Refactored oidc, solved network bugs and refactored

2025-08-29 15:06:26 +02:00 · 2025-02-20 11:44:50 +01:00
parent 4dd694c4e2
commit b2ccc69628
13 changed files with 54 additions and 28 deletions
--- a/roles/docker-bigbluebutton/templates/env.j2
+++ b/roles/docker-bigbluebutton/templates/env.j2
@@ -43,16 +43,17 @@ FSESL_PASSWORD={{bigbluebutton_fsesl_password}}
 DOMAIN={{domain}}

 EXTERNAL_IPv4={{networks.internet.ip4}}
-EXTERNAL_IPv6=
+# The following line is not tested and could lead to bugs:
+EXTERNAL_IPv6={{networks.internet.ip6}}

 # STUN SERVER
 # stun.freeswitch.org
 STUN_IP={{networks.internet.ip4}}
-STUN_PORT=3478
+STUN_PORT={{ ports.public.stun[application_id] }}

 # TURN SERVER
 # uncomment and adjust following two lines to add an external TURN server
-TURN_SERVER=turns:{{domain}}:5349?transport=tcp
+TURN_SERVER=turns:{{domain}}:{{ ports.public.turn[application_id] }}?transport=tcp
 TURN_SECRET={{bigbluebutton_turn_secret}}

 # Allowed SIP IPs
@@ -282,7 +283,7 @@ HELP_URL=https://docs.bigbluebutton.org/greenlight/gl-overview.html
 #   approval - For approve/decline registration
 DEFAULT_REGISTRATION=invite

-{% if oidc.enabled | bool %}
+{% if applications[application_id].oidc.enabled | bool %}
 ### EXTERNAL AUTHENTICATION METHODS
 # @See https://docs.bigbluebutton.org/greenlight/v3/external-authentication/
 #
--- a/roles/docker-discourse/templates/discourse_application.yml.j2
+++ b/roles/docker-discourse/templates/discourse_application.yml.j2
@@ -112,7 +112,7 @@ run:
  ## If you want to set the 'From' email address for your first registration, uncomment and change:
  ## After getting the first signup email, re-comment the line. It only needs to run once.
  #- exec: rails r "SiteSetting.notification_email='info@unconfigured.discourse.org'"
-{% if oidc.enabled | bool %}
+{% if applications[application_id].oidc.enabled | bool %}
  # Deactivate Default Login
  - exec: rails r "SiteSetting.enable_local_logins = false"
  - exec: rails r "SiteSetting.enable_passkeys = false" # https://meta.discourse.org/t/passwordless-login-using-passkeys/285589
--- a/roles/docker-friendica/vars/main.yml
+++ b/roles/docker-friendica/vars/main.yml
@@ -1,4 +1,4 @@
 application_id:     "friendica"
 database_password:  "{{friendica_database_password}}"
 database_type:      "mariadb"
-no_validation:      "{{oidc.enabled}}"                # Email validation is not neccessary if OIDC is active
+no_validation:      "{{applications[application_id].oidc.enabled}}" # Email validation is not neccessary if OIDC is active
--- a/roles/docker-mailu/templates/env.j2
+++ b/roles/docker-mailu/templates/env.j2
@@ -12,7 +12,7 @@
 LD_PRELOAD=/usr/lib/libhardened_malloc.so 

 # Set to a randomly generated 16 bytes string
-SECRET_KEY={{mailu_secret_key}}
+SECRET_KEY={{applications.mailu.secret_key}}

 # Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!)
 SUBNET={{networks.local.mailu.subnet}}
@@ -118,7 +118,7 @@ WEBSITE=https://{{domain}}
 # json-file (default)
 # journald (On systemd platforms, useful for Fail2Ban integration)
 # syslog (Non systemd platforms, Fail2Ban integration. Disables `docker-compose log` for front!)
-# LOG_DRIVER=json-file
+LOG_DRIVER=syslog

 # docker-compose project name, this will prepended to containers names.
 COMPOSE_PROJECT_NAME=mailu
@@ -145,20 +145,20 @@ LOG_LEVEL=WARNING
 SQLALCHEMY_DATABASE_URI_ROUNDCUBE=mysql://{{database_username}}:{{database_password}}@{{database_host}}/{{database_name}}?collation=utf8mb4_unicode_ci
 SQLALCHEMY_DATABASE_URI=mysql+mysqlconnector://{{database_username}}:{{database_password}}@{{database_host}}/{{database_name}}?collation=utf8mb4_unicode_ci

-API_TOKEN={{mailu_api_token}}
+API_TOKEN={{applications.mailu.api_token}}

 # Activated https://mailu.io/master/configuration.html#advanced-settings
 AUTH_REQUIRE_TOKENS=True


-{% if oidc.enabled | bool %}
+{% if applications[application_id].oidc.enabled | bool %}
 ################################### 
 # OpenID Connect settings
 ###################################
 # @see https://github.com/heviat/Mailu-OIDC/tree/master

 # Enable OpenID Connect. Possible values: True, False
-OIDC_ENABLED={{ oidc.enabled | string | capitalize }}
+OIDC_ENABLED={{ applications[application_id].oidc.enabled | string | capitalize }}
 # OpenID Connect provider configuration URL
 OIDC_PROVIDER_INFO_URL={{oidc.client.issuer_url}}
 # OpenID redirect URL if HOSTNAME not matching your login url
--- a/roles/docker-mailu/vars/main.yml
+++ b/roles/docker-mailu/vars/main.yml
@@ -1,5 +1,5 @@
 application_id:               "mailu"
-database_password:  	        "{{mailu_database_password}}"
+database_password:  	        "{{applications.mailu.database_password}}"
 database_type:                "mariadb"
 cert_mount_directory:         "{{docker_compose.directories.volumes}}certs/"
 enable_wildcard_certificate:  false
@@ -7,8 +7,8 @@ enable_wildcard_certificate:  false
 # I don't know why this configuration is necessary.
 # Propabldy due to a database migration problem, or dificulties to configure an external db in mailu
 # @todo research
-enable_central_database:      "{{enable_central_database_mailu}}"
+enable_central_database:      "{{applications.mailu.enable_central_database}}"

 # Use dedicated source for oidc if activated  
 # @see https://github.com/heviat/Mailu-OIDC/tree/2024.06
-docker_source:                "{{ 'ghcr.io/heviat' if oidc.enabled | bool else 'ghcr.io/mailu' }}"
+docker_source:                "{{ 'ghcr.io/heviat' if applications[application_id].oidc.enabled | bool else 'ghcr.io/mailu' }}"
--- a/roles/docker-mastodon/templates/env.j2
+++ b/roles/docker-mastodon/templates/env.j2
@@ -52,14 +52,14 @@ SMTP_OPENSSL_VERIFY_MODE=none
 SMTP_ENABLE_STARTTLS=auto
 SMTP_FROM_ADDRESS=Mastodon <{{system_email.from}}>

-{% if oidc.enabled | bool %}
+{% if applications[application_id].oidc.enabled | bool %}
 ################################### 
 # OpenID Connect settings
 ###################################
 # @see https://github.com/mastodon/mastodon/pull/16221
 # @see https://stackoverflow.com/questions/72081776/how-mastodon-configured-login-using-sso

-OIDC_ENABLED={{ oidc.enabled | string | lower }}
+OIDC_ENABLED={{ applications[application_id].oidc.enabled | string | lower }}
 OIDC_DISPLAY_NAME="{{primary_domain | upper}} SSO"
 OIDC_ISSUER={{oidc.client.issuer_url}}
 OIDC_DISCOVERY=true
--- a/roles/docker-nextcloud/tasks/ldap.yml
+++ b/roles/docker-nextcloud/tasks/ldap.yml
@@ -1,3 +1,4 @@
 # @See https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
 # @See https://chatgpt.com/c/67aa2d21-cb4c-800f-b1be-8629b6bd3f55
+# @todo implement
 #docker compose exec -u www-data application php occ app:enable user_ldap
--- a/roles/docker-nextcloud/tasks/main.yml
+++ b/roles/docker-nextcloud/tasks/main.yml
@@ -24,8 +24,8 @@

 - name: Include OIDC-specific tasks
  include_tasks: oidc.yml
-  when: oidc.enabled | bool
+  when: applications[application_id].oidc.enabled | bool

-#- name: Include LDAP specific tasks
-#  include_tasks: ldap.yml
-#  when: ldap.enabled | bool
+- name: Include LDAP specific tasks
+  include_tasks: ldap.yml
+  when: applications[application_id].ldap_enabled | bool