From 12a267827db3da74460b3c2be48befa692b6ea49 Mon Sep 17 00:00:00 2001 From: Kevin Veen-Birkenbach Date: Wed, 27 Aug 2025 21:57:04 +0200 Subject: [PATCH] Refactor websocket and Taiga variables - Introduce WEBSOCKET_PROTOCOL derived from WEB_PROTOCOL (wss if https, else ws). - Replace hardcoded websocket URLs in EspoCRM, Nextcloud and Taiga with {{ WEBSOCKET_PROTOCOL }}. - Fix mautrix-imessage to use ws:// for internal synapse:8008. - Standardize Pixelfed OIDC env spacing. - Refactor Taiga variables to TAIGA_* naming convention and clean up EMAIL_BACKEND definition. See: https://chatgpt.com/share/68af62fa-4dcc-800f-9aaf-cff746daab1e --- group_vars/all/00_general.yml | 3 ++ roles/web-app-espocrm/config/main.yml | 2 +- .../templates/docker-compose.yml.j2 | 2 +- .../templates/mautrix/imessage.config.yml.j2 | 2 +- roles/web-app-nextcloud/config/main.yml | 4 +-- roles/web-app-pixelfed/templates/env.j2 | 2 +- roles/web-app-taiga/schema/main.yml | 6 ++-- roles/web-app-taiga/tasks/main.yml | 8 ++--- .../templates/docker-compose.yml.j2 | 10 +++--- roles/web-app-taiga/templates/env.j2 | 33 +++++++++---------- roles/web-app-taiga/vars/main.yml | 28 +++++++++------- 11 files changed, 53 insertions(+), 47 deletions(-) diff --git a/group_vars/all/00_general.yml b/group_vars/all/00_general.yml index 4e7e2501..acf344f0 100644 --- a/group_vars/all/00_general.yml +++ b/group_vars/all/00_general.yml @@ -26,6 +26,9 @@ HOST_DECIMAL_MARK: "," WEB_PROTOCOL: "https" # Web protocol type. Use https or http. If you run local you need to change it to http WEB_PORT: "{{ 443 if WEB_PROTOCOL == 'https' else 80 }}" # Default port web applications will listen to +# Websocket +WEBSOCKET_PROTOCOL: "{{ 'wss' if WEB_PROTOCOL == 'https' else 'ws' }}" + # Domain PRIMARY_DOMAIN: "localhost" # Primary Domain of the server diff --git a/roles/web-app-espocrm/config/main.yml b/roles/web-app-espocrm/config/main.yml index a090b21e..ccafa5ce 100644 --- a/roles/web-app-espocrm/config/main.yml 
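Review bot: The new `WEBSOCKET_PROTOCOL` line is the only entry in this stanza without a trailing comment, while `WEB_PROTOCOL` and `WEB_PORT` directly above both explain themselves inline, so a reader cannot tell at a glance that this value is derived rather than meant to be set. Add the note on the same line: `WEBSOCKET_PROTOCOL: "{{ 'wss' if WEB_PROTOCOL == 'https' else 'ws' }}"  # Derived from WEB_PROTOCOL: wss for https, ws for http. Do not set directly`. Since every consumer changed in this commit now follows `WEB_PROTOCOL`, the comment is also the right place to say that an http deployment gets plaintext websockets everywhere.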
+++ b/roles/web-app-espocrm/config/main.yml
@@ -18,7 +18,7 @@ server:
 unsafe-eval: true
 whitelist:
 connect-src:
- - wss://espocrm.{{ PRIMARY_DOMAIN }}
+ - {{ WEBSOCKET_PROTOCOL }}://espocrm.{{ PRIMARY_DOMAIN }}
 - "data:"
 frame-src:
 - https://s.espocrm.com/
diff --git a/roles/web-app-espocrm/templates/docker-compose.yml.j2 b/roles/web-app-espocrm/templates/docker-compose.yml.j2
index 8e8ccbbb..dde2e765 100644
--- a/roles/web-app-espocrm/templates/docker-compose.yml.j2
+++ b/roles/web-app-espocrm/templates/docker-compose.yml.j2
@@ -28,7 +28,7 @@
 driver: journald
 environment:
 - ESPOCRM_CONFIG_USE_WEB_SOCKET=true
- - ESPOCRM_CONFIG_WEB_SOCKET_URL=wss://{{ domains | get_domain(application_id) }}/ws
+ - ESPOCRM_CONFIG_WEB_SOCKET_URL={{ WEBSOCKET_PROTOCOL }}://{{ domains | get_domain(application_id) }}/ws
 - ESPOCRM_CONFIG_WEB_SOCKET_ZERO_M_Q_SUBSCRIBER_DSN=tcp://*:7777
 - ESPOCRM_CONFIG_WEB_SOCKET_ZERO_M_Q_SUBMISSION_DSN=tcp://websocket:7777
 entrypoint: docker-websocket.sh
diff --git a/roles/web-app-matrix/templates/mautrix/imessage.config.yml.j2 b/roles/web-app-matrix/templates/mautrix/imessage.config.yml.j2
index babc37e2..1a71edb8 100644
--- a/roles/web-app-matrix/templates/mautrix/imessage.config.yml.j2
+++ b/roles/web-app-matrix/templates/mautrix/imessage.config.yml.j2
@@ -6,7 +6,7 @@ homeserver:
 # Only the /_matrix/client/unstable/fi.mau.as_sync websocket endpoint is used on this address.
 #
 # Set to null to disable using the websocket. When not using the websocket, make sure hostname and port are set in the appservice section.
- websocket_proxy: wss://synapse:8008
+ websocket_proxy: ws://synapse:8008
 # How often should the websocket be pinged? Pinging will be disabled if this is zero.
 ping_interval_seconds: 0
 # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
diff --git a/roles/web-app-nextcloud/config/main.yml b/roles/web-app-nextcloud/config/main.yml
index fdca117d..bcdb5721 100644
--- a/roles/web-app-nextcloud/config/main.yml
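Review bot: The added `connect-src` entry starts with `{{`, which a YAML parser reads as the opening of a flow mapping; if `config/main.yml` is loaded as YAML before Ansible templates its values (as vars files are), this line fails to parse, and the Nextcloud change in the same commit quotes the identical expression. Quote it the same way: `- "{{ WEBSOCKET_PROTOCOL }}://espocrm.{{ PRIMARY_DOMAIN }}"`. If this file is instead rendered as a Jinja template first, the quoting is still harmless and keeps the two roles consistent.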
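Review bot: `websocket_proxy: ws://synapse:8008` hard-codes plaintext where every other file in this commit derives the scheme from `WEBSOCKET_PROTOCOL`, and nothing in the template says why, so a later cleanup is likely to switch it back to `wss://` and break the bridge again. Add a comment above the key, e.g. `# Plain ws on purpose: synapse:8008 is the container-network listener with no TLS, independent of WEB_PROTOCOL`. That choice assumes the compose network is private to this stack; the comment is also the place to record that traffic on this hop is unencrypted.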
+++ b/roles/web-app-nextcloud/config/main.yml @@ -10,11 +10,11 @@ server: font-src: - "data:" connect-src: - - "wss://collabora.{{ PRIMARY_DOMAIN }}" + - "{{ WEBSOCKET_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}" - "{{ WEB_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}" frame-src: - "{{ WEB_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}" - - "wss://collabora.{{ PRIMARY_DOMAIN }}" + - "{{ WEBSOCKET_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}" domains: canonical: - "cloud.{{ PRIMARY_DOMAIN }}" diff --git a/roles/web-app-pixelfed/templates/env.j2 b/roles/web-app-pixelfed/templates/env.j2 index 7c3a8c3c..beb42fb3 100644 --- a/roles/web-app-pixelfed/templates/env.j2 +++ b/roles/web-app-pixelfed/templates/env.j2 @@ -142,7 +142,7 @@ ENABLE_CONFIG_CACHE=true PF_OIDC_ENABLED={{ applications | get_app_conf(application_id, 'features.oidc', False) | string | lower }} PF_OIDC_AUTHORIZE_URL="{{ OIDC.CLIENT.AUTHORIZE_URL }}" -PF_OIDC_TOKEN_URL="{{OIDC.CLIENT.TOKEN_URL}}" +PF_OIDC_TOKEN_URL="{{ OIDC.CLIENT.TOKEN_URL }}" PF_OIDC_PROFILE_URL="{{ OIDC.CLIENT.USER_INFO_URL }}" PF_OIDC_LOGOUT_URL="{{OIDC.CLIENT.LOGOUT_URL}}" PF_OIDC_USERNAME_FIELD="{{ OIDC.ATTRIBUTES.USERNAME }}" diff --git a/roles/web-app-taiga/schema/main.yml b/roles/web-app-taiga/schema/main.yml index 91e0b8d2..7c6418c8 100644 --- a/roles/web-app-taiga/schema/main.yml +++ b/roles/web-app-taiga/schema/main.yml @@ -1,5 +1,5 @@ credentials: secret_key: - description: "Django SECRET_KEY used for cryptographic signing in Taiga" - algorithm: "sha256" - validation: "^[a-f0-9]{64}$" \ No newline at end of file + description: "Django SECRET_KEY used for cryptographic signing in Taiga" + algorithm: "sha256" + validation: "^[a-f0-9]{64}$" \ No newline at end of file diff --git a/roles/web-app-taiga/tasks/main.yml b/roles/web-app-taiga/tasks/main.yml index 932eca13..bdc2d334 100644 --- a/roles/web-app-taiga/tasks/main.yml +++ b/roles/web-app-taiga/tasks/main.yml 
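Review bot: The second changed line keeps a websocket URL under `frame-src`; a `frame-src` source expression only matches documents loaded into frames over http(s), so a `wss://` (or, after this change, `ws://`) entry there never matches anything and only makes the policy look broader than it is. Dropping that entry and keeping `- "{{ WEB_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}"` is enough for the iframe, and the websocket is already covered by the `connect-src` entry above. This was already true of the old `wss://` line, so it is a cleanup rather than a regression introduced here.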
@@ -3,17 +3,17 @@ include_role: name: cmp-db-docker-proxy -- name: "copy templates {{ settings_files }} for taiga-contrib-oidc-auth" +- name: "copy templates {{ TAIGA_SETTING_FILES }} for taiga-contrib-oidc-auth" template: src: "taiga/{{item}}.py.j2" dest: "{{ docker_compose.directories.config }}taiga-{{item}}.py" when: applications | get_app_conf(application_id, 'features.oidc', True) and applications | get_app_conf(application_id, 'oidc.flavor', True) == 'taigaio' notify: docker compose up - loop: "{{ settings_files }}" + loop: "{{ TAIGA_SETTING_FILES }}" -- name: "create {{docker_compose_init}}" +- name: "create {{ TAIGA_DOCKER_COMPOSE_INIT }}" template: src: "docker-compose-inits.yml.j2" - dest: "{{docker_compose_init}}" + dest: "{{ TAIGA_DOCKER_COMPOSE_INIT }}" notify: docker compose up diff --git a/roles/web-app-taiga/templates/docker-compose.yml.j2 b/roles/web-app-taiga/templates/docker-compose.yml.j2 index a0428778..eacae4a7 100644 --- a/roles/web-app-taiga/templates/docker-compose.yml.j2 +++ b/roles/web-app-taiga/templates/docker-compose.yml.j2 @@ -2,7 +2,7 @@ taiga-back: {% include 'roles/docker-container/templates/base.yml.j2' %} - image: "{{taiga_image_backend}}:{{ taiga_version }}" + image: "{{ TAIGA_DOCKER_IMAGE_BACKEND }}:{{ TAIGA_VERSION }}" volumes: # These volumens will be used by taiga-back and taiga-async. - static-data:/taiga-back/static @@ -34,7 +34,7 @@ taiga-async: {% include 'roles/docker-container/templates/base.yml.j2' %} - image: "{{taiga_image_backend}}:{{ taiga_version }}" + image: "{{ TAIGA_DOCKER_IMAGE_BACKEND }}:{{ TAIGA_VERSION }}" entrypoint: ["/taiga-back/docker/async_entrypoint.sh"] volumes: # These volumens will be used by taiga-back and taiga-async. 
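Review bot: The copy task's `when:` still evaluates `applications | get_app_conf(application_id, 'features.oidc', True)` and the flavor lookup inline, although this commit introduces `TAIGA_OIDC_ENABLED` and `TAIGA_FLAVOR_ROBROTHERAM` in vars/main.yml for exactly these checks; keeping both forms lets the task and the template's `{% if %}` guards drift apart, and they already differ on the third `get_app_conf` argument, which vars/main.yml and env.j2 now omit. Consider `when: TAIGA_OIDC_ENABLED | bool and applications | get_app_conf(application_id, 'oidc.flavor') == 'taigaio'` so the role reads the flag from one place. The task list continues above this hunk.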
@@ -44,7 +44,7 @@ {% if applications | get_app_conf(application_id, 'features.oidc', False) and applications | get_app_conf(application_id, 'oidc.flavor', True) == 'taigaio' %} -{% for item in settings_files %} +{% for item in TAIGA_SETTING_FILES %} - {{ docker_compose.directories.config }}taiga-{{ item }}.py:/taiga-back/settings/{{ item }}.py:ro {% endfor %} @@ -76,12 +76,12 @@ taiga: taiga-front: - image: "{{taiga_image_frontend}}:{{ taiga_version }}" + image: "{{TAIGA_DOCKER_IMAGE_FRONTEND}}:{{ TAIGA_VERSION }}" {% include 'roles/docker-container/templates/base.yml.j2' %} {% include 'roles/docker-container/templates/networks.yml.j2' %} taiga: # volumes: -# - {{ taiga_frontend_conf_path }}:/usr/share/nginx/html/conf.json:ro +# - {{ TAIGA_FRONTEND_CONF_PATH }}:/usr/share/nginx/html/conf.json:ro taiga-events: image: taigaio/taiga-events:latest diff --git a/roles/web-app-taiga/templates/env.j2 b/roles/web-app-taiga/templates/env.j2 index 8b2a8ec9..5a3ef44f 100644 --- a/roles/web-app-taiga/templates/env.j2 +++ b/roles/web-app-taiga/templates/env.j2 
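Review bot: The frontend image line in the last hunk is written as `{{TAIGA_DOCKER_IMAGE_FRONTEND}}` without inner spaces, while the two backend `image:` lines changed earlier in this file and every other renamed reference in the commit use `{{ NAME }}`; since the commit explicitly standardizes spacing elsewhere, this one should match: `image: "{{ TAIGA_DOCKER_IMAGE_FRONTEND }}:{{ TAIGA_VERSION }}"`. The `taiga-events` service a few lines below still pulls `taigaio/taiga-events:latest`; it is untouched context here, but now that the stack has a `TAIGA_VERSION`, pinning that image to a tag as well (its own or the shared one, whichever the upstream images align on) would keep deployments reproducible. The `taiga-front` service definition continues past the end of this hunk.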
@@ -1,13 +1,13 @@ # Taiga's URLs - Variables to define where Taiga should be served -TAIGA_SITES_SCHEME = https # serve Taiga using "http" or "https" (secured) connection +TAIGA_SITES_SCHEME = {{ WEB_PROTOCOL }} # serve Taiga using "http" or "https" (secured) connection TAIGA_SITES_DOMAIN = "{{ domains | get_domain(application_id) }}" # Taiga's base URL TAIGA_SUBPATH = "" # it'll be appended to the TAIGA_DOMAIN (use either "" or a "/subpath") -WEBSOCKETS_SCHEME = wss # events connection protocol (use either "ws" or "wss") +WEBSOCKETS_SCHEME = {{ WEBSOCKET_PROTOCOL }} # events connection protocol (use either "ws" or "wss") # Taiga's Secret Key - Variable to provide cryptographic signing -TAIGA_SECRET_KEY = "{{applications | get_app_conf(application_id, 'credentials.secret_key', True)}}" -SECRET_KEY = "{{applications | get_app_conf(application_id, 'credentials.secret_key', True)}}" +TAIGA_SECRET_KEY = "{{ applications | get_app_conf(application_id, 'credentials.secret_key') }}" +SECRET_KEY = "{{ applications | get_app_conf(application_id, 'credentials.secret_key') }}" # Taiga's Database settings - Variables to create the Taiga database and connect to it POSTGRES_USER = "{{ database_username }}" # user to connect to PostgreSQL 
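Review bot: The two secret-key lines drop the third `True` argument from `get_app_conf(application_id, 'credentials.secret_key')`, while the same commit keeps it in tasks/main.yml and in the `features.oidc` lookup of docker-compose.yml.j2 and drops it again in the later env.j2 hunk and in vars/main.yml. What that argument controls is not visible in this patch, but if it selects a strict or required lookup, a missing `credentials.secret_key` would now render an empty `SECRET_KEY` instead of failing the run, and this is the one value in the file that must never be blank. Either keep `True` on these two lines or add a comment stating that the lookup's default behaviour is intentionally accepted for this key.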
@@ -16,18 +16,17 @@ POSTGRES_DB = "{{ database_name }}" POSTGRES_HOST = "{{ database_host }}" # Taiga's SMTP settings - Variables to send Taiga's emails to the users -EMAIL_BACKEND = "{{email_backend}}" # use an SMTP server or display the emails in the console (either "smtp" or "console") -EMAIL_HOST = "{{ SYSTEM_EMAIL.HOST }}" # SMTP server address -EMAIL_PORT = "{{ SYSTEM_EMAIL.PORT }}" # default SMTP port -EMAIL_HOST_USER = "{{ users['no-reply'].email }}" # user to connect the SMTP server -EMAIL_HOST_PASSWORD = "{{ users['no-reply'].mailu_token }}" # SMTP user's password -EMAIL_DEFAULT_FROM = "{{ users['no-reply'].email }}" # default email address for the automated emails -EMAIL_BACKEND: = "django.core.mail.backends.{{email_backend}}.EmailBackend" +EMAIL_BACKEND = "{{ TAIGA_EMAIL_BACKEND }}" # use an SMTP server or display the emails in the console (either "smtp" or "console") +EMAIL_HOST = "{{ SYSTEM_EMAIL.HOST }}" # SMTP server address +EMAIL_PORT = "{{ SYSTEM_EMAIL.PORT }}" # default SMTP port +EMAIL_HOST_USER = "{{ users['no-reply'].email }}" # user to connect the SMTP server +EMAIL_HOST_PASSWORD = "{{ users['no-reply'].mailu_token }}" # SMTP user's password +EMAIL_DEFAULT_FROM = "{{ users['no-reply'].email }}" # default email address for the automated emails DEFAULT_FROM_EMAIL = "{{ users['no-reply'].email }}" # EMAIL_USE_TLS/EMAIL_USE_SSL are mutually exclusive (only set one of those to True) -EMAIL_USE_TLS = "{{ SYSTEM_EMAIL.TLS | capitalize }}" # use TLS (secure) connection with the SMTP server -EMAIL_USE_SSL = "{{ 'False' if SYSTEM_EMAIL.START_TLS else 'True' }}" # use implicit TLS (secure) connection with the SMTP server +EMAIL_USE_TLS = "{{ SYSTEM_EMAIL.TLS | capitalize }}" # use TLS (secure) connection with the SMTP server +EMAIL_USE_SSL = "{{ 'False' if SYSTEM_EMAIL.START_TLS else 'True' }}" # use implicit TLS (secure) connection with the SMTP server RABBITMQ_USER=taiga RABBITMQ_PASS=taiga 
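Review bot: `EMAIL_USE_TLS` and `EMAIL_USE_SSL` are still derived independently — the first from `SYSTEM_EMAIL.TLS`, the second from `SYSTEM_EMAIL.START_TLS` — so the comment above them that they are mutually exclusive is not enforced: with `TLS` true and `START_TLS` false both render as `"True"`, a combination Django's SMTP backend refuses, and with `TLS` false and `START_TLS` true both render as `"False"` and mail leaves in cleartext. Assuming `TLS` means "encrypt at all" and `START_TLS` selects STARTTLS over implicit TLS, deriving both from the pair keeps them exclusive: `EMAIL_USE_TLS = "{{ 'True' if (SYSTEM_EMAIL.TLS and SYSTEM_EMAIL.START_TLS) else 'False' }}"` and `EMAIL_USE_SSL = "{{ 'True' if (SYSTEM_EMAIL.TLS and not SYSTEM_EMAIL.START_TLS) else 'False' }}"`. The meaning of the two `SYSTEM_EMAIL` flags is not visible in this patch, so confirm it before changing the lines.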
@@ -49,7 +48,7 @@ ENABLE_TELEMETRY = True {% if applications | get_app_conf(application_id, 'features.oidc', False) %} -{% if applications | get_app_conf(application_id, 'oidc.flavor', True) == 'taigaio' %} +{% if applications | get_app_conf(application_id, 'oidc.flavor') == 'taigaio' %} # OIDC via taigaio official contrib # @See https://github.com/taigaio/taiga-contrib-oidc-auth @@ -65,14 +64,14 @@ OIDC_OP_JWKS_ENDPOINT="{{ OIDC.CLIENT.CERTS }}" {% endif %} -{% if applications | get_app_conf(application_id, 'oidc.flavor', True) == 'robrotheram' %} +{% if TAIGA_FLAVOR_ROBROTHERAM %} # OIDC via robrotheram # @see https://github.com/robrotheram/taiga-contrib-openid-auth ENABLE_OPENID=True OPENID_URL="{{ OIDC.CLIENT.AUTHORIZE_URL }}" -OPENID_USER_URL="{{OIDC.CLIENT.USER_INFO_URL}}" -OPENID_TOKEN_URL="{{OIDC.CLIENT.TOKEN_URL}}" +OPENID_USER_URL="{{ OIDC.CLIENT.USER_INFO_URL }}" +OPENID_TOKEN_URL="{{ OIDC.CLIENT.TOKEN_URL }}" OPENID_CLIENT_ID="{{ OIDC.CLIENT.ID }}" OPENID_CLIENT_SECRET="{{ OIDC.CLIENT.SECRET }}" OPENID_NAME="{{ OIDC.BUTTON_TEXT }}" diff --git a/roles/web-app-taiga/vars/main.yml b/roles/web-app-taiga/vars/main.yml index 07c83e3d..4ec7567c 100644 --- a/roles/web-app-taiga/vars/main.yml +++ b/roles/web-app-taiga/vars/main.yml 
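Review bot: `{% if TAIGA_FLAVOR_ROBROTHERAM %}` in the second hunk tests a variable that vars/main.yml defines as the template string `"{{ ... == 'robrotheram' }}"`; if that reaches the template as the text `False` rather than a boolean (which depends on the templar's type conversion in this Ansible setup), a non-empty string is truthy and the robrotheram OpenID block is emitted for the taigaio flavor as well, so both contrib configurations land in the same env file. The idiomatic guard is explicit: `{% if TAIGA_FLAVOR_ROBROTHERAM | bool %}`. The same caveat applies to `TAIGA_ROBROTHERAM_ENABLED: "{{ TAIGA_OIDC_ENABLED and TAIGA_FLAVOR_ROBROTHERAM }}"` in vars/main.yml, where `and` over two rendered strings never yields false, so both operands should carry `| bool` there too. The first hunk still calls `get_app_conf` inline for the `taigaio` branch while this one uses the new variable; giving the taigaio check a matching vars entry would keep the two branches symmetric.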
@@ -1,18 +1,22 @@ +# General application_id: "web-app-taiga" database_type: "postgres" + +# Docker docker_repository_address: "https://github.com/taigaio/taiga-docker" -email_backend: "smtp" ## use an SMTP server or display the emails in the console (either "smtp" or "console") -docker_compose_init: "{{ docker_compose.directories.instance }}docker-compose-inits.yml.j2" -taiga_image_backend: >- - {{ 'robrotheram/taiga-back-openid' if applications | get_app_conf(application_id, 'features.oidc', True) and applications | get_app_conf(application_id, 'oidc.flavor', True) == 'robrotheram' - else 'taigaio/taiga-back' }} -taiga_image_frontend: >- - {{ 'robrotheram/taiga-front-openid' if applications | get_app_conf(application_id, 'features.oidc', True) and applications | get_app_conf(application_id, 'oidc.flavor', True) == 'robrotheram' - else 'taigaio/taiga-front' }} -taiga_frontend_conf_path: "{{docker_compose.directories.config}}conf.json" -docker_pull_git_repository: true -settings_files: +docker_pull_git_repository: true + +# Taiga +TAIGA_OIDC_ENABLED: "{{ applications | get_app_conf(application_id, 'features.oidc') }}" +TAIGA_FLAVOR_ROBROTHERAM: "{{ applications | get_app_conf(application_id, 'oidc.flavor') == 'robrotheram' }}" +TAIGA_ROBROTHERAM_ENABLED: "{{ TAIGA_OIDC_ENABLED and TAIGA_FLAVOR_ROBROTHERAM }}" +TAIGA_EMAIL_BACKEND: "{{ 'smtp' if SYSTEM_EMAIL.SMTP else 'console' }}" ## use an SMTP server or display the emails in the console (either "smtp" or "console") +TAIGA_DOCKER_COMPOSE_INIT: "{{ [ docker_compose.directories.instance,'docker-compose-inits.yml.j2' ] | path_join }}" +TAIGA_DOCKER_IMAGE_BACKEND: "{{ 'robrotheram/taiga-back-openid' if TAIGA_ROBROTHERAM_ENABLED else 'taigaio/taiga-back' }}" +TAIGA_DOCKER_IMAGE_FRONTEND: "{{ 'robrotheram/taiga-front-openid' if TAIGA_ROBROTHERAM_ENABLED else 'taigaio/taiga-front' }}" +TAIGA_FRONTEND_CONF_PATH: "{{ [ docker_compose.directories.config,'conf.json' ] | path_join }}" +TAIGA_SETTING_FILES: - urls - local 
-taiga_version: "{{ applications | get_app_conf(application_id, 'docker.services.taiga.version', True) }}" \ No newline at end of file +TAIGA_VERSION: "{{ applications | get_app_conf(application_id, 'docker.services.taiga.version') }}" \ No newline at end of file
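Review bot: The `TAIGA_EMAIL_BACKEND` line carries its explanation as a trailing `##` comment, which pushes the line well past 120 columns and uses a double hash that yamllint's `comments` rule flags; nothing else in the hunk is documented inline, so move it above the key as `# use an SMTP server or display the emails in the console (either "smtp" or "console")`. The two `path_join` lists are also spaced inconsistently (`[ docker_compose.directories.instance,'docker-compose-inits.yml.j2' ]`); `[docker_compose.directories.instance, 'docker-compose-inits.yml.j2']` is the usual flow-sequence style and reads the same on both lines.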