Digitalboard/reference-ansible
6
1
Fork 0
Code Pull requests Activity Actions
reference-ansible/inventories/demo-gymburgdorf/host_vars/application/drawio.yml
Simon Bärlocher 2ba0c07cd3
docs(reference-ansible): add docs/ tree and document repo, playbooks, Makefile 
Addresses the WKS PoC review (Notion 2026-05-26). All docs in English.
- README: purpose, docs table of contents, annotated repo tree
- docs/getting_started.md: prerequisites (WKS account, OIDC, SSH, VPN) + first deploy
- docs/ansible.md: playbook table, "Running Ansible", service parameters, cheatsheet
- docs/secrets.md: canonical Bao login (moved out of README) + demo defaults
- docs/operations.md: full Makefile reference
- docs/inventories.md: repo layout, topology, standard folder structure, walkthrough
- docs/testing.md: static checks, inventory resolution, smoke test / dry run
- remove ARCHITECTURE.md (architecture docs live externally)

Also includes the gymburgdorf inventory build-out (bookstack, homarr,
opnform, send) and scripts/bao-seed.sh. site.yml keeps a third traefik
play (traefik_servers minus the vagrant _dmz/_backend split) so the demo
inventories still configure their reverse proxy after the rebase onto main.
2026-05-28 11:20:54 +02:00

19 lines
996 B
YAML
Raw Blame History

---
drawio_domain: "draw.gymb.souveredu.ch"
# Internal FQDN the DMZ reverseproxy uses as backend host so its TLS
# verify matches a cert SAN (the canonical IP-only route has no SAN
# and breaks with "cannot validate certificate ... no IP SANs"). Same
# split-horizon pattern as cloud.int.* / auth.int.* / office.int.*.
drawio_extra_domains:
- "draw.int.gymb.souveredu.ch"
# Gate drawio behind the authentik embedded outpost (admins-only —
# enforced by the policy-binding on the authentik proxy application).
# ForwardAuth talks to the embedded outpost on the authentik server's
# in-network address. Going via the public FQDN routes through a second
# traefik hop that strips/rewrites X-Forwarded-Host, which breaks
# authentik's provider matching (it returns 404). Plain HTTP to the
# container is the path docs recommend for the embedded outpost.
drawio_authentik_forward_auth: true
drawio_authentik_forward_auth_url: "http://authentik-server-1:9000/outpost.goauthentik.io/auth/traefik"
View git blame Copy permalink