From 41d8ad8489c25959a5575a47559f1da41a885922 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Wed, 13 May 2026 12:47:15 +0200 Subject: [PATCH 1/4] Only one manage per access instance --- .../templates/serverapplication.yml.j2 | 50 ++++++++++++------- 1 file changed, 33 insertions(+), 17 deletions(-) diff --git a/roles/openaccess/templates/serverapplication.yml.j2 b/roles/openaccess/templates/serverapplication.yml.j2 index 80da77a94..06390f480 100644 --- a/roles/openaccess/templates/serverapplication.yml.j2 +++ b/roles/openaccess/templates/serverapplication.yml.j2 @@ -16,6 +16,8 @@ server: spring: main: banner-mode: "off" + cache: + type: simple session: jdbc: cleanup-cron: "-" @@ -108,6 +110,7 @@ config: sram: "https://{{ env }}.sram.surf.nl/" service_desk: "https://servicedesk.surf.nl/jira/plugins/servlet/desk/user/requests?reporter=all" feedback_widget_enabled: true + test_environment: {{ openconextaccess.test_environment }} # For other environments, move to group_vars identity_providers: - name: "SXS IdP" @@ -147,6 +150,8 @@ gui: feature: enable-performance-seed: False + statistics-enabled: False + stepup-required: False email: from: "{{ noreply_email }}" 
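Review bot: In the `feature:` hunk (`@@ -147,6 +150,8 @@`), `stepup-required: False` is hard-coded in the shared template, so no environment rendered from this role can switch it on without editing the template, even though `minimal_stepup_acr_level` is configured further up in the same file. If the flag gates step-up authentication, as its name suggests, it would be safer to read it from inventory without a default, so that a missing value fails the deploy: `stepup-required: {{ openconextaccess.stepup_required }}` (the variable name is a suggestion). The same goes for `statistics-enabled: False`, which can now disagree with the separately templated `statistics.enabled`. A one-line comment above each flag saying why it is off would also help the next reader.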
@@ -158,17 +163,10 @@ email: manage: enabled: True - activeManage: TEST - test: - url: {{ openconextaccess.managetest.url }} - user: {{ openconextaccess.managetest.user }} - password: {{ openconextaccess.managetest.password }} - defaultState: prodaccepted - prod: - url: {{ openconextaccess.manageprod.url }} - user: {{ openconextaccess.manageprod.user }} - password: {{ openconextaccess.managetest.password }} - defaultState: testaccepted + url: {{ openconextaccess.managetest.url }} + user: {{ openconextaccess.managetest.user }} + password: {{ openconextaccess.managetest.password }} + defaultState: testaccepted # If manage is disabled (e.g. enabled: False) the staticManageDirectory is the directory where the {metadata_type}.json files # are located. This can also be an absolute file path, e.g. file:///opt/openconext/invite/manage staticManageDirectory: classpath:/manage 
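Review bot: The new `password: {{ openconextaccess.managetest.password }}` line renders the secret as a plain YAML scalar, so a value containing ` #` or `: `, or starting with `*`, `&`, `!`, `{` or `[`, is truncated or mis-parsed when the application loads the file. The `invite:` block below already quotes its secret (`password: "{{ invite.access_secret }}"`); the same form fits here, or `{{ openconextaccess.managetest.password | to_json }}` if the value may contain quotes or backslashes. PATCH 3/4 renames these variables to `openconextaccess.manage.*` and leaves them unquoted, and the moved `s3storage.secret` and the neighbouring `statistics.password` have the same shape. Separately, `defaultState: testaccepted` is now fixed for every instance; if a production instance is rendered from this template, that value probably needs to come from inventory too, which is worth confirming.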
@@ -180,18 +178,36 @@ invite: user: {{ invite.access_user }} password: "{{ invite.access_secret }}" -s3storage: - url: {{ openconextaccess.s3_storage.url }} - key: {{ openconextaccess.s3_storage.key }} - secret: {{ openconextaccess.s3_storage.secret }} - bucket: {{ openconextaccess.s3_storage.bucket }} - statistics: enabled: {{ openconextaccess.statistics.enabled }} url: {{ openconextaccess.statistics.url }} user: {{ openconextaccess.statistics.user }} password: {{ openconextaccess.statistics.password }} +s3storage: + url: {{ openconextaccess.s3_storage.url }} + key: {{ openconextaccess.s3_storage.key }} + secret: {{ openconextaccess.s3_storage.secret }} + bucket: {{ openconextaccess.s3_storage.bucket }} + +ohdear: + apiKey: "test-token" + baseUrl: http://localhost:8089/api + enabled: false + +springdoc: + pathsToMatch: "/api/v1/**" + api-docs: + path: "/ui/api-docs" + enabled: false + swagger-ui: + path: "/ui/api-ui.html" + enabled: false + operationsSorter: method + oauth: + client-id: ${spring.security.oauth2.client.registration.oidcng.client-id} + client-secret: ${spring.security.oauth2.client.registration.oidcng.client-secret} + use-basic-authentication-with-access-code-grant: true management: health: From 9d49c90471bb85c18c3a68282b838fd07136bb27 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Fri, 15 May 2026 15:55:55 +0200 Subject: [PATCH 2/4] English IdP description --- roles/openaccess/templates/serverapplication.yml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/openaccess/templates/serverapplication.yml.j2 b/roles/openaccess/templates/serverapplication.yml.j2 index 06390f480..9c29fe9b3 100644 --- a/roles/openaccess/templates/serverapplication.yml.j2 +++ b/roles/openaccess/templates/serverapplication.yml.j2 
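Review bot: The added `springdoc` block sets `client-secret: ${spring.security.oauth2.client.registration.oidcng.client-secret}` under what appears to be `swagger-ui.oauth` (the nesting cannot be recovered from this view). Swagger UI's OAuth settings are delivered to the browser, so once `swagger-ui.enabled` is flipped to true the confidential secret of the oidcng client becomes readable by anyone who can load the docs page. Preferably drop the `client-secret` line and give the docs UI its own public client with PKCE. Failing that, add a comment above it such as `# do not enable swagger-ui while client-secret is set: the value is served to the browser`.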
@@ -115,11 +115,11 @@ config: identity_providers: - name: "SXS IdP" entityid: "http://mock-idp" - descriptionEN: "Een test-IdP waarmee je zelf attributen-sets kunt simuleren. De metadata vind je hier" + descriptionEN: "A test IdP that allows you to simulate attribute sets yourself. You can find the metadata here" descriptionNL: "Een test-IdP waarmee je zelf attributen-sets kunt simuleren. De metadata vind je hier" - name: "SXS Dummy" entityid: "https://idp.diy.surfconext.nl" - descriptionEN: "Een test-IdP met fictieve gebruikersaccounts. De metadata vind je hier" + descriptionEN: "A test IdP with fictitious user accounts. You can find the metadata here" descriptionNL: "Een test-IdP met fictieve gebruikersaccounts. De metadata vind je hier" idp_proxy_meta_data: {{ openconextaccess.idp_proxy_meta_data }} minimal_stepup_acr_level: "http://{{ base_domain }}/assurance/loa2" From c1b124e14aa6c1384f7362be089a397564f4298c Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Fri, 15 May 2026 16:32:34 +0200 Subject: [PATCH 3/4] Fixed deployment openaccess --- roles/openaccess/templates/serverapplication.yml.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/openaccess/templates/serverapplication.yml.j2 b/roles/openaccess/templates/serverapplication.yml.j2 index 9c29fe9b3..f9dbf266a 100644 --- a/roles/openaccess/templates/serverapplication.yml.j2 +++ b/roles/openaccess/templates/serverapplication.yml.j2 
@@ -163,9 +163,9 @@ email: manage: enabled: True - url: {{ openconextaccess.managetest.url }} - user: {{ openconextaccess.managetest.user }} - password: {{ openconextaccess.managetest.password }} + url: {{ openconextaccess.manage.url }} + user: {{ openconextaccess.manage.user }} + password: {{ openconextaccess.manage.password }} defaultState: testaccepted # If manage is disabled (e.g. enabled: False) the staticManageDirectory is the directory where the {metadata_type}.json files # are located. This can also be an absolute file path, e.g. file:///opt/openconext/invite/manage From f3c7410f42205a4b379609503ef50abbcd1e8d62 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Fri, 22 May 2026 10:07:40 +0200 Subject: [PATCH 4/4] Added OhDear configuration --- roles/openaccess/templates/serverapplication.yml.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/openaccess/templates/serverapplication.yml.j2 b/roles/openaccess/templates/serverapplication.yml.j2 index f9dbf266a..3286d5a79 100644 --- a/roles/openaccess/templates/serverapplication.yml.j2 +++ b/roles/openaccess/templates/serverapplication.yml.j2 @@ -191,9 +191,9 @@ s3storage: bucket: {{ openconextaccess.s3_storage.bucket }} ohdear: - apiKey: "test-token" - baseUrl: http://localhost:8089/api - enabled: false + apiKey: {{ openconextaccess_ohdear_apikey }} + baseUrl: "https://ohdear.app/api" + enabled: true springdoc: pathsToMatch: "/api/v1/**"
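Review bot: In the `ohdear` hunk of PATCH 4/4, `enabled: true` and `baseUrl: "https://ohdear.app/api"` are hard-coded, so every environment rendered from this role, test instances included, will call the external service with the configured key. Driving `enabled` from inventory would let non-production instances stay off. `apiKey: {{ openconextaccess_ohdear_apikey }}` is also unquoted, so an empty value renders as YAML null while the integration is switched on; `apiKey: "{{ openconextaccess_ohdear_apikey }}"` keeps it a string. The variable is flat while the rest of the template reads `openconextaccess.*`; if that is deliberate, a short comment saying where it is defined would help.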