From 33491acb3768a12a777a2980dafd6cb87860c72c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 8 Oct 2025 11:20:09 +0200 Subject: [PATCH] [int] --- roles/authelia-and-nginx/cfg.schema.json | 24 ++ roles/authelia-and-nginx/defaults/main.json | 5 +- roles/authelia-and-nginx/tasks/main.json | 13 +- roles/authelia-and-nginx/templates/conf.j2 | 12 +- roles/authelia-and-nginx/vardef.json | 15 - roles/authelia-for-hedgedoc/cfg.schema.json | 24 ++ .../authelia-for-hedgedoc/defaults/main.json | 6 +- roles/authelia-for-hedgedoc/tasks/main.json | 9 +- .../templates/authelia-client-conf.json.j2 | 4 +- roles/hedgedoc-and-nginx/cfg.schema.json | 24 ++ roles/hedgedoc-and-nginx/defaults/main.json | 5 +- roles/hedgedoc-and-nginx/tasks/main.json | 13 +- roles/hedgedoc-and-nginx/templates/conf.j2 | 10 +- roles/hedgedoc-and-nginx/vardef.json | 15 - roles/hedgedoc/cfg.schema.json | 264 ++++++++++++++++++ roles/hedgedoc/defaults/main.json | 37 ++- roles/hedgedoc/tasks/main.json | 21 +- roles/hedgedoc/templates/config.json.j2 | 48 ++-- roles/hedgedoc/templates/systemd-unit.j2 | 4 +- roles/hedgedoc/vardef.json | 87 ------ roles/owncloud-and-nginx/cfg.schema.json | 28 ++ roles/owncloud-and-nginx/defaults/main.json | 7 +- roles/owncloud-and-nginx/tasks/main.json | 13 +- roles/owncloud-and-nginx/templates/conf.j2 | 14 +- roles/owncloud-and-nginx/vardef.json | 20 -- roles/owncloud/templates/csp.yaml.j2 | 1 + roles/owncloud/templates/env.j2 | 4 +- roles/tlscert_selfsigned/cfg.schema.json | 14 + roles/tlscert_selfsigned/defaults/main.json | 3 +- roles/tlscert_selfsigned/tasks/main.json | 25 +- 30 files changed, 528 insertions(+), 241 deletions(-) create mode 100644 roles/authelia-and-nginx/cfg.schema.json delete mode 100644 roles/authelia-and-nginx/vardef.json create mode 100644 roles/authelia-for-hedgedoc/cfg.schema.json create mode 100644 roles/hedgedoc-and-nginx/cfg.schema.json delete mode 100644 roles/hedgedoc-and-nginx/vardef.json create mode 100644 roles/hedgedoc/cfg.schema.json delete mode 100644 roles/hedgedoc/vardef.json create 
mode 100644 roles/owncloud-and-nginx/cfg.schema.json
delete mode 100644 roles/owncloud-and-nginx/vardef.json
create mode 100644 roles/tlscert_selfsigned/cfg.schema.json
diff --git a/roles/authelia-and-nginx/cfg.schema.json b/roles/authelia-and-nginx/cfg.schema.json
new file mode 100644
index 0000000..59e399d
--- /dev/null
+++ b/roles/authelia-and-nginx/cfg.schema.json
@@ -0,0 +1,24 @@
+{
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "domain": {
+ "nullable": false,
+ "type": "string"
+ },
+ "tls_mode": {
+ "nullable": false,
+ "type": "string",
+ "options": [
+ "disable",
+ "enable",
+ "force"
+ ],
+ "enum": "force"
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "domain"
+ ]
+}
diff --git a/roles/authelia-and-nginx/defaults/main.json b/roles/authelia-and-nginx/defaults/main.json
index 0aaf1b7..28e3be5 100644
--- a/roles/authelia-and-nginx/defaults/main.json
+++ b/roles/authelia-and-nginx/defaults/main.json
@@ -1,4 +1,5 @@
 {
- "var_authelia_and_nginx_domain": "authelia.example.org",
- "var_authelia_and_nginx_tls_mode": "force"
+ "cfg_authelia_and_nginx_defaults": {
+ "tls_mode": "force"
+ }
 }
diff --git a/roles/authelia-and-nginx/tasks/main.json b/roles/authelia-and-nginx/tasks/main.json
index 87dcf2b..c56c915 100644
--- a/roles/authelia-and-nginx/tasks/main.json
+++ b/roles/authelia-and-nginx/tasks/main.json
@@ -1,4 +1,11 @@
 [
+ {
+ "name": "show vars",
+ "when": "switch_show_vars",
+ "ansible.builtin.debug": {
+ "var": "vars.cfg_authelia_and_nginx"
+ }
+ },
 {
 "name": "deactivate default site",
 "become": true,
@@ -12,7 +19,7 @@
 "become": true,
 "ansible.builtin.template": {
 "src": "conf.j2",
- "dest": "/etc/nginx/sites-available/{{var_authelia_and_nginx_domain}}"
+ "dest": "/etc/nginx/sites-available/{{cfg_authelia_and_nginx.domain}}"
 }
 },
 {
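Review bot: In the `tls_mode` property, `"enum": "force"` is a scalar where JSON Schema requires an array, and the permitted values are listed under `"options"`, which is not a schema keyword, so the constraint is not enforced and a strict validator may reject the schema outright. The sibling `roles/owncloud-and-nginx/cfg.schema.json` in this patch has the intended shape: `"enum": ["disable", "enable", "force"],` followed by `"default": "force"`. `roles/hedgedoc-and-nginx/cfg.schema.json` carries the same unenforced `"options"` key (with a correct `default`) and should be aligned too. Whether a misspelled `tls_mode` then fails validation or silently takes the non-`force` branch of conf.j2 depends on the validator, which is not visible here.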
@@ -20,8 +27,8 @@ "become": true, "ansible.builtin.file": { "state": "link", - "src": "/etc/nginx/sites-available/{{var_authelia_and_nginx_domain}}", - "dest": "/etc/nginx/sites-enabled/{{var_authelia_and_nginx_domain}}" + "src": "/etc/nginx/sites-available/{{cfg_authelia_and_nginx.domain}}", + "dest": "/etc/nginx/sites-enabled/{{cfg_authelia_and_nginx.domain}}" } }, { diff --git a/roles/authelia-and-nginx/templates/conf.j2 b/roles/authelia-and-nginx/templates/conf.j2 index cd3b8d6..2b99bcb 100644 --- a/roles/authelia-and-nginx/templates/conf.j2 +++ b/roles/authelia-and-nginx/templates/conf.j2 @@ -45,27 +45,27 @@ {% endmacro %} server { - server_name {{var_authelia_and_nginx_domain}}; + server_name {{cfg_authelia_and_nginx.domain}}; listen 80; listen [::]:80; -{% if (var_authelia_and_nginx_tls_mode == 'force') %} +{% if (cfg_authelia_and_nginx.tls_mode == 'force') %} return 301 https://$http_host$request_uri; {% else %} {{ authelia_common() }} {% endif %} } -{% if (var_authelia_and_nginx_tls_mode != 'disable') %} +{% if (cfg_authelia_and_nginx.tls_mode != 'disable') %} server { - server_name {{var_authelia_and_nginx_domain}}; + server_name {{cfg_authelia_and_nginx.domain}}; listen [::]:443 ssl http2; listen 443 ssl http2; - ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem; - ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem; + ssl_certificate_key /etc/ssl/private/{{cfg_authelia_and_nginx.domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{cfg_authelia_and_nginx.domain}}.pem; include /etc/nginx/ssl-hardening.conf; {{ authelia_common() }} diff --git a/roles/authelia-and-nginx/vardef.json b/roles/authelia-and-nginx/vardef.json deleted file mode 100644 index b78ac7a..0000000 --- a/roles/authelia-and-nginx/vardef.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "domain": { - "type": "string", - "mandatory": false - }, - "tls_mode": { - "type": "string", - "options": [ - "disable", - "enable", - "force" - ], - "mandatory": false - } -} diff --git a/roles/authelia-for-hedgedoc/cfg.schema.json b/roles/authelia-for-hedgedoc/cfg.schema.json new file mode 100644 index 0000000..03e83ff --- /dev/null +++ b/roles/authelia-for-hedgedoc/cfg.schema.json @@ -0,0 +1,24 @@ +{ + "nullable": false, + "type": "object", + "properties": { + "hedgedoc_url_base": { + "nullable": false, + "type": "string", + "default": "https://hedgedoc.example.org" + }, + "client_id": { + "nullable": false, + "type": "string", + "default": "hedgedoc" + }, + "client_secret": { + "nullable": false, + "type": "string" + } + }, + "additionalProperties": false, + "required": [ + "client_secret" + ] +} diff --git a/roles/authelia-for-hedgedoc/defaults/main.json b/roles/authelia-for-hedgedoc/defaults/main.json index b1e3329..603c7fe 100644 --- a/roles/authelia-for-hedgedoc/defaults/main.json +++ b/roles/authelia-for-hedgedoc/defaults/main.json @@ -1,5 +1,5 @@ { - "var_authelia_for_hedgedoc_hedgedoc_url_base": "https://hedgedoc.example.org", - "var_authelia_for_hedgedoc_client_id": "hedgedoc", - "var_authelia_for_hedgedoc_client_secret": "REPLACE_ME" + "cfg_authelia_for_hedgedoc_defaults": { + "client_id": "hedgedoc" + } } diff --git a/roles/authelia-for-hedgedoc/tasks/main.json b/roles/authelia-for-hedgedoc/tasks/main.json index d229a17..7447ebc 100644 --- a/roles/authelia-for-hedgedoc/tasks/main.json +++ b/roles/authelia-for-hedgedoc/tasks/main.json 
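Review bot: `hedgedoc_url_base` is given a schema `default` of `https://hedgedoc.example.org` while `roles/authelia-for-hedgedoc/defaults/main.json` in this patch no longer sets it, so the redirect URI registered with Authelia falls back to a placeholder host whenever an operator omits the key, and the OIDC callback then points at a domain this deployment does not control. Since `client_secret` is already in `required`, list `hedgedoc_url_base` there as well and drop the placeholder default, i.e. `"required": ["hedgedoc_url_base", "client_secret"]`. Whether the loader applies schema `default` values at all is not visible in this patch; if it does not, the template renders an undefined variable instead, which argues for the same change.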
@@ -1,9 +1,16 @@
 [
+ {
+ "name": "show vars",
+ "when": "switch_show_vars",
+ "ansible.builtin.debug": {
+ "var": "vars.cfg_authelia_for_hedgedoc"
+ }
+ },
 {
 "name": "configuration | compute client secret hash",
 "become": true,
 "ansible.builtin.shell": {
- "cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_hedgedoc_client_secret}} | cut --delimiter=' ' --fields='2-'"
+ "cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_hedgedoc.client_secret}} | cut --delimiter=' ' --fields='2-'"
 },
 "register": "temp_authelia_for_hedgedoc_client_secret_hashed"
 },
diff --git a/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 b/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2
index 49a0c41..4547107 100644
--- a/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2
+++ b/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2
@@ -1,5 +1,5 @@
 {
- "client_id": "{{var_authelia_for_hedgedoc_client_id}}",
+ "client_id": "{{cfg_authelia_for_hedgedoc.client_id}}",
 "client_secret": "{{temp_authelia_for_hedgedoc_client_secret_hashed.stdout}}",
 "client_name": "Hedgedoc",
 "public": false,
@@ -10,7 +10,7 @@
 "profile"
 ],
 "redirect_uris": [
- "{{var_authelia_for_hedgedoc_hedgedoc_url_base}}/auth/oauth2/callback"
+ "{{cfg_authelia_for_hedgedoc.hedgedoc_url_base}}/auth/oauth2/callback"
 ],
 "response_types": [
 "code"
diff --git a/roles/hedgedoc-and-nginx/cfg.schema.json b/roles/hedgedoc-and-nginx/cfg.schema.json
new file mode 100644
index 0000000..a56a3c2
--- /dev/null
+++ b/roles/hedgedoc-and-nginx/cfg.schema.json
@@ -0,0 +1,24 @@
+{
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "domain": {
+ "nullable": false,
+ "type": "string"
+ },
+ "tls_mode": {
+ "nullable": false,
+ "type": "string",
+ "options": [
+ "disable",
+ "enable",
+ "force"
+ ],
+ "default": "force"
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "domain"
+ ]
+}
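Review bot: The client secret is still interpolated unquoted into an `ansible.builtin.shell` command on the `cmd` line, so a secret containing whitespace or shell metacharacters changes the command, and the plaintext value is echoed in task output under `-v` and, while the hash call runs, is typically visible to other local users through the process list. Quoting it with `--password {{ cfg_authelia_for_hedgedoc.client_secret | quote }}` and adding `"no_log": true` to the task keeps the plaintext out of logs; the registered `.stdout` is only the bcrypt hash, so the downstream template is unaffected. The new `show vars` task in this hunk prints the whole `cfg_authelia_for_hedgedoc` object, secret included, whenever `switch_show_vars` is set; the same applies to the hedgedoc role, whose object carries `session_secret` and the database password. Redact before printing, e.g. `"msg": "{{ cfg_authelia_for_hedgedoc | combine({'client_secret': '<redacted>'}) }}"` in place of the `var` lookup.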
diff --git a/roles/hedgedoc-and-nginx/defaults/main.json b/roles/hedgedoc-and-nginx/defaults/main.json index aec6aa3..fec05a1 100644 --- a/roles/hedgedoc-and-nginx/defaults/main.json +++ b/roles/hedgedoc-and-nginx/defaults/main.json @@ -1,4 +1,5 @@ { - "var_hedgedoc_and_nginx_domain": "hedgedoc.example.org", - "var_hedgedoc_and_nginx_tls_mode": "force" + "cfg_hedgedoc_and_nginx_defaults": { + "tls_mode": "force" + } } diff --git a/roles/hedgedoc-and-nginx/tasks/main.json b/roles/hedgedoc-and-nginx/tasks/main.json index 40614bb..560d8a3 100644 --- a/roles/hedgedoc-and-nginx/tasks/main.json +++ b/roles/hedgedoc-and-nginx/tasks/main.json @@ -1,4 +1,11 @@ [ + { + "name": "show vars", + "when": "switch_show_vars", + "ansible.builtin.debug": { + "var": "vars.cfg_hedgedoc_and_nginx" + } + }, { "name": "deactivate default site", "become": true, @@ -12,7 +19,7 @@ "become": true, "ansible.builtin.template": { "src": "conf.j2", - "dest": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}" + "dest": "/etc/nginx/sites-available/{{cfg_hedgedoc_and_nginx.domain}}" } }, { @@ -20,8 +27,8 @@ "become": true, "ansible.builtin.file": { "state": "link", - "src": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}", - "dest": "/etc/nginx/sites-enabled/{{var_hedgedoc_and_nginx_domain}}" + "src": "/etc/nginx/sites-available/{{cfg_hedgedoc_and_nginx.domain}}", + "dest": "/etc/nginx/sites-enabled/{{cfg_hedgedoc_and_nginx.domain}}" } }, { diff --git a/roles/hedgedoc-and-nginx/templates/conf.j2 b/roles/hedgedoc-and-nginx/templates/conf.j2 index b9c6601..b6c6521 100644 --- a/roles/hedgedoc-and-nginx/templates/conf.j2 +++ b/roles/hedgedoc-and-nginx/templates/conf.j2 @@ -24,7 +24,7 @@ map $http_upgrade $connection_upgrade { {% endmacro %} server { - server_name {{var_hedgedoc_and_nginx_domain}}; + server_name {{cfg_hedgedoc_and_nginx.domain}}; listen 80; listen [::]:80; 
@@ -36,15 +36,15 @@ server { {% endif %} } -{% if (var_hedgedoc_and_nginx_tls_mode != 'disable') %} +{% if (cfg_hedgedoc_and_nginx.tls_mode != 'disable') %} server { - server_name {{var_hedgedoc_and_nginx_domain}}; + server_name {{cfg_hedgedoc_and_nginx.domain}}; listen [::]:443 ssl http2; listen 443 ssl http2; - ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem; - ssl_certificate /etc/ssl/fullchains/{{var_hedgedoc_and_nginx_domain}}.pem; + ssl_certificate_key /etc/ssl/private/{{cfg_hedgedoc_and_nginx.domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{cfg_hedgedoc_and_nginx.domain}}.pem; include /etc/nginx/ssl-hardening.conf; {{ hedgedoc_common() }} diff --git a/roles/hedgedoc-and-nginx/vardef.json b/roles/hedgedoc-and-nginx/vardef.json deleted file mode 100644 index b78ac7a..0000000 --- a/roles/hedgedoc-and-nginx/vardef.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "domain": { - "type": "string", - "mandatory": false - }, - "tls_mode": { - "type": "string", - "options": [ - "disable", - "enable", - "force" - ], - "mandatory": false - } -} diff --git a/roles/hedgedoc/cfg.schema.json b/roles/hedgedoc/cfg.schema.json new file mode 100644 index 0000000..11bd79b --- /dev/null +++ b/roles/hedgedoc/cfg.schema.json 
@@ -0,0 +1,264 @@ +{ + "nullable": false, + "type": "object", + "properties": { + "user_name": { + "nullable": false, + "type": "string", + "default": "hedgedoc" + }, + "directory": { + "nullable": false, + "type": "string", + "default": "/opt/hedgedoc" + }, + "version": { + "nullable": false, + "type": "string", + "version": "1.9.9" + }, + "session_secret": { + "nullable": false, + "type": "string" + }, + "domain": { + "nullable": false, + "type": "string", + "default": "hedgedoc.example.org" + }, + "database": { + "anyOf": [ + { + "nullable": false, + "type": "object", + "properties": { + "kind": { + "nullable": false, + "type": "string", + "enum": ["sqlite"] + }, + "data": { + "nullable": false, + "type": "object", + "properties": { + "path": { + "nullable": false, + "type": "string", + "default": "/var/hedgedoc/data.sqlite" + } + }, + "additionalProperties": false, + "required": [ + ], + "default": { + } + } + }, + "additionalProperties": false, + "required": [ + "kind" + ] + }, + { + "nullable": false, + "type": "object", + "properties": { + "kind": { + "nullable": false, + "type": "string", + "enum": ["postgresql"] + }, + "data": { + "nullable": false, + "type": "object", + "properties": { + "host": { + "nullable": false, + "type": "string", + "default": "localhost" + }, + "port": { + "nullable": false, + "type": "integer", + "default": 5432 + }, + "username": { + "nullable": false, + "type": "string", + "default": "hedgedoc_user" + }, + "password": { + "nullable": false, + "type": "string" + }, + "schema": { + "nullable": false, + "type": "string", + "default": "hedgedoc" + } + }, + "additionalProperties": false, + "required": [ + "password" + ] + } + }, + "additionalProperties": false, + "required": [ + "kind", + "data" + ] + }, + { + "nullable": false, + "type": "object", + "properties": { + "kind": { + "nullable": false, + "type": "string", + "enum": ["mariadb"] + }, + "data": { + "nullable": false, + "type": "object", + "properties": { + "host": { + 
"nullable": false, + "type": "string", + "default": "localhost" + }, + "port": { + "nullable": false, + "type": "integer", + "default": 3306 + }, + "username": { + "nullable": false, + "type": "string", + "default": "hedgedoc_user" + }, + "password": { + "nullable": false, + "type": "string" + }, + "schema": { + "nullable": false, + "type": "string", + "default": "hedgedoc" + } + }, + "additionalProperties": false, + "required": [ + "password" + ] + } + }, + "additionalProperties": false, + "required": [ + "kind", + "data" + ] + } + ] + }, + "authentication": { + "anyOf": [ + { + "nullable": false, + "type": "object", + "properties": { + "kind": { + "nullable": false, + "type": "string", + "enum": ["internal"] + }, + "data": { + "nullable": false, + "type": "object", + "properties": { + }, + "additionalProperties": false, + "required": [ + ] + } + }, + "additionalProperties": false, + "required": [ + "kind" + ] + }, + { + "nullable": false, + "type": "object", + "properties": { + "kind": { + "nullable": false, + "type": "string", + "enum": ["authelia"] + }, + "data": { + "nullable": false, + "type": "object", + "properties": { + "url_base": { + "nullable": false, + "type": "string" + }, + "client_id": { + "nullable": false, + "type": "string", + "default": "hedgedoc" + }, + "client_secret": { + "nullable": false, + "type": "string" + } + }, + "additionalProperties": false, + "required": [ + "url_base", + "client_secret" + ] + } + }, + "additionalProperties": false, + "required": [ + "kind" + ] + } + ] + }, + "log_level": { + "nullable": false, + "type": "string", + "enum": [ + "debug", + "verbose", + "info", + "warn", + "error" + ], + "default": "error" + }, + "guest_allow_create": { + "nullable": false, + "type": "boolean", + "default": false + }, + "guest_allow_change": { + "nullable": false, + "type": "boolean", + "default": false + }, + "free_names_mode": { + "nullable": false, + "type": "string", + "default": "authed" + } + }, + "additionalProperties": false, 
+ "required": [ + "domain", + "session_secret" + ] +} diff --git a/roles/hedgedoc/defaults/main.json b/roles/hedgedoc/defaults/main.json index 5dc2820..98e2b3d 100644 --- a/roles/hedgedoc/defaults/main.json +++ b/roles/hedgedoc/defaults/main.json @@ -1,21 +1,20 @@ { - "var_hedgedoc_user_name": "hedgedoc", - "var_hedgedoc_directory": "/opt/hedgedoc", - "var_hedgedoc_version": "1.9.9", - "var_hedgedoc_session_secret": "REPLACE_ME", - "var_hedgedoc_database_kind": "sqlite", - "var_hedgedoc_database_data_sqlite_path": "/var/hedgedoc/data.sqlite", - "var_hedgedoc_database_data_postgresql_host": "localhost", - "var_hedgedoc_database_data_postgresql_port": 5432, - "var_hedgedoc_database_data_postgresql_username": "hedgedoc_user", - "var_hedgedoc_database_data_postgresql_password": "REPLACE_ME", - "var_hedgedoc_database_data_postgresql_schema": "hedgedoc", - "var_hedgedoc_domain": "hedgedoc.example.org", - "var_hedgedoc_authentication_kind": "internal", - "var_hedgedoc_authentication_data_authelia_client_id": "hedgedoc", - "var_hedgedoc_authentication_data_authelia_client_secret": "REPLACE_ME", - "var_hedgedoc_authentication_data_authelia_url_base": "https://authelia.example.org", - "var_hedgedoc_guest_allow_create": false, - "var_hedgedoc_guest_allow_change": false, - "var_hedgedoc_free_names_mode": "authed" + "cfg_hedgedoc_defaults": { + "user_name": "hedgedoc", + "directory": "/opt/hedgedoc", + "version": "1.9.9", + "database": { + "kind": "sqlite", + "data": { + "path": "/var/hedgedoc/data.sqlite" + } + }, + "authentication": { + "kind": "internal" + }, + "log_level": "error", + "guest_allow_create": false, + "guest_allow_change": false, + "free_names_mode": "authed" + } } diff --git a/roles/hedgedoc/tasks/main.json b/roles/hedgedoc/tasks/main.json index 5347cc1..8b97d27 100644 --- a/roles/hedgedoc/tasks/main.json +++ b/roles/hedgedoc/tasks/main.json 
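Review bot: The `authelia` variant of `authentication.data` closes the object with `"additionalProperties": false` and lists only `url_base`, `client_id` and `client_secret`, yet `roles/hedgedoc/templates/config.json.j2` in this patch renders `cfg_hedgedoc.authentication.data.provider_name`; an Authelia deployment therefore either fails validation when `provider_name` is supplied or renders an undefined variable. Add `"provider_name": { "nullable": false, "type": "string" }` to that object (with a default if one is intended). In the `version` property, `"version": "1.9.9"` looks like a mistyped `"default": "1.9.9"`, since every sibling uses `default`. `free_names_mode` is a free string although the template only acts on `never`, `authed` and `always`, so a misspelling yields a config with no `allowFreeURL` key at all; `"enum": ["never", "authed", "always"]` would catch it. `domain` is both listed in `required` and given a `default`, which is contradictory; keep one.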
@@ -1,4 +1,11 @@
 [
+ {
+ "name": "show vars",
+ "when": "switch_show_vars",
+ "ansible.builtin.debug": {
+ "var": "vars.cfg_hedgedoc"
+ }
+ },
 {
 "name": "packages",
 "become": true,
@@ -26,16 +33,16 @@
 "name": "user",
 "become": true,
 "ansible.builtin.user": {
- "name": "{{var_hedgedoc_user_name}}",
+ "name": "{{cfg_hedgedoc.user_name}}",
 "create_home": true,
- "home": "{{var_hedgedoc_directory}}"
+ "home": "{{cfg_hedgedoc.directory}}"
 }
 },
 {
 "name": "download",
 "become": false,
 "ansible.builtin.get_url": {
- "url": "https://github.com/hedgedoc/hedgedoc/releases/download/{{var_hedgedoc_version}}/hedgedoc-{{var_hedgedoc_version}}.tar.gz",
+ "url": "https://github.com/hedgedoc/hedgedoc/releases/download/{{cfg_hedgedoc.version}}/hedgedoc-{{cfg_hedgedoc.version}}.tar.gz",
 "dest": "/tmp/hedgedoc.tar.gz"
 }
 },
@@ -45,8 +52,8 @@
 "ansible.builtin.unarchive": {
 "remote_src": true,
 "src": "/tmp/hedgedoc.tar.gz",
- "dest": "{{var_hedgedoc_directory | dirname}}",
- "owner": "{{var_hedgedoc_user_name}}"
+ "dest": "{{cfg_hedgedoc.directory | dirname}}",
+ "owner": "{{cfg_hedgedoc.user_name}}"
 }
 },
 {
@@ -54,7 +61,7 @@
 "become": true,
 "become_user": "hedgedoc",
 "ansible.builtin.command": {
- "chdir": "{{var_hedgedoc_directory}}",
+ "chdir": "{{cfg_hedgedoc.directory}}",
 "cmd": "bin/setup"
 }
 },
@@ -63,7 +70,7 @@
 "become": true,
 "ansible.builtin.template": {
 "src": "config.json.j2",
- "dest": "{{var_hedgedoc_directory}}/config.json"
+ "dest": "{{cfg_hedgedoc.directory}}/config.json"
 }
 },
 {
diff --git a/roles/hedgedoc/templates/config.json.j2 b/roles/hedgedoc/templates/config.json.j2
index 509e4b6..b4dddc1 100644
--- a/roles/hedgedoc/templates/config.json.j2
+++ b/roles/hedgedoc/templates/config.json.j2
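Review bot: `"become_user": "hedgedoc"` in the `bin/setup` task is still a literal while the account that owns the tree is now `cfg_hedgedoc.user_name` (see the `user` and `unarchive` hunks above); with a non-default user name the setup step runs as a different, possibly nonexistent, user and leaves build artefacts with the wrong owner. Use `"become_user": "{{cfg_hedgedoc.user_name}}"` so the two cannot drift apart. The enclosing task begins before this hunk.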
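Review bot: The template task writes `config.json`, which carries `sessionSecret`, the database password and the OAuth client secret, with `become: true` and no `owner`/`mode`, so the file lands root-owned with whatever the umask yields (commonly world-readable), and under a restrictive umask the service, which runs as `cfg_hedgedoc.user_name` per the systemd unit, cannot read it at all. Add `"owner": "{{cfg_hedgedoc.user_name}}"` and `"mode": "0600"` to the `ansible.builtin.template` call. The enclosing task begins before this hunk.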
@@ -1,61 +1,61 @@ { "production": { - "loglevel": "error", -{% if var_hedgedoc_database_kind == 'sqlite' %} + "loglevel": "{{cfg_hedgedoc.log_level}}", +{% if cfg_hedgedoc.database.kind == 'sqlite' %} "db": { "dialect": "sqlite", - "storage": "{{var_hedgedoc_database_data_sqlite_path}}" + "storage": "{{cfg_hedgedoc.database.data.path}}" }, {% endif %} -{% if var_hedgedoc_database_kind == 'postgresql' %} +{% if cfg_hedgedoc.database.kind == 'postgresql' %} "db": { "dialect": "postgres", - "host": "{{var_hedgedoc_database_data_postgresql_host}}", - "port": {{var_hedgedoc_database_data_postgresql_port | to_json}}, - "username": "{{var_hedgedoc_database_data_postgresql_username}}", - "password": "{{var_hedgedoc_database_data_postgresql_password}}", - "database": "{{var_hedgedoc_database_data_postgresql_schema}}" + "host": "{{cfg_hedgedoc.database.data.host}}", + "port": {{cfg_hedgedoc.database.data.port | to_json}}, + "username": "{{cfg_hedgedoc.database.data.username}}", + "password": "{{cfg_hedgedoc.database.data.password}}", + "database": "{{cfg_hedgedoc.database.data.schema}}" }, {% endif %} - "sessionSecret": "{{var_hedgedoc_session_secret}}", + "sessionSecret": "{{cfg_hedgedoc.session_secret}}", "host": "localhost", "allowOrigin": [ "localhost" ], - "domain": "{{var_hedgedoc_domain}}", + "domain": "{{cfg_hedgedoc.domain}}", "urlAddPort": false, "protocolUseSSL": true, -{% if var_hedgedoc_authentication_kind == 'internal' %} +{% if cfg_hedgedoc.authentication.kind == 'internal' %} "email": true, "allowEmailRegister": true, {% endif %} -{% if var_hedgedoc_authentication_kind == 'authelia' %} +{% if cfg_hedgedoc.authentication.kind == 'authelia' %} "oauth2": { - "providerName": "{{var_hedgedoc_authentication_data_authelia_provider_name}}", - "clientID": "{{var_hedgedoc_authentication_data_authelia_client_id}}", - "clientSecret": "{{var_hedgedoc_authentication_data_authelia_client_secret}}", + "providerName": "{{cfg_hedgedoc.authentication.data.provider_name}}", + 
"clientID": "{{cfg_hedgedoc.authentication.data.client_id}}", + "clientSecret": "{{cfg_hedgedoc.authentication.data.client_secret}}", "scope": "openid email profile", "userProfileUsernameAttr": "sub", "userProfileDisplayNameAttr": "name", "userProfileEmailAttr": "email", - "userProfileURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/api/oidc/userinfo", - "tokenURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/api/oidc/token", - "authorizationURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/api/oidc/authorization" + "userProfileURL": "{{cfg_hedgedoc.authentication.data.url_base}}/api/oidc/userinfo", + "tokenURL": "{{cfg_hedgedoc.authentication.data.url_base}}/api/oidc/token", + "authorizationURL": "{{cfg_hedgedoc.authentication.data.url_base}}/api/oidc/authorization" }, "email": false, "allowEmailRegister": false, {% endif %} - "allowAnonymous": {{var_hedgedoc_guest_allow_create | to_json}}, - "allowAnonymousEdits": {{var_hedgedoc_guest_allow_change | to_json}}, -{% if var_hedgedoc_free_names_mode == 'never' %} + "allowAnonymous": {{cfg_hedgedoc.guest_allow_create | to_json}}, + "allowAnonymousEdits": {{cfg_hedgedoc.guest_allow_change | to_json}}, +{% if cfg_hedgedoc.free_names_mode == 'never' %} "allowFreeURL": false, "requireFreeURLAuthentication": false, {% endif %} -{% if var_hedgedoc_free_names_mode == 'authed' %} +{% if cfg_hedgedoc.free_names_mode == 'authed' %} "allowFreeURL": true, "requireFreeURLAuthentication": true, {% endif %} -{% if var_hedgedoc_free_names_mode == 'always' %} +{% if cfg_hedgedoc.free_names_mode == 'always' %} "allowFreeURL": true, "requireFreeURLAuthentication": false, {% endif %} diff --git a/roles/hedgedoc/templates/systemd-unit.j2 b/roles/hedgedoc/templates/systemd-unit.j2 index 000bd6e..7a1d54f 100644 --- a/roles/hedgedoc/templates/systemd-unit.j2 +++ b/roles/hedgedoc/templates/systemd-unit.j2 
@@ -3,8 +3,8 @@ Description=Hedgedoc After=multi-user.target [Service] -WorkingDirectory={{var_hedgedoc_directory}} -User={{var_hedgedoc_user_name}} +WorkingDirectory={{cfg_hedgedoc.directory}} +User={{cfg_hedgedoc.user_name}} Environment="NODE_ENV=production" ExecStart=yarn start SyslogIdentifier=hedgedoc diff --git a/roles/hedgedoc/vardef.json b/roles/hedgedoc/vardef.json deleted file mode 100644 index cb6e8d6..0000000 --- a/roles/hedgedoc/vardef.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "user_name": { - "type": "string", - "mandatory": false - }, - "directory": { - "type": "string", - "mandatory": false - }, - "version": { - "type": "string", - "mandatory": false - }, - "session_secret": { - "type": "string", - "mandatory": true - }, - "database_kind": { - "type": "string", - "mandatory": false, - "options": [ - "sqlite", - "postgresql", - "mariadb" - ] - }, - "database_data_sqlite_path": { - "type": "string", - "mandatory": false - }, - "database_data_postgresql_host": { - "type": "string", - "mandatory": false - }, - "database_data_postgresql_port": { - "type": "integer", - "mandatory": false - }, - "database_data_postgresql_username": { - "type": "string", - "mandatory": false - }, - "database_data_postgresql_password": { - "type": "string", - "mandatory": false - }, - "database_data_postgresql_schema": { - "type": "string", - "mandatory": false - }, - "domain": { - "type": "string", - "mandatory": false - }, - "authentication_kind": { - "type": "string", - "mandatory": false, - "options": [ - "internal", - "authelia" - ] - }, - "authentication_data_authelia_client_id": { - "type": "string", - "mandatory": false - }, - "authentication_data_authelia_client_secret": { - "type": "string", - "mandatory": false - }, - "authentication_data_authelia_url_base": { - "type": "string", - "mandatory": false - }, - "guest_allow_create": { - "type": "boolean", - "mandatory": false - }, - "guest_allow_change": { - "type": "boolean", - "mandatory": false - }, - "free_names_mode": { - "type": "string", - "mandatory": false - } -} diff --git a/roles/owncloud-and-nginx/cfg.schema.json b/roles/owncloud-and-nginx/cfg.schema.json new file mode 100644 index 0000000..974342b --- /dev/null +++ b/roles/owncloud-and-nginx/cfg.schema.json 
@@ -0,0 +1,28 @@ +{ + "nullable": false, + "type": "object", + "properties": { + "domain": { + "nullable": false, + "type": "string" + }, + "tls_mode": { + "nullable": false, + "type": "string", + "enum": [ + "disable", + "enable", + "force" + ], + "default": "force" + }, + "maximum_upload_size": { + "type": "string", + "default": "1G" + } + }, + "additionalProperties": false, + "required": [ + "domain" + ] +} diff --git a/roles/owncloud-and-nginx/defaults/main.json b/roles/owncloud-and-nginx/defaults/main.json index 9ad192e..cc7e319 100644 --- a/roles/owncloud-and-nginx/defaults/main.json +++ b/roles/owncloud-and-nginx/defaults/main.json @@ -1,5 +1,6 @@ { - "var_owncloud_and_nginx_domain": "owncloud.example.org", - "var_owncloud_and_nginx_tls_mode": "force", - "var_owncloud_and_nginx_maximum_upload_size": "1G" + "cfg_owncloud_and_nginx_defaults": { + "tls_mode": "force", + "maximum_upload_size": "1G" + } } diff --git a/roles/owncloud-and-nginx/tasks/main.json b/roles/owncloud-and-nginx/tasks/main.json index 004dfa3..19e3f42 100644 --- a/roles/owncloud-and-nginx/tasks/main.json +++ b/roles/owncloud-and-nginx/tasks/main.json @@ -1,4 +1,11 @@ [ + { + "name": "show vars", + "when": "switch_show_vars", + "ansible.builtin.debug": { + "var": "vars.cfg_owncloud_and_nginx" + } + }, { "name": "deactivate default site", "become": true, @@ -12,7 +19,7 @@ "become": true, "ansible.builtin.template": { "src": "conf.j2", - "dest": "/etc/nginx/sites-available/{{var_owncloud_and_nginx_domain}}" + "dest": "/etc/nginx/sites-available/{{cfg_owncloud_and_nginx.domain}}" } }, { @@ -20,8 +27,8 @@ "become": true, "ansible.builtin.file": { "state": "link", - "src": "/etc/nginx/sites-available/{{var_owncloud_and_nginx_domain}}", - "dest": "/etc/nginx/sites-enabled/{{var_owncloud_and_nginx_domain}}" + "src": "/etc/nginx/sites-available/{{cfg_owncloud_and_nginx.domain}}", + "dest": "/etc/nginx/sites-enabled/{{cfg_owncloud_and_nginx.domain}}" } }, { 
diff --git a/roles/owncloud-and-nginx/templates/conf.j2 b/roles/owncloud-and-nginx/templates/conf.j2 index 85e67ab..db4e6ac 100644 --- a/roles/owncloud-and-nginx/templates/conf.j2 +++ b/roles/owncloud-and-nginx/templates/conf.j2 @@ -1,7 +1,7 @@ {% macro owncloud_common() %} location / { proxy_pass http://localhost:9200; - client_max_body_size {{var_owncloud_and_nginx_maximum_upload_size}}; + client_max_body_size {{cfg_owncloud_and_nginx.maximum_upload_size}}; } {% endmacro %} @@ -9,24 +9,24 @@ server { listen 80; listen [::]:80; - server_name {{var_owncloud_and_nginx_domain}}; + server_name {{cfg_owncloud_and_nginx.domain}}; -{% if var_owncloud_and_nginx_tls_mode == 'force' %} +{% if cfg_owncloud_and_nginx.tls_mode == 'force' %} return 301 https://$http_host$request_uri; {% else %} {{ owncloud_common() }} {% endif %} } -{% if var_owncloud_and_nginx_tls_mode != 'disable' %} +{% if cfg_owncloud_and_nginx.tls_mode != 'disable' %} server { listen 443 ssl; listen [::]:443 ssl; - server_name {{var_owncloud_and_nginx_domain}}; + server_name {{cfg_owncloud_and_nginx.domain}}; - ssl_certificate_key /etc/ssl/private/{{var_owncloud_and_nginx_domain}}.pem; - ssl_certificate /etc/ssl/fullchains/{{var_owncloud_and_nginx_domain}}.pem; + ssl_certificate_key /etc/ssl/private/{{cfg_owncloud_and_nginx.domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{cfg_owncloud_and_nginx.domain}}.pem; include /etc/nginx/ssl-hardening.conf; {{ owncloud_common() }} diff --git a/roles/owncloud-and-nginx/vardef.json b/roles/owncloud-and-nginx/vardef.json deleted file mode 100644 index 7872cb8..0000000 --- a/roles/owncloud-and-nginx/vardef.json +++ /dev/null @@ -1,20 +0,0 @@ - -{ - "domain": { - "type": "string", - "mandatory": false - }, - "tls_mode": { - "type": "string", - "options": [ - "disable", - "enable", - "force" - ], - "mandatory": false - }, - "maximum_upload_size": { - "type": "string", - "mandatory": false - } -} 
diff --git a/roles/owncloud/templates/csp.yaml.j2 b/roles/owncloud/templates/csp.yaml.j2 index 7953508..2373aa5 100644 --- a/roles/owncloud/templates/csp.yaml.j2 +++ b/roles/owncloud/templates/csp.yaml.j2 @@ -1,6 +1,7 @@ directives: connect-src: - '''self''' + - 'https://{{cfg_owncloud.domain}}' {% if cfg_owncloud.authentication.kind == 'authelia' %} - '{{cfg_owncloud.authentication.data.url_base}}' {% endif %} diff --git a/roles/owncloud/templates/env.j2 b/roles/owncloud/templates/env.j2 index 6511309..642330f 100644 --- a/roles/owncloud/templates/env.j2 +++ b/roles/owncloud/templates/env.j2 @@ -12,8 +12,8 @@ WEB_OIDC_RESPONSE_TYPE=code WEB_OIDC_SCOPE=openid profile email groups WEB_OPTION_LOGIN_URL={{cfg_owncloud.authentication.data.url_base}} WEB_OPTION_LOGOUT_URL={{cfg_owncloud.authentication.data.url_base}} -WEB_UI_THEME_SERVER={{cfg_owncloud.domain}} -WEB_UI_CONFIG_SERVER={{cfg_owncloud.domain}} +WEB_UI_THEME_SERVER=https://{{cfg_owncloud.domain}} +WEB_UI_CONFIG_SERVER=https://{{cfg_owncloud.domain}} {% endif %} ## other clients diff --git a/roles/tlscert_selfsigned/cfg.schema.json b/roles/tlscert_selfsigned/cfg.schema.json new file mode 100644 index 0000000..c06145c --- /dev/null +++ b/roles/tlscert_selfsigned/cfg.schema.json @@ -0,0 +1,14 @@ +{ + "nullable": false, + "type": "object", + "properties": { + "domain": { + "nullable": false, + "type": "string" + } + }, + "additionalProperties": false, + "required": [ + "domain" + ] +} diff --git a/roles/tlscert_selfsigned/defaults/main.json b/roles/tlscert_selfsigned/defaults/main.json index 06c1a9a..9fe02ee 100644 --- a/roles/tlscert_selfsigned/defaults/main.json +++ b/roles/tlscert_selfsigned/defaults/main.json @@ -1,3 +1,4 @@ { - "var_tlscert_selfsigned_domain": "foo.example.org" + "cfg_tlscert_selfsigned_defaults": { + } } diff --git a/roles/tlscert_selfsigned/tasks/main.json b/roles/tlscert_selfsigned/tasks/main.json index bed8255..cbe8ea6 100644 --- a/roles/tlscert_selfsigned/tasks/main.json 
+++ b/roles/tlscert_selfsigned/tasks/main.json
@@ -1,4 +1,11 @@
 [
+ {
+ "name": "show vars",
+ "when": "switch_show_vars",
+ "ansible.builtin.debug": {
+ "var": "vars.cfg_tlscert_selfsigned"
+ }
+ },
 {
 "name": "install packages",
 "become": true,
@@ -28,19 +35,19 @@
 "name": "csr | generate private key",
 "become": true,
 "community.crypto.openssl_privatekey": {
- "path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem"
+ "path": "/etc/ssl/private/{{cfg_tlscert_selfsigned.domain}}.pem"
 }
 },
 {
 "name": "csr | execute",
 "become": true,
 "community.crypto.openssl_csr": {
- "privatekey_path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem",
- "common_name": "{{var_tlscert_selfsigned_domain}}",
+ "privatekey_path": "/etc/ssl/private/{{cfg_tlscert_selfsigned.domain}}.pem",
+ "common_name": "{{cfg_tlscert_selfsigned.domain}}",
 "subject_alt_name": [
- "DNS:{{var_tlscert_selfsigned_domain}}"
+ "DNS:{{cfg_tlscert_selfsigned.domain}}"
 ],
- "path": "/etc/ssl/csr/{{var_tlscert_selfsigned_domain}}.pem"
+ "path": "/etc/ssl/csr/{{cfg_tlscert_selfsigned.domain}}.pem"
 },
 "register": "temp_csr"
 },
@@ -48,17 +55,17 @@
 "name": "generate certificate",
 "become": true,
 "community.crypto.x509_certificate": {
- "privatekey_path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem",
- "csr_path": "/etc/ssl/csr/{{var_tlscert_selfsigned_domain}}.pem",
+ "privatekey_path": "/etc/ssl/private/{{cfg_tlscert_selfsigned.domain}}.pem",
+ "csr_path": "/etc/ssl/csr/{{cfg_tlscert_selfsigned.domain}}.pem",
 "provider": "selfsigned",
- "path": "/etc/ssl/certs/{{var_tlscert_selfsigned_domain}}.pem"
+ "path": "/etc/ssl/certs/{{cfg_tlscert_selfsigned.domain}}.pem"
 }
 },
 {
 "name": "compose fullchain",
 "become": true,
 "ansible.builtin.shell": {
- "cmd": "cat /etc/ssl/certs/{{var_tlscert_selfsigned_domain}}.pem > /etc/ssl/fullchains/{{var_tlscert_selfsigned_domain}}.pem"
+ "cmd": "cat /etc/ssl/certs/{{cfg_tlscert_selfsigned.domain}}.pem > /etc/ssl/fullchains/{{cfg_tlscert_selfsigned.domain}}.pem"
 }
 }
 ]
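Review bot: The `compose fullchain` step shells out to `cat … > …` on the `cmd` line, which reports `changed` on every run and splices `cfg_tlscert_selfsigned.domain` into a shell command; `ansible.builtin.copy` with `"remote_src": true`, `"src": "/etc/ssl/certs/{{cfg_tlscert_selfsigned.domain}}.pem"` and `"dest": "/etc/ssl/fullchains/{{cfg_tlscert_selfsigned.domain}}.pem"` performs the same copy idempotently without a shell. Independently, the new `roles/tlscert_selfsigned/cfg.schema.json` constrains `domain` only as a string, while the value is built into file paths here and into nginx `server_name` lines and paths in the `*-and-nginx` roles; a `pattern` such as `"^[A-Za-z0-9.-]+$"` (constructed example) on the schema would reject path separators and metacharacters at validation time rather than at deploy time. The same applies to the `domain` properties in the other new cfg.schema.json files in this patch.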