removed deprecated parameter

Refactored oidc, solved network bugs and refactored
Optimized design
2025-11-04 04:08:15 +00:00 · 2025-02-20 11:47:08 +01:00 · 2025-02-20 11:44:50 +01:00 · 2025-02-20 10:21:52 +01:00
18 changed files with 76 additions and 94 deletions
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
@@ -30,7 +30,9 @@ defaults_applications:
  ## Big Blue Button
  bigbluebutton:
    enable_greenlight:    "true"
-    setup:                false # Set to true in inventory file for initial setup
+    setup:                false                           # Set to true in inventory file for initial setup
+    oidc:
+      enabled:               true                         # Activate OIDC

  ## Bluesky
  bluesky:
@@ -47,15 +49,19 @@ defaults_applications:
    container:  "discourse_application"       # Name of the container application
    repository: "discourse_repository"        # Name of the repository folder
    # database_password:                      # Needs to be defined in inventory file
+    oidc:
+      enabled:               true             # Activate OIDC

  ## Friendica
  friendica:
    version:              "latest"
+    oidc:
+      enabled:               true             # Activate OIDC. Plugin is not working yet

  ## Funkwhale
  funkwhale:
    version:        "1.4.0"
-    ldap_enabled:   True    # Enables LDAP by default 
+    ldap_enabled:   True                      # Enables LDAP by default 

  ## Gitea
  gitea:
@@ -107,6 +113,16 @@ defaults_applications:
    version:                          "latest"                                  # Docker Image version
    setup:                            false                                     # Set true in inventory file to execute the setup and initializing procedures

+  mailu:
+    oidc:
+      enabled:                        true                                      # Activate OIDC for Mailu
+    domain:                           "{{primary_domain}}"                      # The main domain from which mails will be send \ email suffix behind @
+    # I don't know why the database deactivation is necessary
+    enable_central_database:          False                                     # Deactivate central database for mailu
+#    secret_key:                                                                # Needs to be set in inventory file
+#    database_password:                                                         # Needs to be set in inventory file
+#    api_token:                                                                 # Needs to be set in inventory file
+
  ## MariaDB
  mariadb:
    version:                          "latest"
@@ -118,12 +134,16 @@ defaults_applications:
      enabled:                        false                         # Deactivated atm. @todo implement 
 #   database_password:                Null                          # Needs to be set in inventory file
 #   auth_token:                       Null                          # Needs to be set in inventory file
+    css:
+      enabled:       false                                          # The css isn't optimized yet for Matomo

  ## Mastodon
  mastodon:
    version:                          "latest"
    single_user_mode:                 false                         # Set true for initial setup
    setup:                            false                         # Set true in inventory file to execute the setup and initializing procedures
+    oidc:
+      enabled:               true                                   # Activate OIDC for Mailu
 #
 # Check out the README.md of the docker-mastodon role to get detailled instructions about how to setup the credentials
 #
@@ -171,8 +191,10 @@ defaults_applications:
  ## Nextcloud
  nextcloud:
    version:              "production"  # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
-    ldap_enabled:         True          # Enables LDAP by default
+    ldap_enabled:         True          # Enables LDAP by default, missing ansible setup tasks @todo setup
 #   database_password:    Null          # Needs to be set in inventory file
+    oidc:
+      enabled:            true          # Activate OIDC for Nextcloud

