In between commit auto user creation before system email refactoring

roles/docker-discourse/templates/discourse_application.yml.j2

@@ -51,8 +51,8 @@ env:
   DISCOURSE_DEVELOPER_EMAILS:       {{users.administrator.email}}
 
   # Set Logo
-  DISCOURSE_LOGO_URL:       "{{service_provider.platform.logo}}"
-  DISCOURSE_LOGO_SMALL_URL: "{{service_provider.platform.logo}}"
+  DISCOURSE_LOGO_URL:       "{{ service_provider.platform.logo  }}"
+  DISCOURSE_LOGO_SMALL_URL: "{{ service_provider.platform.logo  }}"
 
   # SMTP ADDRESS, username, and password are required
   # WARNING the char '#' in SMTP password can cause problems!
@@ -124,7 +124,7 @@ run:
   - exec: rails r "SiteSetting.username_change_period = 0" # Deactivate changing of username
 
   # Activate Administrator User
-  #- exec: printf '{{users.administrator.email}}\n{{users.administrator.initial_password}}\n{{users.administrator.initial_password}}\nY\n' | rake admin:create
+  #- exec: printf '{{users.administrator.email}}\n{{users.administrator.password}}\n{{users.administrator.password}}\nY\n' | rake admin:create
   #- exec: rails r "User.find_by_email('{{users.administrator.email}}').update(username: '{{users.administrator.username}}')"
 
   # The following code is just an inspiration, how to connect with the oidc account. as long as this is not set the admini account needs to be manually connected with oidc 

roles/docker-keycloak/templates/env.j2

@@ -19,4 +19,4 @@ KC_DB_PASSWORD=                 {{database_password}}
 
 # If the initial administrator already exists and the environment variables are still present at startup, an error message stating the failed creation of the initial administrator is shown in the logs. Keycloak ignores the values and starts up correctly.
 KC_BOOTSTRAP_ADMIN_USERNAME=    {{users.administrator.username}}
-KC_BOOTSTRAP_ADMIN_PASSWORD=    {{users.administrator.initial_password}}
+KC_BOOTSTRAP_ADMIN_PASSWORD=    {{users.administrator.password}}

roles/docker-ldap/templates/ldif/data/02_users.ldif.j2

@@ -1,3 +1,8 @@
+{##
+# Iterate over all users and create LDAP entries for each, then assign admin to application roles
+# This template loops through a 'users' list variable where each user is a dict with keys:
+#   username, uid, gid, password (optional), sn (optional), cn (optional)
+##}
 #######################################################################
 # Container for Application Roles (if not already created)
 #######################################################################
@@ -6,36 +11,48 @@ objectClass: organizationalUnit
 ou: roles
 description: Container for application access profiles
 
+{% for user in users %}
 #######################################################################
-# Create Admin User
+# Create User {{ user.username }}
 #######################################################################
-dn: {{ldap.attributes.user_id}}={{users.administrator.username}},{{ldap.dn.users}}
+dn: {{ ldap.attributes.user_id }}={{ user.username }},{{ ldap.dn.users }}
 objectClass: top
 objectClass: inetOrgPerson
 objectClass: posixAccount
-{{ldap.attributes.user_id}}: {{users.administrator.username}}
-sn: Administrator
-cn: Administrator
-userPassword: {SSHA}CHANGE_THIS_PASSWORD
+{{ ldap.attributes.user_id }}: {{ user.username }}
+sn: {{ user.username }}
+cn: {{ user.username }}
+userPassword: {{ user.password }}
 loginShell: /bin/bash
-homeDirectory: /home/admin
-uidNumber: {{users.administrator.uid}}
-gidNumber: {{users.administrator.gid}}
+homeDirectory: /home/{{ user.username }}
+uidNumber: {{ user.uid }}
+gidNumber: {{ user.gid }}
 
 #######################################################################
-# Add Admin User to All Application Role Groups
+# Assign {{ user.username }} to application user roles
 #######################################################################
-{# Loop over each application defined in defaults_applications #}
 {% for app, config in defaults_applications.items() %}
+dn: cn={{ app }}-user,{{ ldap.dn.application_roles }}
+changetype: modify
+add: roleOccupant
+roleOccupant: {{ ldap.attributes.user_id }}={{ user.username }},{{ ldap.dn.users }}
 
+{% endfor %}
+{% endfor %}
+
+#######################################################################
+# Add Admin User to All Application Role Groups (unchanged)
+#######################################################################
+{% for app, config in defaults_applications.items() %}
 dn: cn={{ app }}-administrator,{{ ldap.dn.application_roles }}
 changetype: modify
 add: roleOccupant
-roleOccupant: {{ldap.attributes.user_id}}={{users.administrator.username}},{{ldap.dn.users}}
+roleOccupant: {{ ldap.attributes.user_id }}={{ users.administrator.username }},{{ ldap.dn.users }}
 
 dn: cn={{ app }}-user,{{ ldap.dn.application_roles }}
 changetype: modify
 add: roleOccupant
-roleOccupant: {{ldap.attributes.user_id}}={{users.administrator.username}},{{ldap.dn.users}}
+roleOccupant: {{ ldap.attributes.user_id }}={{ users.administrator.username }},{{ ldap.dn.users }}
 
 {% endfor %}
+

roles/docker-listmonk/meta/main.yml

@@ -19,4 +19,5 @@ galaxy_info:
   documentation: "https://s.veen.world/cymais"
   logo:
     class: "fa-solid fa-list"
-dependencies: []
+dependencies:
+  - docker-mailu

roles/docker-listmonk/vars/main.yml

@@ -70,7 +70,7 @@ listmonk_settings:
     value: '"{{ service_provider.platform.logo }}"'
 
   - key: "app.site_name"
-    value: '"Mailing list"'
+    value: '"{{ service_provider.company.titel }} Mailing list"'
 
 #  - key: "bounce.enabled"
 #    value: 'false'

roles/docker-mailu/tasks/create-mailu-user-and-token.yml

@@ -1,7 +1,8 @@
 ---
 # tasks/create-mailu-user-and-token.yml
 #
-# Ensures a Mailu user exists and idempotently creates an API token for them.
+# Ensures a Mailu user exists and idempotently creates an API token for them,
+# storing tokens in a dictionary for targeted access.
 #
 # Required variables:
 #   mailu_compose_dir:        Path to your docker-compose.yml directory
@@ -12,11 +13,11 @@
 #   mailu_global_api_token:   Global API token (from API_TOKEN environment variable)
 #
 # Optional variable:
-#   mailu_user_token:         Pre-existing API token for the user (if already created)
+#   mailu_user_tokens:        Dictionary of existing tokens, e.g. { "alice": "secret" }
 
 - name: "Ensure Mailu user {{ mailu_user }}@{{ mailu_domain }} exists"
   command: >
-    docker compose exec admin flask mailu user {{ mailu_user }} {{ mailu_domain }} '{{ mailu_password }}'
+    docker compose exec admin flask mailu {{ mailu_action }} {{ mailu_user }} {{ mailu_domain }} '{{ mailu_password }}'
   args:
     chdir: "{{ mailu_compose_dir }}"
   register: mailu_user_creation
@@ -51,19 +52,21 @@
     body_format: json
     body:
       comment: "{{ mailu_user }}"
-      ip: "0.0.0.0/0"
+      ip: "{{ mailu_token_ip }}"
     status_code: 201
   register: mailu_token_creation
   when: mailu_user_existing_token is not defined
 
-- name: "Set mailu_user_token fact"
+- name: "Set mailu_user_tokens dictionary"
   set_fact:
-    mailu_user_token: >
-      {{ (mailu_token_creation is defined)
-         ? mailu_token_creation.json.secret
-         : (mailu_user_existing_token.secret | default('')) }}
+    mailu_user_tokens: >
+      {{ (mailu_user_tokens | default({}))
+         | combine({ mailu_user: ((mailu_token_creation is defined)
+                                  | ternary(mailu_token_creation.json.secret,
+                                            mailu_user_existing_token.secret)) }) }}
 
 # Note:
 # - GET /tokens returns only metadata (id, comment, ip, created), not the secret itself.
 # - The secret is returned only by the POST request and must be captured when created.
-# - Store mailu_user_token securely (e.g., in Ansible Vault) for future use.
+# - Tokens are stored in the mailu_user_tokens dictionary for targeted access.
+# - Persist mailu_user_tokens securely (e.g., in Ansible Vault) for future use.

roles/docker-mailu/tasks/main.yml

@@ -1,29 +1,48 @@
 ---
-- name: "include docker-central-database"
-  include_role: 
+- name: "Include docker-central-database"
+  include_role:
     name: docker-central-database
+  when: run_once_docker_mailu is not defined
 
