Refactor websocket and Taiga variables

- Introduce WEBSOCKET_PROTOCOL derived from WEB_PROTOCOL (wss if https, else ws). - Replace hardcoded websocket URLs in EspoCRM, Nextcloud and Taiga with {{ WEBSOCKET_PROTOCOL }}. - Fix mautrix-imessage to use ws:// for internal synapse:8008. - Standardize Pixelfed OIDC env spacing. - Refactor Taiga variables to TAIGA_* naming convention and clean up EMAIL_BACKEND definition. See: https://chatgpt.com/share/68af62fa-4dcc-800f-9aaf-cff746daab1e
2025-08-30 07:18:09 +02:00 · 2025-08-27 21:57:04 +02:00
parent c6cd6430bb
commit 12a267827d
11 changed files with 53 additions and 47 deletions
--- a/group_vars/all/00_general.yml
+++ b/group_vars/all/00_general.yml
@@ -26,6 +26,9 @@ HOST_DECIMAL_MARK:        ","
 WEB_PROTOCOL:           "https"       # Web protocol type. Use https or http. If you run local you need to change it to http
 WEB_PORT:               "{{ 443 if WEB_PROTOCOL == 'https' else 80 }}"  # Default port web applications will listen to
 # Websocket
 WEBSOCKET_PROTOCOL:     "{{ 'wss' if WEB_PROTOCOL == 'https' else 'ws' }}"
 # Domain
 PRIMARY_DOMAIN:         "localhost" # Primary Domain of the server
--- a/roles/web-app-espocrm/config/main.yml
+++ b/roles/web-app-espocrm/config/main.yml
@@ -18,7 +18,7 @@ server:
        unsafe-eval:    true
    whitelist:
      connect-src:
-        - wss://espocrm.{{ PRIMARY_DOMAIN }}
+        - {{ WEBSOCKET_PROTOCOL }}://espocrm.{{ PRIMARY_DOMAIN }}
        - "data:"
      frame-src:
        - https://s.espocrm.com/
--- a/roles/web-app-espocrm/templates/docker-compose.yml.j2
+++ b/roles/web-app-espocrm/templates/docker-compose.yml.j2
@@ -28,7 +28,7 @@
      driver: journald
    environment:
      - ESPOCRM_CONFIG_USE_WEB_SOCKET=true
-      - ESPOCRM_CONFIG_WEB_SOCKET_URL=wss://{{ domains | get_domain(application_id) }}/ws
+      - ESPOCRM_CONFIG_WEB_SOCKET_URL={{ WEBSOCKET_PROTOCOL }}://{{ domains | get_domain(application_id) }}/ws
      - ESPOCRM_CONFIG_WEB_SOCKET_ZERO_M_Q_SUBSCRIBER_DSN=tcp://*:7777
      - ESPOCRM_CONFIG_WEB_SOCKET_ZERO_M_Q_SUBMISSION_DSN=tcp://websocket:7777
    entrypoint: docker-websocket.sh
--- a/roles/web-app-matrix/templates/mautrix/imessage.config.yml.j2
+++ b/roles/web-app-matrix/templates/mautrix/imessage.config.yml.j2
@@ -6,7 +6,7 @@ homeserver:
    # Only the /_matrix/client/unstable/fi.mau.as_sync websocket endpoint is used on this address.
    #
    # Set to null to disable using the websocket. When not using the websocket, make sure hostname and port are set in the appservice section.
