web-app-taiga: add manage/init flow and idempotent admin bootstrap; fix OIDC config and env quoting

config/main.yml: convert oidc from empty mapping to block; indent flavor under oidc; enable javascript feature.

tasks/main.yml: use path_join for taiga settings; create docker-compose-inits via TAIGA_DOCKER_COMPOSE_INIT_PATH; flush handlers; add idempotent createsuperuser via taiga-manage with async/poll and masked logs.

templates/docker-compose-inits.yml.j2: include compose/container base to inherit env and project settings.

templates/env.j2: quote WEB_PROTOCOL and WEBSOCKET_PROTOCOL.

templates/javascript.js.j2: add SSO warning include.

users/main.yml: add administrator email stub.

vars/main.yml: add js_application_name; restructure OIDC flavor flags; add compose PATH vars; expose TAIGA_SUPERUSER_* vars.

Chat reference: https://chatgpt.com/share/68af7637-225c-800f-b670-2b948f5dea54

group_vars/all/01_modes.yml

@@ -1,10 +1,10 @@
 # Mode
 
 # The following modes can be combined with each other
-MODE_TEST:    false # Executes test routines instead of productive routines
-MODE_UPDATE:  true  # Executes updates
-MODE_BACKUP:  true  # Activates the backup before the update procedure
-MODE_CLEANUP: true  # Cleanup unused files and configurations
-MODE_DEBUG:   false # This enables debugging in ansible and in the apps, You SHOULD NOT enable this on production servers
-MODE_RESET:   false # Cleans up all Infinito.Nexus files. It's necessary to run to whole playbook and not particial roles when using this function.
-MODE_ASSERT:  false # Executes validation tasks during the run.
+MODE_TEST:    false               # Executes test routines instead of productive routines
+MODE_UPDATE:  true                # Executes updates
+MODE_DEBUG:   false               # This enables debugging in ansible and in the apps, You SHOULD NOT enable this on production servers
+MODE_RESET:   false               # Cleans up all Infinito.Nexus files. It's necessary to run to whole playbook and not particial roles when using this function.
+MODE_BACKUP:  "{{ MODE_UPDATE }}" # Activates the backup before the update procedure
+MODE_CLEANUP: "{{ MODE_DEBUG }}"  # Cleanup unused files and configurations
+MODE_ASSERT:  "{{ MODE_DEBUG }}"  # Executes validation tasks during the run.

roles/web-app-espocrm/config/main.yml

@@ -18,7 +18,7 @@ server:
         unsafe-eval:    true
     whitelist:
       connect-src:
-        - {{ WEBSOCKET_PROTOCOL }}://espocrm.{{ PRIMARY_DOMAIN }}
+        - "{{ WEBSOCKET_PROTOCOL }}://espocrm.{{ PRIMARY_DOMAIN }}"
         - "data:"
       frame-src:
         - https://s.espocrm.com/

roles/web-app-taiga/config/main.yml

@@ -1,10 +1,10 @@
-oidc: {}
+oidc:
     # Taiga doesn't have a functioning oidc support at the moment
     # See
     # - https://community.taiga.io/t/taiga-and-oidc-plugin/4866
     #
     # Due to this reason this plutin is deactivated atm
-flavor:               'taigaio' # Potential flavors: robrotheram, taigaio
+  flavor:             'taigaio' # Potential flavors: robrotheram, taigaio
 features:
   matomo:             true
   css:                true
@@ -12,6 +12,7 @@ features:
   oidc:               false
   central_database:   true
   logout:             true
+  javascript:         true
 docker:
   services:
     database:

roles/web-app-taiga/tasks/main.yml

@@ -2,18 +2,46 @@
 - name: "load docker, db and proxy for {{ application_id }}"
   include_role: 
     name: cmp-db-docker-proxy
+  vars:
+    docker_compose_flush_handlers: false
 
 - name: "copy templates {{ TAIGA_SETTING_FILES }} for taiga-contrib-oidc-auth"
   template:
     src:  "taiga/{{item}}.py.j2"
-    dest: "{{ docker_compose.directories.config }}taiga-{{item}}.py"
+    dest: "{{ [ docker_compose.directories.config, 'taiga-' ~ item ~ '.py'] | path_join }}"
   when:   TAIGA_TAIGAIO_ENABLED | bool
   notify: docker compose up
   loop:   "{{ TAIGA_SETTING_FILES }}"
 
