Refactored oidc, solved network bugs and refactored

This commit is contained in:
Kevin Veen-Birkenbach 2025-02-20 11:44:50 +01:00
parent 4dd694c4e2
commit b2ccc69628
13 changed files with 54 additions and 28 deletions


@ -30,7 +30,9 @@ defaults_applications:
## Big Blue Button ## Big Blue Button
bigbluebutton: bigbluebutton:
enable_greenlight: "true" enable_greenlight: "true"
setup: false # Set to true in inventory file for initial setup setup: false # Set to true in inventory file for initial setup
oidc:
enabled: true # Activate OIDC
## Bluesky ## Bluesky
bluesky: bluesky:
@ -47,15 +49,19 @@ defaults_applications:
container: "discourse_application" # Name of the container application container: "discourse_application" # Name of the container application
repository: "discourse_repository" # Name of the repository folder repository: "discourse_repository" # Name of the repository folder
# database_password: # Needs to be defined in inventory file # database_password: # Needs to be defined in inventory file
oidc:
enabled: true # Activate OIDC
## Friendica ## Friendica
friendica: friendica:
version: "latest" version: "latest"
oidc:
enabled: true # Activate OIDC. Plugin is not working yet
## Funkwhale ## Funkwhale
funkwhale: funkwhale:
version: "1.4.0" version: "1.4.0"
ldap_enabled: True # Enables LDAP by default ldap_enabled: True # Enables LDAP by default
## Gitea ## Gitea
gitea: gitea:
@ -107,6 +113,16 @@ defaults_applications:
version: "latest" # Docker Image version version: "latest" # Docker Image version
setup: false # Set true in inventory file to execute the setup and initializing procedures setup: false # Set true in inventory file to execute the setup and initializing procedures
mailu:
oidc:
enabled: true # Activate OIDC for Mailu
domain: "{{primary_domain}}" # The main domain from which mails will be send \ email suffix behind @
# I don't know why the database deactivation is necessary
enable_central_database: False # Deactivate central database for mailu
# secret_key: # Needs to be set in inventory file
# database_password: # Needs to be set in inventory file
# api_token: # Needs to be set in inventory file
## MariaDB ## MariaDB
mariadb: mariadb:
version: "latest" version: "latest"
@ -126,6 +142,8 @@ defaults_applications:
version: "latest" version: "latest"
single_user_mode: false # Set true for initial setup single_user_mode: false # Set true for initial setup
setup: false # Set true in inventory file to execute the setup and initializing procedures setup: false # Set true in inventory file to execute the setup and initializing procedures
oidc:
enabled: true # Activate OIDC for Mailu
# #
# Check out the README.md of the docker-mastodon role to get detailled instructions about how to setup the credentials # Check out the README.md of the docker-mastodon role to get detailled instructions about how to setup the credentials
# #
@ -173,8 +191,10 @@ defaults_applications:
## Nextcloud ## Nextcloud
nextcloud: nextcloud:
version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/ version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
ldap_enabled: True # Enables LDAP by default ldap_enabled: True # Enables LDAP by default, missing ansible setup tasks @todo setup
# database_password: Null # Needs to be set in inventory file # database_password: Null # Needs to be set in inventory file
oidc:
enabled: true # Activate OIDC for Nextcloud
## OAuth2 Proxy ## OAuth2 Proxy
oauth2_proxy: oauth2_proxy:
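Review bot: The comment on the new mastodon entry reads `enabled: true # Activate OIDC for Mailu`, but the surrounding keys (`single_user_mode`, the docker-mastodon README reference) show this block is mastodon, so the comment looks copy-pasted from the mailu hunk and should read `enabled: true # Activate OIDC for Mastodon`. The new `oidc.enabled` keys use lowercase `true`, while the same file keeps `ldap_enabled: True` and the newly added `enable_central_database: False`; Ansible's loader accepts both, but yamllint's truthy rule does not, and mixing styles invites a later parser surprise — `enable_central_database: false` would keep the new block consistent. The mailu block also adds `domain: "{{primary_domain}}"` next to three commented-out "needs to be set in inventory" secrets; leaving them as comments means a missing inventory value only surfaces when a template renders, which is acceptable fail-fast behaviour but worth stating in the comment.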


@ -55,3 +55,7 @@ ports:
gitlab: 2202 gitlab: 2202
ldaps: ldaps:
openldap: 636 openldap: 636
stun:
bigbluebutton: 3478 # Not sure if it's right placed here or if it should be moved to localhost section
turn:
bigbluebutton: 5349 # Not sure if it's right placed here or if it should be moved to localhost section
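Review bot: The two identical "Not sure if it's right placed here" comments leave the placement question open in the committed file rather than answering it; the bigbluebutton .env template in this same commit reads them as `ports.public.stun[application_id]` and `ports.public.turn[application_id]`, and sets `STUN_IP` to the internet-facing address, so these are host-exposed listener ports and the section they live in (presumably `public`, given the template path) must stay in sync with those lookups. I would replace both comments with one line above `stun:`, e.g. `# Host-exposed STUN/TURN listener ports, read by the bigbluebutton .env template via ports.public.stun[application_id] / ports.public.turn[application_id]`. The enclosing `ports:` mapping starts outside the hunk.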


@ -12,8 +12,8 @@ defaults_networks:
subnet: 192.168.101.16/28 subnet: 192.168.101.16/28
baserow: baserow:
subnet: 192.168.101.32/28 subnet: 192.168.101.32/28
bigbluebutton: # Free:
subnet: 192.168.101.48/28 # subnet: 192.168.101.48/28
bluesky: bluesky:
subnet: 192.168.101.64/28 subnet: 192.168.101.64/28
friendica: friendica:
@ -68,6 +68,7 @@ defaults_networks:
subnet: 192.168.102.192/28 subnet: 192.168.102.192/28
discourse: discourse:
subnet: 192.168.102.208/28 subnet: 192.168.102.208/28
bigbluebutton:
subnet: 10.7.7.0/24 # This variable does not have an impact. It's just there for documentation reasons.
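Review bot: The comment on the new `bigbluebutton` entry says the subnet "does not have an impact", but the docker-compose template hunk in this commit now decides whether to render a bridge network with `ipam` by exactly `application_id in networks.local and networks.local[application_id].subnet is defined`; if this entry sits under `networks.local` (the hunk header does not show the parent key), the `10.7.7.0/24` value would be rendered into that compose file and the comment would be false. Either confirm the entry lives in a section the template does not consult and say so in the comment, or drop the `subnet` key and keep the note. The old `192.168.101.48/28` block is left as a commented-out `# Free:` marker, which is fine as a reservation note but should say that the /28 is now unassigned rather than implying it is still bigbluebutton's.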


@ -1,6 +1,5 @@
## Enable Central Postgress and MariaDB instead of dedicated container per application ## Enable Central Postgress and MariaDB instead of dedicated container per application
enable_central_database: true enable_central_database: true
enable_central_database_mailu: "{{enable_central_database}}"
## Enable Storage Optimizer for Docker Volumes ## Enable Storage Optimizer for Docker Volumes
enable_system_storage_optimizer: true enable_system_storage_optimizer: true


@ -43,16 +43,17 @@ FSESL_PASSWORD={{bigbluebutton_fsesl_password}}
DOMAIN={{domain}} DOMAIN={{domain}}
EXTERNAL_IPv4={{networks.internet.ip4}} EXTERNAL_IPv4={{networks.internet.ip4}}
EXTERNAL_IPv6= # The following line is not tested and could lead to bugs:
EXTERNAL_IPv6={{networks.internet.ip6}}
# STUN SERVER # STUN SERVER
# stun.freeswitch.org # stun.freeswitch.org
STUN_IP={{networks.internet.ip4}} STUN_IP={{networks.internet.ip4}}
STUN_PORT=3478 STUN_PORT={{ ports.public.stun[application_id] }}
# TURN SERVER # TURN SERVER
# uncomment and adjust following two lines to add an external TURN server # uncomment and adjust following two lines to add an external TURN server
TURN_SERVER=turns:{{domain}}:5349?transport=tcp TURN_SERVER=turns:{{domain}}:{{ ports.public.turn[application_id] }}?transport=tcp
TURN_SECRET={{bigbluebutton_turn_secret}} TURN_SECRET={{bigbluebutton_turn_secret}}
# Allowed SIP IPs # Allowed SIP IPs
@ -282,7 +283,7 @@ HELP_URL=https://docs.bigbluebutton.org/greenlight/gl-overview.html
# approval - For approve/decline registration # approval - For approve/decline registration
DEFAULT_REGISTRATION=invite DEFAULT_REGISTRATION=invite
{% if oidc.enabled | bool %} {% if applications[application_id].oidc.enabled | bool %}
### EXTERNAL AUTHENTICATION METHODS ### EXTERNAL AUTHENTICATION METHODS
# @See https://docs.bigbluebutton.org/greenlight/v3/external-authentication/ # @See https://docs.bigbluebutton.org/greenlight/v3/external-authentication/
# #
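Review bot: `EXTERNAL_IPv6={{networks.internet.ip6}}` replaces a previously empty value with an unguarded lookup, so on a host where `networks.internet.ip6` is not defined the template fails to render instead of producing the old empty setting; the comment above it admits the line is untested. Guarding it with `EXTERNAL_IPv6={{ networks.internet.ip6 | default('') }}` keeps the previous behaviour for IPv4-only hosts while still using the address when it is set. The `STUN_PORT` and `TURN_SERVER` lines now depend on `ports.public.stun[application_id]` and `ports.public.turn[application_id]`, so `application_id` must equal the key used in the ports file (`bigbluebutton` in this commit) for the render to succeed.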


@ -112,7 +112,7 @@ run:
## If you want to set the 'From' email address for your first registration, uncomment and change: ## If you want to set the 'From' email address for your first registration, uncomment and change:
## After getting the first signup email, re-comment the line. It only needs to run once. ## After getting the first signup email, re-comment the line. It only needs to run once.
#- exec: rails r "SiteSetting.notification_email='info@unconfigured.discourse.org'" #- exec: rails r "SiteSetting.notification_email='info@unconfigured.discourse.org'"
{% if oidc.enabled | bool %} {% if applications[application_id].oidc.enabled | bool %}
# Deactivate Default Login # Deactivate Default Login
- exec: rails r "SiteSetting.enable_local_logins = false" - exec: rails r "SiteSetting.enable_local_logins = false"
- exec: rails r "SiteSetting.enable_passkeys = false" # https://meta.discourse.org/t/passwordless-login-using-passkeys/285589 - exec: rails r "SiteSetting.enable_passkeys = false" # https://meta.discourse.org/t/passwordless-login-using-passkeys/285589


@ -1,4 +1,4 @@
application_id: "friendica" application_id: "friendica"
database_password: "{{friendica_database_password}}" database_password: "{{friendica_database_password}}"
database_type: "mariadb" database_type: "mariadb"
no_validation: "{{oidc.enabled}}" # Email validation is not neccessary if OIDC is active no_validation: "{{applications[application_id].oidc.enabled}}" # Email validation is not neccessary if OIDC is active


@ -12,7 +12,7 @@
LD_PRELOAD=/usr/lib/libhardened_malloc.so LD_PRELOAD=/usr/lib/libhardened_malloc.so
# Set to a randomly generated 16 bytes string # Set to a randomly generated 16 bytes string
SECRET_KEY={{mailu_secret_key}} SECRET_KEY={{applications.mailu.secret_key}}
# Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!) # Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!)
SUBNET={{networks.local.mailu.subnet}} SUBNET={{networks.local.mailu.subnet}}
@ -118,7 +118,7 @@ WEBSITE=https://{{domain}}
# json-file (default) # json-file (default)
# journald (On systemd platforms, useful for Fail2Ban integration) # journald (On systemd platforms, useful for Fail2Ban integration)
# syslog (Non systemd platforms, Fail2Ban integration. Disables `docker-compose log` for front!) # syslog (Non systemd platforms, Fail2Ban integration. Disables `docker-compose log` for front!)
# LOG_DRIVER=json-file LOG_DRIVER=syslog
# docker-compose project name, this will prepended to containers names. # docker-compose project name, this will prepended to containers names.
COMPOSE_PROJECT_NAME=mailu COMPOSE_PROJECT_NAME=mailu
@ -145,20 +145,20 @@ LOG_LEVEL=WARNING
SQLALCHEMY_DATABASE_URI_ROUNDCUBE=mysql://{{database_username}}:{{database_password}}@{{database_host}}/{{database_name}}?collation=utf8mb4_unicode_ci SQLALCHEMY_DATABASE_URI_ROUNDCUBE=mysql://{{database_username}}:{{database_password}}@{{database_host}}/{{database_name}}?collation=utf8mb4_unicode_ci
SQLALCHEMY_DATABASE_URI=mysql+mysqlconnector://{{database_username}}:{{database_password}}@{{database_host}}/{{database_name}}?collation=utf8mb4_unicode_ci SQLALCHEMY_DATABASE_URI=mysql+mysqlconnector://{{database_username}}:{{database_password}}@{{database_host}}/{{database_name}}?collation=utf8mb4_unicode_ci
API_TOKEN={{mailu_api_token}} API_TOKEN={{applications.mailu.api_token}}
# Activated https://mailu.io/master/configuration.html#advanced-settings # Activated https://mailu.io/master/configuration.html#advanced-settings
AUTH_REQUIRE_TOKENS=True AUTH_REQUIRE_TOKENS=True
{% if oidc.enabled | bool %} {% if applications[application_id].oidc.enabled | bool %}
################################### ###################################
# OpenID Connect settings # OpenID Connect settings
################################### ###################################
# @see https://github.com/heviat/Mailu-OIDC/tree/master # @see https://github.com/heviat/Mailu-OIDC/tree/master
# Enable OpenID Connect. Possible values: True, False # Enable OpenID Connect. Possible values: True, False
OIDC_ENABLED={{ oidc.enabled | string | capitalize }} OIDC_ENABLED={{ applications[application_id].oidc.enabled | string | capitalize }}
# OpenID Connect provider configuration URL # OpenID Connect provider configuration URL
OIDC_PROVIDER_INFO_URL={{oidc.client.issuer_url}} OIDC_PROVIDER_INFO_URL={{oidc.client.issuer_url}}
# OpenID redirect URL if HOSTNAME not matching your login url # OpenID redirect URL if HOSTNAME not matching your login url
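Review bot: This template mixes two addressing styles for the same application: `SECRET_KEY` and `API_TOKEN` are read as `applications.mailu.secret_key` / `applications.mailu.api_token`, while the OIDC lines in the third hunk use `applications[application_id].oidc.enabled`; the mailu vars file in this commit does the same (`applications.mailu.database_password` next to `applications[application_id].oidc.enabled`). Using `SECRET_KEY={{applications[application_id].secret_key}}` and `API_TOKEN={{applications[application_id].api_token}}` keeps one lookup style and avoids a hard-coded application name inside a template that otherwise keys on `application_id`. Separately, `LOG_DRIVER=syslog` is uncommented in the second hunk although the commit title does not mention it, and the comment directly above warns that syslog disables `docker-compose log` for the front container; presumably this is intended for the Fail2Ban integration the comment describes, but that should be stated next to the line.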


@ -1,5 +1,5 @@
application_id: "mailu" application_id: "mailu"
database_password: "{{mailu_database_password}}" database_password: "{{applications.mailu.database_password}}"
database_type: "mariadb" database_type: "mariadb"
cert_mount_directory: "{{docker_compose.directories.volumes}}certs/" cert_mount_directory: "{{docker_compose.directories.volumes}}certs/"
enable_wildcard_certificate: false enable_wildcard_certificate: false
@ -7,8 +7,8 @@ enable_wildcard_certificate: false
# I don't know why this configuration is necessary. # I don't know why this configuration is necessary.
# Propabldy due to a database migration problem, or dificulties to configure an external db in mailu # Propabldy due to a database migration problem, or dificulties to configure an external db in mailu
# @todo research # @todo research
enable_central_database: "{{enable_central_database_mailu}}" enable_central_database: "{{applications.mailu.enable_central_database}}"
# Use dedicated source for oidc if activated # Use dedicated source for oidc if activated
# @see https://github.com/heviat/Mailu-OIDC/tree/2024.06 # @see https://github.com/heviat/Mailu-OIDC/tree/2024.06
docker_source: "{{ 'ghcr.io/heviat' if oidc.enabled | bool else 'ghcr.io/mailu' }}" docker_source: "{{ 'ghcr.io/heviat' if applications[application_id].oidc.enabled | bool else 'ghcr.io/mailu' }}"


@ -52,14 +52,14 @@ SMTP_OPENSSL_VERIFY_MODE=none
SMTP_ENABLE_STARTTLS=auto SMTP_ENABLE_STARTTLS=auto
SMTP_FROM_ADDRESS=Mastodon <{{system_email.from}}> SMTP_FROM_ADDRESS=Mastodon <{{system_email.from}}>
{% if oidc.enabled | bool %} {% if applications[application_id].oidc.enabled | bool %}
################################### ###################################
# OpenID Connect settings # OpenID Connect settings
################################### ###################################
# @see https://github.com/mastodon/mastodon/pull/16221 # @see https://github.com/mastodon/mastodon/pull/16221
# @see https://stackoverflow.com/questions/72081776/how-mastodon-configured-login-using-sso # @see https://stackoverflow.com/questions/72081776/how-mastodon-configured-login-using-sso
OIDC_ENABLED={{ oidc.enabled | string | lower }} OIDC_ENABLED={{ applications[application_id].oidc.enabled | string | lower }}
OIDC_DISPLAY_NAME="{{primary_domain | upper}} SSO" OIDC_DISPLAY_NAME="{{primary_domain | upper}} SSO"
OIDC_ISSUER={{oidc.client.issuer_url}} OIDC_ISSUER={{oidc.client.issuer_url}}
OIDC_DISCOVERY=true OIDC_DISCOVERY=true


@ -1,3 +1,4 @@
# @See https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html # @See https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
# @See https://chatgpt.com/c/67aa2d21-cb4c-800f-b1be-8629b6bd3f55 # @See https://chatgpt.com/c/67aa2d21-cb4c-800f-b1be-8629b6bd3f55
# @todo implement
#docker compose exec -u www-data application php occ app:enable user_ldap #docker compose exec -u www-data application php occ app:enable user_ldap


@ -24,8 +24,8 @@
- name: Include OIDC-specific tasks - name: Include OIDC-specific tasks
include_tasks: oidc.yml include_tasks: oidc.yml
when: oidc.enabled | bool when: applications[application_id].oidc.enabled | bool
#- name: Include LDAP specific tasks - name: Include LDAP specific tasks
# include_tasks: ldap.yml include_tasks: ldap.yml
# when: ldap.enabled | bool when: applications[application_id].ldap_enabled | bool
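Review bot: `when: applications[application_id].ldap_enabled | bool` assumes every application defines `ldap_enabled`, but in the defaults hunk of this commit only funkwhale and nextcloud carry that key; if this task list is shared across applications (the file path is not visible here) the `when` raises an undefined-variable error for the others rather than skipping the include. `when: applications[application_id].ldap_enabled | default(false) | bool` skips cleanly when the key is absent. The nextcloud defaults comment in the same commit says the LDAP setup tasks are still missing and the nextcloud ldap config adds `# @todo implement`, so it is worth confirming that the `ldap.yml` being included is not a stub before un-commenting the task.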


@ -9,7 +9,7 @@ networks:
external: true external: true
{% endif %} {% endif %}
default: default:
{% if applications[application_id].ldap_enabled is defined and applications[application_id].ldap_enabled | bool and applications.ldap.openldap.network.local | bool %} {% if application_id in networks.local and networks.local[application_id].subnet is defined %}
driver: bridge driver: bridge
ipam: ipam:
driver: default driver: default