[fix] role:synapse:apt stuff

README.md

@@ -1,4 +1,4 @@
-# Ansible Collection - roydfalk.standard
+# Ansible Collection - linke.standard
 
 Sammlung von allgemeinen, wiederverwendbaren Ansible-Rollen
 

galaxy.yml

@@ -2,10 +2,10 @@
 # The namespace of the collection. This can be a company/brand/organization or product namespace under which all
 # content lives. May only contain alphanumeric lowercase characters and underscores. Namespaces cannot start with
 # underscores or numbers and cannot contain consecutive underscores
-namespace: fenris 
+namespace: linke
 
 # The name of the collection. Has the same character restrictions as 'namespace'
-name: base 
+name: standard
 
 # The version of the collection. Must be compatible with semantic versioning
 version: 1.0.0
@@ -16,12 +16,12 @@ readme: README.md
 # A list of the collection's content authors. Can be just the name or in the format 'Full Name <email> (url)
 # @nicks:irc/im.site#channel'
 authors:
-- Fenris <fenris@folksprak.org>
+- Royd Falk <roydfalk@folksprak.org>
 - Marius <marius@rasumi.net>
 
 ### OPTIONAL but strongly recommended
 # A short summary description of the collection
-description: "Sammlung von allgemeinen, wiederverwendbaren Ansible-Rollen"
+description: "Sammlung von allgemeinen, wiederverwendbaren Ansible-Rollen (ursprünglich für Infrastruktur der Partei 'DIE LINKE.')"
 
 # Either a single license or a list of licenses for content inside of a collection. Ansible Galaxy currently only
 # accepts L(SPDX,https://spdx.org/licenses/) licenses. This key is mutually exclusive with 'license_file'

roles/authelia-and-nginx/cfg.schema.json

@@ -1,24 +0,0 @@
-{
-	"nullable": false,
-	"type": "object",
-	"properties": {
-		"domain": {
-			"nullable": false,
-			"type": "string"
-		},
-		"tls_mode": {
-			"nullable": false,
-			"type": "string",
-			"options": [
-				"disable",
-				"enable",
-				"force"
-			],
-			"enum": "force"
-		}
-	},
-	"additionalProperties": false,
-	"required": [
-		"domain"
-	]
-}

roles/authelia-and-nginx/defaults/main.json

@@ -1,5 +1,4 @@
 {
-	"cfg_authelia_and_nginx_defaults": {
+	"var_authelia_and_nginx_domain": "authelia.example.org",
-		"tls_mode": "force"
+	"var_authelia_and_nginx_tls_mode": "force"
-	}
 }

roles/authelia-and-nginx/tasks/main.json

@@ -1,11 +1,4 @@
 [
-	{
-		"name": "show vars",
-		"when": "switch_show_vars",
-		"ansible.builtin.debug": {
-			"var": "vars.cfg_authelia_and_nginx"
-		}
-	},
 	{
 		"name": "deactivate default site",
 		"become": true,
@@ -19,7 +12,7 @@
 		"become": true,
 		"ansible.builtin.template": {
 			"src": "conf.j2",
-			"dest": "/etc/nginx/sites-available/{{cfg_authelia_and_nginx.domain}}"
+			"dest": "/etc/nginx/sites-available/{{var_authelia_and_nginx_domain}}"
 		}
 	},
 	{
@@ -27,8 +20,8 @@
 		"become": true,
 		"ansible.builtin.file": {
 			"state": "link",
-			"src": "/etc/nginx/sites-available/{{cfg_authelia_and_nginx.domain}}",
+			"src": "/etc/nginx/sites-available/{{var_authelia_and_nginx_domain}}",
-			"dest": "/etc/nginx/sites-enabled/{{cfg_authelia_and_nginx.domain}}"
+			"dest": "/etc/nginx/sites-enabled/{{var_authelia_and_nginx_domain}}"
 		}
 	},
 	{

roles/authelia-and-nginx/templates/conf.j2

@@ -45,27 +45,27 @@
 {% endmacro %}
 
 server {
-	server_name {{cfg_authelia_and_nginx.domain}};
+	server_name {{var_authelia_and_nginx_domain}};
 	
 	listen 80;
 	listen [::]:80;
 	
-{% if (cfg_authelia_and_nginx.tls_mode == 'force') %}
+{% if (var_authelia_and_nginx_tls_mode == 'force') %}
 	return 301 https://$http_host$request_uri;
 {% else %}
 {{ authelia_common() }}
 {% endif %}
 }
 
-{% if (cfg_authelia_and_nginx.tls_mode != 'disable') %}
+{% if (var_authelia_and_nginx_tls_mode != 'disable') %}
 server {
-	server_name {{cfg_authelia_and_nginx.domain}};
+	server_name {{var_authelia_and_nginx_domain}};
 	
 	listen [::]:443 ssl http2;
 	listen 443 ssl http2;
 	
-	ssl_certificate_key /etc/ssl/private/{{cfg_authelia_and_nginx.domain}}.pem;
+	ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem;
-	ssl_certificate /etc/ssl/fullchains/{{cfg_authelia_and_nginx.domain}}.pem;
+	ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem;
 	include /etc/nginx/ssl-hardening.conf;
 	
 {{ authelia_common() }}

roles/authelia-and-nginx/vardef.json

@@ -0,0 +1,15 @@
+{
+	"domain": {
+		"type": "string",
+		"mandatory": false
+	},
+	"tls_mode": {
+		"type": "string",
+		"options": [
+			"disable",
+			"enable",
+			"force"
+		],
+		"mandatory": false
+	}
+}

roles/authelia-for-dokuwiki/tasks/main.json

@@ -1,12 +1,4 @@
 [
-	{
-		"name": "configuration | compute client secret hash",
-		"become": true,
-		"ansible.builtin.shell": {
-			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_dokuwiki_client_secret}} | cut --delimiter=' ' --fields='2-'"
-		},
-		"register": "temp_authelia_for_dokuwiki_client_secret_hashed"
-	},
 	{
 		"name": "configuration | emplace",
 		"become": true,

roles/authelia-for-dokuwiki/templates/authelia-client-conf.json.j2

@@ -1,6 +1,6 @@
 {
 	"client_id": "{{var_authelia_for_dokuwiki_client_id}}",
-	"client_secret": "{{temp_authelia_for_dokuwiki_client_secret_hashed.stdout}}",
+	"client_secret": "{{var_authelia_for_dokuwiki_client_secret}}",
 	"client_name": "DokuWiki",
 	"public": false,
 	"authorization_policy": "one_factor",

roles/authelia-for-forgejo/tasks/main.json

@@ -1,12 +1,4 @@
 [
-	{
-		"name": "configuration | compute client secret hash",
-		"become": true,
-		"ansible.builtin.shell": {
-			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_forgejo_client_secret}} | cut --delimiter=' ' --fields='2-'"
-		},
-		"register": "temp_authelia_for_forgejo_client_secret_hashed"
-	},
 	{
 		"name": "configuration | emplace",
 		"become": true,

roles/authelia-for-forgejo/templates/authelia-client-conf.json.j2

@@ -1,6 +1,6 @@
 {
 	"client_id": "{{var_authelia_for_forgejo_client_id}}",
-	"client_secret": "{{temp_authelia_for_forgejo_client_secret_hashed.stdout}}",
+	"client_secret": "{{var_authelia_for_forgejo_client_secret}}",
 	"client_name": "Forgejo",
 	"public": false,
 	"authorization_policy": "one_factor",

roles/authelia-for-gitlab/tasks/main.json

@@ -1,12 +1,4 @@
 [
-	{
-		"name": "configuration | compute client secret hash",
-		"become": true,
-		"ansible.builtin.shell": {
-			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_gitlab_client_secret}} | cut --delimiter=' ' --fields='2-'"
-		},
-		"register": "temp_authelia_for_gitlab_client_secret_hashed"
-	},
 	{
 		"name": "configuration | emplace",
 		"become": true,

roles/authelia-for-gitlab/templates/authelia-client-conf.json.j2

@@ -1,6 +1,6 @@
 {
 	"client_id": "{{var_authelia_for_gitlab_client_id}}",
-	"client_secret": "{{temp_authelia_for_gitlab_client_secret_hashed.stdout}}",
+	"client_secret": "{{var_authelia_for_gitlab_client_secret}}",
 	"client_name": "GitLab",
 	"public": false,
 	"authorization_policy": "one_factor",

roles/authelia-for-hedgedoc/cfg.schema.json

@@ -1,25 +0,0 @@
-{
-	"nullable": false,
-	"type": "object",
-	"properties": {
-		"hedgedoc_url_base": {
-			"nullable": false,
-			"type": "string"
-		},
-		"client_id": {
-			"nullable": false,
-			"type": "string",
-			"default": "hedgedoc"
-		},
-		"client_secret": {
-			"nullable": false,
-			"type": "string"
-		}
-	},
-	"additionalProperties": false,
-	"required": [
-		"hedgedoc_url_base",
-		"client_id",
-		"client_secret"
-	]
-}

roles/authelia-for-hedgedoc/defaults/main.json

@@ -1,5 +1,5 @@
 {
-	"cfg_authelia_for_hedgedoc_defaults": {
+	"var_authelia_for_hedgedoc_hedgedoc_url_base": "https://hedgedoc.example.org",
-		"client_id": "hedgedoc"
+	"var_authelia_for_hedgedoc_client_id": "hedgedoc",
-	}
+	"var_authelia_for_hedgedoc_client_secret": "REPLACE_ME"
 }

roles/authelia-for-hedgedoc/tasks/main.json

@@ -1,19 +1,4 @@
 [
-	{
-		"name": "show vars",
-		"when": "switch_show_vars",
-		"ansible.builtin.debug": {
-			"var": "vars.cfg_authelia_for_hedgedoc"
-		}
-	},
-	{
-		"name": "configuration | compute client secret hash",
-		"become": true,
-		"ansible.builtin.shell": {
-			"cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_hedgedoc.client_secret}} | cut --delimiter=' ' --fields='2-'"
-		},
-		"register": "temp_authelia_for_hedgedoc_client_secret_hashed"
-	},
 	{
 		"name": "configuration | emplace",
 		"become": true,

roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2

@@ -1,6 +1,6 @@
 {
-	"client_id": "{{cfg_authelia_for_hedgedoc.client_id}}",
+	"client_id": "{{var_authelia_for_hedgedoc_client_id}}",
-	"client_secret": "{{temp_authelia_for_hedgedoc_client_secret_hashed.stdout}}",
+	"client_secret": "{{var_authelia_for_hedgedoc_client_secret}}",
 	"client_name": "Hedgedoc",
 	"public": false,
 	"authorization_policy": "one_factor",
@@ -10,7 +10,11 @@
 		"profile"
 	],
 	"redirect_uris": [
-		"{{cfg_authelia_for_hedgedoc.hedgedoc_url_base}}/auth/oauth2/callback"
+		"{{var_authelia_for_hedgedoc_hedgedoc_url_base}}/auth/oauth2/callback"
+	],
+	"grant_types": [
+		"refresh_token",
+		"authorization_code"
 	],
 	"response_types": [
 		"code"

roles/authelia-for-mas/defaults/main.json

@@ -0,0 +1,6 @@
+{
+	"var_authelia_for_mas_mas_url_base": "https://mas.example.org",
+	"var_authelia_for_mas_id": "01JADRQ54Y0KCQS0AEJQ4YTY36",
+	"var_authelia_for_mas_client_id": "mas",
+	"var_authelia_for_mas_client_secret": "REPLACE_ME"
+}

roles/authelia-for-mas/info.md

@@ -0,0 +1,8 @@
+## Beschreibung
+
+Um [MAS](../mas) gegen [Authelia](../authelia) authentifizieren zu lassen
+
+
+## Verweise
+
+- [MAS-Dokumentation | Configure an upstream SSO provider](https://element-hq.github.io/matrix-authentication-service/setup/sso.html)

roles/authelia-for-mas/tasks/main.json

@@ -1,18 +1,10 @@
 [
-	{
-		"name": "configuration | compute client secret hash",
-		"become": true,
-		"ansible.builtin.shell": {
-			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_tandoor_client_secret}} | cut --delimiter=' ' --fields='2-'"
-		},
-		"register": "temp_authelia_for_tandoor_client_secret_hashed"
-	},
 	{
 		"name": "configuration | emplace",
 		"become": true,
 		"ansible.builtin.template": {
 			"src": "authelia-client-conf.json.j2",
-			"dest": "/etc/authelia/conf.d/clients/tandoor.json"
+			"dest": "/etc/authelia/conf.d/clients/mas.json"
 		}
 	},
 	{

roles/authelia-for-mas/templates/authelia-client-conf.json.j2

@@ -0,0 +1,16 @@
+{
+	"client_id": "{{var_authelia_for_mas_client_id}}",
+	"client_secret": "{{var_authelia_for_mas_client_secret}}",
+	"client_name": "MAS",
+	"public": false,
+	"authorization_policy": "one_factor",
+	"redirect_uris": [
+		"{{var_authelia_for_mas_mas_url_base}}/upstream/callback/{{var_authelia_for_mas_id}}"
+	],
+	"scopes": [
+		"openid",
+		"email",
+		"profile"
+	],
+	"token_endpoint_auth_method": "client_secret_basic"
+}

roles/authelia-for-mas/vardef.json

@@ -0,0 +1,19 @@
+{
+	"mas_url_base": {
+		"type": "string",
+		"mandatory": false
+	},
+	"id": {
+		"type": "string",
+		"mandatory": false,
+		"description": "needs to be a ULID"
+	},
+	"client_id": {
+		"type": "string",
+		"mandatory": false
+	},
+	"client_secret": {
+		"type": "string",
+		"mandatory": false
+	}
+}

roles/authelia-for-owncloud/cfg.schema.json

@@ -1,97 +0,0 @@
-{
-	"nullable": false,
-	"type": "object",
-	"properties": {
-		"owncloud_url_base": {
-			"nullable": false,
-			"type": "string"
-		},
-		"web": {
-			"nullable": true,
-			"type": "object",
-			"properties": {
-				"client_id": {
-					"nullable": false,
-					"type": "string",
-					"default": "owncloud_web"
-				}
-			},
-			"additionalProperties": false,
-			"required": [
-			],
-			"default": {
-			}
-		},
-		"desktop": {
-			"nullable": true,
-			"type": "object",
-			"properties": {
-				"client_id": {
-					"nullable": false,
-					"type": "string",
-					"default": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69"
-				},
-				"client_secret": {
-					"nullable": false,
-					"type": "string",
-					"default": "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh"
-				}
-			},
-			"additionalProperties": false,
-			"required": [
-			],
-			"default": {
-			}
-		},
-		"android": {
-			"nullable": true,
-			"type": "object",
-			"properties": {
-				"client_id": {
-					"nullable": false,
-					"type": "string",
-					"default": "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD"
-				},
-				"client_secret": {
-					"nullable": false,
-					"type": "string",
-					"default": "dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD"
-				}
-			},
-			"additionalProperties": false,
-			"required": [
-			],
-			"default": {
-			}
-		},
-		"ios": {
-			"nullable": true,
-			"type": "object",
-			"properties": {
-				"client_id": {
-					"nullable": false,
-					"type": "string",
-					"default": "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1"
-				},
-				"client_secret": {
-					"nullable": false,
-					"type": "string",
-					"default": "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx"
-				}
-			},
-			"additionalProperties": false,
-			"required": [
-			],
-			"default": {
-			}
-		}
-	},
-	"additionalProperties": false,
-	"required": [
-		"owncloud_url_base",
-		"web",
-		"desktop",
-		"android",
-		"ios"
-	]
-}

roles/authelia-for-owncloud/defaults/main.json

@@ -1,19 +1,8 @@
 {
-	"cfg_authelia_for_owncloud_defaults": {
+	"var_authelia_for_owncloud_owncloud_url_base": "https://owncloud.example.org",
-		"web": {
+	"var_authelia_for_owncloud_web_client_id": "owncloud_web",
-			"client_id": "owncloud_web"
+	"var_authelia_for_owncloud_android_client_id": "owncloud_android",
-		},
+	"var_authelia_for_owncloud_android_client_secret": "REPLACE_ME",
-		"desktop": {
+	"var_authelia_for_owncloud_ios_client_id": "owncloud_ios",
-			"client_id": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69",
+	"var_authelia_for_owncloud_ios_client_secret": "REPLACE_ME"
-			"client_secret": "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh"
-		},
-		"android": {
-			"client_id": "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD",
-			"client_secret": "dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD"
-		},
-		"ios": {
-			"client_id": "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1",
-			"client_secret": "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx"
-		}
-	}
 }

roles/authelia-for-owncloud/tasks/main.json

@@ -1,95 +1,17 @@
 [
 	{
-		"name": "show vars",
+		"name": "configuration | emplace",
-		"when": "switch_show_vars",
-		"ansible.builtin.debug": {
-			"var": "vars.cfg_authelia_for_owncloud"
-		}
-	},
-	{
-		"name": "configuration | client",
-		"block": [
-			{
-				"name": "configuration | client | web",
-				"when": "cfg_authelia_for_owncloud.web != None",
-				"block": [
-					{
-						"name": "emplace",
 		"become": true,
+		"loop": [
+			{"src": "authelia-client-conf-web.json.j2", "dest": "/etc/authelia/conf.d/clients/owncloud-web.json"},
+			{"src": "authelia-client-conf-desktop.json.j2", "dest": "/etc/authelia/conf.d/clients/owncloud-desktop.json"},
+			{"src": "authelia-client-conf-android.json.j2", "dest": "/etc/authelia/conf.d/clients/owncloud-android.json"},
+			{"src": "authelia-client-conf-ios.json.j2", "dest": "/etc/authelia/conf.d/clients/owncloud-ios.json"}
+		],
 		"ansible.builtin.template": {
-							"src": "authelia-client-conf-web.json.j2",
+			"src": "{{item.src}}",
-							"dest": "/etc/authelia/conf.d/clients/owncloud-web.json"
+			"dest": "{{item.dest}}"
 		}
-					}
-				]
-			},
-			{
-				"name": "configuration | client | desktop",
-				"when": "cfg_authelia_for_owncloud.desktop != None",
-				"block": [
-					{
-						"name": "compute client secret hash",
-						"become": true,
-						"ansible.builtin.shell": {
-							"cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_owncloud.desktop.client_secret}} | cut --delimiter=' ' --fields='2-'"
-						},
-						"register": "temp_authelia_for_owncloud_desktop_client_secret_hashed"
-					},
-					{
-						"name": "emplace",
-						"become": true,
-						"ansible.builtin.template": {
-							"src": "authelia-client-conf-desktop.json.j2",
-							"dest": "/etc/authelia/conf.d/clients/owncloud-desktop.json"
-						}
-					}
-				]
-			},
-			{
-				"name": "configuration | client | android",
-				"when": "cfg_authelia_for_owncloud.android != None",
-				"block": [
-					{
-						"name": "compute client secret hash",
-						"become": true,
-						"ansible.builtin.shell": {
-							"cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_owncloud.android.client_secret}} | cut --delimiter=' ' --fields='2-'"
-						},
-						"register": "temp_authelia_for_owncloud_android_client_secret_hashed"
-					},
-					{
-						"name": "emplace",
-						"become": true,
-						"ansible.builtin.template": {
-							"src": "authelia-client-conf-android.json.j2",
-							"dest": "/etc/authelia/conf.d/clients/owncloud-android.json"
-						}
-					}
-				]
-			},
-			{
-				"name": "configuration | client | ios",
-				"when": "cfg_authelia_for_owncloud.ios != None",
-				"block": [
-					{
-						"name": "compute client secret hash",
-						"become": true,
-						"ansible.builtin.shell": {
-							"cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_owncloud.ios.client_secret}} | cut --delimiter=' ' --fields='2-'"
-						},
-						"register": "temp_authelia_for_owncloud_ios_client_secret_hashed"
-					},
-					{
-						"name": "emplace",
-						"become": true,
-						"ansible.builtin.template": {
-							"src": "authelia-client-conf-ios.json.j2",
-							"dest": "/etc/authelia/conf.d/clients/owncloud-ios.json"
-						}
-					}
-				]
-			}
-		]
 	},
 	{
 		"name": "configuration | apply",

roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2

@@ -1,33 +1,16 @@
 {
-	"client_id": "{{cfg_authelia_for_owncloud.android.client_id}}",
+	"client_id": "{{var_authelia_for_owncloud_android_client_id}}",
-	"client_secret": "{{temp_authelia_for_owncloud_android_client_secret_hashed.stdout}}",
+	"client_secret": "{{var_authelia_for_owncloud_android_client_secret}}",
 	"client_name": "ownCloud | Android Client",
-	
-	"public": false,
 	"authorization_policy": "one_factor",
-	"require_pkce": true,
-	"pkce_challenge_method": "S256",
 	"scopes": [
 		"openid",
-		"offline_access",
 		"groups",
 		"profile",
-		"email"
+		"email",
+		"offline_access"
 	],
 	"redirect_uris": [
 		"oc://android.owncloud.com"
-		
+	]
-		
-		
-	],
-	"response_types": [
-		"code"
-	],
-	"grant_types": [
-		"authorization_code",
-		"refresh_token"
-	],
-	"access_token_signed_response_alg": "none",
-	"userinfo_signed_response_alg": "none",
-	"token_endpoint_auth_method": "client_secret_basic"
 }

roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2

@@ -1,33 +1,17 @@
 {
-	"client_id": "{{cfg_authelia_for_owncloud.desktop.client_id}}",
+	"client_id": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69",
-	"client_secret": "{{temp_authelia_for_owncloud_desktop_client_secret_hashed.stdout}}",
+	"client_secret": "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh",
 	"client_name": "ownCloud | Desktop Client",
-	
-	"public": false,
 	"authorization_policy": "one_factor",
-	"require_pkce": true,
-	"pkce_challenge_method": "S256",
 	"scopes": [
 		"openid",
-		"offline_access",
 		"groups",
 		"profile",
-		"email"
+		"email",
+		"offline_access"
 	],
 	"redirect_uris": [
 		"http://127.0.0.1",
 		"http://localhost"
-		
+	]
-		
-	],
-	"response_types": [
-		"code"
-	],
-	"grant_types": [
-		"authorization_code",
-		"refresh_token"
-	],
-	"access_token_signed_response_alg": "none",
-	"userinfo_signed_response_alg": "none",
-	"token_endpoint_auth_method": "client_secret_basic"
 }

roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2

@@ -1,33 +1,17 @@
 {
-	"client_id": "{{cfg_authelia_for_owncloud.ios.client_id}}",
+	"client_id": "{{var_authelia_for_owncloud_ios_client_id}}",
-	"client_secret": "{{temp_authelia_for_owncloud_ios_client_secret_hashed.stdout}}",
+	"client_secret": "{{var_authelia_for_owncloud_ios_client_secret}}",
 	"client_name": "ownCloud | iOS Client",
-	
-	"public": false,
 	"authorization_policy": "one_factor",
-	"require_pkce": true,
-	"pkce_challenge_method": "S256",
 	"scopes": [
 		"openid",
-		"offline_access",
 		"groups",
 		"profile",
-		"email"
+		"email",
+		"offline_access"
 	],
 	"redirect_uris": [
 		"oc://ios.owncloud.com",
 		"oc.ios://ios.owncloud.com"
-		
+	]
-		
-	],
-	"response_types": [
-		"code"
-	],
-	"grant_types": [
-		"authorization_code",
-		"refresh_token"
-	],
-	"access_token_signed_response_alg": "none",
-	"userinfo_signed_response_alg": "none",
-	"token_endpoint_auth_method": "client_secret_basic"
 }

roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2

@@ -1,33 +1,20 @@
 {
-	"client_id": "{{cfg_authelia_for_owncloud.web.client_id}}",
+	"client_id": "{{var_authelia_for_owncloud_web_client_id}}",
-	
 	"client_name": "ownCloud | Web Client",
-	"lifespan": "long",
 	"public": true,
 	"authorization_policy": "one_factor",
-	"require_pkce": true,
-	"pkce_challenge_method": "S256",
 	"scopes": [
 		"openid",
-		"offline_access",
+		"email",
-		"groups",
 		"profile",
-		"email"
+		"groups"
-	],
-	"redirect_uris": [
-		"https://{{cfg_authelia_for_owncloud.owncloud_url_base}}",
-		"https://{{cfg_authelia_for_owncloud.owncloud_url_base}}/oidc-callback.html",
-		"https://{{cfg_authelia_for_owncloud.owncloud_url_base}}/oidc-silent-redirect.html",
-		"https://{{cfg_authelia_for_owncloud.owncloud_url_base}}/apps/openidconnect/redirect"
 	],
 	"response_types": [
 		"code"
 	],
-	"grant_types": [
+	"redirect_uris": [
-		"authorization_code",
+		"{{var_authelia_for_owncloud_owncloud_url_base}}",
-		"refresh_token"
+		"{{var_authelia_for_owncloud_owncloud_url_base}}/oidc-callback.html",
-	],
+		"{{var_authelia_for_owncloud_owncloud_url_base}}/oidc-silent-redirect.html"
-	"access_token_signed_response_alg": "none",
+	]
-	"userinfo_signed_response_alg": "none",
-	"token_endpoint_auth_method": "none"
 }

roles/authelia-for-owncloud/vardef.json

@@ -0,0 +1,26 @@
+{
+	"owncloud_url_base": {
+		"type": "string",
+		"mandatory": false
+	},
+	"web_client_id": {
+		"type": "string",
+		"mandatory": false
+	},
+	"android_client_id": {
+		"type": "string",
+		"mandatory": false
+	},
+	"android_client_secret": {
+		"type": "string",
+		"mandatory": false
+	},
+	"ios_client_id": {
+		"type": "string",
+		"mandatory": false
+	},
+	"ios_client_secret": {
+		"type": "string",
+		"mandatory": false
+	}
+}

roles/authelia-for-synapse/tasks/main.json

@@ -1,12 +1,4 @@
 [
-	{
-		"name": "configuration | compute client secret hash",
-		"become": true,
-		"ansible.builtin.shell": {
-			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_synapse_client_secret}} | cut --delimiter=' ' --fields='2-'"
-		},
-		"register": "temp_authelia_for_synapse_client_secret_hashed"
-	},
 	{
 		"name": "configuration | emplace",
 		"become": true,

roles/authelia-for-synapse/templates/authelia-client-conf.json.j2

@@ -1,6 +1,6 @@
 {
 	"client_id": "{{var_authelia_for_synapse_client_id}}",
-	"client_secret": "{{temp_authelia_for_synapse_client_secret_hashed.stdout}}",
+	"client_secret": "{{var_authelia_for_synapse_client_secret}}",
 	"client_name": "Synapse",
 	"public": false,
 	"authorization_policy": "one_factor",

roles/authelia-for-tandoor/defaults/main.json

@@ -1,5 +0,0 @@
-{
-	"var_authelia_for_tandoor_tandoor_url_base": "https://tandoor.example.org",
-	"var_authelia_for_tandoor_client_id": "tandoor",
-	"var_authelia_for_tandoor_client_secret": "REPLACE_ME"
-}

roles/authelia-for-tandoor/info.md

@@ -1,8 +0,0 @@
-## Beschreibung
-
-Um [Tandoor](../tandoor) gegen [Authelia](../authelia) authentifizieren zu lassen
-
-
-## Verweise
-
-- [allauth-Dokumentation | Authelia](https://django-allauth.readthedocs.io/en/latest/socialaccount/providers/authelia.html)

roles/authelia-for-tandoor/templates/authelia-client-conf.json.j2

@@ -1,17 +0,0 @@
-{
-	"client_id": "{{var_authelia_for_tandoor_client_id}}",
-	"client_secret": "{{temp_authelia_for_tandoor_client_secret_hashed.stdout}}",
-	"client_name": "Tandoor",
-	"public": false,
-	"authorization_policy": "one_factor",
-	"redirect_uris": [
-		"{{var_authelia_for_tandoor_tandoor_url_base}}/accounts/oidc/authelia/login/callback/"
-	],
-	"scopes": [
-		"openid",
-		"email",
-		"profile"
-	],
-	"userinfo_signed_response_alg": "none",
-	"token_endpoint_auth_method": "client_secret_basic"
-}

roles/authelia-for-vikunja/tasks/main.json

@@ -1,12 +1,4 @@
 [
-	{
-		"name": "configuration | compute client secret hash",
-		"become": true,
-		"ansible.builtin.shell": {
-			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_vikunja_client_secret}} | cut --delimiter=' ' --fields='2-'"
-		},
-		"register": "temp_authelia_for_vikunja_client_secret_hashed"
-	},
 	{
 		"name": "configuration | emplace",
 		"become": true,

roles/authelia-for-vikunja/templates/authelia-client-conf.json.j2

@@ -1,6 +1,6 @@
 {
 	"client_id": "{{var_authelia_for_vikunja_client_id}}",
-	"client_secret": "{{temp_authelia_for_vikunja_client_secret_hashed.stdout}}",
+	"client_secret": "{{var_authelia_for_vikunja_client_secret}}",
 	"client_name": "Vikunja",
 	"public": false,
 	"authorization_policy": "one_factor",

roles/authelia-for-wiki_js/tasks/main.json

@@ -1,12 +1,4 @@
 [
-	{
-		"name": "configuration | compute client secret hash",
-		"become": true,
-		"ansible.builtin.shell": {
-			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_wiki_js_client_secret}} | cut --delimiter=' ' --fields='2-'"
-		},
-		"register": "temp_authelia_for_wiki_js_client_secret_hashed"
-	},
 	{
 		"name": "configuration | emplace",
 		"become": true,

roles/authelia-for-wiki_js/templates/authelia-client-conf.json.j2

@@ -1,6 +1,6 @@
 {
 	"client_id": "{{var_authelia_for_wiki_js_client_id}}",
-	"client_secret": "{{temp_authelia_for_wiki_js_client_secret_hashed.stdout}}",
+	"client_secret": "{{var_authelia_for_wiki_js_client_secret}}",
 	"client_name": "Wiki.js",
 	"public": false,
 	"authorization_policy": "one_factor",
@@ -10,8 +10,7 @@
 	"scopes": [
 		"openid",
 		"email",
-		"profile",
+		"profile"
-		"groups"
 	],
 	"userinfo_signed_response_alg": "none",
 	"token_endpoint_auth_method": "client_secret_post"

roles/authelia/cfg.schema.json

@@ -1,449 +0,0 @@
-{
-	"nullable": false,
-	"type": "object",
-	"properties": {
-		"listen_address": {
-			"nullable": false,
-			"type": "string",
-			"default": "0.0.0.0"
-		},
-		"domain": {
-			"nullable": false,
-			"type": "string"
-		},
-		"session_domain": {
-			"nullable": false,
-			"type": "string"
-		},
-		"redirect_url": {
-			"nullable": false,
-			"type": "string"
-		},
-		"jwt_secret": {
-			"nullable": false,
-			"type": "string"
-		},
-		"session_secret": {
-			"nullable": false,
-			"type": "string"
-		},
-		"storage_encryption_key": {
-			"nullable": false,
-			"type": "string"
-		},
-		"users_file_path": {
-			"nullable": false,
-			"type": "string",
-			"default": "/var/authelia/users.yml"
-		},
-		"log_file_path": {
-			"nullable": false,
-			"type": "string",
-			"default": "/var/authelia/log.jsonl"
-		},
-		"storage": {
-			"anyOf": [
-				{
-					"nullable": false,
-					"type": "object",
-					"properties": {
-						"kind": {
-							"nullable": false,
-							"type": "string",
-							"enum": ["sqlite"],
-							"default": "sqlite"
-						},
-						"data": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-								"path": {
-									"nullable": false,
-									"type": "string",
-									"default": "/var/authelia/state.db"
-								}
-							},
-							"additionalProperties": false,
-							"required": [
-								"path"
-							],
-							"default": {
-							}
-						}
-					},
-					"additionalProperties": false,
-					"required": [
-						"kind",
-						"data"
-					],
-					"default": {
-					}
-				},
-				{
-					"nullable": false,
-					"type": "object",
-					"properties": {
-						"kind": {
-							"nullable": false,
-							"type": "string",
-							"enum": ["postgresql"]
-						},
-						"data": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-								"host": {
-									"nullable": false,
-									"type": "string",
-									"ddefault": "localhost"
-								},
-								"port": {
-									"nullable": false,
-									"type": "integer",
-									"default": 5432
-								},
-								"username": {
-									"nullable": false,
-									"type": "string",
-									"default": "authelia_user"
-								},
-								"password": {
-									"nullable": false,
-									"type": "string"
-								},
-								"schema": {
-									"nullable": false,
-									"type": "string",
-									"default": "authelia"
-								}
-							},
-							"additionalProperties": false,
-							"required": [
-								"host",
-								"port",
-								"username",
-								"password",
-								"schema"
-							],
-							"default": {
-							}
-						}
-					},
-					"additionalProperties": false,
-					"required": [
-						"kind",
-						"data"
-					],
-					"default": {
-					}
-				},
-				{
-					"nullable": false,
-					"type": "object",
-					"properties": {
-						"kind": {
-							"nullable": false,
-							"type": "string",
-							"enum": ["mariadb"]
-						},
-						"data": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-								"host": {
-									"nullable": false,
-									"type": "string",
-									"ddefault": "localhost"
-								},
-								"port": {
-									"nullable": false,
-									"type": "integer",
-									"default": 3306
-								},
-								"username": {
-									"nullable": false,
-									"type": "string",
-									"default": "authelia_user"
-								},
-								"password": {
-									"nullable": false,
-									"type": "string"
-								},
-								"schema": {
-									"nullable": false,
-									"type": "string",
-									"default": "authelia"
-								}
-							},
-							"additionalProperties": false,
-							"required": [
-								"host",
-								"port",
-								"username",
-								"password",
-								"schema"
-							],
-							"default": {
-							}
-						}
-					},
-					"additionalProperties": false,
-					"required": [
-						"kind",
-						"data"
-					],
-					"default": {
-					}
-				}
-			]
-		},
-		"ntp_server": {
-			"nullable": false,
-			"type": "string",
-			"default": "time.cloudflare.com:123"
-		},
-		"password_reset": {
-			"nullable": false,
-			"type": "object",
-			"properties": {
-				"enabled": {
-					"nullable": false,
-					"type": "boolean",
-					"default": false
-				},
-				"custom_url": {
-					"nullable": true,
-					"type": "string",
-					"default": null
-				}
-			},
-			"additionalProperties": false,
-			"required": [
-				"enabled",
-				"custom_url"
-			],
-			"default": {
-			}
-		},
-		"notification": {
-			"anyOf": [
-				{
-					"nullable": false,
-					"type": "object",
-					"properties": {
-						"kind": {
-							"nullable": false,
-							"type": "string",
-							"enum": ["file"],
-							"default": "file"
-						},
-						"data": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-								"path": {
-									"nullable": false,
-									"type": "string",
-									"default": "/var/authelia/notifications"
-								}
-							},
-							"additionalProperties": false,
-							"required": [
-								"path"
-							],
-							"default": {
-							}
-						}
-					},
-					"additionalProperties": false,
-					"required": [
-						"kind",
-						"data"
-					],
-					"default": {
-					}
-				},
-				{
-					"nullable": false,
-					"type": "object",
-					"properties": {
-						"kind": {
-							"nullable": false,
-							"type": "string",
-							"enum": ["smtp"],
-							"default": "smtp"
-						},
-						"data": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-								"host": {
-									"nullable": false,
-									"type": "string"
-								},
-								"port": {
-									"nullable": false,
-									"type": "integer",
-									"default": 465
-								},
-								"username": {
-									"nullable": false,
-									"type": "string",
-									"default": "authelia"
-								},
-								"password": {
-									"nullable": false,
-									"type": "string"
-								},
-								"sender": {
-									"nullable": false,
-									"type": "string",
-									"default": "authelia@example.org"
-								}
-							},
-							"additionalProperties": false,
-							"required": [
-								"host",
-								"port",
-								"username",
-								"password",
-								"sender"
-							]
-						}
-					},
-					"additionalProperties": false,
-					"required": [
-						"kind",
-						"data"
-					],
-					"default": {
-					}
-				}
-			]
-		},
-		"oidc": {
-			"nullable": false,
-			"type": "object",
-			"properties": {
-				"hmac_secret": {
-					"nullable": false,
-					"type": "string"
-				},
-				"lifespan": {
-					"nullable": false,
-					"type": "object",
-					"properties": {
-						"default": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-								"access_token": {
-									"nullable": false,
-									"type": "string",
-									"default": "1h"
-								},
-								"refresh_token": {
-									"nullable": false,
-									"type": "string",
-									"default": "1m"
-								}
-							},
-							"additionalProperties": false,
-							"required": [
-							],
-							"default": {
-							}
-						},
-						"custom": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-							},
-							"additionalProperties": {
-								"nullable": false,
-								"type": "object",
-								"properties": {
-									"access_token": {
-										"nullable": false,
-										"type": "string"
-									},
-									"refresh_token": {
-										"nullable": false,
-										"type": "string"
-									}
-								},
-								"additionalProperties": false,
-								"required": [
-									"access_token",
-									"refresh_token"
-								]
-							},
-							"required": [
-							],
-							"default": {
-								"long": {
-									"access_token": "2d",
-									"refresh_token": "3d"
-								}
-							}
-						}
-					},
-					"additionalProperties": false,
-					"required": [
-					],
-					"default": {
-					}
-				},
-				"cors_endpoints": {
-					"nullable": true,
-					"type": "array",
-					"items": {
-						"nullable": false,
-						"type": "string",
-						"enum": [
-							"authorization",
-							"pushed-authorization-request",
-							"token",
-							"revocation",
-							"introspection",
-							"userinfo"
-						]
-					},
-					"default": [
-						"authorization",
-						"token",
-						"revocation",
-						"introspection",
-						"userinfo"
-					]
-				}
-			},
-			"additionalProperties": false,
-			"required": [
-				"hmac_secret",
-				"lifespan",
-				"cors_endpoints"
-			],
-			"default": {
-			}
-		}
-	},
-	"additionalProperties": false,
-	"required": [
-		"listen_address",
-		"domain",
-		"session_domain",
-		"redirect_url",
-		"jwt_secret",
-		"session_secret",
-		"storage_encryption_key",
-		"users_file_path",
-		"log_file_path",
-		"storage",
-		"ntp_server",
-		"notification",
-		"oidc"
-	],
-	"default": {
-	}
-}

