Refactored oidc, solved network bugs and refactored

group_vars/all/07_applications.yml

@@ -30,7 +30,9 @@ defaults_applications:
   ## Big Blue Button
   bigbluebutton:
     enable_greenlight:    "true"
-    setup:                false # Set to true in inventory file for initial setup
+    setup:                false                           # Set to true in inventory file for initial setup
+    oidc:
+      enabled:               true                         # Activate OIDC
 
   ## Bluesky
   bluesky:
@@ -47,15 +49,19 @@ defaults_applications:
     container:  "discourse_application"       # Name of the container application
     repository: "discourse_repository"        # Name of the repository folder
     # database_password:                      # Needs to be defined in inventory file
+    oidc:
+      enabled:               true             # Activate OIDC
 
   ## Friendica
   friendica:
     version:              "latest"
+    oidc:
+      enabled:               true             # Activate OIDC. Plugin is not working yet
 
   ## Funkwhale
   funkwhale:
     version:        "1.4.0"
-    ldap_enabled:   True    # Enables LDAP by default 
+    ldap_enabled:   True                      # Enables LDAP by default 
 
   ## Gitea
   gitea:
@@ -107,6 +113,16 @@ defaults_applications:
     version:                          "latest"                                  # Docker Image version
     setup:                            false                                     # Set true in inventory file to execute the setup and initializing procedures
 
+  mailu:
+    oidc:
+      enabled:                        true                                      # Activate OIDC for Mailu
+    domain:                           "{{primary_domain}}"                      # The main domain from which mails will be send \ email suffix behind @
+    # I don't know why the database deactivation is necessary
+    enable_central_database:          False                                     # Deactivate central database for mailu
+#    secret_key:                                                                # Needs to be set in inventory file
+#    database_password:                                                         # Needs to be set in inventory file
+#    api_token:                                                                 # Needs to be set in inventory file
+
   ## MariaDB
   mariadb:
     version:                          "latest"
@@ -126,6 +142,8 @@ defaults_applications:
     version:                          "latest"
     single_user_mode:                 false                         # Set true for initial setup
     setup:                            false                         # Set true in inventory file to execute the setup and initializing procedures
+    oidc:
+      enabled:               true                                   # Activate OIDC for Mailu
 #
 # Check out the README.md of the docker-mastodon role to get detailled instructions about how to setup the credentials
 #
@@ -173,8 +191,10 @@ defaults_applications:
   ## Nextcloud
   nextcloud:
     version:              "production"  # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
-    ldap_enabled:         True          # Enables LDAP by default
+    ldap_enabled:         True          # Enables LDAP by default, missing ansible setup tasks @todo setup
 #   database_password:    Null          # Needs to be set in inventory file
+    oidc:
+      enabled:            true          # Activate OIDC for Nextcloud
 
   ## OAuth2 Proxy
   oauth2_proxy:

group_vars/all/09_ports.yml

@@ -55,3 +55,7 @@ ports:
       gitlab:        2202
     ldaps:
       openldap:      636
+    stun:   
+      bigbluebutton: 3478 # Not sure if it's right placed here or if it should be moved to localhost section
+    turn:
+      bigbluebutton: 5349 # Not sure if it's right placed here or if it should be moved to localhost section

group_vars/all/10_networks.yml

@@ -12,8 +12,8 @@ defaults_networks:
       subnet: 192.168.101.16/28
     baserow:
       subnet: 192.168.101.32/28
-    bigbluebutton:
-      subnet: 192.168.101.48/28
+    # Free:
+    #  subnet: 192.168.101.48/28
     bluesky:
       subnet: 192.168.101.64/28
     friendica:
@@ -68,6 +68,7 @@ defaults_networks:
       subnet: 192.168.102.192/28
     discourse:
       subnet: 192.168.102.208/28
-
+    bigbluebutton:
+      subnet: 10.7.7.0/24 # This variable does not have an impact. It's just there for documentation reasons.
 
