "Login with Microsoft"
-#     provider_id: oidc
-#     config:
-#       clientId: "your-entra-client-id"
-#       clientSecret: "your-entra-client-secret"
-#       authorizationUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
-#       tokenUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/token"
-#       defaultScope: "openid profile email"
-
-# Trust the 389ds self-signed CA cert (production would use ACME certs)
-keycloak_truststore_certificates:
-  - /srv/data/389ds/data/ssca/ca.crt
-
-# Resolve 389ds hostname from inside the Keycloak container
-keycloak_extra_hosts:
-  - "389ds:192.168.56.11"
-
-# LDAP user federation (write Keycloak users to 389ds)
-keycloak_user_federations:
-  - name: ldap-389ds
-    provider_id: ldap
-    config:
-      editMode: WRITABLE
-      syncRegistrations: "true"
-      importEnabled: "true"
-      vendor: rhds
-      connectionUrl: "ldaps://389ds:3636"
-      usersDn: "ou=users,dc=local,dc=test"
-      bindDn: "cn=Directory Manager"
-      bindCredential: "admin"
-      usernameLDAPAttribute: uid
-      rdnLDAPAttribute: uid
-      uuidLDAPAttribute: nsuniqueid
-      userObjectClasses: "inetOrgPerson, organizationalPerson"
-      authType: simple
-      useTruststoreSpi: ldapsOnly
-    mappers:
-      - name: "username"
-        providerId: "user-attribute-ldap-mapper"
-        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
-        config:
-          ldap.attribute: "uid"
-          user.model.attribute: "username"
-          is.mandatory.in.ldap: "true"
-          always.read.value.from.ldap: "false"
-          read.only: "false"
-          is.binary.attribute: "false"
-      - name: "email"
-        providerId: "user-attribute-ldap-mapper"
-        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
-        config:
-          ldap.attribute: "mail"
-          user.model.attribute: "email"
-          is.mandatory.in.ldap: "false"
-          always.read.value.from.ldap: "false"
-          read.only: "false"
-          is.binary.attribute: "false"
-      - name: "first name"
-        providerId: "user-attribute-ldap-mapper"
-        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
-        config:
-          ldap.attribute: "givenName"
-          user.model.attribute: "firstName"
-          is.mandatory.in.ldap: "true"
-          always.read.value.from.ldap: "false"
-          read.only: "false"
-          is.binary.attribute: "false"
-      - name: "last name"
-        providerId: "user-attribute-ldap-mapper"
-        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
-        config:
-          ldap.attribute: "sn"
-          user.model.attribute: "lastName"
-          is.mandatory.in.ldap: "true"
-          always.read.value.from.ldap: "false"
-          read.only: "false"
-          is.binary.attribute: "false"
-      - name: "full name"
-        providerId: "full-name-ldap-mapper"
-        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
-        config:
-          ldap.full.name.attribute: "cn"
-          read.only: "false"
-          write.only: "true"
-      - name: "display name"
-        providerId: "full-name-ldap-mapper"
-        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
-        config:
-          ldap.full.name.attribute: "displayName"
-          read.only: "false"
-          write.only: "true"
-      - name: "groups"
-        providerId: "group-ldap-mapper"
-        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
-        config:
-          groups.dn: "ou=groups,dc=local,dc=test"
-          group.name.ldap.attribute: "cn"
-          group.object.classes: "groupOfNames"
-          membership.ldap.attribute: "member"
-          membership.attribute.type: "DN"
-          membership.user.ldap.attribute: "uid"
-          groups.ldap.filter: ""
-          mode: "LDAP_ONLY"
-          user.roles.retrieve.strategy: "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE"
-          memberof.ldap.attribute: "memberOf"
-          mapped.group.attributes: ""
-          drop.non.existing.groups.during.sync: "false"
-          preserve.group.inheritance: "false"
-          ignore.missing.groups: "false"
-          groups.path: "/"
-      - name: "creation date"
-        providerId: "user-attribute-ldap-mapper"
-        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
-        config:
-          ldap.attribute: "createTimestamp"
-          user.model.attribute: "createTimestamp"
-          is.mandatory.in.ldap: "false"
-          always.read.value.from.ldap: "true"
-          read.only: "true"
-          is.binary.attribute: "false"
-      - name: "modify date"
-        providerId: "user-attribute-ldap-mapper"
-        providerType: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
-        config:
-          ldap.attribute: "modifyTimestamp"
-          user.model.attribute: "modifyTimestamp"
-          is.mandatory.in.ldap: "false"
-          always.read.value.from.ldap: "true"
-          read.only: "true"
-          is.binary.attribute: "false"
-
-# Resources to remove (for cleanup when removing items from above lists)
-keycloak_removed_users: []
-keycloak_removed_groups: []
-keycloak_removed_clients: []
-keycloak_removed_identity_providers: []
-keycloak_removed_user_federations: []
+keycloak_admin_password: admin