-- name: "create {{ TAIGA_DOCKER_COMPOSE_INIT }}"
+- name: "create {{ TAIGA_DOCKER_COMPOSE_INIT_PATH }}"
   template:
     src:  "docker-compose-inits.yml.j2"
-    dest:  "{{ TAIGA_DOCKER_COMPOSE_INIT }}"
+    dest:  "{{ TAIGA_DOCKER_COMPOSE_INIT_PATH }}"
   notify: docker compose up
 
+- name: "Flush Taiga handlers"
+  meta: flush_handlers
+
+- name: "Create Taiga admin user (idempotent)"
+  command: >
+    docker compose
+    -f {{ TAIGA_DOCKER_COMPOSE_PATH }}
+    -f {{ TAIGA_DOCKER_COMPOSE_INIT_PATH }}
+    run --rm taiga-manage
+    createsuperuser --noinput
+    --username {{ TAIGA_SUPERUSER_NAME }}
+    --email {{ TAIGA_SUPERUSER_EMAIL }}
+  environment:
+    DJANGO_SUPERUSER_PASSWORD: "{{ TAIGA_SUPERUSER_PASSWORD }}"
+  args:
+    chdir: "{{ docker_compose.directories.instance }}"
+  register: taiga_create_admin
+  changed_when: taiga_create_admin.rc == 0
+  failed_when: >
+    taiga_create_admin.rc != 0 and
+    ('already taken' not in (taiga_create_admin.stdout + taiga_create_admin.stderr) | lower) and
+    ('already exists' not in (taiga_create_admin.stdout + taiga_create_admin.stderr) | lower) and
+    ('integrityerror' not in (taiga_create_admin.stdout + taiga_create_admin.stderr) | lower)
+  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
+  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"

roles/web-app-taiga/templates/docker-compose-inits.yml.j2

@@ -1,5 +1,6 @@
-services:
+{% include 'roles/docker-compose/templates/base.yml.j2' %}
   taiga-manage:
+{% include 'roles/docker-container/templates/base.yml.j2' %}
     image: taigaio/taiga-back:latest
     environment:
       CELERY_ENABLED: "False"

roles/web-app-taiga/templates/env.j2

@@ -1,9 +1,9 @@
 # Taiga's URLs - Variables to define where Taiga should be served
-TAIGA_SITES_SCHEME  =   {{ WEB_PROTOCOL }}         # serve Taiga using "http" or "https" (secured) connection
+TAIGA_SITES_SCHEME  =   "{{ WEB_PROTOCOL }}"         # serve Taiga using "http" or "https" (secured) connection
 TAIGA_SITES_DOMAIN  =   "{{ domains | get_domain(application_id) }}"   # Taiga's base URL
   
 TAIGA_SUBPATH       =   ""  # it'll be appended to the TAIGA_DOMAIN (use either "" or a "/subpath")
-WEBSOCKETS_SCHEME   =   {{ WEBSOCKET_PROTOCOL }} # events connection protocol (use either "ws" or "wss")
+WEBSOCKETS_SCHEME   =   "{{ WEBSOCKET_PROTOCOL }}" # events connection protocol (use either "ws" or "wss")
 
 # Taiga's Secret Key - Variable to provide cryptographic signing
 TAIGA_SECRET_KEY    =   "{{ applications | get_app_conf(application_id, 'credentials.secret_key') }}"

roles/web-app-taiga/templates/javascript.js.j2

@@ -0,0 +1 @@
+{% include 'templates/roles/web-app/templates/javascripts/sso_warning.js.j2' %}

roles/web-app-taiga/users/main.yml

@@ -0,0 +1,3 @@
+users:
+  administrator:
+    email:                "administrator@{{ PRIMARY_DOMAIN }}"

roles/web-app-taiga/vars/main.yml

@@ -1,24 +1,27 @@
 # General
 application_id:             "web-app-taiga"
 database_type:              "postgres"
+js_application_name:        "Taiga"
 
