2025-06-25 19:55:31 +02:00
30 changed files with 85 additions and 343 deletions
--- a/group_vars/all/03_domains.yml
+++ b/group_vars/all/03_domains.yml
@ -55,9 +55,8 @@ defaults_redirect_domain_mappings:
 - { source: "funkwhale.{{primary_domain}}",   target: "{{domains.funkwhale}}" }
 - { source: "gitea.{{primary_domain}}",       target: "{{domains.gitea}}" }
 - { source: "keycloak.{{primary_domain}}",    target: "{{domains.keycloak}}" }
 - { source: "lam.{{primary_domain}}",         target: "{{domains.ldap}}" }
 - { source: "listmonk.{{primary_domain}}",    target: "{{domains.listmonk}}" }
- { source: "mailu.{{primary_domain}}",       target: "{{domains.mailu}}" }
+- { source: "mailu.{{primary_domain}}",        target: "{{domains.mailu}}" }
 - { source: "moodle.{{primary_domain}}",      target: "{{domains.moodle}}" }
 - { source: "nextcloud.{{primary_domain}}",   target: "{{domains.nextcloud}}" }
 - { source: "openproject.{{primary_domain}}", target: "{{domains.openproject}}" }
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
@ -15,7 +15,6 @@ _applications_nextcloud_ldap_enabled: "{{ applications.nextcloud.ldap.enabled |
 _applications_nextcloud_oidc_enabled: "{{ applications.nextcloud.oidc.enabled | default(true) }}"
 _applications_nextcloud_oidc_flavor:  "{{ applications.nextcloud.oidc.flavor | default('oidc_login' if _applications_nextcloud_ldap_enabled else 'sociallogin') }}"
 # applications
 defaults_applications:
@ -76,7 +75,6 @@ defaults_applications:
 #      turn_secret:                                                         # Needs to be defined in inventory file  
    urls:
      api:                        "https://{{domains.bigbluebutton}}/bigbluebutton/"  # API Address used by Nextcloud Integration
  ## Bluesky
  bluesky:
    users:
@ -607,22 +605,22 @@ defaults_applications:
  ## Open Project
  openproject:
-    version:                    "13"                                      # Update when available. Sadly no rolling release implemented
+    version:              "13"                                              # Update when available. Sadly no rolling release implemented
    oauth2_proxy:  
-      enabled:                  true                                      # OpenProject doesn't support OIDC, so this procy in combination with LDAP is needed
+      enabled:            true                                              # OpenProject doesn't support OIDC, so this procy in combination with LDAP is needed
-      application:              "proxy"
+      application:        "proxy"
-      port:                     "80"
+      port:               "80"
-#     cookie_secret:            None                                      # Set via openssl rand -hex 16
+#     cookie_secret:      None                                              # Set via openssl rand -hex 16
    ldap:
-      enabled:                  True                                      # Enables LDAP by default
+      enabled:            True                                              # Enables LDAP by default
-      filters:
+    database:
-        administrators:         True                                      # Set true to filter administrators
+      central_storage:    True                                              # Activate Central Database Storage
-        users:                  False                                     # Set true to filter users
+    css:
-    database:                                                                               
+      enabled:            false                                             # Temporary deactivated due to bugs
-      central_storage:          True                                      # Activate Central Database Storage
+                                                                            # @todo Solve and reactivate
-    matomo_tracking_enabled:    "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
+    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
-    css_enabled:                "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
+    css_enabled:                  "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
-    landingpage_iframe_enabled: "{{landingpage_iframe_enabled_default}}"  # Enables\Disables the possibility to embed this on landing page via iframe
+    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"  # Enables\Disables the possibility to embed this on landing page via iframe
  ## Peertube
  peertube:
@ -636,17 +634,15 @@ defaults_applications:
  ## PgAdmin
  pgadmin:
    version:                     "latest"
    server_mode:                 False                                          # If true then the preconfigured database file is loaded. Recommended False. True is a security risk.
    master_password_required:    True                                           # Master password is required. Recommended True. False is a security risk.
