Refactor BigBlueButton role:

- Aligned schema/main.yml credential definitions with consistent spacing - Changed PostgreSQL secret to use random_hex_32 instead of bcrypt - Improved administrator creation logic in tasks/02_administrator.yml: * First try with primary password * Retry with starred password if OIDC is enabled * Fallback to user:set_admin_role if both fail See: https://chatgpt.com/share/68d6aa34-19cc-800f-828a-a5121fda589f
2025-10-10 10:48:10 +02:00 · 2025-09-26 16:59:28 +02:00
parent 9082443753
commit 1daa53017e
2 changed files with 46 additions and 29 deletions
--- a/roles/web-app-bigbluebutton/schema/main.yml
+++ b/roles/web-app-bigbluebutton/schema/main.yml
@@ -1,25 +1,25 @@
 credentials:
  shared_secret:
-    description: "Shared secret for BigBlueButton API authentication"
-    algorithm: "sha256"
-    validation: "^[a-f0-9]{64}$"
+    description:  "Shared secret for BigBlueButton API authentication"
+    algorithm:    "sha256"
+    validation:   "^[a-f0-9]{64}$"
  etherpad_api_key:
-    description: "API key for Etherpad integration"
-    algorithm: "random_hex_32"
-    validation: "^[a-zA-Z0-9]{32}$"
+    description:  "API key for Etherpad integration"
+    algorithm:    "random_hex_32"
+    validation:   "^[a-zA-Z0-9]{32}$"
  rails_secret:
-    description: "Secret key for Rails backend"
-    algorithm: "random_hex"
-    validation: "^[a-f0-9]{128}$"
+    description:  "Secret key for Rails backend"
+    algorithm:    "random_hex"
+    validation:   "^[a-f0-9]{128}$"
  postgresql_secret:
-    description: "Password for PostgreSQL user"
-    algorithm: "bcrypt"
-    validation: "^\\$2[aby]\\$.{56}$"
+    description:  "Password for PostgreSQL user"
+    algorithm:    "random_hex_32"
+    validation:   "^[a-zA-Z0-9]{32}$"
  fsesl_password:
-    description: "Password for FreeSWITCH ESL connection"
-    algorithm: "alphanumeric_32"
-    validation: "^.{8,}$"
+    description:  "Password for FreeSWITCH ESL connection"
+    algorithm:    "alphanumeric_32"
+    validation:   "^.{8,}$"
  turn_secret:
-    description: "TURN server shared secret"
-    algorithm: "sha1"
-    validation: "^[a-f0-9]{40}$"
+    description:  "TURN server shared secret"
+    algorithm:    "sha1"
+    validation:   "^[a-f0-9]{40}$"
--- a/roles/web-app-bigbluebutton/tasks/02_administrator.yml
+++ b/roles/web-app-bigbluebutton/tasks/02_administrator.yml
@@ -1,3 +1,4 @@
+---
 - name: "Wait until Greenlight is reachable via Nginx"
  uri:
    url: "{{ domains | get_url(application_id, WEB_PROTOCOL) }}"
@@ -13,19 +14,35 @@
  changed_when: false

 - block:
-    - name: "Create default admin"
+    - name: "Create admin with primary password"
      command:
        cmd: >
-            {{ docker_compose_command_exec }} greenlight
-            bundle exec rake admin:create['{{ users.administrator.username | upper }}','{{ users.administrator.email }}','{{ users.administrator.password }}']
+          {{ docker_compose_command_exec }}
+          greenlight
+          bundle exec rake
+          admin:create['{{ users.administrator.username | upper }}','{{ users.administrator.email }}','{{ users.administrator.password }}']
        chdir: "{{ docker_compose.directories.instance }}"
-      register: admin_creation_result
-      # Treat exit codes 0 (created) and 2 (already exists) as success
-      failed_when: admin_creation_result.rc not in [0,2]
-  rescue:
-    - name: "Make existing user administrator"
+      register: admin_create_primary
+      when: not BBB_OIDC_ENABLED | bool
+
+    - name: "Retry with starred password when invalid and OIDC enabled"
+      when: BBB_OIDC_ENABLED | bool
      command:
        cmd: >
-          {{ docker_compose_command_exec }} greenlight
-          bundle exec rake user:set_admin_role['{{ users.administrator.email }}']
-        chdir: "{{ docker_compose.directories.instance }}"
+          {{ docker_compose_command_exec }}
+          greenlight
+          bundle exec rake
+          admin:create['{{ users.administrator.username | upper }}','{{ users.administrator.email }}','{{ users.administrator.password ~ '*' }}']
+        chdir: "{{ docker_compose.directories.instance }}"
+      register: admin_create_retry
+      failed_when: admin_create_retry.rc not in [0, 2]
+
+  rescue:
+    - name: "Make existing user administrator (fallback)"
+      command:
+        cmd: >
+          {{ docker_compose_command_exec }}
+          greenlight
+          bundle exec rake
+          user:set_admin_role['{{ users.administrator.email }}']
+        chdir: "{{ docker_compose.directories.instance }}"