kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-04-28 18:30:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: kevinveenbirkenbach:286517b1274040aa6d05fd1f86bccedb676c4b8e
Branches Tags
kevinveenbirkenbach:master
..
compare: kevinveenbirkenbach:439072c6b13cd9a33de9e93565fe28653ad0239b
Branches Tags
kevinveenbirkenbach:master

3 Commits
286517b127 ... 439072c6b1

Author SHA1 Message Date
Kevin Veen-Birkenbach
439072c6b1 removed deprecated parameter 2025-02-20 11:47:08 +01:00
Kevin Veen-Birkenbach
b2ccc69628 Refactored oidc, solved network bugs and refactored 2025-02-20 11:44:50 +01:00
Kevin Veen-Birkenbach
4dd694c4e2 Optimized design 2025-02-20 10:21:52 +01:00
18 changed files with 76 additions and 94 deletions
Show Stats Expand all files Collapse all files

28
group_vars/all/07_applications.yml
View File

@ -30,7 +30,9 @@ defaults_applications:
## Big Blue Button
bigbluebutton:
enable_greenlight: "true"
setup: false # Set to true in inventory file for initial setup
setup: false # Set to true in inventory file for initial setup
oidc:
enabled: true # Activate OIDC
## Bluesky
bluesky:
@ -47,15 +49,19 @@ defaults_applications:
container: "discourse_application" # Name of the container application
repository: "discourse_repository" # Name of the repository folder
# database_password: # Needs to be defined in inventory file
oidc:
enabled: true # Activate OIDC
## Friendica
friendica:
version: "latest"
oidc:
enabled: true # Activate OIDC. Plugin is not working yet
## Funkwhale
funkwhale:
version: "1.4.0"
ldap_enabled: True # Enables LDAP by default
ldap_enabled: True # Enables LDAP by default
## Gitea
gitea:
@ -107,6 +113,16 @@ defaults_applications:
version: "latest" # Docker Image version
setup: false # Set true in inventory file to execute the setup and initializing procedures
mailu:
oidc:
enabled: true # Activate OIDC for Mailu
domain: "{{primary_domain}}" # The main domain from which mails will be send \ email suffix behind @
# I don't know why the database deactivation is necessary
enable_central_database: False # Deactivate central database for mailu
# secret_key: # Needs to be set in inventory file
# database_password: # Needs to be set in inventory file
# api_token: # Needs to be set in inventory file
## MariaDB
mariadb:
version: "latest"
@ -118,12 +134,16 @@ defaults_applications:
enabled: false # Deactivated atm. @todo implement
# database_password: Null # Needs to be set in inventory file
# auth_token: Null # Needs to be set in inventory file
css:
enabled: false # The css isn't optimized yet for Matomo
## Mastodon
mastodon:
version: "latest"
single_user_mode: false # Set true for initial setup
setup: false # Set true in inventory file to execute the setup and initializing procedures
oidc:
enabled: true # Activate OIDC for Mailu
#
# Check out the README.md of the docker-mastodon role to get detailled instructions about how to setup the credentials
#
@ -171,8 +191,10 @@ defaults_applications:
## Nextcloud
nextcloud:
version: "production" # @see https://nextcloud.com/blog/nextcloud-release-channels-and-how-to-track-them/
ldap_enabled: True # Enables LDAP by default
ldap_enabled: True # Enables LDAP by default, missing ansible setup tasks @todo setup
# database_password: Null # Needs to be set in inventory file
oidc:
enabled: true # Activate OIDC for Nextcloud
## OAuth2 Proxy
oauth2_proxy:

4
group_vars/all/09_ports.yml
View File

@ -55,3 +55,7 @@ ports:
gitlab: 2202
ldaps:
openldap: 636
stun:
bigbluebutton: 3478 # Not sure if it's right placed here or if it should be moved to localhost section
turn:
bigbluebutton: 5349 # Not sure if it's right placed here or if it should be moved to localhost section

7
group_vars/all/10_networks.yml
View File

@ -12,8 +12,8 @@ defaults_networks:
subnet: 192.168.101.16/28
baserow:
subnet: 192.168.101.32/28
bigbluebutton:
subnet: 192.168.101.48/28
# Free:
# subnet: 192.168.101.48/28
bluesky:
subnet: 192.168.101.64/28
friendica:
@ -68,6 +68,7 @@ defaults_networks:
subnet: 192.168.102.192/28
discourse:
subnet: 192.168.102.208/28
bigbluebutton:
subnet: 10.7.7.0/24 # This variable does not have an impact. It's just there for documentation reasons.

