Solved variable and handler bugs

group_vars/all

@@ -168,9 +168,10 @@ domain_moodle:                  "academy.{{primary_domain}}"
 domain_mediawiki:               "wiki.{{primary_domain}}"
 domain_nextcloud:               "cloud.{{primary_domain}}"
 domain_openproject:             "project.{{primary_domain}}"
-domain_pixelfed:                "picture.{{primary_domain}}"
 domain_peertube:                "video.{{primary_domain}}"
 domains_peertube:               []
+domain_phpmyadmin:              "phpmyadmin.{{primary_domain}}"
+domain_pixelfed:                "picture.{{primary_domain}}"
 domain_portfolio:               "{{primary_domain}}"
 domain_roulette:                "roulette.{{primary_domain}}"
 domain_taiga:                   "kanban.{{primary_domain}}"
@@ -250,9 +251,9 @@ ldap_openldap_version:                "latest"
 ldap_phpldapadmin_version:            "2.0.0-dev"                               # @todo Attention: Change this as fast as released to latest
 ldap_webinterface:                    "lam"                                     # The webinterface which should be used. Possible: lam and phpldapadmin
 ldap_administrator_username:          "{{administrator_username}}"
-ldap_administrator_password:          "{{user_administrator_initial_password}}" #CHANGE for security reasons
-ldap_administrator_database_password: "{{user_administrator_initial_password}}" #CHANGE for security reasons
-ldap_lam_administrator_password:      "{{user_administrator_initial_password}}" #CHANGE for security reasons
+ldap_administrator_password:          "{{user_administrator_initial_password}}" # CHANGE for security reasons
+ldap_administrator_database_password: "{{user_administrator_initial_password}}" # CHANGE for security reasons
+ldap_lam_administrator_password:      "{{user_administrator_initial_password}}" # CHANGE for security reasons
 
 #### Listmonk
 listmonk_admin_username:          "{{administrator_username}}"
@@ -300,15 +301,19 @@ oauth2_proxy_active:                  false       # Needs to be set true in the
 oauth2_version:                               "latest"
 oauth2_proxy_redirect_url:                    "https://{{domain_keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth"  # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
 # oauth2_proxy_port:                          >= 4180                                   # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy.
-# oauth2_proxy_upstream_application_and_port:  # The name of the application which the server redirects to. Needs to be defined in role vars.
-
-#### Open Project
-# openproject_oauth2_proxy_client_secret: Needs to be defined in inventory # The client ID configured in Keycloak for the application. 
-# openproject_oauth2_proxy_cookie_secret: Needs to be defined in inventory # The client secret configured in Keycloak for the application.
+oauth2_proxy_upstream_application_and_port:   "application:80"                          # The name of the application which the server redirects to. Needs to be defined in role vars.
+oauth2_proxy_allowed_roles:                   admin                                     # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups  
+oauth2_proxy_client_id:                       "{{primary_domain}}"                      # The id of the client application
+oauth2_proxy_client_secret:                   "{{primary_oauth2_proxy_client_secret}}"  # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible
+oauth2_proxy_cookie_secret:                   "{{primary_oauth2_proxy_cookie_secret}}"  # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible openssl rand -hex 16
 
 #### Peertube
 peertube_version:                         "bookworm"
 
+#### PHPMyAdmin
+phpmyadmin_version:                       "latest"
+phpmyadmin_autologin:                     false     # This is a high security risk. Just activate this option if you know what you're doing
+
 #### Pixelfed
 pixelfed_app_name:          "Pictures on {{primary_domain}}"
 pixelfed_version:           "latest"

inventory.example.yml

@@ -45,7 +45,7 @@ pixelfed_database_password:         "I_NEED_TO_CHANGE_THIS_UNSECURE_PASSWORD"
 pixelfed_app_key:                   "I_NEED_TO_CHANGE_THIS_UNSECURE_PASSWORD"
 wordpress_database_password:        "I_NEED_TO_CHANGE_THIS_UNSECURE_PASSWORD"
 yourls_database_password:           "I_NEED_TO_CHANGE_THIS_UNSECURE_PASSWORD"
-yourls_administrator_username_password:               "I_NEED_TO_CHANGE_THIS_UNSECURE_PASSWORD"
+yourls_administrator_password:      "I_NEED_TO_CHANGE_THIS_UNSECURE_PASSWORD"
 
