Added role cleanup-docker-anonymous-volumes

group_vars/all/07_applications.yml

@@ -105,14 +105,14 @@ defaults_applications:
 
   ## Discourse:
   discourse:
-    network:              "discourse_default"                               # Name of the docker network
-    container:            "discourse_application"                           # Name of the container application
-    repository:           "discourse_repository"                            # Name of the repository folder
+    network:                      "discourse_default"                       # Name of the docker network
+    container:                    "discourse_application"                   # Name of the container application
+    repository:                   "discourse_repository"                    # Name of the repository folder
     # database_password:                                                    # Needs to be defined in inventory file
     oidc:
-      enabled:            true                                              # Activate OIDC
+      enabled:                    true                                      # Activate OIDC
     database:
-      central_storage:    True                                              # Activate Central Database Storage
+      central_storage:            True                                      # Activate Central Database Storage
     matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
     css_enabled:                  "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
     landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"  # Enables\Disables the possibility to embed this on landing page via iframe
@@ -131,7 +131,7 @@ defaults_applications:
 
   ## Friendica
   friendica:
-    version:              "latest"
+    version:                 "latest"
     oidc:
       enabled:               true                                           # Activate OIDC. Plugin is not working yet
     database:
@@ -267,6 +267,8 @@ defaults_applications:
     setup:                            false                                       # Set true in inventory file to execute the setup and initializing procedures
     oidc:
       enabled:                        true                                        # Activate OIDC for Mailu
+      email_by_username:              true                                        # If true, then the mail is set by the username. If wrong then the OIDC user email is used
+      enable_user_creation:           true                                        # Users will be created if not existing
     domain:                           "{{primary_domain}}"                        # The main domain from which mails will be send \ email suffix behind @
     # I don't know why the database deactivation is necessary
     database:
@@ -276,9 +278,9 @@ defaults_applications:
 #     database_password:                                                          # Needs to be set in inventory file
 #     api_token:                                                                  # Configures the authentication token. The minimum length is 3 characters. This is a mandatory setting for using the RESTful API.
 #     initial_administrator_password:                                             # Initial administrator password for setup 
-    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"           # Enables\Disables Matomo Tracking
-    css_enabled:                  "{{css_enabled_default}}"                       # Enables\Disables Global CSS Style
-    landingpage_iframe_enabled:   true                                            # Default enabled because working well in iframe
+    matomo_tracking_enabled:          "{{matomo_tracking_enabled_default}}"       # Enables\Disables Matomo Tracking
+    css_enabled:                      "{{css_enabled_default}}"                   # Enables\Disables Global CSS Style
+    landingpage_iframe_enabled:       true                                        # Default enabled because working well in iframe
 
   ## MariaDB
   mariadb:
@@ -718,7 +720,7 @@ defaults_applications:
     # - https://community.taiga.io/t/taiga-and-oidc-plugin/4866
     #
     # Due to this reason this plutin is deactivated atm
-      enabled:                    False                                     # De\Activate OIDC for Taiga
+      enabled:                    True                                     # De\Activate OIDC for Taiga
                                                                             
 
   ## YOURLS

group_vars/all/11_iam.yml

@@ -24,6 +24,10 @@ defaults_oidc:
     logout_url:           "{{_oidc_client_issuer_url}}/protocol/openid-connect/logout"      # Endpoint to log out the user
     change_credentials:   "{{_oidc_client_issuer_url}}account/account-security/signing-in"  # URL for managing or changing user credentials
   button_text:            "SSO Login({{primary_domain | upper}})"                           # Default button text
+  attributes:
+    # Attribut to identify the user
+    username:             "preferred_username"
+
 #############################################
 ### LDAP                                  ###
 #############################################

roles/cleanup-docker-anonymous-volumes/README.md

@@ -0,0 +1,20 @@
+# Cleanup Docker Anonymous Volumes
+
+## Description
+
+This Ansible role installs and executes [`dockreap`](https://github.com/kevinveenbirkenbach/docker-volume-cleaner), a tool designed to clean up unused anonymous Docker volumes (including symlinks and their targets) to maintain a tidy Docker environment.
+
+## Overview
+
+The role installs the tool via [`pkgmgr`](https://github.com/kevinveenbirkenbach/package-manager) using the `dockreap` alias and runs it with the `--no-confirmation` flag to ensure automatic, non-interactive cleanup.
+
+## Purpose
+
+This role is intended to automate the removal of orphaned Docker volumes that consume unnecessary disk space. It is especially useful in backup, CI/CD, or maintenance routines.
+
+## Features
+
+- **Automated Cleanup:** Runs `dockreap --no-confirmation` to clean up unused anonymous volumes.
+- **pkgmgr Integration:** Installs the tool via Kevin’s package manager (`pkgmgr`).
+- **Idempotent Execution:** Ensures the tool is installed and run only once per playbook run.
+- **Symlink-Aware:** Safely handles symlinked `_data` directories and their targets.

roles/cleanup-docker-anonymous-volumes/meta/main.yml

@@ -0,0 +1,28 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Install and run dockreap to clean up unused anonymous Docker volumes"
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Linux
+      versions:
+        - all
+  galaxy_tags:
+    - docker
+    - cleanup
+    - automation
+    - maintenance
+    - volumes
+    - pkgmgr
+  repository: "https://github.com/kevinveenbirkenbach/docker-volume-cleaner"
+  issue_tracker_url: "https://github.com/kevinveenbirkenbach/docker-volume-cleaner/issues"
+  documentation: "https://github.com/kevinveenbirkenbach/docker-volume-cleaner#readme"
+
+dependencies:
+  - package-manager

roles/cleanup-docker-anonymous-volumes/tasks/main.yml

@@ -0,0 +1,14 @@
+- name: install dockreap
+  command:
+    cmd: "pkgmgr install dockreap"
+  when: run_once_cleanup_docker_anonymous_volumes is not defined
+
+- name: run dockreap with --no-confirmation
+  command:
+    cmd: "dockreap --no-confirmation"
+  when: run_once_cleanup_docker_anonymous_volumes is not defined
+
+- name: mark dockreap as run
+  set_fact:
+    run_once_cleanup_docker_anonymous_volumes: true
+  when: run_once_cleanup_docker_anonymous_volumes is not defined

roles/docker-bigbluebutton/handlers/main.yml

@@ -62,8 +62,9 @@
         greenlight:
         redis:
         coturn:
-        #freeswitch:
+        freeswitch:
         bigbluebutton:
+        mediasoup
     marker: "# {mark} ANSIBLE MANAGED BLOCK FOR VOLUMES"
     insertbefore: "^services:"
   listen: setup bigbluebutton

roles/docker-keycloak/templates/import/realm.json.j2

@@ -1499,7 +1499,7 @@
             "user.attribute": "username",
             "id.token.claim": "true",
             "access.token.claim": "true",
-            "claim.name": "preferred_username",
+            "claim.name": "{{oidc.attributes.username}}",
             "jsonType.label": "String"
           }
         },

roles/docker-mailu/templates/env.j2

@@ -159,20 +159,38 @@ AUTH_REQUIRE_TOKENS=True
 
 # Enable OpenID Connect. Possible values: True, False
 OIDC_ENABLED={{ applications[application_id].oidc.enabled | string | capitalize }}
+
 # OpenID Connect provider configuration URL
 OIDC_PROVIDER_INFO_URL={{oidc.client.issuer_url}}
-# OpenID redirect URL if HOSTNAME not matching your login url
-OIDC_REDIRECT_URL=https://{{domains[application_id]}}
+
+
 # OpenID Connect Client ID for Mailu
 OIDC_CLIENT_ID={{oidc.client.id}}
+
 # OpenID Connect Client secret for Mailu
 OIDC_CLIENT_SECRET={{oidc.client.secret}}
+
 # Label text for OpenID Connect login button. Default: OpenID Connect
-OIDC_BUTTON_NAME=OpenID Connect
+OIDC_BUTTON_NAME={{oidc.button_text}}
+
 # Disable TLS certificate verification for the OIDC client. Possible values: True, False
 OIDC_VERIFY_SSL=True
+
 # Enable redirect to OIDC provider for password change. Possible values: True, False
 OIDC_CHANGE_PASSWORD_REDIRECT_ENABLED=True
+
 # Redirect URL for password change. Defaults to provider issuer url appended by /.well-known/change-password
 OIDC_CHANGE_PASSWORD_REDIRECT_URL={{oidc.client.change_credentials}}
+
+{% if applications[application_id].oidc.enabled | bool %}
+
+# The OIDC claim used as the username. If the selected claim contains an email address, it will be used as is. If it is not an email (e.g., sub), the email address will be constructed as <OIDC_USERNAME_CLAIM>@<OIDC_USER_DOMAIN>. Defaults to email.
+OIDC_USERNAME_CLAIM={{oidc.attributes.username}}
+
+# The domain used when constructing an email from a non-email username (e.g., when OIDC_USERNAME_CLAIM=sub). Ignored if OIDC_USERNAME_CLAIM is already an email. Defaults to the value of DOMAIN.
+OIDC_USER_DOMAIN={{primary_domain}}
+{% endif %}
+
+# If enabled, users who authenticate successfully but do not yet have an account will have one created for them. If disabled, only existing users can log in, and authentication will fail for users without a pre-existing account. Defaults to True.
+OIDC_ENABLE_USER_CREATION={{ applications[application_id].oidc.enable_user_creation | string | capitalize }}
 {% endif %}

roles/docker-mastodon/templates/env.j2

@@ -64,12 +64,14 @@ OIDC_DISPLAY_NAME="{{oidc.button_text}}"
 OIDC_ISSUER={{oidc.client.issuer_url}}
 OIDC_DISCOVERY=true
 OIDC_SCOPE="openid,profile,email"
-OIDC_UID_FIELD=preferred_username                       # @see https://stackoverflow.com/questions/72108087/how-to-set-the-username-of-mastodon-by-log-in-via-keycloak
+# @see https://stackoverflow.com/questions/72108087/how-to-set-the-username-of-mastodon-by-log-in-via-keycloak
+OIDC_UID_FIELD={{oidc.attributes.username}}
 OIDC_CLIENT_ID={{oidc.client.id}}
 OIDC_REDIRECT_URI=https://{{domains[application_id]}}/auth/auth/openid_connect/callback
 OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
 OIDC_CLIENT_SECRET={{oidc.client.secret}}
-OMNIAUTH_ONLY=true                                      # uncomment to only use OIDC for login / registration buttons
+# uncomment to only use OIDC for login / registration buttons
+OMNIAUTH_ONLY=true
 ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH=true
 ONE_CLICK_SSO_LOGIN=true
 {% endif %}

roles/docker-matrix-compose/templates/synapse/homeserver.yaml.j2

@@ -56,7 +56,7 @@ oidc_providers:
     scopes: ["openid", "profile"]
     user_mapping_provider:
       config:
-        localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"
+        localpart_template: "{% raw %}{{ user.{% endraw %}{{oidc.attributes.username}} {% raw %}}}{% endraw %}"
         display_name_template: "{% raw %}{{ user.name }}{% endraw %}"
     backchannel_logout_enabled: true
 {% endif %}

roles/docker-nextcloud/templates/config/oidc.config.php.j2

@@ -102,7 +102,7 @@ return array (
         'mail' => 'email',
         'quota' => 'nextcloudQuota',
         # 'home' => 'homeDirectory',    # Not implemented yet
-        'ldap_uid' => 'preferred_username',
+        'ldap_uid' => '{{oidc.attributes.username}}',
         # 'groups' => 'ownCloudGroups', # Not implemented yet
         # 'login_filter' => 'realm_access_roles',
     //    'photoURL' => 'picture',

roles/docker-openproject/tasks/ldap.yml

@@ -1,7 +1,24 @@
-- name: "Create LDAP auth source"
+- name: Load LDAP configuration variables
+  include_vars:
+    file: "ldap.yml"
+
+- name: Check if LDAP source exists
   community.postgresql.postgresql_query:
-    db: openproject
-    login_user: postgres
+    db: "{{ database_name }}"
+    login_user: "{{ database_username }}"
+    login_password: "{{ database_password }}"
+    login_host: "127.0.0.1"
+    login_port: "{{ database_port }}"
+    query: "SELECT 1 FROM ldap_auth_sources WHERE name = '{{ openproject_ldap.name }}' LIMIT 1;"
+  register: ldap_check
+
+- name: Create LDAP auth source if it doesn't exist
+  community.postgresql.postgresql_query:
+    db: "{{ database_name }}"
+    login_user: "{{ database_username }}"
+    login_password: "{{ database_password }}"
+    login_host: "127.0.0.1"
+    login_port: "{{ database_port }}"
     query: >
       INSERT INTO ldap_auth_sources
       (name, host, port, account, account_password, base_dn, attr_login,
@@ -26,11 +43,8 @@
         '{{ openproject_ldap.filter_string }}',
         {{ openproject_ldap.verify_peer }},
         '{{ openproject_ldap.tls_certificate_string }}'
-      )
-      ON CONFLICT (name) DO NOTHING;
-  become: true
-  vars_files:
-    - vars/ldap.yml
+      );
+  when: ldap_check.query_result | length == 0
 
 - name: "Check existing LDAP sources"
   community.postgresql.postgresql_query:

roles/docker-openproject/tasks/main.yml

@@ -57,7 +57,7 @@
     command: >
       bash -c "cd /app &&
       {{ rails_env }} {{ rails_cmd }} 'Setting[:{{ item.key }}] = {{ item.value | to_json }}'"
-  loop: "{{ openproject_settings | dict2items }}"
+  loop: "{{ openproject_rails_settings | dict2items }}"
 
 - name: Setup LDAP
   include_tasks: ldap.yml

roles/docker-openproject/vars/main.yml

@@ -8,3 +8,11 @@ custom_openproject_image:     "custom_openproject"
 
 # The following volume doesn't have a practcical function. It just exist to prevent the creation of unnecessary anonymous volumes
 dummy_volume:                 "{{docker_compose.directories.volumes}}dummy_volume"
+
+openproject_rails_settings:
+  email_delivery_method:  "smtp"
+  smtp_address:           "{{ system_email.host }}"
+  smtp_domain:            "{{ system_email.domain }}"
+  smtp_user_name:         "{{ system_email.username }}"
+  smtp_password:          "{{ system_email.password }}"
+  smtp_ssl:               false

roles/docker-openproject/vars/settings.yml

@@ -1,7 +0,0 @@
-openproject_settings:
-  email_delivery_method:  "smtp"
-  smtp_address:           "{{ system_email.host }}"
-  smtp_domain:            "{{ system_email.domain }}"
-  smtp_user_name:         "{{ system_email.username }}"
-  smtp_password:          "{{ system_email.password }}"
-  smtp_ssl:               false

roles/docker-taiga/templates/env.j2

@@ -57,11 +57,15 @@ OPENID_TOKEN_URL="{{oidc.client.token_url}}"
 OPENID_CLIENT_ID="{{oidc.client.id}}"
 OPENID_CLIENT_SECRET="{{oidc.client.secret}}"
 OPENID_NAME="{{oidc.button_text}}"
+OPENID_USERNAME_FIELD="{{oidc.attributes.username}}"
+
 # Default Values
-#
 # OPENID_ID_FIELD="sub"
-# OPENID_USERNAME_FIELD="preferred_username"
 # OPENID_FULLNAME_FIELD="name"
 # OPENID_EMAIL_FIELD="email"
 # OPENID_SCOPE="openid email"
+
+# The following are optional fields to configure filtering users based on the openid-userinfo. A common use case is to allow only specific roles or groups to log into taiga. OPENID_FILTER_FIELD is the name of the claim that's present in the UserInfo. The field is expected to be a list of strings. OPENID_FILTER is the allowed values, comma seperated.
+#OPENID_FILTER = "taiga_users,taiga_admins"
+#OPENID_FILTER_FIELD = "groups"
 {% endif %}

roles/nginx-modifier-css/templates/global.css.j2

@@ -1168,7 +1168,7 @@ section.kanban h1, section.kanban h2{
 }
 
 input.ng-empty::placeholder,.ng-empty::placeholder  {
-  color: rgba(var(--color-rgb-03),0.6); /* Beispiel: roter Platzhaltertext */
+  color: rgba(var(--color-rgb-03),0.6);
 }
 
 .lightbox {
@@ -1180,6 +1180,10 @@ input.ng-empty::placeholder,.ng-empty::placeholder  {
     border-color: var(--color-70);
 }
 
+.discover-header {
+    background: none;
+}
+
 /* Portfolio */ 
 .card-img-top i {
     filter: drop-shadow(4px 4px 4px rgba(var(--color-rgb-23), 0.6));

tasks/destructor.yml

@@ -2,3 +2,9 @@
   include_role:
     name: system-storage-optimizer
   when: "(path_mass_storage is defined or path_rapid_storage is defined) and enable_system_storage_optimizer | bool and (docker_enabled is defined and docker_enabled | bool) "
+
+- name: Cleanup Docker Anonymous Volumes
+  import_role:
+    name: cleanup-docker-anonymous-volumes
+  when: mode_cleanup | bool
+