Merge branch 'main' into dev-dokuwiki

ansible/roles/authelia-and-nginx/defaults/main.json

@@ -0,0 +1,3 @@
+{
+	"var_authelia_and_nginx_domain": "authelia.example.org"
+}

ansible/roles/authelia-and-nginx/info.md

@@ -0,0 +1,3 @@
+## Verweise
+
+- [Authelia-Dokumentation](https://www.authelia.com/integration/proxies/nginx/)

ansible/roles/authelia-and-nginx/tasks/main.json

@@ -0,0 +1,35 @@
+[
+	{
+		"name": "deactivate default site",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "absent",
+			"dest": "/etc/nginx/sites-enabled/default"
+		}
+	},
+	{
+		"name": "emplace configuration | data",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "conf.j2",
+			"dest": "/etc/nginx/sites-available/{{var_authelia_and_nginx_domain}}"
+		}
+	},
+	{
+		"name": "emplace configuration | link",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "link",
+			"src": "/etc/nginx/sites-available/{{var_authelia_and_nginx_domain}}",
+			"dest": "/etc/nginx/sites-enabled/{{var_authelia_and_nginx_domain}}"
+		}
+	},
+	{
+		"name": "restart nginx",
+		"become": true,
+		"ansible.builtin.systemd_service": {
+			"state": "restarted",
+			"name": "nginx"
+		}
+	}
+]

ansible/roles/authelia-and-nginx/templates/conf.j2

@@ -0,0 +1,62 @@
+server {
+	server_name {{var_authelia_and_nginx_domain}};
+	
+	listen [::]:80;
+	listen 80;
+	
+	return 301 https://$server_name$request_uri;
+}
+
+server {
+	server_name {{var_authelia_and_nginx_domain}};
+	
+	listen [::]:443 ssl http2;
+	listen 443 ssl http2;
+	
+	ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem;
+	ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem;
+	
+	location / {
+		## Headers
+		proxy_set_header Host $host;
+		proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header X-Forwarded-Host $http_host;
+		proxy_set_header X-Forwarded-Uri $request_uri;
+		proxy_set_header X-Forwarded-Ssl on;
+		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header Connection "";
+
+		## Basic Proxy Configuration
+		client_body_buffer_size 128k;
+		proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
+		proxy_redirect  http://  $scheme://;
+		proxy_http_version 1.1;
+		proxy_cache_bypass $cookie_session;
+		proxy_no_cache $cookie_session;
+		proxy_buffers 64 256k;
+
+		## Trusted Proxies Configuration
+		## Please read the following documentation before configuring this:
+		##     https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
+		# set_real_ip_from 10.0.0.0/8;
+		# set_real_ip_from 172.16.0.0/12;
+		# set_real_ip_from 192.168.0.0/16;
+		# set_real_ip_from fc00::/7;
+		real_ip_header X-Forwarded-For;
+		real_ip_recursive on;
+
+		## Advanced Proxy Configuration
+		send_timeout 5m;
+		proxy_read_timeout 360;
+		proxy_send_timeout 360;
+		proxy_connect_timeout 360;
+		
+		proxy_pass http://localhost:9091;
+	}
+	
+	location /api/verify {
+		proxy_pass http://localhost:9091;
+	}
+}

ansible/roles/authelia-for-hedgedoc/defaults/main.json

@@ -0,0 +1,5 @@
+{
+	"var_authelia_for_hedgedoc_hedgedoc_url_base": "https://hedgedoc.example.org",
+	"var_authelia_for_hedgedoc_client_id": "hedgedoc",
+	"var_authelia_for_hedgedoc_client_secret": "REPLACE_ME"
+}

ansible/roles/authelia-for-hedgedoc/info.md

@@ -0,0 +1,10 @@
+## Beschreibung
+
+Um [Hedgedoc](../hedgedoc) gegen [Authelia](../authelia) authentifizieren zu lassen
+
+
+## Verweise
+
+- [Authelia-Dokumentation | Configuration: OpenID Connect: Client](https://www.authelia.com/configuration/identity-providers/open-id-connect/#clients)
+- [Hedgedoc-Dokumentation | Authelia](https://docs.hedgedoc.org/guides/auth/authelia/)
+- [Hedgedoc-Dokumentation | Conf: OAuth2 Login](https://docs.hedgedoc.org/configuration/#oauth2-login)

