2ba0c07cd3
Addresses the WKS PoC review (Notion 2026-05-26). All docs in English. - README: purpose, docs table of contents, annotated repo tree - docs/getting_started.md: prerequisites (WKS account, OIDC, SSH, VPN) + first deploy - docs/ansible.md: playbook table, "Running Ansible", service parameters, cheatsheet - docs/secrets.md: canonical Bao login (moved out of README) + demo defaults - docs/operations.md: full Makefile reference - docs/inventories.md: repo layout, topology, standard folder structure, walkthrough - docs/testing.md: static checks, inventory resolution, smoke test / dry run - remove ARCHITECTURE.md (architecture docs live externally) Also includes the gymburgdorf inventory build-out (bookstack, homarr, opnform, send) and scripts/bao-seed.sh. site.yml keeps a third traefik play (traefik_servers minus the vagrant _dmz/_backend split) so the demo inventories still configure their reverse proxy after the rebase onto main.
60 lines
2.8 KiB
YAML
60 lines
2.8 KiB
YAML
---
|
|
# Bao secret <mount>/data/opnform expected to contain:
|
|
# app_key (must start with "base64:"), jwt_secret, front_api_secret,
|
|
# db_password, admin_password, oidc_client_secret
|
|
_opnform: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/opnform', url=vault_addr) }}"
|
|
_authentik: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount + '/data/authentik', url=vault_addr) }}"
|
|
|
|
opnform_domain: "forms.gymb.souveredu.ch"
|
|
opnform_extra_domains:
|
|
- "forms.int.gymb.souveredu.ch"
|
|
opnform_base_url: "https://forms.gymb.souveredu.ch"
|
|
|
|
opnform_app_key: "{{ _opnform.app_key }}"
|
|
opnform_jwt_secret: "{{ _opnform.jwt_secret }}"
|
|
opnform_front_api_secret: "{{ _opnform.front_api_secret }}"
|
|
opnform_db_password: "{{ _opnform.db_password }}"
|
|
|
|
# Bootstrap admin via API on first run so the manual setup page is
|
|
# skipped. The admin credentials are also required to seed the OIDC
|
|
# IdentityConnection through OpnForm's API (only an authenticated admin
|
|
# can create connections).
|
|
opnform_admin_name: "OpnForm Admin"
|
|
opnform_admin_email: "admin@gymb.souveredu.ch"
|
|
opnform_admin_password: "{{ _opnform.admin_password }}"
|
|
|
|
# OIDC against Authentik. Discovery via the internal FQDN keeps
|
|
# server-to-server traffic in the LAN; Authentik's host-rewrite router
|
|
# rewrites the Host header to auth.gymb.* before the request reaches
|
|
# authentik so the iss claim still matches the public hostname browsers
|
|
# see during login.
|
|
opnform_oidc_enabled: true
|
|
# Issuer must use the public auth.gymb.* FQDN: OpnForm does OIDC
|
|
# discovery and then validates the token's `iss` claim against this
|
|
# value. Authentik emits the public hostname in `iss` (its host-rewrite
|
|
# middleware keeps the claim aligned with what browsers see), so an
|
|
# internal-FQDN issuer here would fail iss validation. The extra_hosts
|
|
# pin below keeps the actual discovery/token/userinfo traffic on the LAN.
|
|
opnform_oidc_issuer: "https://auth.gymb.souveredu.ch/application/o/opnform/"
|
|
opnform_oidc_client_id: "opnform"
|
|
opnform_oidc_client_secret: "{{ _opnform.oidc_client_secret }}"
|
|
opnform_oidc_client_name: "Authentik"
|
|
opnform_oidc_slug: "authentik"
|
|
opnform_oidc_domain: "gymb.souveredu.ch"
|
|
opnform_oidc_admin_group: "opnform-admins"
|
|
|
|
# Disable password login entirely — every user goes through Authentik.
|
|
# All real users have @gymb.souveredu.ch addresses (matching
|
|
# opnform_oidc_domain above), so no password fallback is needed.
|
|
opnform_oidc_force_login: true
|
|
|
|
# Serve a /sso page that jumps straight to Authentik without the email
|
|
# login form. Link users to https://forms.gymb.souveredu.ch/sso.
|
|
opnform_oidc_sso_entrypoint: true
|
|
|
|
# Pin auth.gymb.* to the application host so server-to-server OIDC
|
|
# calls (token, userinfo, jwks — endpoints discovery returns under the
|
|
# public hostname even when discovery itself is fetched via auth.int.*)
|
|
# stay in the LAN.
|
|
opnform_extra_hosts:
|
|
- "auth.gymb.souveredu.ch:172.16.19.101"
|