Redesigned oidc attributs

roles/backup-directory-validator/tasks/main.yml

@@ -1,4 +1,4 @@
-- name: "{{ role_name }} | pkgmgr install"
+- name: "pkgmgr install"
   include_role:
     name: pkgmgr-install
   vars:

roles/backup-docker-to-local/tasks/main.yml

@@ -1,4 +1,4 @@
-- name: "{{ role_name }} | pkgmgr install"
+- name: "pkgmgr install"
   include_role:
     name: pkgmgr-install
   vars:

roles/backup-docker-to-local/tasks/seed-database-to-backup.yml

@@ -1,6 +1,6 @@
 # This file is also used by docker-matrix-compose
 
-- name: "{{ role_name }} | Display all database variables"
+- name: "Display all database variables"
   debug:
     msg: |
       database_instance: "{{ database_instance | default('undefined') }}"
@@ -9,7 +9,7 @@
       database_password: "{{ database_password | default('undefined') }}"
   when: enable_debug | bool
 
-- name: "{{ role_name }} | fail if not all required database variables are defined"
+- name: "fail if not all required database variables are defined"
   fail:
     msg: "You must define all of the following variables: database_instance, database_name, database_username, database_password"
   when: >
@@ -22,7 +22,7 @@
      database_username is defined and
      database_password is defined)
 
-- name: "{{ role_name }} | seed database values in directory {{ backup_docker_to_local_folder }}"
+- name: "seed database values in directory {{ backup_docker_to_local_folder }}"
   command:
     cmd: "python database_entry_seeder.py databases.csv {{database_instance}} {{database_name}} {{database_username}} {{database_password}}"
     chdir: "{{ backup_docker_to_local_folder }}"

roles/cleanup-docker-anonymous-volumes/tasks/main.yml

@@ -1,4 +1,4 @@
-- name: "{{ role_name }} | pkgmgr install"
+- name: "pkgmgr install"
   include_role:
     name: pkgmgr-install
   vars:

roles/cleanup-failed-docker-backups/tasks/main.yml

@@ -1,4 +1,4 @@
-- name: "{{ role_name }} | pkgmgr install"
+- name: "pkgmgr install"
   include_role:
     name: pkgmgr-install
   vars:

roles/client-git/tasks/main.yml

@@ -4,7 +4,7 @@
     state: present
   become: true
 
-- name: "{{ role_name }} | pkgmgr install"
+- name: "pkgmgr install"
   include_role:
     name: pkgmgr-install
   vars:

roles/client-gnome-extensions/tasks/main.yml

@@ -2,7 +2,7 @@
   ansible.builtin.shell: gsettings set org.gnome.shell disable-user-extensions false
   become: false
 
-- name: "{{ role_name }} | pkgmgr install"
+- name: "pkgmgr install"
   include_role:
     name: pkgmgr-install
   vars:

roles/docker-central-database/tasks/main.yml

@@ -1,27 +1,27 @@
-- name: "{{ role_name }} | Load database variables"
+- name: "Load database variables"
   include_vars: "{{ item }}"
   loop:
     - "{{ docker_var_file }}"   # Important to load docker variables first so that database can use them
     - "{{ database_var_file }}" # Important to load them before docker role so that backup can use them
 
 # Docker Routines
-- name: "{{ role_name }} | Include docker-compose role"
+- name: "Include docker-compose role"
   include_role: 
     name: docker-compose
 
 # The following env file will just be used from the dedicated mariadb container
 # and not the central-mariadb-database
-- name: "{{ role_name }} | Create {{database_env}}"
+- name: "Create {{database_env}}"
   template: 
     src: "env/{{database_type}}.env.j2"
     dest: "{{database_env}}"
   notify: docker compose project build and setup
   when: not applications[application_id].database.central_storage | bool
 
-- name: "{{ role_name }} | Create central database"
+- name: "Create central database"
   include_role:
     name: "docker-{{database_type}}"
   when: applications[application_id].database.central_storage | bool
 