ansible/roles/authelia-for-hedgedoc/tasks/main.json

@@ -0,0 +1,25 @@
+[
+	{
+		"name": "configuration | emplace",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "authelia-client-conf.json.j2",
+			"dest": "/etc/authelia/conf.d/clients/hedgedoc.json"
+		}
+	},
+	{
+		"name": "configuration | apply",
+		"become": true,
+		"ansible.builtin.command": {
+			"cmd": "/usr/bin/authelia-conf-compose"
+		}
+	},
+	{
+		"name": "restart service",
+		"become": true,
+		"ansible.builtin.systemd_service": {
+			"state": "restarted",
+			"name": "authelia"
+		}
+	}
+]

ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2

@@ -0,0 +1,28 @@
+{
+	"id": "{{var_authelia_for_hedgedoc_client_id}}",
+	"description": "Hedgedoc",
+	"secret": "{{var_authelia_for_hedgedoc_client_secret}}",
+	"public": false,
+	"authorization_policy": "one_factor",
+	"scopes": [
+		"openid",
+		"email",
+		"profile"
+	],
+	"redirect_uris": [
+		"{{var_authelia_for_hedgedoc_hedgedoc_url_base}}/auth/oauth2/callback"
+	],
+	"grant_types": [
+		"refresh_token",
+		"authorization_code"
+	],
+	"response_types": [
+		"code"
+	],
+	"response_modes": [
+		"form_post",
+		"query",
+		"fragment"
+	],
+	"userinfo_signing_algorithm": "none"
+}

ansible/roles/authelia-for-synapse/defaults/main.json

@@ -0,0 +1,5 @@
+{
+	"var_authelia_for_synapse_synapse_url_base": "https://matrix.example.org",
+	"var_authelia_for_synapse_client_id": "synapse",
+	"var_authelia_for_synapse_client_secret": "REPLACE_ME"
+}

ansible/roles/authelia-for-synapse/info.md

@@ -0,0 +1,9 @@
+## Beschreibung
+
+Um [Synapse](../synapse) gegen [Authelia](../authelia) authentifizieren zu lassen
+
+
+## Verweise
+
+- [Authelia-Dokumentation | Synapse Integration](https://www.authelia.com/integration/openid-connect/synapse/)
+- [Synapse-Dokumentation | OpenID Connect](https://matrix-org.github.io/synapse/latest/openid.html)

ansible/roles/authelia-for-synapse/tasks/main.json

@@ -0,0 +1,25 @@
+[
+	{
+		"name": "configuration | emplace",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "authelia-client-conf.json.j2",
+			"dest": "/etc/authelia/conf.d/clients/synapse.json"
+		}
+	},
+	{
+		"name": "configuration | apply",
+		"become": true,
+		"ansible.builtin.command": {
+			"cmd": "/usr/bin/authelia-conf-compose"
+		}
+	},
+	{
+		"name": "restart service",
+		"become": true,
+		"ansible.builtin.systemd_service": {
+			"state": "restarted",
+			"name": "authelia"
+		}
+	}
+]

ansible/roles/authelia-for-synapse/templates/authelia-client-conf.json.j2

@@ -0,0 +1,16 @@
+{
+	"id": "{{var_authelia_for_synapse_client_id}}",
+	"description": "Synapse",
+	"secret": "{{var_authelia_for_synapse_client_secret}}",
+	"public": false,
+	"authorization_policy": "one_factor",
+	"redirect_uris": [
+		"{{var_authelia_for_synapse_synapse_url_base}}/_synapse/client/oidc/callback"
+	],
+	"scopes": [
+		"openid",
+		"email",
+		"profile"
+	],
+	"userinfo_signing_algorithm": "none"
+}

