[task-230] Entwürfe für Mealie

README.md

@@ -1,4 +1,4 @@
-# Ansible Collection - roydfalk.standard
+# Ansible Collection - linke.standard
 
 Sammlung von allgemeinen, wiederverwendbaren Ansible-Rollen
 

galaxy.yml

@@ -2,10 +2,10 @@
 # The namespace of the collection. This can be a company/brand/organization or product namespace under which all
 # content lives. May only contain alphanumeric lowercase characters and underscores. Namespaces cannot start with
 # underscores or numbers and cannot contain consecutive underscores
-namespace: fenris 
+namespace: linke
 
 # The name of the collection. Has the same character restrictions as 'namespace'
-name: base 
+name: standard
 
 # The version of the collection. Must be compatible with semantic versioning
 version: 1.0.0
@@ -16,12 +16,12 @@ readme: README.md
 # A list of the collection's content authors. Can be just the name or in the format 'Full Name <email> (url)
 # @nicks:irc/im.site#channel'
 authors:
-- Fenris <fenris@folksprak.org>
+- Royd Falk <roydfalk@folksprak.org>
 - Marius <marius@rasumi.net>
 
 ### OPTIONAL but strongly recommended
 # A short summary description of the collection
-description: "Sammlung von allgemeinen, wiederverwendbaren Ansible-Rollen"
+description: "Sammlung von allgemeinen, wiederverwendbaren Ansible-Rollen (ursprünglich für Infrastruktur der Partei 'DIE LINKE.')"
 
 # Either a single license or a list of licenses for content inside of a collection. Ansible Galaxy currently only
 # accepts L(SPDX,https://spdx.org/licenses/) licenses. This key is mutually exclusive with 'license_file'

roles/authelia-and-nginx/cfg.schema.json

@@ -1,24 +0,0 @@
-{
-	"nullable": false,
-	"type": "object",
-	"properties": {
-		"domain": {
-			"nullable": false,
-			"type": "string"
-		},
-		"tls_mode": {
-			"nullable": false,
-			"type": "string",
-			"options": [
-				"disable",
-				"enable",
-				"force"
-			],
-			"enum": "force"
-		}
-	},
-	"additionalProperties": false,
-	"required": [
-		"domain"
-	]
-}

roles/authelia-and-nginx/defaults/main.json

@@ -1,5 +1,4 @@
 {
-	"cfg_authelia_and_nginx_defaults": {
-		"tls_mode": "force"
-	}
+	"var_authelia_and_nginx_domain": "authelia.example.org",
+	"var_authelia_and_nginx_tls_mode": "force"
 }

roles/authelia-and-nginx/tasks/main.json

@@ -1,11 +1,4 @@
 [
-	{
-		"name": "show vars",
-		"when": "switch_show_vars",
-		"ansible.builtin.debug": {
-			"var": "vars.cfg_authelia_and_nginx"
-		}
-	},
 	{
 		"name": "deactivate default site",
 		"become": true,
@@ -19,7 +12,7 @@
 		"become": true,
 		"ansible.builtin.template": {
 			"src": "conf.j2",
-			"dest": "/etc/nginx/sites-available/{{cfg_authelia_and_nginx.domain}}"
+			"dest": "/etc/nginx/sites-available/{{var_authelia_and_nginx_domain}}"
 		}
 	},
 	{
@@ -27,8 +20,8 @@
 		"become": true,
 		"ansible.builtin.file": {
 			"state": "link",
-			"src": "/etc/nginx/sites-available/{{cfg_authelia_and_nginx.domain}}",
-			"dest": "/etc/nginx/sites-enabled/{{cfg_authelia_and_nginx.domain}}"
+			"src": "/etc/nginx/sites-available/{{var_authelia_and_nginx_domain}}",
+			"dest": "/etc/nginx/sites-enabled/{{var_authelia_and_nginx_domain}}"
 		}
 	},
 	{

roles/authelia-and-nginx/templates/conf.j2

@@ -45,27 +45,27 @@
 {% endmacro %}
 
 server {
-	server_name {{cfg_authelia_and_nginx.domain}};
+	server_name {{var_authelia_and_nginx_domain}};
 	
 	listen 80;
 	listen [::]:80;
 	
-{% if (cfg_authelia_and_nginx.tls_mode == 'force') %}
+{% if (var_authelia_and_nginx_tls_mode == 'force') %}
 	return 301 https://$http_host$request_uri;
 {% else %}
 {{ authelia_common() }}
 {% endif %}
 }
 
-{% if (cfg_authelia_and_nginx.tls_mode != 'disable') %}
+{% if (var_authelia_and_nginx_tls_mode != 'disable') %}
 server {
-	server_name {{cfg_authelia_and_nginx.domain}};
+	server_name {{var_authelia_and_nginx_domain}};
 	
 	listen [::]:443 ssl http2;
 	listen 443 ssl http2;
 	
-	ssl_certificate_key /etc/ssl/private/{{cfg_authelia_and_nginx.domain}}.pem;
-	ssl_certificate /etc/ssl/fullchains/{{cfg_authelia_and_nginx.domain}}.pem;
+	ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem;
+	ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem;
 	include /etc/nginx/ssl-hardening.conf;
 	
 {{ authelia_common() }}

roles/authelia-and-nginx/vardef.json

@@ -0,0 +1,15 @@
+{
+	"domain": {
+		"type": "string",
+		"mandatory": false
+	},
+	"tls_mode": {
+		"type": "string",
+		"options": [
+			"disable",
+			"enable",
+			"force"
+		],
+		"mandatory": false
+	}
+}

roles/authelia-for-hedgedoc/cfg.schema.json

@@ -1,25 +0,0 @@
-{
-	"nullable": false,
-	"type": "object",
-	"properties": {
-		"hedgedoc_url_base": {
-			"nullable": false,
-			"type": "string"
-		},
-		"client_id": {
-			"nullable": false,
-			"type": "string",
-			"default": "hedgedoc"
-		},
-		"client_secret": {
-			"nullable": false,
-			"type": "string"
-		}
-	},
-	"additionalProperties": false,
-	"required": [
-		"hedgedoc_url_base",
-		"client_id",
-		"client_secret"
-	]
-}

roles/authelia-for-hedgedoc/defaults/main.json

@@ -1,5 +1,5 @@
 {
-	"cfg_authelia_for_hedgedoc_defaults": {
-		"client_id": "hedgedoc"
-	}
+	"var_authelia_for_hedgedoc_hedgedoc_url_base": "https://hedgedoc.example.org",
+	"var_authelia_for_hedgedoc_client_id": "hedgedoc",
+	"var_authelia_for_hedgedoc_client_secret": "REPLACE_ME"
 }

roles/authelia-for-hedgedoc/tasks/main.json

@@ -1,16 +1,9 @@
 [
-	{
-		"name": "show vars",
-		"when": "switch_show_vars",
-		"ansible.builtin.debug": {
-			"var": "vars.cfg_authelia_for_hedgedoc"
-		}
-	},
 	{
 		"name": "configuration | compute client secret hash",
 		"become": true,
 		"ansible.builtin.shell": {
-			"cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_hedgedoc.client_secret}} | cut --delimiter=' ' --fields='2-'"
+			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_hedgedoc_client_secret}} | cut --delimiter=' ' --fields='2-'"
 		},
 		"register": "temp_authelia_for_hedgedoc_client_secret_hashed"
 	},

roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2

@@ -1,5 +1,5 @@
 {
-	"client_id": "{{cfg_authelia_for_hedgedoc.client_id}}",
+	"client_id": "{{var_authelia_for_hedgedoc_client_id}}",
 	"client_secret": "{{temp_authelia_for_hedgedoc_client_secret_hashed.stdout}}",
 	"client_name": "Hedgedoc",
 	"public": false,
@@ -10,7 +10,7 @@
 		"profile"
 	],
 	"redirect_uris": [
-		"{{cfg_authelia_for_hedgedoc.hedgedoc_url_base}}/auth/oauth2/callback"
+		"{{var_authelia_for_hedgedoc_hedgedoc_url_base}}/auth/oauth2/callback"
 	],
 	"response_types": [
 		"code"

roles/authelia-for-owncloud/cfg.schema.json

@@ -1,97 +0,0 @@
-{
-	"nullable": false,
-	"type": "object",
-	"properties": {
-		"owncloud_url_base": {
-			"nullable": false,
-			"type": "string"
-		},
-		"web": {
-			"nullable": true,
-			"type": "object",
-			"properties": {
-				"client_id": {
-					"nullable": false,
-					"type": "string",
-					"default": "owncloud_web"
-				}
-			},
-			"additionalProperties": false,
-			"required": [
-			],
-			"default": {
-			}
-		},
-		"desktop": {
-			"nullable": true,
-			"type": "object",
-			"properties": {
-				"client_id": {
-					"nullable": false,
-					"type": "string",
-					"default": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69"
-				},
-				"client_secret": {
-					"nullable": false,
-					"type": "string",
-					"default": "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh"
-				}
-			},
-			"additionalProperties": false,
-			"required": [
-			],
-			"default": {
-			}
-		},
-		"android": {
-			"nullable": true,
-			"type": "object",
-			"properties": {
-				"client_id": {
-					"nullable": false,
-					"type": "string",
-					"default": "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD"
-				},
-				"client_secret": {
-					"nullable": false,
-					"type": "string",
-					"default": "dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD"
-				}
-			},
-			"additionalProperties": false,
-			"required": [
-			],
-			"default": {
-			}
-		},
-		"ios": {
-			"nullable": true,
-			"type": "object",
-			"properties": {
-				"client_id": {
-					"nullable": false,
-					"type": "string",
-					"default": "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1"
-				},
-				"client_secret": {
-					"nullable": false,
-					"type": "string",
-					"default": "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx"
-				}
-			},
-			"additionalProperties": false,
-			"required": [
-			],
-			"default": {
-			}
-		}
-	},
-	"additionalProperties": false,
-	"required": [
-		"owncloud_url_base",
-		"web",
-		"desktop",
-		"android",
-		"ios"
-	]
-}

roles/authelia-for-owncloud/defaults/main.json

@@ -1,19 +1,10 @@
 {
-	"cfg_authelia_for_owncloud_defaults": {
-		"web": {
-			"client_id": "owncloud_web"
-		},
-		"desktop": {
-			"client_id": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69",
-			"client_secret": "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh"
-		},
-		"android": {
-			"client_id": "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD",
-			"client_secret": "dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD"
-		},
-		"ios": {
-			"client_id": "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1",
-			"client_secret": "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx"
-		}
-	}
+	"var_authelia_for_owncloud_owncloud_url_base": "https://owncloud.example.org",
+	"var_authelia_for_owncloud_web_client_id": "owncloud_web",
+	"var_authelia_for_owncloud_android_client_id": "owncloud_android",
+	"var_authelia_for_owncloud_android_client_secret": "REPLACE_ME",
+	"var_authelia_for_owncloud_ios_client_id": "owncloud_ios",
+	"var_authelia_for_owncloud_ios_client_secret": "REPLACE_ME",
+	"var_authelia_for_owncloud_desktop_client_id": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69",
+	"var_authelia_for_owncloud_desktop_client_secret": "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh"
 }

roles/authelia-for-owncloud/tasks/main.json

@@ -1,95 +1,49 @@
 [
 	{
-		"name": "show vars",
-		"when": "switch_show_vars",
-		"ansible.builtin.debug": {
-			"var": "vars.cfg_authelia_for_owncloud"
-		}
-	},
-	{
-		"name": "configuration | client",
-		"block": [
-			{
-				"name": "configuration | client | web",
-				"when": "cfg_authelia_for_owncloud.web != None",
-				"block": [
-					{
-						"name": "emplace",
-						"become": true,
-						"ansible.builtin.template": {
-							"src": "authelia-client-conf-web.json.j2",
-							"dest": "/etc/authelia/conf.d/clients/owncloud-web.json"
-						}
-					}
-				]
-			},
-			{
-				"name": "configuration | client | desktop",
-				"when": "cfg_authelia_for_owncloud.desktop != None",
-				"block": [
-					{
-						"name": "compute client secret hash",
+		"name": "configuration | compute client secret hash | web",
 		"become": true,
 		"ansible.builtin.shell": {
-							"cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_owncloud.desktop.client_secret}} | cut --delimiter=' ' --fields='2-'"
+			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_owncloud_web_client_secret}} | cut --delimiter=' ' --fields='2-'"
 		},
-						"register": "temp_authelia_for_owncloud_desktop_client_secret_hashed"
+		"register": "temp_authelia_for_owncloud_web_client_secret_hashed"
 	},
 	{
-						"name": "emplace",
-						"become": true,
-						"ansible.builtin.template": {
-							"src": "authelia-client-conf-desktop.json.j2",
-							"dest": "/etc/authelia/conf.d/clients/owncloud-desktop.json"
-						}
-					}
-				]
-			},
-			{
-				"name": "configuration | client | android",
-				"when": "cfg_authelia_for_owncloud.android != None",
-				"block": [
-					{
-						"name": "compute client secret hash",
+		"name": "configuration | compute client secret hash | android",
 		"become": true,
 		"ansible.builtin.shell": {
-							"cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_owncloud.android.client_secret}} | cut --delimiter=' ' --fields='2-'"
+			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_owncloud_android_client_secret}} | cut --delimiter=' ' --fields='2-'"
 		},
 		"register": "temp_authelia_for_owncloud_android_client_secret_hashed"
 	},
 	{
-						"name": "emplace",
-						"become": true,
-						"ansible.builtin.template": {
-							"src": "authelia-client-conf-android.json.j2",
-							"dest": "/etc/authelia/conf.d/clients/owncloud-android.json"
-						}
-					}
-				]
-			},
-			{
-				"name": "configuration | client | ios",
-				"when": "cfg_authelia_for_owncloud.ios != None",
-				"block": [
-					{
-						"name": "compute client secret hash",
+		"name": "configuration | compute client secret hash | ios",
 		"become": true,
 		"ansible.builtin.shell": {
-							"cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_owncloud.ios.client_secret}} | cut --delimiter=' ' --fields='2-'"
+			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_owncloud_ios_client_secret}} | cut --delimiter=' ' --fields='2-'"
 		},
 		"register": "temp_authelia_for_owncloud_ios_client_secret_hashed"
 	},
 	{
-						"name": "emplace",
+		"name": "configuration | compute client secret hash | desktop",
 		"become": true,
+		"ansible.builtin.shell": {
+			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_owncloud_desktop_client_secret}} | cut --delimiter=' ' --fields='2-'"
+		},
+		"register": "temp_authelia_for_owncloud_desktop_client_secret_hashed"
+	},
+	{
+		"name": "configuration | emplace",
+		"become": true,
+		"loop": [
+			{"src": "authelia-client-conf-web.json.j2", "dest": "/etc/authelia/conf.d/clients/owncloud-web.json"},
+			{"src": "authelia-client-conf-desktop.json.j2", "dest": "/etc/authelia/conf.d/clients/owncloud-desktop.json"},
+			{"src": "authelia-client-conf-android.json.j2", "dest": "/etc/authelia/conf.d/clients/owncloud-android.json"},
+			{"src": "authelia-client-conf-ios.json.j2", "dest": "/etc/authelia/conf.d/clients/owncloud-ios.json"}
+		],
 		"ansible.builtin.template": {
-							"src": "authelia-client-conf-ios.json.j2",
-							"dest": "/etc/authelia/conf.d/clients/owncloud-ios.json"
+			"src": "{{item.src}}",
+			"dest": "{{item.dest}}"
 		}
-					}
-				]
-			}
-		]
 	},
 	{
 		"name": "configuration | apply",

roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2

@@ -1,33 +1,19 @@
 {
-	"client_id": "{{cfg_authelia_for_owncloud.android.client_id}}",
+	"client_id": "{{var_authelia_for_owncloud_android_client_id}}",
 	"client_secret": "{{temp_authelia_for_owncloud_android_client_secret_hashed.stdout}}",
 	"client_name": "ownCloud | Android Client",
-	
-	"public": false,
 	"authorization_policy": "one_factor",
-	"require_pkce": true,
-	"pkce_challenge_method": "S256",
 	"scopes": [
 		"openid",
-		"offline_access",
 		"groups",
 		"profile",
-		"email"
-	],
-	"redirect_uris": [
-		"oc://android.owncloud.com"
-		
-		
-		
+		"email",
+		"offline_access"
 	],
 	"response_types": [
 		"code"
 	],
-	"grant_types": [
-		"authorization_code",
-		"refresh_token"
-	],
-	"access_token_signed_response_alg": "none",
-	"userinfo_signed_response_alg": "none",
-	"token_endpoint_auth_method": "client_secret_basic"
+	"redirect_uris": [
+		"oc://android.owncloud.com"
+	]
 }

roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2

@@ -1,33 +1,20 @@
 {
-	"client_id": "{{cfg_authelia_for_owncloud.desktop.client_id}}",
+	"client_id": "{{var_authelia_for_owncloud_desktop_client_id}}",
 	"client_secret": "{{temp_authelia_for_owncloud_desktop_client_secret_hashed.stdout}}",
 	"client_name": "ownCloud | Desktop Client",
-	
-	"public": false,
 	"authorization_policy": "one_factor",
-	"require_pkce": true,
-	"pkce_challenge_method": "S256",
 	"scopes": [
 		"openid",
-		"offline_access",
 		"groups",
 		"profile",
-		"email"
-	],
-	"redirect_uris": [
-		"http://127.0.0.1",
-		"http://localhost"
-		
-		
+		"email",
+		"offline_access"
 	],
 	"response_types": [
 		"code"
 	],
-	"grant_types": [
-		"authorization_code",
-		"refresh_token"
-	],
-	"access_token_signed_response_alg": "none",
-	"userinfo_signed_response_alg": "none",
-	"token_endpoint_auth_method": "client_secret_basic"
+	"redirect_uris": [
+		"http://127.0.0.1",
+		"http://localhost"
+	]
 }

roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2

@@ -1,33 +1,20 @@
 {
-	"client_id": "{{cfg_authelia_for_owncloud.ios.client_id}}",
+	"client_id": "{{var_authelia_for_owncloud_ios_client_id}}",
 	"client_secret": "{{temp_authelia_for_owncloud_ios_client_secret_hashed.stdout}}",
 	"client_name": "ownCloud | iOS Client",
-	
-	"public": false,
 	"authorization_policy": "one_factor",
-	"require_pkce": true,
-	"pkce_challenge_method": "S256",
 	"scopes": [
 		"openid",
-		"offline_access",
 		"groups",
 		"profile",
-		"email"
-	],
-	"redirect_uris": [
-		"oc://ios.owncloud.com",
-		"oc.ios://ios.owncloud.com"
-		
-		
+		"email",
+		"offline_access"
 	],
 	"response_types": [
 		"code"
 	],
-	"grant_types": [
-		"authorization_code",
-		"refresh_token"
-	],
-	"access_token_signed_response_alg": "none",
-	"userinfo_signed_response_alg": "none",
-	"token_endpoint_auth_method": "client_secret_basic"
+	"redirect_uris": [
+		"oc://ios.owncloud.com",
+		"oc.ios://ios.owncloud.com"
+	]
 }

roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2

@@ -1,33 +1,20 @@
 {
-	"client_id": "{{cfg_authelia_for_owncloud.web.client_id}}",
-	
+	"client_id": "{{var_authelia_for_owncloud_web_client_id}}",
 	"client_name": "ownCloud | Web Client",
-	"lifespan": "long",
 	"public": true,
 	"authorization_policy": "one_factor",
-	"require_pkce": true,
-	"pkce_challenge_method": "S256",
 	"scopes": [
 		"openid",
-		"offline_access",
-		"groups",
+		"email",
 		"profile",
-		"email"
-	],
-	"redirect_uris": [
-		"https://{{cfg_authelia_for_owncloud.owncloud_url_base}}",
-		"https://{{cfg_authelia_for_owncloud.owncloud_url_base}}/oidc-callback.html",
-		"https://{{cfg_authelia_for_owncloud.owncloud_url_base}}/oidc-silent-redirect.html",
-		"https://{{cfg_authelia_for_owncloud.owncloud_url_base}}/apps/openidconnect/redirect"
+		"groups"
 	],
 	"response_types": [
 		"code"
 	],
-	"grant_types": [
-		"authorization_code",
-		"refresh_token"
-	],
-	"access_token_signed_response_alg": "none",
-	"userinfo_signed_response_alg": "none",
-	"token_endpoint_auth_method": "none"
+	"redirect_uris": [
+		"{{var_authelia_for_owncloud_owncloud_url_base}}",
+		"{{var_authelia_for_owncloud_owncloud_url_base}}/oidc-callback.html",
+		"{{var_authelia_for_owncloud_owncloud_url_base}}/oidc-silent-redirect.html"
+	]
 }

roles/authelia-for-owncloud/vardef.json

@@ -0,0 +1,34 @@
+{
+	"owncloud_url_base": {
+		"type": "string",
+		"mandatory": false
+	},
+	"web_client_id": {
+		"type": "string",
+		"mandatory": false
+	},
+	"android_client_id": {
+		"type": "string",
+		"mandatory": false
+	},
+	"android_client_secret": {
+		"type": "string",
+		"mandatory": true
+	},
+	"ios_client_id": {
+		"type": "string",
+		"mandatory": false
+	},
+	"ios_client_secret": {
+		"type": "string",
+		"mandatory": true
+	},
+	"dektop_client_id": {
+		"type": "string",
+		"mandatory": false
+	},
+	"desktop_client_secret": {
+		"type": "string",
+		"mandatory": false
+	}
+}

roles/authelia-for-tandoor/defaults/main.json

@@ -1,5 +0,0 @@
-{
-	"var_authelia_for_tandoor_tandoor_url_base": "https://tandoor.example.org",
-	"var_authelia_for_tandoor_client_id": "tandoor",
-	"var_authelia_for_tandoor_client_secret": "REPLACE_ME"
-}

roles/authelia-for-tandoor/info.md

@@ -1,8 +0,0 @@
-## Beschreibung
-
-Um [Tandoor](../tandoor) gegen [Authelia](../authelia) authentifizieren zu lassen
-
-
-## Verweise
-
-- [allauth-Dokumentation | Authelia](https://django-allauth.readthedocs.io/en/latest/socialaccount/providers/authelia.html)

roles/authelia-for-tandoor/tasks/main.json

@@ -1,33 +0,0 @@
-[
-	{
-		"name": "configuration | compute client secret hash",
-		"become": true,
-		"ansible.builtin.shell": {
-			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_tandoor_client_secret}} | cut --delimiter=' ' --fields='2-'"
-		},
-		"register": "temp_authelia_for_tandoor_client_secret_hashed"
-	},
-	{
-		"name": "configuration | emplace",
-		"become": true,
-		"ansible.builtin.template": {
-			"src": "authelia-client-conf.json.j2",
-			"dest": "/etc/authelia/conf.d/clients/tandoor.json"
-		}
-	},
-	{
-		"name": "configuration | apply",
-		"become": true,
-		"ansible.builtin.command": {
-			"cmd": "/usr/bin/authelia-conf-compose"
-		}
-	},
-	{
-		"name": "restart service",
-		"become": true,
-		"ansible.builtin.systemd_service": {
-			"state": "restarted",
-			"name": "authelia"
-		}
-	}
-]

roles/authelia-for-tandoor/templates/authelia-client-conf.json.j2

@@ -1,17 +0,0 @@
-{
-	"client_id": "{{var_authelia_for_tandoor_client_id}}",
-	"client_secret": "{{temp_authelia_for_tandoor_client_secret_hashed.stdout}}",
-	"client_name": "Tandoor",
-	"public": false,
-	"authorization_policy": "one_factor",
-	"redirect_uris": [
-		"{{var_authelia_for_tandoor_tandoor_url_base}}/accounts/oidc/authelia/login/callback/"
-	],
-	"scopes": [
-		"openid",
-		"email",
-		"profile"
-	],
-	"userinfo_signed_response_alg": "none",
-	"token_endpoint_auth_method": "client_secret_basic"
-}

roles/authelia/cfg.schema.json

@@ -1,449 +0,0 @@
-{
-	"nullable": false,
-	"type": "object",
-	"properties": {
-		"listen_address": {
-			"nullable": false,
-			"type": "string",
-			"default": "0.0.0.0"
-		},
-		"domain": {
-			"nullable": false,
-			"type": "string"
-		},
-		"session_domain": {
-			"nullable": false,
-			"type": "string"
-		},
-		"redirect_url": {
-			"nullable": false,
-			"type": "string"
-		},
-		"jwt_secret": {
-			"nullable": false,
-			"type": "string"
-		},
-		"session_secret": {
-			"nullable": false,
-			"type": "string"
-		},
-		"storage_encryption_key": {
-			"nullable": false,
-			"type": "string"
-		},
-		"users_file_path": {
-			"nullable": false,
-			"type": "string",
-			"default": "/var/authelia/users.yml"
-		},
-		"log_file_path": {
-			"nullable": false,
-			"type": "string",
-			"default": "/var/authelia/log.jsonl"
-		},
-		"storage": {
-			"anyOf": [
-				{
-					"nullable": false,
-					"type": "object",
-					"properties": {
-						"kind": {
-							"nullable": false,
-							"type": "string",
-							"enum": ["sqlite"],
-							"default": "sqlite"
-						},
-						"data": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-								"path": {
-									"nullable": false,
-									"type": "string",
-									"default": "/var/authelia/state.db"
-								}
-							},
-							"additionalProperties": false,
-							"required": [
-								"path"
-							],
-							"default": {
-							}
-						}
-					},
-					"additionalProperties": false,
-					"required": [
-						"kind",
-						"data"
-					],
-					"default": {
-					}
-				},
-				{
-					"nullable": false,
-					"type": "object",
-					"properties": {
-						"kind": {
-							"nullable": false,
-							"type": "string",
-							"enum": ["postgresql"]
-						},
-						"data": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-								"host": {
-									"nullable": false,
-									"type": "string",
-									"ddefault": "localhost"
-								},
-								"port": {
-									"nullable": false,
-									"type": "integer",
-									"default": 5432
-								},
-								"username": {
-									"nullable": false,
-									"type": "string",
-									"default": "authelia_user"
-								},
-								"password": {
-									"nullable": false,
-									"type": "string"
-								},
-								"schema": {
-									"nullable": false,
-									"type": "string",
-									"default": "authelia"
-								}
-							},
-							"additionalProperties": false,
-							"required": [
-								"host",
-								"port",
-								"username",
-								"password",
-								"schema"
-							],
-							"default": {
-							}
-						}
-					},
-					"additionalProperties": false,
-					"required": [
-						"kind",
-						"data"
-					],
-					"default": {
-					}
-				},
-				{
-					"nullable": false,
-					"type": "object",
-					"properties": {
-						"kind": {
-							"nullable": false,
-							"type": "string",
-							"enum": ["mariadb"]
-						},
-						"data": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-								"host": {
-									"nullable": false,
-									"type": "string",
-									"ddefault": "localhost"
-								},
-								"port": {
-									"nullable": false,
-									"type": "integer",
-									"default": 3306
-								},
-								"username": {
-									"nullable": false,
-									"type": "string",
-									"default": "authelia_user"
-								},
-								"password": {
-									"nullable": false,
-									"type": "string"
-								},
-								"schema": {
-									"nullable": false,
-									"type": "string",
-									"default": "authelia"
-								}
-							},
-							"additionalProperties": false,
-							"required": [
-								"host",
-								"port",
-								"username",
-								"password",
-								"schema"
-							],
-							"default": {
-							}
-						}
-					},
-					"additionalProperties": false,
-					"required": [
-						"kind",
-						"data"
-					],
-					"default": {
-					}
-				}
-			]
-		},
-		"ntp_server": {
-			"nullable": false,
-			"type": "string",
-			"default": "time.cloudflare.com:123"
-		},
-		"password_reset": {
-			"nullable": false,
-			"type": "object",
-			"properties": {
-				"enabled": {
-					"nullable": false,
-					"type": "boolean",
-					"default": false
-				},
-				"custom_url": {
-					"nullable": true,
-					"type": "string",
-					"default": null
-				}
-			},
-			"additionalProperties": false,
-			"required": [
-				"enabled",
-				"custom_url"
-			],
-			"default": {
-			}
-		},
-		"notification": {
-			"anyOf": [
-				{
-					"nullable": false,
-					"type": "object",
-					"properties": {
-						"kind": {
-							"nullable": false,
-							"type": "string",
-							"enum": ["file"],
-							"default": "file"
-						},
-						"data": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-								"path": {
-									"nullable": false,
-									"type": "string",
-									"default": "/var/authelia/notifications"
-								}
-							},
-							"additionalProperties": false,
-							"required": [
-								"path"
-							],
-							"default": {
-							}
-						}
-					},
-					"additionalProperties": false,
-					"required": [
-						"kind",
-						"data"
-					],
-					"default": {
-					}
-				},
-				{
-					"nullable": false,
-					"type": "object",
-					"properties": {
-						"kind": {
-							"nullable": false,
-							"type": "string",
-							"enum": ["smtp"],
-							"default": "smtp"
-						},
-						"data": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-								"host": {
-									"nullable": false,
-									"type": "string"
-								},
-								"port": {
-									"nullable": false,
-									"type": "integer",
-									"default": 465
-								},
-								"username": {
-									"nullable": false,
-									"type": "string",
-									"default": "authelia"
-								},
-								"password": {
-									"nullable": false,
-									"type": "string"
-								},
-								"sender": {
-									"nullable": false,
-									"type": "string",
-									"default": "authelia@example.org"
-								}
-							},
-							"additionalProperties": false,
-							"required": [
-								"host",
-								"port",
-								"username",
-								"password",
-								"sender"
-							]
-						}
-					},
-					"additionalProperties": false,
-					"required": [
-						"kind",
-						"data"
-					],
-					"default": {
-					}
-				}
-			]
-		},
-		"oidc": {
-			"nullable": false,
-			"type": "object",
-			"properties": {
-				"hmac_secret": {
-					"nullable": false,
-					"type": "string"
-				},
-				"lifespan": {
-					"nullable": false,
-					"type": "object",
-					"properties": {
-						"default": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-								"access_token": {
-									"nullable": false,
-									"type": "string",
-									"default": "1h"
-								},
-								"refresh_token": {
-									"nullable": false,
-									"type": "string",
-									"default": "1m"
-								}
-							},
-							"additionalProperties": false,
-							"required": [
-							],
-							"default": {
-							}
-						},
-						"custom": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-							},
-							"additionalProperties": {
-								"nullable": false,
-								"type": "object",
-								"properties": {
-									"access_token": {
-										"nullable": false,
-										"type": "string"
-									},
-									"refresh_token": {
-										"nullable": false,
-										"type": "string"
-									}
-								},
-								"additionalProperties": false,
-								"required": [
-									"access_token",
-									"refresh_token"
-								]
-							},
-							"required": [
-							],
-							"default": {
-								"long": {
-									"access_token": "2d",
-									"refresh_token": "3d"
-								}
-							}
-						}
-					},
-					"additionalProperties": false,
-					"required": [
-					],
-					"default": {
-					}
-				},
-				"cors_endpoints": {
-					"nullable": true,
-					"type": "array",
-					"items": {
-						"nullable": false,
-						"type": "string",
-						"enum": [
-							"authorization",
-							"pushed-authorization-request",
-							"token",
-							"revocation",
-							"introspection",
-							"userinfo"
-						]
-					},
-					"default": [
-						"authorization",
-						"token",
-						"revocation",
-						"introspection",
-						"userinfo"
-					]
-				}
-			},
-			"additionalProperties": false,
-			"required": [
-				"hmac_secret",
-				"lifespan",
-				"cors_endpoints"
-			],
-			"default": {
-			}
-		}
-	},
-	"additionalProperties": false,
-	"required": [
-		"listen_address",
-		"domain",
-		"session_domain",
-		"redirect_url",
-		"jwt_secret",
-		"session_secret",
-		"storage_encryption_key",
-		"users_file_path",
-		"log_file_path",
-		"storage",
-		"ntp_server",
-		"notification",
-		"oidc"
-	],
-	"default": {
-	}
-}