-- name: "{{ role_name }} | Add database to backup"
+- name: "Add database to backup"
   include_tasks: "{{ playbook_dir }}/roles/backup-docker-to-local/tasks/seed-database-to-backup.yml"

roles/docker-compose/tasks/main.yml

@@ -1,7 +1,7 @@
-- name: "{{ role_name }} | Load variables from {{ role_path }}/vars/docker-compose.yml for whole play"
+- name: "Load variables from {{ role_path }}/vars/docker-compose.yml for whole play"
   include_vars: "{{ role_path }}/vars/docker-compose.yml"
 
-- name: "{{ role_name }} | Remove {{ docker_compose.directories.instance }} and all its contents"
+- name: "Remove {{ docker_compose.directories.instance }} and all its contents"
   file:
     path: "{{ docker_compose.directories.instance }}"
     state: absent
@@ -9,7 +9,7 @@
 
 # This could lead to problems in docker-compose directories which are based on a git repository
 # @todo Verify that this isn't the case. E.g. in accounting
-- name: "{{ role_name }} | Create all docker-compose directories (including parent directories)"
+- name: "Create all docker-compose directories (including parent directories)"
   file:
     path: "{{ item.value }}"
     state: directory

roles/docker-presentation/tasks/main.yml

@@ -4,7 +4,7 @@
   include_role: 
     name: docker-compose
 
-- name: "{{ role_name }} | pkgmgr install"
+- name: "pkgmgr install"
   include_role:
     name: pkgmgr-install
   vars:

roles/docker-sphinx/tasks/main.yml

@@ -4,7 +4,7 @@
   include_role: 
     name: docker-compose
 
-- name: "{{ role_name }} | pkgmgr install"
+- name: "pkgmgr install"
   include_role:
     name: pkgmgr-install
   vars:

roles/docker-wordpress/tasks/install.yml

@@ -1,4 +1,4 @@
-- name: "{{ role_name }} | Run WordPress core install via WP CLI"
+- name: "Run WordPress core install via WP CLI"
   command: >
     docker-compose exec -T -u www-data application
     wp core install

roles/docker-wordpress/tasks/main.yml

@@ -1,9 +1,9 @@
 ---
-- name: "{{ role_name }} | Include docker-central-database"
+- name: "Include docker-central-database"
   include_role: 
     name: docker-central-database
   
-- name: "{{ role_name }} | Include role nginx-domain-setup for {{ application_id }}"
+- name: "Include role nginx-domain-setup for {{ application_id }}"
   include_role:
     name: nginx-domain-setup
   loop: "{{ domains.wordpress }}"
@@ -13,30 +13,30 @@
     nginx_docker_reverse_proxy_extra_configuration: "client_max_body_size {{ wordpress_max_upload_size }};"
     http_port: "{{ ports.localhost.http[application_id] }}"
 
-- name: "{{ role_name }} | Transfering upload.ini to {{ docker_compose.directories.instance }}"
+- name: "Transfering upload.ini to {{ docker_compose.directories.instance }}"
   template:
     src: upload.ini.j2
     dest: "{{ docker_compose.directories.instance }}upload.ini"
   notify: docker compose project build and setup
 
-- name: "{{ role_name }} | Transfering msmtprc to {{ host_msmtp_conf }}"
+- name: "Transfering msmtprc to {{ host_msmtp_conf }}"
   template:
     src: "{{ playbook_dir }}/roles/msmtp/templates/msmtprc.conf.j2"
     dest: "{{ host_msmtp_conf }}"
   notify: docker compose project build and setup
 
-- name: "{{ role_name }} | Transfering Dockerfile to {{ docker_compose.directories.instance }}"
+- name: "Transfering Dockerfile to {{ docker_compose.directories.instance }}"
   copy:
     src: Dockerfile
     dest: "{{ docker_compose.directories.instance }}Dockerfile"
   notify: docker compose project build and setup
 