   

group_vars/all/12_storage.yml

@@ -1,6 +1,5 @@
 ## Enable Central Postgress and MariaDB instead of dedicated container per application
 enable_central_database:          true
-enable_central_database_mailu:    "{{enable_central_database}}"
 
 ## Enable Storage Optimizer for Docker Volumes
 enable_system_storage_optimizer:  true

roles/docker-bigbluebutton/templates/env.j2

@@ -43,16 +43,17 @@ FSESL_PASSWORD={{bigbluebutton_fsesl_password}}
 DOMAIN={{domain}}
 
 EXTERNAL_IPv4={{networks.internet.ip4}}
-EXTERNAL_IPv6=
+# The following line is not tested and could lead to bugs:
+EXTERNAL_IPv6={{networks.internet.ip6}}
 
 # STUN SERVER
 # stun.freeswitch.org
 STUN_IP={{networks.internet.ip4}}
-STUN_PORT=3478
+STUN_PORT={{ ports.public.stun[application_id] }}
 
 # TURN SERVER
 # uncomment and adjust following two lines to add an external TURN server
-TURN_SERVER=turns:{{domain}}:5349?transport=tcp
+TURN_SERVER=turns:{{domain}}:{{ ports.public.turn[application_id] }}?transport=tcp
 TURN_SECRET={{bigbluebutton_turn_secret}}
 
 # Allowed SIP IPs
@@ -282,7 +283,7 @@ HELP_URL=https://docs.bigbluebutton.org/greenlight/gl-overview.html
 #   approval - For approve/decline registration
 DEFAULT_REGISTRATION=invite
 
-{% if oidc.enabled | bool %}
+{% if applications[application_id].oidc.enabled | bool %}
 ### EXTERNAL AUTHENTICATION METHODS
 # @See https://docs.bigbluebutton.org/greenlight/v3/external-authentication/
 #

roles/docker-discourse/templates/discourse_application.yml.j2

@@ -112,7 +112,7 @@ run:
   ## If you want to set the 'From' email address for your first registration, uncomment and change:
   ## After getting the first signup email, re-comment the line. It only needs to run once.
   #- exec: rails r "SiteSetting.notification_email='info@unconfigured.discourse.org'"
-{% if oidc.enabled | bool %}
+{% if applications[application_id].oidc.enabled | bool %}
   # Deactivate Default Login
   - exec: rails r "SiteSetting.enable_local_logins = false"
   - exec: rails r "SiteSetting.enable_passkeys = false" # https://meta.discourse.org/t/passwordless-login-using-passkeys/285589

roles/docker-friendica/vars/main.yml

@@ -1,4 +1,4 @@
 application_id:     "friendica"
 database_password:  "{{friendica_database_password}}"
 database_type:      "mariadb"
-no_validation:      "{{oidc.enabled}}"                # Email validation is not neccessary if OIDC is active
+no_validation:      "{{applications[application_id].oidc.enabled}}" # Email validation is not neccessary if OIDC is active

roles/docker-mailu/templates/env.j2

@@ -12,7 +12,7 @@
 LD_PRELOAD=/usr/lib/libhardened_malloc.so 
 
 # Set to a randomly generated 16 bytes string
-SECRET_KEY={{mailu_secret_key}}
+SECRET_KEY={{applications.mailu.secret_key}}
 
 # Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!)
 SUBNET={{networks.local.mailu.subnet}}
@@ -118,7 +118,7 @@ WEBSITE=https://{{domain}}
 # json-file (default)
 # journald (On systemd platforms, useful for Fail2Ban integration)
 # syslog (Non systemd platforms, Fail2Ban integration. Disables `docker-compose log` for front!)
-# LOG_DRIVER=json-file
+LOG_DRIVER=syslog
 
 # docker-compose project name, this will prepended to containers names.
 COMPOSE_PROJECT_NAME=mailu
@@ -145,20 +145,20 @@ LOG_LEVEL=WARNING
 SQLALCHEMY_DATABASE_URI_ROUNDCUBE=mysql://{{database_username}}:{{database_password}}@{{database_host}}/{{database_name}}?collation=utf8mb4_unicode_ci
 SQLALCHEMY_DATABASE_URI=mysql+mysqlconnector://{{database_username}}:{{database_password}}@{{database_host}}/{{database_name}}?collation=utf8mb4_unicode_ci
 
