Solved merge variable bug

group_vars/all/00_general.yml

@@ -1,7 +1,6 @@
 # General
 pause_duration:         "120"         # Database delay to wait for the central database before continue tasks
 
-backups_folder_path:    "/Backups/"   # Path to the backups folder
 timezone:               "UTC"
 locale:                 "en"
 
@@ -26,14 +25,8 @@ hours_server_awake:               "0..23"
 ## Random delay for systemd timers to avoid peak loads.
 randomized_delay_sec:             "5min" 
 
-# Storage Space-Related Configurations          
-size_percent_maximum_backup:      75  # Maximum storage space in percent for backups
-size_percent_cleanup_disc_space:  85  # Threshold for triggering cleanup actions
-size_percent_disc_space_warning:  90  # Warning threshold in percent for free disk space
-
 # Runtime Variables for Process Control
 activate_all_timers:                  false   # Activates all timers, independend if the handlers had been triggered
-nginx_matomo_tracking:                false   # Activates matomo tracking on all html pages
 
 # One Wildcard Certificate for All Subdomains
 # Enables a single Let's Encrypt wildcard certificate for all subdomains instead of individual certificates.
@@ -46,4 +39,5 @@ nginx_matomo_tracking:                false   # Activates matomo tracking on all
 enable_wildcard_certificate:          false  
 
 # This enables debugging in ansible and in the apps
+# You SHOULD NOT enable this on production servers
 enable_debug:   false

group_vars/all/05_nginx.yml

@@ -14,3 +14,5 @@ nginx:
 
 ## Nginx static repository
 nginx_static_repository_address: NULL #This should contain the url to an git repository which has a static homepage included and an index.html file. @todo move this variable to the role
+
+nginx_matomo_tracking:                false   # Activates matomo tracking on all html pages

group_vars/all/07_applications.yml

@@ -1,31 +1,14 @@
 # Docker Applications
 
-## Enable Central MariaDB
-enable_central_database: true
-enable_central_database_mailu: "{{enable_central_database}}"
-
-## Enable Storage Optimizer for Docker Volumes
-enable_system_storage_optimizer: true
-
 ## Docker Role Specific Parameters
 docker_restart_policy:        "unless-stopped"
 
-### Keycloak Client Configuration
+##############################################
-oidc_client_active:               true  # Implement OpenID Connect https://en.wikipedia.org/wiki/OpenID_Connect
+## Private Helper variables                ### 
-oidc_client_id:                   "{{primary_domain}}"
+##############################################
-oidc_client_realm:                "{{primary_domain}}"   
-oidc_client_issuer_url:           "https://{{domains.keycloak}}/realms/{{oidc_client_realm}}"
-oidc_client_discovery_document:   "{{oidc_client_issuer_url}}/.well-known/openid-configuration"
-oidc_client_authorize_url:        "{{oidc_client_issuer_url}}/protocol/openid-connect/auth"
-oidc_client_toke_url:             "{{oidc_client_issuer_url}}/protocol/openid-connect/token"
-oidc_client_user_info_url:        "{{oidc_client_issuer_url}}/protocol/openid-connect/userinfo"
-oidc_client_logout_url:           "{{oidc_client_issuer_url}}/protocol/openid-connect/logout"
-# oidc_client_secret:             "{{oidc_client_secret}}"  # Default use wildcard for primary domain, subdomain client specific configuration in vars files in the roles is possible
 
-ldap_network_enabled:                  false                                     # Activate LDAP network for insecure communitation on localhot between different container instances. Set in vars/main.yml
+# By default don't expose openldap to the internet, just if explicit configured
-
+_ldap_openldap_expose_to_internet:       "{{ applications.ldap.openldap.expose_to_internet if applications.ldap is defined and applications.ldap.openldap is defined else false}}"
-oauth2_proxy_upstream_application_and_port:  "application:80"                          # The name of the application which the server redirects to. Needs to be defined in role vars.
-oauth2_proxy_active:                         false   
 
 defaults_applications:
 
@@ -86,7 +69,8 @@ defaults_applications:
       administrator_password:         "{{user_administrator_initial_password}}" # CHANGE for security reasons
     openldap:
       version:                        "latest"
-      expose_to_internet:             false     # Set to true if you want to expose the LDAP port to the internet. Keep in mind to
+      expose_to_internet:             "{{_ldap_openldap_expose_to_internet}}"   # Set to true if you want to expose the LDAP port to the internet
+      domain:                         "{{domains.ldap if _ldap_openldap_expose_to_internet else 'openldap'}}" # Mapping for public or locale access
     phpldapadmin:
       version:                        "2.0.0-dev"                               # @todo Attention: Change this as fast as released to latest
     webinterface:                     "lam"                                     # The webinterface which should be used. Possible: lam and phpldapadmin

