diff --git a/roles/authelia/cfg.schema.json b/roles/authelia/cfg.schema.json
new file mode 100644
index 0000000..ce77684
--- /dev/null
+++ b/roles/authelia/cfg.schema.json
@@ -0,0 +1,388 @@
+{
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "listen_address": {
+ "nullable": false,
+ "type": "string",
+ "default": "0.0.0.0"
+ },
+ "jwt_secret": {
+ "nullable": false,
+ "type": "string"
+ },
+ "users_file_path": {
+ "nullable": false,
+ "type": "string",
+ "default": "/var/authelia/users.yml"
+ },
+ "log_file_path": {
+ "nullable": false,
+ "type": "string",
+ "default": "/var/authelia/log.jsonl"
+ },
+ "domain": {
+ "nullable": false,
+ "type": "string",
+ "default": "authelia.example.org"
+ },
+ "redirect_url": {
+ "nullable": false,
+ "type": "string",
+ "default": "https://example.org"
+ },
+ "session_domain": {
+ "nullable": false,
+ "type": "string",
+ "default": "example.org"
+ },
+ "session_secret": {
+ "nullable": false,
+ "type": "string"
+ },
+ "storage_encryption_key": {
+ "nullable": false,
+ "type": "string"
+ },
+ "storage": {
+ "anyOf": [
+ {
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "kind": {
+ "nullable": false,
+ "type": "string",
+ "enum": ["sqlite"]
+ },
+ "data": {
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "path": {
+ "nullable": false,
+ "type": "string",
+ "default": "/var/authelia/state.db"
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ ],
+ "default": {
+ }
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "kind"
+ ]
+ },
+ {
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "kind": {
+ "nullable": false,
+ "type": "string",
+ "enum": ["postgresql"]
+ },
+ "data": {
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "host": {
+ "nullable": false,
+ "type": "string",
+ "ddefault": "localhost"
+ },
+ "port": {
+ "nullable": false,
+ "type": "integer",
+ "default": 5432
+ },
+ "username": {
+ "nullable": false,
+ "type": "string",
+ "default": "authelia_user"
+ },
+ "password": {
+ "nullable": false,
+ "type": "string"
+ },
+ "schema": {
+ "nullable": false,
+ "type": "string",
+ "default": "authelia"
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "password"
+ ]
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "kind",
+ "data"
+ ]
+ },
+ {
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "kind": {
+ "nullable": false,
+ "type": "string",
+ "enum": ["mariadb"]
+ },
+ "data": {
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "host": {
+ "nullable": false,
+ "type": "string",
+ "ddefault": "localhost"
+ },
+ "port": {
+ "nullable": false,
+ "type": "integer",
+ "default": 3306
+ },
+ "username": {
+ "nullable": false,
+ "type": "string",
+ "default": "authelia_user"
+ },
+ "password": {
+ "nullable": false,
+ "type": "string"
+ },
+ "schema": {
+ "nullable": false,
+ "type": "string",
+ "default": "authelia"
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "password"
+ ]
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "kind",
+ "data"
+ ]
+ }
+ ]
+ },
+ "ntp_server": {
+ "nullable": false,
+ "type": "string",
+ "mandatory": false
+ },
+ "password_reset": {
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "nullable": false,
+ "type": "boolean",
+ "default": false
+ },
+ "custom_url": {
+ "nullable": true,
+ "type": "string",
+ "default": null
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ ],
+ "default": {
+ }
+ },
+ "notification": {
+ "anyOf": [
+ {
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "kind": {
+ "nullable": false,
+ "type": "string",
+ "enum": ["file"]
+ },
+ "data": {
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ },
+ "additionalProperties": false,
+ "required": [
+ ],
+ "default": {
+ }
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "kind"
+ ]
+ },
+ {
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "kind": {
+ "nullable": false,
+ "type": "string",
+ "enum": ["smtp"]
+ },
+ "data": {
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "host": {
+ "nullable": false,
+ "type": "string",
+ "default": "smtp.example.org"
+ },
+ "port": {
+ "nullable": false,
+ "type": "integer",
+ "default": 465
+ },
+ "username": {
+ "nullable": false,
+ "type": "string",
+ "default": "authelia"
+ },
+ "password": {
+ "nullable": false,
+ "type": "string"
+ },
+ "sender": {
+ "nullable": false,
+ "type": "string",
+ "default": "authelia@example.org"
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "password"
+ ]
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "kind",
+ "data"
+ ]
+ }
+ ]
+ },
+ "oidc": {
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "hmac_secret": {
+ "nullable": false,
+ "type": "string"
+ },
+ "lifespan": {
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "default": {
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "access_token": {
+ "nullable": false,
+ "type": "string",
+ "default": "1h"
+ },
+ "refresh_token": {
+ "nullable": false,
+ "type": "string",
+ "default": "1m"
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ ],
+ "default": {
+ }
+ },
+ "custom": {
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ },
+ "additionalProperties": {
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "access_token": {
+ "nullable": false,
+ "type": "string"
+ },
+ "refresh_token": {
+ "nullable": false,
+ "type": "string"
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "acces_token",
+ "refresh_token"
+ ]
+ },
+ "required": [
+ ],
+ "default": {
+ }
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ ],
+ "default": {
+ }
+ },
+ "cors_endpoints": {
+ "nullable": true,
+ "type": "array",
+ "items": {
+ "nullable": false,
+ "type": "string",
+ "enum": [
+ "authorization",
+ "pushed-authorization-request",
+ "token",
+ "revocation",
+ "introspection",
+ "userinfo"
+ ]
+ },
+ "default": null
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "hmac_secret"
+ ]
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "jwt_secret",
+ "session_secret",
+ "storage_encryption_key",
+ "oidc"
+ ]
+}
diff --git a/roles/authelia/defaults/main.json b/roles/authelia/defaults/main.json
index 04a1f7f..422c3af 100644
--- a/roles/authelia/defaults/main.json
+++ b/roles/authelia/defaults/main.json
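Review bot: Two misspelled keys in the new schema silently neuter validation: `"ddefault": "localhost"` under both the postgresql and mariadb `host` properties (the default is never applied), and `"acces_token"` in the `required` list of the `oidc.lifespan.custom` value subschema, which makes every custom lifespan entry fail because the key it demands cannot coexist with `additionalProperties: false`. Change them to `"default": "localhost"` and `"access_token"`. The four secrets (`jwt_secret`, `session_secret`, `storage_encryption_key`, `oidc.hmac_secret`) are now correctly required with no placeholder default, but a bare `"type": "string"` still accepts `""` or a leftover `REPLACE_ME`; a `"minLength"` on each (Authelia documents minimum lengths for these — confirm the exact values) would reject weak values at validation time instead of at service start. `"mandatory": false` on `ntp_server` is a leftover from the deleted vardef format and is not a JSON Schema keyword, so it is ignored and should be dropped.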
@@ -1,39 +1,52 @@
 {
- "var_authelia_version": "4.37.5",
- "var_authelia_architecture": "amd64",
- "var_authelia_listen_address": "0.0.0.0",
- "var_authelia_jwt_secret": "REPLACE_ME",
- "var_authelia_users_file_path": "/var/authelia/users.yml",
- "var_authelia_log_file_path": "/var/authelia/log.jsonl",
- "var_authelia_domain": "authelia.example.org",
- "var_authelia_redirect_url": "https://example.org",
- "var_authelia_session_domain": "example.org",
- "var_authelia_session_secret": "REPLACE_ME",
- "var_authelia_storage_encryption_key": "REPLACE_ME",
- "var_authelia_storage_kind": "sqlite",
- "var_authelia_storage_data_sqlite_path": "/var/authelia/state.db",
- "var_authelia_storage_data_postgresql_host": "localhost",
- "var_authelia_storage_data_postgresql_port": 5432,
- "var_authelia_storage_data_postgresql_username": "authelia_user",
- "var_authelia_storage_data_postgresql_password": "REPLACE_ME",
- "var_authelia_storage_data_postgresql_schema": "authelia",
- "var_authelia_storage_data_mariadb_host": "localhost",
- "var_authelia_storage_data_mariadb_port": 3306,
- "var_authelia_storage_data_mariadb_username": "authelia_user",
- "var_authelia_storage_data_mariadb_password": "REPLACE_ME",
- "var_authelia_storage_data_mariadb_schema": "authelia",
- "var_authelia_ntp_server": "time.cloudflare.com:123",
- "var_authelia_password_reset_enabled": false,
- "var_authelia_password_reset_custom_url": null,
- "var_authelia_notification_mode": "smtp",
- "var_authelia_notification_file_path": "/var/authelia/notifications",
- "var_authelia_notification_smtp_host": "smtp.example.org",
- "var_authelia_notification_smtp_port": 465,
- "var_authelia_notification_smtp_username": "authelia",
- "var_authelia_notification_smtp_password": "REPLACE_ME",
- "var_authelia_notification_smtp_sender": "authelia@example.org",
- "var_authelia_oidc_hmac_secret": "REPLACE_ME",
- "var_authelia_oidc_lifespan_access_token": "1h",
- "var_authelia_oidc_lifespan_refresh_token": "1m",
- "var_authelia_oidc_cors_endpoints": null
+ "cfg_authelia_defaults": {
+ "listen_address": "0.0.0.0",
+ "users_file_path": "/var/authelia/users.yml",
+ "log_file_path": "/var/authelia/log.jsonl",
+ "domain": "authelia.example.org",
+ "redirect_url": "https://example.org",
+ "session_domain": "example.org",
+ "storage": {
+ "kind": "sqlite",
+ "data": {
+ "sqlite": {
+ "path": "/var/authelia/state.db"
+ },
+ "postgresql": {
+ "host": "localhost",
+ "port": 5432,
+ "username": "authelia_user",
+ "schema": "authelia"
+ },
+ "mariadb": {
+ "host": "localhost",
+ "port": 3306,
+ "username": "authelia_user",
+ "schema": "authelia"
+ }
+ }
+ },
+ "ntp_server": "time.cloudflare.com:123",
+ "password_reset": {
+ "enabled": false,
+ "custom_url": null
+ },
+ "notification": {
+ "kind": "file",
+ "data": {
+ "path": "/var/authelia/notifications"
+ }
+ },
+ "oidc": {
+ "lifespan": {
+ "default": {
+ "access_token": "1d",
+ "refresh_token": "1h"
+ },
+ "custom": {
+ }
+ },
+ "cors_endpoints": null
+ }
+ }
 }
diff --git a/roles/authelia/templates/conf-main.json.j2 b/roles/authelia/templates/conf-main.json.j2
index 5d77df9..97a00c8 100644
--- a/roles/authelia/templates/conf-main.json.j2
+++ b/roles/authelia/templates/conf-main.json.j2
@@ -2,12 +2,12 @@
 "theme": "auto",
 "identity_validation": {
 "reset_password": {
- "jwt_secret": "{{var_authelia_jwt_secret}}"
+ "jwt_secret": "{{cfg_authelia.jwt_secret}}"
 }
 },
 "default_2fa_method": "totp",
 "server": {
- "address": "{{var_authelia_listen_address}}:9091",
+ "address": "{{cfg_authelia.listen_address}}:9091",
 "endpoints": {
 "enable_pprof": false,
 "enable_expvars": false
@@ -17,7 +17,7 @@
 "log": {
 "level": "info",
 "format": "json",
- "file_path": "{{var_authelia_log_file_path}}",
+ "file_path": "{{cfg_authelia.log_file_path}}",
 "keep_stdout": false
 },
 "telemetry": {
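Review bot: The default `storage.data` is keyed by backend (`sqlite`, `postgresql`, `mariadb`) and the default `notification.data` carries a `path`, but the schema added in this same commit declares the sqlite `storage.data` with only a `path` property and the `file` notifier's `data` with no properties at all, both under `additionalProperties: false`, and the template reads `cfg_authelia.storage.data.path` and `cfg_authelia.notification.data.path` directly. Unless the role's merge step (not in this diff) selects `data[kind]` before validating and rendering, these defaults fail the schema and the rendered config gets an undefined path; either flatten the defaults to the selected backend's shape or add `path` to the file notifier's schema so the three files agree. Separately, the default OIDC lifespans go from `1h`/`1m` to `"access_token": "1d"` and `"refresh_token": "1h"`, which widens the replay window of a leaked access token and disagrees with the `1h`/`1m` defaults the schema still advertises; if the longer lifetime is intended, align the schema and record the reason in the commit message.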
@@ -43,7 +43,7 @@
 "user_verification": "preferred"
 },
 "ntp": {
- "address": "{{var_authelia_ntp_server}}",
+ "address": "{{cfg_authelia.ntp_server}}",
 "version": 4,
 "max_desync": "3s",
 "disable_startup_check": false,
@@ -51,16 +51,16 @@
 },
 "authentication_backend": {
 "password_reset": {
-{% if var_authelia_password_reset_enabled %}
+{% if cfg_authelia.password_reset.enabled %}
 "disable": false,
 {% else %}
 "disable": true,
 {% endif %}
- "custom_url": "{{var_authelia_password_reset_custom_url}}"
+ "custom_url": "{{cfg_authelia.password_reset.custom_url}}"
 },
 "refresh_interval": "5m",
 "file": {
- "path": "{{var_authelia_users_file_path}}",
+ "path": "{{cfg_authelia.users_file_path}}",
 "watch": true,
 "search": {
 "email": false,
@@ -121,15 +121,15 @@
 "session": {
 "name": "authelia_session",
 "same_site": "lax",
- "secret": "{{var_authelia_session_secret}}",
+ "secret": "{{cfg_authelia.session_secret}}",
 "expiration": "1h",
 "inactivity": "5m",
 "remember_me": "1M",
 "cookies": [
 {
- "domain": "{{var_authelia_session_domain}}",
- "authelia_url": "https://{{var_authelia_domain}}/",
- "default_redirection_url": "{{var_authelia_redirect_url}}"
+ "domain": "{{cfg_authelia.session_domain}}",
+ "authelia_url": "https://{{cfg_authelia.domain}}/",
+ "default_redirection_url": "{{cfg_authelia.redirect_url}}"
 }
 ]
 },
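Review bot: `"custom_url": "{{cfg_authelia.password_reset.custom_url}}"` renders the schema/default value `null` as the literal string `None` under Ansible's non-native Jinja2, so Authelia is handed a bogus custom URL whenever no URL is configured; the commit keeps this behaviour while moving to the new key path. Emit the key only when set, e.g. `{% if cfg_authelia.password_reset.custom_url %},"custom_url": "{{cfg_authelia.password_reset.custom_url}}"{% endif %}`, and drop the trailing comma from the preceding `"disable"` lines so the object stays valid JSON in both branches. The enclosing `authentication_backend` object continues outside this hunk.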
@@ -139,44 +139,44 @@
 "ban_time": "5m"
 },
 "storage": {
- "encryption_key": "{{var_authelia_storage_encryption_key}}",
-{% if var_authelia_storage_kind == "sqlite" %}
+ "encryption_key": "{{cfg_authelia.storage_encryption_key}}",
+{% if cfg_authelia.storage.kind == "sqlite" %}
 "local": {
- "path": "{{var_authelia_storage_data_sqlite_path}}"
+ "path": "{{cfg_authelia.storage.data.path}}"
 }
 {% endif %}
-{% if var_authelia_storage_kind == "postgresql" %}
+{% if cfg_authelia.storage.kind == "postgresql" %}
 "postgres": {
- "address": "{{var_authelia_storage_data_postgresql_host}}:{{var_authelia_storage_data_postgresql_port | string}}",
+ "address": "{{cfg_authelia.storage.data.host}}:{{cfg_authelia.storage.data.port | string}}",
 "schema": "public",
- "username": "{{var_authelia_storage_data_postgresql_username}}",
- "password": "{{var_authelia_storage_data_postgresql_password}}",
- "database": "{{var_authelia_storage_data_postgresql_schema}}"
+ "username": "{{cfg_authelia.storage.data.username}}",
+ "password": "{{cfg_authelia.storage.data.password}}",
+ "database": "{{cfg_authelia.storage.data.schema}}"
 }
 {% endif %}
-{% if var_authelia_storage_kind == "mariadb" %}
+{% if cfg_authelia.storage_kind == "mariadb" %}
 "mysql": {
- "host": "{{var_authelia_storage_data_mariadb_host}}",
- "port": {{var_authelia_storage_data_mariadb_port | string}},
- "username": "{{var_authelia_storage_data_mariadb_username}}",
- "password": "{{var_authelia_storage_data_mariadb_password}}",
- "database": "{{var_authelia_storage_data_mariadb_schema}}"
+ "host": "{{cfg_authelia.storage.data.host}}",
+ "port": {{cfg_authelia.storage.data.port | string}},
+ "username": "{{cfg_authelia.storage.data.username}}",
+ "password": "{{cfg_authelia.storage.data.password}}",
+ "database": "{{cfg_authelia.storage.data.schema}}"
 }
 {% endif %}
 },
 "notifier": {
 "disable_startup_check": true,
-{% if var_authelia_notification_mode == "file" %}
+{% if cfg_authelia.notification.kind == "file" %}
 "filesystem": {
- "filename": "{{var_authelia_notification_file_path}}"
+ "filename": "{{cfg_authelia.notification.data.path}}"
 }
 {% endif %}
-{% if var_authelia_notification_mode == "smtp" %}
+{% if cfg_authelia.notification_mode == "smtp" %}
 "smtp": {
- "address": "{{var_authelia_notification_smtp_host}}:{{var_authelia_notification_smtp_port | string}}",
- "username": "{{var_authelia_notification_smtp_username}}",
- "password": "{{var_authelia_notification_smtp_password}}",
- "sender": "{{var_authelia_notification_smtp_sender}}",
+ "address": "{{cfg_authelia.notification.data.host}}:{{cfg_authelia.notification.data.port | string}}",
+ "username": "{{cfg_authelia.notification.data.username}}",
+ "password": "{{cfg_authelia.notification.data.password}}",
+ "sender": "{{cfg_authelia.notification.data.sender}}",
 "disable_require_tls": false,
 "disable_html_emails": false,
 "tls": {
@@ -187,7 +187,7 @@
 },
 "identity_providers": {
 "oidc": {
- "hmac_secret": "{{var_authelia_oidc_hmac_secret}}",
+ "hmac_secret": "{{cfg_authelia.oidc.hmac_secret}}",
 "jwks": [
 {
 "algorithm": "RS256",
@@ -195,20 +195,15 @@
 }
 ],
 "lifespans": {
- "access_token": "{{var_authelia_oidc_lifespan_access_token}}",
- "refresh_token": "{{var_authelia_oidc_lifespan_refresh_token}}",
- "custom": {
- "ocis": {
- "access_token": "2d",
- "refresh_token": "3d"
- }
- }
+ "access_token": "{{cfg_authelia.oidc.lifespan.default.access_token}}",
+ "refresh_token": "{{cfg_authelia.oidc.lifespan.default.refresh_token}}",
+ "custom": "{{cfg_authelia.oidc.lifespan.custom | to_json}}",
 },
 "cors": {
 "allowed_origins_from_client_redirect_uris": true
-{% if var_authelia_oidc_cors_endpoints == None %}
+{% if cfg_authelia.oidc.cors_endpoints == None %}
 {% else %}
- ,"endpoints": {{var_authelia_oidc_cors_endpoints | to_json}}
+ ,"endpoints": {{cfg_authelia.oidc.cors_endpoints | to_json}}
 {% endif %}
 },
 "clients": [
diff --git a/roles/authelia/vardef.json b/roles/authelia/vardef.json
deleted file mode 100644
index 9b651a1..0000000
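Review bot: Two conditionals in this hunk were not migrated to the nested config: `{% if cfg_authelia.storage_kind == "mariadb" %}` should read `{% if cfg_authelia.storage.kind == "mariadb" %}`, and `{% if cfg_authelia.notification_mode == "smtp" %}` should read `{% if cfg_authelia.notification.kind == "smtp" %}`, matching the sqlite, postgresql and file branches just above them. Depending on how Ansible's undefined-variable handling is configured, the render either fails outright or the mariadb storage and smtp notifier blocks are never emitted, so a deployment selecting either backend gets a config with no storage or notifier section. The rendered file also carries the database and SMTP passwords in clear text, so the task that writes it (not in this diff) should set a restrictive file mode and owner.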
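Review bot: `"custom": "{{cfg_authelia.oidc.lifespan.custom | to_json}}",` wraps the serialised object in quotes, so the output is a JSON string whose embedded `"` characters are not escaped — invalid JSON rather than the nested `custom` map Authelia expects — and the trailing comma before the closing `}` of `lifespans` is also invalid in strict JSON. Change the line to `"custom": {{cfg_authelia.oidc.lifespan.custom | to_json}}` with no trailing comma, as the `cors_endpoints` line further down already does; with the default `custom: {}` this then renders `"custom": {}`.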
--- a/roles/authelia/vardef.json
+++ /dev/null
@@ -1,169 +0,0 @@
-{
- "version": {
- "type": "string",
- "mandatory": false
- },
- "architecture": {
- "type": "string",
- "mandatory": false
- },
- "listen_address": {
- "type": "string",
- "mandatory": false
- },
- "jwt_secret": {
- "type": "string",
- "mandatory": true
- },
- "users_file_path": {
- "type": "string",
- "mandatory": false
- },
- "log_file_path": {
- "type": "string",
- "mandatory": false
- },
- "domain": {
- "type": "string",
- "mandatory": false
- },
- "redirect_url": {
- "type": "string",
- "mandatory": false
- },
- "session_domain": {
- "type": "string",
- "mandatory": false
- },
- "session_secret": {
- "type": "string",
- "mandatory": true
- },
- "storage_encryption_key": {
- "type": "string",
- "mandatory": true
- },
- "storage_kind": {
- "type": "string",
- "mandatory": false
- },
- "storage_data_sqlite_path": {
- "type": "string",
- "mandatory": false
- },
- "storage_data_postgresql_host": {
- "type": "string",
- "mandatory": false
- },
- "storage_data_postgresql_port": {
- "type": "integer",
- "mandatory": false
- },
- "storage_data_postgresql_username": {
- "type": "string",
- "mandatory": false
- },
- "storage_data_postgresql_password": {
- "type": "string",
- "mandatory": false
- },
- "storage_data_postgresql_schema": {
- "type": "string",
- "mandatory": false
- },
- "storage_data_mariadb_host": {
- "type": "string",
- "mandatory": false
- },
- "storage_data_mariadb_port": {
- "type": "integer",
- "mandatory": false
- },
- "storage_data_mariadb_username": {
- "type": "string",
- "mandatory": false
- },
- "storage_data_mariadb_password": {
- "type": "string",
- "mandatory": false
- },
- "storage_data_mariadb_schema": {
- "type": "string",
- "mandatory": false
- },
- "ntp_server": {
- "type": "string",
- "mandatory": false
- },
- "password_reset_enabled": {
- "type": "boolean",
- "mandatory": false
- },
- "password_reset_custom_url": {
- "nullable": true,
- "type": "string",
- "mandatory": false
- },
- "notification_mode": {
- "type": "string",
- "mandatory": false,
- "options": [
- "file",
- "smtp"
- ]
- },
- "notification_file_path": {
- "type": "string",
- "mandatory": false
- },
- "notification_smtp_host": {
- "type": "string",
- "mandatory": false
- },
- "notification_smtp_port": {
- "type": "integer",
- "mandatory": false
- },
- "notification_smtp_username": {
- "type": "string",
- "mandatory": false
- },
- "notification_smtp_password": {
- "type": "string",
- "mandatory": false
- },
- "notification_smtp_sender": {
- "type": "string",
- "mandatory": false
- },
- "oidc_hmac_secret": {
- "type": "string",
- "mandatory": true
- },
- "oidc_lifespan_access_token": {
- "nullable": true,
- "type": "string",
- "mandatory": false
- },
- "oidc_lifespan_refresh_token": {
- "nullable": true,
- "type": "string",
- "mandatory": false
- },
- "oidc_cors_endpoints": {
- "nullable": true,
- "type": "array",
- "items": {
- "type": "string",
- "enum": [
- "authorization",
- "pushed-authorization-request",
- "token",
- "revocation",
- "introspection",
- "userinfo"
- ]
- },
- "mandatory": false
- }
-}