Huge role refactoring/cleanup. Other commits will propably follow. Because some bugs will exist. Still important for longrun and also for auto docs/help/slideshow generation

roles/web-app-moodle/tasks/main.yml

@@ -0,0 +1,35 @@
+---
+- name: "include service-rdbms-central"
+  include_role: 
+    name: service-rdbms-central
+
+- name: "include role webserver-proxy-domain for {{application_id}}"
+  include_role:
+    name: webserver-proxy-domain
+  vars:
+    domain:   "{{ domains | get_domain(application_id) }}"
+    http_port:   "{{ ports.localhost.http[application_id] }}"
+
+- name: Wait until the Moodle container is healthy
+  shell: docker inspect --format '{% raw %}{{.State.Health.Status}}{% endraw %}' {{ container_name }}
+  register: health_check
+  until: health_check.stdout.strip() == "healthy"
+  retries: 120
+  delay: 5
+
+- name: "Include ownership settings tasks for moodle"
+  include_tasks: ownership.yml
+
+- name: "Configure OIDC login for Moodle if enabled"
+  include_tasks: oidc.yml
+  when: applications | is_feature_enabled('oidc',application_id)
+
+- name: Run Moodle system check
+  command: >
+    docker exec --user {{ bitnami_user }} {{ container_name }}
+    php /opt/bitnami/moodle/admin/cli/checks.php
+  register: moodle_checks
+  changed_when: false
+  failed_when: >
+    moodle_checks.rc != 0 or
+    "OK: All" not in moodle_checks.stdout

roles/web-app-moodle/tasks/oidc.yml

@@ -0,0 +1,60 @@
+---
+
+- name: Check if OIDC plugin is present in container
+  command: >
+    docker exec --user root {{ container_name }} test -d {{ bitnami_oidc_plugin_dir }}
+  register: oidc_plugin_check
+  ignore_errors: true
+  changed_when: false
+
+- name: Fail if plugin not present to avoid broken auth
+  fail:
+    msg: "OIDC plugin not present – skipping configuration"
+  when: oidc_plugin_check.rc != 0
+
+#- name: "Upgrade Moodle to apply OIDC plugin"
+#  command: "docker exec --user {{ bitnami_user }} {{ container_name }} php /opt/bitnami/moodle/admin/cli/upgrade.php --non-interactive"
+#
+#- name: Clear Moodle cache
+#  command: >
+#    docker exec --user {{ bitnami_user }} {{ container_name }} php /opt/bitnami/moodle/admin/cli/purge_caches.php
+
+- name: "Set Moodle OIDC configuration via CLI"
+  loop:
+    - { name: "idptype",              value: 3 }
+    - { name: "clientauthmethod",     value: 1 }  
+    - { name: "clientid",             value: "{{ oidc.client.id }}" }
+    - { name: "clientsecret",         value: "{{ oidc.client.secret }}" }
+    - { name: "opname",               value: "{{oidc.button_text}}" }
+    - { name: "oidcscope",            value: "openid profile email" }
+    - { name: "authendpoint",         value: "{{ oidc.client.authorize_url }}" }
+    - { name: "tokenendpoint",        value: "{{ oidc.client.token_url }}" }
+    - { name: "bindingusernameclaim", value: "{{ oidc.attributes.username }}" }
+    - { name: "single_sign_off",      value: 1 }  # Logs the user out from the IDP
+    - { name: "logouturi",            value: "{{ oidc.client.logout_url }}" }
+    - { name: "icon",                 value: "moodle:t/lock" }
+    - { name: "field_map_firstname",  value: "{{ oidc.attributes.given_name }}" }
+    - { name: "field_lock_firstname", value: "locked" }
+    - { name: "field_map_lastname",   value: "{{ oidc.attributes.family_name }}" }
+    - { name: "field_lock_lastname",  value: "locked" }
+    - { name: "field_map_email",      value: "locked" }
+    #- { name: "showloginform",        value: 0 }  # Deactivate if OIDC is active
+    - { name: "alternateloginurl",    value: "{{ domains | get_url(application_id, web_protocol) }}/auth/oidc/" }
+  loop_control:
+    label: "{{ item.name }}"
+  command: >
+    docker exec --user {{ bitnami_user }} {{ container_name }} php /opt/bitnami/moodle/admin/cli/cfg.php --component=auth_oidc
+    --name={{ item.name }} --set="{{ item.value }}"
+
+- name: "Enable OIDC login"
+  command: "docker exec --user {{ bitnami_user }} {{ container_name }} php /opt/bitnami/moodle/admin/cli/cfg.php --name=auth --set=oidc"
+
+- name: Set auth = 'oidc' for all users except guest
+  shell: >
+    docker exec {{ database_instance }} mariadb -u {{ database_username }} -p{{ database_password }}
+    -e "UPDATE moodle.mdl_user SET auth = 'oidc' WHERE username != 'guest';"
+  args:
+    executable: /bin/bash
+
+#- name: Prevent Account Creation
+#  command: docker exec --user {{ bitnami_user }} {{ container_name }} php /opt/bitnami/moodle/admin/cli/cfg.php --name=authpreventaccountcreation --set=1

roles/web-app-moodle/tasks/ownership.yml

@@ -0,0 +1,19 @@
+# This file sets the correct ownership rights for Moodle volumes
+
+- name: Set ownership and permissions on Moodle directories
+  vars:
+    moodle_dirs:
+      - "{{ bitnami_code_dir }}"
+      - "{{ bitnami_data_dir }}"
+  block:
+    - name: Ensure ownership is correct
+      command: "docker exec --user root {{ container_name }} chown -R {{ bitnami_user_group }} {{ item }}"
+      loop: "{{ moodle_dirs }}"
+
+    - name: Set directory permissions (770)
+      command: "docker exec --user root {{ container_name }} find {{ item }} -type d -exec chmod 770 {} \\;"
+      loop: "{{ moodle_dirs }}"
+
+    - name: Set file permissions (660)
+      command: "docker exec --user root {{ container_name }} find {{ item }} -type f -exec chmod 660 {} \\;"
+      loop: "{{ moodle_dirs }}"