From b2ccc69628524f6a2bd50419a0e6b549e5f76f85 Mon Sep 17 00:00:00 2001 From: Kevin Veen-Birkenbach Date: Thu, 20 Feb 2025 11:44:50 +0100 Subject: [PATCH] Refactored oidc, solved network bugs and refactored --- group_vars/all/07_applications.yml | 26 ++++++++++++++++--- group_vars/all/09_ports.yml | 4 +++ group_vars/all/10_networks.yml | 7 ++--- group_vars/all/12_storage.yml | 1 - roles/docker-bigbluebutton/templates/env.j2 | 9 ++++--- .../templates/discourse_application.yml.j2 | 2 +- roles/docker-friendica/vars/main.yml | 2 +- roles/docker-mailu/templates/env.j2 | 10 +++---- roles/docker-mailu/vars/main.yml | 6 ++--- roles/docker-mastodon/templates/env.j2 | 4 +-- roles/docker-nextcloud/tasks/ldap.yml | 1 + roles/docker-nextcloud/tasks/main.yml | 8 +++--- templates/docker/compose/networks.yml.j2 | 2 +- 13 files changed, 54 insertions(+), 28 deletions(-) diff --git a/group_vars/all/07_applications.yml b/group_vars/all/07_applications.yml index e874763f..20a1274b 100644 --- a/group_vars/all/07_applications.yml +++ b/group_vars/all/07_applications.yml @@ -30,7 +30,9 @@ defaults_applications: ## Big Blue Button bigbluebutton: enable_greenlight: "true" - setup: false # Set to true in inventory file for initial setup + setup: false # Set to true in inventory file for initial setup + oidc: + enabled: true # Activate OIDC ## Bluesky bluesky: @@ -47,15 +49,19 @@ defaults_applications: container: "discourse_application" # Name of the container application repository: "discourse_repository" # Name of the repository folder # database_password: # Needs to be defined in inventory file + oidc: + enabled: true # Activate OIDC ## Friendica friendica: version: "latest" + oidc: + enabled: true # Activate OIDC. Plugin is not working yet ## Funkwhale funkwhale: version: "1.4.0" - ldap_enabled: True # Enables LDAP by default + ldap_enabled: True # Enables LDAP by default ## Gitea gitea: 
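Review bot: In the `@@ -47,15 +49,19 @@` hunk, `friendica.oidc.enabled` defaults to `true` on the very line whose comment says the plugin is not working yet, and roles/docker-friendica/vars/main.yml in this same patch derives `no_validation` from that flag, so the default turns off e-mail validation for Friendica registrations while the login path that was supposed to replace it is known to be broken. Default the flag off until the plugin works: `enabled: false # Activate OIDC. Plugin is not working yet; keep off so e-mail validation stays active`. The same hunk re-emits `ldap_enabled: True` while every new key in the patch writes lowercase `true`; `true`/`false` throughout keeps yamllint's truthy rule quiet and avoids YAML 1.1/1.2 differences.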
@@ -107,6 +113,16 @@ defaults_applications: version: "latest" # Docker Image version setup: false # Set true in inventory file to execute the setup and initializing procedures + mailu: + oidc: + enabled: true # Activate OIDC for Mailu + domain: "{{primary_domain}}" # The main domain from which mails will be send \ email suffix behind @ + # I don't know why the database deactivation is necessary + enable_central_database: False # Deactivate central database for mailu +# secret_key: # Needs to be set in inventory file +# database_password: # Needs to be set in inventory file +# api_token: # Needs to be set in inventory file + ## MariaDB mariadb: version: "latest" @@ -126,6 +142,8 @@ defaults_applications: version: "latest" single_user_mode: false # Set true for initial setup setup: false # Set true in inventory file to execute the setup and initializing procedures + oidc: + enabled: true # Activate OIDC for Mailu # # Check out the README.md of the docker-mastodon role to get detailled instructions about how to setup the credentials # @@ -173,8 +191,10 @@ defaults_applications: ## Nextcloud nextcloud: version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/ - ldap_enabled: True # Enables LDAP by default + ldap_enabled: True # Enables LDAP by default, missing ansible setup tasks @todo setup # database_password: Null # Needs to be set in inventory file + oidc: + enabled: true # Activate OIDC for Nextcloud ## OAuth2 Proxy oauth2_proxy: diff --git a/group_vars/all/09_ports.yml b/group_vars/all/09_ports.yml index 087201c7..d02acc68 100644 --- a/group_vars/all/09_ports.yml +++ b/group_vars/all/09_ports.yml @@ -55,3 +55,7 @@ ports: gitlab: 2202 ldaps: openldap: 636 + stun: + bigbluebutton: 3478 # Not sure if it's right placed here or if it should be moved to localhost section + turn: + bigbluebutton: 5349 # Not sure if it's right placed here or if it should be moved to localhost section 
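Review bot: The new `mailu:` block in the `@@ -107,6 +113,16 @@` hunk is the only application entry here without a `## Mailu` section header like the surrounding `## MariaDB` / `## Bluesky` ones, and `enable_central_database: False` uses a capitalised boolean where the other keys added by this patch write `true`. Suggest `## Mailu` above the block and `enable_central_database: false`. The comment on `domain` contains a stray backslash (`\ email suffix behind @`); `# The main domain mails are sent from, i.e. the suffix behind @` reads cleanly. The commented `# secret_key:` / `# database_password:` / `# api_token:` lines sit at column 0 inside a nested mapping; indenting them under `mailu:` makes it obvious they document inventory-overridable keys of that block.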
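Review bot: The comment on the `enabled: true` added under `mastodon:` in the `@@ -126,6 +142,8 @@` hunk says `Activate OIDC for Mailu`, which looks copied from the Mailu block above; it should read `enabled: true # Activate OIDC for Mastodon`. Mastodon's env.j2 in this patch keys on this flag, so the comment is the only place a reader learns which application it gates.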
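Review bot: Both new entries in the 09_ports.yml hunk keep the comment `Not sure if it's right placed here or if it should be moved to localhost section`, but the consumer is fixed elsewhere in this patch: roles/docker-bigbluebutton/templates/env.j2 reads `ports.public.stun[application_id]` and `ports.public.turn[application_id]`, and renders `STUN_IP` from `networks.internet.ip4`, so these keys belong under `ports.public` and the doubt can be retired from the comment. Something like `bigbluebutton: 3478 # STUN, public; consumed by docker-bigbluebutton env.j2` and `bigbluebutton: 5349 # TURN over TLS (turns:), public; consumed by docker-bigbluebutton env.j2` documents the linkage. Whether this hunk's `stun:`/`turn:` keys actually sit under `public` is not visible from the context lines, so verify the parent key.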
diff --git a/group_vars/all/10_networks.yml b/group_vars/all/10_networks.yml index c80e302d..129b8b04 100644 --- a/group_vars/all/10_networks.yml +++ b/group_vars/all/10_networks.yml @@ -12,8 +12,8 @@ defaults_networks: subnet: 192.168.101.16/28 baserow: subnet: 192.168.101.32/28 - bigbluebutton: - subnet: 192.168.101.48/28 + # Free: + # subnet: 192.168.101.48/28 bluesky: subnet: 192.168.101.64/28 friendica: @@ -68,6 +68,7 @@ defaults_networks: subnet: 192.168.102.192/28 discourse: subnet: 192.168.102.208/28 - + bigbluebutton: + subnet: 10.7.7.0/24 # This variable does not have an impact. It's just there for documentation reasons. \ No newline at end of file diff --git a/group_vars/all/12_storage.yml b/group_vars/all/12_storage.yml index db716545..020247cd 100644 --- a/group_vars/all/12_storage.yml +++ b/group_vars/all/12_storage.yml @@ -1,6 +1,5 @@ ## Enable Central Postgress and MariaDB instead of dedicated container per application enable_central_database: true -enable_central_database_mailu: "{{enable_central_database}}" ## Enable Storage Optimizer for Docker Volumes enable_system_storage_optimizer: true diff --git a/roles/docker-bigbluebutton/templates/env.j2 b/roles/docker-bigbluebutton/templates/env.j2 index 810dd842..f200a76a 100644 --- a/roles/docker-bigbluebutton/templates/env.j2 +++ b/roles/docker-bigbluebutton/templates/env.j2 
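Review bot: The added `bigbluebutton: subnet: 10.7.7.0/24` in the `@@ -68,6 +68,7 @@` hunk carries the comment that it `does not have an impact`, yet templates/docker/compose/networks.yml.j2 in this same patch now selects the bridge/ipam branch for any `application_id` present in `networks.local` with a `subnet` defined. If `defaults_networks` feeds `networks.local` (docker-mailu's env.j2 reading `networks.local.mailu.subnet` suggests it does), this entry will be applied to the compose network rather than serve as documentation; the ipam subnet lines themselves are outside that hunk, so confirm before relying on the comment. If the value is meant to be informational only, keep it as a comment (`# bigbluebutton uses 10.7.7.0/24 internally; not managed here`) instead of a live `subnet` key. The file also still ends without a trailing newline.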
@@ -43,16 +43,17 @@ FSESL_PASSWORD={{bigbluebutton_fsesl_password}} DOMAIN={{domain}} EXTERNAL_IPv4={{networks.internet.ip4}} -EXTERNAL_IPv6= +# The following line is not tested and could lead to bugs: +EXTERNAL_IPv6={{networks.internet.ip6}} # STUN SERVER # stun.freeswitch.org STUN_IP={{networks.internet.ip4}} -STUN_PORT=3478 +STUN_PORT={{ ports.public.stun[application_id] }} # TURN SERVER # uncomment and adjust following two lines to add an external TURN server -TURN_SERVER=turns:{{domain}}:5349?transport=tcp +TURN_SERVER=turns:{{domain}}:{{ ports.public.turn[application_id] }}?transport=tcp TURN_SECRET={{bigbluebutton_turn_secret}} # Allowed SIP IPs @@ -282,7 +283,7 @@ HELP_URL=https://docs.bigbluebutton.org/greenlight/gl-overview.html # approval - For approve/decline registration DEFAULT_REGISTRATION=invite -{% if oidc.enabled | bool %} +{% if applications[application_id].oidc.enabled | bool %} ### EXTERNAL AUTHENTICATION METHODS # @See https://docs.bigbluebutton.org/greenlight/v3/external-authentication/ # diff --git a/roles/docker-discourse/templates/discourse_application.yml.j2 b/roles/docker-discourse/templates/discourse_application.yml.j2 index 8a7db606..745f8931 100644 --- a/roles/docker-discourse/templates/discourse_application.yml.j2 +++ b/roles/docker-discourse/templates/discourse_application.yml.j2 @@ -112,7 +112,7 @@ run: ## If you want to set the 'From' email address for your first registration, uncomment and change: ## After getting the first signup email, re-comment the line. It only needs to run once. #- exec: rails r "SiteSetting.notification_email='info@unconfigured.discourse.org'" -{% if oidc.enabled | bool %} +{% if applications[application_id].oidc.enabled | bool %} # Deactivate Default Login - exec: rails r "SiteSetting.enable_local_logins = false" - exec: rails r "SiteSetting.enable_passkeys = false" # https://meta.discourse.org/t/passwordless-login-using-passkeys/285589 
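Review bot: `EXTERNAL_IPv6={{networks.internet.ip6}}` replaces a deliberately empty value with a variable the preceding comment itself calls untested; on a host whose inventory has no `ip6` key the template render fails with an undefined-variable error instead of falling back to the previous empty string. `EXTERNAL_IPv6={{ networks.internet.ip6 | default('') }}` keeps the old behaviour for hosts without IPv6 while using the address where it is set. The STUN and TURN lookups via `ports.public.stun[application_id]` / `ports.public.turn[application_id]` match the new keys in 09_ports.yml, and the `turns:` scheme on the 5349 lookup is consistent with TLS.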
diff --git a/roles/docker-friendica/vars/main.yml b/roles/docker-friendica/vars/main.yml index da83e1f0..df4d4f47 100644 --- a/roles/docker-friendica/vars/main.yml +++ b/roles/docker-friendica/vars/main.yml @@ -1,4 +1,4 @@ application_id: "friendica" database_password: "{{friendica_database_password}}" database_type: "mariadb" -no_validation: "{{oidc.enabled}}" # Email validation is not neccessary if OIDC is active \ No newline at end of file +no_validation: "{{applications[application_id].oidc.enabled}}" # Email validation is not neccessary if OIDC is active \ No newline at end of file diff --git a/roles/docker-mailu/templates/env.j2 b/roles/docker-mailu/templates/env.j2 index 58f2d4b7..9bf1e517 100644 --- a/roles/docker-mailu/templates/env.j2 +++ b/roles/docker-mailu/templates/env.j2 @@ -12,7 +12,7 @@ LD_PRELOAD=/usr/lib/libhardened_malloc.so # Set to a randomly generated 16 bytes string -SECRET_KEY={{mailu_secret_key}} +SECRET_KEY={{applications.mailu.secret_key}} # Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!) SUBNET={{networks.local.mailu.subnet}} @@ -118,7 +118,7 @@ WEBSITE=https://{{domain}} # json-file (default) # journald (On systemd platforms, useful for Fail2Ban integration) # syslog (Non systemd platforms, Fail2Ban integration. Disables `docker-compose log` for front!) -# LOG_DRIVER=json-file +LOG_DRIVER=syslog # docker-compose project name, this will prepended to containers names. COMPOSE_PROJECT_NAME=mailu 
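Review bot: `SECRET_KEY={{applications.mailu.secret_key}}` in the `@@ -12,7 +12,7 @@` hunk hard-codes the application name, while the `{% if applications[application_id].oidc.enabled | bool %}` guard in the `@@ -145,20 +145,20 @@` hunk of the same file and `docker_source` in roles/docker-mailu/vars/main.yml use `applications[application_id]`; `API_TOKEN`, `database_password` and `enable_central_database` in this patch have the same hard-coded form. Both spellings resolve to the same mapping today because vars/main.yml sets `application_id: "mailu"`, but mixing them means a future rename or copy of the role silently misses some lines. `SECRET_KEY={{ applications[application_id].secret_key }}` (and likewise for the other three) keeps one lookup pattern per file.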
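Review bot: `LOG_DRIVER=syslog` in the `@@ -118,7 +118,7 @@` hunk turns a commented-out default into an active setting, and the context lines directly above describe syslog as the option for non-systemd platforms that disables `docker-compose log` for the front container, with journald recommended on systemd hosts. The commit message does not mention a logging change, so either use `LOG_DRIVER=journald` or record the reason in place, e.g. `# syslog chosen deliberately for Fail2Ban; front container logs are then not available via docker compose logs`, so the reduced log visibility is a known trade-off rather than a surprise during troubleshooting.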
@@ -145,20 +145,20 @@ LOG_LEVEL=WARNING SQLALCHEMY_DATABASE_URI_ROUNDCUBE=mysql://{{database_username}}:{{database_password}}@{{database_host}}/{{database_name}}?collation=utf8mb4_unicode_ci SQLALCHEMY_DATABASE_URI=mysql+mysqlconnector://{{database_username}}:{{database_password}}@{{database_host}}/{{database_name}}?collation=utf8mb4_unicode_ci -API_TOKEN={{mailu_api_token}} +API_TOKEN={{applications.mailu.api_token}} # Activated https://mailu.io/master/configuration.html#advanced-settings AUTH_REQUIRE_TOKENS=True -{% if oidc.enabled | bool %} +{% if applications[application_id].oidc.enabled | bool %} ################################### # OpenID Connect settings ################################### # @see https://github.com/heviat/Mailu-OIDC/tree/master # Enable OpenID Connect. Possible values: True, False -OIDC_ENABLED={{ oidc.enabled | string | capitalize }} +OIDC_ENABLED={{ applications[application_id].oidc.enabled | string | capitalize }} # OpenID Connect provider configuration URL OIDC_PROVIDER_INFO_URL={{oidc.client.issuer_url}} # OpenID redirect URL if HOSTNAME not matching your login url diff --git a/roles/docker-mailu/vars/main.yml b/roles/docker-mailu/vars/main.yml index ad2e10e7..e1c105e6 100644 --- a/roles/docker-mailu/vars/main.yml +++ b/roles/docker-mailu/vars/main.yml @@ -1,5 +1,5 @@ application_id: "mailu" -database_password: "{{mailu_database_password}}" +database_password: "{{applications.mailu.database_password}}" database_type: "mariadb" cert_mount_directory: "{{docker_compose.directories.volumes}}certs/" enable_wildcard_certificate: false 
@@ -7,8 +7,8 @@ enable_wildcard_certificate: false # I don't know why this configuration is necessary. # Propabldy due to a database migration problem, or dificulties to configure an external db in mailu # @todo research -enable_central_database: "{{enable_central_database_mailu}}" +enable_central_database: "{{applications.mailu.enable_central_database}}" # Use dedicated source for oidc if activated # @see https://github.com/heviat/Mailu-OIDC/tree/2024.06 -docker_source: "{{ 'ghcr.io/heviat' if oidc.enabled | bool else 'ghcr.io/mailu' }}" \ No newline at end of file +docker_source: "{{ 'ghcr.io/heviat' if applications[application_id].oidc.enabled | bool else 'ghcr.io/mailu' }}" \ No newline at end of file diff --git a/roles/docker-mastodon/templates/env.j2 b/roles/docker-mastodon/templates/env.j2 index 80683a8a..878c29f6 100644 --- a/roles/docker-mastodon/templates/env.j2 +++ b/roles/docker-mastodon/templates/env.j2 @@ -52,14 +52,14 @@ SMTP_OPENSSL_VERIFY_MODE=none SMTP_ENABLE_STARTTLS=auto SMTP_FROM_ADDRESS=Mastodon <{{system_email.from}}> -{% if oidc.enabled | bool %} +{% if applications[application_id].oidc.enabled | bool %} ################################### # OpenID Connect settings ################################### # @see https://github.com/mastodon/mastodon/pull/16221 # @see https://stackoverflow.com/questions/72081776/how-mastodon-configured-login-using-sso -OIDC_ENABLED={{ oidc.enabled | string | lower }} +OIDC_ENABLED={{ applications[application_id].oidc.enabled | string | lower }} OIDC_DISPLAY_NAME="{{primary_domain | upper}} SSO" OIDC_ISSUER={{oidc.client.issuer_url}} OIDC_DISCOVERY=true diff --git a/roles/docker-nextcloud/tasks/ldap.yml b/roles/docker-nextcloud/tasks/ldap.yml index f5adcc81..41bddeba 100644 --- a/roles/docker-nextcloud/tasks/ldap.yml +++ b/roles/docker-nextcloud/tasks/ldap.yml 
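Review bot: `docker_source` now switches to the `ghcr.io/heviat` fork whenever `applications[application_id].oidc.enabled` is true, and this patch defaults that flag to `true` in group_vars/all/07_applications.yml, so every Mailu deployment pulls its images from the third-party fork unless the inventory opts out. That is a change in where the mail server's images come from and deserves a line in the comment block above it, e.g. `# NOTE: with the default oidc.enabled=true this pulls the Mailu-OIDC fork (ghcr.io/heviat), not upstream ghcr.io/mailu`, plus a pinned version tag or digest for that source if it is not already fixed where the image is referenced (the tag is not visible in this hunk). The file also still ends without a trailing newline.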
@@ -1,3 +1,4 @@ # @See https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html # @See https://chatgpt.com/c/67aa2d21-cb4c-800f-b1be-8629b6bd3f55 +# @todo implement #docker compose exec -u www-data application php occ app:enable user_ldap \ No newline at end of file diff --git a/roles/docker-nextcloud/tasks/main.yml b/roles/docker-nextcloud/tasks/main.yml index dcb556cc..4c07aca8 100644 --- a/roles/docker-nextcloud/tasks/main.yml +++ b/roles/docker-nextcloud/tasks/main.yml @@ -24,8 +24,8 @@ - name: Include OIDC-specific tasks include_tasks: oidc.yml - when: oidc.enabled | bool + when: applications[application_id].oidc.enabled | bool -#- name: Include LDAP specific tasks -# include_tasks: ldap.yml -# when: ldap.enabled | bool \ No newline at end of file +- name: Include LDAP specific tasks + include_tasks: ldap.yml + when: applications[application_id].ldap_enabled | bool \ No newline at end of file diff --git a/templates/docker/compose/networks.yml.j2 b/templates/docker/compose/networks.yml.j2 index 340ef14d..df32a43d 100644 --- a/templates/docker/compose/networks.yml.j2 +++ b/templates/docker/compose/networks.yml.j2 @@ -9,7 +9,7 @@ networks: external: true {% endif %} default: -{% if applications[application_id].ldap_enabled is defined and applications[application_id].ldap_enabled | bool and applications.ldap.openldap.network.local | bool %} +{% if application_id in networks.local and networks.local[application_id].subnet is defined %} driver: bridge ipam: driver: default
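Review bot: The re-enabled `Include LDAP specific tasks` in the docker-nextcloud tasks/main.yml hunk runs `ldap.yml` whenever `applications[application_id].ldap_enabled | bool` is true — the new nextcloud default in 07_applications.yml — but the `ldap.yml` hunk in this same patch shows a file holding only comments and a `# @todo implement` marker, so the include is a no-op at best (Ansible treats an empty task file as an empty list as far as I recall; verify on the version in use). Either keep the include commented until ldap.yml has tasks, or mark the intent on the task so the next reader does not expect LDAP to be configured: `# ldap.yml is a placeholder (@todo); this include does nothing until the LDAP setup tasks exist`.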