From cce7ab2b5452d13690c561bc118295e11256db34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Fri, 22 Dec 2023 19:23:11 +0100 Subject: [PATCH 01/30] [add] role:murmur --- ansible/roles/murmur/defaults/main.json | 6 + ansible/roles/murmur/info.md | 12 + ansible/roles/murmur/tasks/main.json | 35 ++ .../murmur/templates/mumble-server.ini.j2 | 380 ++++++++++++++++++ 4 files changed, 433 insertions(+) create mode 100644 ansible/roles/murmur/defaults/main.json create mode 100644 ansible/roles/murmur/info.md create mode 100644 ansible/roles/murmur/tasks/main.json create mode 100644 ansible/roles/murmur/templates/mumble-server.ini.j2 diff --git a/ansible/roles/murmur/defaults/main.json b/ansible/roles/murmur/defaults/main.json new file mode 100644 index 0000000..33156cb --- /dev/null +++ b/ansible/roles/murmur/defaults/main.json @@ -0,0 +1,6 @@ +{ + "var_murmur_database_path": "/var/lib/mumble-server/mumble-server.sqlite", + "var_murmur_port": 64738, + "var_murmur_welcome_text": "
Welcome to this server running Murmur.
Enjoy your stay!
", + "var_murmur_admin_password": "REPLACE_ME" +} diff --git a/ansible/roles/murmur/info.md b/ansible/roles/murmur/info.md new file mode 100644 index 0000000..9067faa --- /dev/null +++ b/ansible/roles/murmur/info.md @@ -0,0 +1,12 @@ +## Beschreibung + +Server-Implementierung _Murmur_ für den Audiokonferenz-Software [Mumble](https://www.mumble.info/) + + +## Verweise + +- [Wikipedia-Artikel zu Mumble](https://de.m.wikipedia.org/wiki/Mumblehttps://de.m.wikipedia.org/wiki/Mumble) +- [Mumble-Wiki | Hauptseite](https://wiki.mumble.info/wiki/Main_Page) +- [Mumble-Wiki | Running Murmur](https://wiki.mumble.info/wiki/Running_Murmur) +- [Mumble-Wiki | Murmurguide](https://wiki.mumble.info/wiki/Murmurguide) +- [Mumble-Wiki | Authentication](https://wiki.mumble.info/wiki/Authentication) diff --git a/ansible/roles/murmur/tasks/main.json b/ansible/roles/murmur/tasks/main.json new file mode 100644 index 0000000..b135abb --- /dev/null +++ b/ansible/roles/murmur/tasks/main.json @@ -0,0 +1,35 @@ +[ + { + "name": "packages", + "become": true, + "ansible.builtin.apt": { + "pkg": [ + "mumble-server" + ] + } + }, + { + "name": "configuration", + "become": true, + "ansible.builtin.template": { + "src": "mumble-server.ini.j2", + "dest": "/etc/mumble-server.ini", + "group": "mumble-server" + } + }, + { + "name": "admin account", + "become": true, + "ansible.builtin.command": { + "cmd": "murmurd -ini /etc/mumble-server.ini -supw {{var_murmur_admin_password}}" + } + }, + { + "name": "service", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "mumble-server" + } + } +] diff --git a/ansible/roles/murmur/templates/mumble-server.ini.j2 b/ansible/roles/murmur/templates/mumble-server.ini.j2 new file mode 100644 index 0000000..4db3508 --- /dev/null +++ b/ansible/roles/murmur/templates/mumble-server.ini.j2 @@ -0,0 +1,380 @@ +; Murmur configuration file. +; +; General notes: +; * Settings in this file are default settings and many of them can be overridden +; with virtual server specific configuration via the Ice or DBus interface. +; * Due to the way this configuration file is read some rules have to be +; followed when specifying variable values (as in variable = value): +; * Make sure to quote the value when using commas in strings or passwords. +; NOT variable = super,secret BUT variable = "super,secret" +; * Make sure to escape special characters like '\' or '"' correctly +; NOT variable = """ BUT variable = "\"" +; NOT regex = \w* BUT regex = \\w* + +; Path to database. If blank, will search for +; murmur.sqlite in default locations or create it if not found. +database={{var_murmur_database_path}} + +; Murmur defaults to using SQLite with its default rollback journal. +; In some situations, using SQLite's write-ahead log (WAL) can be +; advantageous. +; If you encounter slowdowns when moving between channels and similar +; operations, enabling the SQLite write-ahead log might help. +; +; To use SQLite's write-ahead log, set sqlite_wal to one of the following +; values: +; +; 0 - Use SQLite's default rollback journal. +; 1 - Use write-ahead log with synchronous=NORMAL. +; If Murmur crashes, the database will be in a consistent state, but +; the most recent changes might be lost if the operating system did +; not write them to disk yet. This option can improve Murmur's +; interactivity on busy servers, or servers with slow storage. +; 2 - Use write-ahead log with synchronous=FULL. +; All database writes are synchronized to disk when they are made. +; If Murmur crashes, the database will be include all completed writes. +;sqlite_wal=0 + +; If you wish to use something other than SQLite, you'll need to set the name +; of the database above, and also uncomment the below. +; Sticking with SQLite is strongly recommended, as it's the most well tested +; and by far the fastest solution. +; +;dbDriver=QMYSQL +;dbUsername= +;dbPassword= +;dbHost= +;dbPort= +;dbPrefix=murmur_ +;dbOpts= + +; Murmur defaults to not using D-Bus. If you wish to use dbus, which is one of the +; RPC methods available in Murmur, please specify so here. +; +;dbus=system + +; Alternate D-Bus service name. Only use if you are running distinct +; murmurd processes connected to the same D-Bus daemon. +;dbusservice=net.sourceforge.mumble.murmur + +; If you want to use ZeroC Ice to communicate with Murmur, you need +; to specify the endpoint to use. Since there is no authentication +; with ICE, you should only use it if you trust all the users who have +; shell access to your machine. +; Please see the ICE documentation on how to specify endpoints. +#ice="tcp -h 127.0.0.1 -p 6502" + +; Ice primarily uses local sockets. This means anyone who has a +; user account on your machine can connect to the Ice services. +; You can set a plaintext "secret" on the Ice connection, and +; any script attempting to access must then have this secret +; (as context with name "secret"). +; Access is split in read (look only) and write (modify) +; operations. Write access always includes read access, +; unless read is explicitly denied (see note below). +; +; Note that if this is uncommented and with empty content, +; access will be denied. + +;icesecretread= +icesecretwrite= + +; If you want to expose Murmur's experimental gRPC API, you +; need to specify an address to bind on. +; Note: not all builds of Murmur support gRPC. If gRPC is not +; available, Murmur will warn you in its log output. +;grpc="127.0.0.1:50051" +; Specifying both a certificate and key file below will cause gRPC to use +; secured, TLS connections. +;grpccert="" +;grpckey="" + +; Specifies the file Murmur should log to. By default, Murmur +; logs to the file 'murmur.log'. If you leave this field blank +; on Unix-like systems, Murmur will force itself into foreground +; mode which logs to the console. +logfile=/var/log/mumble-server/mumble-server.log + +; If set, Murmur will write its process ID to this file +; when running in daemon mode (when the -fg flag is not +; specified on the command line). Only available on +; Unix-like systems. +pidfile=/run/mumble-server/mumble-server.pid + +; The below will be used as defaults for new configured servers. +; If you're just running one server (the default), it's easier to +; configure it here than through D-Bus or Ice. +; +; Welcome message sent to clients when they connect. +; If the welcome message is set to an empty string, +; no welcome message will be sent to clients. +welcometext="{{var_murmur_welcome_text}}" + +; Port to bind TCP and UDP sockets to. +port={{var_murmur_port | string}} + +; Specific IP or hostname to bind to. +; If this is left blank (default), Murmur will bind to all available addresses. +;host= + +; Password to join server. +serverpassword= + +; Maximum bandwidth (in bits per second) clients are allowed +; to send speech at. +bandwidth=72000 + +; Murmur and Mumble are usually pretty good about cleaning up hung clients, but +; occasionally one will get stuck on the server. The timeout setting will cause +; a periodic check of all clients who haven't communicated with the server in +; this many seconds - causing zombie clients to be disconnected. +; +; Note that this has no effect on idle clients or people who are AFK. It will +; only affect people who are already disconnected, and just haven't told the +; server. +;timeout=30 + +; Maximum number of concurrent clients allowed. +users=100 + +; Where users sets a blanket limit on the number of clients per virtual server, +; usersperchannel sets a limit on the number per channel. The default is 0, for +; no limit. +;usersperchannel=0 + +; Per-user rate limiting +; +; These two settings allow to configure the per-user rate limiter for some +; command messages sent from the client to the server. The messageburst setting +; specifies an amount of messages which are allowed in short bursts. The +; messagelimit setting specifies the number of messages per second allowed over +; a longer period. If a user hits the rate limit, his packages are then ignored +; for some time. Both of these settings have a minimum of 1 as setting either to +; 0 could render the server unusable. +messageburst=5 +messagelimit=1 + +; Respond to UDP ping packets. +; +; Setting to true exposes the current user count, the maximum user count, and +; the server's maximum bandwidth per client to unauthenticated users. In the +; Mumble client, this information is shown in the Connect dialog. +allowping=true + +; Amount of users with Opus support needed to force Opus usage, in percent. +; 0 = Always enable Opus, 100 = enable Opus if it's supported by all clients. +;opusthreshold=100 + +; Maximum depth of channel nesting. Note that some databases like MySQL using +; InnoDB will fail when operating on deeply nested channels. +;channelnestinglimit=10 + +; Maximum number of channels per server. 