ansible/roles/authelia/defaults/main.json

@@ -0,0 +1,21 @@
+{
+	"var_authelia_version": "4.37.5",
+	"var_authelia_architecture": "amd64",
+	"var_authelia_listen_address": "0.0.0.0",
+	"var_authelia_jwt_secret": "REPLACE_ME",
+	"var_authelia_users_file_path": "/var/authelia/users.yml",
+	"var_authelia_log_file_path": "/var/authelia/log.jsonl",
+	"var_authelia_session_domain": "example.org",
+	"var_authelia_session_secret": "REPLACE_ME",
+	"var_authelia_storage_path": "/var/authelia/state.db",
+	"var_authelia_storage_encryption_key": "storage_encryption_key",
+	"var_authelia_ntp_server": "time.cloudflare.com:123",
+	"var_authelia_notification_mode": "smtp",
+	"var_authelia_notification_file_path": "/var/authelia/notifications",
+	"var_authelia_notification_smtp_host": "smtp.example.org",
+	"var_authelia_notification_smtp_port": "465",
+	"var_authelia_notification_smtp_username": "authelia",
+	"var_authelia_notification_smtp_password": "smtp_password",
+	"var_authelia_notification_smtp_sender": "Authelia",
+	"var_authelia_oidc_hmac_secret": "oidc_hmac_secret"
+}

ansible/roles/authelia/files/conf-compose.py

@@ -0,0 +1,150 @@
+#!/usr/bin/env python3
+
+import sys as _sys
+import os as _os
+import yaml as _yaml
+import json as _json
+import argparse as _argparse
+
+
+def file_read(path):
+	handle = open(path, "r")
+	content = handle.read()
+	handle.close()
+	return content
+	
+
+def file_write(path, content):
+	directory = _os.path.dirname(path)
+	if (not _os.path.exists(directory)):
+		_os.makedirs(directory, exist_ok = True)
+	else:
+		pass
+	handle = open(path, "w")
+	handle.write(content)
+	handle.close()
+	return content
+	
+
+def dict_merge(core, mantle, path = None):
+	if (path is None):
+		path = []
+	result = {}
+	for source in [core, mantle]:
+		for (key, value_new, ) in source.items():
+			path_ = (path + [key])
+			type_new = type(value_new)
+			if (not (key in result)):
+				result[key] = value_new
+			else:
+				value_old = result[key]
+				type_old = type(value_old)
+				if (value_old is None):
+					result[key] = value_new
+				else:
+					if (not (type_old == type_new)):
+						raise ValueError(
+							"type mismatch at path %s: %s vs. %s"
+							% (
+								".".join(path),
+								str(type_old),
+								str(type_new),
+							)
+						)
+					else:
+						if (type_old == dict):
+							result[key] = dict_merge(value_old, value_new, path_)
+						elif (type_old == list):
+							result[key] = (value_old + value_new)
+						else:
+							result[key] = value_new
+	return result
+	
+
+def main():
+	## args
+	argument_parser = _argparse.ArgumentParser()
+	argument_parser.add_argument(
+		"-m",
+		"--main-file-path",
+		type = str,
+		dest = "main_file_path",
+		default = "/etc/authelia/conf.d/main.json",
+		metavar = "<main-file-path>",
+	)
+	argument_parser.add_argument(
+		"-c",
+		"--clients-directory-path",
+		type = str,
+		dest = "clients_directory_path",
+		default = "/etc/authelia/conf.d/clients",
+		metavar = "<clients-directory-path>",
+	)
+	argument_parser.add_argument(
+		"-f",
+		"--output-format",
+		type = str,
+		choices = ["json", "yaml"],
+		dest = "output_format",
+		default = "yaml",
+		metavar = "<output-format>",
+	)
+	argument_parser.add_argument(
+		"-o",
+		"--output-path",
+		type = str,
+		dest = "output_path",
+		default = "/etc/authelia/configuration.yml",
+		metavar = "<output-path>",
+	)
+	args = argument_parser.parse_args()
+	
+	## exec
+	data = {}
+	### main
+	if True:
+		data_ = _json.loads(file_read(args.main_file_path))
+		data = dict_merge(data, data_)
+	### clients
+	if True:
+		for name in _os.listdir(args.clients_directory_path):
+			data__ = _json.loads(file_read(_os.path.join(args.clients_directory_path, name)))
+			data_ = {
+				"identity_providers": {
+					"oidc": {
+						"clients": [data__]
+					}
+				}
+			}
+			data = dict_merge(data, data_)
+	### postprocess
+	if True:
+		if (len(data["identity_providers"]["oidc"]["clients"]) <= 0):
+			data["identity_providers"]["oidc"]["clients"].append(
+				{
+					"public": False,
+					"id": "_dummy",
+					"description": "not a real client; just here to make Authelia run",
+					"authorization_policy": "one_factor",
+					"secret": "",
+					"scopes": [],
+					"redirect_uris": [],
+					"grant_types": [],
+					"response_types": [],
+					"response_modes": [],
+				}
+			)
+		else:
+			pass
+	## output
+	if True:
+		if (args.output_format == "json"):
+			output_content = _json.dumps(data, indent = "\t")
+		elif (args.output_format == "yaml"):
+			output_content = _yaml.dump(data)
+		else:
+			raise ValueError("invalid output format")
+		file_write(args.output_path, output_content)
+	
+
+main()