roles/authelia/defaults/main.json

@@ -1,45 +1,39 @@
 {
-	"cfg_authelia_defaults": {
+	"var_authelia_version": "4.37.5",
-		"listen_address": "0.0.0.0",
+	"var_authelia_architecture": "amd64",
-		"users_file_path": "/var/authelia/users.yml",
+	"var_authelia_listen_address": "0.0.0.0",
-		"log_file_path": "/var/authelia/log.jsonl",
+	"var_authelia_jwt_secret": "REPLACE_ME",
-		"storage": {
+	"var_authelia_users_file_path": "/var/authelia/users.yml",
-			"kind": "sqlite",
+	"var_authelia_log_file_path": "/var/authelia/log.jsonl",
-			"data": {
+	"var_authelia_domain": "authelia.example.org",
-				"path": "/var/authelia/state.db"
+	"var_authelia_redirect_url": "https://example.org",
-			}
+	"var_authelia_session_domain": "example.org",
-		},
+	"var_authelia_session_secret": "REPLACE_ME",
-		"ntp_server": "time.cloudflare.com:123",
+	"var_authelia_storage_encryption_key": "REPLACE_ME",
-		"password_reset": {
+	"var_authelia_storage_kind": "sqlite",
-			"enabled": false,
+	"var_authelia_storage_data_sqlite_path": "/var/authelia/state.db",
-			"custom_url": null
+	"var_authelia_storage_data_postgresql_host": "localhost",
-		},
+	"var_authelia_storage_data_postgresql_port": 5432,
-		"notification": {
+	"var_authelia_storage_data_postgresql_username": "authelia_user",
-			"kind": "file",
+	"var_authelia_storage_data_postgresql_password": "REPLACE_ME",
-			"data": {
+	"var_authelia_storage_data_postgresql_schema": "authelia",
-				"path": "/var/authelia/notifications"
+	"var_authelia_storage_data_mariadb_host": "localhost",
-			}
+	"var_authelia_storage_data_mariadb_port": 3306,
-		},
+	"var_authelia_storage_data_mariadb_username": "authelia_user",
-		"oidc": {
+	"var_authelia_storage_data_mariadb_password": "REPLACE_ME",
-			"lifespan": {
+	"var_authelia_storage_data_mariadb_schema": "authelia",
-				"default": {
+	"var_authelia_ntp_server": "time.cloudflare.com:123",
-					"access_token": "1d",
+	"var_authelia_password_reset_enabled": false,
-					"refresh_token": "1h"
+	"var_authelia_password_reset_custom_url": null,
-				},
+	"var_authelia_notification_mode": "smtp",
-				"custom": {
+	"var_authelia_notification_file_path": "/var/authelia/notifications",
-					"long": {
+	"var_authelia_notification_smtp_host": "smtp.example.org",
-						"access_token": "2d",
+	"var_authelia_notification_smtp_port": 465,
-						"refresh_token": "3d"
+	"var_authelia_notification_smtp_username": "authelia",
-					}
+	"var_authelia_notification_smtp_password": "REPLACE_ME",
-				}
+	"var_authelia_notification_smtp_sender": "authelia@example.org",
-			},
+	"var_authelia_oidc_hmac_secret": "REPLACE_ME",
-			"cors_endpoints": [
+	"var_authelia_oidc_lifespan_access_token": "1h",
-				"authorization",
+	"var_authelia_oidc_lifespan_refresh_token": "1m",
-				"token",
+	"var_authelia_oidc_cors_endpoints": null
-				"revocation",
-				"introspection",
-				"userinfo"
-			]
-		}
-	}
 }

roles/authelia/tasks/main.json

@@ -1,45 +1,32 @@
 [
 	{
-		"name": "show vars",
+		"name": "packages | prerequisites",
-		"when": "switch_show_vars",
-		"ansible.builtin.debug": {
-			"var": "vars.cfg_authelia"
-		}
-	},
-	{
-		"name": "packages",
-		"block": [
-			{
-				"name": "prerequisites",
 		"become": true,
 		"ansible.builtin.apt": {
 			"update_cache": true,
 			"pkg": [
 				"apt-transport-https",
-						"ca-certificates",
 				"gpg"
 			]
 		}
 	},
 	{
-				"name": "keys",
+		"name": "packages | keys",
 		"become": true,
-				"ansible.builtin.get_url": {
+		"ansible.builtin.apt_key": {
-					"url": "https://www.authelia.com/keys/authelia-security.gpg",
+			"url": "https://apt.authelia.com/organization/signing.asc"
-					"dest": "/usr/share/keyrings/authelia-security.gpg"
 		}
 	},
 	{
-				"name": "repository",
+		"name": "packages | repository",
 		"become": true,
-				"ansible.builtin.shell": {
+		"ansible.builtin.apt_repository": {
-					"cmd": "echo \"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/authelia-security.gpg] https://apt.authelia.com stable main\" > /etc/apt/sources.list.d/authelia.list",
+			"repo": "deb https://apt.authelia.com/stable/debian/debian/ all main"
-					"creates": "/etc/apt/sources.list.d/authelia.list"
 		}
 
 	},
 	{
-				"name": "installation",
+		"name": "packages | installation",
 		"become": true,
 		"ansible.builtin.apt": {
 			"update_cache": true,
@@ -50,8 +37,6 @@
 				"authelia"
 			]
 		}
-			}
-		]
 	},
 	{
 		"name": "generate private key for signing OIDC JWTs",
@@ -64,9 +49,6 @@
 		},
 		"register": "temp_tls_result"
 	},
-	{
-		"name": "configuration",
-		"block": [
 	{
 		"name": "configuration | compose script",
 		"become": true,
@@ -102,51 +84,40 @@
 		"ansible.builtin.command": {
 			"cmd": "/usr/bin/authelia-conf-compose --main-file-path=/etc/authelia/conf.d/main.json --clients-directory-path=/etc/authelia/conf.d/clients --output-format=yaml --output-path=/etc/authelia/configuration.yml"
 		}
-			}
-		]
 	},
 	{
 		"name": "setup log directory",
 		"become": true,
 		"ansible.builtin.file": {
 			"state": "directory",
-			"owner": "authelia",
+			"path": "{{var_authelia_log_file_path | dirname}}"
-			"group": "authelia",
-			"path": "{{cfg_authelia.log_file_path | dirname}}"
 		}
 	},
 	{
-		"name": "users",
+		"name": "users | directory",
-		"block": [
-			{
-				"name": "directory",
 		"become": true,
 		"ansible.builtin.file": {
 			"state": "directory",
-					"owner": "authelia",
+			"path": "{{var_authelia_users_file_path | dirname}}"
-					"group": "authelia",
-					"path": "{{cfg_authelia.users_file_path | dirname}}"
 		}
 	},
 	{
-				"name": "initial file",
+		"name": "users | initial file",
 		"become": true,
 		"ansible.builtin.template": {
 			"src": "users.yml.j2",
-					"dest": "{{cfg_authelia.users_file_path}}",
+			"dest": "{{var_authelia_users_file_path}}",
 			"force": false
 		}
 	},
 	{
-				"name": "management script",
+		"name": "users | management script",
 		"become": true,
 		"ansible.builtin.copy": {
 			"src": "user-manage.py",
 			"dest": "/usr/bin/authelia-user-manage",
 			"mode": "0700"
 		}
-			}
-		]
 	},
 	{
 		"name": "apply",

roles/authelia/templates/conf-main.json.j2

@@ -2,12 +2,12 @@
 	"theme": "auto",
 	"identity_validation": {
 		"reset_password": {
-			"jwt_secret": "{{cfg_authelia.jwt_secret}}"
+			"jwt_secret": "{{var_authelia_jwt_secret}}"
 		}
 	},
 	"default_2fa_method": "totp",
 	"server": {
-		"address": "{{cfg_authelia.listen_address}}:9091",
+		"address": "{{var_authelia_listen_address}}:9091",
 		"endpoints": {
 			"enable_pprof": false,
 			"enable_expvars": false
@@ -17,7 +17,7 @@
 	"log": {
 		"level": "info",
 		"format": "json",
-		"file_path": "{{cfg_authelia.log_file_path}}",
+		"file_path": "{{var_authelia_log_file_path}}",
 		"keep_stdout": false
 	},
 	"telemetry": {
@@ -43,7 +43,7 @@
 		"user_verification": "preferred"
 	},
 	"ntp": {
-		"address": "{{cfg_authelia.ntp_server}}",
+		"address": "{{var_authelia_ntp_server}}",
 		"version": 4,
 		"max_desync": "3s",
 		"disable_startup_check": false,
@@ -51,16 +51,16 @@
 	},
 	"authentication_backend": {
 		"password_reset": {
-{% if cfg_authelia.password_reset.enabled %}
+{% if var_authelia_password_reset_enabled %}
 			"disable": false,
 {% else %}
 			"disable": true,
 {% endif %}
-			"custom_url": {{cfg_authelia.password_reset.custom_url | to_json}}
+			"custom_url": "{{var_authelia_password_reset_custom_url}}"
 		},
 		"refresh_interval": "5m",
 		"file": {
-			"path": "{{cfg_authelia.users_file_path}}",
+			"path": "{{var_authelia_users_file_path}}",
 			"watch": true,
 			"search": {
 				"email": false,
@@ -121,15 +121,15 @@
 	"session": {
 		"name": "authelia_session",
 		"same_site": "lax",
-		"secret": "{{cfg_authelia.session_secret}}",
+		"secret": "{{var_authelia_session_secret}}",
 		"expiration": "1h",
 		"inactivity": "5m",
 		"remember_me": "1M",
 		"cookies": [
 			{
-				"domain": "{{cfg_authelia.session_domain}}",
+				"domain": "{{var_authelia_session_domain}}",
-				"authelia_url": "https://{{cfg_authelia.domain}}/",
+				"authelia_url": "https://{{var_authelia_domain}}/",
-				"default_redirection_url": "{{cfg_authelia.redirect_url}}"
+				"default_redirection_url": "{{var_authelia_redirect_url}}"
 			}
 		]
 	},
@@ -139,44 +139,45 @@
 		"ban_time": "5m"
 	},
 	"storage": {
-		"encryption_key": "{{cfg_authelia.storage_encryption_key}}",
+		"encryption_key": "{{var_authelia_storage_encryption_key}}",
-{% if cfg_authelia.storage.kind == "sqlite" %}
+{% if var_authelia_storage_kind == "sqlite" %}
 		"local": {
-			"path": "{{cfg_authelia.storage.data.path}}"
+			"path": "{{var_authelia_storage_data_sqlite_path}}"
 		}
 {% endif %}
-{% if cfg_authelia.storage.kind == "postgresql" %}
+{% if var_authelia_storage_kind == "postgresql" %}
 		"postgres": {
-			"address": "{{cfg_authelia.storage.data.host}}:{{cfg_authelia.storage.data.port | string}}",
+			"address": "{{var_authelia_storage_data_postgresql_host}}:{{var_authelia_storage_data_postgresql_port | string}}",
 			"schema": "public",
-			"username": "{{cfg_authelia.storage.data.username}}",
+			"username": "{{var_authelia_storage_data_postgresql_username}}",
-			"password": "{{cfg_authelia.storage.data.password}}",
+			"password": "{{var_authelia_storage_data_postgresql_password}}",
-			"database": "{{cfg_authelia.storage.data.schema}}"
+			"database": "{{var_authelia_storage_data_postgresql_schema}}"
 		}
 {% endif %}
-{% if cfg_authelia.storage.kind == "mariadb" %}
+{% if var_authelia_storage_kind == "mariadb" %}
 		"mysql": {
-			"host": "{{cfg_authelia.storage.data.host}}",
+			"host": "{{var_authelia_storage_data_mariadb_host}}",
-			"port": {{cfg_authelia.storage.data.port | string}},
+			"port": {{var_authelia_storage_data_mariadb_port | string}},
-			"username": "{{cfg_authelia.storage.data.username}}",
+			"username": "{{var_authelia_storage_data_mariadb_username}}",
-			"password": "{{cfg_authelia.storage.data.password}}",
+			"password": "{{var_authelia_storage_data_mariadb_password}}",
-			"database": "{{cfg_authelia.storage.data.schema}}"
+			"database": "{{var_authelia_storage_data_mariadb_schema}}"
 		}
 {% endif %}
 	},
 	"notifier": {
 		"disable_startup_check": true,
-{% if cfg_authelia.notification.kind == "file" %}
+{% if var_authelia_notification_mode == "file" %}
 		"filesystem": {
-			"filename": "{{cfg_authelia.notification.data.path}}"
+			"filename": "{{var_authelia_notification_file_path}}"
 		}
 {% endif %}
-{% if cfg_authelia.notification.kind == "smtp" %}
+{% if var_authelia_notification_mode == "smtp" %}
 		"smtp": {
-			"address": "{{cfg_authelia.notification.data.host}}:{{cfg_authelia.notification.data.port | string}}",
+			"host": "{{var_authelia_notification_smtp_host}}",
-			"username": "{{cfg_authelia.notification.data.username}}",
+			"port": {{var_authelia_notification_smtp_port | string}},
-			"password": "{{cfg_authelia.notification.data.password}}",
+			"username": "{{var_authelia_notification_smtp_username}}",
-			"sender": "{{cfg_authelia.notification.data.sender}}",
+			"password": "{{var_authelia_notification_smtp_password}}",
+			"sender": "{{var_authelia_notification_smtp_sender}}",
 			"disable_require_tls": false,
 			"disable_html_emails": false,
 			"tls": {
@@ -187,23 +188,17 @@
 	},
 	"identity_providers": {
 		"oidc": {
-			"hmac_secret": "{{cfg_authelia.oidc.hmac_secret}}",
+			"hmac_secret": "{{var_authelia_oidc_hmac_secret}}",
-			"jwks": [
+			"issuer_private_key": "{{temp_tls_result.privatekey | replace('\n', '\\n')}}",
-				{
-					"algorithm": "RS256",
-					"key": "{{temp_tls_result.privatekey | replace('\n', '\\n')}}"
-				}
-			],
 			"lifespans": {
-				"access_token": "{{cfg_authelia.oidc.lifespan.default.access_token}}",
+				"access_token": "{{var_authelia_oidc_lifespan_access_token}}",
-				"refresh_token": "{{cfg_authelia.oidc.lifespan.default.refresh_token}}",
+				"refresh_token": "{{var_authelia_oidc_lifespan_refresh_token}}"
-				"custom": {{cfg_authelia.oidc.lifespan.custom | to_json}}
 			},
 			"cors": {
 				"allowed_origins_from_client_redirect_uris": true
-{% if cfg_authelia.oidc.cors_endpoints == None %}
+{% if var_authelia_oidc_cors_endpoints == None %}
 {% else %}
-				,"endpoints": {{cfg_authelia.oidc.cors_endpoints | to_json}}
+				,"endpoints": {{var_authelia_oidc_cors_endpoints | to_json}}
 {% endif %}
 			},
 			"clients": [

roles/authelia/vardef.json

@@ -0,0 +1,169 @@
+{
+	"version": {
+		"type": "string",
+		"mandatory": false
+	},
+	"architecture": {
+		"type": "string",
+		"mandatory": false
+	},
+	"listen_address": {
+		"type": "string",
+		"mandatory": false
+	},
+	"jwt_secret": {
+		"type": "string",
+		"mandatory": true
+	},
+	"users_file_path": {
+		"type": "string",
+		"mandatory": false
+	},
+	"log_file_path": {
+		"type": "string",
+		"mandatory": false
+	},
+	"domain": {
+		"type": "string",
+		"mandatory": false
+	},
+	"redirect_url": {
+		"type": "string",
+		"mandatory": false
+	},
+	"session_domain": {
+		"type": "string",
+		"mandatory": false
+	},
+	"session_secret": {
+		"type": "string",
+		"mandatory": true
+	},
+	"storage_encryption_key": {
+		"type": "string",
+		"mandatory": true
+	},
+	"storage_kind": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_sqlite_path": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_postgresql_host": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_postgresql_port": {
+		"type": "integer",
+		"mandatory": false
+	},
+	"storage_data_postgresql_username": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_postgresql_password": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_postgresql_schema": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_mariadb_host": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_mariadb_port": {
+		"type": "integer",
+		"mandatory": false
+	},
+	"storage_data_mariadb_username": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_mariadb_password": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_mariadb_schema": {
+		"type": "string",
+		"mandatory": false
+	},
+	"ntp_server": {
+		"type": "string",
+		"mandatory": false
+	},
+	"password_reset_enabled": {
+		"type": "boolean",
+		"mandatory": false
+	},
+	"password_reset_custom_url": {
+		"nullable": true,
+		"type": "string",
+		"mandatory": false
+	},
+	"notification_mode": {
+		"type": "string",
+		"mandatory": false,
+		"options": [
+			"file",
+			"smtp"
+		]
+	},
+	"notification_file_path": {
+		"type": "string",
+		"mandatory": false
+	},
+	"notification_smtp_host": {
+		"type": "string",
+		"mandatory": false
+	},
+	"notification_smtp_port": {
+		"type": "integer",
+		"mandatory": false
+	},
+	"notification_smtp_username": {
+		"type": "string",
+		"mandatory": false
+	},
+	"notification_smtp_password": {
+		"type": "string",
+		"mandatory": false
+	},
+	"notification_smtp_sender": {
+		"type": "string",
+		"mandatory": false
+	},
+	"oidc_hmac_secret": {
+		"type": "string",
+		"mandatory": true
+	},
+	"oidc_lifespan_access_token": {
+		"nullable": true,
+		"type": "string",
+		"mandatory": false
+	},
+	"oidc_lifespan_refresh_token": {
+		"nullable": true,
+		"type": "string",
+		"mandatory": false
+	},
+	"oidc_cors_endpoints": {
+		"nullable": true,
+		"type": "array",
+		"items": {
+			"type": "string",
+			"enum": [
+				"authorization",
+				"pushed-authorization-request",
+				"token",
+				"revocation",
+				"introspection",
+				"userinfo"
+			]
+		},
+		"mandatory": false
+	}
+}

roles/forgejo/defaults/main.json

@@ -2,7 +2,7 @@
 	"var_forgejo_user": "forgejo",
 	"var_forgejo_directory_main": "/opt/forgejo",
 	"var_forgejo_directory_repositories": "/var/forgejo/repositories",
-	"var_forgejo_version": "10.0.3",
+	"var_forgejo_version": "7.0.5",
 	"var_forgejo_platform": "linux-amd64",
 	"var_forgejo_secret_key": "REPLACE_ME",
 	"var_forgejo_internal_token": "REPLACE_ME",

roles/hedgedoc-and-nginx/cfg.schema.json

@@ -1,24 +0,0 @@
-{
-	"nullable": false,
-	"type": "object",
-	"properties": {
-		"domain": {
-			"nullable": false,
-			"type": "string"
-		},
-		"tls_mode": {
-			"nullable": false,
-			"type": "string",
-			"options": [
-				"disable",
-				"enable",
-				"force"
-			],
-			"default": "force"
-		}
-	},
-	"additionalProperties": false,
-	"required": [
-		"domain"
-	]
-}

roles/hedgedoc-and-nginx/defaults/main.json

@@ -1,5 +1,4 @@
 {
-	"cfg_hedgedoc_and_nginx_defaults": {
+	"var_hedgedoc_and_nginx_domain": "hedgedoc.example.org",
-		"tls_mode": "force"
+	"var_hedgedoc_and_nginx_tls_mode": "force"
-	}
 }

roles/hedgedoc-and-nginx/tasks/main.json

@@ -1,11 +1,4 @@
 [
-	{
-		"name": "show vars",
-		"when": "switch_show_vars",
-		"ansible.builtin.debug": {
-			"var": "vars.cfg_hedgedoc_and_nginx"
-		}
-	},
 	{
 		"name": "deactivate default site",
 		"become": true,
@@ -19,7 +12,7 @@
 		"become": true,
 		"ansible.builtin.template": {
 			"src": "conf.j2",
-			"dest": "/etc/nginx/sites-available/{{cfg_hedgedoc_and_nginx.domain}}"
+			"dest": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}"
 		}
 	},
 	{
@@ -27,8 +20,8 @@
 		"become": true,
 		"ansible.builtin.file": {
 			"state": "link",
-			"src": "/etc/nginx/sites-available/{{cfg_hedgedoc_and_nginx.domain}}",
+			"src": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}",
-			"dest": "/etc/nginx/sites-enabled/{{cfg_hedgedoc_and_nginx.domain}}"
+			"dest": "/etc/nginx/sites-enabled/{{var_hedgedoc_and_nginx_domain}}"
 		}
 	},
 	{

roles/hedgedoc-and-nginx/templates/conf.j2

@@ -24,27 +24,27 @@ map $http_upgrade $connection_upgrade {
 {% endmacro %}
 
 server {
-	server_name {{cfg_hedgedoc_and_nginx.domain}};
+	server_name {{var_hedgedoc_and_nginx_domain}};
 	
 	listen 80;
 	listen [::]:80;
 	
-{% if (cfg_hedgedoc_and_nginx.tls_mode == 'force') %}
+{% if (var_element_and_nginx_tls_mode == 'force') %}
 	return 301 https://$http_host$request_uri;
 {% else %}
 {{ hedgedoc_common() }}
 {% endif %}
 }
 
