Post-Tyranny-Tech-Infrastru.../ansible/roles/zitadel/tasks/oidc-apps.yml
Pieter 48ef4da920 Fix Zitadel deployment by removing FirstInstance variables
- Remove all ZITADEL_FIRSTINSTANCE_* environment variables
- Fixes migration error: duplicate key constraint violation
- Root cause: Bug in Zitadel v2.63.7 FirstInstance migration
- Workaround: Complete initial setup via web UI
- Upstream issue: https://github.com/zitadel/zitadel/issues/8791

Changes:
- Clean up obsolete documentation (OIDC_AUTOMATION.md, SETUP_GUIDE.md, COLLABORA_SETUP.md)
- Add PROJECT_REFERENCE.md for essential configuration info
- Add force recreate functionality with clean database volumes
- Update bootstrap instructions for web UI setup
- Document one-time manual setup requirement for OIDC automation

Zitadel now deploys successfully and is accessible at:
https://zitadel.test.vrije.cloud

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-06 16:43:57 +01:00


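---
# OIDC application creation tasks via Zitadel API.
#
# Provisions the Nextcloud OIDC app through /opt/zitadel/zitadel_api.py, using
# the machine-user JWT key that lives at /machinekey/api-automation.json inside
# the zitadel container, then registers Zitadel as an OIDC provider in
# Nextcloud via occ.
#
# Variables expected from the play or role defaults (not defined here):
#   zitadel_domain  - public hostname of the Zitadel instance
#   client_domain   - base domain; Nextcloud is served at nextcloud.<client_domain>
#
# Handling of secrets in this file:
#   - The JWT key is an API credential for Zitadel. It is staged on the host
#     only inside a private temporary directory (mkdtemp, owner-only access),
#     only for the duration of the API call, and removed in an `always`
#     section so a failing API call cannot leave it behind.
#   - Every task whose result carries the client secret (script stdout, the
#     parsed JSON fact, the occ invocation) is marked no_log so the secret
#     does not reach playbook output or callback plugins.

- name: Create Zitadel scripts directory
  ansible.builtin.file:
    path: /opt/zitadel
    state: directory
    mode: '0755'

- name: Copy OIDC automation scripts to server
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: "/opt/zitadel/{{ item }}"
    mode: '0755'
  loop:
    - zitadel_api.py

- name: Install Python libraries for OIDC automation
  ansible.builtin.package:
    name:
      - python3-requests
      - python3-jwt
    state: present
  become: true

- name: Check if JWT key file exists
  # `command` instead of `shell`: no shell features are needed here, so the
  # fixed container name and path are never re-interpreted by a shell.
  ansible.builtin.command:
    argv:
      - docker
      - exec
      - zitadel
      - ls
      - /machinekey/api-automation.json
  register: jwt_key_check
  failed_when: false
  changed_when: false

- name: Set JWT authentication available
  ansible.builtin.set_fact:
    # `| bool` makes the fact a real boolean rather than the string
    # "True"/"False" that a templated comparison yields without native types.
    jwt_auth_available: "{{ (jwt_key_check.rc == 0) | bool }}"

- name: Provision the Nextcloud OIDC application using JWT auth
  when: jwt_auth_available
  block:
    - name: Create private staging directory for the JWT key
      # mkdtemp-style directory (owner-only access) instead of a fixed,
      # world-readable /tmp path: no other local user can read the key or
      # pre-create the destination path.
      ansible.builtin.tempfile:
        state: directory
        suffix: zitadel-jwt
      register: jwt_stage_dir

    - name: Copy JWT key from container to host
      ansible.builtin.command:
        argv:
          - docker
          - cp
          - zitadel:/machinekey/api-automation.json
          - "{{ jwt_stage_dir.path }}/api-automation.json"
      changed_when: false

    - name: Create OIDC application for Nextcloud using JWT auth
      # argv form passes each templated value as a single argument, so a
      # domain containing shell metacharacters cannot alter the command.
      ansible.builtin.command:
        argv:
          - python3
          - /opt/zitadel/zitadel_api.py
          - "{{ zitadel_domain }}"
          - "{{ jwt_stage_dir.path }}/api-automation.json"
          - Nextcloud
          - "https://nextcloud.{{ client_domain }}/apps/user_oidc/code"
      register: oidc_app_result
      changed_when: "'created' in oidc_app_result.stdout"
      failed_when: oidc_app_result.rc != 0
      # stdout is the JSON parsed below and contains client_secret; keep it
      # out of the play output even though this hides the script's own error
      # text on failure.
      no_log: true

  always:
    - name: Clean up temporary JWT key directory
      # Runs even when a task in the block failed, so the key never stays on
      # the host after this tasks file.
      ansible.builtin.file:
        path: "{{ jwt_stage_dir.path }}"
        state: absent
      when: jwt_stage_dir.path is defined

- name: Parse OIDC app creation result
  ansible.builtin.set_fact:
    oidc_app_data: "{{ oidc_app_result.stdout | from_json }}"
  when: jwt_auth_available and oidc_app_result is defined
  # The parsed mapping includes client_secret.
  no_log: true

- name: Display OIDC app status
  # Only non-secret fields are printed here.
  ansible.builtin.debug:
    msg: |
      ✅ Nextcloud OIDC Application: {{ oidc_app_data.status }}
      Client ID: {{ oidc_app_data.client_id | default('N/A') }}
      Redirect URI: {{ oidc_app_data.redirect_uri | default('N/A') }}
  when: jwt_auth_available and oidc_app_data is defined

- name: Save OIDC credentials for Nextcloud configuration
  ansible.builtin.set_fact:
    nextcloud_oidc_client_id: "{{ oidc_app_data.client_id }}"
    nextcloud_oidc_client_secret: "{{ oidc_app_data.client_secret }}"
  when: jwt_auth_available and oidc_app_data is defined and oidc_app_data.status == 'created'
  no_log: true

- name: Configure OIDC provider in Nextcloud
  # occ takes the secret as a CLI option, so the secret is passed as its own
  # argv element (never interpolated into a shell string, where a secret
  # containing quotes or `$` would break or alter the command). The exit
  # code is ignored on purpose: re-runs where the provider already exists
  # must not fail the play; changed_when distinguishes the two outcomes.
  ansible.builtin.command:
    argv:
      - docker
      - exec
      - -u
      - www-data
      - nextcloud
      - php
      - occ
      - user_oidc:provider:add
      - "--clientid={{ nextcloud_oidc_client_id }}"
      - "--clientsecret={{ nextcloud_oidc_client_secret }}"
      - "--discoveryuri=https://{{ zitadel_domain }}/.well-known/openid-configuration"
      - Zitadel
  when: jwt_auth_available and nextcloud_oidc_client_id is defined and nextcloud_oidc_client_secret is defined
  register: oidc_config_result
  failed_when: false
  changed_when: "'Provider Zitadel has been created' in oidc_config_result.stdout"
  # The registered result echoes the full argv, including the secret.
  no_log: true

- name: Display OIDC configuration result
  ansible.builtin.debug:
    msg: |
      ✅ Nextcloud OIDC Provider Configuration: {{ 'Success' if oidc_config_result.changed else 'Already configured' }}
      Users can now login to Nextcloud using Zitadel SSO!
      Visit: https://nextcloud.{{ client_domain }}
  when: jwt_auth_available and oidc_config_result is defined

- name: OIDC automation not available
  ansible.builtin.debug:
    msg: |
      ⚠️ OIDC automation not available - JWT key not found.
      OIDC automation requires the one-time manual setup documented in PROJECT_REFERENCE.md.
      Check Zitadel logs: docker logs zitadel
  when: not jwt_auth_available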