computer-playbook/roles/web-app-openwebui/templates/env.j2
Kevin Veen-Birkenbach f4cf55b3c8 Open WebUI OIDC & proxy fixes + Ollama preload + async-safe pull
- svc-ai-ollama:
  - Add preload_models (llama3, mistral, nomic-embed-text)
  - Pre-pull task: loop_var=model, async-safe changed_when/failed_when

- sys-svc-proxy (OpenResty):
  - Forward Authorization header
  - Ensure proxy_pass_request_headers on

- web-app-openwebui:
  - ADMIN_EMAIL from users.administrator.email
  - Request RBAC group scope in OAUTH_SCOPES

Ref: ChatGPT support (2025-09-23) — https://chatgpt.com/share/68d20588-2584-800f-aed4-26ce710c69c4
2025-09-23 04:27:46 +02:00

# Documentation: https://docs.openwebui.com/getting-started/env-configuration/
# =========================
# Open WebUI Base Settings
# =========================
OLLAMA_BASE_URL={{ OLLAMA_BASE_LOCAL_URL }}
OFFLINE_MODE={{ OPENWEBUI_OFFLINE_MODE | ternary(1, 0) }}
HF_HUB_OFFLINE={{ OPENWEBUI_HF_HUB_OFFLINE | ternary(1, 0) }}
ENABLE_PERSISTENT_CONFIG=false
# =========================
# Bootstrap Admin Account
# =========================
# Use this to automatically assign the first admin in a fresh installation.
# The specified email will be promoted to ADMIN on first login.
# After initial setup you can remove this block and manage admins via the UI.
ADMIN_EMAIL={{ users.administrator.email }}
# If enabled, the pending-activation page will display the admin's email address
# so new users know who to contact for access.
SHOW_ADMIN_DETAILS=true
{% if OPENWEBUI_OIDC_ENABLED %}
# =========================
# OIDC / OAuth2 Settings
# =========================
# Enable sign-up/login via OIDC provider
ENABLE_OAUTH_SIGNUP=true
DEFAULT_USER_ROLE=user
# Client credentials (must match Keycloak client)
OAUTH_CLIENT_ID={{ OIDC.CLIENT.ID }}
OAUTH_CLIENT_SECRET={{ OIDC.CLIENT.SECRET }}
# Well-known configuration URL from Keycloak
OPENID_PROVIDER_URL={{ OIDC.CLIENT.DISCOVERY_DOCUMENT }}
# Redirect URI (must match what is configured in Keycloak client)
OPENID_REDIRECT_URI={{ OPENWEBUI_OIDC_REDIRECT_URL }}
# Display name of the provider in the login button
OAUTH_PROVIDER_NAME={{ OIDC.BUTTON_TEXT }}
# Scopes to request (openid is required; email/profile recommended)
OAUTH_SCOPES=openid email profile {{ RBAC.GROUP.CLAIM }}
# =========================
# Optional: Role Management
# =========================
# Enable automatic role mapping from token claims
ENABLE_OAUTH_ROLE_MANAGEMENT=true
OAUTH_ROLES_CLAIM={{ RBAC.GROUP.CLAIM }}
# OAUTH_ALLOWED_ROLES=user
OAUTH_ADMIN_ROLES={{ OPENWEBUI_OIDC_ADMIN_GROUP }}
# =========================
# Optional: Group Management
# =========================
# ENABLE_OAUTH_GROUP_MANAGEMENT=true
# ENABLE_OAUTH_GROUP_CREATION=false
# OAUTH_GROUP_CLAIM={{ RBAC.GROUP.CLAIM }}
{% endif %}
{% if OPENWEBUI_LDAP_ENABLED %}
# =========================
# LDAP Authentication
# =========================
# Enable LDAP login in parallel to OIDC (both can coexist)
ENABLE_LDAP=true
# --- Server Settings ---
# Label shown in the UI (optional)
LDAP_SERVER_LABEL=OpenLDAP
# Hostname/IP and port from your global LDAP settings
LDAP_SERVER_HOST={{ LDAP.SERVER.DOMAIN }}
LDAP_SERVER_PORT={{ LDAP.SERVER.PORT }}
# TLS: set to true for StartTLS or LDAPS (maps from your SECURITY setting)
# SECURITY can be "", "TLS" or "SSL" in your mapping; treat TLS/SSL as true
LDAP_USE_TLS={{ ('true' if (LDAP.SERVER.SECURITY | upper) in ['TLS','SSL'] else 'false') }}
# Certificate validation (set to true if you use a proper CA; false for self-signed/dev)
LDAP_VALIDATE_CERT={{ ('true' if (LDAP.SERVER.SECURITY | upper) in ['TLS','SSL'] else 'false') }}
# --- Bind Credentials (app/service account) ---
LDAP_APP_DN={{ LDAP.DN.ADMINISTRATOR.DATA }}
LDAP_APP_PASSWORD={{ LDAP.BIND_CREDENTIAL }}
# --- User Schema / Search ---
# Base DN for user search
LDAP_SEARCH_BASE={{ LDAP.DN.ROOT }}
# Attribute used as login name (uid / sAMAccountName / mail, etc.)
LDAP_ATTRIBUTE_FOR_USERNAME={{ LDAP.USER.ATTRIBUTES.ID }}
# Attribute for email address
LDAP_ATTRIBUTE_FOR_MAIL={{ LDAP.USER.ATTRIBUTES.MAIL }}
# Search filter with placeholder for username
LDAP_SEARCH_FILTER=({{ LDAP.USER.ATTRIBUTES.ID }}=%(user)s)
{% endif %}
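A small lint for the rendered .env, added here as an example and not part of the playbook: it parses the KEY=VALUE output and checks the invariants this template relies on (a non-empty client secret when OIDC sign-up is on, the roles claim also listed in OAUTH_SCOPES as the template does with RBAC.GROUP.CLAIM, and certificate validation on whenever LDAP TLS is on). The sample env and all its values are constructed placeholders.

```python
# Constructed sample of what the template renders to; it deliberately
# contains three weaknesses that check_env() should report.
SAMPLE_ENV = """\
ADMIN_EMAIL=admin@example.invalid
ENABLE_OAUTH_SIGNUP=true
OAUTH_CLIENT_ID=openwebui
OAUTH_CLIENT_SECRET=
OAUTH_SCOPES=openid email profile
ENABLE_OAUTH_ROLE_MANAGEMENT=true
OAUTH_ROLES_CLAIM=groups
OAUTH_ADMIN_ROLES=/roles/openwebui-admin
ENABLE_LDAP=true
LDAP_USE_TLS=true
LDAP_VALIDATE_CERT=false
LDAP_APP_PASSWORD=s3cret
"""

def parse_env(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines; '#' comments and blank lines are skipped."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env

def truthy(value: str) -> bool:
    # Open WebUI accepts 1/true/yes style booleans; everything else is false.
    return value.strip().lower() in ("1", "true", "yes")

def check_env(env: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the env passes."""
    findings: list[str] = []
    if not env.get("ADMIN_EMAIL"):
        findings.append("ADMIN_EMAIL is empty: no bootstrap admin will be promoted")
    if truthy(env.get("ENABLE_OAUTH_SIGNUP", "")):
        for key in ("OAUTH_CLIENT_ID", "OAUTH_CLIENT_SECRET"):
            if not env.get(key):
                findings.append(f"{key} is empty while OIDC sign-up is enabled")
        if truthy(env.get("ENABLE_OAUTH_ROLE_MANAGEMENT", "")):
            # The template requests the group claim as a scope so the IdP emits it.
            claim = env.get("OAUTH_ROLES_CLAIM", "")
            if claim and claim not in env.get("OAUTH_SCOPES", "").split():
                findings.append(f"OAUTH_ROLES_CLAIM '{claim}' is not requested in OAUTH_SCOPES")
    if truthy(env.get("ENABLE_LDAP", "")):
        if truthy(env.get("LDAP_USE_TLS", "")) and not truthy(env.get("LDAP_VALIDATE_CERT", "")):
            findings.append("LDAP_USE_TLS=true but LDAP_VALIDATE_CERT=false: server cert is not verified")
        if not env.get("LDAP_APP_PASSWORD"):
            findings.append("LDAP_APP_PASSWORD is empty")
    return findings
```

Run `check_env(parse_env(open(".env").read()))` against the file the role renders; the sample above yields exactly three findings.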