
14 changed files with 62 additions and 151 deletions


@@ -27,3 +27,7 @@ server:
domains:
canonical:
- lab.git.{{ PRIMARY_DOMAIN }}
csp:
flags:
script-src-elem:
unsafe-inline: true
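Review bot: The `csp:` stanza this hunk adds turns on `unsafe-inline` for `script-src-elem`, which permits any inline `<script>` element, including an injected one, and so removes the main XSS protection that a script-src policy provides; the same flag is added in the two hCaptcha sections further down (the hunk ending at the `docker:`/`database:` context and the one ending at `domains:`). If a specific inline script is genuinely required, a hash or nonce entry keeps the restriction; if the allowlisted origins already cover what the page loads, the flag can be dropped. At minimum a comment should name the script that needs it, e.g. `# unsafe-inline needed for: <inline script name> — TODO replace with a hash/nonce`. The enclosing `server:` mapping starts before the hunk.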


@@ -11,7 +11,7 @@
# (Optional) specifically wait for the CLI installer script
- name: "Check for CLI installer"
command:
argv: [ docker, exec, "{{ JOOMLA_CONTAINER }}", test, -f, /var/www/html/installation/joomla.php ]
argv: [ docker, exec, "{{ JOOMLA_CONTAINER }}", test, -f, "{{ JOOMLA_INSTALLER_CLI_FILE }}" ]
register: has_installer
changed_when: false
failed_when: false
@@ -32,7 +32,7 @@
- exec
- "{{ JOOMLA_CONTAINER }}"
- php
- /var/www/html/installation/joomla.php
- "{{ JOOMLA_INSTALLER_CLI_FILE }}"
- install
- "--db-type={{ JOOMLA_DB_CONNECTOR }}"
- "--db-host={{ database_host }}"


@@ -0,0 +1,18 @@
---
# Reset Joomla admin password via CLI (inside the container)
- name: "Reset Joomla admin password (non-interactive CLI)"
command:
argv:
- docker
- exec
- "{{ JOOMLA_CONTAINER }}"
- php
- "{{ JOOMLA_CLI_FILE }}"
- user:reset-password
- "--username"
- "{{ JOOMLA_USER_NAME }}"
- "--password"
- "{{ JOOMLA_USER_PASSWORD }}"
register: j_password_reset
no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
changed_when: j_password_reset.rc == 0
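Review bot: `changed_when: j_password_reset.rc == 0` makes this task report changed on every run, because the `command` module already fails the task on a non-zero rc, so the reset is neither idempotent nor conditional on anything. The password is also passed on the command line (`--password "{{ JOOMLA_USER_PASSWORD }}"`), where it is visible to anyone able to list processes in the container or on the host regardless of `no_log`; and `no_log` itself only masks the task output while `MASK_CREDENTIALS_IN_LOGS` is true, so for this task `no_log: true` unconditionally is the safer choice. If the Joomla CLI can take the password from stdin or an environment variable, prefer that path; otherwise state the argv exposure in the header comment so the trade-off is recorded. Run the task only when a reset is actually requested rather than on every play.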


@@ -24,3 +24,7 @@
- name: Include assert routines
include_tasks: "04_assert.yml"
when: MODE_ASSERT | bool
- name: Reset Admin Password
include_tasks: 05_reset_admin_password.yml
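Review bot: The new `Reset Admin Password` include carries no `when:`, so the admin password is reset on every play, whereas the sibling `Include assert routines` entry is gated by `MODE_ASSERT | bool`. Gate it on the mode or flag that is meant to trigger a reset, e.g. `when: <reset-requested condition>`. For consistency with the surrounding entries, quote both the name and the file: `- name: "Reset Admin Password"` / `include_tasks: "05_reset_admin_password.yml"`.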


@@ -13,6 +13,8 @@ JOOMLA_DOMAINS: "{{ applications | get_app_conf(application_id
JOOMLA_SITE_NAME: "{{ SOFTWARE_NAME }} Joomla - CMS"
JOOMLA_DB_CONNECTOR: "{{ 'pgsql' if database_type == 'postgres' else 'mysqli' }}"
JOOMLA_CONFIG_FILE: "/var/www/html/configuration.php"
JOOMLA_INSTALLER_CLI_FILE: "/var/www/html/installation/joomla.php"
JOOMLA_CLI_FILE: "/var/www/html/cli/joomla.php"
# User
JOOMLA_USER_NAME: "{{ users.administrator.username }}"
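Review bot: The two new path variables `JOOMLA_INSTALLER_CLI_FILE` and `JOOMLA_CLI_FILE` sit under no heading although the group right after them is labelled `# User`, so the file's grouping convention is broken for the new entries. A one-line heading above `JOOMLA_CONFIG_FILE`, e.g. `# Paths inside the container`, would keep the layout consistent and tell a reader that these are container-side paths used by the `docker exec` tasks.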


@@ -13,6 +13,16 @@ server:
aliases: []
status_codes:
default: 404
csp:
flags:
script-src-elem:
unsafe-inline: true
whitelist:
script-src-elem:
- "https://www.hcaptcha.com"
- "https://js.hcaptcha.com"
frame-src:
- "https://newassets.hcaptcha.com/"
docker:
services:
database:
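Review bot: The `frame-src` entry `"https://newassets.hcaptcha.com/"` carries a trailing slash while the `script-src-elem` entries do not; in CSP a host-source whose path is `/` is a prefix match for the whole origin, so it behaves like the bare origin, but the mixed form invites a later "fix" in either direction. Use one form throughout, e.g. `- "https://newassets.hcaptcha.com"`; the same applies to the hCaptcha `frame-src` entry in the collabora section below. The enclosing `server:` mapping starts outside the hunk.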


@@ -9,6 +9,9 @@ server:
script-src-attr:
unsafe-eval: true
whitelist:
script-src-elem:
- "https://www.hcaptcha.com"
- "https://js.hcaptcha.com"
font-src:
- "data:"
connect-src:
@@ -19,6 +22,7 @@ server:
frame-src:
- "{{ WEBSOCKET_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}"
- "{{ WEB_PROTOCOL }}://collabora.{{ PRIMARY_DOMAIN }}"
- "https://newassets.hcaptcha.com/"
worker-src:
- "blob:"
domains:


@@ -7,6 +7,9 @@
command: "{{ NEXTCLOUD_DOCKER_EXEC_OCC }} maintenance:repair --include-expensive"
register: occ_repair
changed_when: "'No repairs needed' not in occ_repair.stdout"
retries: 3
delay: 10
until: occ_repair.rc == 0
- name: Nextcloud | App update (retry once)
command: "{{ NEXTCLOUD_DOCKER_EXEC_OCC }} app:update --all"
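Review bot: The `retries: 3` / `delay: 10` / `until: occ_repair.rc == 0` added to the repair task has no comment saying which transient failure it works around, and the Redis readiness wait added in the section below may already remove that cause. Add a why-comment above `retries:`, e.g. `# occ exits non-zero while <dependency> is still starting; retry briefly`, or drop the retries if the readiness wait is the actual fix, since re-running `maintenance:repair --include-expensive` three times is costly. The task's `name:` line is outside the hunk.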


@@ -16,6 +16,13 @@
- name: Flush all handlers immediately so that occ can be used
meta: flush_handlers
- name: Wait until Redis is ready (PONG)
command: "docker exec {{ NEXTCLOUD_REDIS_CONTAINER }} redis-cli ping"
register: redis_ping
retries: 60
delay: 2
until: (redis_ping.stdout | default('')) is search('PONG')
- name: Update\Upgrade Nextcloud
include_tasks: 03_upgrade.yml
when: MODE_UPDATE | bool
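Review bot: The `Wait until Redis is ready (PONG)` task runs a read-only probe (`redis-cli ping`) through `command` without `changed_when: false`, so every play reports a change for it. Add `changed_when: false` next to `register: redis_ping`. The `until:` with 60 retries should also cover the container not yet accepting `docker exec`, which is fine, but the final error on exhaustion will be the raw docker message, so a short comment above the task saying what "ready" means here would help the next reader.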


@@ -141,4 +141,7 @@ NEXTCLOUD_DOCKER_USER: "www-data" # Name of the www-data user
## Execution
NEXTCLOUD_INTERNAL_OCC_COMMAND: "{{ [ NEXTCLOUD_DOCKER_WORK_DIRECTORY, 'occ'] | path_join }}"
NEXTCLOUD_DOCKER_EXEC: "docker exec -u {{ NEXTCLOUD_DOCKER_USER }} {{ NEXTCLOUD_CONTAINER }}" # General execute composition
NEXTCLOUD_DOCKER_EXEC_OCC: "{{ NEXTCLOUD_DOCKER_EXEC }} {{ NEXTCLOUD_INTERNAL_OCC_COMMAND }}" # Execute docker occ command
NEXTCLOUD_DOCKER_EXEC_OCC: "{{ NEXTCLOUD_DOCKER_EXEC }} {{ NEXTCLOUD_INTERNAL_OCC_COMMAND }}" # Execute docker occ command
## Redis
NEXTCLOUD_REDIS_CONTAINER: "{{ entity_name }}-redis"
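Review bot: `NEXTCLOUD_DOCKER_EXEC_OCC` appears twice in this hunk (the two identical lines before `## Redis`), and the hunk counts (`-141,4 +141,7`, no deletions) suggest the second copy is an addition rather than a rendered old/new pair. Duplicate mapping keys are invalid in YAML 1.2 and most loaders silently keep the last value (Ansible's loader typically only warns), so delete the extra line. Also give the new `NEXTCLOUD_REDIS_CONTAINER` an inline comment like its siblings, e.g. `NEXTCLOUD_REDIS_CONTAINER: "{{ entity_name }}-redis"  # Redis container probed before occ runs`.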


@@ -36,12 +36,6 @@
- name: Load setup procedures for extensions
include_tasks: 04_extensions.yml
- name: "Set authentication service according to feature toggles"
include_tasks: 05_set_authservice.yml
- name: "Run AuthDiag (temporary)"
include_tasks: _auth_diag.yml
- block:
- name: "Create Final Docker Compose File"
template:


@@ -1,73 +0,0 @@
---
# Sets XWikiPreferences.authenticationService to modern component hint (standard, oidc, ldap)
- name: "XWIKI | Compute target authservice hint"
set_fact:
_target_authservice: >-
{{
'oidc' if (XWIKI_OIDC_ENABLED | bool)
else ('ldap' if (XWIKI_LDAP_ENABLED | bool)
else 'standard')
}}
- name: "XWIKI | PUT Groovy page SetAuthService"
uri:
url: "{{ [XWIKI_REST_XWIKI_PAGES, 'SetAuthService'] | url_join }}"
method: PUT
user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
force_basic_auth: true
status_code: [200,201,202,204]
headers:
Content-Type: "application/xml"
Accept: "application/xml"
body: |
<page xmlns="http://www.xwiki.org">
<title>SetAuthService</title>
<content><![CDATA[
{% raw %}{{groovy}}{% endraw %}
try {
def doc = xwiki.getDocument('XWiki.XWikiPreferences')
def obj = doc.getObject('XWiki.XWikiPreferences', true)
obj.set('authenticationService', '{{ _target_authservice }}')
def engine = xcontext.context.getWiki()
engine.saveDocument(doc.getDocument(), "Set authentication service to {{ _target_authservice }}", true, xcontext.context)
print "OK::{{ _target_authservice }}"
} catch (Throwable t) {
print "ERROR::" + (t?.message ?: t?.toString())
}
{% raw %}{{/groovy}}{% endraw %}
]]></content>
<syntax>xwiki/2.1</syntax>
</page>
register: _put_auth_page
- name: "XWIKI | Execute SetAuthService"
uri:
url: "http://127.0.0.1:{{ XWIKI_HOST_PORT }}/bin/view/XWiki/SetAuthService?xpage=plain"
method: GET
user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
force_basic_auth: true
status_code: [200]
return_content: yes
register: _exec_auth_page
retries: 10
delay: 3
until: _exec_auth_page is succeeded
- name: "ASSERT | Auth service set"
assert:
that:
- _exec_auth_page.content is search("OK::")
fail_msg: "Failed to set XWikiPreferences.authenticationService: {{ _exec_auth_page.content | default('no content') }}"
- name: "XWIKI | Delete SetAuthService page"
uri:
url: "{{ [XWIKI_REST_XWIKI_PAGES, 'SetAuthService'] | url_join }}"
method: DELETE
user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
force_basic_auth: true
status_code: [204,200,202,404]
changed_when: false


@@ -1,68 +0,0 @@
# roles/web-app-xwiki/tasks/_auth_diag.yml
- name: "XWIKI | PUT page XWiki.AuthDiag (Groovy)"
uri:
url: "{{ [XWIKI_REST_XWIKI_PAGES, 'AuthDiag'] | url_join }}"
method: PUT
user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
force_basic_auth: true
status_code: [200,201,202,204]
headers:
Content-Type: "application/xml"
Accept: "application/xml"
body: |
<page xmlns="http://www.xwiki.org">
<title>AuthDiag</title>
<content><![CDATA[
{% raw %}{{groovy}}{% endraw %}
import org.xwiki.security.authservice.AuthService
try {
def cm = services.component.componentManager
def hints = cm.getComponentDescriptorList(AuthService).collect{ it.roleHint }.sort()
def doc = xwiki.getDocument('XWiki.XWikiPreferences')
def obj = doc.getObject('XWiki.XWikiPreferences', true)
def pref = (obj.get('authenticationService') ?: 'unset')
println "HINTS::" + hints
println "PREF::" + pref
def chosenHint = (pref ?: 'standard')
def hasChosen = hints.contains(chosenHint)
println "HAS_CHOSEN::" + hasChosen + "::" + chosenHint
} catch (Throwable t) {
println "ERROR::" + (t?.message ?: t?.toString())
}
{% raw %}{{/groovy}}{% endraw %}
]]></content>
<syntax>xwiki/2.1</syntax>
</page>
register: _put_authdiag
changed_when: false
- name: "XWIKI | Run AuthDiag"
uri:
url: "http://127.0.0.1:{{ XWIKI_HOST_PORT }}/bin/view/XWiki/AuthDiag?xpage=plain"
method: GET
user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
force_basic_auth: true
status_code: [200]
return_content: yes
register: _authdiag_run
changed_when: false
- name: "DEBUG | AuthDiag output"
debug:
msg: "{{ _authdiag_run.content | regex_replace('<[^>]+>', '') | trim }}"
# Optional sauber machen:
- name: "XWIKI | DELETE AuthDiag page"
uri:
url: "{{ [XWIKI_REST_XWIKI_PAGES, 'AuthDiag'] | url_join }}"
method: DELETE
user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
force_basic_auth: true
status_code: [204,200,202,404]
changed_when: false


@@ -8,9 +8,11 @@
- "127.0.0.1:{{ XWIKI_HOST_PORT }}:{{ container_port }}"
environment:
JAVA_OPTS: >-
{% if xwiki_oidc_enabled_switch | bool %}
{% if xwiki_oidc_enabled_switch| bool %}
-Dxwiki.authentication.authservice=oidc
-Dxwiki.authentication.authclass=org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl
{% elif xwiki_ldap_enabled_switch | bool %}
-Dxwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
-Dxwiki.authentication.authservice=ldap
-Dxwiki.authentication.ldap=1
-Dxwiki.authentication.ldap.trylocal={{ (XWIKI_LDAP_TRYLOCAL | bool) | ternary(1, 0) }}
@@ -25,6 +27,7 @@
-Dxwiki.authentication.ldap.update_user=1
{% else %}
-Dxwiki.authentication.authservice=standard
-Dxwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl
{% endif %}
volumes:
- "{{ XWIKI_HOST_PROPERTIES_PATH }}:/usr/local/tomcat/webapps/ROOT/WEB-INF/xwiki.properties"
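Review bot: The two adjacent `{% if xwiki_oidc_enabled_switch | bool %}` / `{% if xwiki_oidc_enabled_switch| bool %}` lines differ only by the space before `|`; whichever side is the new one, the spaced form should survive to match `{% elif xwiki_ldap_enabled_switch | bool %}` further down, i.e. `{% if xwiki_oidc_enabled_switch | bool %}`. With this change each of the oidc, ldap and standard branches sets both `-Dxwiki.authentication.authservice` and `-Dxwiki.authentication.authclass`, which is consistent, but nothing records that these must be kept together; a comment above `JAVA_OPTS:` such as `# each auth branch sets the authservice/authclass pair together; keep them in sync` would help. The `environment:` mapping continues past the second hunk.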