Huge role refactoring/cleanup. Other commits will propably follow. Because some bugs will exist. Still important for longrun and also for auto docs/help/slideshow generation

roles/web-app-moodle/Administration.md

@@ -0,0 +1,58 @@
+# Administration
+
+## Moodle Docker Directory Path
+
+Moodle lives in: ``cd /opt/docker/moodle``
+
+## Upgrade 
+
+```bash
+docker exec --user daemon moodle php /opt/bitnami/moodle/admin/cli/upgrade.php --non-interactive
+```
+
+## Delete Cache
+
+To clean the cache execute:
+
+```bash
+docker exec --user daemon moodle php /opt/bitnami/moodle/admin/cli/purge_caches.php
+docker exec --user root moodle rm -rf \
+  /bitnami/moodledata/cache/* \
+  /bitnami/moodledata/localcache/* \
+  /bitnami/moodledata/temp/* \
+  /bitnami/moodledata/sessions/*
+docker restart moodle
+```
+
+## CLI
+
+A detailled Guid how to use the CLI in moodle you will find [here](https://docs.moodle.org/500/de/Administration_%C3%BCber_Kommandozeile).
+
+## General Administration Tasks
+
+### Radical Erase of Setup
+To manually erase the full moodle setup inkluding all data execute:
+
+**CLI:**
+
+```bash 
+cd /opt/docker/moodle && \
+docker compose down -v || {
+  echo "docker compose down failed, cleaning up manually"
+  rm -rv /mnt/hdd/data/docker/volumes/moodle_*
+  docker compose down -v
+} && \
+rm -rv /opt/docker/moodle
+``` 
+
+Afterwards login to the database and execute
+
+**MariaDB:**
+```sql
+DROP DATABASE IF EXISTS moodle;
+```
+
+to delete all data in the database related to this role. 
+
+### Virgin Setup
+After the installation you can rerun this role to create a fresh setup of Moodle. 

roles/web-app-moodle/README.md

@@ -0,0 +1,31 @@
+# Moodle
+
+## Description
+
+Ignite the learning experience with [Moodle](https://moodle.org/), a powerful and versatile platform for online education that energizes classrooms and fosters interactive learning. Moodle delivers a comprehensive set of tools for creating, managing, and sharing educational content, supporting collaboration among educators and learners alike.
+
+## Overview
+
+This role deploys Moodle using Docker, automating the setup of both the Moodle application and its underlying MariaDB database. It integrates with an Nginx reverse proxy to ensure secure and efficient web access and uses persistent storage to safeguard your data and configuration.
+
+## Features
+
+- **Comprehensive e-Learning Platform:** Offers an extensive array of features including course management, assessment tools, and collaborative resources.
+- **Customizable Interface:** Tailor the look and feel of your learning environment with numerous themes and plugins.
+- **Scalable Deployment:** Leverage Docker for a portable and scalable installation that adapts as your user base grows.
+- **Robust Data Management:** Secure and reliable storage of both the Moodle application and user data through Docker volumes.
+- **Secure Web Access:** Configured to work seamlessly behind an Nginx reverse proxy for enhanced security and performance.
+* **Single Sign-On (SSO) / OpenID Connect (OIDC):** Seamless integration with external identity providers for centralized authentication.
+
+## Further Resources
+
+- [Bitnami Moodle Container on GitHub](https://github.com/bitnami/containers/tree/main/bitnami/moodle)
+- [Moodle Official Website](https://moodle.org/)
+
+## Credits
+
+Developed and maintained by **Kevin Veen-Birkenbach**.  
+Learn more at [veen.world](https://www.veen.world).
+
+Part of the [CyMaIS Project](https://github.com/kevinveenbirkenbach/cymais)  
+Licensed under [CyMaIS NonCommercial License (CNCL)](https://s.veen.world/cncl).

roles/web-app-moodle/TODO.md

@@ -0,0 +1,2 @@
+# Todo
+- Check if sendmail needs to be installed. See [Issue](https://github.com/bitnami/containers/issues/63311).

roles/web-app-moodle/meta/main.yml

@@ -0,0 +1,23 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Ignite the learning experience with Moodle, a powerful and versatile platform for online education that energizes classrooms and fosters interactive learning."
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  galaxy_tags:
+    - moodle
+    - docker
+    - education
+    - cms
+    - e-learning
+  repository: "https://s.veen.world/cymais"
+  issue_tracker_url: "https://s.veen.world/cymaisissues"
+  documentation: "https://s.veen.world/cymais"
+  logo:
+    class: "fa-solid fa-graduation-cap"
+  run_after:
+    - "web-app-keycloak"

roles/web-app-moodle/meta/schema.yml

@@ -0,0 +1,5 @@
+credentials:
+  user_password:
+    description: "Initial password for the Moodle admin user"
+    algorithm: "sha256"
+    validation: "^[a-f0-9]{64}$"

roles/web-app-moodle/meta/users.yml

@@ -0,0 +1,3 @@
+users:
+  administrator:
+    username:         "administrator"

roles/web-app-moodle/tasks/main.yml

@@ -0,0 +1,35 @@
+---
+- name: "include service-rdbms-central"
+  include_role: 
+    name: service-rdbms-central
+
+- name: "include role webserver-proxy-domain for {{application_id}}"
+  include_role:
+    name: webserver-proxy-domain
+  vars:
+    domain:   "{{ domains | get_domain(application_id) }}"
+    http_port:   "{{ ports.localhost.http[application_id] }}"
+
+- name: Wait until the Moodle container is healthy
+  shell: docker inspect --format '{% raw %}{{.State.Health.Status}}{% endraw %}' {{ container_name }}
+  register: health_check
+  until: health_check.stdout.strip() == "healthy"
+  retries: 120
+  delay: 5
+
+- name: "Include ownership settings tasks for moodle"
+  include_tasks: ownership.yml
+
+- name: "Configure OIDC login for Moodle if enabled"
+  include_tasks: oidc.yml
+  when: applications | is_feature_enabled('oidc',application_id)
+
+- name: Run Moodle system check
+  command: >
+    docker exec --user {{ bitnami_user }} {{ container_name }}
+    php /opt/bitnami/moodle/admin/cli/checks.php
+  register: moodle_checks
+  changed_when: false
+  failed_when: >
+    moodle_checks.rc != 0 or
+    "OK: All" not in moodle_checks.stdout

