From 949feb912a0ed1627fbc542458e4842d6ef4fe90 Mon Sep 17 00:00:00 2001 From: Kevin Veen-Birkenbach Date: Sun, 6 Apr 2025 09:08:53 +0200 Subject: [PATCH] Implemented OIDC draft for Taiga --- roles/docker-taiga/README.md | 42 ++++++++++--------- roles/docker-taiga/meta/main.yml | 26 ++++++++++++ .../templates/docker-compose.yml.j2 | 6 +-- roles/docker-taiga/templates/env.j2 | 19 +++++++++ roles/docker-taiga/vars/main.yml | 14 ++++--- 5 files changed, 78 insertions(+), 29 deletions(-) create mode 100644 roles/docker-taiga/meta/main.yml diff --git a/roles/docker-taiga/README.md b/roles/docker-taiga/README.md index f1868a41..ddd5a4ea 100644 --- a/roles/docker-taiga/README.md +++ b/roles/docker-taiga/README.md 
@@ -1,31 +1,33 @@ -# Docker Taiga Role 🐳📋 +# Taiga 🐳📋 -This Ansible role sets up and configures a Taiga project management platform using Docker. It includes tasks for setting up the database, Nginx proxy, and updating the repository with necessary files. +## Description -## Tasks +This Ansible role deploys and configures the [Taiga](https://www.taiga.io/) project management platform using Docker. It supports core services like backend, frontend, events, and async processing — with optional integration for OpenID Connect (OIDC) authentication. -The main tasks included in this role are: +Designed for Arch Linux systems, it ensures consistent and modular setup of the entire Taiga stack, including database and proxy configuration. This role integrates with the CyMaIS infrastructure through conditional Docker Compose file generation and optional service dependencies. -- Setting up the database. -- Configuring Nginx as a proxy. -- Updating the repository with necessary files. +## Overview -## Variables +- Deploys Taiga using Docker and Docker Compose. +- Supports PostgreSQL and RabbitMQ as dependencies. +- Automatically integrates Nginx as a reverse proxy. +- Optionally enables OIDC via `taiga-contrib-openid-auth`. -Key variables used in this role include the Docker Compose project name, database type and password, and the repository address. +## Purpose -## Templates +The purpose of this role is to automate the provisioning of a complete, containerized Taiga environment in a secure, repeatable, and infrastructure-compliant way. It supports multiple deployment scenarios (internal tools, team collaboration, or homelab usage) and fits into a modular Ansible-based DevOps workflow. -The role includes several Jinja2 templates to configure the environment and Docker Compose setup, including: +## Features -- **docker-compose-inits.yml.j2** -- **.env.j2** -- **docker-compose.yml.j2** +- 🐳 **Docker-Based Deployment** – Uses `docker-compose` to orchestrate all services. 
+- 🔐 **Optional OpenID Connect Integration** – Conditionally enables Keycloak or other OIDC providers. +- 🔁 **Async and Event Support** – Includes `taiga-events` and `taiga-async`. +- 📨 **SMTP Email Support** – Supports both real and console email backends. +- 🧩 **Modular Role Integration** – Compatible with roles like `docker-central-database`, `nginx-domain-setup`, and `docker-repository-setup`. -## Author +## Credits 📝 -This role was created by Kevin Veen-Birkenbach. You can reach him at [kevin@veen.world](mailto:kevin@veen.world). Visit his website at [veen.world](https://www.veen.world/). - -## Note - -This README was created with the assistance of ChatGPT. [Link to conversation](https://chatgpt.com/share/fee718ab-cfe1-46f3-b97f-8f8c896ffd11). +Developed and maintained by **Kevin Veen-Birkenbach** +Visit [veen.world](https://www.veen.world) for more information. +Part of the [CyMaIS Project](https://github.com/kevinveenbirkenbach/cymais) +License: [CyMaIS NonCommercial License (CNCL)](https://s.veen.world/cncl) \ No newline at end of file diff --git a/roles/docker-taiga/meta/main.yml b/roles/docker-taiga/meta/main.yml new file mode 100644 index 00000000..fd9a2ae7 --- /dev/null +++ b/roles/docker-taiga/meta/main.yml @@ -0,0 +1,26 @@ +--- +galaxy_info: + author: "Kevin Veen-Birkenbach" + description: "Deploy and configure the Taiga project management platform, with OpenID Connect support." + license: "CyMaIS NonCommercial License (CNCL)" + license_url: "https://s.veen.world/cncl" + company: | + Kevin Veen-Birkenbach + Consulting & Coaching Solutions + https://www.veen.world + min_ansible_version: "2.9" + platforms: + - name: Archlinux + versions: + - rolling + galaxy_tags: + - taiga + - docker + - project-management + - oidc + - openid + - archlinux + - cymais + repository: https://s.veen.world/cymais + issue_tracker_url: https://s.veen.world/cymaisissues + documentation: https://s.veen.world/cymais \ No newline at end of file 
diff --git a/roles/docker-taiga/templates/docker-compose.yml.j2 b/roles/docker-taiga/templates/docker-compose.yml.j2 index 02cacab2..aff6a4b9 100644 --- a/roles/docker-taiga/templates/docker-compose.yml.j2 +++ b/roles/docker-taiga/templates/docker-compose.yml.j2 @@ -2,7 +2,7 @@ services: {% include 'roles/docker-central-database/templates/services/' + database_type + '.yml.j2' %} taiga-back: {% include 'roles/docker-compose/templates/services/base.yml.j2' %} - image: taigaio/taiga-back:{{applications.taiga.version}} + image: {{taiga_image_backend}}:{{applications.taiga.version}} volumes: # These volumens will be used by taiga-back and taiga-async. - static-data:/taiga-back/static @@ -18,7 +18,7 @@ services: taiga-async: {% include 'roles/docker-compose/templates/services/base.yml.j2' %} - image: taigaio/taiga-back:latest + image: {{taiga_image_backend}}:{{applications.taiga.version}} entrypoint: ["/taiga-back/docker/async_entrypoint.sh"] volumes: # These volumens will be used by taiga-back and taiga-async. @@ -43,7 +43,7 @@ services: taiga: taiga-front: - image: taigaio/taiga-front:latest + image: {{taiga_image_frontend}}:{{applications.taiga.version}} {% include 'roles/docker-compose/templates/services/base.yml.j2' %} {% include 'templates/docker/container/networks.yml.j2' %} taiga: diff --git a/roles/docker-taiga/templates/env.j2 b/roles/docker-taiga/templates/env.j2 index 01c64ad0..52684ff6 100644 --- a/roles/docker-taiga/templates/env.j2 +++ b/roles/docker-taiga/templates/env.j2 
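Review bot: All three `image:` lines now apply the single tag `{{applications.taiga.version}}` to whichever repository `taiga_image_backend`/`taiga_image_frontend` resolves to, but nothing in the patch shows that the OIDC fork images are published under the same tags as upstream `taigaio/*`; if they are not, enabling OIDC fails at pull time with an image-not-found error instead of at configuration time. Worth recording the assumption next to the first occurrence, e.g. `# the tag below must exist in both the upstream and the OIDC-fork image repositories selected in vars/main.yml`, or, if the fork's tags differ, giving the fork its own version variable. A smaller point of style: these lines index `applications.taiga.version` while the new vars in this commit use `applications[application_id]`; `{{applications[application_id].version}}` would keep the template free of the hard-coded application name. The enclosing `services:` mapping starts and ends outside each hunk.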
@@ -46,3 +46,22 @@ MAX_AGE = 360 # Taiga's Telemetry - Variable to enable or disable the anonymous telemetry ENABLE_TELEMETRY = True + +{% if applications[application_id].oidc.enabled %} +# OICD +# @See https://github.com/robrotheram/taiga-contrib-openid-auth +ENABLE_OPENID="True" +OPENID_URL="{{oidc.client.authorize_url}}" +OPENID_USER_URL="{{oidc.client.user_info_url}}" +OPENID_TOKEN_URL="{{oidc.client.torken_url}}" +OPENID_CLIENT_ID="{{oidc.client.id}}" +OPENID_CLIENT_SECRET="{{oidc.client.secret}}" +OPENID_NAME="SSO" +# Default Values +# +# OPENID_ID_FIELD="sub" +# OPENID_USERNAME_FIELD="preferred_username" +# OPENID_FULLNAME_FIELD="name" +# OPENID_EMAIL_FIELD="email" +# OPENID_SCOPE="openid email" +{% endif %} \ No newline at end of file diff --git a/roles/docker-taiga/vars/main.yml b/roles/docker-taiga/vars/main.yml index 37254ff7..f0166403 100644 --- a/roles/docker-taiga/vars/main.yml +++ b/roles/docker-taiga/vars/main.yml 
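Review bot: `OPENID_TOKEN_URL="{{oidc.client.torken_url}}"` looks like a typo for `token_url` — the sibling keys are `authorize_url` and `user_info_url`, and `torken_url` is unlikely to exist on the `oidc.client` mapping (not on this page, so confirm); as written the value renders empty or aborts templating, depending on the undefined-variable policy, and the authorization-code exchange cannot succeed either way. The fix is one line: `OPENID_TOKEN_URL="{{oidc.client.token_url}}"`. Since the rendered file now carries `OPENID_CLIENT_SECRET`, the task that writes this template (outside the patch) should install it with a restrictive mode such as `mode: "0600"` so the secret is not readable by other users on the host. The header comment `# OICD` should read `# OIDC`.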
@@ -1,6 +1,8 @@
-application_id: "taiga"
-database_type: "postgres"
-database_password: "{{taiga_database_password}}"
-docker_repository_address: "https://github.com/taigaio/taiga-docker"
-email_backend: "smtp" ## use an SMTP server or display the emails in the console (either "smtp" or "console")
-docker_compose_init: "{{docker_compose.directories.instance}}docker-compose-inits.yml.j2"
\ No newline at end of file
+application_id: "taiga"
+database_type: "postgres"
+database_password: "{{taiga_database_password}}"
+docker_repository_address: "https://github.com/taigaio/taiga-docker"
+email_backend: "smtp" ## use an SMTP server or display the emails in the console (either "smtp" or "console")
+docker_compose_init: "{{docker_compose.directories.instance}}docker-compose-inits.yml.j2"
+taiga_image_backend: "{{ 'robrotheram/taiga-back-openid' if applications[application_id].oidc.enabled else 'taigaio/taiga-back' }}"
+taiga_image_frontend: "{{ 'robrotheram/taiga-front-openid' if applications[application_id].oidc.enabled else 'taigaio/taiga-front' }}"
\ No newline at end of file
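Review bot: The two new `taiga_image_*` variables select images from a third-party Docker Hub namespace (`robrotheram/…`) by mutable tag only, so what is pulled when OIDC is enabled can change underneath the role without any diff here; for a supply-chain boundary this visible, consider pinning those images by digest (`name@sha256:<digest-placeholder>`) or at least documenting the provenance next to the variables, e.g. `# OIDC-enabled images come from the taiga-contrib-openid-auth fork, not the taigaio project`. Both expressions also evaluate `applications[application_id].oidc.enabled` without a `default(false)`, so a deployment whose `applications` entry has no `oidc` key fails at variable evaluation rather than falling back to the upstream images — acceptable if the project's defaults guarantee the key, otherwise `applications[application_id].oidc.enabled | default(false)` falls back to the non-OIDC images. The same condition is duplicated across both lines; a single `taiga_oidc_enabled` variable would keep them in step.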