-{% if (cfg_hedgedoc_and_nginx.tls_mode != 'disable') %}
+{% if (var_hedgedoc_and_nginx_tls_mode != 'disable') %}
 server {
-	server_name {{cfg_hedgedoc_and_nginx.domain}};
+	server_name {{var_hedgedoc_and_nginx_domain}};
 	
 	listen [::]:443 ssl http2;
 	listen 443 ssl http2;
 	
-	ssl_certificate_key /etc/ssl/private/{{cfg_hedgedoc_and_nginx.domain}}.pem;
+	ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem;
-	ssl_certificate /etc/ssl/fullchains/{{cfg_hedgedoc_and_nginx.domain}}.pem;
+	ssl_certificate /etc/ssl/fullchains/{{var_hedgedoc_and_nginx_domain}}.pem;
 	include /etc/nginx/ssl-hardening.conf;
 	
 {{ hedgedoc_common() }}

roles/hedgedoc-and-nginx/vardef.json

@@ -0,0 +1,15 @@
+{
+	"domain": {
+		"type": "string",
+		"mandatory": false
+	},
+	"tls_mode": {
+		"type": "string",
+		"options": [
+			"disable",
+			"enable",
+			"force"
+		],
+		"mandatory": false
+	}
+}

roles/hedgedoc/cfg.schema.json

@@ -1,248 +0,0 @@
-{
-	"nullable": false,
-	"type": "object",
-	"properties": {
-		"user_name": {
-			"nullable": false,
-			"type": "string",
-			"default": "hedgedoc"
-		},
-		"directory": {
-			"nullable": false,
-			"type": "string",
-			"default": "/opt/hedgedoc"
-		},
-		"version": {
-			"nullable": false,
-			"type": "string",
-			"default": "1.10.3"
-		},
-		"domain": {
-			"nullable": false,
-			"type": "string"
-		},
-		"session_secret": {
-			"nullable": false,
-			"type": "string"
-		},
-		"database": {
-			"anyOf": [
-				{
-					"nullable": false,
-					"type": "object",
-					"properties": {
-						"kind": {
-							"nullable": false,
-							"type": "string",
-							"enum": ["sqlite"],
-							"default": "sqlite"
-						},
-						"data": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-								"path": {
-									"nullable": false,
-									"type": "string",
-									"default": "/var/hedgedoc/data.sqlite"
-								}
-							},
-							"additionalProperties": false,
-							"required": [
-								"path"
-							],
-							"default": {
-							}
-						}
-					},
-					"additionalProperties": false,
-					"required": [
-						"kind",
-						"data"
-					]
-				},
-				{
-					"nullable": false,
-					"type": "object",
-					"properties": {
-						"kind": {
-							"nullable": false,
-							"type": "string",
-							"enum": ["postgresql"],
-							"default": "postgresql"
-						},
-						"data": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-								"host": {
-									"nullable": false,
-									"type": "string",
-									"default": "localhost"
-								},
-								"port": {
-									"nullable": false,
-									"type": "integer",
-									"default": 5432
-								},
-								"username": {
-									"nullable": false,
-									"type": "string",
-									"default": "hedgedoc_user"
-								},
-								"password": {
-									"nullable": false,
-									"type": "string"
-								},
-								"schema": {
-									"nullable": false,
-									"type": "string",
-									"default": "hedgedoc"
-								}
-							},
-							"additionalProperties": false,
-							"required": [
-								"host",
-								"port",
-								"username",
-								"password",
-								"schema"
-							]
-						}
-					},
-					"additionalProperties": false,
-					"required": [
-						"kind",
-						"data"
-					]
-				}
-			]
-		},
-		"authentication": {
-			"anyOf": [
-				{
-					"nullable": false,
-					"type": "object",
-					"properties": {
-						"kind": {
-							"nullable": false,
-							"type": "string",
-							"enum": ["internal"],
-							"default": "internal"
-						},
-						"data": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-							},
-							"additionalProperties": false,
-							"required": [
-							],
-							"default": {
-							}
-						}
-					},
-					"additionalProperties": false,
-					"required": [
-						"kind",
-						"data"
-					]
-				},
-				{
-					"nullable": false,
-					"type": "object",
-					"properties": {
-						"kind": {
-							"nullable": false,
-							"type": "string",
-							"enum": ["authelia"],
-							"default": "authelia"
-						},
-						"data": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-								"url_base": {
-									"nullable": false,
-									"type": "string"
-								},
-								"client_id": {
-									"nullable": false,
-									"type": "string",
-									"default": "hedgedoc"
-								},
-								"client_secret": {
-									"nullable": false,
-									"type": "string"
-								},
-								"provider_name": {
-									"nullable": false,
-									"type": "string",
-									"default": "Authelia"
-								}
-							},
-							"additionalProperties": false,
-							"required": [
-								"url_base",
-								"client_id",
-								"client_secret",
-								"provider_name"
-							]	
-						}
-					},
-					"additionalProperties": false,
-					"required": [
-						"kind",
-						"data"
-					]
-				}
-			]
-		},
-		"guest_allow_create": {
-			"nullable": false,
-			"type": "boolean",
-			"default": false
-		},
-		"guest_allow_change": {
-			"nullable": false,
-			"type": "boolean",
-			"default": false
-		},
-		"free_names_mode": {
-			"nullable": false,
-			"type": "string",
-			"enum": [
-				"never",
-				"authed",
-				"always"
-			],
-			"default": "authed"
-		},
-		"log_level": {
-			"nullable": false,
-			"type": "string",
-			"enum": [
-				"debug",
-				"verbose",
-				"info",
-				"warn",
-				"error"
-			],
-			"default": "error"
-		}
-	},
-	"additionalProperties": false,
-	"required": [
-		"user_name",
-		"directory",
-		"version",
-		"domain",
-		"session_secret",
-		"database",
-		"authentication",
-		"guest_allow_create",
-		"guest_allow_change",
-		"free_names_mode",
-		"log_level"
-	]
-}

roles/hedgedoc/defaults/main.json

@@ -1,22 +1,21 @@
 {
-	"cfg_hedgedoc_defaults": {
+	"var_hedgedoc_user_name": "hedgedoc",
-		"user_name": "hedgedoc",
+	"var_hedgedoc_directory": "/opt/hedgedoc",
-		"directory": "/opt/hedgedoc",
+	"var_hedgedoc_version": "1.9.9",
-		"version": "1.10.3",
+	"var_hedgedoc_session_secret": "REPLACE_ME",
-		"database": {
+	"var_hedgedoc_database_kind": "sqlite",
-			"kind": "sqlite",
+	"var_hedgedoc_database_data_sqlite_path": "/var/hedgedoc/data.sqlite",
-			"data": {
+	"var_hedgedoc_database_data_postgresql_host": "localhost",
-				"path": "/var/hedgedoc/data.sqlite"
+	"var_hedgedoc_database_data_postgresql_port": 5432,
-			}
+	"var_hedgedoc_database_data_postgresql_username": "hedgedoc_user",
-		},
+	"var_hedgedoc_database_data_postgresql_password": "REPLACE_ME",
-		"authentication": {
+	"var_hedgedoc_database_data_postgresql_schema": "hedgedoc",
-			"kind": "internal",
+	"var_hedgedoc_domain": "hedgedoc.example.org",
-			"data": {
+	"var_hedgedoc_authentication_kind": "internal",
-			}
+	"var_hedgedoc_authentication_data_authelia_client_id": "hedgedoc",
-		},
+	"var_hedgedoc_authentication_data_authelia_client_secret": "REPLACE_ME",
-		"guest_allow_create": false,
+	"var_hedgedoc_authentication_data_authelia_url_base": "https://authelia.example.org",
-		"guest_allow_change": false,
+	"var_hedgedoc_guest_allow_create": false,
-		"free_names_mode": "authed",
+	"var_hedgedoc_guest_allow_change": false,
-		"log_level": "error"
+	"var_hedgedoc_free_names_mode": "authed"
-	}
 }

roles/hedgedoc/tasks/main.json

@@ -1,11 +1,4 @@
 [
-	{
-		"name": "show vars",
-		"when": "switch_show_vars",
-		"ansible.builtin.debug": {
-			"var": "vars.cfg_hedgedoc"
-		}
-	},
 	{
 		"name": "packages",
 		"become": true,
@@ -33,41 +26,16 @@
 		"name": "user",
 		"become": true,
 		"ansible.builtin.user": {
-			"name": "{{cfg_hedgedoc.user_name}}",
+			"name": "{{var_hedgedoc_user_name}}",
 			"create_home": true,
-			"home": "{{cfg_hedgedoc.directory}}"
+			"home": "{{var_hedgedoc_directory}}"
 		}
 	},
-	{
-		"name": "database",
-		"when": "cfg_hedgedoc.database.kind == 'sqlite'",
-		"block": [
-			{
-				"name": "database | directory",
-				"become": true,
-				"ansible.builtin.file": {
-					"state": "directory",
-					"path": "{{cfg_hedgedoc.database.data.sqlite.path | dirname}}",
-					"owner": "{{cfg_hedgedoc.user_name}}"
-				}
-			},
-			{
-				"name": "database | file",
-				"become": true,
-				"ansible.builtin.file": {
-					"state": "touch",
-					"path": "{{cfg_hedgedoc.database.data.sqlite.path}}",
-					"owner": "{{cfg_hedgedoc.user_name}}"
-				}
-			}
-		]
-
-	},
 	{
 		"name": "download",
 		"become": false,
 		"ansible.builtin.get_url": {
-			"url": "https://github.com/hedgedoc/hedgedoc/releases/download/{{cfg_hedgedoc.version}}/hedgedoc-{{cfg_hedgedoc.version}}.tar.gz",
+			"url": "https://github.com/hedgedoc/hedgedoc/releases/download/{{var_hedgedoc_version}}/hedgedoc-{{var_hedgedoc_version}}.tar.gz",
 			"dest": "/tmp/hedgedoc.tar.gz"
 		}
 	},
@@ -77,8 +45,8 @@
 		"ansible.builtin.unarchive": {
 			"remote_src": true,
 			"src": "/tmp/hedgedoc.tar.gz",
-			"dest": "{{cfg_hedgedoc.directory | dirname}}",
+			"dest": "{{var_hedgedoc_directory | dirname}}",
-			"owner": "{{cfg_hedgedoc.user_name}}"
+			"owner": "{{var_hedgedoc_user_name}}"
 		}
 	},
 	{
@@ -86,7 +54,7 @@
 		"become": true,
 		"become_user": "hedgedoc",
 		"ansible.builtin.command": {
-			"chdir": "{{cfg_hedgedoc.directory}}",
+			"chdir": "{{var_hedgedoc_directory}}",
 			"cmd": "bin/setup"
 		}
 	},
@@ -95,7 +63,7 @@
 		"become": true,
 		"ansible.builtin.template": {
 			"src": "config.json.j2",
-			"dest": "{{cfg_hedgedoc.directory}}/config.json"
+			"dest": "{{var_hedgedoc_directory}}/config.json"
 		}
 	},
 	{

roles/hedgedoc/templates/config.json.j2

@@ -1,61 +1,61 @@
 {
 	"production": {
-		"loglevel": "{{cfg_hedgedoc.log_level}}",
+		"loglevel": "error",
-{% if cfg_hedgedoc.database.kind == 'sqlite' %}
+{% if var_hedgedoc_database_kind == 'sqlite' %}
 		"db": {
 			"dialect": "sqlite",
-			"storage": "{{cfg_hedgedoc.database.data.sqlite.path}}"
+			"storage": "{{var_hedgedoc_database_data_sqlite_path}}"
 		},
 {% endif %}
-{% if cfg_hedgedoc.database.kind == 'postgresql' %}
+{% if var_hedgedoc_database_kind == 'postgresql' %}
 		"db": {
 			"dialect": "postgres",
-			"host": "{{cfg_hedgedoc.database.data.postgresql.host}}",
+			"host": "{{var_hedgedoc_database_data_postgresql_host}}",
-			"port": {{cfg_hedgedoc.database.data.postgresql.port | to_json}},
+			"port": {{var_hedgedoc_database_data_postgresql_port | to_json}},
-			"username": "{{cfg_hedgedoc.database.data.postgresql.username}}",
+			"username": "{{var_hedgedoc_database_data_postgresql_username}}",
-			"password": "{{cfg_hedgedoc.database.data.postgresql.password}}",
+			"password": "{{var_hedgedoc_database_data_postgresql_password}}",
-			"database": "{{cfg_hedgedoc.database.data.postgresql.schema}}"
+			"database": "{{var_hedgedoc_database_data_postgresql_schema}}"
 		},
 {% endif %}
-		"sessionSecret": "{{cfg_hedgedoc.session_secret}}",
+		"sessionSecret": "{{var_hedgedoc_session_secret}}",
 		"host": "localhost",
 		"allowOrigin": [
 			"localhost"
 		],
-		"domain": "{{cfg_hedgedoc.domain}}",
+		"domain": "{{var_hedgedoc_domain}}",
 		"urlAddPort": false,
 		"protocolUseSSL": true,
-{% if cfg_hedgedoc.authentication.kind == 'internal' %}
+{% if var_hedgedoc_authentication_kind == 'internal' %}
 		"email": true,
 		"allowEmailRegister": true,
 {% endif %}
-{% if cfg_hedgedoc.authentication.kind == 'authelia' %}
+{% if var_hedgedoc_authentication_kind == 'authelia' %}
 		"oauth2": {
-			"providerName": "{{cfg_hedgedoc.authentication.data.authelia.provider_name}}",
+			"providerName": "{{var_hedgedoc_authentication_data_authelia_provider_name}}",
-			"clientID": "{{cfg_hedgedoc.authentication.data.authelia.client_id}}",
+			"clientID": "{{var_hedgedoc_authentication_data_authelia_client_id}}",
-			"clientSecret": "{{cfg_hedgedoc.authentication.data.authelia.client_secret}}",
+			"clientSecret": "{{var_hedgedoc_authentication_data_authelia_client_secret}}",
 			"scope": "openid email profile",
 			"userProfileUsernameAttr": "sub",
 			"userProfileDisplayNameAttr": "name",
 			"userProfileEmailAttr": "email",
-			"userProfileURL": "{{cfg_hedgedoc.authentication.data.authelia.url_base}}/api/oidc/userinfo",
+			"userProfileURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/api/oidc/userinfo",
-			"tokenURL": "{{cfg_hedgedoc.authentication.data.authelia.url_base}}/api/oidc/token",
+			"tokenURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/api/oidc/token",
-			"authorizationURL": "{{cfg_hedgedoc.authentication.data.authelia.url_base}}/api/oidc/authorization"
+			"authorizationURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/api/oidc/authorize"
 		},
 		"email": false,
 		"allowEmailRegister": false,
 {% endif %}
-		"allowAnonymous": {{cfg_hedgedoc.guest_allow_create | to_json}},
+		"allowAnonymous": {{var_hedgedoc_guest_allow_create | to_json}},
-		"allowAnonymousEdits": {{cfg_hedgedoc.guest_allow_change | to_json}},
+		"allowAnonymousEdits": {{var_hedgedoc_guest_allow_change | to_json}},
-{% if cfg_hedgedoc.free_names_mode == 'never' %}
+{% if var_hedgedoc_free_names_mode == 'never' %}
 		"allowFreeURL": false,
 		"requireFreeURLAuthentication": false,
 {% endif %}
-{% if cfg_hedgedoc.free_names_mode == 'authed' %}
+{% if var_hedgedoc_free_names_mode == 'authed' %}
 		"allowFreeURL": true,
 		"requireFreeURLAuthentication": true,
 {% endif %}
-{% if cfg_hedgedoc.free_names_mode == 'always' %}
+{% if var_hedgedoc_free_names_mode == 'always' %}
 		"allowFreeURL": true,
 		"requireFreeURLAuthentication": false,
 {% endif %}

roles/hedgedoc/templates/systemd-unit.j2

@@ -3,8 +3,8 @@ Description=Hedgedoc
 After=multi-user.target
 
 [Service]
-WorkingDirectory={{cfg_hedgedoc.directory}}
+WorkingDirectory={{var_hedgedoc_directory}}
-User={{cfg_hedgedoc.user_name}}
+User={{var_hedgedoc_user_name}}
 Environment="NODE_ENV=production"
 ExecStart=yarn start
 SyslogIdentifier=hedgedoc

roles/hedgedoc/vardef.json

@@ -0,0 +1,87 @@
+{
+	"user_name": {
+		"type": "string",
+		"mandatory": false
+	},
+	"directory": {
+		"type": "string",
+		"mandatory": false
+	},
+	"version": {
+		"type": "string",
+		"mandatory": false
+	},
+	"session_secret": {
+		"type": "string",
+		"mandatory": true
+	},
+	"database_kind": {
+		"type": "string",
+		"mandatory": false,
+		"options": [
+			"sqlite",
+			"postgresql",
+			"mariadb"
+		]
+	},
+	"database_data_sqlite_path": {
+		"type": "string",
+		"mandatory": false
+	},
+	"database_data_postgresql_host": {
+		"type": "string",
+		"mandatory": false
+	},
+	"database_data_postgresql_port": {
+		"type": "integer",
+		"mandatory": false
+	},
+	"database_data_postgresql_username": {
+		"type": "string",
+		"mandatory": false
+	},
+	"database_data_postgresql_password": {
+		"type": "string",
+		"mandatory": false
+	},
+	"database_data_postgresql_schema": {
+		"type": "string",
+		"mandatory": false
+	},
+	"domain": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_kind": {
+		"type": "string",
+		"mandatory": false,
+		"options": [
+			"internal",
+			"authelia"
+		]
+	},
+	"authentication_data_authelia_client_id": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_data_authelia_client_secret": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_data_authelia_url_base": {
+		"type": "string",
+		"mandatory": false
+	},
+	"guest_allow_create": {
+		"type": "boolean",
+		"mandatory": false
+	},
+	"guest_allow_change": {
+		"type": "boolean",
+		"mandatory": false
+	},
+	"free_names_mode": {
+		"type": "string",
+		"mandatory": false
+	}
+}

roles/mas-and-nginx/defaults/main.json

@@ -0,0 +1,5 @@
+{
+	"var_mas_and_nginx_server_port": 2839,
+	"var_mas_and_nginx_domain": "REPLACE_ME",
+	"var_mas_and_nginx_tls_mode": "force"
+}

roles/mas-and-nginx/info.md

@@ -0,0 +1,8 @@
+## Beschreibung
+
+- zur Einrichtung von [nginx](../nginx) als Reverse-Proxy für [MAS](../mas)
+
+
+## Verweise
+
+- [MAS-Dokumentation | Configuring a reverse proxy](https://element-hq.github.io/matrix-authentication-service/setup/reverse-proxy.html)

roles/mas-and-nginx/tasks/main.json

@@ -12,7 +12,7 @@
 		"become": true,
 		"ansible.builtin.template": {
 			"src": "conf.j2",
-			"dest": "/etc/nginx/sites-available/{{var_tandoor_and_nginx_domain}}"
+			"dest": "/etc/nginx/sites-available/{{var_mas_and_nginx_domain}}"
 		}
 	},
 	{
@@ -20,8 +20,8 @@
 		"become": true,
 		"ansible.builtin.file": {
 			"state": "link",
-			"src": "/etc/nginx/sites-available/{{var_tandoor_and_nginx_domain}}",
+			"src": "/etc/nginx/sites-available/{{var_mas_and_nginx_domain}}",
-			"dest": "/etc/nginx/sites-enabled/{{var_tandoor_and_nginx_domain}}"
+			"dest": "/etc/nginx/sites-enabled/{{var_mas_and_nginx_domain}}"
 		}
 	},
 	{