    users:
      administrator:
        email:                   "{{ users.administrator.email }}"              # Initial login email address
        password:                "{{ users.administrator.initial_password }}"   # Initial login password – should be overridden in inventory for security
    oauth2_proxy:
-      enabled:                    true                                          # Enable OAuth2 proxy for authentication
+      enabled:                    true                                           # Enable OAuth2 proxy for authentication
      application:                "application"
      port:                       "80"
-#     cookie_secret:              None                                          # Set via: openssl rand -hex 16
+#     cookie_secret:              None                                           # Set via: openssl rand -hex 16
    database:
      central_storage:            True                                          # Uses central PostgreSQL database
    matomo_tracking_enabled:      "{{ matomo_tracking_enabled_default }}"       # Enables/Disables Matomo Tracking
--- a/roles/docker-ldap/Installation.md
+++ b/roles/docker-ldap/Installation.md
@ -27,9 +27,3 @@ EOF
 ```
 ### Verifiy that MemberOf is activated and loaded
 ```bash
 docker exec -it openldap sh -c 'ls -l /opt/bitnami/openldap/lib/openldap/memberof.*'
 docker exec -it openldap ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(&(objectClass=olcOverlayConfig)(olcOverlay=memberof))'
 ```
--- a/roles/docker-ldap/tasks/lam.yml
+++ b/roles/docker-ldap/tasks/lam.yml
@ -1,33 +0,0 @@
 - name: "load lam variables"
  include_vars:
    file: lam.yml
 - name: "Ensure LAM profiles directory exists"
  file:
    path: "{{ lam_profiles_dir }}"
    state: directory
    mode: '0755'
    recurse: true
 #- name: "create {{docker_compose.directories.env}}lam.env"
 #  template: 
 #    src:  "lam/env.j2" 
 #    dest: "{{docker_compose.directories.env}}lam.env"
 #    mode: '770'
 #    force: yes
 #  notify: docker compose project setup
 #
 #- name: "create default.group to enable groupOfNames in LAM"
 #  template:
 #    src: "lam/default.group.j2"
 #    dest: "{{ lam_profiles_dir }}/default.group"
 #    mode: '0644'
 #  notify: docker compose project setup
 #
 #- name: "Create groupOfNames.conf to enable groupOfNames as base module in LAM"
 #  template:
 #    src: "lam/groupOfNames.conf.j2"
 #    dest: "{{ lam_profiles_dir }}/groupOfNames.conf"
 #    mode: '0644'
--- a/roles/docker-ldap/tasks/main.yml
+++ b/roles/docker-ldap/tasks/main.yml
@ -39,8 +39,13 @@
  notify: docker compose project setup
  when: applications.ldap.webinterface == 'phpldapadmin'
- name: "execute lam tasks"
+- name: "create {{docker_compose.directories.env}}lam.env"
-  include_tasks: lam.yml
+  template: 
    src:  "lam.env.j2" 
    dest: "{{docker_compose.directories.env}}lam.env"
    mode: '770'
    force: yes
  notify: docker compose project setup
  when: applications.ldap.webinterface == 'lam'
 - name: "copy docker-compose.yml and env file"
--- a/roles/docker-ldap/templates/docker-compose.yml.j2
+++ b/roles/docker-ldap/templates/docker-compose.yml.j2
@ -8,13 +8,11 @@ services:
      driver: journald
    restart: {{docker_restart_policy}}
 {% if applications.ldap.webinterface == 'lam' %}
-    image: ghcr.io/ldapaccountmanager/lam:{{applications.ldap.lam.version}}
+    image: ghcr.io/ldapaccountmanager/lam:{{applications.ldap.lam.version}}      # Dies ist das Docker-Image für LAM
    ports:
      - 127.0.0.1:{{ports.localhost.http.ldap}}:80 
    env_file:
      - "{{docker_compose.directories.env}}lam.env"
 #    volumes:
 #      - "{{ lam_profiles_dir }}:/var/lib/ldap-account-manager/config/profiles/"
 {% elif applications.ldap.webinterface == 'phpldapadmin' %}
    image: leenooks/phpldapadmin:{{applications.ldap.phpldapadmin.version}}
@ -36,13 +34,11 @@ services:
      - '{{ldif_host_path}}:{{ldif_docker_path}}:ro'                      # Mounting all ldif files for import
    healthcheck:
      test: >
-        bash -c '
+        ldapsearch -x -H ldap://localhost:{{ldap_docker_port}} -b "{{ldap.dn.root}}" -D "{{ldap.dn.administrator}}" -w "{{ldap.bind_credential}}"
-        ldapsearch -x -H ldap://localhost:{{ ldap_docker_port }} \
+      interval: 30s
-          -D "{{ ldap.dn.administrator }}" -w "{{ ldap.bind_credential }}" -b "{{ ldap.dn.root }}" > /dev/null \
+      timeout: 10s
-        && ldapsearch -Y EXTERNAL -H ldapi:/// \
+      retries: 3
-          -b cn=config "(&(objectClass=olcOverlayConfig)(olcOverlay=memberof))" \
+      start_period: 20s
        | grep "olcOverlay:" | grep -q "memberof"
        '
 {% include 'templates/docker/container/networks.yml.j2' %}
 {% include 'templates/docker/compose/volumes.yml.j2' %}
--- a/roles/docker-ldap/templates/lam.env.j2
+++ b/roles/docker-ldap/templates/lam.env.j2
--- a/roles/docker-ldap/templates/lam/default.group.j2
+++ b/roles/docker-ldap/templates/lam/default.group.j2
@ -1 +0,0 @@
 Modules: groupOfNames
--- a/roles/docker-ldap/templates/lam/groupOfNames.conf.j2
+++ b/roles/docker-ldap/templates/lam/groupOfNames.conf.j2
@ -1,5 +0,0 @@
 type: group
 module: groupOfNames
 cn: cn
 description: description
 member: member
--- a/roles/docker-ldap/vars/lam.yml
+++ b/roles/docker-ldap/vars/lam.yml
@ -1 +0,0 @@
 lam_profiles_dir: "{{ docker_compose.directories.volumes }}lam/config/profiles/"
--- a/roles/docker-ldap/vars/main.yml
+++ b/roles/docker-ldap/vars/main.yml
@ -1,12 +1,12 @@
-application_id:               "ldap"
+application_id:       "ldap"
-ldaps_docker_port:            636
+ldaps_docker_port:    636
-ldap_docker_port:             389
+ldap_docker_port:     389
-enable_wildcard_certificate:  false # Deactivate Wildcard Certificate
+enable_wildcard_certificate:  false # Deactivate dedicated Certificate
-ldif_host_path:               "{{docker_compose.directories.volumes}}ldif/"
+ldif_host_path:             "{{docker_compose.directories.volumes}}ldif/"
-ldif_docker_path:             "/tmp/ldif/"
+ldif_docker_path:           "/tmp/ldif/"
-ldap.dn.application_roles:    "ou=application_roles,{{ldap.dn.root}}"
+ldap.dn.application_roles:  "ou=application_roles,{{ldap.dn.root}}"
 ldif_types:
  - configuration
  - data
--- a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
+++ b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
@ -16,5 +16,4 @@ provider_display_name   =   "Keycloak"
 # role restrictions
 #cookie_roles           =   "realm_access.roles"
-#allowed_groups           =   "{{applications.oauth2_proxy.allowed_roles}}"           # This is not correct here. needs to be placed in applications @todo move there when implementing
+allowed_roles           =   "{{applications.oauth2_proxy.allowed_roles}}"           # This is not correct here. needs to be placed in applications @todo move there when implementing
 # @see https://chatgpt.com/share/67f42607-bf68-800f-b587-bd56fe9067b5
--- a/roles/docker-openproject/vars/ldap.yml
+++ b/roles/docker-openproject/vars/ldap.yml
@ -1,17 +1,17 @@
 openproject_ldap:
-  name:                   "{{ primary_domain }}"                     # Display name for the LDAP connection in OpenProject
+  name:                 "{{ primary_domain }}"                         # Display name for the LDAP connection in OpenProject
-  host:                   "{{ ldap.server.domain }}"                 # LDAP server address
+  host:                 "{{ ldap.server.domain }}"                     # LDAP server address
-  port:                   "{{ ldap.server.port }}"                   # LDAP server port (typically 389 or 636)
+  port:                 "{{ ldap.server.port }}"                       # LDAP server port (typically 389 or 636)
-  account:                "{{ ldap.dn.administrator }}"              # Bind DN (used for authentication)
+  account:              "{{ ldap.dn.administrator }}"                  # Bind DN (used for authentication)
-  account_password:       "{{ ldap.bind_credential }}"               # Bind password
+  account_password:     "{{ ldap.bind_credential }}"                   # Bind password
-  base_dn:                "{{ ldap.dn.users }}"                      # Base DN for user search
+  base_dn:              "{{ ldap.dn.users }}"                          # Base DN for user search
-  attr_login:             "{{ ldap.attributes.user_id }}"            # LDAP attribute used for login
+  attr_login:           "{{ ldap.attributes.user_id | default('uid') }}" # LDAP attribute used for login