1
group_vars/all/11_iam.yml
View File

@ -12,7 +12,6 @@ _oidc_client_realm: "{{ oidc.client.realm if oidc.client is defined and oi
_oidc_client_issuer_url: "https://{{domains.keycloak}}/realms/{{_oidc_client_realm}}"
defaults_oidc:
enabled: true # Enable OIDC functionality for all apps
client:
id: "{{primary_domain}}" # Client identifier, typically matching your primary domain
# secret: # Client secret for authenticating with the OIDC provider (set in the inventory file). Recommend greater then 32 characters

1
group_vars/all/12_storage.yml
View File

@ -1,6 +1,5 @@
## Enable Central Postgress and MariaDB instead of dedicated container per application
enable_central_database: true
enable_central_database_mailu: "{{enable_central_database}}"
## Enable Storage Optimizer for Docker Volumes
enable_system_storage_optimizer: true

9
group_vars/all/13_design.yml
View File

@ -4,15 +4,6 @@ defaults_design:
colors:
# General Colors
base: "#001f3f"
# Sucess Color
success: "#B2D3B2"
# As the warning color a light brown (earth)
warning: "#D2B48C"
# For error messages (standard red)
error: "#DC3545"
# As the info color a very light blue (symbolizing the sky)
info: "#F0F8FF"
filters:
saturation_change: 70
hue_shift: 0

26
group_vars/all/14_service_provider.yml
View File

@ -1,9 +1,9 @@
# Adapt the values in your inventory file
defaults_service_provider:
type: "legal" # Accepted Values: natural, legal
type: "legal" # Accepted Values: natural, legal
company:
titel: "CyMaIS Example GbR"
slogan: "We keep your 0 and 1 in line"
titel: "CyMaIS Example GbR"
slogan: "We keep your 0 and 1 in line"
address:
street: "Binary Avenue 01"
city: "Cybertown"
@ -11,19 +11,19 @@ defaults_service_provider:
country: "Nexusland"
logo: https://cloud.veen.world/s/logo_cymais_512x512/download
platform:
titel: "CyMaIS Plattform Demo"
subtitel: "Demo of the Cyber Master Infrastructur Solution Plattform"
titel: "CyMaIS Plattform Demo"
subtitel: "Demo of the Cyber Master Infrastructur Solution Plattform"
logo: https://cloud.veen.world/s/logo_cymais_512x512/download
favicon: https://cloud.veen.world/s/veen_world_favicon/download
contact:
bluesky: "@{{administrator_username}}.{{domains.bluesky_api}}"
email: "contact@{{primary_domain}}"
mastodon: "@{{administrator_username}}@{{domains.mastodon}}"
matrix: "@{{administrator_username}}:{{domains.matrix_synapse}}"
peertube: "@{{administrator_username}}@{{domains.peertube}}"
pixelfed: "@{{administrator_username}}@{{domains.pixelfed}}"
phone: "+0 000 000 404"
wordpress: "@{{administrator_username}}@{{domains.wordpress[0]}}"
bluesky: "@{{administrator_username}}.{{domains.bluesky_api}}"
email: "contact@{{primary_domain}}"
mastodon: "@{{administrator_username}}@{{domains.mastodon}}"
matrix: "@{{administrator_username}}:{{domains.matrix_synapse}}"
peertube: "@{{administrator_username}}@{{domains.peertube}}"
pixelfed: "@{{administrator_username}}@{{domains.pixelfed}}"
phone: "+0 000 000 404"
wordpress: "@{{administrator_username}}@{{domains.wordpress[0]}}"
legal:
editorial_responsible: "Johannes Gutenberg"
source_code: "https://github.com/kevinveenbirkenbach/cymais"