  ## OAuth2 Proxy
  oauth2_proxy:
--- a/group_vars/all/09_ports.yml
+++ b/group_vars/all/09_ports.yml
@@ -55,3 +55,7 @@ ports:
      gitlab:        2202
    ldaps:
      openldap:      636
+    stun:   
+      bigbluebutton: 3478 # Not sure if it's right placed here or if it should be moved to localhost section
+    turn:
+      bigbluebutton: 5349 # Not sure if it's right placed here or if it should be moved to localhost section
--- a/group_vars/all/10_networks.yml
+++ b/group_vars/all/10_networks.yml
@@ -12,8 +12,8 @@ defaults_networks:
      subnet: 192.168.101.16/28
    baserow:
      subnet: 192.168.101.32/28
-    bigbluebutton:
-      subnet: 192.168.101.48/28
+    # Free:
+    #  subnet: 192.168.101.48/28
    bluesky:
      subnet: 192.168.101.64/28
    friendica:
@@ -68,6 +68,7 @@ defaults_networks:
      subnet: 192.168.102.192/28
    discourse:
      subnet: 192.168.102.208/28
-
+    bigbluebutton:
+      subnet: 10.7.7.0/24 # This variable does not have an impact. It's just there for documentation reasons.

  
--- a/group_vars/all/11_iam.yml
+++ b/group_vars/all/11_iam.yml
@@ -12,7 +12,6 @@ _oidc_client_realm:       "{{ oidc.client.realm if oidc.client is defined and oi
 _oidc_client_issuer_url:  "https://{{domains.keycloak}}/realms/{{_oidc_client_realm}}"

 defaults_oidc:
-  enabled:               true # Enable OIDC functionality for all apps 
  client:
    id:                   "{{primary_domain}}"                                              # Client identifier, typically matching your primary domain
 #   secret:                                                                                 # Client secret for authenticating with the OIDC provider (set in the inventory file). Recommend greater then 32 characters
--- a/group_vars/all/12_storage.yml
+++ b/group_vars/all/12_storage.yml
@@ -1,6 +1,5 @@
 ## Enable Central Postgress and MariaDB instead of dedicated container per application
 enable_central_database:          true
-enable_central_database_mailu:    "{{enable_central_database}}"

 ## Enable Storage Optimizer for Docker Volumes
 enable_system_storage_optimizer:  true
--- a/group_vars/all/13_design.yml
+++ b/group_vars/all/13_design.yml
@@ -4,15 +4,6 @@ defaults_design:
    colors:
      # General Colors
      base: "#001f3f"
-      
-      # Sucess Color
-      success:  "#B2D3B2"
-      # As the warning color – a light brown (earth)
-      warning:  "#D2B48C"
-      # For error messages (standard red)
-      error:    "#DC3545"
-      # As the info color – a very light blue (symbolizing the sky)
-      info:     "#F0F8FF"
    filters:
      saturation_change:  70
      hue_shift:          0
--- a/group_vars/all/14_service_provider.yml
+++ b/group_vars/all/14_service_provider.yml
@@ -1,9 +1,9 @@
 # Adapt the values in your inventory file
 defaults_service_provider:
-  type:           "legal"                                                       # Accepted Values: natural, legal
+  type:             "legal"                                                       # Accepted Values: natural, legal
  company:
-    titel:        "CyMaIS Example GbR"
-    slogan:       "We keep your 0 and 1 in line"
+    titel:          "CyMaIS Example GbR"
+    slogan:         "We keep your 0 and 1 in line"
    address:
      street:       "Binary Avenue 01"
      city:         "Cybertown"
@@ -11,19 +11,19 @@ defaults_service_provider:
      country:      "Nexusland"
    logo:           https://cloud.veen.world/s/logo_cymais_512x512/download
  platform:    
-    titel:        "CyMaIS Plattform Demo"
-    subtitel:     "Demo of the Cyber Master Infrastructur Solution Plattform"
+    titel:          "CyMaIS Plattform Demo"
+    subtitel:       "Demo of the Cyber Master Infrastructur Solution Plattform"
    logo:           https://cloud.veen.world/s/logo_cymais_512x512/download
    favicon:        https://cloud.veen.world/s/veen_world_favicon/download
  contact:
-    bluesky:      "@{{administrator_username}}.{{domains.bluesky_api}}"
-    email:        "contact@{{primary_domain}}"
-    mastodon:     "@{{administrator_username}}@{{domains.mastodon}}"
-    matrix:       "@{{administrator_username}}:{{domains.matrix_synapse}}"
-    peertube:     "@{{administrator_username}}@{{domains.peertube}}"
-    pixelfed:     "@{{administrator_username}}@{{domains.pixelfed}}"
-    phone:        "+0 000 000 404"
-    wordpress:    "@{{administrator_username}}@{{domains.wordpress[0]}}"
+    bluesky:        "@{{administrator_username}}.{{domains.bluesky_api}}"
+    email:          "contact@{{primary_domain}}"
+    mastodon:       "@{{administrator_username}}@{{domains.mastodon}}"
+    matrix:         "@{{administrator_username}}:{{domains.matrix_synapse}}"
+    peertube:       "@{{administrator_username}}@{{domains.peertube}}"
+    pixelfed:       "@{{administrator_username}}@{{domains.pixelfed}}"
+    phone:          "+0 000 000 404"
+    wordpress:      "@{{administrator_username}}@{{domains.wordpress[0]}}"
  legal:
    editorial_responsible:  "Johannes Gutenberg"
    source_code:            "https://github.com/kevinveenbirkenbach/cymais"
--- a/roles/docker-bigbluebutton/templates/env.j2
+++ b/roles/docker-bigbluebutton/templates/env.j2
@@ -43,16 +43,17 @@ FSESL_PASSWORD={{bigbluebutton_fsesl_password}}
 DOMAIN={{domain}}

 EXTERNAL_IPv4={{networks.internet.ip4}}
-EXTERNAL_IPv6=
+# The following line is not tested and could lead to bugs:
+EXTERNAL_IPv6={{networks.internet.ip6}}

 # STUN SERVER
 # stun.freeswitch.org
 STUN_IP={{networks.internet.ip4}}
-STUN_PORT=3478
+STUN_PORT={{ ports.public.stun[application_id] }}

 # TURN SERVER
 # uncomment and adjust following two lines to add an external TURN server
-TURN_SERVER=turns:{{domain}}:5349?transport=tcp
+TURN_SERVER=turns:{{domain}}:{{ ports.public.turn[application_id] }}?transport=tcp
 TURN_SECRET={{bigbluebutton_turn_secret}}

 # Allowed SIP IPs
@@ -282,7 +283,7 @@ HELP_URL=https://docs.bigbluebutton.org/greenlight/gl-overview.html
 #   approval - For approve/decline registration
 DEFAULT_REGISTRATION=invite

-{% if oidc.enabled | bool %}
+{% if applications[application_id].oidc.enabled | bool %}
 ### EXTERNAL AUTHENTICATION METHODS
 # @See https://docs.bigbluebutton.org/greenlight/v3/external-authentication/
 #
--- a/roles/docker-discourse/templates/discourse_application.yml.j2
+++ b/roles/docker-discourse/templates/discourse_application.yml.j2
@@ -112,7 +112,7 @@ run:
  ## If you want to set the 'From' email address for your first registration, uncomment and change:
  ## After getting the first signup email, re-comment the line. It only needs to run once.
  #- exec: rails r "SiteSetting.notification_email='info@unconfigured.discourse.org'"
-{% if oidc.enabled | bool %}
+{% if applications[application_id].oidc.enabled | bool %}
  # Deactivate Default Login
  - exec: rails r "SiteSetting.enable_local_logins = false"
  - exec: rails r "SiteSetting.enable_passkeys = false" # https://meta.discourse.org/t/passwordless-login-using-passkeys/285589
--- a/roles/docker-friendica/vars/main.yml
+++ b/roles/docker-friendica/vars/main.yml
@@ -1,4 +1,4 @@
 application_id:     "friendica"
 database_password:  "{{friendica_database_password}}"
 database_type:      "mariadb"
-no_validation:      "{{oidc.enabled}}"                # Email validation is not neccessary if OIDC is active
+no_validation:      "{{applications[application_id].oidc.enabled}}" # Email validation is not neccessary if OIDC is active
--- a/roles/docker-keycloak/templates/import/realm.json.j2
+++ b/roles/docker-keycloak/templates/import/realm.json.j2
@@ -835,7 +835,7 @@
      "secret": "{{oidc.client.secret}}",
      "redirectUris": [
        {%- set redirect_uris = [] -%}
-        {%- for application, domain in defaults_domains.items() -%}
+        {%- for application, domain in domains.items() -%}
          {%- if applications[application_id] is defined and applications | get_oauth2_enabled(application_id) -%}
            {%- if domain is string -%}
              {%- set _ = redirect_uris.append("https://" ~ domain ~ "/*") -%}
--- a/roles/docker-mailu/templates/env.j2
+++ b/roles/docker-mailu/templates/env.j2
@@ -12,7 +12,7 @@
 LD_PRELOAD=/usr/lib/libhardened_malloc.so 

