Fix PeerTube OIDC plugin automation

- Store oidc_settings as proper YAML dict with correct keys - Ensure plugin is installed only if missing - Update DB settings as jsonb and enforce enabled/uninstalled state - Add CLI enforcement for plugin activation - Correct task conditions (enable/disable logic) with boolean filters Ref: https://chatgpt.com/share/68dd1d16-9b34-800f-b2bf-a3fe058f25b1
2025-11-04 04:08:15 +00:00 · 2025-10-01 14:23:07 +02:00
parent e7702948b8
commit 5cdcc18a99
3 changed files with 38 additions and 23 deletions
--- a/roles/web-app-peertube/tasks/01_enable-oidc.yml
+++ b/roles/web-app-peertube/tasks/01_enable-oidc.yml
@@ -1,4 +1,5 @@
- name: "Load OIDC Settings vor Peertube"
+---
+- name: "Load OIDC Settings for Peertube"
  include_vars: vars/oidc-settings.yml
  changed_when: false

@@ -6,13 +7,12 @@
  command: >
    docker exec {{ PEERTUBE_CONTAINER }} test -d /data/plugins/data/peertube-plugin-auth-openid-connect
  register: peertube_oidc_plugin_check
-  failed_when:  false
+  failed_when: false
  changed_when: false

 - name: "Install auth-openid-connect plugin for Peertube"
  command: >
-    docker exec {{ PEERTUBE_CONTAINER }} \
-    npm run plugin:install -- --npm-name {{ PEERTUBE_OIDC_PLUGIN }}
+    docker exec {{ PEERTUBE_CONTAINER }} npm run plugin:install -- --npm-name {{ PEERTUBE_OIDC_PLUGIN }}
  when: peertube_oidc_plugin_check.rc != 0
  notify: docker compose up

@@ -25,9 +25,26 @@
    login_port: "{{ database_port }}"
    query: |
      UPDATE public.plugin
-      SET settings = '{{ oidc_settings | to_json }}',
-      enabled = TRUE,
-      uninstalled = FALSE
-      WHERE name = 'auth-openid-connect';
+      SET settings    = '{{ oidc_settings | to_json }}'::jsonb,
+          enabled     = TRUE,
+          uninstalled = FALSE
+      WHERE name = 'auth-openid-connect'
+        AND (
+          settings IS DISTINCT FROM '{{ oidc_settings | to_json }}'::jsonb
+          OR enabled IS DISTINCT FROM TRUE
+          OR uninstalled IS DISTINCT FROM FALSE
+        );
+  register: _peertube_oidc_update
+  retries: 5
+  delay: 3
+  until: _peertube_oidc_update is succeeded
  notify: docker compose up
-  when: peertube_oidc_plugin_check.rc != 0
+
+- name: "Ensure plugin is enabled in PeerTube (CLI)"
+  command: >
+    docker exec {{ PEERTUBE_CONTAINER }} npm run plugin:enable -- --npm-name {{ PEERTUBE_OIDC_PLUGIN }}
+  register: _peertube_enable
+  failed_when: false
+  changed_when: >
+    _peertube_enable.stdout is defined and
+    ('already enabled' not in _peertube_enable.stdout)
--- a/roles/web-app-peertube/tasks/main.yml
+++ b/roles/web-app-peertube/tasks/main.yml
@@ -15,8 +15,8 @@

 - name: "Install and activate auth-openid-connect plugin if OIDC is enabled"
  include_tasks: 01_enable-oidc.yml
-  when: PEERTUBE_OIDC_ENABLED
+  when: PEERTUBE_OIDC_ENABLED | bool

 - name: "Deinstall and disable auth-openid-connect plugin if OIDC is enabled"
  include_tasks: 02_disable-oidc.yml
-  when: PEERTUBE_OIDC_ENABLED
+  when: not PEERTUBE_OIDC_ENABLED | bool
--- a/roles/web-app-peertube/vars/oidc-settings.yml
+++ b/roles/web-app-peertube/vars/oidc-settings.yml
@@ -1,12 +1,10 @@
-oidc_settings: |
-  {
-    "scope": "openid email profile",
-    "desk-id": "{{ OIDC.CLIENT.ID }}",
-    "discover-url": "{{ OIDC.CLIENT.DISCOVERY_DOCUMENT }}",
-    "desk-secret": "{{ OIDC.CLIENT.SECRET }}",
-    "mail-property": "email",
-    "auth-display-name": "{{ OIDC.BUTTON_TEXT }}",
-    "username-property": "{{ OIDC.ATTRIBUTES.USERNAME }}",
-    "signature-algorithm": "RS256",
-    "display-name-property": "{{ OIDC.ATTRIBUTES.USERNAME }}"
-  }
+oidc_settings:
+  discover-url: "{{ OIDC.CLIENT.DISCOVERY_DOCUMENT }}"
+  client-id: "{{ OIDC.CLIENT.ID }}"
+  client-secret: "{{ OIDC.CLIENT.SECRET }}"
+  scope: "openid email profile"
+  username-property: "{{ OIDC.ATTRIBUTES.USERNAME }}"
+  display-name-property: "{{ OIDC.ATTRIBUTES.USERNAME }}"
+  mail-property: "email"
+  auth-display-name: "{{ OIDC.BUTTON_TEXT }}"
+  signature-algorithm: "RS256"