2025-06-25 19:55:31 +02:00
30 changed files with 85 additions and 343 deletions
--- a/group_vars/all/03_domains.yml
+++ b/group_vars/all/03_domains.yml
@ -55,7 +55,6 @@ defaults_redirect_domain_mappings:
 - { source: "funkwhale.{{primary_domain}}",   target: "{{domains.funkwhale}}" }
 - { source: "gitea.{{primary_domain}}",       target: "{{domains.gitea}}" }
 - { source: "keycloak.{{primary_domain}}",    target: "{{domains.keycloak}}" }
- { source: "lam.{{primary_domain}}",         target: "{{domains.ldap}}" }
 - { source: "listmonk.{{primary_domain}}",    target: "{{domains.listmonk}}" }
 - { source: "mailu.{{primary_domain}}",        target: "{{domains.mailu}}" }
 - { source: "moodle.{{primary_domain}}",      target: "{{domains.moodle}}" }
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
@ -15,7 +15,6 @@ _applications_nextcloud_ldap_enabled: "{{ applications.nextcloud.ldap.enabled |
 _applications_nextcloud_oidc_enabled: "{{ applications.nextcloud.oidc.enabled | default(true) }}"
 _applications_nextcloud_oidc_flavor:  "{{ applications.nextcloud.oidc.flavor | default('oidc_login' if _applications_nextcloud_ldap_enabled else 'sociallogin') }}"

-# applications

 defaults_applications:

@ -76,7 +75,6 @@ defaults_applications:
 #      turn_secret:                                                         # Needs to be defined in inventory file  
    urls:
      api:                        "https://{{domains.bigbluebutton}}/bigbluebutton/"  # API Address used by Nextcloud Integration
-
  ## Bluesky
  bluesky:
    users:
@ -615,11 +613,11 @@ defaults_applications:
 #     cookie_secret:      None                                              # Set via openssl rand -hex 16
    ldap:
      enabled:            True                                              # Enables LDAP by default
-      filters:
-        administrators:         True                                      # Set true to filter administrators
-        users:                  False                                     # Set true to filter users
    database:
      central_storage:    True                                              # Activate Central Database Storage
+    css:
+      enabled:            false                                             # Temporary deactivated due to bugs
+                                                                            # @todo Solve and reactivate
    matomo_tracking_enabled:      "{{matomo_tracking_enabled_default}}"     # Enables\Disables Matomo Tracking
    css_enabled:                  "{{css_enabled_default}}"                 # Enables\Disables Global CSS Style
    landingpage_iframe_enabled:   "{{landingpage_iframe_enabled_default}}"  # Enables\Disables the possibility to embed this on landing page via iframe
@ -636,8 +634,6 @@ defaults_applications:
  ## PgAdmin
  pgadmin:
    version:                     "latest"
-    server_mode:                 False                                          # If true then the preconfigured database file is loaded. Recommended False. True is a security risk.
-    master_password_required:    True                                           # Master password is required. Recommended True. False is a security risk.
    users:
      administrator:
        email:                   "{{ users.administrator.email }}"              # Initial login email address
--- a/roles/docker-ldap/Installation.md
+++ b/roles/docker-ldap/Installation.md
@ -27,9 +27,3 @@ EOF


 ```
-
-### Verifiy that MemberOf is activated and loaded
-```bash
-docker exec -it openldap sh -c 'ls -l /opt/bitnami/openldap/lib/openldap/memberof.*'
-docker exec -it openldap ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(&(objectClass=olcOverlayConfig)(olcOverlay=memberof))'
-```
--- a/roles/docker-ldap/tasks/lam.yml
+++ b/roles/docker-ldap/tasks/lam.yml
@ -1,33 +0,0 @@
- name: "load lam variables"
-  include_vars:
-    file: lam.yml
-
- name: "Ensure LAM profiles directory exists"
-  file:
-    path: "{{ lam_profiles_dir }}"
-    state: directory
-    mode: '0755'
-    recurse: true
-
-#- name: "create {{docker_compose.directories.env}}lam.env"
-#  template: 
-#    src:  "lam/env.j2" 
-#    dest: "{{docker_compose.directories.env}}lam.env"
-#    mode: '770'
-#    force: yes
-#  notify: docker compose project setup
-#
-#- name: "create default.group to enable groupOfNames in LAM"
-#  template:
-#    src: "lam/default.group.j2"
-#    dest: "{{ lam_profiles_dir }}/default.group"
-#    mode: '0644'
-#  notify: docker compose project setup
-#
-#- name: "Create groupOfNames.conf to enable groupOfNames as base module in LAM"
-#  template:
-#    src: "lam/groupOfNames.conf.j2"
-#    dest: "{{ lam_profiles_dir }}/groupOfNames.conf"
-#    mode: '0644'
-
-
--- a/roles/docker-ldap/tasks/main.yml
+++ b/roles/docker-ldap/tasks/main.yml
@ -39,8 +39,13 @@
  notify: docker compose project setup
  when: applications.ldap.webinterface == 'phpldapadmin'
  
- name: "execute lam tasks"
-  include_tasks: lam.yml
+- name: "create {{docker_compose.directories.env}}lam.env"
+  template: 
+    src:  "lam.env.j2" 
+    dest: "{{docker_compose.directories.env}}lam.env"
+    mode: '770'
+    force: yes
+  notify: docker compose project setup
  when: applications.ldap.webinterface == 'lam'

 - name: "copy docker-compose.yml and env file"
--- a/roles/docker-ldap/templates/docker-compose.yml.j2
+++ b/roles/docker-ldap/templates/docker-compose.yml.j2
@ -8,13 +8,11 @@ services:
      driver: journald
    restart: {{docker_restart_policy}}
 {% if applications.ldap.webinterface == 'lam' %}
-    image: ghcr.io/ldapaccountmanager/lam:{{applications.ldap.lam.version}}
+    image: ghcr.io/ldapaccountmanager/lam:{{applications.ldap.lam.version}}      # Dies ist das Docker-Image für LAM
    ports:
      - 127.0.0.1:{{ports.localhost.http.ldap}}:80 
    env_file:
      - "{{docker_compose.directories.env}}lam.env"
-#    volumes:
-#      - "{{ lam_profiles_dir }}:/var/lib/ldap-account-manager/config/profiles/"

 {% elif applications.ldap.webinterface == 'phpldapadmin' %}
    image: leenooks/phpldapadmin:{{applications.ldap.phpldapadmin.version}}
@ -36,13 +34,11 @@ services:
      - '{{ldif_host_path}}:{{ldif_docker_path}}:ro'                      # Mounting all ldif files for import
    healthcheck:
      test: >
-        bash -c '
-        ldapsearch -x -H ldap://localhost:{{ ldap_docker_port }} \
-          -D "{{ ldap.dn.administrator }}" -w "{{ ldap.bind_credential }}" -b "{{ ldap.dn.root }}" > /dev/null \
-        && ldapsearch -Y EXTERNAL -H ldapi:/// \
-          -b cn=config "(&(objectClass=olcOverlayConfig)(olcOverlay=memberof))" \
-        | grep "olcOverlay:" | grep -q "memberof"
-        '
+        ldapsearch -x -H ldap://localhost:{{ldap_docker_port}} -b "{{ldap.dn.root}}" -D "{{ldap.dn.administrator}}" -w "{{ldap.bind_credential}}"
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 20s
 {% include 'templates/docker/container/networks.yml.j2' %}

 {% include 'templates/docker/compose/volumes.yml.j2' %}
--- a/roles/docker-ldap/templates/lam.env.j2
+++ b/roles/docker-ldap/templates/lam.env.j2
--- a/roles/docker-ldap/templates/lam/default.group.j2
+++ b/roles/docker-ldap/templates/lam/default.group.j2
@ -1 +0,0 @@
-Modules: groupOfNames
--- a/roles/docker-ldap/templates/lam/groupOfNames.conf.j2
+++ b/roles/docker-ldap/templates/lam/groupOfNames.conf.j2
@ -1,5 +0,0 @@
-type: group
-module: groupOfNames
-cn: cn
-description: description
-member: member
--- a/roles/docker-ldap/vars/lam.yml
+++ b/roles/docker-ldap/vars/lam.yml
@ -1 +0,0 @@
-lam_profiles_dir: "{{ docker_compose.directories.volumes }}lam/config/profiles/"
--- a/roles/docker-ldap/vars/main.yml
+++ b/roles/docker-ldap/vars/main.yml
@ -2,7 +2,7 @@ application_id:               "ldap"
 ldaps_docker_port:    636
 ldap_docker_port:     389

-enable_wildcard_certificate:  false # Deactivate Wildcard Certificate
+enable_wildcard_certificate:  false # Deactivate dedicated Certificate

 ldif_host_path:             "{{docker_compose.directories.volumes}}ldif/"
 ldif_docker_path:           "/tmp/ldif/"
--- a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
+++ b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
@ -16,5 +16,4 @@ provider_display_name   =   "Keycloak"

 # role restrictions
 #cookie_roles           =   "realm_access.roles"
-#allowed_groups           =   "{{applications.oauth2_proxy.allowed_roles}}"           # This is not correct here. needs to be placed in applications @todo move there when implementing
-# @see https://chatgpt.com/share/67f42607-bf68-800f-b587-bd56fe9067b5
+allowed_roles           =   "{{applications.oauth2_proxy.allowed_roles}}"           # This is not correct here. needs to be placed in applications @todo move there when implementing
--- a/roles/docker-openproject/vars/ldap.yml
+++ b/roles/docker-openproject/vars/ldap.yml
@ -5,13 +5,13 @@ openproject_ldap:
  account:              "{{ ldap.dn.administrator }}"                  # Bind DN (used for authentication)
  account_password:     "{{ ldap.bind_credential }}"                   # Bind password
  base_dn:              "{{ ldap.dn.users }}"                          # Base DN for user search
-  attr_login:             "{{ ldap.attributes.user_id }}"            # LDAP attribute used for login
+  attr_login:           "{{ ldap.attributes.user_id | default('uid') }}" # LDAP attribute used for login
  attr_firstname:       "givenName"                                    # LDAP attribute for first name
  attr_lastname:        "sn"                                           # LDAP attribute for last name
  attr_mail:            "mail"                                         # LDAP attribute for email
-  attr_admin:             "{{ openproject_filters.administrators }}" # Optional: LDAP attribute for admin group (leave empty if unused)
+  attr_admin:           ""                                             # Optional: LDAP attribute for admin group (leave empty if unused)
  onthefly_register:    true                                           # Automatically create users on first login
  tls_mode:             0                                              # 0 = No TLS, 1 = TLS, 2 = STARTTLS
  verify_peer:          false                                          # Whether to verify the SSL certificate
-  filter_string:          "{{ openproject_filters.users }}"          # Optional: Custom filter for users (e.g., "(objectClass=person)")
+  filter_string:        ""                                             # Optional: Custom filter for users (e.g., "(objectClass=person)")
  tls_certificate_string: ""                                          # Optional: Client certificate string for TLS (usually left empty)
--- a/roles/docker-openproject/vars/main.yml
+++ b/roles/docker-openproject/vars/main.yml
@ -16,12 +16,3 @@ openproject_rails_settings:
  smtp_user_name:         "{{ system_email.username }}"
  smtp_password:          "{{ system_email.password }}"
  smtp_ssl:               false
-
-openproject_filters:
-  administrators: >-
-    {{ '(memberOf=cn=openproject-admins,' ~ ldap.dn.application_roles ~ ')' 
-       if applications[application_id].ldap.filters.administrators else '' }}
-
-  users: >-
-    {{ '(memberOf=cn=openproject-users,' ~ ldap.dn.application_roles ~ ')' 
-       if applications[application_id].ldap.filters.users else '' }}
--- a/roles/docker-pgadmin/tasks/configuration.yml
+++ b/roles/docker-pgadmin/tasks/configuration.yml
@ -1,22 +0,0 @@
- name: "load variables from {{ database_var_file }}"
-  include_vars: "{{ database_var_file }}"
-
- name: "loading database configuration variables"
-  include_vars:
-    file: "{{ role_path }}/vars/configuration.yml"
-
- name: "Render servers.json file"
-  template:
-    src: servers.json.j2
-    dest: "{{ pgadmin_host_server_file }}"
-    mode: "0644"
-  notify: docker compose project setup
-
- name: "Render .pgpass file"
-  template:
-    src: pgpass.j2
-    dest: "{{ pgadmin_host_password_file }}"
-    owner: "{{ pgadmin_user }}"
-    group: "{{ pgadmin_group }}"
-    mode: "0600"
-  notify: docker compose project setup
--- a/roles/docker-pgadmin/tasks/main.yml
+++ b/roles/docker-pgadmin/tasks/main.yml
@ -10,9 +10,5 @@
    domain:     "{{ domains[application_id] }}"
    http_port:  "{{ ports.localhost.http[application_id] }}"

- name: "configure pgadmin servers"
-  include_tasks: configuration.yml
-  when: applications[application_id].server_mode | bool
-
 - name: "copy docker-compose.yml and env file"
  include_tasks: copy-docker-compose-and-env.yml
--- a/roles/docker-pgadmin/templates/docker-compose.yml.j2
+++ b/roles/docker-pgadmin/templates/docker-compose.yml.j2
@ -3,7 +3,7 @@ services:
 {% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %}

  application:
-    image: dpage/pgadmin4:{{applications[application_id].version}}
+    image: dpage/pgadmin4:{{applications.pgadmin.version}}
    container_name: pgadmin
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
    ports:
@ -15,14 +15,5 @@ services:
      interval: 30s
      timeout: 10s
      retries: 3
-    volumes:
-      - "data:/var/lib/pgadmin"
-{% if applications[application_id].server_mode | bool %}
-      - "{{ pgadmin_host_server_file }}:{{ pgadmin_docker_server_file }}"
-      - "{{ pgadmin_host_password_file }}:{{ pgadmin_docker_password_file }}"
-{% endif %}
-
-{% include 'templates/docker/compose/volumes.yml.j2' %}
-  data:

 {% include 'templates/docker/compose/networks.yml.j2' %}
--- a/roles/docker-pgadmin/templates/env.j2
+++ b/roles/docker-pgadmin/templates/env.j2
@ -1,21 +1,5 @@
 # Configuration @see https://www.pgadmin.org/docs/pgadmin4/latest/container_deployment.html

-# Disable postfix integration (not needed in containerized environments)
-PGADMIN_DISABLE_POSTFIX=True
-
-# Default login email for server mode
 PGADMIN_DEFAULT_EMAIL={{ applications[application_id].users.administrator.email }}
-
-# Default login password for server mode
 PGADMIN_DEFAULT_PASSWORD={{ applications[application_id].users.administrator.password }}
-
-{% if applications[application_id].server_mode | bool %}
-# Load server connection settings from this JSON file
-PGADMIN_SERVER_JSON_FILE={{ pgadmin_docker_server_file }}
-
-# Enable desktop (single-user) mode
-PGADMIN_CONFIG_SERVER_MODE=False
-
-# Disable master password prompt for stored credentials
-PGADMIN_CONFIG_MASTER_PASSWORD_REQUIRED={{ applications[application_id].master_password_required | capitalize }}
-{% endif %}
+PGADMIN_DISABLE_POSTFIX=True
--- a/roles/docker-pgadmin/templates/pgpass.j2
+++ b/roles/docker-pgadmin/templates/pgpass.j2
@ -1,3 +0,0 @@
-{% for server in pgadmin_servers %}
-{{ server.host }}:{{ server.port }}:*:{{ server.username }}:{{ server.password }}
-{% endfor %}
--- a/roles/docker-pgadmin/templates/servers.json.j2
+++ b/roles/docker-pgadmin/templates/servers.json.j2
@ -1,16 +0,0 @@
-{
-  "Servers": {
-    {% for server in pgadmin_servers %}
-    "{{ loop.index }}": {
-      "Name": "{{ server.name }}",
-      "Group": "Servers",
-      "Host": "{{ server.host }}",
-      "Port": {{ server.port }},
-      "MaintenanceDB": "{{ server.maintenance_db }}",
-      "Username": "{{ server.username }}",
-      "SSLMode": "prefer",
-      "PassFile": "/pgpass"
-    }{% if not loop.last %},{% endif %}
-    {% endfor %}
-  }
-}
--- a/roles/docker-pgadmin/vars/configuration.yml
+++ b/roles/docker-pgadmin/vars/configuration.yml
@ -1,14 +0,0 @@
-pgadmin_host_server_file:     "{{docker_compose.directories.volumes}}servers.json"
-pgadmin_docker_server_file:   "/pgadmin4/servers.json"
-pgadmin_host_password_file:   "{{docker_compose.directories.volumes}}.pgpass"
-pgadmin_docker_password_file: "/pgpass"
-
-pgadmin_servers:
-  - name:           "Central Postgres Database"
-    host:           "{{ database_host }}"
-    port:           "{{ database_port }}"
-    username:       "postgres"
-    maintenance_db: "postgres"
-    password:       "{{ central_postgres_password }}"
-
-# Here you can add more databases 
--- a/roles/docker-pgadmin/vars/main.yml
+++ b/roles/docker-pgadmin/vars/main.yml
@ -1,6 +1,3 @@
 application_id:       "pgadmin"
 database_type:        "postgres"
 database_host:        "{{ 'central-' + database_type if applications[application_id].database.central_storage }}"
-database_var_file:            "{{playbook_dir}}/roles/docker-central-database/vars/database.yml"
-pgadmin_user:                 5050
-pgadmin_group:                "{{pgadmin_user}}"
--- a/roles/docker-snipe_it/templates/env.j2
+++ b/roles/docker-snipe_it/templates/env.j2
@ -53,7 +53,7 @@ MAIL_HOST               =   {{system_email.host}}               # SMTP server ad
 MAIL_PORT               =   {{system_email.port}}                       # SMTP server address
 MAIL_USERNAME           =   {{system_email.username}}                   # user to connect the SMTP server
 MAIL_PASSWORD           =   {{system_email.password}}                   # SMTP user's password
-MAIL_TLS_VERIFY_PEER    =   {{ system_email.tls | capitalize }} # use TLS (secure) connection with the SMTP server
+MAIL_TLS_VERIFY_PEER    =   {{ system_email.tls | lower | capitalize }} # use TLS (secure) connection with the SMTP server
 MAIL_FROM_ADDR          =   {{system_email.from}}                       # default email address for the automated emails
 MAIL_FROM_NAME          =   'Snipe-IT'
 MAIL_REPLYTO_ADDR       =   {{system_email.from}}                       # default email address for the automated emails
--- a/roles/docker-taiga/Development.md
+++ b/roles/docker-taiga/Development.md
@ -1,4 +1,4 @@
-# Development Notes
+# Development 

 ## Build front container

@ -13,25 +13,3 @@ Verify front configuration:
 ```bash
 docker compose exec -it taiga-front cat /usr/share/nginx/html/conf.json
 ```
-
-Verify the backend configuration:
-```bash
-docker compose exec -it taiga-back cat /taiga-back/settings/local.py
-```
-
-## Additional Configuration for plugin
-```bash
-# ENABLE_OPENID Plugin
-ENABLE_OPENID = os.getenv('ENABLE_OPENID', 'False') == 'True'
-if ENABLE_OPENID:
-    INSTALLED_APPS += [
-        "taiga_contrib_openid_auth"
-    ]
-    OPENID_USER_URL = os.getenv('OPENID_USER_URL')
-    OPENID_TOKEN_URL = os.getenv('OPENID_TOKEN_URL')
-    OPENID_CLIENT_ID = os.getenv('OPENID_CLIENT_ID')
-    OPENID_CLIENT_SECRET = os.getenv('OPENID_CLIENT_SECRET')
-    OPENID_SCOPE = os.getenv('OPENID_SCOPE')
-    OPENID_FILTER = os.getenv('OPENID_FILTER')
-    OPENID_FILTER_FIELD = os.getenv('OPENID_FILTER_FIELD')
-```
--- a/roles/docker-taiga/README.md
+++ b/roles/docker-taiga/README.md
@ -34,9 +34,7 @@ By using this role, teams can set up Taiga in minutes on Arch Linux systems —
 ## Features

 - 🐳 **Docker-Based Deployment:** Easy containerized setup of backend, frontend, async workers, and events service.
- 🔐 **OIDC (Single Sign-On):** Supported via:
-    - [taiga-contrib-openid-auth (robrotheram)](https://github.com/robrotheram/taiga-contrib-openid-auth)
-    - [taiga-contrib-oidc-auth (official)](https://github.com/taigaio/taiga-contrib-oidc-auth)
+- 🔐 **OIDC (Single Sign-On):** Supported via [taiga-contrib-openid-auth (robrotheram)](https://github.com/robrotheram/taiga-contrib-openid-auth)
 - 📨 **Email Backend:** Supports SMTP and console backends for development.
 - 🔁 **Async & Realtime Events:** Includes RabbitMQ and support for Taiga’s event system.
 - 🌐 **Reverse Proxy Ready:** Integrates with Nginx using the `nginx-domain-setup` role.
--- a/roles/docker-taiga/tasks/main.yml
+++ b/roles/docker-taiga/tasks/main.yml
@ -14,12 +14,6 @@
  include_role: 
    name: docker-repository-setup

- name: "template local.py for taiga-contrib-oidc-auth"
-  template:
-    src: taiga/local.py.j2
-    dest: "{{ docker_compose.directories.config }}taiga-local.py"
-  when: applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'taigaio'
-
 - name: "create {{docker_compose_init}}"
  template:
    src:	"docker-compose-inits.yml.j2"
--- a/roles/docker-taiga/templates/docker-compose.yml.j2
+++ b/roles/docker-taiga/templates/docker-compose.yml.j2
@ -8,13 +8,6 @@ services:
      - static-data:/taiga-back/static
      - media-data:/taiga-back/media
      # - ./config.py:/taiga-back/settings/config.py
-
-{% if applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'taigaio' %}
-
-      - {{ docker_compose.directories.config }}taiga-local.py:/taiga-back/settings/local.py:ro
-
-{% endif %}
-
 {% include 'templates/docker/container/networks.yml.j2' %}
      taiga:
 {% include 'templates/docker/container/depends-on-also-database.yml.j2' %}
@ -22,15 +15,6 @@ services:
        condition: service_started
      taiga-async-rabbitmq:
        condition: service_started
-{% if applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'taigaio' %}
-    
-    command: >
-      /bin/sh -c "
-        pip install taiga-contrib-oidc-auth &&
-        /taiga-back/docker/entrypoint.sh"
-
-{% endif %}
-

  taiga-async:
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
@ -41,13 +25,6 @@ services:
      - static-data:/taiga-back/static
      - media-data:/taiga-back/media
      # - ./config.py:/taiga-back/settings/config.py
-
-{% if applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'taigaio' %}
-
-      - {{ docker_compose.directories.config }}taiga-local.py:/taiga-back/settings/local.py:ro
-
-{% endif %}
-
 {% include 'templates/docker/container/networks.yml.j2' %}
      taiga:
 {% include 'templates/docker/container/depends-on-also-database.yml.j2' %}
@ -55,14 +32,6 @@ services:
        condition: service_started
      taiga-async-rabbitmq:
        condition: service_started
-{% if applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'taigaio' %}
-    
-    command: >
-      /bin/sh -c "
-        pip install taiga-contrib-oidc-auth &&
-        /taiga-back/docker/entrypoint.sh"
-        
-{% endif %}

  taiga-async-rabbitmq:
    image: rabbitmq:3.8-management-alpine
--- a/roles/docker-taiga/templates/env.j2
+++ b/roles/docker-taiga/templates/env.j2
@ -26,7 +26,7 @@ EMAIL_BACKEND:      =   "django.core.mail.backends.{{email_backend}}.EmailBacken
 DEFAULT_FROM_EMAIL  =   "{{system_email.from}}"

 # EMAIL_USE_TLS/EMAIL_USE_SSL are mutually exclusive (only set one of those to True)
-EMAIL_USE_TLS   =   "{{ system_email.tls | capitalize }}"         # use TLS (secure) connection with the SMTP server
+EMAIL_USE_TLS   =   "{{ system_email.tls | lower | capitalize }}"         # use TLS (secure) connection with the SMTP server
 EMAIL_USE_SSL   =   "{{ 'False' if system_email.start_tls else 'True' }}" # use implicit TLS (secure) connection with the SMTP server

 RABBITMQ_USER=taiga
@ -48,30 +48,8 @@ MAX_AGE             =   360
 ENABLE_TELEMETRY    =   True

 {% if applications[application_id].oidc.enabled %}
-
-{% if applications[application_id].oidc.flavor == 'taigaio' %}
-
-# OIDC via taigaio official contrib
-# @See https://github.com/taigaio/taiga-contrib-oidc-auth
-ENABLE_OIDC=True
-OIDC_RP_CLIENT_ID="{{ oidc.client.id }}"
-OIDC_RP_CLIENT_SECRET="{{ oidc.client.secret }}"
-OIDC_OP_AUTHORIZATION_ENDPOINT="{{ oidc.client.authorize_url }}"
-OIDC_OP_TOKEN_ENDPOINT="{{ oidc.client.token_url }}"
-OIDC_OP_USER_ENDPOINT="{{ oidc.client.user_info_url }}"
-OIDC_RP_SIGN_ALGO="RS256"
-OIDC_RP_SCOPES="openid profile email"
-OIDC_USE_STATE=True
-OIDC_USE_NONCE=True
-OIDC_RP_CALLBACK_URL="{{ oidc.client.redirect_uri | default('') }}"
-OIDC_OP_JWKS_ENDPOINT="{{ oidc.client.jwks_url | default('') }}"
-
-{% endif %}
-
-{% if applications[application_id].oidc.flavor == 'robrotheram' %}
-
-# OIDC via robrotheram
-# @see https://github.com/robrotheram/taiga-contrib-openid-auth
+# OICD 
+# @See https://github.com/robrotheram/taiga-contrib-openid-auth
 ENABLE_OPENID=True
 OPENID_URL="{{oidc.client.authorize_url}}"
 OPENID_USER_URL="{{oidc.client.user_info_url}}"
@ -80,14 +58,14 @@ OPENID_CLIENT_ID="{{oidc.client.id}}"
 OPENID_CLIENT_SECRET="{{oidc.client.secret}}"
 OPENID_NAME="{{oidc.button_text}}"
 OPENID_USERNAME_FIELD="{{oidc.attributes.username}}"
-# Optional:
+
+# Default Values
 # OPENID_ID_FIELD="sub"
 # OPENID_FULLNAME_FIELD="name"
 # OPENID_EMAIL_FIELD="email"
 # OPENID_SCOPE="openid email"
+
+# The following are optional fields to configure filtering users based on the openid-userinfo. A common use case is to allow only specific roles or groups to log into taiga. OPENID_FILTER_FIELD is the name of the claim that's present in the UserInfo. The field is expected to be a list of strings. OPENID_FILTER is the allowed values, comma seperated.
 #OPENID_FILTER = "taiga_users,taiga_admins"
 #OPENID_FILTER_FIELD = "groups"
-
-{% endif %}
-
 {% endif %}
--- a/roles/docker-taiga/templates/local.py.j2
+++ b/roles/docker-taiga/templates/local.py.j2
@ -1,24 +0,0 @@
-INSTALLED_APPS += [
-    "mozilla_django_oidc",
-    "taiga_contrib_oidc_auth",
-]
-
-AUTHENTICATION_BACKENDS = list(AUTHENTICATION_BACKENDS) + [
-    "taiga_contrib_oidc_auth.oidc.TaigaOIDCAuthenticationBackend",
-]
-
-ROOT_URLCONF = "settings.urls"
-
-OIDC_CALLBACK_CLASS = "taiga_contrib_oidc_auth.views.TaigaOIDCAuthenticationCallbackView"
-OIDC_RP_SCOPES = "openid profile email"
-OIDC_RP_SIGN_ALGO = "RS256"
-
-OIDC_BASE_URL = "{{ oidc.base_url }}"
-OIDC_OP_JWKS_ENDPOINT = OIDC_BASE_URL + "/Jwks"
-OIDC_OP_AUTHORIZATION_ENDPOINT = OIDC_BASE_URL + "/Authorization"
-OIDC_OP_TOKEN_ENDPOINT = OIDC_BASE_URL + "/Token"
-OIDC_OP_USER_ENDPOINT = OIDC_BASE_URL + "/UserInfo"
-
-import os
-OIDC_RP_CLIENT_ID = os.getenv("OIDC_RP_CLIENT_ID")
-OIDC_RP_CLIENT_SECRET = os.getenv("OIDC_RP_CLIENT_SECRET")
--- a/roles/docker-taiga/vars/main.yml
+++ b/roles/docker-taiga/vars/main.yml
@ -4,10 +4,6 @@ database_password:          "{{taiga_database_password}}"
 docker_repository_address:  "https://github.com/taigaio/taiga-docker"
 email_backend:              "smtp"                                      ## use an SMTP server or display the emails in the console (either "smtp" or "console")
 docker_compose_init:        "{{docker_compose.directories.instance}}docker-compose-inits.yml.j2"
-taiga_image_backend: >-
-  {{ 'robrotheram/taiga-back-openid' if applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'robrotheram'
-     else 'taigaio/taiga-back' }}
-taiga_image_frontend: >-
-  {{ 'robrotheram/taiga-front-openid' if applications[application_id].oidc.enabled and applications[application_id].oidc.flavor == 'robrotheram'
-     else 'taigaio/taiga-front' }}
+taiga_image_backend:        "{{ 'robrotheram/taiga-back-openid' if applications[application_id].oidc.enabled else 'taigaio/taiga-back' }}"
+taiga_image_frontend:       "{{ 'robrotheram/taiga-front-openid' if applications[application_id].oidc.enabled else 'taigaio/taiga-front' }}"
 taiga_frontend_conf_path:   "{{docker_compose.directories.config}}conf.json"
				`@ -1 +0,0 @@`
				`lam_profiles_dir: "{{ docker_compose.directories.volumes }}lam/config/profiles/"`