misc/ansible-base
0
0
Fork 0
Code Issues Pull requests 1 Actions Packages Projects Releases Wiki Activity

Compare commits

base: misc:main
Branches Tags
misc:main
misc:task-406-synapse
misc:temp-20251008
misc:task-230-mealie
misc:dev-mas
misc:dev-mastodon
misc:dev-fail2ban
misc:dev-forgejo
misc:dev-gitea
misc:dev-webdav
misc:temp
misc:dev-tls_auto
misc:dev-synapse_bridge_telegram
..
compare: misc:dev-fail2ban
Branches Tags
misc:task-406-synapse
misc:main
misc:temp-20251008
misc:task-230-mealie
misc:dev-mas
misc:dev-mastodon
misc:dev-fail2ban
misc:dev-forgejo
misc:dev-gitea
misc:dev-webdav
misc:temp
misc:dev-tls_auto
misc:dev-synapse_bridge_telegram

1 commit
main ... dev-fail2b

Author SHA1 Message Date
Christian Fraß 791ac70681 [mod] role:system_basics:fail2ban mit installieren 2024-07-30 15:54:04 +02:00
130 changed files with 616 additions and 5102 deletions
Show stats Expand all files Collapse all files

2
README.md
View file

@ -1,4 +1,4 @@
# Ansible Collection - roydfalk.standard
# Ansible Collection - linke.standard
Sammlung von allgemeinen, wiederverwendbaren Ansible-Rollen

8
galaxy.yml
View file

@ -2,10 +2,10 @@
# The namespace of the collection. This can be a company/brand/organization or product namespace under which all
# content lives. May only contain alphanumeric lowercase characters and underscores. Namespaces cannot start with
# underscores or numbers and cannot contain consecutive underscores
namespace: fenris
namespace: linke
# The name of the collection. Has the same character restrictions as 'namespace'
name: base
name: standard
# The version of the collection. Must be compatible with semantic versioning
version: 1.0.0
@ -16,12 +16,12 @@ readme: README.md
# A list of the collection's content authors. Can be just the name or in the format 'Full Name <email> (url)
# @nicks:irc/im.site#channel'
authors:
- Fenris <fenris@folksprak.org>
- Royd Falk <roydfalk@folksprak.org>
- Marius <marius@rasumi.net>
### OPTIONAL but strongly recommended
# A short summary description of the collection
description: "Sammlung von allgemeinen, wiederverwendbaren Ansible-Rollen"
description: "Sammlung von allgemeinen, wiederverwendbaren Ansible-Rollen (ursprünglich für Infrastruktur der Partei 'DIE LINKE.')"
# Either a single license or a list of licenses for content inside of a collection. Ansible Galaxy currently only
# accepts L(SPDX,https://spdx.org/licenses/) licenses. This key is mutually exclusive with 'license_file'

24
roles/authelia-and-nginx/cfg.schema.json
View file

@ -1,24 +0,0 @@
{
"nullable": false,
"type": "object",
"properties": {
"domain": {
"nullable": false,
"type": "string"
},
"tls_mode": {
"nullable": false,
"type": "string",
"options": [
"disable",
"enable",
"force"
],
"enum": "force"
}
},
"additionalProperties": false,
"required": [
"domain"
]
}

5
roles/authelia-and-nginx/defaults/main.json
View file

@ -1,5 +1,4 @@
{
"cfg_authelia_and_nginx_defaults": {
"tls_mode": "force"
}
"var_authelia_and_nginx_domain": "authelia.example.org",
"var_authelia_and_nginx_tls_mode": "force"
}

13
roles/authelia-and-nginx/tasks/main.json
View file

@ -1,11 +1,4 @@
[
{
"name": "show vars",
"when": "switch_show_vars",
"ansible.builtin.debug": {
"var": "vars.cfg_authelia_and_nginx"
}
},
{
"name": "deactivate default site",
"become": true,
@ -19,7 +12,7 @@
"become": true,
"ansible.builtin.template": {
"src": "conf.j2",
"dest": "/etc/nginx/sites-available/{{cfg_authelia_and_nginx.domain}}"
"dest": "/etc/nginx/sites-available/{{var_authelia_and_nginx_domain}}"
}
},
{
@ -27,8 +20,8 @@
"become": true,
"ansible.builtin.file": {
"state": "link",
"src": "/etc/nginx/sites-available/{{cfg_authelia_and_nginx.domain}}",
"dest": "/etc/nginx/sites-enabled/{{cfg_authelia_and_nginx.domain}}"
"src": "/etc/nginx/sites-available/{{var_authelia_and_nginx_domain}}",
"dest": "/etc/nginx/sites-enabled/{{var_authelia_and_nginx_domain}}"
}
},
{

12
roles/authelia-and-nginx/templates/conf.j2
View file

@ -45,27 +45,27 @@
{% endmacro %}
server {
server_name {{cfg_authelia_and_nginx.domain}};
server_name {{var_authelia_and_nginx_domain}};
listen 80;
listen [::]:80;
{% if (cfg_authelia_and_nginx.tls_mode == 'force') %}
{% if (var_authelia_and_nginx_tls_mode == 'force') %}
return 301 https://$http_host$request_uri;
{% else %}
{{ authelia_common() }}
{% endif %}
}
{% if (cfg_authelia_and_nginx.tls_mode != 'disable') %}
{% if (var_authelia_and_nginx_tls_mode != 'disable') %}
server {
server_name {{cfg_authelia_and_nginx.domain}};
server_name {{var_authelia_and_nginx_domain}};
listen [::]:443 ssl http2;
listen 443 ssl http2;
ssl_certificate_key /etc/ssl/private/{{cfg_authelia_and_nginx.domain}}.pem;
ssl_certificate /etc/ssl/fullchains/{{cfg_authelia_and_nginx.domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem;
ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
{{ authelia_common() }}

4
roles/wiki_js-and-nginx/vardef.json → roles/authelia-and-nginx/vardef.json
View file

@ -3,10 +3,6 @@
"type": "string",
"mandatory": false
},
"internal_port": {
"type": "integer",
"mandatory": false
},
"tls_mode": {
"type": "string",
"options": [

8
roles/authelia-for-dokuwiki/tasks/main.json
View file

@ -1,12 +1,4 @@
[
{
"name": "configuration | compute client secret hash",
"become": true,
"ansible.builtin.shell": {
"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_dokuwiki_client_secret}} | cut --delimiter=' ' --fields='2-'"
},
"register": "temp_authelia_for_dokuwiki_client_secret_hashed"
},
{
"name": "configuration | emplace",
"become": true,

2
roles/authelia-for-dokuwiki/templates/authelia-client-conf.json.j2
View file

@ -1,6 +1,6 @@
{
"client_id": "{{var_authelia_for_dokuwiki_client_id}}",
"client_secret": "{{temp_authelia_for_dokuwiki_client_secret_hashed.stdout}}",
"client_secret": "{{var_authelia_for_dokuwiki_client_secret}}",
"client_name": "DokuWiki",
"public": false,
"authorization_policy": "one_factor",

5
roles/authelia-for-forgejo/defaults/main.json
View file

@ -1,5 +0,0 @@
{
"var_authelia_for_forgejo_forgejo_url_base": "https://forgejo.example.org",
"var_authelia_for_forgejo_client_id": "forgejo",
"var_authelia_for_forgejo_client_secret": "REPLACE_ME"
}

9
roles/authelia-for-forgejo/info.md
View file

@ -1,9 +0,0 @@
## Beschreibung
Um [Forgejo](../forgejo) gegen [Authelia](../authelia) authentifizieren zu lassen
## Verweise
- [Forgejo-Dokumentation | Configuration | OpenID](https://forgejo.org/docs/latest/admin/config-cheat-sheet/#openid-openid)
- [Authelia-Dokumentation | Gitea Integration](https://www.authelia.com/integration/openid-connect/gitea/)

33
roles/authelia-for-forgejo/tasks/main.json
View file

@ -1,33 +0,0 @@
[
{
"name": "configuration | compute client secret hash",
"become": true,
"ansible.builtin.shell": {
"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_forgejo_client_secret}} | cut --delimiter=' ' --fields='2-'"
},
"register": "temp_authelia_for_forgejo_client_secret_hashed"
},
{
"name": "configuration | emplace",
"become": true,
"ansible.builtin.template": {
"src": "authelia-client-conf.json.j2",
"dest": "/etc/authelia/conf.d/clients/forgejo.json"
}
},
{
"name": "configuration | apply",
"become": true,
"ansible.builtin.command": {
"cmd": "/usr/bin/authelia-conf-compose"
}
},
{
"name": "restart service",
"become": true,
"ansible.builtin.systemd_service": {
"state": "restarted",
"name": "authelia"
}
}
]

17
roles/authelia-for-forgejo/templates/authelia-client-conf.json.j2
View file

@ -1,17 +0,0 @@
{
"client_id": "{{var_authelia_for_forgejo_client_id}}",
"client_secret": "{{temp_authelia_for_forgejo_client_secret_hashed.stdout}}",
"client_name": "Forgejo",
"public": false,
"authorization_policy": "one_factor",
"redirect_uris": [
"{{var_authelia_for_forgejo_forgejo_url_base}}/user/oauth2/authelia/callback"
],
"scopes": [
"openid",
"email",
"profile"
],
"userinfo_signed_response_alg": "none",
"token_endpoint_auth_method": "client_secret_basic"
}

8
roles/authelia-for-gitlab/tasks/main.json
View file

@ -1,12 +1,4 @@
[
{
"name": "configuration | compute client secret hash",
"become": true,
"ansible.builtin.shell": {
"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_gitlab_client_secret}} | cut --delimiter=' ' --fields='2-'"
},
"register": "temp_authelia_for_gitlab_client_secret_hashed"
},
{
"name": "configuration | emplace",
"become": true,

2
roles/authelia-for-gitlab/templates/authelia-client-conf.json.j2
View file

@ -1,6 +1,6 @@
{
"client_id": "{{var_authelia_for_gitlab_client_id}}",
"client_secret": "{{temp_authelia_for_gitlab_client_secret_hashed.stdout}}",
"client_secret": "{{var_authelia_for_gitlab_client_secret}}",
"client_name": "GitLab",
"public": false,
"authorization_policy": "one_factor",

25
roles/authelia-for-hedgedoc/cfg.schema.json
View file

@ -1,25 +0,0 @@
{
"nullable": false,
"type": "object",
"properties": {
"hedgedoc_url_base": {
"nullable": false,
"type": "string"
},
"client_id": {
"nullable": false,
"type": "string",
"default": "hedgedoc"
},
"client_secret": {
"nullable": false,
"type": "string"
}
},
"additionalProperties": false,
"required": [
"hedgedoc_url_base",
"client_id",
"client_secret"
]
}

6
roles/authelia-for-hedgedoc/defaults/main.json
View file

@ -1,5 +1,5 @@
{
"cfg_authelia_for_hedgedoc_defaults": {
"client_id": "hedgedoc"
}
"var_authelia_for_hedgedoc_hedgedoc_url_base": "https://hedgedoc.example.org",
"var_authelia_for_hedgedoc_client_id": "hedgedoc",
"var_authelia_for_hedgedoc_client_secret": "REPLACE_ME"
}

15
roles/authelia-for-hedgedoc/tasks/main.json
View file

@ -1,19 +1,4 @@
[
{
"name": "show vars",
"when": "switch_show_vars",
"ansible.builtin.debug": {
"var": "vars.cfg_authelia_for_hedgedoc"
}
},
{
"name": "configuration | compute client secret hash",
"become": true,
"ansible.builtin.shell": {
"cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_hedgedoc.client_secret}} | cut --delimiter=' ' --fields='2-'"
},
"register": "temp_authelia_for_hedgedoc_client_secret_hashed"
},
{
"name": "configuration | emplace",
"become": true,

10
roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2
View file

@ -1,6 +1,6 @@
{
"client_id": "{{cfg_authelia_for_hedgedoc.client_id}}",
"client_secret": "{{temp_authelia_for_hedgedoc_client_secret_hashed.stdout}}",
"client_id": "{{var_authelia_for_hedgedoc_client_id}}",
"client_secret": "{{var_authelia_for_hedgedoc_client_secret}}",
"client_name": "Hedgedoc",
"public": false,
"authorization_policy": "one_factor",
@ -10,7 +10,11 @@
"profile"
],
"redirect_uris": [
"{{cfg_authelia_for_hedgedoc.hedgedoc_url_base}}/auth/oauth2/callback"
"{{var_authelia_for_hedgedoc_hedgedoc_url_base}}/auth/oauth2/callback"
],
"grant_types": [
"refresh_token",
"authorization_code"
],
"response_types": [
"code"

97
roles/authelia-for-owncloud/cfg.schema.json
View file

@ -1,97 +0,0 @@
{
"nullable": false,
"type": "object",
"properties": {
"owncloud_url_base": {
"nullable": false,
"type": "string"
},
"web": {
"nullable": true,
"type": "object",
"properties": {
"client_id": {
"nullable": false,
"type": "string",
"default": "owncloud_web"
}
},
"additionalProperties": false,
"required": [
],
"default": {
}
},
"desktop": {
"nullable": true,
"type": "object",
"properties": {
"client_id": {
"nullable": false,
"type": "string",
"default": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69"
},
"client_secret": {
"nullable": false,
"type": "string",
"default": "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh"
}
},
"additionalProperties": false,
"required": [
],
"default": {
}
},
"android": {
"nullable": true,
"type": "object",
"properties": {
"client_id": {
"nullable": false,
"type": "string",
"default": "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD"
},
"client_secret": {
"nullable": false,
"type": "string",
"default": "dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD"
}
},
"additionalProperties": false,
"required": [
],
"default": {
}
},
"ios": {
"nullable": true,
"type": "object",
"properties": {
"client_id": {
"nullable": false,
"type": "string",
"default": "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1"
},
"client_secret": {
"nullable": false,
"type": "string",
"default": "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx"
}
},
"additionalProperties": false,
"required": [
],
"default": {
}
}
},
"additionalProperties": false,
"required": [
"owncloud_url_base",
"web",
"desktop",
"android",
"ios"
]
}

19
roles/authelia-for-owncloud/defaults/main.json
View file

@ -1,19 +0,0 @@
{
"cfg_authelia_for_owncloud_defaults": {
"web": {
"client_id": "owncloud_web"
},
"desktop": {
"client_id": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69",
"client_secret": "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh"
},
"android": {
"client_id": "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD",
"client_secret": "dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD"
},
"ios": {
"client_id": "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1",
"client_secret": "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx"
}
}
}