roles/mas-and-nginx/templates/conf.j2

@@ -0,0 +1,36 @@
+{% macro mas_common() %}
+	location / {
+		proxy_http_version 1.1;
+		proxy_pass http://localhost:{{var_mas_and_nginx_server_port | string}};
+		
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	}
+{% endmacro %}
+
+server {
+	server_name {{var_mas_and_nginx_domain}};
+	
+	listen 80;
+	listen [::]:80;
+	
+{% if (var_mas_and_nginx_tls_mode == 'force') %}
+	return 301 https://$http_host$request_uri;
+{% else %}
+{{ mas_common() }}
+{% endif %}
+}
+
+{% if (var_mas_and_nginx_tls_mode != 'disable') %}
+server {
+	server_name {{var_mas_and_nginx_domain}};
+	
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+	
+	ssl_certificate_key /etc/ssl/private/{{var_mas_and_nginx_domain}}.pem;
+	ssl_certificate /etc/ssl/fullchains/{{var_mas_and_nginx_domain}}.pem;
+	include /etc/nginx/ssl-hardening.conf;
+	
+{{ mas_common() }}
+}
+{% endif %}

roles/mas-and-nginx/vardef.json

@@ -1,19 +1,19 @@
 {
-	"domain": {
-		"mandatory": false,
-		"type": "string"
-	},
 	"port": {
-		"mandatory": false,
+		"type": "integer",
-		"type": "integer"
+		"mandatory": false
+	},
+	"domain": {
+		"type": "string",
+		"mandatory": false
 	},
 	"tls_mode": {
-		"mandatory": false,
 		"type": "string",
 		"options": [
 			"disable",
 			"enable",
 			"force"
-		]
+		],
+		"mandatory": false
 	}
 }

roles/mas-for-synapse/defaults/main.json

@@ -0,0 +1,5 @@
+{
+	"var_mas_for_synapse_synapse_url_base": "https://synapse.example.org",
+	"var_mas_for_synapse_client_id": "01JAE3YFB91XFWEDQY0WFDW5VN",
+	"var_mas_for_synapse_client_secret": "REPLACE_ME"
+}

roles/mas-for-synapse/info.md

@@ -0,0 +1,9 @@
+## Beschreibung
+
+Um [Synapse](../synapse) gegen [MAS](../mas) authentifizieren zu lassen
+
+
+## Verweise
+
+- [Synapse-Dokumentation | OpenID Connect](https://matrix-org.github.io/synapse/latest/openid.html)
+- [MAS-Dokumentation | Homeserver configuration](https://element-hq.github.io/matrix-authentication-service/setup/homeserver.html)

roles/mas-for-synapse/tasks/main.json

@@ -0,0 +1,25 @@
+[
+	{
+		"name": "configuration | emplace",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "mas-client-conf.json.j2",
+			"dest": "/opt/mas/conf.d/clients/synapse.json"
+		}
+	},
+	{
+		"name": "configuration | apply",
+		"become": true,
+		"ansible.builtin.command": {
+			"cmd": "/usr/local/bin/mas-conf-compose"
+		}
+	},
+	{
+		"name": "restart service",
+		"become": true,
+		"ansible.builtin.systemd_service": {
+			"state": "restarted",
+			"name": "mas"
+		}
+	}
+]

roles/mas-for-synapse/templates/mas-client-conf.json.j2

@@ -0,0 +1,5 @@
+{
+	"client_id": "{{var_mas_for_synapse_client_id}}",
+	"client_secret": "{{var_mas_for_synapse_client_secret}}",
+	"client_auth_method": "client_secret_basic"
+}

roles/mas/defaults/main.json

@@ -0,0 +1,23 @@
+{
+	"var_mas_user": "mas",
+	"var_mas_directory": "/opt/mas",
+	"var_mas_server_server_address": "[::]",
+	"var_mas_server_server_port": 2839,
+	"var_mas_server_server_domain": "mas.example.org",
+	"var_mas_database_host": "postgresql.example.org",
+	"var_mas_database_port": 5432,
+	"var_mas_database_username": "mas_user",
+	"var_mas_database_password": "REPLACE_ME",
+	"var_mas_database_schema": "mas",
+	"var_mas_matrix_server": "synapse.example.org",
+	"var_mas_matrix_secret": "REPLACE_ME",
+	"var_mas_matrix_endpoint": "https://synapse.example.org/",
+	"var_mas_encryption_key": "REPLACE_ME",
+	"var_mas_authentication_upstream_kind": "none",
+	"var_mas_authentication_upstream_data_authelia_url_base": "https://authelia.example.org",
+	"var_mas_authentication_upstream_data_authelia_auth_method": "client_secret_basic",
+	"var_mas_authentication_upstream_data_authelia_scope": "openid profile email",
+	"var_mas_authentication_upstream_data_authelia_id": "01JADRQ54Y0KCQS0AEJQ4YTY36",
+	"var_mas_authentication_upstream_data_authelia_client_id": "mas",
+	"var_mas_authentication_upstream_data_authelia_client_secret": "REPLACE_ME"
+}

roles/mas/files/conf-compose.py

@@ -0,0 +1,160 @@
+#!/usr/bin/env python3
+
+import sys as _sys
+import os as _os
+import yaml as _yaml
+import json as _json
+import argparse as _argparse
+
+
+def file_read(path):
+	handle = open(path, "r")
+	content = handle.read()
+	handle.close()
+	return content
+	
+
+def file_write(path, content):
+	directory = _os.path.dirname(path)
+	if (not _os.path.exists(directory)):
+		_os.makedirs(directory, exist_ok = True)
+	else:
+		pass
+	handle = open(path, "w")
+	handle.write(content)
+	handle.close()
+	return content
+	
+
+def dict_merge(core, mantle, path = None):
+	if (path is None):
+		path = []
+	result = {}
+	for source in [core, mantle]:
+		for (key, value_new, ) in source.items():
+			path_ = (path + [key])
+			type_new = type(value_new)
+			if (not (key in result)):
+				result[key] = value_new
+			else:
+				value_old = result[key]
+				type_old = type(value_old)
+				if (value_old is None):
+					result[key] = value_new
+				else:
+					if (not (type_old == type_new)):
+						raise ValueError(
+							"type mismatch at path %s: %s vs. %s"
+							% (
+								".".join(path),
+								str(type_old),
+								str(type_new),
+							)
+						)
+					else:
+						if (type_old == dict):
+							result[key] = dict_merge(value_old, value_new, path_)
+						elif (type_old == list):
+							result[key] = (value_old + value_new)
+						else:
+							result[key] = value_new
+	return result
+	
+
+def main():
+	## args
+	argument_parser = _argparse.ArgumentParser()
+	argument_parser.add_argument(
+		"-s",
+		"--source-directory",
+		type = str,
+		dest = "source_directory",
+		default = "/opt/mas/conf.d",
+		metavar = "<source-directory>",
+	)
+	argument_parser.add_argument(
+		"-f",
+		"--output-format",
+		type = str,
+		choices = ["json", "yaml"],
+		dest = "output_format",
+		default = "yaml",
+		metavar = "<output-format>",
+	)
+	argument_parser.add_argument(
+		"-o",
+		"--output-path",
+		type = str,
+		dest = "output_path",
+		default = "/opt/mas/config.yaml",
+		metavar = "<output-path>",
+	)
+	args = argument_parser.parse_args()
+	
+	## exec
+	data = {}
+	### base
+	if True:
+		data_raw = _yaml.safe_load(file_read(_os.path.join(args.source_directory, "base.yaml")))
+		data = dict_merge(
+			data,
+			{
+				"secrets": data_raw["secrets"],
+				"passwords": data_raw["passwords"],
+			}
+		)
+	### database
+	if True:
+		data = dict_merge(
+			data,
+			_json.loads(file_read(_os.path.join(args.source_directory, "database.json")))
+		)
+	### http
+	if True:
+		data = dict_merge(
+			data,
+			_json.loads(file_read(_os.path.join(args.source_directory, "http.json")))
+		)
+	### matrix
+	if True:
+		data = dict_merge(
+			data,
+			_json.loads(file_read(_os.path.join(args.source_directory, "matrix.json")))
+		)
+	### upstream
+	if True:
+		data = dict_merge(
+			data,
+			_json.loads(file_read(_os.path.join(args.source_directory, "upstream.json")))
+		)
+	### email
+	if True:
+		data = dict_merge(
+			data,
+			_json.loads(file_read(_os.path.join(args.source_directory, "email.json")))
+		)
+	### clients
+	if True:
+		data = dict_merge(
+			data,
+			{
+				"clients": list(
+					map(
+						lambda name: _json.loads(file_read(_os.path.join(args.source_directory, "clients", name))),
+						_os.listdir(_os.path.join(args.source_directory, "clients"))
+					)
+				),
+			}
+		)
+	## output
+	if True:
+		if (args.output_format == "json"):
+			output_content = _json.dumps(data, indent = "\t")
+		elif (args.output_format == "yaml"):
+			output_content = _yaml.dump(data)
+		else:
+			raise ValueError("invalid output format")
+		file_write(args.output_path, output_content)
+	
+
+main()

roles/mas/info.md

@@ -0,0 +1,8 @@
+## Beschreibung
+
+für [Matrix Authentication Service](https://github.com/element-hq/matrix-authentication-service), was eine OIDC-Portal für [Synapse](../synapse) ist
+
+
+## Verweise
+
+- [Dokumentation](https://element-hq.github.io/matrix-authentication-service/index.html)

roles/mas/tasks/main.json

@@ -0,0 +1,123 @@
+[
+	{
+		"name": "user",
+		"become": true,
+		"ansible.builtin.user": {
+			"name": "{{var_mas_user}}",
+			"create_home": true,
+			"home": "{{var_mas_directory}}"
+		}
+	},
+	{
+		"name": "directories",
+		"become": true,
+		"loop": [
+			"{{var_mas_directory}}/conf.d",
+			"{{var_mas_directory}}/conf.d/clients",
+			"{{var_mas_directory}}/scripts"
+		],
+		"ansible.builtin.file": {
+			"state": "directory",
+			"owner": "{{var_mas_user}}",
+			"path": "{{item}}"
+		}
+	},
+	{
+		"name": "download",
+		"become": true,
+		"become_user": "{{var_mas_user}}",
+		"ansible.builtin.get_url": {
+			"url": "https://github.com/element-hq/matrix-authentication-service/releases/latest/download/mas-cli-x86_64-linux.tar.gz",
+			"dest": "/tmp/mas.tar.gz"
+		}
+	},
+	{
+		"name": "extract",
+		"become": true,
+		"become_user": "{{var_mas_user}}",
+		"ansible.builtin.unarchive": {
+			"remote_src": true,
+			"src": "/tmp/mas.tar.gz",
+			"dest": "{{var_mas_directory}}",
+			"owner": "{{var_mas_user}}"
+		}
+	},
+	{
+		"name": "configuration | compose script",
+		"become": true,
+		"ansible.builtin.copy": {
+			"src": "conf-compose.py",
+			"dest": "/usr/local/bin/mas-conf-compose",
+			"mode": "0555"
+		}
+	},
+	{
+		"name": "configuration | base",
+		"become": true,
+		"become_user": "{{var_mas_user}}",
+		"ansible.builtin.shell": {
+			"cmd": "./mas-cli config generate > {{var_mas_directory}}/conf.d/base.yaml",
+			"chdir": "{{var_mas_directory}}"
+		}
+	},
+	{
+		"name": "configuration | database",
+		"become": true,
+		"become_user": "{{var_mas_user}}",
+		"ansible.builtin.template": {
+			"src": "config-database.json.j2",
+			"dest": "{{var_mas_directory}}/conf.d/database.json"
+		}
+	},
+	{
+		"name": "configuration | http",
+		"become": true,
+		"become_user": "{{var_mas_user}}",
+		"ansible.builtin.template": {
+			"src": "config-http.json.j2",
+			"dest": "{{var_mas_directory}}/conf.d/http.json"
+		}
+	},
+	{
+		"name": "configuration | matrix",
+		"become": true,
+		"become_user": "{{var_mas_user}}",
+		"ansible.builtin.template": {
+			"src": "config-matrix.json.j2",
+			"dest": "{{var_mas_directory}}/conf.d/matrix.json"
+		}
+	},
+	{
+		"name": "configuration | upstream",
+		"become": true,
+		"become_user": "{{var_mas_user}}",
+		"ansible.builtin.template": {
+			"src": "config-upstream.json.j2",
+			"dest": "{{var_mas_directory}}/conf.d/upstream.json"
+		}
+	},
+	{
+		"name": "configuration | apply",
+		"become": true,
+		"ansible.builtin.command": {
+			"cmd": "/usr/local/bin/mas-conf-compose"
+		}
+	},
+	{
+		"name": "systemd unit",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "systemd_unit.j2",
+			"dest": "/etc/systemd/system/mas.service"
+		}
+	},
+	{
+		"name": "run",
+		"become": true,
+		"ansible.builtin.systemd_service": {
+			"name": "mas",
+			"enabled": true,
+			"state": "restarted"
+		}
+	}
+]

roles/mas/templates/config-database.json.j2

@@ -0,0 +1,9 @@
+{
+	"database": {
+		"host": "{{var_mas_database_host}}",
+		"port": {{var_mas_database_port | string}},
+		"username": "{{var_mas_database_username}}",
+		"password": "{{var_mas_database_password}}",
+		"database": "{{var_mas_database_schema}}"
+	}
+}

roles/mas/templates/config-email.json.j2

@@ -0,0 +1,7 @@
+{
+	"email": {
+		"from": "Authentication Service <root@localhost>",
+		"reply_to": "Authentication Service <root@localhost>",
+		"transport": "blackhole"
+	}
+}

roles/mas/templates/config-http.json.j2

@@ -0,0 +1,60 @@
+{
+	"http": {
+		"listeners": [
+			{
+				"name": "web",
+				"resources": [
+					{
+						"name": "discovery"
+					},
+					{
+						"name": "human"
+					},
+					{
+						"name": "oauth"
+					},
+					{
+						"name": "compat"
+					},
+					{
+						"name": "graphql"
+					},
+					{
+						"name": "assets"
+					}
+				],
+				"binds": [
+					{
+						"address": "{{var_mas_server_server_address}}:{{var_mas_server_server_port | string}}"
+					}
+				],
+				"proxy_protocol": false
+			},
+			{
+				"name": "internal",
+				"resources": [
+					{
+						"name": "health"
+					}
+				],
+				"binds": [
+					{
+						"host": "localhost",
+						"port": 8081
+					}
+				],
+				"proxy_protocol": false
+			}
+		],
+		"trusted_proxies": [
+			"192.168.0.0/16",
+			"172.16.0.0/12",
+			"10.0.0.0/10",
+			"127.0.0.1/8",
+			"fd00::/8",
+			"::1/128"
+		],
+		"public_base": "https://{{var_mas_server_server_domain}}/",
+		"issuer": "https://{{var_mas_server_server_domain}}/"
+	}
+}

roles/mas/templates/config-matrix.json.j2

@@ -0,0 +1,7 @@
+{
+	"matrix": {
+		"homeserver": "{{var_mas_matrix_server}}",
+		"secret": "{{var_mas_matrix_secret}}",
+		"endpoint": "{{var_mas_matrix_endpoint}}"
+	}
+}

roles/mas/templates/config-upstream.json.j2

@@ -0,0 +1,35 @@
+{
+{% if var_mas_authentication_upstream_kind == 'none' %}
+{% endif %}
+{% if var_mas_authentication_upstream_kind == 'authelia' %}
+	"upstream_oauth2": {
+		"providers": [
+			{
+				"id": "{{var_mas_authentication_upstream_data_authelia_id}}",
+				"issuer": "{{var_mas_authentication_upstream_data_authelia_url_base}}",
+				"authorization_endpoint": "{{var_mas_authentication_upstream_data_authelia_url_base}}/api/oidc/authorization",
+				"token_endpoint": "{{var_mas_authentication_upstream_data_authelia_url_base}}/api/oidc/token",
+				"token_endpoint_auth_method": "{{var_mas_authentication_upstream_data_authelia_auth_method}}",
+				"scope": "{{var_mas_authentication_upstream_data_authelia_scope}}",
+				"discovery_mode": "insecure",
+				"client_id": "{{var_mas_authentication_upstream_data_authelia_client_id}}",
+				"client_secret": "{{var_mas_authentication_upstream_data_authelia_client_secret}}",
+				"claims_imports": {
+					"localpart": {
+						"action": "require",
+						"template": "{{"{{"}} user.preferred_username {{"}}"}}"
+					},
+					"displayname": {
+						"action": "suggest",
+						"template": "{{"{{"}} user.name {{"}}"}}"
+					},
+					"email": {
+						"action": "suggest",
+						"template": "{{"{{"}} user.email {{"}}"}}",
+						"set_email_verification": "always"
+					}
+				}
+		]
+	}
+{% endif %}	
+}

roles/mas/templates/systemd_unit.j2

@@ -0,0 +1,15 @@
+[Unit]
+Description=MAS
+After=network.target
+
+[Service]
+WorkingDirectory={{var_mas_directory}}
+ExecStart={{var_mas_directory}}/mas-cli server
+Type=simple
+Restart=always
+User={{var_mas_user}}
+
+[Install]
+WantedBy=default.target
+RequiredBy=network.target
+

roles/mas/vardef.json

@@ -0,0 +1,91 @@
+{
+	"user": {
+		"type": "string",
+		"mandatory": false
+	},
+	"directory": {
+		"type": "string",
+		"mandatory": false
+	},
+	"server_address": {
+		"type": "string",
+		"mandatory": false
+	},
+	"server_port": {
+		"type": "string",
+		"mandatory": false
+	},
+	"domain": {
+		"type": "string",
+		"mandatory": false
+	},
+	"database_host": {
+		"type": "string",
+		"mandatory": false
+	},
+	"database_port": {
+		"type": "integer",
+		"mandatory": false
+	},
+	"database_username": {
+		"type": "string",
+		"mandatory": false
+	},
+	"database_password": {
+		"type": "string",
+		"mandatory": true
+	},
+	"database_schema": {
+		"type": "string",
+		"mandatory": false
+	},
+	"matrix_server": {
+		"type": "string",
+		"mandatory": false
+	},
+	"matrix_secret": {
+		"type": "string",
+		"mandatory": true
+	},
+	"matrix_endpoint": {
+		"type": "string",
+		"mandatory": false
+	},
+	"encryption_key": {
+		"type": "string",
+		"mandatory": true
+	},
+	"authentication_upstream_kind": {
+		"nullable": false,
+		"type": "string",
+		"options": [
+			"none",
+			"authelia"
+		]
+	},
+	"authentication_upstream_data_authelia_url_base": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_upstream_data_authelia_auth_method": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_upstream_data_authelia_scope": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_upstream_data_authelia_id": {
+		"type": "string",
+		"mandatory": false,
+		"description": "needs to be a ULID"
+	},
+	"authentication_upstream_data_authelia_client_id": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_upstream_data_authelia_client_secret": {
+		"type": "string",
+		"mandatory": false
+	}
+}