roles/web-app-moodle/tasks/oidc.yml

@@ -0,0 +1,60 @@
+---
+
+- name: Check if OIDC plugin is present in container
+  command: >
+    docker exec --user root {{ container_name }} test -d {{ bitnami_oidc_plugin_dir }}
+  register: oidc_plugin_check
+  ignore_errors: true
+  changed_when: false
+
+- name: Fail if plugin not present to avoid broken auth
+  fail:
+    msg: "OIDC plugin not present – skipping configuration"
+  when: oidc_plugin_check.rc != 0
+
+#- name: "Upgrade Moodle to apply OIDC plugin"
+#  command: "docker exec --user {{ bitnami_user }} {{ container_name }} php /opt/bitnami/moodle/admin/cli/upgrade.php --non-interactive"
+#
+#- name: Clear Moodle cache
+#  command: >
+#    docker exec --user {{ bitnami_user }} {{ container_name }} php /opt/bitnami/moodle/admin/cli/purge_caches.php
+
+- name: "Set Moodle OIDC configuration via CLI"
+  loop:
+    - { name: "idptype",              value: 3 }
+    - { name: "clientauthmethod",     value: 1 }  
+    - { name: "clientid",             value: "{{ oidc.client.id }}" }
+    - { name: "clientsecret",         value: "{{ oidc.client.secret }}" }
+    - { name: "opname",               value: "{{oidc.button_text}}" }
+    - { name: "oidcscope",            value: "openid profile email" }
+    - { name: "authendpoint",         value: "{{ oidc.client.authorize_url }}" }
+    - { name: "tokenendpoint",        value: "{{ oidc.client.token_url }}" }
+    - { name: "bindingusernameclaim", value: "{{ oidc.attributes.username }}" }
+    - { name: "single_sign_off",      value: 1 }  # Logs the user out from the IDP
+    - { name: "logouturi",            value: "{{ oidc.client.logout_url }}" }
+    - { name: "icon",                 value: "moodle:t/lock" }
+    - { name: "field_map_firstname",  value: "{{ oidc.attributes.given_name }}" }
+    - { name: "field_lock_firstname", value: "locked" }
+    - { name: "field_map_lastname",   value: "{{ oidc.attributes.family_name }}" }
+    - { name: "field_lock_lastname",  value: "locked" }
+    - { name: "field_map_email",      value: "locked" }
+    #- { name: "showloginform",        value: 0 }  # Deactivate if OIDC is active
+    - { name: "alternateloginurl",    value: "{{ domains | get_url(application_id, web_protocol) }}/auth/oidc/" }
+  loop_control:
+    label: "{{ item.name }}"
+  command: >
+    docker exec --user {{ bitnami_user }} {{ container_name }} php /opt/bitnami/moodle/admin/cli/cfg.php --component=auth_oidc
+    --name={{ item.name }} --set="{{ item.value }}"
+
+- name: "Enable OIDC login"
+  command: "docker exec --user {{ bitnami_user }} {{ container_name }} php /opt/bitnami/moodle/admin/cli/cfg.php --name=auth --set=oidc"
+
+- name: Set auth = 'oidc' for all users except guest
+  shell: >
+    docker exec {{ database_instance }} mariadb -u {{ database_username }} -p{{ database_password }}
+    -e "UPDATE moodle.mdl_user SET auth = 'oidc' WHERE username != 'guest';"
+  args:
+    executable: /bin/bash
+
+#- name: Prevent Account Creation
+#  command: docker exec --user {{ bitnami_user }} {{ container_name }} php /opt/bitnami/moodle/admin/cli/cfg.php --name=authpreventaccountcreation --set=1

roles/web-app-moodle/tasks/ownership.yml

@@ -0,0 +1,19 @@
+# This file sets the correct ownership rights for Moodle volumes
+
+- name: Set ownership and permissions on Moodle directories
+  vars:
+    moodle_dirs:
+      - "{{ bitnami_code_dir }}"
+      - "{{ bitnami_data_dir }}"
+  block:
+    - name: Ensure ownership is correct
+      command: "docker exec --user root {{ container_name }} chown -R {{ bitnami_user_group }} {{ item }}"
+      loop: "{{ moodle_dirs }}"
+
+    - name: Set directory permissions (770)
+      command: "docker exec --user root {{ container_name }} find {{ item }} -type d -exec chmod 770 {} \\;"
+      loop: "{{ moodle_dirs }}"
+
+    - name: Set file permissions (660)
+      command: "docker exec --user root {{ container_name }} find {{ item }} -type f -exec chmod 660 {} \\;"
+      loop: "{{ moodle_dirs }}"

roles/web-app-moodle/templates/Dockerfile.j2

@@ -0,0 +1,16 @@
+FROM bitnami/moodle:{{ applications[application_id].version }}
+
+{% if applications | is_feature_enabled('oidc', application_id) %}
+RUN install_packages unzip curl jq \
+ && VERSION=$(curl -s https://api.github.com/repos/microsoft/moodle-auth_oidc/tags \
+      | jq -r '.[].name' \
+      | grep v{{ applications[application_id].version }} \
+      | sort -Vr \
+      | head -n1) \
+ && echo "Using version $VERSION" \
+ && curl -L -o /tmp/oidc.zip https://github.com/microsoft/moodle-auth_oidc/archive/refs/tags/${VERSION}.zip \
+ && unzip /tmp/oidc.zip -d /tmp \
+ && mv /tmp/moodle-auth_oidc-* {{ bitnami_oidc_plugin_dir }} \
+ && chown -R {{ bitnami_user_group }} {{ bitnami_oidc_plugin_dir }} \
+ && rm -rf /tmp/oidc.zip
+{% endif %}