10
roles/authelia-for-owncloud/info.md
View file

@ -1,10 +0,0 @@
## Beschreibung
Um [ownCloud](../owncloud) gegen [Authelia](../authelia) authentifizieren zu lassen
## Verweise
- [Authelia-Dokumentation | ownCloud Infinite Scale Integration](https://www.authelia.com/integration/openid-connect/ocis/)
- [Helge Klein | SSO via Authelia: ownCloud OpenID Connect Authentication](https://helgeklein.com/blog/owncloud-infinite-scale-with-openid-connect-authentication-for-home-networks/#sso-via-authelia-owncloud-openid-connect-authentication)
- [ownCloud Forums | OCIS + Authelia](https://central.owncloud.org/t/ocis-authelia/44222)

109
roles/authelia-for-owncloud/tasks/main.json
View file

@ -1,109 +0,0 @@
[
{
"name": "show vars",
"when": "switch_show_vars",
"ansible.builtin.debug": {
"var": "vars.cfg_authelia_for_owncloud"
}
},
{
"name": "configuration | client",
"block": [
{
"name": "configuration | client | web",
"when": "cfg_authelia_for_owncloud.web != None",
"block": [
{
"name": "emplace",
"become": true,
"ansible.builtin.template": {
"src": "authelia-client-conf-web.json.j2",
"dest": "/etc/authelia/conf.d/clients/owncloud-web.json"
}
}
]
},
{
"name": "configuration | client | desktop",
"when": "cfg_authelia_for_owncloud.desktop != None",
"block": [
{
"name": "compute client secret hash",
"become": true,
"ansible.builtin.shell": {
"cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_owncloud.desktop.client_secret}} | cut --delimiter=' ' --fields='2-'"
},
"register": "temp_authelia_for_owncloud_desktop_client_secret_hashed"
},
{
"name": "emplace",
"become": true,
"ansible.builtin.template": {
"src": "authelia-client-conf-desktop.json.j2",
"dest": "/etc/authelia/conf.d/clients/owncloud-desktop.json"
}
}
]
},
{
"name": "configuration | client | android",
"when": "cfg_authelia_for_owncloud.android != None",
"block": [
{
"name": "compute client secret hash",
"become": true,
"ansible.builtin.shell": {
"cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_owncloud.android.client_secret}} | cut --delimiter=' ' --fields='2-'"
},
"register": "temp_authelia_for_owncloud_android_client_secret_hashed"
},
{
"name": "emplace",
"become": true,
"ansible.builtin.template": {
"src": "authelia-client-conf-android.json.j2",
"dest": "/etc/authelia/conf.d/clients/owncloud-android.json"
}
}
]
},
{
"name": "configuration | client | ios",
"when": "cfg_authelia_for_owncloud.ios != None",
"block": [
{
"name": "compute client secret hash",
"become": true,
"ansible.builtin.shell": {
"cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_owncloud.ios.client_secret}} | cut --delimiter=' ' --fields='2-'"
},
"register": "temp_authelia_for_owncloud_ios_client_secret_hashed"
},
{
"name": "emplace",
"become": true,
"ansible.builtin.template": {
"src": "authelia-client-conf-ios.json.j2",
"dest": "/etc/authelia/conf.d/clients/owncloud-ios.json"
}
}
]
}
]
},
{
"name": "configuration | apply",
"become": true,
"ansible.builtin.command": {
"cmd": "/usr/bin/authelia-conf-compose"
}
},
{
"name": "restart service",
"become": true,
"ansible.builtin.systemd_service": {
"state": "restarted",
"name": "authelia"
}
}
]

33
roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2
View file

@ -1,33 +0,0 @@
{
"client_id": "{{cfg_authelia_for_owncloud.android.client_id}}",
"client_secret": "{{temp_authelia_for_owncloud_android_client_secret_hashed.stdout}}",
"client_name": "ownCloud | Android Client",
"public": false,
"authorization_policy": "one_factor",
"require_pkce": true,
"pkce_challenge_method": "S256",
"scopes": [
"openid",
"offline_access",
"groups",
"profile",
"email"
],
"redirect_uris": [
"oc://android.owncloud.com"
],
"response_types": [
"code"
],
"grant_types": [
"authorization_code",
"refresh_token"
],
"access_token_signed_response_alg": "none",
"userinfo_signed_response_alg": "none",
"token_endpoint_auth_method": "client_secret_basic"
}

33
roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2
View file

@ -1,33 +0,0 @@
{
"client_id": "{{cfg_authelia_for_owncloud.desktop.client_id}}",
"client_secret": "{{temp_authelia_for_owncloud_desktop_client_secret_hashed.stdout}}",
"client_name": "ownCloud | Desktop Client",
"public": false,
"authorization_policy": "one_factor",
"require_pkce": true,
"pkce_challenge_method": "S256",
"scopes": [
"openid",
"offline_access",
"groups",
"profile",
"email"
],
"redirect_uris": [
"http://127.0.0.1",
"http://localhost"
],
"response_types": [
"code"
],
"grant_types": [
"authorization_code",
"refresh_token"
],
"access_token_signed_response_alg": "none",
"userinfo_signed_response_alg": "none",
"token_endpoint_auth_method": "client_secret_basic"
}

33
roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2
View file

@ -1,33 +0,0 @@
{
"client_id": "{{cfg_authelia_for_owncloud.ios.client_id}}",
"client_secret": "{{temp_authelia_for_owncloud_ios_client_secret_hashed.stdout}}",
"client_name": "ownCloud | iOS Client",
"public": false,
"authorization_policy": "one_factor",
"require_pkce": true,
"pkce_challenge_method": "S256",
"scopes": [
"openid",
"offline_access",
"groups",
"profile",
"email"
],
"redirect_uris": [
"oc://ios.owncloud.com",
"oc.ios://ios.owncloud.com"
],
"response_types": [
"code"
],
"grant_types": [
"authorization_code",
"refresh_token"
],
"access_token_signed_response_alg": "none",
"userinfo_signed_response_alg": "none",
"token_endpoint_auth_method": "client_secret_basic"
}

33
roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2
View file

@ -1,33 +0,0 @@
{
"client_id": "{{cfg_authelia_for_owncloud.web.client_id}}",
"client_name": "ownCloud | Web Client",
"lifespan": "long",
"public": true,
"authorization_policy": "one_factor",
"require_pkce": true,
"pkce_challenge_method": "S256",
"scopes": [
"openid",
"offline_access",
"groups",
"profile",
"email"
],
"redirect_uris": [
"https://{{cfg_authelia_for_owncloud.owncloud_url_base}}",
"https://{{cfg_authelia_for_owncloud.owncloud_url_base}}/oidc-callback.html",
"https://{{cfg_authelia_for_owncloud.owncloud_url_base}}/oidc-silent-redirect.html",
"https://{{cfg_authelia_for_owncloud.owncloud_url_base}}/apps/openidconnect/redirect"
],
"response_types": [
"code"
],
"grant_types": [
"authorization_code",
"refresh_token"
],
"access_token_signed_response_alg": "none",
"userinfo_signed_response_alg": "none",
"token_endpoint_auth_method": "none"
}

8
roles/authelia-for-synapse/tasks/main.json
View file

@ -1,12 +1,4 @@
[
{
"name": "configuration | compute client secret hash",
"become": true,
"ansible.builtin.shell": {
"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_synapse_client_secret}} | cut --delimiter=' ' --fields='2-'"
},
"register": "temp_authelia_for_synapse_client_secret_hashed"
},
{
"name": "configuration | emplace",
"become": true,

2
roles/authelia-for-synapse/templates/authelia-client-conf.json.j2
View file

@ -1,6 +1,6 @@
{
"client_id": "{{var_authelia_for_synapse_client_id}}",
"client_secret": "{{temp_authelia_for_synapse_client_secret_hashed.stdout}}",
"client_secret": "{{var_authelia_for_synapse_client_secret}}",
"client_name": "Synapse",
"public": false,
"authorization_policy": "one_factor",

5
roles/authelia-for-tandoor/defaults/main.json
View file

@ -1,5 +0,0 @@
{
"var_authelia_for_tandoor_tandoor_url_base": "https://tandoor.example.org",
"var_authelia_for_tandoor_client_id": "tandoor",
"var_authelia_for_tandoor_client_secret": "REPLACE_ME"
}

8
roles/authelia-for-tandoor/info.md
View file

@ -1,8 +0,0 @@
## Beschreibung
Um [Tandoor](../tandoor) gegen [Authelia](../authelia) authentifizieren zu lassen
## Verweise
- [allauth-Dokumentation | Authelia](https://django-allauth.readthedocs.io/en/latest/socialaccount/providers/authelia.html)

33
roles/authelia-for-tandoor/tasks/main.json
View file

@ -1,33 +0,0 @@
[
{
"name": "configuration | compute client secret hash",
"become": true,
"ansible.builtin.shell": {
"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_tandoor_client_secret}} | cut --delimiter=' ' --fields='2-'"
},
"register": "temp_authelia_for_tandoor_client_secret_hashed"
},
{
"name": "configuration | emplace",
"become": true,
"ansible.builtin.template": {
"src": "authelia-client-conf.json.j2",
"dest": "/etc/authelia/conf.d/clients/tandoor.json"
}
},
{
"name": "configuration | apply",
"become": true,
"ansible.builtin.command": {
"cmd": "/usr/bin/authelia-conf-compose"
}
},
{
"name": "restart service",
"become": true,
"ansible.builtin.systemd_service": {
"state": "restarted",
"name": "authelia"
}
}
]

17
roles/authelia-for-tandoor/templates/authelia-client-conf.json.j2
View file

@ -1,17 +0,0 @@
{
"client_id": "{{var_authelia_for_tandoor_client_id}}",
"client_secret": "{{temp_authelia_for_tandoor_client_secret_hashed.stdout}}",
"client_name": "Tandoor",
"public": false,
"authorization_policy": "one_factor",
"redirect_uris": [
"{{var_authelia_for_tandoor_tandoor_url_base}}/accounts/oidc/authelia/login/callback/"
],
"scopes": [
"openid",
"email",
"profile"
],
"userinfo_signed_response_alg": "none",
"token_endpoint_auth_method": "client_secret_basic"
}

8
roles/authelia-for-vikunja/tasks/main.json
View file

@ -1,12 +1,4 @@
[
{
"name": "configuration | compute client secret hash",
"become": true,
"ansible.builtin.shell": {
"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_vikunja_client_secret}} | cut --delimiter=' ' --fields='2-'"
},
"register": "temp_authelia_for_vikunja_client_secret_hashed"
},
{
"name": "configuration | emplace",
"become": true,

2
roles/authelia-for-vikunja/templates/authelia-client-conf.json.j2
View file

@ -1,6 +1,6 @@
{
"client_id": "{{var_authelia_for_vikunja_client_id}}",
"client_secret": "{{temp_authelia_for_vikunja_client_secret_hashed.stdout}}",
"client_secret": "{{var_authelia_for_vikunja_client_secret}}",
"client_name": "Vikunja",
"public": false,
"authorization_policy": "one_factor",

6
roles/authelia-for-wiki_js/defaults/main.json
View file

@ -1,6 +0,0 @@
{
"var_authelia_for_wiki_js_wiki_js_url_base": "https://wiki-js.example.org",
"var_authelia_for_wiki_js_client_id": "wiki_js",
"var_authelia_for_wiki_js_client_secret": "REPLACE_ME",
"var_authelia_for_wiki_js_strategy_id": "authelia"
}

9
roles/authelia-for-wiki_js/info.md
View file

@ -1,9 +0,0 @@
## Beschreibung
Um [Wiki.js](../wiki.js) gegen [Authelia](../authelia) authentifizieren zu lassen
## Verweise
[Wiki.js-Dokumentation | Authentication](https://docs.requarks.io/auth)
[Authelia-Dokumentation | Wiki.js Integration](https://www.authelia.com/integration/openid-connect/wikijs/)

33
roles/authelia-for-wiki_js/tasks/main.json
View file

@ -1,33 +0,0 @@
[
{
"name": "configuration | compute client secret hash",
"become": true,
"ansible.builtin.shell": {
"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_wiki_js_client_secret}} | cut --delimiter=' ' --fields='2-'"
},
"register": "temp_authelia_for_wiki_js_client_secret_hashed"
},
{
"name": "configuration | emplace",
"become": true,
"ansible.builtin.template": {
"src": "authelia-client-conf.json.j2",
"dest": "/etc/authelia/conf.d/clients/wiki_js.json"
}
},
{
"name": "configuration | apply",
"become": true,
"ansible.builtin.command": {
"cmd": "/usr/bin/authelia-conf-compose"
}
},
{
"name": "restart service",
"become": true,
"ansible.builtin.systemd_service": {
"state": "restarted",
"name": "authelia"
}
}
]

17
roles/authelia-for-wiki_js/templates/authelia-client-conf.json.j2
View file

@ -1,17 +0,0 @@
{
"client_id": "{{var_authelia_for_wiki_js_client_id}}",
"client_secret": "{{temp_authelia_for_wiki_js_client_secret_hashed.stdout}}",
"client_name": "Wiki.js",
"public": false,
"authorization_policy": "one_factor",
"redirect_uris": [
"{{var_authelia_for_wiki_js_wiki_js_url_base}}/login/{{var_authelia_for_wiki_js_strategy_id}}/callback"
],
"scopes": [
"openid",
"email",
"profile"
],
"userinfo_signed_response_alg": "none",
"token_endpoint_auth_method": "client_secret_post"
}