roles/mautrix_signal/cfg.schema.json

@@ -1,158 +0,0 @@
-{
-	"nullable": false,
-	"type": "object",
-	"properties": {
-		"user_name": {
-			"nullable": false,
-			"type": "string",
-			"default": "mautrix"
-		},
-		"directory": {
-			"nullable": false,
-			"type": "string",
-			"default": "/opt/mautrix-signal"
-		},
-		"database": {
-			"nullable": false,
-			"type": "object",
-			"properties": {
-				"host": {
-					"nullable": false,
-					"type": "string",
-					"default": "localhost"
-				},
-				"port": {
-					"nullable": false,
-					"type": "integer",
-					"default": 5432
-				},
-				"username": {
-					"nullable": false,
-					"type": "string",
-					"default": "mautrix_signal_user"
-				},
-				"password": {
-					"nullable": false,
-					"type": "string"
-				},
-				"schema": {
-					"nullable": false,
-					"type": "string",
-					"default": "mautrix_signal"
-				}
-			},
-			"additionalProperties": false,
-			"required": [
-				"password"
-			]
-		},
-		"homeserver": {
-			"nullable": false,
-			"type": "object",
-			"properties": {
-				"address": {
-					"nullable": false,
-					"type": "string",
-					"default": "http://localhost:8008"
-				},
-				"domain": {
-					"nullable": false,
-					"type": "string",
-					"default": "synapse.example.org"
-				},
-				"conf_directory": {
-					"nullable": false,
-					"type": "string",
-					"default": "/etc/matrix-synapse/conf.d"
-				},
-				"appservices_directory": {
-					"nullable": false,
-					"type": "string",
-					"default": "/etc/matrix-synapse/appservices.d"
-				},
-				"user_name": {
-					"nullable": false,
-					"type": "string",
-					"default": "matrix-synapse"
-				},
-				"service_name": {
-					"nullable": false,
-					"type": "string",
-					"default": "matrix-synapse"
-				}
-			},
-			"additionalProperties": false,
-			"required": [
-			]
-		},
-		"formats": {
-			"nullable": false,
-			"type": "object",
-			"properties": {
-				"displayname": {
-					"nullable": false,
-					"type": "string"
-				},
-				"messages": {
-					"nullable": false,
-					"type": "object",
-					"properties": {
-						"displayname": {
-							"nullable": false,
-							"type": "string"
-						},
-						"text": {
-							"nullable": false,
-							"type": "string",
-							"default": "<b>{{ .Sender.DisambiguatedName }}</b>: {{ .Message }}"
-						},
-						"notice": {
-							"nullable": false,
-							"type": "string",
-							"default": "<b>{{ .Sender.DisambiguatedName }}</b>: {{ .Message }}"
-						},
-						"emote": {
-							"nullable": false,
-							"type": "string",
-							"default": "* <b>{{ .Sender.DisambiguatedName }}</b> {{ .Message }}"
-						},
-						"file": {
-							"nullable": false,
-							"type": "string",
-							"default": "<b>{{ .Sender.DisambiguatedName }}</b> sent a file{{ if .Caption }}: {{ .Caption }}{{ end }}"
-						},
-						"image": {
-							"nullable": false,
-							"type": "string",
-							"default": "<b>{{ .Sender.DisambiguatedName }}</b> sent an image{{ if .Caption }}: {{ .Caption }}{{ end }}"
-						},
-						"audio": {
-							"nullable": false,
-							"type": "string",
-							"default": "<b>{{ .Sender.DisambiguatedName }}</b> sent an audio file{{ if .Caption }}: {{ .Caption }}{{ end }}"
-						},
-						"video": {
-							"nullable": false,
-							"type": "string",
-							"default": "<b>{{ .Sender.DisambiguatedName }}</b> sent a video{{ if .Caption }}: {{ .Caption }}{{ end }}"
-						},
-						"location": {
-							"nullable": false,
-							"type": "string",
-							"default": "<b>{{ .Sender.DisambiguatedName }}</b> sent a location{{ if .Caption }}: {{ .Caption }}{{ end }}"
-						}
-					},
-					"additionalProperties": false,
-					"required": [
-					]
-				}
-			},
-			"additionalProperties": false,
-			"required": [
-			]
-		}
-	},
-	"additionalProperties": false,
-	"required": [
-	]
-}

roles/mautrix_signal/defaults/main.json

@@ -1,33 +0,0 @@
-{
-	"cfg_mautrix_signal_defaults": {
-		"user_name": "mautrix",
-		"directory": "/opt/mautrix-signal",
-		"database": {
-			"host": "localhost",
-			"port": 5432,
-			"username": "mautrix_signal_user",
-			"schema": "mautrix_signal"
-		},
-		"homeserver": {
-			"address": "http://localhost:8008",
-			"domain": "synapse.example.org",
-			"conf_directory": "/etc/matrix-synapse/conf.d",
-			"appservices_directory": "/etc/matrix-synapse/appservices.d",
-			"user_name": "matrix-synapse",
-			"service_name": "matrix-synapse"
-		},
-		"formats": {
-			"displayname": "{{ .DisambiguatedName }}",
-			"messages": {
-				"text": "<b>{{ .Sender.DisambiguatedName }}</b>: {{ .Message }}",
-				"notice": "<b>{{ .Sender.DisambiguatedName }}</b>: {{ .Message }}",
-				"emote": "* <b>{{ .Sender.DisambiguatedName }}</b> {{ .Message }}",
-				"file": "<b>{{ .Sender.DisambiguatedName }}</b> sent a file{{ if .Caption }}: {{ .Caption }}{{ end }}",
-				"image": "<b>{{ .Sender.DisambiguatedName }}</b> sent an image{{ if .Caption }}: {{ .Caption }}{{ end }}",
-				"audio": "<b>{{ .Sender.DisambiguatedName }}</b> sent an audio file{{ if .Caption }}: {{ .Caption }}{{ end }}",
-				"video": "<b>{{ .Sender.DisambiguatedName }}</b> sent a video{{ if .Caption }}: {{ .Caption }}{{ end }}",
-				"location": "<b>{{ .Sender.DisambiguatedName }}</b> sent a location{{ if .Caption }}: {{ .Caption }}{{ end }}"
-			}
-		}
-	}
-}

roles/mautrix_signal/tasks/main.json

@@ -1,132 +0,0 @@
-[
-	{
-		"name": "show vars",
-		"when": "switch_show_vars",
-		"ansible.builtin.debug": {
-			"var": "vars.cfg_mautrix_signal"
-		}
-	},
-	{
-		"name": "user",
-		"become": true,
-		"ansible.builtin.user": {
-			"name": "{{cfg_mautrix_signal.user_name}}",
-			"create_home": true,
-			"home": "{{cfg_mautrix_signal.directory}}"
-		}
-	},
-	{
-		"name": "fetch",
-		"ansible.builtin.block": [
-			{
-				"name": "download",
-				"ansible.builtin.get_url": {
-					"url": "https://mau.dev/mautrix/signal/-/jobs/artifacts/main/download?job=build%20amd64",
-					"dest": "/tmp/mautrix-signal.zip"
-				}
-			},
-			{
-				"name": "unpack",
-				"ansible.builtin.unarchive": {
-					"remote_src": true,
-					"src": "/tmp/mautrix-signal.zip",
-					"dest": "{{cfg_mautrix_signal.directory}}"
-				}
-			}
-		]
-	},
-	{
-		"name": "conf",
-		"ansible.builtin.block": [
-			{
-				"name": "conf | base",
-				"become": true,
-				"become_user": "{{cfg_mautrix_signal.user_name}}",
-				"ansible.builtin.template": {
-					"src": "config.yaml.j2",
-					"dest": "{{cfg_mautrix_signal.directory}}/config.yaml"
-				}
-			},
-			{
-				"name": "conf | appservice registration | generate",
-				"become": true,
-				"become_user": "{{cfg_mautrix_signal.user_name}}",
-				"ansible.builtin.command": {
-					"chdir": "{{cfg_mautrix_signal.directory}}",
-					"cmd": "./mautrix-signal --generate-registration --config {{cfg_mautrix_signal.directory}}/config.yaml --registration /tmp/registration.yaml"
-				}
-			},
-			{
-				"name": "conf | appservice registration | adjust",
-				"become": true,
-				"ansible.builtin.file": {
-					"path": "/tmp/registration.yaml",
-					"dest": "{{cfg_mautrix_signal.directory}}/registration.yaml",
-					"owner": "{{cfg_mautrix_signal.homeserver.user_name}}"
-				}
-			}
-		]
-	},
-	{
-		"name": "matrix homeserver",
-		"ansible.builtin.block": [
-			{
-				"name": "matrix homeserver | appservice directory",
-				"become": true,
-				"ansible.builtin.file": {
-					"mode": "directory",
-					"path": "{{cfg_mautrix_signal.homeserver.appservices_directory}}",
-					"owner": "{{cfg_mautrix_signal.homeserver.user_name}}"
-				}
-			},
-			{
-				"name": "matrix homeserver | insert appservice registration | copy to destination",
-				"become": true,
-				"ansible.builtin.copy": {
-					"remote_src": true,
-					"src": "{{cfg_mautrix_signal.directory}}/registration.yaml",
-					"dest": "{{cfg_mautrix_signal.homeserver.appservices_directory}}/bridge-mautrix-signal.yaml",
-					"owner": "{{cfg_mautrix_signal.homeserver.user_name}}"
-				}
-			},
-			{
-				"name": "matrix homeserver | insert appservice registration | delete source",
-				"become": true,
-				"ansible.builtin.file": {
-					"mode": "absent",
-					"path": "{{cfg_mautrix_signal.directory}}/registration.yaml"
-				}
-			},
-			{
-				"become": true,
-				"ansible.builtin.template": {
-					"src": "matrix-appservice.yaml.j2",
-					"dest": "{{cfg_mautrix_signal.homeserver.conf_directory}}/bridge-mautrix-signal.yaml",
-					"owner": "{{cfg_mautrix_signal.homeserver.user_name}}"
-				}
-			}
-		]
-	},
-	{
-		"name": "service",
-		"ansible.builtin.block": [
-			{
-				"name": "service | define",
-				"become": true,
-				"ansible.builtin.template": {
-					"src": "systemd-unit.j2",
-					"dest": "/etc/systemd/system/mautrix-signal.service"
-				}
-			},
-			{
-				"name": "service | start",
-				"become": true,
-				"ansible.builtin.systemd_service": {
-					"enabled": true,
-					"state": "started",
-					"name": "mautrix-signal"
-				}
-			}
-		]
-	}
-]

roles/mautrix_signal/templates/config.yaml.j2

@@ -1,500 +0,0 @@
-# Network-specific config options
-network:
-    # Displayname template for Signal users.
-    # {{.ProfileName}} - The Signal profile name set by the user.
-    # {{.ContactName}} - The name for the user from your phone's contact list. This is not safe on multi-user instances.
-    # {{.Nickname}} - The nickname set for the user in the native Signal app. This is not safe on multi-user instances.
-    # {{.PhoneNumber}} - The phone number of the user.
-    # {{.UUID}} - The UUID of the Signal user.
-    # {{.AboutEmoji}} - The emoji set by the user in their profile.
-    displayname_template: '{{or .ProfileName .PhoneNumber "Unknown user"}}'
-    # Should avatars from the user's contact list be used? This is not safe on multi-user instances.
-    use_contact_avatars: false
-    # Should the bridge request the user's contact list from the phone on startup?
-    sync_contacts_on_startup: true
-    # Should the bridge sync ghost user info even if profile fetching fails? This is not safe on multi-user instances.
-    use_outdated_profiles: false
-    # Should the Signal user's phone number be included in the room topic in private chat portal rooms?
-    number_in_topic: true
-    # Default device name that shows up in the Signal app.
-    device_name: mautrix-signal
-    # Avatar image for the Note to Self room.
-    note_to_self_avatar: mxc://maunium.net/REBIVrqjZwmaWpssCZpBlmlL
-    # Format for generating URLs from location messages for sending to Signal.
-    # Google Maps: 'https://www.google.com/maps/place/%[1]s,%[2]s'
-    # OpenStreetMap: 'https://www.openstreetmap.org/?mlat=%[1]s&mlon=%[2]s'
-    location_format: 'https://www.google.com/maps/place/%[1]s,%[2]s'
-    # Should view-once messages disappear shortly after sending a read receipt on Matrix?
-    disappear_view_once: false
-    # Should polls be sent using unstable MSC3381 event types?
-    extev_polls: false
-    
-
-# Config options that affect the central bridge module.
-bridge:
-    # The prefix for commands. Only required in non-management rooms.
-    command_prefix: '!signal'
-    # Should the bridge create a space for each login containing the rooms that account is in?
-    personal_filtering_spaces: true
-    # Whether the bridge should set names and avatars explicitly for DM portals.
-    # This is only necessary when using clients that don't support MSC4171.
-    private_chat_portal_meta: true
-    # Should events be handled asynchronously within portal rooms?
-    # If true, events may end up being out of order, but slow events won't block other ones.
-    # This is not yet safe to use.
-    async_events: false
-    # Should every user have their own portals rather than sharing them?
-    # By default, users who are in the same group on the remote network will be
-    # in the same Matrix room bridged to that group. If this is set to true,
-    # every user will get their own Matrix room instead.
-    # SETTING THIS IS IRREVERSIBLE AND POTENTIALLY DESTRUCTIVE IF PORTALS ALREADY EXIST.
-    split_portals: false
-    # Should the bridge resend `m.bridge` events to all portals on startup?
-    resend_bridge_info: false
-    # Should `m.bridge` events be sent without a state key?
-    # By default, the bridge uses a unique key that won't conflict with other bridges.
-    no_bridge_info_state_key: false
-    # Should bridge connection status be sent to the management room as `m.notice` events?
-    # These contain the same data that can be posted to an external HTTP server using homeserver -> status_endpoint.
-    # Allowed values: none, errors, all
-    bridge_status_notices: errors
-    # How long after an unknown error should the bridge attempt a full reconnect?
-    # Must be at least 1 minute. The bridge will add an extra ±20% jitter to this value.
-    unknown_error_auto_reconnect: null
-
-    # Should leaving Matrix rooms be bridged as leaving groups on the remote network?
-    bridge_matrix_leave: false
-    # Should `m.notice` messages be bridged?
-    bridge_notices: false
-    # Should room tags only be synced when creating the portal? Tags mean things like favorite/pin and archive/low priority.
-    # Tags currently can't be synced back to the remote network, so a continuous sync means tagging from Matrix will be undone.
-    tag_only_on_create: true
-    # List of tags to allow bridging. If empty, no tags will be bridged.
-    only_bridge_tags: [m.favourite, m.lowpriority]
-    # Should room mute status only be synced when creating the portal?
-    # Like tags, mutes can't currently be synced back to the remote network.
-    mute_only_on_create: true
-    # Should the bridge check the db to ensure that incoming events haven't been handled before
-    deduplicate_matrix_messages: false
-    # Should cross-room reply metadata be bridged?
-    # Most Matrix clients don't support this and servers may reject such messages too.
-    cross_room_replies: false
-    # If a state event fails to bridge, should the bridge revert any state changes made by that event?
-    revert_failed_state_changes: false
-    # In portals with no relay set, should Matrix users be kicked if they're
-    # not logged into an account that's in the remote chat?
-    kick_matrix_users: true
-
-    # What should be done to portal rooms when a user logs out or is logged out?
-    # Permitted values:
-    #   nothing - Do nothing, let the user stay in the portals
-    #   kick - Remove the user from the portal rooms, but don't delete them
-    #   unbridge - Remove all ghosts in the room and disassociate it from the remote chat
-    #   delete - Remove all ghosts and users from the room (i.e. delete it)
-    cleanup_on_logout:
-        # Should cleanup on logout be enabled at all?
-        enabled: false
-        # Settings for manual logouts (explicitly initiated by the Matrix user)
-        manual:
-            # Action for private portals which will never be shared with other Matrix users.
-            private: nothing
-            # Action for portals with a relay user configured.
-            relayed: nothing
-            # Action for portals which may be shared, but don't currently have any other Matrix users.
-            shared_no_users: nothing
-            # Action for portals which have other logged-in Matrix users.
-            shared_has_users: nothing
-        # Settings for credentials being invalidated (initiated by the remote network, possibly through user action).
-        # Keys have the same meanings as in the manual section.
-        bad_credentials:
-            private: nothing
-            relayed: nothing
-            shared_no_users: nothing
-            shared_has_users: nothing
-
-    # Settings for relay mode
-    relay:
-        # Whether relay mode should be allowed. If allowed, the set-relay command can be used to turn any
-        # authenticated user into a relaybot for that chat.
-        enabled: false
-        # Should only admins be allowed to set themselves as relay users?
-        # If true, non-admins can only set users listed in default_relays as relays in a room.
-        admin_only: true
-        # List of user login IDs which anyone can set as a relay, as long as the relay user is in the room.
-        default_relays: []
-        # The formats to use when sending messages via the relaybot.
-        # Available variables:
-        #   .Sender.UserID - The Matrix user ID of the sender.
-        #   .Sender.Displayname - The display name of the sender (if set).
-        #   .Sender.RequiresDisambiguation - Whether the sender's name may be confused with the name of another user in the room.
-        #   .Sender.DisambiguatedName - The disambiguated name of the sender. This will be the displayname if set,
-        #                               plus the user ID in parentheses if the displayname is not unique.
-        #                               If the displayname is not set, this is just the user ID.
-        #   .Message - The `formatted_body` field of the message.
-        #   .Caption - The `formatted_body` field of the message, if it's a caption. Otherwise an empty string.
-        #   .FileName - The name of the file being sent.
-        message_formats:
-            m.text: "{{cfg_mautrix_signal.formats.messages.text}}"
-            m.notice: "{{cfg_mautrix_signal.formats.messages.notice}}"
-            m.emote: "{{cfg_mautrix_signal.formats.messages.emote}}"
-            m.file: "{{cfg_mautrix_signal.formats.messages.file}}"
-            m.image: "{{cfg_mautrix_signal.formats.messages.image}}"
-            m.audio: "{{cfg_mautrix_signal.formats.messages.audio}}"
-            m.video: "{{cfg_mautrix_signal.formats.messages.video}}"
-            m.location: "{{cfg_mautrix_signal.formats.messages.location}}"
-        # For networks that support per-message displaynames (i.e. Slack and Discord), the template for those names.
-        # This has all the Sender variables available under message_formats (but without the .Sender prefix).
-        # Note that you need to manually remove the displayname from message_formats above.
-        displayname_format: "{{cfg_mautrix_signal.formats.displayname}}"
-
-    # Permissions for using the bridge.
-    # Permitted values:
-    #    relay - Talk through the relaybot (if enabled), no access otherwise
-    # commands - Access to use commands in the bridge, but not login.
-    #     user - Access to use the bridge with puppeting.
-    #    admin - Full access, user level with some additional administration tools.
-    # Permitted keys:
-    #        * - All Matrix users
-    #   domain - All users on that homeserver
-    #     mxid - Specific user
-    permissions:
-        "*": relay
-        "example.com": user
-        "@admin:example.com": admin
-
-# Config for the bridge's database.
-database:
-    # The database type. "sqlite3-fk-wal" and "postgres" are supported.
-    type: postgres
-    # The database URI.
-    #   SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
-    #           https://github.com/mattn/go-sqlite3#connection-string
-    #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
-    #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
-    uri: postgres://{{cfg_mautrix_signal.database.username}}:{{cfg_mautrix_signal.database.password}}@{{cfg_mautrix_signal.database.host}}:{{cfg_mautrix_signal.database.port | string}}/{{cfg_mautrix_signal.database.schema}}?sslmode=disable
-    # Maximum number of connections.
-    max_open_conns: 5
-    max_idle_conns: 1
-    # Maximum connection idle time and lifetime before they're closed. Disabled if null.
-    # Parsed with https://pkg.go.dev/time#ParseDuration
-    max_conn_idle_time: null
-    max_conn_lifetime: null
-
-# Homeserver details.
-homeserver:
-    # The address that this appservice can use to connect to the homeserver.
-    # Local addresses without HTTPS are generally recommended when the bridge is running on the same machine,
-    # but https also works if they run on different machines.
-    address: {{cfg_mautrix_signal.homeserver.address}}
-    # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
-    domain: {{cfg_mautrix_signal.homeserver.domain}}
-
-    # What software is the homeserver running?
-    # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
-    software: standard
-    # The URL to push real-time bridge status to.
-    # If set, the bridge will make POST requests to this URL whenever a user's remote network connection state changes.
-    # The bridge will use the appservice as_token to authorize requests.
-    status_endpoint:
-    # Endpoint for reporting per-message status.
-    # If set, the bridge will make POST requests to this URL when processing a message from Matrix.
-    # It will make one request when receiving the message (step BRIDGE), one after decrypting if applicable
-    # (step DECRYPTED) and one after sending to the remote network (step REMOTE). Errors will also be reported.
-    # The bridge will use the appservice as_token to authorize requests.
-    message_send_checkpoint_endpoint:
-    # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
-    async_media: false
-
-    # Should the bridge use a websocket for connecting to the homeserver?
-    # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
-    # mautrix-asmux (deprecated), and hungryserv (proprietary).
-    websocket: false
-    # How often should the websocket be pinged? Pinging will be disabled if this is zero.
-    ping_interval_seconds: 0
-
-# Application service host/registration related details.
-# Changing these values requires regeneration of the registration (except when noted otherwise)
-appservice:
-    # The address that the homeserver can use to connect to this appservice.
-    # Like the homeserver address, a local non-https address is recommended when the bridge is on the same machine.
-    # If the bridge is elsewhere, you must secure the connection yourself (e.g. with https or wireguard)
-    # If you want to use https, you need to use a reverse proxy. The bridge does not have TLS support built in.
-    address: http://localhost:29328
-    # A public address that external services can use to reach this appservice.
-    # This is only needed for things like public media. A reverse proxy is generally necessary when using this field.
-    # This value doesn't affect the registration file.
-    public_address: https://bridge.example.com
-
-    # The hostname and port where this appservice should listen.
-    # For Docker, you generally have to change the hostname to 0.0.0.0.
-    hostname: 127.0.0.1
-    port: 29328
-
-    # The unique ID of this appservice.
-    id: signal
-    # Appservice bot details.
-    bot:
-        # Username of the appservice bot.
-        username: signalbot
-        # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
-        # to leave display name/avatar as-is.
-        displayname: Signal bridge bot
-        avatar: mxc://maunium.net/wPJgTQbZOtpBFmDNkiNEMDUp
-
-    # Whether to receive ephemeral events via appservice transactions.
-    ephemeral_events: true
-    # Should incoming events be handled asynchronously?
-    # This may be necessary for large public instances with lots of messages going through.
-    # However, messages will not be guaranteed to be bridged in the same order they were sent in.
-    # This value doesn't affect the registration file.
-    async_transactions: false
-
-    # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
-    as_token: "This value is generated when generating the registration"
-    hs_token: "This value is generated when generating the registration"
-
-    # Localpart template of MXIDs for remote users.
-    # {{.}} is replaced with the internal ID of the user.
-    username_template: signal_{{.}}
-
-# Config options that affect the Matrix connector of the bridge.
-matrix:
-    # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
-    message_status_events: false
-    # Whether the bridge should send a read receipt after successfully bridging a message.
-    delivery_receipts: false
-    # Whether the bridge should send error notices via m.notice events when a message fails to bridge.
-    message_error_notices: true
-    # Whether the bridge should update the m.direct account data event when double puppeting is enabled.
-    sync_direct_chat_list: true
-    # Whether created rooms should have federation enabled. If false, created portal rooms
-    # will never be federated. Changing this option requires recreating rooms.
-    federate_rooms: true
-    # The threshold as bytes after which the bridge should roundtrip uploads via the disk
-    # rather than keeping the whole file in memory.
-    upload_file_threshold: 5242880
-
-# Segment-compatible analytics endpoint for tracking some events, like provisioning API login and encryption errors.
-analytics:
-    # API key to send with tracking requests. Tracking is disabled if this is null.
-    token: null
-    # Address to send tracking requests to.
-    url: https://api.segment.io/v1/track
-    # Optional user ID for tracking events. If null, defaults to using Matrix user ID.
-    user_id: null
-
-# Settings for provisioning API
-provisioning:
-    # Shared secret for authentication. If set to "generate" or null, a random secret will be generated,
-    # or if set to "disable", the provisioning API will be disabled. Must be at least 16 characters.
-    shared_secret: generate
-    # Whether to allow provisioning API requests to be authed using Matrix access tokens.
-    # This follows the same rules as double puppeting to determine which server to contact to check the token,
-    # which means that by default, it only works for users on the same server as the bridge.
-    allow_matrix_auth: true
-    # Enable debug API at /debug with provisioning authentication.
-    debug_endpoints: false
-    # Enable session transfers between bridges. Note that this only validates Matrix or shared secret
-    # auth before passing live network client credentials down in the response.
-    enable_session_transfers: false
-
-# Some networks require publicly accessible media download links (e.g. for user avatars when using Discord webhooks).
-# These settings control whether the bridge will provide such public media access.
-public_media:
-    # Should public media be enabled at all?
-    # The public_address field under the appservice section MUST be set when enabling public media.
-    enabled: false
-    # A key for signing public media URLs.
-    # If set to "generate", a random key will be generated.
-    signing_key: generate
-    # Number of seconds that public media URLs are valid for.
-    # If set to 0, URLs will never expire.
-    expiry: 0
-    # Length of hash to use for public media URLs. Must be between 0 and 32.
-    hash_length: 32
-    # The path prefix for generated URLs. Note that this will NOT change the path where media is actually served.
-    # If you change this, you must configure your reverse proxy to rewrite the path accordingly.
-    path_prefix: /_mautrix/publicmedia
-    # Should the bridge store media metadata in the database in order to support encrypted media and generate shorter URLs?
-    # If false, the generated URLs will just have the MXC URI and a HMAC signature.
-    # The hash_length field will be used to decide the length of the generated URL.
-    # This also allows invalidating URLs by deleting the database entry.
-    use_database: false
-
-# Settings for converting remote media to custom mxc:// URIs instead of reuploading.
-# More details can be found at https://docs.mau.fi/bridges/go/discord/direct-media.html
-direct_media:
-    # Should custom mxc:// URIs be used instead of reuploading media?
-    enabled: false
-    # The server name to use for the custom mxc:// URIs.
-    # This server name will effectively be a real Matrix server, it just won't implement anything other than media.
-    # You must either set up .well-known delegation from this domain to the bridge, or proxy the domain directly to the bridge.
-    server_name: discord-media.example.com
-    # Optionally a custom .well-known response. This defaults to `server_name:443`
-    well_known_response:
-    # Optionally specify a custom prefix for the media ID part of the MXC URI.
-    media_id_prefix:
-    # If the remote network supports media downloads over HTTP, then the bridge will use MSC3860/MSC3916
-    # media download redirects if the requester supports it. Optionally, you can force redirects
-    # and not allow proxying at all by setting this to false.
-    # This option does nothing if the remote network does not support media downloads over HTTP.
-    allow_proxy: true
-    # Matrix server signing key to make the federation tester pass, same format as synapse's .signing.key file.
-    # This key is also used to sign the mxc:// URIs to ensure only the bridge can generate them.
-    server_key: generate
-
-# Settings for backfilling messages.
-# Note that the exact way settings are applied depends on the network connector.
-# See https://docs.mau.fi/bridges/general/backfill.html for more details.
-backfill:
-    # Whether to do backfilling at all.
-    enabled: false
-    # Maximum number of messages to backfill in empty rooms.
-    max_initial_messages: 50
-    # Maximum number of missed messages to backfill after bridge restarts.
-    max_catchup_messages: 500
-    # If a backfilled chat is older than this number of hours,
-    # mark it as read even if it's unread on the remote network.
-    unread_hours_threshold: 720
-    # Settings for backfilling threads within other backfills.
-    threads:
-        # Maximum number of messages to backfill in a new thread.
-        max_initial_messages: 50
-    # Settings for the backwards backfill queue. This only applies when connecting to
-    # Beeper as standard Matrix servers don't support inserting messages into history.
-    queue:
-        # Should the backfill queue be enabled?
-        enabled: false
-        # Number of messages to backfill in one batch.
-        batch_size: 100
-        # Delay between batches in seconds.
-        batch_delay: 20
-        # Maximum number of batches to backfill per portal.
-        # If set to -1, all available messages will be backfilled.
-        max_batches: -1
-        # Optional network-specific overrides for max batches.
-        # Interpretation of this field depends on the network connector.
-        max_batches_override: {}
-
-# Settings for enabling double puppeting
-double_puppet:
-    # Servers to always allow double puppeting from.
-    # This is only for other servers and should NOT contain the server the bridge is on.
-    servers:
-        anotherserver.example.org: https://matrix.anotherserver.example.org
-    # Whether to allow client API URL discovery for other servers. When using this option,
-    # users on other servers can use double puppeting even if their server URLs aren't
-    # explicitly added to the servers map above.
-    allow_discovery: false
-    # Shared secrets for automatic double puppeting.
-    # See https://docs.mau.fi/bridges/general/double-puppeting.html for instructions.
-    secrets:
-        example.com: as_token:foobar
-
-# End-to-bridge encryption support options.
-#
-# See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
-encryption:
-    # Whether to enable encryption at all. If false, the bridge will not function in encrypted rooms.
-    allow: false
-    # Whether to force-enable encryption in all bridged rooms.
-    default: false
-    # Whether to require all messages to be encrypted and drop any unencrypted messages.
-    require: false
-    # Whether to use MSC3202/MSC4203 instead of /sync long polling for receiving encryption-related data.
-    # This option is not yet compatible with standard Matrix servers like Synapse and should not be used.
-    # Changing this option requires updating the appservice registration file.
-    appservice: false
-    # Whether to use MSC4190 instead of appservice login to create the bridge bot device.
-    # Requires the homeserver to support MSC4190 and the device masquerading parts of MSC3202.
-    # Only relevant when using end-to-bridge encryption, required when using encryption with next-gen auth (MSC3861).
-    # Changing this option requires updating the appservice registration file.
-    msc4190: false
-    # Should the bridge bot generate a recovery key and cross-signing keys and verify itself?
-    # Note that without the latest version of MSC4190, this will fail if you reset the bridge database.
-    # The generated recovery key will be saved in the kv_store table under `recovery_key`.
-    self_sign: false
-    # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
-    # You must use a client that supports requesting keys from other users to use this feature.
-    allow_key_sharing: true
-    # Pickle key for encrypting encryption keys in the bridge database.
-    # If set to generate, a random key will be generated.
-    pickle_key: generate
-    # Options for deleting megolm sessions from the bridge.
-    delete_keys:
-        # Beeper-specific: delete outbound sessions when hungryserv confirms
-        # that the user has uploaded the key to key backup.
-        delete_outbound_on_ack: false
-        # Don't store outbound sessions in the inbound table.
-        dont_store_outbound: false
-        # Ratchet megolm sessions forward after decrypting messages.
-        ratchet_on_decrypt: false
-        # Delete fully used keys (index >= max_messages) after decrypting messages.
-        delete_fully_used_on_decrypt: false
-        # Delete previous megolm sessions from same device when receiving a new one.
-        delete_prev_on_new_session: false
-        # Delete megolm sessions received from a device when the device is deleted.
-        delete_on_device_delete: false
-        # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
-        periodically_delete_expired: false
-        # Delete inbound megolm sessions that don't have the received_at field used for
-        # automatic ratcheting and expired session deletion. This is meant as a migration
-        # to delete old keys prior to the bridge update.
-        delete_outdated_inbound: false
-    # What level of device verification should be required from users?
-    #
-    # Valid levels:
-    #   unverified - Send keys to all device in the room.
-    #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
-    #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
-    #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
-    #                           Note that creating user signatures from the bridge bot is not currently possible.
-    #   verified - Require manual per-device verification
-    #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
-    verification_levels:
-        # Minimum level for which the bridge should send keys to when bridging messages from the remote network to Matrix.
-        receive: unverified
-        # Minimum level that the bridge should accept for incoming Matrix messages.
-        send: unverified
-        # Minimum level that the bridge should require for accepting key requests.
-        share: cross-signed-tofu
-    # Options for Megolm room key rotation. These options allow you to configure the m.room.encryption event content.
-    # See https://spec.matrix.org/v1.10/client-server-api/#mroomencryption for more information about that event.
-    rotation:
-        # Enable custom Megolm room key rotation settings. Note that these
-        # settings will only apply to rooms created after this option is set.
-        enable_custom: false
-        # The maximum number of milliseconds a session should be used
-        # before changing it. The Matrix spec recommends 604800000 (a week)
-        # as the default.
-        milliseconds: 604800000
-        # The maximum number of messages that should be sent with a given a
-        # session before changing it. The Matrix spec recommends 100 as the
-        # default.
-        messages: 100
-        # Disable rotating keys when a user's devices change?
-        # You should not enable this option unless you understand all the implications.
-        disable_device_change_key_rotation: false
-
-# Prefix for environment variables. All variables with this prefix must map to valid config fields.
-# Nesting in variable names is represented with a dot (.).
-# If there are no dots in the name, two underscores (__) are replaced with a dot.
-#
-# e.g. if the prefix is set to `BRIDGE_`, then `BRIDGE_APPSERVICE__AS_TOKEN` will set appservice.as_token.
-# `BRIDGE_appservice.as_token` would work as well, but can't be set in a shell as easily.
-#
-# If this is null, reading config fields from environment will be disabled.
-env_config_prefix: null
-
-# Logging config. See https://github.com/tulir/zeroconfig for details.
-logging:
-    min_level: debug
-    writers:
-        - type: stdout
-          format: pretty-colored
-        - type: file
-          format: json
-          filename: ./logs/bridge.log
-          max_size: 100
-          max_backups: 10
-          compress: false

roles/mautrix_signal/templates/matrix-appservice.yaml.j2

@@ -1 +0,0 @@
-app_service_config_files: [{{cfg_mautrix_signal.homeserver.appservices_directory}}/bridge-mautrix-signal.yaml]

roles/mautrix_signal/templates/systemd-unit.j2

@@ -1,12 +0,0 @@
-[Unit]
-Description=Mautrix Signal
-After=multi-user.target
-
-[Service]
-WorkingDirectory={{cfg_mautrix_signal.directory}}
-User={{cfg_mautrix_signal.user_name}}
-ExecStart={{cfg_mautrix_signal.directory}}/mautrix-signal
-SyslogIdentifier=mautrix-signal
-
-[Install]
-WantedBy=multi-user.target

roles/nginx/cfg.schema.json

@@ -1,28 +0,0 @@
-{
-	"nullable": false,
-	"type": "object",
-	"properties": {
-		"auto_reload_interval": {
-			"nullable": true,
-			"type": "integer",
-			"description": "in hours",
-			"default": null
-		},
-		"dhparam_size": {
-			"nullable": true,
-			"type": "integer",
-			"default": null
-		},
-		"improved_security": {
-			"nullable": false,
-			"type": "boolean",
-			"default": false
-		}
-	},
-	"additionalProperties": false,
-	"required": [
-		"auto_reload_interval",
-		"dhparam_size",
-		"improved_security"
-	]
-}

roles/nginx/defaults/main.json

@@ -1,7 +1,3 @@
 {
-	"cfg_nginx_defaults": {
+	"var_nginx_auto_reload_interval": null
-		"auto_reload_interval": null,
-		"dhparam_size": null,
-		"improved_security": false
-	}
 }

roles/nginx/files/ssl-hardening.conf

@@ -3,9 +3,7 @@ ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
 ssl_session_tickets off;
 
 # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
-{% if cfg_nginx.dhparam_size != None %}
 ssl_dhparam /etc/nginx/dhparam;
-{% endif %}
 
 # intermediate configuration
 ssl_protocols TLSv1.2 TLSv1.3;

roles/nginx/tasks/main.json

@@ -1,11 +1,4 @@
 [
-	{
-		"name": "show vars",
-		"when": "switch_show_vars",
-		"ansible.builtin.debug": {
-			"var": "vars.cfg_nginx"
-		}
-	},
 	{
 		"name": "install packages",
 		"become": true,
@@ -19,10 +12,9 @@
 	},
 	{
 		"name": "generate dhparams file",
-		"when": "cfg_nginx.dhparam_size != None",
 		"become": true,
 		"ansible.builtin.command": {
-			"cmd": "openssl dhparam -out /etc/nginx/dhparam {{cfg_nginx.dhparam_size | string}}"
+			"cmd": "openssl dhparam -out /etc/nginx/dhparam 4096"
 		},
 		"args": {
 			"creates": "/etc/nginx/dhparam"
@@ -31,16 +23,13 @@
 	{
 		"name": "place hardening config",
 		"become": true,
-		"ansible.builtin.template": {
+		"ansible.builtin.copy": {
-			"src": "ssl-hardening.conf.j2",
+			"src": "ssl-hardening.conf",
 			"dest": "/etc/nginx/ssl-hardening.conf"
 		}
 	},
 	{
-		"name": "ufw",
+		"name": "ufw | check",
-		"block": [
-			{
-				"name": "check",
 		"become": true,
 		"check_mode": true,
 		"community.general.ufw": {
@@ -49,7 +38,7 @@
 		"register": "ufw_enable_check"
 	},
 	{
-				"name": "allow port 80",
+		"name": "ufw | allow port 80",
 		"when": "not ufw_enable_check.changed",
 		"become": true,
 		"community.general.ufw": {
@@ -59,7 +48,7 @@
 		}
 	},
 	{
-				"name": "allow port 443",
+		"name": "ufw | allow port 443",
 		"when": "not ufw_enable_check.changed",
 		"become": true,
 		"community.general.ufw": {
@@ -67,18 +56,16 @@
 			"port": "443",
 			"proto": "tcp"
 		}
-			}
-		]
 	},
 	{
 		"name": "auto reload",
-		"when": "cfg_nginx.auto_reload_interval == None",
+		"when": "var_nginx_auto_reload_interval == None",
 		"become": true,
 		"ansible.builtin.cron": {
 			"name": "nginx_auto_reload",
 			"disabled": true,
 			"minute": "0",
-			"hour": "*/{{cfg_nginx.auto_reload_interval | string}}",
+			"hour": "*/{{var_nginx_auto_reload_interval | string}}",
 			"day": "*",
 			"month": "*",
 			"weekday": "*",
@@ -87,13 +74,13 @@
 	},
 	{
 		"name": "auto reload",
-		"when": "cfg_nginx.auto_reload_interval != None",
+		"when": "var_nginx_auto_reload_interval != None",
 		"become": true,
 		"ansible.builtin.cron": {
 			"name": "nginx_auto_reload",
 			"disabled": false,
 			"minute": "0",
-			"hour": "*/{{cfg_nginx.auto_reload_interval | string}}",
+			"hour": "*/{{var_nginx_auto_reload_interval | string}}",
 			"day": "*",
 			"month": "*",
 			"weekday": "*",

roles/nginx/vardef.json

@@ -0,0 +1,8 @@
+{
+	"auto_reload_interval": {
+		"description": "in hours",
+		"nullable": true,
+		"type": "integer",
+		"mandatory": false
+	}
+}

roles/owncloud-and-nginx/cfg.schema.json

@@ -1,31 +0,0 @@
-{
-	"nullable": false,
-	"type": "object",
-	"properties": {
-		"domain": {
-			"nullable": false,
-			"type": "string"
-		},
-		"tls_mode": {
-			"nullable": false,
-			"type": "string",
-			"enum": [
-				"disable",
-				"enable",
-				"force"
-			],
-			"default": "force"
-		},
-		"maximum_upload_size": {
-			"nullable": false,
-			"type": "string",
-			"default": "1G"
-		}
-	},
-	"additionalProperties": false,
-	"required": [
-		"domain",
-		"tls_mode",
-		"maximum_upload_size"
-	]
-}

roles/owncloud-and-nginx/defaults/main.json

@@ -1,6 +1,5 @@
 {
-	"cfg_owncloud_and_nginx_defaults": {
+	"var_owncloud_and_nginx_domain": "owncloud.example.org",
-		"tls_mode": "force",
+	"var_owncloud_and_nginx_tls_mode": "force",
-		"maximum_upload_size": "1G"
+	"var_owncloud_and_nginx_maximum_upload_size": "1G"
-	}
 }

roles/owncloud-and-nginx/tasks/main.json

@@ -1,11 +1,4 @@
 [
-	{
-		"name": "show vars",
-		"when": "switch_show_vars",
-		"ansible.builtin.debug": {
-			"var": "vars.cfg_owncloud_and_nginx"
-		}
-	},
 	{
 		"name": "deactivate default site",
 		"become": true,
@@ -19,7 +12,7 @@
 		"become": true,
 		"ansible.builtin.template": {
 			"src": "conf.j2",
-			"dest": "/etc/nginx/sites-available/{{cfg_owncloud_and_nginx.domain}}"
+			"dest": "/etc/nginx/sites-available/{{var_owncloud_and_nginx_domain}}"
 		}
 	},
 	{
@@ -27,8 +20,8 @@
 		"become": true,
 		"ansible.builtin.file": {
 			"state": "link",
-			"src": "/etc/nginx/sites-available/{{cfg_owncloud_and_nginx.domain}}",
+			"src": "/etc/nginx/sites-available/{{var_owncloud_and_nginx_domain}}",
-			"dest": "/etc/nginx/sites-enabled/{{cfg_owncloud_and_nginx.domain}}"
+			"dest": "/etc/nginx/sites-enabled/{{var_owncloud_and_nginx_domain}}"
 		}
 	},
 	{

roles/owncloud-and-nginx/templates/conf.j2

@@ -1,7 +1,7 @@
 {% macro owncloud_common() %}
 	location / {
 		proxy_pass http://localhost:9200;
-		client_max_body_size {{cfg_owncloud_and_nginx.maximum_upload_size}};
+		client_max_body_size {{var_owncloud_and_nginx_maximum_upload_size}};
 	}
 {% endmacro %}
 
@@ -9,24 +9,24 @@ server {
 	listen 80;
 	listen [::]:80;
 	
-	server_name {{cfg_owncloud_and_nginx.domain}};
+	server_name {{var_owncloud_and_nginx_domain}};
 	
-{% if cfg_owncloud_and_nginx.tls_mode == 'force' %}
+{% if var_owncloud_and_nginx_tls_mode == 'force' %}
 	return 301 https://$http_host$request_uri;
 {% else %}
 	{{ owncloud_common() }}
 {% endif %}
 }
 
-{% if cfg_owncloud_and_nginx.tls_mode != 'disable' %}
+{% if var_owncloud_and_nginx_tls_mode != 'disable' %}
 server {
 	listen 443 ssl;
 	listen [::]:443 ssl;
 	
-	server_name {{cfg_owncloud_and_nginx.domain}};
+	server_name {{var_owncloud_and_nginx_domain}};
 	
-	ssl_certificate_key /etc/ssl/private/{{cfg_owncloud_and_nginx.domain}}.pem;
+	ssl_certificate_key /etc/ssl/private/{{var_owncloud_and_nginx_domain}}.pem;
-	ssl_certificate /etc/ssl/fullchains/{{cfg_owncloud_and_nginx.domain}}.pem;
+	ssl_certificate /etc/ssl/fullchains/{{var_owncloud_and_nginx_domain}}.pem;
 	include /etc/nginx/ssl-hardening.conf;
 	
 	{{ owncloud_common() }}

roles/owncloud-and-nginx/vardef.json

@@ -0,0 +1,20 @@
+
+{
+	"domain": {
+		"type": "string",
+		"mandatory": false
+	},
+	"tls_mode": {
+        "type": "string",
+        "options": [
+			"disable",
+			"enable",
+			"force"
+        ],
+        "mandatory": false
+	},
+	"maximum_upload_size": {
+		"type": "string",
+		"mandatory": false
+	}
+}

roles/owncloud/cfg.schema.json

@@ -1,152 +0,0 @@
-{
-	"nullable": false,
-	"type": "object",
-	"properties": {
-		"user": {
-			"nullable": false,
-			"type": "string",
-			"default": "owncloud"
-		},
-		"directory": {
-			"nullable": false,
-			"type": "string",
-			"default": "/opt/owncloud"
-		},
-		"version": {
-			"nullable": false,
-			"type": "string",
-			"default": "7.2.0"
-		},
-		"platform": {
-			"nullable": false,
-			"type": "string",
-			"default": "linux-amd64"
-		},
-		"domain": {
-			"nullable": false,
-			"type": "string"
-		},
-		"admin_password": {
-			"nullable": false,
-			"type": "string"
-		},
-		"authentication": {
-			"anyOf": [
-				{
-					"nullable": false,
-					"type": "object",
-					"properties": {
-						"kind": {
-							"type": "string",
-							"enum": ["internal"],
-							"default": "internal"
-						},
-						"data": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-							},
-							"additionalProperties": false,
-							"required": [
-							],
-							"default": {
-							}
-						}
-					},
-					"additionalProperties": false,
-					"required": [
-						"kind",
-						"data"
-					]
-				},
-				{
-					"nullable": false,
-					"type": "object",
-					"properties": {
-						"kind": {
-							"type": "string",
-							"enum": ["authelia"],
-							"default": "authelia"
-						},
-						"data": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-								"url_base": {
-									"nullable": false,
-									"type": "string"
-								},
-								"web": {
-									"nullable": true,
-									"type": "object",
-									"properties": {
-										"client_id": {
-											"type": "string",
-											"mandatory": false,
-											"default": "owncloud_web"
-										}
-									},
-									"additionalProperties": false,
-									"required": [
-										"client_id"
-									],
-									"default": {
-									}
-								}
-							},
-							"additionalProperties": false,
-							"required": [
-								"url_base",
-								"web"
-							]
-						}
-					},
-					"additionalProperties": false,
-					"required": [
-						"kind",
-						"data"
-					]
-				}
-			]
-		},
-		"public_share": {
-			"nullable": false,
-			"type": "object",
-			"properties": {
-				"password_necessity": {
-					"nullable": false,
-					"type": "string",
-					"enum": [
-						"nothing",
-						"writable",
-						"all"
-					],
-					"default": "writable"
-				},
-				"password_policy_active": {
-					"nullable": false,
-					"type": "boolean",
-					"default": true
-				}
-			},
-			"additionalProperties": false,
-			"required": [
-				"password_necessity",
-				"password_policy_active"
-			],
-			"default": {
-			}
-		}
-	},
-	"additionalProperties": false,
-	"required": [
-		"user",
-		"directory",
-		"version",
-		"platform",
-		"domain",
-		"admin_password",
-		"authentication",
-		"public_share"
-	]
-}

roles/owncloud/defaults/main.json

@@ -1,16 +1,18 @@
 {
-	"cfg_owncloud_defaults": {
+	"var_owncloud_user": "owncloud",
-		"user": "owncloud",
+	"var_owncloud_directory": "/opt/owncloud",
-		"directory": "/opt/owncloud",
+	"var_owncloud_version": "5.0.0",
-		"version": "7.2.0",
+	"var_owncloud_platform": "linux-amd64",
-		"platform": "linux-amd64",
+	"var_owncloud_domain": "owncloud.example.org",
-		"domain": "owncloud.example.org",
+	"var_owncloud_admin_password": "REPLACE_ME",
-		"authentication": {
+	"var_owncloud_authentication_kind": "internal",
-			"kind": "internal"
+	"var_owncloud_authentication_data_authelia_url_base": "https://authelia.example.org",
-		},
+	"var_owncloud_authentication_data_authelia_web_client_id": "owncloud_web",
-		"public_share": {
+	"var_owncloud_authentication_data_authelia_web_client_secret": "REPLACE_ME",
-			"password_necessity": "writable",
+	"var_owncloud_authentication_data_authelia_android_client_id": "owncloud_android",
-			"password_policy_active": true
+	"var_owncloud_authentication_data_authelia_android_client_secret": "REPLACE_ME",
-		}
+	"var_owncloud_authentication_data_authelia_ios_client_id": "owncloud_ios",
-	}
+	"var_owncloud_authentication_data_authelia_ios_client_secret": "REPLACE_ME",
+	"var_owncloud_public_share_password_necessity": "writable",
+	"var_owncloud_public_share_password_policy_active": true
 }

roles/owncloud/info.md

@@ -7,26 +7,13 @@ Cloud-Plattform [ownCloud](https://owncloud.com/) (the rewrite in Go named "Infi
 
 - [ownCloud-Dokumentation | How to install ownCloud Infinite Scale Tech Preview in three easy steps](https://owncloud.com/news/howto-install-owncloud-infinite-scale-tech-preview/)
 - [ownCloud-Dokumentation | oCIS](https://owncloud.dev/ocis/)
-- [ownCloud-Dokumentation | Upgrading](https://doc.owncloud.com/ocis/next/migration/upgrading-ocis.html)
-- [ownCloud-Dokumentation | env var types](https://doc.owncloud.com/ocis/next/deployment/services/envvar-types-description.html)
-- [ownCloud-Dokumentation | Service | Web](https://doc.owncloud.com/ocis/next/deployment/services/s-list/web.html)
 - [ownCloud-Dokumentation | Service | Proxy](https://doc.owncloud.com/ocis/next/deployment/services/s-list/proxy.html)
+- [ownCloud-Dokumentation | Service | Web](https://doc.owncloud.com/ocis/next/deployment/services/s-list/web.html)
 - [ownCloud-Dokumentation | Service | Sharing](https://doc.owncloud.com/ocis/next/deployment/services/s-list/sharing.html)
 - [GitHub | ocis](https://github.com/owncloud/ocis/)
 - [ownCloud-Foren | OCIS + Authelia](https://central.owncloud.org/t/ocis-authelia/44222)
 
 
-## Bemerkungen
-
-- die `.ocis/config/ocis.yaml` wird erzeugt auf Grundlage der `.env`
-- `.ocis/config/ocis.yaml` sollte niemals einfach neu erstellt werden, da man sich sonst nicht mehr einloggen kann
-- wenn man sich plötzlich nicht mehr über OIDC anmelden kann, kann das daran lieget, dass `.ocis/idm/ldap.crt` abgelaufen ist — siehe dazu [diesen Thread](https://central.owncloud.org/t/certificate-error-after-upgrade-to-5-0-0-from-4-0-6/47824/7); man könnte auch `OCIS_LDAP_INSECURE` auf `true` setzen, aber naja…
-
-
 ## ToDo
 
 - Download prüfen
-- `csp.yaml` einsetzen
-- prüfen ob folgende `.env`-Variablen gebraucht werden:
-  - `PROXY_OIDC_ISSUER`
-  - `PROXY_OIDC_SKIP_USER_INFO`

roles/owncloud/tasks/main.json

@@ -1,70 +1,39 @@
 [
-	{
-		"name": "show vars",
-		"when": "switch_show_vars",
-		"ansible.builtin.debug": {
-			"var": "vars.cfg_owncloud"
-		}
-	},
 	{
 		"name": "user",
 		"become": true,
 		"ansible.builtin.user": {
-			"name": "{{cfg_owncloud.user}}",
+			"name": "{{var_owncloud_user}}",
 			"create_home": true,
-			"home": "{{cfg_owncloud.directory}}"
+			"home": "{{var_owncloud_directory}}"
 		}
 	},
 	{
 		"name": "download",
 		"become": true,
-		"become_user": "{{cfg_owncloud.user}}",
+		"become_user": "{{var_owncloud_user}}",
 		"ansible.builtin.get_url": {
-			"url": "https://download.owncloud.com/ocis/ocis/stable/{{cfg_owncloud.version}}/ocis-{{cfg_owncloud.version}}-{{cfg_owncloud.platform}}",
+			"url": "https://download.owncloud.com/ocis/ocis/stable/{{var_owncloud_version}}/ocis-{{var_owncloud_version}}-{{var_owncloud_platform}}",
-			"dest": "{{cfg_owncloud.directory}}/ocis",
+			"dest": "{{var_owncloud_directory}}/ocis",
 			"mode": "u+rx"
 		}
 	},
-	{
-		"name": "directories",
-		"become": true,
-		"become_user": "{{cfg_owncloud.user}}",
-		"loop": [
-			"log"
-		],
-		"ansible.builtin.file": {
-			"state": "directory",
-			"recurse": true,
-			"path": "{{cfg_owncloud.directory}}/{{item}}"
-		}
-	},
-	{
-		"name": "csp",
-		"become": true,
-		"become_user": "{{cfg_owncloud.user}}",
-		"ansible.builtin.template": {
-			"src": "csp.yaml.j2",
-			"mode": "644",
-			"dest": "{{cfg_owncloud.directory}}/csp.yaml"
-		}
-	},
-	{
-		"name": "env",
-		"become": true,
-		"become_user": "{{cfg_owncloud.user}}",
-		"ansible.builtin.template": {
-			"src": "env.j2",
-			"mode": "644",
-			"dest": "{{cfg_owncloud.directory}}/.env"
-		}
-	},
 	{
 		"name": "setup",
 		"become": true,
-		"become_user": "{{cfg_owncloud.user}}",
+		"become_user": "{{var_owncloud_user}}",
 		"ansible.builtin.shell": {
-			"chdir": "{{cfg_owncloud.directory}}",
+			"chdir": "{{var_owncloud_directory}}",
-			"cmd": "./ocis init --insecure no --admin-password={{cfg_owncloud.admin_password}}"
+			"cmd": "rm -f {{var_owncloud_directory}}/.ocis/config/ocis.yaml && ./ocis init --insecure no --admin-password={{var_owncloud_admin_password}}"
+		}
+	},
+	{
+		"name": "configuration",
+		"become": true,
+		"become_user": "{{var_owncloud_user}}",
+		"ansible.builtin.template": {
+			"src": "env.j2",
+			"dest": "{{var_owncloud_directory}}/.env"
 		}
 	},
 	{

roles/owncloud/templates/csp.yaml.j2

@@ -1,7 +0,0 @@
-directives:
-  connect-src:
-    - '''self'''
-    - 'https://{{cfg_owncloud.domain}}'
-{% if cfg_owncloud.authentication.kind == 'authelia' %}
-    - '{{cfg_owncloud.authentication.data.url_base}}'
-{% endif %}

roles/owncloud/templates/env.j2

@@ -1,62 +1,44 @@
-## web client
+OCIS_URL="https://{{var_owncloud_domain}}"
-WEB_LOG_LEVEL=info
+OCIS_INSECURE="false"
-WEB_LOG_FILE={{cfg_owncloud.directory}}/log/web
+
-WEB_LOG_PRETTY=true
+PROXY_TLS="false"
-WEB_LOG_COLOR=true
+
-{% if cfg_owncloud.authentication.kind == 'internal' %}
+{% if var_owncloud_authentication_kind == 'internal' %}
-{% endif %}
+PROXY_AUTOPROVISION_ACCOUNTS="false"
-{% if cfg_owncloud.authentication.kind == 'authelia' %}
-WEB_OIDC_AUTHORITY={{cfg_owncloud.authentication.data.url_base}}
-WEB_OIDC_CLIENT_ID={{cfg_owncloud.authentication.data.web.client_id}}
-WEB_OIDC_RESPONSE_TYPE=code
-WEB_OIDC_SCOPE=openid profile email groups
-WEB_OPTION_LOGIN_URL={{cfg_owncloud.authentication.data.url_base}}
-WEB_OPTION_LOGOUT_URL={{cfg_owncloud.authentication.data.url_base}}
-WEB_UI_THEME_SERVER=https://{{cfg_owncloud.domain}}
-WEB_UI_CONFIG_SERVER=https://{{cfg_owncloud.domain}}
 {% endif %}
 
-## other clients
+{% if var_owncloud_authentication_kind == 'authelia' %}
-PROXY_LOG_LEVEL=info
+OCIS_OIDC_CLIENT_ID="{{var_owncloud_authentication_data_authelia_web_client_id}}"
-PROXY_LOG_FILE={{cfg_owncloud.directory}}/log/proxy
+OCIS_OIDC_ISSUER="{{var_owncloud_authentication_data_authelia_url_base}}"
-PROXY_LOG_PRETTY=true
+
-PROXY_LOG_COLOR=true
+PROXY_AUTOPROVISION_ACCOUNTS="true"
-PROXY_CSP_CONFIG_FILE_LOCATION={{cfg_owncloud.directory}}/csp.yaml
+PROXY_OIDC_REWRITE_WELLKNOWN="true"
-PROXY_TLS=false
+PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD="none"
-{% if cfg_owncloud.authentication.kind == 'internal' %}
+PROXY_OIDC_INSECURE="false"
-PROXY_AUTOPROVISION_ACCOUNTS=false
+PROXY_USER_OIDC_CLAIM="name"
-{% endif %}
+PROXY_USER_CS3_CLAIM="username"
-{% if cfg_owncloud.authentication.kind == 'authelia' %}
+
-OCIS_URL=https://{{cfg_owncloud.domain}}
+WEB_OIDC_AUTHORITY="{{var_owncloud_authentication_data_authelia_url_base}}"
-PROXY_OIDC_ISSUER={{cfg_owncloud.authentication.data.url_base}}
+WEB_OIDC_METADATA_URL="{{var_owncloud_authentication_data_authelia_url_base}}/.well-known/openid-configuration"
-PROXY_OIDC_REWRITE_WELLKNOWN=true
+WEB_OIDC_CLIENT_ID="{{var_owncloud_authentication_data_authelia_web_client_id}}"
-PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none
+WEB_OIDC_SCOPE="openid profile email groups"
-PROXY_OIDC_SKIP_USER_INFO=false
-PROXY_AUTOPROVISION_ACCOUNTS=true
-PROXY_AUTOPROVISION_CLAIM_USERNAME=preferred_username
-PROXY_AUTOPROVISION_CLAIM_EMAIL=email
-PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME=name
-PROXY_AUTOPROVISION_CLAIM_GROUPS=groups
-PROXY_USER_OIDC_CLAIM=preferred_username
-PROXY_USER_CS3_CLAIM=username
 {% endif %}
 
-## sharing
+{% if var_owncloud_public_share_password_necessity == 'nothing' %}
-{% if cfg_owncloud.public_share.password_necessity == 'nothing' %}
+OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD="false"
-OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD=false
+OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD="false"
-OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD=false
 {% endif %}
-{% if cfg_owncloud.public_share.password_necessity == 'writable' %}
+{% if var_owncloud_public_share_password_necessity == 'writable' %}
-OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD=false
+OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD="false"
-OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD=true
+OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD="true"
 {% endif %}
-{% if cfg_owncloud.public_share.password_necessity == 'all' %}
+{% if var_owncloud_public_share_password_necessity == 'all' %}
-OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD=true
+OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD="true"
-OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD=true
+OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD="true"
 {% endif %}
-{% if cfg_owncloud.public_share.password_policy_active %}
+
-OCIS_SHARING_PASSWORD_POLICY_DISABLED=false
+{% if var_owncloud_public_share_password_policy_active %}
+OCIS_SHARING_PASSWORD_POLICY_DISABLED="false"
 {% else %}
-OCIS_SHARING_PASSWORD_POLICY_DISABLED=true
+OCIS_SHARING_PASSWORD_POLICY_DISABLED="true"
 {% endif %}
-

roles/owncloud/templates/systemd_unit.j2

@@ -3,12 +3,12 @@ Description=ownCloud
 After=network.target
 
 [Service]
-WorkingDirectory={{cfg_owncloud.directory}}
+WorkingDirectory={{var_owncloud_directory}}
-EnvironmentFile={{cfg_owncloud.directory}}/.env
+EnvironmentFile={{var_owncloud_directory}}/.env
-ExecStart={{cfg_owncloud.directory}}/ocis server
+ExecStart={{var_owncloud_directory}}/ocis server
 Type=simple
 Restart=always
-User={{cfg_owncloud.user}}
+User={{var_owncloud_user}}
 
 [Install]
 WantedBy=default.target

roles/owncloud/vardef.json

@@ -0,0 +1,75 @@
+{
+	"user": {
+		"type": "string",
+		"mandatory": false
+	},
+	"directory": {
+		"type": "string",
+		"mandatory": false
+	},
+	"version": {
+		"type": "string",
+		"mandatory": false
+	},
+	"platform": {
+		"type": "string",
+		"mandatory": false
+	},
+	"domain": {
+		"type": "string",
+		"mandatory": false
+	},
+	"admin_password": {
+		"type": "string",
+		"mandatory": true
+	},
+	"authentication_kind": {
+		"type": "string",
+		"mandatory": false,
+		"options": [
+			"internal",
+			"authelia"
+		]
+	},
+	"authentication_data_authelia_url_base": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_data_authelia_web_client_id": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_data_authelia_web_client_secret": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_data_authelia_android_client_id": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_data_authelia_android_client_secret": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_data_authelia_ios_client_id": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_data_authelia_ios_client_secret": {
+		"type": "string",
+		"mandatory": false
+	},
+	"public_share_password_necessity": {
+		"type": "string",
+		"mandatory": false,
+		"options": [
+			"nothing",
+			"writable",
+			"all"
+		]
+	},
+	"public_share_password_policy_active": {
+		"type": "boolean",
+		"mandatory": false
+	}
+}