9
roles/docker-bigbluebutton/templates/env.j2
View File

@ -43,16 +43,17 @@ FSESL_PASSWORD={{bigbluebutton_fsesl_password}}
DOMAIN={{domain}}
EXTERNAL_IPv4={{networks.internet.ip4}}
EXTERNAL_IPv6=
# The following line is not tested and could lead to bugs:
EXTERNAL_IPv6={{networks.internet.ip6}}
# STUN SERVER
# stun.freeswitch.org
STUN_IP={{networks.internet.ip4}}
STUN_PORT=3478
STUN_PORT={{ ports.public.stun[application_id] }}
# TURN SERVER
# uncomment and adjust following two lines to add an external TURN server
TURN_SERVER=turns:{{domain}}:5349?transport=tcp
TURN_SERVER=turns:{{domain}}:{{ ports.public.turn[application_id] }}?transport=tcp
TURN_SECRET={{bigbluebutton_turn_secret}}
# Allowed SIP IPs
@ -282,7 +283,7 @@ HELP_URL=https://docs.bigbluebutton.org/greenlight/gl-overview.html
# approval - For approve/decline registration
DEFAULT_REGISTRATION=invite
{% if oidc.enabled | bool %}
{% if applications[application_id].oidc.enabled | bool %}
### EXTERNAL AUTHENTICATION METHODS
# @See https://docs.bigbluebutton.org/greenlight/v3/external-authentication/
#

2
roles/docker-discourse/templates/discourse_application.yml.j2
View File

@ -112,7 +112,7 @@ run:
## If you want to set the 'From' email address for your first registration, uncomment and change:
## After getting the first signup email, re-comment the line. It only needs to run once.
#- exec: rails r "SiteSetting.notification_email='info@unconfigured.discourse.org'"
{% if oidc.enabled | bool %}
{% if applications[application_id].oidc.enabled | bool %}
# Deactivate Default Login
- exec: rails r "SiteSetting.enable_local_logins = false"
- exec: rails r "SiteSetting.enable_passkeys = false" # https://meta.discourse.org/t/passwordless-login-using-passkeys/285589

2
roles/docker-friendica/vars/main.yml
View File

@ -1,4 +1,4 @@
application_id: "friendica"
database_password: "{{friendica_database_password}}"
database_type: "mariadb"
no_validation: "{{oidc.enabled}}" # Email validation is not neccessary if OIDC is active
no_validation: "{{applications[application_id].oidc.enabled}}" # Email validation is not neccessary if OIDC is active

2
roles/docker-keycloak/templates/import/realm.json.j2
View File

@ -835,7 +835,7 @@
"secret": "{{oidc.client.secret}}",
"redirectUris": [
{%- set redirect_uris = [] -%}
{%- for application, domain in defaults_domains.items() -%}
{%- for application, domain in domains.items() -%}
{%- if applications[application_id] is defined and applications | get_oauth2_enabled(application_id) -%}
{%- if domain is string -%}
{%- set _ = redirect_uris.append("https://" ~ domain ~ "/*") -%}

10
roles/docker-mailu/templates/env.j2
View File

@ -12,7 +12,7 @@
LD_PRELOAD=/usr/lib/libhardened_malloc.so
# Set to a randomly generated 16 bytes string
SECRET_KEY={{mailu_secret_key}}
SECRET_KEY={{applications.mailu.secret_key}}
# Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!)
SUBNET={{networks.local.mailu.subnet}}
@ -118,7 +118,7 @@ WEBSITE=https://{{domain}}
# json-file (default)
# journald (On systemd platforms, useful for Fail2Ban integration)
# syslog (Non systemd platforms, Fail2Ban integration. Disables `docker-compose log` for front!)
# LOG_DRIVER=json-file
LOG_DRIVER=syslog
# docker-compose project name, this will prepended to containers names.
COMPOSE_PROJECT_NAME=mailu
@ -145,20 +145,20 @@ LOG_LEVEL=WARNING
SQLALCHEMY_DATABASE_URI_ROUNDCUBE=mysql://{{database_username}}:{{database_password}}@{{database_host}}/{{database_name}}?collation=utf8mb4_unicode_ci
SQLALCHEMY_DATABASE_URI=mysql+mysqlconnector://{{database_username}}:{{database_password}}@{{database_host}}/{{database_name}}?collation=utf8mb4_unicode_ci
API_TOKEN={{mailu_api_token}}
API_TOKEN={{applications.mailu.api_token}}
# Activated https://mailu.io/master/configuration.html#advanced-settings
AUTH_REQUIRE_TOKENS=True
{% if oidc.enabled | bool %}
{% if applications[application_id].oidc.enabled | bool %}
###################################
# OpenID Connect settings
###################################
# @see https://github.com/heviat/Mailu-OIDC/tree/master
# Enable OpenID Connect. Possible values: True, False
OIDC_ENABLED={{ oidc.enabled | string | capitalize }}
OIDC_ENABLED={{ applications[application_id].oidc.enabled | string | capitalize }}
# OpenID Connect provider configuration URL
OIDC_PROVIDER_INFO_URL={{oidc.client.issuer_url}}
# OpenID redirect URL if HOSTNAME not matching your login url

