kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-04-20 23:14:56 +02:00
Code Issues Packages Projects Releases Wiki Activity

Redesigned oidc attributs

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach 2025-04-17 14:50:04 +02:00
parent 7e24d9b1c3
commit b5b4550cfb
No known key found for this signature in database
GPG Key ID: 44D8F11FD62F878E
21 changed files with 89 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
roles/backup-directory-validator/tasks/main.yml
View File

@ -1,4 +1,4 @@
- name: "{{ role_name }} | pkgmgr install"
- name: "pkgmgr install"
include_role:
name: pkgmgr-install
vars:

2
roles/backup-docker-to-local/tasks/main.yml
View File

@ -1,4 +1,4 @@
- name: "{{ role_name }} | pkgmgr install"
- name: "pkgmgr install"
include_role:
name: pkgmgr-install
vars:

6
roles/backup-docker-to-local/tasks/seed-database-to-backup.yml
View File

@ -1,6 +1,6 @@
# This file is also used by docker-matrix-compose
- name: "{{ role_name }} | Display all database variables"
- name: "Display all database variables"
debug:
msg: |
database_instance: "{{ database_instance | default('undefined') }}"
@ -9,7 +9,7 @@
database_password: "{{ database_password | default('undefined') }}"
when: enable_debug | bool
- name: "{{ role_name }} | fail if not all required database variables are defined"
- name: "fail if not all required database variables are defined"
fail:
msg: "You must define all of the following variables: database_instance, database_name, database_username, database_password"
when: >
@ -22,7 +22,7 @@
database_username is defined and
database_password is defined)
- name: "{{ role_name }} | seed database values in directory {{ backup_docker_to_local_folder }}"
- name: "seed database values in directory {{ backup_docker_to_local_folder }}"
command:
cmd: "python database_entry_seeder.py databases.csv {{database_instance}} {{database_name}} {{database_username}} {{database_password}}"
chdir: "{{ backup_docker_to_local_folder }}"

2
roles/cleanup-docker-anonymous-volumes/tasks/main.yml
View File

@ -1,4 +1,4 @@
- name: "{{ role_name }} | pkgmgr install"
- name: "pkgmgr install"
include_role:
name: pkgmgr-install
vars:

2
roles/cleanup-failed-docker-backups/tasks/main.yml
View File

@ -1,4 +1,4 @@
- name: "{{ role_name }} | pkgmgr install"
- name: "pkgmgr install"
include_role:
name: pkgmgr-install
vars:

2
roles/client-git/tasks/main.yml
View File

@ -4,7 +4,7 @@
state: present
become: true
- name: "{{ role_name }} | pkgmgr install"
- name: "pkgmgr install"
include_role:
name: pkgmgr-install
vars:

2
roles/client-gnome-extensions/tasks/main.yml
View File

@ -2,7 +2,7 @@
ansible.builtin.shell: gsettings set org.gnome.shell disable-user-extensions false
become: false
- name: "{{ role_name }} | pkgmgr install"
- name: "pkgmgr install"
include_role:
name: pkgmgr-install
vars:

10
roles/docker-central-database/tasks/main.yml
View File

@ -1,27 +1,27 @@
- name: "{{ role_name }} | Load database variables"
- name: "Load database variables"
include_vars: "{{ item }}"
loop:
- "{{ docker_var_file }}" # Important to load docker variables first so that database can use them
- "{{ database_var_file }}" # Important to load them before docker role so that backup can use them
# Docker Routines
- name: "{{ role_name }} | Include docker-compose role"
- name: "Include docker-compose role"
include_role:
name: docker-compose
# The following env file will just be used from the dedicated mariadb container
# and not the central-mariadb-database
- name: "{{ role_name }} | Create {{database_env}}"
- name: "Create {{database_env}}"
template:
src: "env/{{database_type}}.env.j2"
dest: "{{database_env}}"
notify: docker compose project build and setup
when: not applications[application_id].database.central_storage | bool
- name: "{{ role_name }} | Create central database"
- name: "Create central database"
include_role:
name: "docker-{{database_type}}"
when: applications[application_id].database.central_storage | bool
- name: "{{ role_name }} | Add database to backup"
- name: "Add database to backup"
include_tasks: "{{ playbook_dir }}/roles/backup-docker-to-local/tasks/seed-database-to-backup.yml"

6
roles/docker-compose/tasks/main.yml
View File

@ -1,7 +1,7 @@
- name: "{{ role_name }} | Load variables from {{ role_path }}/vars/docker-compose.yml for whole play"
- name: "Load variables from {{ role_path }}/vars/docker-compose.yml for whole play"
include_vars: "{{ role_path }}/vars/docker-compose.yml"
- name: "{{ role_name }} | Remove {{ docker_compose.directories.instance }} and all its contents"
- name: "Remove {{ docker_compose.directories.instance }} and all its contents"
file:
path: "{{ docker_compose.directories.instance }}"
state: absent
@ -9,7 +9,7 @@
# This could lead to problems in docker-compose directories which are based on a git repository
# @todo Verify that this isn't the case. E.g. in accounting
- name: "{{ role_name }} | Create all docker-compose directories (including parent directories)"
- name: "Create all docker-compose directories (including parent directories)"
file:
path: "{{ item.value }}"
state: directory