 # Set to a randomly generated 16 bytes string
-SECRET_KEY={{mailu_secret_key}}
+SECRET_KEY={{applications.mailu.secret_key}}

 # Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!)
 SUBNET={{networks.local.mailu.subnet}}
@@ -118,7 +118,7 @@ WEBSITE=https://{{domain}}
 # json-file (default)
 # journald (On systemd platforms, useful for Fail2Ban integration)
 # syslog (Non systemd platforms, Fail2Ban integration. Disables `docker-compose log` for front!)
-# LOG_DRIVER=json-file
+LOG_DRIVER=syslog

 # docker-compose project name, this will prepended to containers names.
 COMPOSE_PROJECT_NAME=mailu
@@ -145,20 +145,20 @@ LOG_LEVEL=WARNING
 SQLALCHEMY_DATABASE_URI_ROUNDCUBE=mysql://{{database_username}}:{{database_password}}@{{database_host}}/{{database_name}}?collation=utf8mb4_unicode_ci
 SQLALCHEMY_DATABASE_URI=mysql+mysqlconnector://{{database_username}}:{{database_password}}@{{database_host}}/{{database_name}}?collation=utf8mb4_unicode_ci

-API_TOKEN={{mailu_api_token}}
+API_TOKEN={{applications.mailu.api_token}}

 # Activated https://mailu.io/master/configuration.html#advanced-settings
 AUTH_REQUIRE_TOKENS=True


-{% if oidc.enabled | bool %}
+{% if applications[application_id].oidc.enabled | bool %}
 ################################### 
 # OpenID Connect settings
 ###################################
 # @see https://github.com/heviat/Mailu-OIDC/tree/master

 # Enable OpenID Connect. Possible values: True, False
-OIDC_ENABLED={{ oidc.enabled | string | capitalize }}
+OIDC_ENABLED={{ applications[application_id].oidc.enabled | string | capitalize }}
 # OpenID Connect provider configuration URL
 OIDC_PROVIDER_INFO_URL={{oidc.client.issuer_url}}
 # OpenID redirect URL if HOSTNAME not matching your login url
--- a/roles/docker-mailu/vars/main.yml
+++ b/roles/docker-mailu/vars/main.yml
@@ -1,5 +1,5 @@
 application_id:               "mailu"
-database_password:  	        "{{mailu_database_password}}"
+database_password:  	        "{{applications.mailu.database_password}}"
 database_type:                "mariadb"
 cert_mount_directory:         "{{docker_compose.directories.volumes}}certs/"
 enable_wildcard_certificate:  false
@@ -7,8 +7,8 @@ enable_wildcard_certificate:  false
 # I don't know why this configuration is necessary.
 # Propabldy due to a database migration problem, or dificulties to configure an external db in mailu
 # @todo research
-enable_central_database:      "{{enable_central_database_mailu}}"
+enable_central_database:      "{{applications.mailu.enable_central_database}}"