-    websocket_proxy: wss://synapse:8008
+    websocket_proxy: ws://synapse:8008
    # How often should the websocket be pinged? Pinging will be disabled if this is zero.
    ping_interval_seconds: 0
    # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
--- a/roles/web-app-nextcloud/config/main.yml
+++ b/roles/web-app-nextcloud/config/main.yml
@@ -10,11 +10,11 @@ server:
      font-src:
        - "data:"
      connect-src:
-        - "wss://collabora.{{ PRIMARY_DOMAIN }}"
+        - "{{ WEBSOCKET_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}"
        - "{{ WEB_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}"
      frame-src:
        - "{{ WEB_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}"
-        - "wss://collabora.{{ PRIMARY_DOMAIN }}"
+        - "{{ WEBSOCKET_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}"
  domains:
    canonical:
      - "cloud.{{ PRIMARY_DOMAIN }}"
--- a/roles/web-app-pixelfed/templates/env.j2
+++ b/roles/web-app-pixelfed/templates/env.j2
@@ -142,7 +142,7 @@ ENABLE_CONFIG_CACHE=true
 PF_OIDC_ENABLED={{ applications | get_app_conf(application_id, 'features.oidc', False) | string | lower }}
 PF_OIDC_AUTHORIZE_URL="{{ OIDC.CLIENT.AUTHORIZE_URL }}"
-PF_OIDC_TOKEN_URL="{{OIDC.CLIENT.TOKEN_URL}}"
+PF_OIDC_TOKEN_URL="{{ OIDC.CLIENT.TOKEN_URL }}"
 PF_OIDC_PROFILE_URL="{{ OIDC.CLIENT.USER_INFO_URL }}"
 PF_OIDC_LOGOUT_URL="{{OIDC.CLIENT.LOGOUT_URL}}"
 PF_OIDC_USERNAME_FIELD="{{ OIDC.ATTRIBUTES.USERNAME }}"
--- a/roles/web-app-taiga/schema/main.yml
+++ b/roles/web-app-taiga/schema/main.yml
@@ -1,5 +1,5 @@
 credentials:
  secret_key:
-    description: "Django SECRET_KEY used for cryptographic signing in Taiga"
+    description:  "Django SECRET_KEY used for cryptographic signing in Taiga"
-    algorithm: "sha256"
+    algorithm:    "sha256"
-    validation: "^[a-f0-9]{64}$"
+    validation:   "^[a-f0-9]{64}$"
--- a/roles/web-app-taiga/tasks/main.yml
+++ b/roles/web-app-taiga/tasks/main.yml
@@ -3,17 +3,17 @@
  include_role: 
    name: cmp-db-docker-proxy
- name: "copy templates {{ settings_files }} for taiga-contrib-oidc-auth"
+- name: "copy templates {{ TAIGA_SETTING_FILES }} for taiga-contrib-oidc-auth"
  template:
    src:  "taiga/{{item}}.py.j2"
    dest: "{{ docker_compose.directories.config }}taiga-{{item}}.py"
  when:   applications | get_app_conf(application_id, 'features.oidc', True) and applications | get_app_conf(application_id, 'oidc.flavor', True) == 'taigaio'
  notify: docker compose up
-  loop:   "{{ settings_files }}"
+  loop:   "{{ TAIGA_SETTING_FILES }}"
- name: "create {{docker_compose_init}}"
+- name: "create {{ TAIGA_DOCKER_COMPOSE_INIT }}"
  template:
    src:  "docker-compose-inits.yml.j2"
-    dest:  "{{docker_compose_init}}"
+    dest:  "{{ TAIGA_DOCKER_COMPOSE_INIT }}"
  notify: docker compose up
--- a/roles/web-app-taiga/templates/docker-compose.yml.j2
+++ b/roles/web-app-taiga/templates/docker-compose.yml.j2
@@ -2,7 +2,7 @@
  taiga-back:
 {% include 'roles/docker-container/templates/base.yml.j2' %}
-    image: "{{taiga_image_backend}}:{{ taiga_version }}"
+    image: "{{ TAIGA_DOCKER_IMAGE_BACKEND }}:{{ TAIGA_VERSION }}"
    volumes:
      # These volumens will be used by taiga-back and taiga-async.
      - static-data:/taiga-back/static
@@ -34,7 +34,7 @@
  taiga-async:
 {% include 'roles/docker-container/templates/base.yml.j2' %}
-    image: "{{taiga_image_backend}}:{{ taiga_version }}"
+    image: "{{ TAIGA_DOCKER_IMAGE_BACKEND }}:{{ TAIGA_VERSION }}"
    entrypoint: ["/taiga-back/docker/async_entrypoint.sh"]
    volumes:
