From 88a65ad91927e5195cb8ebf73b49a84b5dfb1eb1 Mon Sep 17 00:00:00 2001
From: Fenris Wolf
Date: Thu, 9 Oct 2025 01:47:20 +0200
Subject: [PATCH] [task-406] hedgedoc
---
 roles/authelia-for-hedgedoc/cfg.schema.json | 25 +++++++++++++++++++
 .../authelia-for-hedgedoc/defaults/main.json | 6 ++---
 roles/authelia-for-hedgedoc/tasks/main.json | 9 ++++++-
 .../templates/authelia-client-conf.json.j2 | 4 +--
 roles/hedgedoc-and-nginx/cfg.schema.json | 24 ++++++++++++++++++
 roles/hedgedoc-and-nginx/defaults/main.json | 5 ++--
 roles/hedgedoc-and-nginx/tasks/main.json | 13 +++++++---
 roles/hedgedoc-and-nginx/templates/conf.j2 | 12 ++++-----
 roles/hedgedoc-and-nginx/vardef.json | 15 -----------
 9 files changed, 81 insertions(+), 32 deletions(-)
 create mode 100644 roles/authelia-for-hedgedoc/cfg.schema.json
 create mode 100644 roles/hedgedoc-and-nginx/cfg.schema.json
 delete mode 100644 roles/hedgedoc-and-nginx/vardef.json
diff --git a/roles/authelia-for-hedgedoc/cfg.schema.json b/roles/authelia-for-hedgedoc/cfg.schema.json
new file mode 100644
index 0000000..c8bf2cb
--- /dev/null
+++ b/roles/authelia-for-hedgedoc/cfg.schema.json
@@ -0,0 +1,25 @@
+{
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "hedgedoc_url_base": {
+ "nullable": false,
+ "type": "string"
+ },
+ "client_id": {
+ "nullable": false,
+ "type": "string",
+ "default": "hedgedoc"
+ },
+ "client_secret": {
+ "nullable": false,
+ "type": "string"
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "hedgedoc_url_base",
+ "client_id",
+ "client_secret"
+ ]
+}
diff --git a/roles/authelia-for-hedgedoc/defaults/main.json b/roles/authelia-for-hedgedoc/defaults/main.json
index b1e3329..603c7fe 100644
--- a/roles/authelia-for-hedgedoc/defaults/main.json
+++ b/roles/authelia-for-hedgedoc/defaults/main.json
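Review bot: `client_secret` in the new cfg.schema.json is constrained only to `"type": "string"`, so an empty string passes validation and the bcrypt-hash task later in this patch would happily hash an empty password; add `"minLength": 1` (or a stricter minimum) to that property, assuming the repo's cfg validator honours standard keywords. `hedgedoc_url_base` is interpolated as `{{...}}/auth/oauth2/callback` in authelia-client-conf.json.j2, so a value with a trailing slash or without a scheme produces a malformed redirect URI; a constraint such as `"pattern": "^https?://[^/]+$"` (constructed example) would reject that at validation time rather than at first login. `nullable` is not a keyword of standard JSON Schema (it comes from OpenAPI), so this file presumably targets the project's own validator; if a standard validator is ever used, `nullable` is silently ignored.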
@@ -1,5 +1,5 @@
 {
- "var_authelia_for_hedgedoc_hedgedoc_url_base": "https://hedgedoc.example.org",
- "var_authelia_for_hedgedoc_client_id": "hedgedoc",
- "var_authelia_for_hedgedoc_client_secret": "REPLACE_ME"
+ "cfg_authelia_for_hedgedoc_defaults": {
+ "client_id": "hedgedoc"
+ }
 }
diff --git a/roles/authelia-for-hedgedoc/tasks/main.json b/roles/authelia-for-hedgedoc/tasks/main.json
index d229a17..7447ebc 100644
--- a/roles/authelia-for-hedgedoc/tasks/main.json
+++ b/roles/authelia-for-hedgedoc/tasks/main.json
@@ -1,9 +1,16 @@
 [
+ {
+ "name": "show vars",
+ "when": "switch_show_vars",
+ "ansible.builtin.debug": {
+ "var": "vars.cfg_authelia_for_hedgedoc"
+ }
+ },
 {
 "name": "configuration | compute client secret hash",
 "become": true,
 "ansible.builtin.shell": {
- "cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_hedgedoc_client_secret}} | cut --delimiter=' ' --fields='2-'"
+ "cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_hedgedoc.client_secret}} | cut --delimiter=' ' --fields='2-'"
 },
 "register": "temp_authelia_for_hedgedoc_client_secret_hashed"
 },
diff --git a/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 b/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2
index 49a0c41..4547107 100644
--- a/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2
+++ b/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2
@@ -1,5 +1,5 @@
 {
- "client_id": "{{var_authelia_for_hedgedoc_client_id}}",
+ "client_id": "{{cfg_authelia_for_hedgedoc.client_id}}",
 "client_secret": "{{temp_authelia_for_hedgedoc_client_secret_hashed.stdout}}",
 "client_name": "Hedgedoc",
 "public": false,
@@ -10,7 +10,7 @@
 "profile"
 ],
 "redirect_uris": [
- "{{var_authelia_for_hedgedoc_hedgedoc_url_base}}/auth/oauth2/callback"
+ "{{cfg_authelia_for_hedgedoc.hedgedoc_url_base}}/auth/oauth2/callback"
 ],
 "response_types": [
 "code"
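Review bot: The new "show vars" task in roles/authelia-for-hedgedoc/tasks/main.json prints the whole of `vars.cfg_authelia_for_hedgedoc`, which per the schema added in this patch contains `client_secret`, so enabling `switch_show_vars` writes the OAuth client secret in clear text to the play output and to whatever collects the logs. Print the object with the secret stripped, e.g. `"var": "vars.cfg_authelia_for_hedgedoc | dict2items | rejectattr('key', 'equalto', 'client_secret') | items2dict"`, rather than marking the task `"no_log": true`, which would defeat its purpose. The renamed `cmd` line still places `{{cfg_authelia_for_hedgedoc.client_secret}}` unquoted on a shell command line; rendering it as `{{cfg_authelia_for_hedgedoc.client_secret | quote}}` keeps a secret containing shell metacharacters from breaking or altering the command, and adding `"no_log": true` to that task keeps the command (and so the secret) out of verbose output. The same debug task appears in roles/hedgedoc-and-nginx/tasks/main.json, where the printed object holds only `domain` and `tls_mode` and is harmless.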
diff --git a/roles/hedgedoc-and-nginx/cfg.schema.json b/roles/hedgedoc-and-nginx/cfg.schema.json
new file mode 100644
index 0000000..a56a3c2
--- /dev/null
+++ b/roles/hedgedoc-and-nginx/cfg.schema.json
@@ -0,0 +1,24 @@
+{
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "domain": {
+ "nullable": false,
+ "type": "string"
+ },
+ "tls_mode": {
+ "nullable": false,
+ "type": "string",
+ "options": [
+ "disable",
+ "enable",
+ "force"
+ ],
+ "default": "force"
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "domain"
+ ]
+}
diff --git a/roles/hedgedoc-and-nginx/defaults/main.json b/roles/hedgedoc-and-nginx/defaults/main.json
index aec6aa3..fec05a1 100644
--- a/roles/hedgedoc-and-nginx/defaults/main.json
+++ b/roles/hedgedoc-and-nginx/defaults/main.json
@@ -1,4 +1,5 @@
 {
- "var_hedgedoc_and_nginx_domain": "hedgedoc.example.org",
- "var_hedgedoc_and_nginx_tls_mode": "force"
+ "cfg_hedgedoc_and_nginx_defaults": {
+ "tls_mode": "force"
+ }
 }
diff --git a/roles/hedgedoc-and-nginx/tasks/main.json b/roles/hedgedoc-and-nginx/tasks/main.json
index 40614bb..560d8a3 100644
--- a/roles/hedgedoc-and-nginx/tasks/main.json
+++ b/roles/hedgedoc-and-nginx/tasks/main.json
@@ -1,4 +1,11 @@
 [
+ {
+ "name": "show vars",
+ "when": "switch_show_vars",
+ "ansible.builtin.debug": {
+ "var": "vars.cfg_hedgedoc_and_nginx"
+ }
+ },
 {
 "name": "deactivate default site",
 "become": true,
@@ -12,7 +19,7 @@
 "become": true,
 "ansible.builtin.template": {
 "src": "conf.j2",
- "dest": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}"
+ "dest": "/etc/nginx/sites-available/{{cfg_hedgedoc_and_nginx.domain}}"
 }
 },
 {
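Review bot: `tls_mode` in the new roles/hedgedoc-and-nginx/cfg.schema.json lists its allowed values under `"options"`, a keyword carried over from the deleted vardef.json that standard JSON Schema does not know; the standard keyword is `"enum": ["disable", "enable", "force"]`. If the cfg validator does not enforce `options`, a mistyped value is not rejected and conf.j2 treats anything that is neither `'force'` nor `'disable'` as "enable", i.e. plain HTTP is served without a redirect. `domain` is used unescaped to build filesystem paths in tasks/main.json (`/etc/nginx/sites-available/{{cfg_hedgedoc_and_nginx.domain}}`) and in conf.j2 (`/etc/ssl/private/{{cfg_hedgedoc_and_nginx.domain}}.pem`) as well as for `server_name`, so restricting it with something like `"pattern": "^[A-Za-z0-9.-]+$"` (constructed example) keeps path separators, whitespace or nginx directive characters from an erroneous inventory value out of those paths and out of the generated config.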
@@ -20,8 +27,8 @@
 "become": true,
 "ansible.builtin.file": {
 "state": "link",
- "src": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}",
- "dest": "/etc/nginx/sites-enabled/{{var_hedgedoc_and_nginx_domain}}"
+ "src": "/etc/nginx/sites-available/{{cfg_hedgedoc_and_nginx.domain}}",
+ "dest": "/etc/nginx/sites-enabled/{{cfg_hedgedoc_and_nginx.domain}}"
 }
 },
 {
diff --git a/roles/hedgedoc-and-nginx/templates/conf.j2 b/roles/hedgedoc-and-nginx/templates/conf.j2
index b9c6601..2212af7 100644
--- a/roles/hedgedoc-and-nginx/templates/conf.j2
+++ b/roles/hedgedoc-and-nginx/templates/conf.j2
@@ -24,27 +24,27 @@ map $http_upgrade $connection_upgrade {
 {% endmacro %}
 server {
- server_name {{var_hedgedoc_and_nginx_domain}};
+ server_name {{cfg_hedgedoc_and_nginx.domain}};
 listen 80;
 listen [::]:80;
-{% if (var_element_and_nginx_tls_mode == 'force') %}
+{% if (cfg_hedgedoc_and_nginx.tls_mode == 'force') %}
 return 301 https://$http_host$request_uri;
 {% else %}
 {{ hedgedoc_common() }}
 {% endif %}
 }
-{% if (var_hedgedoc_and_nginx_tls_mode != 'disable') %}
+{% if (cfg_hedgedoc_and_nginx.tls_mode != 'disable') %}
 server {
- server_name {{var_hedgedoc_and_nginx_domain}};
+ server_name {{cfg_hedgedoc_and_nginx.domain}};
 listen [::]:443 ssl http2;
 listen 443 ssl http2;
- ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem;
- ssl_certificate /etc/ssl/fullchains/{{var_hedgedoc_and_nginx_domain}}.pem;
+ ssl_certificate_key /etc/ssl/private/{{cfg_hedgedoc_and_nginx.domain}}.pem;
+ ssl_certificate /etc/ssl/fullchains/{{cfg_hedgedoc_and_nginx.domain}}.pem;
 include /etc/nginx/ssl-hardening.conf;
 {{ hedgedoc_common() }}
diff --git a/roles/hedgedoc-and-nginx/vardef.json b/roles/hedgedoc-and-nginx/vardef.json
deleted file mode 100644
index b78ac7a..0000000
--- a/roles/hedgedoc-and-nginx/vardef.json
+++ /dev/null
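Review bot: In the conf.j2 hunk, the `force` branch redirects to `https://$http_host$request_uri`, which echoes the client-supplied Host header; with the default site deactivated earlier in this role, this server block can answer requests for arbitrary Host values and then redirects the browser to an attacker-chosen host. Redirecting to the configured name instead, `return 301 https://{{cfg_hedgedoc_and_nginx.domain}}$request_uri;`, removes that dependency on untrusted input and matches the `server_name` set two lines above. The rest of the hunk only renames variables, and the switch from `var_element_and_nginx_tls_mode` to the hedgedoc setting corrects what looks like a copy-paste reference; the enclosing `server` block ends outside the hunk.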
@@ -1,15 +0,0 @@
-{
- "domain": {
- "type": "string",
- "mandatory": false
- },
- "tls_mode": {
- "type": "string",
- "options": [
- "disable",
- "enable",
- "force"
- ],
- "mandatory": false
- }
-}