diff --git a/roles/web-app-peertube/tasks/01_enable-oidc.yml b/roles/web-app-peertube/tasks/01_enable-oidc.yml
index afc9eed0..465cf8dd 100644
--- a/roles/web-app-peertube/tasks/01_enable-oidc.yml
+++ b/roles/web-app-peertube/tasks/01_enable-oidc.yml
@@ -1,4 +1,5 @@
-- name: "Load OIDC Settings vor Peertube"
+---
+- name: "Load OIDC Settings for Peertube"
 include_vars: vars/oidc-settings.yml
 changed_when: false
@@ -6,13 +7,12 @@
 command: >
 docker exec {{ PEERTUBE_CONTAINER }} test -d /data/plugins/data/peertube-plugin-auth-openid-connect
 register: peertube_oidc_plugin_check
- failed_when: false
+ failed_when: false
 changed_when: false
 - name: "Install auth-openid-connect plugin for Peertube"
 command: >
- docker exec {{ PEERTUBE_CONTAINER }} \
- npm run plugin:install -- --npm-name {{ PEERTUBE_OIDC_PLUGIN }}
+ docker exec {{ PEERTUBE_CONTAINER }} npm run plugin:install -- --npm-name {{ PEERTUBE_OIDC_PLUGIN }}
 when: peertube_oidc_plugin_check.rc != 0
 notify: docker compose up
@@ -25,9 +25,26 @@
 login_port: "{{ database_port }}"
 query: |
 UPDATE public.plugin
- SET settings = '{{ oidc_settings | to_json }}',
- enabled = TRUE,
- uninstalled = FALSE
- WHERE name = 'auth-openid-connect';
+ SET settings = '{{ oidc_settings | to_json }}'::jsonb,
+ enabled = TRUE,
+ uninstalled = FALSE
+ WHERE name = 'auth-openid-connect'
+ AND (
+ settings IS DISTINCT FROM '{{ oidc_settings | to_json }}'::jsonb
+ OR enabled IS DISTINCT FROM TRUE
+ OR uninstalled IS DISTINCT FROM FALSE
+ );
+ register: _peertube_oidc_update
+ retries: 5
+ delay: 3
+ until: _peertube_oidc_update is succeeded
 notify: docker compose up
- when: peertube_oidc_plugin_check.rc != 0
+
+- name: "Ensure plugin is enabled in PeerTube (CLI)"
+ command: >
+ docker exec {{ PEERTUBE_CONTAINER }} npm run plugin:enable -- --npm-name {{ PEERTUBE_OIDC_PLUGIN }}
+ register: _peertube_enable
+ failed_when: false
+ changed_when: >
+ _peertube_enable.stdout is defined and
+ ('already enabled' not in _peertube_enable.stdout)
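Review bot: The new single-line install command still fetches `{{ PEERTUBE_OIDC_PLUGIN }}` at whatever version the npm registry serves at run time, so hosts provisioned on different days get different plugin code and a registry-side compromise lands directly in the authentication path. Pin the version next to the name — as far as I recall the PeerTube CLI accepts a version flag for `plugin:install`, so something like `npm run plugin:install -- --npm-name {{ PEERTUBE_OIDC_PLUGIN }} --plugin-version {{ PEERTUBE_OIDC_PLUGIN_VERSION }}` with the version declared beside `PEERTUBE_OIDC_PLUGIN` in the role vars. Note that the preceding `test -d` guard only checks that the plugin directory exists, so a pin would not be enforced on hosts that already carry an older install; a follow-up comparing the installed version is worth considering. The name line of the check task that registers `peertube_oidc_plugin_check` sits above this hunk.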
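Review bot: Both `'{{ oidc_settings | to_json }}'::jsonb` occurrences splice the rendered settings document — which carries `OIDC.CLIENT.SECRET` — into the SQL text as a raw literal, so any value containing a single quote breaks the statement or changes its meaning, and because the task has no `no_log` the full secret is echoed in the module result and in any Ansible log. Pass the document as a bound parameter through `named_args` and mark the task `no_log: true`; `community.postgresql.postgresql_query` supports both, and the `IS DISTINCT FROM` idempotency guard keeps working unchanged. Separately, the final CLI task sets `failed_when: false` and derives `changed_when` only from the absence of 'already enabled' in stdout, so a failed `plugin:enable` is reported as changed instead of surfaced — at minimum check `rc` there while still tolerating the already-enabled case, e.g. `failed_when: _peertube_enable.rc != 0 and 'already enabled' not in (_peertube_enable.stdout ~ _peertube_enable.stderr)`. The `postgresql_query` task's name and connection arguments begin above this hunk.
```yaml
    query: |
      UPDATE public.plugin
      SET settings = %(settings)s::jsonb,
          enabled = TRUE,
          uninstalled = FALSE
      WHERE name = 'auth-openid-connect'
        AND (
          settings IS DISTINCT FROM %(settings)s::jsonb
          OR enabled IS DISTINCT FROM TRUE
          OR uninstalled IS DISTINCT FROM FALSE
        );
    named_args:
      settings: "{{ oidc_settings | to_json }}"
  # … unchanged: register / retries / delay / until / notify …
  no_log: true
```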
diff --git a/roles/web-app-peertube/tasks/main.yml b/roles/web-app-peertube/tasks/main.yml
index fd358dd2..3f7bbf8b 100644
--- a/roles/web-app-peertube/tasks/main.yml
+++ b/roles/web-app-peertube/tasks/main.yml
@@ -15,8 +15,8 @@
 - name: "Install and activate auth-openid-connect plugin if OIDC is enabled"
 include_tasks: 01_enable-oidc.yml
- when: PEERTUBE_OIDC_ENABLED
+ when: PEERTUBE_OIDC_ENABLED | bool
 - name: "Deinstall and disable auth-openid-connect plugin if OIDC is enabled"
 include_tasks: 02_disable-oidc.yml
- when: PEERTUBE_OIDC_ENABLED
\ No newline at end of file
+ when: not PEERTUBE_OIDC_ENABLED | bool
\ No newline at end of file
diff --git a/roles/web-app-peertube/vars/oidc-settings.yml b/roles/web-app-peertube/vars/oidc-settings.yml
index fc309e37..51893145 100644
--- a/roles/web-app-peertube/vars/oidc-settings.yml
+++ b/roles/web-app-peertube/vars/oidc-settings.yml
@@ -1,12 +1,10 @@
-oidc_settings: |
- {
- "scope": "openid email profile",
- "desk-id": "{{ OIDC.CLIENT.ID }}",
- "discover-url": "{{ OIDC.CLIENT.DISCOVERY_DOCUMENT }}",
- "desk-secret": "{{ OIDC.CLIENT.SECRET }}",
- "mail-property": "email",
- "auth-display-name": "{{ OIDC.BUTTON_TEXT }}",
- "username-property": "{{ OIDC.ATTRIBUTES.USERNAME }}",
- "signature-algorithm": "RS256",
- "display-name-property": "{{ OIDC.ATTRIBUTES.USERNAME }}"
- }
+oidc_settings:
+ discover-url: "{{ OIDC.CLIENT.DISCOVERY_DOCUMENT }}"
+ client-id: "{{ OIDC.CLIENT.ID }}"
+ client-secret: "{{ OIDC.CLIENT.SECRET }}"
+ scope: "openid email profile"
+ username-property: "{{ OIDC.ATTRIBUTES.USERNAME }}"
+ display-name-property: "{{ OIDC.ATTRIBUTES.USERNAME }}"
+ mail-property: "email"
+ auth-display-name: "{{ OIDC.BUTTON_TEXT }}"
+ signature-algorithm: "RS256"
\ No newline at end of file
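Review bot: The new condition `when: not PEERTUBE_OIDC_ENABLED | bool` is the right fix for the inverted guard, but the context line above it still names the task "Deinstall and disable auth-openid-connect plugin if OIDC is enabled", which now contradicts what the task does; rename it to `- name: "Uninstall and disable auth-openid-connect plugin if OIDC is disabled"`. If `PEERTUBE_OIDC_ENABLED` can be unset for some hosts, `PEERTUBE_OIDC_ENABLED | default(false) | bool` on both tasks would make the disable path the default instead of failing the play on an undefined variable. The file still ends without a trailing newline.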
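Review bot: `username-property` and `display-name-property` both map to `OIDC.ATTRIBUTES.USERNAME`, and if that resolves to a user-editable claim such as `preferred_username` rather than one the IdP guarantees unique and immutable, two identities can collide on the same PeerTube account; document the constraint where the mapping is made, e.g. `# username-property must be a claim the IdP enforces as unique and stable; display-name-property may be cosmetic` above `username-property:`. The rename from `desk-id`/`desk-secret` to `client-id`/`client-secret` is only correct if these are the setting names of the installed plugin version, which this diff cannot show; a one-line header comment stating which plugin version the keys were checked against would keep the next maintainer from guessing. Since this document is later serialized with `to_json` into a SQL statement, also keep every value quoted as it is here so a boolean- or number-looking value is not retyped on the way. The file still ends without a trailing newline.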