-- name: "include role nginx-domain-setup for {{application_id}}"
+- name: "Include role nginx-domain-setup for {{ application_id }}"
   include_role:
     name: nginx-domain-setup
   vars:
-    domain: 	"{{ domains[application_id] }}"
-    http_port: 	"{{ ports.localhost.http[application_id] }}"
-  vars:
+    domain: "{{ domains[application_id] }}"
+    http_port: "{{ ports.localhost.http[application_id] }}"
     nginx_docker_reverse_proxy_extra_configuration: "client_max_body_size 31M;"
+  when: run_once_docker_mailu is not defined
 
 - name: "Include the nginx-docker-cert-deploy role"
   include_role:
     name: nginx-docker-cert-deploy
+  when: run_once_docker_mailu is not defined
 
-- name: "copy docker-compose.yml and env file"
+- name: "Copy docker-compose.yml and env file"
   include_tasks: copy-docker-compose-and-env.yml
+  when: run_once_docker_mailu is not defined
 
-- name: flush docker service
+- name: Flush docker service handlers
   meta: flush_handlers
+  when: run_once_docker_mailu is not defined
 
-- name: create administrator account
-  command:
-    cmd: "docker compose -p mailu exec admin flask mailu admin {{users.administrator.username}} {{primary_domain}} {{applications.mailu.initial_administrator_password}}"
-    chdir: "{{docker_compose.directories.instance}}"
-  ignore_errors: true
+- name: "Create Mailu accounts and API tokens"
+  include_tasks: create-mailu-user-and-token.yml
+  vars:
+    mailu_compose_dir:        "{{ docker_compose.directories.instance }}"
+    mailu_domain:             "{{ domain }}"
+    mailu_api_base_url:       "{{ web_protocol }}://{{ domain }}/api/v1"
+    mailu_global_api_token:   "{{ applications.mailu.credentials.api_token }}"
+    mailu_action:             "{{ item.value.is_admin | default(false) | ternary('admin','user') }}"
+    mailu_user:               "{{ item.key }}"
+    mailu_password:           "{{ item.value.password }}"
+    mailu_token_ip:           "{{ item.value.ip | default('') }}"
+  loop:                       "{{ users | dict2items }}"
+  loop_control:
+    loop_var: item
+  when: run_once_docker_mailu is not defined
+
+- name: Run the docker_mailu tasks once
+  set_fact:
+    run_once_docker_mailu: true
+  when: run_once_docker_mailu is not defined

roles/docker-mailu/templates/env.j2

@@ -182,7 +182,7 @@ OIDC_CHANGE_PASSWORD_REDIRECT_ENABLED=True
 # Redirect URL for password change. Defaults to provider issuer url appended by /.well-known/change-password
 OIDC_CHANGE_PASSWORD_REDIRECT_URL={{oidc.client.change_credentials}}
 
-{% if applications[application_id].features.oidc | bool %}
+{% if applications[application_id].oidc.email_by_username | bool %}
 
 # The OIDC claim used as the username. If the selected claim contains an email address, it will be used as is. If it is not an email (e.g., sub), the email address will be constructed as <OIDC_USERNAME_CLAIM>@<OIDC_USER_DOMAIN>. Defaults to email.
 OIDC_USERNAME_CLAIM={{oidc.attributes.username}}

roles/docker-nextcloud/templates/env.j2

@@ -25,7 +25,7 @@ MAIL_DOMAIN=                    "{{system_email.domain}}"
 
 # Initial Admin Data
 NEXTCLOUD_ADMIN_USER=           "{{applications[application_id].users.administrator.username}}"
-NEXTCLOUD_ADMIN_PASSWORD=       "{{applications[application_id].users.administrator.initial_password}}"
+NEXTCLOUD_ADMIN_PASSWORD=       "{{applications[application_id].users.administrator.password}}"
 
 # Security
 

roles/user-administrator/tasks/main.yml

@@ -2,7 +2,7 @@
   user:
     name: administrator
     update_password: on_create
-    password: "{{ users.administrator.initial_password | password_hash('sha512') }}"
+    password: "{{ users.administrator.password | password_hash('sha512') }}"
     create_home: yes
     generate_ssh_key: yes
     ssh_key_type: rsa