This commit updates multiple roles to ensure compatibility with Ansible 2.20.
Several include paths and task-loading mechanisms required adjustments,
as Ansible 2.20 applies stricter evaluation rules for complex Jinja expressions
and no longer resolves certain relative include paths the way Ansible 2.18 did.
Key changes:
- Replaced legacy once_finalize.yml and once_flag.yml with the new structure
under tasks/utils/once/finalize.yml and tasks/utils/once/flag.yml.
- Updated all include_tasks statements to use 'path_join' with playbook_dir,
ensuring deterministic and absolute file resolution across roles.
- Fixed all network helper includes by converting direct relative paths such as
'roles/docker-compose/tasks/utils/network.yml' to proper Jinja-evaluated paths.
- Normalized MATOMO_* variable names for consistency with the updated variable
scope behavior in Ansible 2.20.
- Removed deprecated patterns that were implicitly supported in Ansible 2.18
but break under the more strict variable and path resolution model in 2.20.
These changes are part of the full migration step required to ensure the
infinito-nexus roles remain stable, deterministic, and forward-compatible with
Ansible 2.20.
Details of the discussion and reasoning can be found in this conversation:
https://chatgpt.com/share/69300a8d-24d4-800f-bec0-e895a695618a
- Moved database seed variables from vars/main.yml to task-level include in BigBlueButton
- Simplified core include logic in sys-ctl-bkp-docker-2-loc
- Ensured clean conditional for BKP_DOCKER_2_LOC_DB_ENABLED
See: https://chatgpt.com/share/68f216f7-62d8-800f-94e3-c82e4418e51b (deutsch)
- Switch to custom BBB Docker repository
- Externalize Coturn and Collabora by default
- Add dedicated 03_dependencies.yml for dependency handling
- Improve env templating with lowercased feature flags
- Add conditional healthcheck for Greenlight
- Refactor TURN/STUN/relay handling with role variable _BBB_COTURN_ROLE
- Extend Collabora/Greenlight dependency wiring in override file
- Nextcloud Talk: refine vars and enable/disable logic with separate plugin/service flags, add network_mode support and conditional nginx proxy block
Ref: https://chatgpt.com/share/68d741ff-a544-800f-9e81-a565e0bab0eb
- Split internal/external Coturn for BBB and Nextcloud
- Added dedicated relay port ranges per app
- Updated env and compose overrides for coturn
- Ensure coturn role is loaded conditionally
- Standardize credential/env passing for coturn
@Seehttps://chatgpt.com/share/68d6f376-4878-800f-b4f7-62822caa49ea
- Aligned schema/main.yml credential definitions with consistent spacing
- Changed PostgreSQL secret to use random_hex_32 instead of bcrypt
- Improved administrator creation logic in tasks/02_administrator.yml:
* First try with primary password
* Retry with starred password if OIDC is enabled
* Fallback to user:set_admin_role if both fail
See: https://chatgpt.com/share/68d6aa34-19cc-800f-828a-a5121fda589f
Context: debugging mediasoup/WebRTC failures caused by empty/interpolated vars (EXTERNAL_IPv4, etc.).
- Normalize config/main.yml (ip6_enabled flag, enable greenlight/coturn) and tidy formatting.
- Extend vars/main.yml with BBB_* switches (IPv6, Greenlight, Coturn), TURN/Coturn cert paths.
- env.j2: wire secrets & toggles, guard IPv6 via BBB_IP6_ENABLED, switch LDAP/OIDC to role flags, add TURN/STUN, and general cleanup.
- tasks/main.yml: use BBB_* fact names, robust path joins, write docker-compose.override.yml, and notify compose on env/override changes.
- tasks/01_docker-compose.yml: reference new BBB_DOCKER_COMPOSE_* facts.
- Add templates/docker-compose.override.yml.j2 (placeholder for SFU overrides to avoid bad defaults during runs).
Rationale: make Compose brings deterministic (no empty ), paving the way to set MS_WEBRTC_LISTEN_IPS in override without risk.
Chat reference: debugging thread with GPT-5 Thinking on 2025-09-26 https://chatgpt.com/share/68d59d98-4388-800f-a627-07b6a603d0b2.
This commit restructures systemctl service definitions and category mappings.
Motivation: Alarm-related bugs revealed inconsistencies in service and role handling.
Preparation step: lays the groundwork for fixing the alarm issues by aligning categories, roles, and service templates.
- Fixed incorrect handling of RBAC group configuration (moved from OIDC claims into dedicated RBAC variable set).
- Unified RBAC group usage across applications (LAM, pgAdmin, phpLDAPadmin, phpMyAdmin, YOURLS).
- Replaced old 'KEYCLOAK_OIDC_RBAC_SCOPE_NAME' with dedicated 'KEYCLOAK_RBAC_GROUP_*' variables.
- Updated OAuth2 Proxy configuration to use 'RBAC.GROUP.CLAIM'.
- Refactored Keycloak role task structure:
* Renamed and reorganized task files for clarity ('_update.yml', '02_cleanup.yml', etc.).
* Introduced meta and dependency handling separation.
- Cleaned up Keycloak config defaults and recaptcha placeholders.
