diff --git a/roles/backup-directory-validator/tasks/main.yml b/roles/backup-directory-validator/tasks/main.yml
index eb42d033..0e040b97 100644
--- a/roles/backup-directory-validator/tasks/main.yml
+++ b/roles/backup-directory-validator/tasks/main.yml
@@ -1,4 +1,4 @@
-- name: "{{ role_name }} | pkgmgr install"
+- name: "pkgmgr install"
 include_role:
 name: pkgmgr-install
 vars:
diff --git a/roles/backup-docker-to-local/tasks/main.yml b/roles/backup-docker-to-local/tasks/main.yml
index e9f13cd2..da5b29ee 100644
--- a/roles/backup-docker-to-local/tasks/main.yml
+++ b/roles/backup-docker-to-local/tasks/main.yml
@@ -1,4 +1,4 @@
-- name: "{{ role_name }} | pkgmgr install"
+- name: "pkgmgr install"
 include_role:
 name: pkgmgr-install
 vars:
diff --git a/roles/backup-docker-to-local/tasks/seed-database-to-backup.yml b/roles/backup-docker-to-local/tasks/seed-database-to-backup.yml
index f15951a8..1e1751fb 100644
--- a/roles/backup-docker-to-local/tasks/seed-database-to-backup.yml
+++ b/roles/backup-docker-to-local/tasks/seed-database-to-backup.yml
@@ -1,6 +1,6 @@
 # This file is also used by docker-matrix-compose
-- name: "{{ role_name }} | Display all database variables"
+- name: "Display all database variables"
 debug:
 msg: |
 database_instance: "{{ database_instance | default('undefined') }}"
@@ -9,7 +9,7 @@
 database_password: "{{ database_password | default('undefined') }}"
 when: enable_debug | bool
-- name: "{{ role_name }} | fail if not all required database variables are defined"
+- name: "fail if not all required database variables are defined"
 fail:
 msg: "You must define all of the following variables: database_instance, database_name, database_username, database_password"
 when: >
@@ -22,7 +22,7 @@
 database_username is defined and
 database_password is defined)
-- name: "{{ role_name }} | seed database values in directory {{ backup_docker_to_local_folder }}"
+- name: "seed database values in directory {{ backup_docker_to_local_folder }}"
 command:
 cmd: "python database_entry_seeder.py databases.csv {{database_instance}} {{database_name}} {{database_username}} {{database_password}}"
 chdir: "{{ backup_docker_to_local_folder }}"
diff --git a/roles/cleanup-docker-anonymous-volumes/tasks/main.yml b/roles/cleanup-docker-anonymous-volumes/tasks/main.yml
index a1779e6c..ec3a1875 100644
--- a/roles/cleanup-docker-anonymous-volumes/tasks/main.yml
+++ b/roles/cleanup-docker-anonymous-volumes/tasks/main.yml
@@ -1,4 +1,4 @@
-- name: "{{ role_name }} | pkgmgr install"
+- name: "pkgmgr install"
 include_role:
 name: pkgmgr-install
 vars:
diff --git a/roles/cleanup-failed-docker-backups/tasks/main.yml b/roles/cleanup-failed-docker-backups/tasks/main.yml
index fe6bc45b..5982a307 100644
--- a/roles/cleanup-failed-docker-backups/tasks/main.yml
+++ b/roles/cleanup-failed-docker-backups/tasks/main.yml
@@ -1,4 +1,4 @@
-- name: "{{ role_name }} | pkgmgr install"
+- name: "pkgmgr install"
 include_role:
 name: pkgmgr-install
 vars:
diff --git a/roles/client-git/tasks/main.yml b/roles/client-git/tasks/main.yml
index 0e3d1f39..f19025d3 100644
--- a/roles/client-git/tasks/main.yml
+++ b/roles/client-git/tasks/main.yml
@@ -4,7 +4,7 @@
 state: present
 become: true
-- name: "{{ role_name }} | pkgmgr install"
+- name: "pkgmgr install"
 include_role:
 name: pkgmgr-install
 vars:
diff --git a/roles/client-gnome-extensions/tasks/main.yml b/roles/client-gnome-extensions/tasks/main.yml
index 59684f5d..6b42c889 100644
--- a/roles/client-gnome-extensions/tasks/main.yml
+++ b/roles/client-gnome-extensions/tasks/main.yml
@@ -2,7 +2,7 @@
 ansible.builtin.shell: gsettings set org.gnome.shell disable-user-extensions false
 become: false
-- name: "{{ role_name }} | pkgmgr install"
+- name: "pkgmgr install"
 include_role:
 name: pkgmgr-install
 vars:
diff --git a/roles/docker-central-database/tasks/main.yml b/roles/docker-central-database/tasks/main.yml
index 9c2bedf7..c6f4a1d2 100644
--- a/roles/docker-central-database/tasks/main.yml
+++ b/roles/docker-central-database/tasks/main.yml
@@ -1,27 +1,27 @@
-- name: "{{ role_name }} | Load database variables"
+- name: "Load database variables"
 include_vars: "{{ item }}"
 loop:
 - "{{ docker_var_file }}" # Important to load docker variables first so that database can use them
 - "{{ database_var_file }}" # Important to load them before docker role so that backup can use them
 # Docker Routines
-- name: "{{ role_name }} | Include docker-compose role"
+- name: "Include docker-compose role"
 include_role:
 name: docker-compose
 # The following env file will just be used from the dedicated mariadb container
 # and not the central-mariadb-database
-- name: "{{ role_name }} | Create {{database_env}}"
+- name: "Create {{database_env}}"
 template:
 src: "env/{{database_type}}.env.j2"
 dest: "{{database_env}}"
 notify: docker compose project build and setup
 when: not applications[application_id].database.central_storage | bool
-- name: "{{ role_name }} | Create central database"
+- name: "Create central database"
 include_role:
 name: "docker-{{database_type}}"
 when: applications[application_id].database.central_storage | bool
-- name: "{{ role_name }} | Add database to backup"
+- name: "Add database to backup"
 include_tasks: "{{ playbook_dir }}/roles/backup-docker-to-local/tasks/seed-database-to-backup.yml"
\ No newline at end of file
diff --git a/roles/docker-compose/tasks/main.yml b/roles/docker-compose/tasks/main.yml
index 41b9d5d1..ff8ccf32 100644
--- a/roles/docker-compose/tasks/main.yml
+++ b/roles/docker-compose/tasks/main.yml
@@ -1,7 +1,7 @@
-- name: "{{ role_name }} | Load variables from {{ role_path }}/vars/docker-compose.yml for whole play"
+- name: "Load variables from {{ role_path }}/vars/docker-compose.yml for whole play"
 include_vars: "{{ role_path }}/vars/docker-compose.yml"
-- name: "{{ role_name }} | Remove {{ docker_compose.directories.instance }} and all its contents"
+- name: "Remove {{ docker_compose.directories.instance }} and all its contents"
 file:
 path: "{{ docker_compose.directories.instance }}"
 state: absent
@@ -9,7 +9,7 @@
 # This could lead to problems in docker-compose directories which are based on a git repository
 # @todo Verify that this isn't the case. E.g. in accounting
-- name: "{{ role_name }} | Create all docker-compose directories (including parent directories)"
+- name: "Create all docker-compose directories (including parent directories)"
 file:
 path: "{{ item.value }}"
 state: directory
diff --git a/roles/docker-presentation/tasks/main.yml b/roles/docker-presentation/tasks/main.yml
index 4d3a65c4..b9b76d59 100644
--- a/roles/docker-presentation/tasks/main.yml
+++ b/roles/docker-presentation/tasks/main.yml
@@ -4,7 +4,7 @@
 include_role:
 name: docker-compose
-- name: "{{ role_name }} | pkgmgr install"
+- name: "pkgmgr install"
 include_role:
 name: pkgmgr-install
 vars:
diff --git a/roles/docker-sphinx/tasks/main.yml b/roles/docker-sphinx/tasks/main.yml
index 86a6f87c..e3069f0d 100644
--- a/roles/docker-sphinx/tasks/main.yml
+++ b/roles/docker-sphinx/tasks/main.yml
@@ -4,7 +4,7 @@
 include_role:
 name: docker-compose
-- name: "{{ role_name }} | pkgmgr install"
+- name: "pkgmgr install"
 include_role:
 name: pkgmgr-install
 vars:
diff --git a/roles/docker-wordpress/tasks/install.yml b/roles/docker-wordpress/tasks/install.yml
index 78678ea2..fcae5660 100644
--- a/roles/docker-wordpress/tasks/install.yml
+++ b/roles/docker-wordpress/tasks/install.yml
@@ -1,4 +1,4 @@
-- name: "{{ role_name }} | Run WordPress core install via WP CLI"
+- name: "Run WordPress core install via WP CLI"
 command: >
 docker-compose exec -T -u www-data application
 wp core install
diff --git a/roles/docker-wordpress/tasks/main.yml b/roles/docker-wordpress/tasks/main.yml
index bb8b705c..50708de3 100644
--- a/roles/docker-wordpress/tasks/main.yml
+++ b/roles/docker-wordpress/tasks/main.yml
@@ -1,9 +1,9 @@
 ---
-- name: "{{ role_name }} | Include docker-central-database"
+- name: "Include docker-central-database"
 include_role:
 name: docker-central-database
-- name: "{{ role_name }} | Include role nginx-domain-setup for {{ application_id }}"
+- name: "Include role nginx-domain-setup for {{ application_id }}"
 include_role:
 name: nginx-domain-setup
 loop: "{{ domains.wordpress }}"
@@ -13,30 +13,30 @@
 nginx_docker_reverse_proxy_extra_configuration: "client_max_body_size {{ wordpress_max_upload_size }};"
 http_port: "{{ ports.localhost.http[application_id] }}"
-- name: "{{ role_name }} | Transfering upload.ini to {{ docker_compose.directories.instance }}"
+- name: "Transfering upload.ini to {{ docker_compose.directories.instance }}"
 template:
 src: upload.ini.j2
 dest: "{{ docker_compose.directories.instance }}upload.ini"
 notify: docker compose project build and setup
-- name: "{{ role_name }} | Transfering msmtprc to {{ host_msmtp_conf }}"
+- name: "Transfering msmtprc to {{ host_msmtp_conf }}"
 template:
 src: "{{ playbook_dir }}/roles/msmtp/templates/msmtprc.conf.j2"
 dest: "{{ host_msmtp_conf }}"
 notify: docker compose project build and setup
-- name: "{{ role_name }} | Transfering Dockerfile to {{ docker_compose.directories.instance }}"
+- name: "Transfering Dockerfile to {{ docker_compose.directories.instance }}"
 copy:
 src: Dockerfile
 dest: "{{ docker_compose.directories.instance }}Dockerfile"
 notify: docker compose project build and setup
-- name: "{{ role_name }} | copy docker-compose.yml and env file"
+- name: "copy docker-compose.yml and env file"
 include_tasks: copy-docker-compose-and-env.yml
-- name: "{{ role_name }} | Install wordpress"
+- name: "Install wordpress"
 include_tasks: install.yml
-- name: "{{ role_name }} | Activating OIDC when enabled."
+- name: "Activating OIDC when enabled."
 include_tasks: oidc.yml
 when: applications[application_id].oidc.enabled | bool
diff --git a/roles/docker-wordpress/tasks/oidc.yml b/roles/docker-wordpress/tasks/oidc.yml
index d58f9855..ee3e7ee4 100644
--- a/roles/docker-wordpress/tasks/oidc.yml
+++ b/roles/docker-wordpress/tasks/oidc.yml
@@ -1,5 +1,5 @@
 ---
-- name: "{{ role_name }} | Install OpenID Connect Generic Plugin via WP CLI"
+- name: "Install OpenID Connect Generic Plugin via WP CLI"
 command: >
 docker-compose exec -u www-data -T application
 wp plugin install daggerhart-openid-connect-generic
@@ -7,10 +7,13 @@
 args:
 chdir: "{{ docker_compose.directories.instance }}"
-- name: "{{ role_name }} | Activate OpenID Connect Generic Plugin"
+- name: "Activate OpenID Connect Generic Plugin"
 command: >
 docker-compose exec -u www-data -T application
 wp plugin activate daggerhart-openid-connect-generic
 --path={{ wordpress_docker_html_path }}
 args:
 chdir: "{{ docker_compose.directories.instance }}"
+
+- name: "Setup OIDC settings"
+ include_tasks: "oidc_settings.yml"
\ No newline at end of file
diff --git a/roles/docker-wordpress/tasks/oidc_settings.yml b/roles/docker-wordpress/tasks/oidc_settings.yml
new file mode 100644
index 00000000..41d46ce8
--- /dev/null
+++ b/roles/docker-wordpress/tasks/oidc_settings.yml
@@ -0,0 +1,24 @@
+- name: "Load OIDC settings variables"
+ include_vars:
+ file: "{{ role_path }}/vars/oidc.yml"
+ name: oidc_vars
+
+- name: "Ensure the OIDC settings option exists as a PHP-serialized empty array"
+ # Generate an empty serialized array in the container, then add or update the option
+ command: >
+ docker-compose exec -u www-data -T application bash -lc
+ "serialized_empty_array=$(wp eval 'echo serialize(array());' --path={{ wordpress_docker_html_path }}); \ wp option add openid_connect_generic_settings \"$serialized_empty_array\" --path={{ wordpress_docker_html_path }} \ || wp option update openid_connect_generic_settings \"$serialized_empty_array\" --path={{ wordpress_docker_html_path }};"
+ args:
+ chdir: "{{ docker_compose.directories.instance }}"
+ failed_when: false
+
+- name: "Apply all OIDC settings via WP-CLI eval"
+ # Convert the settings map to JSON and update the option in one step
+ command: >
+ docker-compose exec -u www-data -T application bash -lc
+ "settings_json='{{ oidc_vars.oidc_settings | to_json }}'; \ wp eval \"update_option('openid_connect_generic_settings', json_decode('"$settings_json"', true));\" --path={{ wordpress_docker_html_path }}"
+ args:
+ chdir: "{{ docker_compose.directories.instance }}"
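Review bot: The "Apply all OIDC settings via WP-CLI eval" task in the new oidc_settings.yml passes the whole settings map, `client_secret` included, as an argument of `docker-compose exec ... bash -lc "..."`, so the secret is visible in the process list on the host and in the container and is recorded in Ansible's task output, since neither task sets `no_log: true`. The JSON is also spliced into a single-quoted shell string inside a double-quoted one and from there into a PHP string literal, so a secret or URL containing `'`, `"`, `$` or `\` breaks the command or changes what is executed; feeding the JSON through the `command` module's `stdin` parameter and reading it with `php://stdin` keeps it off the command line and out of the quoting. Because `update_option()` creates the option when it is missing, the preceding add-or-update task, together with its `failed_when: false` that hides any `wp` failure, appears redundant and could be dropped. The stdin variant below is untested against this image; confirm that the Compose version in use forwards stdin with `-T`.
```yaml
- name: "Apply all OIDC settings via WP-CLI eval"
  # The settings JSON travels over stdin so the client secret never appears
  # on the command line, in /proc, or in the Ansible log.
  command: >
    docker-compose exec -T -u www-data application
    wp eval 'update_option("openid_connect_generic_settings", json_decode(file_get_contents("php://stdin"), true));'
    --path={{ wordpress_docker_html_path }}
  args:
    chdir: "{{ docker_compose.directories.instance }}"
    stdin: "{{ oidc_vars.oidc_settings | to_json }}"
  no_log: true
```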
diff --git a/roles/docker-wordpress/templates/env.j2 b/roles/docker-wordpress/templates/env.j2
index b8fe8259..a91a560f 100644
--- a/roles/docker-wordpress/templates/env.j2
+++ b/roles/docker-wordpress/templates/env.j2
@@ -2,14 +2,3 @@ WORDPRESS_DB_HOST= "{{database_host}}:{{database_port}}"
 WORDPRESS_DB_USER= "{{database_username}}"
 WORDPRESS_DB_PASSWORD= "{{database_password}}"
 WORDPRESS_DB_NAME= "{{database_name}}"
-
-{% if applications[application_id].oidc.enabled | bool %}
-# OIDC Configuration (loaded if OIDC is enabled)
-# @see https://github.com/oidc-wp/openid-connect-generic/blob/develop/includes/openid-connect-generic-option-settings.php
-OIDC_CLIENT_ID={{ oidc.client.id }}
-OIDC_CLIENT_SECRET={{ oidc.client.secret }}
-OIDC_ENDPOINT_LOGOUT_URL={{ oidc.client.logout_url }}
-OIDC_ENDPOINT_LOGIN_URL={{ oidc.client.authorize_url }}
-OIDC_ENDPOINT_TOKEN_URL={{ oidc.client.token_url }}
-OIDC_ENDPOINT_USERINFO_URL={{ oidc.client.user_info_url }}
-{% endif %}
diff --git a/roles/docker-wordpress/vars/oidc.yml b/roles/docker-wordpress/vars/oidc.yml
new file mode 100644
index 00000000..353cd39b
--- /dev/null
+++ b/roles/docker-wordpress/vars/oidc.yml
@@ -0,0 +1,28 @@
+# vars/oidc.yml
+# Defines OIDC settings for the OpenID Connect Generic plugin, with explanatory comments.
+
+oidc_settings:
+ client_id: "{{ oidc.client.id }}" # The client ID that identifies WordPress as the OIDC client.
+ client_secret: "{{ oidc.client.secret }}" # The secret key used by WordPress to authenticate to the OIDC provider.
+ endpoint_login: "{{ oidc.client.authorize_url }}" # URL of the authorization endpoint to initiate the login flow.
+ endpoint_token: "{{ oidc.client.token_url }}" # URL of the token endpoint for exchanging authorization codes for tokens.
+ endpoint_userinfo: "{{ oidc.client.user_info_url }}" # URL of the userinfo endpoint to retrieve user profile data.
+ endpoint_end_session: "{{ oidc.client.logout_url }}" # URL of the end-session endpoint to log users out of the IDP.
+# login_type: "{{ oidc.client.login_type | default('') }}" # Determines how the login interface is rendered (e.g., button or form).
+# scope: "{{ oidc.client.scope | default('openid profile email') }}" # Scopes requested from the OIDC provider during authentication.
+ create_if_does_not_exist: true # Auto-create a new WP user if one doesn’t exist.
+ enforce_privacy: false # Require authentication for all site pages if set to true.
+ link_existing_users: true # Link OIDC login to existing WP users by matching email.
+ redirect_on_logout: true # Redirect users after logout to the login screen or homepage.
+ redirect_user_back: true # Return users to their original URL after successful login.
+ #acr_values: "{{ oidc.client.acr_values | default('') }}" # ACR values defining required authentication context (e.g., MFA level).
+ enable_logging: "{{ enable_debug }}" # Enable detailed plugin logging for debugging and auditing.
+# log_limit: "{{ oidc.client.log_limit | default('') }}" # Maximum number of log entries to retain before pruning.
+ #no_sslverify # The flag to enable/disable SSL verification during authorization.
+ #http_request_timeout # The timeout for requests made to the IDP. Default value is 5.
+ #identity_key # The key in the user claim array to find the user's identification data.
+ #nickname_key # The key in the user claim array to find the user's nickname.
+ #email_format # The key(s) in the user claim array to formulate the user's email address.
+ #displayname_format # The key(s) in the user claim array to formulate the user's display name.
+ #identify_with_username # The flag which indicates how the user's identity will be determined.
+ #state_time_limit # The valid time limit of the state, in seconds. Defaults to 180 seconds.
\ No newline at end of file
diff --git a/roles/driver-lid-switch/tasks/main.yml b/roles/driver-lid-switch/tasks/main.yml
index 1e0f557f..1e5b3b59 100644
--- a/roles/driver-lid-switch/tasks/main.yml
+++ b/roles/driver-lid-switch/tasks/main.yml
@@ -1,5 +1,5 @@
 ---
-- name: "{{ role_name }} | pkgmgr install"
+- name: "pkgmgr install"
 include_role:
 name: pkgmgr-install
 vars:
diff --git a/roles/pkgmgr-install/tasks/main.yml b/roles/pkgmgr-install/tasks/main.yml
index 8331e649..98a8c222 100644
--- a/roles/pkgmgr-install/tasks/main.yml
+++ b/roles/pkgmgr-install/tasks/main.yml
@@ -1,4 +1,4 @@
-- name: "{{ role_name }} | pkgmgr installation tasks"
+- name: "pkgmgr installation tasks"
 become: "{{ pkgmgr_become }}"
 block:
 - name: update pkgmgr
diff --git a/roles/system-btrfs-auto-balancer/tasks/main.yml b/roles/system-btrfs-auto-balancer/tasks/main.yml
index 8e1119f9..cb5a1e6e 100644
--- a/roles/system-btrfs-auto-balancer/tasks/main.yml
+++ b/roles/system-btrfs-auto-balancer/tasks/main.yml
@@ -1,4 +1,4 @@
-- name: "{{ role_name }} | pkgmgr install"
+- name: "pkgmgr install"
 include_role:
 name: pkgmgr-install
 vars:
diff --git a/roles/system-swapfile/tasks/main.yml b/roles/system-swapfile/tasks/main.yml
index 562f9515..c3e07387 100644
--- a/roles/system-swapfile/tasks/main.yml
+++ b/roles/system-swapfile/tasks/main.yml
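Review bot: `link_existing_users: true` combined with `create_if_does_not_exist: true` in the new vars/oidc.yml means every identity the IdP asserts is either mapped onto the existing WordPress account whose e-mail matches or auto-provisioned, so an IdP that lets users register an unverified e-mail address hands over existing accounts, administrators included; the line should carry a warning such as `# SECURITY: matching is by e-mail claim — only safe if the IdP guarantees verified, unique e-mail addresses.` so nobody reuses this against a less strict provider. `enable_logging: "{{ enable_debug }}"` is a quoted template, so depending on how Ansible renders it the JSON handed to the plugin may contain the string `"True"`/`"False"` instead of a boolean, and a non-empty string is truthy in PHP; writing `enable_logging: "{{ enable_debug | bool }}"` and checking the rendered JSON for a bare `true`/`false` would settle that. The `client_secret` entry only references `oidc.client.secret`, so no secret material lands in this file, which is fine.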
@@ -1,4 +1,4 @@
-- name: "{{ role_name }} | pkgmgr install"
+- name: "pkgmgr install"
 include_role:
 name: pkgmgr-install
 vars: