In between commit auto user creation before system email refactoring

2025-08-29 15:06:26 +02:00 · 2025-04-24 14:42:38 +02:00
parent f27076a5cc
commit 59e985eb3b
12 changed files with 119 additions and 53 deletions
--- a/roles/docker-mailu/tasks/create-mailu-user-and-token.yml
+++ b/roles/docker-mailu/tasks/create-mailu-user-and-token.yml
@@ -1,7 +1,8 @@
 ---
 # tasks/create-mailu-user-and-token.yml
 #
-# Ensures a Mailu user exists and idempotently creates an API token for them.
+# Ensures a Mailu user exists and idempotently creates an API token for them,
+# storing tokens in a dictionary for targeted access.
 #
 # Required variables:
 #   mailu_compose_dir:        Path to your docker-compose.yml directory
@@ -12,11 +13,11 @@
 #   mailu_global_api_token:   Global API token (from API_TOKEN environment variable)
 #
 # Optional variable:
-#   mailu_user_token:         Pre-existing API token for the user (if already created)
+#   mailu_user_tokens:        Dictionary of existing tokens, e.g. { "alice": "secret" }

 - name: "Ensure Mailu user {{ mailu_user }}@{{ mailu_domain }} exists"
  command: >
-    docker compose exec admin flask mailu user {{ mailu_user }} {{ mailu_domain }} '{{ mailu_password }}'
+    docker compose exec admin flask mailu {{ mailu_action }} {{ mailu_user }} {{ mailu_domain }} '{{ mailu_password }}'
  args:
    chdir: "{{ mailu_compose_dir }}"
  register: mailu_user_creation
@@ -51,19 +52,21 @@
    body_format: json
    body:
      comment: "{{ mailu_user }}"
-      ip: "0.0.0.0/0"
+      ip: "{{ mailu_token_ip }}"
    status_code: 201
  register: mailu_token_creation
  when: mailu_user_existing_token is not defined

- name: "Set mailu_user_token fact"
+- name: "Set mailu_user_tokens dictionary"
  set_fact:
-    mailu_user_token: >
-      {{ (mailu_token_creation is defined)
-         ? mailu_token_creation.json.secret
-         : (mailu_user_existing_token.secret | default('')) }}
+    mailu_user_tokens: >
+      {{ (mailu_user_tokens | default({}))
+         | combine({ mailu_user: ((mailu_token_creation is defined)
+                                  | ternary(mailu_token_creation.json.secret,
+                                            mailu_user_existing_token.secret)) }) }}

 # Note:
 # - GET /tokens returns only metadata (id, comment, ip, created), not the secret itself.
 # - The secret is returned only by the POST request and must be captured when created.
-# - Store mailu_user_token securely (e.g., in Ansible Vault) for future use.
+# - Tokens are stored in the mailu_user_tokens dictionary for targeted access.
+# - Persist mailu_user_tokens securely (e.g., in Ansible Vault) for future use.
--- a/roles/docker-mailu/tasks/main.yml
+++ b/roles/docker-mailu/tasks/main.yml
@@ -1,29 +1,48 @@
 ---
- name: "include docker-central-database"
-  include_role: 
+- name: "Include docker-central-database"
+  include_role:
    name: docker-central-database
+  when: run_once_docker_mailu is not defined

- name: "include role nginx-domain-setup for {{application_id}}"
+- name: "Include role nginx-domain-setup for {{ application_id }}"
  include_role:
    name: nginx-domain-setup
  vars:
-    domain: 	"{{ domains[application_id] }}"
-    http_port: 	"{{ ports.localhost.http[application_id] }}"
-  vars:
+    domain: "{{ domains[application_id] }}"
+    http_port: "{{ ports.localhost.http[application_id] }}"
    nginx_docker_reverse_proxy_extra_configuration: "client_max_body_size 31M;"
+  when: run_once_docker_mailu is not defined

 - name: "Include the nginx-docker-cert-deploy role"
  include_role:
    name: nginx-docker-cert-deploy
+  when: run_once_docker_mailu is not defined

- name: "copy docker-compose.yml and env file"
+- name: "Copy docker-compose.yml and env file"
  include_tasks: copy-docker-compose-and-env.yml
+  when: run_once_docker_mailu is not defined

- name: flush docker service
+- name: Flush docker service handlers
  meta: flush_handlers
+  when: run_once_docker_mailu is not defined

- name: create administrator account
-  command:
-    cmd: "docker compose -p mailu exec admin flask mailu admin {{users.administrator.username}} {{primary_domain}} {{applications.mailu.initial_administrator_password}}"
-    chdir: "{{docker_compose.directories.instance}}"
-  ignore_errors: true
+- name: "Create Mailu accounts and API tokens"
+  include_tasks: create-mailu-user-and-token.yml
+  vars:
+    mailu_compose_dir:        "{{ docker_compose.directories.instance }}"
+    mailu_domain:             "{{ domain }}"
+    mailu_api_base_url:       "{{ web_protocol }}://{{ domain }}/api/v1"
+    mailu_global_api_token:   "{{ applications.mailu.credentials.api_token }}"
+    mailu_action:             "{{ item.value.is_admin | default(false) | ternary('admin','user') }}"
+    mailu_user:               "{{ item.key }}"
+    mailu_password:           "{{ item.value.password }}"
+    mailu_token_ip:           "{{ item.value.ip | default('') }}"
+  loop:                       "{{ users | dict2items }}"
+  loop_control:
+    loop_var: item
+  when: run_once_docker_mailu is not defined
+
+- name: Run the docker_mailu tasks once
+  set_fact:
+    run_once_docker_mailu: true
+  when: run_once_docker_mailu is not defined