 path_mass_storage:                  "/mnt/hdd/"
 path_rapid_storage:                 "/mnt/ssd/"

playbook.servers.yml

@@ -315,6 +315,17 @@
       vars:
         domain: "{{domain_ldap}}"
         http_port:          8033
+        oauth2_proxy_port:  4182
+
+- name: setup PHPMyAdmin
+  hosts: phpmyadmin
+  become: true
+  roles:
+   -  role: docker-phpmyadmin
+      vars:
+        domain: "{{domain_phpmyadmin}}"
+        http_port:          8034
+        oauth2_proxy_port:  4181
 
 # Native Webserver Roles
 - name: setup nginx-static-repositorys

roles/docker-compose/handlers/main.yml

@@ -27,4 +27,4 @@
   environment:
     COMPOSE_HTTP_TIMEOUT: 600
     DOCKER_CLIENT_TIMEOUT: 600
-  listen: docker compose project setup
+  listen: docker compose project build and setup

roles/docker-ldap/templates/docker-compose.yml.j2

@@ -1,11 +1,14 @@
 services:
-{% if ldap_webinterface == 'lam' %}
-  lam:
-    image: ghcr.io/ldapaccountmanager/lam:{{ldap_lam_version}}  # Dies ist das Docker-Image für LAM
-    container_name: lam
+
+{% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %}
+
+  {{ldap_webinterface}}:
+    container_name: {{ldap_webinterface}}
     logging:
       driver: journald
     restart: {{docker_restart_policy}}
+{% if ldap_webinterface == 'lam' %}
+    image: ghcr.io/ldapaccountmanager/lam:{{ldap_lam_version}}      # Dies ist das Docker-Image für LAM
     ports:
       - 127.0.0.1:{{http_port}}:80 
     environment:                                                    # See all variables here: https://github.com/LDAPAccountManager/lam/blob/develop/lam-packaging/docker/.env  
@@ -23,11 +26,7 @@ services:
       LDAP_USER:           {{ldap_admin_dn}}                         # LDAP admin user (set as login user for LAM)
       LDAP_ADMIN_PASSWORD: {{ldap_administrator_database_password}}  # LDAP admin password
 {% elif ldap_webinterface == 'phpldapadmin' %}
-  phpldapadmin:
     image: leenooks/phpldapadmin:{{ldap_phpldapadmin_version}}
-    logging:
-      driver: journald
-    restart: {{docker_restart_policy}}
     ports:
       - 127.0.0.1:{{http_port}}:8080
     environment:
@@ -37,6 +36,7 @@ services:
 {% endif %}
   openldap:
     image: bitnami/openldap:{{ldap_openldap_version}}
+    container_name: openldap
     logging:
       driver: journald
     restart: {{docker_restart_policy}}

roles/docker-ldap/vars/main.yml

@@ -4,3 +4,7 @@ ldap_admin_dn:                "cn={{ldap_administrator_username}},{{ldap_root}}"
 ldap_secure_localhost_port:   1636
 ldap_secure_internet_port:    636
 ldap_localhost_port:          389
+
+# OAuth2 Proxy Configuration
+oauth2_proxy_upstream_application_and_port: "{{ ldap_webinterface }}:{% if ldap_webinterface == 'phpldapadmin' %}8080{% else %}80{% endif %}"
+oauth2_proxy_active:                        true

roles/docker-mailu/README.md

@@ -177,6 +177,7 @@ If your IP or domain is flagged by Cloudmark, you can submit a **reset request**
 - [Mailu GitHub repository](https://github.com/Mailu/Mailu)
 - [Plesk support article on RoundCube connection issue](https://support.plesk.com/hc/en-us/articles/115001264814-Unable-to-log-into-RoundCube-Connection-to-storage-server-failed)
 - [Gist by marienfressinaud](https://gist.github.com/marienfressinaud/f284a59b18aad395eb0de2d22836ae6b)
+- [Implementing OpenID with Mailu](https://github.com/heviat/Mailu-OIDC)
 
 For more information about this role, visit the [GitHub repository](https://github.com/kevinveenbirkenbach/cymais/tree/master/roles/docker-mailu).
 

roles/docker-oauth2-proxy/README.md

@@ -1 +1,58 @@
-https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/local-environment/keycloak/oauth2-proxy-realm.json
+# Docker OAuth2 Proxy Role
+
+Welcome to the **Docker OAuth2 Proxy Role**! 🌟 This role contains helper functions to set up an OAuth2 proxy using [OAuth2 Proxy](https://github.com/oauth2-proxy/oauth2-proxy), a tool designed to secure applications by protecting them with OAuth2 authentication. 💡
+
+## Overview
+
+The OAuth2 Proxy is used to shield specific web applications from unauthorized access by requiring users to authenticate via an external identity provider, such as Keycloak. This role simplifies the setup process by providing templated configurations and tasks to integrate the OAuth2 Proxy with Docker Compose and Keycloak.
+
+## Features
+
+- 🚀 Automated configuration transfer to your Docker Compose instance.
+- 🔧 Template files for a fully customizable proxy setup.
+- 🔐 Integration with Keycloak as an OpenID Connect (OIDC) provider.
+- 🛡️ Configurations to secure applications and allow cookie-based authentication across subdomains.
+
+## How It Works
+
+The role includes the following key components:
+
+1. **Templates**:
+    - `oauth2-proxy-keycloak.cfg.j2`: A configuration file for the OAuth2 Proxy, pre-integrated with Keycloak as an identity provider.
+    - `container.yml.j2`: A container definition for the OAuth2 Proxy, specifying the image, ports, volumes, and restart policies.
+
+2. **Tasks**:
+    - A task to transfer the templated configuration to the Docker Compose instance directory.
+    - A notifier to trigger the setup of the Docker Compose project after transferring the configuration.
+
+3. **Integration**:
+    - Keycloak is configured as the OIDC provider, enabling seamless authentication and authorization.
+    - Upstream application support ensures traffic is securely proxied to the correct destination.
+
+## Why Use This Proxy?
+
+Using this proxy ensures that only authenticated users can access your protected applications. By leveraging OAuth2, you can:
+
+- ✅ Secure applications with minimal configuration.
+- ✅ Enable single sign-on (SSO) and centralized user management.
+- ✅ Restrict access to specific domains and subdomains.
+
+## Dependencies
+
+Before using this role, ensure you have the following:
+
+- Docker and Docker Compose installed on your system.
+- A running Keycloak instance configured with the appropriate realm and clients.
+
+## Learn More
+
+To learn more about OAuth2 Proxy, check out the [official documentation](https://oauth2-proxy.github.io/oauth2-proxy/).
+
+## Author
+
+This role was created and maintained by **Kevin Veen-Birkenbach**. 🌍 You can learn more about Kevin and his projects at [veen.world](https://www.veen.world).
+
+---
+
+Protect your web applications with ease and confidence! ✨
+

roles/docker-oauth2-proxy/templates/container.yml.j2

@@ -1,5 +1,4 @@
   oauth2-proxy:
-    #image: quay.io/oauth2-proxy/oauth2-proxy:v7.8.1
     image: quay.io/oauth2-proxy/oauth2-proxy:{{oauth2_version}}
     restart: {{docker_restart_policy}}
     command: --config /oauth2-proxy.cfg

roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2

@@ -1,17 +1,19 @@
-http_address="0.0.0.0:4180"
-cookie_secret="{{oauth2_proxy_cookie_secret}}"
-email_domains="{{primary_domain}}"
-cookie_secure="false"
-upstreams="http://{{oauth2_proxy_upstream_application_and_port}}"
-cookie_domains=["{{domain}}", "{{domain_keycloak}}"]                # Required so cookie can be read on all subdomains.
-whitelist_domains=[".{{primary_domain}}"]                           # Required to allow redirection back to original requested target.
+http_address            =   "0.0.0.0:4180"
+cookie_secret           =   "{{oauth2_proxy_cookie_secret}}"
+email_domains           =   "{{primary_domain}}"
+cookie_secure           =   "false"
+upstreams               =   "http://{{oauth2_proxy_upstream_application_and_port}}"
+cookie_domains          =   ["{{domain}}", "{{domain_keycloak}}"]                   # Required so cookie can be read on all subdomains.
+whitelist_domains       =   [".{{primary_domain}}"]                                 # Required to allow redirection back to original requested target.
 
 # keycloak provider
-client_secret="{{oauth2_proxy_client_secret}}"
-client_id="{{domain}}"
-redirect_url="https://{{domain}}/oauth2/callback"
+client_secret           =   "{{oauth2_proxy_client_secret}}"
+client_id               =   "{{oauth2_proxy_client_id}}"
+redirect_url            =   "https://{{domain}}/oauth2/callback"
+oidc_issuer_url         =   "https://{{domain_keycloak}}/realms/{{primary_domain}}"
+provider                =   "oidc"
+provider_display_name   =   "Keycloak"
 
-# in this case oauth2-proxy is going to visit
-oidc_issuer_url="https://{{domain_keycloak}}/realms/{{primary_domain}}"
-provider="oidc"
-provider_display_name="Keycloak"
+# role restrictions
+#cookie_roles            =   "realm_access.roles"
+allowed_roles           =   "{{oauth2_proxy_allowed_roles}}"

roles/docker-openproject/vars/main.yml

@@ -1,14 +1,13 @@
 docker_compose_project_name:                  "openproject"
 repository_directory:                         "{{ path_docker_compose_instances }}{{docker_compose_project_name}}/"
 docker_compose_instance_directory:            "{{repository_directory}}compose/"
-database_password:                            "{{openproject_database_password}}"
 repository_address:                           "https://github.com/opf/openproject-deploy"
+database_password:                            "{{openproject_database_password}}"
 database_type:                                "postgres"
+
 # The following volume doesn't have a practcical function. It just exist to prevent the creation of unnecessary anonymous volumes
 dummy_volume:                                 "{{repository_directory}}dummy_volume"
 
 # OAuth2 Proxy Configuration
-oauth2_proxy_client_secret:                   "{{openproject_oauth2_proxy_client_secret}}"
-oauth2_proxy_cookie_secret:                   "{{openproject_oauth2_proxy_cookie_secret}}"
 oauth2_proxy_upstream_application_and_port:   "proxy:80"
 oauth2_proxy_active:                          true

roles/docker-phpmyadmin/README.md

@@ -0,0 +1,23 @@
+# Docker PhpMyAdmin Role
+
+Welcome to the **Docker PhpMyAdmin Role**! 🎉 This role simplifies the deployment of PhpMyAdmin in a Docker environment, including optional OAuth2 proxy support for enhanced security.
+
+## Features ✨
+
+- 🚀 **Automated Deployment:** Effortlessly deploy PhpMyAdmin with Docker Compose.
+- 🔐 **OAuth2 Proxy Support:** Secure access with OAuth2 authentication.
+- 🛠️ **Configurable Settings:** Fully customizable via Ansible variables.
+- 🌐 **Support for Central Databases:** Seamlessly integrates with a central MariaDB database.
+- 🐳 **Docker Compose Integration:** Generates `docker-compose.yml` tailored to your environment.
+
+## Learn More 📖
+
+- Official PhpMyAdmin Website: [https://www.phpmyadmin.net/](https://www.phpmyadmin.net/)
+
+## Contributing 🤝
+
+Contributions are welcome! Feel free to fork this repository, submit issues, or create pull requests to improve this role.
+
+---
+
+Made with ❤️ by [Kevin Veen-Birkenbach](https://www.veen.world).

roles/docker-phpmyadmin/tasks/main.yml

@@ -0,0 +1,12 @@
+---
+- name: "include docker/compose/common.yml"
+  include_tasks: docker/compose/common.yml
+
+- name: "include tasks nginx-docker-proxy-domain.yml"
+  include_tasks: nginx-docker-proxy-domain.yml
+
+- name: add docker-compose.yml
+  template: 
+    src:  "docker-compose.yml.j2" 
+    dest: "{{docker_compose_instance_directory}}docker-compose.yml"
+  notify: docker compose project setup

roles/docker-phpmyadmin/templates/docker-compose.yml.j2

@@ -0,0 +1,22 @@
+services:
+
+{% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %}
+
+  application:
+    logging:
+      driver: journald
+    image: phpmyadmin/phpmyadmin:{{phpmyadmin_version}}
+    container_name: phpmyadmin
+    environment:
+      PMA_HOST: central-mariadb
+{% if phpmyadmin_autologin | bool %}
+      PMA_USER: root
+      PMA_PASSWORD: "{{central_mariadb_root_password}}"
+{% endif %}
+    restart: {{docker_restart_policy}}
+    ports:
+      - "127.0.0.1:{{http_port}}:80"
+{% include 'templates/docker/container/depends-on-just-database.yml.j2' %}
+{% include 'templates/docker/container/networks.yml.j2' %}
+
+{% include 'templates/docker/compose/networks.yml.j2' %}

roles/docker-phpmyadmin/vars/main.yml

@@ -0,0 +1,5 @@
+docker_compose_project_name:  "phpmyadmin"
+database_type:                "mariadb"
+database_host:                "{{ 'central-' + database_type if enable_central_database}}"
+# OAuth2 Proxy Configuration
+oauth2_proxy_active:        true

roles/docker-yourls/templates/docker-compose.yml.j2

@@ -15,8 +15,8 @@ services:
       YOURLS_DB_PASS: "{{database_password}}"
       YOURLS_DB_NAME: "{{database_name}}"
       YOURLS_SITE:    "https://{{domain}}"
-      yourls_administrator_username:  "{{yourls_administrator_username}}"
-      YOURLS_PASS:                    "{{yourls_administrator_username_password}}"
+      YOURLS_USER:    "{{yourls_administrator_username}}"
+      YOURLS_PASS:    "{{yourls_administrator_password}}"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://127.0.0.1/admin/"]
       interval: 1m

tasks/update-repository-with-files.yml

@@ -1,13 +1,7 @@
-- name: "Add {{oauth2_configuration_file}} to detached_files if oauth2_proxy_active is true"
+- name: "Merge detached_files with oauth2_configuration_file"
   ansible.builtin.set_fact:
-    detached_files: >-
-      {{
-        (detached_files | default([])) +
-        [oauth2_configuration_file]
-        if oauth2_configuration_file not in (detached_files | default([]))
-        else detached_files | default([])
-      }}
-  when: oauth2_proxy_active | default(false)
+    merged_detached_files: "{{ detached_files + [oauth2_configuration_file] }}"
+  when: oauth2_proxy_active
 
 - name: "backup detached files"
   command: >
@@ -15,7 +9,7 @@
   args:
     removes: "{{docker_compose_instance_directory}}{{ item }}"
   become: true
-  loop: "{{ detached_files }}"
+  loop: "{{ merged_detached_files | default(detached_files) }}"
 
 - name: checkout repository 
   ansible.builtin.shell: git checkout .
@@ -38,9 +32,9 @@
   args:
     removes: "/tmp/{{docker_compose_project_name}}-{{ item }}.backup"
   become: true
-  loop: "{{ detached_files }}"
+  loop: "{{ merged_detached_files | default(detached_files) }}"
 
-- name: "copy {{ item }}"
+- name: "copy {{ detached_files }} templates to server"
   template: 
     src: "{{ item }}.j2"
     dest: "{{docker_compose_instance_directory}}{{ item }}"