Huge role refactoring/cleanup. Other commits will propably follow. Because some bugs will exist. Still important for longrun and also for auto docs/help/slideshow generation

2025-08-29 15:06:26 +02:00 · 2025-07-08 23:43:13 +02:00
parent 6b87a049d4
commit 563d5fd528
1242 changed files with 2301 additions and 1355 deletions
--- a/roles/web-app-wordpress/vars/configuration.yml
+++ b/roles/web-app-wordpress/vars/configuration.yml
@@ -0,0 +1,57 @@
+title:                "Blog"                                      # Wordpress titel
+plugins:
+  wp-discourse:
+    enabled:          "{{ 'discourse' in group_names | lower }}"
+  daggerhart-openid-connect-generic:
+    enabled:          true
+  activitypub:
+    enabled:          true
+features:
+  matomo:             true
+  css:                false
+  portfolio_iframe:   true
+  oidc:               true
+  central_database:   true
+version:              latest
+csp:
+  flags:
+    style-src:
+      unsafe-inline:  true
+    script-src-elem:
+      unsafe-inline:  true
+    script-src:
+      unsafe-eval:    true
+  whitelist:
+    worker-src:
+      - "blob:"
+    font-src:
+      - "data:"
+      - "https://fonts.bunny.net"
+    script-src-elem:
+      - "https://cdn.gtranslate.net"    # Necessary for translation plugins
+      - "https://translate.google.com"  # Necessary for translation plugins
+      - "blog.{{ primary_domain }}"
+    style-src:
+      - "https://fonts.bunny.net"
+    frame-src:
+      - "blob:"
+      - "*.{{ primary_domain }}"
+domains:
+  canonical:
+    - "blog.{{ primary_domain }}"
+docker:
+  services:
+    database:
+      enabled: true
+rbac:
+  roles:
+    subscriber:
+      description: "Can read posts and leave comments but cannot write or manage content"
+    author:
+      description: "Can write and manage own posts"
+    contributor:
+      description: "Can write and submit posts for review but cannot publish"
+    editor:
+      description: "Can publish and manage all posts, including those by other users"
+    administrator:
+      description: "Has full administrative access: manage themes, plugins, settings, and users"
--- a/roles/web-app-wordpress/vars/discourse.yml
+++ b/roles/web-app-wordpress/vars/discourse.yml
@@ -0,0 +1,245 @@
+# Defines WP Discourse plugin settings
+# @see https://github.com/discourse/wp-discourse
+
+# roles/web-app-wordpress/vars/discourse.yml
+# Defines WP Discourse plugin settings (exported from your current wp_options dump)
+
+discourse_settings:
+  #- name: wpdc_discourse_domain
+  #  key: wpdc_discourse_domain
+  #  value: ""
+
+  - name: discourse_connect
+    key: url
+    value: "{{ domains | get_url('discourse', web_protocol) }}"
+  - name: discourse_connect
+    key: api-key
+    value: "{{ vault_discourse_api_key }}"
+  - name: discourse_connect
+    key: publish-username
+    value: "system"
+
+  #- name: discourse_publish
+  #  key: display-subcategories
+  #  value: false
+  #- name: discourse_publish
+  #  key: publish-category
+  #  value: false
+  #- name: discourse_publish
+  #  key: publish-category-update
+  #  value: false
+  #- name: discourse_publish
+  #  key: full-post-content
+  #  value: false
+  #- name: discourse_publish
+  #  key: allow-tags
+  #  value: false
+  #- name: discourse_publish
+  #  key: max-tags
+  #  value: 5
+  #- name: discourse_publish
+  #  key: publish-as-unlisted
+  #  value: false
+  #- name: discourse_publish
+  #  key: custom-excerpt-length
+  #  value: 55
+  #- name: discourse_publish
+  #  key: add-featured-link
+  #  value: false
+  #- name: discourse_publish
+  #  key: auto-publish
+  #  value: false
+  #- name: discourse_publish
+  #  key: force-publish
+  #  value: false
+  #- name: discourse_publish
+  #  key: force-publish-max-age
+  #  value: 0
+  #- name: discourse_publish
+  #  key: publish-failure-notice
+  #  value: true
+  #- name: discourse_publish
+  #  key: publish-failure-email
+  #  value: "{{ users.administrator.email }}"
+  #- name: discourse_publish
+  #  key: auto-track
+  #  value: true
+  #- name: discourse_publish
+  #  key: allowed_post_types
+  #  value:
+  #    - post
+  #- name: discourse_publish
+  #  key: hide-discourse-name-field
+  #  value: false
+  #- name: discourse_publish
+  #  key: discourse-username-editable
+  #  value: false
+#
+  #- name: discourse_comment
+  #  key: enable-discourse-comments
+  #  value: false
+  #- name: discourse_comment
+  #  key: comment-type
+  #  value: "display-comments"
+  #- name: discourse_comment
+  #  key: ajax-load
+  #  value: false
+  #- name: discourse_comment
+  #  key: cache-html
+  #  value: false
+  #- name: discourse_comment
+  #  key: clear-cached-comment-html
+  #  value: false
+  #- name: discourse_comment
+  #  key: discourse-new-tab
+  #  value: false
+  #- name: discourse_comment
+  #  key: comment-sync-period
+  #  value: 10
+  #- name: discourse_comment
+  #  key: hide-wordpress-comments
+  #  value: false
+  #- name: discourse_comment
+  #  key: show-existing-comments
+  #  value: false
+  #- name: discourse_comment
+  #  key: existing-comments-heading
+  #  value: ""
+  #- name: discourse_comment
+  #  key: max-comments
+  #  value: 5
+  #- name: discourse_comment
+  #  key: min-replies
+  #  value: 1
+  #- name: discourse_comment
+  #  key: min-score
+  #  value: 0
+  #- name: discourse_comment
+  #  key: min-trust-level
+  #  value: 1
+  #- name: discourse_comment
+  #  key: bypass-trust-level-score
+  #  value: 50
+  #- name: discourse_comment
+  #  key: custom-datetime-format
+  #  value: ""
+  #- name: discourse_comment
+  #  key: only-show-moderator-liked
+  #  value: false
+  #- name: discourse_comment
+  #  key: load-comment-css
+  #  value: false
+#
+  #- name: discourse_configurable_text
+  #  key: discourse-link-text
+  #  value: ""
+  #- name: discourse_configurable_text
+  #  key: start-discussion-text
+  #  value: "Start the discussion at"
+  #- name: discourse_configurable_text
+  #  key: continue-discussion-text
+  #  value: "Continue the discussion at"
+  #- name: discourse_configurable_text
+  #  key: join-discussion-text
+  #  value: "Join the discussion at"
+  #- name: discourse_configurable_text
+  #  key: comments-singular-text
+  #  value: "Comment"
+  #- name: discourse_configurable_text
+  #  key: comments-plural-text
+  #  value: "Comments"
+  #- name: discourse_configurable_text
+  #  key: no-comments-text
+  #  value: "Join the Discussion"
+  #- name: discourse_configurable_text
+  #  key: notable-replies-text
+  #  value: "Notable Replies"
+  #- name: discourse_configurable_text
+  #  key: comments-not-available-text
+  #  value: "Comments are not currently available for this post."
+  #- name: discourse_configurable_text
+  #  key: participants-text
+  #  value: "Participants"
+  #- name: discourse_configurable_text
+  #  key: published-at-text
+  #  value: "Originally published at:"
+  #- name: discourse_configurable_text
+  #  key: single-reply-text
+  #  value: "Reply"
+  #- name: discourse_configurable_text
+  #  key: many-replies-text
+  #  value: "Replies"
+  #- name: discourse_configurable_text
+  #  key: more-replies-more-text
+  #  value: "more"
+  #- name: discourse_configurable_text
+  #  key: external-login-text
+  #  value: "Log in with Discourse"
+  #- name: discourse_configurable_text
+  #  key: link-to-discourse-text
+  #  value: "Link your account to Discourse"
+  #- name: discourse_configurable_text
+  #  key: linked-to-discourse-text
+  #  value: "Your account is linked with Discourse!"
