OpenConext · baszoetekouw · May 13, 2026 · May 15, 2026 · May 15, 2026 · May 22, 2026
diff --git a/.yamllint.yaml b/.yamllint.yaml
@@ -0,0 +1,27 @@
+---
+extends: "default"
+
+rules:
+  # 80 chars should be enough, but don't fail if a line is longer
+  line-length:
+    max: 160
+    level: "warning"
+
+  quoted-strings:
+    quote-type: "any"
+    required: true
+    allow-quoted-quotes: false
+    check-keys: false
+
+# ansible-lint compatibility:
+  comments:
+    min-spaces-from-content: 1
+
+  comments-indentation: false
+
+  braces:
+    max-spaces-inside: 1
+
+  octal-values:
+    forbid-implicit-octal: true
+    forbid-explicit-octal: true
diff --git a/environments/template/secrets/secret_example.yml b/environments/template/secrets/secret_example.yml
@@ -141,7 +141,7 @@ invite_lifecycle_secret: "secret"
 invite_internal_secret: "secret"
 invite_profile_secret: "secret"
 invite_sp_dashboard_secret: "secret"
-invite_access_secret: "secret"
+invite_access_dashboard_secret: "secret"
 invite_private_key_pkcs8: |
   -----BEGIN PRIVATE KEY-----
   MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCfpYYMgKYDICkp

diff --git a/provision.yml b/provision.yml
@@ -199,12 +199,12 @@
     - oidc-playground
   tags: ['oidc-playground']
 
-- name: Deploy openaccess app & server
+- name: Deploy access_dashboard app & server
   hosts: docker_openaccess
   become: true
   roles:
-    - openaccess
-  tags: ['openaccess']
+    - access_dashboard
+  tags: ['access_dashboard']
 
 - name: Deploy pdp app
   hosts: docker_pdp
@@ -302,4 +302,3 @@
   roles:
     - { role: mariadbdocker, tags: ['mariadbdocker']}
     - { role: mongodbdocker, tags: ['mongodbdocker']}
-
diff --git a/roles/access_dashboard/defaults/main.yml b/roles/access_dashboard/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+access_dashboard_docker_networks:
+  - name: "loadbalancer"
+access_dashboard_cronjobmaster: true
diff --git a/roles/access_dashboard/handlers/main.yml b/roles/access_dashboard/handlers/main.yml
@@ -0,0 +1,20 @@
+---
+- name: "Restart access dashboard server"
+  community.docker.docker_container:
+    name: "access_dashboard_server"
+    state: "started"
+    restart: true
+    # avoid restarting it creates unexpected data loss according to docker_container_module notes
+    comparisons:
+      '*': "ignore"
+  when: "access_dashboard_server_container is success and access_dashboard_server_container is not change"
+
+- name: "Restart access dashboard gui"
+  community.docker.docker_container:
+    name: "access_dashboard_gui"
+    state: "started"
+    restart: true
+    # avoid restarting it creates unexpected data loss according to docker_container_module notes
+    comparisons:
+      '*': "ignore"
+  when: "access_dashboard_gui_container is success and access_dashboard_gui_container is not change"
diff --git a/roles/access_dashboard/tasks/main.yml b/roles/access_dashboard/tasks/main.yml
@@ -0,0 +1,96 @@
+---
+- name: "Create directory to keep configfile"
+  ansible.builtin.file:
+    dest: "/opt/openconext/access_dashboard"
+    state: "directory"
+    owner: "root"
+    group: "root"
+    mode: "0770"
+
+- name: "Place the server configfiles"
+  ansible.builtin.template:
+    src: "{{ item }}.j2"
+    dest: "/opt/openconext/access_dashboard/{{ item }}"
+    owner: "root"
+    group: "root"
+    mode: "0600"
+  with_items:
+    - "logback.xml"
+    - "serverapplication.yml"
+  notify: "Restart access dashboard server"
+
+- name: "Place the gui configfiles"
+  ansible.builtin.template:
+    src: "{{ item }}.j2"
+    dest: "/opt/openconext/access_dashboard/{{ item }}"
+    owner: "root"
+    group: "root"
+    mode: "0600"
+  with_items:
+    - "apache_gui.conf"
+  notify: "Restart access dashboard gui"
+
+- name: "Add the MariaDB docker network to the list of networks when MariaDB runs in Docker"
+  ansible.builtin.set_fact:
+    access_dashboard_docker_networks:
+      - name: "loadbalancer"
+      - name: "openconext_mariadb"
+  when: "mariadb_in_docker | default(false) | bool"
+
+- name: "Create and start the access server container"
+  community.docker.docker_container:
+    name: "access_dashboard_server"
+    env:
+      TZ: "{{ timezone }}"
+    image: "ghcr.io/openconext/openconext-access/accessserver:{{ access_dashboard_version }}"
+    pull: true
+    restart_policy: "always"
+    state: "started"
+    networks: "{{ access_dashboard_docker_networks }}"
+    mounts:
+      - source: "/opt/openconext/access_dashboard/serverapplication.yml"
+        target: "/application.yml"
+        type: "bind"
+        read_only: true
+      - source: "/opt/openconext/access_dashboard/logback.xml"
+        target: "/logback.xml"
+        type: "bind"
+        read_only: true
+    command: "-Xmx512m --spring.config.location=./"
+    etc_hosts:
+      host.docker.internal: "host-gateway"
+  register: "access_dashboard_server_container"
+
+- name: "Create the access client container"
+  community.docker.docker_container:
+    name: "access_dashboard_gui"
+    image: "ghcr.io/openconext/openconext-access/accessclient:{{ access_dashboard_version }}"
+    pull: true
+    restart_policy: "always"
+    state: "started"
+    networks:
+      - name: "loadbalancer"
+    labels:
+      traefik.http.routers.accessclient.rule: "Host(`{{ access_dashboard_base_domain }}`)"
+      traefik.http.routers.accessclient.tls: "true"
+      traefik.enable: "true"
+    hostname: "access"
+    mounts:
+      - source: "/etc/localtime"
+        target: "/etc/localtime"
+        type: "bind"
+        read_only: true
+      - source: "/opt/openconext/access_dashboard/apache_gui.conf"
+        target: "/etc/apache2/sites-enabled/appconf.conf"
+        type: "bind"
+        read_only: true
+      - source: "/opt/openconext/common/favicon.ico"
+        target: "/var/www/favicon.ico"
+        type: "bind"
+        read_only: true
+    env:
+      S3_STORAGE_URL: "{{ access_dashboard.s3_storage.url }}"
+      S3_STORAGE_KEY: "{{ access_dashboard.s3_storage.key }}"
+      S3_STORAGE_SECRET: "{{ access_dashboard.s3_storage.secret }}"
+      S3_STORAGE_BUCKET: "{{ access_dashboard.s3_storage.bucket }}"
+  register: "access_dashboard_gui_container"
diff --git a/roles/access_dashboard/templates/apache_gui.conf.j2 b/roles/access_dashboard/templates/apache_gui.conf.j2
@@ -0,0 +1,59 @@
+ServerName access_dashboard_client
+
+RewriteEngine On
+RewriteCond %{REQUEST_URI} !\.(js|css)(\.map)?$
+RewriteCond %{REQUEST_URI} !\.svg$
+RewriteCond %{REQUEST_URI} !\.png$
+RewriteCond %{REQUEST_URI} !\.ico$
+RewriteCond %{REQUEST_URI} !\.woff$
+RewriteCond %{REQUEST_URI} !\.woff2$
+RewriteCond %{REQUEST_URI} !\.ttf$
+RewriteCond %{REQUEST_URI} !\.wav$
+RewriteCond %{REQUEST_URI} !\.eot$
+RewriteCond %{REQUEST_URI} !^/(asset-)?manifest.json$
+RewriteCond %{REQUEST_URI} !^/api/
+RewriteCond %{REQUEST_URI} !^/login/
+RewriteCond %{REQUEST_URI} !^/oauth2/
+RewriteCond %{REQUEST_URI} !^/ui/
+RewriteCond %{REQUEST_URI} !^/internal/
+RewriteCond %{REQUEST_URI} !^/fonts/
+RewriteRule (.*) /index.html [L]
+
+ProxyPass /api http://access_dashboard_server:8080/api retry=0
+ProxyPassReverse /api http://access_dashboard_server:8080/api
+ProxyPassMatch ^/oauth2(.*)$ http://access_dashboard_server:8080
+ProxyPassReverse /oauth2 http://access_dashboard_server:8080/oauth2
+ProxyPassMatch ^/internal(.*)$ http://access_dashboard_server:8080
+ProxyPassReverse /internal http://access_dashboard_server:8080/internal
+ProxyPassMatch ^/login(.*)$ http://access_dashboard_server:8080
+ProxyPassReverse /login http://access_dashboard_server:8080/login
+ProxyPassMatch ^/ui(.*)$ http://access_dashboard_server:8080
+ProxyPassReverse /ui http://access_dashboard_server:8080/ui
+
+DocumentRoot /var/www/
+
+<Location "/api">
+    ProxyPreserveHost On
+</Location>
+<Location "/oauth2">
+    ProxyPreserveHost On
+</Location>
+<Location "/internal">
+    ProxyPreserveHost On
+</Location>
+<Location "/login">
+    ProxyPreserveHost On
+</Location>
+<Directory /var/www>
+  Require all granted
+  Options -Indexes
+</Directory>
+
+<FilesMatch "\.html$">
+Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
+Header set Expires "Sun, 8 Jun 1986 08:06:00 GMT"
+</FilesMatch>
+
+Header always set X-Frame-Options "DENY"
+Header always set Referrer-Policy "strict-origin-when-cross-origin"
+Header always set X-Content-Type-Options "nosniff"
diff --git a/roles/access_dashboard/templates/logback.xml.j2 b/roles/access_dashboard/templates/logback.xml.j2
@@ -0,0 +1,29 @@
+#jinja2:lstrip_blocks: True
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration scan="true">
+
+  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+    <encoder>
+      <pattern>%d{ISO8601} %5p [%t] %logger{40}:%L - %m%n</pattern>
+    </encoder>
+  </appender>
+
+  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
+    <smtpHost>{{ smtp_server }}</smtpHost>
+    <from>{{ noreply_email }}</from>
+    <to>{{ error_mail_to }}</to>
+    <subject>{{ error_subject_prefix }}Unexpected error in surfaccess</subject>
+    <layout class="ch.qos.logback.classic.html.HTMLLayout"/>
+
+    <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
+      <level>ERROR</level>
+    </filter>
+  </appender>
+
+  <logger name="surfaccess" level="INFO"/>
+  <root level="WARN">
+    <appender-ref ref="STDOUT"/>
+    <appender-ref ref="EMAIL"/>
+  </root>
+
+</configuration>