Open WebUI OIDC & proxy fixes + Ollama preload + async-safe pull

- svc-ai-ollama: - Add preload_models (llama3, mistral, nomic-embed-text) - Pre-pull task: loop_var=model, async-safe changed_when/failed_when - sys-svc-proxy (OpenResty): - Forward Authorization header - Ensure proxy_pass_request_headers on - web-app-openwebui: - ADMIN_EMAIL from users.administrator.email - Request RBAC group scope in OAUTH_SCOPES Ref: ChatGPT support (2025-09-23) — https://chatgpt.com/share/68d20588-2584-800f-aed4-26ce710c69c4
2025-09-24 11:06:24 +02:00 · 2025-09-23 04:27:46 +02:00
parent 1b91ddeac2
commit f4cf55b3c8
5 changed files with 30 additions and 3 deletions
--- a/roles/web-app-openwebui/templates/env.j2
+++ b/roles/web-app-openwebui/templates/env.j2
@@ -14,7 +14,7 @@ ENABLE_PERSISTENT_CONFIG=false
 # Use this to automatically assign the first admin in a fresh installation.
 # The specified email will be promoted to ADMIN on first login.
 # After initial setup you can remove this block and manage admins via the UI.
-ADMIN_EMAIL=users.administrator.email
+ADMIN_EMAIL={{ users.administrator.email }}

 # If enabled, the pending-activation page will display the admin’s email address
 # so new users know who to contact for access.
@@ -42,7 +42,7 @@ OPENID_REDIRECT_URI={{ OPENWEBUI_OIDC_REDIRECT_URL }}
 OAUTH_PROVIDER_NAME={{ OIDC.BUTTON_TEXT }}

 # Scopes to request (openid is required; email/profile recommended)
-OAUTH_SCOPES=openid email profile
+OAUTH_SCOPES=openid email profile {{ RBAC.GROUP.CLAIM }}

 # =========================
 # Optional: Role Management