      # These volumens will be used by taiga-back and taiga-async.
@@ -44,7 +44,7 @@
 {% if applications | get_app_conf(application_id, 'features.oidc', False) and applications | get_app_conf(application_id, 'oidc.flavor', True) == 'taigaio' %}
-{% for item in settings_files %}
+{% for item in TAIGA_SETTING_FILES %}
      - {{ docker_compose.directories.config }}taiga-{{ item }}.py:/taiga-back/settings/{{ item }}.py:ro
 {% endfor %}
@@ -76,12 +76,12 @@
      taiga:
  taiga-front:
-    image: "{{taiga_image_frontend}}:{{ taiga_version }}"
+    image: "{{TAIGA_DOCKER_IMAGE_FRONTEND}}:{{ TAIGA_VERSION }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
 {% include 'roles/docker-container/templates/networks.yml.j2' %}
      taiga:
 #    volumes:
-#      - {{ taiga_frontend_conf_path }}:/usr/share/nginx/html/conf.json:ro
+#      - {{ TAIGA_FRONTEND_CONF_PATH }}:/usr/share/nginx/html/conf.json:ro
  taiga-events:
    image: taigaio/taiga-events:latest
--- a/roles/web-app-taiga/templates/env.j2
+++ b/roles/web-app-taiga/templates/env.j2
@@ -1,13 +1,13 @@
 # Taiga's URLs - Variables to define where Taiga should be served
-TAIGA_SITES_SCHEME  =   https          # serve Taiga using "http" or "https" (secured) connection
+TAIGA_SITES_SCHEME  =   {{ WEB_PROTOCOL }}         # serve Taiga using "http" or "https" (secured) connection
 TAIGA_SITES_DOMAIN  =   "{{ domains | get_domain(application_id) }}"   # Taiga's base URL
 TAIGA_SUBPATH       =   ""  # it'll be appended to the TAIGA_DOMAIN (use either "" or a "/subpath")
-WEBSOCKETS_SCHEME   =   wss # events connection protocol (use either "ws" or "wss")
+WEBSOCKETS_SCHEME   =   {{ WEBSOCKET_PROTOCOL }} # events connection protocol (use either "ws" or "wss")
 # Taiga's Secret Key - Variable to provide cryptographic signing
-TAIGA_SECRET_KEY    =   "{{applications | get_app_conf(application_id, 'credentials.secret_key', True)}}"
+TAIGA_SECRET_KEY    =   "{{ applications | get_app_conf(application_id, 'credentials.secret_key') }}"
-SECRET_KEY          =   "{{applications | get_app_conf(application_id, 'credentials.secret_key', True)}}"
+SECRET_KEY          =   "{{ applications | get_app_conf(application_id, 'credentials.secret_key') }}"
 # Taiga's Database settings - Variables to create the Taiga database and connect to it
 POSTGRES_USER       =   "{{ database_username }}"       # user to connect to PostgreSQL
@@ -16,18 +16,17 @@ POSTGRES_DB         =   "{{ database_name }}"
 POSTGRES_HOST       =   "{{ database_host }}"
 # Taiga's SMTP settings - Variables to send Taiga's emails to the users
-EMAIL_BACKEND       =   "{{email_backend}}"          # use an SMTP server or display the emails in the console (either "smtp" or "console")
+EMAIL_BACKEND       =   "{{ TAIGA_EMAIL_BACKEND }}"             # use an SMTP server or display the emails in the console (either "smtp" or "console")
-EMAIL_HOST          =   "{{ SYSTEM_EMAIL.HOST }}"      # SMTP server address
+EMAIL_HOST          =   "{{ SYSTEM_EMAIL.HOST }}"               # SMTP server address
-EMAIL_PORT          =   "{{ SYSTEM_EMAIL.PORT }}" # default SMTP port
+EMAIL_PORT          =   "{{ SYSTEM_EMAIL.PORT }}"               # default SMTP port
-EMAIL_HOST_USER     =   "{{ users['no-reply'].email }}"  # user to connect the SMTP server
+EMAIL_HOST_USER     =   "{{ users['no-reply'].email }}"         # user to connect the SMTP server
-EMAIL_HOST_PASSWORD =   "{{ users['no-reply'].mailu_token }}"  # SMTP user's password
+EMAIL_HOST_PASSWORD =   "{{ users['no-reply'].mailu_token }}"   # SMTP user's password
-EMAIL_DEFAULT_FROM  =   "{{ users['no-reply'].email }}"      # default email address for the automated emails
+EMAIL_DEFAULT_FROM  =   "{{ users['no-reply'].email }}"         # default email address for the automated emails
 EMAIL_BACKEND:      =   "django.core.mail.backends.{{email_backend}}.EmailBackend"
 DEFAULT_FROM_EMAIL  =   "{{ users['no-reply'].email }}"
 # EMAIL_USE_TLS/EMAIL_USE_SSL are mutually exclusive (only set one of those to True)
-EMAIL_USE_TLS   =   "{{ SYSTEM_EMAIL.TLS | capitalize }}"         # use TLS (secure) connection with the SMTP server