2
roles/docker-presentation/tasks/main.yml
View File

@ -4,7 +4,7 @@
include_role:
name: docker-compose
- name: "{{ role_name }} | pkgmgr install"
- name: "pkgmgr install"
include_role:
name: pkgmgr-install
vars:

2
roles/docker-sphinx/tasks/main.yml
View File

@ -4,7 +4,7 @@
include_role:
name: docker-compose
- name: "{{ role_name }} | pkgmgr install"
- name: "pkgmgr install"
include_role:
name: pkgmgr-install
vars:

2
roles/docker-wordpress/tasks/install.yml
View File

@ -1,4 +1,4 @@
- name: "{{ role_name }} | Run WordPress core install via WP CLI"
- name: "Run WordPress core install via WP CLI"
command: >
docker-compose exec -T -u www-data application
wp core install

16
roles/docker-wordpress/tasks/main.yml
View File

@ -1,9 +1,9 @@
---
- name: "{{ role_name }} | Include docker-central-database"
- name: "Include docker-central-database"
include_role:
name: docker-central-database
- name: "{{ role_name }} | Include role nginx-domain-setup for {{ application_id }}"
- name: "Include role nginx-domain-setup for {{ application_id }}"
include_role:
name: nginx-domain-setup
loop: "{{ domains.wordpress }}"
@ -13,30 +13,30 @@
nginx_docker_reverse_proxy_extra_configuration: "client_max_body_size {{ wordpress_max_upload_size }};"
http_port: "{{ ports.localhost.http[application_id] }}"
- name: "{{ role_name }} | Transfering upload.ini to {{ docker_compose.directories.instance }}"
- name: "Transfering upload.ini to {{ docker_compose.directories.instance }}"
template:
src: upload.ini.j2
dest: "{{ docker_compose.directories.instance }}upload.ini"
notify: docker compose project build and setup
- name: "{{ role_name }} | Transfering msmtprc to {{ host_msmtp_conf }}"
- name: "Transfering msmtprc to {{ host_msmtp_conf }}"
template:
src: "{{ playbook_dir }}/roles/msmtp/templates/msmtprc.conf.j2"
dest: "{{ host_msmtp_conf }}"
notify: docker compose project build and setup
- name: "{{ role_name }} | Transfering Dockerfile to {{ docker_compose.directories.instance }}"
- name: "Transfering Dockerfile to {{ docker_compose.directories.instance }}"
copy:
src: Dockerfile
dest: "{{ docker_compose.directories.instance }}Dockerfile"
notify: docker compose project build and setup
- name: "{{ role_name }} | copy docker-compose.yml and env file"
- name: "copy docker-compose.yml and env file"
include_tasks: copy-docker-compose-and-env.yml
- name: "{{ role_name }} | Install wordpress"
- name: "Install wordpress"
include_tasks: install.yml
- name: "{{ role_name }} | Activating OIDC when enabled."
- name: "Activating OIDC when enabled."
include_tasks: oidc.yml
when: applications[application_id].oidc.enabled | bool

7
roles/docker-wordpress/tasks/oidc.yml
View File

@ -1,5 +1,5 @@
---
- name: "{{ role_name }} | Install OpenID Connect Generic Plugin via WP CLI"
- name: "Install OpenID Connect Generic Plugin via WP CLI"
command: >
docker-compose exec -u www-data -T application
wp plugin install daggerhart-openid-connect-generic
@ -7,10 +7,13 @@
args:
chdir: "{{ docker_compose.directories.instance }}"
- name: "{{ role_name }} | Activate OpenID Connect Generic Plugin"
- name: "Activate OpenID Connect Generic Plugin"
command: >
docker-compose exec -u www-data -T application
wp plugin activate daggerhart-openid-connect-generic
--path={{ wordpress_docker_html_path }}
args:
chdir: "{{ docker_compose.directories.instance }}"
- name: "Setup OIDC settings"
include_tasks: "oidc_settings.yml"

24
roles/docker-wordpress/tasks/oidc_settings.yml Normal file
View File

@ -0,0 +1,24 @@
- name: "Load OIDC settings variables"
include_vars:
file: "{{ role_path }}/vars/oidc.yml"
name: oidc_vars
- name: "Ensure the OIDC settings option exists as a PHP-serialized empty array"
# Generate an empty serialized array in the container, then add or update the option
command: >
docker-compose exec -u www-data -T application bash -lc
"serialized_empty_array=$(wp eval 'echo serialize(array());' --path={{ wordpress_docker_html_path }}); \
wp option add openid_connect_generic_settings \"$serialized_empty_array\" --path={{ wordpress_docker_html_path }} \
|| wp option update openid_connect_generic_settings \"$serialized_empty_array\" --path={{ wordpress_docker_html_path }};"
args:
chdir: "{{ docker_compose.directories.instance }}"
failed_when: false
- name: "Apply all OIDC settings via WP-CLI eval"
# Convert the settings map to JSON and update the option in one step
command: >
docker-compose exec -u www-data -T application bash -lc
"settings_json='{{ oidc_vars.oidc_settings | to_json }}'; \
wp eval \"update_option('openid_connect_generic_settings', json_decode('"$settings_json"', true));\" --path={{ wordpress_docker_html_path }}"
args:
chdir: "{{ docker_compose.directories.instance }}"