 # Use dedicated source for oidc if activated  
 # @see https://github.com/heviat/Mailu-OIDC/tree/2024.06
-docker_source:                "{{ 'ghcr.io/heviat' if oidc.enabled | bool else 'ghcr.io/mailu' }}"
+docker_source:                "{{ 'ghcr.io/heviat' if applications[application_id].oidc.enabled | bool else 'ghcr.io/mailu' }}"
--- a/roles/docker-mastodon/templates/env.j2
+++ b/roles/docker-mastodon/templates/env.j2
@@ -52,14 +52,14 @@ SMTP_OPENSSL_VERIFY_MODE=none
 SMTP_ENABLE_STARTTLS=auto
 SMTP_FROM_ADDRESS=Mastodon <{{system_email.from}}>

-{% if oidc.enabled | bool %}
+{% if applications[application_id].oidc.enabled | bool %}
 ################################### 
 # OpenID Connect settings
 ###################################
 # @see https://github.com/mastodon/mastodon/pull/16221
 # @see https://stackoverflow.com/questions/72081776/how-mastodon-configured-login-using-sso

-OIDC_ENABLED={{ oidc.enabled | string | lower }}
+OIDC_ENABLED={{ applications[application_id].oidc.enabled | string | lower }}
 OIDC_DISPLAY_NAME="{{primary_domain | upper}} SSO"
 OIDC_ISSUER={{oidc.client.issuer_url}}
 OIDC_DISCOVERY=true
--- a/roles/docker-nextcloud/tasks/ldap.yml
+++ b/roles/docker-nextcloud/tasks/ldap.yml
@@ -1,3 +1,4 @@
 # @See https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
 # @See https://chatgpt.com/c/67aa2d21-cb4c-800f-b1be-8629b6bd3f55
+# @todo implement
 #docker compose exec -u www-data application php occ app:enable user_ldap
--- a/roles/docker-nextcloud/tasks/main.yml
+++ b/roles/docker-nextcloud/tasks/main.yml
@@ -24,8 +24,8 @@

 - name: Include OIDC-specific tasks
  include_tasks: oidc.yml
-  when: oidc.enabled | bool
+  when: applications[application_id].oidc.enabled | bool

-#- name: Include LDAP specific tasks
-#  include_tasks: ldap.yml
-#  when: ldap.enabled | bool
+- name: Include LDAP specific tasks
+  include_tasks: ldap.yml
+  when: applications[application_id].ldap_enabled | bool
--- a/roles/nginx-modifier-css/templates/global.css.j2
+++ b/roles/nginx-modifier-css/templates/global.css.j2
@@ -14,13 +14,6 @@ HINT:
        --color-{{ "%02d"|format(i) }}: {{ design.css.colors.base | adjust_color(target_lightness=(i / 100),saturation_change=design.css.filters.saturation_change,hue_shift=design.css.filters.hue_shift) }};
        --color-rgb-{{ "%02d"|format(i) }}: {{ design.css.colors.base | adjust_color_rgb(target_lightness=(i / 100),saturation_change=design.css.filters.saturation_change,hue_shift=design.css.filters.hue_shift) }};
    {% endfor %}
-
-    /** Special Action Colors **/
-    --success-color:    {{ design.css.colors.success }};
-    --warning-color:    {{ design.css.colors.warning }};
-    --error-color:      {{ design.css.colors.error }};
-    --info-color:       {{ design.css.colors.info }};
-
 }

@media (prefers-color-scheme: dark) {
@@ -30,12 +23,6 @@ HINT:
            --color-{{ "%02d"|format(i) }}: {{ design.css.colors.base | adjust_color(target_lightness=(1 - (i / 100)),saturation_change=design.css.filters.saturation_change,hue_shift=design.css.filters.hue_shift) }};
            --color-rgb-{{ "%02d"|format(i) }}: {{ design.css.colors.base | adjust_color_rgb(target_lightness=(1 - (i / 100)),saturation_change=design.css.filters.saturation_change,hue_shift=design.css.filters.hue_shift) }};
        {% endfor %}
-
-        /** Special Action Colors **/
-        --success-color:    {{ design.css.colors.success | adjust_color(target_lightness=(1 - 0.2)) }};
-        --warning-color:    {{ design.css.colors.warning | adjust_color(target_lightness=(1 - 0.3)) }};
-        --error-color:      {{ design.css.colors.error   | adjust_color(target_lightness=(1 - 0.3)) }};
-        --info-color:       {{ design.css.colors.info    | adjust_color(target_lightness=(1 - 0.2)) }};
    }
 }