group_vars/all/11_iam.yml

@@ -0,0 +1,39 @@
+#############################################
+### Identity and Access Management (IAM)  ###
+#############################################
+
+#############################################
+### OIDC                                  ###
+#############################################
+# @see https://en.wikipedia.org/wiki/OpenID_Connect
+
+## Private configuration variables:
+_oidc_client_realm:       "{{ oidc.client.realm if oidc.client is defined and oidc.client.realm is defined else primary_domain }}"
+_oidc_client_issuer_url:  "https://{{domains.keycloak}}/realms/{{_oidc_client_realm}}"
+
+defaults_oidc:
+  enabled:               true
+  client:
+    id:                   "{{primary_domain}}"
+#   secret:               # Define in inventory file
+    realm:                "{{_oidc_client_realm}}"
+    issuer_url:           "{{_oidc_client_issuer_url}}"
+    discovery_document:   "{{_oidc_client_issuer_url}}/.well-known/openid-configuration"
+    authorize_url:        "{{_oidc_client_issuer_url}}/protocol/openid-connect/auth"
+    toke_url:             "{{_oidc_client_issuer_url}}/protocol/openid-connect/token"
+    user_info_url:        "{{_oidc_client_issuer_url}}/protocol/openid-connect/userinfo"
+    logout_url:           "{{_oidc_client_issuer_url}}/protocol/openid-connect/logout"
+    change_credentials:   "{{_oidc_client_issuer_url}}account/account-security/signing-in"
+
+#############################################
+### OAuth2-Proxy                          ###
+#############################################
+# The name of the application which the server redirects to. Needs to be defined in role vars.
+oauth2_proxy_upstream_application_and_port:  "application:80"
+oauth2_proxy_active:                         false   
+
+#############################################
+### LDAP                                  ###
+#############################################
+# Activate LDAP network for insecure communitation on localhot between different container instances. Set in vars/main.yml
+ldap_network_enabled:                  false

group_vars/all/12_storage.yml

@@ -0,0 +1,13 @@
+## Enable Central Postgress and MariaDB instead of dedicated container per application
+enable_central_database:          true
+enable_central_database_mailu:    "{{enable_central_database}}"
+
+## Enable Storage Optimizer for Docker Volumes
+enable_system_storage_optimizer:  true
+
+backups_folder_path:              "/Backups/"   # Path to the backups folder
+
+# Storage Space-Related Configurations          
+size_percent_maximum_backup:      75  # Maximum storage space in percent for backups
+size_percent_cleanup_disc_space:  85  # Threshold for triggering cleanup actions
+size_percent_disc_space_warning:  90  # Warning threshold in percent for free disk space

playbook.constructor.yml

@@ -8,14 +8,23 @@
   - name: Merge domain definitions
     set_fact:
       domains: "{{ defaults_domains | combine(domains | default({}, true), recursive=True) }}"
-  - name: Merge redirect domain definitions
+
+  - name: Merge redirect domain definitions into dictionary
     set_fact:
-      redirect_domain_mappings: >-
+      combined_mapping: >-
         {{
           (defaults_redirect_domain_mappings | items2dict(key_name='source', value_name='target'))
-          | combine((redirect_domain_mappings | items2dict(key_name='source', value_name='target')), recursive=True)
+          | combine(
-          | dict2items
+              (redirect_domain_mappings | items2dict(key_name='source', value_name='target')),
+              recursive=True
+            )
         }}
+
+  - name: Transform combined mapping to list with source and target keys
+    set_fact:
+      redirect_domain_mappings: "{{ redirect_domain_mappings | default([]) + [ {'source': item.key, 'target': item.value} ] }}"
+    loop: "{{ combined_mapping | dict2items }}"
+
   - name: Merge application definitions
     set_fact:
       applications: "{{ defaults_applications | combine(applications | default({}, true), recursive=True) }}"
@@ -23,6 +32,15 @@
     set_fact:
       networks: "{{ defaults_networks | combine(networks | default({}, true), recursive=True) }}"
   
+  - name: Merge oidc configuration
+    set_fact:
+      oidc: "{{ defaults_oidc | combine(oidc | default({}, true), recursive=True) }}"
+
+  - name: print oidc dict
+    debug:
+      var: oidc
+    when: enable_debug | bool
+
 - name: update device
   hosts:  all
   become: true

roles/docker-bigbluebutton/templates/env.j2

@@ -282,12 +282,12 @@ HELP_URL=https://docs.bigbluebutton.org/greenlight/gl-overview.html
 #   approval - For approve/decline registration
 DEFAULT_REGISTRATION=invite
 
-{% if oidc_client_active | bool %}
+{% if oidc.enabled | bool %}
 ### EXTERNAL AUTHENTICATION METHODS
 # @See https://docs.bigbluebutton.org/greenlight/v3/external-authentication/
 #
-OPENID_CONNECT_CLIENT_ID={{oidc_client_id}}
+OPENID_CONNECT_CLIENT_ID={{oidc.client.id}}
-OPENID_CONNECT_CLIENT_SECRET={{oidc_client_secret}}
+OPENID_CONNECT_CLIENT_SECRET={{oidc.client.secret}}
-OPENID_CONNECT_ISSUER={{oidc_client_issuer_url}}
+OPENID_CONNECT_ISSUER={{oidc.client.issuer_url}}
 OPENID_CONNECT_REDIRECT=https://{{domain}}
 {% endif %}

roles/docker-discourse/templates/discourse_application.yml.j2

@@ -112,16 +112,16 @@ run:
   ## If you want to set the 'From' email address for your first registration, uncomment and change:
   ## After getting the first signup email, re-comment the line. It only needs to run once.
   #- exec: rails r "SiteSetting.notification_email='info@unconfigured.discourse.org'"
-{% if oidc_client_active | bool %}
+{% if oidc.enabled | bool %}
   # Deactivate Default Login
   - exec: rails r "SiteSetting.enable_local_logins = false"
   - exec: rails r "SiteSetting.enable_passkeys = false" # https://meta.discourse.org/t/passwordless-login-using-passkeys/285589
 
   # OIDC Activation
   - exec: rails r "SiteSetting.openid_connect_enabled = true"
-  - exec: rails r "SiteSetting.openid_connect_discovery_document = '{{oidc_client_discovery_document}}'"
+  - exec: rails r "SiteSetting.openid_connect_discovery_document = '{{oidc.client.discovery_document}}'"
-  - exec: rails r "SiteSetting.openid_connect_client_id = '{{oidc_client_id}}'"         
+  - exec: rails r "SiteSetting.openid_connect_client_id = '{{oidc.client.id}}'"         
-  - exec: rails r "SiteSetting.openid_connect_client_secret = '{{oidc_client_secret}}'"     
+  - exec: rails r "SiteSetting.openid_connect_client_secret = '{{oidc.client.secret}}'"     
   - exec: rails r "SiteSetting.openid_connect_rp_initiated_logout_redirect = 'https://{{domain}}'"
   - exec: rails r "SiteSetting.openid_connect_allow_association_change = false"
   - exec: rails r "SiteSetting.openid_connect_rp_initiated_logout = true"

roles/docker-keycloak/vars/main.yml

@@ -1,3 +1,4 @@
-application_id:  	  "keycloak"
+application_id:  	    "keycloak"
-database_type:      "postgres"
+database_type:        "postgres"
-database_password:  "{{keycloak_database_password}}"
+database_password:    "{{keycloak_database_password}}"
+ldap_network_enabled: true  # Activate LDAP network

roles/docker-ldap/tasks/main.yml

@@ -19,6 +19,11 @@
     state: absent
   when: not applications.ldap.openldap.expose_to_internet | bool
 
+- name: create docker network for LDAP, so that other applications can access it
+  docker_network:
+    name: central_ldap
+    state: present
+
 - name: "create {{docker_compose.files.docker_compose}}"
   template:
     src:	"docker-compose.yml.j2"
@@ -40,6 +45,7 @@
     mode: '770'
     force: yes
   notify: docker compose project setup
+  when: applications.ldap.webinterface == 'phpldapadmin'
 
 - name: "create {{docker_compose.directories.env}}lam.env"
   template: 
@@ -48,3 +54,4 @@
     mode: '770'
     force: yes
   notify: docker compose project setup
+  when: applications.ldap.webinterface == 'lam'

roles/docker-ldap/templates/docker-compose.yml.j2

@@ -25,9 +25,11 @@ services:
     image: bitnami/openldap:{{applications.ldap.openldap.version}}
     container_name: openldap
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
+{% if applications.ldap.openldap.expose_to_internet | bool %}
     ports:
       - 127.0.0.1:{{ldap_localhost_port}}:{{ldap_localhost_port}}               # Expose just on localhost so that nginx stream proxy can use it
       - 127.0.0.1:{{ldap_secure_localhost_port}}:{{ldap_secure_localhost_port}} # Expose just on localhost
+{% endif %}
     volumes:
       - 'data:/bitnami/openldap'
     healthcheck:

roles/docker-ldap/templates/lam.env.j2

@@ -7,7 +7,7 @@ LAM_PASSWORD=               {{applications.ldap.lam.administrator_password}}
 LAM_CONFIGURATION_DATABASE= files                                                   # configuration database (files or mysql) @todo implement mariadb
 
 # LDAP Configuration
-LDAP_SERVER=                {{domain}}                                              # domain of LDAP database root entry, will be converted to dc=...,dc=...
+LDAP_SERVER=                {{applications.ldap.openldap.domain}}                   # domain of LDAP database root entry, will be converted to dc=...,dc=...
 LDAP_BASE_DN=               {{ldap_root}}                                           # LDAP base DN to overwrite value generated by LDAP_DOMAIN
 LDAP_USER=                  {{ldap_admin_dn}}                                       # LDAP admin user (set as login user for LAM)
 LDAP_ADMIN_PASSWORD=        {{applications.ldap.administrator_database_password}}   # LDAP admin password

roles/docker-ldap/vars/main.yml

@@ -11,4 +11,4 @@ oauth2_proxy_active:                        true
 
 enable_wildcard_certificate:  false # Activate dedicated Certificate
 
-ldap_network_enabled:                 true  # Activate LDAP network
+ldap_network_enabled:         true  # Activate LDAP network

roles/docker-mailu/README.md

@@ -1,8 +1,8 @@
-# Mailu Server Docker Role
+# Mailu Server Docker Role 🚀
 
-This guide provides instructions for setting up, operating, and maintaining the Mailu server docker role.
+This guide provides instructions for setting up, operating, and maintaining the [Mailu](https://mailu.io/) server Docker role.
 
-## Table of Contents
+## Table of Contents 📖
 
 - [Setup](#setup)
   - [Fetchmail Issues](#fetchmail-issues)
@@ -16,24 +16,25 @@ This guide provides instructions for setting up, operating, and maintaining the
 - [Updates](#updates)
 - [Queue Management](#queue-management)
 - [Spam Issues](#spam-issues)
+- [OIDC Support](#oidc-support)
 - [To-Do](#to-do)
 - [References](#references)
 
-## Setup
+## Setup ⚙️
 
-### Fetchmail Issues
+### Fetchmail Issues 📨
 
 Fetchmail might not work properly with large amounts of data. For more information, refer to this [issue](https://github.com/Mailu/Mailu/issues/1719).
 
-#### Deactivating Fetchmail
+#### Deactivating Fetchmail ❌
 
 Before uninstalling Fetchmail, ensure you remove all fetched accounts from the administration panel.
 
-#### Fetchmail Security Concerns
+#### Fetchmail Security Concerns 🔐
 
 There are known security concerns with Fetchmail as stated in the [German Wikipedia](https://de.wikipedia.org/wiki/Fetchmail). If you require Fetchmail functions in the future, consider creating a Docker container for [Getmail](https://en.wikipedia.org/wiki/Getmail) as it is considered more secure.
 
-#### Fetchmail Workaround
+#### Fetchmail Workaround 🔄
 
 If you need to receive emails from another account, follow these steps:
 
@@ -41,7 +42,7 @@ If you need to receive emails from another account, follow these steps:
 2. Export all data from your original account.
 3. Import all data to your new account.
 
-### Port Management
+### Port Management 🌐
 
 Check for any port conflicts and manually change the conflicting ports if necessary. Use the following command to verify:
 
@@ -49,7 +50,7 @@ Check for any port conflicts and manually change the conflicting ports if necess
 netstat -tulpn
 ```
 
-### Admin Account Creation
+### Admin Account Creation 👤
 
 To use Mailu, create the primary administrator user account, `admin@{{hostname}}`, using the command below. Replace `PASSWORD` with your preferred password:
 
@@ -57,11 +58,11 @@ To use Mailu, create the primary administrator user account, `admin@{{hostname}}
 docker-compose -p mailu exec admin flask mailu admin {{admin}} {{hostname}} PASSWORD
 ```
 
-### CLI User Management
+### CLI User Management 🛠️
 
 For managing users, follow the instructions in the official [Mailu CLI documentation](https://mailu.io/master/cli.html).
 
-### Starting the Server
+### Starting the Server ▶️
 
 To start the server, use the following command:
 
@@ -69,9 +70,9 @@ To start the server, use the following command:
 docker-compose -p mailu up -d
 ```
 
-## Debugging
+## Debugging 🕵️‍♂️
 
-### Database Access
+### Database Access 📂
 
 To access the database, use the following command:
 
@@ -79,7 +80,7 @@ To access the database, use the following command:
 docker-compose exec -it database mysql -u root -D mailu -p
 ```
 
-### Container Access
+### Container Access 🖥️
 
 To access the front container, use this command:
 
@@ -87,7 +88,7 @@ To access the front container, use this command:
 docker-compose exec -it front /bin/bash
 ```
 
-### Restarting Services
+### Restarting Services 🔄
 
 To restart all services, use the following command:
 
@@ -95,7 +96,7 @@ To restart all services, use the following command:
 docker-compose restart
 ```
 
-### Resending Queued Mails
+### Resending Queued Mails ✉️
 
 To resend queued mails, use this command:
 
@@ -103,63 +104,69 @@ To resend queued mails, use this command:
 docker-compose exec -it smtp postqueue -f
 ```
 
-## Testing
+## Testing 🧪
 
 Use the following tools for testing:
 
-- SSL-Tools Mailserver Test (URL: https://de.ssl-tools.net/mailservers/)
+- [SSL-Tools Mailserver Test](https://de.ssl-tools.net/mailservers/)
-- TestEmail.de (URL: http://testemail.de/)
+- [TestEmail.de](http://testemail.de/)
 
-## Updates
+## Updates 🔄
 
 For instructions on updating your Mailu setup, follow the official [Mailu maintenance guide](https://mailu.io/master/maintain.html).
 
-## Queue Management
+## Queue Management 📬
 
 To manage the Postfix email queue in Mailu, you can use the following commands:
 
-- **Display the email queue**: This command shows all queued emails.
+- **Display the email queue**:
+
   ```bash
   docker compose exec -it smtp postqueue -p
   ```
 
-- **Delete all emails in the queue**: To remove all queued emails permanently, use the command:
+- **Delete all emails in the queue**:
+
   ```bash
   docker compose exec -it smtp postsuper -d ALL
   ```
 
-These commands can help control the email queue, especially for clearing out emails with delivery issues or delays.
+## Spam Issues 🚨
 
-## Spam Issues
+### Inspect 🔎
-
-### Inspect
 
 Use the following tools to monitor your domain and email deliverability:
 
 - [Google Postmaster](https://postmaster.google.com/) - Analyzes deliverability and spam issues for Gmail.
 - [Yahoo Postmaster](https://postmaster.yahooinc.com) - Provides insights and delivery reports for Yahoo.
 
-### Blacklist Check
+### Blacklist Check 🚫
 
 If your domain is blacklisted, you can check the status with these services and take steps to remove your domain if necessary:
 
-- [Spamhaus](https://check.spamhaus.org/) - One of the most widely used blacklists for spam.
+- [Spamhaus](https://check.spamhaus.org/)
-- [Barracuda](https://www.barracudacentral.org/lookups) - Checks if your IP is on the Barracuda blacklist.
+- [Barracuda](https://www.barracudacentral.org/lookups)
 
-### Cloudmark Reset Request
+### Cloudmark Reset Request 🔄
 
-If your IP or domain is flagged by Cloudmark, you can submit a **reset request** to help restore deliverability:
+If your IP or domain is flagged by Cloudmark, you can submit a **reset request**:
 
 - [Cloudmark Reset](https://csi.cloudmark.com/en/reset/)
 
-## To-Do
+## OIDC Support 🔐
 
-- Implement two-factor authentication in Roundcube Webmail. More information can be found [here](https://blog.kuepper.nrw/2019/03/30/roundcube-webmail-mit-zwei-faktor-authentifizierung/).
+This role now supports OpenID Connect (OIDC) authentication with [Mailu-OIDC](https://github.com/heviat/Mailu-OIDC)! 🎉
-- Integrate Nextcloud 15 and newer with Mailu. Learn more about this [here](https://mailu.io/master/faq.html#i-want-to-integrate-nextcloud-15-and-newer-with-mailu).
-- User authentication with Nextcloud. Find more information [here](https://docs.nextcloud.com/server/9.0/admin_manual/configuration_user/user_auth_ftp_smb_imap.html).
 
-## References
+To enable OIDC authentication, simply set the following variable:
 
+```yaml
+oidc:
+  enabled: true
+```
+
+For more details, check out the [Mailu-OIDC repository](https://github.com/heviat/Mailu-OIDC/tree/2024.06).
+
+## References 🔗
 - [Mailu compose setup guide](https://mailu.io/1.7/compose/setup.html)
 - [SysPass issue #1299](https://github.com/nuxsmin/sysPass/issues/1299)
 - [Mailu issue #1719](https://github.com/Mailu/Mailu/issues/1719)
@@ -169,8 +176,18 @@ If your IP or domain is flagged by Cloudmark, you can submit a **reset request**
 - [Mailu GitHub repository](https://github.com/Mailu/Mailu)
 - [Plesk support article on RoundCube connection issue](https://support.plesk.com/hc/en-us/articles/115001264814-Unable-to-log-into-RoundCube-Connection-to-storage-server-failed)
 - [Gist by marienfressinaud](https://gist.github.com/marienfressinaud/f284a59b18aad395eb0de2d22836ae6b)
-- [Implementing OpenID with Mailu](https://github.com/heviat/Mailu-OIDC)
 
-For more information about this role, visit the [GitHub repository](https://github.com/kevinveenbirkenbach/cymais/tree/master/roles/docker-mailu).
+---
 
-This README.md was optimized with [Chat-GPT](https://chat.openai.com/share/d1ad5ce7-3aa1-4a14-a959-63393b39374a)
+For more information about this role, visit the GitHub repositories:
+- [Mailu](https://github.com/kevinveenbirkenbach/cymais/tree/master/roles/docker-mailu)
+- [Mailu-OIDC](https://github.com/heviat/Mailu-OIDC)
+
+### About this Role ✨
+
+This Mailu Docker role was developed by **[Kevin Veen-Birkenbach](https://veen.world)**.
+
+This `README.md` was optimized with the help of [ChatGPT](https://chat.openai.com)🚀 and this conversations: 
+
+- https://chat.openai.com/share/d1ad5ce7-3aa1-4a14-a959-63393b39374a
+- https://chatgpt.com/share/67a4bffb-9330-800f-aed5-715c6a8ced2f

roles/docker-mailu/templates/docker-compose.yml.j2

@@ -6,13 +6,13 @@ services:
 
   # Core services
   resolver:
-    image: ghcr.io/mailu/unbound:{{applications.mailu.version}}
+    image: {{docker_source}}/unbound:{{applications.mailu.version}}
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
 {% include 'templates/docker/container/networks.yml.j2' %}
         ipv4_address: {{networks.local.mailu.dns}}
 
   front:
-    image: ghcr.io/mailu/nginx:{{applications.mailu.version}}
+    image: {{docker_source}}/nginx:{{applications.mailu.version}}
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
     ports:
       - "127.0.0.1:{{ http_port }}:80"
@@ -37,7 +37,7 @@ services:
       - {{networks.local.mailu.dns}}
       
   admin:
-    image: ghcr.io/mailu/admin:{{applications.mailu.version}}
+    image: {{docker_source}}/admin:{{applications.mailu.version}}
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
     volumes:
       - "admin_data:/data"
@@ -52,7 +52,7 @@ services:
 {% include 'templates/docker/container/networks.yml.j2' %}
 
   imap:
-    image: ghcr.io/mailu/dovecot:{{applications.mailu.version}}
+    image: {{docker_source}}/dovecot:{{applications.mailu.version}}
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
     volumes:
       - "dovecot_mail:/mail"
@@ -65,7 +65,7 @@ services:
 {% include 'templates/docker/container/networks.yml.j2' %}
 
   smtp:
-    image: ghcr.io/mailu/postfix:{{applications.mailu.version}}
+    image: {{docker_source}}/postfix:{{applications.mailu.version}}
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
     volumes:
       - "{{docker_compose.directories.volumes}}overrides:/overrides:ro"
@@ -78,7 +78,7 @@ services:
 {% include 'templates/docker/container/networks.yml.j2' %}
 
   oletools:
-    image: ghcr.io/mailu/oletools:{{applications.mailu.version}}
+    image: {{docker_source}}/oletools:{{applications.mailu.version}}
     hostname: oletools
     restart: {{docker_restart_policy}}
     depends_on:
@@ -89,7 +89,7 @@ services:
       noinet:
 
   antispam:
-    image: ghcr.io/mailu/rspamd:{{applications.mailu.version}}
+    image: {{docker_source}}/rspamd:{{applications.mailu.version}}
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
     volumes:
       - "filter:/var/lib/rspamd"
@@ -119,7 +119,7 @@ services:
 {% include 'templates/docker/container/networks.yml.j2' %}
 
   webdav:
-    image: ghcr.io/mailu/radicale:{{applications.mailu.version}}
+    image: {{docker_source}}/radicale:{{applications.mailu.version}}
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
     volumes:
       - "webdav_data:/data"
@@ -131,7 +131,7 @@ services:
       radicale:
 
   fetchmail:
-    image: ghcr.io/mailu/fetchmail:{{applications.mailu.version}}
+    image: {{docker_source}}/fetchmail:{{applications.mailu.version}}
     volumes:
       - "admin_data:/data"
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
@@ -145,7 +145,7 @@ services:
 {% include 'templates/docker/container/networks.yml.j2' %}
 
   webmail:
-    image: ghcr.io/mailu/webmail:{{applications.mailu.version}}
+    image: {{docker_source}}/webmail:{{applications.mailu.version}}
 {% include 'roles/docker-compose/templates/services/base.yml.j2' %}
     volumes:
       - "webmail_data:/data"

roles/docker-mailu/templates/env.j2

@@ -149,3 +149,30 @@ API_TOKEN={{mailu_api_token}}
 
 # Activated https://mailu.io/master/configuration.html#advanced-settings
 AUTH_REQUIRE_TOKENS=True
+
+
+{% if oidc.enabled | bool %}
+################################### 
+# OpenID Connect settings
+###################################
+# @see https://github.com/heviat/Mailu-OIDC/tree/master
+
+# Enable OpenID Connect. Possible values: True, False
+OIDC_ENABLED={{ oidc.enabled | string | capitalize }}
+# OpenID Connect provider configuration URL
+OIDC_PROVIDER_INFO_URL={{oidc.client.issuer_url}}
+# OpenID redirect URL if HOSTNAME not matching your login url
+OIDC_REDIRECT_URL=https://{{domain}}
+# OpenID Connect Client ID for Mailu
+OIDC_CLIENT_ID={{oidc.client.id}}
+# OpenID Connect Client secret for Mailu
+OIDC_CLIENT_SECRET={{oidc.client.secret}}
+# Label text for OpenID Connect login button. Default: OpenID Connect
+OIDC_BUTTON_NAME=OpenID Connect
+# Disable TLS certificate verification for the OIDC client. Possible values: True, False
+OIDC_VERIFY_SSL=True
+# Enable redirect to OIDC provider for password change. Possible values: True, False
+OIDC_CHANGE_PASSWORD_REDIRECT_ENABLED=True
+# Redirect URL for password change. Defaults to provider issuer url appended by /.well-known/change-password
+OIDC_CHANGE_PASSWORD_REDIRECT_URL={{oidc.client.change_credentials}}
+{% endif %}

roles/docker-mailu/vars/main.yml

@@ -8,3 +8,7 @@ enable_wildcard_certificate:  false
 # Propabldy due to a database migration problem, or dificulties to configure an external db in mailu
 # @todo research
 enable_central_database:      "{{enable_central_database_mailu}}"
+
+# Use dedicated source for oidc if activated  
+# @see https://github.com/heviat/Mailu-OIDC/tree/2024.06
+docker_source:                "{{ 'ghcr.io/heviat' if oidc.enabled | bool else 'ghcr.io/mailu' }}"

roles/docker-mastodon/README.md

@@ -1,16 +1,24 @@
-# docker mastodon
+# 🚀 Docker Mastodon with OIDC Support
 
-## create configuration
+## 📌 Overview
+This project provides a **Docker-based setup for Mastodon**, including full **OIDC (OpenID Connect) authentication support**. It is maintained by **[Kevin Veen-Birkenbach](https://www.veen.world)**.
+
+This README and some parts of the code were created with the assistance of ChatGPT. You can follow the discussion and evolution of this project in [this conversation](https://chatgpt.com/c/67a4e19b-3884-800f-9d45-621dda2a6572).
+
+## ⚙️ Configuration & Setup
+
+### 🔧 Create Configuration
+Run the following command to generate a new configuration setup:
 ```bash
     docker-compose run --rm web bundle exec rake mastodon:setup
 ```
 
-## Setup with existing configuration
+### 🔄 Setup with an Existing Configuration
 ```bash
 docker-compose run --rm web bundle exec rails db:migrate
 ```
 
-## cleanup
+### 🗑️ Cleanup (Remove Instance & Volumes)
 ```bash
 cd {{path_docker_compose_instances}}mastodon/
 docker-compose down
@@ -19,33 +27,45 @@ cd {{path_docker_compose_instances}} &&
 rm -vR {{path_docker_compose_instances}}mastodon
 ```
 
-## access terminal
+### 🔍 Access Mastodon Terminal
 ```bash
 docker-compose exec -it web /bin/bash
 ```
 
-## set rights
+### 🛠️ Set File Permissions
-
+After setting up Mastodon, apply the correct file permissions:
-After setting up mastodon you need to give the rights 
-
 ```bash
 docker-compose exec -it -u root web chown -R 991:991 public
 ```
 
-### Running Database Migrations
+## 📦 Database Management
-
-To ensure all required database tables and structures are in place after an update, you can run database migrations directly within the Mastodon web container. Use the following command:
 
+### 🏗️ Running Database Migrations
+Ensure all required database structures are up to date:
 ```bash
 docker compose exec -it web bash -c "RAILS_ENV=production bin/rails db:migrate"
 ```
 
-This command enters the web container and runs migrations in production mode, updating the database structure to match the current version of the Mastodon software. If your Mastodon web container is named differently in your `docker-compose.yml`, replace `web` with the appropriate container name.
+## 🚀 Performance Optimization
+
+### 🗑️ Delete Cache & Recompile Assets
+```bash
+docker-compose exec web bundle exec rails assets:precompile
+docker-compose restart
+```
+
+This ensures your Mastodon instance is loading the latest assets after updates.
+
+## 🔐 OIDC (OpenID Connect) Authentication Support
+This Mastodon role now **fully supports OpenID Connect (OIDC)**, allowing seamless authentication via identity providers like **Keycloak, Auth0, Google, or other OIDC-compliant services**.
+
+## 📚 Further Reading
+- [Mastodon with Docker & Traefik](https://goneuland.de/mastodon-mit-docker-und-traefik-installieren/)
+- [Mastodon Configuration Guide](https://gist.github.com/TrillCyborg/84939cd4013ace9960031b803a0590c4)
+- [Check Website Availability](https://www.2daygeek.com/linux-command-check-website-is-up-down-alive/)
+- [Personal Mastodon Setup](https://vitobotta.com/2022/11/07/setting-up-a-personal-mastodon-instance/)
+- [Scaling a Mastodon Server](https://www.digitalocean.com/community/tutorials/how-to-scale-your-mastodon-server)
+- [Mastodon GitHub Issues](https://github.com/mastodon/mastodon/issues/7958)
+
 
-## further information
-- https://goneuland.de/mastodon-mit-docker-und-traefik-installieren/
-- https://gist.github.com/TrillCyborg/84939cd4013ace9960031b803a0590c4
-- https://www.2daygeek.com/linux-command-check-website-is-up-down-alive/
-- https://vitobotta.com/2022/11/07/setting-up-a-personal-mastodon-instance/
-- https://www.digitalocean.com/community/tutorials/how-to-scale-your-mastodon-server
 

roles/docker-mastodon/templates/env.j2

@@ -1,3 +1,5 @@
+# @see https://docs.joinmastodon.org/admin/config
+
 LOCAL_DOMAIN={{domain}}
 ALTERNATE_DOMAINS="{{ domains.mastodon_alternates | join(',') }}"
 SINGLE_USER_MODE={{applications.mastodon.single_user_mode}}
@@ -28,3 +30,25 @@ SMTP_FROM_ADDRESS=Mastodon <{{system_email.from}}>
 ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY= {{mastodon_active_record_encryption_deterministic_key}}
 ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT={{mastodon_active_record_encryption_key_derivation_salt}}
 ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY={{mastodon_active_record_encryption_primary_key}}
+
+{% if oidc.enabled | bool %}
+################################### 
+# OpenID Connect settings
+###################################
+# @see https://github.com/mastodon/mastodon/pull/16221
+# @see https://stackoverflow.com/questions/72081776/how-mastodon-configured-login-using-sso
+
+OIDC_ENABLED={{ oidc.enabled | string | lower }}
+OIDC_DISPLAY_NAME="{{primary_domain | upper}} SSO"
+OIDC_ISSUER={{oidc.client.issuer_url}}
+OIDC_DISCOVERY=true
+OIDC_SCOPE="openid,profile,email"
+OIDC_UID_FIELD=preferred_username                       # @see https://stackoverflow.com/questions/72108087/how-to-set-the-username-of-mastodon-by-log-in-via-keycloak
+OIDC_CLIENT_ID={{oidc.client.id}}
+OIDC_REDIRECT_URI=https://{{domain}}/auth/auth/openid_connect/callback
+OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
+OIDC_CLIENT_SECRET={{oidc.client.secret}}
+OMNIAUTH_ONLY=true                                      # uncomment to only use OIDC for login / registration buttons
+ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH=true
+ONE_CLICK_SSO_LOGIN=true
+{% endif %}

roles/docker-nextcloud/tasks/main.yml

@@ -35,4 +35,4 @@
 # @todo activate
 #- name: Include OIDC-specific tasks if OIDC client is active
 #  include_tasks: oidc_tasks.yml
-#  when: oidc_client_active | bool
+#  when: oidc.enabled | bool

roles/docker-nextcloud/tasks/oidc_tasks.yml

@@ -20,7 +20,7 @@
   command: >
     docker-compose exec -u www-data application /var/www/html/occ
     config:app:set sociallogin custom_providers
-    --value='{"custom_oidc":[{"name":"{{domains.keycloak}}","title":"keycloak","authorizeUrl":"{{oidc_client_authorize_url}}","tokenUrl":"{{oidc_client_toke_url}}","displayNameClaim":"","userInfoUrl":"{{oidc_client_user_info_url}}","logoutUrl":"{{oidc_client_logout_url}}","clientId":"{{oidc_client_id}}","clientSecret":"{{oidc_client_secret}}","scope":"openid","groupsClaim":"","style":"","defaultGroup":""}]}'
+    --value='{"custom_oidc":[{"name":"{{domains.keycloak}}","title":"keycloak","authorizeUrl":"{{oidc.client.authorize_url}}","tokenUrl":"{{oidc.client.toke_url}}","displayNameClaim":"","userInfoUrl":"{{oidc.client.user_info_url}}","logoutUrl":"{{oidc.client.logout_url}}","clientId":"{{oidc.client.id}}","clientSecret":"{{oidc.client.secret}}","scope":"openid","groupsClaim":"","style":"","defaultGroup":""}]}'
   # This configuration defines custom OpenID Connect (OIDC) providers for authentication.
   # In this case, it sets up a Keycloak provider with details like URLs for authorization,
   # token retrieval, user info, and logout, as well as the client ID and secret.

roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2

@@ -3,14 +3,14 @@ cookie_secret           =   "{{applications.oauth2_proxy.cookie_secret}}"
 email_domains           =   "{{primary_domain}}"
 cookie_secure           =   "false"
 upstreams               =   "http://{{oauth2_proxy_upstream_application_and_port}}"
-cookie_domains          =   ["{{domain}}", "{{domains.keycloak}}"]                   # Required so cookie can be read on all subdomains.
+cookie_domains          =   ["{{domain}}", "{{domains.keycloak}}"]                  # Required so cookie can be read on all subdomains.
 whitelist_domains       =   [".{{primary_domain}}"]                                 # Required to allow redirection back to original requested target.
 
 # keycloak provider
-client_secret           =   "{{oidc_client_secret}}"
+client_secret           =   "{{oidc.client.secret}}"
-client_id               =   "{{oidc_client_id}}"
+client_id               =   "{{oidc.client.id}}"
 redirect_url            =   "https://{{domain}}/oauth2/callback"
-oidc_issuer_url         =   "{{oidc_client_issuer_url}}"
+oidc_issuer_url         =   "{{oidc.client.issuer_url}}"
 provider                =   "oidc"
 provider_display_name   =   "Keycloak"
 

roles/nginx/README.md

@@ -1,9 +1,22 @@
 # role nginx
+This role sets up an nginx server. It was developed by [Kevin Veen-Birkenbach](https://www.veen.world).
+## Debug
 
-## debug
+### General Debugging
 ```bash 
 journalctl -f -u nginx
 ```
+
+### Detailled Debugging
+Set ``enable_debugenable_debug: true``.
+#### Follow logs of one host
+```bash
+journalctl -u nginx -f | grep "<<hostname>>"
+```
+
+
+### Activate detailled Debugging:
+
 ## performance
 - https://www.monitis.com/blog/6-best-practices-for-optimizing-your-nginx-performance/
 - https://www.nginx.com/blog/tuning-nginx/

roles/nginx/tasks/main.yml

@@ -35,7 +35,6 @@
 
 - name: "include task certbot-matomo.yml"
   include_tasks: certbot-matomo.yml
-  when: run_once_nginx is not defined
   vars:
     domain: "{{primary_domain}}"
   when: run_once_nginx is not defined

roles/nginx/templates/nginx.conf.j2

@@ -17,8 +17,22 @@ http
   # caching
   proxy_cache_path /tmp/cache levels=1:2 keys_zone=cache:20m max_size=20g inactive=14d use_temp_path=off;
 
-  # logs
+  # logging and debugging
+{% if enable_debug | bool %}
+  # individual log format for better debugging
+  log_format debug '$host - $remote_addr [$time_local] '
+                  '"$request" $status $body_bytes_sent '
+                  '"Referer: $http_referer" '
+                  '"User-Agent: $http_user_agent" '
+                  '"ReqTime: $request_time" "UpstreamTime: $upstream_response_time" '
+                  '"ReqLength: $request_length" "BytesSent: $bytes_sent" '
+                  '"ConnRequests: $connection_requests" '
+                  '"X-Forwarded-For: $http_x_forwarded_for" '
+                  '"Scheme: $scheme" "Protocol: $server_protocol" "ServerName: $server_name"';
+  access_log syslog:server=unix:/dev/log debug;
+{% else %}
   access_log syslog:server=unix:/dev/log;
+{% endif %}
   error_log syslog:server=unix:/dev/log;
 
   sendfile on;

templates/docker/compose/networks.yml.j2

@@ -4,8 +4,9 @@ networks:
   central_{{ database_type }}:
     external: true
 {% endif %}
-{% if ldap_network_enabled %}
+{% if ldap_network_enabled | bool %}
   central_ldap:
+    external: true
 {% endif %}
   default:
 {% if application_id in networks.local and networks.local[application_id].subnet is defined %}

templates/docker/container/networks.yml.j2

@@ -3,7 +3,7 @@
 {% if enable_central_database | bool and database_type is defined %}
       central_{{ database_type }}:
 {% endif %}
-{% if ldap_network_enabled %}
+{% if ldap_network_enabled | bool %}
       central_ldap:
 {% endif %}
       default: