feat(web-app-openwebui): add bootstrap admin configuration via ADMIN_EMAIL

Introduce ADMIN_EMAIL and SHOW_ADMIN_DETAILS options to bootstrap the first
administrator account on fresh installations. This ensures at least one admin
exists without manual database intervention.

Conversation: https://chatgpt.com/share/68d18e02-d6b8-800f-aaab-920c61b9284a

roles/web-app-openwebui/templates/env.j2

@@ -8,12 +8,25 @@ OFFLINE_MODE={{ OPENWEBUI_OFFLINE_MODE | ternary(1, 0) }}
 HF_HUB_OFFLINE={{ OPENWEBUI_HF_HUB_OFFLINE | ternary(1, 0) }}
 ENABLE_PERSISTENT_CONFIG=false
 
+# =========================
+# Bootstrap Admin Account
+# =========================
+# Use this to automatically assign the first admin in a fresh installation.
+# The specified email will be promoted to ADMIN on first login.
+# After initial setup you can remove this block and manage admins via the UI.
+ADMIN_EMAIL=users.administrator.email
+
+# If enabled, the pending-activation page will display the admin’s email address
+# so new users know who to contact for access.
+SHOW_ADMIN_DETAILS=true
+
 {% if OPENWEBUI_OIDC_ENABLED %}
 # =========================
 # OIDC / OAuth2 Settings
 # =========================
 # Enable sign-up/login via OIDC provider
 ENABLE_OAUTH_SIGNUP=true
+DEFAULT_USER_ROLE=user
 
 # Client credentials (must match Keycloak client)
 OAUTH_CLIENT_ID={{ OIDC.CLIENT.ID }}
@@ -23,7 +36,7 @@ OAUTH_CLIENT_SECRET={{ OIDC.CLIENT.SECRET }}
 OPENID_PROVIDER_URL={{ OIDC.CLIENT.DISCOVERY_DOCUMENT }}
 
 # Redirect URI (must match what is configured in Keycloak client)
-OPENID_REDIRECT_URI={{ (domains | get_url(application_id, WEB_PROTOCOL)) ~ '/oauth/oidc/callback' }}
+OPENID_REDIRECT_URI={{ OPENWEBUI_OIDC_REDIRECT_URL }}
 
 # Display name of the provider in the login button
 OAUTH_PROVIDER_NAME={{ OIDC.BUTTON_TEXT }}
@@ -38,7 +51,7 @@ OAUTH_SCOPES=openid email profile
 ENABLE_OAUTH_ROLE_MANAGEMENT=true
 OAUTH_ROLES_CLAIM={{ RBAC.GROUP.CLAIM }}
 # OAUTH_ALLOWED_ROLES=user
-OAUTH_ADMIN_ROLES={{ [ RBAC.GROUP.NAME, application_id ~ '-administrator' ] | path_join }}
+OAUTH_ADMIN_ROLES={{ OPENWEBUI_OIDC_ADMIN_GROUP }}
 
 # =========================
 # Optional: Group Management

roles/web-app-openwebui/vars/main.yml

@@ -8,6 +8,7 @@ docker_compose_file_creation_enabled: true
 
 # Open WebUI
 # https://openwebui.com/
+OPENWEBUI_URL:                        "{{ domains | get_url(application_id, WEB_PROTOCOL) }}"
 OPENWEBUI_VERSION:                    "{{ applications | get_app_conf(application_id, 'docker.services.openwebui.version') }}"
 OPENWEBUI_IMAGE:                      "{{ applications | get_app_conf(application_id, 'docker.services.openwebui.image') }}"
 OPENWEBUI_CONTAINER:                  "{{ applications | get_app_conf(application_id, 'docker.services.openwebui.name') }}"
@@ -15,5 +16,9 @@ OPENWEBUI_OFFLINE_MODE:               "{{ applications | get_app_conf(applicatio
 OPENWEBUI_HF_HUB_OFFLINE:             "{{ applications | get_app_conf(application_id, 'docker.services.openwebui.hf_hub_offline') }}"
 OPENWEBUI_VOLUME:                     "{{ applications | get_app_conf(application_id, 'docker.volumes.openwebui') }}"
 OPENWEBUI_PORT_PUBLIC:                "{{ ports.localhost.http[application_id] }}"
+OPENWEBUI_LDAP_ENABLED:               "{{ applications | get_app_conf(application_id, 'features.ldap') }}"
+
+## OIDC
 OPENWEBUI_OIDC_ENABLED:               "{{ applications | get_app_conf(application_id, 'features.oidc') }}"
-OPENWEBUI_LDAP_ENABLED:               "{{ applications | get_app_conf(application_id, 'features.ldap') }}"
+OPENWEBUI_OIDC_REDIRECT_URL:          "{{ [OPENWEBUI_URL,'/oauth/oidc/callback'] | url_join }}"
+OPENWEBUI_OIDC_ADMIN_GROUP:           "{{ [ RBAC.GROUP.NAME, application_id ~ '-administrator' ] | path_join }}"