Merge branch 'main' into dev-hedgedoc

ansible/roles/element-and-nginx/templates/conf.j2

@@ -6,7 +6,7 @@ server {
 	
 	server_name {{var_element_and_nginx_domain}};
 	
-	ssl_certificate /etc/ssl/certs/{{var_element_and_nginx_domain}}.pem;
+	ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem;
 	
 	root {{var_element_and_nginx_path}};

ansible/roles/element/defaults/main.json

@@ -2,5 +2,5 @@
 	"var_element_version": "v1.11.47",
 	"var_element_path": "/opt/element",
 	"var_element_matrix_baseurl": "https://matrix.example.org",
-	"var_element_server_name": "REPLACE_ME"
+	"var_element_server_name": "example"
 }

ansible/roles/synapse-and-nginx/templates/conf.j2

@@ -10,7 +10,7 @@ server {
 	
 	server_name {{var_synapse_and_nginx_domain}};
 	
-	ssl_certificate /etc/ssl/certs/{{var_synapse_and_nginx_domain}}.pem;
+	ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem;
     
 	location ~ ^(/_matrix|/_synapse/client) {

ansible/roles/synapse/defaults/main.json

@@ -1,17 +1,24 @@
 {
 	"var_synapse_scheme": "https",
 	"var_synapse_domain": "matrix.example.org",
-	"var_synaspe_database_kind": "postgresql",
+	"var_synaspe_database_kind": "sqlite",
+	"var_synaspe_database_sqlite_path": "/var/synapse/data.sqlite",
 	"var_synaspe_database_postgresql_host": "localhost",
 	"var_synaspe_database_postgresql_port": "5432",
 	"var_synaspe_database_postgresql_username": "synapse_user",
-	"var_synaspe_database_postgresql_password": "synapse_password",
+	"var_synaspe_database_postgresql_password": "REPLACE_ME",
 	"var_synaspe_database_postgresql_schema": "synapse",
 	"var_synapse_element_url": "https://element.example.org",
 	"var_synapse_title": "Example | Matrix",
 	"var_synapse_federation_whitelist": "[]",
 	"var_synapse_password_strict_policy": "true",
 	"var_synapse_registration_shared_secret": "REPLACE_ME",
+	"var_synapse_oidc_enable": false,
+	"var_synapse_oidc_provider_id": "external_auth",
+	"var_synapse_oidc_provider_name": "external auth",
+	"var_synapse_oidc_client_id": "synapse",
+	"var_synapse_oidc_client_secret": "REPLACE_ME",
+	"var_synapse_oidc_issuer_url": "https://auth.example.org",
 	"var_synapse_smtp_host": "smtp.example.org",
 	"var_synapse_smtp_port": "587",
 	"var_synapse_smtp_username": "matrix@smtp.example.org",

ansible/roles/synapse/tasks/main.json

@@ -33,10 +33,23 @@
 		"ansible.builtin.apt": {
 			"update_cache": true,
 			"pkg": [
+				"python3-authlib",
 				"matrix-synapse"
 			]
 		}
 	},
+	{
+		"name": "directories",
+		"become": true,
+		"loop": [
+			"/var/synapse"
+		],
+		"ansible.builtin.file": {
+			"state": "directory",
+			"path": "{{item}}",
+			"owner": "matrix-synapse"
+		}
+	},
 	{
 		"name": "emplace configuration",
 		"become": true,

ansible/roles/synapse/templates/homeserver.yaml.j2

@@ -1,3 +1,10 @@
+{% if var_synaspe_database_kind == 'sqlite' %}
+database:
+  name: sqlite3
+  args:
+    database: {{var_synaspe_database_sqlite_path}}
+{% endif %}
+
 {% if var_synaspe_database_kind == 'postgresql' %}
 database:
   name: psycopg2
@@ -31,7 +38,7 @@ listeners:
       - '127.0.0.1'
     type: http
     tls: false
-    x_forwarded: false
+    x_forwarded: true
     resources:
       - names: [client]
         compress: true
@@ -78,12 +85,42 @@ url_preview_enabled: false
 max_spider_size: "10M"
 
 enable_registration_captcha: false
-
 recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
 
-enable_registration_without_verification: true
+registration_shared_secret: "{{var_synapse_registration_shared_secret}}"
 
+{% if var_synapse_oidc_enable %}
+enable_registration: false
+enable_registration_without_verification: false
+{% else %}
 enable_registration: true
+enable_registration_without_verification: true
+{% endif %}
+
+oidc_config:
+  user_mapping_provider:
+    config:
+      # NOT an Ansible variable
+      localpart_template: "{{"{{"}} user.preferred_username {{"}}"}}"
+
+{% if var_synapse_oidc_enable %}
+oidc_providers:
+  - idp_id: "{{var_synapse_oidc_provider_id}}"
+    idp_name: "{{var_synapse_oidc_provider_name}}"
+    # idp_icon: "mxc://authelia.com/cKlrTPsGvlpKxAYeHWJsdVHI"
+    discover: true
+    issuer: "{{var_synapse_oidc_issuer_url}}"
+    client_id: "{{var_synapse_oidc_client_id}}"
+    client_secret: "{{var_synapse_oidc_client_secret}}"
+    scopes: ["openid", "profile", "email"]
+    allow_existing_users: true
+    user_mapping_provider:
+      config:
+        subject_claim: "sub"
+        localpart_template: "{{"{{"}} user.preferred_username {{"}}"}}"
+        display_name_template: "{{"{{"}} user.name {{"}}"}}"
+        email_template: "{{"{{"}} user.email {{"}}"}}"
+{% endif %}
 
 account_validity:
 
@@ -118,12 +155,6 @@ saml2_config:
   user_mapping_provider:
     config:
 
-oidc_config:
-  user_mapping_provider:
-    config:
-      # NOT an Ansible variable
-      localpart_template: "{{"{{"}} user.preferred_username {{"}}"}}"
-
 password_config:
    enabled: true
    policy:
@@ -148,5 +179,3 @@ enable_group_creation: true
 
 templates:
   custom_templates_directory: "/etc/matrix-synapse/templates"
-
-registration_shared_secret: "{{var_synapse_registration_shared_secret}}"

ansible/roles/tlscert_existing/defaults/main.json

@@ -1,6 +1,7 @@
 {
 	"var_tlscert_existing_key_path": "/tmp/key.pem",
 	"var_tlscert_existing_cert_path": "/tmp/cert.pem",
+	"var_tlscert_existing_fullchain_path": "/tmp/fullchain.pem",
 	"var_tlscert_existing_domain_base": "example.org",
 	"var_tlscert_existing_domain_path": "foo",
 	"var_tlscert_existing_ssl_directory": "/etc/ssl"

ansible/roles/tlscert_existing/tasks/main.json

@@ -28,5 +28,22 @@
 			"src": "{{var_tlscert_existing_cert_path}}",
 			"dest": "{{var_tlscert_existing_ssl_directory}}/certs/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem"
 		}
+	},
+	{
+		"name": "fullchain | insert",
+		"when": "var_tlscert_existing_fullchain_path != None",
+		"become": true,
+		"ansible.builtin.copy": {
+			"src": "{{var_tlscert_existing_fullchain_path}}",
+			"dest": "{{var_tlscert_existing_ssl_directory}}/fullchains/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem"
+		}
+	},
+	{
+		"name": "fullchain | compose",
+		"when": "var_tlscert_existing_fullchain_path == None",
+		"become": true,
+		"ansible.builtin.shell": {
+			"cmd": "cat {{var_tlscert_existing_ssl_directory}}/certs/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem > {{var_tlscert_existing_ssl_directory}}/fullchains/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem"
+		}
 	}
 ]

readme.md

@@ -1,3 +1,8 @@
 # Ansible Base
 
 Sammlung von allgemeinen, wiederverwendbaren Ansible-Rollen
+
+
+## ToDo
+
+- [Blocks](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_blocks.html) verwenden