0 for unlimited. Note that an +; excessive number of channels will impact server performance +;channelcountlimit=1000 + +; Regular expression used to validate channel names. +; (Note that you have to escape backslashes with \ ) +;channelname=[ \\-=\\w\\#\\[\\]\\{\\}\\(\\)\\@\\|]+ + +; Regular expression used to validate user names. +; (Note that you have to escape backslashes with \ ) +;username=[-=\\w\\[\\]\\{\\}\\(\\)\\@\\|\\.]+ + +; If a user has no stored channel (they've never been connected to the server +; before, or rememberchannel is set to false) and the client hasn't been given +; a URL that includes a channel path, the default behavior is that they will +; end up in the root channel. +; +; You can set this setting to a channel ID, and the user will automatically be +; moved into that channel instead. Note that this is the numeric ID of the +; channel, which can be a little tricky to get (you'll either need to use an +; RPC mechanism, watch the console of a debug client, or root around through +; the Murmur Database to get it). +; +;defaultchannel=0 + +; When a user connects to a server they've already been on, by default the +; server will remember the last channel they were in and move them to it +; automatically. Toggling this setting to false will disable that feature. +; +;rememberchannel=true + +; Maximum length of text messages in characters. 0 for no limit. +;textmessagelength=5000 + +; Maximum length of text messages in characters, with image data. 0 for no limit. +;imagemessagelength=131072 + +; Allow clients to use HTML in messages, user comments and channel descriptions? +;allowhtml=true + +; Murmur retains the per-server log entries in an internal database which +; allows it to be accessed over D-Bus/ICE. +; How many days should such entries be kept? +; Set to 0 to keep forever, or -1 to disable logging to the DB. +;logdays=31 + +; To enable public server registration, the serverpassword must be blank, and +; this must all be filled out. +; The password here is used to create a registry for the server name; subsequent +; updates will need the same password. Don't lose your password. +; The URL is your own website, and only set the registerHostname for static IP +; addresses. +; Location is typically the country of typical users of the server, in +; two-letter TLD style (ISO 3166-1 alpha-2 country code) +; +; If you only wish to give your "Root" channel a custom name, then only +; uncomment the 'registerName' parameter. +; +;registerName=Mumble Server +;registerPassword=secret +;registerUrl=http://www.mumble.info/ +;registerHostname= +;registerLocation= + +; If this option is enabled, the server will announce its presence via the +; bonjour service discovery protocol. To change the name announced by bonjour +; adjust the registerName variable. +; See http://developer.apple.com/networking/bonjour/index.html for more information +; about bonjour. +;bonjour=True + +; If you have a proper SSL certificate, you can provide the filenames here. +; Otherwise, Murmur will create its own certificate automatically. +;sslCert= +;sslKey= + +; If the keyfile specified above is encrypted with a passphrase, you can enter +; it in this setting. It must be plaintext, so you may wish to adjust the +; permissions on your murmur.ini file accordingly. +;sslPassPhrase= + +; If your certificate is signed by an authority that uses a sub-signed or +; "intermediate" certificate, you probably need to bundle it with your +; certificate in order to get Murmur to accept it. You can either concatenate +; the two certificates into one file, or you can put it in a file by itself and +; put the path to that PEM-file in sslCA. +;sslCA= + +; The sslDHParams option allows you to specify a PEM-encoded file with +; Diffie-Hellman parameters, which will be used as the default Diffie- +; Hellman parameters for all virtual servers. +; +; Instead of pointing sslDHParams to a file, you can also use the option +; to specify a named set of Diffie-Hellman parameters for Murmur to use. +; Murmur comes bundled with the Diffie-Hellman parameters from RFC 7919. +; These parameters are available by using the following names: +; +; @ffdhe2048, @ffdhe3072, @ffdhe4096, @ffdhe6144, @ffdhe8192 +; +; By default, Murmur uses @ffdhe2048. +;sslDHParams=@ffdhe2048 + +; The sslCiphers option chooses the cipher suites to make available for use +; in SSL/TLS. This option is server-wide, and cannot be set on a +; per-virtual-server basis. +; +; This option is specified using OpenSSL cipher list notation (see +; https://www.openssl.org/docs/apps/ciphers.html#CIPHER-LIST-FORMAT). +; +; It is recommended that you try your cipher string using 'openssl ciphers ' +; before setting it here, to get a feel for which cipher suites you will get. +; +; After setting this option, it is recommend that you inspect your Murmur log +; to ensure that Murmur is using the cipher suites that you expected it to. +; +; Note: Changing this option may impact the backwards compatibility of your +; Murmur server, and can remove the ability for older Mumble clients to be able +; to connect to it. +;sslCiphers=EECDH+AESGCM:EDH+aRSA+AESGCM:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA + +; If Murmur is started as root, which user should it switch to? +; This option is ignored if Murmur isn't started with root privileges. +uname=mumble-server + +; By default, in log files and in the user status window for privileged users, +; Mumble will show IP addresses - in some situations you may find this unwanted +; behavior. If obfuscate is set to true, Murmur will randomize the IP addresses +; of connecting users. +; +; The obfuscate function only affects the log file and DOES NOT effect the user +; information section in the client window. +;obfuscate=false + +; If this options is enabled, only clients which have a certificate are allowed +; to connect. +;certrequired=False + +; If enabled, clients are sent information about the servers version and operating +; system. +;sendversion=True + +; You can set a recommended minimum version for your server, and clients will +; be notified in their log when they connect if their client does not meet the +; minimum requirements. suggestVersion expects the version in the format X.X.X. +; +; Note that the suggest* options appeared after 1.2.3 and will have no effect +; on client versions 1.2.3 and earlier. +; +;suggestVersion= + +; Setting this to "true" will alert any user who does not have positional audio +; enabled that the server administrators recommend enabling it. Setting it to +; "false" will have the opposite effect - if you do not care whether the user +; enables positional audio or not, set it to blank. The message will appear in +; the log window upon connection, but only if the user's settings do not match +; what the server requests. +; +; Note that the suggest* options appeared after 1.2.3 and will have no effect +; on client versions 1.2.3 and earlier. +; +;suggestPositional= + +; Setting this to "true" will alert any user who does not have Push-To-Talk +; enabled that the server administrators recommend enabling it. Setting it to +; "false" will have the opposite effect - if you do not care whether the user +; enables PTT or not, set it to blank. The message will appear in the log +; window upon connection, but only if the user's settings do not match what the +; server requests. +; +; Note that the suggest* options appeared after 1.2.3 and will have no effect +; on client versions 1.2.3 and earlier. +; +;suggestPushToTalk= + +; This sets password hash storage to legacy mode (1.2.4 and before) +; (Note that setting this to true is insecure and should not be used unless absolutely necessary) +;legacyPasswordHash=false + +; By default a strong amount of PBKDF2 iterations are chosen automatically. If >0 this setting +; overrides the automatic benchmark and forces a specific number of iterations. +; (Note that you should only change this value if you know what you are doing) +;kdfIterations=-1 + +; In order to prevent misconfigured, impolite or malicious clients from +; affecting the low-latency of other users, Murmur has a rudimentary global-ban +; system. It's configured using the autobanAttempts, autobanTimeframe and +; autobanTime settings. +; +; If a client attempts autobanAttempts connections in autobanTimeframe seconds, +; they will be banned for autobanTime seconds. This is a global ban, from all +; virtual servers on the Murmur process. It will not show up in any of the +; ban-lists on the server, and they can't be removed without restarting the +; Murmur process - just let them expire. A single, properly functioning client +; should not trip these bans. +; +; To disable, set autobanAttempts or autobanTimeframe to 0. Commenting these +; settings out will cause Murmur to use the defaults: +; +;autobanAttempts=10 +;autobanTimeframe=120 +;autobanTime=300 + +; You can configure any of the configuration options for Ice here. We recommend +; leave the defaults as they are. +; Please note that this section has to be last in the configuration file. +; +[Ice] +Ice.Warn.UnknownProperties=1 +Ice.MessageSizeMax=65536 From 07a681b4351b7d9e39eb007ba56fe796e15fb6c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 23 Dec 2023 12:19:29 +0100 Subject: [PATCH 02/30] =?UTF-8?q?[mod]=20role:authelia:Unterst=C3=BCtzung?= =?UTF-8?q?=20f=C3=BCr=20PostgreSQL=20und=20MariaDB?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ansible/roles/authelia/defaults/main.json | 13 ++++++++++- .../authelia/templates/conf-main.json.j2 | 23 ++++++++++++++++++- 2 files changed, 34 insertions(+), 2 deletions(-) diff --git a/ansible/roles/authelia/defaults/main.json b/ansible/roles/authelia/defaults/main.json index d2fbace..8206661 100644 --- a/ansible/roles/authelia/defaults/main.json +++ b/ansible/roles/authelia/defaults/main.json @@ -7,8 +7,19 @@ "var_authelia_log_file_path": "/var/authelia/log.jsonl", "var_authelia_session_domain": "example.org", "var_authelia_session_secret": "REPLACE_ME", - "var_authelia_storage_path": "/var/authelia/state.db", "var_authelia_storage_encryption_key": "storage_encryption_key", + "var_authelia_storage_kind": "sqlite", + "var_authelia_storage_data_sqlite_path": "/var/authelia/state.db", + "var_authelia_storage_data_postgresql_host": "localhost", + "var_authelia_storage_data_postgresql_port": 5432, + "var_authelia_storage_data_postgresql_username": "authelia_user", + "var_authelia_storage_data_postgresql_password": "REPLACE_ME", + "var_authelia_storage_data_postgresql_schema": "authelia", + "var_authelia_storage_data_mariadb_host": "localhost", + "var_authelia_storage_data_mariadb_port": 3306, + "var_authelia_storage_data_mariadb_username": "authelia_user", + "var_authelia_storage_data_mariadb_password": "REPLACE_ME", + "var_authelia_storage_data_mariadb_schema": "authelia", "var_authelia_ntp_server": "time.cloudflare.com:123", "var_authelia_notification_mode": "smtp", "var_authelia_notification_file_path": "/var/authelia/notifications", diff --git a/ansible/roles/authelia/templates/conf-main.json.j2 b/ansible/roles/authelia/templates/conf-main.json.j2 index 5fa6b6d..096774a 100644 --- a/ansible/roles/authelia/templates/conf-main.json.j2 +++ b/ansible/roles/authelia/templates/conf-main.json.j2 @@ -126,9 +126,30 @@ }, "storage": { "encryption_key": "{{var_authelia_storage_encryption_key}}", +{% if var_authelia_storage_kind == "sqlite" %} "local": { - "path": "{{var_authelia_storage_path}}" + "path": "{{var_authelia_storage_data_sqlite_path}}" } +{% endif %} +{% if var_authelia_storage_kind == "postgresql" %} + "postgres": { + "host": "{{var_authelia_storage_data_postgresql_host}}", + "port": {{var_authelia_storage_data_postgresql_port | string}}, + "schema": "public", + "username": "{{var_authelia_storage_data_postgresql_username}}", + "password": "{{var_authelia_storage_data_postgresql_password}}", + "database": "{{var_authelia_storage_data_postgresql_schema}}" + } +{% endif %} +{% if var_authelia_storage_kind == "mariadb" %} + "mysql": { + "host": "{{var_authelia_storage_data_mariadb_host}}", + "port": {{var_authelia_storage_data_mariadb_port | string}}, + "username": "{{var_authelia_storage_data_mariadb_username}}", + "password": "{{var_authelia_storage_data_mariadb_password}}", + "database": "{{var_authelia_storage_data_mariadb_schema}}" + } +{% endif %} }, "notifier": { "disable_startup_check": true, From dc219168dfa81f5186ccf3ef81c6689b67742031 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 23 Dec 2023 12:41:34 +0100 Subject: [PATCH 03/30] =?UTF-8?q?[mod]=20role:authelia:Neben-Task=20f?= =?UTF-8?q?=C3=BCr=20PostgreSQL-Einrichtung?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../authelia/tasks/database-postgresql.json | 45 +++++++++++++++++++ ansible/roles/authelia/tasks/main.json | 7 +++ 2 files changed, 52 insertions(+) create mode 100644 ansible/roles/authelia/tasks/database-postgresql.json diff --git a/ansible/roles/authelia/tasks/database-postgresql.json b/ansible/roles/authelia/tasks/database-postgresql.json new file mode 100644 index 0000000..ca69439 --- /dev/null +++ b/ansible/roles/authelia/tasks/database-postgresql.json @@ -0,0 +1,45 @@ +[ + { + "name": "database:postgresql | packages", + "become": true, + "ansible.builtin.apt": { + "pkg": [ + "acl", + "python3-psycopg2" + ] + } + }, + { + "name": "database:postgresql | user", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_user": { + "state": "present", + "name": "{{var_authelia_storage_data_postgresql_username}}", + "password": "{{var_authelia_storage_data_postgresql_password}}" + } + }, + { + "name": "database:postgresql | schema", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_db": { + "state": "present", + "name": "{{var_authelia_storage_data_postgresql_schema}}", + "owner": "{{var_authelia_storage_data_postgresql_username}}" + } + }, + { + "name": "database:postgresql | rights", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_privs": { + "state": "present", + "db": "{{var_authelia_storage_data_postgresql_schema}}", + "objs": "ALL_IN_SCHEMA", + "roles": "{{var_authelia_storage_data_postgresql_username}}", + "privs": "ALL", + "grant_option": true + } + } +] diff --git a/ansible/roles/authelia/tasks/main.json b/ansible/roles/authelia/tasks/main.json index c765720..12bbe17 100644 --- a/ansible/roles/authelia/tasks/main.json +++ b/ansible/roles/authelia/tasks/main.json @@ -37,6 +37,13 @@ ] } }, + { + "name": "database", + "when": "var_authelia_storage_kind == 'postgresql'", + "ansible.builtin.include_tasks": { + "file": "database-postgresql.json" + } + }, { "name": "generate private key for signing OIDC JWTs", "become": true, From c332923f6504accd5d8215699ef964a724362e66 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 23 Dec 2023 12:50:10 +0100 Subject: [PATCH 04/30] =?UTF-8?q?[mod]=20role:authelia:Unterst=C3=BCtzung?= =?UTF-8?q?=20f=C3=BCr=20"disabled"-Flag=20bei=20der=20Nutzer-Verwaltung?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ansible/roles/authelia/files/user-manage.py | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/ansible/roles/authelia/files/user-manage.py b/ansible/roles/authelia/files/user-manage.py index 7d9a84e..1e4355a 100644 --- a/ansible/roles/authelia/files/user-manage.py +++ b/ansible/roles/authelia/files/user-manage.py @@ -121,6 +121,14 @@ def main(): default = None, help = "e-mail address of the user", ) + argument_parser.add_argument( + "-x", + "--deactivated", + type = str, + default = "no", + choices = ["no", "yes"], + help = "whether the user shall be deactivated", + ) args = argument_parser.parse_args() ## exec @@ -146,6 +154,7 @@ def main(): raise ValueError("password required") else: entry = { + "disabled": (args.deactivated == "yes"), "displayname": (args.display_name or args.login_name), "password": get_password_hash(args.binary_file_path, args.conf_file_path, args.login_name), "email": args.email, @@ -158,6 +167,10 @@ def main(): raise ValueError("name required") else: entry = data["users"][args.login_name] + if (args.deactivated is None): + pass + else: + entry["disabled"] = (args.deactivated == "yes") if (args.password is None): pass else: From 5c3f628e742a95c0eb9d798c8d16c3484d4e0d42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 23 Dec 2023 12:55:31 +0100 Subject: [PATCH 05/30] =?UTF-8?q?[mod]=20role:authelia:Kennwort-R=C3=BCcks?= =?UTF-8?q?etz-Funktion=20steuern?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ansible/roles/authelia/defaults/main.json | 1 + ansible/roles/authelia/templates/conf-main.json.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ansible/roles/authelia/defaults/main.json b/ansible/roles/authelia/defaults/main.json index 8206661..89c4e12 100644 --- a/ansible/roles/authelia/defaults/main.json +++ b/ansible/roles/authelia/defaults/main.json @@ -21,6 +21,7 @@ "var_authelia_storage_data_mariadb_password": "REPLACE_ME", "var_authelia_storage_data_mariadb_schema": "authelia", "var_authelia_ntp_server": "time.cloudflare.com:123", + "var_authelia_password_reset_enabled": false, "var_authelia_notification_mode": "smtp", "var_authelia_notification_file_path": "/var/authelia/notifications", "var_authelia_notification_smtp_host": "smtp.example.org", diff --git a/ansible/roles/authelia/templates/conf-main.json.j2 b/ansible/roles/authelia/templates/conf-main.json.j2 index 096774a..3b85291 100644 --- a/ansible/roles/authelia/templates/conf-main.json.j2 +++ b/ansible/roles/authelia/templates/conf-main.json.j2 @@ -47,7 +47,7 @@ }, "authentication_backend": { "password_reset": { - "disable": true, + "disable": {{not var_authelia_password_reset_enabled | to_json}}, "custom_url": "" }, "refresh_interval": "5m", From 3d30bc38d240401cdc037e7109acc91ee5d14f1b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Mon, 1 Jan 2024 16:46:36 +0100 Subject: [PATCH 06/30] [fix] role:authelia --- ansible/roles/authelia/templates/conf-main.json.j2 | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ansible/roles/authelia/templates/conf-main.json.j2 b/ansible/roles/authelia/templates/conf-main.json.j2 index 3b85291..4279742 100644 --- a/ansible/roles/authelia/templates/conf-main.json.j2 +++ b/ansible/roles/authelia/templates/conf-main.json.j2 @@ -47,7 +47,11 @@ }, "authentication_backend": { "password_reset": { - "disable": {{not var_authelia_password_reset_enabled | to_json}}, +{% if var_authelia_password_reset_enabled %} + "disable": false, +{% else %} + "disable": true, +{% endif %} "custom_url": "" }, "refresh_interval": "5m", From 5da8450f22150c063dda0d492963d754339001df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 7 Jan 2024 23:42:07 +0100 Subject: [PATCH 07/30] [mod] role:ansible:defaults:password --- ansible/roles/authelia/defaults/main.json | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ansible/roles/authelia/defaults/main.json b/ansible/roles/authelia/defaults/main.json index 89c4e12..de2bc43 100644 --- a/ansible/roles/authelia/defaults/main.json +++ b/ansible/roles/authelia/defaults/main.json @@ -27,7 +27,9 @@ "var_authelia_notification_smtp_host": "smtp.example.org", "var_authelia_notification_smtp_port": "465", "var_authelia_notification_smtp_username": "authelia", - "var_authelia_notification_smtp_password": "smtp_password", + "var_authelia_notification_smtp_password": "REPLACE_ME", "var_authelia_notification_smtp_sender": "Authelia", - "var_authelia_oidc_hmac_secret": "oidc_hmac_secret" + "var_authelia_oidc_hmac_secret": "REPLACE_ME", + "var_authelia_domain": "authelia.example.org", + "var_authelia_webportal_kind": "none" } From 944f75de59b5945f2b9a646c7d3d92d27e7e1026 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 7 Jan 2024 23:42:25 +0100 Subject: [PATCH 08/30] [mod] role:ansible:defaults:password --- ansible/roles/authelia/defaults/main.json | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/ansible/roles/authelia/defaults/main.json b/ansible/roles/authelia/defaults/main.json index de2bc43..af34caa 100644 --- a/ansible/roles/authelia/defaults/main.json +++ b/ansible/roles/authelia/defaults/main.json @@ -29,7 +29,5 @@ "var_authelia_notification_smtp_username": "authelia", "var_authelia_notification_smtp_password": "REPLACE_ME", "var_authelia_notification_smtp_sender": "Authelia", - "var_authelia_oidc_hmac_secret": "REPLACE_ME", - "var_authelia_domain": "authelia.example.org", - "var_authelia_webportal_kind": "none" + "var_authelia_oidc_hmac_secret": "REPLACE_ME" } From b658f3057ca9f1c3689feb4fbdcc3f25db020c34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 19 Mar 2024 18:45:32 +0100 Subject: [PATCH 09/30] [add] role:postgresql-for-authelia --- .../defaults/main.json | 7 ++++++ .../tasks/main.json} | 20 ++++++++--------- .../roles/postgresql-for-authelia/vardef.json | 22 +++++++++++++++++++ 3 files changed, 39 insertions(+), 10 deletions(-) create mode 100644 ansible/roles/postgresql-for-authelia/defaults/main.json rename ansible/roles/{authelia/tasks/database-postgresql.json => postgresql-for-authelia/tasks/main.json} (50%) create mode 100644 ansible/roles/postgresql-for-authelia/vardef.json diff --git a/ansible/roles/postgresql-for-authelia/defaults/main.json b/ansible/roles/postgresql-for-authelia/defaults/main.json new file mode 100644 index 0000000..379cde9 --- /dev/null +++ b/ansible/roles/postgresql-for-authelia/defaults/main.json @@ -0,0 +1,7 @@ +{ + "var_postgresql_for_authelia_host": "localhost", + "var_postgresql_for_authelia_port": 5432, + "var_postgresql_for_authelia_username": "authelia_user", + "var_postgresql_for_authelia_password": "REPLACE_ME", + "var_postgresql_for_authelia_schema": "authelia" +} diff --git a/ansible/roles/authelia/tasks/database-postgresql.json b/ansible/roles/postgresql-for-authelia/tasks/main.json similarity index 50% rename from ansible/roles/authelia/tasks/database-postgresql.json rename to ansible/roles/postgresql-for-authelia/tasks/main.json index ca69439..0f053db 100644 --- a/ansible/roles/authelia/tasks/database-postgresql.json +++ b/ansible/roles/postgresql-for-authelia/tasks/main.json @@ -1,6 +1,6 @@ [ { - "name": "database:postgresql | packages", + "name": "packages", "become": true, "ansible.builtin.apt": { "pkg": [ @@ -10,34 +10,34 @@ } }, { - "name": "database:postgresql | user", + "name": "user", "become": true, "become_user": "postgres", "community.postgresql.postgresql_user": { "state": "present", - "name": "{{var_authelia_storage_data_postgresql_username}}", - "password": "{{var_authelia_storage_data_postgresql_password}}" + "name": "{{var_postgresql_for_authelia_username}}", + "password": "{{var_postgresql_for_authelia_password}}" } }, { - "name": "database:postgresql | schema", + "name": "schema", "become": true, "become_user": "postgres", "community.postgresql.postgresql_db": { "state": "present", - "name": "{{var_authelia_storage_data_postgresql_schema}}", - "owner": "{{var_authelia_storage_data_postgresql_username}}" + "name": "{{var_postgresql_for_authelia_schema}}", + "owner": "{{var_postgresql_for_authelia_username}}" } }, { - "name": "database:postgresql | rights", + "name": "rights", "become": true, "become_user": "postgres", "community.postgresql.postgresql_privs": { "state": "present", - "db": "{{var_authelia_storage_data_postgresql_schema}}", + "db": "{{var_postgresql_for_authelia_schema}}", "objs": "ALL_IN_SCHEMA", - "roles": "{{var_authelia_storage_data_postgresql_username}}", + "roles": "{{var_postgresql_for_authelia_username}}", "privs": "ALL", "grant_option": true } diff --git a/ansible/roles/postgresql-for-authelia/vardef.json b/ansible/roles/postgresql-for-authelia/vardef.json new file mode 100644 index 0000000..87b266f --- /dev/null +++ b/ansible/roles/postgresql-for-authelia/vardef.json @@ -0,0 +1,22 @@ +{ + "host": { + "mandatory": false, + "type": "string" + }, + "port": { + "mandatory": false, + "type": "integer" + }, + "username": { + "mandatory": false, + "type": "string" + }, + "password": { + "mandatory": true, + "type": "string" + }, + "schema": { + "mandatory": false, + "type": "string" + } +} From db0ce652945070e19621cfa325fd1c8fdb2e0589 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 19 Mar 2024 18:46:14 +0100 Subject: [PATCH 10/30] [fix] role:authelia --- ansible/roles/authelia/tasks/main.json | 7 ------- 1 file changed, 7 deletions(-) diff --git a/ansible/roles/authelia/tasks/main.json b/ansible/roles/authelia/tasks/main.json index 12bbe17..c765720 100644 --- a/ansible/roles/authelia/tasks/main.json +++ b/ansible/roles/authelia/tasks/main.json @@ -37,13 +37,6 @@ ] } }, - { - "name": "database", - "when": "var_authelia_storage_kind == 'postgresql'", - "ansible.builtin.include_tasks": { - "file": "database-postgresql.json" - } - }, { "name": "generate private key for signing OIDC JWTs", "become": true, From 167e11ec2eb9aa2f6dac087b3a82bf702537c1d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:03:48 +0100 Subject: [PATCH 11/30] [fix] role:tlscert_acme_inwx:apt update --- ansible/roles/tlscert_acme_inwx/tasks/main.json | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/tlscert_acme_inwx/tasks/main.json b/ansible/roles/tlscert_acme_inwx/tasks/main.json index d7016ba..0e8a365 100644 --- a/ansible/roles/tlscert_acme_inwx/tasks/main.json +++ b/ansible/roles/tlscert_acme_inwx/tasks/main.json @@ -3,6 +3,7 @@ "name": "packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "openssl", "python3-cryptography" From f3e0d206fa732543cef7c12edf1d64d3fe452a34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:04:13 +0100 Subject: [PATCH 12/30] [fix] role:tlscert_selfsigned:apt update --- ansible/roles/tlscert_selfsigned/tasks/main.json | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/tlscert_selfsigned/tasks/main.json b/ansible/roles/tlscert_selfsigned/tasks/main.json index 96d3863..5b816f3 100644 --- a/ansible/roles/tlscert_selfsigned/tasks/main.json +++ b/ansible/roles/tlscert_selfsigned/tasks/main.json @@ -3,6 +3,7 @@ "name": "install packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "openssl", "python3-cryptography" From 368d2ecec26d24302a893f38c3465ff17e90949b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:04:43 +0100 Subject: [PATCH 13/30] [fix] role:tlscert_acme_netcup:apt update --- ansible/roles/tlscert_acme_netcup/tasks/main.json | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/tlscert_acme_netcup/tasks/main.json b/ansible/roles/tlscert_acme_netcup/tasks/main.json index 37ad51c..574ee11 100644 --- a/ansible/roles/tlscert_acme_netcup/tasks/main.json +++ b/ansible/roles/tlscert_acme_netcup/tasks/main.json @@ -3,6 +3,7 @@ "name": "packages | debian", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "openssl", "python3-cryptography", From 8353f9ea908b865607ebc47244ba59ca97e23165 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:05:11 +0100 Subject: [PATCH 14/30] [fix] role:lighttpd:apt update --- ansible/roles/lighttpd/tasks/main.json | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/lighttpd/tasks/main.json b/ansible/roles/lighttpd/tasks/main.json index 5d8d887..1b6af91 100644 --- a/ansible/roles/lighttpd/tasks/main.json +++ b/ansible/roles/lighttpd/tasks/main.json @@ -3,6 +3,7 @@ "name": "install packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "lighttpd", "lighttpd-mod-openssl" From 2c5aa961c89de96710f28a17b2f9c0138f0e9f2e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:05:24 +0100 Subject: [PATCH 15/30] [fix] role:murmur:apt update --- ansible/roles/murmur/tasks/main.json | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/murmur/tasks/main.json b/ansible/roles/murmur/tasks/main.json index b135abb..7341ac8 100644 --- a/ansible/roles/murmur/tasks/main.json +++ b/ansible/roles/murmur/tasks/main.json @@ -3,6 +3,7 @@ "name": "packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "mumble-server" ] From 64224db0e5b4c748c2f909052d9bfbcec8e0dc8c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:05:42 +0100 Subject: [PATCH 16/30] [fix] role:nginx:apt update --- ansible/roles/nginx/tasks/main.json | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/nginx/tasks/main.json b/ansible/roles/nginx/tasks/main.json index d39c1e2..c8e2b40 100644 --- a/ansible/roles/nginx/tasks/main.json +++ b/ansible/roles/nginx/tasks/main.json @@ -3,6 +3,7 @@ "name": "install packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "nginx" ] From 26ca0b14c4e44dbd2c8beadc2f47be8ba4bf2c16 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:06:17 +0100 Subject: [PATCH 17/30] [add] role:sqlite-for-hedgedoc --- .../sqlite-for-hedgedoc/defaults/main.json | 4 ++++ .../roles/sqlite-for-hedgedoc/tasks/main.json | 20 +++++++++++++++++++ ansible/roles/sqlite-for-hedgedoc/vardef.json | 10 ++++++++++ 3 files changed, 34 insertions(+) create mode 100644 ansible/roles/sqlite-for-hedgedoc/defaults/main.json create mode 100644 ansible/roles/sqlite-for-hedgedoc/tasks/main.json create mode 100644 ansible/roles/sqlite-for-hedgedoc/vardef.json diff --git a/ansible/roles/sqlite-for-hedgedoc/defaults/main.json b/ansible/roles/sqlite-for-hedgedoc/defaults/main.json new file mode 100644 index 0000000..e574eac --- /dev/null +++ b/ansible/roles/sqlite-for-hedgedoc/defaults/main.json @@ -0,0 +1,4 @@ +{ + "var_sqlite_for_hedgedoc_path": "/var/hedgedoc/data.sqlite", + "var_sqlite_for_hedgedoc_user_name": "hedgedoc" +} diff --git a/ansible/roles/sqlite-for-hedgedoc/tasks/main.json b/ansible/roles/sqlite-for-hedgedoc/tasks/main.json new file mode 100644 index 0000000..7495fca --- /dev/null +++ b/ansible/roles/sqlite-for-hedgedoc/tasks/main.json @@ -0,0 +1,20 @@ +[ + { + "name": "directory", + "become": true, + "ansible.builtin.file": { + "state": "directory", + "path": "{{var_sqlite_for_hedgedoc_path | dirname}}", + "owner": "{{var_hedgedoc_user_name}}" + } + }, + { + "name": "file", + "become": true, + "ansible.builtin.file": { + "state": "touch", + "path": "{{var_sqlite_for_hedgedoc_path}}", + "owner": "{{var_sqlite_for_hedgedoc_user_name}}" + } + } +] diff --git a/ansible/roles/sqlite-for-hedgedoc/vardef.json b/ansible/roles/sqlite-for-hedgedoc/vardef.json new file mode 100644 index 0000000..e62f130 --- /dev/null +++ b/ansible/roles/sqlite-for-hedgedoc/vardef.json @@ -0,0 +1,10 @@ +{ + "path": { + "type": "string", + "mandatory": false + }, + "user_name": { + "type": "string", + "mandatory": false + } +} From 342fc6dd9b7a0ce2f3ec31171ba64b180d89ad05 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:06:32 +0100 Subject: [PATCH 18/30] [fix] role:proftpd:apt update --- ansible/roles/proftpd/tasks/main.json | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/proftpd/tasks/main.json b/ansible/roles/proftpd/tasks/main.json index 982ae45..d277bc0 100644 --- a/ansible/roles/proftpd/tasks/main.json +++ b/ansible/roles/proftpd/tasks/main.json @@ -3,6 +3,7 @@ "name": "install packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "proftpd-core" ] From 1849d6b7a19b4140986caa9a7f29277d5ecb0932 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:07:15 +0100 Subject: [PATCH 19/30] [fix] role:synapse:Variablennamen --- ansible/roles/synapse/defaults/main.json | 14 +++++++------- .../roles/synapse/templates/homeserver.yaml.j2 | 16 ++++++++-------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/ansible/roles/synapse/defaults/main.json b/ansible/roles/synapse/defaults/main.json index a57ac35..28ee5e3 100644 --- a/ansible/roles/synapse/defaults/main.json +++ b/ansible/roles/synapse/defaults/main.json @@ -1,13 +1,13 @@ { "var_synapse_scheme": "https", "var_synapse_domain": "synapse.example.org", - "var_synaspe_database_kind": "sqlite", - "var_synaspe_database_sqlite_path": "/var/synapse/data.sqlite", - "var_synaspe_database_postgresql_host": "localhost", - "var_synaspe_database_postgresql_port": "5432", - "var_synaspe_database_postgresql_username": "synapse_user", - "var_synaspe_database_postgresql_password": "REPLACE_ME", - "var_synaspe_database_postgresql_schema": "synapse", + "var_synapse_database_kind": "sqlite", + "var_synapse_database_data_sqlite_path": "/var/synapse/data.sqlite", + "var_synapse_database_data_postgresql_host": "localhost", + "var_synapse_database_data_postgresql_port": 5432, + "var_synapse_database_data_postgresql_username": "synapse_user", + "var_synapse_database_data_postgresql_password": "REPLACE_ME", + "var_synapse_database_data_postgresql_schema": "synapse", "var_synapse_element_url": "https://element.example.org", "var_synapse_title": "Example | Matrix", "var_synapse_federation_whitelist": [], diff --git a/ansible/roles/synapse/templates/homeserver.yaml.j2 b/ansible/roles/synapse/templates/homeserver.yaml.j2 index de8088e..06e7079 100644 --- a/ansible/roles/synapse/templates/homeserver.yaml.j2 +++ b/ansible/roles/synapse/templates/homeserver.yaml.j2 @@ -1,19 +1,19 @@ -{% if var_synaspe_database_kind == 'sqlite' %} +{% if var_synapse_database_kind == 'sqlite' %} database: name: sqlite3 args: - database: {{var_synaspe_database_sqlite_path}} + database: {{var_synapse_database_sqlite_path}} {% endif %} -{% if var_synaspe_database_kind == 'postgresql' %} +{% if var_synapse_database_kind == 'postgresql' %} database: name: psycopg2 args: - host: {{var_synapse_database_postgresql_host}} - port: {{var_synapse_database_postgresql_port}} - database: "{{var_synapse_database_postgresql_schema}}" - user: "{{var_synapse_database_postgresql_username}}" - password: "{{var_synapse_database_postgresql_password}}" + host: {{var_synapse_database_data_postgresql_host}} + port: {{var_synapse_database_data_postgresql_port | string}} + database: "{{var_synapse_database_data_postgresql_schema}}" + user: "{{var_synapse_database_data_postgresql_username}}" + password: "{{var_synapse_database_data_postgresql_password}}" cp_min: 5 cp_max: 10 {% endif %} From 6fc1f26af22b6a6284a1420aa1ecb49d8c76e101 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:07:58 +0100 Subject: [PATCH 20/30] [fix] role:hedgedoc --- ansible/roles/hedgedoc/defaults/main.json | 11 +-- ansible/roles/hedgedoc/tasks/main.json | 19 +--- .../roles/hedgedoc/templates/config.json.j2 | 25 +++--- ansible/roles/hedgedoc/vardef.json | 87 +++++++++++++++++++ 4 files changed, 105 insertions(+), 37 deletions(-) create mode 100644 ansible/roles/hedgedoc/vardef.json diff --git a/ansible/roles/hedgedoc/defaults/main.json b/ansible/roles/hedgedoc/defaults/main.json index 438eb14..e2a58c4 100644 --- a/ansible/roles/hedgedoc/defaults/main.json +++ b/ansible/roles/hedgedoc/defaults/main.json @@ -11,13 +11,10 @@ "var_hedgedoc_database_data_postgresql_password": "REPLACE_ME", "var_hedgedoc_database_data_postgresql_schema": "hedgedoc", "var_hedgedoc_domain": "hedgedoc.example.org", - "var_hedgedoc_oauth2_enable": false, - "var_hedgedoc_oauth2_provider_name": "external auth", - "var_hedgedoc_oauth2_client_id": "hedgedoc", - "var_hedgedoc_oauth2_client_secret": "REPLACE_ME", - "var_hedgedoc_oauth2_user_profile_url": "https://auth.example.org/profile", - "var_hedgedoc_oauth2_token_url": "https://auth.example.org/token", - "var_hedgedoc_oauth2_authorization_url": "https://auth.example.org/authorization", + "var_hedgedoc_authentication_kind": "authelia", + "var_hedgedoc_authentication_data_authelia_client_id": "hedgedoc", + "var_hedgedoc_authentication_data_authelia_client_secret": "REPLACE_ME", + "var_hedgedoc_authentication_data_authelia_url_base": "https://authelia.linke.sx", "var_hedgedoc_guest_allow_create": false, "var_hedgedoc_guest_allow_change": false, "var_hedgedoc_free_names_mode": "authed" diff --git a/ansible/roles/hedgedoc/tasks/main.json b/ansible/roles/hedgedoc/tasks/main.json index 984e44d..b4fd779 100644 --- a/ansible/roles/hedgedoc/tasks/main.json +++ b/ansible/roles/hedgedoc/tasks/main.json @@ -3,6 +3,7 @@ "name": "packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "acl", "git", @@ -56,24 +57,6 @@ "cmd": "bin/setup" } }, - { - "name": "var directory", - "become": true, - "ansible.builtin.file": { - "state": "directory", - "path": "{{var_hedgedoc_database_path | dirname}}", - "owner": "{{var_hedgedoc_user_name}}" - } - }, - { - "name": "database", - "become": true, - "ansible.builtin.file": { - "state": "touch", - "path": "{{var_hedgedoc_database_path}}", - "owner": "{{var_hedgedoc_user_name}}" - } - }, { "name": "configuration", "become": true, diff --git a/ansible/roles/hedgedoc/templates/config.json.j2 b/ansible/roles/hedgedoc/templates/config.json.j2 index 6c953c5..a5d3184 100644 --- a/ansible/roles/hedgedoc/templates/config.json.j2 +++ b/ansible/roles/hedgedoc/templates/config.json.j2 @@ -4,7 +4,7 @@ {% if var_hedgedoc_database_kind == 'sqlite' %} "db": { "dialect": "sqlite", - "storage": "{{var_hedgedoc_database_path}}" + "storage": "{{var_hedgedoc_database_data_sqlite_path}}" }, {% endif %} {% if var_hedgedoc_database_kind == 'postgresql' %} @@ -25,27 +25,28 @@ "domain": "{{var_hedgedoc_domain}}", "urlAddPort": false, "protocolUseSSL": true, -{% if var_hedgedoc_oauth2_enable %} +{% if var_hedgedoc_authentication_kind == 'internal' %} + "email": true, + "allowEmailRegister": true, +{% endif %} +{% if var_hedgedoc_authentication_kind == 'authelia' %} "oauth2": { - "providerName": "{{var_hedgedoc_oauth2_provider_name}}", - "clientID": "{{var_hedgedoc_oauth2_client_id}}", - "clientSecret": "{{var_hedgedoc_oauth2_client_secret}}", + "providerName": "{{var_hedgedoc_authentication_data_authelia_provider_name}}", + "clientID": "{{var_hedgedoc_authentication_data_authelia_client_id}}", + "clientSecret": "{{var_hedgedoc_authentication_data_authelia_client_secret}}", "scope": "openid email profile", "userProfileUsernameAttr": "sub", "userProfileDisplayNameAttr": "name", "userProfileEmailAttr": "email", - "userProfileURL": "{{var_hedgedoc_oauth2_user_profile_url}}", - "tokenURL": "{{var_hedgedoc_oauth2_token_url}}", - "authorizationURL": "{{var_hedgedoc_oauth2_authorization_url}}" + "userProfileURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/profile", + "tokenURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/token", + "authorizationURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/authorization" }, "email": false, "allowEmailRegister": false, -{% else %} - "email": true, - "allowEmailRegister": true, {% endif %} "allowAnonymous": {{var_hedgedoc_guest_allow_create | to_json}}, - "allowAnonymousEdits": {{var_hedgedoc_guest_allow_edit | to_json}}, + "allowAnonymousEdits": {{var_hedgedoc_guest_allow_change | to_json}}, {% if var_hedgedoc_free_names_mode == 'never' %} "allowFreeURL": false, "requireFreeURLAuthentication": false, diff --git a/ansible/roles/hedgedoc/vardef.json b/ansible/roles/hedgedoc/vardef.json new file mode 100644 index 0000000..cb6e8d6 --- /dev/null +++ b/ansible/roles/hedgedoc/vardef.json @@ -0,0 +1,87 @@ +{ + "user_name": { + "type": "string", + "mandatory": false + }, + "directory": { + "type": "string", + "mandatory": false + }, + "version": { + "type": "string", + "mandatory": false + }, + "session_secret": { + "type": "string", + "mandatory": true + }, + "database_kind": { + "type": "string", + "mandatory": false, + "options": [ + "sqlite", + "postgresql", + "mariadb" + ] + }, + "database_data_sqlite_path": { + "type": "string", + "mandatory": false + }, + "database_data_postgresql_host": { + "type": "string", + "mandatory": false + }, + "database_data_postgresql_port": { + "type": "integer", + "mandatory": false + }, + "database_data_postgresql_username": { + "type": "string", + "mandatory": false + }, + "database_data_postgresql_password": { + "type": "string", + "mandatory": false + }, + "database_data_postgresql_schema": { + "type": "string", + "mandatory": false + }, + "domain": { + "type": "string", + "mandatory": false + }, + "authentication_kind": { + "type": "string", + "mandatory": false, + "options": [ + "internal", + "authelia" + ] + }, + "authentication_data_authelia_client_id": { + "type": "string", + "mandatory": false + }, + "authentication_data_authelia_client_secret": { + "type": "string", + "mandatory": false + }, + "authentication_data_authelia_url_base": { + "type": "string", + "mandatory": false + }, + "guest_allow_create": { + "type": "boolean", + "mandatory": false + }, + "guest_allow_change": { + "type": "boolean", + "mandatory": false + }, + "free_names_mode": { + "type": "string", + "mandatory": false + } +} From c2879c7bf2f36dd013d7791c4e0c05e138d86062 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:08:30 +0100 Subject: [PATCH 21/30] [fix] role:postgresql:apt update --- ansible/roles/postgresql/tasks/main.json | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/postgresql/tasks/main.json b/ansible/roles/postgresql/tasks/main.json index d870dc8..b87c19b 100644 --- a/ansible/roles/postgresql/tasks/main.json +++ b/ansible/roles/postgresql/tasks/main.json @@ -3,6 +3,7 @@ "name": "install packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "postgresql" ] From cb09bca26e9357ff1733dd84c42a0a3a77a29f37 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:08:53 +0100 Subject: [PATCH 22/30] =?UTF-8?q?[mod]=20role:postgresql:Integer-Wert=20f?= =?UTF-8?q?=C3=BCr=20Port=20verwenden?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ansible/roles/postgresql/defaults/main.json | 2 +- .../roles/postgresql/templates/postgresql.conf.j2 | 2 +- ansible/roles/postgresql/vardef.json | 15 +++++++++++++++ 3 files changed, 17 insertions(+), 2 deletions(-) create mode 100644 ansible/roles/postgresql/vardef.json diff --git a/ansible/roles/postgresql/defaults/main.json b/ansible/roles/postgresql/defaults/main.json index abd9af3..ff00ca2 100644 --- a/ansible/roles/postgresql/defaults/main.json +++ b/ansible/roles/postgresql/defaults/main.json @@ -1,5 +1,5 @@ { "var_postgresql_listen_address": "localhost", - "var_postgresql_port": "5432" + "var_postgresql_port": 5432 } diff --git a/ansible/roles/postgresql/templates/postgresql.conf.j2 b/ansible/roles/postgresql/templates/postgresql.conf.j2 index 1b5c664..3b2847f 100644 --- a/ansible/roles/postgresql/templates/postgresql.conf.j2 +++ b/ansible/roles/postgresql/templates/postgresql.conf.j2 @@ -61,7 +61,7 @@ listen_addresses = '{{var_postgresql_listen_address}}' # what IP address(es) to # comma-separated list of addresses; # defaults to 'localhost'; use '*' for all # (change requires restart) -port = {{var_postgresql_port}} # (change requires restart) +port = {{var_postgresql_port | string}} # (change requires restart) max_connections = 100 # (change requires restart) #superuser_reserved_connections = 3 # (change requires restart) unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories diff --git a/ansible/roles/postgresql/vardef.json b/ansible/roles/postgresql/vardef.json new file mode 100644 index 0000000..0fc124f --- /dev/null +++ b/ansible/roles/postgresql/vardef.json @@ -0,0 +1,15 @@ +{ + "listen_address": { + "mandatory": false, + "type": "string" + }, + "port": { + "mandatory": false, + "type": "integer" + }, + "allow_md5_auth": { + "mandatory": false, + "type": "boolean" + } +} + From b36bcf9b83a5cc46f8be8671be4cf0f47e95892b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:09:41 +0100 Subject: [PATCH 23/30] [fix] role:authelia --- ansible/roles/authelia/defaults/main.json | 6 +- ansible/roles/authelia/files/user-manage.py | 12 +- ansible/roles/authelia/tasks/main.json | 1 + .../authelia/templates/conf-main.json.j2 | 43 +++--- ansible/roles/authelia/templates/users.yml.j2 | 6 +- ansible/roles/authelia/vardef.json | 130 ++++++++++++++++++ 6 files changed, 170 insertions(+), 28 deletions(-) create mode 100644 ansible/roles/authelia/vardef.json diff --git a/ansible/roles/authelia/defaults/main.json b/ansible/roles/authelia/defaults/main.json index af34caa..9b5e676 100644 --- a/ansible/roles/authelia/defaults/main.json +++ b/ansible/roles/authelia/defaults/main.json @@ -7,7 +7,7 @@ "var_authelia_log_file_path": "/var/authelia/log.jsonl", "var_authelia_session_domain": "example.org", "var_authelia_session_secret": "REPLACE_ME", - "var_authelia_storage_encryption_key": "storage_encryption_key", + "var_authelia_storage_encryption_key": "REPLACE_ME", "var_authelia_storage_kind": "sqlite", "var_authelia_storage_data_sqlite_path": "/var/authelia/state.db", "var_authelia_storage_data_postgresql_host": "localhost", @@ -25,9 +25,9 @@ "var_authelia_notification_mode": "smtp", "var_authelia_notification_file_path": "/var/authelia/notifications", "var_authelia_notification_smtp_host": "smtp.example.org", - "var_authelia_notification_smtp_port": "465", + "var_authelia_notification_smtp_port": 465, "var_authelia_notification_smtp_username": "authelia", "var_authelia_notification_smtp_password": "REPLACE_ME", - "var_authelia_notification_smtp_sender": "Authelia", + "var_authelia_notification_smtp_sender": "authelia@example.org", "var_authelia_oidc_hmac_secret": "REPLACE_ME" } diff --git a/ansible/roles/authelia/files/user-manage.py b/ansible/roles/authelia/files/user-manage.py index 1e4355a..afd9171 100644 --- a/ansible/roles/authelia/files/user-manage.py +++ b/ansible/roles/authelia/files/user-manage.py @@ -28,14 +28,18 @@ def file_write(path, content): return content -def get_password_hash(binary_file_path, conf_file_path, name): +def get_password_hash(binary_file_path, conf_file_path, password): + # /usr/bin/authelia --config=/etc/authelia/configuration.yml crypto hash generate bcrypt --password=alice output = _subprocess.check_output([ binary_file_path, "--config=%s" % conf_file_path, - "hash-password", - name + "crypto", + "hash", + "generate", + "bcrypt", + "--password=%s" % password, ]) - return output.decode("utf-8").split("\n")[0][8:] + return output.decode("utf-8").split("\n")[0].split(" ")[1] def postprocess(binary_file_path, conf_file_path, data): diff --git a/ansible/roles/authelia/tasks/main.json b/ansible/roles/authelia/tasks/main.json index c765720..92811fa 100644 --- a/ansible/roles/authelia/tasks/main.json +++ b/ansible/roles/authelia/tasks/main.json @@ -3,6 +3,7 @@ "name": "packages | prerequisites", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "apt-transport-https", "gpg" diff --git a/ansible/roles/authelia/templates/conf-main.json.j2 b/ansible/roles/authelia/templates/conf-main.json.j2 index 4279742..98c0437 100644 --- a/ansible/roles/authelia/templates/conf-main.json.j2 +++ b/ansible/roles/authelia/templates/conf-main.json.j2 @@ -1,13 +1,17 @@ { "theme": "auto", - "jwt_secret": "{{var_authelia_jwt_secret}}", + "identity_validation": { + "reset_password": { + "jwt_secret": "{{var_authelia_jwt_secret}}" + } + }, "default_2fa_method": "totp", "server": { - "host": "{{var_authelia_listen_address}}", - "port": 9091, - "path": "", - "enable_pprof": false, - "enable_expvars": false, + "address": "{{var_authelia_listen_address}}:9091", + "endpoints": { + "enable_pprof": false, + "enable_expvars": false + }, "disable_healthcheck": false }, "log": { @@ -121,7 +125,7 @@ "secret": "{{var_authelia_session_secret}}", "expiration": "1h", "inactivity": "5m", - "remember_me_duration": "1M" + "remember_me": "1M" }, "regulation": { "max_retries": 3, @@ -137,8 +141,7 @@ {% endif %} {% if var_authelia_storage_kind == "postgresql" %} "postgres": { - "host": "{{var_authelia_storage_data_postgresql_host}}", - "port": {{var_authelia_storage_data_postgresql_port | string}}, + "address": "{{var_authelia_storage_data_postgresql_host}}:{{var_authelia_storage_data_postgresql_port | string}}", "schema": "public", "username": "{{var_authelia_storage_data_postgresql_username}}", "password": "{{var_authelia_storage_data_postgresql_password}}", @@ -163,18 +166,18 @@ } {% endif %} {% if var_authelia_notification_mode == "smtp" %} - "smtp": { - "host": "{{var_authelia_notification_smtp_host}}", - "port": {{var_authelia_notification_smtp_port}}, - "username": "{{var_authelia_notification_smtp_username}}", - "password": "{{var_authelia_notification_smtp_password}}", - "sender": "{{var_authelia_notification_smtp_sender}}", - "disable_require_tls": false, - "disable_html_emails": false, - "tls": { - "skip_verify": false + "smtp": { + "host": "{{var_authelia_notification_smtp_host}}", + "port": {{var_authelia_notification_smtp_port | string}}, + "username": "{{var_authelia_notification_smtp_username}}", + "password": "{{var_authelia_notification_smtp_password}}", + "sender": "{{var_authelia_notification_smtp_sender}}", + "disable_require_tls": false, + "disable_html_emails": false, + "tls": { + "skip_verify": false + } } - } {% endif %} }, "identity_providers": { diff --git a/ansible/roles/authelia/templates/users.yml.j2 b/ansible/roles/authelia/templates/users.yml.j2 index bf82e98..fcd822f 100644 --- a/ansible/roles/authelia/templates/users.yml.j2 +++ b/ansible/roles/authelia/templates/users.yml.j2 @@ -1 +1,5 @@ -users: {} +users: + _dummy: + displayname: dummy + password: "$2b$12$N5qptdk1VtpSlIlCxspLxeNeRIP6UEho4r1ZCoOlfpAtsIJQIjV/a" + email: dummy@example.org diff --git a/ansible/roles/authelia/vardef.json b/ansible/roles/authelia/vardef.json new file mode 100644 index 0000000..8370d6b --- /dev/null +++ b/ansible/roles/authelia/vardef.json @@ -0,0 +1,130 @@ +{ + "version": { + "type": "string", + "mandatory": false + }, + "architecture": { + "type": "string", + "mandatory": false + }, + "listen_address": { + "type": "string", + "mandatory": false + }, + "jwt_secret": { + "type": "string", + "mandatory": true + }, + "users_file_path": { + "type": "string", + "mandatory": false + }, + "log_file_path": { + "type": "string", + "mandatory": false + }, + "session_domain": { + "type": "string", + "mandatory": false + }, + "session_secret": { + "type": "string", + "mandatory": true + }, + "storage_encryption_key": { + "type": "string", + "mandatory": true + }, + "storage_kind": { + "type": "string", + "mandatory": false + }, + "storage_data_sqlite_path": { + "type": "string", + "mandatory": false + }, + "storage_data_postgresql_host": { + "type": "string", + "mandatory": false + }, + "storage_data_postgresql_port": { + "type": "integer", + "mandatory": false + }, + "storage_data_postgresql_username": { + "type": "string", + "mandatory": false + }, + "storage_data_postgresql_password": { + "type": "string", + "mandatory": false + }, + "storage_data_postgresql_schema": { + "type": "string", + "mandatory": false + }, + "storage_data_mariadb_host": { + "type": "string", + "mandatory": false + }, + "storage_data_mariadb_port": { + "type": "integer", + "mandatory": false + }, + "storage_data_mariadb_username": { + "type": "string", + "mandatory": false + }, + "storage_data_mariadb_password": { + "type": "string", + "mandatory": false + }, + "storage_data_mariadb_schema": { + "type": "string", + "mandatory": false + }, + "ntp_server": { + "type": "string", + "mandatory": false + }, + "password_reset_enabled": { + "type": "boolean", + "mandatory": false + }, + "notification_mode": { + "type": "string", + "mandatory": false, + "options": [ + "file", + "smtp" + ] + }, + "notification_file_path": { + "type": "string", + "mandatory": false + }, + "notification_smtp_host": { + "type": "string", + "mandatory": false + }, + "notification_smtp_port": { + "type": "integer", + "mandatory": false + }, + "notification_smtp_username": { + "type": "string", + "mandatory": false + }, + "notification_smtp_password": { + "type": "string", + "mandatory": false + }, + "notification_smtp_sender": { + "type": "string", + "mandatory": false + }, + "oidc_hmac_secret": { + "type": "string", + "mandatory": true + } +} From 090d7d419020c035d4bd02b0cfe6393bdea01f3e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:10:16 +0100 Subject: [PATCH 24/30] [fix] role:authelia-for-hedgedoc --- .../templates/authelia-client-conf.json.j2 | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 b/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 index 3024226..10ad3cb 100644 --- a/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 +++ b/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 @@ -1,7 +1,7 @@ { - "id": "{{var_authelia_for_hedgedoc_client_id}}", - "description": "Hedgedoc", - "secret": "{{var_authelia_for_hedgedoc_client_secret}}", + "client_id": "{{var_authelia_for_hedgedoc_client_id}}", + "client_secret": "{{var_authelia_for_hedgedoc_client_secret}}", + "client_name": "Hedgedoc", "public": false, "authorization_policy": "one_factor", "scopes": [ @@ -13,7 +13,6 @@ "{{var_authelia_for_hedgedoc_hedgedoc_url_base}}/auth/oauth2/callback" ], "grant_types": [ - "refresh_token", "authorization_code" ], "response_types": [ @@ -24,5 +23,5 @@ "query", "fragment" ], - "userinfo_signing_algorithm": "none" + "userinfo_signed_response_alg": "none" } From b9ac243efe47c65a958a43739cb758fd640b9b0a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:10:35 +0100 Subject: [PATCH 25/30] [fix] role:authelia-for-synapse --- .../templates/authelia-client-conf.json.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ansible/roles/authelia-for-synapse/templates/authelia-client-conf.json.j2 b/ansible/roles/authelia-for-synapse/templates/authelia-client-conf.json.j2 index be88570..3f91cdf 100644 --- a/ansible/roles/authelia-for-synapse/templates/authelia-client-conf.json.j2 +++ b/ansible/roles/authelia-for-synapse/templates/authelia-client-conf.json.j2 @@ -1,7 +1,7 @@ { - "id": "{{var_authelia_for_synapse_client_id}}", - "description": "Synapse", - "secret": "{{var_authelia_for_synapse_client_secret}}", + "client_id": "{{var_authelia_for_synapse_client_id}}", + "client_secret": "{{var_authelia_for_synapse_client_secret}}", + "client_name": "Synapse", "public": false, "authorization_policy": "one_factor", "redirect_uris": [ @@ -12,5 +12,5 @@ "email", "profile" ], - "userinfo_signing_algorithm": "none" + "userinfo_signed_response_alg": "none" } From f392a17f5b37d4226e0dde641cbf1b17e41e7a8a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:11:13 +0100 Subject: [PATCH 26/30] [fix] role:postgresql-for-authelia:apt update und pg options --- ansible/roles/postgresql-for-authelia/tasks/main.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ansible/roles/postgresql-for-authelia/tasks/main.json b/ansible/roles/postgresql-for-authelia/tasks/main.json index 0f053db..e2b3aa5 100644 --- a/ansible/roles/postgresql-for-authelia/tasks/main.json +++ b/ansible/roles/postgresql-for-authelia/tasks/main.json @@ -3,6 +3,7 @@ "name": "packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "acl", "python3-psycopg2" @@ -17,6 +18,9 @@ "state": "present", "name": "{{var_postgresql_for_authelia_username}}", "password": "{{var_postgresql_for_authelia_password}}" + }, + "environment": { + "PGOPTIONS": "-c password_encryption=scram-sha-256" } }, { From 9c03561b1aceea773729d4b54550065f7a6df7e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:11:32 +0100 Subject: [PATCH 27/30] [fix] role:postgresql-for-hedgedoc:apt update und pg options --- ansible/roles/postgresql-for-hedgedoc/tasks/main.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ansible/roles/postgresql-for-hedgedoc/tasks/main.json b/ansible/roles/postgresql-for-hedgedoc/tasks/main.json index 85431cc..3551075 100644 --- a/ansible/roles/postgresql-for-hedgedoc/tasks/main.json +++ b/ansible/roles/postgresql-for-hedgedoc/tasks/main.json @@ -3,6 +3,7 @@ "name": "packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "acl", "python3-psycopg2" @@ -17,6 +18,9 @@ "state": "present", "name": "{{var_postgresql_for_hedgedoc_username}}", "password": "{{var_postgresql_for_hedgedoc_password}}" + }, + "environment": { + "PGOPTIONS": "-c password_encryption=scram-sha-256" } }, { From 81bef7dd446d8f38c09c1ce1f2a6029a06f86637 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:11:48 +0100 Subject: [PATCH 28/30] [fix] role:postgresql-for-postgresql:apt update und pg options --- ansible/roles/postgresql-for-synapse/tasks/main.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ansible/roles/postgresql-for-synapse/tasks/main.json b/ansible/roles/postgresql-for-synapse/tasks/main.json index 7b6cee0..7f6ceb0 100644 --- a/ansible/roles/postgresql-for-synapse/tasks/main.json +++ b/ansible/roles/postgresql-for-synapse/tasks/main.json @@ -3,6 +3,7 @@ "name": "packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "acl", "python3-psycopg2" @@ -17,6 +18,9 @@ "state": "present", "name": "{{var_postgresql_for_synapse_username}}", "password": "{{var_postgresql_for_synapse_password}}" + }, + "environment": { + "PGOPTIONS": "-c password_encryption=scram-sha-256" } }, { From aefe805a10a2518b6bb590c8d4c8eccd738d33f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:47:45 +0100 Subject: [PATCH 29/30] [fix] role:synapse:auth --- ansible/roles/synapse/defaults/main.json | 12 ++++---- .../synapse/templates/homeserver.yaml.j2 | 30 +++++++++---------- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/ansible/roles/synapse/defaults/main.json b/ansible/roles/synapse/defaults/main.json index 28ee5e3..bc84eb6 100644 --- a/ansible/roles/synapse/defaults/main.json +++ b/ansible/roles/synapse/defaults/main.json @@ -13,12 +13,12 @@ "var_synapse_federation_whitelist": [], "var_synapse_password_strict_policy": true, "var_synapse_registration_shared_secret": "REPLACE_ME", - "var_synapse_oidc_enable": false, - "var_synapse_oidc_provider_id": "external_auth", - "var_synapse_oidc_provider_name": "external auth", - "var_synapse_oidc_client_id": "synapse", - "var_synapse_oidc_client_secret": "REPLACE_ME", - "var_synapse_oidc_issuer_url": "https://auth.example.org", + "var_synapse_authentication_kind": "internal", + "var_synapse_authentication_data_authelia_provider_id": "authelia", + "var_synapse_authentication_data_authelia_provider_name": "Authelia", + "var_synapse_authentication_data_authelia_client_id": "synapse", + "var_synapse_authentication_data_authelia_client_secret": "REPLACE_ME", + "var_synapse_authentication_data_authelia_url_base": "https://authelia.example.org", "var_synapse_smtp_host": "smtp.example.org", "var_synapse_smtp_port": 587, "var_synapse_smtp_username": "synapse@smtp.example.org", diff --git a/ansible/roles/synapse/templates/homeserver.yaml.j2 b/ansible/roles/synapse/templates/homeserver.yaml.j2 index 06e7079..f5c310c 100644 --- a/ansible/roles/synapse/templates/homeserver.yaml.j2 +++ b/ansible/roles/synapse/templates/homeserver.yaml.j2 @@ -91,29 +91,29 @@ recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" registration_shared_secret: "{{var_synapse_registration_shared_secret}}" {% endif %} -{% if var_synapse_oidc_enable %} -enable_registration: false -enable_registration_without_verification: false -{% else %} -enable_registration: true -enable_registration_without_verification: true -{% endif %} - oidc_config: user_mapping_provider: config: # NOT an Ansible variable localpart_template: "{{"{{"}} user.preferred_username {{"}}"}}" -{% if var_synapse_oidc_enable %} +{% if var_synapse_authentication_kind == 'internal' %} +enable_registration: true +enable_registration_without_verification: true +{% endif %} + +{% if var_synapse_authentication_kind == 'authelia' %} +enable_registration: false +enable_registration_without_verification: false + oidc_providers: - - idp_id: "{{var_synapse_oidc_provider_id}}" - idp_name: "{{var_synapse_oidc_provider_name}}" - # idp_icon: "mxc://authelia.com/cKlrTPsGvlpKxAYeHWJsdVHI" + - idp_id: "{{var_synapse_authentication_data_authelia_provider_id}}" + idp_name: "{{var_synapse_authentication_data_authelia_provider_name}}" + idp_icon: "mxc://authelia.com/cKlrTPsGvlpKxAYeHWJsdVHI" discover: true - issuer: "{{var_synapse_oidc_issuer_url}}" - client_id: "{{var_synapse_oidc_client_id}}" - client_secret: "{{var_synapse_oidc_client_secret}}" + issuer: "{{var_synapse_authentication_data_authelia_url_base}}" + client_id: "{{var_synapse_authentication_data_authelia_client_id}}" + client_secret: "{{var_synapse_authentication_data_authelia_client_secret}}" scopes: ["openid", "profile", "email"] allow_existing_users: true user_mapping_provider: From 78efa5297f47ac4b9949a764d0a409edd2405e29 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:48:04 +0100 Subject: [PATCH 30/30] [mod] role:authelia-for-hedgedoc:refresh_token --- .../authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 b/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 index 10ad3cb..2b9a311 100644 --- a/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 +++ b/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 @@ -13,6 +13,7 @@ "{{var_authelia_for_hedgedoc_hedgedoc_url_base}}/auth/oauth2/callback" ], "grant_types": [ + "refresh_token", "authorization_code" ], "response_types": [