449
roles/authelia/cfg.schema.json
View file

@ -1,449 +0,0 @@
{
"nullable": false,
"type": "object",
"properties": {
"listen_address": {
"nullable": false,
"type": "string",
"default": "0.0.0.0"
},
"domain": {
"nullable": false,
"type": "string"
},
"session_domain": {
"nullable": false,
"type": "string"
},
"redirect_url": {
"nullable": false,
"type": "string"
},
"jwt_secret": {
"nullable": false,
"type": "string"
},
"session_secret": {
"nullable": false,
"type": "string"
},
"storage_encryption_key": {
"nullable": false,
"type": "string"
},
"users_file_path": {
"nullable": false,
"type": "string",
"default": "/var/authelia/users.yml"
},
"log_file_path": {
"nullable": false,
"type": "string",
"default": "/var/authelia/log.jsonl"
},
"storage": {
"anyOf": [
{
"nullable": false,
"type": "object",
"properties": {
"kind": {
"nullable": false,
"type": "string",
"enum": ["sqlite"],
"default": "sqlite"
},
"data": {
"nullable": false,
"type": "object",
"properties": {
"path": {
"nullable": false,
"type": "string",
"default": "/var/authelia/state.db"
}
},
"additionalProperties": false,
"required": [
"path"
],
"default": {
}
}
},
"additionalProperties": false,
"required": [
"kind",
"data"
],
"default": {
}
},
{
"nullable": false,
"type": "object",
"properties": {
"kind": {
"nullable": false,
"type": "string",
"enum": ["postgresql"]
},
"data": {
"nullable": false,
"type": "object",
"properties": {
"host": {
"nullable": false,
"type": "string",
"ddefault": "localhost"
},
"port": {
"nullable": false,
"type": "integer",
"default": 5432
},
"username": {
"nullable": false,
"type": "string",
"default": "authelia_user"
},
"password": {
"nullable": false,
"type": "string"
},
"schema": {
"nullable": false,
"type": "string",
"default": "authelia"
}
},
"additionalProperties": false,
"required": [
"host",
"port",
"username",
"password",
"schema"
],
"default": {
}
}
},
"additionalProperties": false,
"required": [
"kind",
"data"
],
"default": {
}
},
{
"nullable": false,
"type": "object",
"properties": {
"kind": {
"nullable": false,
"type": "string",
"enum": ["mariadb"]
},
"data": {
"nullable": false,
"type": "object",
"properties": {
"host": {
"nullable": false,
"type": "string",
"ddefault": "localhost"
},
"port": {
"nullable": false,
"type": "integer",
"default": 3306
},
"username": {
"nullable": false,
"type": "string",
"default": "authelia_user"
},
"password": {
"nullable": false,
"type": "string"
},
"schema": {
"nullable": false,
"type": "string",
"default": "authelia"
}
},
"additionalProperties": false,
"required": [
"host",
"port",
"username",
"password",
"schema"
],
"default": {
}
}
},
"additionalProperties": false,
"required": [
"kind",
"data"
],
"default": {
}
}
]
},
"ntp_server": {
"nullable": false,
"type": "string",
"default": "time.cloudflare.com:123"
},
"password_reset": {
"nullable": false,
"type": "object",
"properties": {
"enabled": {
"nullable": false,
"type": "boolean",
"default": false
},
"custom_url": {
"nullable": true,
"type": "string",
"default": null
}
},
"additionalProperties": false,
"required": [
"enabled",
"custom_url"
],
"default": {
}
},
"notification": {
"anyOf": [
{
"nullable": false,
"type": "object",
"properties": {
"kind": {
"nullable": false,
"type": "string",
"enum": ["file"],
"default": "file"
},
"data": {
"nullable": false,
"type": "object",
"properties": {
"path": {
"nullable": false,
"type": "string",
"default": "/var/authelia/notifications"
}
},
"additionalProperties": false,
"required": [
"path"
],
"default": {
}
}
},
"additionalProperties": false,
"required": [
"kind",
"data"
],
"default": {
}
},
{
"nullable": false,
"type": "object",
"properties": {
"kind": {
"nullable": false,
"type": "string",
"enum": ["smtp"],
"default": "smtp"
},
"data": {
"nullable": false,
"type": "object",
"properties": {
"host": {
"nullable": false,
"type": "string"
},
"port": {
"nullable": false,
"type": "integer",
"default": 465
},
"username": {
"nullable": false,
"type": "string",
"default": "authelia"
},
"password": {
"nullable": false,
"type": "string"
},
"sender": {
"nullable": false,
"type": "string",
"default": "authelia@example.org"
}
},
"additionalProperties": false,
"required": [
"host",
"port",
"username",
"password",
"sender"
]
}
},
"additionalProperties": false,
"required": [
"kind",
"data"
],
"default": {
}
}
]
},
"oidc": {
"nullable": false,
"type": "object",
"properties": {
"hmac_secret": {
"nullable": false,
"type": "string"
},
"lifespan": {
"nullable": false,
"type": "object",
"properties": {
"default": {
"nullable": false,
"type": "object",
"properties": {
"access_token": {
"nullable": false,
"type": "string",
"default": "1h"
},
"refresh_token": {
"nullable": false,
"type": "string",
"default": "1m"
}
},
"additionalProperties": false,
"required": [
],
"default": {
}
},
"custom": {
"nullable": false,
"type": "object",
"properties": {
},
"additionalProperties": {
"nullable": false,
"type": "object",
"properties": {
"access_token": {
"nullable": false,
"type": "string"
},
"refresh_token": {
"nullable": false,
"type": "string"
}
},
"additionalProperties": false,
"required": [
"access_token",
"refresh_token"
]
},
"required": [
],
"default": {
"long": {
"access_token": "2d",
"refresh_token": "3d"
}
}
}
},
"additionalProperties": false,
"required": [
],
"default": {
}
},
"cors_endpoints": {
"nullable": true,
"type": "array",
"items": {
"nullable": false,
"type": "string",
"enum": [
"authorization",
"pushed-authorization-request",
"token",
"revocation",
"introspection",
"userinfo"
]
},
"default": [
"authorization",
"token",
"revocation",
"introspection",
"userinfo"
]
}
},
"additionalProperties": false,
"required": [
"hmac_secret",
"lifespan",
"cors_endpoints"
],
"default": {
}
}
},
"additionalProperties": false,
"required": [
"listen_address",
"domain",
"session_domain",
"redirect_url",
"jwt_secret",
"session_secret",
"storage_encryption_key",
"users_file_path",
"log_file_path",
"storage",
"ntp_server",
"notification",
"oidc"
],
"default": {
}
}

77
roles/authelia/defaults/main.json
View file

@ -1,45 +1,36 @@
{
"cfg_authelia_defaults": {
"listen_address": "0.0.0.0",
"users_file_path": "/var/authelia/users.yml",
"log_file_path": "/var/authelia/log.jsonl",
"storage": {
"kind": "sqlite",
"data": {
"path": "/var/authelia/state.db"
}
},
"ntp_server": "time.cloudflare.com:123",
"password_reset": {
"enabled": false,
"custom_url": null
},
"notification": {
"kind": "file",
"data": {
"path": "/var/authelia/notifications"
}
},
"oidc": {
"lifespan": {
"default": {
"access_token": "1d",
"refresh_token": "1h"
},
"custom": {
"long": {
"access_token": "2d",
"refresh_token": "3d"
}
}
},
"cors_endpoints": [
"authorization",
"token",
"revocation",
"introspection",
"userinfo"
]
}
}
"var_authelia_version": "4.37.5",
"var_authelia_architecture": "amd64",
"var_authelia_listen_address": "0.0.0.0",
"var_authelia_jwt_secret": "REPLACE_ME",
"var_authelia_users_file_path": "/var/authelia/users.yml",
"var_authelia_log_file_path": "/var/authelia/log.jsonl",
"var_authelia_domain": "authelia.example.org",
"var_authelia_redirect_url": "https://example.org",
"var_authelia_session_domain": "example.org",
"var_authelia_session_secret": "REPLACE_ME",
"var_authelia_storage_encryption_key": "REPLACE_ME",
"var_authelia_storage_kind": "sqlite",
"var_authelia_storage_data_sqlite_path": "/var/authelia/state.db",
"var_authelia_storage_data_postgresql_host": "localhost",
"var_authelia_storage_data_postgresql_port": 5432,
"var_authelia_storage_data_postgresql_username": "authelia_user",
"var_authelia_storage_data_postgresql_password": "REPLACE_ME",
"var_authelia_storage_data_postgresql_schema": "authelia",
"var_authelia_storage_data_mariadb_host": "localhost",
"var_authelia_storage_data_mariadb_port": 3306,
"var_authelia_storage_data_mariadb_username": "authelia_user",
"var_authelia_storage_data_mariadb_password": "REPLACE_ME",
"var_authelia_storage_data_mariadb_schema": "authelia",
"var_authelia_ntp_server": "time.cloudflare.com:123",
"var_authelia_password_reset_enabled": false,
"var_authelia_password_reset_custom_url": null,
"var_authelia_notification_mode": "smtp",
"var_authelia_notification_file_path": "/var/authelia/notifications",
"var_authelia_notification_smtp_host": "smtp.example.org",
"var_authelia_notification_smtp_port": 465,
"var_authelia_notification_smtp_username": "authelia",
"var_authelia_notification_smtp_password": "REPLACE_ME",
"var_authelia_notification_smtp_sender": "authelia@example.org",
"var_authelia_oidc_hmac_secret": "REPLACE_ME"
}

213
roles/authelia/tasks/main.json
View file

@ -1,57 +1,42 @@
[
{
"name": "show vars",
"when": "switch_show_vars",
"ansible.builtin.debug": {
"var": "vars.cfg_authelia"
"name": "packages | prerequisites",
"become": true,
"ansible.builtin.apt": {
"update_cache": true,
"pkg": [
"apt-transport-https",
"gpg"
]
}
},
{
"name": "packages",
"block": [
{
"name": "prerequisites",
"become": true,
"ansible.builtin.apt": {
"update_cache": true,
"pkg": [
"apt-transport-https",
"ca-certificates",
"gpg"
]
}
},
{
"name": "keys",
"become": true,
"ansible.builtin.get_url": {
"url": "https://www.authelia.com/keys/authelia-security.gpg",
"dest": "/usr/share/keyrings/authelia-security.gpg"
}
},
{
"name": "repository",
"become": true,
"ansible.builtin.shell": {
"cmd": "echo \"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/authelia-security.gpg] https://apt.authelia.com stable main\" > /etc/apt/sources.list.d/authelia.list",
"creates": "/etc/apt/sources.list.d/authelia.list"
}
"name": "packages | keys",
"become": true,
"ansible.builtin.apt_key": {
"url": "https://apt.authelia.com/organization/signing.asc"
}
},
{
"name": "packages | repository",
"become": true,
"ansible.builtin.apt_repository": {
"repo": "deb https://apt.authelia.com/stable/debian/debian/ all main"
}
},
{
"name": "installation",
"become": true,
"ansible.builtin.apt": {
"update_cache": true,
"pkg": [
"openssl",
"python3-cryptography",
"python3-yaml",
"authelia"
]
}
}
]
},
{
"name": "packages | installation",
"become": true,
"ansible.builtin.apt": {
"update_cache": true,
"pkg": [
"openssl",
"python3-cryptography",
"python3-yaml",
"authelia"
]
}
},
{
"name": "generate private key for signing OIDC JWTs",
@ -65,88 +50,74 @@
"register": "temp_tls_result"
},
{
"name": "configuration",
"block": [
{
"name": "configuration | compose script",
"become": true,
"ansible.builtin.copy": {
"src": "conf-compose.py",
"dest": "/usr/bin/authelia-conf-compose",
"mode": "0700"
}
},
{
"name": "configuration | directories",
"become": true,
"loop": [
"/etc/authelia/conf.d",
"/etc/authelia/conf.d/clients"
],
"ansible.builtin.file": {
"state": "directory",
"path": "{{item}}"
}
},
{
"name": "configuration | main",
"become": true,
"ansible.builtin.template": {
"src": "conf-main.json.j2",
"dest": "/etc/authelia/conf.d/main.json"
}
},
{
"name": "configuration | compose",
"become": true,
"ansible.builtin.command": {
"cmd": "/usr/bin/authelia-conf-compose --main-file-path=/etc/authelia/conf.d/main.json --clients-directory-path=/etc/authelia/conf.d/clients --output-format=yaml --output-path=/etc/authelia/configuration.yml"
}
}
]
"name": "configuration | compose script",
"become": true,
"ansible.builtin.copy": {
"src": "conf-compose.py",
"dest": "/usr/bin/authelia-conf-compose",
"mode": "0700"
}
},
{
"name": "configuration | directories",
"become": true,
"loop": [
"/etc/authelia/conf.d",
"/etc/authelia/conf.d/clients"
],
"ansible.builtin.file": {
"state": "directory",
"path": "{{item}}"
}
},
{
"name": "configuration | main",
"become": true,
"ansible.builtin.template": {
"src": "conf-main.json.j2",
"dest": "/etc/authelia/conf.d/main.json"
}
},
{
"name": "configuration | compose",
"become": true,
"ansible.builtin.command": {
"cmd": "/usr/bin/authelia-conf-compose --main-file-path=/etc/authelia/conf.d/main.json --clients-directory-path=/etc/authelia/conf.d/clients --output-format=yaml --output-path=/etc/authelia/configuration.yml"
}
},
{
"name": "setup log directory",
"become": true,
"ansible.builtin.file": {
"state": "directory",
"owner": "authelia",
"group": "authelia",
"path": "{{cfg_authelia.log_file_path | dirname}}"
"path": "{{var_authelia_log_file_path | dirname}}"
}
},
{
"name": "users",
"block": [
{
"name": "directory",
"become": true,
"ansible.builtin.file": {
"state": "directory",
"owner": "authelia",
"group": "authelia",
"path": "{{cfg_authelia.users_file_path | dirname}}"
}
},
{
"name": "initial file",
"become": true,
"ansible.builtin.template": {
"src": "users.yml.j2",
"dest": "{{cfg_authelia.users_file_path}}",
"force": false
}
},
{
"name": "management script",
"become": true,
"ansible.builtin.copy": {
"src": "user-manage.py",
"dest": "/usr/bin/authelia-user-manage",
"mode": "0700"
}
}
]
"name": "users | directory",
"become": true,
"ansible.builtin.file": {
"state": "directory",
"path": "{{var_authelia_users_file_path | dirname}}"
}
},
{
"name": "users | initial file",
"become": true,
"ansible.builtin.template": {
"src": "users.yml.j2",
"dest": "{{var_authelia_users_file_path}}",
"force": false
}
},
{
"name": "users | management script",
"become": true,
"ansible.builtin.copy": {
"src": "user-manage.py",
"dest": "/usr/bin/authelia-user-manage",
"mode": "0700"
}
},
{
"name": "apply",