 # Docker
 docker_repository_address:  "https://github.com/taigaio/taiga-docker"
 docker_pull_git_repository: true
 
-# Taiga
-TAIGA_OIDC_ENABLED:           "{{ applications | get_app_conf(application_id, 'features.oidc') }}"
-TAIGA_FLAVOR_ROBROTHERAM:     "{{ applications | get_app_conf(application_id, 'oidc.flavor') == 'robrotheram' }}"
-TAIGA_ROBROTHERAM_ENABLED:    "{{ TAIGA_OIDC_ENABLED and TAIGA_FLAVOR_ROBROTHERAM }}"
-TAIGA_FLAVOR_TAIGAIO:         "{{ applications | get_app_conf(application_id, 'oidc.flavor') == 'taigaio' }}"
-TAIGA_TAIGAIO_ENABLED:        "{{ TAIGA_OIDC_ENABLED and TAIGA_FLAVOR_TAIGAIO }}"
-TAIGA_EMAIL_BACKEND:          "{{ 'smtp' if SYSTEM_EMAIL.SMTP else 'console' }}"  ## use an SMTP server or display the emails in the console (either "smtp" or "console")
-TAIGA_DOCKER_COMPOSE_INIT:    "{{ [ docker_compose.directories.instance,'docker-compose-inits.yml.j2' ] | path_join }}"
-TAIGA_DOCKER_IMAGE_BACKEND:   "{{ 'robrotheram/taiga-back-openid' if TAIGA_ROBROTHERAM_ENABLED else 'taigaio/taiga-back' }}"
-TAIGA_DOCKER_IMAGE_FRONTEND:  "{{ 'robrotheram/taiga-front-openid' if TAIGA_ROBROTHERAM_ENABLED else 'taigaio/taiga-front' }}"
-TAIGA_FRONTEND_CONF_PATH:     "{{ [ docker_compose.directories.config,'conf.json' ] | path_join }}"
-TAIGA_SETTING_FILES:
-- urls
-- local
-
-TAIGA_VERSION:   "{{ applications | get_app_conf(application_id, 'docker.services.taiga.version') }}"
+# Taiga      
+TAIGA_OIDC_ENABLED:             "{{ applications | get_app_conf(application_id, 'features.oidc') }}"
+TAIGA_OIDC_FLAVOR:              "{{ applications | get_app_conf(application_id, 'oidc.flavor') }}"
+TAIGA_FLAVOR_ROBROTHERAM:       "{{ TAIGA_OIDC_FLAVOR == 'robrotheram' }}"
+TAIGA_ROBROTHERAM_ENABLED:      "{{ TAIGA_OIDC_ENABLED and TAIGA_FLAVOR_ROBROTHERAM }}"
+TAIGA_FLAVOR_TAIGAIO:           "{{ TAIGA_OIDC_FLAVOR == 'taigaio' }}"
+TAIGA_TAIGAIO_ENABLED:          "{{ TAIGA_OIDC_ENABLED and TAIGA_FLAVOR_TAIGAIO }}"
+TAIGA_EMAIL_BACKEND:            "{{ 'smtp' if SYSTEM_EMAIL.SMTP else 'console' }}"  ## use an SMTP server or display the emails in the console (either "smtp" or "console")
+TAIGA_DOCKER_COMPOSE_INIT_PATH: "{{ [ docker_compose.directories.instance,'docker-compose-inits.yml' ] | path_join }}"
+TAIGA_DOCKER_COMPOSE_PATH:      "{{ [ docker_compose.directories.instance,'docker-compose.yml' ] | path_join }}"
+TAIGA_DOCKER_IMAGE_BACKEND:     "{{ 'robrotheram/taiga-back-openid' if TAIGA_ROBROTHERAM_ENABLED else 'taigaio/taiga-back' }}"
+TAIGA_DOCKER_IMAGE_FRONTEND:    "{{ 'robrotheram/taiga-front-openid' if TAIGA_ROBROTHERAM_ENABLED else 'taigaio/taiga-front' }}"
+TAIGA_FRONTEND_CONF_PATH:       "{{ [ docker_compose.directories.config,'conf.json' ] | path_join }}"
+TAIGA_VERSION:                  "{{ applications | get_app_conf(application_id, 'docker.services.taiga.version') }}"
+TAIGA_SUPERUSER_NAME:           "{{ users.administrator.username }}"
+TAIGA_SUPERUSER_PASSWORD:       "{{ users.administrator.password }}"
+TAIGA_SUPERUSER_EMAIL:          "{{ users.administrator.email }}"
+TAIGA_SETTING_FILES:            ['urls','local']