Open WebUI OIDC & proxy fixes + Ollama preload + async-safe pull

- svc-ai-ollama: - Add preload_models (llama3, mistral, nomic-embed-text) - Pre-pull task: loop_var=model, async-safe changed_when/failed_when - sys-svc-proxy (OpenResty): - Forward Authorization header - Ensure proxy_pass_request_headers on - web-app-openwebui: - ADMIN_EMAIL from users.administrator.email - Request RBAC group scope in OAUTH_SCOPES Ref: ChatGPT support (2025-09-23) — https://chatgpt.com/share/68d20588-2584-800f-aed4-26ce710c69c4
2025-09-24 11:06:24 +02:00 · 2025-09-23 04:27:46 +02:00
parent 1b91ddeac2
commit f4cf55b3c8
5 changed files with 30 additions and 3 deletions
--- a/roles/svc-ai-ollama/config/main.yml
+++ b/roles/svc-ai-ollama/config/main.yml
@@ -12,3 +12,7 @@ docker:
  volumes:
    models:     "ollama_models"
  network:      "ollama"
+preload_models:
+  - "llama3:latest"
+  - "mistral:latest"
+  - "nomic-embed-text:latest"
--- a/roles/svc-ai-ollama/tasks/01_core.yml
+++ b/roles/svc-ai-ollama/tasks/01_core.yml
@@ -16,4 +16,23 @@
  vars:
    docker_compose_flush_handlers: true

+- name: Pre-pull Ollama models
+  vars:
+    _cmd: "docker exec -i {{ OLLAMA_CONTAINER }} ollama pull {{ model }}"
+  shell: "{{ _cmd }}"
+  register: pull_result
+  loop: "{{ OLLAMA_PRELOAD_MODELS }}"
+  loop_control:
+    loop_var: model
+  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
+  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
+  changed_when: >
+    (not (ASYNC_ENABLED | bool)) and (
+      'downloaded' in (pull_result.stdout | default('')) or
+      'pulling manifest' in (pull_result.stdout | default(''))
+    )
+  failed_when: >
+    (pull_result.rc | default(0)) != 0 and
+    ('up to date' not in (pull_result.stdout | default('')))
+
 - include_tasks: utils/run_once.yml
--- a/roles/svc-ai-ollama/vars/main.yml
+++ b/roles/svc-ai-ollama/vars/main.yml
@@ -12,3 +12,5 @@ OLLAMA_CONTAINER:               "{{ applications | get_app_conf(application_id,
 OLLAMA_PORT:                    "{{ applications | get_app_conf(application_id, 'docker.services.ollama.port') }}"
 OLLAMA_VOLUME:                  "{{ applications | get_app_conf(application_id, 'docker.volumes.models') }}"
 OLLAMA_NETWORK:                 "{{ applications | get_app_conf(application_id, 'docker.network') }}"
+OLLAMA_PRELOAD_MODELS:          "{{ applications | get_app_conf(application_id, 'preload_models') }}"
+
--- a/roles/sys-svc-proxy/templates/location/html.conf.j2
+++ b/roles/sys-svc-proxy/templates/location/html.conf.j2
@@ -10,10 +10,12 @@ location {{location}}

  # headers
  proxy_set_header Host $host;
+  proxy_set_header Authorization $http_authorization;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Forwarded-Port {{ WEB_PORT }};
+  proxy_pass_request_headers on;

  {% include 'roles/sys-svc-proxy/templates/headers/content_security_policy.conf.j2' %}

--- a/roles/web-app-openwebui/templates/env.j2
+++ b/roles/web-app-openwebui/templates/env.j2
@@ -14,7 +14,7 @@ ENABLE_PERSISTENT_CONFIG=false
 # Use this to automatically assign the first admin in a fresh installation.
 # The specified email will be promoted to ADMIN on first login.
 # After initial setup you can remove this block and manage admins via the UI.
-ADMIN_EMAIL=users.administrator.email
+ADMIN_EMAIL={{ users.administrator.email }}

 # If enabled, the pending-activation page will display the admin’s email address
 # so new users know who to contact for access.
@@ -42,7 +42,7 @@ OPENID_REDIRECT_URI={{ OPENWEBUI_OIDC_REDIRECT_URL }}
 OAUTH_PROVIDER_NAME={{ OIDC.BUTTON_TEXT }}

 # Scopes to request (openid is required; email/profile recommended)
-OAUTH_SCOPES=openid email profile
+OAUTH_SCOPES=openid email profile {{ RBAC.GROUP.CLAIM }}

 # =========================
 # Optional: Role Management