roles/web-app-moodle/templates/docker-compose.yml.j2

@@ -0,0 +1,25 @@
+{% include 'roles/docker-compose/templates/base.yml.j2' %}
+
+  moodle:
+{% set container_port = 8080 %}
+    container_name: {{ container_name }}
+    build:
+      context: .
+      dockerfile: Dockerfile
+    image: moodle_custom
+    ports:
+      - 127.0.0.1:{{ports.localhost.http[application_id]}}:{{ container_port }}
+{% include 'roles/docker-container/templates/base.yml.j2' %}
+    volumes:
+      - 'code:{{ bitnami_code_link }}'
+      - 'data:{{ bitnami_data_dir }}'
+{% include 'roles/docker-container/templates/healthcheck/tcp.yml.j2' %}
+{% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %}
+{% include 'roles/docker-container/templates/networks.yml.j2' %}
+
+{% include 'roles/docker-compose/templates/volumes.yml.j2' %}
+  code:
+  data:
+
+{% include 'roles/docker-compose/templates/networks.yml.j2' %}
+  

roles/web-app-moodle/templates/env.j2

@@ -0,0 +1,24 @@
+
+# General 
+MOODLE_SITE_NAME="{{applications[application_id].site_titel}}"
+MOODLE_HOST="{{ domains | get_domain(application_id) }}"
+MOODLE_SSLPROXY=yes
+MOODLE_REVERSE_PROXY=yes
+MOODLE_USERNAME={{applications[application_id].users.administrator.username}}
+MOODLE_PASSWORD={{applications[application_id].credentials.user_password}}
+MOODLE_EMAIL={{applications[application_id].users.administrator.email}}
+BITNAMI_DEBUG={% if enable_debug | bool %}true{% else %}false{% endif %}
+
+# Database
+MOODLE_DATABASE_HOST={{database_host}}
+MOODLE_DATABASE_PORT_NUMBER={{database_port}}
+MOODLE_DATABASE_USER={{database_username}}
+MOODLE_DATABASE_NAME={{database_name}}
+MOODLE_DATABASE_PASSWORD={{database_password}}
+
+# SMTP 
+MOODLE_SMTP_HOST={{ system_email.host }}
+MOODLE_SMTP_PORT_NUMBER={{ system_email.port }}
+MOODLE_SMTP_USER={{ users['no-reply'].email }}
+MOODLE_SMTP_PASSWORD={{ users['no-reply'].mailu_token }}
+MOODLE_SMTP_PROTOCOL={{ 'ssl' if system_email.tls else ('tls' if system_email.start_tls else '') }}

roles/web-app-moodle/vars/configuration.yml

@@ -0,0 +1,31 @@
+site_titel:           "Academy on {{primary_domain}}"
+version:              "4.5"                                 # Latest LTS - Necessary for OIDC
+features:
+  matomo:             true
+  css:                false
+  portfolio_iframe:   true
+  central_database:   true
+  oidc:               true
+csp:
+  flags:
+    script-src-elem:
+      unsafe-inline:  true
+      unsafe-eval:    true
+    script-src:
+      unsafe-eval:    true
+    style-src:
+      unsafe-inline:  true
+      unsafe-eval:    true
+  whitelist:
+    font-src:
+      - "data:"
+      - "blob:"
+    script-src-elem:
+      - "https://cdn.jsdelivr.net"
+domains:
+  canonical:
+    - "academy.{{ primary_domain }}"
+docker:
+  services:
+    database:
+      enabled: true

roles/web-app-moodle/vars/main.yml

@@ -0,0 +1,10 @@
+---
+application_id:           "moodle"
+database_type:            "mariadb"
+container_name:           "{{ application_id }}"
+bitnami_code_link:        "/bitnami/moodle"
+bitnami_code_dir:         "/opt{{bitnami_code_link}}"
+bitnami_data_dir:         "/bitnami/moodledata"
+bitnami_oidc_plugin_dir:  "{{ bitnami_code_dir }}/auth/oidc"
+bitnami_user:             "daemon"  
+bitnami_user_group:       "{{ bitnami_user }}:{{ bitnami_user }}"