83
roles/authelia/templates/conf-main.json.j2
View file

@ -2,12 +2,12 @@
"theme": "auto",
"identity_validation": {
"reset_password": {
"jwt_secret": "{{cfg_authelia.jwt_secret}}"
"jwt_secret": "{{var_authelia_jwt_secret}}"
}
},
"default_2fa_method": "totp",
"server": {
"address": "{{cfg_authelia.listen_address}}:9091",
"address": "{{var_authelia_listen_address}}:9091",
"endpoints": {
"enable_pprof": false,
"enable_expvars": false
@ -17,7 +17,7 @@
"log": {
"level": "info",
"format": "json",
"file_path": "{{cfg_authelia.log_file_path}}",
"file_path": "{{var_authelia_log_file_path}}",
"keep_stdout": false
},
"telemetry": {
@ -43,7 +43,7 @@
"user_verification": "preferred"
},
"ntp": {
"address": "{{cfg_authelia.ntp_server}}",
"address": "{{var_authelia_ntp_server}}",
"version": 4,
"max_desync": "3s",
"disable_startup_check": false,
@ -51,16 +51,16 @@
},
"authentication_backend": {
"password_reset": {
{% if cfg_authelia.password_reset.enabled %}
{% if var_authelia_password_reset_enabled %}
"disable": false,
{% else %}
"disable": true,
{% endif %}
"custom_url": {{cfg_authelia.password_reset.custom_url | to_json}}
"custom_url": "{{var_authelia_password_reset_custom_url}}"
},
"refresh_interval": "5m",
"file": {
"path": "{{cfg_authelia.users_file_path}}",
"path": "{{var_authelia_users_file_path}}",
"watch": true,
"search": {
"email": false,
@ -121,15 +121,15 @@
"session": {
"name": "authelia_session",
"same_site": "lax",
"secret": "{{cfg_authelia.session_secret}}",
"secret": "{{var_authelia_session_secret}}",
"expiration": "1h",
"inactivity": "5m",
"remember_me": "1M",
"cookies": [
{
"domain": "{{cfg_authelia.session_domain}}",
"authelia_url": "https://{{cfg_authelia.domain}}/",
"default_redirection_url": "{{cfg_authelia.redirect_url}}"
"domain": "{{var_authelia_session_domain}}",
"authelia_url": "https://{{var_authelia_domain}}/",
"default_redirection_url": "{{var_authelia_redirect_url}}"
}
]
},
@ -139,44 +139,45 @@
"ban_time": "5m"
},
"storage": {
"encryption_key": "{{cfg_authelia.storage_encryption_key}}",
{% if cfg_authelia.storage.kind == "sqlite" %}
"encryption_key": "{{var_authelia_storage_encryption_key}}",
{% if var_authelia_storage_kind == "sqlite" %}
"local": {
"path": "{{cfg_authelia.storage.data.path}}"
"path": "{{var_authelia_storage_data_sqlite_path}}"
}
{% endif %}
{% if cfg_authelia.storage.kind == "postgresql" %}
{% if var_authelia_storage_kind == "postgresql" %}
"postgres": {
"address": "{{cfg_authelia.storage.data.host}}:{{cfg_authelia.storage.data.port | string}}",
"address": "{{var_authelia_storage_data_postgresql_host}}:{{var_authelia_storage_data_postgresql_port | string}}",
"schema": "public",
"username": "{{cfg_authelia.storage.data.username}}",
"password": "{{cfg_authelia.storage.data.password}}",
"database": "{{cfg_authelia.storage.data.schema}}"
"username": "{{var_authelia_storage_data_postgresql_username}}",
"password": "{{var_authelia_storage_data_postgresql_password}}",
"database": "{{var_authelia_storage_data_postgresql_schema}}"
}
{% endif %}
{% if cfg_authelia.storage.kind == "mariadb" %}
{% if var_authelia_storage_kind == "mariadb" %}
"mysql": {
"host": "{{cfg_authelia.storage.data.host}}",
"port": {{cfg_authelia.storage.data.port | string}},
"username": "{{cfg_authelia.storage.data.username}}",
"password": "{{cfg_authelia.storage.data.password}}",
"database": "{{cfg_authelia.storage.data.schema}}"
"host": "{{var_authelia_storage_data_mariadb_host}}",
"port": {{var_authelia_storage_data_mariadb_port | string}},
"username": "{{var_authelia_storage_data_mariadb_username}}",
"password": "{{var_authelia_storage_data_mariadb_password}}",
"database": "{{var_authelia_storage_data_mariadb_schema}}"
}
{% endif %}
},
"notifier": {
"disable_startup_check": true,
{% if cfg_authelia.notification.kind == "file" %}
{% if var_authelia_notification_mode == "file" %}
"filesystem": {
"filename": "{{cfg_authelia.notification.data.path}}"
"filename": "{{var_authelia_notification_file_path}}"
}
{% endif %}
{% if cfg_authelia.notification.kind == "smtp" %}
{% if var_authelia_notification_mode == "smtp" %}
"smtp": {
"address": "{{cfg_authelia.notification.data.host}}:{{cfg_authelia.notification.data.port | string}}",
"username": "{{cfg_authelia.notification.data.username}}",
"password": "{{cfg_authelia.notification.data.password}}",
"sender": "{{cfg_authelia.notification.data.sender}}",
"host": "{{var_authelia_notification_smtp_host}}",
"port": {{var_authelia_notification_smtp_port | string}},
"username": "{{var_authelia_notification_smtp_username}}",
"password": "{{var_authelia_notification_smtp_password}}",
"sender": "{{var_authelia_notification_smtp_sender}}",
"disable_require_tls": false,
"disable_html_emails": false,
"tls": {
@ -187,24 +188,10 @@
},
"identity_providers": {
"oidc": {
"hmac_secret": "{{cfg_authelia.oidc.hmac_secret}}",
"jwks": [
{
"algorithm": "RS256",
"key": "{{temp_tls_result.privatekey | replace('\n', '\\n')}}"
}
],
"lifespans": {
"access_token": "{{cfg_authelia.oidc.lifespan.default.access_token}}",
"refresh_token": "{{cfg_authelia.oidc.lifespan.default.refresh_token}}",
"custom": {{cfg_authelia.oidc.lifespan.custom | to_json}}
},
"hmac_secret": "{{var_authelia_oidc_hmac_secret}}",
"issuer_private_key": "{{temp_tls_result.privatekey | replace('\n', '\\n')}}",
"cors": {
"allowed_origins_from_client_redirect_uris": true
{% if cfg_authelia.oidc.cors_endpoints == None %}
{% else %}
,"endpoints": {{cfg_authelia.oidc.cors_endpoints | to_json}}
{% endif %}
},
"clients": [
]

143
roles/authelia/vardef.json Normal file
View file

@ -0,0 +1,143 @@
{
"version": {
"type": "string",
"mandatory": false
},
"architecture": {
"type": "string",
"mandatory": false
},
"listen_address": {
"type": "string",
"mandatory": false
},
"jwt_secret": {
"type": "string",
"mandatory": true
},
"users_file_path": {
"type": "string",
"mandatory": false
},
"log_file_path": {
"type": "string",
"mandatory": false
},
"domain": {
"type": "string",
"mandatory": false
},
"redirect_url": {
"type": "string",
"mandatory": false
},
"session_domain": {
"type": "string",
"mandatory": false
},
"session_secret": {
"type": "string",
"mandatory": true
},
"storage_encryption_key": {
"type": "string",
"mandatory": true
},
"storage_kind": {
"type": "string",
"mandatory": false
},
"storage_data_sqlite_path": {
"type": "string",
"mandatory": false
},
"storage_data_postgresql_host": {
"type": "string",
"mandatory": false
},
"storage_data_postgresql_port": {
"type": "integer",
"mandatory": false
},
"storage_data_postgresql_username": {
"type": "string",
"mandatory": false
},
"storage_data_postgresql_password": {
"type": "string",
"mandatory": false
},
"storage_data_postgresql_schema": {
"type": "string",
"mandatory": false
},
"storage_data_mariadb_host": {
"type": "string",
"mandatory": false
},
"storage_data_mariadb_port": {
"type": "integer",
"mandatory": false
},
"storage_data_mariadb_username": {
"type": "string",
"mandatory": false
},
"storage_data_mariadb_password": {
"type": "string",
"mandatory": false
},
"storage_data_mariadb_schema": {
"type": "string",
"mandatory": false
},
"ntp_server": {
"type": "string",
"mandatory": false
},
"password_reset_enabled": {
"type": "boolean",
"mandatory": false
},
"password_reset_custom_url": {
"nullable": true,
"type": "string",
"mandatory": false
},
"notification_mode": {
"type": "string",
"mandatory": false,
"options": [
"file",
"smtp"
]
},
"notification_file_path": {
"type": "string",
"mandatory": false
},
"notification_smtp_host": {
"type": "string",
"mandatory": false
},
"notification_smtp_port": {
"type": "integer",
"mandatory": false
},
"notification_smtp_username": {
"type": "string",
"mandatory": false
},
"notification_smtp_password": {
"type": "string",
"mandatory": false
},
"notification_smtp_sender": {
"type": "string",
"mandatory": false
},
"oidc_hmac_secret": {
"type": "string",
"mandatory": true
}
}

5
roles/forgejo-and-nginx/defaults/main.json
View file

@ -1,5 +0,0 @@
{
"var_forgejo_and_nginx_domain": "forgejo.example.org",
"var_forgejo_and_nginx_port": 2378,
"var_forgejo_and_nginx_tls_mode": "force"
}

1
roles/forgejo-and-nginx/info.md
View file

@ -1 +0,0 @@

35
roles/forgejo-and-nginx/tasks/main.json
View file

@ -1,35 +0,0 @@
[
{
"name": "deactivate default site",
"become": true,
"ansible.builtin.file": {
"state": "absent",
"dest": "/etc/nginx/sites-enabled/default"
}
},
{
"name": "emplace configuration | data",
"become": true,
"ansible.builtin.template": {
"src": "conf.j2",
"dest": "/etc/nginx/sites-available/{{var_forgejo_and_nginx_domain}}"
}
},
{
"name": "emplace configuration | link",
"become": true,
"ansible.builtin.file": {
"state": "link",
"src": "/etc/nginx/sites-available/{{var_forgejo_and_nginx_domain}}",
"dest": "/etc/nginx/sites-enabled/{{var_forgejo_and_nginx_domain}}"
}
},
{
"name": "restart nginx",
"become": true,
"ansible.builtin.systemd_service": {
"state": "restarted",
"name": "nginx"
}
}
]

34
roles/forgejo-and-nginx/templates/conf.j2
View file

@ -1,34 +0,0 @@
{% macro forgejo_common() %}
location / {
proxy_pass http://localhost:{{var_forgejo_and_nginx_port | string}};
client_max_body_size 20M;
}
{% endmacro %}
server {
listen 80;
listen [::]:80;
server_name {{var_forgejo_and_nginx_domain}};
{% if var_forgejo_and_nginx_tls_mode == 'force' %}
return 301 https://$http_host$request_uri;
{% else %}
{{ forgejo_common() }}
{% endif %}
}
{% if var_forgejo_and_nginx_tls_mode != 'disable' %}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name {{var_forgejo_and_nginx_domain}};
ssl_certificate_key /etc/ssl/private/{{var_forgejo_and_nginx_domain}}.pem;
ssl_certificate /etc/ssl/fullchains/{{var_forgejo_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
{{ forgejo_common() }}
}
{% endif %}

19
roles/forgejo-and-nginx/vardef.json
View file

@ -1,19 +0,0 @@
{
"domain": {
"mandatory": false,
"type": "string"
},
"port": {
"mandatory": false,
"type": "integer"
},
"tls_mode": {
"mandatory": false,
"type": "string",
"options": [
"disable",
"enable",
"force"
]
}
}

31
roles/forgejo/defaults/main.json
View file

@ -1,31 +0,0 @@
{
"var_forgejo_user": "forgejo",
"var_forgejo_directory_main": "/opt/forgejo",
"var_forgejo_directory_repositories": "/var/forgejo/repositories",
"var_forgejo_version": "10.0.3",
"var_forgejo_platform": "linux-amd64",
"var_forgejo_secret_key": "REPLACE_ME",
"var_forgejo_internal_token": "REPLACE_ME",
"var_forgejo_domain": "forgejo.example.org",
"var_forgejo_listen_address": "0.0.0.0",
"var_forgejo_listen_port": 2378,
"var_forgejo_database_kind": "sqlite",
"var_forgejo_database_data_sqlite_path": "/var/forgejo/data.sqlite",
"var_forgejo_database_data_postgresql_host": "postgresql.example.org",
"var_forgejo_database_data_postgresql_port": 5432,
"var_forgejo_database_data_postgresql_username": "forgejo_user",
"var_forgejo_database_data_postgresql_password": "REPLACE_ME",
"var_forgejo_database_data_postgresql_scheme": "forgejo",
"var_forgejo_authentication_kind": "internal",
"var_forgejo_authentication_data_authelia_url_base": "https://authelia.example.org",
"var_forgejo_authentication_data_authelia_client_id": "forgejo",
"var_forgejo_authentication_data_authelia_client_secret": "REPLACE_ME",
"var_forgejo_smtp_host": "smtp.example.org",
"var_forgejo_smtp_port": 465,
"var_forgejo_smtp_username": "REPLACE_ME",
"var_forgejo_smtp_password": "REPLACE_ME",
"var_forgejo_email_sending_enabled": false,
"var_forgejo_email_sending_sender": "forgejo@example.org",
"var_forgejo_email_sending_html": false,
"var_forgejo_title": "Forgejo: Beyond coding. We Forge."
}

14
roles/forgejo/info.md
View file

@ -1,14 +0,0 @@
## Beschreibung
Zur Einrichtung der DevOps-Platform [Forgejo](https://forgejo.org/)
## Verweise
- [Forgejo | Documentation | Administrator Guide](https://forgejo.org/docs/latest/admin/)
- [Forgejo | Documentation | Configuration Cheat Sheet](https://forgejo.org/docs/latest/admin/config-cheat-sheet/)
## ToDo
- Download verfizieren

101
roles/forgejo/tasks/main.json
View file

@ -1,101 +0,0 @@
[
{
"name": "packages",
"become": true,
"ansible.builtin.apt": {
"update_cache": true,
"pkg": [
"git"
]
}
},
{
"name": "user",
"become": true,
"ansible.builtin.user": {
"name": "{{var_forgejo_user}}",
"create_home": true,
"home": "{{var_forgejo_directory_main}}"
}
},
{
"name": "directories | external",
"become": true,
"loop": [
"{{var_forgejo_database_data_sqlite_path | dirname}}",
"{{var_forgejo_directory_repositories}}"
],
"ansible.builtin.file": {
"path": "{{item}}",
"state": "directory",
"owner": "{{var_forgejo_user}}"
}
},
{
"name": "directories | internal",
"become": true,
"become_user": "{{var_forgejo_user}}",
"loop": [
"{{var_forgejo_directory_main}}/custom/conf"
],
"ansible.builtin.file": {
"path": "{{item}}",
"state": "directory"
}
},
{
"name": "download",
"become": true,
"become_user": "{{var_forgejo_user}}",
"ansible.builtin.get_url": {
"url": "https://codeberg.org/forgejo/forgejo/releases/download/v{{var_forgejo_version}}/forgejo-{{var_forgejo_version}}-{{var_forgejo_platform}}",
"dest": "{{var_forgejo_directory_main}}/forgejo",
"mode": "u+rx"
}
},
{
"name": "config | base",
"become": true,
"become_user": "{{var_forgejo_user}}",
"ansible.builtin.template": {
"src": "config.ini.j2",
"dest": "{{var_forgejo_directory_main}}/custom/conf/app.ini"
}
},
{
"name": "config | database",
"become": true,
"become_user": "{{var_forgejo_user}}",
"ansible.builtin.command": {
"chdir": "{{var_forgejo_directory_main}}",
"cmd": "./forgejo migrate"
}
},
{
"name": "config | authelia",
"when": "var_forgejo_authentication_kind == 'authelia'",
"become": true,
"become_user": "{{var_forgejo_user}}",
"ansible.builtin.shell": {
"chdir": "{{var_forgejo_directory_main}}",
"cmd": "(./forgejo admin auth list | grep authelia) || ./forgejo admin auth add-oauth --provider='openidConnect' --name='authelia' --key={{var_forgejo_authentication_data_authelia_client_id}} --secret={{var_forgejo_authentication_data_authelia_client_secret}} --auto-discover-url='{{var_forgejo_authentication_data_authelia_url_base}}/.well-known/openid-configuration' --scopes='openid email profile'"
}
},
{
"name": "systemd unit",
"become": true,
"ansible.builtin.template": {
"src": "systemd-unit.j2",
"dest": "/etc/systemd/system/forgejo.service"
}
},
{
"name": "start",
"become": true,
"ansible.builtin.systemd_service": {
"enabled": true,
"state": "restarted",
"name": "forgejo"
}
}
]

123
roles/forgejo/templates/config.ini.j2
View file

@ -1,123 +0,0 @@
APP_NAME = {{var_forgejo_title}}
RUN_USER = {{var_forgejo_user}}
RUN_MODE = prod
[server]
DOMAIN = {{var_forgejo_domain}}
ROOT_URL = https://{{var_forgejo_domain}}
;HTTP_ADDR = {{var_forgejo_listen_address}}
HTTP_PORT = {{var_forgejo_listen_port | string}}
;LANDING_PAGE = home
[database]
{% if var_forgejo_database_kind == 'sqlite' %}
DB_TYPE = sqlite3
PATH = {{var_forgejo_database_data_sqlite_path}}
{% endif %}
{% if var_forgejo_database_kind == 'postgresql' %}
DB_TYPE = postgres
HOST = {{var_forgejo_database_data_postgresql_host}}:{{var_forgejo_database_data_postgresql_port | string}}
USER = {{var_forgejo_database_data_postgresql_username}}
PASSWD = {{var_forgejo_database_data_postgresql_password}}
NAME = {{var_forgejo_database_data_postgresql_scheme}}
{% endif %}
[security]
INSTALL_LOCK = true
SECRET_KEY = {{var_forgejo_secret_key}}
INTERNAL_TOKEN = {{var_forgejo_internal_token}}
DISABLE_GIT_HOOKS = true
[oauth2]
ENABLED = false
[log]
MODE = console
LEVEL = Info
[git]
HOME_PATH = {{var_forgejo_directory_main}}
[service]
REGISTER_EMAIL_CONFIRM = false
{% if var_forgejo_authentication_kind == 'internal' %}
DISABLE_REGISTRATION = false
ALLOW_ONLY_INTERNAL_REGISTRATION = true
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
SHOW_REGISTRATION_BUTTON = true
{% else %}
DISABLE_REGISTRATION = false
ALLOW_ONLY_INTERNAL_REGISTRATION = false
ALLOW_ONLY_EXTERNAL_REGISTRATION = true
SHOW_REGISTRATION_BUTTON = false
{% endif %}
;REQUIRE_SIGNIN_VIEW = false
ENABLE_NOTIFY_MAIL = true
;ENABLE_BASIC_AUTHENTICATION = true
;ENABLE_REVERSE_PROXY_AUTHENTICATION = false
;ENABLE_REVERSE_PROXY_AUTHENTICATION_API = false
;ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
;ENABLE_REVERSE_PROXY_EMAIL = false
;ENABLE_REVERSE_PROXY_FULL_NAME = false
;DEFAULT_KEEP_EMAIL_PRIVATE = false
;DEFAULT_ALLOW_CREATE_ORGANIZATION = true
;DEFAULT_USER_IS_RESTRICTED = false
;DEFAULT_USER_VISIBILITY = public
;ALLOWED_USER_VISIBILITY_MODES = public,limited,private
;DEFAULT_ORG_VISIBILITY = public
;DEFAULT_ORG_MEMBER_VISIBLE = false
;DEFAULT_ENABLE_DEPENDENCIES = true
;ALLOW_CROSS_REPOSITORY_DEPENDENCIES = true
ENABLE_USER_HEATMAP = false
ENABLE_TIMETRACKING = false
DEFAULT_ENABLE_TIMETRACKING = false
{% if var_forgejo_authentication_kind == 'internal' %}
SHOW_REGISTRATION_BUTTON = true
{% else %}
SHOW_REGISTRATION_BUTTON = false
{% endif %}
AUTO_WATCH_NEW_REPOS = false
AUTO_WATCH_ON_CHANGES = false
[repository]
ROOT = {{var_forgejo_directory_repositories}}
{% if var_forgejo_authentication_kind == 'internal' %}
[openid]
ENABLE_OPENID_SIGNIN = false
ENABLE_OPENID_SIGNUP = false
{% else %}
[openid]
ENABLE_OPENID_SIGNIN = false
ENABLE_OPENID_SIGNUP = true
WHITELISTED_URIS = {{var_forgejo_authentication_data_authelia_url_base}}
[oauth2_client]
REGISTER_EMAIL_CONFIRM = false
OPENID_CONNECT_SCOPES = openid email profile
ENABLE_AUTO_REGISTRATION = true
USERNAME = nickname
{% endif %}
[mailer]
{% if var_forgejo_email_sending_enabled %}
ENABLED = true
SMTP_ADDR = {{var_forgejo_smtp_host}}
SMTP_PORT = {{var_forgejo_smtp_port | string}}
FROM = {{var_forgejo_email_sending_sender}}
USER = {{var_forgejo_smtp_username}}
PASSWD = {{var_forgejo_smtp_password}}
{% if var_forgejo_email_sending_html %}
SEND_AS_PLAIN_TEXT = false
{% else %}
SEND_AS_PLAIN_TEXT = true
{% endif %}
{% else %}
ENABLED = false
{% endif %}

21
roles/forgejo/templates/systemd-unit.j2
View file

@ -1,21 +0,0 @@
[Unit]
Description=Forgejo
After=network.target
{% if var_forgejo_database_kind == 'postgresql' %}
Wants=postgresql.service
After=postgresql.service
{% endif %}
[Service]
RestartSec=2s
Type=simple
User={{var_forgejo_user}}
Group={{var_forgejo_user}}
WorkingDirectory={{var_forgejo_directory_main}}
ExecStart={{var_forgejo_directory_main}}/forgejo web --config {{var_forgejo_directory_main}}/custom/conf/app.ini
Restart=always
# Environment=USER=git HOME=/home/git FORGEJO_WORK_DIR=/var/lib/forgejo
# Environment=PATH=/path/to/git/bin:/bin:/sbin:/usr/bin:/usr/sbin
[Install]
WantedBy=multi-user.target

126
roles/forgejo/vardef.json
View file

@ -1,126 +0,0 @@
{
"user": {
"type": "string",
"mandatory": false
},
"directory_main": {
"type": "string",
"mandatory": false
},
"directory_repositories": {
"type": "string",
"mandatory": false
},
"version": {
"type": "string",
"mandatory": false
},
"platform": {
"type": "string",
"mandatory": false
},
"secret_key": {
"type": "string",
"mandatory": true
},
"internal_token": {
"type": "string",
"mandatory": true
},
"domain": {
"type": "string",
"mandatory": false
},
"listen_address": {
"type": "string",
"mandatory": false
},
"listen_port": {
"type": "integer",
"mandatory": false
},
"database_kind": {
"mandatory": false,
"type": "string",
"options": [
"sqlite",
"postgresql"
]
},
"database_data_sqlite_path": {
"mandatory": false,
"type": "string"
},
"database_data_postgresql_host": {
"mandatory": false,
"type": "string"
},
"database_data_postgresql_port": {
"mandatory": false,
"type": "string"
},
"database_data_postgresql_username": {
"mandatory": false,
"type": "string"
},
"database_data_postgresql_password": {
"mandatory": false,
"type": "string"
},
"database_data_postgresql_schema": {
"mandatory": false,
"type": "string"
},
"authentication_kind": {
"mandatory": false,
"type": "string",
"options": [
"internal",
"authelia"
]
},
"authentication_data_authelia_url_base": {
"mandatory": false,
"type": "string"
},
"authentication_data_authelia_client_id": {
"mandatory": false,
"type": "string"
},
"authentication_data_authelia_client_secret": {
"mandatory": false,
"type": "string"
},
"smtp_host": {
"mandatory": false,
"type": "string"
},
"smtp_port": {
"mandatory": false,
"type": "integer"
},
"smtp_username": {
"mandatory": false,
"type": "string"
},
"smtp_password": {
"mandatory": false,
"type": "string"
},
"email_sending_enabled": {
"mandatory": false,
"type": "boolean"
},
"email_sending_sender": {
"mandatory": false,
"type": "string"
},
"email_sending_html": {
"mandatory": false,
"type": "boolean"
},
"title": {
"mandatory": false,
"type": "string"
}
}

24
roles/hedgedoc-and-nginx/cfg.schema.json
View file

@ -1,24 +0,0 @@
{
"nullable": false,
"type": "object",
"properties": {
"domain": {
"nullable": false,
"type": "string"
},
"tls_mode": {
"nullable": false,
"type": "string",
"options": [
"disable",
"enable",
"force"
],
"default": "force"
}
},
"additionalProperties": false,
"required": [
"domain"
]
}

5
roles/hedgedoc-and-nginx/defaults/main.json
View file

@ -1,5 +1,4 @@
{
"cfg_hedgedoc_and_nginx_defaults": {
"tls_mode": "force"
}
"var_hedgedoc_and_nginx_domain": "hedgedoc.example.org",
"var_hedgedoc_and_nginx_tls_mode": "force"
}

13
roles/hedgedoc-and-nginx/tasks/main.json
View file

@ -1,11 +1,4 @@
[
{
"name": "show vars",
"when": "switch_show_vars",
"ansible.builtin.debug": {
"var": "vars.cfg_hedgedoc_and_nginx"
}
},
{
"name": "deactivate default site",
"become": true,
@ -19,7 +12,7 @@
"become": true,
"ansible.builtin.template": {
"src": "conf.j2",
"dest": "/etc/nginx/sites-available/{{cfg_hedgedoc_and_nginx.domain}}"
"dest": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}"
}
},
{
@ -27,8 +20,8 @@
"become": true,
"ansible.builtin.file": {
"state": "link",
"src": "/etc/nginx/sites-available/{{cfg_hedgedoc_and_nginx.domain}}",
"dest": "/etc/nginx/sites-enabled/{{cfg_hedgedoc_and_nginx.domain}}"
"src": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}",
"dest": "/etc/nginx/sites-enabled/{{var_hedgedoc_and_nginx_domain}}"
}
},
{

13
roles/hedgedoc-and-nginx/templates/conf.j2
View file

@ -24,29 +24,28 @@ map $http_upgrade $connection_upgrade {
{% endmacro %}
server {
server_name {{cfg_hedgedoc_and_nginx.domain}};
server_name {{var_hedgedoc_and_nginx_domain}};
listen 80;
listen [::]:80;
{% if (cfg_hedgedoc_and_nginx.tls_mode == 'force') %}
{% if (var_element_and_nginx_tls_mode == 'force') %}
return 301 https://$http_host$request_uri;
{% else %}
{{ hedgedoc_common() }}
{% endif %}
}
{% if (cfg_hedgedoc_and_nginx.tls_mode != 'disable') %}
{% if (var_hedgedoc_and_nginx_tls_mode != 'disable') %}
server {
server_name {{cfg_hedgedoc_and_nginx.domain}};
server_name {{var_hedgedoc_and_nginx_domain}};
listen [::]:443 ssl http2;
listen 443 ssl http2;
ssl_certificate_key /etc/ssl/private/{{cfg_hedgedoc_and_nginx.domain}}.pem;
ssl_certificate /etc/ssl/fullchains/{{cfg_hedgedoc_and_nginx.domain}}.pem;
ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem;
ssl_certificate /etc/ssl/fullchains/{{var_hedgedoc_and_nginx_domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
{{ hedgedoc_common() }}
}
{% endif %}

15
roles/hedgedoc-and-nginx/vardef.json Normal file
View file

@ -0,0 +1,15 @@
{
"domain": {
"type": "string",
"mandatory": false
},
"tls_mode": {
"type": "string",
"options": [
"disable",
"enable",
"force"
],
"mandatory": false
}
}

248
roles/hedgedoc/cfg.schema.json
View file

@ -1,248 +0,0 @@
{
"nullable": false,
"type": "object",
"properties": {
"user_name": {
"nullable": false,
"type": "string",
"default": "hedgedoc"
},
"directory": {
"nullable": false,
"type": "string",
"default": "/opt/hedgedoc"
},
"version": {
"nullable": false,
"type": "string",
"default": "1.10.3"
},
"domain": {
"nullable": false,
"type": "string"
},
"session_secret": {
"nullable": false,
"type": "string"
},
"database": {
"anyOf": [
{
"nullable": false,
"type": "object",
"properties": {
"kind": {
"nullable": false,
"type": "string",
"enum": ["sqlite"],
"default": "sqlite"
},
"data": {
"nullable": false,
"type": "object",
"properties": {
"path": {
"nullable": false,
"type": "string",
"default": "/var/hedgedoc/data.sqlite"
}
},
"additionalProperties": false,
"required": [
"path"
],
"default": {
}
}
},
"additionalProperties": false,
"required": [
"kind",
"data"
]
},
{
"nullable": false,
"type": "object",
"properties": {
"kind": {
"nullable": false,
"type": "string",
"enum": ["postgresql"],
"default": "postgresql"
},
"data": {
"nullable": false,
"type": "object",
"properties": {
"host": {
"nullable": false,
"type": "string",
"default": "localhost"
},
"port": {
"nullable": false,
"type": "integer",
"default": 5432
},
"username": {
"nullable": false,
"type": "string",
"default": "hedgedoc_user"
},
"password": {
"nullable": false,
"type": "string"
},
"schema": {
"nullable": false,
"type": "string",
"default": "hedgedoc"
}
},
"additionalProperties": false,
"required": [
"host",
"port",
"username",
"password",
"schema"
]
}
},
"additionalProperties": false,
"required": [
"kind",
"data"
]
}
]
},
"authentication": {
"anyOf": [
{
"nullable": false,
"type": "object",
"properties": {
"kind": {
"nullable": false,
"type": "string",
"enum": ["internal"],
"default": "internal"
},
"data": {
"nullable": false,
"type": "object",
"properties": {
},
"additionalProperties": false,
"required": [
],
"default": {
}
}
},
"additionalProperties": false,
"required": [
"kind",
"data"
]
},
{
"nullable": false,
"type": "object",
"properties": {
"kind": {
"nullable": false,
"type": "string",
"enum": ["authelia"],
"default": "authelia"
},
"data": {
"nullable": false,
"type": "object",
"properties": {
"url_base": {
"nullable": false,
"type": "string"
},
"client_id": {
"nullable": false,
"type": "string",
"default": "hedgedoc"
},
"client_secret": {
"nullable": false,
"type": "string"
},
"provider_name": {
"nullable": false,
"type": "string",
"default": "Authelia"
}
},
"additionalProperties": false,
"required": [
"url_base",
"client_id",
"client_secret",
"provider_name"
]
}
},
"additionalProperties": false,
"required": [
"kind",
"data"
]
}
]
},
"guest_allow_create": {
"nullable": false,
"type": "boolean",
"default": false
},
"guest_allow_change": {
"nullable": false,
"type": "boolean",
"default": false
},
"free_names_mode": {
"nullable": false,
"type": "string",
"enum": [
"never",
"authed",
"always"
],
"default": "authed"
},
"log_level": {
"nullable": false,
"type": "string",
"enum": [
"debug",
"verbose",
"info",
"warn",
"error"
],
"default": "error"
}
},
"additionalProperties": false,
"required": [
"user_name",
"directory",
"version",
"domain",
"session_secret",
"database",
"authentication",
"guest_allow_create",
"guest_allow_change",
"free_names_mode",
"log_level"
]
}

39
roles/hedgedoc/defaults/main.json
View file

@ -1,22 +1,21 @@
{
"cfg_hedgedoc_defaults": {
"user_name": "hedgedoc",
"directory": "/opt/hedgedoc",
"version": "1.10.3",
"database": {
"kind": "sqlite",
"data": {
"path": "/var/hedgedoc/data.sqlite"
}
},
"authentication": {
"kind": "internal",
"data": {
}
},
"guest_allow_create": false,
"guest_allow_change": false,
"free_names_mode": "authed",
"log_level": "error"
}
"var_hedgedoc_user_name": "hedgedoc",
"var_hedgedoc_directory": "/opt/hedgedoc",
"var_hedgedoc_version": "1.9.9",
"var_hedgedoc_session_secret": "REPLACE_ME",
"var_hedgedoc_database_kind": "sqlite",
"var_hedgedoc_database_data_sqlite_path": "/var/hedgedoc/data.sqlite",
"var_hedgedoc_database_data_postgresql_host": "localhost",
"var_hedgedoc_database_data_postgresql_port": 5432,
"var_hedgedoc_database_data_postgresql_username": "hedgedoc_user",
"var_hedgedoc_database_data_postgresql_password": "REPLACE_ME",
"var_hedgedoc_database_data_postgresql_schema": "hedgedoc",
"var_hedgedoc_domain": "hedgedoc.example.org",
"var_hedgedoc_authentication_kind": "authelia",
"var_hedgedoc_authentication_data_authelia_client_id": "hedgedoc",
"var_hedgedoc_authentication_data_authelia_client_secret": "REPLACE_ME",
"var_hedgedoc_authentication_data_authelia_url_base": "https://authelia.example.org",
"var_hedgedoc_guest_allow_create": false,
"var_hedgedoc_guest_allow_change": false,
"var_hedgedoc_free_names_mode": "authed"
}

47
roles/hedgedoc/tasks/main.json
View file

@ -1,11 +1,4 @@
[
{
"name": "show vars",
"when": "switch_show_vars",
"ansible.builtin.debug": {
"var": "vars.cfg_hedgedoc"
}
},
{
"name": "packages",
"become": true,
@ -33,41 +26,15 @@
"name": "user",
"become": true,
"ansible.builtin.user": {
"name": "{{cfg_hedgedoc.user_name}}",
"create_home": true,
"home": "{{cfg_hedgedoc.directory}}"
"name": "{{var_hedgedoc_user_name}}",
"create_home": true
}
},
{
"name": "database",
"when": "cfg_hedgedoc.database.kind == 'sqlite'",
"block": [
{
"name": "database | directory",
"become": true,
"ansible.builtin.file": {
"state": "directory",
"path": "{{cfg_hedgedoc.database.data.sqlite.path | dirname}}",
"owner": "{{cfg_hedgedoc.user_name}}"
}
},
{
"name": "database | file",
"become": true,
"ansible.builtin.file": {
"state": "touch",
"path": "{{cfg_hedgedoc.database.data.sqlite.path}}",
"owner": "{{cfg_hedgedoc.user_name}}"
}
}
]
},
{
"name": "download",
"become": false,
"ansible.builtin.get_url": {
"url": "https://github.com/hedgedoc/hedgedoc/releases/download/{{cfg_hedgedoc.version}}/hedgedoc-{{cfg_hedgedoc.version}}.tar.gz",
"url": "https://github.com/hedgedoc/hedgedoc/releases/download/{{var_hedgedoc_version}}/hedgedoc-{{var_hedgedoc_version}}.tar.gz",
"dest": "/tmp/hedgedoc.tar.gz"
}
},
@ -77,8 +44,8 @@
"ansible.builtin.unarchive": {
"remote_src": true,
"src": "/tmp/hedgedoc.tar.gz",
"dest": "{{cfg_hedgedoc.directory | dirname}}",
"owner": "{{cfg_hedgedoc.user_name}}"
"dest": "{{var_hedgedoc_directory | dirname}}",
"owner": "{{var_hedgedoc_user_name}}"
}
},
{
@ -86,7 +53,7 @@
"become": true,
"become_user": "hedgedoc",
"ansible.builtin.command": {
"chdir": "{{cfg_hedgedoc.directory}}",
"chdir": "{{var_hedgedoc_directory}}",
"cmd": "bin/setup"
}
},
@ -95,7 +62,7 @@
"become": true,
"ansible.builtin.template": {
"src": "config.json.j2",
"dest": "{{cfg_hedgedoc.directory}}/config.json"
"dest": "{{var_hedgedoc_directory}}/config.json"
}
},
{

48
roles/hedgedoc/templates/config.json.j2
View file

@ -1,61 +1,61 @@
{
"production": {
"loglevel": "{{cfg_hedgedoc.log_level}}",
{% if cfg_hedgedoc.database.kind == 'sqlite' %}
"loglevel": "error",
{% if var_hedgedoc_database_kind == 'sqlite' %}
"db": {
"dialect": "sqlite",
"storage": "{{cfg_hedgedoc.database.data.sqlite.path}}"
"storage": "{{var_hedgedoc_database_data_sqlite_path}}"
},
{% endif %}
{% if cfg_hedgedoc.database.kind == 'postgresql' %}
{% if var_hedgedoc_database_kind == 'postgresql' %}
"db": {
"dialect": "postgres",
"host": "{{cfg_hedgedoc.database.data.postgresql.host}}",
"port": {{cfg_hedgedoc.database.data.postgresql.port | to_json}},
"username": "{{cfg_hedgedoc.database.data.postgresql.username}}",
"password": "{{cfg_hedgedoc.database.data.postgresql.password}}",
"database": "{{cfg_hedgedoc.database.data.postgresql.schema}}"
"host": "{{var_hedgedoc_database_data_postgresql_host}}",
"port": {{var_hedgedoc_database_data_postgresql_port | to_json}},
"username": "{{var_hedgedoc_database_data_postgresql_username}}",
"password": "{{var_hedgedoc_database_data_postgresql_password}}",
"database": "{{var_hedgedoc_database_data_postgresql_schema}}"
},
{% endif %}
"sessionSecret": "{{cfg_hedgedoc.session_secret}}",
"sessionSecret": "{{var_hedgedoc_session_secret}}",
"host": "localhost",
"allowOrigin": [
"localhost"
],
"domain": "{{cfg_hedgedoc.domain}}",
"domain": "{{var_hedgedoc_domain}}",
"urlAddPort": false,
"protocolUseSSL": true,
{% if cfg_hedgedoc.authentication.kind == 'internal' %}
{% if var_hedgedoc_authentication_kind == 'internal' %}
"email": true,
"allowEmailRegister": true,
{% endif %}
{% if cfg_hedgedoc.authentication.kind == 'authelia' %}
{% if var_hedgedoc_authentication_kind == 'authelia' %}
"oauth2": {
"providerName": "{{cfg_hedgedoc.authentication.data.authelia.provider_name}}",
"clientID": "{{cfg_hedgedoc.authentication.data.authelia.client_id}}",
"clientSecret": "{{cfg_hedgedoc.authentication.data.authelia.client_secret}}",
"providerName": "{{var_hedgedoc_authentication_data_authelia_provider_name}}",
"clientID": "{{var_hedgedoc_authentication_data_authelia_client_id}}",
"clientSecret": "{{var_hedgedoc_authentication_data_authelia_client_secret}}",
"scope": "openid email profile",
"userProfileUsernameAttr": "sub",
"userProfileDisplayNameAttr": "name",
"userProfileEmailAttr": "email",
"userProfileURL": "{{cfg_hedgedoc.authentication.data.authelia.url_base}}/api/oidc/userinfo",
"tokenURL": "{{cfg_hedgedoc.authentication.data.authelia.url_base}}/api/oidc/token",
"authorizationURL": "{{cfg_hedgedoc.authentication.data.authelia.url_base}}/api/oidc/authorization"
"userProfileURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/api/oidc/userinfo",
"tokenURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/api/oidc/token",
"authorizationURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/api/oidc/authorize"
},
"email": false,
"allowEmailRegister": false,
{% endif %}
"allowAnonymous": {{cfg_hedgedoc.guest_allow_create | to_json}},
"allowAnonymousEdits": {{cfg_hedgedoc.guest_allow_change | to_json}},
{% if cfg_hedgedoc.free_names_mode == 'never' %}
"allowAnonymous": {{var_hedgedoc_guest_allow_create | to_json}},
"allowAnonymousEdits": {{var_hedgedoc_guest_allow_change | to_json}},
{% if var_hedgedoc_free_names_mode == 'never' %}
"allowFreeURL": false,
"requireFreeURLAuthentication": false,
{% endif %}
{% if cfg_hedgedoc.free_names_mode == 'authed' %}
{% if var_hedgedoc_free_names_mode == 'authed' %}
"allowFreeURL": true,
"requireFreeURLAuthentication": true,
{% endif %}
{% if cfg_hedgedoc.free_names_mode == 'always' %}
{% if var_hedgedoc_free_names_mode == 'always' %}
"allowFreeURL": true,
"requireFreeURLAuthentication": false,
{% endif %}

4
roles/hedgedoc/templates/systemd-unit.j2
View file

@ -3,8 +3,8 @@ Description=Hedgedoc
After=multi-user.target
[Service]
WorkingDirectory={{cfg_hedgedoc.directory}}
User={{cfg_hedgedoc.user_name}}
WorkingDirectory={{var_hedgedoc_directory}}
User={{var_hedgedoc_user_name}}
Environment="NODE_ENV=production"
ExecStart=yarn start
SyslogIdentifier=hedgedoc

87
roles/hedgedoc/vardef.json Normal file
View file

@ -0,0 +1,87 @@
{
"user_name": {
"type": "string",
"mandatory": false
},
"directory": {
"type": "string",
"mandatory": false
},
"version": {
"type": "string",
"mandatory": false
},
"session_secret": {
"type": "string",
"mandatory": true
},
"database_kind": {
"type": "string",
"mandatory": false,
"options": [
"sqlite",
"postgresql",
"mariadb"
]
},
"database_data_sqlite_path": {
"type": "string",
"mandatory": false
},
"database_data_postgresql_host": {
"type": "string",
"mandatory": false
},
"database_data_postgresql_port": {
"type": "integer",
"mandatory": false
},
"database_data_postgresql_username": {
"type": "string",
"mandatory": false
},
"database_data_postgresql_password": {
"type": "string",
"mandatory": false
},
"database_data_postgresql_schema": {
"type": "string",
"mandatory": false
},
"domain": {
"type": "string",
"mandatory": false
},
"authentication_kind": {
"type": "string",
"mandatory": false,
"options": [
"internal",
"authelia"
]
},
"authentication_data_authelia_client_id": {
"type": "string",
"mandatory": false
},
"authentication_data_authelia_client_secret": {
"type": "string",
"mandatory": false
},
"authentication_data_authelia_url_base": {
"type": "string",
"mandatory": false
},
"guest_allow_create": {
"type": "boolean",
"mandatory": false
},
"guest_allow_change": {
"type": "boolean",
"mandatory": false
},
"free_names_mode": {
"type": "string",
"mandatory": false
}
}

7
roles/murmur/tasks/main.json
View file

@ -15,7 +15,7 @@
"become": true,
"ansible.builtin.file": {
"state": "directory",
"path": "/var/murmurd"
"path": "/var/murmur"
}
},
{
@ -23,10 +23,11 @@
"when": "var_murmur_tls",
"become": true,
"loop": [
{"from": "/etc/ssl/private/{{var_murmur_domain}}.pem", "to": "/var/murmurd/tls-key.pem"},
{"from": "/etc/ssl/fullchains/{{var_murmur_domain}}.pem", "to": "/var/murmurd/tls-fullchain.pem"}
{"from": "/etc/ssl/private/{{var_murmur_domain}}.pem", "to": "/var/murmur/tls-key.pem"},
{"from": "/etc/ssl/fullchains/{{var_murmur_domain}}.pem", "to": "/var/murmur/tls-fullchain.pem"}
],
"ansible.builtin.copy": {
"state": "directory",
"remote_src": true,
"src": "{{item.from}}",
"dest": "{{item.to}}",

28
roles/nginx/cfg.schema.json
View file

@ -1,28 +0,0 @@
{
"nullable": false,
"type": "object",
"properties": {
"auto_reload_interval": {
"nullable": true,
"type": "integer",
"description": "in hours",
"default": null
},
"dhparam_size": {
"nullable": true,
"type": "integer",
"default": null
},
"improved_security": {
"nullable": false,
"type": "boolean",
"default": false
}
},
"additionalProperties": false,
"required": [
"auto_reload_interval",
"dhparam_size",
"improved_security"
]
}

6
roles/nginx/defaults/main.json
View file

@ -1,7 +1,3 @@
{
"cfg_nginx_defaults": {
"auto_reload_interval": null,
"dhparam_size": null,
"improved_security": false
}
"var_nginx_auto_reload_interval": null
}

2
roles/nginx/templates/ssl-hardening.conf.j2 → roles/nginx/files/ssl-hardening.conf
View file

@ -3,9 +3,7 @@ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
{% if cfg_nginx.dhparam_size != None %}
ssl_dhparam /etc/nginx/dhparam;
{% endif %}
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;

81
roles/nginx/tasks/main.json
View file

@ -1,11 +1,4 @@
[
{
"name": "show vars",
"when": "switch_show_vars",
"ansible.builtin.debug": {
"var": "vars.cfg_nginx"
}
},
{
"name": "install packages",
"become": true,
@ -19,10 +12,9 @@
},
{
"name": "generate dhparams file",
"when": "cfg_nginx.dhparam_size != None",
"become": true,
"ansible.builtin.command": {
"cmd": "openssl dhparam -out /etc/nginx/dhparam {{cfg_nginx.dhparam_size | string}}"
"cmd": "openssl dhparam -out /etc/nginx/dhparam 4096"
},
"args": {
"creates": "/etc/nginx/dhparam"
@ -31,54 +23,49 @@
{
"name": "place hardening config",
"become": true,
"ansible.builtin.template": {
"src": "ssl-hardening.conf.j2",
"ansible.builtin.copy": {
"src": "ssl-hardening.conf",
"dest": "/etc/nginx/ssl-hardening.conf"
}
},
{
"name": "ufw",
"block": [
{
"name": "check",
"become": true,
"check_mode": true,
"community.general.ufw": {
"state": "enabled"
},
"register": "ufw_enable_check"
},
{
"name": "allow port 80",
"when": "not ufw_enable_check.changed",
"become": true,
"community.general.ufw": {
"rule": "allow",
"port": "80",
"proto": "tcp"
}
},
{
"name": "allow port 443",
"when": "not ufw_enable_check.changed",
"become": true,
"community.general.ufw": {
"rule": "allow",
"port": "443",
"proto": "tcp"
}
}
]
"name": "ufw | check",
"become": true,
"check_mode": true,
"community.general.ufw": {
"state": "enabled"
},
"register": "ufw_enable_check"
},
{
"name": "ufw | allow port 80",
"when": "not ufw_enable_check.changed",
"become": true,
"community.general.ufw": {
"rule": "allow",
"port": "80",
"proto": "tcp"
}
},
{
"name": "ufw | allow port 443",
"when": "not ufw_enable_check.changed",
"become": true,
"community.general.ufw": {
"rule": "allow",
"port": "443",
"proto": "tcp"
}
},
{
"name": "auto reload",
"when": "cfg_nginx.auto_reload_interval == None",
"when": "var_nginx_auto_reload_interval == None",
"become": true,
"ansible.builtin.cron": {
"name": "nginx_auto_reload",
"disabled": true,
"minute": "0",
"hour": "*/{{cfg_nginx.auto_reload_interval | string}}",
"hour": "*/{{var_nginx_auto_reload_interval | string}}",
"day": "*",
"month": "*",
"weekday": "*",
@ -87,13 +74,13 @@
},
{
"name": "auto reload",
"when": "cfg_nginx.auto_reload_interval != None",
"when": "var_nginx_auto_reload_interval != None",
"become": true,
"ansible.builtin.cron": {
"name": "nginx_auto_reload",
"disabled": false,
"minute": "0",
"hour": "*/{{cfg_nginx.auto_reload_interval | string}}",
"hour": "*/{{var_nginx_auto_reload_interval | string}}",
"day": "*",
"month": "*",
"weekday": "*",

8
roles/nginx/vardef.json Normal file
View file

@ -0,0 +1,8 @@
{
"auto_reload_interval": {
"description": "in hours",
"nullable": true,
"type": "integer",
"mandatory": false
}
}

31
roles/owncloud-and-nginx/cfg.schema.json
View file

@ -1,31 +0,0 @@
{
"nullable": false,
"type": "object",
"properties": {
"domain": {
"nullable": false,
"type": "string"
},
"tls_mode": {
"nullable": false,
"type": "string",
"enum": [
"disable",
"enable",
"force"
],
"default": "force"
},
"maximum_upload_size": {
"nullable": false,
"type": "string",
"default": "1G"
}
},
"additionalProperties": false,
"required": [
"domain",
"tls_mode",
"maximum_upload_size"
]
}

6
roles/owncloud-and-nginx/defaults/main.json
View file

@ -1,6 +0,0 @@
{
"cfg_owncloud_and_nginx_defaults": {
"tls_mode": "force",
"maximum_upload_size": "1G"
}
}

42
roles/owncloud-and-nginx/tasks/main.json
View file

@ -1,42 +0,0 @@
[
{
"name": "show vars",
"when": "switch_show_vars",
"ansible.builtin.debug": {
"var": "vars.cfg_owncloud_and_nginx"
}
},
{
"name": "deactivate default site",
"become": true,
"ansible.builtin.file": {
"state": "absent",
"dest": "/etc/nginx/sites-enabled/default"
}
},
{
"name": "emplace configuration | data",
"become": true,
"ansible.builtin.template": {
"src": "conf.j2",
"dest": "/etc/nginx/sites-available/{{cfg_owncloud_and_nginx.domain}}"
}
},
{
"name": "emplace configuration | link",
"become": true,
"ansible.builtin.file": {
"state": "link",
"src": "/etc/nginx/sites-available/{{cfg_owncloud_and_nginx.domain}}",
"dest": "/etc/nginx/sites-enabled/{{cfg_owncloud_and_nginx.domain}}"
}
},
{
"name": "restart nginx",
"become": true,
"ansible.builtin.systemd_service": {
"state": "restarted",
"name": "nginx"
}
}
]

34
roles/owncloud-and-nginx/templates/conf.j2
View file

@ -1,34 +0,0 @@
{% macro owncloud_common() %}
location / {
proxy_pass http://localhost:9200;
client_max_body_size {{cfg_owncloud_and_nginx.maximum_upload_size}};
}
{% endmacro %}
server {
listen 80;
listen [::]:80;
server_name {{cfg_owncloud_and_nginx.domain}};
{% if cfg_owncloud_and_nginx.tls_mode == 'force' %}
return 301 https://$http_host$request_uri;
{% else %}
{{ owncloud_common() }}
{% endif %}
}
{% if cfg_owncloud_and_nginx.tls_mode != 'disable' %}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name {{cfg_owncloud_and_nginx.domain}};
ssl_certificate_key /etc/ssl/private/{{cfg_owncloud_and_nginx.domain}}.pem;
ssl_certificate /etc/ssl/fullchains/{{cfg_owncloud_and_nginx.domain}}.pem;
include /etc/nginx/ssl-hardening.conf;
{{ owncloud_common() }}
}
{% endif %}

152
roles/owncloud/cfg.schema.json
View file

@ -1,152 +0,0 @@
{
"nullable": false,
"type": "object",
"properties": {
"user": {
"nullable": false,
"type": "string",
"default": "owncloud"
},
"directory": {
"nullable": false,
"type": "string",
"default": "/opt/owncloud"
},
"version": {
"nullable": false,
"type": "string",
"default": "7.2.0"
},
"platform": {
"nullable": false,
"type": "string",
"default": "linux-amd64"
},
"domain": {
"nullable": false,
"type": "string"
},
"admin_password": {
"nullable": false,
"type": "string"
},
"authentication": {
"anyOf": [
{
"nullable": false,
"type": "object",
"properties": {
"kind": {
"type": "string",
"enum": ["internal"],
"default": "internal"
},
"data": {
"nullable": false,
"type": "object",
"properties": {
},
"additionalProperties": false,
"required": [
],
"default": {
}
}
},
"additionalProperties": false,
"required": [
"kind",
"data"
]
},
{
"nullable": false,
"type": "object",
"properties": {
"kind": {
"type": "string",
"enum": ["authelia"],
"default": "authelia"
},
"data": {
"nullable": false,
"type": "object",
"properties": {
"url_base": {
"nullable": false,
"type": "string"
},
"web": {
"nullable": true,
"type": "object",
"properties": {
"client_id": {
"type": "string",
"mandatory": false,
"default": "owncloud_web"
}
},
"additionalProperties": false,
"required": [
"client_id"
],
"default": {
}
}
},
"additionalProperties": false,
"required": [
"url_base",
"web"
]
}
},
"additionalProperties": false,
"required": [
"kind",
"data"
]
}
]
},
"public_share": {
"nullable": false,
"type": "object",
"properties": {
"password_necessity": {
"nullable": false,
"type": "string",
"enum": [
"nothing",
"writable",
"all"
],
"default": "writable"
},
"password_policy_active": {
"nullable": false,
"type": "boolean",
"default": true
}
},
"additionalProperties": false,
"required": [
"password_necessity",
"password_policy_active"
],
"default": {
}
}
},
"additionalProperties": false,
"required": [
"user",
"directory",
"version",
"platform",
"domain",
"admin_password",
"authentication",
"public_share"
]
}

16
roles/owncloud/defaults/main.json
View file

@ -1,16 +0,0 @@
{
"cfg_owncloud_defaults": {
"user": "owncloud",
"directory": "/opt/owncloud",
"version": "7.2.0",
"platform": "linux-amd64",
"domain": "owncloud.example.org",
"authentication": {
"kind": "internal"
},
"public_share": {
"password_necessity": "writable",
"password_policy_active": true
}
}
}

32
roles/owncloud/info.md
View file

@ -1,32 +0,0 @@
## Beschreibung
Cloud-Plattform [ownCloud](https://owncloud.com/) (the rewrite in Go named "Infinite Scale")
## Verweise
- [ownCloud-Dokumentation | How to install ownCloud Infinite Scale Tech Preview in three easy steps](https://owncloud.com/news/howto-install-owncloud-infinite-scale-tech-preview/)
- [ownCloud-Dokumentation | oCIS](https://owncloud.dev/ocis/)
- [ownCloud-Dokumentation | Upgrading](https://doc.owncloud.com/ocis/next/migration/upgrading-ocis.html)
- [ownCloud-Dokumentation | env var types](https://doc.owncloud.com/ocis/next/deployment/services/envvar-types-description.html)
- [ownCloud-Dokumentation | Service | Web](https://doc.owncloud.com/ocis/next/deployment/services/s-list/web.html)
- [ownCloud-Dokumentation | Service | Proxy](https://doc.owncloud.com/ocis/next/deployment/services/s-list/proxy.html)
- [ownCloud-Dokumentation | Service | Sharing](https://doc.owncloud.com/ocis/next/deployment/services/s-list/sharing.html)
- [GitHub | ocis](https://github.com/owncloud/ocis/)
- [ownCloud-Foren | OCIS + Authelia](https://central.owncloud.org/t/ocis-authelia/44222)
## Bemerkungen
- die `.ocis/config/ocis.yaml` wird erzeugt auf Grundlage der `.env`
- `.ocis/config/ocis.yaml` sollte niemals einfach neu erstellt werden, da man sich sonst nicht mehr einloggen kann
- wenn man sich plötzlich nicht mehr über OIDC anmelden kann, kann das daran lieget, dass `.ocis/idm/ldap.crt` abgelaufen ist — siehe dazu [diesen Thread](https://central.owncloud.org/t/certificate-error-after-upgrade-to-5-0-0-from-4-0-6/47824/7); man könnte auch `OCIS_LDAP_INSECURE` auf `true` setzen, aber naja…
## ToDo
- Download prüfen
- `csp.yaml` einsetzen
- prüfen ob folgende `.env`-Variablen gebraucht werden:
- `PROXY_OIDC_ISSUER`
- `PROXY_OIDC_SKIP_USER_INFO`

87
roles/owncloud/tasks/main.json
View file

@ -1,87 +0,0 @@
[
{
"name": "show vars",
"when": "switch_show_vars",
"ansible.builtin.debug": {
"var": "vars.cfg_owncloud"
}
},
{
"name": "user",
"become": true,
"ansible.builtin.user": {
"name": "{{cfg_owncloud.user}}",
"create_home": true,
"home": "{{cfg_owncloud.directory}}"
}
},
{
"name": "download",
"become": true,
"become_user": "{{cfg_owncloud.user}}",
"ansible.builtin.get_url": {
"url": "https://download.owncloud.com/ocis/ocis/stable/{{cfg_owncloud.version}}/ocis-{{cfg_owncloud.version}}-{{cfg_owncloud.platform}}",
"dest": "{{cfg_owncloud.directory}}/ocis",
"mode": "u+rx"
}
},
{
"name": "directories",
"become": true,
"become_user": "{{cfg_owncloud.user}}",
"loop": [
"log"
],
"ansible.builtin.file": {
"state": "directory",
"recurse": true,
"path": "{{cfg_owncloud.directory}}/{{item}}"
}
},
{
"name": "csp",
"become": true,
"become_user": "{{cfg_owncloud.user}}",
"ansible.builtin.template": {
"src": "csp.yaml.j2",
"mode": "644",
"dest": "{{cfg_owncloud.directory}}/csp.yaml"
}
},
{
"name": "env",
"become": true,
"become_user": "{{cfg_owncloud.user}}",
"ansible.builtin.template": {
"src": "env.j2",
"mode": "644",
"dest": "{{cfg_owncloud.directory}}/.env"
}
},
{
"name": "setup",
"become": true,
"become_user": "{{cfg_owncloud.user}}",
"ansible.builtin.shell": {
"chdir": "{{cfg_owncloud.directory}}",
"cmd": "./ocis init --insecure no --admin-password={{cfg_owncloud.admin_password}}"
}
},
{
"name": "systemd unit",
"become": true,
"ansible.builtin.template": {
"src": "systemd_unit.j2",
"dest": "/etc/systemd/system/owncloud.service"
}
},
{
"name": "run",
"become": true,
"ansible.builtin.systemd_service": {
"name": "owncloud",
"enabled": true,
"state": "restarted"
}
}
]

7
roles/owncloud/templates/csp.yaml.j2
View file

@ -1,7 +0,0 @@
directives:
connect-src:
- '''self'''
- 'https://{{cfg_owncloud.domain}}'
{% if cfg_owncloud.authentication.kind == 'authelia' %}
- '{{cfg_owncloud.authentication.data.url_base}}'
{% endif %}