@@ -62,10 +49,6 @@ HINT:
    --bs-secondary: var(--color-65);
    --bs-body-bg: var(--color-90);
    --bs-body-color: var(--color-40);
-    --bs-danger: var(--error-color);
-    --bs-warning: var(--warning-color);
-    --bs-success: var(--success-color);
-    --bs-info: var(--info-color);
    --bs-link-color: var(--color-50);
    --bs-btn-color: var(--color-40);
 }
@@ -275,8 +258,13 @@ HINT:
  --pf-v5-global--icon--Color--dark--light:    var(--color-99);
  --pf-v5-global--icon--Color--light--dark:    var(--color-40);
  --pf-v5-global--icon--Color--dark--dark:     var(--color-10);
+
 }

+/* Additional Keykloak Configuration */
+a.pf-v5-c-nav__link{
+    --pf-v5-c-nav__link--BackgroundColor: rgba(var(--color-rgb-56), 0.4);
+}

 /* gitea */
 :root {
@@ -577,26 +565,6 @@ h1, h2, h3, h4, h5, h6, p{
    color: var(--color-10) !important;
 }

-/* Bootstrap */
-
-/* States: Success, Warning, Error, Info (Background and Text Colors) */
-.success, .alert-success {
-    background-color: var(--success-color) !important;
-    color: var(--color-40) !important;
-}
-.warning, .alert-warning {
-    background-color: var(--warning-color) !important;
-    color: var(--color-40) !important;
-}
-.error, .alert-danger {
-    background-color: var(--error-color) !important;
-    color: var(--color-40) !important;
-}
-.info, .alert-info {
-    background-color: var(--info-color) !important;
-    color: var(--color-40) !important;
-}
-
 /* Navigation (Background and Text Colors) */
 .navbar, .navbar-light, .navbar-dark {
    background-color:   var(--color-90) !important;
@@ -664,10 +632,6 @@ html.ng-csp header#header{
    background-color:   var(--color-80) !important;
 }

-html.ng-csp div#postsetupchecks ul.warnings{
-    color: var(--error-color) !important;
-}
-
 html.ng-csp div#postsetupchecks ul.info{
    background-color: transparent !important;
 }
@@ -733,7 +697,7 @@ section.main.kanban{
 }

 div.master, div.kanban-header, div.kanban-table-inner, section.kanban button,a.dropdown-project-list-projects{
-    background-color: var(--info-color) !important;
+    background-color: var(--color-92) !important;
    color: var(--color-40) !important;
 }

--- a/templates/docker/compose/networks.yml.j2
+++ b/templates/docker/compose/networks.yml.j2
@@ -9,7 +9,7 @@ networks:
    external: true
 {% endif %}
  default:
-{% if applications[application_id].ldap_enabled is defined and applications[application_id].ldap_enabled | bool and applications.ldap.openldap.network.local | bool %}
+{% if application_id in networks.local and networks.local[application_id].subnet is defined %}
    driver: bridge
    ipam:
      driver: default
Author	SHA1	Message	Date
Kevin Veen-Birkenbach	439072c6b1	removed deprecated parameter	2025-02-20 11:47:08 +01:00
Kevin Veen-Birkenbach	b2ccc69628	Refactored oidc, solved network bugs and refactored	2025-02-20 11:44:50 +01:00
Kevin Veen-Birkenbach	4dd694c4e2	Optimized design	2025-02-20 10:21:52 +01:00