From f4cf55b3c8ae17dfb98010b37ab2e7d31324cf24 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Tue, 23 Sep 2025 04:27:46 +0200
Subject: [PATCH] Open WebUI OIDC & proxy fixes + Ollama preload + async-safe pull
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- svc-ai-ollama:
- Add preload_models (llama3, mistral, nomic-embed-text)
- Pre-pull task: loop_var=model, async-safe changed_when/failed_when
- sys-svc-proxy (OpenResty):
- Forward Authorization header
- Ensure proxy_pass_request_headers on
- web-app-openwebui:
- ADMIN_EMAIL from users.administrator.email
- Request RBAC group scope in OAUTH_SCOPES

Ref: ChatGPT support (2025-09-23) — https://chatgpt.com/share/68d20588-2584-800f-aed4-26ce710c69c4
---
 roles/svc-ai-ollama/config/main.yml | 6 +++++-
 roles/svc-ai-ollama/tasks/01_core.yml | 19 +++++++++++++++++++
 roles/svc-ai-ollama/vars/main.yml | 2 ++
 .../templates/location/html.conf.j2 | 2 ++
 roles/web-app-openwebui/templates/env.j2 | 4 ++--
 5 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/roles/svc-ai-ollama/config/main.yml b/roles/svc-ai-ollama/config/main.yml
index 6d4257d3..0dece7da 100644
--- a/roles/svc-ai-ollama/config/main.yml
+++ b/roles/svc-ai-ollama/config/main.yml
@@ -11,4 +11,8 @@ docker:
 port: 11434
 volumes:
 models: "ollama_models"
-network: "ollama"
\ No newline at end of file
+network: "ollama"
+preload_models:
+- "llama3:latest"
+- "mistral:latest"
+- "nomic-embed-text:latest"
\ No newline at end of file
diff --git a/roles/svc-ai-ollama/tasks/01_core.yml b/roles/svc-ai-ollama/tasks/01_core.yml
index 58163f3d..be171468 100644
--- a/roles/svc-ai-ollama/tasks/01_core.yml
+++ b/roles/svc-ai-ollama/tasks/01_core.yml
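Review bot: Every entry in the new `preload_models` list uses the floating `:latest` tag, so the weights a host ends up with depend on when the pre-pull happens to run and can change silently on the next pull; for reproducible deployments pin each entry to a specific tag (or a digest reference, if the registry in use supports one) and, if `latest` is kept on purpose, say so in a comment above the list. The file still ends without a trailing newline on both sides of the hunk, which yamllint reports and which is what produces the `\ No newline at end of file` markers here.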
@@ -16,4 +16,23 @@
 vars:
 docker_compose_flush_handlers: true
+- name: Pre-pull Ollama models
+vars:
+_cmd: "docker exec -i {{ OLLAMA_CONTAINER }} ollama pull {{ model }}"
+shell: "{{ _cmd }}"
+register: pull_result
+loop: "{{ OLLAMA_PRELOAD_MODELS }}"
+loop_control:
+loop_var: model
+async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
+poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
+changed_when: >
+(not (ASYNC_ENABLED | bool)) and (
+'downloaded' in (pull_result.stdout | default('')) or
+'pulling manifest' in (pull_result.stdout | default(''))
+)
+failed_when: >
+(pull_result.rc | default(0)) != 0 and
+('up to date' not in (pull_result.stdout | default('')))
+
 - include_tasks: utils/run_once.yml
\ No newline at end of file
diff --git a/roles/svc-ai-ollama/vars/main.yml b/roles/svc-ai-ollama/vars/main.yml
index 3fb2fb6c..49ac27e6 100644
--- a/roles/svc-ai-ollama/vars/main.yml
+++ b/roles/svc-ai-ollama/vars/main.yml
@@ -12,3 +12,5 @@ OLLAMA_CONTAINER: "{{ applications | get_app_conf(application_id,
 OLLAMA_PORT: "{{ applications | get_app_conf(application_id, 'docker.services.ollama.port') }}"
 OLLAMA_VOLUME: "{{ applications | get_app_conf(application_id, 'docker.volumes.models') }}"
 OLLAMA_NETWORK: "{{ applications | get_app_conf(application_id, 'docker.network') }}"
+OLLAMA_PRELOAD_MODELS: "{{ applications | get_app_conf(application_id, 'preload_models') }}"
+
diff --git a/roles/sys-svc-proxy/templates/location/html.conf.j2 b/roles/sys-svc-proxy/templates/location/html.conf.j2
index 9c13c277..fe15fdd5 100644
--- a/roles/sys-svc-proxy/templates/location/html.conf.j2
+++ b/roles/sys-svc-proxy/templates/location/html.conf.j2
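Review bot: In the new `Pre-pull Ollama models` task, `failed_when` reads `pull_result.rc | default(0)`, so whenever the task is dispatched asynchronously without waiting for the result (an `ASYNC_POLL` of 0, if that value is allowed) a failed pull is reported as ok and nothing later inspects the job; either keep `poll` above zero or follow the task with an `async_status` loop that checks `rc` once the jobs finish. The command uses no shell features, so `command:` with the loop item quoted is the more conservative form: `command: "docker exec -i {{ OLLAMA_CONTAINER }} ollama pull {{ model | quote }}"`, which also makes the `_cmd` var unnecessary. The `changed_when` match on `pulling manifest` presumably fires on every pull, including for models that are already present, in which case the task reports changed on each run; matching only on output that appears when layers are actually downloaded would keep it idempotent, and a one-line comment above `changed_when` naming the Ollama output strings the two conditions rely on would help whoever has to adjust them after an Ollama upgrade.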
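Review bot: `OLLAMA_PRELOAD_MODELS` is consumed directly as a `loop:` source, so what happens when an application config omits `preload_models` depends on how `get_app_conf` handles a missing key, which this hunk does not show; if the list is meant to be optional and the filter yields an undefined or empty value for a missing key, `| default([])` here keeps the pre-pull task from erroring on hosts that do not set it, and a short comment stating that the list is optional would document the intent. The hunk also appends an empty line at the very end of `vars/main.yml`, which yamllint reports; dropping it keeps the file ending on a single newline.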
@@ -10,10 +10,12 @@ location {{location}}
 # headers
 proxy_set_header Host $host;
+proxy_set_header Authorization $http_authorization;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-Port {{ WEB_PORT }};
+proxy_pass_request_headers on;
 {% include 'roles/sys-svc-proxy/templates/headers/content_security_policy.conf.j2' %}
diff --git a/roles/web-app-openwebui/templates/env.j2 b/roles/web-app-openwebui/templates/env.j2
index e4f99aba..20df3a7b 100644
--- a/roles/web-app-openwebui/templates/env.j2
+++ b/roles/web-app-openwebui/templates/env.j2
@@ -14,7 +14,7 @@ ENABLE_PERSISTENT_CONFIG=false
 # Use this to automatically assign the first admin in a fresh installation.
 # The specified email will be promoted to ADMIN on first login.
 # After initial setup you can remove this block and manage admins via the UI.
-ADMIN_EMAIL=users.administrator.email
+ADMIN_EMAIL={{ users.administrator.email }}
 # If enabled, the pending-activation page will display the admin’s email address
 # so new users know who to contact for access.
@@ -42,7 +42,7 @@ OPENID_REDIRECT_URI={{ OPENWEBUI_OIDC_REDIRECT_URL }}
 OAUTH_PROVIDER_NAME={{ OIDC.BUTTON_TEXT }}
 # Scopes to request (openid is required; email/profile recommended)
-OAUTH_SCOPES=openid email profile
+OAUTH_SCOPES=openid email profile {{ RBAC.GROUP.CLAIM }}
 # =========================
 # Optional: Role Management
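Review bot: Both added directives restate nginx defaults — client request headers are passed upstream unless `proxy_pass_request_headers off` is set in an outer context, and nginx does not strip `Authorization` on its own — so the two lines only take effect if some inherited or included configuration turns header passing off, and a comment naming that case (`# keep Authorization even if an outer context disables header passing`) would explain why they are here. This location template appears to be shared by every proxied application (inferred from the role name; the enclosing `location` block starts and ends outside the hunk), so bearer credentials now reach all upstreams by design; if `proxy_cache` is active anywhere in this chain, pair this with `proxy_no_cache $http_authorization;` and `proxy_cache_bypass $http_authorization;` so a response produced for one user's token is never served from cache to another.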
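Review bot: The comment above `OAUTH_SCOPES` still describes only `openid email profile`, but the line now appends `{{ RBAC.GROUP.CLAIM }}`; extend it with something like `# The group scope asks the IdP to include the membership claim that role management maps below.` The variable name suggests a claim name rather than a scope name, and on an IdP where the two differ this requests a scope that does not exist, so it is worth confirming the IdP defines a scope by exactly that name or introducing a separate scope variable. Requesting the scope alone does not enable group-based access in Open WebUI — it reads the claim through its `OAUTH_GROUP_CLAIM` setting, which should be set to the same value in the Role Management section that follows this hunk.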