feat(web-app-drupal): add Drupal role, OIDC config, and wiring

- networks: add web-app-drupal subnet 192.168.104.80/28
- ports: map localhost http port 8060
- add role files: tasks, vars, schema, users, templates (Dockerfile, docker-compose, settings.local.php, upload.ini)
- add docs: README.md and Administration.md

Ref: https://chatgpt.com/share/690535c5-b55c-800f-8556-5335a6b8a33f

roles/web-app-drupal/tasks/01_settings_local_include.yml

@@ -0,0 +1,25 @@
+- name: "Ensure settings.php exists and includes settings.local.php"
+  command: >
+    docker exec -u root {{ DRUPAL_CONTAINER }} bash -lc
+    "set -e;
+     f='{{ DRUPAL_DOCKER_CONF_PATH }}/settings.php';
+     df='{{ DRUPAL_DOCKER_CONF_PATH }}/default.settings.php';
+     if [ ! -f \"$f\" ] && [ -f \"$df\" ]; then
+       cp \"$df\" \"$f\";
+       chown www-data:www-data \"$f\";
+       chmod 644 \"$f\";
+     fi;
+     php -r '
+       $f=\"{{ DRUPAL_DOCKER_CONF_PATH }}/settings.php\";
+       if (!file_exists($f)) { exit(0); }
+       $c=file_get_contents($f);
+       $inc=\"\\nif (file_exists(\\\"\$app_root/\$site_path/settings.local.php\\\")) { include \$app_root/\$site_path/settings.local.php; }\\n\";
+       if (strpos($c, \"settings.local.php\") === false) {
+         file_put_contents($f, $c.$inc);
+         echo \"patched\";
+       } else {
+         echo \"exists\";
+       }
+     '"
+  register: settings_local_include
+  changed_when: "'patched' in settings_local_include.stdout"

roles/web-app-drupal/tasks/02_install.yml

@@ -0,0 +1,15 @@
+- name: "Run Drupal site:install via Drush"
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+  command: >
+    docker exec {{ DRUPAL_CONTAINER }} bash -lc
+    "/var/www/html/vendor/bin/drush -r {{ DRUPAL_DOCKER_HTML_PATH }} si standard -y
+    --site-name='{{ applications | get_app_conf(application_id, 'title', True) }}'
+    --account-name='{{ applications | get_app_conf(application_id, 'users.administrator.username') }}'
+    --account-mail='{{ applications | get_app_conf(application_id, 'users.administrator.email', True) }}'
+    --account-pass='{{ applications | get_app_conf(application_id, 'credentials.administrator_password', True) }}'
+    --uri='{{ DRUPAL_URL }}'"
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: drupal_install
+  changed_when: "'Installation complete' in drupal_install.stdout"
+  failed_when: false

roles/web-app-drupal/tasks/03_enable_modules.yml

@@ -0,0 +1,12 @@
+- name: "Enable OpenID Connect core module"
+  command: >
+    docker exec {{ DRUPAL_CONTAINER }} bash -lc
+    "/var/www/html/vendor/bin/drush -r {{ DRUPAL_DOCKER_HTML_PATH }} en openid_connect -y"
+  changed_when: true
+
+- name: "Enable OpenID Connect Keycloak preset (submodule of openid_connect)"
+  command: >
+    docker exec {{ DRUPAL_CONTAINER }} bash -lc
+    "/var/www/html/vendor/bin/drush -r {{ DRUPAL_DOCKER_HTML_PATH }} en openid_connect_client_keycloak -y"
+  changed_when: true
+  failed_when: false

roles/web-app-drupal/tasks/04_configure_oidc.yml

@@ -0,0 +1,59 @@
+- name: "Load OIDC vars"
+  include_vars:
+    file: "{{ role_path }}/vars/oidc.yml"
+    name: oidc_vars
+
+- name: "Apply openid_connect.settings (global)"
+  loop: "{{ oidc_vars.oidc_settings | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  command: >
+    docker exec {{ DRUPAL_CONTAINER }} bash -lc
+    "/var/www/html/vendor/bin/drush -r {{ DRUPAL_DOCKER_HTML_PATH }} cset -y
+    openid_connect.settings {{ item.key }}
+    {{ (item.value | to_json) if item.value is mapping or item.value is sequence else item.value }}"
+
+- name: "Ensure OIDC client entity exists"
+  vars:
+    client_id: "{{ oidc_vars.oidc_client.id }}"
+    client_label: "{{ oidc_vars.oidc_client.label }}"
+  command: >
+    docker exec {{ DRUPAL_CONTAINER }} bash -lc
+    "/var/www/html/vendor/bin/drush -r {{ DRUPAL_DOCKER_HTML_PATH }} eval '
+    $id=\"{{ client_id }}\"; $label=\"{{ client_label }}\";
+    $storage=\Drupal::entityTypeManager()->getStorage(\"openid_connect_client\");
+    if (!$storage->load($id)) {
+      $client=$storage->create([\"id\"=>$id,\"label\"=>$label]);
+      $client->save();
+      print \"created\";
+    } else { print \"exists\"; }'"
+  register: client_exists
+  changed_when: "'created' in client_exists.stdout"
+
+- name: "Apply OIDC client settings"
+  vars:
+    client_id: "{{ oidc_vars.oidc_client.id }}"
+    settings_map: "{{ oidc_vars.oidc_client.settings }}"
+    kv: "{{ settings_map | dict2items }}"
+  loop: "{{ kv }}"
+  loop_control:
+    label: "{{ item.key }}"
+  command: >
+    docker exec {{ DRUPAL_CONTAINER }} bash -lc
+    "/var/www/html/vendor/bin/drush -r {{ DRUPAL_DOCKER_HTML_PATH }} eval '
+    $id=\"{{ client_id }}\";
+    $key=\"{{ item.key }}\";
+    $val=json_decode(base64_decode(\"{{ (item.value | to_json | b64encode) }}\"), true);
+    $storage=\Drupal::entityTypeManager()->getStorage(\"openid_connect_client\");
+    $c=$storage->load($id);
+    $s=$c->get(\"settings\");
+    $s[$key]=$val;
+    $c->set(\"settings\", $s);
+    $c->save();'"
+  changed_when: true
+
+- name: "Clear caches after OIDC config"
+  command: >
+    docker exec {{ DRUPAL_CONTAINER }} bash -lc
+    "/var/www/html/vendor/bin/drush -r {{ DRUPAL_DOCKER_HTML_PATH }} cr"
+  changed_when: false

roles/web-app-drupal/tasks/05_trusted_hosts.yml

@@ -0,0 +1,19 @@
+- name: "Set trusted_host_patterns for canonical domains"
+  vars:
+    patterns: "{{ DRUPAL_DOMAINS
+                  | map('regex_replace','\\\\.','\\\\\\\\.')
+                  | map('regex_replace','^','^')
+                  | map('regex_replace','$','$')
+                  | list }}"
+    php_array: "{{ patterns | to_json }}"
+  command: >
+    docker exec -u root {{ DRUPAL_CONTAINER }} bash -lc
+    "php -r '
+    $f="{{ DRUPAL_DOCKER_CONF_PATH }}/settings.local.php";
+    $c=file_exists($f)?file_get_contents($f):"<?php\n";
+    // Remove existing assignment of $settings[\"trusted_host_patterns\"] (if any)
+    $c=preg_replace(\"/(\\\\$settings\\['trusted_host_patterns'\\]\\s*=).*?;/s\", \"\", $c);
+    $c.="\n\$settings[\'trusted_host_patterns\'] = ".var_export(json_decode("{{ php_array|e }}", true), true).";\n";
+    file_put_contents($f,$c);
+    '"
+  changed_when: true

roles/web-app-drupal/tasks/main.yml

@@ -0,0 +1,55 @@
+- name: "Include role sys-stk-front-proxy for {{ application_id }}"
+  include_role:
+    name: sys-stk-front-proxy
+  loop: "{{ DRUPAL_DOMAINS }}"
+  loop_control:
+    loop_var: domain
+  vars:
+    proxy_extra_configuration: "client_max_body_size {{ DRUPAL_MAX_UPLOAD_SIZE }};"
+    http_port: "{{ ports.localhost.http[application_id] }}"
+
+- name: "Load docker and DB for {{ application_id }}"
+  include_role:
+    name: sys-stk-back-stateful
+  vars:
+    docker_compose_flush_handlers: false
+
+- name: "Transfer upload.ini to {{ DRUPAL_CONFIG_UPLOAD_ABS }}"
+  template:
+    src: upload.ini.j2
+    dest: "{{ DRUPAL_CONFIG_UPLOAD_ABS }}"
+  notify:
+  - docker compose up
+  - docker compose build
+
+- name: "Transfer msmtprc to {{ DRUPAL_MSMTP_ABS }}"
+  template:
+    src:  "{{ DRUPAL_MSMTP_SRC }}"
+    dest: "{{ DRUPAL_MSMTP_ABS }}"
+  notify: docker compose up
+
+- name: "Transfer settings.local.php overrides"
+  template:
+    src:  settings.local.php.j2
+    dest: "{{ DRUPAL_SETTINGS_LOCAL_ABS }}"
+  notify: docker compose up
+
+- name: Flush handlers to make container ready
+  meta: flush_handlers
+
+- name: "Ensure settings.php includes settings.local.php"
+  include_tasks: 01_settings_local_include.yml
+
+- name: "Install Drupal (site:install)"
+  include_tasks: 02_install.yml
+
+- name: "Enable OIDC modules"
+  include_tasks: 03_enable_modules.yml
+  when: applications | get_app_conf(application_id, 'features.oidc')
+
+- name: "Configure OIDC (global + client)"
+  include_tasks: 04_configure_oidc.yml
+  when: applications | get_app_conf(application_id, 'features.oidc')
+
+- name: "Harden trusted host patterns"
+  include_tasks: 05_trusted_hosts.yml