kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-08-29 15:06:26 +02:00
Code Issues Packages Projects Releases Wiki Activity

Huge role refactoring/cleanup. Other commits will propably follow. Because some bugs will exist. Still important for longrun and also for auto docs/help/slideshow generation

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach
2025-07-08 23:43:13 +02:00
parent 6b87a049d4
commit 563d5fd528
1242 changed files with 2301 additions and 1355 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
roles/web-app-taiga/Development.md Normal file
View File

@@ -0,0 +1,37 @@
# Development Notes
## Build front container
```bash
docker compose up -d --force-recreate taiga-front
```
## Debug
Verify front configuration:
```bash
docker compose exec -it taiga-front cat /usr/share/nginx/html/conf.json
```
Verify the backend configuration:
```bash
docker compose exec -it taiga-back cat /taiga-back/settings/local.py
```
## Additional Configuration for plugin
```bash
# ENABLE_OPENID Plugin
ENABLE_OPENID = os.getenv('ENABLE_OPENID', 'False') == 'True'
if ENABLE_OPENID:
INSTALLED_APPS += [
"taiga_contrib_openid_auth"
]
OPENID_USER_URL = os.getenv('OPENID_USER_URL')
OPENID_TOKEN_URL = os.getenv('OPENID_TOKEN_URL')
OPENID_CLIENT_ID = os.getenv('OPENID_CLIENT_ID')
OPENID_CLIENT_SECRET = os.getenv('OPENID_CLIENT_SECRET')
OPENID_SCOPE = os.getenv('OPENID_SCOPE')
OPENID_FILTER = os.getenv('OPENID_FILTER')
OPENID_FILTER_FIELD = os.getenv('OPENID_FILTER_FIELD')
```

54
roles/web-app-taiga/README.md Normal file
View File

@@ -0,0 +1,54 @@
# Taiga
## Description
[Taiga](https://www.taiga.io/) is a powerful and intuitive open-source project management platform tailored for agile teams. Whether you're practicing Scrum, Kanban, or a custom hybrid workflow, Taiga offers a rich, customizable environment to plan, track, and collaborate on your projects — without the complexity of enterprise tools or the vendor lock-in of SaaS platforms.
This Ansible role deploys Taiga in a Docker-based environment, allowing fast, reproducible, and secure installations. It also optionally integrates [OpenID Connect (OIDC)](https://openid.net/connect/) for single sign-on via providers like Keycloak.
---
## Why Taiga?
Taiga is ideal for developers, designers, and agile teams who want:
-**Beautiful UI:** Clean, modern, and responsive interface.
- 📌 **Agile Workflows:** Supports Scrum, Kanban, Scrumban, and Epics.
- 🗃️ **Backlog & Sprint Management:** Create user stories, tasks, and sprints with ease.
- 📈 **Burn-down Charts & Metrics:** Monitor velocity and progress.
- 🔄 **Custom Workflows:** Define your own states, priorities, and permissions.
- 📎 **Attachments & Wiki:** Collaborate with file uploads and internal documentation.
- 🔐 **SSO/Authentication Plugins:** OpenID Connect, LDAP, GitHub, GitLab and more.
- 🌍 **Multilingual UI:** Used by teams worldwide.
---
## Purpose
This role automates the deployment and configuration of a complete, production-ready Taiga stack using Docker Compose. It ensures integration with common infrastructure tools such as Nginx, PostgreSQL, and RabbitMQ, while optionally enabling OpenID Connect authentication for enterprise-grade SSO.
By using this role, teams can set up Taiga in minutes on Arch Linux systems — whether in a homelab, dev environment, or production cluster.
---
## Features
- 🐳 **Docker-Based Deployment:** Easy containerized setup of backend, frontend, async workers, and events service.
- 🔐 **OIDC (Single Sign-On):** Supported via:
- [taiga-contrib-openid-auth (robrotheram)](https://github.com/robrotheram/taiga-contrib-openid-auth)
- [taiga-contrib-oidc-auth (official)](https://github.com/taigaio/taiga-contrib-oidc-auth)
- 📨 **Email Backend:** Supports SMTP and console backends for development.
- 🔁 **Async & Realtime Events:** Includes RabbitMQ and support for Taigas event system.
- 🌐 **Reverse Proxy Ready:** Integrates with Nginx using the `webserver-proxy-domain` role.
- 🧩 **Composable Design:** Integrates cleanly with other CyMaIS infrastructure roles.
---
## Author
Developed and maintained by **Kevin Veen-Birkenbach**
Email: [kevin@veen.world](mailto:kevin@veen.world)
Website: [veen.world](https://www.veen.world)
Part of the [CyMaIS Project](https://github.com/kevinveenbirkenbach/cymais)
License: [CyMaIS NonCommercial License (CNCL)](https://s.veen.world/cncl)

