From 3653b3111acf9c2e5a1f4162ef8ca4f43950a465 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Tue, 22 Apr 2025 12:50:48 +0200
Subject: [PATCH] Added wordpress disourse draft
---
 group_vars/all/07_applications.yml | 788 ------------------
 roles/docker-discourse/tasks/main.yml | 33 +-
 roles/docker-wordpress/README.md | 5 +-
 .../tasks/discourse/README.md | 4 +
 .../tasks/discourse/generate-api-key.yml | 37 +
 .../install.yml} | 13 +
 roles/docker-wordpress/tasks/main.yml | 8 +-
 roles/docker-wordpress/tasks/oidc/README.md | 2 +
 .../tasks/{oidc.yml => oidc/install.yml} | 9 +-
 .../{oidc_settings.yml => oidc/settings.yml} | 0
 .../tasks/setup-discourse-api-key.yml | 23 -
 roles/docker-wordpress/vars/discourse.yml | 9 +
 roles/docker-wordpress/vars/wp_discourse.yml | 10 -
 templates/vars/applications.yml.j2 | 2 +-
 14 files changed, 110 insertions(+), 833 deletions(-)
 delete mode 100644 group_vars/all/07_applications.yml
 create mode 100644 roles/docker-wordpress/tasks/discourse/README.md
 create mode 100644 roles/docker-wordpress/tasks/discourse/generate-api-key.yml
 rename roles/docker-wordpress/tasks/{wp_discourse.yml => discourse/install.yml} (65%)
 create mode 100644 roles/docker-wordpress/tasks/oidc/README.md
 rename roles/docker-wordpress/tasks/{oidc.yml => oidc/install.yml} (79%)
 rename roles/docker-wordpress/tasks/{oidc_settings.yml => oidc/settings.yml} (100%)
 delete mode 100644 roles/docker-wordpress/tasks/setup-discourse-api-key.yml
 create mode 100644 roles/docker-wordpress/vars/discourse.yml
 delete mode 100644 roles/docker-wordpress/vars/wp_discourse.yml
diff --git a/group_vars/all/07_applications.yml b/group_vars/all/07_applications.yml
deleted file mode 100644
index de079883..00000000
--- a/group_vars/all/07_applications.yml
+++ /dev/null
@@ -1,788 +0,0 @@ - -# Docker Applications - -## Docker Role Specific Parameters -docker_restart_policy: "unless-stopped" - -############################################## -## Applications Configuration -############################################## - -# Keep in mind, that this configuration should in general just apply to the roles which set the applications up. -# If other applications depend on this variables, propably it makes sense to define it in e.g. IMA or other variable files. - -# helper -_applications_nextcloud_oidc_flavor: "{{ applications.nextcloud.oidc.flavor | default('oidc_login' if applications.nextcloud.features.ldap | default(true) else 'sociallogin') }}" - -# applications - -defaults_applications: - - ## Akaunting - akaunting: - version: "latest" - company_name: "{{primary_domain}}" - company_email: "{{users.administrator.email}}" - setup_admin_email: "{{users.administrator.email}}" - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: False # Allows embedding via iframe on landing page - database: True # Enables use of central database - - ## Assets Server - assets_server: - source_directory: "{{ playbook_dir }}/assets" # Directory from which the assets will be copied - url: "https://{{domains.file_server}}/assets" # Public address of the assets directory - ## Attendize - attendize: - version: "latest" - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: False # Allows embedding via iframe on landing page - database: True # Enables use of central database - - ## Baserow - baserow: - version: "latest" - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: True # Allows embedding via iframe on landing page - database: True # Enables use of central database - - ## Big Blue Button - bigbluebutton: - enable_greenlight: "true" - setup: false # Set to true in inventory file for initial setup -# @todo 
LDAP needs to get propper implemented and tested, just set values during refactoring - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: True # Allows embedding via iframe on landing page - ldap: False # Enables LDAP integration and networking - oidc: True # Enables OpenID Connect (OIDC) authentication - database: True # Enables use of central database - credentials: -# shared_secret: # Needs to be defined in inventory file -# etherpad_api_key: # Needs to be defined in inventory file -# rails_secret: # Needs to be defined in inventory file -# postgresql_secret: # Needs to be defined in inventory file -# fsesl_password: # Needs to be defined in inventory file -# turn_secret: # Needs to be defined in inventory file - urls: - api: "https://{{domains.bigbluebutton}}/bigbluebutton/" # API Address used by Nextcloud Integration - - ## Bluesky - bluesky: - users: - administrator: - email: "{{users.administrator.email}}" - pds: - version: "latest" - #jwt_secret: # Needs to be defined in inventory file - Use: openssl rand -base64 64 | tr -d '\n' - #plc_rotation_key_k256_private_key_hex: # Needs to be defined in inventory file - Use: openssl rand -hex 32 - #admin_password: # Needs to be defined in inventory file - Use: openssl rand -base64 16 - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: True # Allows embedding via iframe on landing page - database: True # Enables use of central database - - # Chromium Browser - chromium: - plugins: # Plugins to be installed in Chromium - - "cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx" # U-Block Origine Plugin - - "oboonakemofpalcgghocfoadofidjkkk;https://clients2.google.com/service/update2/crx" # KeepassXC Plugin - - coturn: # @todo implement - credentials: - user: turnuser - # password: # Need to be defined in invetory file - # secret: # Need to be defined in invetory file - - ## Discourse: - 
discourse: - network: "discourse_default" # Name of the docker network - container: "discourse_application" # Name of the container application - repository: "discourse_repository" # Name of the repository folder - credentials: - database: -# password: # Needs to be defined in inventory file - master_api: -# key: # Needs to be defined in inventory file - username: "{{ users.administrator.username }}" # Username for the Master API - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: True # Allows embedding via iframe on landing page - oidc: True # Enables OpenID Connect (OIDC) authentication - database: True # Enables use of central database - - ## File Server - file_server: - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: True # Allows embedding via iframe on landing page - - # Firefox Browser - firefox: - plugins: # Plugins to be installed in Firefox - - "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi" # U-Block Origine Plugin - - "https://addons.mozilla.org/firefox/downloads/latest/keepassxc-browser/latest.xpi" # KeepassXC Plugin - - ## Friendica - friendica: - version: "latest" - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: True # Allows embedding via iframe on landing page - oidc: True # Enables OpenID Connect (OIDC) authentication - database: True # Enables use of central database - - ## Funkwhale - funkwhale: - version: "1.4.0" - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: True # Allows embedding via iframe on landing page - ldap: True # Enables LDAP integration and networking - database: True # Enables use of central database - - ## Gitea - gitea: - version: "latest" # Use latest docker image - configuration: - repository: - enable_push_create_user: True # Allow users to push local repositories to Gitea and have 
them automatically created for a user. - default_private: last # Default private when creating a new repository: last, private, public - default_push_create_private: True # Default private when creating a new repository with push-to-create. - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: True # Allows embedding via iframe on landing page - database: True # Enables use of central database - - ## Gitlab - gitlab: - version: "latest" - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: True # Allows embedding via iframe on landing page - database: True # Enables use of central database - - ## Gnome - gnome: - plugins: - - [enable,nasa_apod@elinvention.ovh,https://github.com/Elinvention/gnome-shell-extension-nasa-apod.git] - - [disable,dash-to-dock@micxgx.gmail.com,''] - - [enable, dash-to-panel@jderose9.github.com,''] - - ## Joomla - joomla: - version: "latest" - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: True # Allows embedding via iframe on landing page - - ## HTML Server - html_server: - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: False # Allows embedding via iframe on landing page - - ## Keycloak - keycloak: - version: "latest" - users: - administrator: - username: "{{users.administrator.username}}" # Administrator Username for Keycloak - import_realm: True # If True realm will be imported. If false skip. 
-# database_password: # Needs to be defined in inventory file -# administrator_password: # Needs to be defined in inventory file - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: True # Allows embedding via iframe on landing page - ldap: True # Enables LDAP integration and networking - database: True # Enables use of central database - - # LDAP Account Manager - lam: - version: "latest" -# administrator_password: "{{users.administrator.initial_password}}" # CHANGE for security reasons - oauth2_proxy: - application: application # Needs to be the same as webinterface - port: 80 # application port -# cookie_secret: None # Set via openssl rand -hex 16 - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: True # Allows embedding via iframe on landing page - ldap: True # Enables LDAP integration and networking - oauth2: False # Enables OAuth2 proxy integration - database: False # Enables use of central database - - ## LDAP - ldap: - version: "latest" - network: - local: True # Activates local network to allow other docker containers to connect - public: False # Set to true in inventory file if you want to expose the LDAP port to the internet - hostname: "ldap" # Hostname of the LDAP Server in the central_ldap network - webinterface: "lam" # The webinterface which should be used. 
Possible: lam and phpldapadmin - users: - administrator: - username: "{{users.administrator.username}}" # Administrator username - # administrator_password: # CHANGE for security reasons in inventory file - # administrator_database_password: # CHANGE for security reasons in inventory file - force_import: False # Forces the import of the LDIF files - features: - ldap: True # Enables LDAP integration and networking - - ## Libre Office - libreoffice: - flavor: "fresh" # Libre Office flavor, fresh for new, still for stable - - ## Listmonk - listmonk: - users: - administrator: - username: "{{users.administrator.username}}" # Listmonk administrator account username - public_api_activated: False # Security hole. Can be used for spaming - version: "latest" # Docker Image version - setup: false # Set true in inventory file to execute the setup and initializing procedures - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: True # Allows embedding via iframe on landing page - database: True # Enables use of central database - - mailu: - version: "2024.06" # Docker Image Version - setup: false # Set true in inventory file to execute the setup and initializing procedures - oidc: - email_by_username: true # If true, then the mail is set by the username. If wrong then the OIDC user email is used - enable_user_creation: true # Users will be created if not existing - domain: "{{primary_domain}}" # The main domain from which mails will be send \ email suffix behind @ - credentials: -# secret_key: # Set to a randomly generated 16 bytes string -# database_password: # Needs to be set in inventory file -# api_token: # Configures the authentication token. The minimum length is 3 characters. This is a mandatory setting for using the RESTful API. 
-# initial_administrator_password: # Initial administrator password for setup - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: True # Allows embedding via iframe on landing page - oidc: True # Enables OpenID Connect (OIDC) authentication - database: False # Enables use of central database -# Deactivate central database for mailu, I don't know why the database deactivation is necessary - - ## MariaDB - mariadb: - version: "latest" - - ## Matomo - matomo: - version: "latest" - oauth2_proxy: -# cookie_secret: None # Set via openssl rand -hex 16 -# database_password: Null # Needs to be set in inventory file -# auth_token: Null # Needs to be set in inventory file - features: - matomo: False # Enables Matomo tracking - css: False # Enables custom CSS styling - iframe: False # Allows embedding via iframe on landing page - oauth2: False # Enables OAuth2 proxy integration - database: True # Enables use of central database - - ## Mastodon - mastodon: - version: "latest" - single_user_mode: false # Set true for initial setup - setup: false # Set true in inventory file to execute the setup and initializing procedures - credentials: -# Check out the README.md of the docker-mastodon role to get detailled instructions about how to setup the credentials -# database_password: -# secret_key_base: -# otp_secret: -# vapid: -# private_key: -# public_key: -# active_record_encryption: -# deterministic_key: -# key_derivation_salt: -# primary_key: - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: False # Allows embedding via iframe on landing page - oidc: True # Enables OpenID Connect (OIDC) authentication - database: True # Enables use of central database - - ## Matrix - matrix: - users: - administrator: - username: "{{users.administrator.username}}" # Accountname of the matrix admin - playbook_tags: "setup-all,start" # For the initial update use: 
install-all,ensure-matrix-users-created,start - role: "compose" # Role to setup Matrix. Valid values: ansible, compose - server_name: "{{primary_domain}}" # Adress for the account names etc. - synapse: - version: "latest" - element: - version: "latest" - setup: false # Set true in inventory file to execute the setup and initializing procedures - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: False # Allows embedding via iframe on landing page - oidc: False # Enables OpenID Connect (OIDC) authentication - database: True # Enables use of central database -# Deactivated OIDC due to this issue https://github.com/matrix-org/synapse/issues/10492 - - ## Moodle - moodle: - site_titel: "Global Learning Academy on {{primary_domain}}" - users: - administrator: - username: "{{users.administrator.username}}" - email: "{{users.administrator.email}}" - version: "latest" - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: False # Allows embedding via iframe on landing page - database: True # Enables use of central database - - ## MyBB - mybb: - version: "latest" - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: False # Allows embedding via iframe on landing page - database: True # Enables use of central database - - ## Nextcloud - nextcloud: - version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/ - ldap: - enabled: True # Enables LDAP by default - oidc: - enabled: "{{ applications.nextcloud.features.oidc | default(true) }}" # Activate OIDC for Nextcloud - # floavor decides which OICD plugin should be used. 
- # Available options: oidc_login, sociallogin - # @see https://apps.nextcloud.com/apps/oidc_login - # @see https://apps.nextcloud.com/apps/sociallogin - flavor: "oidc_login" # Keeping on sociallogin because the other option is not implemented yet - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: False # Allows embedding via iframe on landing page - ldap: True # Enables LDAP integration and networking - oidc: True # Enables OpenID Connect (OIDC) authentication - database: True # Enables use of central database - credentials: -# database_password: Null # Needs to be set in inventory file - users: - administrator: - username: "{{users.administrator.username}}" - initial_password: "{{users.administrator.initial_password}}" # Keep in mind to change the password fast after creation and activate 2FA - default_quota: '1000000000' # Quota to assign if no quota is specified in the OIDC response (bytes) - legacy_login_mask: - enabled: False # If true, then legacy login mask is shown. 
Otherwise just SSO - container: - application: "nextcloud-application" # Nextcloud application container name - proxy: "nextcloud-web" # Nextcloud Proxy Container Name - performance: - php: - memory_limit: "{{ ((ansible_memtotal_mb | int) / 30)|int }}M" # Dynamic set memory limit - upload_limit: "5G" # Set upload limit to 5GB for big media files - opcache_memory_consumption: "{{ ((ansible_memtotal_mb | int) / 30)|int }}M" # Dynamic set memory consumption - plugins: - # List for Nextcloud Plugin Routine - # Decides if plugins should be activated or deactivated - appointments: - # Nextcloud appointments: handles scheduling and appointment management (https://apps.nextcloud.com/apps/appointments) - enabled: true - bbb: - # Nextcloud BigBlueButton integration: enables video conferencing using BigBlueButton (https://apps.nextcloud.com/apps/bbb) - enabled: "{{ 'bigbluebutton' in group_names | lower }}" - #- bookmarks - # # Nextcloud Bookmarks: manage and share your bookmarks easily (https://apps.nextcloud.com/apps/bookmarks) - # enabled: false - calendar: - # Nextcloud calendar: manages calendar events and scheduling (https://apps.nextcloud.com/apps/calendar) - enabled: true - cfg_share_links: - # Nextcloud share links configuration: customizes sharing settings and link options (https://apps.nextcloud.com/apps/cfg_share_links) - enabled: true - collectives: - # Nextcloud collectives: supports collaborative group management and sharing (https://apps.nextcloud.com/apps/collectives) - enabled: true - contacts: - # Nextcloud contacts: manages address book and contact information (https://apps.nextcloud.com/apps/contacts) - enabled: true - cospend: - # Nextcloud cospend: manages shared expenses and spending tracking (https://apps.nextcloud.com/apps/cospend) - enabled: true - deck: - # Nextcloud Deck: organizes tasks and projects using Kanban boards (https://apps.nextcloud.com/apps/deck) - # When Taiga is activated, this plugin is deactivated, because Taiga is the prefered 
application. - enabled: "{{ 'taiga' not in group_names | lower }}" - drawio: - # Nextcloud draw.io: integrates diagram creation and editing tools (https://apps.nextcloud.com/apps/drawio) - enabled: true - duplicatefinder: - # Nextcloud duplicate finder: scans and identifies duplicate files (https://apps.nextcloud.com/apps/duplicatefinder) - enabled: true - emlviewer: - # Nextcloud EML Viewer: previews and manages EML email files (https://apps.nextcloud.com/apps/emlviewer) - enabled: true - event_update_notification: - # Nextcloud event update notification: sends alerts when events are updated (https://apps.nextcloud.com/apps/event_update_notification) - enabled: true - epubviewer: - # Nextcloud EPUB Viewer: enables reading and previewing EPUB e-books (https://apps.nextcloud.com/apps/epubviewer) - enabled: true - external: - # Nextcloud External: Adds links to external services (https://apps.nextcloud.com/apps/external) - enabled: true - #files_accesscontrol - # # Nextcloud Files Access Control: restricts file access based on defined rules (https://apps.nextcloud.com/apps/files_accesscontrol) - # enabled: false - #files_archive - # # Nextcloud Files Archive: compresses and archives files for efficient storage (https://apps.nextcloud.com/apps/files_archive) - # enabled: false - #files_automatedtagging - # # Nextcloud Files Automated Tagging: automatically tags files to improve organization (https://apps.nextcloud.com/apps/files_automatedtagging) - # enabled: false - files_bpm: - # Nextcloud Files BPM: integrates business process management for file workflows (https://apps.nextcloud.com/apps/files_bpm) - enabled: true - files_downloadactivity: - # Nextcloud Files Download Activity: tracks and logs file download events (https://apps.nextcloud.com/apps/files_downloadactivity) - enabled: true - files_linkeditor: - # Nextcloud files link editor: allows customization of shared file links (https://apps.nextcloud.com/apps/files_linkeditor) - enabled: true - files_mindmap: - 
# Nextcloud Files Mindmap: visualizes file relationships as mind maps (https://apps.nextcloud.com/apps/files_mindmap) - enabled: true - files_texteditor: - # Nextcloud Files Text Editor: provides an online editor for text files (https://apps.nextcloud.com/apps/files_texteditor) - # Not available for Nextcloud < 27 - enabled: false - fileslibreofficeedit: - # Nextcloud LibreOffice integration: allows online editing of documents with LibreOffice (https://apps.nextcloud.com/apps/fileslibreofficeedit) - enabled: true - forms: - # Nextcloud forms: facilitates creation of forms and surveys (https://apps.nextcloud.com/apps/forms) - enabled: true - gestion: - # Nextcloud Gestion: manages administrative tasks and workflows (https://apps.nextcloud.com/apps/gestion) - enabled: true - groupfolders: - # Nextcloud Group Folders: centralizes shared folders for group collaboration (https://apps.nextcloud.com/apps/groupfolders) - enabled: true - gpxpod: - # Nextcloud GPX pod: visualizes GPS tracks and GPX data (https://apps.nextcloud.com/apps/gpxpod) - enabled: true - integration_discourse: - # Nextcloud Integration Discourse: connects Nextcloud with Discourse forums (https://apps.nextcloud.com/apps/integration_discourse) - enabled: false - integration_gitlab: - # Nextcloud Integration GitLab: connects Nextcloud with GitLab repositories (https://apps.nextcloud.com/apps/integration_gitlab) - enabled: "{{ 'gitlab' in group_names | lower }}" - integration_github: - # Nextcloud Integration GitHub: integrates GitHub repositories with Nextcloud (https://apps.nextcloud.com/apps/integration_github) - enabled: false - integration_google: - # Nextcloud Integration Google: connects Google services with Nextcloud (https://apps.nextcloud.com/apps/integration_google) - enabled: true - integration_mastodon: - # Nextcloud Integration Mastodon: connects Nextcloud with the Mastodon social network (https://apps.nextcloud.com/apps/integration_mastodon) - enabled: "{{ 'mastodon' in group_names | lower 
}}" - integration_openai: - # Nextcloud Integration OpenAI: brings OpenAI functionalities into Nextcloud (https://apps.nextcloud.com/apps/integration_openai) - enabled: false - integration_openproject: - # Nextcloud Integration OpenProject: integrates project management features from OpenProject (https://apps.nextcloud.com/apps/integration_openproject) - enabled: "{{ 'openproject' in group_names | lower }}" - integration_peertube: - # Nextcloud Integration PeerTube: connects to PeerTube for video sharing (https://apps.nextcloud.com/apps/integration_peertube) - enabled: "{{ 'peertube' in group_names | lower }}" - #keeweb - # # Nextcloud KeeWeb: integrates the KeeWeb password manager within Nextcloud (https://apps.nextcloud.com/apps/keeweb) - # # This isn't maintained anymore. The alternatives don't support keepass files - # enabled: false - keeporsweep: - # Nextcloud keep or sweep: helps manage and clean up files and data (https://apps.nextcloud.com/apps/keeporsweep) - enabled: true - mail: - # Nextcloud mail: integrated email client for managing mail accounts (https://apps.nextcloud.com/apps/mail) - enabled: true - maps: - # Nextcloud maps: provides mapping and location services integration (https://apps.nextcloud.com/apps/maps) - enabled: true - metadata: - # Nextcloud Metadata: manages and displays file metadata for enhanced organization (https://apps.nextcloud.com/apps/metadata) - enabled: true - news: - # Nextcloud News: aggregates and displays news feeds directly in Nextcloud (https://apps.nextcloud.com/apps/news) - enabled: true - oidc_login: - # Nextcloud User OIDC: integrates OpenID Connect for user authentication (https://apps.nextcloud.com/apps/oidc_login) - enabled: "{{ _applications_nextcloud_oidc_flavor=='oidc_login' | lower }}" - incompatible_plugins: - - user_oidc # Will be disabled - - sociallogin # Will be disabled - phonetrack: - # Nextcloud phone track: tracks and monitors mobile device usage (https://apps.nextcloud.com/apps/phonetrack) - 
enabled: true - polls: - # Nextcloud polls: facilitates creation and management of user polls (https://apps.nextcloud.com/apps/polls) - enabled: true - quota_warning: - # Nextcloud quota warning: notifies users when storage limits are reached (https://apps.nextcloud.com/apps/quota_warning) - enabled: true - recognize: - # Nextcloud recognize: performs image recognition tasks (https://apps.nextcloud.com/apps/recognize) - enabled: false # Deactivated because it let to bugs - richdocuments: - # Nextcloud Rich Documents: provides collaborative document editing capabilities (https://apps.nextcloud.com/apps/richdocuments) - enabled: false # @todo To set it default to true activate https://hub.docker.com/r/collabora/code before - sociallogin: - # Nextcloud social login: allows authentication using social networks (https://apps.nextcloud.com/apps/sociallogin) - enabled: "{{ _applications_nextcloud_oidc_flavor=='sociallogin' | lower }}" - incompatible_plugins: - - user_oidc # Will be disabled - - oidc_login # Will be disabled - spreed: - # Nextcloud Spreed: offers video conferencing and chat functionalities (https://apps.nextcloud.com/apps/spreed) - enabled: false # @todo to activate it first implement docker-coturn and activate it - tables: - # Nextcloud tables: allows creation and editing of tables within the interface (https://apps.nextcloud.com/apps/tables) - enabled: true - tasks: - # Nextcloud tasks: manages personal or group tasks and to-do lists (https://apps.nextcloud.com/apps/tasks) - enabled: true - #terms_of_service - # # Nextcloud Terms of Service: manages user acceptance of terms and conditions (https://apps.nextcloud.com/apps/terms_of_service) - # enabled: false - twofactor_nextcloud_notification: - # Nextcloud two-factor notification: sends notifications for two-factor authentication events (https://apps.nextcloud.com/apps/twofactor_nextcloud_notification) - enabled: "{{ not applications.nextcloud.features.oidc | default(true) }}" # Deactivate 2FA if oidc is 
active - twofactor_totp: - # Nextcloud two-factor TOTP: provides time-based one-time password authentication (https://apps.nextcloud.com/apps/twofactor_totp) - enabled: "{{ not applications.nextcloud.features.oidc | default(true) }}" # Deactivate 2FA if oidc is active - user_ldap: - # Nextcloud user LDAP: integrates LDAP for user management and authentication (https://apps.nextcloud.com/apps/user_ldap) - enabled: "{{ applications.nextcloud.features.ldap | default(true) }}" - user_oidc: - # Nextcloud User OIDC: integrates OpenID Connect for user authentication (https://apps.nextcloud.com/apps/user_oidc) - enabled: "{{ _applications_nextcloud_oidc_flavor=='user_oidc' | lower }}" - incompatible_plugins: - - oidc_login - - sociallogin - whiteboard: - # Nextcloud Whiteboard: provides a collaborative drawing and brainstorming tool (https://apps.nextcloud.com/apps/whiteboard) - enabled: true - - ## OAuth2 Proxy - oauth2_proxy: - configuration_file: "oauth2-proxy-keycloak.cfg" # Needs to be set true in the roles which use it - version: "latest" # Docker Image version - redirect_url: "https://{{domains.keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth" # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak. - allowed_roles: admin # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: False # Allows embedding via iframe on landing page - - ## Open Project - openproject: - version: "13" # Update when available. 
Sadly no rolling release implemented - oauth2_proxy: - application: "proxy" - port: "80" -# cookie_secret: None # Set via openssl rand -hex 16 - ldap: - filters: - administrators: True # Set true to filter administrators - users: False # Set true to filter users - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: False # Allows embedding via iframe on landing page - ldap: True # Enables LDAP integration and networking - oauth2: True # Enables OAuth2 proxy integration - database: True # Enables use of central database - - ## Peertube - peertube: - version: "bookworm" - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: False # Allows embedding via iframe on landing page - database: True # Enables use of central database - - ## PgAdmin - pgadmin: - version: "latest" - server_mode: False # If true then the preconfigured database file is loaded. Recommended False. True is a security risk. - master_password_required: True # Master password is required. Recommended True. False is a security risk. 
- users: - administrator: - email: "{{ users.administrator.email }}" # Initial login email address - password: "{{ users.administrator.initial_password }}" # Initial login password – should be overridden in inventory for security - oauth2_proxy: - application: "application" - port: "80" -# cookie_secret: None # Set via: openssl rand -hex 16 - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: False # Allows embedding via iframe on landing page - oauth2: True # Enables OAuth2 proxy integration - database: True # Enables use of central database - - ## phpLDAPadmin - phpldapadmin: - version: "2.0.0-dev" # @todo Attention: Change this as fast as released to latest - oauth2_proxy: - application: application # Needs to be the same as webinterface - port: 8080 # application port -# cookie_secret: None # Set via openssl rand -hex 16 - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: False # Allows embedding via iframe on landing page - ldap: True # Enables LDAP integration and networking - oauth2: True # Enables OAuth2 proxy integration - - ## PHPMyAdmin - phpmyadmin: - version: "latest" # Use the latest phpmyadmin version - autologin: false # This is a high security risk. 
Just activate this option if you know what you're doing - oauth2_proxy: - port: "80" - application: "application" -# cookie_secret: None # Set via openssl rand -hex 16 - features: - matomo: True # Enables Matomo tracking - css: False # Enables custom CSS styling - iframe: False # Allows embedding via iframe on landing page - oauth2: True # Enables OAuth2 proxy integration - database: True # Enables use of central database - - ## Pixelfed - pixelfed: - titel: "Pictures on {{primary_domain}}" - version: "latest" - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: False # Allows embedding via iframe on landing page - database: True # Enables use of central database - - ## Postgres - # Please set an version in your inventory file - Rolling release for postgres isn't recommended - postgres: - version: "latest" - - portfolio: - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: False # Allows embedding via iframe on landing page - - ## Presentation - presentation: - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: True # Allows embedding via iframe on landing page - - # Snipe-IT - snipe_it: - version: "latest" - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: False # Allows embedding via iframe on landing page - database: True # Enables use of central database - - ## Sphinx - sphinx: - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: False # Allows embedding via iframe on landing page - - ## Taiga - taiga: - version: "latest" - oidc: - # Taiga doesn't have a functioning oidc support at the moment - # See - # - https://community.taiga.io/t/taiga-and-oidc-plugin/4866 - # - # Due to this reason this plutin is deactivated atm - flavor: 'taigaio' # Potential flavors: robrotheram, taigaio - features: - matomo: True # 
Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: False # Allows embedding via iframe on landing page - oidc: False # Enables OpenID Connect (OIDC) authentication - database: True # Enables use of central database - - ## YOURLS - yourls: - users: - administrator: - username: "{{users.administrator.username}}" - version: "latest" - oauth2_proxy: - application: "application" - port: "80" - location: "/admin/" # Protects the admin area -# cookie_secret: None # Set via openssl rand -hex 16 - features: - matomo: True # Enables Matomo tracking - css: True # Enables custom CSS styling - iframe: False # Allows embedding via iframe on landing page - oauth2: True # Enables OAuth2 proxy integration - database: True # Enables use of central database - - wordpress: -# Deactivate Global theming for wordpress role -# due to the reason that wordpress has to much different themes -# and one styling for all is not possible. -# -# May a solution could be to generate a template or css file dedicated -# for wordpress based on the theming values and import it. - title: "Blog" # Wordpress titel - credentials: # Credentials - administrator: # Wordpress administrator - username: "{{users.administrator.username}}" # Username of the wordpress administrator -# password: # Password of the wordpress administrator - email: "{{users.administrator.email}}" # Email of the wordpress adminsitrator - plugins: - discourse: false - oidc: true - features: - matomo: True # Enables Matomo tracking - css: False # Enables custom CSS styling - iframe: False # Allows embedding via iframe on landing page - oidc: True # Enables OpenID Connect (OIDC) authentication - database: True # Enables use of central database \ No newline at end of file diff --git a/roles/docker-discourse/tasks/main.yml b/roles/docker-discourse/tasks/main.yml index bc4547ed..884e52c7 100644 --- a/roles/docker-discourse/tasks/main.yml +++ b/roles/docker-discourse/tasks/main.yml 
@@ -5,10 +5,12 @@ pacman: name: which state: present + when: run_once_docker_discourse is not defined - name: "include docker-central-database" include_role: name: docker-central-database + when: run_once_docker_discourse is not defined - name: "include role nginx-domain-setup for {{application_id}}" include_role: @@ -16,21 +18,27 @@ vars: domain: "{{ domains[application_id] }}" http_port: "{{ ports.localhost.http[application_id] }}" + when: run_once_docker_discourse is not defined - name: "cleanup central database from {{application_id}}_default network" command: cmd: "docker network disconnect {{applications.discourse.network}} central-{{ database_type }}" ignore_errors: true - when: mode_reset | bool + when: + - mode_reset | bool + - run_once_docker_discourse is not defined - name: add docker-compose.yml template: src: docker-compose.yml.j2 dest: "{{docker_compose.directories.instance}}docker-compose.yml" - notify: docker compose project setup + notify: + - docker compose project setup + - run_once_docker_discourse is not defined - name: flush, to recreate discourse docker compose meta: flush_handlers + when: run_once_docker_discourse is not defined - name: pull docker repository git: @@ -40,18 +48,21 @@ notify: recreate discourse become: true ignore_errors: true + when: run_once_docker_discourse is not defined - name: set chmod 700 for {{docker_repository_directory }}containers ansible.builtin.file: path: "{{docker_repository_directory }}/containers" mode: '700' state: directory + when: run_once_docker_discourse is not defined - name: "copy configuration to {{discourse_application_yml_destination}}" template: src: discourse_application.yml.j2 dest: "{{discourse_application_yml_destination}}" notify: recreate discourse + when: run_once_docker_discourse is not defined - name: "destroy container discourse_application" command: 
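Review bot: In the `add docker-compose.yml` task of the `@@ -16,21 +18,27 @@` hunk the run-once guard landed under `notify:` instead of `when:`, so `run_once_docker_discourse is not defined` is passed to Ansible as a handler name and the task itself is never skipped on repeated includes. Ansible refuses to run a play that notifies a handler it cannot find, so as far as I can tell this is an immediate error on the next run rather than a silent no-op. It should read `notify: docker compose project setup` followed by `when: run_once_docker_discourse is not defined`, as every other task in the `@@ -5` and `@@ -40` hunks on this line does.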
@@ -59,19 +70,31 @@ chdir: "{{docker_repository_directory }}" ignore_errors: true notify: recreate discourse - when: mode_reset | bool + when: + - mode_reset | bool + - run_once_docker_discourse is not defined - name: flush, to recreate discourse app meta: flush_handlers + when: run_once_docker_discourse is not defined - name: "add {{applications.discourse.container}} to network central_postgres" command: cmd: "docker network connect central_postgres {{applications.discourse.container}}" ignore_errors: true - when: applications[application_id].features.database | bool + when: + - applications[application_id].features.database | bool + - run_once_docker_discourse is not defined - name: "remove central database from {{application_id}}_default" command: cmd: "docker network disconnect {{applications.discourse.network}} central-{{ database_type }}" ignore_errors: true - when: applications[application_id].features.database | bool + when: + - applications[application_id].features.database | bool + - run_once_docker_discourse is not defined + +- name: run the docker_discourse tasks once + set_fact: + run_once_docker_discourse: true + when: run_once_docker_discourse is not defined \ No newline at end of file diff --git a/roles/docker-wordpress/README.md b/roles/docker-wordpress/README.md index 0b72ebbe..9a62326a 100644 --- a/roles/docker-wordpress/README.md +++ b/roles/docker-wordpress/README.md 
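Review bot: The closing `set_fact: run_once_docker_discourse: true` turns this file into a hand-rolled run-once guard, with the same `when:` condition repeated on every task above it, which is easy to get wrong (one copy already ended up under `notify:` in the `@@ -16` hunk). If the intent is "run this role once per host and play", Ansible's `allow_duplicates: false`, on the `include_role` call or in the role's `meta/main.yml`, expresses that in one place, as far as I recall; if the fact-based guard is kept, a comment on the final task such as `# marks the role as done for this host; every task above is gated on this fact` would make the contract visible. Note also that the fact is set even when the guarded `docker network connect`/`disconnect` tasks above failed under `ignore_errors: true`, so a later include will not retry them.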
@@ -2,7 +2,7 @@ ## Description -WordPress is a versatile and widely used content management system (CMS) that powers millions of websites—from blogs and portfolios to e-commerce and corporate sites. This deployment provides a containerized WordPress instance optimized for multisite operation, advanced media management, and extensive plugin support, allowing you to fully leverage the rich features of the WordPress software. +[WordPress](https://en.wordpress.org/) is a versatile and widely used [content management system (CMS)](https://en.wikipedia.org/wiki/Content_management_system) that powers millions of websites—from blogs and portfolios to e-commerce and corporate sites. This deployment provides a containerized WordPress instance optimized for multisite operation, advanced media management, and extensive plugin support, allowing you to fully leverage the rich features of the WordPress software. ## Overview @@ -31,6 +31,8 @@ WordPress offers an extensive array of features that make it a robust platform f This automated Docker Compose deployment streamlines the process by building a custom WordPress image (which includes tools like msmtp for email delivery) and configuring the necessary PHP settings. In doing so, it ensures that your WordPress site is secure, scalable, and always up‑to‑date. +This deployment provides a containerized WordPress instance optimized for multisite operation, advanced media management, and extensive plugin support—including optional integration with Discourse forums. + ## Purpose The goal of this deployment is to provide a production‑ready, scalable WordPress instance with multisite capabilities and enhanced performance. By automating the custom image build and configuration processes via Docker Compose and Ansible, it minimizes manual intervention, reduces errors, and allows you to concentrate on building great content. 
@@ -40,6 +42,7 @@ The goal of this deployment is to provide a production‑ready, scalable WordPre - [WordPress Official Website](https://wordpress.org/) - [WordPress Multisite Documentation](https://wordpress.org/support/article/create-a-network/) - [WordPress Plugin Repository](https://wordpress.org/plugins/) +- [WP Discourse Plugin](https://wordpress.org/plugins/wp-discourse/) ## Credits diff --git a/roles/docker-wordpress/tasks/discourse/README.md b/roles/docker-wordpress/tasks/discourse/README.md new file mode 100644 index 00000000..07c1a811 --- /dev/null +++ b/roles/docker-wordpress/tasks/discourse/README.md @@ -0,0 +1,4 @@ +# Wordpress with Discourse Support + +This folder contains the files to setup Discourse support for Wordpress. +IT's realized with the [WP Discourse Plugin](https://de.wordpress.org/plugins/wp-discourse/) \ No newline at end of file diff --git a/roles/docker-wordpress/tasks/discourse/generate-api-key.yml b/roles/docker-wordpress/tasks/discourse/generate-api-key.yml new file mode 100644 index 00000000..136e3ae9 --- /dev/null +++ b/roles/docker-wordpress/tasks/discourse/generate-api-key.yml 
@@ -0,0 +1,37 @@
+- name: "Revoke old WP Discourse API keys via Rails"
+ command: >
+ docker exec {{ applications.discourse.container }}
+ rails runner "
+ user = User.find_by_username('system')
+ ApiKey
+ .where(
+ user_id: user.id,
+ description: 'WP Discourse Integration',
+ revoked_at: nil
+ )
+ .update_all(revoked_at: Time.current)
+ "
+ args:
+ chdir: "{{ docker_compose.directories.instance }}"
+ failed_when: false
+
+- name: "Generate new WP Discourse API key via Rails"
+ command: >
+ docker exec {{ applications.discourse.container }}
+ rails runner "
+ user = User.find_by_username('system')
+ ak = ApiKey.create!(
+ user_id: user.id,
+ token: SecureRandom.hex,
+ description: 'WP Discourse Integration'
+ )
+ puts ak.token
+ "
+ args:
+ chdir: "{{ docker_compose.directories.instance }}"
+ register: discourse_generated_api_key
+ failed_when: false
+
+- name: "Set fact for new WP Discourse API key"
+ set_fact:
+ vault_discourse_api_key: "{{ discourse_generated_api_key.stdout_lines[0] }}"
\ No newline at end of file
diff --git a/roles/docker-wordpress/tasks/wp_discourse.yml b/roles/docker-wordpress/tasks/discourse/install.yml
similarity index 65%
rename from roles/docker-wordpress/tasks/wp_discourse.yml
rename to roles/docker-wordpress/tasks/discourse/install.yml
index d945f8cf..94dbddcb 100644
--- a/roles/docker-wordpress/tasks/wp_discourse.yml
+++ b/roles/docker-wordpress/tasks/discourse/install.yml
@@ -1,4 +1,17 @@
 ---
+- name: "Include docker-discourse"
+ include_role:
+ name: docker-discourse
+
+- name: "Generate Discourse API Key when WP Discourse is enabled"
+ include_tasks: generate-api-key.yml
+
+# Load after api key generation, so that it can be used
+- name: "Include WP Discourse vars"
+ include_vars:
+ file: "{{ role_path }}/vars/discourse.yml"
+ name: discourse_settings
+
 - name: "Install WP Discourse plugin"
 command: >
 docker-compose exec -u www-data -T application
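Review bot: `failed_when: false` on the "Generate new WP Discourse API key" task means a failing `rails runner` (a missing `system` user, or `create!` rejecting the `token:` attribute, which is worth verifying against the Discourse version in use since recent releases generate the key themselves and expose the plaintext as `key` only at creation time) leaves `stdout_lines` empty or holding an error line, and the following `set_fact` then either errors on `[0]` or pushes that line to WordPress as the API key. The task should fail explicitly when the command fails or prints nothing, and since the registered stdout is the plaintext key, both it and the `set_fact` should carry `no_log: true` so the key does not end up in task output or logs. The key is also created for the admin `system` user with no scope restriction, so WordPress holds a full-admin Discourse credential; if the deployed Discourse supports scoped API keys, limiting it to what the WP Discourse plugin needs would contain a WordPress compromise. The best-effort `failed_when: false` on the revoke task is defensible, though it hides the same `system`-user miss.
```yaml
- name: "Generate new WP Discourse API key via Rails"
  # … unchanged: command / args …
  register: discourse_generated_api_key
  # fail loudly instead of carrying an empty or bogus key into WordPress
  failed_when: discourse_generated_api_key.rc != 0 or discourse_generated_api_key.stdout_lines | length == 0
  no_log: true  # the registered stdout is the plaintext API key

- name: "Set fact for new WP Discourse API key"
  set_fact:
    # the token is the last line printed; earlier lines may be Rails warnings
    vault_discourse_api_key: "{{ discourse_generated_api_key.stdout_lines[-1] }}"
  no_log: true
```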
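Review bot: `include_vars` with `name: discourse_settings` stores the entire file under that variable, and `vars/discourse.yml` (added in this patch) already has a top-level `discourse_settings:` key, so the values end up at `discourse_settings.discourse_settings.*` rather than `discourse_settings.*`. Unless the remainder of install.yml, which lies outside the hunk, indexes the double nesting on purpose, drop the `name:` line and keep only `include_vars:` with `file: "{{ role_path }}/vars/discourse.yml"`. The unconditional `include_role: docker-discourse` at the top also deserves a comment stating why it is here, e.g. `# Discourse must be deployed on this host before an API key can be generated for it`, since a reader of the WordPress role will not expect it to deploy Discourse.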
diff --git a/roles/docker-wordpress/tasks/main.yml b/roles/docker-wordpress/tasks/main.yml index b7ab4619..c0061fda 100644 --- a/roles/docker-wordpress/tasks/main.yml +++ b/roles/docker-wordpress/tasks/main.yml @@ -38,9 +38,9 @@ include_tasks: install.yml - name: "Activating OIDC when enabled." - include_tasks: oidc.yml + include_tasks: oidc/install.yml when: applications[application_id].features.oidc | bool -#- name: "Activating WP Discourse when enabled" -# include_tasks: wp_discourse.yml -# when: applications[application_id].wp_discourse.enabled | bool +- name: "Activating WP Discourse when enabled" + include_tasks: discourse/install.yml + when: applications[application_id].plugins.discourse | bool \ No newline at end of file diff --git a/roles/docker-wordpress/tasks/oidc/README.md b/roles/docker-wordpress/tasks/oidc/README.md new file mode 100644 index 00000000..3de942ea --- /dev/null +++ b/roles/docker-wordpress/tasks/oidc/README.md @@ -0,0 +1,2 @@ +# Wordpress with OIDC +This folder contains the files to setup Wordpress with OIDC. \ No newline at end of file diff --git a/roles/docker-wordpress/tasks/oidc.yml b/roles/docker-wordpress/tasks/oidc/install.yml similarity index 79% rename from roles/docker-wordpress/tasks/oidc.yml rename to roles/docker-wordpress/tasks/oidc/install.yml index ee3e7ee4..c788aa9c 100644 --- a/roles/docker-wordpress/tasks/oidc.yml +++ b/roles/docker-wordpress/tasks/oidc/install.yml @@ -7,6 +7,13 @@ args: chdir: "{{ docker_compose.directories.instance }}" +- name: Wait for Discourse API + wait_for: + host: "{{ domains.discourse }}" + port: 80 + delay: 5 + timeout: 600 + - name: "Activate OpenID Connect Generic Plugin" command: > docker-compose exec -u www-data -T application @@ -16,4 +23,4 @@ chdir: "{{ docker_compose.directories.instance }}" - name: "Setup OIDC settings" - include_tasks: "oidc_settings.yml" \ No newline at end of file + include_tasks: "settings.yml" \ No newline at end of file 
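Review bot: The new `Wait for Discourse API` task in the `@@ -7,6 +7,13 @@` hunk of `oidc/install.yml` runs inside the OIDC plugin setup, which has no dependency on Discourse; when `plugins.discourse` is false (the gate this commit adds in main.yml) there may be no Discourse instance at all, and the OIDC install then blocks for up to 600 s and fails. If a readiness wait is needed it belongs in `discourse/install.yml` ahead of the plugin configuration, and `wait_for` on port 80 only proves that some TCP listener answers, not that the Rails API is serving; a `uri:` check with `until`/`retries`/`delay` against a Discourse health endpoint would be the stronger test. The enclosing task list continues outside the hunk.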
diff --git a/roles/docker-wordpress/tasks/oidc_settings.yml b/roles/docker-wordpress/tasks/oidc/settings.yml
similarity index 100%
rename from roles/docker-wordpress/tasks/oidc_settings.yml
rename to roles/docker-wordpress/tasks/oidc/settings.yml
diff --git a/roles/docker-wordpress/tasks/setup-discourse-api-key.yml b/roles/docker-wordpress/tasks/setup-discourse-api-key.yml
deleted file mode 100644
index 6936b57c..00000000
--- a/roles/docker-wordpress/tasks/setup-discourse-api-key.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-- name: "Create Discourse API key for WordPress integration"
- uri:
- url: "https://{{ domains.discourse }}/admin/api/keys"
- method: POST
- headers:
- Content-Type: "application/json"
- Api-Key: "{{ applications.discourse.master_api_key }}"
- Api-Username: "{{ applications.discourse.master_api_username | default('admin') }}"
- body_format: json
- body:
- key:
- description: "WP Discourse Integration"
- username: "system"
- return_content: true
- status_code: 200
- register: discourse_api_key_response
- when: applications.discourse.master_api_key is defined
-
-- name: "Set fact for vault_discourse_api_key"
- set_fact:
- vault_discourse_api_key: "{{ discourse_api_key_response.json.key.key }}"
- when: discourse_api_key_response is defined and discourse_api_key_response.json.key is defined
diff --git a/roles/docker-wordpress/vars/discourse.yml b/roles/docker-wordpress/vars/discourse.yml
new file mode 100644
index 00000000..0e19169c
--- /dev/null
+++ b/roles/docker-wordpress/vars/discourse.yml
@@ -0,0 +1,9 @@
+# Defines WP Discourse plugin settings
+# @see https://github.com/discourse/wp-discourse
+
+discourse_settings:
+ publish_discourse_posts: true
+ discourse_url: "https://{{ domains.discourse }}"
+ discourse_api_key: "{{ vault_discourse_api_key }}"
+ discourse_username: "system"
+ discourse_use_sso: false
\ No newline at end of file
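Review bot: `discourse_api_key: "{{ vault_discourse_api_key }}"` in the new `vars/discourse.yml` reads a host fact that `tasks/discourse/generate-api-key.yml` sets at runtime, not a value from an Ansible Vault file as the `vault_` prefix suggests, and because that task regenerates the key on every run, every playbook run rotates the credential WordPress uses. A header comment such as `# discourse_api_key is filled at runtime by tasks/discourse/generate-api-key.yml (rotated on every run); it is not read from a vault file` would save the next reader from looking for a vault entry and make the rotation behaviour explicit. The file is also missing its trailing newline.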
diff --git a/roles/docker-wordpress/vars/wp_discourse.yml b/roles/docker-wordpress/vars/wp_discourse.yml deleted file mode 100644 index 084e9542..00000000 --- a/roles/docker-wordpress/vars/wp_discourse.yml +++ /dev/null @@ -1,10 +0,0 @@ -# Defines WP Discourse plugin settings -# @see https://github.com/discourse/wp-discourse - -discourse_settings: - publish_discourse_posts: true - discourse_url: "https://{{ domains.discourse }}" - discourse_api_key: "{{ applications.discourse.api_key }}" - discourse_username: "system" - discourse_use_sso: false # You can change this depending on your integration style - discourse_sso_secret: "{{ applications.wordpress.credentials.discourse_sso_secret | default('') }}" \ No newline at end of file diff --git a/templates/vars/applications.yml.j2 b/templates/vars/applications.yml.j2 index a7c27500..8ba3488a 100644 --- a/templates/vars/applications.yml.j2 +++ b/templates/vars/applications.yml.j2 @@ -815,7 +815,7 @@ defaults_applications: # password: # Password of the wordpress administrator email: "{{users.administrator.email}}" # Email of the wordpress adminsitrator plugins: - discourse: false + discourse: "{{ 'discourse' in group_names | lower }}" oidc: true {% endraw %}{{ features.render_features({ 'matomo': true,
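Review bot: In `discourse: "{{ 'discourse' in group_names | lower }}"` the filter binds tighter than `in`, so `lower` is applied to the `group_names` list; as far as I can tell Jinja's `lower` stringifies a non-string argument, which turns the check into a substring match on the list's string form, so any group whose name merely contains `discourse` would switch the plugin on. `"{{ 'discourse' in (group_names | map('lower') | list) }}"` gives an exact, case-insensitive group match. Since this sits inside `{% raw %}`, the expression is evaluated by Ansible at run time rather than when the template is rendered, which is presumably intended.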