From 14ff9dfc9fa135029fe8d56678a022d1a5510162 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Wed, 20 Mar 2024 20:47:09 +0100
Subject: [PATCH] [mod] role:gitlab

---
 ansible/roles/gitlab/defaults/main.json | 11 ++++----
 ansible/roles/gitlab/info.md | 1 +
 ansible/roles/gitlab/templates/gitlab.rb.j2 | 25 ++++++++++-------
 ansible/roles/gitlab/vardef.json | 30 +++++++++++++++++++++
 4 files changed, 51 insertions(+), 16 deletions(-)
 create mode 100644 ansible/roles/gitlab/vardef.json

diff --git a/ansible/roles/gitlab/defaults/main.json b/ansible/roles/gitlab/defaults/main.json
index 9687f38..76a58b0 100644
--- a/ansible/roles/gitlab/defaults/main.json
+++ b/ansible/roles/gitlab/defaults/main.json
@@ -1,9 +1,8 @@
 {
 "var_gitlab_domain": "gitlab.example.org",
- "var_gitlab_oauth2_enable": false,
- "var_gitlab_oauth2_label": "external auth",
- "var_gitlab_oauth2_client_id": "gitlab",
- "var_gitlab_oauth2_client_secret": "REPLACE_ME",
- "var_gitlab_oauth2_issuer_url": "https://auth.example.org"
-
+ "var_gitlab_authentication_kind": "internal",
+ "var_gitlab_authentication_data_authelia_url_base": "https://authelia.example.org",
+ "var_gitlab_authentication_data_authelia_client_id": "gitlab",
+ "var_gitlab_authentication_data_authelia_client_secret": "REPLACE_ME",
+ "var_gitlab_authentication_data_authelia_label": "Authelia"
 }
diff --git a/ansible/roles/gitlab/info.md b/ansible/roles/gitlab/info.md
index 3a3f775..3031aba 100644
--- a/ansible/roles/gitlab/info.md
+++ b/ansible/roles/gitlab/info.md
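Review bot: The new default `"var_gitlab_authentication_data_authelia_client_secret": "REPLACE_ME"` keeps a literal placeholder as the OIDC client secret, so a host that sets `var_gitlab_authentication_kind` to `authelia` without overriding it renders a gitlab.rb whose `secret:` is a publicly known string, and nothing in the role stops that deployment. The new vardef.json in this commit declares the same variable with `"mandatory": false`, so the schema does not catch it either. Consider dropping the default for the secret so the template step fails on an undefined variable, or marking it mandatory in vardef.json when the authelia kind is selected, if the vardef format supports that. The `_url_base` and `_client_id` defaults are example values in the same sense, though far less sensitive.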
@@ -8,3 +8,4 @@ Software-Entwickler-Plattform [GitLab](https://about.gitlab.com/)
 - [Dokumentation | Install self-managed](https://about.gitlab.com/install/)
 - [LinuxTechi | How to Install GitLab on Debian 12 Step-by-Step](https://www.linuxtechi.com/how-to-install-gitlab-on-debian/)
 - [Dokumentation | Configuration](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md)
+- [Authelia | Dokumentation | Integration for GitLab](https://www.authelia.com/integration/openid-connect/gitlab/#application)
diff --git a/ansible/roles/gitlab/templates/gitlab.rb.j2 b/ansible/roles/gitlab/templates/gitlab.rb.j2
index c7044f6..3df9ca0 100644
--- a/ansible/roles/gitlab/templates/gitlab.rb.j2
+++ b/ansible/roles/gitlab/templates/gitlab.rb.j2
@@ -570,24 +570,29 @@ external_url 'http://{{var_gitlab_domain}}'
 # gitlab_rails['omniauth_auto_link_user'] = ['twitter']
 # gitlab_rails['omniauth_external_providers'] = ['twitter', 'google_oauth2']
 # gitlab_rails['omniauth_allow_bypass_two_factor'] = ['google_oauth2']
-{% if var_gitlab_oauth2_enable %}
+{% if var_gitlab_authentication_kind == 'internal' %}
+{% endif %}
+{% if var_gitlab_authentication_kind == 'authelia' %}
 gitlab_rails['omniauth_providers'] = [
 {
 name: "openid_connect",
- label: "{{var_gitlab_oauth2_client_label}}",
- # icon: "https://www.authelia.com/images/branding/logo-cropped.png",
+ label: "{{var_gitlab_authentication_data_authelia_label}}",
+ icon: "https://www.authelia.com/images/branding/logo-cropped.png",
 args: {
 name: "openid_connect",
- scope: ["openid","profile","email","groups"],
- response_type: "code",
- issuer: "{{var_gitlab_oauth2_issuer_url}}",
+ strategy_class: "OmniAuth::Strategies::OpenIDConnect",
+ issuer: "{{authentication_data_authelia_url_base}}",
 discovery: true,
- client_auth_method: "query",
+ scope: ["openid","profile","email","groups"],
+ client_auth_method: "basic",
+ response_type: "code",
+ response_mode: "query",
 uid_field: "preferred_username",
- send_scope_to_token_endpoint: "false",
+ send_scope_to_token_endpoint: true,
+ pkce: true,
 client_options: {
- identifier: "{{var_gitlab_oauth2_client_id}}",
- secret: ""{{var_gitlab_oauth2_client_secret}}",
+ identifier: "{{var_gitlab_authentication_data_authelia_client_id}}",
+ secret: "{{var_gitlab_authentication_data_authelia_client_secret}}",
 redirect_uri: "https://{{var_gitlab_domain}}/users/auth/openid_connect/callback"
 }
 }
diff --git a/ansible/roles/gitlab/vardef.json b/ansible/roles/gitlab/vardef.json
new file mode 100644
index 0000000..6124299
--- /dev/null
+++ b/ansible/roles/gitlab/vardef.json
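Review bot: The added `issuer: "{{authentication_data_authelia_url_base}}"` drops the `var_gitlab_` prefix that every other variable in this block carries and that defaults/main.json defines, so under Ansible's default strict undefined-variable handling the template task fails, and if undefined variables are tolerated the provider is rendered with an empty issuer and discovery has nowhere to go; it should read `issuer: "{{var_gitlab_authentication_data_authelia_url_base}}",`. The new `{% if var_gitlab_authentication_kind == 'internal' %}{% endif %}` branch is empty and could either be removed or carry a one-line comment such as `# internal authentication needs no omniauth provider` so the intent is explicit. It is not visible in this hunk whether `omniauth_block_auto_created_users` is configured for the new provider; worth confirming, since enabling an external OIDC login without it lets any Authelia account create a GitLab user. The `{% endif %}` closing the authelia branch and the closing `]` of the providers array lie outside the hunk.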
@@ -0,0 +1,30 @@
+{
+ "domain": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_kind": {
+ "type": "string",
+ "mandatory": false,
+ "options": [
+ "internal",
+ "authelia"
+ ]
+ },
+ "authentication_data_authelia_url_base": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_data_authelia_client_id": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_data_authelia_client_secret": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_data_authelia_label": {
+ "type": "string",
+ "mandatory": false
+ }
+}