From f8c984d6c273927280fd15286e1970a35dc725b8 Mon Sep 17 00:00:00 2001 
From: Kevin Veen-Birkenbach Date: Fri, 18 Apr 2025 23:17:29 +0200 Subject: [PATCH] Refactored CyMaIS basic features and optimized wordpress implementation --- Makefile | 15 + docs/guides/developer/Role_Creation.md | 13 +- filter_plugins/configuration_filters.py | 16 +- group_vars/all/.gitignore | 1 + group_vars/all/00_general.yml | 19 +- group_vars/all/07_applications.yml | 452 +++++----- main.py | 4 +- requirements.yml | 4 +- roles/docker-bigbluebutton/templates/env.j2 | 4 +- roles/docker-central-database/tasks/main.yml | 4 +- .../templates/services/mariadb.yml.j2 | 2 +- .../templates/services/postgres.yml.j2 | 2 +- .../docker-central-database/vars/database.yml | 4 +- roles/docker-discourse/handlers/main.yml | 2 +- roles/docker-discourse/tasks/main.yml | 4 +- .../templates/discourse_application.yml.j2 | 4 +- roles/docker-friendica/vars/main.yml | 2 +- roles/docker-funkwhale/templates/env.j2 | 2 +- roles/docker-mailu/templates/env.j2 | 6 +- roles/docker-mailu/vars/main.yml | 2 +- roles/docker-mastodon/templates/env.j2 | 4 +- .../tasks/create-and-seed-database.yml | 2 +- .../templates/synapse/homeserver.yaml.j2 | 2 +- .../templates/config/oidc.config.php.j2 | 2 +- roles/docker-openproject/tasks/main.yml | 2 +- roles/docker-pgadmin/vars/main.yml | 2 +- roles/docker-phpmyadmin/vars/main.yml | 2 +- .../lookup_plugins/docker_cards.py | 4 +- .../docker-portfolio/templates/config.yaml.j2 | 10 +- .../templates/footer_menu.yaml.j2 | 8 +- roles/docker-snipe_it/templates/env.j2 | 2 +- roles/docker-taiga/tasks/main.yml | 2 +- .../templates/docker-compose.yml.j2 | 8 +- roles/docker-taiga/templates/env.j2 | 2 +- roles/docker-taiga/vars/main.yml | 4 +- roles/docker-wordpress/tasks/main.yml | 6 +- .../tasks/setup-discourse-api-key.yml | 23 + roles/docker-wordpress/tasks/wp_discourse.yml | 17 + roles/docker-wordpress/vars/wp_discourse.yml | 10 + roles/health-nginx/TODO.md | 2 + .../templates/iframe.conf.j2 | 2 +- roles/nginx-modifier-all/tasks/main.yml | 4 +- 
.../templates/global.includes.conf.j2 | 12 +- roles/nginx-modifier-matomo/tasks/main.yml | 2 +- roles/nginx-modifier-matomo/vars/main.yml | 2 +- tasks/constructor.yml | 14 + templates/docker/compose/networks.yml.j2 | 2 +- .../compose/volumes-just-database.yml.j2 | 2 +- templates/docker/compose/volumes.yml.j2 | 2 +- .../container/depends-on-also-database.yml.j2 | 2 +- .../depends-on-database-redis.yml.j2 | 2 +- .../container/depends-on-just-database.yml.j2 | 2 +- templates/docker/container/networks.yml.j2 | 2 +- templates/vars/applications.yml.j2 | 826 ++++++++++++++++++ templates/vars/features.yml.j2 | 19 + tests/unit/test_docker_cards.py | 16 +- 56 files changed, 1262 insertions(+), 325 deletions(-) create mode 100644 Makefile create mode 100644 group_vars/all/.gitignore create mode 100644 roles/docker-wordpress/tasks/setup-discourse-api-key.yml create mode 100644 roles/docker-wordpress/tasks/wp_discourse.yml create mode 100644 roles/docker-wordpress/vars/wp_discourse.yml create mode 100644 roles/health-nginx/TODO.md create mode 100644 templates/vars/applications.yml.j2 create mode 100644 templates/vars/features.yml.j2 diff --git a/Makefile b/Makefile new file mode 100644 index 00000000..6c1f6e2c --- /dev/null +++ b/Makefile @@ -0,0 +1,15 @@ +# Makefile for j2render + +TEMPLATE=./templates/vars/applications.yml.j2 +OUTPUT=./group_vars/all/07_applications.yml + +build: + @echo "🔧 Building rendered file from $(TEMPLATE)..." + @mkdir -p $(dir $(OUTPUT)) + j2r $(TEMPLATE) $(OUTPUT) + @echo "✅ Output written to $(OUTPUT)" + +install: build + +test: + python -m unittest discover -s tests/unit \ No newline at end of file diff --git a/docs/guides/developer/Role_Creation.md b/docs/guides/developer/Role_Creation.md index c34be5e3..60f14b09 100644 --- a/docs/guides/developer/Role_Creation.md +++ b/docs/guides/developer/Role_Creation.md 
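Review bot: None of `build`, `install` and `test` is declared phony, so a file or directory named `build` or `test` appearing in the repository root would make `make test` report "up to date" and skip the unit tests; add `.PHONY: build install test` at the top of the Makefile. The `build` recipe writes `$(OUTPUT)` into `group_vars/all/`, which this same commit gitignores via `*_applications.yml`, so a rendered file and the tracked `07_applications.yml` can drift apart on disk; a comment such as `# applications.yml.j2 is the source of truth; 07_applications.yml is generated` would make the intended workflow explicit. `j2r` is an external tool the Makefile assumes is installed; a one-line comment saying where it comes from would save the next reader a search.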
@@ -17,10 +17,15 @@ defaults_applications: ## My Service Configuration my_service: - version: "latest" # Version of the service - matomo_tracking_enabled: true # Enable Matomo tracking for analytics - css_enabled: true # Enable or disable global CSS styling - landingpage_iframe_enabled: false # Allow embedding the landing page in an iframe (if true) + version: "latest" + features: # Version of the service + matomo: true # Enable Matomo tracking for analytics + css: true # Enable or disable global CSS styling + iframe: false # Allow embedding the landing page in an iframe (if true) + database: true # Enable central database integration + ldap: true # Enable ldap integration + oauth2: true # Enable oauth2 proxy + oidc: true # Enable oidc ``` --- diff --git a/filter_plugins/configuration_filters.py b/filter_plugins/configuration_filters.py index 9c94a55c..fdbe66ad 100644 --- a/filter_plugins/configuration_filters.py +++ b/filter_plugins/configuration_filters.py 
@@ -1,20 +1,20 @@ -def get_oauth22_enabled(applications, application_id): +def get_oauth2_enabled(applications, application_id): # Retrieve the application dictionary based on the ID app = applications.get(application_id, {}) # Retrieve the value for oauth2_proxy.enabled, default is False - enabled = app.get('oauth2_proxy', {}).get('enabled', False) + enabled = app.get('features', {}).get('oauth2', False) return bool(enabled) def get_oidc_enabled(applications, application_id): # Retrieve the application dictionary based on the ID app = applications.get(application_id, {}) # Retrieve the value for oidc.enabled, default is False - enabled = app.get('oidc', {}).get('enabled', False) + enabled = app.get('features', {}).get('oidc', False) return bool(enabled) -def get_landingpage_iframe_enabled(applications, application_id): +def get_features_iframe(applications, application_id): app = applications.get(application_id) - enabled = app.get('landingpage_iframe_enabled') + enabled = app.features.iframe return bool(enabled) def get_database_central_storage(applications, application_id): @@ -24,14 +24,14 @@ def get_database_central_storage(applications, application_id): If not defined, None is returned. """ app = applications.get(application_id, {}) - db_type = app.get('database', {}).get('central_storage', False) + db_type = app.get('features', {}).get('database', False) return db_type class FilterModule(object): def filters(self): return { 'get_oidc_enabled': get_oidc_enabled, - 'get_oauth2_enabled': get_oauth22_enabled, + 'get_oauth2_enabled': get_oauth2_enabled, 'get_database_central_storage': get_database_central_storage, - 'get_landingpage_iframe_enabled': get_landingpage_iframe_enabled, + 'get_features_iframe': get_features_iframe, } \ No newline at end of file diff --git a/group_vars/all/.gitignore b/group_vars/all/.gitignore new file mode 100644 index 00000000..85577219 --- /dev/null +++ b/group_vars/all/.gitignore 
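Review bot: `get_features_iframe` uses attribute access on a plain dict (`app.features.iframe`) and looks the application up without a default, so every call raises AttributeError — `'dict' object has no attribute 'features'` for a known id, `'NoneType' object has no attribute 'features'` for an unknown one. Make it follow the sibling filters: `app = applications.get(application_id, {})` and `enabled = app.get('features', {}).get('iframe', False)`. The comments `# Retrieve the value for oauth2_proxy.enabled, default is False` and `# Retrieve the value for oidc.enabled, default is False` now describe the removed keys; update them to name `features.oauth2` and `features.oidc`. The `get_database_central_storage` docstring still says None is returned when undefined, while the new lookup defaults to False; since `tests/unit` is touched in this commit, a small test for these four filters would have caught the iframe regression.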
@@ -0,0 +1 @@ +*_applications.yml \ No newline at end of file diff --git a/group_vars/all/00_general.yml b/group_vars/all/00_general.yml index 57f17507..67283420 100644 --- a/group_vars/all/00_general.yml +++ b/group_vars/all/00_general.yml @@ -51,21 +51,4 @@ enable_wildcard_certificate: false # This enables debugging in ansible and in the apps # You SHOULD NOT enable this on production servers -enable_debug: false - -######################### -## ENABLED DEFAULTS ## -######################### - -# The following defaults are used for the default_applications -# It can be that in a default_applications the value for one application is overwritten. -# You can overwritte it in this case in the applications in your inventory - -## Matomo Tracking -matomo_tracking_enabled_default: true # Enables\Disables Matomo tracking on all html pages by default. - -## CSS -css_enabled_default: true # Enables\Disables Global CSS on all html pages by default. - -## iframe for primary domain -landingpage_iframe_enabled_default: true # Enables\Disables the possibility to be embedded via iframe by default. \ No newline at end of file +enable_debug: false \ No newline at end of file diff --git a/group_vars/all/07_applications.yml b/group_vars/all/07_applications.yml index 5608801d..de079883 100644 --- a/group_vars/all/07_applications.yml +++ b/group_vars/all/07_applications.yml @@ -1,3 +1,4 @@ + # Docker Applications ## Docker Role Specific Parameters 
@@ -11,9 +12,7 @@ docker_restart_policy: "unless-stopped" # If other applications depend on this variables, propably it makes sense to define it in e.g. IMA or other variable files. # helper -_applications_nextcloud_ldap_enabled: "{{ applications.nextcloud.ldap.enabled | default(true) }}" -_applications_nextcloud_oidc_enabled: "{{ applications.nextcloud.oidc.enabled | default(true) }}" -_applications_nextcloud_oidc_flavor: "{{ applications.nextcloud.oidc.flavor | default('oidc_login' if _applications_nextcloud_ldap_enabled else 'sociallogin') }}" +_applications_nextcloud_oidc_flavor: "{{ applications.nextcloud.oidc.flavor | default('oidc_login' if applications.nextcloud.features.ldap | default(true) else 'sociallogin') }}" # applications 
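Review bot: This file is hand-edited here while the same commit adds `templates/vars/applications.yml.j2`, a Makefile that renders it to `group_vars/all/07_applications.yml`, and a `.gitignore` entry for `*_applications.yml`; the next `make build` overwrites these edits, so if the template is meant to be the source of truth the same changes must be present there (the template's content is not visible on this page). The new `_applications_nextcloud_oidc_flavor` default nests a conditional expression inside `default(...)`; it parses as intended because the `default` filter on the condition binds tighter than `if`/`else`, but a comment like `# oidc_login when LDAP is on, sociallogin otherwise` would spare the reader that analysis. Whether `applications.nextcloud.features.ldap | default(true)` survives a missing `features` mapping depends on how undefined attribute chains are handled at render time; worth a quick check against an inventory that omits it.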
@@ -25,48 +24,46 @@ defaults_applications: company_name: "{{primary_domain}}" company_email: "{{users.administrator.email}}" setup_admin_email: "{{users.administrator.email}}" - database: - central_storage: True - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: False # Allows embedding via iframe on landing page + database: True # Enables use of central database ## Assets Server assets_server: source_directory: "{{ playbook_dir }}/assets" # Directory from which the assets will be copied url: "https://{{domains.file_server}}/assets" # Public address of the assets directory - ## Attendize attendize: version: "latest" - database: - central_storage: True - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: False # Allows embedding via iframe on landing page + database: True # Enables use of central database ## Baserow baserow: version: "latest" - database: - central_storage: True - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + features: + matomo: True # 
Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: True # Allows embedding via iframe on landing page + database: True # Enables use of central database ## Big Blue Button bigbluebutton: enable_greenlight: "true" setup: false # Set to true in inventory file for initial setup - oidc: - enabled: true # Activate OIDC - database: - central_storage: True - ldap: - enabled: False # @todo LDAP needs to get propper implemented and tested, just set values during refactoring - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe +# @todo LDAP needs to get propper implemented and tested, just set values during refactoring + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: True # Allows embedding via iframe on landing page + ldap: False # Enables LDAP integration and networking + oidc: True # Enables OpenID Connect (OIDC) authentication + database: True # Enables use of central database credentials: # shared_secret: # Needs to be defined in inventory file # etherpad_api_key: # Needs to be defined in inventory file 
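Review bot: The `# @todo LDAP needs to get propper implemented and tested, just set values during refactoring` comment for bigbluebutton now sits at column 0 between `setup:` and `features:`, detached from the `ldap: False` line it explains; fold it inline, `ldap: False # @todo LDAP not properly implemented/tested yet`. The per-application `iframe` flags replace the old global `landingpage_iframe_enabled_default`, and baserow, bigbluebutton and the following entries now default to `iframe: True` while the first entry in this hunk uses `False`, all with the identical generic comment; a short comment on the first `features:` block stating what the flag controls (presumably the framing configuration rendered by the nginx modifier roles in the diffstat) and why the default differs per app would help. The same generic-comment pattern repeats in every later hunk of this file.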
@@ -87,11 +84,11 @@ defaults_applications: #jwt_secret: # Needs to be defined in inventory file - Use: openssl rand -base64 64 | tr -d '\n' #plc_rotation_key_k256_private_key_hex: # Needs to be defined in inventory file - Use: openssl rand -hex 32 #admin_password: # Needs to be defined in inventory file - Use: openssl rand -base64 16 - database: - central_storage: True - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: True # Allows embedding via iframe on landing page + database: True # Enables use of central database # Chromium Browser chromium: 
@@ -110,20 +107,25 @@ defaults_applications: network: "discourse_default" # Name of the docker network container: "discourse_application" # Name of the container application repository: "discourse_repository" # Name of the repository folder - # database_password: # Needs to be defined in inventory file - oidc: - enabled: true # Activate OIDC - database: - central_storage: True # Activate Central Database Storage - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + credentials: + database: +# password: # Needs to be defined in inventory file + master_api: +# key: # Needs to be defined in inventory file + username: "{{ users.administrator.username }}" # Username for the Master API + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: True # Allows embedding via iframe on landing page + oidc: True # Enables OpenID Connect (OIDC) authentication + database: True # Enables use of central database ## File Server file_server: - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "true" # Landingpage should be embeded in portfolio + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: True # Allows embedding via iframe on landing page # Firefox Browser firefox: 
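Review bot: Under `credentials:` the placeholders `# password:` and `# key:` are written at column 0, so a reader cannot see that they belong to `database:` and `master_api:`; indent them under their parents, e.g. `      # password: # Needs to be defined in inventory file`. As written `database:` has no children and loads as null, so a template reading `applications.discourse.credentials.database.password` on an inventory that forgot the override fails with an attribute error on None rather than a clear undefined-variable message; a `database: {}` default or an assert task in the role would give a better failure. The new `master_api` block is presumably consumed by the new `setup-discourse-api-key.yml` in the wordpress role listed in the diffstat, which is outside this page.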
@@ -134,47 +136,45 @@ defaults_applications: ## Friendica friendica: version: "latest" - oidc: - enabled: true # Activate OIDC. Plugin is not working yet - database: - central_storage: True # Activate Central Database Storage - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: True # Allows embedding via iframe on landing page + oidc: True # Enables OpenID Connect (OIDC) authentication + database: True # Enables use of central database ## Funkwhale funkwhale: version: "1.4.0" - ldap: - enabled: True # Enables LDAP by default @todo check implementation - database: - central_storage: True # Activate Central Database Storage - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: True # Allows embedding via iframe on landing page + ldap: True # Enables LDAP integration and networking + database: True # Enables use of central database ## Gitea gitea: version: "latest" # Use latest docker image - database: - central_storage: True # Activate Central Database Storage configuration: repository: enable_push_create_user: True # Allow users to push local repositories to Gitea and have them automatically created for a user. 
default_private: last # Default private when creating a new repository: last, private, public default_push_create_private: True # Default private when creating a new repository with push-to-create. - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: True # Allows embedding via iframe on landing page + database: True # Enables use of central database ## Gitlab gitlab: version: "latest" - database: - central_storage: True # Activate Central Database Storage - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: True # Allows embedding via iframe on landing page + database: True # Enables use of central database ## Gnome gnome: 
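Review bot: The rationale comments were dropped together with the old keys — friendica's `# Activate OIDC. Plugin is not working yet` and funkwhale's `# Enables LDAP by default @todo check implementation` — but the flags are still `oidc: True` and `ldap: True`, so the caveats are now invisible to anyone reading the defaults. Carry them over inline, e.g. `oidc: True # Enables OpenID Connect (OIDC) authentication - plugin not working yet` and `ldap: True # Enables LDAP integration - @todo check implementation`.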
@@ -186,15 +186,17 @@ defaults_applications: ## Joomla joomla: version: "latest" - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: True # Allows embedding via iframe on landing page ## HTML Server html_server: - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "true" # Landingpage should be embeded in portfolio + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: False # Allows embedding via iframe on landing page ## Keycloak keycloak: 
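Review bot: `html_server` changes from `landingpage_iframe_enabled: "true" # Landingpage should be embeded in portfolio` to `iframe: False`, while `file_server` in the previous hunk keeps `True` for the same stated purpose; unless this is deliberate, embedding the HTML server in the portfolio breaks. If the change is intended, replace the generic `# Allows embedding via iframe on landing page` with the actual reason, e.g. `iframe: False # no longer embedded in portfolio`; otherwise restore `True`.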
@@ -202,31 +204,31 @@ defaults_applications: users: administrator: username: "{{users.administrator.username}}" # Administrator Username for Keycloak - ldap: - enabled: True # Enables LDAP by default import_realm: True # If True realm will be imported. If false skip. - database: - central_storage: True # Activate Central Database Storage # database_password: # Needs to be defined in inventory file # administrator_password: # Needs to be defined in inventory file - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: false # Disabled by default, because it leads to authentification problems + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: True # Allows embedding via iframe on landing page + ldap: True # Enables LDAP integration and networking + database: True # Enables use of central database # LDAP Account Manager lam: version: "latest" # administrator_password: "{{users.administrator.initial_password}}" # CHANGE for security reasons - ldap: - enabled: True # Should have the same value as applications.ldap.network.local. 
oauth2_proxy: - enabled: true # Activate the OAuth2 Proxy for the LDAP Webinterface application: application # Needs to be the same as webinterface port: 80 # application port # cookie_secret: None # Set via openssl rand -hex 16 - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: True # Allows embedding via iframe on landing page + ldap: True # Enables LDAP integration and networking + oauth2: False # Enables OAuth2 proxy integration + database: False # Enables use of central database ## LDAP ldap: @@ -242,8 +244,8 @@ defaults_applications: # administrator_password: # CHANGE for security reasons in inventory file # administrator_database_password: # CHANGE for security reasons in inventory file force_import: False # Forces the import of the LDIF files - ldap: - enabled: True # Enables LDAP network by default + features: + ldap: True # Enables LDAP integration and networking ## Libre Office libreoffice: 
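Review bot: Keycloak's framing flag flips from `landingpage_iframe_enabled: false # Disabled by default, because it leads to authentification problems` to `iframe: True`, and the reason is lost; allowing the identity provider's login pages to be framed also gives up the clickjacking protection that a framing restriction provides for a login form, so this should stay `iframe: False # login flow breaks in iframes; keep the IdP unframeable` unless there is a documented need. In the same hunk `lam` goes from `oauth2_proxy.enabled: true # Activate the OAuth2 Proxy for the LDAP Webinterface` to `oauth2: False`, so the LDAP Account Manager is no longer fronted by the proxy by default; if that is intended, the comment should say why, otherwise keep `oauth2: True`. The `application: application` / `port: 80` children of `oauth2_proxy` remain, so re-enabling is only the flag, which is good.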
@@ -257,31 +259,31 @@ defaults_applications: public_api_activated: False # Security hole. Can be used for spaming version: "latest" # Docker Image version setup: false # Set true in inventory file to execute the setup and initializing procedures - database: - central_storage: True # Activate Central Database Storage - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: True # Allows embedding via iframe on landing page + database: True # Enables use of central database mailu: version: "2024.06" # Docker Image Version setup: false # Set true in inventory file to execute the setup and initializing procedures oidc: - enabled: true # Activate OIDC for Mailu email_by_username: true # If true, then the mail is set by the username. If wrong then the OIDC user email is used enable_user_creation: true # Users will be created if not existing domain: "{{primary_domain}}" # The main domain from which mails will be send \ email suffix behind @ - # I don't know why the database deactivation is necessary - database: - central_storage: False # Deactivate central database for mailu credentials: # secret_key: # Set to a randomly generated 16 bytes string # database_password: # Needs to be set in inventory file # api_token: # Configures the authentication token. The minimum length is 3 characters. This is a mandatory setting for using the RESTful API. 
# initial_administrator_password: # Initial administrator password for setup - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: true # Default enabled because working well in iframe + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: True # Allows embedding via iframe on landing page + oidc: True # Enables OpenID Connect (OIDC) authentication + database: False # Enables use of central database +# Deactivate central database for mailu, I don't know why the database deactivation is necessary ## MariaDB mariadb: 
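Review bot: The explanatory comment `# Deactivate central database for mailu, I don't know why the database deactivation is necessary` is placed at column 0 after the `features:` block, where it reads as a file-level remark; attach it to the line it describes, `database: False # central DB off for mailu; reason unknown, @todo verify`. The generic `# Enables use of central database` on that same `database: False` line contradicts the value next to it. `mailu.oidc` keeps `email_by_username`, `enable_user_creation` and `domain` while its `enabled` moved to `features.oidc`, which is consistent with the other applications.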
@@ -291,25 +293,21 @@ defaults_applications: matomo: version: "latest" oauth2_proxy: - enabled: false # Deactivated atm. @todo implement -# cookie_secret: None # Set via openssl rand -hex 16 +# cookie_secret: None # Set via openssl rand -hex 16 # database_password: Null # Needs to be set in inventory file # auth_token: Null # Needs to be set in inventory file - database: - central_storage: True # Activate Central Database Storage - matomo_tracking_enabled: false # Activate in inventory file if you want to have the statistics, as soon as matomo is running - css_enabled: false # Not optimized yet for matomo - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + features: + matomo: False # Enables Matomo tracking + css: False # Enables custom CSS styling + iframe: False # Allows embedding via iframe on landing page + oauth2: False # Enables OAuth2 proxy integration + database: True # Enables use of central database ## Mastodon mastodon: version: "latest" single_user_mode: false # Set true for initial setup setup: false # Set true in inventory file to execute the setup and initializing procedures - database: - central_storage: True # Activate Central Database Storage - oidc: - enabled: True # Activate OIDC for Mastodon credentials: # Check out the README.md of the docker-mastodon role to get detailled instructions about how to setup the credentials # database_password: 
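Review bot: With `enabled` removed, `oauth2_proxy:` under matomo has only commented-out children and therefore loads as null; an inventory that switches `features.oauth2` to `True` will then hit None on any `applications.matomo.oauth2_proxy.<key>` lookup, and unlike `lam` and `openproject` there is no `application`/`port` skeleton to fill in — either drop the empty key or give it the same structure as the other proxied apps. The old comments `# Activate in inventory file if you want to have the statistics, as soon as matomo is running` and `# Not optimized yet for matomo` explained why `matomo` and `css` are `False` for this app alone; keep that information, e.g. `matomo: False # enable in inventory once Matomo itself is running`.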
@@ -322,9 +320,12 @@ defaults_applications: # deterministic_key: # key_derivation_salt: # primary_key: - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: False # Allows embedding via iframe on landing page + oidc: True # Enables OpenID Connect (OIDC) authentication + database: True # Enables use of central database ## Matrix matrix: @@ -339,13 +340,13 @@ defaults_applications: element: version: "latest" setup: false # Set true in inventory file to execute the setup and initializing procedures - database: - central_storage: True # Activate Central Database Storage - oidc: - enabled: False # Deactivated OIDC due to this issue https://github.com/matrix-org/synapse/issues/10492 - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: False # Allows embedding via iframe on landing page + oidc: False # Enables OpenID Connect (OIDC) authentication + database: True # Enables use of central database +# Deactivated OIDC due to this issue https://github.com/matrix-org/synapse/issues/10492 ## Moodle moodle: 
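Review bot: In the matrix hunk, `# Deactivated OIDC due to this issue https://github.com/matrix-org/synapse/issues/10492` sits at column 0 after the `features:` block, where the next editor will not connect it to `oidc: False`; put it inline, `oidc: False # deactivated, see https://github.com/matrix-org/synapse/issues/10492`. The generic `# Enables OpenID Connect (OIDC) authentication` on that `False` line then becomes redundant and can go.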
@@ -355,20 +356,20 @@ defaults_applications: username: "{{users.administrator.username}}" email: "{{users.administrator.email}}" version: "latest" - database: - central_storage: True # Activate Central Database Storage - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: False # Allows embedding via iframe on landing page + database: True # Enables use of central database ## MyBB mybb: version: "latest" - database: - central_storage: True # Activate Central Database Storage - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: False # Allows embedding via iframe on landing page + database: True # Enables use of central database ## Nextcloud nextcloud: 
@@ -376,17 +377,19 @@ defaults_applications: ldap: enabled: True # Enables LDAP by default oidc: - enabled: "{{ _applications_nextcloud_oidc_enabled }}" # Activate OIDC for Nextcloud + enabled: "{{ applications.nextcloud.features.oidc | default(true) }}" # Activate OIDC for Nextcloud # floavor decides which OICD plugin should be used. # Available options: oidc_login, sociallogin # @see https://apps.nextcloud.com/apps/oidc_login # @see https://apps.nextcloud.com/apps/sociallogin flavor: "oidc_login" # Keeping on sociallogin because the other option is not implemented yet - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe - database: - central_storage: True # Activate Central Database Storage + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: False # Allows embedding via iframe on landing page + ldap: True # Enables LDAP integration and networking + oidc: True # Enables OpenID Connect (OIDC) authentication + database: True # Enables use of central database credentials: # database_password: Null # Needs to be set in inventory file users: 
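Review bot: Nextcloud now carries the LDAP switch twice — the unchanged `ldap: enabled: True` block at the top of this hunk and the new `features.ldap: True` — and only the latter is what `applications.nextcloud.features.ldap` in the other hunks of this file reads, so an inventory that overrides one and not the other silently diverges; remove `ldap.enabled` or derive it the way `oidc.enabled` now is, `enabled: "{{ applications.nextcloud.features.ldap | default(true) }}"`. `oidc.enabled` references `applications.nextcloud.features.oidc` from inside `defaults_applications`; the old helper variable did the same indirectly, so this is not a new dependency, but a comment noting that `applications` is the merged view and is resolved lazily would help the next reader. The nextcloud mapping continues outside this hunk.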
@@ -577,13 +580,13 @@ defaults_applications: # enabled: false twofactor_nextcloud_notification: # Nextcloud two-factor notification: sends notifications for two-factor authentication events (https://apps.nextcloud.com/apps/twofactor_nextcloud_notification) - enabled: "{{ (not _applications_nextcloud_oidc_enabled) | lower }}" # Deactivate 2FA if oidc is active + enabled: "{{ not applications.nextcloud.features.oidc | default(true) }}" # Deactivate 2FA if oidc is active twofactor_totp: # Nextcloud two-factor TOTP: provides time-based one-time password authentication (https://apps.nextcloud.com/apps/twofactor_totp) - enabled: "{{ (not _applications_nextcloud_oidc_enabled) | lower }}" # Deactivate 2FA if oidc is active + enabled: "{{ not applications.nextcloud.features.oidc | default(true) }}" # Deactivate 2FA if oidc is active user_ldap: # Nextcloud user LDAP: integrates LDAP for user management and authentication (https://apps.nextcloud.com/apps/user_ldap) - enabled: "{{ _applications_nextcloud_ldap_enabled | lower }}" + enabled: "{{ applications.nextcloud.features.ldap | default(true) }}" user_oidc: # Nextcloud User OIDC: integrates OpenID Connect for user authentication (https://apps.nextcloud.com/apps/user_oidc) enabled: "{{ _applications_nextcloud_oidc_flavor=='user_oidc' | lower }}" 
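Review bot: The `| lower` filter was dropped from the three `enabled:` expressions, so they now render the boolean results as `True`/`False` rather than the lowercase `true`/`false` strings the old expressions produced; if the consumer (for example an `occ` invocation or a config template) compares against the string form, that is a behavioural change to verify before merging. The unchanged `user_oidc` line below still reads `_applications_nextcloud_oidc_flavor=='user_oidc' | lower`, where `lower` binds to the literal `'user_oidc'` rather than to the comparison; since this block is being touched, `enabled: "{{ (_applications_nextcloud_oidc_flavor == 'user_oidc') | lower }}"` would fix that pre-existing precedence slip.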
@@ -600,37 +603,38 @@ defaults_applications: version: "latest" # Docker Image version redirect_url: "https://{{domains.keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth" # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak. allowed_roles: admin # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe - + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: False # Allows embedding via iframe on landing page + ## Open Project openproject: version: "13" # Update when available. Sadly no rolling release implemented oauth2_proxy: - enabled: true # OpenProject doesn't support OIDC, so this procy in combination with LDAP is needed application: "proxy" port: "80" # cookie_secret: None # Set via openssl rand -hex 16 ldap: - enabled: True # Enables LDAP by default filters: administrators: True # Set true to filter administrators users: False # Set true to filter users - database: - central_storage: True # Activate Central Database Storage - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: False # Allows embedding via iframe on landing page + ldap: True # Enables LDAP integration and networking + oauth2: True # Enables OAuth2 proxy 
integration + database: True # Enables use of central database ## Peertube peertube: version: "bookworm" - database: - central_storage: True # Activate Central Database Storage - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: False # Allows embedding via iframe on landing page + database: True # Enables use of central database ## PgAdmin pgadmin: 
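Review bot: The OpenProject `oauth2_proxy` block drops `enabled: true` together with the only comment explaining the design — that OpenProject has no OIDC support, so the proxy plus LDAP stands in for it — and the replacement `oauth2: True # Enables OAuth2 proxy integration` is the generic text used for every application; carry the rationale over: `oauth2: True # OpenProject has no OIDC support; the OAuth2 proxy together with LDAP is the SSO path`. The same `oauth2_proxy.enabled` removal is repeated for pgadmin, phpldapadmin, phpmyadmin and yourls in the following hunks, but I do not see a hunk in this diff that migrates whatever consumes `oauth2_proxy.enabled` to `features.oauth2`; if such a consumer exists outside the visible files it will now hit an undefined attribute, so that migration should be confirmed before merging. `defaults_applications` begins before this hunk.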
@@ -642,56 +646,54 @@ defaults_applications: email: "{{ users.administrator.email }}" # Initial login email address password: "{{ users.administrator.initial_password }}" # Initial login password – should be overridden in inventory for security oauth2_proxy: - enabled: true # Enable OAuth2 proxy for authentication application: "application" port: "80" # cookie_secret: None # Set via: openssl rand -hex 16 - database: - central_storage: True # Uses central PostgreSQL database - matomo_tracking_enabled: "{{ matomo_tracking_enabled_default }}" # Enables/Disables Matomo Tracking - css_enabled: "{{ css_enabled_default }}" # Enables/Disables global CSS styling - landingpage_iframe_enabled: "{{ landingpage_iframe_enabled_default }}" # Enables/Disables embedding via iframe + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: False # Allows embedding via iframe on landing page + oauth2: True # Enables OAuth2 proxy integration + database: True # Enables use of central database ## phpLDAPadmin phpldapadmin: version: "2.0.0-dev" # @todo Attention: Change this as fast as released to latest - ldap: - enabled: True # Should have the same value as applications.ldap.network.local. 
oauth2_proxy: - enabled: true # Activate the OAuth2 Proxy for the LDAP Webinterface application: application # Needs to be the same as webinterface port: 8080 # application port # cookie_secret: None # Set via openssl rand -hex 16 - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: False # Allows embedding via iframe on landing page + ldap: True # Enables LDAP integration and networking + oauth2: True # Enables OAuth2 proxy integration ## PHPMyAdmin phpmyadmin: version: "latest" # Use the latest phpmyadmin version autologin: false # This is a high security risk. Just activate this option if you know what you're doing oauth2_proxy: - enabled: true port: "80" application: "application" # cookie_secret: None # Set via openssl rand -hex 16 - database: - central_storage: True # Activate Central Database Storage - css: - enabled: False # The css needs more optimation for PHPMyAdmin - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + features: + matomo: True # Enables Matomo tracking + css: False # Enables custom CSS styling + iframe: False # Allows embedding via iframe on landing page + oauth2: True # Enables OAuth2 proxy integration + database: True # Enables use of central database ## Pixelfed pixelfed: titel: "Pictures on {{primary_domain}}" version: "latest" - database: - central_storage: True # Activate Central Database Storage 
- matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: False # Allows embedding via iframe on landing page + database: True # Enables use of central database ## Postgres # Please set an version in your inventory file - Rolling release for postgres isn't recommended 
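Review bot: phpLDAPadmin's new `ldap: True # Enables LDAP integration and networking` hard-codes a literal where the removed line documented a constraint — `# Should have the same value as applications.ldap.network.local.` — so that coupling is now silent; either keep the comment on the new key or express it directly: `ldap: "{{ applications.ldap.network.local }}"`. In the phpMyAdmin block `css: False # Enables custom CSS styling` contradicts its own value; the dropped `# The css needs more optimation for PHPMyAdmin` is the comment that belongs there. `defaults_applications` begins before this hunk.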
@@ -699,50 +701,50 @@ defaults_applications: version: "latest" portfolio: - database: - central_storage: False # Portfolio doesn't use any database - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: false # Doesn't make sense to load landingpage in landingpage + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: False # Allows embedding via iframe on landing page ## Presentation presentation: - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: False # Would mess with the presentation layout - landingpage_iframe_enabled: True # Makes sense to make the documentary allways in iframe available + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: True # Allows embedding via iframe on landing page # Snipe-IT snipe_it: version: "latest" - database: - central_storage: True # Activate Central Database Storage - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: False # Allows embedding via iframe on landing page + database: True # Enables use of central database ## Sphinx sphinx: - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: true # Makes sense to make the documentary allways in iframe available + features: + matomo: True # Enables 
Matomo tracking + css: True # Enables custom CSS styling + iframe: False # Allows embedding via iframe on landing page ## Taiga taiga: version: "latest" - database: - central_storage: True # Activate Central Database Storage - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe oidc: # Taiga doesn't have a functioning oidc support at the moment # See # - https://community.taiga.io/t/taiga-and-oidc-plugin/4866 # # Due to this reason this plutin is deactivated atm - enabled: False # De\Activate OIDC for Taiga flavor: 'taigaio' # Potential flavors: robrotheram, taigaio - + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: False # Allows embedding via iframe on landing page + oidc: False # Enables OpenID Connect (OIDC) authentication + database: True # Enables use of central database ## YOURLS yourls: 
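Review bot: Two values flip in what the commit title calls a refactor: `presentation` goes from `css_enabled: False # Would mess with the presentation layout` to `css: True`, and `sphinx` goes from `landingpage_iframe_enabled: true # Makes sense to make the documentary allways in iframe available` to `iframe: False`, both carrying the generic comment. If the flips are unintended, restore them as `css: False # Global CSS would mess with the presentation layout` and `iframe: True # Documentation is meant to be embedded on the landing page`; if they are intended, the comment should say why the earlier decision was reversed. The portfolio `iframe: False` keeps its old value but likewise loses its reason (a landing page embedding itself). `defaults_applications` begins before this hunk.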
@@ -751,16 +753,16 @@ defaults_applications: username: "{{users.administrator.username}}" version: "latest" oauth2_proxy: - enabled: true application: "application" port: "80" location: "/admin/" # Protects the admin area # cookie_secret: None # Set via openssl rand -hex 16 - database: - central_storage: True # Activate Central Database Storage - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: "{{css_enabled_default}}" # Enables\Disables Global CSS Style - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe + features: + matomo: True # Enables Matomo tracking + css: True # Enables custom CSS styling + iframe: False # Allows embedding via iframe on landing page + oauth2: True # Enables OAuth2 proxy integration + database: True # Enables use of central database wordpress: # Deactivate Global theming for wordpress role 
@@ -769,16 +771,18 @@ defaults_applications: # # May a solution could be to generate a template or css file dedicated # for wordpress based on the theming values and import it. - database: - central_storage: True # Activate Central Database Storage - matomo_tracking_enabled: "{{matomo_tracking_enabled_default}}" # Enables\Disables Matomo Tracking - css_enabled: false # CSS is hard to tweak for wordpress - landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}" # Enables\Disables the possibility to embed this on landing page via iframe - oidc: - enabled: true # Activate OIDC - title: "Blog" - credentials: - administrator: - username: "{{users.administrator.username}}" # Username of the wordpress administrator -# password: # Password of the wordpress administrator - email: "{{users.administrator.email}}" # Email of the wordpress adminsitrator \ No newline at end of file + title: "Blog" # Wordpress titel + credentials: # Credentials + administrator: # Wordpress administrator + username: "{{users.administrator.username}}" # Username of the wordpress administrator +# password: # Password of the wordpress administrator + email: "{{users.administrator.email}}" # Email of the wordpress adminsitrator + plugins: + discourse: false + oidc: true + features: + matomo: True # Enables Matomo tracking + css: False # Enables custom CSS styling + iframe: False # Allows embedding via iframe on landing page + oidc: True # Enables OpenID Connect (OIDC) authentication + database: True # Enables use of central database \ No newline at end of file diff --git a/main.py b/main.py index 207714b7..b4d06cfd 100755 --- a/main.py +++ b/main.py 
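Review bot: The WordPress block ends up with two independent OIDC switches, `plugins.oidc: true` and `features.oidc: True`, with nothing tying them together, so an inventory that turns one off leaves the other on. Since the Nextcloud block in this same diff already derives values from the `features` map, do the same here: `oidc: "{{ applications.wordpress.features.oidc }}"`, leaving `features.oidc` as the single source of truth. `defaults_applications` begins before this hunk.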
@@ -7,7 +7,7 @@ import os def run_ansible_vault(action, filename, password_file): """Execute an ansible-vault command with the specified action on a file.""" cmd = ["ansible-vault", action, filename, "--vault-password-file", password_file] - subprocess.run(cmd, check=True) + subprocess.run(cmd, check=True) def run_ansible_playbook(inventory: str, playbook: str, modes: dict, limit: str = None, password_file: str = None, verbose: int = 0): """Execute an ansible-playbook command with optional parameters.""" @@ -30,7 +30,7 @@ def run_ansible_playbook(inventory: str, playbook: str, modes: dict, limit: str if verbose: # Append a single flag with multiple "v"s (e.g. -vvv) cmd.append("-" + "v" * verbose) - + subprocess.run(['make','build'], check=True) subprocess.run(cmd, check=True) def main(): diff --git a/requirements.yml b/requirements.yml index e8e4a0a7..2440e357 100644 --- a/requirements.yml +++ b/requirements.yml @@ -2,4 +2,6 @@ collections: - name: kewlfft.aur pacman: - ansible - - python-passlib \ No newline at end of file + - python-passlib +pkgmgr: + - j2r \ No newline at end of file diff --git a/roles/docker-bigbluebutton/templates/env.j2 b/roles/docker-bigbluebutton/templates/env.j2 index 5d0c646b..cddee5c2 100644 --- a/roles/docker-bigbluebutton/templates/env.j2 +++ b/roles/docker-bigbluebutton/templates/env.j2 @@ -161,7 +161,7 @@ OFFICE365_HD= # It is useful for cases when Greenlight is deployed behind a Network Load Balancer or proxy OAUTH2_REDIRECT= -{% if applications[application_id].ldap.enabled | bool %} +{% if applications[application_id].features.ldap | bool %} # LDAP Login Provider (optional) # # You can enable LDAP authentication by providing values for the variables below. 
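Review bot: `subprocess.run(['make','build'], check=True)` in the second main.py hunk runs `make build` in whatever directory the caller happens to be in, so the build only works when main.py is started from the repository root and any other Makefile in the current directory would be executed instead; `os` is already imported (the first hunk header shows it), so anchor it: `subprocess.run(['make', 'build'], check=True, cwd=os.path.dirname(os.path.abspath(__file__)))`. A build step is also an unexpected side effect of a function named `run_ansible_playbook`; a comment such as `# Run the Makefile build target before every playbook run` or moving the call into `main()` would make the coupling visible. As written, a missing `make` surfaces as a bare `FileNotFoundError` and a failed build as `CalledProcessError`, neither pointing the operator at the Makefile. The enclosing `run_ansible_playbook` body starts before this hunk.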
@@ -286,7 +286,7 @@ HELP_URL=https://docs.bigbluebutton.org/greenlight/gl-overview.html # approval - For approve/decline registration DEFAULT_REGISTRATION=invite -{% if applications[application_id].oidc.enabled | bool %} +{% if applications[application_id].features.oidc | bool %} ### EXTERNAL AUTHENTICATION METHODS # @See https://docs.bigbluebutton.org/greenlight/v3/external-authentication/ # diff --git a/roles/docker-central-database/tasks/main.yml b/roles/docker-central-database/tasks/main.yml index c6f4a1d2..756a9a14 100644 --- a/roles/docker-central-database/tasks/main.yml +++ b/roles/docker-central-database/tasks/main.yml @@ -16,12 +16,12 @@ src: "env/{{database_type}}.env.j2" dest: "{{database_env}}" notify: docker compose project build and setup - when: not applications[application_id].database.central_storage | bool + when: not applications[application_id].features.database | bool - name: "Create central database" include_role: name: "docker-{{database_type}}" - when: applications[application_id].database.central_storage | bool + when: applications[application_id].features.database | bool - name: "Add database to backup" include_tasks: "{{ playbook_dir }}/roles/backup-docker-to-local/tasks/seed-database-to-backup.yml" \ No newline at end of file diff --git a/roles/docker-central-database/templates/services/mariadb.yml.j2 b/roles/docker-central-database/templates/services/mariadb.yml.j2 index 9ebf4d61..04c9e1a6 100644 --- a/roles/docker-central-database/templates/services/mariadb.yml.j2 +++ b/roles/docker-central-database/templates/services/mariadb.yml.j2 @@ -1,5 +1,5 @@ # This template needs to be included in docker-compose.yml, which depend on a mariadb database -{% if not applications[application_id].database.central_storage | bool %} +{% if not applications[application_id].features.database | bool %} database: container_name: {{application_id}}-database logging: 
diff --git a/roles/docker-central-database/templates/services/postgres.yml.j2 b/roles/docker-central-database/templates/services/postgres.yml.j2 index 7d9d0ccf..847c05ee 100644 --- a/roles/docker-central-database/templates/services/postgres.yml.j2 +++ b/roles/docker-central-database/templates/services/postgres.yml.j2 @@ -1,5 +1,5 @@ # This template needs to be included in docker-compose.yml, which depend on a postgres database -{% if not applications[application_id].database.central_storage | bool %} +{% if not applications[application_id].features.database | bool %} database: image: postgres:{{applications.postgres.version}}-alpine container_name: {{application_id}}-database diff --git a/roles/docker-central-database/vars/database.yml b/roles/docker-central-database/vars/database.yml index 3b35215f..eb19dfa0 100644 --- a/roles/docker-central-database/vars/database.yml +++ b/roles/docker-central-database/vars/database.yml @@ -1,5 +1,5 @@ -database_instance: "{{ 'central-' + database_type if applications[application_id].database.central_storage | bool else application_id }}" -database_host: "{{ 'central-' + database_type if applications[application_id].database.central_storage | bool else 'database' }}" +database_instance: "{{ 'central-' + database_type if applications[application_id].features.database | bool else application_id }}" +database_host: "{{ 'central-' + database_type if applications[application_id].features.database | bool else 'database' }}" database_name: "{{ application_id }}" database_username: "{{ application_id }}" database_port: "{{ 3306 if database_type == 'mariadb' else 5432 }}" diff --git a/roles/docker-discourse/handlers/main.yml b/roles/docker-discourse/handlers/main.yml index 665e38c0..e066721c 100644 --- a/roles/docker-discourse/handlers/main.yml +++ b/roles/docker-discourse/handlers/main.yml 
@@ -11,7 +11,7 @@ command: cmd: "docker network connect {{applications.discourse.network}} central-{{ database_type }}" ignore_errors: true - when: applications[application_id].database.central_storage | bool + when: applications[application_id].features.database | bool listen: recreate discourse - name: rebuild discourse diff --git a/roles/docker-discourse/tasks/main.yml b/roles/docker-discourse/tasks/main.yml index 5edfca1c..bc4547ed 100644 --- a/roles/docker-discourse/tasks/main.yml +++ b/roles/docker-discourse/tasks/main.yml @@ -68,10 +68,10 @@ command: cmd: "docker network connect central_postgres {{applications.discourse.container}}" ignore_errors: true - when: applications[application_id].database.central_storage | bool + when: applications[application_id].features.database | bool - name: "remove central database from {{application_id}}_default" command: cmd: "docker network disconnect {{applications.discourse.network}} central-{{ database_type }}" ignore_errors: true - when: applications[application_id].database.central_storage | bool + when: applications[application_id].features.database | bool diff --git a/roles/docker-discourse/templates/discourse_application.yml.j2 b/roles/docker-discourse/templates/discourse_application.yml.j2 index 2f2a0129..44e7e3c2 100644 --- a/roles/docker-discourse/templates/discourse_application.yml.j2 +++ b/roles/docker-discourse/templates/discourse_application.yml.j2 @@ -1,5 +1,5 @@ templates: -{% if not applications[application_id].database.central_storage | bool %} +{% if not applications[application_id].features.database | bool %} - "templates/postgres.template.yml" {% endif %} #- "templates/redis.template.yml" 
@@ -112,7 +112,7 @@ run: ## If you want to set the 'From' email address for your first registration, uncomment and change: ## After getting the first signup email, re-comment the line. It only needs to run once. #- exec: rails r "SiteSetting.notification_email='info@unconfigured.discourse.org'" -{% if applications[application_id].oidc.enabled | bool %} +{% if applications[application_id].features.oidc | bool %} # Deactivate Default Login - exec: rails r "SiteSetting.enable_local_logins = false" - exec: rails r "SiteSetting.enable_passkeys = false" # https://meta.discourse.org/t/passwordless-login-using-passkeys/285589 diff --git a/roles/docker-friendica/vars/main.yml b/roles/docker-friendica/vars/main.yml index df4d4f47..817aa6aa 100644 --- a/roles/docker-friendica/vars/main.yml +++ b/roles/docker-friendica/vars/main.yml @@ -1,4 +1,4 @@ application_id: "friendica" database_password: "{{friendica_database_password}}" database_type: "mariadb" -no_validation: "{{applications[application_id].oidc.enabled}}" # Email validation is not neccessary if OIDC is active \ No newline at end of file +no_validation: "{{applications[application_id].features.oidc}}" # Email validation is not neccessary if OIDC is active \ No newline at end of file diff --git a/roles/docker-funkwhale/templates/env.j2 b/roles/docker-funkwhale/templates/env.j2 index 5020a03f..35c2a58a 100644 --- a/roles/docker-funkwhale/templates/env.j2 +++ b/roles/docker-funkwhale/templates/env.j2 @@ -100,7 +100,7 @@ DJANGO_SETTINGS_MODULE=config.settings.production # Generate one using `openssl rand -base64 45`, for example DJANGO_SECRET_KEY={{funkwhale_django_secret}} -{% if applications[application_id].ldap.enabled | bool %} +{% if applications[application_id].features.ldap | bool %} # LDAP settings # Use the following options to allow authentication on your Funkwhale instance # using a LDAP directory. 
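Review bot: `no_validation: "{{applications[application_id].features.oidc}}"` does not pipe the flag through `| bool`, unlike the funkwhale and discourse hunks on this same line; because this value switches off e-mail validation, it should be coerced explicitly so a string such as `"false"` from an inventory cannot be treated as truthy downstream: `no_validation: "{{ applications[application_id].features.oidc | bool }}"`. Whether the consumer of `no_validation` already coerces it is outside this hunk.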
diff --git a/roles/docker-mailu/templates/env.j2 b/roles/docker-mailu/templates/env.j2 index 19c2909e..6cb59888 100644 --- a/roles/docker-mailu/templates/env.j2 +++ b/roles/docker-mailu/templates/env.j2 @@ -151,14 +151,14 @@ API_TOKEN={{applications.mailu.credentials.api_token}} AUTH_REQUIRE_TOKENS=True -{% if applications[application_id].oidc.enabled | bool %} +{% if applications[application_id].features.oidc | bool %} ################################### # OpenID Connect settings ################################### # @see https://github.com/heviat/Mailu-OIDC/tree/master # Enable OpenID Connect. Possible values: True, False -OIDC_ENABLED={{ applications[application_id].oidc.enabled | string | capitalize }} +OIDC_ENABLED={{ applications[application_id].features.oidc | string | capitalize }} # OpenID Connect provider configuration URL OIDC_PROVIDER_INFO_URL={{oidc.client.issuer_url}} @@ -182,7 +182,7 @@ OIDC_CHANGE_PASSWORD_REDIRECT_ENABLED=True # Redirect URL for password change. Defaults to provider issuer url appended by /.well-known/change-password OIDC_CHANGE_PASSWORD_REDIRECT_URL={{oidc.client.change_credentials}} -{% if applications[application_id].oidc.enabled | bool %} +{% if applications[application_id].features.oidc | bool %} # The OIDC claim used as the username. If the selected claim contains an email address, it will be used as is. If it is not an email (e.g., sub), the email address will be constructed as @. Defaults to email. OIDC_USERNAME_CLAIM={{oidc.attributes.username}} diff --git a/roles/docker-mailu/vars/main.yml b/roles/docker-mailu/vars/main.yml index 7340db66..3132dbd0 100644 --- a/roles/docker-mailu/vars/main.yml +++ b/roles/docker-mailu/vars/main.yml 
@@ -6,7 +6,7 @@ enable_wildcard_certificate: false # Use dedicated source for oidc if activated # @see https://github.com/heviat/Mailu-OIDC/tree/2024.06 -docker_source: "{{ 'ghcr.io/heviat' if applications[application_id].oidc.enabled | bool else 'ghcr.io/mailu' }}" +docker_source: "{{ 'ghcr.io/heviat' if applications[application_id].features.oidc | bool else 'ghcr.io/mailu' }}" domain: "{{ domains[application_id] }}" http_port: "{{ ports.localhost.http[application_id] }}" \ No newline at end of file diff --git a/roles/docker-mastodon/templates/env.j2 b/roles/docker-mastodon/templates/env.j2 index d1bd6421..9baa3ee9 100644 --- a/roles/docker-mastodon/templates/env.j2 +++ b/roles/docker-mastodon/templates/env.j2 @@ -52,14 +52,14 @@ SMTP_OPENSSL_VERIFY_MODE=none SMTP_ENABLE_STARTTLS=auto SMTP_FROM_ADDRESS=Mastodon <{{system_email.from}}> -{% if applications[application_id].oidc.enabled | bool %} +{% if applications[application_id].features.oidc | bool %} ################################### # OpenID Connect settings ################################### # @see https://github.com/mastodon/mastodon/pull/16221 # @see https://stackoverflow.com/questions/72081776/how-mastodon-configured-login-using-sso -OIDC_ENABLED={{ applications[application_id].oidc.enabled | string | lower }} +OIDC_ENABLED={{ applications[application_id].features.oidc | string | lower }} OIDC_DISPLAY_NAME="{{oidc.button_text}}" OIDC_ISSUER={{oidc.client.issuer_url}} OIDC_DISCOVERY=true diff --git a/roles/docker-matrix-compose/tasks/create-and-seed-database.yml b/roles/docker-matrix-compose/tasks/create-and-seed-database.yml index b6598b9b..36e512c4 100644 --- a/roles/docker-matrix-compose/tasks/create-and-seed-database.yml +++ b/roles/docker-matrix-compose/tasks/create-and-seed-database.yml 
@@ -7,7 +7,7 @@ - name: "create {{database_name}} database" include_role: name: docker-postgres - when: applications[application_id].database.central_storage | bool + when: applications[application_id].features.database | bool - name: "include seed-database-to-backup.yml" include_tasks: "{{ playbook_dir }}/roles/backup-docker-to-local/tasks/seed-database-to-backup.yml" \ No newline at end of file diff --git a/roles/docker-matrix-compose/templates/synapse/homeserver.yaml.j2 b/roles/docker-matrix-compose/templates/synapse/homeserver.yaml.j2 index a3bbab4c..2fa0cb61 100644 --- a/roles/docker-matrix-compose/templates/synapse/homeserver.yaml.j2 +++ b/roles/docker-matrix-compose/templates/synapse/homeserver.yaml.j2 @@ -45,7 +45,7 @@ email: client_base_url: "{{domains.matrix_synapse}}" validation_token_lifetime: 15m -{% if applications[application_id].oidc.enabled | bool %} +{% if applications[application_id].features.oidc | bool %} # @See https://matrix-org.github.io/synapse/latest/openid.html oidc_providers: - idp_id: keycloak diff --git a/roles/docker-nextcloud/templates/config/oidc.config.php.j2 b/roles/docker-nextcloud/templates/config/oidc.config.php.j2 index cb9da342..ee71a08c 100644 --- a/roles/docker-nextcloud/templates/config/oidc.config.php.j2 +++ b/roles/docker-nextcloud/templates/config/oidc.config.php.j2 @@ -146,7 +146,7 @@ return array ( // // The `id` attribute in `oidc_login_attributes` must return the // "Internal Username" (see expert settings in LDAP integration) - 'oidc_login_proxy_ldap' => {{applications[application_id].ldap.enabled | string | lower}}, + 'oidc_login_proxy_ldap' => {{applications[application_id].features.ldap | string | lower}}, // Disable creation of users new to Nextcloud from OIDC login. // A user may be known to the IdP but not (yet) known to Nextcloud. diff --git a/roles/docker-openproject/tasks/main.yml b/roles/docker-openproject/tasks/main.yml index 77f942ef..f63314a1 100644 --- a/roles/docker-openproject/tasks/main.yml 
+++ b/roles/docker-openproject/tasks/main.yml @@ -59,4 +59,4 @@ - name: Setup LDAP include_tasks: ldap.yml - when: applications[application_id].ldap.enabled | bool \ No newline at end of file + when: applications[application_id].features.ldap | bool \ No newline at end of file diff --git a/roles/docker-pgadmin/vars/main.yml b/roles/docker-pgadmin/vars/main.yml index 24eeabf3..98b56d48 100644 --- a/roles/docker-pgadmin/vars/main.yml +++ b/roles/docker-pgadmin/vars/main.yml @@ -1,6 +1,6 @@ application_id: "pgadmin" database_type: "postgres" -database_host: "{{ 'central-' + database_type if applications[application_id].database.central_storage }}" +database_host: "{{ 'central-' + database_type if applications[application_id].features.database }}" database_var_file: "{{playbook_dir}}/roles/docker-central-database/vars/database.yml" pgadmin_user: 5050 pgadmin_group: "{{pgadmin_user}}" \ No newline at end of file diff --git a/roles/docker-phpmyadmin/vars/main.yml b/roles/docker-phpmyadmin/vars/main.yml index 7ba56590..73a054d9 100644 --- a/roles/docker-phpmyadmin/vars/main.yml +++ b/roles/docker-phpmyadmin/vars/main.yml @@ -1,3 +1,3 @@ application_id: "phpmyadmin" database_type: "mariadb" -database_host: "{{ 'central-' + database_type if applications[application_id].database.central_storage}}" \ No newline at end of file +database_host: "{{ 'central-' + database_type if applications[application_id].features.database}}" \ No newline at end of file diff --git a/roles/docker-portfolio/lookup_plugins/docker_cards.py b/roles/docker-portfolio/lookup_plugins/docker_cards.py index fb614e95..6161fe2a 100644 --- a/roles/docker-portfolio/lookup_plugins/docker_cards.py +++ b/roles/docker-portfolio/lookup_plugins/docker_cards.py 
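Review bot: `database_host: "{{ 'central-' + database_type if applications[application_id].features.database }}"` in the pgadmin hunk has no `else` branch, so when `features.database` is false the variable renders empty or undefined instead of the local `database` service name that `docker-central-database/vars/database.yml` in this same diff falls back to; it also skips the `| bool` coercion the rest of the diff applies. Align it with that file: `database_host: "{{ 'central-' + database_type if applications[application_id].features.database | bool else 'database' }}"`. The phpmyadmin `vars/main.yml` hunk on this same line has the identical construction.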
@@ -22,7 +22,7 @@ class LookupModule(LookupBase): - Retrieves the icon class from galaxy_info.logo.class - Retrieves the tags from galaxy_info.galaxy_tags - Builds the URL using the 'domains' variable (e.g. domains[application_id]) - - Sets the iframe flag from applications[application_id].landingpage_iframe_enabled + - Sets the iframe flag from applications[application_id].features.iframe Only cards whose application_id is included in the variable group_names are returned. """ @@ -98,7 +98,7 @@ class LookupModule(LookupBase): url = "https://" + domain_url if domain_url else "" app_data = applications.get(application_id, {}) - iframe = app_data.get("landingpage_iframe_enabled", False) + iframe = app_data.get("features", {}).get("iframe", False) # Build card dictionary card = { diff --git a/roles/docker-portfolio/templates/config.yaml.j2 b/roles/docker-portfolio/templates/config.yaml.j2 index 3ad4e115..78f9cbf3 100644 --- a/roles/docker-portfolio/templates/config.yaml.j2 +++ b/roles/docker-portfolio/templates/config.yaml.j2 @@ -28,7 +28,7 @@ accounts: class: fa-brands fa-mastodon url: "https://{{ service_provider.contact.mastodon.split('@')[2] }}/@{{ service_provider.contact.mastodon.split('@')[1] }}" identifier: "{{service_provider.contact.mastodon}}" - iframe: {{ applications | get_landingpage_iframe_enabled('mastodon') }} + iframe: {{ applications | get_features_iframe('mastodon') }} {% endif %} {% if service_provider.contact.bluesky is defined and service_provider.contact.bluesky != "" %} @@ -52,7 +52,7 @@ accounts: class: fa-solid fa-camera identifier: "{{service_provider.contact.pixelfed}}" url: "https://{{ service_provider.contact.pixelfed.split('@')[2] }}/@{{ service_provider.contact.pixelfed.split('@')[1] }}" - iframe: {{ applications | get_landingpage_iframe_enabled('pixelfed') }} + iframe: {{ applications | get_features_iframe('pixelfed') }} {% endif %} {% if service_provider.contact.peertube is defined and service_provider.contact.peertube != "" %} 
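Review bot: `app_data.get("features", {}).get("iframe", False)` survives a missing `features` key but not an empty one: a YAML entry written as `features:` with nothing beneath it loads as `None`, and `.get` on `None` raises `AttributeError` inside the lookup. `(app_data.get("features") or {}).get("iframe", False)` handles both cases with the same default. The docstring hunk above is consistent with the new path; the enclosing method continues outside the hunk.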
@@ -64,7 +64,7 @@ accounts: class: fa-solid fa-video identifier: "{{service_provider.contact.peertube}}" url: "https://{{ service_provider.contact.peertube.split('@')[2] }}/@{{ service_provider.contact.peertube.split('@')[1] }}" - iframe: {{ applications | get_landingpage_iframe_enabled('peertube') }} + iframe: {{ applications | get_features_iframe('peertube') }} {% endif %} {% if service_provider.contact.wordpress is defined and service_provider.contact.wordpress != "" %} @@ -76,7 +76,7 @@ accounts: class: fa-solid fa-blog identifier: "{{service_provider.contact.wordpress}}" url: "https://{{ service_provider.contact.wordpress.split('@')[2] }}/@{{ service_provider.contact.wordpress.split('@')[1] }}" - iframe: {{ applications | get_landingpage_iframe_enabled('wordpress') }} + iframe: {{ applications | get_features_iframe('wordpress') }} {% endif %} {% if service_provider.contact.source_code is defined and service_provider.contact.source_code != "" %} @@ -98,7 +98,7 @@ accounts: class: fas fa-network-wired identifier: "{{service_provider.contact.friendica}}" url: "https://{{ service_provider.contact.friendica.split('@')[2] }}/@{{ service_provider.contact.friendica.split('@')[1] }}" - iframe: {{ applications | get_landingpage_iframe_enabled('friendica') }} + iframe: {{ applications | get_features_iframe('friendica') }} {% endif %} diff --git a/roles/docker-portfolio/templates/footer_menu.yaml.j2 b/roles/docker-portfolio/templates/footer_menu.yaml.j2 index ee7d8442..d00e832a 100644 --- a/roles/docker-portfolio/templates/footer_menu.yaml.j2 +++ b/roles/docker-portfolio/templates/footer_menu.yaml.j2 
@@ -37,13 +37,13 @@ icon: class: fa-solid fa-shield-halved url: https://{{domains.keycloak}}/admin - iframe: {{ applications | get_landingpage_iframe_enabled('keycloak') }} + iframe: {{ applications | get_features_iframe('keycloak') }} - name: Profile description: Update your personal admin settings icon: class: fa-solid fa-user-gear url: https://{{ domains.keycloak }}/realms/{{oidc.client.id}}/account - iframe: {{ applications | get_landingpage_iframe_enabled('keycloak') }} + iframe: {{ applications | get_features_iframe('keycloak') }} - name: Logout description: End your admin session securely icon: @@ -113,7 +113,7 @@ icon: class: fas fa-book url: https://{{domains.sphinx}} - iframe: {{ applications | get_landingpage_iframe_enabled('sphinx') }} + iframe: {{ applications | get_features_iframe('sphinx') }} {% endif %} @@ -124,7 +124,7 @@ icon: class: "fas fa-chalkboard-teacher" url: https://{{domains.presentation}} - iframe: {{ applications | get_landingpage_iframe_enabled('presentation') }} + iframe: {{ applications | get_features_iframe('presentation') }} {% endif %} diff --git a/roles/docker-snipe_it/templates/env.j2 b/roles/docker-snipe_it/templates/env.j2 index 014b87a8..9d54e589 100644 --- a/roles/docker-snipe_it/templates/env.j2 +++ b/roles/docker-snipe_it/templates/env.j2 @@ -27,7 +27,7 @@ DB_DATABASE={{database_name}} DB_USERNAME={{database_username}} DB_PASSWORD={{database_password}} -{% if not applications[application_id].database.central_storage | bool %} +{% if not applications[application_id].features.database | bool %} MYSQL_ROOT_PASSWORD={{database_password}} DB_PREFIX=null DB_DUMP_PATH='/usr/bin' diff --git a/roles/docker-taiga/tasks/main.yml b/roles/docker-taiga/tasks/main.yml index 3a1e2432..20db5088 100644 --- a/roles/docker-taiga/tasks/main.yml +++ b/roles/docker-taiga/tasks/main.yml 
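Review bot: `{% if not applications[application_id].features.database | bool %}` reads `features.database` with no default, so an application whose feature block omits `database` fails the render with an undefined-variable error instead of falling back to the local MariaDB branch. The volumes templates in this same commit guard the same key with `| default(false)`, while the three `templates/docker/container/depends-on-*.yml.j2` hunks share this unguarded form. Using `{% if not (applications[application_id].features.database | default(false)) | bool %}` here and in those templates keeps one behaviour across the set. Since the old key name `central_storage` said what true meant and `features.database` does not, a one-line `{# features.database: true = use the central database, false = local DB container #}` at the top of this template would help the next reader.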
@@ -18,7 +18,7 @@ template: src: "taiga/{{item}}.py.j2" dest: "{{ docker_compose.directories.config }}taiga-{{item}}.py" - when: applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'taigaio' + when: applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'taigaio' notify: docker compose project build and setup loop: "{{ settings_files }}" diff --git a/roles/docker-taiga/templates/docker-compose.yml.j2 b/roles/docker-taiga/templates/docker-compose.yml.j2 index bea672de..37040149 100644 --- a/roles/docker-taiga/templates/docker-compose.yml.j2 +++ b/roles/docker-taiga/templates/docker-compose.yml.j2 @@ -9,7 +9,7 @@ services: - media-data:/taiga-back/media # - ./config.py:/taiga-back/settings/config.py -{% if applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'taigaio' %} +{% if applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'taigaio' %} - {{ docker_compose.directories.config }}taiga-local.py:/taiga-back/settings/local.py:ro @@ -22,7 +22,7 @@ services: condition: service_started taiga-async-rabbitmq: condition: service_started -{% if applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'taigaio' %} +{% if applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'taigaio' %} command: > /bin/sh -c " @@ -42,7 +42,7 @@ services: - media-data:/taiga-back/media # - ./config.py:/taiga-back/settings/config.py -{% if applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'taigaio' %} +{% if applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'taigaio' %} {% for item in settings_files %} - {{ docker_compose.directories.config }}taiga-{{ item }}.py:/taiga-back/settings/{{ item }}.py:ro 
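Review bot: `when: applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'taigaio'` tests the feature flag without `| bool`, whereas the WordPress task changed in this same commit writes `applications[application_id].features.oidc | bool`; a quoted `"false"` from an inventory is truthy in the taiga form. The same unconverted test is repeated in the three docker-compose.yml.j2 hunks, the env.j2 hunk and both image selectors in vars/main.yml of the taiga role. Suggest `when: applications[application_id].features.oidc | bool and applications[application_id].oidc.flavor == 'taigaio'` here and the matching `| bool` in the templates.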
@@ -57,7 +57,7 @@ services: condition: service_started taiga-async-rabbitmq: condition: service_started -{% if applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'taigaio' %} +{% if applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'taigaio' %} command: > /bin/sh -c " diff --git a/roles/docker-taiga/templates/env.j2 b/roles/docker-taiga/templates/env.j2 index db74afd2..1f5858e2 100644 --- a/roles/docker-taiga/templates/env.j2 +++ b/roles/docker-taiga/templates/env.j2 @@ -47,7 +47,7 @@ MAX_AGE = 360 # Taiga's Telemetry - Variable to enable or disable the anonymous telemetry ENABLE_TELEMETRY = True -{% if applications[application_id].oidc.enabled %} +{% if applications[application_id].features.oidc %} {% if applications[application_id].oidc.flavor == 'taigaio' %} diff --git a/roles/docker-taiga/vars/main.yml b/roles/docker-taiga/vars/main.yml index 08a7769d..7da120db 100644 --- a/roles/docker-taiga/vars/main.yml +++ b/roles/docker-taiga/vars/main.yml 
@@ -5,10 +5,10 @@ docker_repository_address: "https://github.com/taigaio/taiga-docker" email_backend: "smtp" ## use an SMTP server or display the emails in the console (either "smtp" or "console") docker_compose_init: "{{docker_compose.directories.instance}}docker-compose-inits.yml.j2" taiga_image_backend: >- - {{ 'robrotheram/taiga-back-openid' if applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'robrotheram' + {{ 'robrotheram/taiga-back-openid' if applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'robrotheram' else 'taigaio/taiga-back' }} taiga_image_frontend: >- - {{ 'robrotheram/taiga-front-openid' if applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'robrotheram' + {{ 'robrotheram/taiga-front-openid' if applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'robrotheram' else 'taigaio/taiga-front' }} taiga_frontend_conf_path: "{{docker_compose.directories.config}}conf.json" diff --git a/roles/docker-wordpress/tasks/main.yml b/roles/docker-wordpress/tasks/main.yml index 50708de3..b7ab4619 100644 --- a/roles/docker-wordpress/tasks/main.yml +++ b/roles/docker-wordpress/tasks/main.yml @@ -39,4 +39,8 @@ - name: "Activating OIDC when enabled." include_tasks: oidc.yml - when: applications[application_id].oidc.enabled | bool + when: applications[application_id].features.oidc | bool + +#- name: "Activating WP Discourse when enabled" +# include_tasks: wp_discourse.yml +# when: applications[application_id].wp_discourse.enabled | bool diff --git a/roles/docker-wordpress/tasks/setup-discourse-api-key.yml b/roles/docker-wordpress/tasks/setup-discourse-api-key.yml new file mode 100644 index 00000000..6936b57c --- /dev/null +++ b/roles/docker-wordpress/tasks/setup-discourse-api-key.yml 
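Review bot: The commented-out include for wp_discourse.yml leaves the new tasks/wp_discourse.yml, tasks/setup-discourse-api-key.yml and vars/wp_discourse.yml unreachable from this role, and its condition `applications[application_id].wp_discourse.enabled | bool` does not follow the `features.*` scheme the rest of the commit migrates to. If the integration is not ready, a `# @todo` line saying so (as tasks/constructor.yml does in this commit) is clearer than a disabled task; if it is, the include belongs behind a `features` flag like the OIDC task directly above it. Note also that a role's vars/ files other than main.yml are not loaded automatically, so `discourse_settings` from vars/wp_discourse.yml is undefined unless an `include_vars` brings it in.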
@@ -0,0 +1,23 @@ +--- +- name: "Create Discourse API key for WordPress integration" + uri: + url: "https://{{ domains.discourse }}/admin/api/keys" + method: POST + headers: + Content-Type: "application/json" + Api-Key: "{{ applications.discourse.master_api_key }}" + Api-Username: "{{ applications.discourse.master_api_username | default('admin') }}" + body_format: json + body: + key: + description: "WP Discourse Integration" + username: "system" + return_content: true + status_code: 200 + register: discourse_api_key_response + when: applications.discourse.master_api_key is defined + +- name: "Set fact for vault_discourse_api_key" + set_fact: + vault_discourse_api_key: "{{ discourse_api_key_response.json.key.key }}" + when: discourse_api_key_response is defined and discourse_api_key_response.json.key is defined diff --git a/roles/docker-wordpress/tasks/wp_discourse.yml b/roles/docker-wordpress/tasks/wp_discourse.yml new file mode 100644 index 00000000..d945f8cf --- /dev/null +++ b/roles/docker-wordpress/tasks/wp_discourse.yml @@ -0,0 +1,17 @@ +--- +- name: "Install WP Discourse plugin" + command: > + docker-compose exec -u www-data -T application + wp plugin install wp-discourse --activate + --path={{ wordpress_docker_html_path }} + args: + chdir: "{{ docker_compose.directories.instance }}" + +- name: "Configure WP Discourse settings" + vars: + discourse_settings_json_b64: "{{ discourse_settings | to_json | b64encode }}" + command: > + docker-compose exec -u www-data -T application bash -lc + "wp eval \"update_option('wp_discourse_options', json_decode(base64_decode('{{ discourse_settings_json_b64 }}'), true));\" --path={{ wordpress_docker_html_path }}" + args: + chdir: "{{ docker_compose.directories.instance }}" diff --git a/roles/docker-wordpress/vars/wp_discourse.yml b/roles/docker-wordpress/vars/wp_discourse.yml new file mode 100644 index 00000000..084e9542 --- /dev/null +++ b/roles/docker-wordpress/vars/wp_discourse.yml 
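Review bot: The generated Discourse API key is exposed in task output: `return_content: true` with `register:` and no `no_log: true` means the response body (`json.key.key`) and the `Api-Key` request header are printed at `-v` and on failure, and the following `set_fact` echoes the key again; add `no_log: true` to both tasks. The variable paths also do not line up — this task reads `applications.discourse.master_api_key` / `master_api_username`, the defaults template added in this commit defines `credentials.master_api.key` and `credentials.master_api.username`, and vars/wp_discourse.yml reads `applications.discourse.api_key`, so with the defaults as written the `when:` is never true and `vault_discourse_api_key` is never consumed. Each run that does execute mints a new key via POST to `/admin/api/keys` and nothing revokes the previous one; persisting the key in the inventory and creating it only when absent would make the task idempotent. Lastly, when the first task is skipped `discourse_api_key_response` is still defined, so whether the second `when:` sees `.json.key` as undefined or raises depends on the skipped-result shape — worth checking.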
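Review bot: The `command:` in "Configure WP Discourse settings" embeds `discourse_settings_json_b64`, which is the base64 of `discourse_settings` including `discourse_api_key` and `discourse_sso_secret`; Ansible records `cmd` in the task result and prints it on failure, so both secrets reach logs unless the task carries `no_log: true`. Base64 only sidesteps shell quoting here, it does not protect the values. The `wp plugin install wp-discourse --activate` task has no `creates:` or `changed_when:` guard, so it reports changed on every run and, depending on the wp-cli version, may error once the plugin is already installed — a preceding `wp plugin is-installed wp-discourse` check would make it idempotent. `wordpress_docker_html_path`, used by both commands, is not defined anywhere in this diff; presumably it comes from the role's existing vars.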
@@ -0,0 +1,10 @@ +# Defines WP Discourse plugin settings +# @see https://github.com/discourse/wp-discourse + +discourse_settings: + publish_discourse_posts: true + discourse_url: "https://{{ domains.discourse }}" + discourse_api_key: "{{ applications.discourse.api_key }}" + discourse_username: "system" + discourse_use_sso: false # You can change this depending on your integration style + discourse_sso_secret: "{{ applications.wordpress.credentials.discourse_sso_secret | default('') }}" \ No newline at end of file diff --git a/roles/health-nginx/TODO.md b/roles/health-nginx/TODO.md new file mode 100644 index 00000000..8f25fa1f --- /dev/null +++ b/roles/health-nginx/TODO.md @@ -0,0 +1,2 @@ +# Todo +- Implement health check for oauth2-proxy \ No newline at end of file diff --git a/roles/nginx-docker-reverse-proxy/templates/iframe.conf.j2 b/roles/nginx-docker-reverse-proxy/templates/iframe.conf.j2 index 95bee773..8908fb13 100644 --- a/roles/nginx-docker-reverse-proxy/templates/iframe.conf.j2 +++ b/roles/nginx-docker-reverse-proxy/templates/iframe.conf.j2 @@ -1,4 +1,4 @@ -{% if landingpage_iframe_enabled | default(applications.get(application_id).get('landingpage_iframe_enabled')) | bool %} +{% if applications.get(application_id, {}).get('features', {}).get('iframe', False) %} add_header X-Frame-Options "SAMEORIGIN" always; add_header Content-Security-Policy "frame-ancestors 'self' {{primary_domain}};" always; {% endif %} diff --git a/roles/nginx-modifier-all/tasks/main.yml b/roles/nginx-modifier-all/tasks/main.yml index 77ba9f1d..00ec6ded 100644 --- a/roles/nginx-modifier-all/tasks/main.yml +++ b/roles/nginx-modifier-all/tasks/main.yml 
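Review bot: The new condition drops the `| bool` the old line applied, so `{% if applications.get(application_id, {}).get('features', {}).get('iframe', False) %}` is now true for any non-empty string such as `"false"` from an inventory; because this guard decides whether `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` are emitted, that is a framing-policy change, not a cosmetic one. Suggest `{% if applications.get(application_id, {}).get('features', {}).get('iframe', False) | bool %}`. The `landingpage_iframe_enabled` per-call override the old line honoured is also gone; if any role still passes it, it is now ignored silently. A YAML `features:` with no value yields None, which `.get('features', {})` does not replace — hedged, that depends on how `render_features` emits the block.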
@@ -1,9 +1,9 @@ - name: "Activate Global CSS for {{domain}}" include_role: name: nginx-modifier-css - when: applications.get(application_id).get('css_enabled') | bool + when: applications.get(application_id).get('features').get('css') | bool - name: "Activate Global Matomo Tracking for {{domain}}" include_role: name: nginx-modifier-matomo - when: applications.get(application_id).get('matomo_tracking_enabled') | bool \ No newline at end of file + when: applications.get(application_id).get('features').get('matomo') | bool \ No newline at end of file diff --git a/roles/nginx-modifier-all/templates/global.includes.conf.j2 b/roles/nginx-modifier-all/templates/global.includes.conf.j2 index 85cd62bd..7a0b1b8b 100644 --- a/roles/nginx-modifier-all/templates/global.includes.conf.j2 +++ b/roles/nginx-modifier-all/templates/global.includes.conf.j2 
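Review bot: `applications.get(application_id).get('features').get('css') | bool` has no defaults, so for an application without a `features` block `.get('features')` returns None and the next `.get` raises; iframe.conf.j2 and networks.yml.j2 in this same commit use `.get('features', {})` for the same lookup. The unguarded chain appears in both `when:` lines here and in the two `{% set ... %}` lines of templates/global.includes.conf.j2. Suggest `when: applications.get(application_id, {}).get('features', {}).get('css', false) | bool` (and the same for `matomo`) in all four places. The defaults template added in this commit shows at least one application (`mariadb`) with no `render_features` call, so the case is not hypothetical — assuming these modifier tasks can run for it.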
@@ -2,20 +2,20 @@ sub_filter_once off; sub_filter_types text/html; -{% set css_enabled_final = applications.get(application_id).get('css_enabled') | bool %} -{% set matomo_tracking_enabled_final = applications.get(application_id).get('matomo_tracking_enabled') | bool %} +{% set features_css_final = applications.get(application_id).get('features').get('css') | bool %} +{% set features_matomo_final = applications.get(application_id).get('features').get('matomo') | bool %} -{% if matomo_tracking_enabled_final | bool %} +{% if features_matomo_final | bool %} {# Include Global Matomo Tracking #} {% include 'roles/nginx-modifier-matomo/templates/matomo-tracking.conf.j2' %} {% endif %} -{% if css_enabled_final | bool or matomo_tracking_enabled_final | bool %} - sub_filter '' '{% if matomo_tracking_enabled_final | bool %}{% include 'roles/nginx-modifier-matomo/templates/script.j2' %}{% endif %}{% if css_enabled_final | bool %}{% include 'roles/nginx-modifier-css/templates/link.j2' %}{% endif %}'; +{% if features_css_final | bool or features_matomo_final | bool %} + sub_filter '' '{% if features_matomo_final | bool %}{% include 'roles/nginx-modifier-matomo/templates/script.j2' %}{% endif %}{% if features_css_final | bool %}{% include 'roles/nginx-modifier-css/templates/link.j2' %}{% endif %}'; {% endif %} -{% if css_enabled_final | bool %} +{% if features_css_final | bool %} {# Include Global CSS Location #} {% include 'roles/nginx-modifier-css/templates/location.conf.j2' %} {% endif %} diff --git a/roles/nginx-modifier-matomo/tasks/main.yml b/roles/nginx-modifier-matomo/tasks/main.yml index bfdd6aa8..98d289bf 100644 --- a/roles/nginx-modifier-matomo/tasks/main.yml +++ b/roles/nginx-modifier-matomo/tasks/main.yml 
@@ -30,7 +30,7 @@ uri: url: "https://{{ domains.matomo }}/index.php" method: POST - body: "module=API&method=SitesManager.addSite&siteName={{ base_domain }}&urls=https://{{ base_domain }}&token_auth={{ applications.matomo.auth_token }}&format=json" + body: "module=API&method=SitesManager.addSite&siteName={{ base_domain }}&urls=https://{{ base_domain }}&token_auth={{ applications.matomo.credentials.auth_token }}&format=json" body_format: form-urlencoded status_code: 200 return_content: yes diff --git a/roles/nginx-modifier-matomo/vars/main.yml b/roles/nginx-modifier-matomo/vars/main.yml index 4be16dbd..622d2ebf 100644 --- a/roles/nginx-modifier-matomo/vars/main.yml +++ b/roles/nginx-modifier-matomo/vars/main.yml @@ -1,2 +1,2 @@ base_domain: "{{ domain | regex_replace('^(?:.*\\.)?(.+\\..+)$', '\\1') }}" -verification_url: "https://{{domains.matomo}}/index.php?module=API&method=SitesManager.getSitesIdFromSiteUrl&url=https://{{base_domain}}&format=json&token_auth={{applications.matomo.auth_token}}" \ No newline at end of file +verification_url: "https://{{domains.matomo}}/index.php?module=API&method=SitesManager.getSitesIdFromSiteUrl&url=https://{{base_domain}}&format=json&token_auth={{applications.matomo.credentials.auth_token}}" \ No newline at end of file diff --git a/tasks/constructor.yml b/tasks/constructor.yml index 73fcb137..2b364554 100644 --- a/tasks/constructor.yml +++ b/tasks/constructor.yml 
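Review bot: The `uri` task sends `applications.matomo.credentials.auth_token` in `body:` with `return_content: yes` and no `no_log: true`, so the token is printed at `-v` and on failure; add `no_log: true` to the task. The renamed `verification_url` in vars/main.yml still carries `token_auth` in the URL query string, which ends up in the Matomo web server's access logs — sending it as POST body data, as this task already does, avoids that. The defaults template added in this commit lists `# auth_token: Null` for matomo only as a comment beside `oauth2_proxy:`, not under a `credentials:` key, so it is worth confirming that inventories define `credentials.auth_token` for the new path to resolve.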
@@ -32,6 +32,20 @@ set_fact: applications: "{{ defaults_applications | combine(applications | default({}, true), recursive=True) }}" +# @todo implement +# - name: Ensure features.integrated is set based on group membership +# set_fact: +# applications: "{{ applications | combine({ item.key: updated_app }, recursive=True) }}" +# vars: +# original_app: "{{ applications[item.key] | default({}) }}" +# original_features: "{{ original_app.features | default({}) }}" +# needs_integration: original_features.integrated is not defined +# updated_features: >- +# {{ original_features | combine({'integrated': (item.key in group_names)}) if needs_integration else original_features }} +# updated_app: >- +# {{ original_app | combine({'features': updated_features}) }} +# loop: "{{ applications | dict2items }}" + - name: Merge networks definitions set_fact: networks: "{{ defaults_networks | combine(networks | default({}, true), recursive=True) }}" diff --git a/templates/docker/compose/networks.yml.j2 b/templates/docker/compose/networks.yml.j2 index 5bbbefa9..4b3917d9 100644 --- a/templates/docker/compose/networks.yml.j2 +++ b/templates/docker/compose/networks.yml.j2 @@ -4,7 +4,7 @@ networks: central_{{ database_type }}: external: true {% endif %} -{% if applications[application_id].get('ldap', {}).get('enabled', false) | bool and applications.ldap.network.local | bool %} +{% if applications[application_id].get('features', {}).get('ldap', false) | bool and applications.ldap.network.local | bool %} central_ldap: external: true {% endif %} diff --git a/templates/docker/compose/volumes-just-database.yml.j2 b/templates/docker/compose/volumes-just-database.yml.j2 index c62ecb2a..c7266223 100644 --- a/templates/docker/compose/volumes-just-database.yml.j2 +++ b/templates/docker/compose/volumes-just-database.yml.j2 
@@ -1,5 +1,5 @@ {# This needs to be included in docker-compose.yml which just contain a database volume #} -{% if not (applications[application_id].database.central_storage | default(false)) | bool %} +{% if not (applications[application_id].features.database | default(false)) | bool %} volumes: database: {% endif %} diff --git a/templates/docker/compose/volumes.yml.j2 b/templates/docker/compose/volumes.yml.j2 index 2410c65b..194063fa 100644 --- a/templates/docker/compose/volumes.yml.j2 +++ b/templates/docker/compose/volumes.yml.j2 @@ -1,6 +1,6 @@ {# This template needs to be included in docker-compose.yml which contain a database and additional volumes #} volumes: -{% if not (applications[application_id].database.central_storage | default(false)) | bool %} +{% if not (applications[application_id].features.database | default(false)) | bool %} database: {% endif %} {{ "\n" }} \ No newline at end of file diff --git a/templates/docker/container/depends-on-also-database.yml.j2 b/templates/docker/container/depends-on-also-database.yml.j2 index dd725d40..ee93bb2f 100644 --- a/templates/docker/container/depends-on-also-database.yml.j2 +++ b/templates/docker/container/depends-on-also-database.yml.j2 @@ -1,6 +1,6 @@ {# This template needs to be included in docker-compose.yml containers which depend on a database and additional containers #} depends_on: -{% if not applications[application_id].database.central_storage | bool %} +{% if not applications[application_id].features.database | bool %} database: condition: service_healthy {% endif %} diff --git a/templates/docker/container/depends-on-database-redis.yml.j2 b/templates/docker/container/depends-on-database-redis.yml.j2 index ba7b4466..fd73adb4 100644 --- a/templates/docker/container/depends-on-database-redis.yml.j2 +++ b/templates/docker/container/depends-on-database-redis.yml.j2 
@@ -1,6 +1,6 @@ {# This template needs to be included in docker-compose.yml containers, which depend on a database, redis and optional additional volumes #} depends_on: -{% if not applications[application_id].database.central_storage | bool %} +{% if not applications[application_id].features.database | bool %} database: condition: service_healthy {% endif %} diff --git a/templates/docker/container/depends-on-just-database.yml.j2 b/templates/docker/container/depends-on-just-database.yml.j2 index fc984fd8..1c9afab0 100644 --- a/templates/docker/container/depends-on-just-database.yml.j2 +++ b/templates/docker/container/depends-on-just-database.yml.j2 @@ -1,5 +1,5 @@ {# This template needs to be included in docker-compose.yml containers, which just depend on a database #} -{% if not applications[application_id].database.central_storage | bool %} +{% if not applications[application_id].features.database | bool %} depends_on: database: condition: service_healthy diff --git a/templates/docker/container/networks.yml.j2 b/templates/docker/container/networks.yml.j2 index 7fd2a807..6215b1cf 100644 --- a/templates/docker/container/networks.yml.j2 +++ b/templates/docker/container/networks.yml.j2 @@ -3,7 +3,7 @@ {% if applications | get_database_central_storage(application_id) | bool and database_type is defined %} central_{{ database_type }}: {% endif %} -{% if applications[application_id].get('ldap', {}).get('enabled', false)|bool and applications.ldap.network.local|bool %} +{% if applications[application_id].get('features', {}).get('ldap', false) | bool and applications.ldap.network.local|bool %} central_ldap: {% endif %} default: diff --git a/templates/vars/applications.yml.j2 b/templates/vars/applications.yml.j2 new file mode 100644 index 00000000..a7c27500 --- /dev/null +++ b/templates/vars/applications.yml.j2 
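Review bot: The unchanged context line `{% if applications | get_database_central_storage(application_id) | bool and database_type is defined %}` in templates/docker/container/networks.yml.j2 still dispatches on the old `database.central_storage` concept, while the line below it and every other template in this commit now reads `features.database`. Unless the `get_database_central_storage` filter in filter_plugins/configuration_filters.py (listed as changed in this commit but not shown here) was retargeted to `features.database`, the central database network is attached based on a key that no longer exists. A direct `{% if applications[application_id].get('features', {}).get('database', false) | bool and database_type is defined %}` would make both conditions in this template read one source.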
@@ -0,0 +1,826 @@ +{% import "features.yml.j2" as features %}{% raw %} +# Docker Applications + +## Docker Role Specific Parameters +docker_restart_policy: "unless-stopped" + +############################################## +## Applications Configuration +############################################## + +# Keep in mind, that this configuration should in general just apply to the roles which set the applications up. +# If other applications depend on this variables, propably it makes sense to define it in e.g. IMA or other variable files. + +# helper +_applications_nextcloud_oidc_flavor: "{{ applications.nextcloud.oidc.flavor | default('oidc_login' if applications.nextcloud.features.ldap | default(true) else 'sociallogin') }}" + +# applications + +defaults_applications: + + ## Akaunting + akaunting: + version: "latest" + company_name: "{{primary_domain}}" + company_email: "{{users.administrator.email}}" + setup_admin_email: "{{users.administrator.email}}" +{% endraw %}{{ features.render_features({ + 'matomo': true, + 'css': true, + 'iframe': false, + 'database': true, +}) }}{% raw %} + + ## Assets Server + assets_server: + source_directory: "{{ playbook_dir }}/assets" # Directory from which the assets will be copied + url: "https://{{domains.file_server}}/assets" # Public address of the assets directory + ## Attendize + attendize: + version: "latest" +{% endraw %}{{ features.render_features({ + 'matomo': true, + 'css': true, + 'iframe': false, + 'database': true, +}) }}{% raw %} + + ## Baserow + baserow: + version: "latest" +{% endraw %}{{ features.render_features({ + 'matomo': true, + 'css': true, + 'iframe': true, + 'database': true, +}) }}{% raw %} + + ## Big Blue Button + bigbluebutton: + enable_greenlight: "true" + setup: false # Set to true in inventory file for initial setup +# @todo LDAP needs to get propper implemented and tested, just set values during refactoring +{% endraw %}{{ features.render_features({ + 'matomo': true, + 'css': true, + 'iframe': true, 
+ 'ldap': false, + 'oidc': true, + 'database': true, +}) }}{% raw %} + credentials: +# shared_secret: # Needs to be defined in inventory file +# etherpad_api_key: # Needs to be defined in inventory file +# rails_secret: # Needs to be defined in inventory file +# postgresql_secret: # Needs to be defined in inventory file +# fsesl_password: # Needs to be defined in inventory file +# turn_secret: # Needs to be defined in inventory file + urls: + api: "https://{{domains.bigbluebutton}}/bigbluebutton/" # API Address used by Nextcloud Integration + + ## Bluesky + bluesky: + users: + administrator: + email: "{{users.administrator.email}}" + pds: + version: "latest" + #jwt_secret: # Needs to be defined in inventory file - Use: openssl rand -base64 64 | tr -d '\n' + #plc_rotation_key_k256_private_key_hex: # Needs to be defined in inventory file - Use: openssl rand -hex 32 + #admin_password: # Needs to be defined in inventory file - Use: openssl rand -base64 16 +{% endraw %}{{ features.render_features({ + 'matomo': true, + 'css': true, + 'iframe': true, + 'database': true, +}) }}{% raw %} + + # Chromium Browser + chromium: + plugins: # Plugins to be installed in Chromium + - "cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx" # U-Block Origine Plugin + - "oboonakemofpalcgghocfoadofidjkkk;https://clients2.google.com/service/update2/crx" # KeepassXC Plugin + + coturn: # @todo implement + credentials: + user: turnuser + # password: # Need to be defined in invetory file + # secret: # Need to be defined in invetory file + + ## Discourse: + discourse: + network: "discourse_default" # Name of the docker network + container: "discourse_application" # Name of the container application + repository: "discourse_repository" # Name of the repository folder + credentials: + database: +# password: # Needs to be defined in inventory file + master_api: +# key: # Needs to be defined in inventory file + username: "{{ users.administrator.username }}" # Username 
for the Master API +{% endraw %}{{ features.render_features({ + 'matomo': true, + 'css': true, + 'iframe': true, + 'oidc': true, + 'database': true, +}) }}{% raw %} + + ## File Server + file_server: +{% endraw %}{{ features.render_features({ + 'matomo': true, + 'css': true, + 'iframe': true, +}) }}{% raw %} + + # Firefox Browser + firefox: + plugins: # Plugins to be installed in Firefox + - "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi" # U-Block Origine Plugin + - "https://addons.mozilla.org/firefox/downloads/latest/keepassxc-browser/latest.xpi" # KeepassXC Plugin + + ## Friendica + friendica: + version: "latest" +{% endraw %}{{ features.render_features({ + 'matomo': true, + 'css': true, + 'iframe': true, + 'oidc': true, + 'database': true, +}) }}{% raw %} + + ## Funkwhale + funkwhale: + version: "1.4.0" +{% endraw %}{{ features.render_features({ + 'matomo': true, + 'css': true, + 'iframe': true, + 'ldap': true, + 'database': true, +}) }}{% raw %} + + ## Gitea + gitea: + version: "latest" # Use latest docker image + configuration: + repository: + enable_push_create_user: True # Allow users to push local repositories to Gitea and have them automatically created for a user. + default_private: last # Default private when creating a new repository: last, private, public + default_push_create_private: True # Default private when creating a new repository with push-to-create. 
+{% endraw %}{{ features.render_features({ + 'matomo': true, + 'css': true, + 'iframe': true, + 'database': true, +}) }}{% raw %} + + ## Gitlab + gitlab: + version: "latest" +{% endraw %}{{ features.render_features({ + 'matomo': true, + 'css': true, + 'iframe': true, + 'database': true, +}) }}{% raw %} + + ## Gnome + gnome: + plugins: + - [enable,nasa_apod@elinvention.ovh,https://github.com/Elinvention/gnome-shell-extension-nasa-apod.git] + - [disable,dash-to-dock@micxgx.gmail.com,''] + - [enable, dash-to-panel@jderose9.github.com,''] + + ## Joomla + joomla: + version: "latest" +{% endraw %}{{ features.render_features({ + 'matomo': true, + 'css': true, + 'iframe': true, +}) }}{% raw %} + + ## HTML Server + html_server: +{% endraw %}{{ features.render_features({ + 'matomo': true, + 'css': true, + 'iframe': false, +}) }}{% raw %} + + ## Keycloak + keycloak: + version: "latest" + users: + administrator: + username: "{{users.administrator.username}}" # Administrator Username for Keycloak + import_realm: True # If True realm will be imported. If false skip. 
+# database_password: # Needs to be defined in inventory file +# administrator_password: # Needs to be defined in inventory file +{% endraw %}{{ features.render_features({ + 'matomo': true, + 'css': true, + 'iframe': true, + 'ldap': true, + 'database': true, +}) }}{% raw %} + + # LDAP Account Manager + lam: + version: "latest" +# administrator_password: "{{users.administrator.initial_password}}" # CHANGE for security reasons + oauth2_proxy: + application: application # Needs to be the same as webinterface + port: 80 # application port +# cookie_secret: None # Set via openssl rand -hex 16 +{% endraw %}{{ features.render_features({ + 'matomo': true, + 'css': true, + 'iframe': true, + 'ldap': true, + 'database': false, + 'oauth2': false, +}) }}{% raw %} + + ## LDAP + ldap: + version: "latest" + network: + local: True # Activates local network to allow other docker containers to connect + public: False # Set to true in inventory file if you want to expose the LDAP port to the internet + hostname: "ldap" # Hostname of the LDAP Server in the central_ldap network + webinterface: "lam" # The webinterface which should be used. Possible: lam and phpldapadmin + users: + administrator: + username: "{{users.administrator.username}}" # Administrator username + # administrator_password: # CHANGE for security reasons in inventory file + # administrator_database_password: # CHANGE for security reasons in inventory file + force_import: False # Forces the import of the LDIF files +{% endraw %}{{ features.render_features({ + 'ldap': true, +}) }}{% raw %} + + ## Libre Office + libreoffice: + flavor: "fresh" # Libre Office flavor, fresh for new, still for stable + + ## Listmonk + listmonk: + users: + administrator: + username: "{{users.administrator.username}}" # Listmonk administrator account username + public_api_activated: False # Security hole. 
Can be used for spaming + version: "latest" # Docker Image version + setup: false # Set true in inventory file to execute the setup and initializing procedures +{% endraw %}{{ features.render_features({ + 'matomo': true, + 'css': true, + 'iframe': true, + 'database': true, +}) }}{% raw %} + + mailu: + version: "2024.06" # Docker Image Version + setup: false # Set true in inventory file to execute the setup and initializing procedures + oidc: + email_by_username: true # If true, then the mail is set by the username. If wrong then the OIDC user email is used + enable_user_creation: true # Users will be created if not existing + domain: "{{primary_domain}}" # The main domain from which mails will be send \ email suffix behind @ + credentials: +# secret_key: # Set to a randomly generated 16 bytes string +# database_password: # Needs to be set in inventory file +# api_token: # Configures the authentication token. The minimum length is 3 characters. This is a mandatory setting for using the RESTful API. 
+# initial_administrator_password: # Initial administrator password for setup
+{% endraw %}{{ features.render_features({
+ 'matomo': true,
+ 'css': true,
+ 'iframe': true,
+ 'oidc': true,
+ 'database': false
+}) }}{% raw %}
+# Deactivate central database for mailu, I don't know why the database deactivation is necessary
+
+ ## MariaDB
+ mariadb:
+ version: "latest"
+
+ ## Matomo
+ matomo:
+ version: "latest"
+ oauth2_proxy:
+# cookie_secret: None # Set via openssl rand -hex 16
+# database_password: Null # Needs to be set in inventory file
+# auth_token: Null # Needs to be set in inventory file
+{% endraw %}{{ features.render_features({
+ 'matomo': false,
+ 'css': false,
+ 'iframe': false,
+ 'database': true,
+ 'oauth2': false,
+}) }}{% raw %}
+
+ ## Mastodon
+ mastodon:
+ version: "latest"
+ single_user_mode: false # Set true for initial setup
+ setup: false # Set true in inventory file to execute the setup and initializing procedures
+ credentials:
+# Check out the README.md of the docker-mastodon role to get detailled instructions about how to setup the credentials
+# database_password:
+# secret_key_base:
+# otp_secret:
+# vapid:
+# private_key:
+# public_key:
+# active_record_encryption:
+# deterministic_key:
+# key_derivation_salt:
+# primary_key:
+{% endraw %}{{ features.render_features({
+ 'matomo': true,
+ 'css': true,
+ 'iframe': false,
+ 'oidc': true,
+ 'database': true,
+}) }}{% raw %}
+
+ ## Matrix
+ matrix:
+ users:
+ administrator:
+ username: "{{users.administrator.username}}" # Accountname of the matrix admin
+ playbook_tags: "setup-all,start" # For the initial update use: install-all,ensure-matrix-users-created,start
+ role: "compose" # Role to setup Matrix. Valid values: ansible, compose
+ server_name: "{{primary_domain}}" # Adress for the account names etc.
+ synapse:
+ version: "latest"
+ element:
+ version: "latest"
+ setup: false # Set true in inventory file to execute the setup and initializing procedures
+{% endraw %}{{ features.render_features({
+ 'matomo': true,
+ 'css': true,
+ 'iframe': false,
+ 'oidc': false,
+ 'database': true,
+}) }}{% raw %}
+# Deactivated OIDC due to this issue https://github.com/matrix-org/synapse/issues/10492
+
+ ## Moodle
+ moodle:
+ site_titel: "Global Learning Academy on {{primary_domain}}"
+ users:
+ administrator:
+ username: "{{users.administrator.username}}"
+ email: "{{users.administrator.email}}"
+ version: "latest"
+{% endraw %}{{ features.render_features({
+ 'matomo': true,
+ 'css': true,
+ 'iframe': false,
+ 'database': true,
+}) }}{% raw %}
+
+ ## MyBB
+ mybb:
+ version: "latest"
+{% endraw %}{{ features.render_features({
+ 'matomo': true,
+ 'css': true,
+ 'iframe': false,
+ 'database': true,
+}) }}{% raw %}
+
+ ## Nextcloud
+ nextcloud:
+ version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
+ ldap:
+ enabled: True # Enables LDAP by default
+ oidc:
+ enabled: "{{ applications.nextcloud.features.oidc | default(true) }}" # Activate OIDC for Nextcloud
+ # floavor decides which OICD plugin should be used.
+ # Available options: oidc_login, sociallogin
+ # @see https://apps.nextcloud.com/apps/oidc_login
+ # @see https://apps.nextcloud.com/apps/sociallogin
+ flavor: "oidc_login" # Keeping on sociallogin because the other option is not implemented yet
+{% endraw %}{{ features.render_features({
+ 'matomo': true,
+ 'css': true,
+ 'iframe': false,
+ 'ldap': true,
+ 'oidc': true,
+ 'database': true,
+}) }}{% raw %}
+ credentials:
+# database_password: Null # Needs to be set in inventory file
+ users:
+ administrator:
+ username: "{{users.administrator.username}}"
+ initial_password: "{{users.administrator.initial_password}}" # Keep in mind to change the password fast after creation and activate 2FA
+ default_quota: '1000000000' # Quota to assign if no quota is specified in the OIDC response (bytes)
+ legacy_login_mask:
+ enabled: False # If true, then legacy login mask is shown. Otherwise just SSO
+ container:
+ application: "nextcloud-application" # Nextcloud application container name
+ proxy: "nextcloud-web" # Nextcloud Proxy Container Name
+ performance:
+ php:
+ memory_limit: "{{ ((ansible_memtotal_mb | int) / 30)|int }}M" # Dynamic set memory limit
+ upload_limit: "5G" # Set upload limit to 5GB for big media files
+ opcache_memory_consumption: "{{ ((ansible_memtotal_mb | int) / 30)|int }}M" # Dynamic set memory consumption
+ plugins:
+ # List for Nextcloud Plugin Routine
+ # Decides if plugins should be activated or deactivated
+ appointments:
+ # Nextcloud appointments: handles scheduling and appointment management (https://apps.nextcloud.com/apps/appointments)
+ enabled: true
+ bbb:
+ # Nextcloud BigBlueButton integration: enables video conferencing using BigBlueButton (https://apps.nextcloud.com/apps/bbb)
+ enabled: "{{ 'bigbluebutton' in group_names | lower }}"
+ #- bookmarks
+ # # Nextcloud Bookmarks: manage and share your bookmarks easily (https://apps.nextcloud.com/apps/bookmarks)
+ # enabled: false
+ calendar:
+ # Nextcloud calendar: manages calendar events and scheduling (https://apps.nextcloud.com/apps/calendar)
+ enabled: true
+ cfg_share_links:
+ # Nextcloud share links configuration: customizes sharing settings and link options (https://apps.nextcloud.com/apps/cfg_share_links)
+ enabled: true
+ collectives:
+ # Nextcloud collectives: supports collaborative group management and sharing (https://apps.nextcloud.com/apps/collectives)
+ enabled: true
+ contacts:
+ # Nextcloud contacts: manages address book and contact information (https://apps.nextcloud.com/apps/contacts)
+ enabled: true
+ cospend:
+ # Nextcloud cospend: manages shared expenses and spending tracking (https://apps.nextcloud.com/apps/cospend)
+ enabled: true
+ deck:
+ # Nextcloud Deck: organizes tasks and projects using Kanban boards (https://apps.nextcloud.com/apps/deck)
+ # When Taiga is activated, this plugin is deactivated, because Taiga is the prefered application.
+ enabled: "{{ 'taiga' not in group_names | lower }}"
+ drawio:
+ # Nextcloud draw.io: integrates diagram creation and editing tools (https://apps.nextcloud.com/apps/drawio)
+ enabled: true
+ duplicatefinder:
+ # Nextcloud duplicate finder: scans and identifies duplicate files (https://apps.nextcloud.com/apps/duplicatefinder)
+ enabled: true
+ emlviewer:
+ # Nextcloud EML Viewer: previews and manages EML email files (https://apps.nextcloud.com/apps/emlviewer)
+ enabled: true
+ event_update_notification:
+ # Nextcloud event update notification: sends alerts when events are updated (https://apps.nextcloud.com/apps/event_update_notification)
+ enabled: true
+ epubviewer:
+ # Nextcloud EPUB Viewer: enables reading and previewing EPUB e-books (https://apps.nextcloud.com/apps/epubviewer)
+ enabled: true
+ external:
+ # Nextcloud External: Adds links to external services (https://apps.nextcloud.com/apps/external)
+ enabled: true
+ #files_accesscontrol
+ # # Nextcloud Files Access Control: restricts file access based on defined rules (https://apps.nextcloud.com/apps/files_accesscontrol)
+ # enabled: false
+ #files_archive
+ # # Nextcloud Files Archive: compresses and archives files for efficient storage (https://apps.nextcloud.com/apps/files_archive)
+ # enabled: false
+ #files_automatedtagging
+ # # Nextcloud Files Automated Tagging: automatically tags files to improve organization (https://apps.nextcloud.com/apps/files_automatedtagging)
+ # enabled: false
+ files_bpm:
+ # Nextcloud Files BPM: integrates business process management for file workflows (https://apps.nextcloud.com/apps/files_bpm)
+ enabled: true
+ files_downloadactivity:
+ # Nextcloud Files Download Activity: tracks and logs file download events (https://apps.nextcloud.com/apps/files_downloadactivity)
+ enabled: true
+ files_linkeditor:
+ # Nextcloud files link editor: allows customization of shared file links (https://apps.nextcloud.com/apps/files_linkeditor)
+ enabled: true
+ files_mindmap:
+ # Nextcloud Files Mindmap: visualizes file relationships as mind maps (https://apps.nextcloud.com/apps/files_mindmap)
+ enabled: true
+ files_texteditor:
+ # Nextcloud Files Text Editor: provides an online editor for text files (https://apps.nextcloud.com/apps/files_texteditor)
+ # Not available for Nextcloud < 27
+ enabled: false
+ fileslibreofficeedit:
+ # Nextcloud LibreOffice integration: allows online editing of documents with LibreOffice (https://apps.nextcloud.com/apps/fileslibreofficeedit)
+ enabled: true
+ forms:
+ # Nextcloud forms: facilitates creation of forms and surveys (https://apps.nextcloud.com/apps/forms)
+ enabled: true
+ gestion:
+ # Nextcloud Gestion: manages administrative tasks and workflows (https://apps.nextcloud.com/apps/gestion)
+ enabled: true
+ groupfolders:
+ # Nextcloud Group Folders: centralizes shared folders for group collaboration (https://apps.nextcloud.com/apps/groupfolders)
+ enabled: true
+ gpxpod:
+ # Nextcloud GPX pod: visualizes GPS tracks and GPX data (https://apps.nextcloud.com/apps/gpxpod)
+ enabled: true
+ integration_discourse:
+ # Nextcloud Integration Discourse: connects Nextcloud with Discourse forums (https://apps.nextcloud.com/apps/integration_discourse)
+ enabled: false
+ integration_gitlab:
+ # Nextcloud Integration GitLab: connects Nextcloud with GitLab repositories (https://apps.nextcloud.com/apps/integration_gitlab)
+ enabled: "{{ 'gitlab' in group_names | lower }}"
+ integration_github:
+ # Nextcloud Integration GitHub: integrates GitHub repositories with Nextcloud (https://apps.nextcloud.com/apps/integration_github)
+ enabled: false
+ integration_google:
+ # Nextcloud Integration Google: connects Google services with Nextcloud (https://apps.nextcloud.com/apps/integration_google)
+ enabled: true
+ integration_mastodon:
+ # Nextcloud Integration Mastodon: connects Nextcloud with the Mastodon social network (https://apps.nextcloud.com/apps/integration_mastodon)
+ enabled: "{{ 'mastodon' in group_names | lower }}"
+ integration_openai:
+ # Nextcloud Integration OpenAI: brings OpenAI functionalities into Nextcloud (https://apps.nextcloud.com/apps/integration_openai)
+ enabled: false
+ integration_openproject:
+ # Nextcloud Integration OpenProject: integrates project management features from OpenProject (https://apps.nextcloud.com/apps/integration_openproject)
+ enabled: "{{ 'openproject' in group_names | lower }}"
+ integration_peertube:
+ # Nextcloud Integration PeerTube: connects to PeerTube for video sharing (https://apps.nextcloud.com/apps/integration_peertube)
+ enabled: "{{ 'peertube' in group_names | lower }}"
+ #keeweb
+ # # Nextcloud KeeWeb: integrates the KeeWeb password manager within Nextcloud (https://apps.nextcloud.com/apps/keeweb)
+ # # This isn't maintained anymore. The alternatives don't support keepass files
+ # enabled: false
+ keeporsweep:
+ # Nextcloud keep or sweep: helps manage and clean up files and data (https://apps.nextcloud.com/apps/keeporsweep)
+ enabled: true
+ mail:
+ # Nextcloud mail: integrated email client for managing mail accounts (https://apps.nextcloud.com/apps/mail)
+ enabled: true
+ maps:
+ # Nextcloud maps: provides mapping and location services integration (https://apps.nextcloud.com/apps/maps)
+ enabled: true
+ metadata:
+ # Nextcloud Metadata: manages and displays file metadata for enhanced organization (https://apps.nextcloud.com/apps/metadata)
+ enabled: true
+ news:
+ # Nextcloud News: aggregates and displays news feeds directly in Nextcloud (https://apps.nextcloud.com/apps/news)
+ enabled: true
+ oidc_login:
+ # Nextcloud User OIDC: integrates OpenID Connect for user authentication (https://apps.nextcloud.com/apps/oidc_login)
+ enabled: "{{ _applications_nextcloud_oidc_flavor=='oidc_login' | lower }}"
+ incompatible_plugins:
+ - user_oidc # Will be disabled
+ - sociallogin # Will be disabled
+ phonetrack:
+ # Nextcloud phone track: tracks and monitors mobile device usage (https://apps.nextcloud.com/apps/phonetrack)
+ enabled: true
+ polls:
+ # Nextcloud polls: facilitates creation and management of user polls (https://apps.nextcloud.com/apps/polls)
+ enabled: true
+ quota_warning:
+ # Nextcloud quota warning: notifies users when storage limits are reached (https://apps.nextcloud.com/apps/quota_warning)
+ enabled: true
+ recognize:
+ # Nextcloud recognize: performs image recognition tasks (https://apps.nextcloud.com/apps/recognize)
+ enabled: false # Deactivated because it let to bugs
+ richdocuments:
+ # Nextcloud Rich Documents: provides collaborative document editing capabilities (https://apps.nextcloud.com/apps/richdocuments)
+ enabled: false # @todo To set it default to true activate https://hub.docker.com/r/collabora/code before
+ sociallogin:
+ # Nextcloud social login: allows authentication using social networks (https://apps.nextcloud.com/apps/sociallogin)
+ enabled: "{{ _applications_nextcloud_oidc_flavor=='sociallogin' | lower }}"
+ incompatible_plugins:
+ - user_oidc # Will be disabled
+ - oidc_login # Will be disabled
+ spreed:
+ # Nextcloud Spreed: offers video conferencing and chat functionalities (https://apps.nextcloud.com/apps/spreed)
+ enabled: false # @todo to activate it first implement docker-coturn and activate it
+ tables:
+ # Nextcloud tables: allows creation and editing of tables within the interface (https://apps.nextcloud.com/apps/tables)
+ enabled: true
+ tasks:
+ # Nextcloud tasks: manages personal or group tasks and to-do lists (https://apps.nextcloud.com/apps/tasks)
+ enabled: true
+ #terms_of_service
+ # # Nextcloud Terms of Service: manages user acceptance of terms and conditions (https://apps.nextcloud.com/apps/terms_of_service)
+ # enabled: false
+ twofactor_nextcloud_notification:
+ # Nextcloud two-factor notification: sends notifications for two-factor authentication events (https://apps.nextcloud.com/apps/twofactor_nextcloud_notification)
+ enabled: "{{ not applications.nextcloud.features.oidc | default(true) }}" # Deactivate 2FA if oidc is active
+ twofactor_totp:
+ # Nextcloud two-factor TOTP: provides time-based one-time password authentication (https://apps.nextcloud.com/apps/twofactor_totp)
+ enabled: "{{ not applications.nextcloud.features.oidc | default(true) }}" # Deactivate 2FA if oidc is active
+ user_ldap:
+ # Nextcloud user LDAP: integrates LDAP for user management and authentication (https://apps.nextcloud.com/apps/user_ldap)
+ enabled: "{{ applications.nextcloud.features.ldap | default(true) }}"
+ user_oidc:
+ # Nextcloud User OIDC: integrates OpenID Connect for user authentication (https://apps.nextcloud.com/apps/user_oidc)
+ enabled: "{{ _applications_nextcloud_oidc_flavor=='user_oidc' | lower }}"
+ incompatible_plugins:
+ - oidc_login
+ - sociallogin
+ whiteboard:
+ # Nextcloud Whiteboard: provides a collaborative drawing and brainstorming tool (https://apps.nextcloud.com/apps/whiteboard)
+ enabled: true
+
+ ## OAuth2 Proxy
+ oauth2_proxy:
+ configuration_file: "oauth2-proxy-keycloak.cfg" # Needs to be set true in the roles which use it
+ version: "latest" # Docker Image version
+ redirect_url: "https://{{domains.keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth" # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
+ allowed_roles: admin # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups
+{% endraw %}{{ features.render_features({
+ 'matomo': true,
+ 'css': true,
+ 'iframe': false,
+}) }}{% raw %}
+
+ ## Open Project
+ openproject:
+ version: "13" # Update when available. Sadly no rolling release implemented
+ oauth2_proxy:
+ application: "proxy"
+ port: "80"
+# cookie_secret: None # Set via openssl rand -hex 16
+ ldap:
+ filters:
+ administrators: True # Set true to filter administrators
+ users: False # Set true to filter users
+{% endraw %}{{ features.render_features({
+ 'matomo': true,
+ 'css': true,
+ 'iframe': false,
+ 'ldap': true,
+ 'database': true,
+ 'oauth2': true,
+}) }}{% raw %}
+
+ ## Peertube
+ peertube:
+ version: "bookworm"
+{% endraw %}{{ features.render_features({
+ 'matomo': true,
+ 'css': true,
+ 'iframe': false,
+ 'database': true,
+}) }}{% raw %}
+
+ ## PgAdmin
+ pgadmin:
+ version: "latest"
+ server_mode: False # If true then the preconfigured database file is loaded. Recommended False. True is a security risk.
+ master_password_required: True # Master password is required. Recommended True. False is a security risk.
+ users:
+ administrator:
+ email: "{{ users.administrator.email }}" # Initial login email address
+ password: "{{ users.administrator.initial_password }}" # Initial login password – should be overridden in inventory for security
+ oauth2_proxy:
+ application: "application"
+ port: "80"
+# cookie_secret: None # Set via: openssl rand -hex 16
+{% endraw %}{{ features.render_features({
+ 'matomo': true,
+ 'css': true,
+ 'iframe': false,
+ 'database': true,
+ 'oauth2': true,
+}) }}{% raw %}
+
+ ## phpLDAPadmin
+ phpldapadmin:
+ version: "2.0.0-dev" # @todo Attention: Change this as fast as released to latest
+ oauth2_proxy:
+ application: application # Needs to be the same as webinterface
+ port: 8080 # application port
+# cookie_secret: None # Set via openssl rand -hex 16
+{% endraw %}{{ features.render_features({
+ 'matomo': true,
+ 'css': true,
+ 'iframe': false,
+ 'ldap': true,
+ 'oauth2': true,
+}) }}{% raw %}
+
+ ## PHPMyAdmin
+ phpmyadmin:
+ version: "latest" # Use the latest phpmyadmin version
+ autologin: false # This is a high security risk. Just activate this option if you know what you're doing
+ oauth2_proxy:
+ port: "80"
+ application: "application"
+# cookie_secret: None # Set via openssl rand -hex 16
+{% endraw %}{{ features.render_features({
+ 'matomo': true,
+ 'css': false,
+ 'iframe': false,
+ 'database': true,
+ 'oauth2': true,
+}) }}{% raw %}
+
+ ## Pixelfed
+ pixelfed:
+ titel: "Pictures on {{primary_domain}}"
+ version: "latest"
+{% endraw %}{{ features.render_features({
+ 'matomo': true,
+ 'css': true,
+ 'iframe': false,
+ 'database': true,
+}) }}{% raw %}
+
+ ## Postgres
+ # Please set an version in your inventory file - Rolling release for postgres isn't recommended
+ postgres:
+ version: "latest"
+
+ portfolio:
+{% endraw %}{{ features.render_features({
+ 'matomo': true,
+ 'css': true,
+ 'iframe': false,
+}) }}{% raw %}
+
+ ## Presentation
+ presentation:
+{% endraw %}{{ features.render_features({
+ 'matomo': true,
+ 'css': true,
+ 'iframe': true,
+}) }}{% raw %}
+
+ # Snipe-IT
+ snipe_it:
+ version: "latest"
+{% endraw %}{{ features.render_features({
+ 'matomo': true,
+ 'css': true,
+ 'iframe': false,
+ 'database': true,
+}) }}{% raw %}
+
+ ## Sphinx
+ sphinx:
+{% endraw %}{{ features.render_features({
+ 'matomo': true,
+ 'css': true,
+ 'iframe': false,
+}) }}{% raw %}
+
+ ## Taiga
+ taiga:
+ version: "latest"
+ oidc:
+ # Taiga doesn't have a functioning oidc support at the moment
+ # See
+ # - https://community.taiga.io/t/taiga-and-oidc-plugin/4866
+ #
+ # Due to this reason this plutin is deactivated atm
+ flavor: 'taigaio' # Potential flavors: robrotheram, taigaio
+{% endraw %}{{ features.render_features({
+ 'matomo': true,
+ 'css': true,
+ 'iframe': false,
+ 'oidc': false,
+ 'database': true,
+}) }}{% raw %}
+
+ ## YOURLS
+ yourls:
+ users:
+ administrator:
+ username: "{{users.administrator.username}}"
+ version: "latest"
+ oauth2_proxy:
+ application: "application"
+ port: "80"
+ location: "/admin/" # Protects the admin area
+# cookie_secret: None # Set via openssl rand -hex 16
+{% endraw %}{{ features.render_features({
+ 'matomo': true,
+ 'css': true,
+ 'iframe': false,
+ 'database': true,
+ 'oauth2': true,
+}) }}{% raw %}
+
+ wordpress:
+# Deactivate Global theming for wordpress role
+# due to the reason that wordpress has to much different themes
+# and one styling for all is not possible.
+#
+# May a solution could be to generate a template or css file dedicated
+# for wordpress based on the theming values and import it.
+ title: "Blog" # Wordpress titel
+ credentials: # Credentials
+ administrator: # Wordpress administrator
+ username: "{{users.administrator.username}}" # Username of the wordpress administrator
+# password: # Password of the wordpress administrator
+ email: "{{users.administrator.email}}" # Email of the wordpress adminsitrator
+ plugins:
+ discourse: false
+ oidc: true
+{% endraw %}{{ features.render_features({
+ 'matomo': true,
+ 'css': false,
+ 'iframe': false,
+ 'oidc': true,
+ 'database': true,
+}) }}{% raw %}
\ No newline at end of file
diff --git a/templates/vars/features.yml.j2 b/templates/vars/features.yml.j2
new file mode 100644
index 00000000..0ef45b8d
--- /dev/null
+++ b/templates/vars/features.yml.j2
@@ -0,0 +1,19 @@
+{% macro render_features(options) %}
+ features:
+ {%- set feature_map = {
+ 'matomo': 'Enables Matomo tracking',
+ 'css': 'Enables custom CSS styling',
+ 'iframe': 'Allows embedding via iframe on landing page',
+ 'ldap': 'Enables LDAP integration and networking',
+ 'oidc': 'Enables OpenID Connect (OIDC) authentication',
+ 'oauth2': 'Enables OAuth2 proxy integration',
+ 'database': 'Enables use of central database'
+ } %}
+ {%- for key, comment in feature_map.items() %}
+ {%- if key in options %}
+
+ {{ key }}: {{ options[key] }} # {{ comment }}
+
+ {%- endif %}
+ {%- endfor %}
+{% endmacro %}
diff --git a/tests/unit/test_docker_cards.py b/tests/unit/test_docker_cards.py
index 6329f2bd..c87a643b 100644
--- a/tests/unit/test_docker_cards.py
+++ b/tests/unit/test_docker_cards.py
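Review bot: An `options` key that is not in `feature_map` is silently dropped by the `{%- if key in options %}` guard in render_features, so a misspelled feature name (an 'oicd' instead of 'oidc', say) renders nothing and the consuming role falls back to its own default — for the auth-related flags (`oidc`, `oauth2`, `ldap`) that quietly changes which login path gets configured, with no error anywhere. Iterating the caller's options and looking the comment up in the map instead makes an unknown key surface at render time (it raises under a strict Undefined such as Ansible's; with plain Jinja's default Undefined it would render an empty comment, so the renderer's Undefined class decides how loud this is): `{%- for key, value in options.items() %}` / `{{ key }}: {{ value }} # {{ feature_map[key] }}` / `{%- endfor %}`. That also emits keys in the caller's order rather than the map's, which a YAML consumer does not depend on. A header comment should state the value contract, e.g. `{# Renders a 'features:' mapping; option values must be booleans, emitted as True/False which YAML parses as booleans #}`.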
@@ -44,7 +44,13 @@ galaxy_info:
 # Define dummy variables including group_names that contain the application_id "portfolio".
 fake_variables = {
 "domains": {"portfolio": "myportfolio.com"},
- "applications": {"portfolio": {"landingpage_iframe_enabled": True}},
+ "applications": {
+ "portfolio": {
+ "features": {
+ "iframe": True
+ }
+ }
+ },
 "group_names": ["portfolio"]
 }
 result = lookup_module.run([self.test_roles_dir], variables=fake_variables)
@@ -71,7 +77,13 @@ galaxy_info:
 # Set fake variables with group_names that do NOT include the application_id "portfolio".
 fake_variables = {
 "domains": {"portfolio": "myportfolio.com"},
- "applications": {"portfolio": {"landingpage_iframe_enabled": True}},
+ "applications": {
+ "portfolio": {
+ "features": {
+ "iframe": True
+ }
+ }
+ },
 "group_names": [] # Not including "portfolio"
 }
 result = lookup_module.run([self.test_roles_dir], variables=fake_variables)
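Review bot: The same seven-line `fake_variables` literal is now written out twice, once in each of the two hunks (`@@ -44,7 +44,13 @@` and `@@ -71,7 +77,13 @@`), differing only in `group_names`; a small helper keeps the fixture shape in one place so the next schema change does not have to be applied twice. Something like `def _portfolio_variables(group_names):` / `return {"domains": {"portfolio": "myportfolio.com"}, "applications": {"portfolio": {"features": {"iframe": True}}}, "group_names": group_names}` with `fake_variables = _portfolio_variables(["portfolio"])` at the first call site would do. Neither test covers an `applications.portfolio` entry without a `features` key; if the lookup plugin is meant to default `iframe` in that case, a third fixture without it would pin that. Both enclosing test methods start and end outside these hunks.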