-- name: "{{ role_name }} | copy docker-compose.yml and env file"
+- name: "copy docker-compose.yml and env file"
   include_tasks: copy-docker-compose-and-env.yml
 
-- name: "{{ role_name }} | Install wordpress"
+- name: "Install wordpress"
   include_tasks: install.yml
 
-- name: "{{ role_name }} | Activating OIDC when enabled."
+- name: "Activating OIDC when enabled."
   include_tasks: oidc.yml
   when: applications[application_id].oidc.enabled | bool

roles/docker-wordpress/tasks/oidc.yml

@@ -1,5 +1,5 @@
 ---
-- name: "{{ role_name }} | Install OpenID Connect Generic Plugin via WP CLI"
+- name: "Install OpenID Connect Generic Plugin via WP CLI"
   command: >
     docker-compose exec -u www-data -T application
       wp plugin install daggerhart-openid-connect-generic
@@ -7,10 +7,13 @@
   args:
     chdir: "{{ docker_compose.directories.instance }}"
 
-- name: "{{ role_name }} | Activate OpenID Connect Generic Plugin"
+- name: "Activate OpenID Connect Generic Plugin"
   command: >
     docker-compose exec -u www-data -T application
       wp plugin activate daggerhart-openid-connect-generic
       --path={{ wordpress_docker_html_path }}
   args:
     chdir: "{{ docker_compose.directories.instance }}"
+
+- name: "Setup OIDC settings"
+  include_tasks: "oidc_settings.yml"

roles/docker-wordpress/tasks/oidc_settings.yml

@@ -0,0 +1,24 @@
+- name: "Load OIDC settings variables"
+  include_vars:
+    file: "{{ role_path }}/vars/oidc.yml"
+    name: oidc_vars
+
+- name: "Ensure the OIDC settings option exists as a PHP-serialized empty array"
+  # Generate an empty serialized array in the container, then add or update the option
+  command: >
+    docker-compose exec -u www-data -T application bash -lc
+    "serialized_empty_array=$(wp eval 'echo serialize(array());' --path={{ wordpress_docker_html_path }}); \
+     wp option add openid_connect_generic_settings \"$serialized_empty_array\" --path={{ wordpress_docker_html_path }} \
+     || wp option update openid_connect_generic_settings \"$serialized_empty_array\" --path={{ wordpress_docker_html_path }};"
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  failed_when: false
+
+- name: "Apply all OIDC settings via WP-CLI eval"
+  # Convert the settings map to JSON and update the option in one step
+  command: >
+    docker-compose exec -u www-data -T application bash -lc
+      "settings_json='{{ oidc_vars.oidc_settings | to_json }}'; \
+       wp eval \"update_option('openid_connect_generic_settings', json_decode('"$settings_json"', true));\" --path={{ wordpress_docker_html_path }}"
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"

roles/docker-wordpress/templates/env.j2

@@ -2,14 +2,3 @@ WORDPRESS_DB_HOST=      "{{database_host}}:{{database_port}}"
 WORDPRESS_DB_USER=      "{{database_username}}"
 WORDPRESS_DB_PASSWORD=  "{{database_password}}"
 WORDPRESS_DB_NAME=      "{{database_name}}"
-
-{% if applications[application_id].oidc.enabled | bool %}
-# OIDC Configuration (loaded if OIDC is enabled)
-# @see https://github.com/oidc-wp/openid-connect-generic/blob/develop/includes/openid-connect-generic-option-settings.php
-OIDC_CLIENT_ID={{ oidc.client.id }}
-OIDC_CLIENT_SECRET={{ oidc.client.secret }}
-OIDC_ENDPOINT_LOGOUT_URL={{ oidc.client.logout_url }}
-OIDC_ENDPOINT_LOGIN_URL={{ oidc.client.authorize_url }}
-OIDC_ENDPOINT_TOKEN_URL={{ oidc.client.token_url }}
-OIDC_ENDPOINT_USERINFO_URL={{ oidc.client.user_info_url }}
-{% endif %}

