From ae35b719400499e9093ef39d62b778d83f8deae4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Tue, 7 Oct 2025 14:35:48 +0200
Subject: [PATCH] [int]
---
 roles/authelia-for-owncloud/cfg.schema.json | 93 +++++++++++++
 .../authelia-for-owncloud/defaults/main.json | 26 ++--
 roles/authelia-for-owncloud/tasks/main.json | 118 ++++++++++------
 .../authelia-client-conf-android.json.j2 | 24 +++-
 .../authelia-client-conf-desktop.json.j2 | 25 +++-
 .../authelia-client-conf-ios.json.j2 | 25 +++-
 .../authelia-client-conf-web.json.j2 | 27 +++-
 roles/authelia-for-owncloud/vardef.json | 34 -----
 roles/authelia/templates/conf-main.json.j2 | 8 +-
 roles/owncloud/cfg.schema.json | 128 ++++++++++++++++++
 roles/owncloud/defaults/main.json | 38 +++---
 roles/owncloud/info.md | 6 +
 roles/owncloud/tasks/main.json | 33 +++--
 roles/owncloud/templates/env.j2 | 83 +++++++-----
 roles/owncloud/vardef.json | 75 ----------
 15 files changed, 502 insertions(+), 241 deletions(-)
 create mode 100644 roles/authelia-for-owncloud/cfg.schema.json
 delete mode 100644 roles/authelia-for-owncloud/vardef.json
 create mode 100644 roles/owncloud/cfg.schema.json
 delete mode 100644 roles/owncloud/vardef.json
diff --git a/roles/authelia-for-owncloud/cfg.schema.json b/roles/authelia-for-owncloud/cfg.schema.json
new file mode 100644
index 0000000..42ae537
--- /dev/null
+++ b/roles/authelia-for-owncloud/cfg.schema.json
@@ -0,0 +1,93 @@
+{
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "owncloud_url_base": {
+ "nullable": false,
+ "type": "string",
+ "default": "https://owncloud.example.org"
+ },
+ "web": {
+ "nullable": true,
+ "type": "object",
+ "properties": {
+ "client_id": {
+ "nullable": false,
+ "type": "string",
+ "default": "owncloud_web"
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ ],
+ "default": {
+ }
+ },
+ "desktop": {
+ "nullable": true,
+ "type": "object",
+ "properties": {
+ "client_id": {
+ "nullable": false,
+ "type": "string",
+ "default": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69"
+ },
+ "client_secret": {
+ "nullable": false,
+ "type": "string",
+ "default": "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh"
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ ],
+ "default": {
+ }
+ },
+ "android": {
+ "nullable": true,
+ "type": "object",
+ "properties": {
+ "client_id": {
+ "nullable": false,
+ "type": "string",
+ "default": "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD"
+ },
+ "client_secret": {
+ "nullable": false,
+ "type": "string",
+ "default": "dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD"
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ ],
+ "default": {
+ }
+ },
+ "ios": {
+ "nullable": true,
+ "type": "object",
+ "properties": {
+ "ios_client_id": {
+ "nullable": false,
+ "type": "string",
+ "default": "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1"
+ },
+ "ios_client_secret": {
+ "nullable": false,
+ "type": "string",
+ "default": "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx"
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ ],
+ "default": {
+ }
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ ]
+}
diff --git a/roles/authelia-for-owncloud/defaults/main.json b/roles/authelia-for-owncloud/defaults/main.json
index 4daa968..71aba99 100644
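Review bot: The `ios` object names its properties `ios_client_id` and `ios_client_secret`, while the `web`/`desktop`/`android` objects use `client_id`/`client_secret`, and every consumer in this commit reads the short form (the `ios` block of defaults/main.json, `cfg_authelia_for_owncloud.ios.client_secret` in tasks/main.json, `cfg_authelia_for_owncloud.ios.client_id` in the ios template); with `"additionalProperties": false` the shipped defaults fail validation against this schema and the template reads an undefined key. Rename the two to `"client_id"` and `"client_secret"`. The `web` object declares only `client_id`, yet tasks/main.json hashes `cfg_authelia_for_owncloud.web.client_secret`; either add that property or drop the hash task for the public web client. If `cfg.schema.json` is fed to a plain JSON Schema validator, `nullable` is not a keyword it enforces (it comes from OpenAPI 3.0), so the `"nullable": true` objects would not actually accept `null` without `"type": ["object", "null"]` — worth confirming how the role loader consumes this file.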
--- a/roles/authelia-for-owncloud/defaults/main.json +++ b/roles/authelia-for-owncloud/defaults/main.json @@ -1,10 +1,20 @@ { - "var_authelia_for_owncloud_owncloud_url_base": "https://owncloud.example.org", - "var_authelia_for_owncloud_web_client_id": "owncloud_web", - "var_authelia_for_owncloud_android_client_id": "owncloud_android", - "var_authelia_for_owncloud_android_client_secret": "REPLACE_ME", - "var_authelia_for_owncloud_ios_client_id": "owncloud_ios", - "var_authelia_for_owncloud_ios_client_secret": "REPLACE_ME", - "var_authelia_for_owncloud_desktop_client_id": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69", - "var_authelia_for_owncloud_desktop_client_secret": "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh" + "cfg_authelia_for_owncloud_defaults": { + "owncloud_url_base": "https://owncloud.example.org", + "web": { + "client_id": "owncloud_web" + }, + "desktop": { + "client_id": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69", + "client_secret": "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh" + }, + "android": { + "client_id": "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD", + "client_secret": "dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD" + }, + "ios": { + "client_id": "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1", + "client_secret": "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx" + } + } } diff --git a/roles/authelia-for-owncloud/tasks/main.json b/roles/authelia-for-owncloud/tasks/main.json index 99c0626..45ec048 100644 --- a/roles/authelia-for-owncloud/tasks/main.json +++ b/roles/authelia-for-owncloud/tasks/main.json 
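Review bot: The desktop, android and ios `client_secret` values are now committed in the role defaults where the previous file carried `REPLACE_ME` placeholders for android and ios; they look like the client credentials ownCloud publishes for its stock desktop and mobile apps, so they are not secrets in any meaningful sense and every deployment that keeps the defaults shares them. That is workable only because the client templates set `require_pkce` with `S256`, which is what actually binds the code exchange to the app instance; it would help to state this in the role's documentation, e.g. `the desktop/android/ios client_secret defaults are ownCloud's published app credentials; they authenticate nothing, PKCE does`. If an operator is instead expected to provision private values, the schema should leave these without a default so that a missing override is noticed rather than silently filled with a public one.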
@@ -1,49 +1,91 @@ [ { - "name": "configuration | compute client secret hash | web", - "become": true, - "ansible.builtin.shell": { - "cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_owncloud_web_client_secret}} | cut --delimiter=' ' --fields='2-'" - }, - "register": "temp_authelia_for_owncloud_web_client_secret_hashed" + "name": "configuration | client | web", + "when": "cfg_authelia_for_owncloud.web != None", + "block": [ + { + "name": "compute client secret hash", + "become": true, + "ansible.builtin.shell": { + "cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_owncloud.web.client_secret}} | cut --delimiter=' ' --fields='2-'" + }, + "register": "temp_authelia_for_owncloud_web_client_secret_hashed" + }, + { + "name": "emplace", + "become": true, + "ansible.builtin.template": { + "src": "authelia-client-conf-web.json.j2", + "dest": "/etc/authelia/conf.d/clients/owncloud-web.json" + } + } + ] }, { - "name": "configuration | compute client secret hash | android", - "become": true, - "ansible.builtin.shell": { - "cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_owncloud_android_client_secret}} | cut --delimiter=' ' --fields='2-'" - }, - "register": "temp_authelia_for_owncloud_android_client_secret_hashed" + "name": "configuration | client | desktop", + "when": "cfg_authelia_for_ownloud.desktop != None", + "block": [ + { + "name": "compute client secret hash", + "become": true, + "ansible.builtin.shell": { + "cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_owncloud.desktop.client_secret}} | cut --delimiter=' ' --fields='2-'" + }, + "register": "temp_authelia_for_owncloud_desktop_client_secret_hashed" + }, + { + "name": "emplace", + "become": true, + "ansible.builtin.template": { + "src": "authelia-client-conf-desktop.json.j2", + "dest": "/etc/authelia/conf.d/clients/owncloud-desktop.json" + } + } + ] }, { - "name": "configuration | compute client secret hash | ios", - 
"become": true, - "ansible.builtin.shell": { - "cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_owncloud_ios_client_secret}} | cut --delimiter=' ' --fields='2-'" - }, - "register": "temp_authelia_for_owncloud_ios_client_secret_hashed" + "name": "configuration | client | android", + "when": "cfg_authelia_for_ownloud.android != None", + "block": [ + { + "name": "compute client secret hash", + "become": true, + "ansible.builtin.shell": { + "cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_owncloud.android.client_secret}} | cut --delimiter=' ' --fields='2-'" + }, + "register": "temp_authelia_for_owncloud_android_client_secret_hashed" + }, + { + "name": "emplace", + "become": true, + "ansible.builtin.template": { + "src": "authelia-client-conf-android.json.j2", + "dest": "/etc/authelia/conf.d/clients/owncloud-android.json" + } + } + ] }, { - "name": "configuration | compute client secret hash | desktop", - "become": true, - "ansible.builtin.shell": { - "cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_owncloud_desktop_client_secret}} | cut --delimiter=' ' --fields='2-'" - }, - "register": "temp_authelia_for_owncloud_desktop_client_secret_hashed" - }, - { - "name": "configuration | emplace", - "become": true, - "loop": [ - {"src": "authelia-client-conf-web.json.j2", "dest": "/etc/authelia/conf.d/clients/owncloud-web.json"}, - {"src": "authelia-client-conf-desktop.json.j2", "dest": "/etc/authelia/conf.d/clients/owncloud-desktop.json"}, - {"src": "authelia-client-conf-android.json.j2", "dest": "/etc/authelia/conf.d/clients/owncloud-android.json"}, - {"src": "authelia-client-conf-ios.json.j2", "dest": "/etc/authelia/conf.d/clients/owncloud-ios.json"} - ], - "ansible.builtin.template": { - "src": "{{item.src}}", - "dest": "{{item.dest}}" - } + "name": "configuration | client | ios", + "when": "cfg_authelia_for_ownloud.ios != None", + "block": [ + { + "name": "compute client secret hash", + "become": 
true, + "ansible.builtin.shell": { + "cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_owncloud.ios.client_secret}} | cut --delimiter=' ' --fields='2-'" + }, + "register": "temp_authelia_for_owncloud_ios_client_secret_hashed" + }, + { + "name": "emplace", + "become": true, + "ansible.builtin.template": { + "src": "authelia-client-conf-ios.json.j2", + "dest": "/etc/authelia/conf.d/clients/owncloud-ios.json" + } + } + ] }, { "name": "configuration | apply", diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2 index b47cbc0..60ff3ae 100644 --- a/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2 +++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2 @@ -1,19 +1,33 @@ { - "client_id": "{{var_authelia_for_owncloud_android_client_id}}", + "client_id": "{{cfg_authelia_for_owncloud.android.client_id}}", "client_secret": "{{temp_authelia_for_owncloud_android_client_secret_hashed.stdout}}", "client_name": "ownCloud | Android Client", + + "public": false, "authorization_policy": "one_factor", + "require_pkce": true, + "pkce_challenge_method": "S256", "scopes": [ "openid", + "offline_access", "groups", "profile", - "email", - "offline_access" + "email" + ], + "redirect_uris": [ + "oc://android.owncloud.com" + + + ], "response_types": [ "code" ], - "redirect_uris": [ - "oc://android.owncloud.com" + "grant_types": [ + "authorization_code", + "refresh_token" ] + "access_token_signed_response_alg": "none", + "userinfo_signed_response_alg": "none", + "token_endpoint_auth_method": "client_secret_basic" } diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2 index 4338426..23b5d22 100644 --- a/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2 
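Review bot: The `when` guards of the desktop, android and ios blocks reference `cfg_authelia_for_ownloud` (the `c` of `owncloud` is missing), which is an undefined variable, while the web guard and every other reference spell it `cfg_authelia_for_owncloud`; change the three to `"when": "cfg_authelia_for_owncloud.desktop != None"` (and `.android`, `.ios`). The web block hashes `cfg_authelia_for_owncloud.web.client_secret`, but neither the new schema nor the defaults define a `client_secret` under `web`, and the web template is a public client with `token_endpoint_auth_method` `none`, so that task should be removed rather than render an undefined value. In all four `compute client secret hash` tasks the secret is interpolated into the shell command unquoted, and Ansible logs the command line and its result; add `"no_log": true` to those tasks and render the value as `{{cfg_authelia_for_owncloud.desktop.client_secret | quote}}` so a secret containing shell metacharacters cannot alter the command. The task list continues past the end of the hunk.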
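Review bot: On the new side the context line `]` that now closes `grant_types` is followed directly by `"access_token_signed_response_alg": "none",` with no separating comma, so the rendered client file is not valid JSON and Authelia will reject the configuration; the desktop, ios and web templates in this commit have the identical missing comma. Change that line to `],` — it lost its comma when it stopped being the last member of the object. The three blank lines added inside `redirect_uris` after `"oc://android.owncloud.com"` look like an editing remnant and can be dropped.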
+++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2 @@ -1,20 +1,33 @@ { - "client_id": "{{var_authelia_for_owncloud_desktop_client_id}}", + "client_id": "{{cfg_authelia_for_owncloud.desktop.client_id}}", "client_secret": "{{temp_authelia_for_owncloud_desktop_client_secret_hashed.stdout}}", "client_name": "ownCloud | Desktop Client", + + "public": false, "authorization_policy": "one_factor", + "require_pkce": true, + "pkce_challenge_method": "S256", "scopes": [ "openid", + "offline_access", "groups", "profile", - "email", - "offline_access" - ], - "response_types": [ - "code" + "email" ], "redirect_uris": [ "http://127.0.0.1", "http://localhost" + + + ], + "response_types": [ + "code" + ], + "grant_types": [ + "authorization_code", + "refresh_token" ] + "access_token_signed_response_alg": "none", + "userinfo_signed_response_alg": "none", + "token_endpoint_auth_method": "client_secret_basic" } diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2 index e529c5d..cf665bf 100644 --- a/roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2 +++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2 
@@ -1,20 +1,33 @@ { - "client_id": "{{var_authelia_for_owncloud_ios_client_id}}", + "client_id": "{{cfg_authelia_for_owncloud.ios.client_id}}", "client_secret": "{{temp_authelia_for_owncloud_ios_client_secret_hashed.stdout}}", "client_name": "ownCloud | iOS Client", + + "public": false, "authorization_policy": "one_factor", + "require_pkce": true, + "pkce_challenge_method": "S256", "scopes": [ "openid", + "offline_access", "groups", "profile", - "email", - "offline_access" - ], - "response_types": [ - "code" + "email" ], "redirect_uris": [ "oc://ios.owncloud.com", "oc.ios://ios.owncloud.com" + + + ], + "response_types": [ + "code" + ], + "grant_types": [ + "authorization_code", + "refresh_token" ] + "access_token_signed_response_alg": "none", + "userinfo_signed_response_alg": "none", + "token_endpoint_auth_method": "client_secret_basic" } diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 index 45b6983..0970c43 100644 --- a/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 +++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 
@@ -1,20 +1,33 @@ { - "client_id": "{{var_authelia_for_owncloud_web_client_id}}", + "client_id": "{{cfg_authelia_for_owncloud.web.client_id}}", + "client_name": "ownCloud | Web Client", + "lifespan": "ocis", "public": true, "authorization_policy": "one_factor", + "require_pkce": true, + "pkce_challenge_method": "S256", "scopes": [ "openid", - "email", + "offline_access", + "groups", "profile", - "groups" - ], - "response_types": [ - "code" + "email" ], "redirect_uris": [ "{{var_authelia_for_owncloud_owncloud_url_base}}", "{{var_authelia_for_owncloud_owncloud_url_base}}/oidc-callback.html", - "{{var_authelia_for_owncloud_owncloud_url_base}}/oidc-silent-redirect.html" + "{{var_authelia_for_owncloud_owncloud_url_base}}/oidc-silent-redirect.html", + "{{var_authelia_for_owncloud_owncloud_url_base}}/apps/openidconnect/redirect" + ], + "response_types": [ + "code" + ], + "grant_types": [ + "authorization_code", + "refresh_token" ] + "access_token_signed_response_alg": "none", + "userinfo_signed_response_alg": "none", + "token_endpoint_auth_method": "none" } diff --git a/roles/authelia-for-owncloud/vardef.json b/roles/authelia-for-owncloud/vardef.json deleted file mode 100644 index 531604d..0000000 --- a/roles/authelia-for-owncloud/vardef.json +++ /dev/null @@ -1,34 +0,0 @@ -{ - "owncloud_url_base": { - "type": "string", - "mandatory": false - }, - "web_client_id": { - "type": "string", - "mandatory": false - }, - "android_client_id": { - "type": "string", - "mandatory": false - }, - "android_client_secret": { - "type": "string", - "mandatory": true - }, - "ios_client_id": { - "type": "string", - "mandatory": false - }, - "ios_client_secret": { - "type": "string", - "mandatory": true - }, - "dektop_client_id": { - "type": "string", - "mandatory": false - }, - "desktop_client_secret": { - "type": "string", - "mandatory": false - } -} diff --git a/roles/authelia/templates/conf-main.json.j2 b/roles/authelia/templates/conf-main.json.j2 index 84a4214..5d77df9 100644 
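Review bot: The four `redirect_uris` entries still interpolate `var_authelia_for_owncloud_owncloud_url_base`, a variable this commit removes from defaults/main.json in favour of `cfg_authelia_for_owncloud.owncloud_url_base`, so rendering fails on an undefined variable (or, with a lenient undefined setting, registers empty redirect URIs); replace each with `{{cfg_authelia_for_owncloud.owncloud_url_base}}`. As in the other three client templates, the context line `]` closing `grant_types` must become `],` before the added `access_token_signed_response_alg` member or the output is not JSON. `"lifespan": "ocis"` depends on the `custom.ocis` lifespan added to roles/authelia/templates/conf-main.json.j2 in the same commit; a Jinja comment next to it, `{# lifespan "ocis" is defined in roles/authelia/templates/conf-main.json.j2 #}`, would record that cross-role coupling without affecting the rendered JSON.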
--- a/roles/authelia/templates/conf-main.json.j2 +++ b/roles/authelia/templates/conf-main.json.j2 @@ -196,7 +196,13 @@ ], "lifespans": { "access_token": "{{var_authelia_oidc_lifespan_access_token}}", - "refresh_token": "{{var_authelia_oidc_lifespan_refresh_token}}" + "refresh_token": "{{var_authelia_oidc_lifespan_refresh_token}}", + "custom": { + "ocis": { + "access_token": "2d", + "refresh_token": "3d" + } + } }, "cors": { "allowed_origins_from_client_redirect_uris": true diff --git a/roles/owncloud/cfg.schema.json b/roles/owncloud/cfg.schema.json new file mode 100644 index 0000000..0b4ed0b --- /dev/null +++ b/roles/owncloud/cfg.schema.json 
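Review bot: The new `custom.ocis` lifespan hardcodes a two-day access token and a three-day refresh token inside the generic authelia role, whereas the default lifespans directly above it are driven by `var_authelia_oidc_lifespan_access_token`/`var_authelia_oidc_lifespan_refresh_token`; consider exposing these the same way (a variable such as `var_authelia_oidc_lifespan_ocis_access_token`, name constructed) or at least a Jinja comment stating why ownCloud needs the longer lifetime. A two-day access token means a leaked token stays usable for up to two days whatever the refresh-token handling does, so the reasoning belongs where the value lives. The enclosing object starts before this hunk and closes after it.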
@@ -0,0 +1,128 @@
+{
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "user": {
+ "nullable": false,
+ "type": "string",
+ "default": "owncloud"
+ },
+ "directory": {
+ "nullable": false,
+ "type": "string",
+ "default": "/opt/owncloud"
+ },
+ "version": {
+ "nullable": false,
+ "type": "string",
+ "default": "7.2.0"
+ },
+ "platform": {
+ "nullable": false,
+ "type": "string",
+ "default": "linux-amd64"
+ },
+ "domain": {
+ "nullable": false,
+ "type": "string",
+ "default": "owncloud.example.org"
+ },
+ "admin_password": {
+ "nullable": false,
+ "type": "string"
+ },
+ "authentication": {
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "kind": {
+ "type": "string",
+ "enum": [
+ "internal",
+ "authelia"
+ ],
+ "default": "internal"
+ },
+ "data": {
+ "anyOf": [
+ {
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "authelia": {
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "url_base": {
+ "nullable": false,
+ "type": "string"
+ },
+ "web": {
+ "nullable": true,
+ "type": "object",
+ "properties": {
+ "client_id": {
+ "type": "string",
+ "mandatory": false,
+ "default": "owncloud_web"
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ ],
+ "default": {
+ }
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "url_base"
+ ]
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "authelia"
+ ]
+ }
+ ]
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ ],
+ "default": {
+ }
+ },
+ "public_share": {
+ "nullable": false,
+ "type": "object",
+ "properties": {
+ "password_necessity": {
+ "nullable": false,
+ "type": "string",
+ "enum": [
+ "nothing",
+ "writable",
+ "all"
+ ],
+ "default": "writable"
+ },
+ "password_policy_active": {
+ "nullable": false,
+ "type": "boolean",
+ "default": true
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ ],
+ "default": {
+ }
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "admin_password"
+ ]
+}
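Review bot: `"mandatory": false` inside `authentication.data…web.client_id` is a leftover from the removed vardef.json format and is not a JSON Schema keyword; validators ignore unknown keywords, so it silently does nothing — drop it and add the `"nullable": false` that every sibling property definition carries. The `data` property is an `anyOf` with a single branch, and nothing ties it to `kind`: a config with `"kind": "authelia"` and no `data` passes validation and only fails later when env.j2 reads `authentication.data.authelia.url_base`; a conditional at the `authentication` level, `"if": {"properties": {"kind": {"const": "authelia"}}}, "then": {"required": ["data"]}`, would surface that at validation time. `admin_password` is correctly required with no default, which is the right shape for a secret the operator must supply.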
diff --git a/roles/owncloud/defaults/main.json b/roles/owncloud/defaults/main.json index 1101e12..0c24d09 100644 --- a/roles/owncloud/defaults/main.json +++ b/roles/owncloud/defaults/main.json @@ -1,18 +1,24 @@ { - "var_owncloud_user": "owncloud", - "var_owncloud_directory": "/opt/owncloud", - "var_owncloud_version": "5.0.0", - "var_owncloud_platform": "linux-amd64", - "var_owncloud_domain": "owncloud.example.org", - "var_owncloud_admin_password": "REPLACE_ME", - "var_owncloud_authentication_kind": "internal", - "var_owncloud_authentication_data_authelia_url_base": "https://authelia.example.org", - "var_owncloud_authentication_data_authelia_web_client_id": "owncloud_web", - "var_owncloud_authentication_data_authelia_web_client_secret": "REPLACE_ME", - "var_owncloud_authentication_data_authelia_android_client_id": "owncloud_android", - "var_owncloud_authentication_data_authelia_android_client_secret": "REPLACE_ME", - "var_owncloud_authentication_data_authelia_ios_client_id": "owncloud_ios", - "var_owncloud_authentication_data_authelia_ios_client_secret": "REPLACE_ME", - "var_owncloud_public_share_password_necessity": "writable", - "var_owncloud_public_share_password_policy_active": true + "cfg_owncloud_defaults": { + "user": "owncloud", + "directory": "/opt/owncloud", + "version": "7.2.0", + "platform": "linux-amd64", + "domain": "owncloud.example.org", + "authentication": { + "kind": "internal", + "data": { + "authelia": { + "url_base": "https://authelia.example.org", + "web": { + "client_id": "owncloud_web" + } + } + } + }, + "public_share": { + "password_necessity": "writable", + "password_policy_active": true + } + } } diff --git a/roles/owncloud/info.md b/roles/owncloud/info.md index b74ee6d..8424eaf 100644 --- a/roles/owncloud/info.md +++ b/roles/owncloud/info.md 
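Review bot: `authentication.data.authelia.url_base` receives the default `https://authelia.example.org` here although the new schema lists it under `required` and gives it no `default`, so the two files disagree on whether an operator must set it; because a wrong issuer URL quietly points the whole OIDC login at a different identity provider, prefer leaving it out of the defaults so the schema's `required` actually fires on a missing override. Dropping the `REPLACE_ME` placeholder for `admin_password` is consistent with the schema requiring it.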
@@ -7,6 +7,7 @@ Cloud-Plattform [ownCloud](https://owncloud.com/) (the rewrite in Go named "Infi - [ownCloud-Dokumentation | How to install ownCloud Infinite Scale Tech Preview in three easy steps](https://owncloud.com/news/howto-install-owncloud-infinite-scale-tech-preview/) - [ownCloud-Dokumentation | oCIS](https://owncloud.dev/ocis/) +- [ownCloud-Dokumentation | env var types](https://doc.owncloud.com/ocis/next/deployment/services/envvar-types-description.html) - [ownCloud-Dokumentation | Service | Proxy](https://doc.owncloud.com/ocis/next/deployment/services/s-list/proxy.html) - [ownCloud-Dokumentation | Service | Web](https://doc.owncloud.com/ocis/next/deployment/services/s-list/web.html) - [ownCloud-Dokumentation | Service | Sharing](https://doc.owncloud.com/ocis/next/deployment/services/s-list/sharing.html) @@ -14,6 +15,11 @@ Cloud-Plattform [ownCloud](https://owncloud.com/) (the rewrite in Go named "Infi - [ownCloud-Foren | OCIS + Authelia](https://central.owncloud.org/t/ocis-authelia/44222) +## Bermerkungen + +- die Konfiguration ist zweistufig: man trägt Werte in die `.env`-Datei ein und lässt dann von owncloud auf Basis dessen eine vollwertige Konfiguration (`.ocis/config/ocis.yaml`) erstellen, welche nicht händisch angelegt oder geändert werden sollte + + ## ToDo - Download prüfen diff --git a/roles/owncloud/tasks/main.json b/roles/owncloud/tasks/main.json index 0a6e356..d76f3ad 100644 --- a/roles/owncloud/tasks/main.json +++ b/roles/owncloud/tasks/main.json 
@@ -3,37 +3,50 @@ "name": "user", "become": true, "ansible.builtin.user": { - "name": "{{var_owncloud_user}}", + "name": "{{cfg_owncloud.user}}", "create_home": true, - "home": "{{var_owncloud_directory}}" + "home": "{{cfg_owncloud.directory}}" } }, { "name": "download", "become": true, - "become_user": "{{var_owncloud_user}}", + "become_user": "{{cfg_owncloud.user}}", "ansible.builtin.get_url": { - "url": "https://download.owncloud.com/ocis/ocis/stable/{{var_owncloud_version}}/ocis-{{var_owncloud_version}}-{{var_owncloud_platform}}", - "dest": "{{var_owncloud_directory}}/ocis", + "url": "https://download.owncloud.com/ocis/ocis/stable/{{cfg_owncloud.version}}/ocis-{{cfg_owncloud.version}}-{{cfg_owncloud.platform}}", + "dest": "{{cfg_owncloud.directory}}/ocis", "mode": "u+rx" } }, + { + "name": "directories", + "become": true, + "become_user": "{{cfg_owncloud.user}}", + "loop": [ + "log" + ], + "ansible.builtin.file": { + "state": "directory", + "recurse": true, + "path": "{{cfg_owncloud.directory}}/{{item}}" + } + }, { "name": "setup", "become": true, - "become_user": "{{var_owncloud_user}}", + "become_user": "{{cfg_owncloud.user}}", "ansible.builtin.shell": { - "chdir": "{{var_owncloud_directory}}", - "cmd": "rm -f {{var_owncloud_directory}}/.ocis/config/ocis.yaml && ./ocis init --insecure no --admin-password={{var_owncloud_admin_password}}" + "chdir": "{{cfg_owncloud.directory}}", + "cmd": "rm -f {{cfg_owncloud.directory}}/.ocis/config/ocis.yaml && ./ocis init --insecure no --admin-password={{cfg_owncloud.admin_password}}" } }, { "name": "configuration", "become": true, - "become_user": "{{var_owncloud_user}}", + "become_user": "{{cfg_owncloud.user}}", "ansible.builtin.template": { "src": "env.j2", - "dest": "{{var_owncloud_directory}}/.env" + "dest": "{{cfg_owncloud.directory}}/.env" } }, { diff --git a/roles/owncloud/templates/env.j2 b/roles/owncloud/templates/env.j2 index 1c53400..e8426ef 100644 --- a/roles/owncloud/templates/env.j2 
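Review bot: The `setup` task still passes `cfg_owncloud.admin_password` on the `ocis init` command line unquoted and without `no_log`, so the password appears in Ansible's task output and log and, briefly, in the process list on the host, and a password containing shell metacharacters changes the command; add `"no_log": true` to the task and render it as `--admin-password={{cfg_owncloud.admin_password | quote}}`. The same task runs `rm -f …/.ocis/config/ocis.yaml && ./ocis init` on every play, which, as far as I can tell from `ocis init`, regenerates the internally generated secrets each time — a `creates` argument on the shell task or a comment stating that re-initialisation is intended would make that deliberate. The new `directories` task sets `"recurse": true` for the single `log` directory, where it appears to add nothing over `state: directory` and could be dropped. The task list starts before this hunk and continues after it.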
+++ b/roles/owncloud/templates/env.j2 
@@ -1,44 +1,57 @@ -OCIS_URL="https://{{var_owncloud_domain}}" -OCIS_INSECURE="false" - -PROXY_TLS="false" - -{% if var_owncloud_authentication_kind == 'internal' %} -PROXY_AUTOPROVISION_ACCOUNTS="false" +## web client +WEB_LOG_LEVEL=info +WEB_LOG_FILE={{cfg_owncloud.directory}}/log/web +WEB_LOG_PRETTY=true +WEB_LOG_COLOR=true +{% if cfg_owncloud.authentication_kind == 'internal' %} +{% endif %} +{% if cfg_owncloud.authentication_kind == 'authelia' %} +WEB_OIDC_AUTHORITY={{cfg_owncloud.authentication.data.authelia.url_base}} +WEB_OIDC_CLIENT_ID={{cfg_owncloud.authentication.data.authelia.web.client_id}} +WEB_OIDC_RESPONSE_TYPE=code +WEB_OIDC_SCOPE=openid profile email groups +WEB_OPTION_LOGIN_URL={{cfg_owncloud.authentication.data.authelia.url_base}} +WEB_OPTION_LOGOUT_URL={{cfg_owncloud.authentication.data.authelia.url_base}} {% endif %} -{% if var_owncloud_authentication_kind == 'authelia' %} -OCIS_OIDC_CLIENT_ID="{{var_owncloud_authentication_data_authelia_web_client_id}}" -OCIS_OIDC_ISSUER="{{var_owncloud_authentication_data_authelia_url_base}}" - -PROXY_AUTOPROVISION_ACCOUNTS="true" -PROXY_OIDC_REWRITE_WELLKNOWN="true" -PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD="none" -PROXY_OIDC_INSECURE="false" -PROXY_USER_OIDC_CLAIM="name" -PROXY_USER_CS3_CLAIM="username" - -WEB_OIDC_AUTHORITY="{{var_owncloud_authentication_data_authelia_url_base}}" -WEB_OIDC_METADATA_URL="{{var_owncloud_authentication_data_authelia_url_base}}/.well-known/openid-configuration" -WEB_OIDC_CLIENT_ID="{{var_owncloud_authentication_data_authelia_web_client_id}}" -WEB_OIDC_SCOPE="openid profile email groups" +## other clients +PROXY_LOG_LEVEL=info +PROXY_LOG_FILE={{cfg_owncloud.directory}}/log/proxy +PROXY_LOG_PRETTY=true +PROXY_LOG_COLOR=true +PROXY_TLS=false +{% if cfg_owncloud.authentication_kind == 'internal' %} +PROXY_AUTOPROVISION_ACCOUNTS=false +{% endif %} +{% if cfg_owncloud.authentication_kind == 'authelia' %} +PROXY_OIDC_ISSUER={{cfg_owncloud.authentication.data.authelia.url_base}} 
+PROXY_OIDC_REWRITE_WELLKNOWN=true +PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none +PROXY_OIDC_SKIP_USER_INFO=false +PROXY_AUTOPROVISION_ACCOUNTS=true +PROXY_AUTOPROVISION_CLAIM_USERNAME=preferred_username +PROXY_AUTOPROVISION_CLAIM_EMAIL=email +PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME=name +PROXY_AUTOPROVISION_CLAIM_GROUPS=groups +PROXY_USER_OIDC_CLAIM=preferred_username +PROXY_USER_CS3_CLAIM=username {% endif %} -{% if var_owncloud_public_share_password_necessity == 'nothing' %} -OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD="false" -OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD="false" +## sharing +{% if cfg_owncloud.public_share.password_necessity == 'nothing' %} +OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD=false +OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD=false {% endif %} -{% if var_owncloud_public_share_password_necessity == 'writable' %} -OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD="false" -OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD="true" +{% if cfg_owncloud.public_share.password_necessity == 'writable' %} +OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD=false +OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD=true {% endif %} -{% if var_owncloud_public_share_password_necessity == 'all' %} -OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD="true" -OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD="true" +{% if cfg_owncloud.public_share.password_necessity == 'all' %} +OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD=true +OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD=true {% endif %} - -{% if var_owncloud_public_share_password_policy_active %} -OCIS_SHARING_PASSWORD_POLICY_DISABLED="false" +{% if cfg_owncloud.public_share.password_policy_active %} +OCIS_SHARING_PASSWORD_POLICY_DISABLED=false {% else %} -OCIS_SHARING_PASSWORD_POLICY_DISABLED="true" +OCIS_SHARING_PASSWORD_POLICY_DISABLED=true {% endif %} diff --git a/roles/owncloud/vardef.json b/roles/owncloud/vardef.json deleted file mode 100644 index 6641a03..0000000 
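Review bot: All four `{% if cfg_owncloud.authentication_kind == … %}` conditions read a flat `authentication_kind` key, but the new schema and defaults nest it as `authentication.kind` (the other references in this template already use `cfg_owncloud.authentication.data…`), so depending on the undefined-variable setting the render either fails or silently never emits the OIDC section; change them to `{% if cfg_owncloud.authentication.kind == 'authelia' %}` and `'internal'`. The new side also drops `OCIS_URL="https://{{…domain}}"` and `OCIS_INSECURE`, leaving `cfg_owncloud.domain` unreferenced anywhere in this commit; if that is intentional the `domain` property is dead, otherwise `OCIS_URL=https://{{cfg_owncloud.domain}}` should be restored. `PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none` is only safe together with `PROXY_OIDC_SKIP_USER_INFO=false` (the token is then validated by calling the userinfo endpoint) and matches the opaque tokens the Authelia client templates request via `access_token_signed_response_alg` `none`; a Jinja comment such as `{# access token is opaque (Authelia alg "none"): proxy validates it via userinfo, keep SKIP_USER_INFO=false #}` would stop someone separating that pair later. The empty `{% if … == 'internal' %}{% endif %}` under `## web client` is dead and can go.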
--- a/roles/owncloud/vardef.json
+++ /dev/null
@@ -1,75 +0,0 @@
-{
- "user": {
- "type": "string",
- "mandatory": false
- },
- "directory": {
- "type": "string",
- "mandatory": false
- },
- "version": {
- "type": "string",
- "mandatory": false
- },
- "platform": {
- "type": "string",
- "mandatory": false
- },
- "domain": {
- "type": "string",
- "mandatory": false
- },
- "admin_password": {
- "type": "string",
- "mandatory": true
- },
- "authentication_kind": {
- "type": "string",
- "mandatory": false,
- "options": [
- "internal",
- "authelia"
- ]
- },
- "authentication_data_authelia_url_base": {
- "type": "string",
- "mandatory": false
- },
- "authentication_data_authelia_web_client_id": {
- "type": "string",
- "mandatory": false
- },
- "authentication_data_authelia_web_client_secret": {
- "type": "string",
- "mandatory": false
- },
- "authentication_data_authelia_android_client_id": {
- "type": "string",
- "mandatory": false
- },
- "authentication_data_authelia_android_client_secret": {
- "type": "string",
- "mandatory": false
- },
- "authentication_data_authelia_ios_client_id": {
- "type": "string",
- "mandatory": false
- },
- "authentication_data_authelia_ios_client_secret": {
- "type": "string",
- "mandatory": false
- },
- "public_share_password_necessity": {
- "type": "string",
- "mandatory": false,
- "options": [
- "nothing",
- "writable",
- "all"
- ]
- },
- "public_share_password_policy_active": {
- "type": "boolean",
- "mandatory": false
- }
-}