62
roles/owncloud/templates/env.j2
View file

@ -1,62 +0,0 @@
## web client
WEB_LOG_LEVEL=info
WEB_LOG_FILE={{cfg_owncloud.directory}}/log/web
WEB_LOG_PRETTY=true
WEB_LOG_COLOR=true
{% if cfg_owncloud.authentication.kind == 'internal' %}
{% endif %}
{% if cfg_owncloud.authentication.kind == 'authelia' %}
WEB_OIDC_AUTHORITY={{cfg_owncloud.authentication.data.url_base}}
WEB_OIDC_CLIENT_ID={{cfg_owncloud.authentication.data.web.client_id}}
WEB_OIDC_RESPONSE_TYPE=code
WEB_OIDC_SCOPE=openid profile email groups
WEB_OPTION_LOGIN_URL={{cfg_owncloud.authentication.data.url_base}}
WEB_OPTION_LOGOUT_URL={{cfg_owncloud.authentication.data.url_base}}
WEB_UI_THEME_SERVER=https://{{cfg_owncloud.domain}}
WEB_UI_CONFIG_SERVER=https://{{cfg_owncloud.domain}}
{% endif %}
## other clients
PROXY_LOG_LEVEL=info
PROXY_LOG_FILE={{cfg_owncloud.directory}}/log/proxy
PROXY_LOG_PRETTY=true
PROXY_LOG_COLOR=true
PROXY_CSP_CONFIG_FILE_LOCATION={{cfg_owncloud.directory}}/csp.yaml
PROXY_TLS=false
{% if cfg_owncloud.authentication.kind == 'internal' %}
PROXY_AUTOPROVISION_ACCOUNTS=false
{% endif %}
{% if cfg_owncloud.authentication.kind == 'authelia' %}
OCIS_URL=https://{{cfg_owncloud.domain}}
PROXY_OIDC_ISSUER={{cfg_owncloud.authentication.data.url_base}}
PROXY_OIDC_REWRITE_WELLKNOWN=true
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none
PROXY_OIDC_SKIP_USER_INFO=false
PROXY_AUTOPROVISION_ACCOUNTS=true
PROXY_AUTOPROVISION_CLAIM_USERNAME=preferred_username
PROXY_AUTOPROVISION_CLAIM_EMAIL=email
PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME=name
PROXY_AUTOPROVISION_CLAIM_GROUPS=groups
PROXY_USER_OIDC_CLAIM=preferred_username
PROXY_USER_CS3_CLAIM=username
{% endif %}
## sharing
{% if cfg_owncloud.public_share.password_necessity == 'nothing' %}
OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD=false
OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD=false
{% endif %}
{% if cfg_owncloud.public_share.password_necessity == 'writable' %}
OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD=false
OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD=true
{% endif %}
{% if cfg_owncloud.public_share.password_necessity == 'all' %}
OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD=true
OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD=true
{% endif %}
{% if cfg_owncloud.public_share.password_policy_active %}
OCIS_SHARING_PASSWORD_POLICY_DISABLED=false
{% else %}
OCIS_SHARING_PASSWORD_POLICY_DISABLED=true
{% endif %}

15
roles/owncloud/templates/systemd_unit.j2
View file

@ -1,15 +0,0 @@
[Unit]
Description=ownCloud
After=network.target
[Service]
WorkingDirectory={{cfg_owncloud.directory}}
EnvironmentFile={{cfg_owncloud.directory}}/.env
ExecStart={{cfg_owncloud.directory}}/ocis server
Type=simple
Restart=always
User={{cfg_owncloud.user}}
[Install]
WantedBy=default.target
RequiredBy=network.target

2
roles/postgresql-for-authelia/tasks/main.json
View file

@ -39,7 +39,7 @@
"become_user": "postgres",
"community.postgresql.postgresql_privs": {
"state": "present",
"login_db": "{{var_postgresql_for_authelia_schema}}",
"db": "{{var_postgresql_for_authelia_schema}}",
"objs": "ALL_IN_SCHEMA",
"roles": "{{var_postgresql_for_authelia_username}}",
"privs": "ALL",

5
roles/postgresql-for-forgejo/defaults/main.json
View file

@ -1,5 +0,0 @@
{
"var_postgresql_for_forgejo_username": "forgejo_user",
"var_postgresql_for_forgejo_password": "REPLACE_ME",
"var_postgresql_for_forgejo_schema": "forgejo"
}

49
roles/postgresql-for-forgejo/tasks/main.json
View file

@ -1,49 +0,0 @@
[
{
"name": "packages",
"become": true,
"ansible.builtin.apt": {
"update_cache": true,
"pkg": [
"acl",
"python3-psycopg2"
]
}
},
{
"name": "user",
"become": true,
"become_user": "postgres",
"community.postgresql.postgresql_user": {
"state": "present",
"name": "{{var_postgresql_for_forgejo_username}}",
"password": "{{var_postgresql_for_forgejo_password}}"
},
"environment": {
"PGOPTIONS": "-c password_encryption=scram-sha-256"
}
},
{
"name": "schema",
"become": true,
"become_user": "postgres",
"community.postgresql.postgresql_db": {
"state": "present",
"name": "{{var_postgresql_for_forgejo_schema}}",
"owner": "{{var_postgresql_for_forgejo_username}}"
}
},
{
"name": "rights",
"become": true,
"become_user": "postgres",
"community.postgresql.postgresql_privs": {
"state": "present",
"login_db": "{{var_postgresql_for_forgejo_schema}}",
"objs": "ALL_IN_SCHEMA",
"roles": "{{var_postgresql_for_forgejo_username}}",
"privs": "ALL",
"grant_option": true
}
}
]

4
roles/postgresql-for-gitlab/tasks/main.json
View file

@ -39,7 +39,7 @@
"become_user": "postgres",
"community.postgresql.postgresql_privs": {
"state": "present",
"login_db": "{{var_postgresql_for_gitlab_schema}}",
"db": "{{var_postgresql_for_gitlab_schema}}",
"objs": "ALL_IN_SCHEMA",
"roles": "{{var_postgresql_for_gitlab_username}}",
"privs": "ALL",
@ -57,7 +57,7 @@
],
"community.postgresql.postgresql_ext": {
"state": "present",
"login_db": "{{var_postgresql_for_gitlab_schema}}",
"db": "{{var_postgresql_for_gitlab_schema}}",
"name": "{{item}}"
}
}

2
roles/postgresql-for-hedgedoc/tasks/main.json
View file

@ -39,7 +39,7 @@
"become_user": "postgres",
"community.postgresql.postgresql_privs": {
"state": "present",
"login_db": "{{var_postgresql_for_hedgedoc_schema}}",
"db": "{{var_postgresql_for_hedgedoc_schema}}",
"objs": "ALL_IN_SCHEMA",
"roles": "{{var_postgresql_for_hedgedoc_username}}",
"privs": "ALL",

2
roles/postgresql-for-synapse/tasks/main.json
View file

@ -43,7 +43,7 @@
"become_user": "postgres",
"community.postgresql.postgresql_privs": {
"state": "present",
"login_db": "{{var_postgresql_for_synapse_schema}}",
"db": "{{var_postgresql_for_synapse_schema}}",
"objs": "ALL_IN_SCHEMA",
"roles": "{{var_postgresql_for_synapse_username}}",
"privs": "ALL",

5
roles/postgresql-for-tandoor/defaults/main.json
View file

@ -1,5 +0,0 @@
{
"var_postgresql_for_tandoor_username": "tandoor_user",
"var_postgresql_for_tandoor_password": "REPLACE_ME",
"var_postgresql_for_tandoor_schema": "tandoor"
}

50
roles/postgresql-for-tandoor/tasks/main.json
View file

@ -1,50 +0,0 @@
[
{
"name": "packages",
"become": true,
"ansible.builtin.apt": {
"update_cache": true,
"pkg": [
"acl",
"python3-psycopg2",
"libpq-dev"
]
}
},
{
"name": "user",
"become": true,
"become_user": "postgres",
"community.postgresql.postgresql_user": {
"state": "present",
"name": "{{var_postgresql_for_tandoor_username}}",
"password": "{{var_postgresql_for_tandoor_password}}"
},
"environment": {
"PGOPTIONS": "-c password_encryption=scram-sha-256"
}
},
{
"name": "schema",
"become": true,
"become_user": "postgres",
"community.postgresql.postgresql_db": {
"state": "present",
"name": "{{var_postgresql_for_tandoor_schema}}",
"owner": "{{var_postgresql_for_tandoor_username}}"
}
},
{
"name": "rights",
"become": true,
"become_user": "postgres",
"community.postgresql.postgresql_privs": {
"state": "present",
"login_db": "{{var_postgresql_for_tandoor_schema}}",
"objs": "ALL_IN_SCHEMA",
"roles": "{{var_postgresql_for_tandoor_username}}",
"privs": "ALL",
"grant_option": true
}
}
]

2
roles/postgresql-for-vikunja/tasks/main.json
View file

@ -39,7 +39,7 @@
"become_user": "postgres",
"community.postgresql.postgresql_privs": {
"state": "present",
"login_db": "{{var_postgresql_for_vikunja_schema}}",
"db": "{{var_postgresql_for_vikunja_schema}}",
"objs": "ALL_IN_SCHEMA",
"roles": "{{var_postgresql_for_vikunja_username}}",
"privs": "ALL",

5
roles/postgresql-for-wiki_js/defaults/main.json
View file

@ -1,5 +0,0 @@
{
"var_postgresql_for_wiki_js_username": "wiki_js_user",
"var_postgresql_for_wiki_js_password": "REPLACE_ME",
"var_postgresql_for_wiki_js_schema": "wiki_js"
}

49
roles/postgresql-for-wiki_js/tasks/main.json
View file

@ -1,49 +0,0 @@
[
{
"name": "packages",
"become": true,
"ansible.builtin.apt": {
"update_cache": true,
"pkg": [
"acl",
"python3-psycopg2"
]
}
},
{
"name": "user",
"become": true,
"become_user": "postgres",
"community.postgresql.postgresql_user": {
"state": "present",
"name": "{{var_postgresql_for_wiki_js_username}}",
"password": "{{var_postgresql_for_wiki_js_password}}"
},
"environment": {
"PGOPTIONS": "-c password_encryption=scram-sha-256"
}
},
{
"name": "schema",
"become": true,
"become_user": "postgres",
"community.postgresql.postgresql_db": {
"state": "present",
"name": "{{var_postgresql_for_wiki_js_schema}}",
"owner": "{{var_postgresql_for_wiki_js_username}}"
}
},
{
"name": "rights",
"become": true,
"become_user": "postgres",
"community.postgresql.postgresql_privs": {
"state": "present",
"login_db": "{{var_postgresql_for_wiki_js_schema}}",
"objs": "ALL_IN_SCHEMA",
"roles": "{{var_postgresql_for_wiki_js_username}}",
"privs": "ALL",
"grant_option": true
}
}
]

4
roles/sqlite-for-hedgedoc/defaults/main.json Normal file
View file

@ -0,0 +1,4 @@
{
"var_sqlite_for_hedgedoc_path": "/var/hedgedoc/data.sqlite",
"var_sqlite_for_hedgedoc_user_name": "hedgedoc"
}

20
roles/sqlite-for-hedgedoc/tasks/main.json Normal file
View file

@ -0,0 +1,20 @@
[
{
"name": "directory",
"become": true,
"ansible.builtin.file": {
"state": "directory",
"path": "{{var_sqlite_for_hedgedoc_path | dirname}}",
"owner": "{{var_hedgedoc_user_name}}"
}
},
{
"name": "file",
"become": true,
"ansible.builtin.file": {
"state": "touch",
"path": "{{var_sqlite_for_hedgedoc_path}}",
"owner": "{{var_sqlite_for_hedgedoc_user_name}}"
}
}
]

10
roles/sqlite-for-hedgedoc/vardef.json Normal file
View file

@ -0,0 +1,10 @@
{
"path": {
"type": "string",
"mandatory": false
},
"user_name": {
"type": "string",
"mandatory": false
}
}

3
roles/synapse/defaults/main.json
View file

@ -24,9 +24,6 @@
"var_synapse_smtp_port": 587,
"var_synapse_smtp_username": "synapse@smtp.example.org",
"var_synapse_smtp_password": "REPLACE_ME",
"var_synapse_notifications_source_address": "synapse@example.org",
"var_synapse_notifications_via_email_enabled_by_default": false,
"var_synapse_notifications_via_email_delay": "1h",
"var_synapse_admin_user_define": true,
"var_synapse_admin_user_name": "admin",
"var_synapse_admin_user_password": "REPLACE_ME"

9
roles/synapse/info.md
View file

@ -1,12 +1,11 @@
## Beschreibung
Zur Einrichtung des [matrix.org](https://matrix.org/)-Servers [Synapse](https://github.com/element-hq/synapse)
Zur Einrichtung des [matrix.org](https://matrix.org/)-Servers Synapse
## Verweise
- [ubuntuusers-Wiki-Eintrag](https://wiki.ubuntuusers.de/Matrix_synapse/)
- [GitHub-Repository](https://github.com/element-hq/synapse)
- [Debian-Paket](https://element-hq.github.io/synapse/latest/setup/installation.html#debianubuntu)
- [Configuration Manual](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html)
- [Dokumentation | PostgreSQL](https://element-hq.github.io/synapse/latest/postgres.html#using-postgres)
- [GitHub-Repository](https://github.com/matrix-org/synapse)
- [Configuration Manual](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html)
- [Dokumentation | PostgreSQL](https://matrix-org.github.io/synapse/latest/postgres.html#using-postgres)

44
roles/synapse/tasks/main.json
View file

@ -1,40 +1,14 @@
[
{
"name": "preparation | install packages",
"name": "invoke required repositories",
"become": true,
"ansible.builtin.apt": {
"update_cache": true,
"pkg": [
"lsb-release",
"apt-transport-https"
]
"ansible.builtin.copy": {
"src": "sources-bullseye-backports.list",
"dest": "/etc/apt/sources.list.d/bullseye-backports-for-synapse.list"
}
},
{
"name": "preparation | get keyring",
"become": true,
"ansible.builtin.get_url": {
"url": "https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg",
"dest": "/usr/share/keyrings/matrix-org-archive-keyring.gpg"
}
},
{
"name": "preparation | add source",
"become": true,
"ansible.builtin.shell": {
"cmd": "echo \"deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main\" > /etc/apt/sources.list.d/synapse.list",
"creates": "/etc/apt/sources.list.d/synapse.list"
}
},
{
"name": "preparation | update package information",
"become": true,
"ansible.builtin.apt": {
"update_cache": true
}
},
{
"name": "preparation | conf | server-name",
"name": "prepare package installation | server-name",
"become": true,
"ansible.builtin.debconf": {
"name": "matrix-synapse",
@ -44,7 +18,7 @@
}
},
{
"name": "preparation | conf | report-stats",
"name": "prepare package installation | report-stats",
"become": true,
"ansible.builtin.debconf": {
"name": "matrix-synapse",
@ -60,7 +34,7 @@
"update_cache": true,
"pkg": [
"python3-authlib",
"matrix-synapse-py3"
"matrix-synapse"
]
}
},
@ -113,10 +87,10 @@
},
{
"name": "setup admin user",
"when": "var_synapse_admin_user_define",
"become": true,
"ansible.builtin.shell": {
"cmd": "synapse_register_new_matrix_user --config=/etc/matrix-synapse/homeserver.yaml --admin --user={{var_synapse_admin_user_name}} --password={{var_synapse_admin_user_password}} || true"
}
},
"when": "var_synapse_admin_user_define"
}
]

Some files were not shown because too many files have changed in this diff Show more