6
roles/docker-mailu/vars/main.yml
View File

@ -1,5 +1,5 @@
application_id: "mailu"
database_password: "{{mailu_database_password}}"
database_password: "{{applications.mailu.database_password}}"
database_type: "mariadb"
cert_mount_directory: "{{docker_compose.directories.volumes}}certs/"
enable_wildcard_certificate: false
@ -7,8 +7,8 @@ enable_wildcard_certificate: false
# I don't know why this configuration is necessary.
# Propabldy due to a database migration problem, or dificulties to configure an external db in mailu
# @todo research
enable_central_database: "{{enable_central_database_mailu}}"
enable_central_database: "{{applications.mailu.enable_central_database}}"
# Use dedicated source for oidc if activated
# @see https://github.com/heviat/Mailu-OIDC/tree/2024.06
docker_source: "{{ 'ghcr.io/heviat' if oidc.enabled | bool else 'ghcr.io/mailu' }}"
docker_source: "{{ 'ghcr.io/heviat' if applications[application_id].oidc.enabled | bool else 'ghcr.io/mailu' }}"

4
roles/docker-mastodon/templates/env.j2
View File

@ -52,14 +52,14 @@ SMTP_OPENSSL_VERIFY_MODE=none
SMTP_ENABLE_STARTTLS=auto
SMTP_FROM_ADDRESS=Mastodon <{{system_email.from}}>
{% if oidc.enabled | bool %}
{% if applications[application_id].oidc.enabled | bool %}
###################################
# OpenID Connect settings
###################################
# @see https://github.com/mastodon/mastodon/pull/16221
# @see https://stackoverflow.com/questions/72081776/how-mastodon-configured-login-using-sso
OIDC_ENABLED={{ oidc.enabled | string | lower }}
OIDC_ENABLED={{ applications[application_id].oidc.enabled | string | lower }}
OIDC_DISPLAY_NAME="{{primary_domain | upper}} SSO"
OIDC_ISSUER={{oidc.client.issuer_url}}
OIDC_DISCOVERY=true

1
roles/docker-nextcloud/tasks/ldap.yml
View File

@ -1,3 +1,4 @@
# @See https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
# @See https://chatgpt.com/c/67aa2d21-cb4c-800f-b1be-8629b6bd3f55
# @todo implement
#docker compose exec -u www-data application php occ app:enable user_ldap

8
roles/docker-nextcloud/tasks/main.yml
View File

@ -24,8 +24,8 @@
- name: Include OIDC-specific tasks
include_tasks: oidc.yml
when: oidc.enabled | bool
when: applications[application_id].oidc.enabled | bool
#- name: Include LDAP specific tasks
# include_tasks: ldap.yml
# when: ldap.enabled | bool
- name: Include LDAP specific tasks
include_tasks: ldap.yml
when: applications[application_id].ldap_enabled | bool

48
roles/nginx-modifier-css/templates/global.css.j2
View File

@ -14,13 +14,6 @@ HINT:
--color-{{ "%02d"|format(i) }}: {{ design.css.colors.base | adjust_color(target_lightness=(i / 100),saturation_change=design.css.filters.saturation_change,hue_shift=design.css.filters.hue_shift) }};
--color-rgb-{{ "%02d"|format(i) }}: {{ design.css.colors.base | adjust_color_rgb(target_lightness=(i / 100),saturation_change=design.css.filters.saturation_change,hue_shift=design.css.filters.hue_shift) }};
{% endfor %}
/** Special Action Colors **/
--success-color: {{ design.css.colors.success }};
--warning-color: {{ design.css.colors.warning }};
--error-color: {{ design.css.colors.error }};
--info-color: {{ design.css.colors.info }};
}
@media (prefers-color-scheme: dark) {
@ -30,12 +23,6 @@ HINT:
--color-{{ "%02d"|format(i) }}: {{ design.css.colors.base | adjust_color(target_lightness=(1 - (i / 100)),saturation_change=design.css.filters.saturation_change,hue_shift=design.css.filters.hue_shift) }};
--color-rgb-{{ "%02d"|format(i) }}: {{ design.css.colors.base | adjust_color_rgb(target_lightness=(1 - (i / 100)),saturation_change=design.css.filters.saturation_change,hue_shift=design.css.filters.hue_shift) }};
{% endfor %}
/** Special Action Colors **/
--success-color: {{ design.css.colors.success | adjust_color(target_lightness=(1 - 0.2)) }};
--warning-color: {{ design.css.colors.warning | adjust_color(target_lightness=(1 - 0.3)) }};
--error-color: {{ design.css.colors.error | adjust_color(target_lightness=(1 - 0.3)) }};
--info-color: {{ design.css.colors.info | adjust_color(target_lightness=(1 - 0.2)) }};
}
}
@ -62,10 +49,6 @@ HINT:
--bs-secondary: var(--color-65);
--bs-body-bg: var(--color-90);
--bs-body-color: var(--color-40);
--bs-danger: var(--error-color);
--bs-warning: var(--warning-color);
--bs-success: var(--success-color);
--bs-info: var(--info-color);
--bs-link-color: var(--color-50);
--bs-btn-color: var(--color-40);
}
@ -275,8 +258,13 @@ HINT:
--pf-v5-global--icon--Color--dark--light: var(--color-99);
--pf-v5-global--icon--Color--light--dark: var(--color-40);
--pf-v5-global--icon--Color--dark--dark: var(--color-10);
}
/* Additional Keykloak Configuration */
a.pf-v5-c-nav__link{
--pf-v5-c-nav__link--BackgroundColor: rgba(var(--color-rgb-56), 0.4);
}
/* gitea */
:root {
@ -577,26 +565,6 @@ h1, h2, h3, h4, h5, h6, p{
color: var(--color-10) !important;
}
/* Bootstrap */
/* States: Success, Warning, Error, Info (Background and Text Colors) */
.success, .alert-success {
background-color: var(--success-color) !important;
color: var(--color-40) !important;
}
.warning, .alert-warning {
background-color: var(--warning-color) !important;
color: var(--color-40) !important;
}
.error, .alert-danger {
background-color: var(--error-color) !important;
color: var(--color-40) !important;
}
.info, .alert-info {
background-color: var(--info-color) !important;
color: var(--color-40) !important;
}
/* Navigation (Background and Text Colors) */
.navbar, .navbar-light, .navbar-dark {
background-color: var(--color-90) !important;
@ -664,10 +632,6 @@ html.ng-csp header#header{
background-color: var(--color-80) !important;
}
html.ng-csp div#postsetupchecks ul.warnings{
color: var(--error-color) !important;
}
html.ng-csp div#postsetupchecks ul.info{
background-color: transparent !important;
}
@ -733,7 +697,7 @@ section.main.kanban{
}
div.master, div.kanban-header, div.kanban-table-inner, section.kanban button,a.dropdown-project-list-projects{
background-color: var(--info-color) !important;
background-color: var(--color-92) !important;
color: var(--color-40) !important;
}

2
templates/docker/compose/networks.yml.j2
View File

@ -9,7 +9,7 @@ networks:
external: true
{% endif %}
default:
{% if applications[application_id].ldap_enabled is defined and applications[application_id].ldap_enabled | bool and applications.ldap.openldap.network.local | bool %}
{% if application_id in networks.local and networks.local[application_id].subnet is defined %}
driver: bridge
ipam:
driver: default