Implemented OIDC draft for Taiga

2025-04-20 15:04:57 +02:00 · 2025-04-06 09:08:53 +02:00 · 2025-04-06 09:08:53 +02:00 · 949feb912a
commit 949feb912a
parent bfd1839a8b
5 changed files with 78 additions and 29 deletions
--- a/roles/docker-taiga/README.md
+++ b/roles/docker-taiga/README.md
@ -1,31 +1,33 @@
-# Docker Taiga Role 🐳📋
+# Taiga 🐳📋

-This Ansible role sets up and configures a Taiga project management platform using Docker. It includes tasks for setting up the database, Nginx proxy, and updating the repository with necessary files.
+## Description

-## Tasks
+This Ansible role deploys and configures the [Taiga](https://www.taiga.io/) project management platform using Docker. It supports core services like backend, frontend, events, and async processing — with optional integration for OpenID Connect (OIDC) authentication.

-The main tasks included in this role are:
+Designed for Arch Linux systems, it ensures consistent and modular setup of the entire Taiga stack, including database and proxy configuration. This role integrates with the CyMaIS infrastructure through conditional Docker Compose file generation and optional service dependencies.

- Setting up the database.
- Configuring Nginx as a proxy.
- Updating the repository with necessary files.
+## Overview

-## Variables
+- Deploys Taiga using Docker and Docker Compose.
+- Supports PostgreSQL and RabbitMQ as dependencies.
+- Automatically integrates Nginx as a reverse proxy.
+- Optionally enables OIDC via `taiga-contrib-openid-auth`.

-Key variables used in this role include the Docker Compose project name, database type and password, and the repository address.
+## Purpose

-## Templates
+The purpose of this role is to automate the provisioning of a complete, containerized Taiga environment in a secure, repeatable, and infrastructure-compliant way. It supports multiple deployment scenarios (internal tools, team collaboration, or homelab usage) and fits into a modular Ansible-based DevOps workflow.

-The role includes several Jinja2 templates to configure the environment and Docker Compose setup, including:
+## Features

- **docker-compose-inits.yml.j2**
- **.env.j2**
- **docker-compose.yml.j2**
+- 🐳 **Docker-Based Deployment** – Uses `docker-compose` to orchestrate all services.
+- 🔐 **Optional OpenID Connect Integration** – Conditionally enables Keycloak or other OIDC providers.
+- 🔁 **Async and Event Support** – Includes `taiga-events` and `taiga-async`.
+- 📨 **SMTP Email Support** – Supports both real and console email backends.
+- 🧩 **Modular Role Integration** – Compatible with roles like `docker-central-database`, `nginx-domain-setup`, and `docker-repository-setup`.

-## Author
+## Credits 📝

-This role was created by Kevin Veen-Birkenbach. You can reach him at [kevin@veen.world](mailto:kevin@veen.world). Visit his website at [veen.world](https://www.veen.world/).
-
-## Note
-
-This README was created with the assistance of ChatGPT. [Link to conversation](https://chatgpt.com/share/fee718ab-cfe1-46f3-b97f-8f8c896ffd11).
+Developed and maintained by **Kevin Veen-Birkenbach**  
+Visit [veen.world](https://www.veen.world) for more information.  
+Part of the [CyMaIS Project](https://github.com/kevinveenbirkenbach/cymais)  
+License: [CyMaIS NonCommercial License (CNCL)](https://s.veen.world/cncl)
--- a/roles/docker-taiga/meta/main.yml
+++ b/roles/docker-taiga/meta/main.yml
@ -0,0 +1,26 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Deploy and configure the Taiga project management platform, with OpenID Connect support."
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: | 
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+  galaxy_tags:
+    - taiga
+    - docker
+    - project-management
+    - oidc
+    - openid
+    - archlinux
+    - cymais
+  repository: https://s.veen.world/cymais
+  issue_tracker_url: https://s.veen.world/cymaisissues
+  documentation: https://s.veen.world/cymais
--- a/roles/docker-taiga/templates/docker-compose.yml.j2
+++ b/roles/docker-taiga/templates/docker-compose.yml.j2
@ -2,7 +2,7 @@ services:
 {% include 'roles/docker-central-database/templates/services/' + database_type + '.yml.j2' %}
  taiga-back:
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
-    image: taigaio/taiga-back:{{applications.taiga.version}}
+    image: {{taiga_image_backend}}:{{applications.taiga.version}}
    volumes:
      # These volumens will be used by taiga-back and taiga-async.
      - static-data:/taiga-back/static
@ -18,7 +18,7 @@ services:

  taiga-async:
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
-    image: taigaio/taiga-back:latest
+    image: {{taiga_image_backend}}:{{applications.taiga.version}}
    entrypoint: ["/taiga-back/docker/async_entrypoint.sh"]
    volumes:
      # These volumens will be used by taiga-back and taiga-async.
@ -43,7 +43,7 @@ services:
      taiga:

  taiga-front:
-    image: taigaio/taiga-front:latest
+    image: {{taiga_image_frontend}}:{{applications.taiga.version}}
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
 {% include 'templates/docker/container/networks.yml.j2' %}
      taiga:
--- a/roles/docker-taiga/templates/env.j2
+++ b/roles/docker-taiga/templates/env.j2
@ -46,3 +46,22 @@ MAX_AGE             =   360

 # Taiga's Telemetry - Variable to enable or disable the anonymous telemetry
 ENABLE_TELEMETRY    =   True
+
+{% if applications[application_id].oidc.enabled %}
+# OICD 
+# @See https://github.com/robrotheram/taiga-contrib-openid-auth
+ENABLE_OPENID="True"
+OPENID_URL="{{oidc.client.authorize_url}}"
+OPENID_USER_URL="{{oidc.client.user_info_url}}"
+OPENID_TOKEN_URL="{{oidc.client.torken_url}}"
+OPENID_CLIENT_ID="{{oidc.client.id}}"
+OPENID_CLIENT_SECRET="{{oidc.client.secret}}"
+OPENID_NAME="SSO"
+# Default Values
+#
+# OPENID_ID_FIELD="sub"
+# OPENID_USERNAME_FIELD="preferred_username"
+# OPENID_FULLNAME_FIELD="name"
+# OPENID_EMAIL_FIELD="email"
+# OPENID_SCOPE="openid email"
+{% endif %}
--- a/roles/docker-taiga/vars/main.yml
+++ b/roles/docker-taiga/vars/main.yml
@ -4,3 +4,5 @@ database_password:           "{{taiga_database_password}}"
 docker_repository_address:  "https://github.com/taigaio/taiga-docker"
 email_backend:              "smtp"                                      ## use an SMTP server or display the emails in the console (either "smtp" or "console")
 docker_compose_init:        "{{docker_compose.directories.instance}}docker-compose-inits.yml.j2"
+taiga_image_backend:        "{{ 'robrotheram/taiga-back-openid' if applications[application_id].oidc.enabled else 'taigaio/taiga-back' }}"
+taiga_image_frontend:       "{{ 'robrotheram/taiga-front-openid' if applications[application_id].oidc.enabled else 'taigaio/taiga-front' }}"