34
roles/web-app-taiga/meta/main.yml Normal file
View File

@@ -0,0 +1,34 @@
---
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: >
Supercharge your project management with Taiga—a dynamic, agile tool designed for teams that thrive on creativity and collaboration.
Experience a vibrant interface, robust task tracking, and an energetic platform that drives your projects to success.
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
min_ansible_version: "2.9"
platforms:
- name: Archlinux
versions:
- rolling
galaxy_tags:
- taiga
- docker
- project-management
- oidc
- openid
- archlinux
- cymais
repository: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
logo:
class: "fa-solid fa-tasks"
run_after:
- service-rdbms-postgres
- web-app-matomo
- web-app-keycloak

5
roles/web-app-taiga/meta/schema.yml Normal file
View File

@@ -0,0 +1,5 @@
credentials:
secret_key:
description: "Django SECRET_KEY used for cryptographic signing in Taiga"
algorithm: "sha256"
validation: "^[a-f0-9]{64}$"

26
roles/web-app-taiga/tasks/main.yml Normal file
View File

@@ -0,0 +1,26 @@
---
- name: "include service-rdbms-central"
include_role:
name: service-rdbms-central
- name: "include role webserver-proxy-domain for {{application_id}}"
include_role:
name: webserver-proxy-domain
vars:
domain: "{{ domains | get_domain(application_id) }}"
http_port: "{{ ports.localhost.http[application_id] }}"
- name: "copy templates {{ settings_files }} for taiga-contrib-oidc-auth"
template:
src: "taiga/{{item}}.py.j2"
dest: "{{ docker_compose.directories.config }}taiga-{{item}}.py"
when: applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'taigaio'
notify: docker compose up
loop: "{{ settings_files }}"
- name: "create {{docker_compose_init}}"
template:
src: "docker-compose-inits.yml.j2"
dest: "{{docker_compose_init}}"
notify: docker compose up

14
roles/web-app-taiga/templates/docker-compose-inits.yml.j2 Normal file
View File

@@ -0,0 +1,14 @@
services:
taiga-manage:
image: taigaio/taiga-back:latest
environment:
CELERY_ENABLED: "False"
{% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %}
{% include 'roles/docker-container/templates/networks.yml.j2' %}
entrypoint: "python manage.py"
volumes:
- static-data:/taiga-back/static
- media-data:/taiga-back/media
# - ./config.py:/taiga-back/settings/config.py
{% include 'roles/docker-compose/templates/networks.yml.j2' %}
taiga:

136
roles/web-app-taiga/templates/docker-compose.yml.j2 Normal file
View File

@@ -0,0 +1,136 @@
{% include 'roles/docker-compose/templates/base.yml.j2' %}
taiga-back:
{% include 'roles/docker-container/templates/base.yml.j2' %}
image: {{taiga_image_backend}}:{{applications.taiga.version}}
volumes:
# These volumens will be used by taiga-back and taiga-async.
- static-data:/taiga-back/static
- media-data:/taiga-back/media
# - ./config.py:/taiga-back/settings/config.py
{% if applications | is_feature_enabled('oidc',application_id) and applications[application_id].oidc.flavor == 'taigaio' %}
- {{ docker_compose.directories.config }}taiga-local.py:/taiga-back/settings/local.py:ro
{% endif %}
{% include 'roles/docker-container/templates/networks.yml.j2' %}
taiga:
{% include 'roles/docker-container/templates/depends_on/dmbs_incl.yml.j2' %}
taiga-events-rabbitmq:
condition: service_started
taiga-async-rabbitmq:
condition: service_started
{% if applications | is_feature_enabled('oidc',application_id) and applications[application_id].oidc.flavor == 'taigaio' %}
command: >
/bin/sh -c "
pip install taiga-contrib-oidc-auth &&
/taiga-back/docker/entrypoint.sh"
{% endif %}
taiga-async:
{% include 'roles/docker-container/templates/base.yml.j2' %}
image: {{taiga_image_backend}}:{{applications.taiga.version}}
entrypoint: ["/taiga-back/docker/async_entrypoint.sh"]
volumes:
# These volumens will be used by taiga-back and taiga-async.
- static-data:/taiga-back/static
- media-data:/taiga-back/media
# - ./config.py:/taiga-back/settings/config.py
{% if applications | is_feature_enabled('oidc',application_id) and applications[application_id].oidc.flavor == 'taigaio' %}
{% for item in settings_files %}
- {{ docker_compose.directories.config }}taiga-{{ item }}.py:/taiga-back/settings/{{ item }}.py:ro
{% endfor %}
{% endif %}
{% include 'roles/docker-container/templates/networks.yml.j2' %}
taiga:
{% include 'roles/docker-container/templates/depends_on/dmbs_incl.yml.j2' %}
taiga-events-rabbitmq:
condition: service_started
taiga-async-rabbitmq:
condition: service_started
{% if applications | is_feature_enabled('oidc',application_id) and applications[application_id].oidc.flavor == 'taigaio' %}
command: >
/bin/sh -c "
pip install taiga-contrib-oidc-auth &&
/taiga-back/docker/entrypoint.sh"
{% endif %}
taiga-async-rabbitmq:
image: rabbitmq:3.8-management-alpine
hostname: "taiga-async-rabbitmq"
volumes:
- async-rabbitmq-data:/var/lib/rabbitmq
{% include 'roles/docker-container/templates/base.yml.j2' %}
{% include 'roles/docker-container/templates/networks.yml.j2' %}
taiga:
taiga-front:
image: {{taiga_image_frontend}}:{{applications.taiga.version}}
{% include 'roles/docker-container/templates/base.yml.j2' %}
{% include 'roles/docker-container/templates/networks.yml.j2' %}
taiga:
# volumes:
# - {{ taiga_frontend_conf_path }}:/usr/share/nginx/html/conf.json:ro
taiga-events:
image: taigaio/taiga-events:latest
{% include 'roles/docker-container/templates/base.yml.j2' %}
{% include 'roles/docker-container/templates/networks.yml.j2' %}
taiga:
depends_on:
taiga-events-rabbitmq:
condition: service_started
taiga-events-rabbitmq:
image: rabbitmq:3.8-management-alpine
hostname: "events-rabbitmq"
volumes:
- events-rabbitmq-data:/var/lib/rabbitmq
{% include 'roles/docker-container/templates/base.yml.j2' %}
{% include 'roles/docker-container/templates/networks.yml.j2' %}
taiga:
taiga-protected:
image: taigaio/taiga-protected:latest
{% include 'roles/docker-container/templates/base.yml.j2' %}
{% include 'roles/docker-container/templates/networks.yml.j2' %}
taiga:
taiga-gateway:
image: nginx:alpine
ports:
- "127.0.0.1:{{ports.localhost.http[application_id]}}:80"
volumes:
- {{docker_repository_path}}taiga-gateway/taiga.conf:/etc/nginx/conf.d/default.conf
- static-data:/taiga/static
- media-data:/taiga/media
{% include 'roles/docker-container/templates/base.yml.j2' %}
{% include 'roles/docker-container/templates/networks.yml.j2' %}
taiga:
depends_on:
- taiga-front
- taiga-back
- taiga-events
{% include 'roles/docker-compose/templates/volumes.yml.j2' %}
static-data:
media-data:
async-rabbitmq-data:
events-rabbitmq-data:
{% include 'roles/docker-compose/templates/networks.yml.j2' %}
taiga:

90
roles/web-app-taiga/templates/env.j2 Normal file
View File

@@ -0,0 +1,90 @@
# Taiga's URLs - Variables to define where Taiga should be served
TAIGA_SITES_SCHEME = https # serve Taiga using "http" or "https" (secured) connection
TAIGA_SITES_DOMAIN = "{{domains | get_domain(application_id)}}" # Taiga's base URL
TAIGA_SUBPATH = "" # it'll be appended to the TAIGA_DOMAIN (use either "" or a "/subpath")
WEBSOCKETS_SCHEME = wss # events connection protocol (use either "ws" or "wss")
# Taiga's Secret Key - Variable to provide cryptographic signing
TAIGA_SECRET_KEY = "{{applications[application_id].credentials.secret_key}}"
SECRET_KEY = "{{applications[application_id].credentials.secret_key}}"
# Taiga's Database settings - Variables to create the Taiga database and connect to it
POSTGRES_USER = "{{database_username}}" # user to connect to PostgreSQL
POSTGRES_PASSWORD = "{{database_password}}" # database user's password
POSTGRES_DB = "{{database_name}}"
POSTGRES_HOST = "{{database_host}}"
# Taiga's SMTP settings - Variables to send Taiga's emails to the users
EMAIL_BACKEND = "{{email_backend}}" # use an SMTP server or display the emails in the console (either "smtp" or "console")
EMAIL_HOST = "{{system_email.host}}" # SMTP server address
EMAIL_PORT = "{{system_email.port}}" # default SMTP port
EMAIL_HOST_USER = "{{ users['no-reply'].email }}" # user to connect the SMTP server
EMAIL_HOST_PASSWORD = "{{ users['no-reply'].mailu_token }}" # SMTP user's password
EMAIL_DEFAULT_FROM = "{{ users['no-reply'].email }}" # default email address for the automated emails
EMAIL_BACKEND: = "django.core.mail.backends.{{email_backend}}.EmailBackend"
DEFAULT_FROM_EMAIL = "{{ users['no-reply'].email }}"
# EMAIL_USE_TLS/EMAIL_USE_SSL are mutually exclusive (only set one of those to True)
EMAIL_USE_TLS = "{{ system_email.tls | capitalize }}" # use TLS (secure) connection with the SMTP server
EMAIL_USE_SSL = "{{ 'False' if system_email.start_tls else 'True' }}" # use implicit TLS (secure) connection with the SMTP server
RABBITMQ_USER=taiga
RABBITMQ_PASS=taiga
RABBITMQ_VHOST=taiga
# Taiga's RabbitMQ settings - Variables to leave messages for the realtime and asynchronous events
RABBITMQ_DEFAULT_RABBITMQ_USER = taiga # user to connect to RabbitMQ
RABBITMQ_DEFAULT_RABBITMQ_PASS = taiga # RabbitMQ user's password
RABBITMQ_DEFAULT_RABBITMQ_VHOST = taiga # RabbitMQ container name
RABBITMQ_ERLANG_COOKIE = secret-erlang-cookie # unique value shared by any connected instance of RabbitMQ
# Taiga's Attachments - Variable to define how long the attachments will be accesible
ATTACHMENTS_MAX_AG = 360 # token expiration date (in seconds)
MAX_AGE = 360
# Taiga's Telemetry - Variable to enable or disable the anonymous telemetry
ENABLE_TELEMETRY = True
{% if applications | is_feature_enabled('oidc',application_id) %}
{% if applications[application_id].oidc.flavor == 'taigaio' %}
# OIDC via taigaio official contrib
# @See https://github.com/taigaio/taiga-contrib-oidc-auth
OIDC_RP_CLIENT_ID="{{ oidc.client.id }}"
OIDC_RP_CLIENT_SECRET="{{ oidc.client.secret }}"
OIDC_OP_AUTHORIZATION_ENDPOINT="{{ oidc.client.authorize_url }}"
OIDC_OP_TOKEN_ENDPOINT="{{ oidc.client.token_url }}"
OIDC_OP_USER_ENDPOINT="{{ oidc.client.user_info_url }}"
OIDC_RP_SIGN_ALGO="RS256"
OIDC_RP_SCOPES="openid profile email"
OIDC_OP_JWKS_ENDPOINT="{{ oidc.client.certs }}"
{% endif %}
{% if applications[application_id].oidc.flavor == 'robrotheram' %}
# OIDC via robrotheram
# @see https://github.com/robrotheram/taiga-contrib-openid-auth
ENABLE_OPENID=True
OPENID_URL="{{oidc.client.authorize_url}}"
OPENID_USER_URL="{{oidc.client.user_info_url}}"
OPENID_TOKEN_URL="{{oidc.client.token_url}}"
OPENID_CLIENT_ID="{{oidc.client.id}}"
OPENID_CLIENT_SECRET="{{oidc.client.secret}}"
OPENID_NAME="{{oidc.button_text}}"
OPENID_USERNAME_FIELD="{{oidc.attributes.username}}"
# Optional:
# OPENID_ID_FIELD="sub"
# OPENID_FULLNAME_FIELD="name"
# OPENID_EMAIL_FIELD="email"
# OPENID_SCOPE="openid email"
# OPENID_FILTER = "taiga_users,taiga_admins"
# OPENID_FILTER_FIELD = "groups"
{% endif %}
{% endif %}

23
roles/web-app-taiga/templates/oidc/local.py.j2 Normal file
View File

@@ -0,0 +1,23 @@
INSTALLED_APPS += [
"mozilla_django_oidc",
"taiga_contrib_oidc_auth",
]
AUTHENTICATION_BACKENDS = list(AUTHENTICATION_BACKENDS) + [
"taiga_contrib_oidc_auth.oidc.TaigaOIDCAuthenticationBackend",
]
ROOT_URLCONF = "settings.urls"
import os
OIDC_CALLBACK_CLASS = "taiga_contrib_oidc_auth.views.TaigaOIDCAuthenticationCallbackView"
OIDC_RP_SCOPES = os.getenv("OIDC_RP_SCOPES")
OIDC_RP_SIGN_ALGO = os.getenv("OIDC_RP_SIGN_ALGO")
#OIDC_BASE_URL = "" @todo remove if not needed
OIDC_OP_JWKS_ENDPOINT = os.getenv("OIDC_OP_JWKS_ENDPOINT")
OIDC_OP_AUTHORIZATION_ENDPOINT = os.getenv("OIDC_OP_AUTHORIZATION_ENDPOINT")
OIDC_OP_TOKEN_ENDPOINT = os.getenv("OIDC_OP_TOKEN_ENDPOINT")
OIDC_OP_USER_ENDPOINT = os.getenv("OIDC_OP_USER_ENDPOINT")
OIDC_RP_CLIENT_ID = os.getenv("OIDC_RP_CLIENT_ID")
OIDC_RP_CLIENT_SECRET = os.getenv("OIDC_RP_CLIENT_SECRET")

4
roles/web-app-taiga/templates/oidc/urls.py Normal file
View File

@@ -0,0 +1,4 @@
from taiga.urls import *
urlpatterns += [
url(r"^oidc/", include("mozilla_django_oidc.urls")),
]

30
roles/web-app-taiga/vars/configuration.yml Normal file
View File

@@ -0,0 +1,30 @@
version: "latest"
oidc: {}
# Taiga doesn't have a functioning oidc support at the moment
# See
# - https://community.taiga.io/t/taiga-and-oidc-plugin/4866
#
# Due to this reason this plutin is deactivated atm
flavor: 'taigaio' # Potential flavors: robrotheram, taigaio
features:
matomo: true
css: false
portfolio_iframe: true
oidc: false
central_database: true
docker:
services:
database:
enabled: true
csp:
flags:
script-src-elem:
unsafe-inline: true
unsafe-eval: true
style-src:
unsafe-inline: true
script-src:
unsafe-eval: true
domains:
canonical:
- "kanban.{{ primary_domain }}"

16
roles/web-app-taiga/vars/main.yml Normal file
View File

@@ -0,0 +1,16 @@
application_id: "taiga"
database_type: "postgres"
docker_repository_address: "https://github.com/taigaio/taiga-docker"
email_backend: "smtp" ## use an SMTP server or display the emails in the console (either "smtp" or "console")
docker_compose_init: "{{docker_compose.directories.instance}}docker-compose-inits.yml.j2"
taiga_image_backend: >-
{{ 'robrotheram/taiga-back-openid' if applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'robrotheram'
else 'taigaio/taiga-back' }}
taiga_image_frontend: >-
{{ 'robrotheram/taiga-front-openid' if applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'robrotheram'
else 'taigaio/taiga-front' }}
taiga_frontend_conf_path: "{{docker_compose.directories.config}}conf.json"
docker_repository: true
settings_files:
- urls
- local