11
roles/docker-wordpress/templates/env.j2
View File

@ -2,14 +2,3 @@ WORDPRESS_DB_HOST= "{{database_host}}:{{database_port}}"
WORDPRESS_DB_USER= "{{database_username}}"
WORDPRESS_DB_PASSWORD= "{{database_password}}"
WORDPRESS_DB_NAME= "{{database_name}}"
{% if applications[application_id].oidc.enabled | bool %}
# OIDC Configuration (loaded if OIDC is enabled)
# @see https://github.com/oidc-wp/openid-connect-generic/blob/develop/includes/openid-connect-generic-option-settings.php
OIDC_CLIENT_ID={{ oidc.client.id }}
OIDC_CLIENT_SECRET={{ oidc.client.secret }}
OIDC_ENDPOINT_LOGOUT_URL={{ oidc.client.logout_url }}
OIDC_ENDPOINT_LOGIN_URL={{ oidc.client.authorize_url }}
OIDC_ENDPOINT_TOKEN_URL={{ oidc.client.token_url }}
OIDC_ENDPOINT_USERINFO_URL={{ oidc.client.user_info_url }}
{% endif %}

28
roles/docker-wordpress/vars/oidc.yml Normal file
View File

@ -0,0 +1,28 @@
# vars/oidc.yml
# Defines OIDC settings for the OpenID Connect Generic plugin, with explanatory comments.
oidc_settings:
client_id: "{{ oidc.client.id }}" # The client ID that identifies WordPress as the OIDC client.
client_secret: "{{ oidc.client.secret }}" # The secret key used by WordPress to authenticate to the OIDC provider.
endpoint_login: "{{ oidc.client.authorize_url }}" # URL of the authorization endpoint to initiate the login flow.
endpoint_token: "{{ oidc.client.token_url }}" # URL of the token endpoint for exchanging authorization codes for tokens.
endpoint_userinfo: "{{ oidc.client.user_info_url }}" # URL of the userinfo endpoint to retrieve user profile data.
endpoint_end_session: "{{ oidc.client.logout_url }}" # URL of the end-session endpoint to log users out of the IDP.
# login_type: "{{ oidc.client.login_type | default('') }}" # Determines how the login interface is rendered (e.g., button or form).
# scope: "{{ oidc.client.scope | default('openid profile email') }}" # Scopes requested from the OIDC provider during authentication.
create_if_does_not_exist: true # Auto-create a new WP user if one doesnt exist.
enforce_privacy: false # Require authentication for all site pages if set to true.
link_existing_users: true # Link OIDC login to existing WP users by matching email.
redirect_on_logout: true # Redirect users after logout to the login screen or homepage.
redirect_user_back: true # Return users to their original URL after successful login.
#acr_values: "{{ oidc.client.acr_values | default('') }}" # ACR values defining required authentication context (e.g., MFA level).
enable_logging: "{{ enable_debug }}" # Enable detailed plugin logging for debugging and auditing.
# log_limit: "{{ oidc.client.log_limit | default('') }}" # Maximum number of log entries to retain before pruning.
#no_sslverify # The flag to enable/disable SSL verification during authorization.
#http_request_timeout # The timeout for requests made to the IDP. Default value is 5.
#identity_key # The key in the user claim array to find the user's identification data.
#nickname_key # The key in the user claim array to find the user's nickname.
#email_format # The key(s) in the user claim array to formulate the user's email address.
#displayname_format # The key(s) in the user claim array to formulate the user's display name.
#identify_with_username # The flag which indicates how the user's identity will be determined.
#state_time_limit # The valid time limit of the state, in seconds. Defaults to 180 seconds.

2
roles/driver-lid-switch/tasks/main.yml
View File

@ -1,5 +1,5 @@
---
- name: "{{ role_name }} | pkgmgr install"
- name: "pkgmgr install"
include_role:
name: pkgmgr-install
vars:

2
roles/pkgmgr-install/tasks/main.yml
View File

@ -1,4 +1,4 @@
- name: "{{ role_name }} | pkgmgr installation tasks"
- name: "pkgmgr installation tasks"
become: "{{ pkgmgr_become }}"
block:
- name: update pkgmgr

2
roles/system-btrfs-auto-balancer/tasks/main.yml
View File

@ -1,4 +1,4 @@
- name: "{{ role_name }} | pkgmgr install"
- name: "pkgmgr install"
include_role:
name: pkgmgr-install
vars:

2
roles/system-swapfile/tasks/main.yml
View File

@ -1,4 +1,4 @@
- name: "{{ role_name }} | pkgmgr install"
- name: "pkgmgr install"
include_role:
name: pkgmgr-install
vars: