From b31e9f1e577ac34d19caf6840040bb4c6f89000b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 17 Sep 2025 23:43:22 +0200 Subject: [PATCH 01/41] [task-377] [int] --- roles/owncloud/defaults/main.json | 2 +- roles/owncloud/info.md | 11 +++++++++++ roles/owncloud/templates/csp.yaml.j2 | 6 ++++++ roles/owncloud/templates/env.j2 | 1 + 4 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 roles/owncloud/templates/csp.yaml.j2 diff --git a/roles/owncloud/defaults/main.json b/roles/owncloud/defaults/main.json index 1101e12..75cdfab 100644 --- a/roles/owncloud/defaults/main.json +++ b/roles/owncloud/defaults/main.json @@ -1,7 +1,7 @@ { "var_owncloud_user": "owncloud", "var_owncloud_directory": "/opt/owncloud", - "var_owncloud_version": "5.0.0", + "var_owncloud_version": "7.2.0", "var_owncloud_platform": "linux-amd64", "var_owncloud_domain": "owncloud.example.org", "var_owncloud_admin_password": "REPLACE_ME", diff --git a/roles/owncloud/info.md b/roles/owncloud/info.md index b74ee6d..c5df2ed 100644 --- a/roles/owncloud/info.md +++ b/roles/owncloud/info.md @@ -7,6 +7,7 @@ Cloud-Plattform [ownCloud](https://owncloud.com/) (the rewrite in Go named "Infi - [ownCloud-Dokumentation | How to install ownCloud Infinite Scale Tech Preview in three easy steps](https://owncloud.com/news/howto-install-owncloud-infinite-scale-tech-preview/) - [ownCloud-Dokumentation | oCIS](https://owncloud.dev/ocis/) +- [ownCloud-Dokumentation | Upgrading](https://doc.owncloud.com/ocis/next/migration/upgrading-ocis.html) - [ownCloud-Dokumentation | Service | Proxy](https://doc.owncloud.com/ocis/next/deployment/services/s-list/proxy.html) - [ownCloud-Dokumentation | Service | Web](https://doc.owncloud.com/ocis/next/deployment/services/s-list/web.html) - [ownCloud-Dokumentation | Service | Sharing](https://doc.owncloud.com/ocis/next/deployment/services/s-list/sharing.html) 
@@ -14,6 +15,16 @@ Cloud-Plattform [ownCloud](https://owncloud.com/) (the rewrite in Go named "Infi - [ownCloud-Foren | OCIS + Authelia](https://central.owncloud.org/t/ocis-authelia/44222) +## Bemerkungen + +- die `.ocis/config/ocis.yaml` wird erzeugt auf Grundlage der `.env` +- wenn man sich plötzlich nicht mehr über OIDC anmelden kann, kann das daran lieget, dass `.ocis/idm/ldap.crt` abgelaufen ist — siehe dazu [diesen Thread](https://central.owncloud.org/t/certificate-error-after-upgrade-to-5-0-0-from-4-0-6/47824/7); man könnte auch `OCIS_LDAP_INSECURE` auf `true` setzen, aber naja… + + ## ToDo - Download prüfen +- `csp.yaml` einsetzen +- prüfen ob folgende `.env`-Variablen gebraucht werden: + - `PROXY_OIDC_ISSUER` + - `PROXY_OIDC_SKIP_USER_INFO` diff --git a/roles/owncloud/templates/csp.yaml.j2 b/roles/owncloud/templates/csp.yaml.j2 new file mode 100644 index 0000000..8a96314 --- /dev/null +++ b/roles/owncloud/templates/csp.yaml.j2 @@ -0,0 +1,6 @@ +directives: + connect-src: + - '''self''' +{% if var_owncloud_authentication_kind == 'authelia' %} + - '{{var_owncloud_authentication_data_authelia_url_base}}' +{% endif %} diff --git a/roles/owncloud/templates/env.j2 b/roles/owncloud/templates/env.j2 index 1c53400..8a39760 100644 --- a/roles/owncloud/templates/env.j2 +++ b/roles/owncloud/templates/env.j2 @@ -42,3 +42,4 @@ OCIS_SHARING_PASSWORD_POLICY_DISABLED="false" {% else %} OCIS_SHARING_PASSWORD_POLICY_DISABLED="true" {% endif %} + -- 2.47.3 From 8953d1ee9938ea8804f26a21ff343fb46ccfb3cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Mon, 22 Sep 2025 21:50:54 +0200 Subject: [PATCH 02/41] [mod] galaxy definition [mod] readme --- README.md | 2 +- galaxy.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 7dcacdf..33930a9 100644 --- a/README.md +++ b/README.md 
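Review bot: The new `roles/owncloud/templates/csp.yaml.j2` is not rendered or copied by any task in this patch, so it has no effect on the deployed oCIS configuration yet; the `csp.yaml einsetzen` item added to the ToDo list in `info.md` in the same patch confirms this is intended follow-up work. Until it is wired in, a header comment such as `{# not yet deployed: the task rendering this file is still open, see ToDo in info.md #}` would stop a reader from assuming the connect-src restriction is already active. When it is deployed, note that the Authelia base URL is inserted into a single-quoted YAML scalar, so a value containing a `'` would break the file; presumably never the case for a URL, but worth a sanity check in the rendering task.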
@@ -1,4 +1,4 @@ -# Ansible Collection - linke.standard +# Ansible Collection - roydfalk.standard Sammlung von allgemeinen, wiederverwendbaren Ansible-Rollen diff --git a/galaxy.yml b/galaxy.yml index 8a1d7ac..d7ab6b4 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -2,7 +2,7 @@ # The namespace of the collection. This can be a company/brand/organization or product namespace under which all # content lives. May only contain alphanumeric lowercase characters and underscores. Namespaces cannot start with # underscores or numbers and cannot contain consecutive underscores -namespace: linke +namespace: roydfalk # The name of the collection. Has the same character restrictions as 'namespace' name: standard @@ -21,7 +21,7 @@ authors: ### OPTIONAL but strongly recommended # A short summary description of the collection -description: "Sammlung von allgemeinen, wiederverwendbaren Ansible-Rollen (ursprünglich für Infrastruktur der Partei 'DIE LINKE.')" +description: "Sammlung von allgemeinen, wiederverwendbaren Ansible-Rollen" # Either a single license or a list of licenses for content inside of a collection. Ansible Galaxy currently only # accepts L(SPDX,https://spdx.org/licenses/) licenses. This key is mutually exclusive with 'license_file' -- 2.47.3 From 4a439cf3753d7f15282c108f4ba1fd4fde985ee8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 15:58:18 +0200 Subject: [PATCH 03/41] [int] --- roles/authelia/cfg.schema.json | 388 +++++++++++++++++++++ roles/authelia/defaults/main.json | 87 +++-- roles/authelia/templates/conf-main.json.j2 | 81 ++--- roles/authelia/vardef.json | 169 --------- 4 files changed, 476 insertions(+), 249 deletions(-) create mode 100644 roles/authelia/cfg.schema.json delete mode 100644 roles/authelia/vardef.json diff --git a/roles/authelia/cfg.schema.json b/roles/authelia/cfg.schema.json new file mode 100644 index 0000000..ce77684 --- /dev/null +++ b/roles/authelia/cfg.schema.json 
@@ -0,0 +1,388 @@ +{ + "nullable": false, + "type": "object", + "properties": { + "listen_address": { + "nullable": false, + "type": "string", + "default": "0.0.0.0" + }, + "jwt_secret": { + "nullable": false, + "type": "string" + }, + "users_file_path": { + "nullable": false, + "type": "string", + "default": "/var/authelia/users.yml" + }, + "log_file_path": { + "nullable": false, + "type": "string", + "default": "/var/authelia/log.jsonl" + }, + "domain": { + "nullable": false, + "type": "string", + "default": "authelia.example.org" + }, + "redirect_url": { + "nullable": false, + "type": "string", + "default": "https://example.org" + }, + "session_domain": { + "nullable": false, + "type": "string", + "default": "example.org" + }, + "session_secret": { + "nullable": false, + "type": "string" + }, + "storage_encryption_key": { + "nullable": false, + "type": "string" + }, + "storage": { + "anyOf": [ + { + "nullable": false, + "type": "object", + "properties": { + "kind": { + "nullable": false, + "type": "string", + "enum": ["sqlite"] + }, + "data": { + "nullable": false, + "type": "object", + "properties": { + "path": { + "nullable": false, + "type": "string", + "default": "/var/authelia/state.db" + } + }, + "additionalProperties": false, + "required": [ + ], + "default": { + } + } + }, + "additionalProperties": false, + "required": [ + "kind" + ] + }, + { + "nullable": false, + "type": "object", + "properties": { + "kind": { + "nullable": false, + "type": "string", + "enum": ["postgresql"] + }, + "data": { + "nullable": false, + "type": "object", + "properties": { + "host": { + "nullable": false, + "type": "string", + "ddefault": "localhost" + }, + "port": { + "nullable": false, + "type": "integer", + "default": 5432 + }, + "username": { + "nullable": false, + "type": "string", + "default": "authelia_user" + }, + "password": { + "nullable": false, + "type": "string" + }, + "schema": { + "nullable": false, + "type": "string", + "default": "authelia" + } + }, + 
"additionalProperties": false, + "required": [ + "password" + ] + } + }, + "additionalProperties": false, + "required": [ + "kind", + "data" + ] + }, + { + "nullable": false, + "type": "object", + "properties": { + "kind": { + "nullable": false, + "type": "string", + "enum": ["mariadb"] + }, + "data": { + "nullable": false, + "type": "object", + "properties": { + "host": { + "nullable": false, + "type": "string", + "ddefault": "localhost" + }, + "port": { + "nullable": false, + "type": "integer", + "default": 3306 + }, + "username": { + "nullable": false, + "type": "string", + "default": "authelia_user" + }, + "password": { + "nullable": false, + "type": "string" + }, + "schema": { + "nullable": false, + "type": "string", + "default": "authelia" + } + }, + "additionalProperties": false, + "required": [ + "password" + ] + } + }, + "additionalProperties": false, + "required": [ + "kind", + "data" + ] + } + ] + }, + "ntp_server": { + "nullable": false, + "type": "string", + "mandatory": false + }, + "password_reset": { + "nullable": false, + "type": "object", + "properties": { + "enabled": { + "nullable": false, + "type": "boolean", + "default": false + }, + "custom_url": { + "nullable": true, + "type": "string", + "default": null + } + }, + "additionalProperties": false, + "required": [ + ], + "default": { + } + }, + "notification": { + "anyOf": [ + { + "nullable": false, + "type": "object", + "properties": { + "kind": { + "nullable": false, + "type": "string", + "enum": ["file"] + }, + "data": { + "nullable": false, + "type": "object", + "properties": { + }, + "additionalProperties": false, + "required": [ + ], + "default": { + } + } + }, + "additionalProperties": false, + "required": [ + "kind" + ] + }, + { + "nullable": false, + "type": "object", + "properties": { + "kind": { + "nullable": false, + "type": "string", + "enum": ["smtp"] + }, + "data": { + "nullable": false, + "type": "object", + "properties": { + "host": { + "nullable": false, + "type": "string", + 
"default": "smtp.example.org" + }, + "port": { + "nullable": false, + "type": "integer", + "default": 465 + }, + "username": { + "nullable": false, + "type": "string", + "default": "authelia" + }, + "password": { + "nullable": false, + "type": "string" + }, + "sender": { + "nullable": false, + "type": "string", + "default": "authelia@example.org" + } + }, + "additionalProperties": false, + "required": [ + "password" + ] + } + }, + "additionalProperties": false, + "required": [ + "kind", + "data" + ] + } + ] + }, + "oidc": { + "nullable": false, + "type": "object", + "properties": { + "hmac_secret": { + "nullable": false, + "type": "string" + }, + "lifespan": { + "nullable": false, + "type": "object", + "properties": { + "default": { + "nullable": false, + "type": "object", + "properties": { + "access_token": { + "nullable": false, + "type": "string", + "default": "1h" + }, + "refresh_token": { + "nullable": false, + "type": "string", + "default": "1m" + } + }, + "additionalProperties": false, + "required": [ + ], + "default": { + } + }, + "custom": { + "nullable": false, + "type": "object", + "properties": { + }, + "additionalProperties": { + "nullable": false, + "type": "object", + "properties": { + "access_token": { + "nullable": false, + "type": "string" + }, + "refresh_token": { + "nullable": false, + "type": "string" + } + }, + "additionalProperties": false, + "required": [ + "acces_token", + "refresh_token" + ] + }, + "required": [ + ], + "default": { + } + } + }, + "additionalProperties": false, + "required": [ + ], + "default": { + } + }, + "cors_endpoints": { + "nullable": true, + "type": "array", + "items": { + "nullable": false, + "type": "string", + "enum": [ + "authorization", + "pushed-authorization-request", + "token", + "revocation", + "introspection", + "userinfo" + ] + }, + "default": null + } + }, + "additionalProperties": false, + "required": [ + "hmac_secret" + ] + } + }, + "additionalProperties": false, + "required": [ + "jwt_secret", + 
"session_secret", + "storage_encryption_key", + "oidc" + ] +} diff --git a/roles/authelia/defaults/main.json b/roles/authelia/defaults/main.json index 04a1f7f..422c3af 100644 --- a/roles/authelia/defaults/main.json +++ b/roles/authelia/defaults/main.json 
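Review bot: `ddefault` in the postgresql and mariadb `storage.data.host` definitions is a typo, so whichever validator consumes this schema sees no default for `host` and the intended `localhost` fallback is silently lost; both should read `"default": "localhost"`. The `required` list for entries of `oidc.lifespan.custom` names `acces_token` instead of `access_token`, which means a custom lifespan can never satisfy the schema (the misspelled key is always missing) while the real `access_token` is never enforced. `ntp_server` still carries `"mandatory": false`, a key from the deleted `vardef.json` format that is not a JSON Schema keyword; a standard validator ignores it, so either drop it or express optionality through `required` as the rest of the file does. It is a good change that none of the secret-bearing properties (`jwt_secret`, `session_secret`, `storage_encryption_key`, the passwords, `oidc.hmac_secret`) carry a placeholder default any more.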
@@ -1,39 +1,52 @@ { - "var_authelia_version": "4.37.5", - "var_authelia_architecture": "amd64", - "var_authelia_listen_address": "0.0.0.0", - "var_authelia_jwt_secret": "REPLACE_ME", - "var_authelia_users_file_path": "/var/authelia/users.yml", - "var_authelia_log_file_path": "/var/authelia/log.jsonl", - "var_authelia_domain": "authelia.example.org", - "var_authelia_redirect_url": "https://example.org", - "var_authelia_session_domain": "example.org", - "var_authelia_session_secret": "REPLACE_ME", - "var_authelia_storage_encryption_key": "REPLACE_ME", - "var_authelia_storage_kind": "sqlite", - "var_authelia_storage_data_sqlite_path": "/var/authelia/state.db", - "var_authelia_storage_data_postgresql_host": "localhost", - "var_authelia_storage_data_postgresql_port": 5432, - "var_authelia_storage_data_postgresql_username": "authelia_user", - "var_authelia_storage_data_postgresql_password": "REPLACE_ME", - "var_authelia_storage_data_postgresql_schema": "authelia", - "var_authelia_storage_data_mariadb_host": "localhost", - "var_authelia_storage_data_mariadb_port": 3306, - "var_authelia_storage_data_mariadb_username": "authelia_user", - "var_authelia_storage_data_mariadb_password": "REPLACE_ME", - "var_authelia_storage_data_mariadb_schema": "authelia", - "var_authelia_ntp_server": "time.cloudflare.com:123", - "var_authelia_password_reset_enabled": false, - "var_authelia_password_reset_custom_url": null, - "var_authelia_notification_mode": "smtp", - "var_authelia_notification_file_path": "/var/authelia/notifications", - "var_authelia_notification_smtp_host": "smtp.example.org", - "var_authelia_notification_smtp_port": 465, - "var_authelia_notification_smtp_username": "authelia", - "var_authelia_notification_smtp_password": "REPLACE_ME", - "var_authelia_notification_smtp_sender": "authelia@example.org", - "var_authelia_oidc_hmac_secret": "REPLACE_ME", - "var_authelia_oidc_lifespan_access_token": "1h", - "var_authelia_oidc_lifespan_refresh_token": "1m", - 
"var_authelia_oidc_cors_endpoints": null + "cfg_authelia_defaults": { + "listen_address": "0.0.0.0", + "users_file_path": "/var/authelia/users.yml", + "log_file_path": "/var/authelia/log.jsonl", + "domain": "authelia.example.org", + "redirect_url": "https://example.org", + "session_domain": "example.org", + "storage": { + "kind": "sqlite", + "data": { + "sqlite": { + "path": "/var/authelia/state.db" + }, + "postgresql": { + "host": "localhost", + "port": 5432, + "username": "authelia_user", + "schema": "authelia" + }, + "mariadb": { + "host": "localhost", + "port": 3306, + "username": "authelia_user", + "schema": "authelia" + } + } + }, + "ntp_server": "time.cloudflare.com:123", + "password_reset": { + "enabled": false, + "custom_url": null + }, + "notification": { + "kind": "file", + "data": { + "path": "/var/authelia/notifications" + } + }, + "oidc": { + "lifespan": { + "default": { + "access_token": "1d", + "refresh_token": "1h" + }, + "custom": { + } + }, + "cors_endpoints": null + } + } } diff --git a/roles/authelia/templates/conf-main.json.j2 b/roles/authelia/templates/conf-main.json.j2 index 5d77df9..97a00c8 100644 --- a/roles/authelia/templates/conf-main.json.j2 +++ b/roles/authelia/templates/conf-main.json.j2 @@ -2,12 +2,12 @@ "theme": "auto", "identity_validation": { "reset_password": { - "jwt_secret": "{{var_authelia_jwt_secret}}" + "jwt_secret": "{{cfg_authelia.jwt_secret}}" } }, "default_2fa_method": "totp", "server": { - "address": "{{var_authelia_listen_address}}:9091", + "address": "{{cfg_authelia.listen_address}}:9091", "endpoints": { "enable_pprof": false, "enable_expvars": false @@ -17,7 +17,7 @@ "log": { "level": "info", "format": "json", - "file_path": "{{var_authelia_log_file_path}}", + "file_path": "{{cfg_authelia.log_file_path}}", "keep_stdout": false }, "telemetry": { 
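Review bot: The shape of `cfg_authelia_defaults.storage.data` and `notification.data` in the new defaults does not match either the schema or the template introduced in the same patch. The schema declares `storage.data` as a flat object (`host`, `port`, …) with `additionalProperties: false`, and `conf-main.json.j2` reads `cfg_authelia.storage.data.host`, but the defaults nest the values under `sqlite`/`postgresql`/`mariadb` keys, so a merged config either fails validation or renders empty `host`/`port`/`username` values; likewise the `file` notification variant has no `path` property in the schema, yet the defaults provide one and the template reads it. The lifespan defaults also disagree: the schema defaults `access_token`/`refresh_token` to `1h`/`1m`, this file to `1d`/`1h`, so presumably one source is meant to be authoritative and the other should be dropped or aligned. Deciding how per-`kind` defaults are merged (and recording that in `info.md` or a schema `description`) would keep the three files from drifting again.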
@@ -43,7 +43,7 @@ "user_verification": "preferred" }, "ntp": { - "address": "{{var_authelia_ntp_server}}", + "address": "{{cfg_authelia.ntp_server}}", "version": 4, "max_desync": "3s", "disable_startup_check": false, @@ -51,16 +51,16 @@ }, "authentication_backend": { "password_reset": { -{% if var_authelia_password_reset_enabled %} +{% if cfg_authelia.password_reset.enabled %} "disable": false, {% else %} "disable": true, {% endif %} - "custom_url": "{{var_authelia_password_reset_custom_url}}" + "custom_url": "{{cfg_authelia.password_reset.custom_url}}" }, "refresh_interval": "5m", "file": { - "path": "{{var_authelia_users_file_path}}", + "path": "{{cfg_authelia.users_file_path}}", "watch": true, "search": { "email": false, @@ -121,15 +121,15 @@ "session": { "name": "authelia_session", "same_site": "lax", - "secret": "{{var_authelia_session_secret}}", + "secret": "{{cfg_authelia.session_secret}}", "expiration": "1h", "inactivity": "5m", "remember_me": "1M", "cookies": [ { - "domain": "{{var_authelia_session_domain}}", - "authelia_url": "https://{{var_authelia_domain}}/", - "default_redirection_url": "{{var_authelia_redirect_url}}" + "domain": "{{cfg_authelia.session_domain}}", + "authelia_url": "https://{{cfg_authelia.domain}}/", + "default_redirection_url": "{{cfg_authelia.redirect_url}}" } ] }, 
@@ -139,44 +139,44 @@ "ban_time": "5m" }, "storage": { - "encryption_key": "{{var_authelia_storage_encryption_key}}", -{% if var_authelia_storage_kind == "sqlite" %} + "encryption_key": "{{cfg_authelia.storage_encryption_key}}", +{% if cfg_authelia.storage.kind == "sqlite" %} "local": { - "path": "{{var_authelia_storage_data_sqlite_path}}" + "path": "{{cfg_authelia.storage.data.path}}" } {% endif %} -{% if var_authelia_storage_kind == "postgresql" %} +{% if cfg_authelia.storage.kind == "postgresql" %} "postgres": { - "address": "{{var_authelia_storage_data_postgresql_host}}:{{var_authelia_storage_data_postgresql_port | string}}", + "address": "{{cfg_authelia.storage.data.host}}:{{cfg_authelia.storage.data.port | string}}", "schema": "public", - "username": "{{var_authelia_storage_data_postgresql_username}}", - "password": "{{var_authelia_storage_data_postgresql_password}}", - "database": "{{var_authelia_storage_data_postgresql_schema}}" + "username": "{{cfg_authelia.storage.data.username}}", + "password": "{{cfg_authelia.storage.data.password}}", + "database": "{{cfg_authelia.storage.data.schema}}" } {% endif %} -{% if var_authelia_storage_kind == "mariadb" %} +{% if cfg_authelia.storage_kind == "mariadb" %} "mysql": { - "host": "{{var_authelia_storage_data_mariadb_host}}", - "port": {{var_authelia_storage_data_mariadb_port | string}}, - "username": "{{var_authelia_storage_data_mariadb_username}}", - "password": "{{var_authelia_storage_data_mariadb_password}}", - "database": "{{var_authelia_storage_data_mariadb_schema}}" + "host": "{{cfg_authelia.storage.data.host}}", + "port": {{cfg_authelia.storage.data.port | string}}, + "username": "{{cfg_authelia.storage.data.username}}", + "password": "{{cfg_authelia.storage.data.password}}", + "database": "{{cfg_authelia.storage.data.schema}}" } {% endif %} }, "notifier": { "disable_startup_check": true, -{% if var_authelia_notification_mode == "file" %} +{% if cfg_authelia.notification.kind == "file" %} "filesystem": { - 
"filename": "{{var_authelia_notification_file_path}}" + "filename": "{{cfg_authelia.notification.data.path}}" } {% endif %} -{% if var_authelia_notification_mode == "smtp" %} +{% if cfg_authelia.notification_mode == "smtp" %} "smtp": { - "address": "{{var_authelia_notification_smtp_host}}:{{var_authelia_notification_smtp_port | string}}", - "username": "{{var_authelia_notification_smtp_username}}", - "password": "{{var_authelia_notification_smtp_password}}", - "sender": "{{var_authelia_notification_smtp_sender}}", + "address": "{{cfg_authelia.notification.data.host}}:{{cfg_authelia.notification.data.port | string}}", + "username": "{{cfg_authelia.notification.data.username}}", + "password": "{{cfg_authelia.notification.data.password}}", + "sender": "{{cfg_authelia.notification.data.sender}}", "disable_require_tls": false, "disable_html_emails": false, "tls": { @@ -187,7 +187,7 @@ }, "identity_providers": { "oidc": { - "hmac_secret": "{{var_authelia_oidc_hmac_secret}}", + "hmac_secret": "{{cfg_authelia.oidc.hmac_secret}}", "jwks": [ { "algorithm": "RS256", @@ -195,20 +195,15 @@ } ], "lifespans": { - "access_token": "{{var_authelia_oidc_lifespan_access_token}}", - "refresh_token": "{{var_authelia_oidc_lifespan_refresh_token}}", - "custom": { - "ocis": { - "access_token": "2d", - "refresh_token": "3d" - } - } + "access_token": "{{cfg_authelia.oidc.lifespan.default.access_token}}", + "refresh_token": "{{cfg_authelia.oidc.lifespan.default.refresh_token}}", + "custom": "{{cfg_authelia.oidc.lifespan.custom | to_json}}", }, "cors": { "allowed_origins_from_client_redirect_uris": true -{% if var_authelia_oidc_cors_endpoints == None %} +{% if cfg_authelia.oidc.cors_endpoints == None %} {% else %} - ,"endpoints": {{var_authelia_oidc_cors_endpoints | to_json}} + ,"endpoints": {{cfg_authelia.oidc.cors_endpoints | to_json}} {% endif %} }, "clients": [ diff --git a/roles/authelia/vardef.json b/roles/authelia/vardef.json deleted file mode 100644 index 9b651a1..0000000 
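Review bot: In the storage block the mariadb branch tests `cfg_authelia.storage_kind` while the sqlite and postgresql branches test `cfg_authelia.storage.kind`; the same slip occurs in the notifier block, where the smtp branch tests `cfg_authelia.notification_mode` but the file branch tests `cfg_authelia.notification.kind`. Neither `storage_kind` nor `notification_mode` exists in the new `cfg_authelia` layout, so with Jinja's default undefined handling the mariadb storage and smtp notifier sections are never rendered (and with `StrictUndefined` the template fails), leaving Authelia with no storage or notifier backend in those configurations. The two conditions should read `{% if cfg_authelia.storage.kind == "mariadb" %}` and `{% if cfg_authelia.notification.kind == "smtp" %}`. These are the only places the old flat names survive in the hunk, which reads like an incomplete search-and-replace.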
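Review bot: `"custom": "{{cfg_authelia.oidc.lifespan.custom | to_json}}",` wraps the output of `to_json` in double quotes, so `lifespans.custom` becomes a string (e.g. `"{}"`) rather than the object Authelia expects, and the trailing comma after it makes the rendered `lifespans` object invalid JSON for a strict parser; the `cors.endpoints` line further down already shows the unquoted form. The line should be `"custom": {{cfg_authelia.oidc.lifespan.custom | to_json}}` with no trailing comma (whether the compose script tolerates trailing commas is not visible here, but the quoting problem stands regardless). Replacing the hard-coded `ocis` lifespan with a configurable map is fine, but the old `2d`/`3d` values are not carried into any default, so existing deployments lose them unless the inventory sets `oidc.lifespan.custom.ocis`.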
--- a/roles/authelia/vardef.json
+++ /dev/null
@@ -1,169 +0,0 @@ -{ - "version": { - "type": "string", - "mandatory": false - }, - "architecture": { - "type": "string", - "mandatory": false - }, - "listen_address": { - "type": "string", - "mandatory": false - }, - "jwt_secret": { - "type": "string", - "mandatory": true - }, - "users_file_path": { - "type": "string", - "mandatory": false - }, - "log_file_path": { - "type": "string", - "mandatory": false - }, - "domain": { - "type": "string", - "mandatory": false - }, - "redirect_url": { - "type": "string", - "mandatory": false - }, - "session_domain": { - "type": "string", - "mandatory": false - }, - "session_secret": { - "type": "string", - "mandatory": true - }, - "storage_encryption_key": { - "type": "string", - "mandatory": true - }, - "storage_kind": { - "type": "string", - "mandatory": false - }, - "storage_data_sqlite_path": { - "type": "string", - "mandatory": false - }, - "storage_data_postgresql_host": { - "type": "string", - "mandatory": false - }, - "storage_data_postgresql_port": { - "type": "integer", - "mandatory": false - }, - "storage_data_postgresql_username": { - "type": "string", - "mandatory": false - }, - "storage_data_postgresql_password": { - "type": "string", - "mandatory": false - }, - "storage_data_postgresql_schema": { - "type": "string", - "mandatory": false - }, - "storage_data_mariadb_host": { - "type": "string", - "mandatory": false - }, - "storage_data_mariadb_port": { - "type": "integer", - "mandatory": false - }, - "storage_data_mariadb_username": { - "type": "string", - "mandatory": false - }, - "storage_data_mariadb_password": { - "type": "string", - "mandatory": false - }, - "storage_data_mariadb_schema": { - "type": "string", - "mandatory": false - }, - "ntp_server": { - "type": "string", - "mandatory": false - }, - "password_reset_enabled": { - "type": "boolean", - "mandatory": false - }, - "password_reset_custom_url": { - "nullable": true, - "type": "string", - "mandatory": false - }, - "notification_mode": { - "type": 
"string", - "mandatory": false, - "options": [ - "file", - "smtp" - ] - }, - "notification_file_path": { - "type": "string", - "mandatory": false - }, - "notification_smtp_host": { - "type": "string", - "mandatory": false - }, - "notification_smtp_port": { - "type": "integer", - "mandatory": false - }, - "notification_smtp_username": { - "type": "string", - "mandatory": false - }, - "notification_smtp_password": { - "type": "string", - "mandatory": false - }, - "notification_smtp_sender": { - "type": "string", - "mandatory": false - }, - "oidc_hmac_secret": { - "type": "string", - "mandatory": true - }, - "oidc_lifespan_access_token": { - "nullable": true, - "type": "string", - "mandatory": false - }, - "oidc_lifespan_refresh_token": { - "nullable": true, - "type": "string", - "mandatory": false - }, - "oidc_cors_endpoints": { - "nullable": true, - "type": "array", - "items": { - "type": "string", - "enum": [ - "authorization", - "pushed-authorization-request", - "token", - "revocation", - "introspection", - "userinfo" - ] - }, - "mandatory": false - } -} -- 2.47.3 From 4a7a75651c00030c4a75ac72d8df692df800b103 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 16:04:07 +0200 Subject: [PATCH 04/41] [int] --- roles/authelia/cfg.schema.json | 8 +++++++- roles/authelia/defaults/main.json | 8 +++++++- roles/nginx/defaults/main.json | 3 ++- roles/nginx/tasks/main.json | 2 +- 4 files changed, 17 insertions(+), 4 deletions(-) diff --git a/roles/authelia/cfg.schema.json b/roles/authelia/cfg.schema.json index ce77684..0b948e9 100644 --- a/roles/authelia/cfg.schema.json +++ b/roles/authelia/cfg.schema.json @@ -369,7 +369,13 @@ "userinfo" ] }, - "default": null + "default": [ + "authorization", + "token", + "revocation", + "introspection", + "userinfo" + ] } }, "additionalProperties": false, diff --git a/roles/authelia/defaults/main.json b/roles/authelia/defaults/main.json index 422c3af..f28370a 100644 --- a/roles/authelia/defaults/main.json 
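Review bot: The default for `oidc.cors_endpoints` changes from `null` to a list that enables CORS on `authorization`, `token`, `revocation`, `introspection` and `userinfo`; `roles/authelia/defaults/main.json` in this patch makes the same change. Combined with `allowed_origins_from_client_redirect_uris: true` in `conf-main.json.j2`, this means every origin derived from a client's registered redirect URIs may call the token, revocation and introspection endpoints cross-origin by default, where previously this was opt-in. If browser-based clients need it this is a defensible default, but it widens exposure for every deployment, so a `description` on the property explaining why these endpoints are enabled (and that `null` disables CORS again) would make the trade-off explicit.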
+++ b/roles/authelia/defaults/main.json @@ -46,7 +46,13 @@ "custom": { } }, - "cors_endpoints": null + "cors_endpoints": [ + "authorization", + "token", + "revocation", + "introspection", + "userinfo" + ] } } } diff --git a/roles/nginx/defaults/main.json b/roles/nginx/defaults/main.json index 997702e..912c519 100644 --- a/roles/nginx/defaults/main.json +++ b/roles/nginx/defaults/main.json @@ -1,3 +1,4 @@ { - "var_nginx_auto_reload_interval": null + "var_nginx_auto_reload_interval": null, + "var_nginx_dhparam_size": 2048 } diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json index 9748e6d..1edc2e2 100644 --- a/roles/nginx/tasks/main.json +++ b/roles/nginx/tasks/main.json @@ -14,7 +14,7 @@ "name": "generate dhparams file", "become": true, "ansible.builtin.command": { - "cmd": "openssl dhparam -out /etc/nginx/dhparam 4096" + "cmd": "openssl dhparam -out /etc/nginx/dhparam {{var_nginx_dhparam_size | string}}" }, "args": { "creates": "/etc/nginx/dhparam" -- 2.47.3 From c4db57b83ab6126845e6ac862ec855b80ac99f72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 16:07:09 +0200 Subject: [PATCH 05/41] [int] --- roles/nginx/defaults/main.json | 2 +- roles/nginx/tasks/main.json | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/nginx/defaults/main.json b/roles/nginx/defaults/main.json index 912c519..4edfc40 100644 --- a/roles/nginx/defaults/main.json +++ b/roles/nginx/defaults/main.json @@ -1,4 +1,4 @@ { "var_nginx_auto_reload_interval": null, - "var_nginx_dhparam_size": 2048 + "var_nginx_improved_security": false } diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json index 1edc2e2..46f353c 100644 --- a/roles/nginx/tasks/main.json +++ b/roles/nginx/tasks/main.json 
@@ -13,8 +13,9 @@ { "name": "generate dhparams file", "become": true, + "when": "var_nginx_improved_security", "ansible.builtin.command": { - "cmd": "openssl dhparam -out /etc/nginx/dhparam {{var_nginx_dhparam_size | string}}" + "cmd": "openssl dhparam -out /etc/nginx/dhparam 4096" }, "args": { "creates": "/etc/nginx/dhparam" @@ -22,6 +23,7 @@ }, { "name": "place hardening config", + "when": "var_nginx_improved_security", "become": true, "ansible.builtin.copy": { "src": "ssl-hardening.conf", -- 2.47.3 From da1e27459fbd1344e8333eafebb56f00f9944ecd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 16:12:13 +0200 Subject: [PATCH 06/41] [int] --- roles/nginx/cfg.schema.json | 20 ++++++++++++++++++++ roles/nginx/defaults/main.json | 6 ++++-- roles/nginx/tasks/main.json | 12 ++++++------ roles/nginx/vardef.json | 8 -------- 4 files changed, 30 insertions(+), 16 deletions(-) create mode 100644 roles/nginx/cfg.schema.json delete mode 100644 roles/nginx/vardef.json diff --git a/roles/nginx/cfg.schema.json b/roles/nginx/cfg.schema.json new file mode 100644 index 0000000..d557b5f --- /dev/null +++ b/roles/nginx/cfg.schema.json @@ -0,0 +1,20 @@ +{ + "nullable": false, + "type": "object", + "properties": { + "auto_reload_interval": { + "nullable": true, + "type": "integer", + "description": "in hours", + "default": null + }, + "improved_security": { + "nullable": false, + "type": "boolean", + "default": false + } + }, + "additionalProperties": false, + "required": [ + ] +} diff --git a/roles/nginx/defaults/main.json b/roles/nginx/defaults/main.json index 4edfc40..c85ab4c 100644 --- a/roles/nginx/defaults/main.json +++ b/roles/nginx/defaults/main.json @@ -1,4 +1,6 @@ { - "var_nginx_auto_reload_interval": null, - "var_nginx_improved_security": false + "cfg_nginx_defaults": { + "auto_reload_interval": null, + "improved_security": false + } } diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json index 46f353c..d8b8ce0 100644 
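Review bot: Gating `generate dhparams file` and `place hardening config` on `var_nginx_improved_security` with a default of `false` turns TLS hardening that was applied unconditionally before into an opt-in, so every consumer that does not set the new variable loses `ssl-hardening.conf` and the 4096-bit dhparam on newly provisioned hosts. Unless there is a known compatibility reason to keep the weaker configuration as the baseline, the safer default is `true`, with the flag serving as an escape hatch. Hosts configured by the previous revision keep `/etc/nginx/dhparam` and the hardening file on disk, and nothing removes them when the flag is false, so the role no longer converges to a single state; a `description` on the variable (it becomes `improved_security` in the following patch) stating what it enables and that disabling it does not undo a previous run would help.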
--- a/roles/nginx/tasks/main.json +++ b/roles/nginx/tasks/main.json @@ -12,8 +12,8 @@ }, { "name": "generate dhparams file", + "when": "cfg_nginx.improved_security", "become": true, - "when": "var_nginx_improved_security", "ansible.builtin.command": { "cmd": "openssl dhparam -out /etc/nginx/dhparam 4096" }, @@ -23,7 +23,7 @@ }, { "name": "place hardening config", - "when": "var_nginx_improved_security", + "when": "cfg_nginx.improved_security", "become": true, "ansible.builtin.copy": { "src": "ssl-hardening.conf", @@ -61,13 +61,13 @@ }, { "name": "auto reload", - "when": "var_nginx_auto_reload_interval == None", + "when": "cfg_nginx.auto_reload_interval == None", "become": true, "ansible.builtin.cron": { "name": "nginx_auto_reload", "disabled": true, "minute": "0", - "hour": "*/{{var_nginx_auto_reload_interval | string}}", + "hour": "*/{{cfg_nginx.auto_reload_interval | string}}", "day": "*", "month": "*", "weekday": "*", @@ -76,13 +76,13 @@ }, { "name": "auto reload", - "when": "var_nginx_auto_reload_interval != None", + "when": "cfg_nginx.auto_reload_interval != None", "become": true, "ansible.builtin.cron": { "name": "nginx_auto_reload", "disabled": false, "minute": "0", - "hour": "*/{{var_nginx_auto_reload_interval | string}}", + "hour": "*/{{cfg_nginx.auto_reload_interval | string}}", "day": "*", "month": "*", "weekday": "*", diff --git a/roles/nginx/vardef.json b/roles/nginx/vardef.json deleted file mode 100644 index c03ddc6..0000000 --- a/roles/nginx/vardef.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "auto_reload_interval": { - "description": "in hours", - "nullable": true, - "type": "integer", - "mandatory": false - } -} -- 2.47.3 From 71aea3040ac3cb9446a29e3535428c10e8df3ff3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 16:15:58 +0200 Subject: [PATCH 07/41] [int] --- roles/nginx/tasks/main.json | 6 ++++++ 1 file changed, 6 insertions(+) 
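Review bot: In the `auto reload` task guarded by `cfg_nginx.auto_reload_interval == None`, the `hour` field still renders `*/{{cfg_nginx.auto_reload_interval | string}}`, which evaluates to `*/None` for exactly the case that task runs; the cron module writes the entry as disabled, so it is probably harmless, but it is a nonsensical schedule for anyone reading the crontab. Since that task exists only to keep a disabled placeholder, a fixed value such as `"hour": "0"` would be clearer. This predates the rename, but the line is touched here. Everything else in these hunks is the `var_nginx_*` → `cfg_nginx.*` rename.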
diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json index d8b8ce0..6c2a199 100644 --- a/roles/nginx/tasks/main.json +++ b/roles/nginx/tasks/main.json @@ -1,4 +1,10 @@ [ + { + "name": "show vars", + "ansible.builtin.debug": { + "var": "vars" + } + }, { "name": "install packages", "become": true, -- 2.47.3 From 52e14d8f8da5f31c20264711da6fa36e11373afc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 16:22:00 +0200 Subject: [PATCH 08/41] [int] --- roles/authelia/tasks/main.json | 209 ++++++++++++++++++--------------- roles/nginx/tasks/main.json | 2 +- 2 files changed, 116 insertions(+), 95 deletions(-) diff --git a/roles/authelia/tasks/main.json b/roles/authelia/tasks/main.json index 3ae8267..5aed8c7 100644 --- a/roles/authelia/tasks/main.json +++ b/roles/authelia/tasks/main.json 
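Review bot: The new `show vars` task runs `ansible.builtin.debug` with `var: vars`, which prints every variable in the play's scope — including any secrets an inventory or a neighbouring role provides (the authelia role's `cfg_authelia` carries `jwt_secret`, `session_secret`, `storage_encryption_key`, database and SMTP passwords and `oidc.hmac_secret`) — to the controller output and any log aggregation attached to it. If the dump is needed while debugging the new `cfg_nginx` layout, restrict it to that object, `"var": "cfg_nginx"`, which holds no secrets; otherwise remove the task before this lands. The `[int]` subject suggests a work-in-progress series, so it may already be intended as temporary, but it should not survive into a release.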
@@ -1,45 +1,56 @@ [ { - "name": "packages | prerequisites", - "become": true, - "ansible.builtin.apt": { - "update_cache": true, - "pkg": [ - "apt-transport-https", - "ca-certificates", - "gpg" - ] + "name": "show vars", + "ansible.builtin.debug": { + "var": "vars.cfg_authelia" } }, { - "name": "packages | keys", - "become": true, - "ansible.builtin.get_url": { - "url": "https://www.authelia.com/keys/authelia-security.gpg", - "dest": "/usr/share/keyrings/authelia-security.gpg" - } - }, - { - "name": "packages | repository", - "become": true, - "ansible.builtin.shell": { - "cmd": "echo \"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/authelia-security.gpg] https://apt.authelia.com stable main\" > /etc/apt/sources.list.d/authelia.list", - "creates": "/etc/apt/sources.list.d/authelia.list" - } + "name": "packages", + "block": [ + { + "name": "prerequisites", + "become": true, + "ansible.builtin.apt": { + "update_cache": true, + "pkg": [ + "apt-transport-https", + "ca-certificates", + "gpg" + ] + } + }, + { + "name": "keys", + "become": true, + "ansible.builtin.get_url": { + "url": "https://www.authelia.com/keys/authelia-security.gpg", + "dest": "/usr/share/keyrings/authelia-security.gpg" + } + }, + { + "name": "repository", + "become": true, + "ansible.builtin.shell": { + "cmd": "echo \"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/authelia-security.gpg] https://apt.authelia.com stable main\" > /etc/apt/sources.list.d/authelia.list", + "creates": "/etc/apt/sources.list.d/authelia.list" + } - }, - { - "name": "packages | installation", - "become": true, - "ansible.builtin.apt": { - "update_cache": true, - "pkg": [ - "openssl", - "python3-cryptography", - "python3-yaml", - "authelia" - ] - } + }, + { + "name": "installation", + "become": true, + "ansible.builtin.apt": { + "update_cache": true, + "pkg": [ + "openssl", + "python3-cryptography", + "python3-yaml", + "authelia" + ] + } + } + ] }, { "name": "generate private key 
for signing OIDC JWTs", @@ -53,40 +64,45 @@ "register": "temp_tls_result" }, { - "name": "configuration | compose script", - "become": true, - "ansible.builtin.copy": { - "src": "conf-compose.py", - "dest": "/usr/bin/authelia-conf-compose", - "mode": "0700" - } - }, - { - "name": "configuration | directories", - "become": true, - "loop": [ - "/etc/authelia/conf.d", - "/etc/authelia/conf.d/clients" - ], - "ansible.builtin.file": { - "state": "directory", - "path": "{{item}}" - } - }, - { - "name": "configuration | main", - "become": true, - "ansible.builtin.template": { - "src": "conf-main.json.j2", - "dest": "/etc/authelia/conf.d/main.json" - } - }, - { - "name": "configuration | compose", - "become": true, - "ansible.builtin.command": { - "cmd": "/usr/bin/authelia-conf-compose --main-file-path=/etc/authelia/conf.d/main.json --clients-directory-path=/etc/authelia/conf.d/clients --output-format=yaml --output-path=/etc/authelia/configuration.yml" - } + "name": "configuration", + "block": [ + { + "name": "compose script", + "become": true, + "ansible.builtin.copy": { + "src": "conf-compose.py", + "dest": "/usr/bin/authelia-conf-compose", + "mode": "0700" + } + }, + { + "name": "directories", + "become": true, + "loop": [ + "/etc/authelia/conf.d", + "/etc/authelia/conf.d/clients" + ], + "ansible.builtin.file": { + "state": "directory", + "path": "{{item}}" + } + }, + { + "name": "main", + "become": true, + "ansible.builtin.template": { + "src": "conf-main.json.j2", + "dest": "/etc/authelia/conf.d/main.json" + } + }, + { + "name": "compose", + "become": true, + "ansible.builtin.command": { + "cmd": "/usr/bin/authelia-conf-compose --main-file-path=/etc/authelia/conf.d/main.json --clients-directory-path=/etc/authelia/conf.d/clients --output-format=yaml --output-path=/etc/authelia/configuration.yml" + } + } + ] }, { "name": "setup log directory", 
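Review bot: The `keys` task inside the new `packages` block still fetches the repository signing key with `get_url` and no `checksum`, so whatever that TLS connection returns becomes the trust root for every later `apt` install from apt.authelia.com; pin it with `"checksum": "sha256:<EXPECTED_KEY_SHA256>"` (value taken from the published key) and give the keyring an explicit `"mode": "0644"`. On style, `"become": true` is now repeated on all four inner tasks, and the same pattern recurs in the `configuration` and `users` blocks; setting it once at block level reads cleaner and removes the chance of one task quietly running unprivileged. The enclosing task list continues past this hunk.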
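Review bot: The `compose` task in the new `configuration` block runs `/usr/bin/authelia-conf-compose` on every play with neither `changed_when` nor `creates`, so the role always reports a change and any handler tied to it fires unconditionally. The generated `/etc/authelia/configuration.yml` will, judging by what `conf-main.json.j2` interpolates (storage host and username, SMTP account, OIDC settings — presumably with the matching passwords), hold credentials, yet nothing in the block sets its owner or mode; unless the compose script already does so, add a follow-up `ansible.builtin.file` task with `"mode": "0600"` on the output path and `"changed_when": false` on the compose step. The task list continues outside this hunk.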
@@ -97,30 +113,35 @@ } }, { - "name": "users | directory", - "become": true, - "ansible.builtin.file": { - "state": "directory", - "path": "{{var_authelia_users_file_path | dirname}}" - } - }, - { - "name": "users | initial file", - "become": true, - "ansible.builtin.template": { - "src": "users.yml.j2", - "dest": "{{var_authelia_users_file_path}}", - "force": false - } - }, - { - "name": "users | management script", - "become": true, - "ansible.builtin.copy": { - "src": "user-manage.py", - "dest": "/usr/bin/authelia-user-manage", - "mode": "0700" - } + "name": "users", + "block": [ + { + "name": "directory", + "become": true, + "ansible.builtin.file": { + "state": "directory", + "path": "{{var_authelia_users_file_path | dirname}}" + } + }, + { + "name": "initial file", + "become": true, + "ansible.builtin.template": { + "src": "users.yml.j2", + "dest": "{{var_authelia_users_file_path}}", + "force": false + } + }, + { + "name": "management script", + "become": true, + "ansible.builtin.copy": { + "src": "user-manage.py", + "dest": "/usr/bin/authelia-user-manage", + "mode": "0700" + } + } + ] }, { "name": "apply", diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json index 6c2a199..1b7d843 100644 --- a/roles/nginx/tasks/main.json +++ b/roles/nginx/tasks/main.json @@ -2,7 +2,7 @@ { "name": "show vars", "ansible.builtin.debug": { - "var": "vars" + "var": "vars.cfg_nginx" } }, { -- 2.47.3 From 326296d6ceee57c3a4a322a54b05cd2390189fd5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 16:24:43 +0200 Subject: [PATCH 09/41] [int] --- roles/authelia/defaults/main.json | 16 +-------- roles/nginx/tasks/main.json | 59 +++++++++++++++++-------------- 2 files changed, 33 insertions(+), 42 deletions(-) diff --git a/roles/authelia/defaults/main.json b/roles/authelia/defaults/main.json index f28370a..7de0a8c 100644 --- a/roles/authelia/defaults/main.json +++ b/roles/authelia/defaults/main.json 
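Review bot: The `initial file` task in the new `users` block renders the Authelia user database from `users.yml.j2` with no `mode` or `owner`, so the file — which, given its name and the `management script` beside it, presumably holds password hashes — is created with the remote umask, typically world-readable. Add `"mode": "0600"` and an `"owner"` matching the account Authelia runs as (not visible here), and consider the same on the `directory` task. `"force": false` correctly protects an existing file, but it also means a later mode change has to come from a separate `file` task rather than this one. The task list continues outside this hunk.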
@@ -9,21 +9,7 @@ "storage": { "kind": "sqlite", "data": { - "sqlite": { - "path": "/var/authelia/state.db" - }, - "postgresql": { - "host": "localhost", - "port": 5432, - "username": "authelia_user", - "schema": "authelia" - }, - "mariadb": { - "host": "localhost", - "port": 3306, - "username": "authelia_user", - "schema": "authelia" - } + "path": "/var/authelia/state.db" } }, "ntp_server": "time.cloudflare.com:123", diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json index 1b7d843..e0e78cd 100644 --- a/roles/nginx/tasks/main.json +++ b/roles/nginx/tasks/main.json @@ -37,33 +37,38 @@ } }, { - "name": "ufw | check", - "become": true, - "check_mode": true, - "community.general.ufw": { - "state": "enabled" - }, - "register": "ufw_enable_check" - }, - { - "name": "ufw | allow port 80", - "when": "not ufw_enable_check.changed", - "become": true, - "community.general.ufw": { - "rule": "allow", - "port": "80", - "proto": "tcp" - } - }, - { - "name": "ufw | allow port 443", - "when": "not ufw_enable_check.changed", - "become": true, - "community.general.ufw": { - "rule": "allow", - "port": "443", - "proto": "tcp" - } + "name": "ufw", + "block": [ + { + "name": "check", + "become": true, + "check_mode": true, + "community.general.ufw": { + "state": "enabled" + }, + "register": "ufw_enable_check" + }, + { + "name": "allow port 80", + "when": "not ufw_enable_check.changed", + "become": true, + "community.general.ufw": { + "rule": "allow", + "port": "80", + "proto": "tcp" + } + }, + { + "name": "allow port 443", + "when": "not ufw_enable_check.changed", + "become": true, + "community.general.ufw": { + "rule": "allow", + "port": "443", + "proto": "tcp" + } + }, + ] }, { "name": "auto reload", -- 2.47.3 From 0002ae76af41d52f2d6af3523ff624f88a6498c5 Mon Sep 17 00:00:00 2001 
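Review bot: The new `ufw` block in `roles/nginx/tasks/main.json` closes its task list with `},` immediately before `]`, a trailing comma JSON does not allow, so the role file does not parse at this commit; patch 16 further down removes it and should be squashed into this one. The `check_mode` probe against `community.general.ufw` is a sensible way to skip the allow rules when ufw is not active, but the intent is easy to miss — a task name such as `"check (probe only: allow rules run only if ufw is already enabled)"` would spare the next reader a guess.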
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 16:26:01 +0200 Subject: [PATCH 10/41] [int] --- roles/authelia/templates/conf-main.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/authelia/templates/conf-main.json.j2 b/roles/authelia/templates/conf-main.json.j2 index 97a00c8..2be6e2f 100644 --- a/roles/authelia/templates/conf-main.json.j2 +++ b/roles/authelia/templates/conf-main.json.j2 @@ -154,7 +154,7 @@ "database": "{{cfg_authelia.storage.data.schema}}" } {% endif %} -{% if cfg_authelia.storage_kind == "mariadb" %} +{% if cfg_authelia.storage.kind == "mariadb" %} "mysql": { "host": "{{cfg_authelia.storage.data.host}}", "port": {{cfg_authelia.storage.data.port | string}}, -- 2.47.3 From 2da64d257ff8cd0101f5df06a4845e21de26f932 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 16:26:49 +0200 Subject: [PATCH 11/41] [int] --- roles/authelia/templates/conf-main.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/authelia/templates/conf-main.json.j2 b/roles/authelia/templates/conf-main.json.j2 index 2be6e2f..e5307e8 100644 --- a/roles/authelia/templates/conf-main.json.j2 +++ b/roles/authelia/templates/conf-main.json.j2 @@ -171,7 +171,7 @@ "filename": "{{cfg_authelia.notification.data.path}}" } {% endif %} -{% if cfg_authelia.notification_mode == "smtp" %} +{% if cfg_authelia.notification.kind == "smtp" %} "smtp": { "address": "{{cfg_authelia.notification.data.host}}:{{cfg_authelia.notification.data.port | string}}", "username": "{{cfg_authelia.notification.data.username}}", -- 2.47.3 From 1c50d0223f45b8c0d30c1a717e7d5ca118fb2b23 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 16:28:52 +0200 Subject: [PATCH 12/41] [int] --- roles/authelia/templates/conf-main.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/authelia/templates/conf-main.json.j2 b/roles/authelia/templates/conf-main.json.j2 index e5307e8..0b75b5a 100644 --- a/roles/authelia/templates/conf-main.json.j2 +++ b/roles/authelia/templates/conf-main.json.j2 @@ -197,7 +197,7 @@ "lifespans": { "access_token": "{{cfg_authelia.oidc.lifespan.default.access_token}}", "refresh_token": "{{cfg_authelia.oidc.lifespan.default.refresh_token}}", - "custom": "{{cfg_authelia.oidc.lifespan.custom | to_json}}", + "custom": {{cfg_authelia.oidc.lifespan.custom | to_json}} }, "cors": { "allowed_origins_from_client_redirect_uris": true -- 2.47.3 From f3b8a3c4eceb9a89f376c432bee0ecdc8c6ed61d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 16:30:10 +0200 Subject: [PATCH 13/41] [int] --- roles/authelia/tasks/main.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/authelia/tasks/main.json b/roles/authelia/tasks/main.json index 5aed8c7..834477c 100644 --- a/roles/authelia/tasks/main.json +++ b/roles/authelia/tasks/main.json @@ -109,7 +109,7 @@ "become": true, "ansible.builtin.file": { "state": "directory", - "path": "{{var_authelia_log_file_path | dirname}}" + "path": "{{cfg_authelia.log_file_path | dirname}}" } }, { @@ -120,7 +120,7 @@ "become": true, "ansible.builtin.file": { "state": "directory", - "path": "{{var_authelia_users_file_path | dirname}}" + "path": "{{cfg_authelia.users_file_path | dirname}}" } }, { @@ -128,7 +128,7 @@ "become": true, "ansible.builtin.template": { "src": "users.yml.j2", - "dest": "{{var_authelia_users_file_path}}", + "dest": "{{cfg_authelia.users_file_path}}", "force": false } }, -- 2.47.3 From a2f22c3b7009c037a3e800759befc1a094323f6c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 16:41:07 +0200 Subject: [PATCH 14/41] [int] --- roles/nginx/cfg.schema.json | 5 +++++ roles/nginx/defaults/main.json | 2 +- roles/nginx/tasks/main.json | 7 +++---- .../ssl-hardening.conf => templates/ssl-hardening.conf.j2} | 2 ++ 4 files changed, 11 insertions(+), 5 deletions(-) rename roles/nginx/{files/ssl-hardening.conf => templates/ssl-hardening.conf.j2} (93%) diff --git a/roles/nginx/cfg.schema.json b/roles/nginx/cfg.schema.json index d557b5f..b04f70f 100644 --- a/roles/nginx/cfg.schema.json +++ b/roles/nginx/cfg.schema.json @@ -8,6 +8,11 @@ "description": "in hours", "default": null }, + "dhparam_size": { + "nullable": false, + "type": "integer", + "default": null + }, "improved_security": { "nullable": false, "type": "boolean", diff --git a/roles/nginx/defaults/main.json b/roles/nginx/defaults/main.json index c85ab4c..21dfe39 100644 --- a/roles/nginx/defaults/main.json +++ b/roles/nginx/defaults/main.json @@ -1,6 +1,6 @@ { "cfg_nginx_defaults": { "auto_reload_interval": null, - "improved_security": false + "dhparam_size": 2048 } } diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json index e0e78cd..7743c90 100644 --- a/roles/nginx/tasks/main.json +++ b/roles/nginx/tasks/main.json @@ -18,10 +18,10 @@ }, { "name": "generate dhparams file", - "when": "cfg_nginx.improved_security", + "when": "cfg_nginx.dhparam_size != None", "become": true, "ansible.builtin.command": { - "cmd": "openssl dhparam -out /etc/nginx/dhparam 4096" + "cmd": "openssl dhparam -out /etc/nginx/dhparam {{cfg_nginx.dhparam_size | string}}" }, "args": { "creates": "/etc/nginx/dhparam" @@ -29,9 +29,8 @@ }, { "name": "place hardening config", - "when": "cfg_nginx.improved_security", "become": true, - "ansible.builtin.copy": { + "ansible.builtin.template": { "src": "ssl-hardening.conf", "dest": "/etc/nginx/ssl-hardening.conf" } 
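Review bot: The new `dhparam_size` entry in `roles/nginx/cfg.schema.json` declares `"nullable": false` together with `"default": null`, which contradict each other, while the tasks hunk in the same patch keys on `cfg_nginx.dhparam_size != None`; since the defaults file now sets `2048`, `"nullable": true` (letting an operator opt out of a generated group) is the consistent reading. The defaults hunk also drops `improved_security` although the schema context still lists it; if nothing reads the flag after this patch it should leave the schema too, otherwise its default is now unspecified.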
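Review bot: `"creates": "/etc/nginx/dhparam"` on the `generate dhparams file` task means a later change to `cfg_nginx.dhparam_size` is silently ignored once a file exists, so an operator raising the size never gets a new group; either put the size into the file name (and reference it from the template) or replace `creates` with a `stat`-based check. Separately, `place hardening config` switches to `ansible.builtin.template` but keeps `"src": "ssl-hardening.conf"` while this same patch renames the file to `ssl-hardening.conf.j2`, so the role fails at this commit; patch 15 fixes the name and should be squashed here. The task list continues outside this hunk.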
diff --git a/roles/nginx/files/ssl-hardening.conf b/roles/nginx/templates/ssl-hardening.conf.j2 similarity index 93% rename from roles/nginx/files/ssl-hardening.conf rename to roles/nginx/templates/ssl-hardening.conf.j2 index 1d5f5f4..26d4e15 100644 --- a/roles/nginx/files/ssl-hardening.conf +++ b/roles/nginx/templates/ssl-hardening.conf.j2 @@ -3,7 +3,9 @@ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_tickets off; # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam +{% if cfg_nginx.dhparam_size != None %} ssl_dhparam /etc/nginx/dhparam; +{% endif %} # intermediate configuration ssl_protocols TLSv1.2 TLSv1.3; -- 2.47.3 From 8dac3eef4f026d63fcd269ce39a9990ece2b8a09 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 16:41:57 +0200 Subject: [PATCH 15/41] [int] --- roles/nginx/tasks/main.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json index 7743c90..2fba6a9 100644 --- a/roles/nginx/tasks/main.json +++ b/roles/nginx/tasks/main.json @@ -31,7 +31,7 @@ "name": "place hardening config", "become": true, "ansible.builtin.template": { - "src": "ssl-hardening.conf", + "src": "ssl-hardening.conf.j2", "dest": "/etc/nginx/ssl-hardening.conf" } }, -- 2.47.3 From 8eed714d881df48bca5ea6ad3ba96bd5967ecbc6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 16:47:45 +0200 Subject: [PATCH 16/41] [int] --- roles/nginx/tasks/main.json | 2 +- roles/owncloud/cfg.schema.json | 97 +++++++++++++++++-------------- roles/owncloud/defaults/main.json | 10 +--- 3 files changed, 56 insertions(+), 53 deletions(-) diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json index 2fba6a9..47d4246 100644 --- a/roles/nginx/tasks/main.json +++ b/roles/nginx/tasks/main.json @@ -66,7 +66,7 @@ "port": "443", "proto": "tcp" } - }, + } ] }, { 
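Review bot: The comment `# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam` directly above the now-conditional `ssl_dhparam` describes Mozilla's pre-generated ffdhe2048 group, but the role generates its own parameters with `openssl dhparam` sized by `cfg_nginx.dhparam_size`, so the comment misleads as left. Replace it with `# written by the "generate dhparams file" task from cfg_nginx.dhparam_size; omitted when that is null`. The rest of the hardening file is outside the hunk.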
diff --git a/roles/owncloud/cfg.schema.json b/roles/owncloud/cfg.schema.json index 0b4ed0b..1dde09d 100644 --- a/roles/owncloud/cfg.schema.json +++ b/roles/owncloud/cfg.schema.json @@ -32,67 +32,78 @@ "type": "string" }, "authentication": { - "nullable": false, - "type": "object", - "properties": { - "kind": { - "type": "string", - "enum": [ - "internal", - "authelia" - ], - "default": "internal" - }, - "data": { - "anyOf": [ - { + "anyOf": [ + { + "nullable": false, + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": ["internal"] + }, + "data": { "nullable": false, "type": "object", "properties": { - "authelia": { + }, + "additionalProperties": false, + "required": [ + ], + "default": { + } + } + }, + "additionalProperties": false, + "required": [ + "kind" + ] + }, + { + "nullable": false, + "type": "object", + "properties": { + "kind": { + "type": "string", + "enum": ["authelia"] + }, + "data": { + "nullable": false, + "type": "object", + "properties": { + "url_base": { "nullable": false, + "type": "string" + }, + "web": { + "nullable": true, "type": "object", "properties": { - "url_base": { - "nullable": false, - "type": "string" - }, - "web": { - "nullable": true, - "type": "object", - "properties": { - "client_id": { - "type": "string", - "mandatory": false, - "default": "owncloud_web" - } - }, - "additionalProperties": false, - "required": [ - ], - "default": { - } + "client_id": { + "type": "string", + "mandatory": false, + "default": "owncloud_web" } }, "additionalProperties": false, "required": [ - "url_base" - ] + ], + "default": { + } } }, "additionalProperties": false, "required": [ - "authelia" + "url_base" ] } + }, + "additionalProperties": false, + "required": [ + "kind", + "data" ] } - }, - "additionalProperties": false, - "required": [ - ], - "default": { - } + ] }, "public_share": { "nullable": false, diff --git a/roles/owncloud/defaults/main.json b/roles/owncloud/defaults/main.json index 0c24d09..94f4742 100644 
--- a/roles/owncloud/defaults/main.json +++ b/roles/owncloud/defaults/main.json @@ -6,15 +6,7 @@ "platform": "linux-amd64", "domain": "owncloud.example.org", "authentication": { - "kind": "internal", - "data": { - "authelia": { - "url_base": "https://authelia.example.org", - "web": { - "client_id": "owncloud_web" - } - } - } + "kind": "internal" }, "public_share": { "password_necessity": "writable", -- 2.47.3 From d9c266aafb32e11a00c3223dd31862c403ccf599 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 16:51:48 +0200 Subject: [PATCH 17/41] [int] --- roles/owncloud/tasks/main.json | 9 +++++++++ roles/owncloud/templates/env.j2 | 15 ++++++++------- 2 files changed, 17 insertions(+), 7 deletions(-) diff --git a/roles/owncloud/tasks/main.json b/roles/owncloud/tasks/main.json index d76f3ad..73261a0 100644 --- a/roles/owncloud/tasks/main.json +++ b/roles/owncloud/tasks/main.json @@ -31,6 +31,15 @@ "path": "{{cfg_owncloud.directory}}/{{item}}" } }, + { + "name": "csp", + "become": true, + "become_user": "{{cfg_owncloud.user}}", + "ansible.builtin.template": { + "src": "csp.yaml.j2", + "dest": "{{cfg_owncloud.directory}}/csp.yaml" + } + }, { "name": "setup", "become": true, diff --git a/roles/owncloud/templates/env.j2 b/roles/owncloud/templates/env.j2 index 49f3a4e..505b765 100644 --- a/roles/owncloud/templates/env.j2 +++ b/roles/owncloud/templates/env.j2 
@@ -6,12 +6,12 @@ WEB_LOG_COLOR=true {% if cfg_owncloud.authentication_kind == 'internal' %} {% endif %} {% if cfg_owncloud.authentication_kind == 'authelia' %} -WEB_OIDC_AUTHORITY={{cfg_owncloud.authentication.data.authelia.url_base}} -WEB_OIDC_CLIENT_ID={{cfg_owncloud.authentication.data.authelia.web.client_id}} +WEB_OIDC_AUTHORITY={{cfg_owncloud.authentication.data.url_base}} +WEB_OIDC_CLIENT_ID={{cfg_owncloud.authentication.data.web.client_id}} WEB_OIDC_RESPONSE_TYPE=code WEB_OIDC_SCOPE=openid profile email groups -WEB_OPTION_LOGIN_URL={{cfg_owncloud.authentication.data.authelia.url_base}} -WEB_OPTION_LOGOUT_URL={{cfg_owncloud.authentication.data.authelia.url_base}} +WEB_OPTION_LOGIN_URL={{cfg_owncloud.authentication.data.url_base}} +WEB_OPTION_LOGOUT_URL={{cfg_owncloud.authentication.data.url_base}} {% endif %} ## other clients @@ -19,12 +19,13 @@ PROXY_LOG_LEVEL=info PROXY_LOG_FILE={{cfg_owncloud.directory}}/log/proxy PROXY_LOG_PRETTY=true PROXY_LOG_COLOR=true +PROXY_CSP_CONFIG_FILE_LOCATION={{cfg_owncloud.directory}}/csp.yaml PROXY_TLS=false -{% if cfg_owncloud.authentication_kind == 'internal' %} +{% if cfg_owncloud.authentication.kind == 'internal' %} PROXY_AUTOPROVISION_ACCOUNTS=false {% endif %} -{% if cfg_owncloud.authentication_kind == 'authelia' %} -PROXY_OIDC_ISSUER={{cfg_owncloud.authentication.data.authelia.url_base}} +{% if cfg_owncloud.authentication.kind == 'authelia' %} +PROXY_OIDC_ISSUER={{cfg_owncloud.authentication.data.url_base}} PROXY_OIDC_REWRITE_WELLKNOWN=true PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none PROXY_OIDC_SKIP_USER_INFO=false -- 2.47.3 From 2d7a0abd5d58038e82473f631ecdce752e4a4dc6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 16:54:04 +0200 Subject: [PATCH 18/41] [int] --- roles/authelia/tasks/main.json | 1 + roles/nginx/tasks/main.json | 1 + roles/owncloud/tasks/main.json | 7 +++++++ roles/owncloud/templates/csp.yaml.j2 | 4 ++-- 4 files changed, 11 insertions(+), 2 deletions(-) 
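Review bot: The first hunk rewrites the interpolations to `cfg_owncloud.authentication.data.url_base` but leaves the surrounding `{% if cfg_owncloud.authentication_kind == 'authelia' %}` guards on the old flat name, which the second hunk in the same file already moves to `cfg_owncloud.authentication.kind`. With `cfg_owncloud` now lacking an `authentication_kind` key the guard presumably compares an undefined value and renders the whole `WEB_OIDC_*` block away silently instead of failing; patch 20 on this page corrects both `{% if %}` lines and should be squashed into this commit.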
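Review bot: `PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none` in the authelia branch of the second hunk, as far as I recall the proxy documentation, switches off the proxy's own verification of the access token — unavoidable here because the Authelia client templates later in this series set `access_token_signed_response_alg` to `none` — which leaves the `PROXY_OIDC_SKIP_USER_INFO=false` userinfo round trip as the only check that a presented token is valid. That coupling is invisible in the template; add a comment above the two lines, e.g. `# opaque access tokens: the proxy cannot verify them itself, so the userinfo lookup must stay enabled`, so nobody flips `SKIP_USER_INFO` to `true` later. The rest of the proxy section is outside the hunk.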
diff --git a/roles/authelia/tasks/main.json b/roles/authelia/tasks/main.json index 834477c..facf158 100644 --- a/roles/authelia/tasks/main.json +++ b/roles/authelia/tasks/main.json @@ -1,6 +1,7 @@ [ { "name": "show vars", + "when": "switch_debug", "ansible.builtin.debug": { "var": "vars.cfg_authelia" } diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json index 47d4246..981fdf5 100644 --- a/roles/nginx/tasks/main.json +++ b/roles/nginx/tasks/main.json @@ -1,6 +1,7 @@ [ { "name": "show vars", + "when": "switch_debug", "ansible.builtin.debug": { "var": "vars.cfg_nginx" } diff --git a/roles/owncloud/tasks/main.json b/roles/owncloud/tasks/main.json index 73261a0..e9d4a0d 100644 --- a/roles/owncloud/tasks/main.json +++ b/roles/owncloud/tasks/main.json @@ -1,4 +1,11 @@ [ + { + "name": "show vars", + "when": "switch_debug", + "ansible.builtin.debug": { + "var": "vars.cfg_owncloud" + } + }, { "name": "user", "become": true, diff --git a/roles/owncloud/templates/csp.yaml.j2 b/roles/owncloud/templates/csp.yaml.j2 index 8a96314..7953508 100644 --- a/roles/owncloud/templates/csp.yaml.j2 +++ b/roles/owncloud/templates/csp.yaml.j2 @@ -1,6 +1,6 @@ directives: connect-src: - '''self''' -{% if var_owncloud_authentication_kind == 'authelia' %} - - '{{var_owncloud_authentication_data_authelia_url_base}}' +{% if cfg_owncloud.authentication.kind == 'authelia' %} + - '{{cfg_owncloud.authentication.data.url_base}}' {% endif %} -- 2.47.3 From 639917512a281dc73b7b2d3d5aac43d585a82102 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 16:55:26 +0200 Subject: [PATCH 19/41] [int] --- roles/authelia/tasks/main.json | 2 +- roles/nginx/tasks/main.json | 2 +- roles/owncloud/tasks/main.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/authelia/tasks/main.json b/roles/authelia/tasks/main.json index facf158..7893041 100644 --- a/roles/authelia/tasks/main.json +++ b/roles/authelia/tasks/main.json 
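Review bot: The rewritten `csp.yaml.j2` still sets only `connect-src`; if the proxy treats `PROXY_CSP_CONFIG_FILE_LOCATION` as a full replacement for its built-in policy rather than a merge (worth confirming against the proxy documentation), every other default directive (`frame-src`, `img-src`, `script-src`, …) disappears at this commit and the web UI either loses protections or breaks. Either carry the proxy's default directives into the template and add the Authelia origin where needed, or record in a comment at the top of the file why `connect-src` alone is sufficient. The `switch_debug` gating in the other hunks is covered in the note on patch 07.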
@@ -1,7 +1,7 @@ [ { "name": "show vars", - "when": "switch_debug", + "when": "switch_show_vars", "ansible.builtin.debug": { "var": "vars.cfg_authelia" } diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json index 981fdf5..b03c46c 100644 --- a/roles/nginx/tasks/main.json +++ b/roles/nginx/tasks/main.json @@ -1,7 +1,7 @@ [ { "name": "show vars", - "when": "switch_debug", + "when": "switch_show_vars", "ansible.builtin.debug": { "var": "vars.cfg_nginx" } diff --git a/roles/owncloud/tasks/main.json b/roles/owncloud/tasks/main.json index e9d4a0d..147e58b 100644 --- a/roles/owncloud/tasks/main.json +++ b/roles/owncloud/tasks/main.json @@ -1,7 +1,7 @@ [ { "name": "show vars", - "when": "switch_debug", + "when": "switch_show_vars", "ansible.builtin.debug": { "var": "vars.cfg_owncloud" } -- 2.47.3 From beb8bb2c5177ffe42e06bbf580054738135de544 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 16:59:40 +0200 Subject: [PATCH 20/41] [int] --- roles/owncloud/templates/env.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/owncloud/templates/env.j2 b/roles/owncloud/templates/env.j2 index 505b765..17d0957 100644 --- a/roles/owncloud/templates/env.j2 +++ b/roles/owncloud/templates/env.j2 @@ -3,9 +3,9 @@ WEB_LOG_LEVEL=info WEB_LOG_FILE={{cfg_owncloud.directory}}/log/web WEB_LOG_PRETTY=true WEB_LOG_COLOR=true -{% if cfg_owncloud.authentication_kind == 'internal' %} +{% if cfg_owncloud.authentication.kind == 'internal' %} {% endif %} -{% if cfg_owncloud.authentication_kind == 'authelia' %} +{% if cfg_owncloud.authentication.kind == 'authelia' %} WEB_OIDC_AUTHORITY={{cfg_owncloud.authentication.data.url_base}} WEB_OIDC_CLIENT_ID={{cfg_owncloud.authentication.data.web.client_id}} WEB_OIDC_RESPONSE_TYPE=code -- 2.47.3 From 01a3fa5fb7958cfb1c3a459f3398bda8cc79b4a5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 17:01:45 +0200 Subject: [PATCH 21/41] [int] --- roles/owncloud/templates/systemd_unit.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/owncloud/templates/systemd_unit.j2 b/roles/owncloud/templates/systemd_unit.j2 index 7e43971..8db49d4 100644 --- a/roles/owncloud/templates/systemd_unit.j2 +++ b/roles/owncloud/templates/systemd_unit.j2 @@ -3,12 +3,12 @@ Description=ownCloud After=network.target [Service] -WorkingDirectory={{var_owncloud_directory}} -EnvironmentFile={{var_owncloud_directory}}/.env -ExecStart={{var_owncloud_directory}}/ocis server +WorkingDirectory={{cfg_owncloud.directory}} +EnvironmentFile={{cfg_owncloud.directory}}/.env +ExecStart={{cfg_owncloud.directory}}/ocis server Type=simple Restart=always -User={{var_owncloud_user}} +User={{cfg_owncloud.user}} [Install] WantedBy=default.target -- 2.47.3 From d5ae0ac07436b4490ec5d3c38e6b9960ad0411a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 17:04:47 +0200 Subject: [PATCH 22/41] [int] --- roles/authelia-for-owncloud/tasks/main.json | 152 ++++++++++---------- 1 file changed, 78 insertions(+), 74 deletions(-) diff --git a/roles/authelia-for-owncloud/tasks/main.json b/roles/authelia-for-owncloud/tasks/main.json index 45ec048..7540977 100644 --- a/roles/authelia-for-owncloud/tasks/main.json +++ b/roles/authelia-for-owncloud/tasks/main.json 
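Review bot: The unit now runs as `{{cfg_owncloud.user}}` with `EnvironmentFile` pointing at `.env`, which after patch 17 carries the OIDC settings and possibly credentials elsewhere in the file, yet the `[Service]` section has no sandboxing at all. Since the process appears to need only its own directory, `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=strict` with `ReadWritePaths={{cfg_owncloud.directory}}` are cheap hardening directives, and `After=network-online.target` plus `Wants=network-online.target` is the usual ordering for a service that binds on startup. The `[Unit]` and `[Install]` sections are only partly inside the hunk.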
@@ -1,89 +1,93 @@ [ { - "name": "configuration | client | web", - "when": "cfg_authelia_for_owncloud.web != None", - "block": [ - { - "name": "compute client secret hash", - "become": true, - "ansible.builtin.shell": { - "cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_owncloud.web.client_secret}} | cut --delimiter=' ' --fields='2-'" - }, - "register": "temp_authelia_for_owncloud_web_client_secret_hashed" - }, - { - "name": "emplace", - "become": true, - "ansible.builtin.template": { - "src": "authelia-client-conf-web.json.j2", - "dest": "/etc/authelia/conf.d/clients/owncloud-web.json" - } - } - ] + "name": "show vars", + "when": "switch_show_vars", + "ansible.builtin.debug": { + "var": "vars.cfg_authelia_for_owncloud" + } }, { - "name": "configuration | client | desktop", - "when": "cfg_authelia_for_ownloud.desktop != None", + "name": "configuration | client", "block": [ { - "name": "compute client secret hash", - "become": true, - "ansible.builtin.shell": { - "cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_owncloud.desktop.client_secret}} | cut --delimiter=' ' --fields='2-'" - }, - "register": "temp_authelia_for_owncloud_desktop_client_secret_hashed" + "name": "configuration | client | web", + "when": "cfg_authelia_for_owncloud.web != None", + "block": [ + { + "name": "emplace", + "become": true, + "ansible.builtin.template": { + "src": "authelia-client-conf-web.json.j2", + "dest": "/etc/authelia/conf.d/clients/owncloud-web.json" + } + } + ] }, { - "name": "emplace", - "become": true, - "ansible.builtin.template": { - "src": "authelia-client-conf-desktop.json.j2", - "dest": "/etc/authelia/conf.d/clients/owncloud-desktop.json" - } - } - ] - }, - { - "name": "configuration | client | android", - "when": "cfg_authelia_for_ownloud.android != None", - "block": [ - { - "name": "compute client secret hash", - "become": true, - "ansible.builtin.shell": { - "cmd": "authelia crypto hash generate bcrypt --password 
{{cfg_authelia_for_owncloud.android.client_secret}} | cut --delimiter=' ' --fields='2-'" - }, - "register": "temp_authelia_for_owncloud_android_client_secret_hashed" + "name": "configuration | client | desktop", + "when": "cfg_authelia_for_ownloud.desktop != None", + "block": [ + { + "name": "compute client secret hash", + "become": true, + "ansible.builtin.shell": { + "cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_owncloud.desktop.client_secret}} | cut --delimiter=' ' --fields='2-'" + }, + "register": "temp_authelia_for_owncloud_desktop_client_secret_hashed" + }, + { + "name": "emplace", + "become": true, + "ansible.builtin.template": { + "src": "authelia-client-conf-desktop.json.j2", + "dest": "/etc/authelia/conf.d/clients/owncloud-desktop.json" + } + } + ] }, { - "name": "emplace", - "become": true, - "ansible.builtin.template": { - "src": "authelia-client-conf-android.json.j2", - "dest": "/etc/authelia/conf.d/clients/owncloud-android.json" - } - } - ] - }, - { - "name": "configuration | client | ios", - "when": "cfg_authelia_for_ownloud.ios != None", - "block": [ - { - "name": "compute client secret hash", - "become": true, - "ansible.builtin.shell": { - "cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_owncloud.ios.client_secret}} | cut --delimiter=' ' --fields='2-'" - }, - "register": "temp_authelia_for_owncloud_ios_client_secret_hashed" + "name": "configuration | client | android", + "when": "cfg_authelia_for_ownloud.android != None", + "block": [ + { + "name": "compute client secret hash", + "become": true, + "ansible.builtin.shell": { + "cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_owncloud.android.client_secret}} | cut --delimiter=' ' --fields='2-'" + }, + "register": "temp_authelia_for_owncloud_android_client_secret_hashed" + }, + { + "name": "emplace", + "become": true, + "ansible.builtin.template": { + "src": "authelia-client-conf-android.json.j2", + "dest": 
"/etc/authelia/conf.d/clients/owncloud-android.json" + } + } + ] }, { - "name": "emplace", - "become": true, - "ansible.builtin.template": { - "src": "authelia-client-conf-ios.json.j2", - "dest": "/etc/authelia/conf.d/clients/owncloud-ios.json" - } + "name": "configuration | client | ios", + "when": "cfg_authelia_for_ownloud.ios != None", + "block": [ + { + "name": "compute client secret hash", + "become": true, + "ansible.builtin.shell": { + "cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_owncloud.ios.client_secret}} | cut --delimiter=' ' --fields='2-'" + }, + "register": "temp_authelia_for_owncloud_ios_client_secret_hashed" + }, + { + "name": "emplace", + "become": true, + "ansible.builtin.template": { + "src": "authelia-client-conf-ios.json.j2", + "dest": "/etc/authelia/conf.d/clients/owncloud-ios.json" + } + } + ] } ] }, -- 2.47.3 From 29d3d26dfccfba902ff111f8f4c4c05c64927b3f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 17:06:19 +0200 Subject: [PATCH 23/41] [int] --- .../templates/authelia-client-conf-web.json.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 index 0970c43..cd6d796 100644 --- a/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 +++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 
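Review bot: Each `compute client secret hash` task (desktop, android, ios) still passes the secret on the command line, `--password {{cfg_authelia_for_owncloud.<client>.client_secret}}`, unquoted and without `no_log`, so it is visible in the process list while `authelia` runs, breaks or is reinterpreted if the secret contains shell metacharacters, and is written to the play output and the registered `temp_*` result together with `cmd`. At minimum add `"no_log": true` to those three tasks and quote the interpolation with `| quote`; better, hand the secret over through the module's `stdin` if the CLI can read it that way. The web client's hash task is dropped on the new side — fine for a public client, provided the web template no longer references `temp_authelia_for_owncloud_web_client_secret_hashed` (not visible here). The `cfg_authelia_for_ownloud` typo in the three `when` conditions is carried over and only fixed in patch 24; squash that fix, and note the task list continues past this hunk.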
@@ -15,10 +15,10 @@ "email" ], "redirect_uris": [ - "{{var_authelia_for_owncloud_owncloud_url_base}}", - "{{var_authelia_for_owncloud_owncloud_url_base}}/oidc-callback.html", - "{{var_authelia_for_owncloud_owncloud_url_base}}/oidc-silent-redirect.html", - "{{var_authelia_for_owncloud_owncloud_url_base}}/apps/openidconnect/redirect" + "{{cfg_authelia_for_owncloud.owncloud_url_base}}", + "{{cfg_authelia_for_owncloud.owncloud_url_base}}/oidc-callback.html", + "{{cfg_authelia_for_owncloud.owncloud_url_base}}/oidc-silent-redirect.html", + "{{cfg_authelia_for_owncloud.owncloud_url_base}}/apps/openidconnect/redirect" ], "response_types": [ "code" -- 2.47.3 From 3ebae9194ac6adcb4b99bf5021691b8e3612710d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 17:07:08 +0200 Subject: [PATCH 24/41] [int] --- roles/authelia-for-owncloud/tasks/main.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/authelia-for-owncloud/tasks/main.json b/roles/authelia-for-owncloud/tasks/main.json index 7540977..8c956db 100644 --- a/roles/authelia-for-owncloud/tasks/main.json +++ b/roles/authelia-for-owncloud/tasks/main.json @@ -25,7 +25,7 @@ }, { "name": "configuration | client | desktop", - "when": "cfg_authelia_for_ownloud.desktop != None", + "when": "cfg_authelia_for_owncloud.desktop != None", "block": [ { "name": "compute client secret hash", @@ -47,7 +47,7 @@ }, { "name": "configuration | client | android", - "when": "cfg_authelia_for_ownloud.android != None", + "when": "cfg_authelia_for_owncloud.android != None", "block": [ { "name": "compute client secret hash", @@ -69,7 +69,7 @@ }, { "name": "configuration | client | ios", - "when": "cfg_authelia_for_ownloud.ios != None", + "when": "cfg_authelia_for_owncloud.ios != None", "block": [ { "name": "compute client secret hash", -- 2.47.3 From ccfcc4ab79401b0e44da06543849451612cf815e Mon Sep 17 00:00:00 2001 
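Review bot: The corrected condition `"when": "cfg_authelia_for_owncloud.desktop != None"` (and the matching android and ios lines in the next two hunks of this patch) still fails with an undefined-attribute error instead of evaluating false when the `desktop`/`android`/`ios` key is simply absent from the cfg object, unless a schema default guarantees the key exists — that is not visible from here. If "client not configured" is a legal state, the safer Jinja form is `cfg_authelia_for_owncloud.desktop is defined and cfg_authelia_for_owncloud.desktop is not none`. The enclosing task list begins and ends outside these hunks.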
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 17:09:03 +0200 Subject: [PATCH 25/41] [int] --- .../templates/authelia-client-conf-android.json.j2 | 2 +- .../templates/authelia-client-conf-desktop.json.j2 | 2 +- .../templates/authelia-client-conf-ios.json.j2 | 2 +- .../templates/authelia-client-conf-web.json.j2 | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2 index 60ff3ae..d21c360 100644 --- a/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2 +++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2 @@ -26,7 +26,7 @@ "grant_types": [ "authorization_code", "refresh_token" - ] + ], "access_token_signed_response_alg": "none", "userinfo_signed_response_alg": "none", "token_endpoint_auth_method": "client_secret_basic" diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2 index 23b5d22..e314bf2 100644 --- a/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2 +++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2 @@ -26,7 +26,7 @@ "grant_types": [ "authorization_code", "refresh_token" - ] + ], "access_token_signed_response_alg": "none", "userinfo_signed_response_alg": "none", "token_endpoint_auth_method": "client_secret_basic" diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2 index cf665bf..01eefe2 100644 --- a/roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2 +++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2 
@@ -26,7 +26,7 @@ "grant_types": [ "authorization_code", "refresh_token" - ] + ], "access_token_signed_response_alg": "none", "userinfo_signed_response_alg": "none", "token_endpoint_auth_method": "client_secret_basic" diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 index cd6d796..e2b951a 100644 --- a/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 +++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 @@ -26,7 +26,7 @@ "grant_types": [ "authorization_code", "refresh_token" - ] + ], "access_token_signed_response_alg": "none", "userinfo_signed_response_alg": "none", "token_endpoint_auth_method": "none" -- 2.47.3 From 7c6ad2cef68aff347029a960370a8166c3f299c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 17:17:01 +0200 Subject: [PATCH 26/41] [int] --- .../templates/authelia-client-conf-web.json.j2 | 8 ++++---- roles/authelia/cfg.schema.json | 4 ++++ roles/authelia/defaults/main.json | 4 ++++ 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 index e2b951a..2ccadd2 100644 --- a/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 +++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 
@@ -15,10 +15,10 @@ "email" ], "redirect_uris": [ - "{{cfg_authelia_for_owncloud.owncloud_url_base}}", - "{{cfg_authelia_for_owncloud.owncloud_url_base}}/oidc-callback.html", - "{{cfg_authelia_for_owncloud.owncloud_url_base}}/oidc-silent-redirect.html", - "{{cfg_authelia_for_owncloud.owncloud_url_base}}/apps/openidconnect/redirect" + "https://{{cfg_authelia_for_owncloud.owncloud_url_base}}", + "https://{{cfg_authelia_for_owncloud.owncloud_url_base}}/oidc-callback.html", + "https://{{cfg_authelia_for_owncloud.owncloud_url_base}}/oidc-silent-redirect.html", + "https://{{cfg_authelia_for_owncloud.owncloud_url_base}}/apps/openidconnect/redirect" ], "response_types": [ "code" diff --git a/roles/authelia/cfg.schema.json b/roles/authelia/cfg.schema.json index 0b948e9..8efff86 100644 --- a/roles/authelia/cfg.schema.json +++ b/roles/authelia/cfg.schema.json @@ -345,6 +345,10 @@ "required": [ ], "default": { + "long": { + "access_token": "2d", + "refresh_token": "3d" + } } } }, diff --git a/roles/authelia/defaults/main.json b/roles/authelia/defaults/main.json index 7de0a8c..cf65251 100644 --- a/roles/authelia/defaults/main.json +++ b/roles/authelia/defaults/main.json @@ -30,6 +30,10 @@ "refresh_token": "1h" }, "custom": { + "long": { + "access_token": "2d", + "refresh_token": "3d" + } } }, "cors_endpoints": [ -- 2.47.3 From cbfde41f550bcb7ce935d630abb1b4ac11a755b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 17:18:25 +0200 Subject: [PATCH 27/41] [int] --- .../templates/authelia-client-conf-web.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 index 2ccadd2..8a30c04 100644 --- a/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 +++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 
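Review bot: The new `long` lifespan in roles/authelia/cfg.schema.json (and the identical block in defaults/main.json) gives `access_token` a lifetime of `2d`, which is unusually long for a bearer token: a token copied out of the browser stays valid for two days with no server-side way to cut it short, whereas the surrounding context shows the existing lifespan using `1h`. Since the web client that adopts this lifespan is a public client with `refresh_token` in its grant types, consider `"access_token": "1h"` (or shorter) and let the `3d` refresh token carry the long session. The redirect_uris hunk above only prepends `https://` and is fine as is.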
@@ -2,7 +2,7 @@ "client_id": "{{cfg_authelia_for_owncloud.web.client_id}}", "client_name": "ownCloud | Web Client", - "lifespan": "ocis", + "lifespan": "long", "public": true, "authorization_policy": "one_factor", "require_pkce": true, -- 2.47.3 From b356e6c1afca9e304f31a7bc131ed157d496b2dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 17:26:16 +0200 Subject: [PATCH 28/41] [int] --- roles/authelia/templates/conf-main.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/authelia/templates/conf-main.json.j2 b/roles/authelia/templates/conf-main.json.j2 index 0b75b5a..eee90ef 100644 --- a/roles/authelia/templates/conf-main.json.j2 +++ b/roles/authelia/templates/conf-main.json.j2 @@ -56,7 +56,7 @@ {% else %} "disable": true, {% endif %} - "custom_url": "{{cfg_authelia.password_reset.custom_url}}" + "custom_url": {{cfg_authelia.password_reset.custom_url | to_json}} }, "refresh_interval": "5m", "file": { -- 2.47.3 From cdeedc7ac335e34d2e37c559f0c98678ac11069d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 7 Oct 2025 18:27:51 +0200 Subject: [PATCH 29/41] [int] --- roles/authelia/tasks/main.json | 12 ++++++++---- roles/owncloud/info.md | 2 +- roles/owncloud/tasks/main.json | 20 +++++++++++--------- roles/owncloud/templates/env.j2 | 2 ++ 4 files changed, 22 insertions(+), 14 deletions(-) diff --git a/roles/authelia/tasks/main.json b/roles/authelia/tasks/main.json index 7893041..6502607 100644 --- a/roles/authelia/tasks/main.json +++ b/roles/authelia/tasks/main.json @@ -68,7 +68,7 @@ "name": "configuration", "block": [ { - "name": "compose script", + "name": "configuration | compose script", "become": true, "ansible.builtin.copy": { "src": "conf-compose.py", @@ -77,7 +77,7 @@ } }, { - "name": "directories", + "name": "configuration | directories", "become": true, "loop": [ "/etc/authelia/conf.d", 
@@ -89,7 +89,7 @@ } }, { - "name": "main", + "name": "configuration | main", "become": true, "ansible.builtin.template": { "src": "conf-main.json.j2", @@ -97,7 +97,7 @@ } }, { - "name": "compose", + "name": "configuration | compose", "become": true, "ansible.builtin.command": { "cmd": "/usr/bin/authelia-conf-compose --main-file-path=/etc/authelia/conf.d/main.json --clients-directory-path=/etc/authelia/conf.d/clients --output-format=yaml --output-path=/etc/authelia/configuration.yml" @@ -110,6 +110,8 @@ "become": true, "ansible.builtin.file": { "state": "directory", + "owner": "authelia", + "group": "authelia", "path": "{{cfg_authelia.log_file_path | dirname}}" } }, @@ -121,6 +123,8 @@ "become": true, "ansible.builtin.file": { "state": "directory", + "owner": "authelia", + "group": "authelia", "path": "{{cfg_authelia.users_file_path | dirname}}" } }, diff --git a/roles/owncloud/info.md b/roles/owncloud/info.md index fdf6627..962bd4f 100644 --- a/roles/owncloud/info.md +++ b/roles/owncloud/info.md 
@@ -9,8 +9,8 @@ Cloud-Plattform [ownCloud](https://owncloud.com/) (the rewrite in Go named "Infi - [ownCloud-Dokumentation | oCIS](https://owncloud.dev/ocis/) - [ownCloud-Dokumentation | Upgrading](https://doc.owncloud.com/ocis/next/migration/upgrading-ocis.html) - [ownCloud-Dokumentation | env var types](https://doc.owncloud.com/ocis/next/deployment/services/envvar-types-description.html) -- [ownCloud-Dokumentation | Service | Proxy](https://doc.owncloud.com/ocis/next/deployment/services/s-list/proxy.html) - [ownCloud-Dokumentation | Service | Web](https://doc.owncloud.com/ocis/next/deployment/services/s-list/web.html) +- [ownCloud-Dokumentation | Service | Proxy](https://doc.owncloud.com/ocis/next/deployment/services/s-list/proxy.html) - [ownCloud-Dokumentation | Service | Sharing](https://doc.owncloud.com/ocis/next/deployment/services/s-list/sharing.html) - [GitHub | ocis](https://github.com/owncloud/ocis/) - [ownCloud-Foren | OCIS + Authelia](https://central.owncloud.org/t/ocis-authelia/44222) diff --git a/roles/owncloud/tasks/main.json b/roles/owncloud/tasks/main.json index 147e58b..4bfed90 100644 --- a/roles/owncloud/tasks/main.json +++ b/roles/owncloud/tasks/main.json @@ -44,9 +44,20 @@ "become_user": "{{cfg_owncloud.user}}", "ansible.builtin.template": { "src": "csp.yaml.j2", + "mode": "644", "dest": "{{cfg_owncloud.directory}}/csp.yaml" } }, + { + "name": "env", + "become": true, + "become_user": "{{cfg_owncloud.user}}", + "ansible.builtin.template": { + "src": "env.j2", + "mode": "644", + "dest": "{{cfg_owncloud.directory}}/.env" + } + }, { "name": "setup", "become": true, 
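Review bot: The relocated `env` task writes `{{cfg_owncloud.directory}}/.env` with `"mode": "644"`, readable by every local account; the variables visible in env.j2 (OIDC URLs, theme and config server) are not secrets, but an ocis `.env` is the usual place for deployment settings, so if any templated value there is a credential the file should instead get `"mode": "0600"` and stay owned by the service user. The `644` on csp.yaml just above is appropriate for that file. The enclosing task list continues outside the hunk.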
@@ -56,15 +67,6 @@ "cmd": "rm -f {{cfg_owncloud.directory}}/.ocis/config/ocis.yaml && ./ocis init --insecure no --admin-password={{cfg_owncloud.admin_password}}" } }, - { - "name": "configuration", - "become": true, - "become_user": "{{cfg_owncloud.user}}", - "ansible.builtin.template": { - "src": "env.j2", - "dest": "{{cfg_owncloud.directory}}/.env" - } - }, { "name": "systemd unit", "become": true, diff --git a/roles/owncloud/templates/env.j2 b/roles/owncloud/templates/env.j2 index 17d0957..6511309 100644 --- a/roles/owncloud/templates/env.j2 +++ b/roles/owncloud/templates/env.j2 @@ -12,6 +12,8 @@ WEB_OIDC_RESPONSE_TYPE=code WEB_OIDC_SCOPE=openid profile email groups WEB_OPTION_LOGIN_URL={{cfg_owncloud.authentication.data.url_base}} WEB_OPTION_LOGOUT_URL={{cfg_owncloud.authentication.data.url_base}} +WEB_UI_THEME_SERVER={{cfg_owncloud.domain}} +WEB_UI_CONFIG_SERVER={{cfg_owncloud.domain}} {% endif %} ## other clients -- 2.47.3 From 33491acb3768a12a777a2980dafd6cb87860c72c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 8 Oct 2025 11:20:09 +0200 Subject: [PATCH 30/41] [int] --- roles/authelia-and-nginx/cfg.schema.json | 24 ++ roles/authelia-and-nginx/defaults/main.json | 5 +- roles/authelia-and-nginx/tasks/main.json | 13 +- roles/authelia-and-nginx/templates/conf.j2 | 12 +- roles/authelia-and-nginx/vardef.json | 15 - roles/authelia-for-hedgedoc/cfg.schema.json | 24 ++ .../authelia-for-hedgedoc/defaults/main.json | 6 +- roles/authelia-for-hedgedoc/tasks/main.json | 9 +- .../templates/authelia-client-conf.json.j2 | 4 +- roles/hedgedoc-and-nginx/cfg.schema.json | 24 ++ roles/hedgedoc-and-nginx/defaults/main.json | 5 +- roles/hedgedoc-and-nginx/tasks/main.json | 13 +- roles/hedgedoc-and-nginx/templates/conf.j2 | 10 +- roles/hedgedoc-and-nginx/vardef.json | 15 - roles/hedgedoc/cfg.schema.json | 264 ++++++++++++++++++ roles/hedgedoc/defaults/main.json | 37 ++- roles/hedgedoc/tasks/main.json | 21 +- roles/hedgedoc/templates/config.json.j2 | 48 ++-- roles/hedgedoc/templates/systemd-unit.j2 | 4 +- roles/hedgedoc/vardef.json | 87 ------ roles/owncloud-and-nginx/cfg.schema.json | 28 ++ roles/owncloud-and-nginx/defaults/main.json | 7 +- roles/owncloud-and-nginx/tasks/main.json | 13 +- roles/owncloud-and-nginx/templates/conf.j2 | 14 +- roles/owncloud-and-nginx/vardef.json | 20 -- roles/owncloud/templates/csp.yaml.j2 | 1 + roles/owncloud/templates/env.j2 | 4 +- roles/tlscert_selfsigned/cfg.schema.json | 14 + roles/tlscert_selfsigned/defaults/main.json | 3 +- roles/tlscert_selfsigned/tasks/main.json | 25 +- 30 files changed, 528 insertions(+), 241 deletions(-) create mode 100644 roles/authelia-and-nginx/cfg.schema.json delete mode 100644 roles/authelia-and-nginx/vardef.json create mode 100644 roles/authelia-for-hedgedoc/cfg.schema.json create mode 100644 roles/hedgedoc-and-nginx/cfg.schema.json delete mode 100644 roles/hedgedoc-and-nginx/vardef.json create mode 100644 roles/hedgedoc/cfg.schema.json delete mode 100644 roles/hedgedoc/vardef.json 
create mode 100644 roles/owncloud-and-nginx/cfg.schema.json delete mode 100644 roles/owncloud-and-nginx/vardef.json create mode 100644 roles/tlscert_selfsigned/cfg.schema.json diff --git a/roles/authelia-and-nginx/cfg.schema.json b/roles/authelia-and-nginx/cfg.schema.json new file mode 100644 index 0000000..59e399d --- /dev/null +++ b/roles/authelia-and-nginx/cfg.schema.json @@ -0,0 +1,24 @@ +{ + "nullable": false, + "type": "object", + "properties": { + "domain": { + "nullable": false, + "type": "string" + }, + "tls_mode": { + "nullable": false, + "type": "string", + "options": [ + "disable", + "enable", + "force" + ], + "enum": "force" + } + }, + "additionalProperties": false, + "required": [ + "domain" + ] +} diff --git a/roles/authelia-and-nginx/defaults/main.json b/roles/authelia-and-nginx/defaults/main.json index 0aaf1b7..28e3be5 100644 --- a/roles/authelia-and-nginx/defaults/main.json +++ b/roles/authelia-and-nginx/defaults/main.json @@ -1,4 +1,5 @@ { - "var_authelia_and_nginx_domain": "authelia.example.org", - "var_authelia_and_nginx_tls_mode": "force" + "cfg_authelia_and_nginx_defaults": { + "tls_mode": "force" + } } diff --git a/roles/authelia-and-nginx/tasks/main.json b/roles/authelia-and-nginx/tasks/main.json index 87dcf2b..c56c915 100644 --- a/roles/authelia-and-nginx/tasks/main.json +++ b/roles/authelia-and-nginx/tasks/main.json @@ -1,4 +1,11 @@ [ + { + "name": "show vars", + "when": "switch_show_vars", + "ansible.builtin.debug": { + "var": "vars.cfg_authelia_and_nginx" + } + }, { "name": "deactivate default site", "become": true, @@ -12,7 +19,7 @@ "become": true, "ansible.builtin.template": { "src": "conf.j2", - "dest": "/etc/nginx/sites-available/{{var_authelia_and_nginx_domain}}" + "dest": "/etc/nginx/sites-available/{{cfg_authelia_and_nginx.domain}}" } }, { 
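Review bot: `"enum": "force"` on the `tls_mode` property of the new roles/authelia-and-nginx/cfg.schema.json looks like a typo for `"default": "force"`: the sibling schema added in this same commit for hedgedoc-and-nginx declares the identical property with `"options": [...]` followed by `"default": "force"`, and the defaults file here supplies `tls_mode: force` as a default, not a constraint. Depending on how strictly the consumer treats `enum` (a string where an array is expected), the result is either a schema error or a property that silently loses its default and no longer offers `disable`/`enable`. Change the line to `"default": "force"`.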
@@ -20,8 +27,8 @@ "become": true, "ansible.builtin.file": { "state": "link", - "src": "/etc/nginx/sites-available/{{var_authelia_and_nginx_domain}}", - "dest": "/etc/nginx/sites-enabled/{{var_authelia_and_nginx_domain}}" + "src": "/etc/nginx/sites-available/{{cfg_authelia_and_nginx.domain}}", + "dest": "/etc/nginx/sites-enabled/{{cfg_authelia_and_nginx.domain}}" } }, { diff --git a/roles/authelia-and-nginx/templates/conf.j2 b/roles/authelia-and-nginx/templates/conf.j2 index cd3b8d6..2b99bcb 100644 --- a/roles/authelia-and-nginx/templates/conf.j2 +++ b/roles/authelia-and-nginx/templates/conf.j2 @@ -45,27 +45,27 @@ {% endmacro %} server { - server_name {{var_authelia_and_nginx_domain}}; + server_name {{cfg_authelia_and_nginx.domain}}; listen 80; listen [::]:80; -{% if (var_authelia_and_nginx_tls_mode == 'force') %} +{% if (cfg_authelia_and_nginx.tls_mode == 'force') %} return 301 https://$http_host$request_uri; {% else %} {{ authelia_common() }} {% endif %} } -{% if (var_authelia_and_nginx_tls_mode != 'disable') %} +{% if (cfg_authelia_and_nginx.tls_mode != 'disable') %} server { - server_name {{var_authelia_and_nginx_domain}}; + server_name {{cfg_authelia_and_nginx.domain}}; listen [::]:443 ssl http2; listen 443 ssl http2; - ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem; - ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem; + ssl_certificate_key /etc/ssl/private/{{cfg_authelia_and_nginx.domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{cfg_authelia_and_nginx.domain}}.pem; include /etc/nginx/ssl-hardening.conf; {{ authelia_common() }} diff --git a/roles/authelia-and-nginx/vardef.json b/roles/authelia-and-nginx/vardef.json deleted file mode 100644 index b78ac7a..0000000 --- a/roles/authelia-and-nginx/vardef.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "domain": { - "type": "string", - "mandatory": false - }, - "tls_mode": { - "type": "string", - "options": [ - "disable", - "enable", - "force" - ], - "mandatory": false - } -} diff --git a/roles/authelia-for-hedgedoc/cfg.schema.json b/roles/authelia-for-hedgedoc/cfg.schema.json new file mode 100644 index 0000000..03e83ff --- /dev/null +++ b/roles/authelia-for-hedgedoc/cfg.schema.json @@ -0,0 +1,24 @@ +{ + "nullable": false, + "type": "object", + "properties": { + "hedgedoc_url_base": { + "nullable": false, + "type": "string", + "default": "https://hedgedoc.example.org" + }, + "client_id": { + "nullable": false, + "type": "string", + "default": "hedgedoc" + }, + "client_secret": { + "nullable": false, + "type": "string" + } + }, + "additionalProperties": false, + "required": [ + "client_secret" + ] +} diff --git a/roles/authelia-for-hedgedoc/defaults/main.json b/roles/authelia-for-hedgedoc/defaults/main.json index b1e3329..603c7fe 100644 --- a/roles/authelia-for-hedgedoc/defaults/main.json +++ b/roles/authelia-for-hedgedoc/defaults/main.json @@ -1,5 +1,5 @@ { - "var_authelia_for_hedgedoc_hedgedoc_url_base": "https://hedgedoc.example.org", - "var_authelia_for_hedgedoc_client_id": "hedgedoc", - "var_authelia_for_hedgedoc_client_secret": "REPLACE_ME" + "cfg_authelia_for_hedgedoc_defaults": { + "client_id": "hedgedoc" + } } diff --git a/roles/authelia-for-hedgedoc/tasks/main.json b/roles/authelia-for-hedgedoc/tasks/main.json index d229a17..7447ebc 100644 --- a/roles/authelia-for-hedgedoc/tasks/main.json +++ b/roles/authelia-for-hedgedoc/tasks/main.json 
@@ -1,9 +1,16 @@ [ + { + "name": "show vars", + "when": "switch_show_vars", + "ansible.builtin.debug": { + "var": "vars.cfg_authelia_for_hedgedoc" + } + }, { "name": "configuration | compute client secret hash", "become": true, "ansible.builtin.shell": { - "cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_hedgedoc_client_secret}} | cut --delimiter=' ' --fields='2-'" + "cmd": "authelia crypto hash generate bcrypt --password {{cfg_authelia_for_hedgedoc.client_secret}} | cut --delimiter=' ' --fields='2-'" }, "register": "temp_authelia_for_hedgedoc_client_secret_hashed" }, diff --git a/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 b/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 index 49a0c41..4547107 100644 --- a/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 +++ b/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 @@ -1,5 +1,5 @@ { - "client_id": "{{var_authelia_for_hedgedoc_client_id}}", + "client_id": "{{cfg_authelia_for_hedgedoc.client_id}}", "client_secret": "{{temp_authelia_for_hedgedoc_client_secret_hashed.stdout}}", "client_name": "Hedgedoc", "public": false, @@ -10,7 +10,7 @@ "profile" ], "redirect_uris": [ - "{{var_authelia_for_hedgedoc_hedgedoc_url_base}}/auth/oauth2/callback" + "{{cfg_authelia_for_hedgedoc.hedgedoc_url_base}}/auth/oauth2/callback" ], "response_types": [ "code" diff --git a/roles/hedgedoc-and-nginx/cfg.schema.json b/roles/hedgedoc-and-nginx/cfg.schema.json new file mode 100644 index 0000000..a56a3c2 --- /dev/null +++ b/roles/hedgedoc-and-nginx/cfg.schema.json @@ -0,0 +1,24 @@ +{ + "nullable": false, + "type": "object", + "properties": { + "domain": { + "nullable": false, + "type": "string" + }, + "tls_mode": { + "nullable": false, + "type": "string", + "options": [ + "disable", + "enable", + "force" + ], + "default": "force" + } + }, + "additionalProperties": false, + "required": [ + "domain" + ] +} 
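Review bot: The rewritten `compute client secret hash` command still hands `{{cfg_authelia_for_hedgedoc.client_secret}}` to the shell unquoted, so the plaintext secret is visible in the process list while `authelia crypto hash` runs and in Ansible's task output and logs, and a secret containing spaces or shell metacharacters is split or reinterpreted by the shell. At minimum add `"no_log": true` to the task and quote the value, `--password {{cfg_authelia_for_hedgedoc.client_secret | quote}}`. The `show vars` debug task added here prints the same secret whenever `switch_show_vars` is set, and its sibling in roles/hedgedoc/tasks/main.json prints `vars.cfg_hedgedoc`, which includes `session_secret` and the database password, so that switch should stay off outside development.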
diff --git a/roles/hedgedoc-and-nginx/defaults/main.json b/roles/hedgedoc-and-nginx/defaults/main.json index aec6aa3..fec05a1 100644 --- a/roles/hedgedoc-and-nginx/defaults/main.json +++ b/roles/hedgedoc-and-nginx/defaults/main.json @@ -1,4 +1,5 @@ { - "var_hedgedoc_and_nginx_domain": "hedgedoc.example.org", - "var_hedgedoc_and_nginx_tls_mode": "force" + "cfg_hedgedoc_and_nginx_defaults": { + "tls_mode": "force" + } } diff --git a/roles/hedgedoc-and-nginx/tasks/main.json b/roles/hedgedoc-and-nginx/tasks/main.json index 40614bb..560d8a3 100644 --- a/roles/hedgedoc-and-nginx/tasks/main.json +++ b/roles/hedgedoc-and-nginx/tasks/main.json @@ -1,4 +1,11 @@ [ + { + "name": "show vars", + "when": "switch_show_vars", + "ansible.builtin.debug": { + "var": "vars.cfg_hedgedoc_and_nginx" + } + }, { "name": "deactivate default site", "become": true, @@ -12,7 +19,7 @@ "become": true, "ansible.builtin.template": { "src": "conf.j2", - "dest": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}" + "dest": "/etc/nginx/sites-available/{{cfg_hedgedoc_and_nginx.domain}}" } }, { @@ -20,8 +27,8 @@ "become": true, "ansible.builtin.file": { "state": "link", - "src": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}", - "dest": "/etc/nginx/sites-enabled/{{var_hedgedoc_and_nginx_domain}}" + "src": "/etc/nginx/sites-available/{{cfg_hedgedoc_and_nginx.domain}}", + "dest": "/etc/nginx/sites-enabled/{{cfg_hedgedoc_and_nginx.domain}}" } }, { diff --git a/roles/hedgedoc-and-nginx/templates/conf.j2 b/roles/hedgedoc-and-nginx/templates/conf.j2 index b9c6601..b6c6521 100644 --- a/roles/hedgedoc-and-nginx/templates/conf.j2 +++ b/roles/hedgedoc-and-nginx/templates/conf.j2 @@ -24,7 +24,7 @@ map $http_upgrade $connection_upgrade { {% endmacro %} server { - server_name {{var_hedgedoc_and_nginx_domain}}; + server_name {{cfg_hedgedoc_and_nginx.domain}}; listen 80; listen [::]:80; 
@@ -36,15 +36,15 @@ server { {% endif %} } -{% if (var_hedgedoc_and_nginx_tls_mode != 'disable') %} +{% if (cfg_hedgedoc_and_nginx.tls_mode != 'disable') %} server { - server_name {{var_hedgedoc_and_nginx_domain}}; + server_name {{cfg_hedgedoc_and_nginx.domain}}; listen [::]:443 ssl http2; listen 443 ssl http2; - ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem; - ssl_certificate /etc/ssl/fullchains/{{var_hedgedoc_and_nginx_domain}}.pem; + ssl_certificate_key /etc/ssl/private/{{cfg_hedgedoc_and_nginx.domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{cfg_hedgedoc_and_nginx.domain}}.pem; include /etc/nginx/ssl-hardening.conf; {{ hedgedoc_common() }} diff --git a/roles/hedgedoc-and-nginx/vardef.json b/roles/hedgedoc-and-nginx/vardef.json deleted file mode 100644 index b78ac7a..0000000 --- a/roles/hedgedoc-and-nginx/vardef.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "domain": { - "type": "string", - "mandatory": false - }, - "tls_mode": { - "type": "string", - "options": [ - "disable", - "enable", - "force" - ], - "mandatory": false - } -} diff --git a/roles/hedgedoc/cfg.schema.json b/roles/hedgedoc/cfg.schema.json new file mode 100644 index 0000000..11bd79b --- /dev/null +++ b/roles/hedgedoc/cfg.schema.json 
@@ -0,0 +1,264 @@ +{ + "nullable": false, + "type": "object", + "properties": { + "user_name": { + "nullable": false, + "type": "string", + "default": "hedgedoc" + }, + "directory": { + "nullable": false, + "type": "string", + "default": "/opt/hedgedoc" + }, + "version": { + "nullable": false, + "type": "string", + "version": "1.9.9" + }, + "session_secret": { + "nullable": false, + "type": "string" + }, + "domain": { + "nullable": false, + "type": "string", + "default": "hedgedoc.example.org" + }, + "database": { + "anyOf": [ + { + "nullable": false, + "type": "object", + "properties": { + "kind": { + "nullable": false, + "type": "string", + "enum": ["sqlite"] + }, + "data": { + "nullable": false, + "type": "object", + "properties": { + "path": { + "nullable": false, + "type": "string", + "default": "/var/hedgedoc/data.sqlite" + } + }, + "additionalProperties": false, + "required": [ + ], + "default": { + } + } + }, + "additionalProperties": false, + "required": [ + "kind" + ] + }, + { + "nullable": false, + "type": "object", + "properties": { + "kind": { + "nullable": false, + "type": "string", + "enum": ["postgresql"] + }, + "data": { + "nullable": false, + "type": "object", + "properties": { + "host": { + "nullable": false, + "type": "string", + "default": "localhost" + }, + "port": { + "nullable": false, + "type": "integer", + "default": 5432 + }, + "username": { + "nullable": false, + "type": "string", + "default": "hedgedoc_user" + }, + "password": { + "nullable": false, + "type": "string" + }, + "schema": { + "nullable": false, + "type": "string", + "default": "hedgedoc" + } + }, + "additionalProperties": false, + "required": [ + "password" + ] + } + }, + "additionalProperties": false, + "required": [ + "kind", + "data" + ] + }, + { + "nullable": false, + "type": "object", + "properties": { + "kind": { + "nullable": false, + "type": "string", + "enum": ["mariadb"] + }, + "data": { + "nullable": false, + "type": "object", + "properties": { + "host": { + 
"nullable": false, + "type": "string", + "default": "localhost" + }, + "port": { + "nullable": false, + "type": "integer", + "default": 3306 + }, + "username": { + "nullable": false, + "type": "string", + "default": "hedgedoc_user" + }, + "password": { + "nullable": false, + "type": "string" + }, + "schema": { + "nullable": false, + "type": "string", + "default": "hedgedoc" + } + }, + "additionalProperties": false, + "required": [ + "password" + ] + } + }, + "additionalProperties": false, + "required": [ + "kind", + "data" + ] + } + ] + }, + "authentication": { + "anyOf": [ + { + "nullable": false, + "type": "object", + "properties": { + "kind": { + "nullable": false, + "type": "string", + "enum": ["internal"] + }, + "data": { + "nullable": false, + "type": "object", + "properties": { + }, + "additionalProperties": false, + "required": [ + ] + } + }, + "additionalProperties": false, + "required": [ + "kind" + ] + }, + { + "nullable": false, + "type": "object", + "properties": { + "kind": { + "nullable": false, + "type": "string", + "enum": ["authelia"] + }, + "data": { + "nullable": false, + "type": "object", + "properties": { + "url_base": { + "nullable": false, + "type": "string" + }, + "client_id": { + "nullable": false, + "type": "string", + "default": "hedgedoc" + }, + "client_secret": { + "nullable": false, + "type": "string" + } + }, + "additionalProperties": false, + "required": [ + "url_base", + "client_secret" + ] + } + }, + "additionalProperties": false, + "required": [ + "kind" + ] + } + ] + }, + "log_level": { + "nullable": false, + "type": "string", + "enum": [ + "debug", + "verbose", + "info", + "warn", + "error" + ], + "default": "error" + }, + "guest_allow_create": { + "nullable": false, + "type": "boolean", + "default": false + }, + "guest_allow_change": { + "nullable": false, + "type": "boolean", + "default": false + }, + "free_names_mode": { + "nullable": false, + "type": "string", + "default": "authed" + } + }, + "additionalProperties": false, 
+ "required": [ + "domain", + "session_secret" + ] +} diff --git a/roles/hedgedoc/defaults/main.json b/roles/hedgedoc/defaults/main.json index 5dc2820..98e2b3d 100644 --- a/roles/hedgedoc/defaults/main.json +++ b/roles/hedgedoc/defaults/main.json @@ -1,21 +1,20 @@ { - "var_hedgedoc_user_name": "hedgedoc", - "var_hedgedoc_directory": "/opt/hedgedoc", - "var_hedgedoc_version": "1.9.9", - "var_hedgedoc_session_secret": "REPLACE_ME", - "var_hedgedoc_database_kind": "sqlite", - "var_hedgedoc_database_data_sqlite_path": "/var/hedgedoc/data.sqlite", - "var_hedgedoc_database_data_postgresql_host": "localhost", - "var_hedgedoc_database_data_postgresql_port": 5432, - "var_hedgedoc_database_data_postgresql_username": "hedgedoc_user", - "var_hedgedoc_database_data_postgresql_password": "REPLACE_ME", - "var_hedgedoc_database_data_postgresql_schema": "hedgedoc", - "var_hedgedoc_domain": "hedgedoc.example.org", - "var_hedgedoc_authentication_kind": "internal", - "var_hedgedoc_authentication_data_authelia_client_id": "hedgedoc", - "var_hedgedoc_authentication_data_authelia_client_secret": "REPLACE_ME", - "var_hedgedoc_authentication_data_authelia_url_base": "https://authelia.example.org", - "var_hedgedoc_guest_allow_create": false, - "var_hedgedoc_guest_allow_change": false, - "var_hedgedoc_free_names_mode": "authed" + "cfg_hedgedoc_defaults": { + "user_name": "hedgedoc", + "directory": "/opt/hedgedoc", + "version": "1.9.9", + "database": { + "kind": "sqlite", + "data": { + "path": "/var/hedgedoc/data.sqlite" + } + }, + "authentication": { + "kind": "internal" + }, + "log_level": "error", + "guest_allow_create": false, + "guest_allow_change": false, + "free_names_mode": "authed" + } } diff --git a/roles/hedgedoc/tasks/main.json b/roles/hedgedoc/tasks/main.json index 5347cc1..8b97d27 100644 --- a/roles/hedgedoc/tasks/main.json +++ b/roles/hedgedoc/tasks/main.json 
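Review bot: In the new roles/hedgedoc/cfg.schema.json the `version` property carries `"version": "1.9.9"` where every other property uses `"default"`, so the schema default is silently lost (the defaults file compensates by setting `version` itself, but the schema is wrong on its own) — change it to `"default": "1.9.9"`. The `authelia` variant of `authentication.data` also sets `additionalProperties: false` without declaring `provider_name`, yet the config.json.j2 updated in this same commit renders `cfg_hedgedoc.authentication.data.provider_name`, so a config that passes the schema cannot supply the value the template reads; add `"provider_name": {"nullable": false, "type": "string"}` or drop it from the template. I can't see from the diff which component enforces this schema, so the exact failure mode is inferred.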
@@ -1,4 +1,11 @@ [ + { + "name": "show vars", + "when": "switch_show_vars", + "ansible.builtin.debug": { + "var": "vars.cfg_hedgedoc" + } + }, { "name": "packages", "become": true, @@ -26,16 +33,16 @@ "name": "user", "become": true, "ansible.builtin.user": { - "name": "{{var_hedgedoc_user_name}}", + "name": "{{cfg_hedgedoc.user_name}}", "create_home": true, - "home": "{{var_hedgedoc_directory}}" + "home": "{{cfg_hedgedoc.directory}}" } }, { "name": "download", "become": false, "ansible.builtin.get_url": { - "url": "https://github.com/hedgedoc/hedgedoc/releases/download/{{var_hedgedoc_version}}/hedgedoc-{{var_hedgedoc_version}}.tar.gz", + "url": "https://github.com/hedgedoc/hedgedoc/releases/download/{{cfg_hedgedoc.version}}/hedgedoc-{{cfg_hedgedoc.version}}.tar.gz", "dest": "/tmp/hedgedoc.tar.gz" } }, @@ -45,8 +52,8 @@ "ansible.builtin.unarchive": { "remote_src": true, "src": "/tmp/hedgedoc.tar.gz", - "dest": "{{var_hedgedoc_directory | dirname}}", - "owner": "{{var_hedgedoc_user_name}}" + "dest": "{{cfg_hedgedoc.directory | dirname}}", + "owner": "{{cfg_hedgedoc.user_name}}" } }, { @@ -54,7 +61,7 @@ "become": true, "become_user": "hedgedoc", "ansible.builtin.command": { - "chdir": "{{var_hedgedoc_directory}}", + "chdir": "{{cfg_hedgedoc.directory}}", "cmd": "bin/setup" } }, @@ -63,7 +70,7 @@ "become": true, "ansible.builtin.template": { "src": "config.json.j2", - "dest": "{{var_hedgedoc_directory}}/config.json" + "dest": "{{cfg_hedgedoc.directory}}/config.json" } }, { diff --git a/roles/hedgedoc/templates/config.json.j2 b/roles/hedgedoc/templates/config.json.j2 index 509e4b6..b4dddc1 100644 --- a/roles/hedgedoc/templates/config.json.j2 +++ b/roles/hedgedoc/templates/config.json.j2 
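Review bot: The `download` task still fetches `hedgedoc-{{cfg_hedgedoc.version}}.tar.gz` from GitHub with no `checksum` argument, and the following `unarchive` task extracts it into `{{cfg_hedgedoc.directory | dirname}}`, so a tampered or truncated download is installed without any integrity check. ansible.builtin.get_url accepts `"checksum": "sha256:<EXPECTED_DIGEST>"` (placeholder — take the real digest from the release); keeping that digest next to `version` in the defaults would close the gap for the pinned version. The task list continues outside these hunks.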
@@ -1,61 +1,61 @@ { "production": { - "loglevel": "error", -{% if var_hedgedoc_database_kind == 'sqlite' %} + "loglevel": "{{cfg_hedgedoc.log_level}}", +{% if cfg_hedgedoc.database.kind == 'sqlite' %} "db": { "dialect": "sqlite", - "storage": "{{var_hedgedoc_database_data_sqlite_path}}" + "storage": "{{cfg_hedgedoc.database.data.path}}" }, {% endif %} -{% if var_hedgedoc_database_kind == 'postgresql' %} +{% if cfg_hedgedoc.database.kind == 'postgresql' %} "db": { "dialect": "postgres", - "host": "{{var_hedgedoc_database_data_postgresql_host}}", - "port": {{var_hedgedoc_database_data_postgresql_port | to_json}}, - "username": "{{var_hedgedoc_database_data_postgresql_username}}", - "password": "{{var_hedgedoc_database_data_postgresql_password}}", - "database": "{{var_hedgedoc_database_data_postgresql_schema}}" + "host": "{{cfg_hedgedoc.database.data.host}}", + "port": {{cfg_hedgedoc.database.data.port | to_json}}, + "username": "{{cfg_hedgedoc.database.data.username}}", + "password": "{{cfg_hedgedoc.database.data.password}}", + "database": "{{cfg_hedgedoc.database.data.schema}}" }, {% endif %} - "sessionSecret": "{{var_hedgedoc_session_secret}}", + "sessionSecret": "{{cfg_hedgedoc.session_secret}}", "host": "localhost", "allowOrigin": [ "localhost" ], - "domain": "{{var_hedgedoc_domain}}", + "domain": "{{cfg_hedgedoc.domain}}", "urlAddPort": false, "protocolUseSSL": true, -{% if var_hedgedoc_authentication_kind == 'internal' %} +{% if cfg_hedgedoc.authentication.kind == 'internal' %} "email": true, "allowEmailRegister": true, {% endif %} -{% if var_hedgedoc_authentication_kind == 'authelia' %} +{% if cfg_hedgedoc.authentication.kind == 'authelia' %} "oauth2": { - "providerName": "{{var_hedgedoc_authentication_data_authelia_provider_name}}", - "clientID": "{{var_hedgedoc_authentication_data_authelia_client_id}}", - "clientSecret": "{{var_hedgedoc_authentication_data_authelia_client_secret}}", + "providerName": "{{cfg_hedgedoc.authentication.data.provider_name}}", + 
"clientID": "{{cfg_hedgedoc.authentication.data.client_id}}", + "clientSecret": "{{cfg_hedgedoc.authentication.data.client_secret}}", "scope": "openid email profile", "userProfileUsernameAttr": "sub", "userProfileDisplayNameAttr": "name", "userProfileEmailAttr": "email", - "userProfileURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/api/oidc/userinfo", - "tokenURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/api/oidc/token", - "authorizationURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/api/oidc/authorization" + "userProfileURL": "{{cfg_hedgedoc.authentication.data.url_base}}/api/oidc/userinfo", + "tokenURL": "{{cfg_hedgedoc.authentication.data.url_base}}/api/oidc/token", + "authorizationURL": "{{cfg_hedgedoc.authentication.data.url_base}}/api/oidc/authorization" }, "email": false, "allowEmailRegister": false, {% endif %} - "allowAnonymous": {{var_hedgedoc_guest_allow_create | to_json}}, - "allowAnonymousEdits": {{var_hedgedoc_guest_allow_change | to_json}}, -{% if var_hedgedoc_free_names_mode == 'never' %} + "allowAnonymous": {{cfg_hedgedoc.guest_allow_create | to_json}}, + "allowAnonymousEdits": {{cfg_hedgedoc.guest_allow_change | to_json}}, +{% if cfg_hedgedoc.free_names_mode == 'never' %} "allowFreeURL": false, "requireFreeURLAuthentication": false, {% endif %} -{% if var_hedgedoc_free_names_mode == 'authed' %} +{% if cfg_hedgedoc.free_names_mode == 'authed' %} "allowFreeURL": true, "requireFreeURLAuthentication": true, {% endif %} -{% if var_hedgedoc_free_names_mode == 'always' %} +{% if cfg_hedgedoc.free_names_mode == 'always' %} "allowFreeURL": true, "requireFreeURLAuthentication": false, {% endif %} diff --git a/roles/hedgedoc/templates/systemd-unit.j2 b/roles/hedgedoc/templates/systemd-unit.j2 index 000bd6e..7a1d54f 100644 --- a/roles/hedgedoc/templates/systemd-unit.j2 +++ b/roles/hedgedoc/templates/systemd-unit.j2 
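Review bot: `sessionSecret`, `password`, `clientSecret` and the other string values are spliced into quoted JSON literals as `"{{cfg_hedgedoc.session_secret}}"` while `port` and the booleans already go through `| to_json`; a secret containing `"` or `\` therefore yields an invalid config.json, and randomly generated session secrets can easily contain such characters. Rendering every string value through the same filter, e.g. `"sessionSecret": {{cfg_hedgedoc.session_secret | to_json}},`, gives correct escaping for all of them. The later hunks of this template in patch 36 (`@@ -4,17 +4,17 @@` and `@@ -31,16 +31,16 @@`) keep the same unescaped pattern.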
@@ -3,8 +3,8 @@ Description=Hedgedoc After=multi-user.target [Service] -WorkingDirectory={{var_hedgedoc_directory}} -User={{var_hedgedoc_user_name}} +WorkingDirectory={{cfg_hedgedoc.directory}} +User={{cfg_hedgedoc.user_name}} Environment="NODE_ENV=production" ExecStart=yarn start SyslogIdentifier=hedgedoc diff --git a/roles/hedgedoc/vardef.json b/roles/hedgedoc/vardef.json deleted file mode 100644 index cb6e8d6..0000000 --- a/roles/hedgedoc/vardef.json +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - "user_name": { - "type": "string", - "mandatory": false - }, - "directory": { - "type": "string", - "mandatory": false - }, - "version": { - "type": "string", - "mandatory": false - }, - "session_secret": { - "type": "string", - "mandatory": true - }, - "database_kind": { - "type": "string", - "mandatory": false, - "options": [ - "sqlite", - "postgresql", - "mariadb" - ] - }, - "database_data_sqlite_path": { - "type": "string", - "mandatory": false - }, - "database_data_postgresql_host": { - "type": "string", - "mandatory": false - }, - "database_data_postgresql_port": { - "type": "integer", - "mandatory": false - }, - "database_data_postgresql_username": { - "type": "string", - "mandatory": false - }, - "database_data_postgresql_password": { - "type": "string", - "mandatory": false - }, - "database_data_postgresql_schema": { - "type": "string", - "mandatory": false - }, - "domain": { - "type": "string", - "mandatory": false - }, - "authentication_kind": { - "type": "string", - "mandatory": false, - "options": [ - "internal", - "authelia" - ] - }, - "authentication_data_authelia_client_id": { - "type": "string", - "mandatory": false - }, - "authentication_data_authelia_client_secret": { - "type": "string", - "mandatory": false - }, - "authentication_data_authelia_url_base": { - "type": "string", - "mandatory": false - }, - "guest_allow_create": { - "type": "boolean", - "mandatory": false - }, - "guest_allow_change": { - "type": "boolean", - "mandatory": false - }, - "free_names_mode": { - "type": "string", - "mandatory": false - } -} diff --git a/roles/owncloud-and-nginx/cfg.schema.json b/roles/owncloud-and-nginx/cfg.schema.json new file mode 100644 index 0000000..974342b --- /dev/null +++ b/roles/owncloud-and-nginx/cfg.schema.json 
@@ -0,0 +1,28 @@ +{ + "nullable": false, + "type": "object", + "properties": { + "domain": { + "nullable": false, + "type": "string" + }, + "tls_mode": { + "nullable": false, + "type": "string", + "enum": [ + "disable", + "enable", + "force" + ], + "default": "force" + }, + "maximum_upload_size": { + "type": "string", + "default": "1G" + } + }, + "additionalProperties": false, + "required": [ + "domain" + ] +} diff --git a/roles/owncloud-and-nginx/defaults/main.json b/roles/owncloud-and-nginx/defaults/main.json index 9ad192e..cc7e319 100644 --- a/roles/owncloud-and-nginx/defaults/main.json +++ b/roles/owncloud-and-nginx/defaults/main.json @@ -1,5 +1,6 @@ { - "var_owncloud_and_nginx_domain": "owncloud.example.org", - "var_owncloud_and_nginx_tls_mode": "force", - "var_owncloud_and_nginx_maximum_upload_size": "1G" + "cfg_owncloud_and_nginx_defaults": { + "tls_mode": "force", + "maximum_upload_size": "1G" + } } diff --git a/roles/owncloud-and-nginx/tasks/main.json b/roles/owncloud-and-nginx/tasks/main.json index 004dfa3..19e3f42 100644 --- a/roles/owncloud-and-nginx/tasks/main.json +++ b/roles/owncloud-and-nginx/tasks/main.json @@ -1,4 +1,11 @@ [ + { + "name": "show vars", + "when": "switch_show_vars", + "ansible.builtin.debug": { + "var": "vars.cfg_owncloud_and_nginx" + } + }, { "name": "deactivate default site", "become": true, @@ -12,7 +19,7 @@ "become": true, "ansible.builtin.template": { "src": "conf.j2", - "dest": "/etc/nginx/sites-available/{{var_owncloud_and_nginx_domain}}" + "dest": "/etc/nginx/sites-available/{{cfg_owncloud_and_nginx.domain}}" } }, { @@ -20,8 +27,8 @@ "become": true, "ansible.builtin.file": { "state": "link", - "src": "/etc/nginx/sites-available/{{var_owncloud_and_nginx_domain}}", - "dest": "/etc/nginx/sites-enabled/{{var_owncloud_and_nginx_domain}}" + "src": "/etc/nginx/sites-available/{{cfg_owncloud_and_nginx.domain}}", + "dest": "/etc/nginx/sites-enabled/{{cfg_owncloud_and_nginx.domain}}" } }, { 
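Review bot: In the new `roles/owncloud-and-nginx/cfg.schema.json` the `maximum_upload_size` property omits the `"nullable": false` line that `domain` and `tls_mode` carry, so a null value would pass validation and reach the nginx template's `client_max_body_size` directive as an empty or `None`-like value. Adding `"nullable": false,` above its `"type": "string"` makes the three properties consistent.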
diff --git a/roles/owncloud-and-nginx/templates/conf.j2 b/roles/owncloud-and-nginx/templates/conf.j2 index 85e67ab..db4e6ac 100644 --- a/roles/owncloud-and-nginx/templates/conf.j2 +++ b/roles/owncloud-and-nginx/templates/conf.j2 @@ -1,7 +1,7 @@ {% macro owncloud_common() %} location / { proxy_pass http://localhost:9200; - client_max_body_size {{var_owncloud_and_nginx_maximum_upload_size}}; + client_max_body_size {{cfg_owncloud_and_nginx.maximum_upload_size}}; } {% endmacro %} @@ -9,24 +9,24 @@ server { listen 80; listen [::]:80; - server_name {{var_owncloud_and_nginx_domain}}; + server_name {{cfg_owncloud_and_nginx.domain}}; -{% if var_owncloud_and_nginx_tls_mode == 'force' %} +{% if cfg_owncloud_and_nginx.tls_mode == 'force' %} return 301 https://$http_host$request_uri; {% else %} {{ owncloud_common() }} {% endif %} } -{% if var_owncloud_and_nginx_tls_mode != 'disable' %} +{% if cfg_owncloud_and_nginx.tls_mode != 'disable' %} server { listen 443 ssl; listen [::]:443 ssl; - server_name {{var_owncloud_and_nginx_domain}}; + server_name {{cfg_owncloud_and_nginx.domain}}; - ssl_certificate_key /etc/ssl/private/{{var_owncloud_and_nginx_domain}}.pem; - ssl_certificate /etc/ssl/fullchains/{{var_owncloud_and_nginx_domain}}.pem; + ssl_certificate_key /etc/ssl/private/{{cfg_owncloud_and_nginx.domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{cfg_owncloud_and_nginx.domain}}.pem; include /etc/nginx/ssl-hardening.conf; {{ owncloud_common() }} diff --git a/roles/owncloud-and-nginx/vardef.json b/roles/owncloud-and-nginx/vardef.json deleted file mode 100644 index 7872cb8..0000000 --- a/roles/owncloud-and-nginx/vardef.json +++ /dev/null @@ -1,20 +0,0 @@ - -{ - "domain": { - "type": "string", - "mandatory": false - }, - "tls_mode": { - "type": "string", - "options": [ - "disable", - "enable", - "force" - ], - "mandatory": false - }, - "maximum_upload_size": { - "type": "string", - "mandatory": false - } -} 
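Review bot: The TLS-force branch redirects with `return 301 https://$http_host$request_uri;`, which copies the client-supplied Host header into the Location target rather than the configured name, so a request carrying a foreign Host header that lands on this server block is redirected to that foreign host. Using the value the template already has, `return 301 https://{{cfg_owncloud_and_nginx.domain}}$request_uri;`, pins the redirect to this site. The line is unchanged context in this hunk, and the same pattern appears in `roles/hedgedoc-and-nginx/templates/conf.j2` (patch 35).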
diff --git a/roles/owncloud/templates/csp.yaml.j2 b/roles/owncloud/templates/csp.yaml.j2 index 7953508..2373aa5 100644 --- a/roles/owncloud/templates/csp.yaml.j2 +++ b/roles/owncloud/templates/csp.yaml.j2 @@ -1,6 +1,7 @@ directives: connect-src: - '''self''' + - 'https://{{cfg_owncloud.domain}}' {% if cfg_owncloud.authentication.kind == 'authelia' %} - '{{cfg_owncloud.authentication.data.url_base}}' {% endif %} diff --git a/roles/owncloud/templates/env.j2 b/roles/owncloud/templates/env.j2 index 6511309..642330f 100644 --- a/roles/owncloud/templates/env.j2 +++ b/roles/owncloud/templates/env.j2 @@ -12,8 +12,8 @@ WEB_OIDC_RESPONSE_TYPE=code WEB_OIDC_SCOPE=openid profile email groups WEB_OPTION_LOGIN_URL={{cfg_owncloud.authentication.data.url_base}} WEB_OPTION_LOGOUT_URL={{cfg_owncloud.authentication.data.url_base}} -WEB_UI_THEME_SERVER={{cfg_owncloud.domain}} -WEB_UI_CONFIG_SERVER={{cfg_owncloud.domain}} +WEB_UI_THEME_SERVER=https://{{cfg_owncloud.domain}} +WEB_UI_CONFIG_SERVER=https://{{cfg_owncloud.domain}} {% endif %} ## other clients diff --git a/roles/tlscert_selfsigned/cfg.schema.json b/roles/tlscert_selfsigned/cfg.schema.json new file mode 100644 index 0000000..c06145c --- /dev/null +++ b/roles/tlscert_selfsigned/cfg.schema.json @@ -0,0 +1,14 @@ +{ + "nullable": false, + "type": "object", + "properties": { + "domain": { + "nullable": false, + "type": "string" + } + }, + "additionalProperties": false, + "required": [ + "domain" + ] +} diff --git a/roles/tlscert_selfsigned/defaults/main.json b/roles/tlscert_selfsigned/defaults/main.json index 06c1a9a..9fe02ee 100644 --- a/roles/tlscert_selfsigned/defaults/main.json +++ b/roles/tlscert_selfsigned/defaults/main.json @@ -1,3 +1,4 @@ { - "var_tlscert_selfsigned_domain": "foo.example.org" + "cfg_tlscert_selfsigned_defaults": { + } } diff --git a/roles/tlscert_selfsigned/tasks/main.json b/roles/tlscert_selfsigned/tasks/main.json index bed8255..cbe8ea6 100644 --- a/roles/tlscert_selfsigned/tasks/main.json 
+++ b/roles/tlscert_selfsigned/tasks/main.json @@ -1,4 +1,11 @@ [ + { + "name": "show vars", + "when": "switch_show_vars", + "ansible.builtin.debug": { + "var": "vars.cfg_tlscert_selfsigned" + } + }, { "name": "install packages", "become": true, @@ -28,19 +35,19 @@ "name": "csr | generate private key", "become": true, "community.crypto.openssl_privatekey": { - "path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem" + "path": "/etc/ssl/private/{{cfg_tlscert_selfsigned.domain}}.pem" } }, { "name": "csr | execute", "become": true, "community.crypto.openssl_csr": { - "privatekey_path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem", - "common_name": "{{var_tlscert_selfsigned_domain}}", + "privatekey_path": "/etc/ssl/private/{{cfg_tlscert_selfsigned.domain}}.pem", + "common_name": "{{cfg_tlscert_selfsigned.domain}}", "subject_alt_name": [ - "DNS:{{var_tlscert_selfsigned_domain}}" + "DNS:{{cfg_tlscert_selfsigned.domain}}" ], - "path": "/etc/ssl/csr/{{var_tlscert_selfsigned_domain}}.pem" + "path": "/etc/ssl/csr/{{cfg_tlscert_selfsigned.domain}}.pem" }, "register": "temp_csr" }, 
@@ -48,17 +55,17 @@ "name": "generate certificate", "become": true, "community.crypto.x509_certificate": { - "privatekey_path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem", - "csr_path": "/etc/ssl/csr/{{var_tlscert_selfsigned_domain}}.pem", + "privatekey_path": "/etc/ssl/private/{{cfg_tlscert_selfsigned.domain}}.pem", + "csr_path": "/etc/ssl/csr/{{cfg_tlscert_selfsigned.domain}}.pem", "provider": "selfsigned", - "path": "/etc/ssl/certs/{{var_tlscert_selfsigned_domain}}.pem" + "path": "/etc/ssl/certs/{{cfg_tlscert_selfsigned.domain}}.pem" } }, { "name": "compose fullchain", "become": true, "ansible.builtin.shell": { - "cmd": "cat /etc/ssl/certs/{{var_tlscert_selfsigned_domain}}.pem > /etc/ssl/fullchains/{{var_tlscert_selfsigned_domain}}.pem" + "cmd": "cat /etc/ssl/certs/{{cfg_tlscert_selfsigned.domain}}.pem > /etc/ssl/fullchains/{{cfg_tlscert_selfsigned.domain}}.pem" } } ] -- 2.47.3 From 1ebe98f23e7dc756e254b1651fa8162dc82de72b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 8 Oct 2025 11:31:00 +0200 Subject: [PATCH 31/41] [int] --- roles/authelia-for-hedgedoc/cfg.schema.json | 4 ++-- roles/authelia-for-owncloud/cfg.schema.json | 4 ++-- .../authelia-for-owncloud/defaults/main.json | 1 - roles/sqlite-for-hedgedoc/cfg.schema.json | 19 +++++++++++++++++++ roles/sqlite-for-hedgedoc/defaults/main.json | 6 ++++-- roles/sqlite-for-hedgedoc/tasks/main.json | 6 +++--- roles/sqlite-for-hedgedoc/vardef.json | 10 ---------- 7 files changed, 30 insertions(+), 20 deletions(-) create mode 100644 roles/sqlite-for-hedgedoc/cfg.schema.json delete mode 100644 roles/sqlite-for-hedgedoc/vardef.json diff --git a/roles/authelia-for-hedgedoc/cfg.schema.json b/roles/authelia-for-hedgedoc/cfg.schema.json index 03e83ff..b2da9bf 100644 --- a/roles/authelia-for-hedgedoc/cfg.schema.json +++ b/roles/authelia-for-hedgedoc/cfg.schema.json 
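Review bot: The `compose fullchain` task builds a shell command line with `cfg_tlscert_selfsigned.domain` spliced in twice (`cat … > …` via `ansible.builtin.shell`), and the schema added for this role only constrains `domain` to a string, so a value with shell metacharacters or `/` components escapes the intended `/etc/ssl/certs` and `/etc/ssl/fullchains` locations; the same string also forms the private-key and CSR paths in the `@@ -28,19 +35,19 @@` hunk above. `ansible.builtin.copy` with `remote_src` performs the same copy without a shell, and a `pattern` on the `domain` property restricted to hostname characters would bound the value at validation time. Only the variable renames in this hunk are new.
```json
{
  "name": "compose fullchain",
  "become": true,
  "ansible.builtin.copy": {
    "remote_src": true,
    "src": "/etc/ssl/certs/{{cfg_tlscert_selfsigned.domain}}.pem",
    "dest": "/etc/ssl/fullchains/{{cfg_tlscert_selfsigned.domain}}.pem"
  }
}
```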
@@ -4,8 +4,7 @@ "properties": { "hedgedoc_url_base": { "nullable": false, - "type": "string", - "default": "https://hedgedoc.example.org" + "type": "string" }, "client_id": { "nullable": false, @@ -19,6 +18,7 @@ }, "additionalProperties": false, "required": [ + "hedgedoc_url_base", "client_secret" ] } diff --git a/roles/authelia-for-owncloud/cfg.schema.json b/roles/authelia-for-owncloud/cfg.schema.json index 42ae537..8df9dca 100644 --- a/roles/authelia-for-owncloud/cfg.schema.json +++ b/roles/authelia-for-owncloud/cfg.schema.json @@ -4,8 +4,7 @@ "properties": { "owncloud_url_base": { "nullable": false, - "type": "string", - "default": "https://owncloud.example.org" + "type": "string" }, "web": { "nullable": true, @@ -89,5 +88,6 @@ }, "additionalProperties": false, "required": [ + "owncloud_url_base" ] } diff --git a/roles/authelia-for-owncloud/defaults/main.json b/roles/authelia-for-owncloud/defaults/main.json index 71aba99..ad9f859 100644 --- a/roles/authelia-for-owncloud/defaults/main.json +++ b/roles/authelia-for-owncloud/defaults/main.json @@ -1,6 +1,5 @@ { "cfg_authelia_for_owncloud_defaults": { - "owncloud_url_base": "https://owncloud.example.org", "web": { "client_id": "owncloud_web" }, diff --git a/roles/sqlite-for-hedgedoc/cfg.schema.json b/roles/sqlite-for-hedgedoc/cfg.schema.json new file mode 100644 index 0000000..d6a5f43 --- /dev/null +++ b/roles/sqlite-for-hedgedoc/cfg.schema.json @@ -0,0 +1,19 @@ +{ + "nullable": false, + "type": "object", + "properties": { + "path": { + "nullable": false, + "type": "string", + "default": "/var/hedgedoc/data.sqlite" + }, + "user_name": { + "nullable": false, + "type": "string", + "default": "hedgedoc" + } + }, + "additionalProperties": false, + "required": [ + ] +} diff --git a/roles/sqlite-for-hedgedoc/defaults/main.json b/roles/sqlite-for-hedgedoc/defaults/main.json index e574eac..dcebc0b 100644 --- a/roles/sqlite-for-hedgedoc/defaults/main.json +++ b/roles/sqlite-for-hedgedoc/defaults/main.json 
@@ -1,4 +1,6 @@ { - "var_sqlite_for_hedgedoc_path": "/var/hedgedoc/data.sqlite", - "var_sqlite_for_hedgedoc_user_name": "hedgedoc" + "cfg_sqlite_for_hedgedoc": { + "path": "/var/hedgedoc/data.sqlite", + "user_name": "hedgedoc" + } } diff --git a/roles/sqlite-for-hedgedoc/tasks/main.json b/roles/sqlite-for-hedgedoc/tasks/main.json index 7495fca..e52c024 100644 --- a/roles/sqlite-for-hedgedoc/tasks/main.json +++ b/roles/sqlite-for-hedgedoc/tasks/main.json @@ -4,7 +4,7 @@ "become": true, "ansible.builtin.file": { "state": "directory", - "path": "{{var_sqlite_for_hedgedoc_path | dirname}}", + "path": "{{cfg_sqlite_for_hedgedocpath | dirname}}", "owner": "{{var_hedgedoc_user_name}}" } }, @@ -13,8 +13,8 @@ "become": true, "ansible.builtin.file": { "state": "touch", - "path": "{{var_sqlite_for_hedgedoc_path}}", - "owner": "{{var_sqlite_for_hedgedoc_user_name}}" + "path": "{{cfg_sqlite_for_hedgedocpath}}", + "owner": "{{cfg_sqlite_for_hedgedocuser_name}}" } } ] diff --git a/roles/sqlite-for-hedgedoc/vardef.json b/roles/sqlite-for-hedgedoc/vardef.json deleted file mode 100644 index e62f130..0000000 --- a/roles/sqlite-for-hedgedoc/vardef.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "path": { - "type": "string", - "mandatory": false - }, - "user_name": { - "type": "string", - "mandatory": false - } -} -- 2.47.3 From 01813a835d0d39f1d1a8de686c7ebd32cbb3ff58 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 8 Oct 2025 11:32:28 +0200 Subject: [PATCH 32/41] [int] --- roles/sqlite-for-hedgedoc/tasks/main.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/sqlite-for-hedgedoc/tasks/main.json b/roles/sqlite-for-hedgedoc/tasks/main.json index e52c024..2af265b 100644 --- a/roles/sqlite-for-hedgedoc/tasks/main.json +++ b/roles/sqlite-for-hedgedoc/tasks/main.json 
@@ -4,8 +4,8 @@
 "become": true,
 "ansible.builtin.file": {
 "state": "directory",
- "path": "{{cfg_sqlite_for_hedgedocpath | dirname}}",
- "owner": "{{var_hedgedoc_user_name}}"
+ "path": "{{cfg_sqlite_for_hedgedoc.path | dirname}}",
+ "owner": "{{cfg_sqlite_for_hedgedoc.user_name}}"
 }
 },
 {
@@ -13,8 +13,8 @@
 "become": true,
 "ansible.builtin.file": {
 "state": "touch",
- "path": "{{cfg_sqlite_for_hedgedocpath}}",
- "owner": "{{cfg_sqlite_for_hedgedocuser_name}}"
+ "path": "{{cfg_sqlite_for_hedgedoc.path}}",
+ "owner": "{{cfg_sqlite_for_hedgedoc.user_name}}"
 }
 }
 ]
-- 2.47.3
From 844e73885f22f256239f472c4556734a20ef18cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Wed, 8 Oct 2025 11:32:52 +0200
Subject: [PATCH 33/41] [int]
---
 roles/sqlite-for-hedgedoc/defaults/main.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/sqlite-for-hedgedoc/defaults/main.json b/roles/sqlite-for-hedgedoc/defaults/main.json
index dcebc0b..3c547f8 100644
--- a/roles/sqlite-for-hedgedoc/defaults/main.json
+++ b/roles/sqlite-for-hedgedoc/defaults/main.json
@@ -1,5 +1,5 @@
 {
- "cfg_sqlite_for_hedgedoc": {
+ "cfg_sqlite_for_hedgedoc_defaults": {
 "path": "/var/hedgedoc/data.sqlite",
 "user_name": "hedgedoc"
 }
-- 2.47.3
From bde16e09a98f293216ce6c4d5c7354d030f3475c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Wed, 8 Oct 2025 11:36:39 +0200
Subject: [PATCH 34/41] [int]
---
 roles/hedgedoc/tasks/main.json | 25 ++++++++++++++++++++
 roles/sqlite-for-hedgedoc/cfg.schema.json | 19 ---------------
 roles/sqlite-for-hedgedoc/defaults/main.json | 6 -----
 roles/sqlite-for-hedgedoc/tasks/main.json | 20 ----------------
 4 files changed, 25 insertions(+), 45 deletions(-)
 delete mode 100644 roles/sqlite-for-hedgedoc/cfg.schema.json
 delete mode 100644 roles/sqlite-for-hedgedoc/defaults/main.json
 delete mode 100644 roles/sqlite-for-hedgedoc/tasks/main.json
diff --git a/roles/hedgedoc/tasks/main.json b/roles/hedgedoc/tasks/main.json index 8b97d27..b1325ea 100644 --- a/roles/hedgedoc/tasks/main.json +++ b/roles/hedgedoc/tasks/main.json @@ -38,6 +38,31 @@ "home": "{{cfg_hedgedoc.directory}}" } }, + { + "name": "database", + "when": "cfg_hedgedoc.database.kind == 'sqlite'", + "block": [ + { + "name": "database | directory", + "become": true, + "ansible.builtin.file": { + "state": "directory", + "path": "{{cfg_hedgedoc.database.data.path | dirname}}", + "owner": "{{cfg_hedgedoc.user_name}}" + } + }, + { + "name": "database | file", + "become": true, + "ansible.builtin.file": { + "state": "touch", + "path": "{{cfg_hedgedoc.database.data.path}}", + "owner": "{{cfg_hedgedoc.user_name}}" + } + } + ] + + }, { "name": "download", "become": false, diff --git a/roles/sqlite-for-hedgedoc/cfg.schema.json b/roles/sqlite-for-hedgedoc/cfg.schema.json deleted file mode 100644 index d6a5f43..0000000 --- a/roles/sqlite-for-hedgedoc/cfg.schema.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "nullable": false, - "type": "object", - "properties": { - "path": { - "nullable": false, - "type": "string", - "default": "/var/hedgedoc/data.sqlite" - }, - "user_name": { - "nullable": false, - "type": "string", - "default": "hedgedoc" - } - }, - "additionalProperties": false, - "required": [ - ] -} diff --git a/roles/sqlite-for-hedgedoc/defaults/main.json b/roles/sqlite-for-hedgedoc/defaults/main.json deleted file mode 100644 index 3c547f8..0000000 --- a/roles/sqlite-for-hedgedoc/defaults/main.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "cfg_sqlite_for_hedgedoc_defaults": { - "path": "/var/hedgedoc/data.sqlite", - "user_name": "hedgedoc" - } -} diff --git a/roles/sqlite-for-hedgedoc/tasks/main.json b/roles/sqlite-for-hedgedoc/tasks/main.json deleted file mode 100644 index 2af265b..0000000 --- a/roles/sqlite-for-hedgedoc/tasks/main.json +++ /dev/null 
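Review bot: The new `database | file` task creates the SQLite database with `state: touch` and only `owner`, so on first creation the file gets the default umask (typically 0644) and every local account can read the notes database; `"mode": "0600"` on the file task limits it to `cfg_hedgedoc.user_name`. `state: touch` also rewrites the timestamps on every run, so the task reports changed each time; `"modification_time": "preserve", "access_time": "preserve"` keeps it idempotent. The stray blank line before the block's closing `},` should go.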
@@ -1,20 +0,0 @@ -[ - { - "name": "directory", - "become": true, - "ansible.builtin.file": { - "state": "directory", - "path": "{{cfg_sqlite_for_hedgedoc.path | dirname}}", - "owner": "{{cfg_sqlite_for_hedgedoc.user_name}}" - } - }, - { - "name": "file", - "become": true, - "ansible.builtin.file": { - "state": "touch", - "path": "{{cfg_sqlite_for_hedgedoc.path}}", - "owner": "{{cfg_sqlite_for_hedgedoc.user_name}}" - } - } -] -- 2.47.3 From 17df903e147fc58574a5ee65fb3f448e921661ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 8 Oct 2025 11:55:25 +0200 Subject: [PATCH 35/41] [int] --- roles/hedgedoc-and-nginx/templates/conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/hedgedoc-and-nginx/templates/conf.j2 b/roles/hedgedoc-and-nginx/templates/conf.j2 index b6c6521..2212af7 100644 --- a/roles/hedgedoc-and-nginx/templates/conf.j2 +++ b/roles/hedgedoc-and-nginx/templates/conf.j2 @@ -29,7 +29,7 @@ server { listen 80; listen [::]:80; -{% if (var_element_and_nginx_tls_mode == 'force') %} +{% if (cfg_hedgedoc_and_nginx.tls_mode == 'force') %} return 301 https://$http_host$request_uri; {% else %} {{ hedgedoc_common() }} -- 2.47.3 From c70362e5efc4c5348e96ad024358d27c7edc6f98 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 8 Oct 2025 12:26:20 +0200 Subject: [PATCH 36/41] [int] --- roles/hedgedoc/cfg.schema.json | 312 +++++++++++------------- roles/hedgedoc/defaults/main.json | 22 +- roles/hedgedoc/tasks/main.json | 4 +- roles/hedgedoc/templates/config.json.j2 | 24 +- 4 files changed, 178 insertions(+), 184 deletions(-) diff --git a/roles/hedgedoc/cfg.schema.json b/roles/hedgedoc/cfg.schema.json index 11bd79b..d45def3 100644 --- a/roles/hedgedoc/cfg.schema.json +++ b/roles/hedgedoc/cfg.schema.json 
@@ -27,205 +27,181 @@ "default": "hedgedoc.example.org" }, "database": { - "anyOf": [ - { + "nullable": false, + "type": "object", + "properties": { + "kind": { "nullable": false, - "type": "object", - "properties": { - "kind": { - "nullable": false, - "type": "string", - "enum": ["sqlite"] - }, - "data": { - "nullable": false, - "type": "object", - "properties": { - "path": { - "nullable": false, - "type": "string", - "default": "/var/hedgedoc/data.sqlite" - } - }, - "additionalProperties": false, - "required": [ - ], - "default": { - } - } - }, - "additionalProperties": false, - "required": [ - "kind" - ] + "type": "string", + "enum": [ + "sqlite", + "postgresql" + ], + "default": "sqlite" }, - { - "nullable": false, - "type": "object", - "properties": { - "kind": { - "nullable": false, - "type": "string", - "enum": ["postgresql"] - }, - "data": { + "data": { + "anyOf": [ + { "nullable": false, "type": "object", "properties": { - "host": { + "sqlite": { "nullable": false, - "type": "string", - "default": "localhost" - }, - "port": { - "nullable": false, - "type": "integer", - "default": 5432 - }, - "username": { - "nullable": false, - "type": "string", - "default": "hedgedoc_user" - }, - "password": { - "nullable": false, - "type": "string" - }, - "schema": { - "nullable": false, - "type": "string", - "default": "hedgedoc" + "type": "object", + "properties": { + "path": { + "nullable": false, + "type": "string", + "default": "/var/hedgedoc/data.sqlite" + } + }, + "additionalProperties": false, + "required": [ + ], + "default": { + } } }, "additionalProperties": false, "required": [ - "password" + "sqlite" + ] + }, + { + "nullable": false, + "type": "object", + "properties": { + "postgresql": { + "nullable": false, + "type": "object", + "properties": { + "host": { + "nullable": false, + "type": "string", + "default": "localhost" + }, + "port": { + "nullable": false, + "type": "integer", + "default": 5432 + }, + "username": { + "nullable": false, + "type": 
"string", + "default": "hedgedoc_user" + }, + "password": { + "nullable": false, + "type": "string" + }, + "schema": { + "nullable": false, + "type": "string", + "default": "hedgedoc" + } + }, + "additionalProperties": false, + "required": [ + "password" + ] + } + }, + "additionalProperties": false, + "required": [ + "postgresql" ] } - }, - "additionalProperties": false, - "required": [ - "kind", - "data" - ] - }, - { - "nullable": false, - "type": "object", - "properties": { - "kind": { - "nullable": false, - "type": "string", - "enum": ["mariadb"] - }, - "data": { - "nullable": false, - "type": "object", - "properties": { - "host": { - "nullable": false, - "type": "string", - "default": "localhost" - }, - "port": { - "nullable": false, - "type": "integer", - "default": 3306 - }, - "username": { - "nullable": false, - "type": "string", - "default": "hedgedoc_user" - }, - "password": { - "nullable": false, - "type": "string" - }, - "schema": { - "nullable": false, - "type": "string", - "default": "hedgedoc" - } - }, - "additionalProperties": false, - "required": [ - "password" - ] - } - }, - "additionalProperties": false, - "required": [ - "kind", - "data" ] } + }, + "additionalProperties": false, + "required": [ + "kind", + "data" ] }, "authentication": { - "anyOf": [ - { + "nullable": false, + "type": "object", + "properties": { + "kind": { "nullable": false, - "type": "object", - "properties": { - "kind": { - "nullable": false, - "type": "string", - "enum": ["internal"] - }, - "data": { - "nullable": false, - "type": "object", - "properties": { - }, - "additionalProperties": false, - "required": [ - ] - } - }, - "additionalProperties": false, - "required": [ - "kind" - ] + "type": "string", + "enum": [ + "internal", + "authelia" + ], + "default": "internal" }, - { - "nullable": false, - "type": "object", - "properties": { - "kind": { - "nullable": false, - "type": "string", - "enum": ["authelia"] - }, - "data": { + "data": { + "anyOf": [ + { "nullable": false, 
"type": "object", "properties": { - "url_base": { + "internal": { "nullable": false, - "type": "string" - }, - "client_id": { - "nullable": false, - "type": "string", - "default": "hedgedoc" - }, - "client_secret": { - "nullable": false, - "type": "string" + "type": "object", + "properties": { + }, + "additionalProperties": false, + "required": [ + ], + "default": { + } } }, "additionalProperties": false, "required": [ - "url_base", - "client_secret" + "internal" + ] + }, + { + "nullable": false, + "type": "object", + "properties": { + "authelia": { + "nullable": false, + "type": "object", + "properties": { + "url_base": { + "nullable": false, + "type": "string" + }, + "client_id": { + "nullable": false, + "type": "string", + "default": "hedgedoc" + }, + "client_secret": { + "nullable": false, + "type": "string" + }, + "provider_name": { + "nullable": false, + "type": "string", + "default": "Authelia" + } + }, + "additionalProperties": false, + "required": [ + "url_base", + "client_secret" + ] + } + }, + "additionalProperties": false, + "required": [ + "authelia" ] } - }, - "additionalProperties": false, - "required": [ - "kind" ] } + }, + "additionalProperties": false, + "required": [ + "kind", + "data" ] }, "log_level": { diff --git a/roles/hedgedoc/defaults/main.json b/roles/hedgedoc/defaults/main.json index 98e2b3d..11a2904 100644 --- a/roles/hedgedoc/defaults/main.json +++ b/roles/hedgedoc/defaults/main.json @@ -6,11 +6,29 @@ "database": { "kind": "sqlite", "data": { - "path": "/var/hedgedoc/data.sqlite" + "sqlite": { + "path": "/var/hedgedoc/data.sqlite" + }, + "postgresql": { + "host": "localhost", + "port": 5432, + "username": "hedgedoc_user", + "password": "hedgedoc", + "schema": "hedgedoc" + } } }, "authentication": { - "kind": "internal" + "kind": "internal", + "data": { + "internal": { + }, + "authelia": { + "client_id": "hedgedoc", + "client_secret": "hedgedoc", + "provider_name": "Authelia" + } + } }, "log_level": "error", "guest_allow_create": false, 
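Review bot: The restructured `database` and `authentication` objects validate `kind` and `data` independently — `kind` is an enum, `data` an `anyOf` over `{sqlite}` / `{postgresql}` (and `{internal}` / `{authelia}`) — so a config with `kind: postgresql` and only `data.sqlite` passes the schema, and config.json.j2 then hits the undefined `data.postgresql` values in its postgresql branch. If the validator supports draft-7 conditionals, an `if`/`then` per kind, e.g. `"if": {"properties": {"kind": {"const": "postgresql"}}}, "then": {"properties": {"data": {"required": ["postgresql"]}}}`, restores the coupling that the previous one-object-per-kind `anyOf` expressed. Worth a comment in the schema either way, since the decoupling is easy to miss.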
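Review bot: The defaults now ship `"password": "hedgedoc"` for PostgreSQL and `"client_secret": "hedgedoc"` for Authelia, whereas the schema in this patch marks both as required with no default and the earlier defaults used `REPLACE_ME`; with a working value present the required check never fires, and a deployment that forgets to override ends up with a guessable database password and OAuth client secret. Dropping the two lines lets the schema enforce them, or keep an obviously invalid placeholder as before. Separately, this defaults object sets both `data.sqlite` and `data.postgresql` (and both `data.internal` and `data.authelia`) while each `anyOf` branch in the schema has `additionalProperties: false`; if the defaults are merged with the user config before validation, the merged object is rejected — worth checking how `cfg_hedgedoc` is assembled from `cfg_hedgedoc_defaults`.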
diff --git a/roles/hedgedoc/tasks/main.json b/roles/hedgedoc/tasks/main.json
index b1325ea..626c6cc 100644
--- a/roles/hedgedoc/tasks/main.json
+++ b/roles/hedgedoc/tasks/main.json
@@ -47,7 +47,7 @@
 "become": true,
 "ansible.builtin.file": {
 "state": "directory",
- "path": "{{cfg_hedgedoc.database.data.path | dirname}}",
+ "path": "{{cfg_hedgedoc.database.data.sqlite.path | dirname}}",
 "owner": "{{cfg_hedgedoc.user_name}}"
 }
 },
@@ -56,7 +56,7 @@
 "become": true,
 "ansible.builtin.file": {
 "state": "touch",
- "path": "{{cfg_hedgedoc.database.data.path}}",
+ "path": "{{cfg_hedgedoc.database.sqlite.data.path}}",
 "owner": "{{cfg_hedgedoc.user_name}}"
 }
 }
diff --git a/roles/hedgedoc/templates/config.json.j2 b/roles/hedgedoc/templates/config.json.j2
index b4dddc1..2dc3b76 100644
--- a/roles/hedgedoc/templates/config.json.j2
+++ b/roles/hedgedoc/templates/config.json.j2
@@ -4,17 +4,17 @@
 {% if cfg_hedgedoc.database.kind == 'sqlite' %}
 "db": {
 "dialect": "sqlite",
- "storage": "{{cfg_hedgedoc.database.data.path}}"
+ "storage": "{{cfg_hedgedoc.database.data.sqlite.path}}"
 },
 {% endif %}
 {% if cfg_hedgedoc.database.kind == 'postgresql' %}
 "db": {
 "dialect": "postgres",
- "host": "{{cfg_hedgedoc.database.data.host}}",
- "port": {{cfg_hedgedoc.database.data.port | to_json}},
- "username": "{{cfg_hedgedoc.database.data.username}}",
- "password": "{{cfg_hedgedoc.database.data.password}}",
- "database": "{{cfg_hedgedoc.database.data.schema}}"
+ "host": "{{cfg_hedgedoc.database.data.postgresql.host}}",
+ "port": {{cfg_hedgedoc.database.data.postgresql.port | to_json}},
+ "username": "{{cfg_hedgedoc.database.data.postgresql.username}}",
+ "password": "{{cfg_hedgedoc.database.data.postgresql.password}}",
+ "database": "{{cfg_hedgedoc.database.data.postgresql.schema}}"
 },
 {% endif %}
 "sessionSecret": "{{cfg_hedgedoc.session_secret}}",
@@ -31,16 +31,16 @@ {% endif %} {% if cfg_hedgedoc.authentication.kind == 'authelia' %} "oauth2": { - "providerName": "{{cfg_hedgedoc.authentication.data.provider_name}}", - "clientID": "{{cfg_hedgedoc.authentication.data.client_id}}", - "clientSecret": "{{cfg_hedgedoc.authentication.data.client_secret}}", + "providerName": "{{cfg_hedgedoc.authentication.data.authelia.provider_name}}", + "clientID": "{{cfg_hedgedoc.authentication.data.authelia.client_id}}", + "clientSecret": "{{cfg_hedgedoc.authentication.data.authelia.client_secret}}", "scope": "openid email profile", "userProfileUsernameAttr": "sub", "userProfileDisplayNameAttr": "name", "userProfileEmailAttr": "email", - "userProfileURL": "{{cfg_hedgedoc.authentication.data.url_base}}/api/oidc/userinfo", - "tokenURL": "{{cfg_hedgedoc.authentication.data.url_base}}/api/oidc/token", - "authorizationURL": "{{cfg_hedgedoc.authentication.data.url_base}}/api/oidc/authorization" + "userProfileURL": "{{cfg_hedgedoc.authentication.data.authelia.url_base}}/api/oidc/userinfo", + "tokenURL": "{{cfg_hedgedoc.authentication.data.authelia.url_base}}/api/oidc/token", + "authorizationURL": "{{cfg_hedgedoc.authentication.data.authelia.url_base}}/api/oidc/authorization" }, "email": false, "allowEmailRegister": false, -- 2.47.3 From b21bb503c2f12007f74525edb3fe1e83c2dba74a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 8 Oct 2025 12:30:44 +0200 Subject: [PATCH 37/41] [int] --- roles/hedgedoc/tasks/main.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/hedgedoc/tasks/main.json b/roles/hedgedoc/tasks/main.json index 626c6cc..6b03c33 100644 --- a/roles/hedgedoc/tasks/main.json +++ b/roles/hedgedoc/tasks/main.json @@ -56,7 +56,7 @@ "become": true, "ansible.builtin.file": { "state": "touch", - "path": "{{cfg_hedgedoc.database.sqlite.data.path}}", + "path": "{{cfg_hedgedoc.database.data.sqlite.path}}", "owner": "{{cfg_hedgedoc.user_name}}" } } -- 2.47.3 
From 1b86f871e59659c6b4c6593d1cdb21125f472b03 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 8 Oct 2025 12:44:42 +0200 Subject: [PATCH 38/41] [int] --- roles/hedgedoc/cfg.schema.json | 2 +- roles/hedgedoc/defaults/main.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/hedgedoc/cfg.schema.json b/roles/hedgedoc/cfg.schema.json index d45def3..b6cc54b 100644 --- a/roles/hedgedoc/cfg.schema.json +++ b/roles/hedgedoc/cfg.schema.json @@ -15,7 +15,7 @@ "version": { "nullable": false, "type": "string", - "version": "1.9.9" + "version": "1.10.3" }, "session_secret": { "nullable": false, diff --git a/roles/hedgedoc/defaults/main.json b/roles/hedgedoc/defaults/main.json index 11a2904..8f0fd47 100644 --- a/roles/hedgedoc/defaults/main.json +++ b/roles/hedgedoc/defaults/main.json @@ -2,7 +2,7 @@ "cfg_hedgedoc_defaults": { "user_name": "hedgedoc", "directory": "/opt/hedgedoc", - "version": "1.9.9", + "version": "1.10.3", "database": { "kind": "sqlite", "data": { -- 2.47.3 From 520314d9326822882a1b3eb0ce70e2a01c5932ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 8 Oct 2025 13:23:28 +0200 Subject: [PATCH 39/41] [int] --- roles/dokuwiki-and-nginx/templates/conf.j2 | 2 +- roles/dokuwiki/tasks/main.json | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/dokuwiki-and-nginx/templates/conf.j2 b/roles/dokuwiki-and-nginx/templates/conf.j2 index e5e5252..bd54dce 100644 --- a/roles/dokuwiki-and-nginx/templates/conf.j2 +++ b/roles/dokuwiki-and-nginx/templates/conf.j2 @@ -37,7 +37,7 @@ include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param REDIRECT_STATUS 200; - fastcgi_pass unix:/var/run/php/php8.2-fpm.sock; + fastcgi_pass unix:/var/run/php/php8.4-fpm.sock; # fastcgi_pass unix:/var/run/php5-fpm.sock; #old php version } {% endmacro %} 
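Review bot: `fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;` pins the socket to PHP 8.4, but the dokuwiki task file in the same patch switches to the unversioned `php-fpm`/`php-xml` packages, whose socket name follows whatever PHP version the distribution's metapackage installs, and patch 41 later in this series puts the tasks back to `php8.2-fpm`/`php8.2-xml` while this template stays at 8.4. In that final state nginx would point at a socket the installed FPM does not create. Either pin both files to the same version, or derive the socket path from one role variable for the PHP version that both the package list and this template consume. The macro enclosing this block begins outside the hunk.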
diff --git a/roles/dokuwiki/tasks/main.json b/roles/dokuwiki/tasks/main.json index f404c5b..6baa11e 100644 --- a/roles/dokuwiki/tasks/main.json +++ b/roles/dokuwiki/tasks/main.json @@ -5,8 +5,8 @@ "ansible.builtin.apt": { "pkg": [ "unzip", - "php8.2-fpm", - "php8.2-xml" + "php-fpm", + "php-xml" ] } }, -- 2.47.3 From 13c84c7c70f736b40a608ce34ad1ada73704f24c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 8 Oct 2025 18:22:02 +0200 Subject: [PATCH 40/41] [int] --- roles/owncloud/info.md | 1 + roles/owncloud/tasks/main.json | 2 +- roles/owncloud/templates/env.j2 | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/owncloud/info.md b/roles/owncloud/info.md index 962bd4f..d8d8e95 100644 --- a/roles/owncloud/info.md +++ b/roles/owncloud/info.md @@ -19,6 +19,7 @@ Cloud-Plattform [ownCloud](https://owncloud.com/) (the rewrite in Go named "Infi ## Bemerkungen - die `.ocis/config/ocis.yaml` wird erzeugt auf Grundlage der `.env` +- `.ocis/config/ocis.yaml` sollte niemals einfach neu erstellt werden, da man sich sonst nicht mehr einloggen kann - wenn man sich plötzlich nicht mehr über OIDC anmelden kann, kann das daran lieget, dass `.ocis/idm/ldap.crt` abgelaufen ist — siehe dazu [diesen Thread](https://central.owncloud.org/t/certificate-error-after-upgrade-to-5-0-0-from-4-0-6/47824/7); man könnte auch `OCIS_LDAP_INSECURE` auf `true` setzen, aber naja… diff --git a/roles/owncloud/tasks/main.json b/roles/owncloud/tasks/main.json index 4bfed90..af5b1b3 100644 --- a/roles/owncloud/tasks/main.json +++ b/roles/owncloud/tasks/main.json @@ -64,7 +64,7 @@ "become_user": "{{cfg_owncloud.user}}", "ansible.builtin.shell": { "chdir": "{{cfg_owncloud.directory}}", - "cmd": "rm -f {{cfg_owncloud.directory}}/.ocis/config/ocis.yaml && ./ocis init --insecure no --admin-password={{cfg_owncloud.admin_password}}" + "cmd": "./ocis init --insecure no --admin-password={{cfg_owncloud.admin_password}}" } }, { 
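Review bot: Removing the `rm -f …/.ocis/config/ocis.yaml &&` prefix matches the note added to `info.md` in this patch, but `./ocis init` now runs against an existing config on every play; unless `ocis init` treats an existing file as a no-op, re-runs will fail or, worse, regenerate it. Adding `"creates": "{{cfg_owncloud.directory}}/.ocis/config/ocis.yaml"` to the `ansible.builtin.shell` task makes it skip once the file exists and documents the intent. Separately, the admin password is still passed on the command line as `--admin-password={{cfg_owncloud.admin_password}}`, which is echoed in the play output; the task should carry `"no_log": true` so the secret does not land in Ansible logs. The task dictionary begins outside the hunk.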
diff --git a/roles/owncloud/templates/env.j2 b/roles/owncloud/templates/env.j2 index 642330f..e11062a 100644 --- a/roles/owncloud/templates/env.j2 +++ b/roles/owncloud/templates/env.j2 @@ -27,6 +27,7 @@ PROXY_TLS=false PROXY_AUTOPROVISION_ACCOUNTS=false {% endif %} {% if cfg_owncloud.authentication.kind == 'authelia' %} +OCIS_URL=https://{{cfg_owncloud.domain}} PROXY_OIDC_ISSUER={{cfg_owncloud.authentication.data.url_base}} PROXY_OIDC_REWRITE_WELLKNOWN=true PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none -- 2.47.3 From 767e53a2acdd78d36dd5bc9e24016a5e2140bd47 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 9 Oct 2025 01:24:55 +0200 Subject: [PATCH 41/41] [int] --- roles/authelia-for-hedgedoc/cfg.schema.json | 1 + roles/authelia-for-owncloud/cfg.schema.json | 10 +- .../authelia-client-conf-android.json.j2 | 2 +- .../authelia-client-conf-desktop.json.j2 | 2 +- roles/authelia/cfg.schema.json | 141 +++++--- roles/authelia/defaults/main.json | 3 - roles/dokuwiki/tasks/main.json | 4 +- roles/hedgedoc-and-nginx/vardef.json | 15 + roles/hedgedoc/cfg.schema.json | 332 +++++++++--------- roles/hedgedoc/defaults/main.json | 22 +- roles/nginx/cfg.schema.json | 5 +- roles/nginx/defaults/main.json | 3 +- roles/owncloud-and-nginx/cfg.schema.json | 5 +- roles/owncloud/cfg.schema.json | 27 +- tools/cfg-man | 179 ++++++++++ 15 files changed, 505 insertions(+), 246 deletions(-) create mode 100644 roles/hedgedoc-and-nginx/vardef.json create mode 100755 tools/cfg-man diff --git a/roles/authelia-for-hedgedoc/cfg.schema.json b/roles/authelia-for-hedgedoc/cfg.schema.json index b2da9bf..c8bf2cb 100644 --- a/roles/authelia-for-hedgedoc/cfg.schema.json +++ b/roles/authelia-for-hedgedoc/cfg.schema.json @@ -19,6 +19,7 @@ "additionalProperties": false, "required": [ "hedgedoc_url_base", + "client_id", "client_secret" ] } diff --git a/roles/authelia-for-owncloud/cfg.schema.json b/roles/authelia-for-owncloud/cfg.schema.json index 8df9dca..4532214 100644 
--- a/roles/authelia-for-owncloud/cfg.schema.json +++ b/roles/authelia-for-owncloud/cfg.schema.json @@ -68,12 +68,12 @@ "nullable": true, "type": "object", "properties": { - "ios_client_id": { + "client_id": { "nullable": false, "type": "string", "default": "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1" }, - "ios_client_secret": { + "client_secret": { "nullable": false, "type": "string", "default": "KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx" @@ -88,6 +88,10 @@ }, "additionalProperties": false, "required": [ - "owncloud_url_base" + "owncloud_url_base", + "web", + "desktop", + "android", + "ios" ] } diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2 index d21c360..7c39744 100644 --- a/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2 +++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2 @@ -2,7 +2,7 @@ "client_id": "{{cfg_authelia_for_owncloud.android.client_id}}", "client_secret": "{{temp_authelia_for_owncloud_android_client_secret_hashed.stdout}}", "client_name": "ownCloud | Android Client", - + "public": false, "authorization_policy": "one_factor", "require_pkce": true, diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2 index e314bf2..2b33bf2 100644 --- a/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2 +++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2 @@ -2,7 +2,7 @@ "client_id": "{{cfg_authelia_for_owncloud.desktop.client_id}}", "client_secret": "{{temp_authelia_for_owncloud_desktop_client_secret_hashed.stdout}}", "client_name": "ownCloud | Desktop Client", - + "public": false, "authorization_policy": "one_factor", "require_pkce": true, 
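Review bot: The renamed `client_id`/`client_secret` properties in the `ios` block keep fixed `default` values, so every deployment of this role registers the same iOS client secret; these look like the credentials shipped with the official ownCloud iOS app, in which case they are effectively public and should be documented as such. A short `info.md` entry stating that the default secret provides no confidentiality and that these clients rely on PKCE (the android and desktop templates in this patch already carry `require_pkce: true`) would stop a maintainer from treating it as a per-deployment secret. If the role is also meant to support custom-built clients, the defaults should instead be removed so the schema forces an explicit value, as it now does for `owncloud_url_base`.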
diff --git a/roles/authelia/cfg.schema.json b/roles/authelia/cfg.schema.json index 8efff86..30ca12f 100644 --- a/roles/authelia/cfg.schema.json +++ b/roles/authelia/cfg.schema.json @@ -7,10 +7,30 @@ "type": "string", "default": "0.0.0.0" }, + "domain": { + "nullable": false, + "type": "string" + }, + "session_domain": { + "nullable": false, + "type": "string" + }, + "redirect_url": { + "nullable": false, + "type": "string" + }, "jwt_secret": { "nullable": false, "type": "string" }, + "session_secret": { + "nullable": false, + "type": "string" + }, + "storage_encryption_key": { + "nullable": false, + "type": "string" + }, "users_file_path": { "nullable": false, "type": "string", @@ -21,29 +41,6 @@ "type": "string", "default": "/var/authelia/log.jsonl" }, - "domain": { - "nullable": false, - "type": "string", - "default": "authelia.example.org" - }, - "redirect_url": { - "nullable": false, - "type": "string", - "default": "https://example.org" - }, - "session_domain": { - "nullable": false, - "type": "string", - "default": "example.org" - }, - "session_secret": { - "nullable": false, - "type": "string" - }, - "storage_encryption_key": { - "nullable": false, - "type": "string" - }, "storage": { "anyOf": [ { @@ -53,7 +50,8 @@ "kind": { "nullable": false, "type": "string", - "enum": ["sqlite"] + "enum": ["sqlite"], + "default": "sqlite" }, "data": { "nullable": false, @@ -67,6 +65,7 @@ }, "additionalProperties": false, "required": [ + "path" ], "default": { } @@ -74,8 +73,11 @@ }, "additionalProperties": false, "required": [ - "kind" - ] + "kind", + "data" + ], + "default": { + } }, { "nullable": false, @@ -117,15 +119,23 @@ }, "additionalProperties": false, "required": [ - "password" - ] + "host", + "port", + "username", + "password", + "schema" + ], + "default": { + } } }, "additionalProperties": false, "required": [ "kind", "data" - ] + ], + "default": { + } }, { "nullable": false, 
@@ -167,22 +177,30 @@ }, "additionalProperties": false, "required": [ - "password" - ] + "host", + "port", + "username", + "password", + "schema" + ], + "default": { + } } }, "additionalProperties": false, "required": [ "kind", "data" - ] + ], + "default": { + } } ] }, "ntp_server": { "nullable": false, "type": "string", - "mandatory": false + "default": "time.cloudflare.com:123" }, "password_reset": { "nullable": false, @@ -201,6 +219,8 @@ }, "additionalProperties": false, "required": [ + "enabled", + "custom_url" ], "default": { } @@ -214,15 +234,22 @@ "kind": { "nullable": false, "type": "string", - "enum": ["file"] + "enum": ["file"], + "default": "file" }, "data": { "nullable": false, "type": "object", "properties": { + "path": { + "nullable": false, + "type": "string", + "default": "/var/authelia/notifications" + } }, "additionalProperties": false, "required": [ + "path" ], "default": { } @@ -230,8 +257,11 @@ }, "additionalProperties": false, "required": [ - "kind" - ] + "kind", + "data" + ], + "default": { + } }, { "nullable": false, @@ -240,7 +270,8 @@ "kind": { "nullable": false, "type": "string", - "enum": ["smtp"] + "enum": ["smtp"], + "default": "smtp" }, "data": { "nullable": false, @@ -248,8 +279,7 @@ "properties": { "host": { "nullable": false, - "type": "string", - "default": "smtp.example.org" + "type": "string" }, "port": { "nullable": false, @@ -273,7 +303,11 @@ }, "additionalProperties": false, "required": [ - "password" + "host", + "port", + "username", + "password", + "sender" ] } }, @@ -281,7 +315,9 @@ "required": [ "kind", "data" - ] + ], + "default": { + } } ] }, @@ -338,7 +374,7 @@ }, "additionalProperties": false, "required": [ - "acces_token", + "access_token", "refresh_token" ] }, 
@@ -384,15 +420,30 @@ }, "additionalProperties": false, "required": [ - "hmac_secret" - ] + "hmac_secret", + "lifespan", + "cors_endpoints" + ], + "default": { + } } }, "additionalProperties": false, "required": [ + "listen_address", + "domain", + "session_domain", + "redirect_url", "jwt_secret", "session_secret", "storage_encryption_key", + "users_file_path", + "log_file_path", + "storage", + "ntp_server", + "notification", "oidc" - ] + ], + "default": { + } } diff --git a/roles/authelia/defaults/main.json b/roles/authelia/defaults/main.json index cf65251..6b9e1f9 100644 --- a/roles/authelia/defaults/main.json +++ b/roles/authelia/defaults/main.json @@ -3,9 +3,6 @@ "listen_address": "0.0.0.0", "users_file_path": "/var/authelia/users.yml", "log_file_path": "/var/authelia/log.jsonl", - "domain": "authelia.example.org", - "redirect_url": "https://example.org", - "session_domain": "example.org", "storage": { "kind": "sqlite", "data": { diff --git a/roles/dokuwiki/tasks/main.json b/roles/dokuwiki/tasks/main.json index 6baa11e..f404c5b 100644 --- a/roles/dokuwiki/tasks/main.json +++ b/roles/dokuwiki/tasks/main.json @@ -5,8 +5,8 @@ "ansible.builtin.apt": { "pkg": [ "unzip", - "php-fpm", - "php-xml" + "php8.2-fpm", + "php8.2-xml" ] } }, diff --git a/roles/hedgedoc-and-nginx/vardef.json b/roles/hedgedoc-and-nginx/vardef.json new file mode 100644 index 0000000..b78ac7a --- /dev/null +++ b/roles/hedgedoc-and-nginx/vardef.json @@ -0,0 +1,15 @@ +{ + "domain": { + "type": "string", + "mandatory": false + }, + "tls_mode": { + "type": "string", + "options": [ + "disable", + "enable", + "force" + ], + "mandatory": false + } +} diff --git a/roles/hedgedoc/cfg.schema.json b/roles/hedgedoc/cfg.schema.json index b6cc54b..d2dc549 100644 --- a/roles/hedgedoc/cfg.schema.json +++ b/roles/hedgedoc/cfg.schema.json 
@@ -15,207 +15,189 @@ "version": { "nullable": false, "type": "string", - "version": "1.10.3" + "default": "1.10.3" + }, + "domain": { + "nullable": false, + "type": "string" }, "session_secret": { "nullable": false, "type": "string" }, - "domain": { - "nullable": false, - "type": "string", - "default": "hedgedoc.example.org" - }, "database": { - "nullable": false, - "type": "object", - "properties": { - "kind": { + "anyOf": [ + { "nullable": false, - "type": "string", - "enum": [ - "sqlite", - "postgresql" - ], - "default": "sqlite" - }, - "data": { - "anyOf": [ - { + "type": "object", + "properties": { + "kind": { "nullable": false, - "type": "object", - "properties": { - "sqlite": { - "nullable": false, - "type": "object", - "properties": { - "path": { - "nullable": false, - "type": "string", - "default": "/var/hedgedoc/data.sqlite" - } - }, - "additionalProperties": false, - "required": [ - ], - "default": { - } - } - }, - "additionalProperties": false, - "required": [ - "sqlite" - ] + "type": "string", + "enum": ["sqlite"], + "default": "sqlite" }, - { + "data": { "nullable": false, "type": "object", "properties": { - "postgresql": { + "path": { "nullable": false, - "type": "object", - "properties": { - "host": { - "nullable": false, - "type": "string", - "default": "localhost" - }, - "port": { - "nullable": false, - "type": "integer", - "default": 5432 - }, - "username": { - "nullable": false, - "type": "string", - "default": "hedgedoc_user" - }, - "password": { - "nullable": false, - "type": "string" - }, - "schema": { - "nullable": false, - "type": "string", - "default": "hedgedoc" - } - }, - "additionalProperties": false, - "required": [ - "password" - ] + "type": "string", + "default": "/var/hedgedoc/data.sqlite" } }, "additionalProperties": false, "required": [ - "postgresql" + "path" + ], + "default": { + } + } + }, + "additionalProperties": false, + "required": [ + "kind", + "data" + ] + }, + { + "nullable": false, + "type": "object", + "properties": { 
+ "kind": { + "nullable": false, + "type": "string", + "enum": ["postgresql"], + "default": "postgresql" + }, + "data": { + "nullable": false, + "type": "object", + "properties": { + "host": { + "nullable": false, + "type": "string", + "default": "localhost" + }, + "port": { + "nullable": false, + "type": "integer", + "default": 5432 + }, + "username": { + "nullable": false, + "type": "string", + "default": "hedgedoc_user" + }, + "password": { + "nullable": false, + "type": "string" + }, + "schema": { + "nullable": false, + "type": "string", + "default": "hedgedoc" + } + }, + "additionalProperties": false, + "required": [ + "host", + "port", + "username", + "password", + "schema" ] } + }, + "additionalProperties": false, + "required": [ + "kind", + "data" ] } - }, - "additionalProperties": false, - "required": [ - "kind", - "data" ] }, "authentication": { - "nullable": false, - "type": "object", - "properties": { - "kind": { + "anyOf": [ + { "nullable": false, - "type": "string", - "enum": [ - "internal", - "authelia" - ], - "default": "internal" - }, - "data": { - "anyOf": [ - { + "type": "object", + "properties": { + "kind": { "nullable": false, - "type": "object", - "properties": { - "internal": { - "nullable": false, - "type": "object", - "properties": { - }, - "additionalProperties": false, - "required": [ - ], - "default": { - } - } - }, - "additionalProperties": false, - "required": [ - "internal" - ] + "type": "string", + "enum": ["internal"], + "default": "internal" }, - { + "data": { "nullable": false, "type": "object", "properties": { - "authelia": { + }, + "additionalProperties": false, + "required": [ + ], + "default": { + } + } + }, + "additionalProperties": false, + "required": [ + "kind", + "data" + ] + }, + { + "nullable": false, + "type": "object", + "properties": { + "kind": { + "nullable": false, + "type": "string", + "enum": ["authelia"], + "default": "authelia" + }, + "data": { + "nullable": false, + "type": "object", + "properties": { + 
"url_base": { "nullable": false, - "type": "object", - "properties": { - "url_base": { - "nullable": false, - "type": "string" - }, - "client_id": { - "nullable": false, - "type": "string", - "default": "hedgedoc" - }, - "client_secret": { - "nullable": false, - "type": "string" - }, - "provider_name": { - "nullable": false, - "type": "string", - "default": "Authelia" - } - }, - "additionalProperties": false, - "required": [ - "url_base", - "client_secret" - ] + "type": "string" + }, + "client_id": { + "nullable": false, + "type": "string", + "default": "hedgedoc" + }, + "client_secret": { + "nullable": false, + "type": "string" + }, + "provider_name": { + "nullable": false, + "type": "string", + "default": "Authelia" } }, "additionalProperties": false, "required": [ - "authelia" - ] + "url_base", + "client_id", + "client_secret", + "provider_name" + ] } + }, + "additionalProperties": false, + "required": [ + "kind", + "data" ] } - }, - "additionalProperties": false, - "required": [ - "kind", - "data" ] }, - "log_level": { - "nullable": false, - "type": "string", - "enum": [ - "debug", - "verbose", - "info", - "warn", - "error" - ], - "default": "error" - }, "guest_allow_create": { "nullable": false, "type": "boolean", @@ -229,12 +211,38 @@ "free_names_mode": { "nullable": false, "type": "string", + "enum": [ + "never", + "authed", + "always" + ], "default": "authed" + }, + "log_level": { + "nullable": false, + "type": "string", + "enum": [ + "debug", + "verbose", + "info", + "warn", + "error" + ], + "default": "error" } }, "additionalProperties": false, "required": [ + "user_name", + "directory", + "version", "domain", - "session_secret" + "session_secret", + "database", + "authentication", + "guest_allow_create", + "guest_allow_change", + "free_names_mode", + "log_level" ] } diff --git a/roles/hedgedoc/defaults/main.json b/roles/hedgedoc/defaults/main.json index 8f0fd47..9f2da1f 100644 --- a/roles/hedgedoc/defaults/main.json 
+++ b/roles/hedgedoc/defaults/main.json @@ -6,33 +6,17 @@ "database": { "kind": "sqlite", "data": { - "sqlite": { - "path": "/var/hedgedoc/data.sqlite" - }, - "postgresql": { - "host": "localhost", - "port": 5432, - "username": "hedgedoc_user", - "password": "hedgedoc", - "schema": "hedgedoc" - } + "path": "/var/hedgedoc/data.sqlite" } }, "authentication": { "kind": "internal", "data": { - "internal": { - }, - "authelia": { - "client_id": "hedgedoc", - "client_secret": "hedgedoc", - "provider_name": "Authelia" - } } }, - "log_level": "error", "guest_allow_create": false, "guest_allow_change": false, - "free_names_mode": "authed" + "free_names_mode": "authed", + "log_level": "error" } } diff --git a/roles/nginx/cfg.schema.json b/roles/nginx/cfg.schema.json index b04f70f..13a8fcb 100644 --- a/roles/nginx/cfg.schema.json +++ b/roles/nginx/cfg.schema.json @@ -9,7 +9,7 @@ "default": null }, "dhparam_size": { - "nullable": false, + "nullable": true, "type": "integer", "default": null }, @@ -21,5 +21,8 @@ }, "additionalProperties": false, "required": [ + "auto_reload_interval", + "dhparam_size", + "improved_security" ] } diff --git a/roles/nginx/defaults/main.json b/roles/nginx/defaults/main.json index 21dfe39..e59898d 100644 --- a/roles/nginx/defaults/main.json +++ b/roles/nginx/defaults/main.json @@ -1,6 +1,7 @@ { "cfg_nginx_defaults": { "auto_reload_interval": null, - "dhparam_size": 2048 + "dhparam_size": null, + "improved_security": false } } diff --git a/roles/owncloud-and-nginx/cfg.schema.json b/roles/owncloud-and-nginx/cfg.schema.json index 974342b..070ca31 100644 --- a/roles/owncloud-and-nginx/cfg.schema.json +++ b/roles/owncloud-and-nginx/cfg.schema.json @@ -17,12 +17,15 @@ "default": "force" }, "maximum_upload_size": { + "nullable": false, "type": "string", "default": "1G" } }, "additionalProperties": false, "required": [ - "domain" + "domain", + "tls_mode", + "maximum_upload_size" ] } 
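Review bot: `dhparam_size` drops from `2048` to `null` in `roles/nginx/defaults/main.json` and the schema now marks it `nullable`, but nothing in the patch says what `null` selects — skipping DH parameter generation, or falling back to nginx's built-in parameters — so the TLS effect of the new default cannot be judged from the diff. The new `improved_security` flag likewise defaults to `false` with no description of what it enables. I would add a one-line comment per key in the role documentation, e.g. `dhparam_size: null = no dhparam file is generated; TLS uses nginx's built-in DH parameters` if that is indeed the behaviour, and state why the hardened profile is opt-in rather than the default for new deployments.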
diff --git a/roles/owncloud/cfg.schema.json b/roles/owncloud/cfg.schema.json index 1dde09d..6c3c59d 100644 --- a/roles/owncloud/cfg.schema.json +++ b/roles/owncloud/cfg.schema.json @@ -24,8 +24,7 @@ }, "domain": { "nullable": false, - "type": "string", - "default": "owncloud.example.org" + "type": "string" }, "admin_password": { "nullable": false, @@ -39,7 +38,8 @@ "properties": { "kind": { "type": "string", - "enum": ["internal"] + "enum": ["internal"], + "default": "internal" }, "data": { "nullable": false, @@ -55,7 +55,8 @@ }, "additionalProperties": false, "required": [ - "kind" + "kind", + "data" ] }, { @@ -64,7 +65,8 @@ "properties": { "kind": { "type": "string", - "enum": ["authelia"] + "enum": ["authelia"], + "default": "authelia" }, "data": { "nullable": false, @@ -86,6 +88,7 @@ }, "additionalProperties": false, "required": [ + "client_id" ], "default": { } @@ -93,7 +96,8 @@ }, "additionalProperties": false, "required": [ - "url_base" + "url_base", + "web" ] } }, @@ -127,6 +131,8 @@ }, "additionalProperties": false, "required": [ + "password_necessity", + "password_policy_active" ], "default": { } @@ -134,6 +140,13 @@ }, "additionalProperties": false, "required": [ - "admin_password" + "user", + "directory", + "version", + "platform", + "domain", + "admin_password", + "authentication", + "public_share" ] } diff --git a/tools/cfg-man b/tools/cfg-man new file mode 100755 index 0000000..6aa543b --- /dev/null +++ b/tools/cfg-man 
@@ -0,0 +1,179 @@ +#!/usr/bin/env python3 + +import os as _os +import sys as _sys +import json as _json +import argparse as _argparse + + +def convey( + x, + fs +): + y = x + for f in fs: + y = f(y) + return y + + +def file_read( + path +): + handle = open(path, "r") + content = handle.read() + handle.close() + return content + + +class interface_option(object): + def is_filled(self): + raise NotImplementedError() + def cull(self): + raise NotImplementedError() + def propagate(self, function): + raise NotImplementedError() + + +class class_option_empty(interface_option): + def __init__(self): + pass + def is_filled(self): + return False + def cull(self): + raise ValueError("cull from empty") + def propagate(self, function): + return class_option_empty() + + +class class_option_filled(interface_option): + def __init__(self, value): + self.value = value + def is_filled(self): + return True + def cull(self): + return self.value + def propagate(self, function): + return function(self.value) + + +def generate_defaults( + schema_node +): + if ("anyOf" in schema_node): + ## todo: o'rly? + return generate_defaults(schema_node["anyOf"][0]) + else: + if (not ("type" in schema_node)): + raise ValueError(":?") + else: + if (not (schema_node["type"] == "object")): + if (not ("default" in schema_node)): + return class_option_empty() + else: + return class_option_filled(schema_node["default"]) + else: + result = {} + for (key, value, ) in schema_node["properties"].items(): + sub_result = generate_defaults(value) + if (not sub_result.is_filled()): + pass + else: + result[key] = sub_result.cull() + return class_option_filled(result) + + +def generate_overrides( + schema_node +): + if ("anyOf" in schema_node): + ## todo: o'rly? 
+ return generate_overrides(schema_node["anyOf"][0]) + else: + if (not ("type" in schema_node)): + raise ValueError(":?") + else: + if (not (schema_node["type"] == "object")): + if ("default" in schema_node): + return class_option_empty() + else: + if ("enum" in schema_node): + return class_option_filled(schema_node["enum"][0]) + else: + if (schema_node.get("nullable", False)): + return class_option_filled(None) + else: + if (schema_node["type"] == "boolean"): + return class_option_filled(False) + elif (schema_node["type"] == "integer"): + return class_option_filled(0) + elif (schema_node["type"] == "number"): + return class_option_filled(0) + elif (schema_node["type"] == "string"): + return class_option_filled("") + else: + raise ValueError("unhandled type: %s" % schema_node["type"]) + else: + result = {} + for (key, value, ) in schema_node["properties"].items(): + sub_result = generate_overrides(value) + if (not sub_result.is_filled()): + pass + else: + result[key] = sub_result.cull() + return ( + class_option_empty() + if (len(result) <= 0) else + class_option_filled(result) + ) + + +def role_name_derive( + role_name +): + return role_name.replace("-", "_") + + +def main( +): + ## args + argument_parser = _argparse.ArgumentParser() + argument_parser.add_argument( + "action", + type = str, + choices = [ + "defaults", + "overrides", + ], + metavar = "", + ) + argument_parser.add_argument( + "role", + type = str, + metavar = "", + ) + args = argument_parser.parse_args() + + ## exec + cfg_schema = convey( + args.role, + [ + lambda x: _os.path.join("roles", x, "cfg.schema.json"), + file_read, + _json.loads, + ] + ) + if args.action == "defaults": + raw = generate_defaults(cfg_schema) + key = ("cfg_%s_defaults" % (role_name_derive(args.role))) + result = {key: (raw.cull() if raw.is_filled() else {})} + _sys.stdout.write(_json.dumps(result, indent = "\t") + "\n") + elif args.action == "overrides": + raw = generate_overrides(cfg_schema) + key = ("cfg_%s_overrides" % 
(role_name_derive(args.role))) + result = {key: (raw.cull() if raw.is_filled() else {})} + _sys.stdout.write(_json.dumps(result, indent = "\t") + "\n") + else: + raise ValueError("invalid action: %s" % args.action) + + +main() -- 2.47.3
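Review bot: `file_read` opens the schema with a bare `open`/`close`, so an exception from `read()` leaks the handle and the decoding depends on the locale; `with open(path, "r", encoding="utf-8") as handle:` followed by `return handle.read()` fixes both. The script also calls `main()` unconditionally at module level, which makes the helpers untestable by import; the usual `if __name__ == "__main__": main()` guard costs nothing. In `generate_overrides`, every `string` property without a `default` — which in these schemas are the secrets (`session_secret`, `client_secret`, `password`) — is emitted as `""`, so a generated overrides file contains empty credentials that are easy to deploy unnoticed; a recognisable placeholder string would make an unfilled secret obvious at review time. The `anyOf` handling that always takes the first alternative already carries a todo, but a docstring on `generate_defaults` should state that the generated defaults therefore describe only the first variant (sqlite/internal in the current schemas).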