No description
- Shell 64.5%
- Jinja 32.8%
- Makefile 2.7%
| docs | ||
| inventories | ||
| playbooks | ||
| roles | ||
| scripts | ||
| .gitignore | ||
| .sops.yaml | ||
| .yamllint | ||
| ansible.cfg | ||
| Makefile | ||
| README.md | ||
ansible-idp
Albient's identity provider (SSO) control plane — Zitadel, deployed HA and
systemd-native (no containers), backed by Postgres. A separate Ansible book, like
ansible-dns, feeding the wider Albient platform (mail is the first consumer).
See docs/architecture.md for the full design.
Quick start
scripts/bootstrap-secrets.sh init # generate masterkey/db/admin secrets
make lint # yamllint + ansible-lint
make check ENV=staging # dry-run
make deploy ENV=staging # deploy Zitadel HA
What this does today (Phase 1)
- Deploys Zitadel
idp_clusterHA: binary + systemd, shared Postgres (the platform Patroni R/W VIP), one-time schema + first-instance/admin bootstrap, health-gated start. TLS is terminated by the (forthcoming) edge role; Zitadel speaks plain HTTP on the private interface withExternalSecure=true.
Not yet (later phases)
- Branding + edge: apply Zitadel private-labeling (logo/colors/font/login text)
via the mgmt API — we brand Zitadel's own hosted pages rather than build a
custom portal — plus HAProxy + Let's Encrypt for
account.albient.co.uk. - Consumers: Stalwart as an OIDC RP / OAUTHBEARER; the provisioning API as the Zitadel write-path that syncs the mail directory (389-DS).
- App-passwords: issue/revoke UX in Roundcube or the provisioning API (the one custom UI bit Zitadel's pages don't cover).