-API_TOKEN={{mailu_api_token}}
+API_TOKEN={{applications.mailu.api_token}}
 
 # Activated https://mailu.io/master/configuration.html#advanced-settings
 AUTH_REQUIRE_TOKENS=True
 
 
-{% if oidc.enabled | bool %}
+{% if applications[application_id].oidc.enabled | bool %}
 ################################### 
 # OpenID Connect settings
 ###################################
 # @see https://github.com/heviat/Mailu-OIDC/tree/master
 
 # Enable OpenID Connect. Possible values: True, False
-OIDC_ENABLED={{ oidc.enabled | string | capitalize }}
+OIDC_ENABLED={{ applications[application_id].oidc.enabled | string | capitalize }}
 # OpenID Connect provider configuration URL
 OIDC_PROVIDER_INFO_URL={{oidc.client.issuer_url}}
 # OpenID redirect URL if HOSTNAME not matching your login url

roles/docker-mailu/vars/main.yml

@@ -1,5 +1,5 @@
 application_id:               "mailu"
-database_password:  	        "{{mailu_database_password}}"
+database_password:  	        "{{applications.mailu.database_password}}"
 database_type:                "mariadb"
 cert_mount_directory:         "{{docker_compose.directories.volumes}}certs/"
 enable_wildcard_certificate:  false
@@ -7,8 +7,8 @@ enable_wildcard_certificate:  false
 # I don't know why this configuration is necessary.
 # Propabldy due to a database migration problem, or dificulties to configure an external db in mailu
 # @todo research
-enable_central_database:      "{{enable_central_database_mailu}}"
+enable_central_database:      "{{applications.mailu.enable_central_database}}"
 
 # Use dedicated source for oidc if activated  
 # @see https://github.com/heviat/Mailu-OIDC/tree/2024.06
-docker_source:                "{{ 'ghcr.io/heviat' if oidc.enabled | bool else 'ghcr.io/mailu' }}"
+docker_source:                "{{ 'ghcr.io/heviat' if applications[application_id].oidc.enabled | bool else 'ghcr.io/mailu' }}"

roles/docker-mastodon/templates/env.j2

@@ -52,14 +52,14 @@ SMTP_OPENSSL_VERIFY_MODE=none
 SMTP_ENABLE_STARTTLS=auto
 SMTP_FROM_ADDRESS=Mastodon <{{system_email.from}}>
 
-{% if oidc.enabled | bool %}
+{% if applications[application_id].oidc.enabled | bool %}
 ################################### 
 # OpenID Connect settings
 ###################################
 # @see https://github.com/mastodon/mastodon/pull/16221
 # @see https://stackoverflow.com/questions/72081776/how-mastodon-configured-login-using-sso
 
-OIDC_ENABLED={{ oidc.enabled | string | lower }}
+OIDC_ENABLED={{ applications[application_id].oidc.enabled | string | lower }}
 OIDC_DISPLAY_NAME="{{primary_domain | upper}} SSO"
 OIDC_ISSUER={{oidc.client.issuer_url}}
 OIDC_DISCOVERY=true

roles/docker-nextcloud/tasks/ldap.yml

@@ -1,3 +1,4 @@
 # @See https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
 # @See https://chatgpt.com/c/67aa2d21-cb4c-800f-b1be-8629b6bd3f55
+# @todo implement
 #docker compose exec -u www-data application php occ app:enable user_ldap

roles/docker-nextcloud/tasks/main.yml

@@ -24,8 +24,8 @@
 
 - name: Include OIDC-specific tasks
   include_tasks: oidc.yml
-  when: oidc.enabled | bool
+  when: applications[application_id].oidc.enabled | bool
 
-#- name: Include LDAP specific tasks
-#  include_tasks: ldap.yml
-#  when: ldap.enabled | bool
+- name: Include LDAP specific tasks
+  include_tasks: ldap.yml
+  when: applications[application_id].ldap_enabled | bool

templates/docker/compose/networks.yml.j2

@@ -9,7 +9,7 @@ networks:
     external: true
 {% endif %}
   default:
-{% if applications[application_id].ldap_enabled is defined and applications[application_id].ldap_enabled | bool and applications.ldap.openldap.network.local | bool %}
+{% if application_id in networks.local and networks.local[application_id].subnet is defined %}
     driver: bridge
     ipam:
       driver: default