computer-playbook/group_vars/all/09_networks.yml
Kevin Veen-Birkenbach 26dfab147d Implement reserved username handling for users, LDAP and Keycloak
Add end-to-end support for reserved usernames and tighten CAPTCHA / Keycloak logic.

Changes:

- Makefile: rename EXTRA_USERS → RESERVED_USERNAMES and pass it as --reserved-usernames to the users defaults generator.

- cli/build/defaults/users.py: propagate  flag into generated users, add --reserved-usernames CLI option and mark listed accounts as reserved.

- Add reserved_users filter plugin with  and  helpers for Ansible templates and tasks.

- Add unit tests for reserved_users filters and the new reserved-usernames behaviour in the users defaults generator.

- group_vars/all/00_general.yml: harden RECAPTCHA_ENABLED / HCAPTCHA_ENABLED checks with default('') and explicit > 0 length checks.

- svc-db-openldap: introduce OPENLDAP_PROVISION_* flags, add OPENLDAP_PROVISION_RESERVED and OPERNLDAP_USERS to optionally exclude reserved users from provisioning.

- svc-db-openldap templates/tasks: switch role/group LDIF and user import loops to use OPERNLDAP_USERS instead of the full users dict.

- networks: assign dedicated subnet for web-app-roulette-wheel.

- web-app-keycloak vars: compute KEYCLOAK_RESERVED_USERNAMES_LIST and KEYCLOAK_RESERVED_USERNAMES_REGEX from users | reserved_usernames.

- web-app-keycloak user profile template: inject reserved-username regex into username validation pattern and improve error message, fix SSH public key attribute usage and add component name field.

- web-app-keycloak update/_update.yml: strip subComponents from component payloads before update and disable async/poll for easier debugging.

- web-app-keycloak tasks/main.yml: guard cleanup include with MODE_CLEANUP and keep reCAPTCHA update behind KEYCLOAK_RECAPTCHA_ENABLED.

- user/users defaults: mark system/service accounts (root, daemon, mail, admin, webmaster, etc.) as reserved so they cannot be chosen as login names.

- svc-prx-openresty vars: simplify OPENRESTY_CONTAINER lookup by dropping unused default parameter.

- sys-ctl-rpr-btrfs-balancer: simplify main.yml by removing the extra block wrapper.

- sys-daemon handlers: quote handler name for consistency.

Context: change set discussed and refined in ChatGPT on 2025-11-29 (Infinito.Nexus reserved usernames & Keycloak user profile flow). See conversation: https://chatgpt.com/share/692b21f5-5d98-800f-8e15-1ded49deddc9
2025-11-29 17:40:45 +01:00

141 lines
4.1 KiB
YAML

defaults_networks:
  internet:
    ip4: "127.0.0.1" # Change this in the inventory to the IPv4 address of your server
    ip6: "::01"      # Change this in the inventory to the IPv6 address of your server
  local:
    # Docker's default address pools hand out large subnets that tend to overlap.
    # For this reason every application gets its own network of 16 addresses,
    # which is sufficient for most cases.
    # /28 networks, 14 usable host addresses
    web-app-akaunting:
      subnet: 192.168.101.0/28
    web-app-confluence:
      subnet: 192.168.101.16/28
    web-app-baserow:
      subnet: 192.168.101.32/28
    web-app-mobilizon:
      subnet: 192.168.101.48/28
    web-app-bluesky:
      subnet: 192.168.101.64/28
    web-app-friendica:
      subnet: 192.168.101.80/28
    web-app-funkwhale:
      subnet: 192.168.101.96/28
    web-app-gitea:
      subnet: 192.168.101.112/28
    web-app-gitlab:
      subnet: 192.168.101.128/28
    web-app-joomla:
      subnet: 192.168.101.144/28
    web-app-keycloak:
      subnet: 192.168.101.160/28
    web-app-wordpress:
      subnet: 192.168.101.176/28
    web-app-listmonk:
      subnet: 192.168.101.192/28
    web-app-jira:
      subnet: 192.168.101.208/28
    web-app-matomo:
      subnet: 192.168.101.224/28
    web-app-mastodon:
      subnet: 192.168.101.240/28
    web-app-matrix:
      subnet: 192.168.102.0/28
    web-app-mailu:
      # Use one of the last host addresses of the subnet for the DNS resolver
      # so that it is not handed out to a regular container.
      dns_resolver: 192.168.102.29
      subnet: 192.168.102.16/28
    web-app-moodle:
      subnet: 192.168.102.32/28
    web-app-bookwyrm:
      subnet: 192.168.102.48/28
    web-app-nextcloud:
      subnet: 192.168.102.64/28
    web-app-openproject:
      subnet: 192.168.102.80/28
    web-app-peertube:
      subnet: 192.168.102.96/28
    web-app-phpmyadmin:
      subnet: 192.168.102.112/28
    web-app-pixelfed:
      subnet: 192.168.102.128/28
    web-app-pgadmin:
      subnet: 192.168.102.144/28
    web-app-snipe-it:
      subnet: 192.168.102.160/28
    web-app-taiga:
      subnet: 192.168.102.176/28
    web-app-yourls:
      subnet: 192.168.102.192/28
    web-app-discourse:
      subnet: 192.168.102.208/28
    web-app-sphinx:
      subnet: 192.168.102.224/28
    web-app-lam:
      subnet: 192.168.103.0/28
    web-app-phpldapadmin:
      subnet: 192.168.103.16/28
    web-app-fusiondirectory:
      subnet: 192.168.103.32/28
    web-app-navigator:
      subnet: 192.168.103.48/28
    web-app-espocrm:
      subnet: 192.168.103.64/28
    web-app-syncope:
      subnet: 192.168.103.80/28
    web-svc-collabora:
      subnet: 192.168.103.96/28
    web-svc-simpleicons:
      subnet: 192.168.103.112/28
    web-svc-libretranslate:
      subnet: 192.168.103.128/28
    web-app-pretix:
      subnet: 192.168.103.144/28
    web-app-mig:
      subnet: 192.168.103.160/28
    web-svc-logout:
      subnet: 192.168.103.176/28
    web-app-chess:
      subnet: 192.168.103.192/28
    web-app-magento:
      subnet: 192.168.103.208/28
    web-app-bridgy-fed:
      subnet: 192.168.103.224/28
    web-app-xwiki:
      subnet: 192.168.103.240/28
    web-app-openwebui:
      subnet: 192.168.104.0/28
    web-app-flowise:
      subnet: 192.168.104.16/28
    web-app-minio:
      subnet: 192.168.104.32/28
    web-svc-coturn:
      subnet: 192.168.104.48/28
    web-app-mini-qr:
      subnet: 192.168.104.64/28
    web-app-shopware:
      subnet: 192.168.104.80/28
    web-svc-onlyoffice:
      subnet: 192.168.104.96/28
    web-app-suitecrm:
      subnet: 192.168.104.112/28
    web-app-littlejs:
      subnet: 192.168.104.128/28
    web-app-roulette-wheel:
      subnet: 192.168.104.144/28
    # /24 networks, 254 usable host addresses
    web-app-bigbluebutton:
      # This entry is not used by the role. It is registered here to document
      # which network BigBlueButton uses and to avoid conflicts with it.
      subnet: 10.7.7.0/24
    svc-db-postgres:
      subnet: 192.168.200.0/24
    svc-db-mariadb:
      subnet: 192.168.201.0/24
    svc-db-openldap:
      subnet: 192.168.202.0/24
    svc-ai-ollama:
      subnet: 192.168.203.0/24 # Large network so that applications can be bridged into the AI service