inventories/vagrant/host_vars/backend/nextcloud.yml

@@ -1,23 +1,4 @@
 nextcloud_collabora_disable_cert_verification: true
-nextcloud_enable_notify_push: true
-
-# Draw.io integration
-nextcloud_enable_drawio: true
-nextcloud_drawio_url: "https://drawio.local.test"
-
-# Apps to install (override defaults to include drawio)
-nextcloud_apps_to_install:
-  - groupfolders
-  - richdocuments
-  - spreed
-  - user_ldap
-  - user_oidc
-  - whiteboard
-  - drawio
-  - files_lock
-  - notify_push
-nextcloud_allow_local_remote_servers: true  # Allow requests to local network in Vagrant
-nextcloud_oidc_allow_selfsigned: true  # Allow self-signed certs for OIDC in Vagrant
 
 # S3 storage configuration using Garage
 nextcloud_use_s3_storage: true
@@ -31,62 +12,4 @@ nextcloud_s3_usepath_style: true
 
 # Extra hosts for container DNS resolution (Vagrant only)
 nextcloud_extra_hosts:
-  - "storage.local.test:192.168.56.11"
-  - "keycloak.local.test:192.168.56.11"
-  - "authentik.local.test:192.168.56.11"
-  - "389ds:192.168.56.11"
-
-# LDAP backend (pre-create users synced from Keycloak via 389ds)
-nextcloud_ldap_enabled: true
-nextcloud_ldap_config:
-  ldapHost: "ldaps://389ds"
-  ldapPort: "3636"
-  ldapAgentName: "cn=Directory Manager"
-  ldapAgentPassword: "admin"
-  ldapBase: "dc=local,dc=test"
-  ldapBaseUsers: "ou=users,dc=local,dc=test"
-  ldapTLS: "0"
-  turnOffCertCheck: "1"
-  ldapUserFilter: "(&(objectclass=inetOrgPerson)(uid=*))"
-  ldapUserFilterObjectclass: "inetOrgPerson"
-  ldapLoginFilter: "(&(objectclass=inetOrgPerson)(uid=%uid))"
-  ldapLoginFilterUsername: "1"
-  ldapUserDisplayName: "displayName"
-  ldapEmailAttribute: "mail"
-  ldapExpertUsernameAttr: "uid"
-  ldapExpertUUIDUserAttr: "nsuniqueid"
-  ldapBaseGroups: "ou=groups,dc=local,dc=test"
-  ldapGroupFilter: "(&(objectClass=groupOfNames))"
-  ldapGroupFilterObjectclass: "groupOfNames"
-  ldapGroupDisplayName: "cn"
-  ldapGroupMemberAssocAttr: "member"
-  ldapAdminGroup: "admins"
-  ldapCacheTTL: "600"
-  ldapPagingSize: "500"
-  ldapExperiencedAdmin: "1"
-  ldapConfigurationActive: "1"
-
-# OIDC providers for login
-nextcloud_oidc_providers:
-  - identifier: keycloak
-    display_name: "Login with Keycloak"
-    client_id: "nextcloud"
-    client_secret: "nextcloud-secret-change-in-production"
-    discovery_url: "https://keycloak.local.test/realms/vagrant/.well-known/openid-configuration"
-    scope: "openid email profile"
-    unique_uid: false
-    mapping:
-      uid: preferred_username
-      display_name: name
-      email: email
-  - identifier: authentik
-    display_name: "Login with Authentik"
-    client_id: "test1234"
-    client_secret: "test1234"
-    discovery_url: "https://authentik.local.test/application/o/nextcloud/.well-known/openid-configuration"
-    scope: "openid email profile"
-    unique_uid: true
-    mapping:
-      uid: preferred_username
-      display_name: name
-      email: email
+  - "storage.local.test:192.168.56.11"

inventories/vagrant/host_vars/backend/opencloud.yml

@@ -1,53 +0,0 @@
-opencloud_domain: "opencloud.local.test"
-opencloud_admin_password: "admin"
-opencloud_extra_hosts:
-  - "opencloud.local.test:host-gateway"
-  - "keycloak.local.test:host-gateway"
-  - "storage.local.test:192.168.56.11"
-  - "office.local.test:host-gateway"
-  - "drawio.local.test:host-gateway"
-  - "389ds:192.168.56.11"
-
-# OIDC configuration (Keycloak)
-opencloud_oidc_issuer: "https://keycloak.local.test/realms/vagrant"
-opencloud_oidc_client_id: "opencloud"
-opencloud_oidc_client_secret: "opencloud-secret-change-in-production"
-opencloud_oidc_account_edit_url: "https://keycloak.local.test/realms/vagrant/account"
-opencloud_oidc_autoprovision_accounts: false
-
-# S3 storage configuration using Garage
-opencloud_use_s3_storage: true
-opencloud_s3_endpoint: "http://{{ hostvars['backend']['garage_s3_domain'] }}"
-opencloud_s3_access_key: "{{ lookup('digitalboard.core.garage_credentials', 'opencloud', host='backend')['key_id'] }}"
-opencloud_s3_secret_key: "{{ lookup('digitalboard.core.garage_credentials', 'opencloud', host='backend')['secret_key'] }}"
-opencloud_s3_bucket: "opencloud"
-
-# Collabora integration
-opencloud_collabora_domain: "office.local.test"
-opencloud_wopi_domain: "wopi.opencloud.local.test"
-
-# LDAP backend (users synced from Keycloak via 389ds)
-opencloud_ldap_uri: "ldaps://389ds:3636"
-opencloud_ldap_bind_dn: "cn=Directory Manager"
-opencloud_ldap_bind_password: "admin"
-opencloud_ldap_user_base_dn: "ou=users,dc=local,dc=test"
-opencloud_ldap_group_base_dn: "ou=groups,dc=local,dc=test"
-
-# Draw.io integration
-opencloud_drawio_url: "https://drawio.local.test"
-
-# Role assignment via OIDC (maps LDAP groups from Keycloak token to OpenCloud roles)
-opencloud_role_assignment_driver: "oidc"
-opencloud_role_mapping:
-  - role_name: admin
-    claim_value: admins
-  - role_name: user
-    claim_value: users
-  - role_name: user
-    claim_value: developers
-
-# CSP configuration
-opencloud_csp_extra_connect_src:
-  - "https://keycloak.local.test/"
-opencloud_csp_extra_frame_src:
-  - "https://drawio.local.test/"

inventories/vagrant/host_vars/backend/traefik.yml

@@ -16,7 +16,7 @@ traefik_dmz_exposed_services:
     domain: nextcloud.local.test
     port: 443
     protocol: https
-  - name: collabora
+  - name: nextcloud-collabora
     domain: office.local.test
     port: 443
     protocol: https
@@ -24,12 +24,8 @@ traefik_dmz_exposed_services:
     domain: authentik.local.test
     port: 443
     protocol: https
-  - name: opencloud
-    domain: opencloud.local.test
-    port: 443
-    protocol: https
-  - name: drawio
-    domain: drawio.local.test
+  - name: homarr
+    domain: home.local.test
     port: 443
     protocol: https
   # Example: Add more services as you deploy them

inventories/vagrant/hosts.yml

@@ -49,10 +49,6 @@ all:
       hosts:
         backend:
 
-    ds389_servers:
-      hosts:
-        backend:
-
     authentik_servers:
       hosts:
         backend:
@@ -65,14 +61,6 @@ all:
       hosts:
         backend:
 
-    collabora_servers:
-      hosts:
-        backend:
-
-    drawio_servers:
-      hosts:
-        backend:
-
-    opencloud_servers:
+    homarr_servers:
       hosts:
         backend:

playbooks/site.yml

@@ -5,8 +5,8 @@
   roles:
     - digitalboard.core.base
 
-- name: Configure reverse proxies
-  hosts: traefik_servers
+- name: Configure reverse proxy on application servers
+  hosts: traefik_servers_backend
   become: yes
   roles:
     - digitalboard.core.traefik
@@ -17,12 +17,6 @@
   roles:
     - digitalboard.core.httpbin
 
-- name: Deploy 389ds LDAP service
-  hosts: ds389_servers
-  become: yes
-  roles:
-    - digitalboard.core.389ds
-
 - name: Deploy keycloak service
   hosts: keycloak_servers
   become: yes
@@ -35,12 +29,6 @@
   roles:
     - digitalboard.core.garage
 
-- name: Deploy collabora service
-  hosts: collabora_servers
-  become: yes
-  roles:
-    - digitalboard.core.collabora
-
 - name: Deploy nextcloud service
   hosts: nextcloud_servers
   become: yes
@@ -53,14 +41,14 @@
   roles:
     - digitalboard.core.authentik
 
-- name: Deploy drawio service
-  hosts: drawio_servers
+- name: Deploy homarr service
+  hosts: homarr_servers
   become: yes
   roles:
-    - digitalboard.core.drawio
+    - digitalboard.core.homarr
 
-- name: Deploy opencloud service
-  hosts: opencloud_servers
+- name: Configure reverse proxy on DMZ servers
+  hosts: traefik_servers_dmz
   become: yes
   roles:
-    - digitalboard.core.opencloud
+    - digitalboard.core.traefik