From 6f851973fa8c2da6edbcfdcb02970e77f83fe61d Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach <kevin@veen.world>
Date: Mon, 27 Jan 2025 12:48:25 +0100
Subject: [PATCH] Deactivated default login mask

---
 roles/docker-discourse/README.md                           | 6 ++++++
 .../templates/discourse_application.yml.j2                 | 7 ++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/roles/docker-discourse/README.md b/roles/docker-discourse/README.md
index 2cc0569e..5ac90fb9 100644
--- a/roles/docker-discourse/README.md
+++ b/roles/docker-discourse/README.md
@@ -2,6 +2,12 @@
 
 This Ansible role sets up Discourse, a popular open-source discussion platform, using Docker containers. It is designed to automate the deployment and configuration process of Discourse, making it easier to maintain and update.
 
+
+## Check configuration
+```bash
+./launcher enter application
+pry(main)> SiteSetting.all.each { |setting| puts "#{setting.name}: #{setting.value}" }
+```
 ---
 
 This README was generated with information provided in the Ansible role. For more detailed instructions and information, refer to the inline comments within the role files. Additional support and context for this role can be found in an [online chat discussion](https://chat.openai.com/share/fdbf9870-1f7e-491f-b4d2-357e6e8ad59c).
diff --git a/roles/docker-discourse/templates/discourse_application.yml.j2 b/roles/docker-discourse/templates/discourse_application.yml.j2
index c077fc22..51bf1b4c 100644
--- a/roles/docker-discourse/templates/discourse_application.yml.j2
+++ b/roles/docker-discourse/templates/discourse_application.yml.j2
@@ -113,11 +113,16 @@ run:
   ## After getting the first signup email, re-comment the line. It only needs to run once.
   #- exec: rails r "SiteSetting.notification_email='info@unconfigured.discourse.org'"
 {% if oidc_client_active | bool %}
+  # Deactivate Default Login
+  - exec: rails r "SiteSetting.enable_local_logins = false"
+  - exec: rails r "SiteSetting.enable_passkeys = false" # https://meta.discourse.org/t/passwordless-login-using-passkeys/285589
+
+  # OIDC Activation
   - exec: rails r "SiteSetting.openid_connect_enabled = true"
   - exec: rails r "SiteSetting.openid_connect_discovery_document = '{{oidc_client_discovery_document}}'"
   - exec: rails r "SiteSetting.openid_connect_client_id = '{{oidc_client_id}}'"         
   - exec: rails r "SiteSetting.openid_connect_client_secret = '{{oidc_client_secret}}'"     
-  - exec: rails r "SiteSetting.openid_connect_rp_initiated_logout_redirect = ''"
+  - exec: rails r "SiteSetting.openid_connect_rp_initiated_logout_redirect = 'https://{{domain}}'"
   - exec: rails r "SiteSetting.openid_connect_allow_association_change = false"
   - exec: rails r "SiteSetting.openid_connect_rp_initiated_logout = true"
 {% endif %}