From bb48e8ae3686c8b7dc6a92d9c7ad78be863c697b Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Fri, 21 Mar 2025 20:19:12 +0100
Subject: [PATCH] Solved portfolio bug, entered keycloak entries for portfolio, added hints to phpmyadmin and updated mailu documentary
---
 group_vars/all/00_general.yml | 4 +-
 group_vars/all/07_applications.yml | 22 ++--
 roles/docker-mailu/Administration.md | 7 --
 roles/docker-mailu/Testing.md | 6 +
 roles/docker-mailu/User_Administration.md | 108 ++++++++++++++++++
 roles/docker-phpmyadmin/templates/env.j2 | 2 +
 .../docker-portfolio/templates/config.yaml.j2 | 19 +++
 7 files changed, 147 insertions(+), 21 deletions(-)
 create mode 100644 roles/docker-mailu/Testing.md
 create mode 100644 roles/docker-mailu/User_Administration.md
diff --git a/group_vars/all/00_general.yml b/group_vars/all/00_general.yml
index 5e0db945..79753958 100644
--- a/group_vars/all/00_general.yml
+++ b/group_vars/all/00_general.yml
@@ -68,6 +68,4 @@ matomo_tracking_enabled_default: true # Enables\Disables Matomo track
 css_enabled_default: true # Enables\Disables Global CSS on all html pages by default.
 ## iframe for primary domain
-# Enables\Disables the possibility to be embedded via iframe by default.
-# Enable conciously on every app in which it makes sense, due to that this a potential security risk
-landingpage_iframe_enabled_default: false
\ No newline at end of file
+landingpage_iframe_enabled_default: true # Enables\Disables the possibility to be embedded via iframe by default.
\ No newline at end of file
diff --git a/group_vars/all/07_applications.yml b/group_vars/all/07_applications.yml
index 587de490..27822adc 100644
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
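Review bot: Setting `landingpage_iframe_enabled_default` to `true` removes the deny-by-default posture that the deleted comment lines described, so every application whose `landingpage_iframe_enabled` still resolves to this default is now embeddable in an iframe without anyone opting it in. Allowing a page to be framed is the precondition for clickjacking, which is presumably the "potential security risk" the removed comment referred to, and the per-app, conscious enablement it asked for is what kept the exposure small. If the intent is only that the portfolio page can embed its own apps, keeping the default `false` and setting `landingpage_iframe_enabled: true` on those specific apps achieves that with the same effect; if the default really must flip, the warning should survive in the trailing comment, e.g. `landingpage_iframe_enabled_default: true # Default for all apps; framing enables clickjacking, so set to false per app where embedding is not needed.` The new line also still ends without a trailing newline, as the marker below it shows.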
@@ -32,8 +32,8 @@ defaults_applications:
 ## Assets Server
 assets_server:
- source_directory: "{{ playbook_dir }}/assets" # Directory from which the assets will be copied
- url: "https://{{domains.file_server}}/assets}}" # Public address of the assets directory
+ source_directory: "{{ playbook_dir }}/assets" # Directory from which the assets will be copied
+ url: "https://{{domains.file_server}}/assets" # Public address of the assets directory
 ## Attendize
 attendize:
@@ -600,17 +600,17 @@ defaults_applications:
 ## PHPMyAdmin
 phpmyadmin:
- version: "latest"
- autologin: false # This is a high security risk. Just activate this option if you know what you're doing
+ version: "latest"
+ autologin: false # This is a high security risk. Just activate this option if you know what you're doing
 oauth2_proxy:
- enabled: true
- port: "80"
- application: "application"
-# cookie_secret: None # Set via openssl rand -hex 16
+ enabled: true
+ port: "80"
+ application: "application"
+# cookie_secret: None # Set via openssl rand -hex 16
 database:
- central_storage: True # Activate Central Database Storage
+ central_storage: True # Activate Central Database Storage
 css:
- enabled: False # The css needs more optimation for PHPMyAdmin
+ enabled: False # The css needs more optimation for PHPMyAdmin
 matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking
 css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style
 landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe
@@ -639,7 +639,7 @@ defaults_applications:
 # Snipe-IT
 snipe_it:
- version: "latest"
+ version: "latest"
 database:
 central_storage: True # Activate Central Database Storage
 matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking
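Review bot: The rewritten `phpmyadmin` lines in the `@@ -600` hunk keep the capitalized booleans `central_storage: True` and `enabled: False`, which YAML 1.2 does not define as booleans and which yamllint's `truthy` rule flags; Ansible's loader does accept them, but since these lines are being re-emitted anyway this is the moment to normalize them to `central_storage: true` and `enabled: false`, and the same applies to the `central_storage: True` context line in the `@@ -639` hunk. The `@@ -32` hunk's removal of the stray `}}` in the assets `url` is a real fix and worth a mention in the commit message, which currently only talks about the portfolio. The `autologin` comment that warns about the high security risk is retained on the new side, which is good; the commented-out `cookie_secret` line likewise stays commented, so nothing here changes the effective oauth2_proxy configuration.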
diff --git a/roles/docker-mailu/Administration.md b/roles/docker-mailu/Administration.md
index b564190e..c9109553 100644
--- a/roles/docker-mailu/Administration.md
+++ b/roles/docker-mailu/Administration.md
@@ -32,13 +32,6 @@ To resend queued mails, use this command:
 docker-compose exec -it smtp postqueue -f
 ```
-# Testing 🧪
-
-Use the following tools for testing:
-
-- [SSL-Tools Mailserver Test](https://de.ssl-tools.net/mailservers/)
-- [TestEmail.de](http://testemail.de/)
-
 # Updates 🔄
 For instructions on updating your Mailu setup, follow the official [Mailu maintenance guide](https://mailu.io/master/maintain.html).
diff --git a/roles/docker-mailu/Testing.md b/roles/docker-mailu/Testing.md
new file mode 100644
index 00000000..0bf8772e
--- /dev/null
+++ b/roles/docker-mailu/Testing.md
@@ -0,0 +1,6 @@
+# Test Server Instance
+
+Use the following tools to test your server instance:
+
+- [SSL-Tools Mailserver Test](https://de.ssl-tools.net/mailservers/)
+- [TestEmail.de](http://testemail.de/)
\ No newline at end of file
diff --git a/roles/docker-mailu/User_Administration.md b/roles/docker-mailu/User_Administration.md
new file mode 100644
index 00000000..2a8a10c2
--- /dev/null
+++ b/roles/docker-mailu/User_Administration.md
@@ -0,0 +1,108 @@
+# User Administration
+
+## Promoting an OIDC User to Admin 🧑‍💼
+
+If your administrator logs in via OpenID Connect (OIDC) and you don't want to create a separate local user, you can promote the existing OIDC-authenticated user to a global admin directly in the Mailu database using the CLI.
+
+Follow these steps:
+
+1. Enter the Mailu `admin` container shell:
+
+ ```bash
+ docker exec -it mailu-admin-1 flask shell
+ ```
+
+2. Inside the interactive shell, run the following commands:
+
+ ```python
+ from mailu import models, db
+ user = models.User.query.filter_by(email='admin@example.com').first()
+ user.global_admin = True
+ db.session.commit()
+ ```
+
+ Replace `admin@example.com` with the OIDC email address used to log in.
+
+3. Exit the shell:
+
+ ```python
+ exit()
+ ```
+
+Your OIDC-authenticated user is now a full **global admin** and has access to all administrative functions in the Mailu interface.
+
+> 💡 Tip: This method is useful when you're using federated login and want to avoid managing separate local admin credentials.
+
+
+Klar! Hier ist die Anleitung zur Änderung der primären Domain eines Mailu-Benutzers, speziell für **MariaDB** als Datenbank-Backend, auf **Englisch** und im gleichen Stil wie deine Doku:
+
+---
+
+## Changing the Primary Domain of a Mailu Account (MariaDB) 🌐
+
+Mailu links user accounts to specific domains, so changing a user's primary domain cannot be done via the admin interface. You need to update it manually via the database.
+
+> ⚠️ **Warning:** Always back up your database before performing manual operations.
+
+### Steps for MariaDB:
+
+1. Connect to the Mailu MariaDB container:
+
+ ```bash
+ docker compose exec -it database mariadb -u mailu -p
+ ```
+
+ Enter the password when prompted (you can find it in your `docker-compose.yml` or `.env` file).
+
+2. Select the Mailu database (usually named `mailu`):
+
+ ```sql
+ USE mailu;
+ ```
+
+3. Update the user's domain and email:
+
+ ```sql
+ UPDATE user SET email='newname@newdomain.com', domain_name='newdomain.com' WHERE email='oldname@olddomain.com';
+ ```
+
+ If needed, also update the local part (username):
+
+ ```sql
+ UPDATE user SET localpart='newname' WHERE email='newname@newdomain.com';
+ ```
+
+4. If the new domain does not exist yet, insert it into the `domain` table:
+
+ ```sql
+ INSERT INTO domain (name, max_users, max_aliases, max_quota_bytes, comment, enabled)
+ VALUES ('newdomain.com', 100, 100, 10737418240, 'New domain', true);
+ ```
+
+5. If the user had aliases, update the `alias` table accordingly.
+
+---
+
+### Alternative: Recreate the User
+
+If you prefer not to modify the database manually:
+
+- Delete the old user via the admin UI
+- Create a new user under the desired domain
+- Migrate emails using IMAP tools (e.g. `imapsync`)
+
+---
+
+### Update DNS and Mailu Configuration
+
+Ensure that the new domain is correctly set up:
+
+- Add it to `HOSTNAMES` in your `docker-compose.yml`
+- Set up proper DNS records (MX, SPF, DKIM, DMARC)
+- If using Let's Encrypt (`TLS_FLAVOR=cert`), make sure the domain is included in `LETSENCRYPT_HOSTS`
+
+> 💡 **Tip:** Mailu must be aware of the domain both in its configuration and the database for mail routing and certificate issuance to work correctly.
+
+---
+
+Wenn du willst, kann ich dir das gleich in eine fertige Markdown-Datei oder ein Doku-Format einfügen.
\ No newline at end of file
diff --git a/roles/docker-phpmyadmin/templates/env.j2 b/roles/docker-phpmyadmin/templates/env.j2
index 9195f28b..b905e22f 100644
--- a/roles/docker-phpmyadmin/templates/env.j2
+++ b/roles/docker-phpmyadmin/templates/env.j2
@@ -1,3 +1,5 @@
+# Configuration @see https://hub.docker.com/_/phpmyadmin
+
 PMA_HOST= central-mariadb
 {% if applications.phpmyadmin.autologin | bool %}
 PMA_USER= root
diff --git a/roles/docker-portfolio/templates/config.yaml.j2 b/roles/docker-portfolio/templates/config.yaml.j2
index 8636992c..d296ca61 100644
--- a/roles/docker-portfolio/templates/config.yaml.j2
+++ b/roles/docker-portfolio/templates/config.yaml.j2
@@ -682,6 +682,25 @@ navigation:
 class: fas fa-user-shield
 url: https://{{domains.keycloak}}/admin
 iframe: {{ applications | get_landingpage_iframe_enabled('keycloak') }}
+ children:
+ - name: Keycloak Master Admin
+ description: Access the central admin console
+ icon:
+ class: fa-solid fa-shield-halved
+ url: https://{{ domains.keycloak }}/admin/master/console/
+ iframe: {{ applications | get_landingpage_iframe_enabled('keycloak') }}
+ - name: Manage Your Profile
+ description: Update your personal admin settings
+ icon:
+ class: fa-solid fa-user-gear
+ url: https://{{ domains.keycloak }}/realms/{{oidc.client.id}}/account
+ iframe: {{ applications | get_landingpage_iframe_enabled('keycloak') }}
+ - name: Log Out of Keycloak
+ description: End your admin session securely
+ icon:
+ class: fa-solid fa-right-from-bracket
+ url: https://{{ domains.keycloak }}/realms/{{oidc.client.id}}/protocol/openid-connect/logout
+ iframe: false
 {% endif %}
 {% if "ldap" in group_names %}
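Review bot: The new `children` entries mix three Jinja spacing styles on adjacent lines — `{{ domains.keycloak }}` with spaces, `{{oidc.client.id}}` without, and the unchanged parent line's `{{domains.keycloak}}` — so the two realm URLs should read `url: https://{{ domains.keycloak }}/realms/{{ oidc.client.id }}/account` and `url: https://{{ domains.keycloak }}/realms/{{ oidc.client.id }}/protocol/openid-connect/logout` (or drop the spaces everywhere to match the parent). Those two links also assume that the Keycloak realm name is identical to the OIDC client id; that may well hold in this project, but if the realm is configured separately the profile and logout links will 404, so a comment naming that assumption next to the first use, e.g. `# realm name is assumed to equal the OIDC client id`, would save the next maintainer a debugging round. On recent Keycloak releases a plain GET to `/protocol/openid-connect/logout` without `id_token_hint` or `client_id` plus `post_logout_redirect_uri` lands on a confirmation page rather than ending the session silently, which is acceptable for a navigation link but worth stating in the `description` or a comment so "End your admin session securely" is not read as a one-click logout. Setting `iframe: false` on the logout entry is the right call, since a logout flow inside an embedded frame is exactly what the framing default elsewhere in this commit makes easier to abuse. The enclosing `{% if %}` block that these entries sit in starts before the hunk.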