[mod] role:gitlab

ansible/roles/gitlab/defaults/main.json

@@ -1,9 +1,8 @@
 {
 	"var_gitlab_domain": "gitlab.example.org",
-	"var_gitlab_oauth2_enable": false,
-	"var_gitlab_oauth2_label": "external auth",
-	"var_gitlab_oauth2_client_id": "gitlab",
-	"var_gitlab_oauth2_client_secret": "REPLACE_ME",
-	"var_gitlab_oauth2_issuer_url": "https://auth.example.org"
-
+	"var_gitlab_authentication_kind": "internal",
+	"var_gitlab_authentication_data_authelia_url_base": "https://authelia.example.org",
+	"var_gitlab_authentication_data_authelia_client_id": "gitlab",
+	"var_gitlab_authentication_data_authelia_client_secret": "REPLACE_ME",
+	"var_gitlab_authentication_data_authelia_label": "Authelia"
 }

ansible/roles/gitlab/info.md

@@ -8,3 +8,4 @@ Software-Entwickler-Plattform [GitLab](https://about.gitlab.com/)
 - [Dokumentation | Install self-managed](https://about.gitlab.com/install/)
 - [LinuxTechi | How to Install GitLab on Debian 12 Step-by-Step](https://www.linuxtechi.com/how-to-install-gitlab-on-debian/)
 - [Dokumentation | Configuration](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md)
+- [Authelia | Dokumentation | Integration for GitLab](https://www.authelia.com/integration/openid-connect/gitlab/#application)

ansible/roles/gitlab/templates/gitlab.rb.j2

@@ -570,24 +570,29 @@ external_url 'http://{{var_gitlab_domain}}'
 # gitlab_rails['omniauth_auto_link_user'] = ['twitter']
 # gitlab_rails['omniauth_external_providers'] = ['twitter', 'google_oauth2']
 # gitlab_rails['omniauth_allow_bypass_two_factor'] = ['google_oauth2']
-{% if var_gitlab_oauth2_enable %}
+{% if var_gitlab_authentication_kind == 'internal' %}
+{% endif %}
+{% if var_gitlab_authentication_kind == 'authelia' %}
 gitlab_rails['omniauth_providers'] = [
   {
     name: "openid_connect",
-    label: "{{var_gitlab_oauth2_client_label}}",
-    # icon: "https://www.authelia.com/images/branding/logo-cropped.png",
+    label: "{{var_gitlab_authentication_data_authelia_label}}",
+    icon: "https://www.authelia.com/images/branding/logo-cropped.png",
     args: {
       name: "openid_connect",
-      scope: ["openid","profile","email","groups"],
-      response_type: "code",
-      issuer: "{{var_gitlab_oauth2_issuer_url}}",
+      strategy_class: "OmniAuth::Strategies::OpenIDConnect",
+      issuer: "{{authentication_data_authelia_url_base}}",
       discovery: true,
-      client_auth_method: "query",
+      scope: ["openid","profile","email","groups"],
+      client_auth_method: "basic",
+      response_type: "code",
+      response_mode: "query",
       uid_field: "preferred_username",
-      send_scope_to_token_endpoint: "false",
+      send_scope_to_token_endpoint: true,
+      pkce: true,
       client_options: {
-        identifier: "{{var_gitlab_oauth2_client_id}}",
-        secret: ""{{var_gitlab_oauth2_client_secret}}",
+        identifier: "{{var_gitlab_authentication_data_authelia_client_id}}",
+        secret: "{{var_gitlab_authentication_data_authelia_client_secret}}",
         redirect_uri: "https://{{var_gitlab_domain}}/users/auth/openid_connect/callback"
       }
     }

ansible/roles/gitlab/vardef.json

@@ -0,0 +1,30 @@
+{
+	"domain": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_kind": {
+		"type": "string",
+		"mandatory": false,
+		"options": [
+			"internal",
+			"authelia"
+		]
+	},
+	"authentication_data_authelia_url_base": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_data_authelia_client_id": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_data_authelia_client_secret": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_data_authelia_label": {
+		"type": "string",
+		"mandatory": false
+	}
+}