-  attr_firstname:         "givenName"                                # LDAP attribute for first name
+  attr_firstname:       "givenName"                                    # LDAP attribute for first name
-  attr_lastname:          "sn"                                       # LDAP attribute for last name
+  attr_lastname:        "sn"                                           # LDAP attribute for last name
-  attr_mail:              "mail"                                     # LDAP attribute for email
+  attr_mail:            "mail"                                         # LDAP attribute for email
-  attr_admin:             "{{ openproject_filters.administrators }}" # Optional: LDAP attribute for admin group (leave empty if unused)
+  attr_admin:           ""                                             # Optional: LDAP attribute for admin group (leave empty if unused)
-  onthefly_register:      true                                       # Automatically create users on first login
+  onthefly_register:    true                                           # Automatically create users on first login
-  tls_mode:               0                                          # 0 = No TLS, 1 = TLS, 2 = STARTTLS
+  tls_mode:             0                                              # 0 = No TLS, 1 = TLS, 2 = STARTTLS
-  verify_peer:            false                                      # Whether to verify the SSL certificate
+  verify_peer:          false                                          # Whether to verify the SSL certificate
-  filter_string:          "{{ openproject_filters.users }}"          # Optional: Custom filter for users (e.g., "(objectClass=person)")
+  filter_string:        ""                                             # Optional: Custom filter for users (e.g., "(objectClass=person)")
-  tls_certificate_string: ""                                         # Optional: Client certificate string for TLS (usually left empty)
+  tls_certificate_string: ""                                          # Optional: Client certificate string for TLS (usually left empty)
--- a/roles/docker-openproject/vars/main.yml
+++ b/roles/docker-openproject/vars/main.yml
@ -1,6 +1,6 @@
 application_id:               "openproject"
 docker_repository_address:    "https://github.com/opf/openproject-deploy"
-database_password:            "{{ applications[application_id].credentials.database_password }}"
+database_password:            "{{applications[application_id].credentials.database_password}}"
 database_type:                "postgres"
 openproject_plugins_service:  "{{docker_compose.directories.services}}plugins/"
@ -10,18 +10,9 @@ custom_openproject_image:     "custom_openproject"
 dummy_volume:                 "{{docker_compose.directories.volumes}}dummy_volume"
 openproject_rails_settings:
-  email_delivery_method:      "smtp"
+  email_delivery_method:  "smtp"
-  smtp_address:               "{{ system_email.host }}"
+  smtp_address:           "{{ system_email.host }}"
-  smtp_domain:                "{{ system_email.domain }}"
+  smtp_domain:            "{{ system_email.domain }}"
-  smtp_user_name:             "{{ system_email.username }}"
+  smtp_user_name:         "{{ system_email.username }}"
-  smtp_password:              "{{ system_email.password }}"
+  smtp_password:          "{{ system_email.password }}"
-  smtp_ssl:                   false
+  smtp_ssl:               false
 openproject_filters:
  administrators: >-
    {{ '(memberOf=cn=openproject-admins,' ~ ldap.dn.application_roles ~ ')' 
       if applications[application_id].ldap.filters.administrators else '' }}
  users: >-
    {{ '(memberOf=cn=openproject-users,' ~ ldap.dn.application_roles ~ ')' 
       if applications[application_id].ldap.filters.users else '' }}
--- a/roles/docker-pgadmin/tasks/configuration.yml
+++ b/roles/docker-pgadmin/tasks/configuration.yml
@ -1,22 +0,0 @@
 - name: "load variables from {{ database_var_file }}"
  include_vars: "{{ database_var_file }}"
 - name: "loading database configuration variables"
  include_vars:
    file: "{{ role_path }}/vars/configuration.yml"
 - name: "Render servers.json file"
  template:
    src: servers.json.j2
    dest: "{{ pgadmin_host_server_file }}"
    mode: "0644"
  notify: docker compose project setup
 - name: "Render .pgpass file"
  template:
    src: pgpass.j2
    dest: "{{ pgadmin_host_password_file }}"
    owner: "{{ pgadmin_user }}"
    group: "{{ pgadmin_group }}"
    mode: "0600"
  notify: docker compose project setup
--- a/roles/docker-pgadmin/tasks/main.yml
+++ b/roles/docker-pgadmin/tasks/main.yml
@ -10,9 +10,5 @@
    domain:     "{{ domains[application_id] }}"
    http_port:  "{{ ports.localhost.http[application_id] }}"
 - name: "configure pgadmin servers"
  include_tasks: configuration.yml
  when: applications[application_id].server_mode | bool
 - name: "copy docker-compose.yml and env file"
  include_tasks: copy-docker-compose-and-env.yml
--- a/roles/docker-pgadmin/templates/docker-compose.yml.j2
+++ b/roles/docker-pgadmin/templates/docker-compose.yml.j2
@ -3,7 +3,7 @@ services:
 {% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %}
  application:
-    image: dpage/pgadmin4:{{applications[application_id].version}}
+    image: dpage/pgadmin4:{{applications.pgadmin.version}}
    container_name: pgadmin
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
    ports:
@ -15,14 +15,5 @@ services:
      interval: 30s
      timeout: 10s
      retries: 3
    volumes:
      - "data:/var/lib/pgadmin"
 {% if applications[application_id].server_mode | bool %}
      - "{{ pgadmin_host_server_file }}:{{ pgadmin_docker_server_file }}"
      - "{{ pgadmin_host_password_file }}:{{ pgadmin_docker_password_file }}"
 {% endif %}
 {% include 'templates/docker/compose/volumes.yml.j2' %}
  data:
 {% include 'templates/docker/compose/networks.yml.j2' %}
--- a/roles/docker-pgadmin/templates/env.j2
+++ b/roles/docker-pgadmin/templates/env.j2
@ -1,21 +1,5 @@
 # Configuration @see https://www.pgadmin.org/docs/pgadmin4/latest/container_deployment.html
 # Disable postfix integration (not needed in containerized environments)
 PGADMIN_DISABLE_POSTFIX=True
 # Default login email for server mode
 PGADMIN_DEFAULT_EMAIL={{ applications[application_id].users.administrator.email }}
 # Default login password for server mode
 PGADMIN_DEFAULT_PASSWORD={{ applications[application_id].users.administrator.password }}
-
+PGADMIN_DISABLE_POSTFIX=True
 {% if applications[application_id].server_mode | bool %}
 # Load server connection settings from this JSON file
 PGADMIN_SERVER_JSON_FILE={{ pgadmin_docker_server_file }}
 # Enable desktop (single-user) mode
 PGADMIN_CONFIG_SERVER_MODE=False
 # Disable master password prompt for stored credentials
 PGADMIN_CONFIG_MASTER_PASSWORD_REQUIRED={{ applications[application_id].master_password_required | capitalize }}
 {% endif %}
--- a/roles/docker-pgadmin/templates/pgpass.j2
+++ b/roles/docker-pgadmin/templates/pgpass.j2
@ -1,3 +0,0 @@
 {% for server in pgadmin_servers %}
 {{ server.host }}:{{ server.port }}:*:{{ server.username }}:{{ server.password }}
 {% endfor %}
--- a/roles/docker-pgadmin/templates/servers.json.j2
+++ b/roles/docker-pgadmin/templates/servers.json.j2
@ -1,16 +0,0 @@
 {
  "Servers": {
    {% for server in pgadmin_servers %}
    "{{ loop.index }}": {
      "Name": "{{ server.name }}",
      "Group": "Servers",
      "Host": "{{ server.host }}",
      "Port": {{ server.port }},
      "MaintenanceDB": "{{ server.maintenance_db }}",
      "Username": "{{ server.username }}",
      "SSLMode": "prefer",
      "PassFile": "/pgpass"
    }{% if not loop.last %},{% endif %}
    {% endfor %}
  }
 }
--- a/roles/docker-pgadmin/vars/configuration.yml
+++ b/roles/docker-pgadmin/vars/configuration.yml
@ -1,14 +0,0 @@
 pgadmin_host_server_file:     "{{docker_compose.directories.volumes}}servers.json"
 pgadmin_docker_server_file:   "/pgadmin4/servers.json"
 pgadmin_host_password_file:   "{{docker_compose.directories.volumes}}.pgpass"
 pgadmin_docker_password_file: "/pgpass"
 pgadmin_servers:
  - name:           "Central Postgres Database"
    host:           "{{ database_host }}"
    port:           "{{ database_port }}"
    username:       "postgres"
    maintenance_db: "postgres"
    password:       "{{ central_postgres_password }}"
 # Here you can add more databases 
--- a/roles/docker-pgadmin/vars/main.yml
+++ b/roles/docker-pgadmin/vars/main.yml
@ -1,6 +1,3 @@
-application_id:               "pgadmin"
+application_id:       "pgadmin"
-database_type:                "postgres"
+database_type:        "postgres"
-database_host:                "{{ 'central-' + database_type if applications[application_id].database.central_storage }}"
+database_host:        "{{ 'central-' + database_type if applications[application_id].database.central_storage }}"
 database_var_file:            "{{playbook_dir}}/roles/docker-central-database/vars/database.yml"
 pgadmin_user:                 5050
 pgadmin_group:                "{{pgadmin_user}}"
--- a/roles/docker-snipe_it/templates/env.j2
+++ b/roles/docker-snipe_it/templates/env.j2
@ -49,14 +49,14 @@ DB_SSL_VERIFY_SERVER=null
 # REQUIRED: OUTGOING MAIL SERVER SETTINGS
 # --------------------------------------------
 MAIL_MAILER             =   smtp
-MAIL_HOST               =   {{system_email.host}}               # SMTP server address
+MAIL_HOST               =   {{system_email.host}}                       # SMTP server address
-MAIL_PORT               =   {{system_email.port}}               # SMTP server address
+MAIL_PORT               =   {{system_email.port}}                       # SMTP server address
-MAIL_USERNAME           =   {{system_email.username}}           # user to connect the SMTP server
+MAIL_USERNAME           =   {{system_email.username}}                   # user to connect the SMTP server
-MAIL_PASSWORD           =   {{system_email.password}}           # SMTP user's password
+MAIL_PASSWORD           =   {{system_email.password}}                   # SMTP user's password
-MAIL_TLS_VERIFY_PEER    =   {{ system_email.tls | capitalize }} # use TLS (secure) connection with the SMTP server
+MAIL_TLS_VERIFY_PEER    =   {{ system_email.tls | lower | capitalize }} # use TLS (secure) connection with the SMTP server
-MAIL_FROM_ADDR          =   {{system_email.from}}               # default email address for the automated emails
+MAIL_FROM_ADDR          =   {{system_email.from}}                       # default email address for the automated emails
 MAIL_FROM_NAME          =   'Snipe-IT'
-MAIL_REPLYTO_ADDR       =   {{system_email.from}}               # default email address for the automated emails
+MAIL_REPLYTO_ADDR       =   {{system_email.from}}                       # default email address for the automated emails
 MAIL_REPLYTO_NAME       =   'Snipe-IT'
 MAIL_AUTO_EMBED_METHOD  =   'attachment'
--- a/roles/docker-taiga/Development.md
+++ b/roles/docker-taiga/Development.md
@ -1,4 +1,4 @@
-# Development Notes
+# Development 
 ## Build front container
@ -12,26 +12,4 @@ Verify front configuration:
 ```bash
 docker compose exec -it taiga-front cat /usr/share/nginx/html/conf.json
 ```
 Verify the backend configuration:
 ```bash
 docker compose exec -it taiga-back cat /taiga-back/settings/local.py
 ```
 ## Additional Configuration for plugin
 ```bash
 # ENABLE_OPENID Plugin
 ENABLE_OPENID = os.getenv('ENABLE_OPENID', 'False') == 'True'
 if ENABLE_OPENID:
    INSTALLED_APPS += [
        "taiga_contrib_openid_auth"
    ]
    OPENID_USER_URL = os.getenv('OPENID_USER_URL')
    OPENID_TOKEN_URL = os.getenv('OPENID_TOKEN_URL')
    OPENID_CLIENT_ID = os.getenv('OPENID_CLIENT_ID')
    OPENID_CLIENT_SECRET = os.getenv('OPENID_CLIENT_SECRET')
    OPENID_SCOPE = os.getenv('OPENID_SCOPE')
    OPENID_FILTER = os.getenv('OPENID_FILTER')
    OPENID_FILTER_FIELD = os.getenv('OPENID_FILTER_FIELD')
 ```
--- a/roles/docker-taiga/README.md
+++ b/roles/docker-taiga/README.md
@ -34,9 +34,7 @@ By using this role, teams can set up Taiga in minutes on Arch Linux systems —
 ## Features
 - 🐳 **Docker-Based Deployment:** Easy containerized setup of backend, frontend, async workers, and events service.
- 🔐 **OIDC (Single Sign-On):** Supported via:
+- 🔐 **OIDC (Single Sign-On):** Supported via [taiga-contrib-openid-auth (robrotheram)](https://github.com/robrotheram/taiga-contrib-openid-auth)
    - [taiga-contrib-openid-auth (robrotheram)](https://github.com/robrotheram/taiga-contrib-openid-auth)
    - [taiga-contrib-oidc-auth (official)](https://github.com/taigaio/taiga-contrib-oidc-auth)
 - 📨 **Email Backend:** Supports SMTP and console backends for development.
 - 🔁 **Async & Realtime Events:** Includes RabbitMQ and support for Taiga’s event system.
 - 🌐 **Reverse Proxy Ready:** Integrates with Nginx using the `nginx-domain-setup` role.
--- a/roles/docker-taiga/tasks/main.yml
+++ b/roles/docker-taiga/tasks/main.yml
@ -14,12 +14,6 @@
  include_role: 
    name: docker-repository-setup
 - name: "template local.py for taiga-contrib-oidc-auth"
  template:
    src: taiga/local.py.j2
    dest: "{{ docker_compose.directories.config }}taiga-local.py"
  when: applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'taigaio'
 - name: "create {{docker_compose_init}}"
  template:
    src:	"docker-compose-inits.yml.j2"
--- a/roles/docker-taiga/templates/docker-compose.yml.j2
+++ b/roles/docker-taiga/templates/docker-compose.yml.j2
@ -8,13 +8,6 @@ services:
      - static-data:/taiga-back/static
      - media-data:/taiga-back/media
      # - ./config.py:/taiga-back/settings/config.py
 {% if applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'taigaio' %}
      - {{ docker_compose.directories.config }}taiga-local.py:/taiga-back/settings/local.py:ro
 {% endif %}
 {% include 'templates/docker/container/networks.yml.j2' %}
      taiga:
 {% include 'templates/docker/container/depends-on-also-database.yml.j2' %}
@ -22,15 +15,6 @@ services:
        condition: service_started
      taiga-async-rabbitmq:
        condition: service_started
 {% if applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'taigaio' %}
    command: >
      /bin/sh -c "
        pip install taiga-contrib-oidc-auth &&
        /taiga-back/docker/entrypoint.sh"
 {% endif %}
  taiga-async:
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
@ -41,13 +25,6 @@ services:
      - static-data:/taiga-back/static
      - media-data:/taiga-back/media
      # - ./config.py:/taiga-back/settings/config.py
 {% if applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'taigaio' %}
      - {{ docker_compose.directories.config }}taiga-local.py:/taiga-back/settings/local.py:ro
 {% endif %}
 {% include 'templates/docker/container/networks.yml.j2' %}
      taiga:
 {% include 'templates/docker/container/depends-on-also-database.yml.j2' %}
@ -55,14 +32,6 @@ services:
        condition: service_started
      taiga-async-rabbitmq:
        condition: service_started
 {% if applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'taigaio' %}
    command: >
      /bin/sh -c "
        pip install taiga-contrib-oidc-auth &&
        /taiga-back/docker/entrypoint.sh"
 {% endif %}
  taiga-async-rabbitmq:
    image: rabbitmq:3.8-management-alpine
--- a/roles/docker-taiga/templates/env.j2
+++ b/roles/docker-taiga/templates/env.j2
@ -26,7 +26,7 @@ EMAIL_BACKEND:      =   "django.core.mail.backends.{{email_backend}}.EmailBacken
 DEFAULT_FROM_EMAIL  =   "{{system_email.from}}"
 # EMAIL_USE_TLS/EMAIL_USE_SSL are mutually exclusive (only set one of those to True)
-EMAIL_USE_TLS   =   "{{ system_email.tls | capitalize }}"         # use TLS (secure) connection with the SMTP server
+EMAIL_USE_TLS   =   "{{ system_email.tls | lower | capitalize }}"         # use TLS (secure) connection with the SMTP server
 EMAIL_USE_SSL   =   "{{ 'False' if system_email.start_tls else 'True' }}" # use implicit TLS (secure) connection with the SMTP server
 RABBITMQ_USER=taiga
@ -48,30 +48,8 @@ MAX_AGE             =   360
 ENABLE_TELEMETRY    =   True
 {% if applications[application_id].oidc.enabled %}
-
+# OICD 
-{% if applications[application_id].oidc.flavor == 'taigaio' %}
+# @See https://github.com/robrotheram/taiga-contrib-openid-auth
 # OIDC via taigaio official contrib
 # @See https://github.com/taigaio/taiga-contrib-oidc-auth
 ENABLE_OIDC=True
 OIDC_RP_CLIENT_ID="{{ oidc.client.id }}"
 OIDC_RP_CLIENT_SECRET="{{ oidc.client.secret }}"
 OIDC_OP_AUTHORIZATION_ENDPOINT="{{ oidc.client.authorize_url }}"
 OIDC_OP_TOKEN_ENDPOINT="{{ oidc.client.token_url }}"
 OIDC_OP_USER_ENDPOINT="{{ oidc.client.user_info_url }}"
 OIDC_RP_SIGN_ALGO="RS256"
 OIDC_RP_SCOPES="openid profile email"
 OIDC_USE_STATE=True
 OIDC_USE_NONCE=True
 OIDC_RP_CALLBACK_URL="{{ oidc.client.redirect_uri | default('') }}"
 OIDC_OP_JWKS_ENDPOINT="{{ oidc.client.jwks_url | default('') }}"
 {% endif %}
 {% if applications[application_id].oidc.flavor == 'robrotheram' %}
 # OIDC via robrotheram
 # @see https://github.com/robrotheram/taiga-contrib-openid-auth
 ENABLE_OPENID=True
 OPENID_URL="{{oidc.client.authorize_url}}"
 OPENID_USER_URL="{{oidc.client.user_info_url}}"
@ -80,14 +58,14 @@ OPENID_CLIENT_ID="{{oidc.client.id}}"
 OPENID_CLIENT_SECRET="{{oidc.client.secret}}"
 OPENID_NAME="{{oidc.button_text}}"
 OPENID_USERNAME_FIELD="{{oidc.attributes.username}}"
-# Optional:
+
 # Default Values
 # OPENID_ID_FIELD="sub"
 # OPENID_FULLNAME_FIELD="name"
 # OPENID_EMAIL_FIELD="email"
 # OPENID_SCOPE="openid email"
 # OPENID_FILTER = "taiga_users,taiga_admins"
 # OPENID_FILTER_FIELD = "groups"
 {% endif %}
 # The following are optional fields to configure filtering users based on the openid-userinfo. A common use case is to allow only specific roles or groups to log into taiga. OPENID_FILTER_FIELD is the name of the claim that's present in the UserInfo. The field is expected to be a list of strings. OPENID_FILTER is the allowed values, comma seperated.
 #OPENID_FILTER = "taiga_users,taiga_admins"
 #OPENID_FILTER_FIELD = "groups"
 {% endif %}
--- a/roles/docker-taiga/templates/local.py.j2
+++ b/roles/docker-taiga/templates/local.py.j2
@ -1,24 +0,0 @@
 INSTALLED_APPS += [
    "mozilla_django_oidc",
    "taiga_contrib_oidc_auth",
 ]
 AUTHENTICATION_BACKENDS = list(AUTHENTICATION_BACKENDS) + [
    "taiga_contrib_oidc_auth.oidc.TaigaOIDCAuthenticationBackend",
 ]
 ROOT_URLCONF = "settings.urls"
 OIDC_CALLBACK_CLASS = "taiga_contrib_oidc_auth.views.TaigaOIDCAuthenticationCallbackView"
 OIDC_RP_SCOPES = "openid profile email"
 OIDC_RP_SIGN_ALGO = "RS256"
 OIDC_BASE_URL = "{{ oidc.base_url }}"
 OIDC_OP_JWKS_ENDPOINT = OIDC_BASE_URL + "/Jwks"
 OIDC_OP_AUTHORIZATION_ENDPOINT = OIDC_BASE_URL + "/Authorization"
 OIDC_OP_TOKEN_ENDPOINT = OIDC_BASE_URL + "/Token"
 OIDC_OP_USER_ENDPOINT = OIDC_BASE_URL + "/UserInfo"
 import os
 OIDC_RP_CLIENT_ID = os.getenv("OIDC_RP_CLIENT_ID")
 OIDC_RP_CLIENT_SECRET = os.getenv("OIDC_RP_CLIENT_SECRET")
--- a/roles/docker-taiga/vars/main.yml
+++ b/roles/docker-taiga/vars/main.yml
@ -4,10 +4,6 @@ database_password:          "{{taiga_database_password}}"
 docker_repository_address:  "https://github.com/taigaio/taiga-docker"
 email_backend:              "smtp"                                      ## use an SMTP server or display the emails in the console (either "smtp" or "console")
 docker_compose_init:        "{{docker_compose.directories.instance}}docker-compose-inits.yml.j2"
-taiga_image_backend: >-
+taiga_image_backend:        "{{ 'robrotheram/taiga-back-openid' if applications[application_id].oidc.enabled else 'taigaio/taiga-back' }}"
-  {{ 'robrotheram/taiga-back-openid' if applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'robrotheram'
+taiga_image_frontend:       "{{ 'robrotheram/taiga-front-openid' if applications[application_id].oidc.enabled else 'taigaio/taiga-front' }}"
     else 'taigaio/taiga-back' }}
 taiga_image_frontend: >-
  {{ 'robrotheram/taiga-front-openid' if applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'robrotheram'
     else 'taigaio/taiga-front' }}
 taiga_frontend_conf_path:   "{{docker_compose.directories.config}}conf.json"
		`@ -1 +0,0 @@`
			`lam_profiles_dir: "{{ docker_compose.directories.volumes }}lam/config/profiles/"`