Fix PeerTube OIDC plugin automation

- Store oidc_settings as proper YAML dict with correct keys - Ensure plugin is installed only if missing - Update DB settings as jsonb and enforce enabled/uninstalled state - Add CLI enforcement for plugin activation - Correct task conditions (enable/disable logic) with boolean filters Ref: https://chatgpt.com/share/68dd1d16-9b34-800f-b2bf-a3fe058f25b1
2025-10-10 02:38:10 +02:00 · 2025-10-01 14:23:07 +02:00
parent e7702948b8
commit 5cdcc18a99
3 changed files with 38 additions and 23 deletions
--- a/roles/web-app-peertube/tasks/01_enable-oidc.yml
+++ b/roles/web-app-peertube/tasks/01_enable-oidc.yml
@@ -1,4 +1,5 @@
- name: "Load OIDC Settings vor Peertube"
+---
 - name: "Load OIDC Settings for Peertube"
  include_vars: vars/oidc-settings.yml
  changed_when: false
@@ -6,13 +7,12 @@
  command: >
    docker exec {{ PEERTUBE_CONTAINER }} test -d /data/plugins/data/peertube-plugin-auth-openid-connect
  register: peertube_oidc_plugin_check
-  failed_when:  false
+  failed_when: false
  changed_when: false
 - name: "Install auth-openid-connect plugin for Peertube"
  command: >
-    docker exec {{ PEERTUBE_CONTAINER }} \
+    docker exec {{ PEERTUBE_CONTAINER }} npm run plugin:install -- --npm-name {{ PEERTUBE_OIDC_PLUGIN }}
    npm run plugin:install -- --npm-name {{ PEERTUBE_OIDC_PLUGIN }}
  when: peertube_oidc_plugin_check.rc != 0
  notify: docker compose up
@@ -25,9 +25,26 @@
    login_port: "{{ database_port }}"
    query: |
      UPDATE public.plugin
-      SET settings = '{{ oidc_settings | to_json }}',
+      SET settings    = '{{ oidc_settings | to_json }}'::jsonb,
-      enabled = TRUE,
+          enabled     = TRUE,
-      uninstalled = FALSE
+          uninstalled = FALSE
-      WHERE name = 'auth-openid-connect';
+      WHERE name = 'auth-openid-connect'
        AND (
          settings IS DISTINCT FROM '{{ oidc_settings | to_json }}'::jsonb
          OR enabled IS DISTINCT FROM TRUE
          OR uninstalled IS DISTINCT FROM FALSE
        );
  register: _peertube_oidc_update
  retries: 5
  delay: 3
  until: _peertube_oidc_update is succeeded
  notify: docker compose up
-  when: peertube_oidc_plugin_check.rc != 0
+
 - name: "Ensure plugin is enabled in PeerTube (CLI)"
  command: >
    docker exec {{ PEERTUBE_CONTAINER }} npm run plugin:enable -- --npm-name {{ PEERTUBE_OIDC_PLUGIN }}
  register: _peertube_enable
  failed_when: false
  changed_when: >
    _peertube_enable.stdout is defined and
    ('already enabled' not in _peertube_enable.stdout)
--- a/roles/web-app-peertube/tasks/main.yml
+++ b/roles/web-app-peertube/tasks/main.yml
@@ -15,8 +15,8 @@
 - name: "Install and activate auth-openid-connect plugin if OIDC is enabled"
  include_tasks: 01_enable-oidc.yml
-  when: PEERTUBE_OIDC_ENABLED
+  when: PEERTUBE_OIDC_ENABLED | bool
 - name: "Deinstall and disable auth-openid-connect plugin if OIDC is enabled"
  include_tasks: 02_disable-oidc.yml
-  when: PEERTUBE_OIDC_ENABLED
+  when: not PEERTUBE_OIDC_ENABLED | bool
--- a/roles/web-app-peertube/vars/oidc-settings.yml
+++ b/roles/web-app-peertube/vars/oidc-settings.yml
@@ -1,12 +1,10 @@
-oidc_settings: |
+oidc_settings:
-  {
+  discover-url: "{{ OIDC.CLIENT.DISCOVERY_DOCUMENT }}"
-    "scope": "openid email profile",
+  client-id: "{{ OIDC.CLIENT.ID }}"
-    "desk-id": "{{ OIDC.CLIENT.ID }}",
+  client-secret: "{{ OIDC.CLIENT.SECRET }}"
-    "discover-url": "{{ OIDC.CLIENT.DISCOVERY_DOCUMENT }}",
+  scope: "openid email profile"
-    "desk-secret": "{{ OIDC.CLIENT.SECRET }}",
+  username-property: "{{ OIDC.ATTRIBUTES.USERNAME }}"
-    "mail-property": "email",
+  display-name-property: "{{ OIDC.ATTRIBUTES.USERNAME }}"
-    "auth-display-name": "{{ OIDC.BUTTON_TEXT }}",
+  mail-property: "email"
-    "username-property": "{{ OIDC.ATTRIBUTES.USERNAME }}",
+  auth-display-name: "{{ OIDC.BUTTON_TEXT }}"
-    "signature-algorithm": "RS256",
+  signature-algorithm: "RS256"
    "display-name-property": "{{ OIDC.ATTRIBUTES.USERNAME }}"
  }