Skip to content

ideon: add role for self-hosted collaborative workspace

jedmund requested to merge jedmund/add-ideon-auth into main

Created by: jedmund

Summary

  • New ideon Ansible role deploying Ideon (visual workspace / project mgmt / kanban / collab editing) to nuc-mini at idea.atelier.house
  • Modeled after roles/development/ (Forgejo): single-service compose + postgres:18-alpine sidecar, Traefik labels, no TinyAuth — Ideon handles its own auth
  • SendGrid SMTP wired for magic-link email; make deploy-ideon target added

Vault keys to add (group_vars/ideon/vault.yml)

  • ideon_secret_keyopenssl rand -hex 32
  • ideon_db_passwordopenssl rand -base64 32
  • ideon_smtp_password — SendGrid API key

Notes

  • OIDC against PocketID is configured post-install in Ideon's /management UI (the upstream image does not accept OAuth provider config via env vars). After registration, copy the redirect URI Ideon shows into PocketID, similar to the Line workflow.
  • Healthcheck uses wget --spider against /api/health — if the upstream image lacks wget, swap to curl or a TCP check.

Test plan

  • Add the three secrets to group_vars/ideon/vault.yml and encrypt
  • make deploy-ideon succeeds; ideon and ideon_postgres containers report healthy
  • https://idea.atelier.house serves the Ideon UI over HTTPS via the Cloudflare wildcard cert
  • WebSocket connection (wss://idea.atelier.house/...) succeeds in browser devtools (Yjs collab)
  • Test email from /management succeeds (SMTP)
  • Register PocketID as an OAuth provider via /management and confirm sign-in
  • Re-run make deploy-ideon — idempotent (no changes)

Merge request reports

Loading