mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-12-10 11:26:24 +00:00

Files

Kevin Veen-Birkenbach 716ebef33b Refactor task includes and update variable handling for Ansible 2.20 migration

This commit updates multiple roles to ensure compatibility with Ansible 2.20.
Several include paths and task-loading mechanisms required adjustments,
as Ansible 2.20 applies stricter evaluation rules for complex Jinja expressions
and no longer resolves certain relative include paths the way Ansible 2.18 did.

Key changes:
- Replaced legacy once_finalize.yml and once_flag.yml with the new structure
  under tasks/utils/once/finalize.yml and tasks/utils/once/flag.yml.
- Updated all include_tasks statements to use 'path_join' with playbook_dir,
  ensuring deterministic and absolute file resolution across roles.
- Fixed all network helper includes by converting direct relative paths such as
  'roles/docker-compose/tasks/utils/network.yml' to proper Jinja-evaluated paths.
- Normalized MATOMO_* variable names for consistency with the updated variable
  scope behavior in Ansible 2.20.
- Removed deprecated patterns that were implicitly supported in Ansible 2.18
  but break under the more strict variable and path resolution model in 2.20.

These changes are part of the full migration step required to ensure the
infinito-nexus roles remain stable, deterministic, and forward-compatible with
Ansible 2.20.

Details of the discussion and reasoning can be found in this conversation:
https://chatgpt.com/share/69300a8d-24d4-800f-bec0-e895a695618a

2025-12-03 11:02:34 +01:00

config

CSP (Safari-safe): merge -elem/-attr into base; respect explicit disables; no mirror-back; header only for documents/workers

2025-10-22 13:53:06 +02:00

filter_plugins

…

README.md

web-svc-logout

This folder contains an Ansible role to deploy and configure the Universal Logout Service.

Description

This role sets up the universal logout proxy service, a Dockerized Python Flask container that coordinates logout requests across multiple OIDC-integrated applications. It also configures the necessary Nginx proxy snippets and environment variables to enable unified logout flows.

It solves the common challenge of logging a user out from all connected apps with a single action, especially in environments where apps live on multiple subdomains and use OIDC authentication.

Overview

Deploys the universal logout service container based on the official universal-logout GitHub repository.
Configures the logout domains dynamically based on application inventory and features using custom Ansible filters.
Provides an Nginx /logout proxy configuration snippet that handles CORS and forwards logout requests to the logout service.
Supplies a user-friendly logout conductor UI that requests logout on all configured domains and shows live status.
Designed to be used as the Front Channel Logout URL for Keycloak or other OpenID Connect providers, enabling a seamless, service-spanning logout experience.

Features

Automatic discovery of logout domains from applications with the features.logout flag enabled.
Centralized logout proxy that clears cookies and sessions across all configured subdomains.
Status page with live feedback on logout progress for each domain.
Built-in support for Docker Compose deployment and integration with the Infinito.Nexus ecosystem.
Includes security-conscious headers (CORS, CSP) for smooth cross-domain logout operations.

Further Resources

This role is licensed under the Infinito.Nexus NonCommercial License.