roles/authelia/defaults/main.json

@@ -1,45 +1,39 @@
 {
-	"cfg_authelia_defaults": {
-		"listen_address": "0.0.0.0",
-		"users_file_path": "/var/authelia/users.yml",
-		"log_file_path": "/var/authelia/log.jsonl",
-		"storage": {
-			"kind": "sqlite",
-			"data": {
-				"path": "/var/authelia/state.db"
-			}
-		},
-		"ntp_server": "time.cloudflare.com:123",
-		"password_reset": {
-			"enabled": false,
-			"custom_url": null
-		},
-		"notification": {
-			"kind": "file",
-			"data": {
-				"path": "/var/authelia/notifications"
-			}
-		},
-		"oidc": {
-			"lifespan": {
-				"default": {
-					"access_token": "1d",
-					"refresh_token": "1h"
-				},
-				"custom": {
-					"long": {
-						"access_token": "2d",
-						"refresh_token": "3d"
-					}
-				}
-			},
-			"cors_endpoints": [
-				"authorization",
-				"token",
-				"revocation",
-				"introspection",
-				"userinfo"
-			]
-		}
-	}
+	"var_authelia_version": "4.37.5",
+	"var_authelia_architecture": "amd64",
+	"var_authelia_listen_address": "0.0.0.0",
+	"var_authelia_jwt_secret": "REPLACE_ME",
+	"var_authelia_users_file_path": "/var/authelia/users.yml",
+	"var_authelia_log_file_path": "/var/authelia/log.jsonl",
+	"var_authelia_domain": "authelia.example.org",
+	"var_authelia_redirect_url": "https://example.org",
+	"var_authelia_session_domain": "example.org",
+	"var_authelia_session_secret": "REPLACE_ME",
+	"var_authelia_storage_encryption_key": "REPLACE_ME",
+	"var_authelia_storage_kind": "sqlite",
+	"var_authelia_storage_data_sqlite_path": "/var/authelia/state.db",
+	"var_authelia_storage_data_postgresql_host": "localhost",
+	"var_authelia_storage_data_postgresql_port": 5432,
+	"var_authelia_storage_data_postgresql_username": "authelia_user",
+	"var_authelia_storage_data_postgresql_password": "REPLACE_ME",
+	"var_authelia_storage_data_postgresql_schema": "authelia",
+	"var_authelia_storage_data_mariadb_host": "localhost",
+	"var_authelia_storage_data_mariadb_port": 3306,
+	"var_authelia_storage_data_mariadb_username": "authelia_user",
+	"var_authelia_storage_data_mariadb_password": "REPLACE_ME",
+	"var_authelia_storage_data_mariadb_schema": "authelia",
+	"var_authelia_ntp_server": "time.cloudflare.com:123",
+	"var_authelia_password_reset_enabled": false,
+	"var_authelia_password_reset_custom_url": null,
+	"var_authelia_notification_mode": "smtp",
+	"var_authelia_notification_file_path": "/var/authelia/notifications",
+	"var_authelia_notification_smtp_host": "smtp.example.org",
+	"var_authelia_notification_smtp_port": 465,
+	"var_authelia_notification_smtp_username": "authelia",
+	"var_authelia_notification_smtp_password": "REPLACE_ME",
+	"var_authelia_notification_smtp_sender": "authelia@example.org",
+	"var_authelia_oidc_hmac_secret": "REPLACE_ME",
+	"var_authelia_oidc_lifespan_access_token": "1h",
+	"var_authelia_oidc_lifespan_refresh_token": "1m",
+	"var_authelia_oidc_cors_endpoints": null
 }

roles/authelia/tasks/main.json

@@ -1,45 +1,32 @@
 [
 	{
-		"name": "show vars",
-		"when": "switch_show_vars",
-		"ansible.builtin.debug": {
-			"var": "vars.cfg_authelia"
-		}
-	},
-	{
-		"name": "packages",
-		"block": [
-			{
-				"name": "prerequisites",
+		"name": "packages | prerequisites",
 		"become": true,
 		"ansible.builtin.apt": {
 			"update_cache": true,
 			"pkg": [
 				"apt-transport-https",
-						"ca-certificates",
 				"gpg"
 			]
 		}
 	},
 	{
-				"name": "keys",
+		"name": "packages | keys",
 		"become": true,
-				"ansible.builtin.get_url": {
-					"url": "https://www.authelia.com/keys/authelia-security.gpg",
-					"dest": "/usr/share/keyrings/authelia-security.gpg"
+		"ansible.builtin.apt_key": {
+			"url": "https://apt.authelia.com/organization/signing.asc"
 		}
 	},
 	{
-				"name": "repository",
+		"name": "packages | repository",
 		"become": true,
-				"ansible.builtin.shell": {
-					"cmd": "echo \"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/authelia-security.gpg] https://apt.authelia.com stable main\" > /etc/apt/sources.list.d/authelia.list",
-					"creates": "/etc/apt/sources.list.d/authelia.list"
+		"ansible.builtin.apt_repository": {
+			"repo": "deb https://apt.authelia.com/stable/debian/debian/ all main"
 		}
 
 	},
 	{
-				"name": "installation",
+		"name": "packages | installation",
 		"become": true,
 		"ansible.builtin.apt": {
 			"update_cache": true,
@@ -50,8 +37,6 @@
 				"authelia"
 			]
 		}
-			}
-		]
 	},
 	{
 		"name": "generate private key for signing OIDC JWTs",
@@ -64,9 +49,6 @@
 		},
 		"register": "temp_tls_result"
 	},
-	{
-		"name": "configuration",
-		"block": [
 	{
 		"name": "configuration | compose script",
 		"become": true,
@@ -102,51 +84,40 @@
 		"ansible.builtin.command": {
 			"cmd": "/usr/bin/authelia-conf-compose --main-file-path=/etc/authelia/conf.d/main.json --clients-directory-path=/etc/authelia/conf.d/clients --output-format=yaml --output-path=/etc/authelia/configuration.yml"
 		}
-			}
-		]
 	},
 	{
 		"name": "setup log directory",
 		"become": true,
 		"ansible.builtin.file": {
 			"state": "directory",
-			"owner": "authelia",
-			"group": "authelia",
-			"path": "{{cfg_authelia.log_file_path | dirname}}"
+			"path": "{{var_authelia_log_file_path | dirname}}"
 		}
 	},
 	{
-		"name": "users",
-		"block": [
-			{
-				"name": "directory",
+		"name": "users | directory",
 		"become": true,
 		"ansible.builtin.file": {
 			"state": "directory",
-					"owner": "authelia",
-					"group": "authelia",
-					"path": "{{cfg_authelia.users_file_path | dirname}}"
+			"path": "{{var_authelia_users_file_path | dirname}}"
 		}
 	},
 	{
-				"name": "initial file",
+		"name": "users | initial file",
 		"become": true,
 		"ansible.builtin.template": {
 			"src": "users.yml.j2",
-					"dest": "{{cfg_authelia.users_file_path}}",
+			"dest": "{{var_authelia_users_file_path}}",
 			"force": false
 		}
 	},
 	{
-				"name": "management script",
+		"name": "users | management script",
 		"become": true,
 		"ansible.builtin.copy": {
 			"src": "user-manage.py",
 			"dest": "/usr/bin/authelia-user-manage",
 			"mode": "0700"
 		}
-			}
-		]
 	},
 	{
 		"name": "apply",

roles/authelia/templates/conf-main.json.j2

@@ -2,12 +2,12 @@
 	"theme": "auto",
 	"identity_validation": {
 		"reset_password": {
-			"jwt_secret": "{{cfg_authelia.jwt_secret}}"
+			"jwt_secret": "{{var_authelia_jwt_secret}}"
 		}
 	},
 	"default_2fa_method": "totp",
 	"server": {
-		"address": "{{cfg_authelia.listen_address}}:9091",
+		"address": "{{var_authelia_listen_address}}:9091",
 		"endpoints": {
 			"enable_pprof": false,
 			"enable_expvars": false
@@ -17,7 +17,7 @@
 	"log": {
 		"level": "info",
 		"format": "json",
-		"file_path": "{{cfg_authelia.log_file_path}}",
+		"file_path": "{{var_authelia_log_file_path}}",
 		"keep_stdout": false
 	},
 	"telemetry": {
@@ -43,7 +43,7 @@
 		"user_verification": "preferred"
 	},
 	"ntp": {
-		"address": "{{cfg_authelia.ntp_server}}",
+		"address": "{{var_authelia_ntp_server}}",
 		"version": 4,
 		"max_desync": "3s",
 		"disable_startup_check": false,
@@ -51,16 +51,16 @@
 	},
 	"authentication_backend": {
 		"password_reset": {
-{% if cfg_authelia.password_reset.enabled %}
+{% if var_authelia_password_reset_enabled %}
 			"disable": false,
 {% else %}
 			"disable": true,
 {% endif %}
-			"custom_url": {{cfg_authelia.password_reset.custom_url | to_json}}
+			"custom_url": "{{var_authelia_password_reset_custom_url}}"
 		},
 		"refresh_interval": "5m",
 		"file": {
-			"path": "{{cfg_authelia.users_file_path}}",
+			"path": "{{var_authelia_users_file_path}}",
 			"watch": true,
 			"search": {
 				"email": false,
@@ -121,15 +121,15 @@
 	"session": {
 		"name": "authelia_session",
 		"same_site": "lax",
-		"secret": "{{cfg_authelia.session_secret}}",
+		"secret": "{{var_authelia_session_secret}}",
 		"expiration": "1h",
 		"inactivity": "5m",
 		"remember_me": "1M",
 		"cookies": [
 			{
-				"domain": "{{cfg_authelia.session_domain}}",
-				"authelia_url": "https://{{cfg_authelia.domain}}/",
-				"default_redirection_url": "{{cfg_authelia.redirect_url}}"
+				"domain": "{{var_authelia_session_domain}}",
+				"authelia_url": "https://{{var_authelia_domain}}/",
+				"default_redirection_url": "{{var_authelia_redirect_url}}"
 			}
 		]
 	},
@@ -139,44 +139,44 @@
 		"ban_time": "5m"
 	},
 	"storage": {
-		"encryption_key": "{{cfg_authelia.storage_encryption_key}}",
-{% if cfg_authelia.storage.kind == "sqlite" %}
+		"encryption_key": "{{var_authelia_storage_encryption_key}}",
+{% if var_authelia_storage_kind == "sqlite" %}
 		"local": {
-			"path": "{{cfg_authelia.storage.data.path}}"
+			"path": "{{var_authelia_storage_data_sqlite_path}}"
 		}
 {% endif %}
-{% if cfg_authelia.storage.kind == "postgresql" %}
+{% if var_authelia_storage_kind == "postgresql" %}
 		"postgres": {
-			"address": "{{cfg_authelia.storage.data.host}}:{{cfg_authelia.storage.data.port | string}}",
+			"address": "{{var_authelia_storage_data_postgresql_host}}:{{var_authelia_storage_data_postgresql_port | string}}",
 			"schema": "public",
-			"username": "{{cfg_authelia.storage.data.username}}",
-			"password": "{{cfg_authelia.storage.data.password}}",
-			"database": "{{cfg_authelia.storage.data.schema}}"
+			"username": "{{var_authelia_storage_data_postgresql_username}}",
+			"password": "{{var_authelia_storage_data_postgresql_password}}",
+			"database": "{{var_authelia_storage_data_postgresql_schema}}"
 		}
 {% endif %}
-{% if cfg_authelia.storage.kind == "mariadb" %}
+{% if var_authelia_storage_kind == "mariadb" %}
 		"mysql": {
-			"host": "{{cfg_authelia.storage.data.host}}",
-			"port": {{cfg_authelia.storage.data.port | string}},
-			"username": "{{cfg_authelia.storage.data.username}}",
-			"password": "{{cfg_authelia.storage.data.password}}",
-			"database": "{{cfg_authelia.storage.data.schema}}"
+			"host": "{{var_authelia_storage_data_mariadb_host}}",
+			"port": {{var_authelia_storage_data_mariadb_port | string}},
+			"username": "{{var_authelia_storage_data_mariadb_username}}",
+			"password": "{{var_authelia_storage_data_mariadb_password}}",
+			"database": "{{var_authelia_storage_data_mariadb_schema}}"
 		}
 {% endif %}
 	},
 	"notifier": {
 		"disable_startup_check": true,
-{% if cfg_authelia.notification.kind == "file" %}
+{% if var_authelia_notification_mode == "file" %}
 		"filesystem": {
-			"filename": "{{cfg_authelia.notification.data.path}}"
+			"filename": "{{var_authelia_notification_file_path}}"
 		}
 {% endif %}
-{% if cfg_authelia.notification.kind == "smtp" %}
+{% if var_authelia_notification_mode == "smtp" %}
 		"smtp": {
-			"address": "{{cfg_authelia.notification.data.host}}:{{cfg_authelia.notification.data.port | string}}",
-			"username": "{{cfg_authelia.notification.data.username}}",
-			"password": "{{cfg_authelia.notification.data.password}}",
-			"sender": "{{cfg_authelia.notification.data.sender}}",
+			"address": "{{var_authelia_notification_smtp_host}}:{{var_authelia_notification_smtp_port | string}}",
+			"username": "{{var_authelia_notification_smtp_username}}",
+			"password": "{{var_authelia_notification_smtp_password}}",
+			"sender": "{{var_authelia_notification_smtp_sender}}",
 			"disable_require_tls": false,
 			"disable_html_emails": false,
 			"tls": {
@@ -187,7 +187,7 @@
 	},
 	"identity_providers": {
 		"oidc": {
-			"hmac_secret": "{{cfg_authelia.oidc.hmac_secret}}",
+			"hmac_secret": "{{var_authelia_oidc_hmac_secret}}",
 			"jwks": [
 				{
 					"algorithm": "RS256",
@@ -195,15 +195,14 @@
 				}
 			],
 			"lifespans": {
-				"access_token": "{{cfg_authelia.oidc.lifespan.default.access_token}}",
-				"refresh_token": "{{cfg_authelia.oidc.lifespan.default.refresh_token}}",
-				"custom": {{cfg_authelia.oidc.lifespan.custom | to_json}}
+				"access_token": "{{var_authelia_oidc_lifespan_access_token}}",
+				"refresh_token": "{{var_authelia_oidc_lifespan_refresh_token}}"
 			},
 			"cors": {
 				"allowed_origins_from_client_redirect_uris": true
-{% if cfg_authelia.oidc.cors_endpoints == None %}
+{% if var_authelia_oidc_cors_endpoints == None %}
 {% else %}
-				,"endpoints": {{cfg_authelia.oidc.cors_endpoints | to_json}}
+				,"endpoints": {{var_authelia_oidc_cors_endpoints | to_json}}
 {% endif %}
 			},
 			"clients": [

roles/authelia/vardef.json

@@ -0,0 +1,169 @@
+{
+	"version": {
+		"type": "string",
+		"mandatory": false
+	},
+	"architecture": {
+		"type": "string",
+		"mandatory": false
+	},
+	"listen_address": {
+		"type": "string",
+		"mandatory": false
+	},
+	"jwt_secret": {
+		"type": "string",
+		"mandatory": true
+	},
+	"users_file_path": {
+		"type": "string",
+		"mandatory": false
+	},
+	"log_file_path": {
+		"type": "string",
+		"mandatory": false
+	},
+	"domain": {
+		"type": "string",
+		"mandatory": false
+	},
+	"redirect_url": {
+		"type": "string",
+		"mandatory": false
+	},
+	"session_domain": {
+		"type": "string",
+		"mandatory": false
+	},
+	"session_secret": {
+		"type": "string",
+		"mandatory": true
+	},
+	"storage_encryption_key": {
+		"type": "string",
+		"mandatory": true
+	},
+	"storage_kind": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_sqlite_path": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_postgresql_host": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_postgresql_port": {
+		"type": "integer",
+		"mandatory": false
+	},
+	"storage_data_postgresql_username": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_postgresql_password": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_postgresql_schema": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_mariadb_host": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_mariadb_port": {
+		"type": "integer",
+		"mandatory": false
+	},
+	"storage_data_mariadb_username": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_mariadb_password": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_mariadb_schema": {
+		"type": "string",
+		"mandatory": false
+	},
+	"ntp_server": {
+		"type": "string",
+		"mandatory": false
+	},
+	"password_reset_enabled": {
+		"type": "boolean",
+		"mandatory": false
+	},
+	"password_reset_custom_url": {
+		"nullable": true,
+		"type": "string",
+		"mandatory": false
+	},
+	"notification_mode": {
+		"type": "string",
+		"mandatory": false,
+		"options": [
+			"file",
+			"smtp"
+		]
+	},
+	"notification_file_path": {
+		"type": "string",
+		"mandatory": false
+	},
+	"notification_smtp_host": {
+		"type": "string",
+		"mandatory": false
+	},
+	"notification_smtp_port": {
+		"type": "integer",
+		"mandatory": false
+	},
+	"notification_smtp_username": {
+		"type": "string",
+		"mandatory": false
+	},
+	"notification_smtp_password": {
+		"type": "string",
+		"mandatory": false
+	},
+	"notification_smtp_sender": {
+		"type": "string",
+		"mandatory": false
+	},
+	"oidc_hmac_secret": {
+		"type": "string",
+		"mandatory": true
+	},
+	"oidc_lifespan_access_token": {
+		"nullable": true,
+		"type": "string",
+		"mandatory": false
+	},
+	"oidc_lifespan_refresh_token": {
+		"nullable": true,
+		"type": "string",
+		"mandatory": false
+	},
+	"oidc_cors_endpoints": {
+		"nullable": true,
+		"type": "array",
+		"items": {
+			"type": "string",
+			"enum": [
+				"authorization",
+				"pushed-authorization-request",
+				"token",
+				"revocation",
+				"introspection",
+				"userinfo"
+			]
+		},
+		"mandatory": false
+	}
+}

roles/forgejo/defaults/main.json

@@ -2,7 +2,7 @@
 	"var_forgejo_user": "forgejo",
 	"var_forgejo_directory_main": "/opt/forgejo",
 	"var_forgejo_directory_repositories": "/var/forgejo/repositories",
-	"var_forgejo_version": "10.0.3",
+	"var_forgejo_version": "7.0.5",
 	"var_forgejo_platform": "linux-amd64",
 	"var_forgejo_secret_key": "REPLACE_ME",
 	"var_forgejo_internal_token": "REPLACE_ME",

roles/hedgedoc-and-nginx/cfg.schema.json

@@ -1,24 +0,0 @@
-{
-	"nullable": false,
-	"type": "object",
-	"properties": {
-		"domain": {
-			"nullable": false,
-			"type": "string"
-		},
-		"tls_mode": {
-			"nullable": false,
-			"type": "string",
-			"options": [
-				"disable",
-				"enable",
-				"force"
-			],
-			"default": "force"
-		}
-	},
-	"additionalProperties": false,
-	"required": [
-		"domain"
-	]
-}

roles/hedgedoc-and-nginx/defaults/main.json

@@ -1,5 +1,4 @@
 {
-	"cfg_hedgedoc_and_nginx_defaults": {
-		"tls_mode": "force"
-	}
+	"var_hedgedoc_and_nginx_domain": "hedgedoc.example.org",
+	"var_hedgedoc_and_nginx_tls_mode": "force"
 }

roles/hedgedoc-and-nginx/tasks/main.json

@@ -1,11 +1,4 @@
 [
-	{
-		"name": "show vars",
-		"when": "switch_show_vars",
-		"ansible.builtin.debug": {
-			"var": "vars.cfg_hedgedoc_and_nginx"
-		}
-	},
 	{
 		"name": "deactivate default site",
 		"become": true,
@@ -19,7 +12,7 @@
 		"become": true,
 		"ansible.builtin.template": {
 			"src": "conf.j2",
-			"dest": "/etc/nginx/sites-available/{{cfg_hedgedoc_and_nginx.domain}}"
+			"dest": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}"
 		}
 	},
 	{
@@ -27,8 +20,8 @@
 		"become": true,
 		"ansible.builtin.file": {
 			"state": "link",
-			"src": "/etc/nginx/sites-available/{{cfg_hedgedoc_and_nginx.domain}}",
-			"dest": "/etc/nginx/sites-enabled/{{cfg_hedgedoc_and_nginx.domain}}"
+			"src": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}",
+			"dest": "/etc/nginx/sites-enabled/{{var_hedgedoc_and_nginx_domain}}"
 		}
 	},
 	{

roles/hedgedoc-and-nginx/templates/conf.j2

@@ -24,27 +24,27 @@ map $http_upgrade $connection_upgrade {
 {% endmacro %}
 
 server {
-	server_name {{cfg_hedgedoc_and_nginx.domain}};
+	server_name {{var_hedgedoc_and_nginx_domain}};
 	
 	listen 80;
 	listen [::]:80;
 	
-{% if (cfg_hedgedoc_and_nginx.tls_mode == 'force') %}
+{% if (var_element_and_nginx_tls_mode == 'force') %}
 	return 301 https://$http_host$request_uri;
 {% else %}
 {{ hedgedoc_common() }}
 {% endif %}
 }
 
-{% if (cfg_hedgedoc_and_nginx.tls_mode != 'disable') %}
+{% if (var_hedgedoc_and_nginx_tls_mode != 'disable') %}
 server {
-	server_name {{cfg_hedgedoc_and_nginx.domain}};
+	server_name {{var_hedgedoc_and_nginx_domain}};
 	
 	listen [::]:443 ssl http2;
 	listen 443 ssl http2;
 	
-	ssl_certificate_key /etc/ssl/private/{{cfg_hedgedoc_and_nginx.domain}}.pem;
-	ssl_certificate /etc/ssl/fullchains/{{cfg_hedgedoc_and_nginx.domain}}.pem;
+	ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem;
+	ssl_certificate /etc/ssl/fullchains/{{var_hedgedoc_and_nginx_domain}}.pem;
 	include /etc/nginx/ssl-hardening.conf;
 	
 {{ hedgedoc_common() }}

roles/hedgedoc-and-nginx/vardef.json

@@ -0,0 +1,15 @@
+{
+	"domain": {
+		"type": "string",
+		"mandatory": false
+	},
+	"tls_mode": {
+		"type": "string",
+		"options": [
+			"disable",
+			"enable",
+			"force"
+		],
+		"mandatory": false
+	}
+}

roles/hedgedoc/cfg.schema.json

@@ -1,248 +0,0 @@
-{
-	"nullable": false,
-	"type": "object",
-	"properties": {
-		"user_name": {
-			"nullable": false,
-			"type": "string",
-			"default": "hedgedoc"
-		},
-		"directory": {
-			"nullable": false,
-			"type": "string",
-			"default": "/opt/hedgedoc"
-		},
-		"version": {
-			"nullable": false,
-			"type": "string",
-			"default": "1.10.3"
-		},
-		"domain": {
-			"nullable": false,
-			"type": "string"
-		},
-		"session_secret": {
-			"nullable": false,
-			"type": "string"
-		},
-		"database": {
-			"anyOf": [
-				{
-					"nullable": false,
-					"type": "object",
-					"properties": {
-						"kind": {
-							"nullable": false,
-							"type": "string",
-							"enum": ["sqlite"],
-							"default": "sqlite"
-						},
-						"data": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-								"path": {
-									"nullable": false,
-									"type": "string",
-									"default": "/var/hedgedoc/data.sqlite"
-								}
-							},
-							"additionalProperties": false,
-							"required": [
-								"path"
-							],
-							"default": {
-							}
-						}
-					},
-					"additionalProperties": false,
-					"required": [
-						"kind",
-						"data"
-					]
-				},
-				{
-					"nullable": false,
-					"type": "object",
-					"properties": {
-						"kind": {
-							"nullable": false,
-							"type": "string",
-							"enum": ["postgresql"],
-							"default": "postgresql"
-						},
-						"data": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-								"host": {
-									"nullable": false,
-									"type": "string",
-									"default": "localhost"
-								},
-								"port": {
-									"nullable": false,
-									"type": "integer",
-									"default": 5432
-								},
-								"username": {
-									"nullable": false,
-									"type": "string",
-									"default": "hedgedoc_user"
-								},
-								"password": {
-									"nullable": false,
-									"type": "string"
-								},
-								"schema": {
-									"nullable": false,
-									"type": "string",
-									"default": "hedgedoc"
-								}
-							},
-							"additionalProperties": false,
-							"required": [
-								"host",
-								"port",
-								"username",
-								"password",
-								"schema"
-							]
-						}
-					},
-					"additionalProperties": false,
-					"required": [
-						"kind",
-						"data"
-					]
-				}
-			]
-		},
-		"authentication": {
-			"anyOf": [
-				{
-					"nullable": false,
-					"type": "object",
-					"properties": {
-						"kind": {
-							"nullable": false,
-							"type": "string",
-							"enum": ["internal"],
-							"default": "internal"
-						},
-						"data": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-							},
-							"additionalProperties": false,
-							"required": [
-							],
-							"default": {
-							}
-						}
-					},
-					"additionalProperties": false,
-					"required": [
-						"kind",
-						"data"
-					]
-				},
-				{
-					"nullable": false,
-					"type": "object",
-					"properties": {
-						"kind": {
-							"nullable": false,
-							"type": "string",
-							"enum": ["authelia"],
-							"default": "authelia"
-						},
-						"data": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-								"url_base": {
-									"nullable": false,
-									"type": "string"
-								},
-								"client_id": {
-									"nullable": false,
-									"type": "string",
-									"default": "hedgedoc"
-								},
-								"client_secret": {
-									"nullable": false,
-									"type": "string"
-								},
-								"provider_name": {
-									"nullable": false,
-									"type": "string",
-									"default": "Authelia"
-								}
-							},
-							"additionalProperties": false,
-							"required": [
-								"url_base",
-								"client_id",
-								"client_secret",
-								"provider_name"
-							]	
-						}
-					},
-					"additionalProperties": false,
-					"required": [
-						"kind",
-						"data"
-					]
-				}
-			]
-		},
-		"guest_allow_create": {
-			"nullable": false,
-			"type": "boolean",
-			"default": false
-		},
-		"guest_allow_change": {
-			"nullable": false,
-			"type": "boolean",
-			"default": false
-		},
-		"free_names_mode": {
-			"nullable": false,
-			"type": "string",
-			"enum": [
-				"never",
-				"authed",
-				"always"
-			],
-			"default": "authed"
-		},
-		"log_level": {
-			"nullable": false,
-			"type": "string",
-			"enum": [
-				"debug",
-				"verbose",
-				"info",
-				"warn",
-				"error"
-			],
-			"default": "error"
-		}
-	},
-	"additionalProperties": false,
-	"required": [
-		"user_name",
-		"directory",
-		"version",
-		"domain",
-		"session_secret",
-		"database",
-		"authentication",
-		"guest_allow_create",
-		"guest_allow_change",
-		"free_names_mode",
-		"log_level"
-	]
-}

roles/hedgedoc/defaults/main.json

@@ -1,22 +1,21 @@
 {
-	"cfg_hedgedoc_defaults": {
-		"user_name": "hedgedoc",
-		"directory": "/opt/hedgedoc",
-		"version": "1.10.3",
-		"database": {
-			"kind": "sqlite",
-			"data": {
-				"path": "/var/hedgedoc/data.sqlite"
-			}
-		},
-		"authentication": {
-			"kind": "internal",
-			"data": {
-			}
-		},
-		"guest_allow_create": false,
-		"guest_allow_change": false,
-		"free_names_mode": "authed",
-		"log_level": "error"
-	}
+	"var_hedgedoc_user_name": "hedgedoc",
+	"var_hedgedoc_directory": "/opt/hedgedoc",
+	"var_hedgedoc_version": "1.9.9",
+	"var_hedgedoc_session_secret": "REPLACE_ME",
+	"var_hedgedoc_database_kind": "sqlite",
+	"var_hedgedoc_database_data_sqlite_path": "/var/hedgedoc/data.sqlite",
+	"var_hedgedoc_database_data_postgresql_host": "localhost",
+	"var_hedgedoc_database_data_postgresql_port": 5432,
+	"var_hedgedoc_database_data_postgresql_username": "hedgedoc_user",
+	"var_hedgedoc_database_data_postgresql_password": "REPLACE_ME",
+	"var_hedgedoc_database_data_postgresql_schema": "hedgedoc",
+	"var_hedgedoc_domain": "hedgedoc.example.org",
+	"var_hedgedoc_authentication_kind": "internal",
+	"var_hedgedoc_authentication_data_authelia_client_id": "hedgedoc",
+	"var_hedgedoc_authentication_data_authelia_client_secret": "REPLACE_ME",
+	"var_hedgedoc_authentication_data_authelia_url_base": "https://authelia.example.org",
+	"var_hedgedoc_guest_allow_create": false,
+	"var_hedgedoc_guest_allow_change": false,
+	"var_hedgedoc_free_names_mode": "authed"
 }

roles/hedgedoc/tasks/main.json

@@ -1,11 +1,4 @@
 [
-	{
-		"name": "show vars",
-		"when": "switch_show_vars",
-		"ansible.builtin.debug": {
-			"var": "vars.cfg_hedgedoc"
-		}
-	},
 	{
 		"name": "packages",
 		"become": true,
@@ -33,41 +26,16 @@
 		"name": "user",
 		"become": true,
 		"ansible.builtin.user": {
-			"name": "{{cfg_hedgedoc.user_name}}",
+			"name": "{{var_hedgedoc_user_name}}",
 			"create_home": true,
-			"home": "{{cfg_hedgedoc.directory}}"
+			"home": "{{var_hedgedoc_directory}}"
 		}
 	},
-	{
-		"name": "database",
-		"when": "cfg_hedgedoc.database.kind == 'sqlite'",
-		"block": [
-			{
-				"name": "database | directory",
-				"become": true,
-				"ansible.builtin.file": {
-					"state": "directory",
-					"path": "{{cfg_hedgedoc.database.data.sqlite.path | dirname}}",
-					"owner": "{{cfg_hedgedoc.user_name}}"
-				}
-			},
-			{
-				"name": "database | file",
-				"become": true,
-				"ansible.builtin.file": {
-					"state": "touch",
-					"path": "{{cfg_hedgedoc.database.data.sqlite.path}}",
-					"owner": "{{cfg_hedgedoc.user_name}}"
-				}
-			}
-		]
-
-	},
 	{
 		"name": "download",
 		"become": false,
 		"ansible.builtin.get_url": {
-			"url": "https://github.com/hedgedoc/hedgedoc/releases/download/{{cfg_hedgedoc.version}}/hedgedoc-{{cfg_hedgedoc.version}}.tar.gz",
+			"url": "https://github.com/hedgedoc/hedgedoc/releases/download/{{var_hedgedoc_version}}/hedgedoc-{{var_hedgedoc_version}}.tar.gz",
 			"dest": "/tmp/hedgedoc.tar.gz"
 		}
 	},
@@ -77,8 +45,8 @@
 		"ansible.builtin.unarchive": {
 			"remote_src": true,
 			"src": "/tmp/hedgedoc.tar.gz",
-			"dest": "{{cfg_hedgedoc.directory | dirname}}",
-			"owner": "{{cfg_hedgedoc.user_name}}"
+			"dest": "{{var_hedgedoc_directory | dirname}}",
+			"owner": "{{var_hedgedoc_user_name}}"
 		}
 	},
 	{
@@ -86,7 +54,7 @@
 		"become": true,
 		"become_user": "hedgedoc",
 		"ansible.builtin.command": {
-			"chdir": "{{cfg_hedgedoc.directory}}",
+			"chdir": "{{var_hedgedoc_directory}}",
 			"cmd": "bin/setup"
 		}
 	},
@@ -95,7 +63,7 @@
 		"become": true,
 		"ansible.builtin.template": {
 			"src": "config.json.j2",
-			"dest": "{{cfg_hedgedoc.directory}}/config.json"
+			"dest": "{{var_hedgedoc_directory}}/config.json"
 		}
 	},
 	{

roles/hedgedoc/templates/config.json.j2

@@ -1,61 +1,61 @@
 {
 	"production": {
-		"loglevel": "{{cfg_hedgedoc.log_level}}",
-{% if cfg_hedgedoc.database.kind == 'sqlite' %}
+		"loglevel": "error",
+{% if var_hedgedoc_database_kind == 'sqlite' %}
 		"db": {
 			"dialect": "sqlite",
-			"storage": "{{cfg_hedgedoc.database.data.sqlite.path}}"
+			"storage": "{{var_hedgedoc_database_data_sqlite_path}}"
 		},
 {% endif %}
-{% if cfg_hedgedoc.database.kind == 'postgresql' %}
+{% if var_hedgedoc_database_kind == 'postgresql' %}
 		"db": {
 			"dialect": "postgres",
-			"host": "{{cfg_hedgedoc.database.data.postgresql.host}}",
-			"port": {{cfg_hedgedoc.database.data.postgresql.port | to_json}},
-			"username": "{{cfg_hedgedoc.database.data.postgresql.username}}",
-			"password": "{{cfg_hedgedoc.database.data.postgresql.password}}",
-			"database": "{{cfg_hedgedoc.database.data.postgresql.schema}}"
+			"host": "{{var_hedgedoc_database_data_postgresql_host}}",
+			"port": {{var_hedgedoc_database_data_postgresql_port | to_json}},
+			"username": "{{var_hedgedoc_database_data_postgresql_username}}",
+			"password": "{{var_hedgedoc_database_data_postgresql_password}}",
+			"database": "{{var_hedgedoc_database_data_postgresql_schema}}"
 		},
 {% endif %}
-		"sessionSecret": "{{cfg_hedgedoc.session_secret}}",
+		"sessionSecret": "{{var_hedgedoc_session_secret}}",
 		"host": "localhost",
 		"allowOrigin": [
 			"localhost"
 		],
-		"domain": "{{cfg_hedgedoc.domain}}",
+		"domain": "{{var_hedgedoc_domain}}",
 		"urlAddPort": false,
 		"protocolUseSSL": true,
-{% if cfg_hedgedoc.authentication.kind == 'internal' %}
+{% if var_hedgedoc_authentication_kind == 'internal' %}
 		"email": true,
 		"allowEmailRegister": true,
 {% endif %}
-{% if cfg_hedgedoc.authentication.kind == 'authelia' %}
+{% if var_hedgedoc_authentication_kind == 'authelia' %}
 		"oauth2": {
-			"providerName": "{{cfg_hedgedoc.authentication.data.authelia.provider_name}}",
-			"clientID": "{{cfg_hedgedoc.authentication.data.authelia.client_id}}",
-			"clientSecret": "{{cfg_hedgedoc.authentication.data.authelia.client_secret}}",
+			"providerName": "{{var_hedgedoc_authentication_data_authelia_provider_name}}",
+			"clientID": "{{var_hedgedoc_authentication_data_authelia_client_id}}",
+			"clientSecret": "{{var_hedgedoc_authentication_data_authelia_client_secret}}",
 			"scope": "openid email profile",
 			"userProfileUsernameAttr": "sub",
 			"userProfileDisplayNameAttr": "name",
 			"userProfileEmailAttr": "email",
-			"userProfileURL": "{{cfg_hedgedoc.authentication.data.authelia.url_base}}/api/oidc/userinfo",
-			"tokenURL": "{{cfg_hedgedoc.authentication.data.authelia.url_base}}/api/oidc/token",
-			"authorizationURL": "{{cfg_hedgedoc.authentication.data.authelia.url_base}}/api/oidc/authorization"
+			"userProfileURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/api/oidc/userinfo",
+			"tokenURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/api/oidc/token",
+			"authorizationURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/api/oidc/authorize"
 		},
 		"email": false,
 		"allowEmailRegister": false,
 {% endif %}
-		"allowAnonymous": {{cfg_hedgedoc.guest_allow_create | to_json}},
-		"allowAnonymousEdits": {{cfg_hedgedoc.guest_allow_change | to_json}},
-{% if cfg_hedgedoc.free_names_mode == 'never' %}
+		"allowAnonymous": {{var_hedgedoc_guest_allow_create | to_json}},
+		"allowAnonymousEdits": {{var_hedgedoc_guest_allow_change | to_json}},
+{% if var_hedgedoc_free_names_mode == 'never' %}
 		"allowFreeURL": false,
 		"requireFreeURLAuthentication": false,
 {% endif %}
-{% if cfg_hedgedoc.free_names_mode == 'authed' %}
+{% if var_hedgedoc_free_names_mode == 'authed' %}
 		"allowFreeURL": true,
 		"requireFreeURLAuthentication": true,
 {% endif %}
-{% if cfg_hedgedoc.free_names_mode == 'always' %}
+{% if var_hedgedoc_free_names_mode == 'always' %}
 		"allowFreeURL": true,
 		"requireFreeURLAuthentication": false,
 {% endif %}

roles/hedgedoc/templates/systemd-unit.j2

@@ -3,8 +3,8 @@ Description=Hedgedoc
 After=multi-user.target
 
 [Service]
-WorkingDirectory={{cfg_hedgedoc.directory}}
-User={{cfg_hedgedoc.user_name}}
+WorkingDirectory={{var_hedgedoc_directory}}
+User={{var_hedgedoc_user_name}}
 Environment="NODE_ENV=production"
 ExecStart=yarn start
 SyslogIdentifier=hedgedoc

roles/hedgedoc/vardef.json

@@ -0,0 +1,87 @@
+{
+	"user_name": {
+		"type": "string",
+		"mandatory": false
+	},
+	"directory": {
+		"type": "string",
+		"mandatory": false
+	},
+	"version": {
+		"type": "string",
+		"mandatory": false
+	},
+	"session_secret": {
+		"type": "string",
+		"mandatory": true
+	},
+	"database_kind": {
+		"type": "string",
+		"mandatory": false,
+		"options": [
+			"sqlite",
+			"postgresql",
+			"mariadb"
+		]
+	},
+	"database_data_sqlite_path": {
+		"type": "string",
+		"mandatory": false
+	},
+	"database_data_postgresql_host": {
+		"type": "string",
+		"mandatory": false
+	},
+	"database_data_postgresql_port": {
+		"type": "integer",
+		"mandatory": false
+	},
+	"database_data_postgresql_username": {
+		"type": "string",
+		"mandatory": false
+	},
+	"database_data_postgresql_password": {
+		"type": "string",
+		"mandatory": false
+	},
+	"database_data_postgresql_schema": {
+		"type": "string",
+		"mandatory": false
+	},
+	"domain": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_kind": {
+		"type": "string",
+		"mandatory": false,
+		"options": [
+			"internal",
+			"authelia"
+		]
+	},
+	"authentication_data_authelia_client_id": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_data_authelia_client_secret": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_data_authelia_url_base": {
+		"type": "string",
+		"mandatory": false
+	},
+	"guest_allow_create": {
+		"type": "boolean",
+		"mandatory": false
+	},
+	"guest_allow_change": {
+		"type": "boolean",
+		"mandatory": false
+	},
+	"free_names_mode": {
+		"type": "string",
+		"mandatory": false
+	}
+}

roles/mealie/defaults/main.json

@@ -0,0 +1,3 @@
+{
+	"var_mealie_port": 9000
+}

roles/mealie/files/prepare.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env sh
+
+## vars
+
+packages=""
+packages="${packages} libldap2-dev"
+packages="${packages} libsasl2-dev"
+
+
+## exec
+
+apt install ${packages}

roles/mealie/files/setup.sh

@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+
+## consts
+
+source_directory="/home/projekte/fremde/mealie"
+target_directory="/tmp/mealie"
+python_modules=""
+python_modules="${python_modules} uvicorn"
+python_modules="${python_modules} fastapi"
+python_modules="${python_modules} itsdangerous"
+python_modules="${python_modules} python-dotenv"
+python_modules="${python_modules} python-dateutil"
+python_modules="${python_modules} pydantic_settings"
+python_modules="${python_modules} sqlalchemy"
+python_modules="${python_modules} pyjwt"
+python_modules="${python_modules} text_unidecode"
+python_modules="${python_modules} python-slugify"
+python_modules="${python_modules} pyhumps"
+python_modules="${python_modules} isodate"
+python_modules="${python_modules} apprise"
+python_modules="${python_modules} recipe_scrapers"
+python_modules="${python_modules} bcrypt"
+python_modules="${python_modules} python-ldap"
+python_modules="${python_modules} authlib"
+python_modules="${python_modules} alembic"
+python_modules="${python_modules} python-multipart"
+python_modules="${python_modules} openai"
+python_modules="${python_modules} pillow"
+python_modules="${python_modules} pillow-heif"
+python_modules="${python_modules} jinja2"
+python_modules="${python_modules} html2text"
+python_modules="${python_modules} orjson"
+python_modules="${python_modules} rapidfuzz"
+
+
+### exec
+
+### create venv
+python3 -m venv ${target_directory}
+
+### copy files
+cp -r ${source_directory}/alembic ${target_directory}/alembic
+cp -r ${source_directory}/alembic.ini ${target_directory}/alembic.ini
+cp -r ${source_directory}/mealie ${target_directory}/mealie
+
+### enter venv
+cd ${target_directory}
+source bin/activate
+
+### install dependencies
+pip3 install ${python_modules}
+# poetry install -E pgsql --only main
+
+### init
+$PYTHONPATH:${target_directory} python3 ${target_directory}/mealie/scripts/install_model.py
+
+### frontend
+cp -r ${source_directory}/frontend ${target_directory}/frontend
+npm install
+npm install webpack@4.47.0
+mkdir ${target_directory}/frontend/dist

roles/mealie/files/start-backend.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+## consts
+
+target_directory="/tmp/mealie"
+
+
+## exec
+
+### enter venv
+cd ${target_directory}
+source bin/activate
+
+### set environment variables
+export PYTHONPATH=$PYTHONPATH:${target_directory}
+export DATA_DIR=${target_directory}
+export DATA_DIR=${target_directory}
+# BASE_URL
+# SMTP_HOST
+# SMTP_FROM_EMAIL
+# DEFAULT_EMAIL
+# DEFAULT_GROUP
+# DEFAULT_HOUSEHOLD
+export LDAP_AUTH_ENABLED="false"
+export OIDC_AUTH_ENABLED="false"
+export PRODUCTION="true"
+
+### run
+python3 mealie/main.py

roles/mealie/files/start-frontend.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+## consts
+
+target_directory="/tmp/mealie"
+
+
+## exec
+
+cd ${target_directory}/frontend
+npm run generate
+npm run start

roles/mealie/info.md

@@ -0,0 +1,8 @@
+## Beschreibung
+
+Zum Aufsetzen der Rezepte-Sammlung [Mealie](https://mealie.io/)
+
+
+## Verweise
+
+- [Documentation | Backend Configuration](https://docs.mealie.io/documentation/getting-started/installation/backend-config/)

roles/mealie/vardef.json

@@ -0,0 +1,6 @@
+{
+	"port": {
+		"type": "integer",
+		"mandatory": false
+	}
+}

roles/nginx/cfg.schema.json

@@ -1,28 +0,0 @@
-{
-	"nullable": false,
-	"type": "object",
-	"properties": {
-		"auto_reload_interval": {
-			"nullable": true,
-			"type": "integer",
-			"description": "in hours",
-			"default": null
-		},
-		"dhparam_size": {
-			"nullable": true,
-			"type": "integer",
-			"default": null
-		},
-		"improved_security": {
-			"nullable": false,
-			"type": "boolean",
-			"default": false
-		}
-	},
-	"additionalProperties": false,
-	"required": [
-		"auto_reload_interval",
-		"dhparam_size",
-		"improved_security"
-	]
-}

roles/nginx/defaults/main.json

@@ -1,7 +1,3 @@
 {
-	"cfg_nginx_defaults": {
-		"auto_reload_interval": null,
-		"dhparam_size": null,
-		"improved_security": false
-	}
+	"var_nginx_auto_reload_interval": null
 }

roles/nginx/files/ssl-hardening.conf

@@ -3,9 +3,7 @@ ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
 ssl_session_tickets off;
 
 # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
-{% if cfg_nginx.dhparam_size != None %}
 ssl_dhparam /etc/nginx/dhparam;
-{% endif %}
 
 # intermediate configuration
 ssl_protocols TLSv1.2 TLSv1.3;

roles/nginx/tasks/main.json

@@ -1,11 +1,4 @@
 [
-	{
-		"name": "show vars",
-		"when": "switch_show_vars",
-		"ansible.builtin.debug": {
-			"var": "vars.cfg_nginx"
-		}
-	},
 	{
 		"name": "install packages",
 		"become": true,
@@ -19,10 +12,9 @@
 	},
 	{
 		"name": "generate dhparams file",
-		"when": "cfg_nginx.dhparam_size != None",
 		"become": true,
 		"ansible.builtin.command": {
-			"cmd": "openssl dhparam -out /etc/nginx/dhparam {{cfg_nginx.dhparam_size | string}}"
+			"cmd": "openssl dhparam -out /etc/nginx/dhparam 4096"
 		},
 		"args": {
 			"creates": "/etc/nginx/dhparam"
@@ -31,16 +23,13 @@
 	{
 		"name": "place hardening config",
 		"become": true,
-		"ansible.builtin.template": {
-			"src": "ssl-hardening.conf.j2",
+		"ansible.builtin.copy": {
+			"src": "ssl-hardening.conf",
 			"dest": "/etc/nginx/ssl-hardening.conf"
 		}
 	},
 	{
-		"name": "ufw",
-		"block": [
-			{
-				"name": "check",
+		"name": "ufw | check",
 		"become": true,
 		"check_mode": true,
 		"community.general.ufw": {
@@ -49,7 +38,7 @@
 		"register": "ufw_enable_check"
 	},
 	{
-				"name": "allow port 80",
+		"name": "ufw | allow port 80",
 		"when": "not ufw_enable_check.changed",
 		"become": true,
 		"community.general.ufw": {
@@ -59,7 +48,7 @@
 		}
 	},
 	{
-				"name": "allow port 443",
+		"name": "ufw | allow port 443",
 		"when": "not ufw_enable_check.changed",
 		"become": true,
 		"community.general.ufw": {
@@ -67,18 +56,16 @@
 			"port": "443",
 			"proto": "tcp"
 		}
-			}
-		]
 	},
 	{
 		"name": "auto reload",
-		"when": "cfg_nginx.auto_reload_interval == None",
+		"when": "var_nginx_auto_reload_interval == None",
 		"become": true,
 		"ansible.builtin.cron": {
 			"name": "nginx_auto_reload",
 			"disabled": true,
 			"minute": "0",
-			"hour": "*/{{cfg_nginx.auto_reload_interval | string}}",
+			"hour": "*/{{var_nginx_auto_reload_interval | string}}",
 			"day": "*",
 			"month": "*",
 			"weekday": "*",
@@ -87,13 +74,13 @@
 	},
 	{
 		"name": "auto reload",
-		"when": "cfg_nginx.auto_reload_interval != None",
+		"when": "var_nginx_auto_reload_interval != None",
 		"become": true,
 		"ansible.builtin.cron": {
 			"name": "nginx_auto_reload",
 			"disabled": false,
 			"minute": "0",
-			"hour": "*/{{cfg_nginx.auto_reload_interval | string}}",
+			"hour": "*/{{var_nginx_auto_reload_interval | string}}",
 			"day": "*",
 			"month": "*",
 			"weekday": "*",

roles/nginx/vardef.json

@@ -0,0 +1,8 @@
+{
+	"auto_reload_interval": {
+		"description": "in hours",
+		"nullable": true,
+		"type": "integer",
+		"mandatory": false
+	}
+}

roles/owncloud-and-nginx/cfg.schema.json

@@ -1,31 +0,0 @@
-{
-	"nullable": false,
-	"type": "object",
-	"properties": {
-		"domain": {
-			"nullable": false,
-			"type": "string"
-		},
-		"tls_mode": {
-			"nullable": false,
-			"type": "string",
-			"enum": [
-				"disable",
-				"enable",
-				"force"
-			],
-			"default": "force"
-		},
-		"maximum_upload_size": {
-			"nullable": false,
-			"type": "string",
-			"default": "1G"
-		}
-	},
-	"additionalProperties": false,
-	"required": [
-		"domain",
-		"tls_mode",
-		"maximum_upload_size"
-	]
-}

roles/owncloud-and-nginx/defaults/main.json

@@ -1,6 +1,5 @@
 {
-	"cfg_owncloud_and_nginx_defaults": {
-		"tls_mode": "force",
-		"maximum_upload_size": "1G"
-	}
+	"var_owncloud_and_nginx_domain": "owncloud.example.org",
+	"var_owncloud_and_nginx_tls_mode": "force",
+	"var_owncloud_and_nginx_maximum_upload_size": "1G"
 }

roles/owncloud-and-nginx/tasks/main.json

@@ -1,11 +1,4 @@
 [
-	{
-		"name": "show vars",
-		"when": "switch_show_vars",
-		"ansible.builtin.debug": {
-			"var": "vars.cfg_owncloud_and_nginx"
-		}
-	},
 	{
 		"name": "deactivate default site",
 		"become": true,
@@ -19,7 +12,7 @@
 		"become": true,
 		"ansible.builtin.template": {
 			"src": "conf.j2",
-			"dest": "/etc/nginx/sites-available/{{cfg_owncloud_and_nginx.domain}}"
+			"dest": "/etc/nginx/sites-available/{{var_owncloud_and_nginx_domain}}"
 		}
 	},
 	{
@@ -27,8 +20,8 @@
 		"become": true,
 		"ansible.builtin.file": {
 			"state": "link",
-			"src": "/etc/nginx/sites-available/{{cfg_owncloud_and_nginx.domain}}",
-			"dest": "/etc/nginx/sites-enabled/{{cfg_owncloud_and_nginx.domain}}"
+			"src": "/etc/nginx/sites-available/{{var_owncloud_and_nginx_domain}}",
+			"dest": "/etc/nginx/sites-enabled/{{var_owncloud_and_nginx_domain}}"
 		}
 	},
 	{

roles/owncloud-and-nginx/templates/conf.j2

@@ -1,7 +1,7 @@
 {% macro owncloud_common() %}
 	location / {
 		proxy_pass http://localhost:9200;
-		client_max_body_size {{cfg_owncloud_and_nginx.maximum_upload_size}};
+		client_max_body_size {{var_owncloud_and_nginx_maximum_upload_size}};
 	}
 {% endmacro %}
 
@@ -9,24 +9,24 @@ server {
 	listen 80;
 	listen [::]:80;
 	
-	server_name {{cfg_owncloud_and_nginx.domain}};
+	server_name {{var_owncloud_and_nginx_domain}};
 	
-{% if cfg_owncloud_and_nginx.tls_mode == 'force' %}
+{% if var_owncloud_and_nginx_tls_mode == 'force' %}
 	return 301 https://$http_host$request_uri;
 {% else %}
 	{{ owncloud_common() }}
 {% endif %}
 }
 
-{% if cfg_owncloud_and_nginx.tls_mode != 'disable' %}
+{% if var_owncloud_and_nginx_tls_mode != 'disable' %}
 server {
 	listen 443 ssl;
 	listen [::]:443 ssl;
 	
-	server_name {{cfg_owncloud_and_nginx.domain}};
+	server_name {{var_owncloud_and_nginx_domain}};
 	
-	ssl_certificate_key /etc/ssl/private/{{cfg_owncloud_and_nginx.domain}}.pem;
-	ssl_certificate /etc/ssl/fullchains/{{cfg_owncloud_and_nginx.domain}}.pem;
+	ssl_certificate_key /etc/ssl/private/{{var_owncloud_and_nginx_domain}}.pem;
+	ssl_certificate /etc/ssl/fullchains/{{var_owncloud_and_nginx_domain}}.pem;
 	include /etc/nginx/ssl-hardening.conf;
 	
 	{{ owncloud_common() }}

roles/owncloud-and-nginx/vardef.json

@@ -0,0 +1,20 @@
+
+{
+	"domain": {
+		"type": "string",
+		"mandatory": false
+	},
+	"tls_mode": {
+        "type": "string",
+        "options": [
+			"disable",
+			"enable",
+			"force"
+        ],
+        "mandatory": false
+	},
+	"maximum_upload_size": {
+		"type": "string",
+		"mandatory": false
+	}
+}

roles/owncloud/cfg.schema.json

@@ -1,152 +0,0 @@
-{
-	"nullable": false,
-	"type": "object",
-	"properties": {
-		"user": {
-			"nullable": false,
-			"type": "string",
-			"default": "owncloud"
-		},
-		"directory": {
-			"nullable": false,
-			"type": "string",
-			"default": "/opt/owncloud"
-		},
-		"version": {
-			"nullable": false,
-			"type": "string",
-			"default": "7.2.0"
-		},
-		"platform": {
-			"nullable": false,
-			"type": "string",
-			"default": "linux-amd64"
-		},
-		"domain": {
-			"nullable": false,
-			"type": "string"
-		},
-		"admin_password": {
-			"nullable": false,
-			"type": "string"
-		},
-		"authentication": {
-			"anyOf": [
-				{
-					"nullable": false,
-					"type": "object",
-					"properties": {
-						"kind": {
-							"type": "string",
-							"enum": ["internal"],
-							"default": "internal"
-						},
-						"data": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-							},
-							"additionalProperties": false,
-							"required": [
-							],
-							"default": {
-							}
-						}
-					},
-					"additionalProperties": false,
-					"required": [
-						"kind",
-						"data"
-					]
-				},
-				{
-					"nullable": false,
-					"type": "object",
-					"properties": {
-						"kind": {
-							"type": "string",
-							"enum": ["authelia"],
-							"default": "authelia"
-						},
-						"data": {
-							"nullable": false,
-							"type": "object",
-							"properties": {
-								"url_base": {
-									"nullable": false,
-									"type": "string"
-								},
-								"web": {
-									"nullable": true,
-									"type": "object",
-									"properties": {
-										"client_id": {
-											"type": "string",
-											"mandatory": false,
-											"default": "owncloud_web"
-										}
-									},
-									"additionalProperties": false,
-									"required": [
-										"client_id"
-									],
-									"default": {
-									}
-								}
-							},
-							"additionalProperties": false,
-							"required": [
-								"url_base",
-								"web"
-							]
-						}
-					},
-					"additionalProperties": false,
-					"required": [
-						"kind",
-						"data"
-					]
-				}
-			]
-		},
-		"public_share": {
-			"nullable": false,
-			"type": "object",
-			"properties": {
-				"password_necessity": {
-					"nullable": false,
-					"type": "string",
-					"enum": [
-						"nothing",
-						"writable",
-						"all"
-					],
-					"default": "writable"
-				},
-				"password_policy_active": {
-					"nullable": false,
-					"type": "boolean",
-					"default": true
-				}
-			},
-			"additionalProperties": false,
-			"required": [
-				"password_necessity",
-				"password_policy_active"
-			],
-			"default": {
-			}
-		}
-	},
-	"additionalProperties": false,
-	"required": [
-		"user",
-		"directory",
-		"version",
-		"platform",
-		"domain",
-		"admin_password",
-		"authentication",
-		"public_share"
-	]
-}

roles/owncloud/defaults/main.json

@@ -1,16 +1,18 @@
 {
-	"cfg_owncloud_defaults": {
-		"user": "owncloud",
-		"directory": "/opt/owncloud",
-		"version": "7.2.0",
-		"platform": "linux-amd64",
-		"domain": "owncloud.example.org",
-		"authentication": {
-			"kind": "internal"
-		},
-		"public_share": {
-			"password_necessity": "writable",
-			"password_policy_active": true
-		}
-	}
+	"var_owncloud_user": "owncloud",
+	"var_owncloud_directory": "/opt/owncloud",
+	"var_owncloud_version": "5.0.0",
+	"var_owncloud_platform": "linux-amd64",
+	"var_owncloud_domain": "owncloud.example.org",
+	"var_owncloud_admin_password": "REPLACE_ME",
+	"var_owncloud_authentication_kind": "internal",
+	"var_owncloud_authentication_data_authelia_url_base": "https://authelia.example.org",
+	"var_owncloud_authentication_data_authelia_web_client_id": "owncloud_web",
+	"var_owncloud_authentication_data_authelia_web_client_secret": "REPLACE_ME",
+	"var_owncloud_authentication_data_authelia_android_client_id": "owncloud_android",
+	"var_owncloud_authentication_data_authelia_android_client_secret": "REPLACE_ME",
+	"var_owncloud_authentication_data_authelia_ios_client_id": "owncloud_ios",
+	"var_owncloud_authentication_data_authelia_ios_client_secret": "REPLACE_ME",
+	"var_owncloud_public_share_password_necessity": "writable",
+	"var_owncloud_public_share_password_policy_active": true
 }

roles/owncloud/info.md

@@ -7,26 +7,13 @@ Cloud-Plattform [ownCloud](https://owncloud.com/) (the rewrite in Go named "Infi
 
 - [ownCloud-Dokumentation | How to install ownCloud Infinite Scale Tech Preview in three easy steps](https://owncloud.com/news/howto-install-owncloud-infinite-scale-tech-preview/)
 - [ownCloud-Dokumentation | oCIS](https://owncloud.dev/ocis/)
-- [ownCloud-Dokumentation | Upgrading](https://doc.owncloud.com/ocis/next/migration/upgrading-ocis.html)
-- [ownCloud-Dokumentation | env var types](https://doc.owncloud.com/ocis/next/deployment/services/envvar-types-description.html)
-- [ownCloud-Dokumentation | Service | Web](https://doc.owncloud.com/ocis/next/deployment/services/s-list/web.html)
 - [ownCloud-Dokumentation | Service | Proxy](https://doc.owncloud.com/ocis/next/deployment/services/s-list/proxy.html)
+- [ownCloud-Dokumentation | Service | Web](https://doc.owncloud.com/ocis/next/deployment/services/s-list/web.html)
 - [ownCloud-Dokumentation | Service | Sharing](https://doc.owncloud.com/ocis/next/deployment/services/s-list/sharing.html)
 - [GitHub | ocis](https://github.com/owncloud/ocis/)
 - [ownCloud-Foren | OCIS + Authelia](https://central.owncloud.org/t/ocis-authelia/44222)
 
 
-## Bemerkungen
-
-- die `.ocis/config/ocis.yaml` wird erzeugt auf Grundlage der `.env`
-- `.ocis/config/ocis.yaml` sollte niemals einfach neu erstellt werden, da man sich sonst nicht mehr einloggen kann
-- wenn man sich plötzlich nicht mehr über OIDC anmelden kann, kann das daran lieget, dass `.ocis/idm/ldap.crt` abgelaufen ist — siehe dazu [diesen Thread](https://central.owncloud.org/t/certificate-error-after-upgrade-to-5-0-0-from-4-0-6/47824/7); man könnte auch `OCIS_LDAP_INSECURE` auf `true` setzen, aber naja…
-
-
 ## ToDo
 
 - Download prüfen
-- `csp.yaml` einsetzen
-- prüfen ob folgende `.env`-Variablen gebraucht werden:
-  - `PROXY_OIDC_ISSUER`
-  - `PROXY_OIDC_SKIP_USER_INFO`

roles/owncloud/tasks/main.json

@@ -1,70 +1,39 @@
 [
-	{
-		"name": "show vars",
-		"when": "switch_show_vars",
-		"ansible.builtin.debug": {
-			"var": "vars.cfg_owncloud"
-		}
-	},
 	{
 		"name": "user",
 		"become": true,
 		"ansible.builtin.user": {
-			"name": "{{cfg_owncloud.user}}",
+			"name": "{{var_owncloud_user}}",
 			"create_home": true,
-			"home": "{{cfg_owncloud.directory}}"
+			"home": "{{var_owncloud_directory}}"
 		}
 	},
 	{
 		"name": "download",
 		"become": true,
-		"become_user": "{{cfg_owncloud.user}}",
+		"become_user": "{{var_owncloud_user}}",
 		"ansible.builtin.get_url": {
-			"url": "https://download.owncloud.com/ocis/ocis/stable/{{cfg_owncloud.version}}/ocis-{{cfg_owncloud.version}}-{{cfg_owncloud.platform}}",
-			"dest": "{{cfg_owncloud.directory}}/ocis",
+			"url": "https://download.owncloud.com/ocis/ocis/stable/{{var_owncloud_version}}/ocis-{{var_owncloud_version}}-{{var_owncloud_platform}}",
+			"dest": "{{var_owncloud_directory}}/ocis",
 			"mode": "u+rx"
 		}
 	},
-	{
-		"name": "directories",
-		"become": true,
-		"become_user": "{{cfg_owncloud.user}}",
-		"loop": [
-			"log"
-		],
-		"ansible.builtin.file": {
-			"state": "directory",
-			"recurse": true,
-			"path": "{{cfg_owncloud.directory}}/{{item}}"
-		}
-	},
-	{
-		"name": "csp",
-		"become": true,
-		"become_user": "{{cfg_owncloud.user}}",
-		"ansible.builtin.template": {
-			"src": "csp.yaml.j2",
-			"mode": "644",
-			"dest": "{{cfg_owncloud.directory}}/csp.yaml"
-		}
-	},
-	{
-		"name": "env",
-		"become": true,
-		"become_user": "{{cfg_owncloud.user}}",
-		"ansible.builtin.template": {
-			"src": "env.j2",
-			"mode": "644",
-			"dest": "{{cfg_owncloud.directory}}/.env"
-		}
-	},
 	{
 		"name": "setup",
 		"become": true,
-		"become_user": "{{cfg_owncloud.user}}",
+		"become_user": "{{var_owncloud_user}}",
 		"ansible.builtin.shell": {
-			"chdir": "{{cfg_owncloud.directory}}",
-			"cmd": "./ocis init --insecure no --admin-password={{cfg_owncloud.admin_password}}"
+			"chdir": "{{var_owncloud_directory}}",
+			"cmd": "rm -f {{var_owncloud_directory}}/.ocis/config/ocis.yaml && ./ocis init --insecure no --admin-password={{var_owncloud_admin_password}}"
+		}
+	},
+	{
+		"name": "configuration",
+		"become": true,
+		"become_user": "{{var_owncloud_user}}",
+		"ansible.builtin.template": {
+			"src": "env.j2",
+			"dest": "{{var_owncloud_directory}}/.env"
 		}
 	},
 	{

roles/owncloud/templates/csp.yaml.j2

@@ -1,7 +0,0 @@
-directives:
-  connect-src:
-    - '''self'''
-    - 'https://{{cfg_owncloud.domain}}'
-{% if cfg_owncloud.authentication.kind == 'authelia' %}
-    - '{{cfg_owncloud.authentication.data.url_base}}'
-{% endif %}

roles/owncloud/templates/env.j2

@@ -1,62 +1,44 @@
-## web client
-WEB_LOG_LEVEL=info
-WEB_LOG_FILE={{cfg_owncloud.directory}}/log/web
-WEB_LOG_PRETTY=true
-WEB_LOG_COLOR=true
-{% if cfg_owncloud.authentication.kind == 'internal' %}
-{% endif %}
-{% if cfg_owncloud.authentication.kind == 'authelia' %}
-WEB_OIDC_AUTHORITY={{cfg_owncloud.authentication.data.url_base}}
-WEB_OIDC_CLIENT_ID={{cfg_owncloud.authentication.data.web.client_id}}
-WEB_OIDC_RESPONSE_TYPE=code
-WEB_OIDC_SCOPE=openid profile email groups
-WEB_OPTION_LOGIN_URL={{cfg_owncloud.authentication.data.url_base}}
-WEB_OPTION_LOGOUT_URL={{cfg_owncloud.authentication.data.url_base}}
-WEB_UI_THEME_SERVER=https://{{cfg_owncloud.domain}}
-WEB_UI_CONFIG_SERVER=https://{{cfg_owncloud.domain}}
+OCIS_URL="https://{{var_owncloud_domain}}"
+OCIS_INSECURE="false"
+
+PROXY_TLS="false"
+
+{% if var_owncloud_authentication_kind == 'internal' %}
+PROXY_AUTOPROVISION_ACCOUNTS="false"
 {% endif %}
 
-## other clients
-PROXY_LOG_LEVEL=info
-PROXY_LOG_FILE={{cfg_owncloud.directory}}/log/proxy
-PROXY_LOG_PRETTY=true
-PROXY_LOG_COLOR=true
-PROXY_CSP_CONFIG_FILE_LOCATION={{cfg_owncloud.directory}}/csp.yaml
-PROXY_TLS=false
-{% if cfg_owncloud.authentication.kind == 'internal' %}
-PROXY_AUTOPROVISION_ACCOUNTS=false
-{% endif %}
-{% if cfg_owncloud.authentication.kind == 'authelia' %}
-OCIS_URL=https://{{cfg_owncloud.domain}}
-PROXY_OIDC_ISSUER={{cfg_owncloud.authentication.data.url_base}}
-PROXY_OIDC_REWRITE_WELLKNOWN=true
-PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none
-PROXY_OIDC_SKIP_USER_INFO=false
-PROXY_AUTOPROVISION_ACCOUNTS=true
-PROXY_AUTOPROVISION_CLAIM_USERNAME=preferred_username
-PROXY_AUTOPROVISION_CLAIM_EMAIL=email
-PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME=name
-PROXY_AUTOPROVISION_CLAIM_GROUPS=groups
-PROXY_USER_OIDC_CLAIM=preferred_username
-PROXY_USER_CS3_CLAIM=username
+{% if var_owncloud_authentication_kind == 'authelia' %}
+OCIS_OIDC_CLIENT_ID="{{var_owncloud_authentication_data_authelia_web_client_id}}"
+OCIS_OIDC_ISSUER="{{var_owncloud_authentication_data_authelia_url_base}}"
+
+PROXY_AUTOPROVISION_ACCOUNTS="true"
+PROXY_OIDC_REWRITE_WELLKNOWN="true"
+PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD="none"
+PROXY_OIDC_INSECURE="false"
+PROXY_USER_OIDC_CLAIM="name"
+PROXY_USER_CS3_CLAIM="username"
+
+WEB_OIDC_AUTHORITY="{{var_owncloud_authentication_data_authelia_url_base}}"
+WEB_OIDC_METADATA_URL="{{var_owncloud_authentication_data_authelia_url_base}}/.well-known/openid-configuration"
+WEB_OIDC_CLIENT_ID="{{var_owncloud_authentication_data_authelia_web_client_id}}"
+WEB_OIDC_SCOPE="openid profile email groups"
 {% endif %}
 
-## sharing
-{% if cfg_owncloud.public_share.password_necessity == 'nothing' %}
-OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD=false
-OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD=false
+{% if var_owncloud_public_share_password_necessity == 'nothing' %}
+OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD="false"
+OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD="false"
 {% endif %}
-{% if cfg_owncloud.public_share.password_necessity == 'writable' %}
-OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD=false
-OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD=true
+{% if var_owncloud_public_share_password_necessity == 'writable' %}
+OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD="false"
+OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD="true"
 {% endif %}
-{% if cfg_owncloud.public_share.password_necessity == 'all' %}
-OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD=true
-OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD=true
+{% if var_owncloud_public_share_password_necessity == 'all' %}
+OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD="true"
+OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD="true"
 {% endif %}
-{% if cfg_owncloud.public_share.password_policy_active %}
-OCIS_SHARING_PASSWORD_POLICY_DISABLED=false
+
+{% if var_owncloud_public_share_password_policy_active %}
+OCIS_SHARING_PASSWORD_POLICY_DISABLED="false"
 {% else %}
-OCIS_SHARING_PASSWORD_POLICY_DISABLED=true
+OCIS_SHARING_PASSWORD_POLICY_DISABLED="true"
 {% endif %}
-

roles/owncloud/templates/systemd_unit.j2

@@ -3,12 +3,12 @@ Description=ownCloud
 After=network.target
 
 [Service]
-WorkingDirectory={{cfg_owncloud.directory}}
-EnvironmentFile={{cfg_owncloud.directory}}/.env
-ExecStart={{cfg_owncloud.directory}}/ocis server
+WorkingDirectory={{var_owncloud_directory}}
+EnvironmentFile={{var_owncloud_directory}}/.env
+ExecStart={{var_owncloud_directory}}/ocis server
 Type=simple
 Restart=always
-User={{cfg_owncloud.user}}
+User={{var_owncloud_user}}
 
 [Install]
 WantedBy=default.target

roles/owncloud/vardef.json

@@ -0,0 +1,75 @@
+{
+	"user": {
+		"type": "string",
+		"mandatory": false
+	},
+	"directory": {
+		"type": "string",
+		"mandatory": false
+	},
+	"version": {
+		"type": "string",
+		"mandatory": false
+	},
+	"platform": {
+		"type": "string",
+		"mandatory": false
+	},
+	"domain": {
+		"type": "string",
+		"mandatory": false
+	},
+	"admin_password": {
+		"type": "string",
+		"mandatory": true
+	},
+	"authentication_kind": {
+		"type": "string",
+		"mandatory": false,
+		"options": [
+			"internal",
+			"authelia"
+		]
+	},
+	"authentication_data_authelia_url_base": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_data_authelia_web_client_id": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_data_authelia_web_client_secret": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_data_authelia_android_client_id": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_data_authelia_android_client_secret": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_data_authelia_ios_client_id": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_data_authelia_ios_client_secret": {
+		"type": "string",
+		"mandatory": false
+	},
+	"public_share_password_necessity": {
+		"type": "string",
+		"mandatory": false,
+		"options": [
+			"nothing",
+			"writable",
+			"all"
+		]
+	},
+	"public_share_password_policy_active": {
+		"type": "boolean",
+		"mandatory": false
+	}
+}

roles/postgresql-for-authelia/tasks/main.json

@@ -39,7 +39,7 @@
 		"become_user": "postgres",
 		"community.postgresql.postgresql_privs": {
 			"state": "present",
-			"login_db": "{{var_postgresql_for_authelia_schema}}",
+			"db": "{{var_postgresql_for_authelia_schema}}",
 			"objs": "ALL_IN_SCHEMA",
 			"roles": "{{var_postgresql_for_authelia_username}}",
 			"privs": "ALL",

roles/postgresql-for-forgejo/tasks/main.json

@@ -39,7 +39,7 @@
 		"become_user": "postgres",
 		"community.postgresql.postgresql_privs": {
 			"state": "present",
-			"login_db": "{{var_postgresql_for_forgejo_schema}}",
+			"db": "{{var_postgresql_for_forgejo_schema}}",
 			"objs": "ALL_IN_SCHEMA",
 			"roles": "{{var_postgresql_for_forgejo_username}}",
 			"privs": "ALL",

roles/postgresql-for-gitlab/tasks/main.json

@@ -39,7 +39,7 @@
 		"become_user": "postgres",
 		"community.postgresql.postgresql_privs": {
 			"state": "present",
-			"login_db": "{{var_postgresql_for_gitlab_schema}}",
+			"db": "{{var_postgresql_for_gitlab_schema}}",
 			"objs": "ALL_IN_SCHEMA",
 			"roles": "{{var_postgresql_for_gitlab_username}}",
 			"privs": "ALL",
@@ -57,7 +57,7 @@
 		],
 		"community.postgresql.postgresql_ext": {
 			"state": "present",
-			"login_db": "{{var_postgresql_for_gitlab_schema}}",
+			"db": "{{var_postgresql_for_gitlab_schema}}",
 			"name": "{{item}}"
 		}
 	}

roles/postgresql-for-hedgedoc/tasks/main.json

@@ -39,7 +39,7 @@
 		"become_user": "postgres",
 		"community.postgresql.postgresql_privs": {
 			"state": "present",
-			"login_db": "{{var_postgresql_for_hedgedoc_schema}}",
+			"db": "{{var_postgresql_for_hedgedoc_schema}}",
 			"objs": "ALL_IN_SCHEMA",
 			"roles": "{{var_postgresql_for_hedgedoc_username}}",
 			"privs": "ALL",

roles/postgresql-for-mealie/defaults/main.json

@@ -0,0 +1,5 @@
+{
+	"var_postgresql_for_mealie_username": "mealie_user",
+	"var_postgresql_for_mealie_password": "REPLACE_ME",
+	"var_postgresql_for_mealie_schema": "mealie"
+}

roles/postgresql-for-mealie/tasks/main.json

@@ -6,8 +6,7 @@
 			"update_cache": true,
 			"pkg": [
 				"acl",
-				"python3-psycopg2",
-				"libpq-dev"
+				"python3-psycopg2"
 			]
 		}
 	},
@@ -17,8 +16,8 @@
 		"become_user": "postgres",
 		"community.postgresql.postgresql_user": {
 			"state": "present",
-			"name": "{{var_postgresql_for_tandoor_username}}",
-			"password": "{{var_postgresql_for_tandoor_password}}"
+			"name": "{{var_postgresql_for_mealie_username}}",
+			"password": "{{var_postgresql_for_mealie_password}}"
 		},
 		"environment": {
 			"PGOPTIONS": "-c password_encryption=scram-sha-256"
@@ -30,8 +29,8 @@
 		"become_user": "postgres",
 		"community.postgresql.postgresql_db": {
 			"state": "present",
-			"name": "{{var_postgresql_for_tandoor_schema}}",
-			"owner": "{{var_postgresql_for_tandoor_username}}"
+			"name": "{{var_postgresql_for_mealie_schema}}",
+			"owner": "{{var_postgresql_for_mealie_username}}"
 		}
 	},
 	{
@@ -40,9 +39,9 @@
 		"become_user": "postgres",
 		"community.postgresql.postgresql_privs": {
 			"state": "present",
-			"login_db": "{{var_postgresql_for_tandoor_schema}}",
+			"db": "{{var_postgresql_for_mealie_schema}}",
 			"objs": "ALL_IN_SCHEMA",
-			"roles": "{{var_postgresql_for_tandoor_username}}",
+			"roles": "{{var_postgresql_for_mealie_username}}",
 			"privs": "ALL",
 			"grant_option": true
 		}

roles/postgresql-for-synapse/tasks/main.json

@@ -43,7 +43,7 @@
 		"become_user": "postgres",
 		"community.postgresql.postgresql_privs": {
 			"state": "present",
-			"login_db": "{{var_postgresql_for_synapse_schema}}",
+			"db": "{{var_postgresql_for_synapse_schema}}",
 			"objs": "ALL_IN_SCHEMA",
 			"roles": "{{var_postgresql_for_synapse_username}}",
 			"privs": "ALL",

roles/postgresql-for-tandoor/defaults/main.json

@@ -1,5 +0,0 @@
-{
-	"var_postgresql_for_tandoor_username": "tandoor_user",
-	"var_postgresql_for_tandoor_password": "REPLACE_ME",
-	"var_postgresql_for_tandoor_schema": "tandoor"
-}

roles/postgresql-for-vikunja/tasks/main.json

@@ -39,7 +39,7 @@
 		"become_user": "postgres",
 		"community.postgresql.postgresql_privs": {
 			"state": "present",
-			"login_db": "{{var_postgresql_for_vikunja_schema}}",
+			"db": "{{var_postgresql_for_vikunja_schema}}",
 			"objs": "ALL_IN_SCHEMA",
 			"roles": "{{var_postgresql_for_vikunja_username}}",
 			"privs": "ALL",

roles/postgresql-for-wiki_js/tasks/main.json

@@ -39,7 +39,7 @@
 		"become_user": "postgres",
 		"community.postgresql.postgresql_privs": {
 			"state": "present",
-			"login_db": "{{var_postgresql_for_wiki_js_schema}}",
+			"db": "{{var_postgresql_for_wiki_js_schema}}",
 			"objs": "ALL_IN_SCHEMA",
 			"roles": "{{var_postgresql_for_wiki_js_username}}",
 			"privs": "ALL",

roles/sqlite-for-hedgedoc/defaults/main.json

@@ -0,0 +1,4 @@
+{
+	"var_sqlite_for_hedgedoc_path": "/var/hedgedoc/data.sqlite",
+	"var_sqlite_for_hedgedoc_user_name": "hedgedoc"
+}

roles/sqlite-for-hedgedoc/tasks/main.json

@@ -0,0 +1,20 @@
+[
+	{
+		"name": "directory",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "directory",
+			"path": "{{var_sqlite_for_hedgedoc_path | dirname}}",
+			"owner": "{{var_hedgedoc_user_name}}"
+		}
+	},
+	{
+		"name": "file",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "touch",
+			"path": "{{var_sqlite_for_hedgedoc_path}}",
+			"owner": "{{var_sqlite_for_hedgedoc_user_name}}"
+		}
+	}
+]

roles/sqlite-for-hedgedoc/vardef.json

@@ -0,0 +1,10 @@
+{
+	"path": {
+		"type": "string",
+		"mandatory": false
+	},
+	"user_name": {
+		"type": "string",
+		"mandatory": false
+	}
+}

roles/synapse/info.md

@@ -6,7 +6,6 @@ Zur Einrichtung des [matrix.org](https://matrix.org/)-Servers [Synapse](https://
 ## Verweise
 
 - [ubuntuusers-Wiki-Eintrag](https://wiki.ubuntuusers.de/Matrix_synapse/)
-- [GitHub-Repository](https://github.com/element-hq/synapse)
-- [Debian-Paket](https://element-hq.github.io/synapse/latest/setup/installation.html#debianubuntu)
-- [Configuration Manual](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html)
-- [Dokumentation | PostgreSQL](https://element-hq.github.io/synapse/latest/postgres.html#using-postgres)
+- [GitHub-Repository](https://github.com/matrix-org/synapse)
+- [Configuration Manual](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html)
+- [Dokumentation | PostgreSQL](https://matrix-org.github.io/synapse/latest/postgres.html#using-postgres)

roles/synapse/tasks/main.json

@@ -1,40 +1,21 @@
 [
 	{
-		"name": "preparation | install packages",
+		"name": "invoke required repositories",
 		"become": true,
-		"ansible.builtin.apt": {
-			"update_cache": true,
-			"pkg": [
-				"lsb-release",
-				"apt-transport-https"
-			]
+		"ansible.builtin.copy": {
+			"src": "sources-bullseye-backports.list",
+			"dest": "/etc/apt/sources.list.d/bullseye-backports-for-synapse.list"
 		}
 	},
 	{
-		"name": "preparation | get keyring",
-		"become": true,
-		"ansible.builtin.get_url": {
-			"url": "https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg",
-			"dest": "/usr/share/keyrings/matrix-org-archive-keyring.gpg"
-		}
-	},
-	{
-		"name": "preparation | add source",
-		"become": true,
-		"ansible.builtin.shell": {
-			"cmd": "echo \"deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main\" > /etc/apt/sources.list.d/synapse.list",
-			"creates": "/etc/apt/sources.list.d/synapse.list"
-		}
-	},
-	{
-		"name": "preparation | update package information",
+		"name": "update sources",
 		"become": true,
 		"ansible.builtin.apt": {
 			"update_cache": true
 		}
 	},
 	{
-		"name": "preparation | conf | server-name",
+		"name": "prepare package installation | server-name",
 		"become": true,
 		"ansible.builtin.debconf": {
 			"name": "matrix-synapse",
@@ -44,7 +25,7 @@
 		}
 	},
 	{
-		"name": "preparation | conf | report-stats",
+		"name": "prepare package installation | report-stats",
 		"become": true,
 		"ansible.builtin.debconf": {
 			"name": "matrix-synapse",
@@ -60,7 +41,7 @@
 			"update_cache": true,
 			"pkg": [
 				"python3-authlib",
-				"matrix-synapse-py3"
+				"matrix-synapse"
 			]
 		}
 	},
@@ -113,10 +94,10 @@
 	},
 	{
 		"name": "setup admin user",
-		"when": "var_synapse_admin_user_define",
 		"become": true,
 		"ansible.builtin.shell": {
 			"cmd": "synapse_register_new_matrix_user --config=/etc/matrix-synapse/homeserver.yaml --admin --user={{var_synapse_admin_user_name}} --password={{var_synapse_admin_user_password}} || true"
-		}
+		},
+		"when": "var_synapse_admin_user_define"
 	}
 ]

roles/synapse/templates/homeserver.yaml.j2

@@ -124,7 +124,6 @@ oidc_providers:
         localpart_template: "{{"{{"}} user.preferred_username {{"}}"}}"
         display_name_template: "{{"{{"}} user.name {{"}}"}}"
         email_template: "{{"{{"}} user.email {{"}}"}}"
-    user_profile_method: "userinfo_endpoint"
 {% endif %}
 
 account_validity:
@@ -140,11 +139,10 @@ trusted_third_party_id_servers:
 
 enable_metrics: false
 
-app_service_config_files: [
+app_service_config_files:
   # - "/opt/mautrix-telegram/python-venv/registration.yaml"
   # - "/opt/mautrix-signal/python-venv/registration.yaml"
   # - "/opt/matrix-irc-bridge/appservice-registration-irc.yaml"
-]
 
 expire_access_token: false
 

roles/tandoor-and-nginx/defaults/main.json

@@ -1,5 +0,0 @@
-{
-	"var_tandoor_and_nginx_domain": "tandoor.example.org",
-	"var_tandoor_and_nginx_tls_mode": "force",
-	"var_tandoor_and_nginx_directory": "/opt/tandoor"
-}

roles/tandoor-and-nginx/info.md

@@ -1,4 +0,0 @@
-## Verweise
-
-- [Tandoor-Dokumentation | nginx](https://docs.tandoor.dev/install/manual/#nginx)
-

roles/tandoor-and-nginx/tasks/main.json

@@ -1,35 +0,0 @@
-[
-	{
-		"name": "deactivate default site",
-		"become": true,
-		"ansible.builtin.file": {
-			"state": "absent",
-			"dest": "/etc/nginx/sites-enabled/default"
-		}
-	},
-	{
-		"name": "emplace configuration | data",
-		"become": true,
-		"ansible.builtin.template": {
-			"src": "conf.j2",
-			"dest": "/etc/nginx/sites-available/{{var_tandoor_and_nginx_domain}}"
-		}
-	},
-	{
-		"name": "emplace configuration | link",
-		"become": true,
-		"ansible.builtin.file": {
-			"state": "link",
-			"src": "/etc/nginx/sites-available/{{var_tandoor_and_nginx_domain}}",
-			"dest": "/etc/nginx/sites-enabled/{{var_tandoor_and_nginx_domain}}"
-		}
-	},
-	{
-		"name": "restart nginx",
-		"become": true,
-		"ansible.builtin.systemd_service": {
-			"state": "restarted",
-			"name": "nginx"
-		}
-	}
-]

roles/tandoor-and-nginx/templates/conf.j2

@@ -1,43 +0,0 @@
-{% macro tandoor_common() %}
-	location /static {
-		alias {{var_tandoor_and_nginx_directory}}/program/staticfiles;
-	}
-	
-	location /media {
-		alias {{var_tandoor_and_nginx_directory}}/program/mediafiles;
-	}
-	
-	location / {
-		proxy_set_header Host $http_host;
-		proxy_pass http://unix:{{var_tandoor_and_nginx_directory}}/program/recipes.sock;
-		proxy_set_header X-Forwarded-Proto $scheme;
-	}
-{% endmacro %}
-
-server {
-	listen 80;
-	listen [::]:80;
-	
-	server_name {{var_tandoor_and_nginx_domain}};
-	
-{% if var_tandoor_and_nginx_tls_mode == 'force' %}
-	return 301 https://$http_host$request_uri;
-{% else %}
-{{ tandoor_common() }}
-{% endif %}
-}
-
-{% if var_tandoor_and_nginx_tls_mode != 'disable' %}
-server {
-	listen 443 ssl;
-	listen [::]:443 ssl;
-	
-	server_name {{var_tandoor_and_nginx_domain}};
-	
-	ssl_certificate_key /etc/ssl/private/{{var_tandoor_and_nginx_domain}}.pem;
-	ssl_certificate /etc/ssl/fullchains/{{var_tandoor_and_nginx_domain}}.pem;
-	include /etc/nginx/ssl-hardening.conf;
-	
-{{ tandoor_common() }}
-}
-{% endif %}

roles/tandoor-and-nginx/vardef.json

@@ -1,19 +0,0 @@
-{
-	"domain": {
-		"mandatory": false,
-		"type": "string"
-	},
-	"port": {
-		"mandatory": false,
-		"type": "integer"
-	},
-	"tls_mode": {
-		"mandatory": false,
-		"type": "string",
-		"options": [
-			"disable",
-			"enable",
-			"force"
-		]
-	}
-}

roles/tandoor/defaults/main.json

@@ -1,27 +0,0 @@
-{
-	"var_tandoor_user": "tandoor",
-	"var_tandoor_directory": "/opt/tandoor",
-	"var_tandoor_repository_url": "https://github.com/vabene1111/recipes.git",
-	"var_tandoor_repository_reference": "master",
-	"var_tandoor_database_kind": "sqlite",
-	"var_tandoor_database_data_postgresql_host": "postgresql.example.org",
-	"var_tandoor_database_data_postgresql_port": 5432,
-	"var_tandoor_database_data_postgresql_username": "tandoor_user",
-	"var_tandoor_database_data_postgresql_password": "REPLACE_ME",
-	"var_tandoor_database_data_postgresql_schema": "tandoor",
-	"var_tandoor_authentication_kind": "internal",
-	"var_tandoor_authentication_data_authelia_client_id": "REPLACE_ME",
-	"var_tandoor_authentication_data_authelia_client_secret": "REPLACE_ME",
-	"var_tandoor_authentication_data_authelia_url_base": "https://authelia.example.org",
-	"var_tandoor_authentication_data_authelia_label": "Authelia",
-	"var_tandoor_smtp_host": "smtp.example.org",
-	"var_tandoor_smtp_port": 587,
-	"var_tandoor_smtp_username": "tandoor@smtp.example.org",
-	"var_tandoor_smtp_password": "REPLACE_ME",
-	"var_tandoor_notification_sender": "notification@tandoor.example.org",
-	"var_tandoor_secret_key": "REPLACE_ME",
-	"var_tandoor_admin_username": "admin",
-	"var_tandoor_admin_password": "REPLACE_ME",
-	"var_tandoor_admin_email": "admin@tandoor.example.org",
-	"var_tandoor_domain": "tandoor.exmaple.org"
-}

roles/tandoor/info.md

@@ -1,24 +0,0 @@
-## Beschreibung
-
-Für Rezepte-Sammlung [Tandoor](https://tandoor.dev/)
-
-
-## Verweise
-
-- [Tandoor-Dokumentation | Installation](https://docs.tandoor.dev/install/manual/)
-- [Tandoor-Dokumentation | Konfiguration](https://docs.tandoor.dev/system/configuration/)
-- [Tandoor-Dokumentation | Allauth](https://docs.tandoor.dev/features/authentication/#allauth)
-- [Django-Dokumentation | Variable `DJANGO_SUPERUSER_PASSWORD`](https://docs.djangoproject.com/en/5.1/ref/django-admin/#envvar-DJANGO_SUPERUSER_PASSWORD)
-- [allauth-Dokumentation | OpenID Connect](https://docs.allauth.org/en/latest/socialaccount/providers/openid_connect.html)
-- [allauth-Dokumentation | Authelia](https://docs.allauth.org/en/latest/socialaccount/providers/authelia.html)
-
-
-## ToDo
-
-- Idempotenz
-
-
-## Bugs
-
-- `usersessions_usersession.ip` darf nicht `NULL` sein, wird es aber; workaround: `ALTER TABLE usersessions_usersession ALTER COLUMN ip DROP NOT NULL;`
-- Verzeichnis `mediafiles` fehlt noch

roles/tandoor/tasks/main.json

@@ -1,135 +0,0 @@
-[
-	{
-		"name": "packages",
-		"become": true,
-		"ansible.builtin.apt": {
-			"update_cache": true,
-			"pkg": [
-				"git",
-				"gcc",
-				"libpq-dev",
-				"libldap2-dev",
-				"libsasl2-dev",
-				"python3-venv",
-				"python3-dev",
-				"nodejs",
-				"yarnpkg"
-			]
-		}
-	},
-	{
-		"name": "user and directory",
-		"become": true,
-		"ansible.builtin.user": {
-			"name": "{{var_tandoor_user}}",
-			"create_home": true,
-			"home": "{{var_tandoor_directory}}"
-		}
-	},
-	{
-		"name": "sources",
-		"become": true,
-		"become_user": "{{var_tandoor_user}}",
-		"ansible.builtin.git": {
-			"repo": "{{var_tandoor_repository_url}}",
-			"version": "{{var_tandoor_repository_reference}}",
-			"single_branch": true,
-			"dest": "{{var_tandoor_directory}}/program",
-			"force": true
-		}
-	},
-	{
-		"name": "venv",
-		"become": true,
-		"become_user": "{{var_tandoor_user}}",
-		"ansible.builtin.command": {
-			"chdir": "{{var_tandoor_directory}}",
-			"cmd": "python3 -m venv program"
-		}
-	},
-	{
-		"name": "configuration",
-		"become": true,
-		"become_user": "{{var_tandoor_user}}",
-		"ansible.builtin.template": {
-			"src": "conf.j2",
-			"dest": "{{var_tandoor_directory}}/program/.env",
-			"mode": "644"
-		}
-	},
-	{
-		"name": "python requirements",
-		"become": true,
-		"become_user": "{{var_tandoor_user}}",
-		"ansible.builtin.pip": {
-			"virtualenv": "{{var_tandoor_directory}}/program",
-			"virtualenv_python": "python3",
-			"requirements": "{{var_tandoor_directory}}/program/requirements.txt"
-		}
-	},
-	{
-		"name": "frontend stuff | core",
-		"become": true,
-		"become_user": "{{var_tandoor_user}}",
-		"ansible.builtin.shell": {
-			"chdir": "{{var_tandoor_directory}}/program/vue3",
-			"cmd": "yarn install && yarn build"
-		}
-	},
-	{
-		"name": "frontend stuff | link",
-		"become": true,
-		"become_user": "{{var_tandoor_user}}",
-		"ansible.builtin.file": {
-			"type": "link",
-			"src": "{{var_tandoor_directory}}/program/cookbook/static/vue3",
-			"dest": "{{var_tandoor_directory}}/program/staticfiles/vue3"
-		}
-	},
-	{
-		"name": "initialize",
-		"become": true,
-		"become_user": "{{var_tandoor_user}}",
-		"environment": {
-			"VIRTUAL_ENV": "{{var_tandoor_directory}}/program"
-		},
-		"loop": [
-			"migrate",
-			"collectstatic --no-input",
-			"collectstatic_js_reverse"
-		],
-		"ansible.builtin.shell": {
-			"chdir": "{{var_tandoor_directory}}/program",
-			"cmd": "bin/python3 manage.py {{item}}"
-		}
-	},
-	{
-		"name": "admin account",
-		"become": true,
-		"become_user": "{{var_tandoor_user}}",
-		"environment": {
-			"VIRTUAL_ENV": "{{var_tandoor_directory}}/program"
-		},
-		"ansible.builtin.shell": {
-			"chdir": "{{var_tandoor_directory}}/program",
-			"cmd": "DJANGO_SUPERUSER_PASSWORD={{var_tandoor_admin_password}} bin/python3 manage.py createsuperuser --no-input --username {{var_tandoor_admin_username}} --email {{var_tandoor_admin_email}}"
-		}
-	},
-	{
-		"name": "systemd unit",
-		"become": true,
-		"ansible.builtin.template": {
-			"src": "systemd-unit.j2",
-			"dest": "/etc/systemd/system/tandoor.service"
-		}
-	},
-	{
-		"name": "start",
-		"become": true,
-		"ansible.builtin.systemd_service": {
-			"enabled": true,
-			"state": "started",
-			"name": "tandoor"
-		}
-	}
-]

roles/tandoor/templates/conf.j2

@@ -1,41 +0,0 @@
-{% if var_tandoor_database_kind == 'sqlite' %}
-DB_ENGINE=django.db.backends.sqlite3
-{% endif %}
-
-{% if var_tandoor_database_kind == 'postgresql' %}
-DB_ENGINE=django.db.backends.postgresql
-POSTGRES_HOST={{var_tandoor_database_data_postgresql_host}}
-POSTGRES_DB={{var_tandoor_database_data_postgresql_schema}}
-POSTGRES_PORT={{var_tandoor_database_data_postgresql_port | string}}
-POSTGRES_USER={{var_tandoor_database_data_postgresql_username}}
-POSTGRES_PASSWORD={{var_tandoor_database_data_postgresql_password}}
-{% endif %}
-
-{% if var_tandoor_authentication_kind == 'internal' %}
-ENABLE_SIGNUP=1
-REMOTE_USER_AUTH=0
-{% endif %}
-
-{% if var_tandoor_authentication_kind == 'authelia' %}
-ENABLE_SIGNUP=0
-REMOTE_USER_AUTH=1
-SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid_connect
-SOCIALACCOUNT_PROVIDERS={"openid_connect": {"OAUTH_PKCE_ENABLED": true, "APPS": [{"provider_id": "authelia", "name": "{{var_tandoor_authentication_data_authelia_label}}", "client_id": "{{var_tandoor_authentication_data_authelia_client_id}}", "secret": "{{var_tandoor_authentication_data_authelia_client_secret}}", "settings": {"server_url": "{{var_tandoor_authentication_data_authelia_url_base}}/.well-known/openid-configuration", "token_auth_method": "client_secret_basic"}}]}}
-{% endif %}
-
-EMAIL_HOST={{var_tandoor_smtp_host}}
-EMAIL_PORT={{var_tandoor_smtp_port | string}}
-EMAIL_HOST_USER={{var_tandoor_smtp_username}}
-EMAIL_HOST_PASSWORD={{var_tandoor_smtp_password}}
-EMAIL_USE_TLS=1
-EMAIL_USE_SSL=0
-DEFAULT_FROM_EMAIL={{var_tandoor_notification_sender}}
-
-SECRET_KEY={{var_tandoor_secret_key}}
-
-ALLOWED_HOSTS={{var_tandoor_domain}}
-
-ENABLE_METRICS=0
-ENABLE_PDF_EXPORT=0
-
-DEBUG=0

roles/tandoor/templates/systemd-unit.j2

@@ -1,16 +0,0 @@
-[Unit]
-Description=Tandoor (gunicorn daemon)
-After=network.target
-
-[Service]
-Type=simple
-Restart=always
-RestartSec=3
-User={{var_tandoor_user}}
-Group=www-data
-WorkingDirectory={{var_tandoor_directory}}/program
-EnvironmentFile={{var_tandoor_directory}}/program/.env
-ExecStart={{var_tandoor_directory}}/program/bin/gunicorn --capture-output --bind unix:{{var_tandoor_directory}}/program/recipes.sock recipes.wsgi:application
-
-[Install]
-WantedBy=multi-user.target

roles/tlscert_selfsigned/cfg.schema.json

@@ -1,14 +0,0 @@
-{
-	"nullable": false,
-	"type": "object",
-	"properties": {
-		"domain": {
-			"nullable": false,
-			"type": "string"
-		}
-	},
-	"additionalProperties": false,
-	"required": [
-		"domain"
-	]
-}

roles/tlscert_selfsigned/defaults/main.json

@@ -1,4 +1,3 @@
 {
-	"cfg_tlscert_selfsigned_defaults": {
-	}
+	"var_tlscert_selfsigned_domain": "foo.example.org"
 }

roles/tlscert_selfsigned/tasks/main.json

@@ -1,11 +1,4 @@
 [
-	{
-		"name": "show vars",
-		"when": "switch_show_vars",
-		"ansible.builtin.debug": {
-			"var": "vars.cfg_tlscert_selfsigned"
-		}
-	},
 	{
 		"name": "install packages",
 		"become": true,
@@ -35,19 +28,19 @@
 		"name": "csr | generate private key",
 		"become": true,
 		"community.crypto.openssl_privatekey": {
-			"path": "/etc/ssl/private/{{cfg_tlscert_selfsigned.domain}}.pem"
+			"path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem"
 		}
 	},
 	{
 		"name": "csr | execute",
 		"become": true,
 		"community.crypto.openssl_csr": {
-			"privatekey_path": "/etc/ssl/private/{{cfg_tlscert_selfsigned.domain}}.pem",
-			"common_name": "{{cfg_tlscert_selfsigned.domain}}",
+			"privatekey_path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem",
+			"common_name": "{{var_tlscert_selfsigned_domain}}",
 			"subject_alt_name": [
-				"DNS:{{cfg_tlscert_selfsigned.domain}}"
+				"DNS:{{var_tlscert_selfsigned_domain}}"
 			],
-			"path": "/etc/ssl/csr/{{cfg_tlscert_selfsigned.domain}}.pem"
+			"path": "/etc/ssl/csr/{{var_tlscert_selfsigned_domain}}.pem"
 		},
 		"register": "temp_csr"
 	},
@@ -55,17 +48,17 @@
 		"name": "generate certificate",
 		"become": true,
 		"community.crypto.x509_certificate": {
-			"privatekey_path": "/etc/ssl/private/{{cfg_tlscert_selfsigned.domain}}.pem",
-			"csr_path": "/etc/ssl/csr/{{cfg_tlscert_selfsigned.domain}}.pem",
+			"privatekey_path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem",
+			"csr_path": "/etc/ssl/csr/{{var_tlscert_selfsigned_domain}}.pem",
 			"provider": "selfsigned",
-			"path": "/etc/ssl/certs/{{cfg_tlscert_selfsigned.domain}}.pem"
+			"path": "/etc/ssl/certs/{{var_tlscert_selfsigned_domain}}.pem"
 		}
 	},
 	{
 		"name": "compose fullchain",
 		"become": true,
 		"ansible.builtin.shell": {
-			"cmd": "cat /etc/ssl/certs/{{cfg_tlscert_selfsigned.domain}}.pem > /etc/ssl/fullchains/{{cfg_tlscert_selfsigned.domain}}.pem"
+			"cmd": "cat /etc/ssl/certs/{{var_tlscert_selfsigned_domain}}.pem > /etc/ssl/fullchains/{{var_tlscert_selfsigned_domain}}.pem"
 		}
 	}
 ]

tools/cfg-man

@@ -1,179 +0,0 @@
-#!/usr/bin/env python3
-
-import os as _os
-import sys as _sys
-import json as _json
-import argparse as _argparse
-
-
-def convey(
-	x,
-	fs
-):
-	y = x
-	for f in fs:
-		y = f(y)
-	return y
-	
-
-def file_read(
-	path
-):
-	handle = open(path, "r")
-	content = handle.read()
-	handle.close()
-	return content
-	
-
-class interface_option(object):
-	def is_filled(self):
-		raise NotImplementedError()
-	def cull(self):
-		raise NotImplementedError()
-	def propagate(self, function):
-		raise NotImplementedError()
-	
-
-class class_option_empty(interface_option):
-	def __init__(self):
-		pass
-	def is_filled(self):
-		return False
-	def cull(self):
-		raise ValueError("cull from empty")
-	def propagate(self, function):
-		return class_option_empty()
-	
-
-class class_option_filled(interface_option):
-	def __init__(self, value):
-		self.value = value
-	def is_filled(self):
-		return True
-	def cull(self):
-		return self.value
-	def propagate(self, function):
-		return function(self.value)
-	
-
-def generate_defaults(
-	schema_node
-):
-	if ("anyOf" in schema_node):
-		## todo: o'rly?
-		return generate_defaults(schema_node["anyOf"][0])
-	else:
-		if (not ("type" in schema_node)):
-			raise ValueError(":?")
-		else:
-			if (not (schema_node["type"] == "object")):
-				if (not ("default" in schema_node)):
-					return class_option_empty()
-				else:
-					return class_option_filled(schema_node["default"])
-			else:
-				result = {}
-				for (key, value, ) in schema_node["properties"].items():
-					sub_result = generate_defaults(value)
-					if (not sub_result.is_filled()):
-						pass
-					else:
-						result[key] = sub_result.cull()
-				return class_option_filled(result)
-	
-
-def generate_overrides(
-	schema_node
-):
-	if ("anyOf" in schema_node):
-		## todo: o'rly?
-		return generate_overrides(schema_node["anyOf"][0])
-	else:
-		if (not ("type" in schema_node)):
-			raise ValueError(":?")
-		else:
-			if (not (schema_node["type"] == "object")):
-				if ("default" in schema_node):
-					return class_option_empty()
-				else:
-					if ("enum" in schema_node):
-						return class_option_filled(schema_node["enum"][0])
-					else:
-						if (schema_node.get("nullable", False)):
-							return class_option_filled(None)
-						else:
-							if (schema_node["type"] == "boolean"):
-								return class_option_filled(False)
-							elif (schema_node["type"] == "integer"):
-								return class_option_filled(0)
-							elif (schema_node["type"] == "number"):
-								return class_option_filled(0)
-							elif (schema_node["type"] == "string"):
-								return class_option_filled("")
-							else:
-								raise ValueError("unhandled type: %s" % schema_node["type"])
-			else:
-				result = {}
-				for (key, value, ) in schema_node["properties"].items():
-					sub_result = generate_overrides(value)
-					if (not sub_result.is_filled()):
-						pass
-					else:
-						result[key] = sub_result.cull()
-				return (
-					class_option_empty()
-					if (len(result) <= 0) else
-					class_option_filled(result)
-				)
-	
-
-def role_name_derive(
-	role_name
-):
-	return role_name.replace("-", "_")
-	
-
-def main(
-):
-	## args
-	argument_parser = _argparse.ArgumentParser()
-	argument_parser.add_argument(
-		"action",
-		type = str,
-		choices = [
-			"defaults",
-			"overrides",
-		],
-		metavar = "<action>",
-	)
-	argument_parser.add_argument(
-		"role",
-		type = str,
-		metavar = "<role>",
-	)
-	args = argument_parser.parse_args()
-	
-	## exec
-	cfg_schema = convey(
-		args.role,
-		[
-			lambda x: _os.path.join("roles", x, "cfg.schema.json"),
-			file_read,
-			_json.loads,
-		]
-	)
-	if args.action == "defaults":
-		raw = generate_defaults(cfg_schema)
-		key = ("cfg_%s_defaults" % (role_name_derive(args.role)))
-		result = {key: (raw.cull() if raw.is_filled() else {})}
-		_sys.stdout.write(_json.dumps(result, indent = "\t") + "\n")
-	elif args.action == "overrides":
-		raw = generate_overrides(cfg_schema)
-		key = ("cfg_%s_overrides" % (role_name_derive(args.role)))
-		result = {key: (raw.cull() if raw.is_filled() else {})}
-		_sys.stdout.write(_json.dumps(result, indent = "\t") + "\n")
-	else:
-		raise ValueError("invalid action: %s" % args.action)
-	
-
-main()

tools/check-json-syntax

@@ -8,7 +8,7 @@ dir_base="."
 ## exec
 
 flaws=0
-for path in $(find ${dir_base} -name "*.json" | sort)
+for path in $(find ${dir_base} -name "*.json")
 do
 	echo "-- ${path}"
 	python3 -m json.tool ${path} > /dev/null || ((flaws+=1))