+EMAIL_USE_TLS   =   "{{ SYSTEM_EMAIL.TLS | capitalize }}"                   # use TLS (secure) connection with the SMTP server
-EMAIL_USE_SSL   =   "{{ 'False' if SYSTEM_EMAIL.START_TLS else 'True' }}" # use implicit TLS (secure) connection with the SMTP server
+EMAIL_USE_SSL   =   "{{ 'False' if SYSTEM_EMAIL.START_TLS else 'True' }}"   # use implicit TLS (secure) connection with the SMTP server
 RABBITMQ_USER=taiga
 RABBITMQ_PASS=taiga
@@ -49,7 +48,7 @@ ENABLE_TELEMETRY    =   True
 {% if applications | get_app_conf(application_id, 'features.oidc', False) %}
-{% if applications | get_app_conf(application_id, 'oidc.flavor', True) == 'taigaio' %}
+{% if applications | get_app_conf(application_id, 'oidc.flavor') == 'taigaio' %}
 # OIDC via taigaio official contrib
 # @See https://github.com/taigaio/taiga-contrib-oidc-auth
@@ -65,14 +64,14 @@ OIDC_OP_JWKS_ENDPOINT="{{ OIDC.CLIENT.CERTS }}"
 {% endif %}
-{% if applications | get_app_conf(application_id, 'oidc.flavor', True) == 'robrotheram' %}
+{% if TAIGA_FLAVOR_ROBROTHERAM %}
 # OIDC via robrotheram
 # @see https://github.com/robrotheram/taiga-contrib-openid-auth
 ENABLE_OPENID=True
 OPENID_URL="{{ OIDC.CLIENT.AUTHORIZE_URL }}"
-OPENID_USER_URL="{{OIDC.CLIENT.USER_INFO_URL}}"
+OPENID_USER_URL="{{ OIDC.CLIENT.USER_INFO_URL }}"
-OPENID_TOKEN_URL="{{OIDC.CLIENT.TOKEN_URL}}"
+OPENID_TOKEN_URL="{{ OIDC.CLIENT.TOKEN_URL }}"
 OPENID_CLIENT_ID="{{ OIDC.CLIENT.ID }}"
 OPENID_CLIENT_SECRET="{{ OIDC.CLIENT.SECRET }}"
 OPENID_NAME="{{ OIDC.BUTTON_TEXT }}"
--- a/roles/web-app-taiga/vars/main.yml
+++ b/roles/web-app-taiga/vars/main.yml
@@ -1,18 +1,22 @@
 # General
 application_id:             "web-app-taiga"
 database_type:              "postgres"
 # Docker
 docker_repository_address:  "https://github.com/taigaio/taiga-docker"
-email_backend:              "smtp"                                      ## use an SMTP server or display the emails in the console (either "smtp" or "console")
+docker_pull_git_repository: true
-docker_compose_init:        "{{ docker_compose.directories.instance }}docker-compose-inits.yml.j2"
+
-taiga_image_backend: >-
+# Taiga
-  {{ 'robrotheram/taiga-back-openid' if applications | get_app_conf(application_id, 'features.oidc', True) and applications | get_app_conf(application_id, 'oidc.flavor', True) == 'robrotheram'
+TAIGA_OIDC_ENABLED:           "{{ applications | get_app_conf(application_id, 'features.oidc') }}"
-     else 'taigaio/taiga-back' }}
+TAIGA_FLAVOR_ROBROTHERAM:     "{{ applications | get_app_conf(application_id, 'oidc.flavor') == 'robrotheram' }}"
-taiga_image_frontend: >-
+TAIGA_ROBROTHERAM_ENABLED:    "{{ TAIGA_OIDC_ENABLED and TAIGA_FLAVOR_ROBROTHERAM }}"
-  {{ 'robrotheram/taiga-front-openid' if applications | get_app_conf(application_id, 'features.oidc', True) and applications | get_app_conf(application_id, 'oidc.flavor', True) == 'robrotheram'
+TAIGA_EMAIL_BACKEND:          "{{ 'smtp' if SYSTEM_EMAIL.SMTP else 'console' }}"  ## use an SMTP server or display the emails in the console (either "smtp" or "console")
-     else 'taigaio/taiga-front' }}
+TAIGA_DOCKER_COMPOSE_INIT:    "{{ [ docker_compose.directories.instance,'docker-compose-inits.yml.j2' ] | path_join }}"
-taiga_frontend_conf_path:   "{{docker_compose.directories.config}}conf.json"
+TAIGA_DOCKER_IMAGE_BACKEND:   "{{ 'robrotheram/taiga-back-openid' if TAIGA_ROBROTHERAM_ENABLED else 'taigaio/taiga-back' }}"
-docker_pull_git_repository:          true
+TAIGA_DOCKER_IMAGE_FRONTEND:  "{{ 'robrotheram/taiga-front-openid' if TAIGA_ROBROTHERAM_ENABLED else 'taigaio/taiga-front' }}"
-settings_files:
+TAIGA_FRONTEND_CONF_PATH:     "{{ [ docker_compose.directories.config,'conf.json' ] | path_join }}"
 TAIGA_SETTING_FILES:
 - urls
 - local
-taiga_version:   "{{ applications | get_app_conf(application_id, 'docker.services.taiga.version', True) }}"
+TAIGA_VERSION:   "{{ applications | get_app_conf(application_id, 'docker.services.taiga.version') }}"