From 762bb0c590b501e3d167648a7d4b7476f40091c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 15:07:55 +0100 Subject: [PATCH 01/15] [add] role:dokuwiki --- ansible/roles/dokuwiki/defaults/main.json | 4 + ansible/roles/dokuwiki/info.md | 4 + ansible/roles/dokuwiki/tasks/main.json | 52 ++++++ ansible/roles/dokuwiki/templates/conf.php.j2 | 179 +++++++++++++++++++ 4 files changed, 239 insertions(+) create mode 100644 ansible/roles/dokuwiki/defaults/main.json create mode 100644 ansible/roles/dokuwiki/info.md create mode 100644 ansible/roles/dokuwiki/tasks/main.json create mode 100644 ansible/roles/dokuwiki/templates/conf.php.j2
diff --git a/ansible/roles/dokuwiki/defaults/main.json b/ansible/roles/dokuwiki/defaults/main.json
new file mode 100644
index 0000000..d16f8f2
--- /dev/null
+++ b/ansible/roles/dokuwiki/defaults/main.json
@@ -0,0 +1,4 @@
+{
+ "var_dokuwiki_directory": "/opt/dokuwiki",
+ "var_dokuwiki_title": "DokuWiki"
+}
diff --git a/ansible/roles/dokuwiki/info.md b/ansible/roles/dokuwiki/info.md
new file mode 100644
index 0000000..d670d5c
--- /dev/null
+++ b/ansible/roles/dokuwiki/info.md
@@ -0,0 +1,4 @@
+## Beschreibung
+
+Für das leicht-gewichtige Wiki-System [DokuWiki](https://www.dokuwiki.org/dokuwiki)
+
diff --git a/ansible/roles/dokuwiki/tasks/main.json b/ansible/roles/dokuwiki/tasks/main.json
new file mode 100644
index 0000000..e451cd5
--- /dev/null
+++ b/ansible/roles/dokuwiki/tasks/main.json
@@ -0,0 +1,52 @@
+[
+ {
+ "name": "directory",
+ "become": true,
+ "ansible.builtin.file": {
+ "state": "directory",
+ "path": "{{var_dokuwiki_directory}}",
+ "owner": "www-data"
+ }
+ },
+ {
+ "name": "acquisition",
+ "ansible.builtin.url_get": {
+ "url": "https://download.dokuwiki.org/src/dokuwiki/dokuwiki-stable.tgz",
+ "dest": "/tmp/dokuwiki.tgz"
+ }
+ },
+ {
+ "name": "extraction",
+ "ansible.builtin.unarchive": {
+ "remote_src": true,
+ "src": "/tmp/dokuwiki.tgz",
+ "dest": "/tmp"
+ }
+ },
+ {
+ "name": "version retrieval",
+ "ansible.builtin.shell": {
+ "cmd": "ls -1 /tmp/ | grep dokuwiki-"
+ },
+ "register": "temp_version_output"
+ },
+ {
+ "name": "emplacement",
+ "become": true,
+ "ansible.builtin.copy": {
+ "remote_src": true,
+ "state": "directory",
+ "src": "/tmp/{{temp_version_output}}",
+ "dest": "{{var_dokuwiki_directory}}",
+ "owner": "www-data"
+ }
+ },
+ {
+ "name": "configuration",
+ "become": true,
+ "ansible.builtin.template": {
+ "src": "conf.php.j2",
+ "dest": "{{var_dokuwiki_directory}}/conf/dokuwiki.php"
+ }
+ }
+]
diff --git a/ansible/roles/dokuwiki/templates/conf.php.j2 b/ansible/roles/dokuwiki/templates/conf.php.j2
new file mode 100644
index 0000000..e911e8f
--- /dev/null
+++ b/ansible/roles/dokuwiki/templates/conf.php.j2
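Review bot: The `acquisition` task downloads `dokuwiki-stable.tgz` with no `checksum`, and the archive is unpacked and copied into `{{var_dokuwiki_directory}}` by the root-privileged `emplacement` task, so a tampered or truncated download is installed without any task failing. `get_url` accepts `"checksum": "sha256:<EXPECTED_SHA256>"` (placeholder for the published digest), which turns a bad download into a failed run; the module name is `ansible.builtin.get_url`, as patch 03 corrects. Because `dokuwiki-stable.tgz` is a moving pointer, a fixed digest only works together with a versioned tarball URL, e.g. driven by a `var_dokuwiki_version` default. The plugin downloads added in patch 03 and the reworked core download in patch 07 lack the same check.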
@@ -0,0 +1,179 @@ + tags + // 'htmldiff' - diff as HTML table + // 'html' - the full page rendered in XHTML +$conf['rss_media'] = 'both'; //what should be listed? + // 'both' - page and media changes + // 'pages' - page changes only + // 'media' - media changes only +$conf['rss_update'] = 5*60; //Update the RSS feed every n seconds (defaults to 5 minutes) +$conf['rss_show_summary'] = 1; //Add revision summary to title? 0|1 +$conf['rss_show_deleted'] = 1; //Show deleted items 0|1 + +/* Advanced Settings */ +$conf['updatecheck'] = 1; //automatically check for new releases? +$conf['userewrite'] = 0; //this makes nice URLs: 0: off 1: .htaccess 2: internal +$conf['useslash'] = 0; //use slash instead of colon? only when rewrite is on +$conf['sepchar'] = '_'; //word separator character in page names; may be a + // letter, a digit, '_', '-', or '.'. +$conf['canonical'] = 0; //Should all URLs use full canonical http://... style? +$conf['fnencode'] = 'url'; //encode filenames (url|safe|utf-8) +$conf['autoplural'] = 0; //try (non)plural form of nonexistent files? +$conf['compression'] = 'gz'; //compress old revisions: (0: off) ('gz': gnuzip) ('bz2': bzip) + // bz2 generates smaller files, but needs more cpu-power +$conf['gzip_output'] = 0; //use gzip content encoding for the output xhtml (if allowed by browser) +$conf['compress'] = 1; //Strip whitespaces and comments from Styles and JavaScript? 1|0 +$conf['cssdatauri'] = 512; //Maximum byte size of small images to embed into CSS, won't work on IE<8 +$conf['send404'] = 0; //Send an HTTP 404 status for nonexistent pages? +$conf['broken_iua'] = 0; //Platform with broken ignore_user_abort (IIS+CGI) 0|1 +$conf['xsendfile'] = 0; //Use X-Sendfile (1 = lighttpd, 2 = standard) +$conf['renderer_xhtml'] = 'xhtml'; //renderer to use for main page generation +$conf['readdircache'] = 0; //time cache in second for the readdir operation, 0 to deactivate. 
+$conf['search_nslimit'] = 0; //limit the search to the current X namespaces +$conf['search_fragment'] = 'exact'; //specify the default fragment search behavior +$conf['trustedproxy'] = '^(::1|[fF][eE]80:|127\.|10\.|192\.168\.|172\.((1[6-9])|(2[0-9])|(3[0-1]))\.)'; + //Regexp of trusted proxy address when reading IP using HTTP header + // if blank, do not trust any proxy (including local IP) + +/* Feature Flags */ +$conf['defer_js'] = 1; // Defer javascript to be executed after the page's HTML has been parsed. Setting will be removed in the next release. +$conf['hidewarnings'] = 0; // Hide warnings + +/* Network Settings */ +$conf['dnslookups'] = 1; //disable to disallow IP to hostname lookups +$conf['jquerycdn'] = 0; //use a CDN for delivering jQuery? +// Proxy setup - if your Server needs a proxy to access the web set these +$conf['proxy']['host'] = ''; +$conf['proxy']['port'] = ''; +$conf['proxy']['user'] = ''; +$conf['proxy']['pass'] = ''; +$conf['proxy']['ssl'] = 0; +$conf['proxy']['except'] = ''; From 2b46ccfb0947cf3af77d04e07a7561be4da066c5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 15:08:08 +0100 Subject: [PATCH 02/15] [add] role:dokuwiki-and-nginx --- .../dokuwiki-and-nginx/defaults/main.json | 5 +++ ansible/roles/dokuwiki-and-nginx/info.md | 3 ++ .../roles/dokuwiki-and-nginx/tasks/main.json | 35 +++++++++++++++++++ .../dokuwiki-and-nginx/templates/conf.j2 | 15 ++++++++ 4 files changed, 58 insertions(+) create mode 100644 ansible/roles/dokuwiki-and-nginx/defaults/main.json create mode 100644 ansible/roles/dokuwiki-and-nginx/info.md create mode 100644 ansible/roles/dokuwiki-and-nginx/tasks/main.json create mode 100644 ansible/roles/dokuwiki-and-nginx/templates/conf.j2 diff --git a/ansible/roles/dokuwiki-and-nginx/defaults/main.json b/ansible/roles/dokuwiki-and-nginx/defaults/main.json new file mode 100644 index 0000000..22367fe --- /dev/null +++ b/ansible/roles/dokuwiki-and-nginx/defaults/main.json 
@@ -0,0 +1,5 @@
+{
+ "var_dokuwiki_and_nginx_directory": "/opt/dokuwiki",
+ "var_dokuwiki_and_nginx_domain": "dokuwiki.example.org",
+ "var_dokuwiki_and_nginx_tls_enable": true
+}
diff --git a/ansible/roles/dokuwiki-and-nginx/info.md b/ansible/roles/dokuwiki-and-nginx/info.md
new file mode 100644
index 0000000..8cbeec2
--- /dev/null
+++ b/ansible/roles/dokuwiki-and-nginx/info.md
@@ -0,0 +1,3 @@
+## Beschreibung
+
+- zur Einrichtung von [nginx](../nginx) als Reverse-Proxy für [DokuWiki](../dokuwiki)
diff --git a/ansible/roles/dokuwiki-and-nginx/tasks/main.json b/ansible/roles/dokuwiki-and-nginx/tasks/main.json
new file mode 100644
index 0000000..e0b7959
--- /dev/null
+++ b/ansible/roles/dokuwiki-and-nginx/tasks/main.json
@@ -0,0 +1,35 @@
+[
+ {
+ "name": "deactivate default site",
+ "become": true,
+ "ansible.builtin.file": {
+ "state": "absent",
+ "dest": "/etc/nginx/sites-enabled/default"
+ }
+ },
+ {
+ "name": "emplace configuration | data",
+ "become": true,
+ "ansible.builtin.template": {
+ "src": "conf.j2",
+ "dest": "/etc/nginx/sites-available/{{var_dokuwiki_and_nginx_domain}}"
+ }
+ },
+ {
+ "name": "emplace configuration | link",
+ "become": true,
+ "ansible.builtin.file": {
+ "state": "link",
+ "src": "/etc/nginx/sites-available/{{var_dokuwiki_and_nginx_domain}}",
+ "dest": "/etc/nginx/sites-enabled/{{var_dokuwiki_and_nginx_domain}}"
+ }
+ },
+ {
+ "name": "restart nginx",
+ "become": true,
+ "ansible.builtin.systemd_service": {
+ "state": "restarted",
+ "name": "nginx"
+ }
+ }
+]
diff --git a/ansible/roles/dokuwiki-and-nginx/templates/conf.j2 b/ansible/roles/dokuwiki-and-nginx/templates/conf.j2
new file mode 100644
index 0000000..085847c
--- /dev/null
+++ b/ansible/roles/dokuwiki-and-nginx/templates/conf.j2
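Review bot: `restart nginx` uses `"state": "restarted"` unconditionally, so every run of the role drops all open connections on the host even when the rendered site file is unchanged, and a site file that fails to parse leaves nginx down instead of on its previous configuration. Register the results of the two `emplace configuration` tasks and run the service task only `"when": "temp_conf_data.changed or temp_conf_link.changed"` (names constructed), preferably with `"state": "reloaded"`, or move it into a handler notified by them. The `restart service` task for Authelia in patch 05 has the same shape.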
@@ -0,0 +1,15 @@
+server {
+ listen 80;
+ listen [::]:80;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name {{var_dokuwiki_and_nginx_domain}};
+
+{% if var_dokuwiki_and_nginx_tls_enable %}
+ ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem;
+ ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem;
+{% endif %}
+
+ document_root {{var_dokuwiki_and_nginx_directory}}
+}
From 9ff307b47f3ea87386111c3920d69f9adc3a5878 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Mon, 18 Dec 2023 08:13:17 +0100 Subject: [PATCH 03/15] [mod] role:dokuwiki --- ansible/roles/dokuwiki/defaults/main.json | 13 +- ansible/roles/dokuwiki/info.md | 7 + ansible/roles/dokuwiki/tasks/main.json | 192 +++++++++++++++--- .../dokuwiki/templates/conf-acl.auth.php.j2 | 1 + .../dokuwiki/templates/conf-local.php.j2 | 23 +++ .../templates/conf-plugins.local.php.j2 | 9 + .../dokuwiki/templates/conf-users.auth.php.j2 | 9 + ansible/roles/dokuwiki/templates/conf.php.j2 | 179 ---------------- 8 files changed, 224 insertions(+), 209 deletions(-) create mode 100644 ansible/roles/dokuwiki/templates/conf-acl.auth.php.j2 create mode 100644 ansible/roles/dokuwiki/templates/conf-local.php.j2 create mode 100644 ansible/roles/dokuwiki/templates/conf-plugins.local.php.j2 create mode 100644 ansible/roles/dokuwiki/templates/conf-users.auth.php.j2 delete mode 100644 ansible/roles/dokuwiki/templates/conf.php.j2
diff --git a/ansible/roles/dokuwiki/defaults/main.json b/ansible/roles/dokuwiki/defaults/main.json
index d16f8f2..691ea9e 100644
--- a/ansible/roles/dokuwiki/defaults/main.json
+++ b/ansible/roles/dokuwiki/defaults/main.json
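Review bot: `listen 443 ssl;` and `listen [::]:443 ssl;` are unconditional while `ssl_certificate` and `ssl_certificate_key` sit inside `{% if var_dokuwiki_and_nginx_tls_enable %}`, so rendering with the flag set to false yields a server block with ssl enabled and no certificate, which nginx refuses at startup; together with the unconditional restart in tasks/main.json that leaves the service down. Either move the two 443 `listen` lines inside the conditional or drop the flag and make TLS mandatory. The same mismatch survives the rewrite in patch 04, where the whole second server block and the `return 301 https://...` redirect are outside the conditional.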
@@ -1,4 +1,15 @@
 {
 "var_dokuwiki_directory": "/opt/dokuwiki",
- "var_dokuwiki_title": "DokuWiki"
+ "var_dokuwiki_title": "DokuWiki",
+ "var_dokuwiki_oauth2_enable": false,
+ "var_dokuwiki_oauth2_title": "external auth",
+ "var_dokuwiki_oauth2_client_id": "dokuwiki",
+ "var_dokuwiki_oauth2_client_secret": "REPLACE_ME",
+ "var_dokuwiki_oauth2_auth_url": "https://auth.example.org/api/oidc/authorize",
+ "var_dokuwiki_oauth2_token_url": "https://auth.example.org/api/oidc/token",
+ "var_dokuwiki_oauth2_user_url": "https://auth.example.org/api/oidc/userinfo",
+ "var_dokuwiki_admin_user_define": true,
+ "var_dokuwiki_admin_user_name": "admin",
+ "var_dokuwiki_admin_user_password": "REPLACE_ME",
+ "var_dokuwiki_admin_user_email_address": "dokuwiki-admin@example.org"
 }
diff --git a/ansible/roles/dokuwiki/info.md b/ansible/roles/dokuwiki/info.md
index d670d5c..25eac97 100644
--- a/ansible/roles/dokuwiki/info.md
+++ b/ansible/roles/dokuwiki/info.md
@@ -2,3 +2,10 @@ Für das leicht-gewichtige Wiki-System [DokuWiki](https://www.dokuwiki.org/dokuwiki)
+
+## Verweise
+
+- [Dokumentation | Installation](https://www.dokuwiki.org/install)
+- [Dokumentation | Ansible](https://www.dokuwiki.org/install:ansible)
+- [Plugin: oAuth](https://www.dokuwiki.org/plugin:oauth)
+- [Plugin: oAuthGeneric](https://www.dokuwiki.org/plugin:oauthgeneric)
diff --git a/ansible/roles/dokuwiki/tasks/main.json b/ansible/roles/dokuwiki/tasks/main.json
index e451cd5..c4c0563 100644
--- a/ansible/roles/dokuwiki/tasks/main.json
+++ b/ansible/roles/dokuwiki/tasks/main.json
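Review bot: `var_dokuwiki_admin_user_define` defaults to `true` while `var_dokuwiki_admin_user_password` defaults to the literal `REPLACE_ME`, so a host provisioned without an override gets a superuser account (the `admin` group is `$conf['superuser']` per patch 06's context lines) whose password is readable from this repository. Ship no default for the password and for `var_dokuwiki_oauth2_client_secret`, or add an `ansible.builtin.assert` task at the top of tasks/main.json with `"that": "var_dokuwiki_admin_user_password != 'REPLACE_ME'"` so the run fails before anything is written; defaulting `var_dokuwiki_admin_user_define` to `false` would also do. The same placeholder pattern is used for `var_authelia_for_dokuwiki_client_secret` in patch 05.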
@@ -1,6 +1,40 @@
 [
 {
- "name": "directory",
+ "name": "packages",
+ "become": true,
+ "ansible.builtin.apt": {
+ "pkg": [
+ "unzip",
+ "php8.2-fpm",
+ "php8.2-xml",
+ "php8.2-json"
+ ]
+ }
+ },
+ {
+ "name": "core | acquisition",
+ "ansible.builtin.get_url": {
+ "url": "https://download.dokuwiki.org/src/dokuwiki/dokuwiki-stable.tgz",
+ "dest": "/tmp/dokuwiki.tgz"
+ }
+ },
+ {
+ "name": "core | extraction",
+ "ansible.builtin.unarchive": {
+ "remote_src": true,
+ "src": "/tmp/dokuwiki.tgz",
+ "dest": "/tmp"
+ }
+ },
+ {
+ "name": "core | version retrieval",
+ "ansible.builtin.shell": {
+ "cmd": "ls -1 /tmp/ | grep dokuwiki- | grep -v plugin"
+ },
+ "register": "temp_core_version_output"
+ },
+ {
+ "name": "core | directory",
 "become": true,
 "ansible.builtin.file": {
 "state": "directory",
@@ -9,44 +43,144 @@ } }, { - "name": "acquisition", - "ansible.builtin.url_get": { - "url": "https://download.dokuwiki.org/src/dokuwiki/dokuwiki-stable.tgz", - "dest": "/tmp/dokuwiki.tgz" - } - }, - { - "name": "extraction", - "ansible.builtin.unarchive": { - "remote_src": true, - "src": "/tmp/dokuwiki.tgz", - "dest": "/tmp" - } - }, - { - "name": "version retrieval", - "ansible.builtin.shell": { - "cmd": "ls -1 /tmp/ | grep dokuwiki-" - }, - "register": "temp_version_output" - }, - { - "name": "emplacement", + "name": "core | emplacement", "become": true, "ansible.builtin.copy": { "remote_src": true, - "state": "directory", - "src": "/tmp/{{temp_version_output}}", + "src": "/tmp/{{temp_core_version_output.stdout}}/", "dest": "{{var_dokuwiki_directory}}", "owner": "www-data" } }, { - "name": "configuration", + "name": "plugin oauth2 base | acquisition", + "when": "var_dokuwiki_oauth2_enable", + "ansible.builtin.get_url": { + "url": "https://github.com/cosmocode/dokuwiki-plugin-oauth/zipball/master", + "dest": "/tmp/dokuwiki-plugin-oauth-base.zip" + } + }, + { + "name": "plugin oauth2 base | extraction", + "when": "var_dokuwiki_oauth2_enable", + "ansible.builtin.unarchive": { + "remote_src": true, + "src": "/tmp/dokuwiki-plugin-oauth-base.zip", + "dest": "/tmp" + } + }, + { + "name": "plugin oauth2 base | version retrieval", + "when": "var_dokuwiki_oauth2_enable", + "ansible.builtin.shell": { + "cmd": "ls -1 /tmp/ | grep cosmocode-dokuwiki-plugin-oauth-" + }, + "register": "temp_plugin_oauth_base_version_output" + }, + { + "name": "plugin oauth2 base | directory", + "when": "var_dokuwiki_oauth2_enable", + "become": true, + "ansible.builtin.file": { + "state": "directory", + "dest": "{{var_dokuwiki_directory}}/lib/plugins/oauth", + "owner": "www-data" + } + }, + { + "name": "plugin oauth2 base | emplacement", + "when": "var_dokuwiki_oauth2_enable", + "become": true, + "ansible.builtin.copy": { + "remote_src": true, + "src": 
"/tmp/{{temp_plugin_oauth_base_version_output.stdout}}/", + "dest": "{{var_dokuwiki_directory}}/lib/plugins/oauth", + "owner": "www-data" + } + }, + { + "name": "plugin oauth2 generic | acquisition", + "when": "var_dokuwiki_oauth2_enable", + "ansible.builtin.get_url": { + "url": "https://github.com/cosmocode/dokuwiki-plugin-oauthgeneric/zipball/master", + "dest": "/tmp/dokuwiki-plugin-oauth-generic.zip" + } + }, + { + "name": "plugin oauth2 generic | extraction", + "when": "var_dokuwiki_oauth2_enable", + "ansible.builtin.unarchive": { + "remote_src": true, + "src": "/tmp/dokuwiki-plugin-oauth-generic.zip", + "dest": "/tmp" + } + }, + { + "name": "plugin oauth2 generic | version retrieval", + "when": "var_dokuwiki_oauth2_enable", + "ansible.builtin.shell": { + "cmd": "ls -1 /tmp/ | grep cosmocode-dokuwiki-plugin-oauthgeneric-" + }, + "register": "temp_plugin_oauth_generic_version_output" + }, + { + "name": "plugin oauth2 generic | directory", + "when": "var_dokuwiki_oauth2_enable", + "become": true, + "ansible.builtin.file": { + "state": "directory", + "dest": "{{var_dokuwiki_directory}}/lib/plugins/oauthgeneric", + "owner": "www-data" + } + }, + { + "name": "plugin oauth2 generic | emplacement", + "when": "var_dokuwiki_oauth2_enable", + "become": true, + "ansible.builtin.copy": { + "remote_src": true, + "src": "/tmp/{{temp_plugin_oauth_generic_version_output.stdout}}/", + "dest": "{{var_dokuwiki_directory}}/lib/plugins/oauthgeneric", + "owner": "www-data" + } + }, + { + "name": "admin user | password hash", + "when": "var_dokuwiki_admin_user_define", + "set_fact": { + "temp_password_hash": "{{var_dokuwiki_admin_user_password | ansible.builtin.password_hash(hashtype=blowfish,rounds=10)}}" + } + }, + { + "name": "configuration | local", "become": true, "ansible.builtin.template": { - "src": "conf.php.j2", - "dest": "{{var_dokuwiki_directory}}/conf/dokuwiki.php" + "src": "conf-local.php.j2", + "dest": "{{var_dokuwiki_directory}}/conf/local.php" + } + }, + { + "name": 
"configuration | plugins", + "become": true, + "ansible.builtin.template": { + "src": "conf-plugins.local.php.j2", + "dest": "{{var_dokuwiki_directory}}/conf/plugins.local.php" + } + }, + { + "name": "configuration | acl", + "become": true, + "ansible.builtin.template": { + "src": "conf-acl.auth.php.j2", + "dest": "{{var_dokuwiki_directory}}/conf/acl.auth.php" + } + }, + { + "name": "configuration | users", + "become": true, + "ansible.builtin.template": { + "src": "conf-users.auth.php.j2", + "dest": "{{var_dokuwiki_directory}}/conf/users.auth.php" } } ] diff --git a/ansible/roles/dokuwiki/templates/conf-acl.auth.php.j2 b/ansible/roles/dokuwiki/templates/conf-acl.auth.php.j2 new file mode 100644 index 0000000..cacd42c --- /dev/null +++ b/ansible/roles/dokuwiki/templates/conf-acl.auth.php.j2 @@ -0,0 +1 @@ +* @ALL 8 diff --git a/ansible/roles/dokuwiki/templates/conf-local.php.j2 b/ansible/roles/dokuwiki/templates/conf-local.php.j2 new file mode 100644 index 0000000..194df94 --- /dev/null +++ b/ansible/roles/dokuwiki/templates/conf-local.php.j2 @@ -0,0 +1,23 @@ + +# Don't modify the lines above +# +# Userfile + +{% if var_dokuwiki_admin_user_define %} +{{var_dokuwiki_admin_user_name}}:{{temp_password_hash}}:var_dokuwiki_admin_user_email_address:admin,user +{% endif %} diff --git a/ansible/roles/dokuwiki/templates/conf.php.j2 b/ansible/roles/dokuwiki/templates/conf.php.j2 deleted file mode 100644 index e911e8f..0000000 --- a/ansible/roles/dokuwiki/templates/conf.php.j2 +++ /dev/null 
@@ -1,179 +0,0 @@ - tags - // 'htmldiff' - diff as HTML table - // 'html' - the full page rendered in XHTML -$conf['rss_media'] = 'both'; //what should be listed? - // 'both' - page and media changes - // 'pages' - page changes only - // 'media' - media changes only -$conf['rss_update'] = 5*60; //Update the RSS feed every n seconds (defaults to 5 minutes) -$conf['rss_show_summary'] = 1; //Add revision summary to title? 0|1 -$conf['rss_show_deleted'] = 1; //Show deleted items 0|1 - -/* Advanced Settings */ -$conf['updatecheck'] = 1; //automatically check for new releases? -$conf['userewrite'] = 0; //this makes nice URLs: 0: off 1: .htaccess 2: internal -$conf['useslash'] = 0; //use slash instead of colon? only when rewrite is on -$conf['sepchar'] = '_'; //word separator character in page names; may be a - // letter, a digit, '_', '-', or '.'. -$conf['canonical'] = 0; //Should all URLs use full canonical http://... style? -$conf['fnencode'] = 'url'; //encode filenames (url|safe|utf-8) -$conf['autoplural'] = 0; //try (non)plural form of nonexistent files? -$conf['compression'] = 'gz'; //compress old revisions: (0: off) ('gz': gnuzip) ('bz2': bzip) - // bz2 generates smaller files, but needs more cpu-power -$conf['gzip_output'] = 0; //use gzip content encoding for the output xhtml (if allowed by browser) -$conf['compress'] = 1; //Strip whitespaces and comments from Styles and JavaScript? 1|0 -$conf['cssdatauri'] = 512; //Maximum byte size of small images to embed into CSS, won't work on IE<8 -$conf['send404'] = 0; //Send an HTTP 404 status for nonexistent pages? -$conf['broken_iua'] = 0; //Platform with broken ignore_user_abort (IIS+CGI) 0|1 -$conf['xsendfile'] = 0; //Use X-Sendfile (1 = lighttpd, 2 = standard) -$conf['renderer_xhtml'] = 'xhtml'; //renderer to use for main page generation -$conf['readdircache'] = 0; //time cache in second for the readdir operation, 0 to deactivate. 
-$conf['search_nslimit'] = 0; //limit the search to the current X namespaces -$conf['search_fragment'] = 'exact'; //specify the default fragment search behavior -$conf['trustedproxy'] = '^(::1|[fF][eE]80:|127\.|10\.|192\.168\.|172\.((1[6-9])|(2[0-9])|(3[0-1]))\.)'; - //Regexp of trusted proxy address when reading IP using HTTP header - // if blank, do not trust any proxy (including local IP) - -/* Feature Flags */ -$conf['defer_js'] = 1; // Defer javascript to be executed after the page's HTML has been parsed. Setting will be removed in the next release. -$conf['hidewarnings'] = 0; // Hide warnings - -/* Network Settings */ -$conf['dnslookups'] = 1; //disable to disallow IP to hostname lookups -$conf['jquerycdn'] = 0; //use a CDN for delivering jQuery? -// Proxy setup - if your Server needs a proxy to access the web set these -$conf['proxy']['host'] = ''; -$conf['proxy']['port'] = ''; -$conf['proxy']['user'] = ''; -$conf['proxy']['pass'] = ''; -$conf['proxy']['ssl'] = 0; -$conf['proxy']['except'] = ''; From 05001b99cceeac2236cae28961139acb953255e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Mon, 18 Dec 2023 08:13:44 +0100 Subject: [PATCH 04/15] [mod] role:dokuwiki-and-nginx --- ansible/roles/dokuwiki-and-nginx/info.md | 5 ++ .../dokuwiki-and-nginx/templates/conf.j2 | 53 +++++++++++++++++-- 2 files changed, 55 insertions(+), 3 deletions(-) diff --git a/ansible/roles/dokuwiki-and-nginx/info.md b/ansible/roles/dokuwiki-and-nginx/info.md index 8cbeec2..a0f970f 100644 --- a/ansible/roles/dokuwiki-and-nginx/info.md +++ b/ansible/roles/dokuwiki-and-nginx/info.md @@ -1,3 +1,8 @@ ## Beschreibung - zur Einrichtung von [nginx](../nginx) als Reverse-Proxy für [DokuWiki](../dokuwiki) + + +## Verweise + +- [DokuWiki-Dokumentation | nginx](https://www.dokuwiki.org/install:nginx) diff --git a/ansible/roles/dokuwiki-and-nginx/templates/conf.j2 b/ansible/roles/dokuwiki-and-nginx/templates/conf.j2 index 085847c..3fa71ba 100644 
--- a/ansible/roles/dokuwiki-and-nginx/templates/conf.j2 +++ b/ansible/roles/dokuwiki-and-nginx/templates/conf.j2 @@ -1,15 +1,62 @@ server { listen 80; listen [::]:80; - listen 443 ssl; + server_name {{var_dokuwiki_and_nginx_domain}}; + return 301 https://$server_name$request_uri; +} + +server { listen [::]:443 ssl; + listen 443 ssl; server_name {{var_dokuwiki_and_nginx_domain}}; - + {% if var_dokuwiki_and_nginx_tls_enable %} ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem; + ssl_session_timeout 5m; + ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES"; {% endif %} - document_root {{var_dokuwiki_and_nginx_directory}} + # Maximum file upload size is 4MB - change accordingly if needed + client_max_body_size 4M; + client_body_buffer_size 128k; + + root {{var_dokuwiki_and_nginx_directory}}; + index doku.php; + + #Remember to comment the below out when you're installing, and uncomment it when done. + location ~ /(conf/|bin/|inc/|vendor/|install.php) { + # deny all; + } + + #Support for X-Accel-Redirect + location ~ ^/data/ { + internal; + } + + location ~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$ { + expires 365d; + } + + location / { + try_files $uri $uri/ @dokuwiki; + } + + location @dokuwiki { + # rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page + rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; + rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last; + rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; + rewrite ^/(.*) /doku.php?id=$1&$args last; + } + + location ~ \.php$ { + try_files $uri $uri/ /doku.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param REDIRECT_STATUS 200; + fastcgi_pass unix:/var/run/php/php8.2-fpm.sock; + # fastcgi_pass unix:/var/run/php5-fpm.sock; #old php version + } } 
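Review bot: `ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";` carries the literal words ` or ` from the documentation it was copied from, so the list handed to OpenSSL is not the one intended; use a single list, `ssl_ciphers HIGH:!aNULL:!MD5:!3DES;`, and state the protocol floor explicitly with `ssl_protocols TLSv1.2 TLSv1.3;` instead of relying on the nginx build's default. With the port-80 block now redirecting to HTTPS, `add_header Strict-Transport-Security "max-age=63072000" always;` inside the `{% if %}` block completes that redirect. The `#Remember to comment the below out` note should also say which hunk of the role (the `deny all` line) is meant, since the install step is never run through this role.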
From acfa9c0745ab821b0045f549064ee5605405598b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Mon, 18 Dec 2023 08:14:07 +0100 Subject: [PATCH 05/15] [add] role:authelia-for-dokuwiki --- .../authelia-for-dokuwiki/defaults/main.json | 5 ++++ ansible/roles/authelia-for-dokuwiki/info.md | 3 ++ .../authelia-for-dokuwiki/tasks/main.json | 25 +++++++++++++++++ .../templates/authelia-client-conf.json.j2 | 28 +++++++++++++++++++ 4 files changed, 61 insertions(+) create mode 100644 ansible/roles/authelia-for-dokuwiki/defaults/main.json create mode 100644 ansible/roles/authelia-for-dokuwiki/info.md create mode 100644 ansible/roles/authelia-for-dokuwiki/tasks/main.json create mode 100644 ansible/roles/authelia-for-dokuwiki/templates/authelia-client-conf.json.j2
diff --git a/ansible/roles/authelia-for-dokuwiki/defaults/main.json b/ansible/roles/authelia-for-dokuwiki/defaults/main.json
new file mode 100644
index 0000000..66adc78
--- /dev/null
+++ b/ansible/roles/authelia-for-dokuwiki/defaults/main.json
@@ -0,0 +1,5 @@
+{
+ "var_authelia_for_dokuwiki_dokuwiki_url_base": "https://dokuwiki.example.org",
+ "var_authelia_for_dokuwiki_client_id": "dokuwiki",
+ "var_authelia_for_dokuwiki_client_secret": "REPLACE_ME"
+}
diff --git a/ansible/roles/authelia-for-dokuwiki/info.md b/ansible/roles/authelia-for-dokuwiki/info.md
new file mode 100644
index 0000000..71fc4ff
--- /dev/null
+++ b/ansible/roles/authelia-for-dokuwiki/info.md
@@ -0,0 +1,3 @@
+## Beschreibung
+
+Um [DokuWiki](../dokuwiki) gegen [Authelia](../authelia) authentifizieren zu lassen
diff --git a/ansible/roles/authelia-for-dokuwiki/tasks/main.json b/ansible/roles/authelia-for-dokuwiki/tasks/main.json
new file mode 100644
index 0000000..9bcb960
--- /dev/null
+++ b/ansible/roles/authelia-for-dokuwiki/tasks/main.json
@@ -0,0 +1,25 @@
+[
+ {
+ "name": "configuration | emplace",
+ "become": true,
+ "ansible.builtin.template": {
+ "src": "authelia-client-conf.json.j2",
+ "dest": "/etc/authelia/conf.d/clients/dokuwiki.json"
+ }
+ },
+ {
+ "name": "configuration | apply",
+ "become": true,
+ "ansible.builtin.command": {
+ "cmd": "/usr/bin/authelia-conf-compose"
+ }
+ },
+ {
+ "name": "restart service",
+ "become": true,
+ "ansible.builtin.systemd_service": {
+ "state": "restarted",
+ "name": "authelia"
+ }
+ }
+]
diff --git a/ansible/roles/authelia-for-dokuwiki/templates/authelia-client-conf.json.j2 b/ansible/roles/authelia-for-dokuwiki/templates/authelia-client-conf.json.j2
new file mode 100644
index 0000000..4540de7
--- /dev/null
+++ b/ansible/roles/authelia-for-dokuwiki/templates/authelia-client-conf.json.j2
@@ -0,0 +1,28 @@
+{
+ "id": "{{var_authelia_for_dokuwiki_client_id}}",
+ "description": "DokuWiki",
+ "secret": "{{var_authelia_for_dokuwiki_client_secret}}",
+ "public": false,
+ "authorization_policy": "one_factor",
+ "scopes": [
+ "openid",
+ "email",
+ "profile"
+ ],
+ "redirect_uris": [
+ "{{var_authelia_for_dokuwiki_dokuwiki_url_base}}/doku.php"
+ ],
+ "grant_types": [
+ "refresh_token",
+ "authorization_code"
+ ],
+ "response_types": [
+ "code"
+ ],
+ "response_modes": [
+ "form_post",
+ "query",
+ "fragment"
+ ],
+ "userinfo_signing_algorithm": "none"
+}
From 89d806c27a732415bd8b9469142c64eacca93850 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Mon, 18 Dec 2023 08:40:46 +0100 Subject: [PATCH 06/15] [int] --- ansible/roles/dokuwiki-and-nginx/templates/conf.j2 | 2 +- ansible/roles/dokuwiki/tasks/main.json | 7 +++---- ansible/roles/dokuwiki/templates/conf-local.php.j2 | 4 ++-- ansible/roles/dokuwiki/templates/conf-users.auth.php.j2 | 2 +- 4 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/ansible/roles/dokuwiki-and-nginx/templates/conf.j2 b/ansible/roles/dokuwiki-and-nginx/templates/conf.j2
index 3fa71ba..cd9c68d 100644
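Review bot: The client `secret` is rendered in clear from `var_authelia_for_dokuwiki_client_secret`, although Authelia's OIDC client configuration can hold it as a password-hash digest (the project's documentation describes generating one with `authelia crypto hash generate`); keeping only the digest on the Authelia side and the plaintext only in the DokuWiki role means a read of this file does not yield a usable credential. Whether the hashed form is accepted depends on the Authelia version installed by the `../authelia` role, so confirm before switching. The `REPLACE_ME` default for the secret in this patch's defaults needs the same fail-early guard as the DokuWiki admin password.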
--- a/ansible/roles/dokuwiki-and-nginx/templates/conf.j2
+++ b/ansible/roles/dokuwiki-and-nginx/templates/conf.j2
@@ -27,7 +27,7 @@ server {
 #Remember to comment the below out when you're installing, and uncomment it when done.
 location ~ /(conf/|bin/|inc/|vendor/|install.php) {
- # deny all;
+ deny all;
 }
 #Support for X-Accel-Redirect
diff --git a/ansible/roles/dokuwiki/tasks/main.json b/ansible/roles/dokuwiki/tasks/main.json
index c4c0563..d3ec7ee 100644
--- a/ansible/roles/dokuwiki/tasks/main.json
+++ b/ansible/roles/dokuwiki/tasks/main.json
@@ -6,8 +6,7 @@
 "pkg": [
 "unzip",
 "php8.2-fpm",
- "php8.2-xml",
- "php8.2-json"
+ "php8.2-xml"
 ]
 }
 },
@@ -147,8 +146,8 @@
 {
 "name": "admin user | password hash",
 "when": "var_dokuwiki_admin_user_define",
- "set_fact": {
- "temp_password_hash": "{{var_dokuwiki_admin_user_password | ansible.builtin.password_hash(hashtype=blowfish,rounds=10)}}"
+ "ansible.builtin.set_fact": {
+ "temp_password_hash": "{{var_dokuwiki_admin_user_password | ansible.builtin.password_hash(hashtype='blowfish',rounds=10)}}"
 }
 },
 {
diff --git a/ansible/roles/dokuwiki/templates/conf-local.php.j2 b/ansible/roles/dokuwiki/templates/conf-local.php.j2
index 194df94..7878a7d 100644
--- a/ansible/roles/dokuwiki/templates/conf-local.php.j2
+++ b/ansible/roles/dokuwiki/templates/conf-local.php.j2
@@ -7,7 +7,7 @@ $conf['superuser'] = '@admin'; $conf['disableactions'] = 'register'; {% if var_dokuwiki_oauth2_enable %} -$conf['authtype'] = 'oauth'; +$conf['authtype'] = 'oauth'; $conf['plugin']['oauthgeneric']['key'] = '{{var_dokuwiki_oauth2_client_id}}'; $conf['plugin']['oauthgeneric']['secret'] = '{{var_dokuwiki_oauth2_client_secret}}'; $conf['plugin']['oauthgeneric']['authurl'] = '{{var_dokuwiki_oauth2_auth_url}}';
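Review bot: The `ansible.builtin.set_fact` task that derives `temp_password_hash` still has no `"no_log": true`, so a verbose run or a failing filter evaluation can echo the expression together with the rendered `var_dokuwiki_admin_user_password`. Add `"no_log": true,` next to the `when` line, and the same on the `configuration | users` template task that writes the hash out. `password_hash` with `blowfish` needs the passlib package on the controller on most platforms, which is worth a line in info.md since the role otherwise fails only at this task.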
@@ -19,5 +19,5 @@ $conf['plugin']['oauthgeneric']['json-name'] = '.name';
 $conf['plugin']['oauthgeneric']['json-mail'] = '.email';
 $conf['plugin']['oauthgeneric']['label'] = '{{var_dokuwiki_oauth2_title}}';
 {% else %}
-$conf['authtype'] = 'authplain';
+$conf['authtype'] = 'authplain';
 {% endif %}
diff --git a/ansible/roles/dokuwiki/templates/conf-users.auth.php.j2 b/ansible/roles/dokuwiki/templates/conf-users.auth.php.j2
index 8c09514..972be0b 100644
--- a/ansible/roles/dokuwiki/templates/conf-users.auth.php.j2
+++ b/ansible/roles/dokuwiki/templates/conf-users.auth.php.j2
@@ -5,5 +5,5 @@ # Userfile {% if var_dokuwiki_admin_user_define %}
-{{var_dokuwiki_admin_user_name}}:{{temp_password_hash}}:var_dokuwiki_admin_user_email_address:admin,user
+{{var_dokuwiki_admin_user_name}}:{{temp_password_hash}}:{{var_dokuwiki_admin_user_email_address}}:admin,user
 {% endif %}
From 846930b52d945313c0775e78125fb738d8293ce3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 19 Dec 2023 23:09:23 +0100 Subject: [PATCH 07/15] [fix] role:dokuwiki --- ansible/roles/dokuwiki/defaults/main.json | 3 + ansible/roles/dokuwiki/info.md | 5 ++ ansible/roles/dokuwiki/tasks/main.json | 69 ++++++++++++------- .../dokuwiki/templates/conf-acl.auth.php.j2 | 8 ++- .../dokuwiki/templates/conf-local.php.j2 | 21 +++--- .../dokuwiki/templates/conf-users.auth.php.j2 | 2 +- 6 files changed, 74 insertions(+), 34 deletions(-)
diff --git a/ansible/roles/dokuwiki/defaults/main.json b/ansible/roles/dokuwiki/defaults/main.json
index 691ea9e..d37a59c 100644
--- a/ansible/roles/dokuwiki/defaults/main.json
+++ b/ansible/roles/dokuwiki/defaults/main.json
@@ -1,6 +1,8 @@
 {
 "var_dokuwiki_directory": "/opt/dokuwiki",
 "var_dokuwiki_title": "DokuWiki",
+ "var_dokuwiki_language": "en",
+ "var_dokuwiki_licence": "cc-by-sa",
 "var_dokuwiki_oauth2_enable": false,
 "var_dokuwiki_oauth2_title": "external auth",
 "var_dokuwiki_oauth2_client_id": "dokuwiki",
@@ -11,5 +13,6 @@
 "var_dokuwiki_admin_user_define": true,
 "var_dokuwiki_admin_user_name": "admin",
 "var_dokuwiki_admin_user_password": "REPLACE_ME",
+ "var_dokuwiki_admin_user_label": "Admin",
 "var_dokuwiki_admin_user_email_address": "dokuwiki-admin@example.org"
 }
diff --git a/ansible/roles/dokuwiki/info.md b/ansible/roles/dokuwiki/info.md
index 25eac97..33c0bd2 100644
--- a/ansible/roles/dokuwiki/info.md
+++ b/ansible/roles/dokuwiki/info.md
@@ -9,3 +9,8 @@ Für das leicht-gewichtige Wiki-System [DokuWiki](https://www.dokuwiki.org/dokuw
 - [Dokumentation | Ansible](https://www.dokuwiki.org/install:ansible)
 - [Plugin: oAuth](https://www.dokuwiki.org/plugin:oauth)
 - [Plugin: oAuthGeneric](https://www.dokuwiki.org/plugin:oauthgeneric)
+
+
+## ToDo
+
+- Admin-Passwort richten
diff --git a/ansible/roles/dokuwiki/tasks/main.json b/ansible/roles/dokuwiki/tasks/main.json
index d3ec7ee..ab9339b 100644
--- a/ansible/roles/dokuwiki/tasks/main.json
+++ b/ansible/roles/dokuwiki/tasks/main.json
@@ -10,6 +10,13 @@
 ]
 }
 },
+ {
+ "name": "core | preparation",
+ "ansible.builtin.file": {
+ "state": "directory",
+ "path": "/tmp/dokuwiki-core"
+ }
+ },
 {
 "name": "core | acquisition",
 "ansible.builtin.get_url": {
@@ -22,13 +29,13 @@
 "ansible.builtin.unarchive": {
 "remote_src": true,
 "src": "/tmp/dokuwiki.tgz",
- "dest": "/tmp"
+ "dest": "/tmp/dokuwiki-core"
 }
 },
 {
 "name": "core | version retrieval",
- "ansible.builtin.shell": {
- "cmd": "ls -1 /tmp/ | grep dokuwiki- | grep -v plugin"
+ "ansible.builtin.command": {
+ "cmd": "ls /tmp/dokuwiki-core"
 },
 "register": "temp_core_version_output"
 },
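Review bot: `core | preparation` creates the fixed path `/tmp/dokuwiki-core` without `become` and never removes it, and the `ls /tmp/dokuwiki-core` in the next hunk registers every entry it finds; on a second run, or when the directory already exists because another local account created it first in the shared `/tmp`, `stdout` is either several lines or a tree this role did not unpack, and the root-privileged `core | emplacement` copies that into `{{var_dokuwiki_directory}}`. `ansible.builtin.tempfile` with `"state": "directory"` yields a fresh directory private to the connecting user; register it, use its `.path` as the `unarchive` dest and in the `ls`, and delete it at the end with `ansible.builtin.file` `"state": "absent"`. The same fixed-path pattern is repeated for `/tmp/dokuwiki-plugin-oauth` and `/tmp/dokuwiki-plugin-oauthgeneric` in the following hunks.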
@@ -46,13 +53,20 @@
 "become": true,
 "ansible.builtin.copy": {
 "remote_src": true,
- "src": "/tmp/{{temp_core_version_output.stdout}}/",
+ "src": "/tmp/dokuwiki-core/{{temp_core_version_output.stdout}}/",
 "dest": "{{var_dokuwiki_directory}}",
 "owner": "www-data"
 }
 },
 {
- "name": "plugin oauth2 base | acquisition",
+ "name": "plugin 'oauth' | preparation",
+ "ansible.builtin.file": {
+ "state": "directory",
+ "path": "/tmp/dokuwiki-plugin-oauth"
+ }
+ },
+ {
+ "name": "plugin 'oauth' | acquisition",
 "when": "var_dokuwiki_oauth2_enable",
 "ansible.builtin.get_url": {
 "url": "https://github.com/cosmocode/dokuwiki-plugin-oauth/zipball/master",
@@ -60,24 +74,24 @@
 }
 },
 {
- "name": "plugin oauth2 base | extraction",
+ "name": "plugin 'oauth' | extraction",
 "when": "var_dokuwiki_oauth2_enable",
 "ansible.builtin.unarchive": {
 "remote_src": true,
 "src": "/tmp/dokuwiki-plugin-oauth-base.zip",
- "dest": "/tmp"
+ "dest": "/tmp/dokuwiki-plugin-oauth"
 }
 },
 {
- "name": "plugin oauth2 base | version retrieval",
+ "name": "plugin 'oauth' | version retrieval",
 "when": "var_dokuwiki_oauth2_enable",
- "ansible.builtin.shell": {
- "cmd": "ls -1 /tmp/ | grep cosmocode-dokuwiki-plugin-oauth-"
+ "ansible.builtin.command": {
+ "cmd": "ls -1 /tmp/dokuwiki-plugin-oauth"
 },
 "register": "temp_plugin_oauth_base_version_output"
 },
 {
- "name": "plugin oauth2 base | directory",
+ "name": "plugin 'oauth' | directory",
 "when": "var_dokuwiki_oauth2_enable",
 "become": true,
 "ansible.builtin.file": {
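Review bot: The added `plugin 'oauth' | preparation` task carries no `"when": "var_dokuwiki_oauth2_enable"` although every other task of that plugin group is conditional, so the scratch directory is created even on hosts where the plugin is disabled; add the same `when` line (the `plugin 'oauthgeneric' | preparation` task in the next hunk has the same gap). Separately, the context line `"url": "https://github.com/cosmocode/dokuwiki-plugin-oauth/zipball/master"` fetches whatever the branch holds at run time with no integrity check, so the plugin code installed into the wiki can change between runs without any change to this role; pin the URL to a release tag or commit and give `get_url` a `checksum` such as `"checksum": "sha256:<EXPECTED_SHA256>"` so an altered archive fails the task instead of being deployed. The get_url task's body continues outside the hunk.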
@@ -87,18 +101,25 @@
 }
 },
 {
- "name": "plugin oauth2 base | emplacement",
+ "name": "plugin 'oauth' | emplacement",
 "when": "var_dokuwiki_oauth2_enable",
 "become": true,
 "ansible.builtin.copy": {
 "remote_src": true,
- "src": "/tmp/{{temp_plugin_oauth_base_version_output.stdout}}/",
+ "src": "/tmp/dokuwiki-plugin-oauth/{{temp_plugin_oauth_base_version_output.stdout}}/",
 "dest": "{{var_dokuwiki_directory}}/lib/plugins/oauth",
 "owner": "www-data"
 }
 },
 {
- "name": "plugin oauth2 generic | acquisition",
+ "name": "plugin 'oauthgeneric' | preparation",
+ "ansible.builtin.file": {
+ "state": "directory",
+ "path": "/tmp/dokuwiki-plugin-oauthgeneric"
+ }
+ },
+ {
+ "name": "plugin 'oauthgeneric' | acquisition",
 "when": "var_dokuwiki_oauth2_enable",
 "ansible.builtin.get_url": {
 "url": "https://github.com/cosmocode/dokuwiki-plugin-oauthgeneric/zipball/master",
@@ -106,24 +127,24 @@
 }
 },
 {
- "name": "plugin oauth2 generic | extraction",
+ "name": "plugin 'oauthgeneric' | extraction",
 "when": "var_dokuwiki_oauth2_enable",
 "ansible.builtin.unarchive": {
 "remote_src": true,
 "src": "/tmp/dokuwiki-plugin-oauth-generic.zip",
- "dest": "/tmp"
+ "dest": "/tmp/dokuwiki-plugin-oauthgeneric"
 }
 },
 {
- "name": "plugin oauth2 generic | version retrieval",
+ "name": "plugin 'oauthgeneric' | version retrieval",
 "when": "var_dokuwiki_oauth2_enable",
- "ansible.builtin.shell": {
- "cmd": "ls -1 /tmp/ | grep cosmocode-dokuwiki-plugin-oauthgeneric-"
+ "ansible.builtin.command": {
+ "cmd": "ls -1 /tmp/dokuwiki-plugin-oauthgeneric"
 },
 "register": "temp_plugin_oauth_generic_version_output"
 },
 {
- "name": "plugin oauth2 generic | directory",
+ "name": "plugin 'oauthgeneric' | directory",
 "when": "var_dokuwiki_oauth2_enable",
 "become": true,
 "ansible.builtin.file": {
@@ -133,21 +154,21 @@
 }
 },
 {
- "name": "plugin oauth2 generic | emplacement",
+ "name": "plugin 'oauthgeneric' | emplacement",
 "when": "var_dokuwiki_oauth2_enable",
 "become": true,
 "ansible.builtin.copy": {
 "remote_src": true,
- "src": "/tmp/{{temp_plugin_oauth_generic_version_output.stdout}}/",
+ "src": "/tmp/dokuwiki-plugin-oauthgeneric/{{temp_plugin_oauth_generic_version_output.stdout}}/",
 "dest": "{{var_dokuwiki_directory}}/lib/plugins/oauthgeneric",
 "owner": "www-data"
 }
 },
 {
- "name": "admin user | password hash",
+ "name": "admin user password",
 "when": "var_dokuwiki_admin_user_define",
 "ansible.builtin.set_fact": {
- "temp_password_hash": "{{var_dokuwiki_admin_user_password | ansible.builtin.password_hash(hashtype='blowfish',rounds=10)}}"
+ "temp_password_hash": "{{var_dokuwiki_admin_user_password | ansible.builtin.password_hash(hashtype='bcrypt',rounds=12)}}"
 }
 },
 {
diff --git a/ansible/roles/dokuwiki/templates/conf-acl.auth.php.j2 b/ansible/roles/dokuwiki/templates/conf-acl.auth.php.j2
index cacd42c..63d73db 100644
--- a/ansible/roles/dokuwiki/templates/conf-acl.auth.php.j2
+++ b/ansible/roles/dokuwiki/templates/conf-acl.auth.php.j2
@@ -1 +1,7 @@
-* @ALL 8
+# acl.auth.php
+#
+# Don't modify the lines above
+#
+# Access Control Lists
+* @ALL 0
+* @user 8
diff --git a/ansible/roles/dokuwiki/templates/conf-local.php.j2 b/ansible/roles/dokuwiki/templates/conf-local.php.j2
index 7878a7d..50b87bd 100644
--- a/ansible/roles/dokuwiki/templates/conf-local.php.j2
+++ b/ansible/roles/dokuwiki/templates/conf-local.php.j2
@@ -1,23 +1,28 @@
Date: Tue, 19 Dec 2023 23:09:38 +0100
Subject: [PATCH 08/15] [mod] role:authelia-for-dokuwiki
---
 .../templates/authelia-client-conf.json.j2 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ansible/roles/authelia-for-dokuwiki/templates/authelia-client-conf.json.j2 b/ansible/roles/authelia-for-dokuwiki/templates/authelia-client-conf.json.j2
index 4540de7..6d8dc0f 100644
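Review bot: The renamed `admin user password` task computes `temp_password_hash` from `var_dokuwiki_admin_user_password` without `no_log`, so the resulting hash is printed in verbose output and the plaintext variable can surface in failure output; add `"no_log": true` to the task. `password_hash` also draws a fresh random salt on every run, so the fact, and with it the templated users.auth.php, changes on every play even when the password has not, which defeats idempotence and produces noisy diffs; pass a stable `salt=` argument (for example from a dedicated per-host variable) if that is not intended. The template task that consumes the fact lies outside this hunk.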
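Review bot: `* @user 8` grants ACL level 8 (upload) to every authenticated user, and PATCH 09 later in this series enables `register-on-auth` in conf-local.php.j2, so with OAuth every account the identity provider authenticates becomes a wiki user with upload rights on its first login. If that is broader than intended, give `@user` a lower level such as `4` (create) and grant `8` or `16` on a dedicated group line like `* @admin 16`, or restrict on the provider side who may use this client. `* @ALL 0` correctly removes the anonymous access the old `* @ALL 8` line granted.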
--- a/ansible/roles/authelia-for-dokuwiki/templates/authelia-client-conf.json.j2
+++ b/ansible/roles/authelia-for-dokuwiki/templates/authelia-client-conf.json.j2
@@ -7,7 +7,8 @@
 "scopes": [
 "openid",
 "email",
- "profile"
+ "profile",
+ "groups"
 ],
 "redirect_uris": [
 "{{var_authelia_for_dokuwiki_dokuwiki_url_base}}/doku.php"
From 393f0075916afddd27e078c3ee3dc8f194c60dae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Tue, 19 Dec 2023 23:33:31 +0100
Subject: [PATCH 09/15] [fix] role:dokuwiki
---
 ansible/roles/dokuwiki/tasks/main.json | 12 ++++++++----
 ansible/roles/dokuwiki/templates/conf-local.php.j2 | 5 +++--
 2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/ansible/roles/dokuwiki/tasks/main.json b/ansible/roles/dokuwiki/tasks/main.json
index ab9339b..240e17f 100644
--- a/ansible/roles/dokuwiki/tasks/main.json
+++ b/ansible/roles/dokuwiki/tasks/main.json
@@ -176,7 +176,8 @@
 "become": true,
 "ansible.builtin.template": {
 "src": "conf-local.php.j2",
- "dest": "{{var_dokuwiki_directory}}/conf/local.php"
+ "dest": "{{var_dokuwiki_directory}}/conf/local.php",
+ "owner": "www-data"
 }
 },
 {
@@ -184,7 +185,8 @@
 "become": true,
 "ansible.builtin.template": {
 "src": "conf-plugins.local.php.j2",
- "dest": "{{var_dokuwiki_directory}}/conf/plugins.local.php"
+ "dest": "{{var_dokuwiki_directory}}/conf/plugins.local.php",
+ "owner": "www-data"
 }
 },
 {
@@ -192,7 +194,8 @@
 "become": true,
 "ansible.builtin.template": {
 "src": "conf-acl.auth.php.j2",
- "dest": "{{var_dokuwiki_directory}}/conf/acl.auth.php"
+ "dest": "{{var_dokuwiki_directory}}/conf/acl.auth.php",
+ "owner": "www-data"
 }
 },
 {
@@ -200,7 +203,8 @@
 "become": true,
 "ansible.builtin.template": {
 "src": "conf-users.auth.php.j2",
- "dest": "{{var_dokuwiki_directory}}/conf/users.auth.php"
+ "dest": "{{var_dokuwiki_directory}}/conf/users.auth.php",
+ "owner": "www-data"
 }
 }
 ]
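Review bot: The four template tasks in tasks/main.json now set `"owner": "www-data"` but no `mode`, so `conf/local.php`, which carries `$conf['plugin']['oauthgeneric']['secret']`, and `conf/users.auth.php`, which carries the admin password hash, are written with whatever permissions the remote umask yields, commonly world-readable; add `"mode": "0640"` (or `"0600"`) to each of the four tasks, including `plugins.local.php` and `acl.auth.php` for consistency. The users.auth.php task would also benefit from `"no_log": true`, since a run with `--diff` otherwise prints the hash line to the log.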
diff --git a/ansible/roles/dokuwiki/templates/conf-local.php.j2 b/ansible/roles/dokuwiki/templates/conf-local.php.j2
index 50b87bd..25bd096 100644
--- a/ansible/roles/dokuwiki/templates/conf-local.php.j2
+++ b/ansible/roles/dokuwiki/templates/conf-local.php.j2
@@ -7,14 +7,15 @@ $conf['superuser'] = '@admin';
 $conf['passcrypt'] = 'bcrypt';
 {% if var_dokuwiki_oauth2_enable %}
 $conf['authtype'] = 'oauth';
-$conf['disableactions'] = 'resendpwd,profile,profile_delete';
+$conf['disableactions'] = 'register,resendpwd,profile,profile_delete';
 $conf['plugin']['oauth']['singleService'] = 1;
+$conf['plugin']['oauth']['register-on-auth'] = 1;
 $conf['plugin']['oauthgeneric']['key'] = '{{var_dokuwiki_oauth2_client_id}}';
 $conf['plugin']['oauthgeneric']['secret'] = '{{var_dokuwiki_oauth2_client_secret}}';
 $conf['plugin']['oauthgeneric']['authurl'] = '{{var_dokuwiki_oauth2_auth_url}}';
 $conf['plugin']['oauthgeneric']['tokenurl'] = '{{var_dokuwiki_oauth2_token_url}}';
 $conf['plugin']['oauthgeneric']['userurl'] = '{{var_dokuwiki_oauth2_user_url}}';
-$conf['plugin']['oauthgeneric']['authmethod'] = 0;
+$conf['plugin']['oauthgeneric']['authmethod'] = 1;
 $conf['plugin']['oauthgeneric']['scopes'] = ['openid','email','profile','groups'];
 $conf['plugin']['oauthgeneric']['needs-state'] = 1;
 $conf['plugin']['oauthgeneric']['json-user'] = 'sub';
From 4be31f6a74a25a4f4d54e30bf0a8dff1341873a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Thu, 21 Mar 2024 21:14:04 +0100
Subject: [PATCH 10/15] [mod] role:dokuwiki
---
 ansible/roles/dokuwiki/defaults/main.json | 18 ++--
 .../dokuwiki/templates/conf-local.php.j2 | 40 +++++++--
 ansible/roles/dokuwiki/vardef.json | 87 +++++++++++++++++++
 3 files changed, 129 insertions(+), 16 deletions(-)
 create mode 100644 ansible/roles/dokuwiki/vardef.json
diff --git a/ansible/roles/dokuwiki/defaults/main.json b/ansible/roles/dokuwiki/defaults/main.json
index d37a59c..686905f 100644
--- a/ansible/roles/dokuwiki/defaults/main.json
+++ b/ansible/roles/dokuwiki/defaults/main.json
@@ -3,13 +3,17 @@
 "var_dokuwiki_title": "DokuWiki",
 "var_dokuwiki_language": "en",
 "var_dokuwiki_licence": "cc-by-sa",
- "var_dokuwiki_oauth2_enable": false,
- "var_dokuwiki_oauth2_title": "external auth",
- "var_dokuwiki_oauth2_client_id": "dokuwiki",
- "var_dokuwiki_oauth2_client_secret": "REPLACE_ME",
- "var_dokuwiki_oauth2_auth_url": "https://auth.example.org/api/oidc/authorize",
- "var_dokuwiki_oauth2_token_url": "https://auth.example.org/api/oidc/token",
- "var_dokuwiki_oauth2_user_url": "https://auth.example.org/api/oidc/userinfo",
+ "var_dokuwiki_authentication_kind": "internal",
+ "var_dokuwiki_authentication_data_generic_auth_url": "https://auth.example.org/api/oidc/authorize",
+ "var_dokuwiki_authentication_data_generic_token_url": "https://auth.example.org/api/oidc/token",
+ "var_dokuwiki_authentication_data_generic_user_url": "https://auth.example.org/api/oidc/userinfo",
+ "var_dokuwiki_authentication_data_generic_client_id": "dokuwiki",
+ "var_dokuwiki_authentication_data_generic_client_secret": "REPLACE_ME",
+ "var_dokuwiki_authentication_data_generic_title": "external auth",
+ "var_dokuwiki_authentication_data_authelia_url_base": "https://authelia.example.org",
+ "var_dokuwiki_authentication_data_authelia_client_id": "dokuwiki",
+ "var_dokuwiki_authentication_data_authelia_client_secret": "REPLACE_ME",
+ "var_dokuwiki_authentication_data_authelia_label": "Authelia",
 "var_dokuwiki_admin_user_define": true,
 "var_dokuwiki_admin_user_name": "admin",
 "var_dokuwiki_admin_user_password": "REPLACE_ME",
diff --git a/ansible/roles/dokuwiki/templates/conf-local.php.j2 b/ansible/roles/dokuwiki/templates/conf-local.php.j2
index 25bd096..41f151b 100644
--- a/ansible/roles/dokuwiki/templates/conf-local.php.j2
+++ b/ansible/roles/dokuwiki/templates/conf-local.php.j2
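Review bot: `var_dokuwiki_authentication_data_generic_client_secret`, `var_dokuwiki_authentication_data_authelia_client_secret` and the retained `var_dokuwiki_admin_user_password` default to the literal `REPLACE_ME`, so a playbook that forgets to override them still converges and deploys a wiki whose OAuth client secret and admin password are a published placeholder. Secrets are safer without a default, so the run fails on an undefined variable, or guarded at the top of tasks/main.json by an `ansible.builtin.assert` with `"that": "var_dokuwiki_admin_user_password != 'REPLACE_ME'"` and the equivalent checks for the two client secrets. The hunk shows only part of the defaults file.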
@@ -5,16 +5,19 @@ $conf['license'] = '{{var_dokuwiki_licence}}';
 $conf['useacl'] = 1;
 $conf['superuser'] = '@admin';
 $conf['passcrypt'] = 'bcrypt';
-{% if var_dokuwiki_oauth2_enable %}
+{% if var_dokuwiki_authentication_kind == 'internal' %}
+$conf['authtype'] = 'authplain';
+{% endif %}
+{% if var_dokuwiki_authentication_kind == 'generic' %}
 $conf['authtype'] = 'oauth';
 $conf['disableactions'] = 'register,resendpwd,profile,profile_delete';
 $conf['plugin']['oauth']['singleService'] = 1;
 $conf['plugin']['oauth']['register-on-auth'] = 1;
-$conf['plugin']['oauthgeneric']['key'] = '{{var_dokuwiki_oauth2_client_id}}';
-$conf['plugin']['oauthgeneric']['secret'] = '{{var_dokuwiki_oauth2_client_secret}}';
-$conf['plugin']['oauthgeneric']['authurl'] = '{{var_dokuwiki_oauth2_auth_url}}';
-$conf['plugin']['oauthgeneric']['tokenurl'] = '{{var_dokuwiki_oauth2_token_url}}';
-$conf['plugin']['oauthgeneric']['userurl'] = '{{var_dokuwiki_oauth2_user_url}}';
+$conf['plugin']['oauthgeneric']['key'] = '{{var_dokuwiki_authentication_data_generic_client_id}}';
+$conf['plugin']['oauthgeneric']['secret'] = '{{var_dokuwiki_authentication_data_generic_client_secret}}';
+$conf['plugin']['oauthgeneric']['authurl'] = '{{var_dokuwiki_authentication_data_generic_auth_url}}';
+$conf['plugin']['oauthgeneric']['tokenurl'] = '{{var_dokuwiki_authentication_data_generic_token_url}}';
+$conf['plugin']['oauthgeneric']['userurl'] = '{{var_dokuwiki_authentication_data_generic_user_url}}';
 $conf['plugin']['oauthgeneric']['authmethod'] = 1;
 $conf['plugin']['oauthgeneric']['scopes'] = ['openid','email','profile','groups'];
 $conf['plugin']['oauthgeneric']['needs-state'] = 1;
@@ -22,8 +25,27 @@ $conf['plugin']['oauthgeneric']['json-user'] = 'sub';
 $conf['plugin']['oauthgeneric']['json-name'] = 'name';
 $conf['plugin']['oauthgeneric']['json-mail'] = 'email';
 $conf['plugin']['oauthgeneric']['json-grps'] = 'groups';
-$conf['plugin']['oauthgeneric']['label'] = '{{var_dokuwiki_oauth2_title}}';
+$conf['plugin']['oauthgeneric']['label'] = '{{var_dokuwiki_authentication_data_generic_title}}';
 $conf['plugin']['oauthgeneric']['color'] = '#333333';
-{% else %}
-$conf['authtype'] = 'authplain';
 {% endif %}
+{% if var_dokuwiki_authentication_kind == 'authelia' %}
+$conf['authtype'] = 'oauth';
+$conf['disableactions'] = 'register,resendpwd,profile,profile_delete';
+$conf['plugin']['oauth']['singleService'] = 1;
+$conf['plugin']['oauth']['register-on-auth'] = 1;
+$conf['plugin']['oauthgeneric']['key'] = '{{var_dokuwiki_authentication_data_authelia_client_id}}';
+$conf['plugin']['oauthgeneric']['secret'] = '{{var_dokuwiki_authentication_data_authelia_client_secret}}';
+$conf['plugin']['oauthgeneric']['authurl'] = '{{var_dokuwiki_authentication_data_authelia_url_base}}/api/oidc/authorize';
+$conf['plugin']['oauthgeneric']['tokenurl'] = '{{var_dokuwiki_authentication_data_authelia_url_base}}/api/oidc/token';
+$conf['plugin']['oauthgeneric']['userurl'] = '{{var_dokuwiki_authentication_data_authelia_url_base}}/api/oidc/userinfo';
+$conf['plugin']['oauthgeneric']['authmethod'] = 1;
+$conf['plugin']['oauthgeneric']['scopes'] = ['openid','email','profile','groups'];
+$conf['plugin']['oauthgeneric']['needs-state'] = 1;
+$conf['plugin']['oauthgeneric']['json-user'] = 'sub';
+$conf['plugin']['oauthgeneric']['json-name'] = 'name';
+$conf['plugin']['oauthgeneric']['json-mail'] = 'email';
+$conf['plugin']['oauthgeneric']['json-grps'] = 'groups';
+$conf['plugin']['oauthgeneric']['label'] = '{{"var_dokuwiki_authentication_data_authelia_label}}';
+$conf['plugin']['oauthgeneric']['color'] = '#333333';
+{% endif %}
+
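Review bot: The new `authelia` block repeats the `generic` block line for line except for `key`, `secret`, the three URLs and `label`, so every future change to the shared lines (`disableactions`, `scopes`, the `json-*` mappings, `singleService`) now has to be made twice, and the two copies already differ by accident (the stray `"` in the authelia `label` line, corrected later in the series, is the kind of drift this invites). Resolve the five differing values once, for instance in a `{% set %}` block keyed on `var_dokuwiki_authentication_kind` or directly in defaults/main.json, and emit a single `oauth`/`oauthgeneric` section under `{% if var_dokuwiki_authentication_kind in ['generic', 'authelia'] %}`. The template continues outside the hunk.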
diff --git a/ansible/roles/dokuwiki/vardef.json b/ansible/roles/dokuwiki/vardef.json
new file mode 100644
index 0000000..4035f77
--- /dev/null
+++ b/ansible/roles/dokuwiki/vardef.json
@@ -0,0 +1,87 @@
+{
+ "directory": {
+ "type": "string",
+ "mandatory": false
+ },
+ "title": {
+ "type": "string",
+ "mandatory": false
+ },
+ "language": {
+ "type": "string",
+ "mandatory": false
+ },
+ "licence": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_kind": {
+ "type": "string",
+ "options": [
+ "internal",
+ "generic",
+ "authelia"
+ ],
+ "mandatory": false
+ },
+ "authentication_data_generic_auth_url": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_data_generic_token_url": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_data_generic_user_url": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_data_generic_client_id": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_data_generic_client_secret": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_data_generic_title": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_data_authelia_url_base": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_data_authelia_client_id": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_data_authelia_client_secret": {
+ "type": "string",
+ "mandatory": false
+ },
+ "authentication_data_authelia_label": {
+ "type": "string",
+ "mandatory": false
+ },
+ "admin_user_define": {
+ "type": "boolean",
+ "mandatory": false
+ },
+ "admin_user_name": {
+ "type": "string",
+ "mandatory": false
+ },
+ "admin_user_password": {
+ "type": "string",
+ "mandatory": false
+ },
+ "admin_user_label": {
+ "type": "string",
+ "mandatory": false
+ },
+ "admin_user_email_address": {
+ "type": "string",
+ "mandatory": false
+ }
+}
From 947f6e0e7465f791b05f5e9f39ab6a3959b71a53 Mon Sep 17 00:00:00 2001
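Review bot: Every variable in the new vardef.json is declared `"mandatory": false`, including `admin_user_password`, `authentication_data_generic_client_secret` and `authentication_data_authelia_client_secret`, whose defaults in this same commit are the placeholder `REPLACE_ME`; if `mandatory` is what the role tooling uses to reject missing input (inferred from the file's shape, not visible here), these three should be `true` so a deployment cannot run unnoticed with placeholder credentials. The file has no free-text field, so a short list in info.md of which variables are secrets and belong in a vault would complete the documentation. The hunk covers the complete new file.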
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Thu, 21 Mar 2024 22:07:39 +0100
Subject: [PATCH 11/15] [fix] role:dokuwiki
---
 ansible/roles/dokuwiki/templates/conf-local.php.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ansible/roles/dokuwiki/templates/conf-local.php.j2 b/ansible/roles/dokuwiki/templates/conf-local.php.j2
index 41f151b..d216e64 100644
--- a/ansible/roles/dokuwiki/templates/conf-local.php.j2
+++ b/ansible/roles/dokuwiki/templates/conf-local.php.j2
@@ -45,7 +45,7 @@ $conf['plugin']['oauthgeneric']['json-user'] = 'sub';
 $conf['plugin']['oauthgeneric']['json-name'] = 'name';
 $conf['plugin']['oauthgeneric']['json-mail'] = 'email';
 $conf['plugin']['oauthgeneric']['json-grps'] = 'groups';
-$conf['plugin']['oauthgeneric']['label'] = '{{"var_dokuwiki_authentication_data_authelia_label}}';
+$conf['plugin']['oauthgeneric']['label'] = '{{var_dokuwiki_authentication_data_authelia_label}}';
 $conf['plugin']['oauthgeneric']['color'] = '#333333';
 {% endif %}
From d5dc2c15e5f64329f1ecd89bd7172c4d262b8131 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Thu, 21 Mar 2024 23:43:20 +0100
Subject: [PATCH 12/15] [fix] role:dokuwiki
---
 ansible/roles/dokuwiki/info.md | 5 -----
 ansible/roles/dokuwiki/tasks/main.json | 2 +-
 ansible/roles/dokuwiki/templates/conf-local.php.j2 | 4 ++--
 3 files changed, 3 insertions(+), 8 deletions(-)
diff --git a/ansible/roles/dokuwiki/info.md b/ansible/roles/dokuwiki/info.md
index 33c0bd2..25eac97 100644
--- a/ansible/roles/dokuwiki/info.md
+++ b/ansible/roles/dokuwiki/info.md
@@ -9,8 +9,3 @@ Für das leicht-gewichtige Wiki-System [DokuWiki](https://www.dokuwiki.org/dokuw
 - [Dokumentation | Ansible](https://www.dokuwiki.org/install:ansible)
 - [Plugin: oAuth](https://www.dokuwiki.org/plugin:oauth)
 - [Plugin: oAuthGeneric](https://www.dokuwiki.org/plugin:oauthgeneric)
-
-
-## ToDo
-
-- Admin-Passwort richten
diff --git a/ansible/roles/dokuwiki/tasks/main.json b/ansible/roles/dokuwiki/tasks/main.json
index 240e17f..f404c5b 100644
--- a/ansible/roles/dokuwiki/tasks/main.json
+++ b/ansible/roles/dokuwiki/tasks/main.json
@@ -168,7 +168,7 @@
 "name": "admin user password",
 "when": "var_dokuwiki_admin_user_define",
 "ansible.builtin.set_fact": {
- "temp_password_hash": "{{var_dokuwiki_admin_user_password | ansible.builtin.password_hash(hashtype='bcrypt',rounds=12)}}"
+ "temp_password_hash": "{{var_dokuwiki_admin_user_password | ansible.builtin.password_hash(hashtype='sha512')}}"
 }
 },
 {
diff --git a/ansible/roles/dokuwiki/templates/conf-local.php.j2 b/ansible/roles/dokuwiki/templates/conf-local.php.j2
index d216e64..b3bed42 100644
--- a/ansible/roles/dokuwiki/templates/conf-local.php.j2
+++ b/ansible/roles/dokuwiki/templates/conf-local.php.j2
@@ -11,7 +11,7 @@ $conf['authtype'] = 'authplain';
 {% if var_dokuwiki_authentication_kind == 'generic' %}
 $conf['authtype'] = 'oauth';
 $conf['disableactions'] = 'register,resendpwd,profile,profile_delete';
-$conf['plugin']['oauth']['singleService'] = 1;
+$conf['plugin']['oauth']['singleService'] = 0;
 $conf['plugin']['oauth']['register-on-auth'] = 1;
 $conf['plugin']['oauthgeneric']['key'] = '{{var_dokuwiki_authentication_data_generic_client_id}}';
 $conf['plugin']['oauthgeneric']['secret'] = '{{var_dokuwiki_authentication_data_generic_client_secret}}';
@@ -31,7 +31,7 @@ $conf['plugin']['oauthgeneric']['color'] = '#333333';
 {% if var_dokuwiki_authentication_kind == 'authelia' %}
 $conf['authtype'] = 'oauth';
 $conf['disableactions'] = 'register,resendpwd,profile,profile_delete';
-$conf['plugin']['oauth']['singleService'] = 1;
+$conf['plugin']['oauth']['singleService'] = 0;
 $conf['plugin']['oauth']['register-on-auth'] = 1;
 $conf['plugin']['oauthgeneric']['key'] = '{{var_dokuwiki_authentication_data_authelia_client_id}}';
 $conf['plugin']['oauthgeneric']['secret'] = '{{var_dokuwiki_authentication_data_authelia_client_secret}}';
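Review bot: The seeded admin hash switches to `password_hash(hashtype='sha512')`, but conf-local.php.j2 keeps `$conf['passcrypt'] = 'bcrypt'` (visible as context in the PATCH 09 hunk of that template), so users.auth.php now holds a sha512-crypt string while the wiki hashes any later password change with bcrypt. DokuWiki appears to pick the verification scheme from the stored hash's prefix, so login should still work, but the mismatch deserves a sentence in info.md stating why sha512 is used here (if the reason is that Ansible's bcrypt output was not accepted by the wiki, say so). sha512-crypt at its default round count is also a lower work factor than bcrypt at cost 12; `password_hash` accepts `rounds=` for sha512 as well, so consider `hashtype='sha512', rounds=<ROUNDS>` with a raised value. The `no_log` point raised on the PATCH 07 version of this task still applies.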
From dfacaf791f2cbcb0254bb3f2c6722784d4f3a283 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Thu, 21 Mar 2024 23:44:26 +0100
Subject: [PATCH 13/15] [fix] role:authelia-for-dokuwiki
---
 .../templates/authelia-client-conf.json.j2 | 27 +++++--------------
 1 file changed, 7 insertions(+), 20 deletions(-)
diff --git a/ansible/roles/authelia-for-dokuwiki/templates/authelia-client-conf.json.j2 b/ansible/roles/authelia-for-dokuwiki/templates/authelia-client-conf.json.j2
index 6d8dc0f..e5450b2 100644
--- a/ansible/roles/authelia-for-dokuwiki/templates/authelia-client-conf.json.j2
+++ b/ansible/roles/authelia-for-dokuwiki/templates/authelia-client-conf.json.j2
@@ -1,29 +1,16 @@
 {
- "id": "{{var_authelia_for_dokuwiki_client_id}}",
- "description": "DokuWiki",
- "secret": "{{var_authelia_for_dokuwiki_client_secret}}",
+ "client_id": "{{var_authelia_for_dokuwiki_client_id}}",
+ "client_secret": "{{var_authelia_for_dokuwiki_client_secret}}",
+ "client_name": "DokuWiki",
 "public": false,
 "authorization_policy": "one_factor",
+ "redirect_uris": [
+ "{{var_authelia_for_dokuwiki_dokuwiki_url_base}}/doku.php"
+ ],
 "scopes": [
 "openid",
 "email",
 "profile",
 "groups"
- ],
- "redirect_uris": [
- "{{var_authelia_for_dokuwiki_dokuwiki_url_base}}/doku.php"
- ],
- "grant_types": [
- "refresh_token",
- "authorization_code"
- ],
- "response_types": [
- "code"
- ],
- "response_modes": [
- "form_post",
- "query",
- "fragment"
- ],
- "userinfo_signing_algorithm": "none"
+ ]
 }
From cb404cdb7a7fa2d061c9518e98cc818df0720170 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Thu, 21 Mar 2024 23:57:00 +0100
Subject: [PATCH 14/15] [fix] role:authelia-for-dokuwiki
---
 .../templates/authelia-client-conf.json.j2 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ansible/roles/authelia-for-dokuwiki/templates/authelia-client-conf.json.j2 b/ansible/roles/authelia-for-dokuwiki/templates/authelia-client-conf.json.j2
index e5450b2..2605a0f 100644
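Review bot: `client_secret` is still templated from `var_authelia_for_dokuwiki_client_secret` as plaintext; recent Authelia releases (4.37 and later, to my knowledge) accept a hashed client secret (a pbkdf2 or argon2id digest) in this field and warn on plaintext, so storing the digest here and the plaintext only on the DokuWiki side would keep one copy of the shared secret off the Authelia host. `"authorization_policy": "one_factor"` is retained while the `groups` scope added earlier is what conf-local.php.j2 maps onto the `@admin` superuser group, so a single factor is all that gates wiki administration; consider `two_factor` for this client. Dropping the explicit `grant_types`/`response_types` should fall back to Authelia's authorization-code defaults, which matches the plugin's flow, but that assumption is worth confirming against the Authelia version in use.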
--- a/ansible/roles/authelia-for-dokuwiki/templates/authelia-client-conf.json.j2
+++ b/ansible/roles/authelia-for-dokuwiki/templates/authelia-client-conf.json.j2
@@ -12,5 +12,6 @@
 "email",
 "profile",
 "groups"
- ]
+ ],
+ "token_endpoint_auth_method": "client_secret_post"
 }
From f805a66dd54cf536e5d4c82fe547ee0e7433aaac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Thu, 21 Mar 2024 23:59:44 +0100
Subject: [PATCH 15/15] [fix] role:hedgedoc
---
 .../templates/authelia-client-conf.json.j2 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 b/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2
index 2b9a311..f0c6af8 100644
--- a/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2
+++ b/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2
@@ -24,5 +24,6 @@
 "query",
 "fragment"
 ],
- "userinfo_signed_response_alg": "none"
+ "userinfo_signed_response_alg": "none",
+ "token_endpoint_auth_method": "client_secret_post"
 }