+#
+  #- name: discourse_webhook
+  #  key: use-discourse-webhook
+  #  value: false
+  #- name: discourse_webhook
+  #  key: webhook-secret
+  #  value: ""
+  #- name: discourse_webhook
+  #  key: webhook-match-old-topics
+  #  value: false
+  #- name: discourse_webhook
+  #  key: use-discourse-user-webhook
+  #  value: false
+  #- name: discourse_webhook
+  #  key: webhook-match-user-email
+  #  value: false
+#
+  #- name: discourse_sso_common
+  #  key: sso-secret
+  #  value: ""
+#
+  #- name: discourse_sso_provider
+  #  key: enable-sso
+  #  value: false
+  #- name: discourse_sso_provider
+  #  key: auto-create-sso-user
+  #  value: false
+  #- name: discourse_sso_provider
+  #  key: login-path
+  #  value: ""
+  #- name: discourse_sso_provider
+  #  key: real-name-as-discourse-name
+  #  value: false
+  #- name: discourse_sso_provider
+  #  key: force-avatar-update
+  #  value: false
+  #- name: discourse_sso_provider
+  #  key: redirect-without-login
+  #  value: false
+#
+  #- name: discourse_sso_client
+  #  key: sso-desktop-enabled
+  #  value: false
+  #- name: discourse_sso_client
+  #  key: sso-desktop-login-form-change
+  #  value: false
+  #- name: discourse_sso_client
+  #  key: sso-desktop-login-form-redirect
+  #  value: ""
+  #- name: discourse_sso_client
+  #  key: sso-desktop-sync-by-email
+  #  value: false
+  #- name: discourse_sso_client
+  #  key: sso-desktop-disable-create-user
+  #  value: false
+  #- name: discourse_sso_client
+  #  key: sso-desktop-sync-logout
+  #  value: false
+#
+  - name: discourse_logs
+    key: logs-enabled
+    value: "{{ enable_debug }}"
--- a/roles/web-app-wordpress/vars/main.yml
+++ b/roles/web-app-wordpress/vars/main.yml
@@ -0,0 +1,6 @@
+application_id:             "wordpress"
+wordpress_max_upload_size:  "64M"
+database_type:              "mariadb"
+wordpress_custom_image:     "wordpress_custom"
+wordpress_docker_html_path: "/var/www/html"
+host_msmtp_conf:            "{{docker_compose.directories.config}}msmtprc.conf"
--- a/roles/web-app-wordpress/vars/oidc.yml
+++ b/roles/web-app-wordpress/vars/oidc.yml
@@ -0,0 +1,29 @@
+# vars/oidc.yml
+# Defines OIDC settings for the OpenID Connect Generic plugin, with explanatory comments.
+# @see https://github.com/oidc-wp/openid-connect-generic/blob/develop/includes/openid-connect-generic-option-settings.php
+
+oidc_settings:
+  client_id:                "{{ oidc.client.id }}"                                                # The client ID that identifies WordPress as the OIDC client.
+  client_secret:            "{{ oidc.client.secret }}"                                            # The secret key used by WordPress to authenticate to the OIDC provider.
+  endpoint_login:           "{{ oidc.client.authorize_url }}"                                     # URL of the authorization endpoint to initiate the login flow.
+  endpoint_token:           "{{ oidc.client.token_url }}"                                         # URL of the token endpoint for exchanging authorization codes for tokens.
+  endpoint_userinfo:        "{{ oidc.client.user_info_url }}"                                     # URL of the userinfo endpoint to retrieve user profile data.
+  endpoint_end_session:     "{{ oidc.client.logout_url }}"                                        # URL of the end-session endpoint to log users out of the IDP.
+  login_type:               "auto"                                                                # Determines how the login interface is rendered (e.g., button or form).
+  scope:                    "openid profile email"                                                # Scopes requested from the OIDC provider during authentication.
+  create_if_does_not_exist: true                                                                  # Auto-create a new WP user if one doesn’t exist.
+  enforce_privacy:          false                                                                 # Require authentication for all site pages if set to true.
+  link_existing_users:      true                                                                  # Link OIDC login to existing WP users by matching email.
+  redirect_on_logout:       true                                                                  # Redirect users after logout to the login screen or homepage.
+  redirect_user_back:       true                                                                  # Return users to their original URL after successful login.
+  #acr_values:               "{{ oidc.client.acr_values | default('') }}"                         # ACR values defining required authentication context (e.g., MFA level).
+  enable_logging:           "{{ enable_debug }}"                                                  # Enable detailed plugin logging for debugging and auditing.
+#  log_limit:                "{{ oidc.client.log_limit | default('') }}"                          # Maximum number of log entries to retain before pruning.
+  no_sslverify:             false                                                                 # The flag to enable/disable SSL verification during authorization.
+  http_request_timeout:     5                                                                     # The timeout for requests made to the IDP. Default value is 5.
+  identity_key:             "{{ oidc.attributes.username }}"                                      # The key in the user claim array to find the user's identification data.
+  nickname_key:             "{{ oidc.attributes.username }}"                                      # The key in the user claim array to find the user's nickname.
+  email_format:             "{{ oidc.attributes.email }}"                                         # The key(s) in the user claim array to formulate the user's email address.
+  displayname_format:       "{{ oidc.attributes.given_name }} {{ oidc.attributes.family_name }}"  # The key(s) in the user claim array to formulate the user's display name.
+  identify_with_username:   true                                                                  # The flag which indicates how the user's identity will be determined.
+  state_time_limit:         180                                                                   # The valid time limit of the state, in seconds. Defaults to 180 seconds.