misc/ansible-base
0
0
Fork 0
Code Issues Pull requests 1 Actions Packages Projects Releases Wiki Activity

[int]

Browse source
This commit is contained in:
Christian Fraß 2025-10-08 11:20:09 +02:00
parent cdeedc7ac3
commit 33491acb37
30 changed files with 528 additions and 241 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
roles/authelia-and-nginx/cfg.schema.json Normal file
View file

@ -0,0 +1,24 @@
{
"nullable": false,
"type": "object",
"properties": {
"domain": {
"nullable": false,
"type": "string"
},
"tls_mode": {
"nullable": false,
"type": "string",
"options": [
"disable",
"enable",
"force"
],
"enum": "force"
}
},
"additionalProperties": false,
"required": [
"domain"
]
}

5
roles/authelia-and-nginx/defaults/main.json
View file

@ -1,4 +1,5 @@
{
"var_authelia_and_nginx_domain": "authelia.example.org",
"var_authelia_and_nginx_tls_mode": "force"
"cfg_authelia_and_nginx_defaults": {
"tls_mode": "force"
}
}

13
roles/authelia-and-nginx/tasks/main.json
View file

@ -1,4 +1,11 @@
[
{
"name": "show vars",
"when": "switch_show_vars",
"ansible.builtin.debug": {
"var": "vars.cfg_authelia_and_nginx"
}
},
{
"name": "deactivate default site",
"become": true,
@ -12,7 +19,7 @@
"become": true,
"ansible.builtin.template": {
"src": "conf.j2",
"dest": "/etc/nginx/sites-available/{{var_authelia_and_nginx_domain}}"
"dest": "/etc/nginx/sites-available/{{cfg_authelia_and_nginx.domain}}"
}
},
{
@ -20,8 +27,8 @@
"become": true,
"ansible.builtin.file": {
"state": "link",
"src": "/etc/nginx/sites-available/{{var_authelia_and_nginx_domain}}",
"dest": "/etc/nginx/sites-enabled/{{var_authelia_and_nginx_domain}}"
"src": "/etc/nginx/sites-available/{{cfg_authelia_and_nginx.domain}}",
"dest": "/etc/nginx/sites-enabled/{{cfg_authelia_and_nginx.domain}}"
}
},
{

12
roles/authelia-and-nginx/templates/conf.j2
View file

@ -45,27 +45,27 @@
{% endmacro %}
server {
server_name {{var_authelia_and_nginx_domain}};
server_name {{cfg_authelia_and_nginx.domain}};
listen 80;
listen [::]:80;
{% if (var_authelia_and_nginx_tls_mode == 'force') %}
{% if (cfg_authelia_and_nginx.tls_mode == 'force') %}
return 301 https://$http_host$request_uri;
{% else %}
{{ authelia_common() }}
{% endif %}
}
{% if (var_authelia_and_nginx_tls_mode != 'disable') %}
{% if (cfg_authelia_and_nginx.tls_mode != 'disable') %}
server {
server_name {{var_authelia_and_nginx_domain}};
server_name {{cfg_authelia_and_nginx.domain}};
listen [::]:443 ssl http2;
listen 443 ssl http2;
ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem;
ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{cfg_authelia_and_nginx.domain}}.pem;
ssl_certificate /etc/ssl/fullchains/{{cfg_authelia_and_nginx.domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
{{ authelia_common() }}

15
roles/authelia-and-nginx/vardef.json
View file

@ -1,15 +0,0 @@
{
"domain": {
"type": "string",
"mandatory": false
},
"tls_mode": {
"type": "string",
"options": [
"disable",
"enable",
"force"
],
"mandatory": false
}
}

24
roles/authelia-for-hedgedoc/cfg.schema.json Normal file
View file

@ -0,0 +1,24 @@
{
"nullable": false,
"type": "object",
"properties": {
"hedgedoc_url_base": {
"nullable": false,
"type": "string",
"default": "https://hedgedoc.example.org"
},
"client_id": {
"nullable": false,
"type": "string",
"default": "hedgedoc"
},
"client_secret": {
"nullable": false,
"type": "string"
}
},
"additionalProperties": false,
"required": [
"client_secret"
]
}