roles/docker-wordpress/vars/oidc.yml

@@ -0,0 +1,28 @@
+# vars/oidc.yml
+# Defines OIDC settings for the OpenID Connect Generic plugin, with explanatory comments.
+
+oidc_settings:
+  client_id:                "{{ oidc.client.id }}"                                          # The client ID that identifies WordPress as the OIDC client.
+  client_secret:            "{{ oidc.client.secret }}"                                      # The secret key used by WordPress to authenticate to the OIDC provider.
+  endpoint_login:           "{{ oidc.client.authorize_url }}"                               # URL of the authorization endpoint to initiate the login flow.
+  endpoint_token:           "{{ oidc.client.token_url }}"                                   # URL of the token endpoint for exchanging authorization codes for tokens.
+  endpoint_userinfo:        "{{ oidc.client.user_info_url }}"                               # URL of the userinfo endpoint to retrieve user profile data.
+  endpoint_end_session:     "{{ oidc.client.logout_url }}"                                  # URL of the end-session endpoint to log users out of the IDP.
+#  login_type:               "{{ oidc.client.login_type | default('') }}"                    # Determines how the login interface is rendered (e.g., button or form).
+#  scope:                    "{{ oidc.client.scope | default('openid profile email') }}"    # Scopes requested from the OIDC provider during authentication.
+  create_if_does_not_exist: true                                                            # Auto-create a new WP user if one doesn’t exist.
+  enforce_privacy:          false                                                           # Require authentication for all site pages if set to true.
+  link_existing_users:      true                                                            # Link OIDC login to existing WP users by matching email.
+  redirect_on_logout:       true                                                            # Redirect users after logout to the login screen or homepage.
+  redirect_user_back:       true                                                            # Return users to their original URL after successful login.
+  #acr_values:               "{{ oidc.client.acr_values | default('') }}"                   # ACR values defining required authentication context (e.g., MFA level).
+  enable_logging:           "{{ enable_debug }}"                                            # Enable detailed plugin logging for debugging and auditing.
+#  log_limit:                "{{ oidc.client.log_limit | default('') }}"                     # Maximum number of log entries to retain before pruning.
+  #no_sslverify                                                                              # The flag to enable/disable SSL verification during authorization.
+  #http_request_timeout                                                                      # The timeout for requests made to the IDP. Default value is 5.
+  #identity_key                                                                              # The key in the user claim array to find the user's identification data.
+  #nickname_key                                                                              # The key in the user claim array to find the user's nickname.
+  #email_format                                                                              # The key(s) in the user claim array to formulate the user's email address.
+  #displayname_format                                                                        # The key(s) in the user claim array to formulate the user's display name.
+  #identify_with_username                                                                    # The flag which indicates how the user's identity will be determined.
+  #state_time_limit                                                                          # The valid time limit of the state, in seconds. Defaults to 180 seconds.

roles/driver-lid-switch/tasks/main.yml

@@ -1,5 +1,5 @@
 ---
-- name: "{{ role_name }} | pkgmgr install"
+- name: "pkgmgr install"
   include_role:
     name: pkgmgr-install
   vars:

roles/pkgmgr-install/tasks/main.yml

@@ -1,4 +1,4 @@
-- name: "{{ role_name }} | pkgmgr installation tasks"
+- name: "pkgmgr installation tasks"
   become: "{{ pkgmgr_become }}"
   block:
     - name: update pkgmgr

roles/system-btrfs-auto-balancer/tasks/main.yml

@@ -1,4 +1,4 @@
-- name: "{{ role_name }} | pkgmgr install"
+- name: "pkgmgr install"
   include_role:
     name: pkgmgr-install
   vars:

roles/system-swapfile/tasks/main.yml

@@ -1,4 +1,4 @@
-- name: "{{ role_name }} | pkgmgr install"
+- name: "pkgmgr install"
   include_role:
     name: pkgmgr-install
   vars: