Huge role refactoring/cleanup. Other commits will propably follow. Because some bugs will exist. Still important for longrun and also for auto docs/help/slideshow generation

2025-08-29 15:06:26 +02:00 · 2025-07-08 23:43:13 +02:00
parent 6b87a049d4
commit 563d5fd528
1242 changed files with 2301 additions and 1355 deletions
--- a/roles/web-app-taiga/templates/docker-compose-inits.yml.j2
+++ b/roles/web-app-taiga/templates/docker-compose-inits.yml.j2
@@ -0,0 +1,14 @@
+services:
+  taiga-manage:
+    image: taigaio/taiga-back:latest
+    environment:
+      CELERY_ENABLED: "False"
+{% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %}
+{% include 'roles/docker-container/templates/networks.yml.j2' %}
+    entrypoint: "python manage.py"
+    volumes:
+      - static-data:/taiga-back/static
+      - media-data:/taiga-back/media
+      # - ./config.py:/taiga-back/settings/config.py
+{% include 'roles/docker-compose/templates/networks.yml.j2' %}
+  taiga:
--- a/roles/web-app-taiga/templates/docker-compose.yml.j2
+++ b/roles/web-app-taiga/templates/docker-compose.yml.j2
@@ -0,0 +1,136 @@
+{% include 'roles/docker-compose/templates/base.yml.j2' %}
+
+  taiga-back:
+{% include 'roles/docker-container/templates/base.yml.j2' %}
+    image: {{taiga_image_backend}}:{{applications.taiga.version}}
+    volumes:
+      # These volumens will be used by taiga-back and taiga-async.
+      - static-data:/taiga-back/static
+      - media-data:/taiga-back/media
+      # - ./config.py:/taiga-back/settings/config.py
+
+{% if applications | is_feature_enabled('oidc',application_id) and applications[application_id].oidc.flavor == 'taigaio' %}
+
+      - {{ docker_compose.directories.config }}taiga-local.py:/taiga-back/settings/local.py:ro
+
+{% endif %}
+
+{% include 'roles/docker-container/templates/networks.yml.j2' %}
+      taiga:
+{% include 'roles/docker-container/templates/depends_on/dmbs_incl.yml.j2' %}
+      taiga-events-rabbitmq:
+        condition: service_started
+      taiga-async-rabbitmq:
+        condition: service_started
+{% if applications | is_feature_enabled('oidc',application_id) and applications[application_id].oidc.flavor == 'taigaio' %}
+    
+    command: >
+      /bin/sh -c "
+        pip install taiga-contrib-oidc-auth &&
+        /taiga-back/docker/entrypoint.sh"
+
+{% endif %}
+
+
+  taiga-async:
+{% include 'roles/docker-container/templates/base.yml.j2' %}
+    image: {{taiga_image_backend}}:{{applications.taiga.version}}
+    entrypoint: ["/taiga-back/docker/async_entrypoint.sh"]
+    volumes:
+      # These volumens will be used by taiga-back and taiga-async.
+      - static-data:/taiga-back/static
+      - media-data:/taiga-back/media
+      # - ./config.py:/taiga-back/settings/config.py
+
+{% if applications | is_feature_enabled('oidc',application_id) and applications[application_id].oidc.flavor == 'taigaio' %}
+
+{% for item in settings_files %}
+      - {{ docker_compose.directories.config }}taiga-{{ item }}.py:/taiga-back/settings/{{ item }}.py:ro
+{% endfor %}
+
+{% endif %}
+
+{% include 'roles/docker-container/templates/networks.yml.j2' %}
+      taiga:
+{% include 'roles/docker-container/templates/depends_on/dmbs_incl.yml.j2' %}
+      taiga-events-rabbitmq:
+        condition: service_started
+      taiga-async-rabbitmq:
+        condition: service_started
+{% if applications | is_feature_enabled('oidc',application_id) and applications[application_id].oidc.flavor == 'taigaio' %}
+    
+    command: >
+      /bin/sh -c "
+        pip install taiga-contrib-oidc-auth &&
+        /taiga-back/docker/entrypoint.sh"
+        
+{% endif %}
+
+  taiga-async-rabbitmq:
+    image: rabbitmq:3.8-management-alpine
+    hostname: "taiga-async-rabbitmq"
+    volumes:
+      - async-rabbitmq-data:/var/lib/rabbitmq
+{% include 'roles/docker-container/templates/base.yml.j2' %}
+{% include 'roles/docker-container/templates/networks.yml.j2' %}
+      taiga:
+
+  taiga-front:
+    image: {{taiga_image_frontend}}:{{applications.taiga.version}}
+{% include 'roles/docker-container/templates/base.yml.j2' %}
+{% include 'roles/docker-container/templates/networks.yml.j2' %}
+      taiga:
+#    volumes:
+#      - {{ taiga_frontend_conf_path }}:/usr/share/nginx/html/conf.json:ro
+
+  taiga-events:
+    image: taigaio/taiga-events:latest
+{% include 'roles/docker-container/templates/base.yml.j2' %}
+{% include 'roles/docker-container/templates/networks.yml.j2' %}
+      taiga:
+    depends_on:
+      taiga-events-rabbitmq:
+        condition: service_started
+
+  taiga-events-rabbitmq:
+    image: rabbitmq:3.8-management-alpine
+    hostname: "events-rabbitmq"
+    volumes:
+      - events-rabbitmq-data:/var/lib/rabbitmq
+{% include 'roles/docker-container/templates/base.yml.j2' %}
+
+{% include 'roles/docker-container/templates/networks.yml.j2' %}
+      taiga:
+
+  taiga-protected:
+    image: taigaio/taiga-protected:latest
+{% include 'roles/docker-container/templates/base.yml.j2' %}
+
+{% include 'roles/docker-container/templates/networks.yml.j2' %}
+      taiga:
+
+  taiga-gateway:
+    image: nginx:alpine
+    ports:
+      - "127.0.0.1:{{ports.localhost.http[application_id]}}:80"
+    volumes:
+      - {{docker_repository_path}}taiga-gateway/taiga.conf:/etc/nginx/conf.d/default.conf
+      - static-data:/taiga/static
+      - media-data:/taiga/media
+{% include 'roles/docker-container/templates/base.yml.j2' %}
+
+{% include 'roles/docker-container/templates/networks.yml.j2' %}
+      taiga:
+    depends_on:
+      - taiga-front
+      - taiga-back
+      - taiga-events
+
+{% include 'roles/docker-compose/templates/volumes.yml.j2' %}
+  static-data:
+  media-data:
+  async-rabbitmq-data:
+  events-rabbitmq-data:
+
+{% include 'roles/docker-compose/templates/networks.yml.j2' %}
+  taiga:
--- a/roles/web-app-taiga/templates/env.j2
+++ b/roles/web-app-taiga/templates/env.j2
@@ -0,0 +1,90 @@
+# Taiga's URLs - Variables to define where Taiga should be served
+TAIGA_SITES_SCHEME  =   https          # serve Taiga using "http" or "https" (secured) connection
+TAIGA_SITES_DOMAIN  =   "{{domains | get_domain(application_id)}}"   # Taiga's base URL
+  
+TAIGA_SUBPATH       =   ""  # it'll be appended to the TAIGA_DOMAIN (use either "" or a "/subpath")
+WEBSOCKETS_SCHEME   =   wss # events connection protocol (use either "ws" or "wss")
+
+# Taiga's Secret Key - Variable to provide cryptographic signing
+TAIGA_SECRET_KEY    =   "{{applications[application_id].credentials.secret_key}}"
+SECRET_KEY          =   "{{applications[application_id].credentials.secret_key}}"
+
+# Taiga's Database settings - Variables to create the Taiga database and connect to it
+POSTGRES_USER       =   "{{database_username}}"       # user to connect to PostgreSQL
+POSTGRES_PASSWORD   =   "{{database_password}}"   # database user's password
+POSTGRES_DB         =   "{{database_name}}"
+POSTGRES_HOST       =   "{{database_host}}"
+
+# Taiga's SMTP settings - Variables to send Taiga's emails to the users
+EMAIL_BACKEND       =   "{{email_backend}}"          # use an SMTP server or display the emails in the console (either "smtp" or "console")
+EMAIL_HOST          =   "{{system_email.host}}"      # SMTP server address
+EMAIL_PORT          =   "{{system_email.port}}" # default SMTP port
+EMAIL_HOST_USER     =   "{{ users['no-reply'].email }}"  # user to connect the SMTP server
+EMAIL_HOST_PASSWORD =   "{{ users['no-reply'].mailu_token }}"  # SMTP user's password
+EMAIL_DEFAULT_FROM  =   "{{ users['no-reply'].email }}"      # default email address for the automated emails
+EMAIL_BACKEND:      =   "django.core.mail.backends.{{email_backend}}.EmailBackend"
+DEFAULT_FROM_EMAIL  =   "{{ users['no-reply'].email }}"
+
+# EMAIL_USE_TLS/EMAIL_USE_SSL are mutually exclusive (only set one of those to True)
+EMAIL_USE_TLS   =   "{{ system_email.tls | capitalize }}"         # use TLS (secure) connection with the SMTP server
+EMAIL_USE_SSL   =   "{{ 'False' if system_email.start_tls else 'True' }}" # use implicit TLS (secure) connection with the SMTP server
+
+RABBITMQ_USER=taiga
+RABBITMQ_PASS=taiga
+RABBITMQ_VHOST=taiga
+
+# Taiga's RabbitMQ settings - Variables to leave messages for the realtime and asynchronous events
+RABBITMQ_DEFAULT_RABBITMQ_USER  =   taiga  # user to connect to RabbitMQ
+RABBITMQ_DEFAULT_RABBITMQ_PASS  =   taiga  # RabbitMQ user's password
+RABBITMQ_DEFAULT_RABBITMQ_VHOST =   taiga  # RabbitMQ container name
+RABBITMQ_ERLANG_COOKIE          =   secret-erlang-cookie  # unique value shared by any connected instance of RabbitMQ
+
+# Taiga's Attachments - Variable to define how long the attachments will be accesible
+ATTACHMENTS_MAX_AG  =   360  # token expiration date (in seconds)
+MAX_AGE             =   360
+      
+
+# Taiga's Telemetry - Variable to enable or disable the anonymous telemetry
+ENABLE_TELEMETRY    =   True
+
+{% if applications | is_feature_enabled('oidc',application_id) %}
+
+{% if applications[application_id].oidc.flavor == 'taigaio' %}
+
+# OIDC via taigaio official contrib
+# @See https://github.com/taigaio/taiga-contrib-oidc-auth
+
+OIDC_RP_CLIENT_ID="{{ oidc.client.id }}"
+OIDC_RP_CLIENT_SECRET="{{ oidc.client.secret }}"
+OIDC_OP_AUTHORIZATION_ENDPOINT="{{ oidc.client.authorize_url }}"
+OIDC_OP_TOKEN_ENDPOINT="{{ oidc.client.token_url }}"
+OIDC_OP_USER_ENDPOINT="{{ oidc.client.user_info_url }}"
+OIDC_RP_SIGN_ALGO="RS256"
+OIDC_RP_SCOPES="openid profile email"
+OIDC_OP_JWKS_ENDPOINT="{{ oidc.client.certs }}"
+
+{% endif %}
+
+{% if applications[application_id].oidc.flavor == 'robrotheram' %}
+
+# OIDC via robrotheram
+# @see https://github.com/robrotheram/taiga-contrib-openid-auth
+ENABLE_OPENID=True
+OPENID_URL="{{oidc.client.authorize_url}}"
+OPENID_USER_URL="{{oidc.client.user_info_url}}"
+OPENID_TOKEN_URL="{{oidc.client.token_url}}"
+OPENID_CLIENT_ID="{{oidc.client.id}}"
+OPENID_CLIENT_SECRET="{{oidc.client.secret}}"
+OPENID_NAME="{{oidc.button_text}}"
+OPENID_USERNAME_FIELD="{{oidc.attributes.username}}"
+# Optional:
+# OPENID_ID_FIELD="sub"
+# OPENID_FULLNAME_FIELD="name"
+# OPENID_EMAIL_FIELD="email"
+# OPENID_SCOPE="openid email"
+# OPENID_FILTER = "taiga_users,taiga_admins"
+# OPENID_FILTER_FIELD = "groups"
+
+{% endif %}
+
+{% endif %}
--- a/roles/web-app-taiga/templates/oidc/local.py.j2
+++ b/roles/web-app-taiga/templates/oidc/local.py.j2
@@ -0,0 +1,23 @@
+INSTALLED_APPS += [
+    "mozilla_django_oidc",
+    "taiga_contrib_oidc_auth",
+]
+
+AUTHENTICATION_BACKENDS = list(AUTHENTICATION_BACKENDS) + [
+    "taiga_contrib_oidc_auth.oidc.TaigaOIDCAuthenticationBackend",
+]
+
+ROOT_URLCONF = "settings.urls"
+
+import os
+
+OIDC_CALLBACK_CLASS = "taiga_contrib_oidc_auth.views.TaigaOIDCAuthenticationCallbackView"
+OIDC_RP_SCOPES = os.getenv("OIDC_RP_SCOPES")
+OIDC_RP_SIGN_ALGO = os.getenv("OIDC_RP_SIGN_ALGO")
+#OIDC_BASE_URL = "" @todo remove if not needed
+OIDC_OP_JWKS_ENDPOINT = os.getenv("OIDC_OP_JWKS_ENDPOINT")
+OIDC_OP_AUTHORIZATION_ENDPOINT = os.getenv("OIDC_OP_AUTHORIZATION_ENDPOINT")
+OIDC_OP_TOKEN_ENDPOINT = os.getenv("OIDC_OP_TOKEN_ENDPOINT")
+OIDC_OP_USER_ENDPOINT = os.getenv("OIDC_OP_USER_ENDPOINT")
+OIDC_RP_CLIENT_ID = os.getenv("OIDC_RP_CLIENT_ID")
+OIDC_RP_CLIENT_SECRET = os.getenv("OIDC_RP_CLIENT_SECRET")
--- a/roles/web-app-taiga/templates/oidc/urls.py
+++ b/roles/web-app-taiga/templates/oidc/urls.py
@@ -0,0 +1,4 @@
+from taiga.urls import *
+urlpatterns += [
+    url(r"^oidc/", include("mozilla_django_oidc.urls")),
+]