From 1daa53017e23039ac83a0010b31603b881b176eb Mon Sep 17 00:00:00 2001 From: Kevin Veen-Birkenbach Date: Fri, 26 Sep 2025 16:59:28 +0200 Subject: [PATCH] Refactor BigBlueButton role: - Aligned schema/main.yml credential definitions with consistent spacing - Changed PostgreSQL secret to use random_hex_32 instead of bcrypt - Improved administrator creation logic in tasks/02_administrator.yml: * First try with primary password * Retry with starred password if OIDC is enabled * Fallback to user:set_admin_role if both fail See: https://chatgpt.com/share/68d6aa34-19cc-800f-828a-a5121fda589f --- roles/web-app-bigbluebutton/schema/main.yml | 36 ++++++++--------- .../tasks/02_administrator.yml | 39 +++++++++++++------ 2 files changed, 46 insertions(+), 29 deletions(-) diff --git a/roles/web-app-bigbluebutton/schema/main.yml b/roles/web-app-bigbluebutton/schema/main.yml index fcee8ee6..d70d7328 100644 --- a/roles/web-app-bigbluebutton/schema/main.yml +++ b/roles/web-app-bigbluebutton/schema/main.yml 
@@ -1,25 +1,25 @@ credentials: shared_secret: - description: "Shared secret for BigBlueButton API authentication" - algorithm: "sha256" - validation: "^[a-f0-9]{64}$" + description: "Shared secret for BigBlueButton API authentication" + algorithm: "sha256" + validation: "^[a-f0-9]{64}$" etherpad_api_key: - description: "API key for Etherpad integration" - algorithm: "random_hex_32" - validation: "^[a-zA-Z0-9]{32}$" + description: "API key for Etherpad integration" + algorithm: "random_hex_32" + validation: "^[a-zA-Z0-9]{32}$" rails_secret: - description: "Secret key for Rails backend" - algorithm: "random_hex" - validation: "^[a-f0-9]{128}$" + description: "Secret key for Rails backend" + algorithm: "random_hex" + validation: "^[a-f0-9]{128}$" postgresql_secret: - description: "Password for PostgreSQL user" - algorithm: "bcrypt" - validation: "^\\$2[aby]\\$.{56}$" + description: "Password for PostgreSQL user" + algorithm: "random_hex_32" + validation: "^[a-zA-Z0-9]{32}$" fsesl_password: - description: "Password for FreeSWITCH ESL connection" - algorithm: "alphanumeric_32" - validation: "^.{8,}$" + description: "Password for FreeSWITCH ESL connection" + algorithm: "alphanumeric_32" + validation: "^.{8,}$" turn_secret: - description: "TURN server shared secret" - algorithm: "sha1" - validation: "^[a-f0-9]{40}$" \ No newline at end of file + description: "TURN server shared secret" + algorithm: "sha1" + validation: "^[a-f0-9]{40}$" \ No newline at end of file diff --git a/roles/web-app-bigbluebutton/tasks/02_administrator.yml b/roles/web-app-bigbluebutton/tasks/02_administrator.yml index 081350b8..44f6553f 100644 --- a/roles/web-app-bigbluebutton/tasks/02_administrator.yml +++ b/roles/web-app-bigbluebutton/tasks/02_administrator.yml @@ -1,3 +1,4 @@ +--- - name: "Wait until Greenlight is reachable via Nginx" uri: url: "{{ domains | get_url(application_id, WEB_PROTOCOL) }}" 
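Review bot: `postgresql_secret` switches to `random_hex_32` but keeps the loose `^[a-zA-Z0-9]{32}$` validation copied from `etherpad_api_key`, while the other hex-producing entries in this same file (`shared_secret`, `rails_secret`) are pinned to `^[a-f0-9]{N}$`; if `random_hex_32` does emit lowercase hex, as its name suggests, tighten it to `validation: "^[a-f0-9]{32}$"` so a hand-pasted non-hex value is rejected the same way everywhere (and consider the same fix for `etherpad_api_key`). Inventories that already hold a bcrypt-shaped value (`$2b$...`) will fail the new pattern, and the regenerated value presumably has to be applied to the live PostgreSQL role at the same time, so a comment on the key or the commit message should state that this is a credential rotation with a migration step, not a cosmetic change. The re-emitted `fsesl_password` entry still pairs `alphanumeric_32` with `^.{8,}$`, which accepts values far weaker than the generator produces; worth aligning to `^[a-zA-Z0-9]{32}$` while the file is being touched.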
@@ -13,19 +14,35 @@ changed_when: false - block: - - name: "Create default admin" + - name: "Create admin with primary password" command: cmd: > - {{ docker_compose_command_exec }} greenlight - bundle exec rake admin:create['{{ users.administrator.username | upper }}','{{ users.administrator.email }}','{{ users.administrator.password }}'] + {{ docker_compose_command_exec }} + greenlight + bundle exec rake + admin:create['{{ users.administrator.username | upper }}','{{ users.administrator.email }}','{{ users.administrator.password }}'] chdir: "{{ docker_compose.directories.instance }}" - register: admin_creation_result - # Treat exit codes 0 (created) and 2 (already exists) as success - failed_when: admin_creation_result.rc not in [0,2] - rescue: - - name: "Make existing user administrator" + register: admin_create_primary + when: not BBB_OIDC_ENABLED | bool + + - name: "Retry with starred password when invalid and OIDC enabled" + when: BBB_OIDC_ENABLED | bool command: cmd: > - {{ docker_compose_command_exec }} greenlight - bundle exec rake user:set_admin_role['{{ users.administrator.email }}'] - chdir: "{{ docker_compose.directories.instance }}" \ No newline at end of file + {{ docker_compose_command_exec }} + greenlight + bundle exec rake + admin:create['{{ users.administrator.username | upper }}','{{ users.administrator.email }}','{{ users.administrator.password ~ '*' }}'] + chdir: "{{ docker_compose.directories.instance }}" + register: admin_create_retry + failed_when: admin_create_retry.rc not in [0, 2] + + rescue: + - name: "Make existing user administrator (fallback)" + command: + cmd: > + {{ docker_compose_command_exec }} + greenlight + bundle exec rake + user:set_admin_role['{{ users.administrator.email }}'] + chdir: "{{ docker_compose.directories.instance }}"
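Review bot: Both `admin:create` tasks put `users.administrator.password` on the command line and register the result without `no_log: true`, so whenever `failed_when` trips (or the play runs with `-v`) Ansible prints the full `cmd` including the password to the console and any log callback; add `no_log: true` to "Create admin with primary password" and "Retry with starred password ..." (the `user:set_admin_role` fallback only carries the e-mail and can stay loggable for diagnostics). The primary task also dropped the removed `failed_when` guard, so rc 2 ("already exists" per the deleted comment) now fails on every re-run and is only rescued by `set_admin_role`, which at the same time hides genuine errors such as an unreachable database; restore `failed_when: admin_create_primary.rc not in [0, 2]` as the retry task already does. Since the first task is skipped entirely under OIDC, the second is a branch rather than a retry, and the `~ '*'` suffix it appends means the operator's stored password will not log in as-is; the reason is not stated anywhere in the task, so add a comment above it explaining what the `*` suffix satisfies, and rename it to something like "Create admin with starred password (OIDC enabled)". A password containing `,`, `]` or `'` would presumably also break the `rake task[a,b,c]` argument splitting, which is pre-existing but worth a note now that two tasks depend on it.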