Solved portfolio bug, entered keycloak entries for portfolio, added hints to phpmyadmin and updated mailu documentary

2025-03-26 03:03:32 +01:00 · 2025-03-21 20:19:12 +01:00 · 2025-03-21 20:19:12 +01:00 · bb48e8ae36
commit bb48e8ae36
parent 12ad339221
7 changed files with 147 additions and 21 deletions
--- a/group_vars/all/00_general.yml
+++ b/group_vars/all/00_general.yml
@ -68,6 +68,4 @@ matomo_tracking_enabled_default:           true  # Enables\Disables Matomo track
 css_enabled_default:                       true  # Enables\Disables Global CSS on all html pages by default.

 ## iframe for primary domain
-# Enables\Disables the possibility to be embedded via iframe by default. 
-# Enable conciously on every app in which it makes sense, due to that this a potential security risk
-landingpage_iframe_enabled_default:        false
+landingpage_iframe_enabled_default:        true  # Enables\Disables the possibility to be embedded via iframe by default. 
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
@ -32,8 +32,8 @@ defaults_applications:

  ## Assets Server
  assets_server:
-    source_directory:             "{{ playbook_dir }}/assets"                   # Directory from which the assets will be copied
-    url:                          "https://{{domains.file_server}}/assets}}"    # Public address of the assets directory
+    source_directory:             "{{ playbook_dir }}/assets"               # Directory from which the assets will be copied
+    url:                          "https://{{domains.file_server}}/assets"  # Public address of the assets directory

  ## Attendize 
  attendize:
@ -600,17 +600,17 @@ defaults_applications:

  ## PHPMyAdmin
  phpmyadmin:
-    version:              "latest"
-    autologin:            false                                             # This is a high security risk. Just activate this option if you know what you're doing
+    version:                      "latest"
+    autologin:                    false                                     # This is a high security risk. Just activate this option if you know what you're doing
    oauth2_proxy:  
-      enabled:            true
-      port:               "80"
-      application:        "application"
-#     cookie_secret:      None                                              # Set via openssl rand -hex 16
+      enabled:                    true
+      port:                       "80"
+      application:                "application"
+#     cookie_secret:              None                                      # Set via openssl rand -hex 16
    database:
-      central_storage:    True                                              # Activate Central Database Storage
+      central_storage:            True                                      # Activate Central Database Storage
    css:
-      enabled:            False                                             # The css needs more optimation for PHPMyAdmin
+      enabled:                    False                                     # The css needs more optimation for PHPMyAdmin
    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
    css_enabled:                  "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"  # Enables\Disables the possibility to embed this on landing page via iframe
@ -639,7 +639,7 @@ defaults_applications:

  # Snipe-IT
  snipe_it:
-    version:           "latest"
+    version:                      "latest"
    database:
      central_storage:  True                                                # Activate Central Database Storage
    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
--- a/roles/docker-mailu/Administration.md
+++ b/roles/docker-mailu/Administration.md
@ -32,13 +32,6 @@ To resend queued mails, use this command:
 docker-compose exec -it smtp postqueue -f
 ```

-# Testing 🧪
-
-Use the following tools for testing:
-
- [SSL-Tools Mailserver Test](https://de.ssl-tools.net/mailservers/)
- [TestEmail.de](http://testemail.de/)
-
 # Updates 🔄

 For instructions on updating your Mailu setup, follow the official [Mailu maintenance guide](https://mailu.io/master/maintain.html).
--- a/roles/docker-mailu/Testing.md
+++ b/roles/docker-mailu/Testing.md
@ -0,0 +1,6 @@
+# Test Server Instance
+
+Use the following tools to test your server instance:
+
+- [SSL-Tools Mailserver Test](https://de.ssl-tools.net/mailservers/)
+- [TestEmail.de](http://testemail.de/)
--- a/roles/docker-mailu/User_Administration.md
+++ b/roles/docker-mailu/User_Administration.md
@ -0,0 +1,108 @@
+# User Administration
+
+## Promoting an OIDC User to Admin 🧑‍💼
+
+If your administrator logs in via OpenID Connect (OIDC) and you don't want to create a separate local user, you can promote the existing OIDC-authenticated user to a global admin directly in the Mailu database using the CLI.
+
+Follow these steps:
+
+1. Enter the Mailu `admin` container shell:
+
+   ```bash
+   docker exec -it mailu-admin-1 flask shell
+   ```
+
+2. Inside the interactive shell, run the following commands:
+
+   ```python
+   from mailu import models, db
+   user = models.User.query.filter_by(email='admin@example.com').first()
+   user.global_admin = True
+   db.session.commit()
+   ```
+
+   Replace `admin@example.com` with the OIDC email address used to log in.
+
+3. Exit the shell:
+
+   ```python
+   exit()
+   ```
+
+Your OIDC-authenticated user is now a full **global admin** and has access to all administrative functions in the Mailu interface.
+
+> 💡 Tip: This method is useful when you're using federated login and want to avoid managing separate local admin credentials.
+
+
+Klar! Hier ist die Anleitung zur Änderung der primären Domain eines Mailu-Benutzers, speziell für **MariaDB** als Datenbank-Backend, auf **Englisch** und im gleichen Stil wie deine Doku:
+
+---
+
+## Changing the Primary Domain of a Mailu Account (MariaDB) 🌐
+
+Mailu links user accounts to specific domains, so changing a user's primary domain cannot be done via the admin interface. You need to update it manually via the database.
+
+> ⚠️ **Warning:** Always back up your database before performing manual operations.
+
+### Steps for MariaDB:
+
+1. Connect to the Mailu MariaDB container:
+
+   ```bash
+   docker compose exec -it database mariadb -u mailu -p
+   ```
+
+   Enter the password when prompted (you can find it in your `docker-compose.yml` or `.env` file).
+
+2. Select the Mailu database (usually named `mailu`):
+
+   ```sql
+   USE mailu;
+   ```
+
+3. Update the user's domain and email:
+
+   ```sql
+   UPDATE user SET email='newname@newdomain.com', domain_name='newdomain.com' WHERE email='oldname@olddomain.com';
+   ```
+
+   If needed, also update the local part (username):
+
+   ```sql
+   UPDATE user SET localpart='newname' WHERE email='newname@newdomain.com';
+   ```
+
+4. If the new domain does not exist yet, insert it into the `domain` table:
+
+   ```sql
+   INSERT INTO domain (name, max_users, max_aliases, max_quota_bytes, comment, enabled)
+   VALUES ('newdomain.com', 100, 100, 10737418240, 'New domain', true);
+   ```
+
+5. If the user had aliases, update the `alias` table accordingly.
+
+---
+
+### Alternative: Recreate the User
+
+If you prefer not to modify the database manually:
+
+- Delete the old user via the admin UI
+- Create a new user under the desired domain
+- Migrate emails using IMAP tools (e.g. `imapsync`)
+
+---
+
+### Update DNS and Mailu Configuration
+
+Ensure that the new domain is correctly set up:
+
+- Add it to `HOSTNAMES` in your `docker-compose.yml`
+- Set up proper DNS records (MX, SPF, DKIM, DMARC)
+- If using Let's Encrypt (`TLS_FLAVOR=cert`), make sure the domain is included in `LETSENCRYPT_HOSTS`
+
+> 💡 **Tip:** Mailu must be aware of the domain both in its configuration and the database for mail routing and certificate issuance to work correctly.
+
+---
+
+Wenn du willst, kann ich dir das gleich in eine fertige Markdown-Datei oder ein Doku-Format einfügen.
--- a/roles/docker-phpmyadmin/templates/env.j2
+++ b/roles/docker-phpmyadmin/templates/env.j2
@ -1,3 +1,5 @@
+# Configuration @see https://hub.docker.com/_/phpmyadmin
+
 PMA_HOST= central-mariadb
 {% if applications.phpmyadmin.autologin | bool %}
 PMA_USER= root
--- a/roles/docker-portfolio/templates/config.yaml.j2
+++ b/roles/docker-portfolio/templates/config.yaml.j2
@ -682,6 +682,25 @@ navigation:
            class: fas fa-user-shield
          url: https://{{domains.keycloak}}/admin
          iframe: {{ applications | get_landingpage_iframe_enabled('keycloak') }}
+          children:
+          - name: Keycloak Master Admin
+            description: Access the central admin console
+            icon:
+              class: fa-solid fa-shield-halved
+            url: https://{{ domains.keycloak }}/admin/master/console/
+            iframe: {{ applications | get_landingpage_iframe_enabled('keycloak') }}
+          - name: Manage Your Profile
+            description: Update your personal admin settings
+            icon:
+              class: fa-solid fa-user-gear
+            url: https://{{ domains.keycloak }}/realms/{{oidc.client.id}}/account
+            iframe: {{ applications | get_landingpage_iframe_enabled('keycloak') }}
+          - name: Log Out of Keycloak
+            description: End your admin session securely
+            icon:
+              class: fa-solid fa-right-from-bracket
+            url: https://{{ domains.keycloak }}/realms/{{oidc.client.id}}/protocol/openid-connect/logout
+            iframe: false

    {% endif %}
    {% if "ldap" in group_names %}