6
roles/authelia-for-hedgedoc/defaults/main.json
View file

@ -1,5 +1,5 @@
{
"var_authelia_for_hedgedoc_hedgedoc_url_base": "https://hedgedoc.example.org",
"var_authelia_for_hedgedoc_client_id": "hedgedoc",
"var_authelia_for_hedgedoc_client_secret": "REPLACE_ME"
"cfg_authelia_for_hedgedoc_defaults": {
"client_id": "hedgedoc"
}
}

9
roles/authelia-for-hedgedoc/tasks/main.json
View file

@ -1,9 +1,16 @@
[
{
"name": "show vars",
"when": "switch_show_vars",
"ansible.builtin.debug": {
"var": "vars.cfg_authelia_for_hedgedoc"
}
},
{
"name": "configuration | compute client secret hash",
"become": true,
"ansible.builtin.shell": {
"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_hedgedoc_client_secret}} | cut --delimiter=' ' --fields='2-'"
"cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_hedgedoc.client_secret}} | cut --delimiter=' ' --fields='2-'"
},
"register": "temp_authelia_for_hedgedoc_client_secret_hashed"
},

4
roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2
View file

@ -1,5 +1,5 @@
{
"client_id": "{{var_authelia_for_hedgedoc_client_id}}",
"client_id": "{{cfg_authelia_for_hedgedoc.client_id}}",
"client_secret": "{{temp_authelia_for_hedgedoc_client_secret_hashed.stdout}}",
"client_name": "Hedgedoc",
"public": false,
@ -10,7 +10,7 @@
"profile"
],
"redirect_uris": [
"{{var_authelia_for_hedgedoc_hedgedoc_url_base}}/auth/oauth2/callback"
"{{cfg_authelia_for_hedgedoc.hedgedoc_url_base}}/auth/oauth2/callback"
],
"response_types": [
"code"

24
roles/hedgedoc-and-nginx/cfg.schema.json Normal file
View file

@ -0,0 +1,24 @@
{
"nullable": false,
"type": "object",
"properties": {
"domain": {
"nullable": false,
"type": "string"
},
"tls_mode": {
"nullable": false,
"type": "string",
"options": [
"disable",
"enable",
"force"
],
"default": "force"
}
},
"additionalProperties": false,
"required": [
"domain"
]
}

5
roles/hedgedoc-and-nginx/defaults/main.json
View file

@ -1,4 +1,5 @@
{
"var_hedgedoc_and_nginx_domain": "hedgedoc.example.org",
"var_hedgedoc_and_nginx_tls_mode": "force"
"cfg_hedgedoc_and_nginx_defaults": {
"tls_mode": "force"
}
}

13
roles/hedgedoc-and-nginx/tasks/main.json
View file

@ -1,4 +1,11 @@
[
{
"name": "show vars",
"when": "switch_show_vars",
"ansible.builtin.debug": {
"var": "vars.cfg_hedgedoc_and_nginx"
}
},
{
"name": "deactivate default site",
"become": true,
@ -12,7 +19,7 @@
"become": true,
"ansible.builtin.template": {
"src": "conf.j2",
"dest": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}"
"dest": "/etc/nginx/sites-available/{{cfg_hedgedoc_and_nginx.domain}}"
}
},
{
@ -20,8 +27,8 @@
"become": true,
"ansible.builtin.file": {
"state": "link",
"src": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}",
"dest": "/etc/nginx/sites-enabled/{{var_hedgedoc_and_nginx_domain}}"
"src": "/etc/nginx/sites-available/{{cfg_hedgedoc_and_nginx.domain}}",
"dest": "/etc/nginx/sites-enabled/{{cfg_hedgedoc_and_nginx.domain}}"
}
},
{

10
roles/hedgedoc-and-nginx/templates/conf.j2
View file

@ -24,7 +24,7 @@ map $http_upgrade $connection_upgrade {
{% endmacro %}
server {
server_name {{var_hedgedoc_and_nginx_domain}};
server_name {{cfg_hedgedoc_and_nginx.domain}};
listen 80;
listen [::]:80;
@ -36,15 +36,15 @@ server {
{% endif %}
}
{% if (var_hedgedoc_and_nginx_tls_mode != 'disable') %}
{% if (cfg_hedgedoc_and_nginx.tls_mode != 'disable') %}
server {
server_name {{var_hedgedoc_and_nginx_domain}};
server_name {{cfg_hedgedoc_and_nginx.domain}};
listen [::]:443 ssl http2;
listen 443 ssl http2;
ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem;
ssl_certificate /etc/ssl/fullchains/{{var_hedgedoc_and_nginx_domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{cfg_hedgedoc_and_nginx.domain}}.pem;
ssl_certificate /etc/ssl/fullchains/{{cfg_hedgedoc_and_nginx.domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
{{ hedgedoc_common() }}

15
roles/hedgedoc-and-nginx/vardef.json
View file

@ -1,15 +0,0 @@
{
"domain": {
"type": "string",
"mandatory": false
},
"tls_mode": {
"type": "string",
"options": [
"disable",
"enable",
"force"
],
"mandatory": false
}
}

264
roles/hedgedoc/cfg.schema.json Normal file
View file

@ -0,0 +1,264 @@
{
"nullable": false,
"type": "object",
"properties": {
"user_name": {
"nullable": false,
"type": "string",
"default": "hedgedoc"
},
"directory": {
"nullable": false,
"type": "string",
"default": "/opt/hedgedoc"
},
"version": {
"nullable": false,
"type": "string",
"version": "1.9.9"
},
"session_secret": {
"nullable": false,
"type": "string"
},
"domain": {
"nullable": false,
"type": "string",
"default": "hedgedoc.example.org"
},
"database": {
"anyOf": [
{
"nullable": false,
"type": "object",
"properties": {
"kind": {
"nullable": false,
"type": "string",
"enum": ["sqlite"]
},
"data": {
"nullable": false,
"type": "object",
"properties": {
"path": {
"nullable": false,
"type": "string",
"default": "/var/hedgedoc/data.sqlite"
}
},
"additionalProperties": false,
"required": [
],
"default": {
}
}
},
"additionalProperties": false,
"required": [
"kind"
]
},
{
"nullable": false,
"type": "object",
"properties": {
"kind": {
"nullable": false,
"type": "string",
"enum": ["postgresql"]
},
"data": {
"nullable": false,
"type": "object",
"properties": {
"host": {
"nullable": false,
"type": "string",
"default": "localhost"
},
"port": {
"nullable": false,
"type": "integer",
"default": 5432
},
"username": {
"nullable": false,
"type": "string",
"default": "hedgedoc_user"
},
"password": {
"nullable": false,
"type": "string"
},
"schema": {
"nullable": false,
"type": "string",
"default": "hedgedoc"
}
},
"additionalProperties": false,
"required": [
"password"
]
}
},
"additionalProperties": false,
"required": [
"kind",
"data"
]
},
{
"nullable": false,
"type": "object",
"properties": {
"kind": {
"nullable": false,
"type": "string",
"enum": ["mariadb"]
},
"data": {
"nullable": false,
"type": "object",
"properties": {
"host": {
"nullable": false,
"type": "string",
"default": "localhost"
},
"port": {
"nullable": false,
"type": "integer",
"default": 3306
},
"username": {
"nullable": false,
"type": "string",
"default": "hedgedoc_user"
},
"password": {
"nullable": false,
"type": "string"
},
"schema": {
"nullable": false,
"type": "string",
"default": "hedgedoc"
}
},
"additionalProperties": false,
"required": [
"password"
]
}
},
"additionalProperties": false,
"required": [
"kind",
"data"
]
}
]
},
"authentication": {
"anyOf": [
{
"nullable": false,
"type": "object",
"properties": {
"kind": {
"nullable": false,
"type": "string",
"enum": ["internal"]
},
"data": {
"nullable": false,
"type": "object",
"properties": {
},
"additionalProperties": false,
"required": [
]
}
},
"additionalProperties": false,
"required": [
"kind"
]
},
{
"nullable": false,
"type": "object",
"properties": {
"kind": {
"nullable": false,
"type": "string",
"enum": ["authelia"]
},
"data": {
"nullable": false,
"type": "object",
"properties": {
"url_base": {
"nullable": false,
"type": "string"
},
"client_id": {
"nullable": false,
"type": "string",
"default": "hedgedoc"
},
"client_secret": {
"nullable": false,
"type": "string"
}
},
"additionalProperties": false,
"required": [
"url_base",
"client_secret"
]
}
},
"additionalProperties": false,
"required": [
"kind"
]
}
]
},
"log_level": {
"nullable": false,
"type": "string",
"enum": [
"debug",
"verbose",
"info",
"warn",
"error"
],
"default": "error"
},
"guest_allow_create": {
"nullable": false,
"type": "boolean",
"default": false
},
"guest_allow_change": {
"nullable": false,
"type": "boolean",
"default": false
},
"free_names_mode": {
"nullable": false,
"type": "string",
"default": "authed"
}
},
"additionalProperties": false,
"required": [
"domain",
"session_secret"
]
}

37
roles/hedgedoc/defaults/main.json
View file

@ -1,21 +1,20 @@
{
"var_hedgedoc_user_name": "hedgedoc",
"var_hedgedoc_directory": "/opt/hedgedoc",
"var_hedgedoc_version": "1.9.9",
"var_hedgedoc_session_secret": "REPLACE_ME",
"var_hedgedoc_database_kind": "sqlite",
"var_hedgedoc_database_data_sqlite_path": "/var/hedgedoc/data.sqlite",
"var_hedgedoc_database_data_postgresql_host": "localhost",
"var_hedgedoc_database_data_postgresql_port": 5432,
"var_hedgedoc_database_data_postgresql_username": "hedgedoc_user",
"var_hedgedoc_database_data_postgresql_password": "REPLACE_ME",
"var_hedgedoc_database_data_postgresql_schema": "hedgedoc",
"var_hedgedoc_domain": "hedgedoc.example.org",
"var_hedgedoc_authentication_kind": "internal",
"var_hedgedoc_authentication_data_authelia_client_id": "hedgedoc",
"var_hedgedoc_authentication_data_authelia_client_secret": "REPLACE_ME",
"var_hedgedoc_authentication_data_authelia_url_base": "https://authelia.example.org",
"var_hedgedoc_guest_allow_create": false,
"var_hedgedoc_guest_allow_change": false,
"var_hedgedoc_free_names_mode": "authed"
"cfg_hedgedoc_defaults": {
"user_name": "hedgedoc",
"directory": "/opt/hedgedoc",
"version": "1.9.9",
"database": {
"kind": "sqlite",
"data": {
"path": "/var/hedgedoc/data.sqlite"
}
},
"authentication": {
"kind": "internal"
},
"log_level": "error",
"guest_allow_create": false,
"guest_allow_change": false,
"free_names_mode": "authed"
}
}

21
roles/hedgedoc/tasks/main.json
View file

@ -1,4 +1,11 @@
[
{
"name": "show vars",
"when": "switch_show_vars",
"ansible.builtin.debug": {
"var": "vars.cfg_hedgedoc"
}
},
{
"name": "packages",
"become": true,
@ -26,16 +33,16 @@
"name": "user",
"become": true,
"ansible.builtin.user": {
"name": "{{var_hedgedoc_user_name}}",
"name": "{{cfg_hedgedoc.user_name}}",
"create_home": true,
"home": "{{var_hedgedoc_directory}}"
"home": "{{cfg_hedgedoc.directory}}"
}
},
{
"name": "download",
"become": false,
"ansible.builtin.get_url": {
"url": "https://github.com/hedgedoc/hedgedoc/releases/download/{{var_hedgedoc_version}}/hedgedoc-{{var_hedgedoc_version}}.tar.gz",
"url": "https://github.com/hedgedoc/hedgedoc/releases/download/{{cfg_hedgedoc.version}}/hedgedoc-{{cfg_hedgedoc.version}}.tar.gz",
"dest": "/tmp/hedgedoc.tar.gz"
}
},
@ -45,8 +52,8 @@
"ansible.builtin.unarchive": {
"remote_src": true,
"src": "/tmp/hedgedoc.tar.gz",
"dest": "{{var_hedgedoc_directory | dirname}}",
"owner": "{{var_hedgedoc_user_name}}"
"dest": "{{cfg_hedgedoc.directory | dirname}}",
"owner": "{{cfg_hedgedoc.user_name}}"
}
},
{
@ -54,7 +61,7 @@
"become": true,
"become_user": "hedgedoc",
"ansible.builtin.command": {
"chdir": "{{var_hedgedoc_directory}}",
"chdir": "{{cfg_hedgedoc.directory}}",
"cmd": "bin/setup"
}
},
@ -63,7 +70,7 @@
"become": true,
"ansible.builtin.template": {
"src": "config.json.j2",
"dest": "{{var_hedgedoc_directory}}/config.json"
"dest": "{{cfg_hedgedoc.directory}}/config.json"
}
},
{

48
roles/hedgedoc/templates/config.json.j2
View file

@ -1,61 +1,61 @@
{
"production": {
"loglevel": "error",
{% if var_hedgedoc_database_kind == 'sqlite' %}
"loglevel": "{{cfg_hedgedoc.log_level}}",
{% if cfg_hedgedoc.database.kind == 'sqlite' %}
"db": {
"dialect": "sqlite",
"storage": "{{var_hedgedoc_database_data_sqlite_path}}"
"storage": "{{cfg_hedgedoc.database.data.path}}"
},
{% endif %}
{% if var_hedgedoc_database_kind == 'postgresql' %}
{% if cfg_hedgedoc.database.kind == 'postgresql' %}
"db": {
"dialect": "postgres",
"host": "{{var_hedgedoc_database_data_postgresql_host}}",
"port": {{var_hedgedoc_database_data_postgresql_port | to_json}},
"username": "{{var_hedgedoc_database_data_postgresql_username}}",
"password": "{{var_hedgedoc_database_data_postgresql_password}}",
"database": "{{var_hedgedoc_database_data_postgresql_schema}}"
"host": "{{cfg_hedgedoc.database.data.host}}",
"port": {{cfg_hedgedoc.database.data.port | to_json}},
"username": "{{cfg_hedgedoc.database.data.username}}",
"password": "{{cfg_hedgedoc.database.data.password}}",
"database": "{{cfg_hedgedoc.database.data.schema}}"
},
{% endif %}
"sessionSecret": "{{var_hedgedoc_session_secret}}",
"sessionSecret": "{{cfg_hedgedoc.session_secret}}",
"host": "localhost",
"allowOrigin": [
"localhost"
],
"domain": "{{var_hedgedoc_domain}}",
"domain": "{{cfg_hedgedoc.domain}}",
"urlAddPort": false,
"protocolUseSSL": true,
{% if var_hedgedoc_authentication_kind == 'internal' %}
{% if cfg_hedgedoc.authentication.kind == 'internal' %}
"email": true,
"allowEmailRegister": true,
{% endif %}
{% if var_hedgedoc_authentication_kind == 'authelia' %}
{% if cfg_hedgedoc.authentication.kind == 'authelia' %}
"oauth2": {
"providerName": "{{var_hedgedoc_authentication_data_authelia_provider_name}}",
"clientID": "{{var_hedgedoc_authentication_data_authelia_client_id}}",
"clientSecret": "{{var_hedgedoc_authentication_data_authelia_client_secret}}",
"providerName": "{{cfg_hedgedoc.authentication.data.provider_name}}",
"clientID": "{{cfg_hedgedoc.authentication.data.client_id}}",
"clientSecret": "{{cfg_hedgedoc.authentication.data.client_secret}}",
"scope": "openid email profile",
"userProfileUsernameAttr": "sub",
"userProfileDisplayNameAttr": "name",
"userProfileEmailAttr": "email",
"userProfileURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/api/oidc/userinfo",
"tokenURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/api/oidc/token",
"authorizationURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/api/oidc/authorization"
"userProfileURL": "{{cfg_hedgedoc.authentication.data.url_base}}/api/oidc/userinfo",
"tokenURL": "{{cfg_hedgedoc.authentication.data.url_base}}/api/oidc/token",
"authorizationURL": "{{cfg_hedgedoc.authentication.data.url_base}}/api/oidc/authorization"
},
"email": false,
"allowEmailRegister": false,
{% endif %}
"allowAnonymous": {{var_hedgedoc_guest_allow_create | to_json}},
"allowAnonymousEdits": {{var_hedgedoc_guest_allow_change | to_json}},
{% if var_hedgedoc_free_names_mode == 'never' %}
"allowAnonymous": {{cfg_hedgedoc.guest_allow_create | to_json}},
"allowAnonymousEdits": {{cfg_hedgedoc.guest_allow_change | to_json}},
{% if cfg_hedgedoc.free_names_mode == 'never' %}
"allowFreeURL": false,
"requireFreeURLAuthentication": false,
{% endif %}
{% if var_hedgedoc_free_names_mode == 'authed' %}
{% if cfg_hedgedoc.free_names_mode == 'authed' %}
"allowFreeURL": true,
"requireFreeURLAuthentication": true,
{% endif %}
{% if var_hedgedoc_free_names_mode == 'always' %}
{% if cfg_hedgedoc.free_names_mode == 'always' %}
"allowFreeURL": true,
"requireFreeURLAuthentication": false,
{% endif %}

4
roles/hedgedoc/templates/systemd-unit.j2
View file

@ -3,8 +3,8 @@ Description=Hedgedoc
After=multi-user.target
[Service]
WorkingDirectory={{var_hedgedoc_directory}}
User={{var_hedgedoc_user_name}}
WorkingDirectory={{cfg_hedgedoc.directory}}
User={{cfg_hedgedoc.user_name}}
Environment="NODE_ENV=production"
ExecStart=yarn start
SyslogIdentifier=hedgedoc

87
roles/hedgedoc/vardef.json
View file

@ -1,87 +0,0 @@
{
"user_name": {
"type": "string",
"mandatory": false
},
"directory": {
"type": "string",
"mandatory": false
},
"version": {
"type": "string",
"mandatory": false
},
"session_secret": {
"type": "string",
"mandatory": true
},
"database_kind": {
"type": "string",
"mandatory": false,
"options": [
"sqlite",
"postgresql",
"mariadb"
]
},
"database_data_sqlite_path": {
"type": "string",
"mandatory": false
},
"database_data_postgresql_host": {
"type": "string",
"mandatory": false
},
"database_data_postgresql_port": {
"type": "integer",
"mandatory": false
},
"database_data_postgresql_username": {
"type": "string",
"mandatory": false
},
"database_data_postgresql_password": {
"type": "string",
"mandatory": false
},
"database_data_postgresql_schema": {
"type": "string",
"mandatory": false
},
"domain": {
"type": "string",
"mandatory": false
},
"authentication_kind": {
"type": "string",
"mandatory": false,
"options": [
"internal",
"authelia"
]
},
"authentication_data_authelia_client_id": {
"type": "string",
"mandatory": false
},
"authentication_data_authelia_client_secret": {
"type": "string",
"mandatory": false
},
"authentication_data_authelia_url_base": {
"type": "string",
"mandatory": false
},
"guest_allow_create": {
"type": "boolean",
"mandatory": false
},
"guest_allow_change": {
"type": "boolean",
"mandatory": false
},
"free_names_mode": {
"type": "string",
"mandatory": false
}
}

28
roles/owncloud-and-nginx/cfg.schema.json Normal file
View file

@ -0,0 +1,28 @@
{
"nullable": false,
"type": "object",
"properties": {
"domain": {
"nullable": false,
"type": "string"
},
"tls_mode": {
"nullable": false,
"type": "string",
"enum": [
"disable",
"enable",
"force"
],
"default": "force"
},
"maximum_upload_size": {
"type": "string",
"default": "1G"
}
},
"additionalProperties": false,
"required": [
"domain"
]
}

7
roles/owncloud-and-nginx/defaults/main.json
View file

@ -1,5 +1,6 @@
{
"var_owncloud_and_nginx_domain": "owncloud.example.org",
"var_owncloud_and_nginx_tls_mode": "force",
"var_owncloud_and_nginx_maximum_upload_size": "1G"
"cfg_owncloud_and_nginx_defaults": {
"tls_mode": "force",
"maximum_upload_size": "1G"
}
}

13
roles/owncloud-and-nginx/tasks/main.json
View file

@ -1,4 +1,11 @@
[
{
"name": "show vars",
"when": "switch_show_vars",
"ansible.builtin.debug": {
"var": "vars.cfg_owncloud_and_nginx"
}
},
{
"name": "deactivate default site",
"become": true,
@ -12,7 +19,7 @@
"become": true,
"ansible.builtin.template": {
"src": "conf.j2",
"dest": "/etc/nginx/sites-available/{{var_owncloud_and_nginx_domain}}"
"dest": "/etc/nginx/sites-available/{{cfg_owncloud_and_nginx.domain}}"
}
},
{
@ -20,8 +27,8 @@
"become": true,
"ansible.builtin.file": {
"state": "link",
"src": "/etc/nginx/sites-available/{{var_owncloud_and_nginx_domain}}",
"dest": "/etc/nginx/sites-enabled/{{var_owncloud_and_nginx_domain}}"
"src": "/etc/nginx/sites-available/{{cfg_owncloud_and_nginx.domain}}",
"dest": "/etc/nginx/sites-enabled/{{cfg_owncloud_and_nginx.domain}}"
}
},
{

14
roles/owncloud-and-nginx/templates/conf.j2
View file

@ -1,7 +1,7 @@
{% macro owncloud_common() %}
location / {
proxy_pass http://localhost:9200;
client_max_body_size {{var_owncloud_and_nginx_maximum_upload_size}};
client_max_body_size {{cfg_owncloud_and_nginx.maximum_upload_size}};
}
{% endmacro %}
@ -9,24 +9,24 @@ server {
listen 80;
listen [::]:80;
server_name {{var_owncloud_and_nginx_domain}};
server_name {{cfg_owncloud_and_nginx.domain}};
{% if var_owncloud_and_nginx_tls_mode == 'force' %}
{% if cfg_owncloud_and_nginx.tls_mode == 'force' %}
return 301 https://$http_host$request_uri;
{% else %}
{{ owncloud_common() }}
{% endif %}
}
{% if var_owncloud_and_nginx_tls_mode != 'disable' %}
{% if cfg_owncloud_and_nginx.tls_mode != 'disable' %}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name {{var_owncloud_and_nginx_domain}};
server_name {{cfg_owncloud_and_nginx.domain}};
ssl_certificate_key /etc/ssl/private/{{var_owncloud_and_nginx_domain}}.pem;
ssl_certificate /etc/ssl/fullchains/{{var_owncloud_and_nginx_domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{cfg_owncloud_and_nginx.domain}}.pem;
ssl_certificate /etc/ssl/fullchains/{{cfg_owncloud_and_nginx.domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
{{ owncloud_common() }}

20
roles/owncloud-and-nginx/vardef.json
View file

@ -1,20 +0,0 @@
{
"domain": {
"type": "string",
"mandatory": false
},
"tls_mode": {
"type": "string",
"options": [
"disable",
"enable",
"force"
],
"mandatory": false
},
"maximum_upload_size": {
"type": "string",
"mandatory": false
}
}

1
roles/owncloud/templates/csp.yaml.j2
View file

@ -1,6 +1,7 @@
directives:
connect-src:
- '''self'''
- 'https://{{cfg_owncloud.domain}}'
{% if cfg_owncloud.authentication.kind == 'authelia' %}
- '{{cfg_owncloud.authentication.data.url_base}}'
{% endif %}

4
roles/owncloud/templates/env.j2
View file

@ -12,8 +12,8 @@ WEB_OIDC_RESPONSE_TYPE=code
WEB_OIDC_SCOPE=openid profile email groups
WEB_OPTION_LOGIN_URL={{cfg_owncloud.authentication.data.url_base}}
WEB_OPTION_LOGOUT_URL={{cfg_owncloud.authentication.data.url_base}}
WEB_UI_THEME_SERVER={{cfg_owncloud.domain}}
WEB_UI_CONFIG_SERVER={{cfg_owncloud.domain}}
WEB_UI_THEME_SERVER=https://{{cfg_owncloud.domain}}
WEB_UI_CONFIG_SERVER=https://{{cfg_owncloud.domain}}
{% endif %}
## other clients

14
roles/tlscert_selfsigned/cfg.schema.json Normal file
View file

@ -0,0 +1,14 @@
{
"nullable": false,
"type": "object",
"properties": {
"domain": {
"nullable": false,
"type": "string"
}
},
"additionalProperties": false,
"required": [
"domain"
]
}

3
roles/tlscert_selfsigned/defaults/main.json
View file

@ -1,3 +1,4 @@
{
"var_tlscert_selfsigned_domain": "foo.example.org"
"cfg_tlscert_selfsigned_defaults": {
}
}

25
roles/tlscert_selfsigned/tasks/main.json
View file

@ -1,4 +1,11 @@
[
{
"name": "show vars",
"when": "switch_show_vars",
"ansible.builtin.debug": {
"var": "vars.cfg_tlscert_selfsigned"
}
},
{
"name": "install packages",
"become": true,
@ -28,19 +35,19 @@
"name": "csr | generate private key",
"become": true,
"community.crypto.openssl_privatekey": {
"path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem"
"path": "/etc/ssl/private/{{cfg_tlscert_selfsigned.domain}}.pem"
}
},
{
"name": "csr | execute",
"become": true,
"community.crypto.openssl_csr": {
"privatekey_path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem",
"common_name": "{{var_tlscert_selfsigned_domain}}",
"privatekey_path": "/etc/ssl/private/{{cfg_tlscert_selfsigned.domain}}.pem",
"common_name": "{{cfg_tlscert_selfsigned.domain}}",
"subject_alt_name": [
"DNS:{{var_tlscert_selfsigned_domain}}"
"DNS:{{cfg_tlscert_selfsigned.domain}}"
],
"path": "/etc/ssl/csr/{{var_tlscert_selfsigned_domain}}.pem"
"path": "/etc/ssl/csr/{{cfg_tlscert_selfsigned.domain}}.pem"
},
"register": "temp_csr"
},
@ -48,17 +55,17 @@
"name": "generate certificate",
"become": true,
"community.crypto.x509_certificate": {
"privatekey_path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem",
"csr_path": "/etc/ssl/csr/{{var_tlscert_selfsigned_domain}}.pem",
"privatekey_path": "/etc/ssl/private/{{cfg_tlscert_selfsigned.domain}}.pem",
"csr_path": "/etc/ssl/csr/{{cfg_tlscert_selfsigned.domain}}.pem",
"provider": "selfsigned",
"path": "/etc/ssl/certs/{{var_tlscert_selfsigned_domain}}.pem"
"path": "/etc/ssl/certs/{{cfg_tlscert_selfsigned.domain}}.pem"
}
},
{
"name": "compose fullchain",
"become": true,
"ansible.builtin.shell": {
"cmd": "cat /etc/ssl/certs/{{var_tlscert_selfsigned_domain}}.pem > /etc/ssl/fullchains/{{var_tlscert_selfsigned_domain}}.pem"
"cmd": "cat /etc/ssl/certs/{{cfg_tlscert_selfsigned.domain}}.pem > /etc/ssl/fullchains/{{cfg_tlscert_selfsigned.domain}}.pem"
}
}
]