ansible/roles/authelia/files/user-manage.py

@@ -0,0 +1,188 @@
+#!/usr/bin/env python3
+
+import sys as _sys
+import os as _os
+import subprocess as _subprocess
+import argparse as _argparse
+import yaml as _yaml
+import string as _string
+import random as _random
+
+
+def file_read(path):
+	handle = open(path, "r")
+	content = handle.read()
+	handle.close()
+	return content
+	
+
+def file_write(path, content):
+	directory = _os.path.dirname(path)
+	if (not _os.path.exists(directory)):
+		_os.makedirs(directory, exist_ok = True)
+	else:
+		pass
+	handle = open(path, "w")
+	handle.write(content)
+	handle.close()
+	return content
+	
+
+def get_password_hash(binary_file_path, conf_file_path, name):
+	output = _subprocess.check_output([
+		binary_file_path,
+		"--config=%s" % conf_file_path,
+		"hash-password",
+		name
+	])
+	return output.decode("utf-8").split("\n")[0][8:]
+	
+
+def postprocess(binary_file_path, conf_file_path, data):
+	password = "".join(map(lambda x: _random.choice(_string.ascii_lowercase), range(16)))
+	if (len(data["users"]) <= 0):
+		data["users"]["_dummy"] = {
+			"displayname": "(Dummy)",
+			"password": get_password_hash(binary_file_path, conf_file_path, password),
+			"email": "dummy@nowhere.net",
+			"groups": [],
+		}
+	else:
+		pass
+	return data
+	
+
+def data_read(user_file_path):
+	data = _yaml.safe_load(file_read(user_file_path))
+	data["users"].pop("_dummy", None)
+	return data
+	
+
+def data_write(binary_file_path, conf_file_path, user_file_path, data):
+	file_write(user_file_path, _yaml.dump(postprocess(binary_file_path, conf_file_path, data)))
+	
+
+def main():
+	## args
+	argument_parser = _argparse.ArgumentParser()
+	argument_parser.add_argument(
+		"command",
+		type = str,
+		choices = ["list", "show", "add", "change", "remove"],
+		default = "list",
+		help = "command to execute",
+	)
+	argument_parser.add_argument(
+		"-b",
+		"--binary-file-path",
+		type = str,
+		default = "/usr/bin/authelia",
+		help = "path to the Authelia binary file",
+	)
+	argument_parser.add_argument(
+		"-c",
+		"--conf-file-path",
+		type = str,
+		default = "/etc/authelia/configuration.yml",
+		help = "path to the Authelia configuration file",
+	)
+	argument_parser.add_argument(
+		"-u",
+		"--user-file-path",
+		type = str,
+		default = "/var/authelia/users.yml",
+		help = "path to the user database file",
+	)
+	argument_parser.add_argument(
+		"-n",
+		"--login-name",
+		type = str,
+		default = None,
+		help = "login name of the user; has to be unique",
+	)
+	argument_parser.add_argument(
+		"-p",
+		"--password",
+		type = str,
+		default = None,
+		help = "password of the user",
+	)
+	argument_parser.add_argument(
+		"-d",
+		"--display-name",
+		type = str,
+		default = None,
+		help = "display name of the user",
+	)
+	argument_parser.add_argument(
+		"-e",
+		"--email",
+		type = str,
+		default = None,
+		help = "e-mail address of the user",
+	)
+	args = argument_parser.parse_args()
+	
+	## exec
+	data = data_read(args.user_file_path)
+	if (args.command == "list"):
+		names = sorted(data["users"].keys())
+		for name in names:
+			_sys.stdout.write("%s\n" % name)
+	elif (args.command == "show"):
+		if (args.login_name is None):
+			raise ValueError("name required")
+		else:
+			if (not (args.login_name in data["users"])):
+				raise ValueError("no such user")
+			else:
+				entry = data["users"][args.login_name]
+				_sys.stdout.write("%s\n" % _yaml.dump(entry))
+	elif (args.command == "add"):
+		if (args.login_name is None):
+			raise ValueError("name required")
+		else:
+			if (args.password is None):
+				raise ValueError("password required")
+			else:
+				entry = {
+					"displayname": (args.display_name or args.login_name),
+					"password": get_password_hash(args.binary_file_path, args.conf_file_path, args.login_name),
+					"email": args.email,
+					"groups": [],
+				}
+				data["users"][args.login_name] = entry
+				data_write(args.binary_file_path, args.conf_file_path, args.user_file_path, data)
+	elif (args.command == "change"):
+		if (args.login_name is None):
+			raise ValueError("name required")
+		else:
+			entry = data["users"][args.login_name]
+			if (args.password is None):
+				pass
+			else:
+				entry["password"] = get_password_hash(args.binary_file_path, args.conf_file_path, args.login_name)
+			if (args.display_name is None):
+				pass
+			else:
+				entry["displayname"] = args.display_name
+			if (args.email is None):
+				pass
+			else:
+				entry["email"] = args.email
+			data["users"][args.login_name] = entry
+			data_write(args.binary_file_path, args.conf_file_path, args.user_file_path, data)
+	elif (args.command == "remove"):
+		if (args.login_name is None):
+			raise ValueError("name required")
+		else:
+			if (not (args.login_name in data["users"])):
+				raise ValueError("no such user")
+			else:
+				del data["users"][args.login_name]
+				data_write(args.binary_file_path, args.conf_file_path, args.user_file_path, data)
+	else:
+		raise NotImplementedError()
+
+
+main()

ansible/roles/authelia/info.md

@@ -0,0 +1,17 @@
+## Beschreibung
+
+- zum Aufsetzen des Authentifizierungs-Dienstes [Authelia](https://www.authelia.com/)
+- um einen Clients hinzuzfügen, erstellt man eine entsprechende JSON-Datei in `/etc/authelia/conf.d/clients` und führt aus `authelia-conf-compose`
+- zum Verwalten der Nutzer kann man `authelia-user-manage` verwenden (`-h` anhängen für Erklärung)
+
+
+## Verweise
+
+- [GitHub-Seite](https://github.com/authelia/authelia)
+- [Installations-Anleitung](https://www.authelia.com/integration/deployment/bare-metal/)
+- [Dokumentation | Konfiguration](https://www.authelia.com/configuration/)
+
+
+## ToDo
+
+- Nutzer-Verwaltung verbessern (evtl. externalisieren)

ansible/roles/authelia/tasks/main.json

@@ -0,0 +1,128 @@
+[
+	{
+		"name": "packages | prerequisites",
+		"become": true,
+		"ansible.builtin.apt": {
+			"pkg": [
+				"apt-transport-https",
+				"gpg"
+			]
+		}
+	},
+	{
+		"name": "packages | keys",
+		"become": true,
+		"ansible.builtin.apt_key": {
+			"url": "https://apt.authelia.com/organization/signing.asc"
+		}
+	},
+	{
+		"name": "packages | repository",
+		"become": true,
+		"ansible.builtin.apt_repository": {
+			"repo": "deb https://apt.authelia.com/stable/debian/debian/ all main"
+		}
+
+	},
+	{
+		"name": "packages | installation",
+		"become": true,
+		"ansible.builtin.apt": {
+			"update_cache": true,
+			"pkg": [
+				"openssl",
+				"python3-cryptography",
+				"python3-yaml",
+				"authelia"
+			]
+		}
+	},
+	{
+		"name": "generate private key for signing OIDC JWTs",
+		"become": true,
+		"community.crypto.openssl_privatekey": {
+			"type": "RSA",
+			"size": 4096,
+			"path": "/etc/ssl/private/authelia-key.pem",
+			"return_content": true
+		},
+		"register": "temp_tls_result"
+	},
+	{
+		"name": "configuration | compose script",
+		"become": true,
+		"ansible.builtin.copy": {
+			"src": "conf-compose.py",
+			"dest": "/usr/bin/authelia-conf-compose",
+			"mode": "0700"
+		}
+	},
+	{
+		"name": "configuration | directories",
+		"become": true,
+		"loop": [
+			"/etc/authelia/conf.d",
+			"/etc/authelia/conf.d/clients"
+		],
+		"ansible.builtin.file": {
+			"state": "directory",
+			"path": "{{item}}"
+		}
+	},
+	{
+		"name": "configuration | main",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "conf-main.json.j2",
+			"dest": "/etc/authelia/conf.d/main.json"
+		}
+	},
+	{
+		"name": "configuration | compose",
+		"become": true,
+		"ansible.builtin.command": {
+			"cmd": "/usr/bin/authelia-conf-compose --main-file-path=/etc/authelia/conf.d/main.json --clients-directory-path=/etc/authelia/conf.d/clients --output-format=yaml --output-path=/etc/authelia/configuration.yml"
+		}
+	},
+	{
+		"name": "setup log directory",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "directory",
+			"path": "{{var_authelia_log_file_path | dirname}}"
+		}
+	},
+	{
+		"name": "users | directory",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "directory",
+			"path": "{{var_authelia_users_file_path | dirname}}"
+		}
+	},
+	{
+		"name": "users | initial file",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "users.yml.j2",
+			"dest": "{{var_authelia_users_file_path}}"
+		}
+	},
+	{
+		"name": "users | management script",
+		"become": true,
+		"ansible.builtin.copy": {
+			"src": "user-manage.py",
+			"dest": "/usr/bin/authelia-user-manage",
+			"mode": "0700"
+		}
+	},
+	{
+		"name": "apply",
+		"become": true,
+		"ansible.builtin.systemd_service": {
+			"state": "restarted",
+			"name": "authelia"
+		}
+	}
+]

ansible/roles/authelia/templates/conf-main.json.j2

@@ -0,0 +1,166 @@
+{
+	"theme": "auto",
+	"jwt_secret": "{{var_authelia_jwt_secret}}",
+	"default_2fa_method": "totp",
+	"server": {
+		"host": "{{var_authelia_listen_address}}",
+		"port": 9091,
+		"path": "",
+		"enable_pprof": false,
+		"enable_expvars": false,
+		"disable_healthcheck": false
+	},
+	"log": {
+		"level": "info",
+		"format": "json",
+		"file_path": "{{var_authelia_log_file_path}}",
+		"keep_stdout": false
+	},
+	"telemetry": {
+		"metrics": {
+			"enabled": false,
+			"address": "tcp://0.0.0.0:9959"
+		}
+	},
+	"totp": {
+		"disable": false,
+		"issuer": "authelia.com",
+		"algorithm": "sha1",
+		"digits": 6,
+		"period": 30,
+		"skew": 1,
+		"secret_size": 32
+	},
+	"webauthn": {
+		"disable": true,
+		"timeout": "60s",
+		"display_name": "Authelia",
+		"attestation_conveyance_preference": "indirect",
+		"user_verification": "preferred"
+	},
+	"ntp": {
+		"address": "{{var_authelia_ntp_server}}",
+		"version": 4,
+		"max_desync": "3s",
+		"disable_startup_check": false,
+		"disable_failure": false
+	},
+	"authentication_backend": {
+		"password_reset": {
+			"disable": true,
+			"custom_url": ""
+		},
+		"refresh_interval": "5m",
+		"file": {
+			"path": "{{var_authelia_users_file_path}}",
+			"watch": true,
+			"search": {
+				"email": false,
+				"case_insensitive": false
+			},
+			"password": {
+				"algorithm": "argon2",
+				"argon2": {
+					"variant": "argon2id",
+					"iterations": 3,
+					"memory": 65536,
+					"parallelism": 4,
+					"key_length": 32,
+					"salt_length": 16
+				},
+				"scrypt": {
+					"iterations": 16,
+					"block_size": 8,
+					"parallelism": 1,
+					"key_length": 32,
+					"salt_length": 16
+				},
+				"pbkdf2": {
+					"variant": "sha512",
+					"iterations": 310000,
+					"salt_length": 16
+				},
+				"sha2crypt": {
+					"variant": "sha512",
+					"iterations": 50000,
+					"salt_length": 16
+				},
+				"bcrypt": {
+					"variant": "standard",
+					"cost": 12
+				}
+			}
+		}
+	},
+	"password_policy": {
+		"standard": {
+			"enabled": false,
+			"min_length": 8,
+			"max_length": 0,
+			"require_uppercase": true,
+			"require_lowercase": true,
+			"require_number": true,
+			"require_special": true
+		},
+		"zxcvbn": {
+			"enabled": false,
+			"min_score": 3
+		}
+	},
+	"access_control": {
+		"default_policy": "one_factor"
+	},
+	"session": {
+		"name": "authelia_session",
+		"domain": "{{var_authelia_session_domain}}",
+		"same_site": "lax",
+		"secret": "{{var_authelia_session_secret}}",
+		"expiration": "1h",
+		"inactivity": "5m",
+		"remember_me_duration": "1M"
+	},
+	"regulation": {
+		"max_retries": 3,
+		"find_time": "2m",
+		"ban_time": "5m"
+	},
+	"storage": {
+		"encryption_key": "{{var_authelia_storage_encryption_key}}",
+		"local": {
+			"path": "{{var_authelia_storage_path}}"
+		}
+	},
+	"notifier": {
+		"disable_startup_check": true,
+{% if var_authelia_notification_mode == "file" %}
+		"filesystem": {
+			"filename": "{{var_authelia_notification_file_path}}"
+		}
+{% endif %}
+{% if var_authelia_notification_mode == "smtp" %}
+	"smtp": {
+		"host": "{{var_authelia_notification_smtp_host}}",
+		"port": {{var_authelia_notification_smtp_port}},
+		"username": "{{var_authelia_notification_smtp_username}}",
+		"password": "{{var_authelia_notification_smtp_password}}",
+		"sender": "{{var_authelia_notification_smtp_sender}}",
+		"disable_require_tls": false,
+		"disable_html_emails": false,
+		"tls": {
+			"skip_verify": false
+		}
+	}
+{% endif %}
+	},
+	"identity_providers": {
+		"oidc": {
+			"hmac_secret": "{{var_authelia_oidc_hmac_secret}}",
+			"issuer_private_key": "{{temp_tls_result.privatekey | replace('\n', '\\n')}}",
+			"cors": {
+				"allowed_origins_from_client_redirect_uris": true
+			},
+			"clients": [
+			]
+		}
+	}
+}

ansible/roles/authelia/templates/users.yml.j2

@@ -0,0 +1 @@
+users: {}

ansible/roles/hedgedoc-and-lighttpd/defaults/main.json

@@ -0,0 +1,4 @@
+{
+	"var_hedgedoc_and_lighttpd_domain": "hedgedoc.example.org",
+	"var_hedgedoc_and_lighttpd_tls_enable": true
+}

ansible/roles/hedgedoc-and-lighttpd/info.md

@@ -0,0 +1,8 @@
+## Beschreibung
+
+- zur Einrichtung von [Lighttpd](../lighttpd) als Reverse-Proxy für [Hedgedoc](../hedgedoc)
+
+
+## Verweise
+
+- [Hedgedoc-Dokumentation | Using a Reverse Proxy](https://docs.hedgedoc.org/guides/reverse-proxy/)

ansible/roles/hedgedoc-and-lighttpd/tasks/main.json

@@ -0,0 +1,34 @@
+[
+	{
+		"name": "activate proxy module",
+		"become": true,
+		"ansible.builtin.shell": {
+			"cmd": "lighttpd-enable-mod proxy || exit 0"
+		}
+	},
+	{
+		"name": "emplace configuration | data",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "conf.j2",
+			"dest": "/etc/lighttpd/conf-available/{{var_hedgedoc_and_lighttpd_domain}}.conf"
+		}
+	},
+	{
+		"name": "emplace configuration | link",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "link",
+			"src": "/etc/lighttpd/conf-available/{{var_hedgedoc_and_lighttpd_domain}}.conf",
+			"dest": "/etc/lighttpd/conf-enabled/{{var_hedgedoc_and_lighttpd_domain}}.conf"
+		}
+	},
+	{
+		"name": "restart lighttpd",
+		"become": true,
+		"ansible.builtin.systemd_service": {
+			"state": "restarted",
+			"name": "lighttpd"
+		}
+	}
+]

ansible/roles/hedgedoc-and-lighttpd/templates/conf.j2

@@ -0,0 +1,33 @@
+$HTTP["host"] == "{{var_hedgedoc_and_lighttpd_domain}}" {
+	server.name = "{{var_hedgedoc_and_lighttpd_domain}}"
+	proxy.server = (
+		"" => (
+			"" => (
+				"host" => "127.0.0.1",
+				"port" => 2400
+			)
+		)
+	)
+	proxy.header = (
+		"upgrade" => "enable"
+	)
+	
+{% if var_hedgedoc_and_lighttpd_tls_enable %}
+	## alle Anfragen auf Port 80
+	$SERVER["socket"] == ":80" {
+		## auf HTTPS umleiten
+		url.redirect = ("^/(.*)$" => "https://{{var_hedgedoc_and_lighttpd_domain}}/$1")
+	}
+	
+	## alle Anfragen auf Port 443
+	$SERVER["socket"] == ":443" {
+		## mit dem SSL-Kram beglücken
+		ssl.engine  = "enable"
+		ssl.pemfile = "/etc/ssl/certs/{{var_hedgedoc_and_lighttpd_domain}}.pem"
+		ssl.privkey = "/etc/ssl/keys/{{var_hedgedoc_and_lighttpd_domain}}.pem"
+		ssl.ca-file = "/etc/ssl/fullchains/{{var_hedgedoc_and_lighttpd_domain}}.pem"
+		ssl.use-sslv2 = "disable"
+		ssl.use-sslv3 = "disable"
+	}
+{% endif %}
+}

ansible/roles/hedgedoc-and-nginx/defaults/main.json

@@ -0,0 +1,3 @@
+{
+	"var_hedgedoc_and_nginx_domain": "hedgedoc.example.org"
+}

ansible/roles/hedgedoc-and-nginx/info.md

@@ -0,0 +1,8 @@
+## Beschreibung
+
+Um [Hedgedoc](../hedgedoc) mit mittels [nginx](../nginx)-reverse-proxy laufen zu lassen
+
+
+## Verweise
+
+- [Hedgedoc-Dokumentation](https://docs.hedgedoc.org/guides/reverse-proxy/#nginx)

ansible/roles/hedgedoc-and-nginx/tasks/main.json

@@ -0,0 +1,35 @@
+[
+	{
+		"name": "deactivate default site",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "absent",
+			"dest": "/etc/nginx/sites-enabled/default"
+		}
+	},
+	{
+		"name": "emplace configuration | data",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "conf.j2",
+			"dest": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}"
+		}
+	},
+	{
+		"name": "emplace configuration | link",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "link",
+			"src": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}",
+			"dest": "/etc/nginx/sites-enabled/{{var_hedgedoc_and_nginx_domain}}"
+		}
+	},
+	{
+		"name": "restart nginx",
+		"become": true,
+		"ansible.builtin.systemd_service": {
+			"state": "restarted",
+			"name": "nginx"
+		}
+	}
+]

ansible/roles/hedgedoc-and-nginx/templates/conf.j2

@@ -0,0 +1,32 @@
+map $http_upgrade $connection_upgrade {
+	default upgrade;
+	'' close;
+}
+
+server {
+	server_name {{var_hedgedoc_and_nginx_domain}};
+	
+	listen [::]:443 ssl http2;
+	listen 443 ssl http2;
+	
+	ssl_certificate /etc/ssl/certs/{{var_hedgedoc_and_nginx_domain}}.pem;
+	ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem;
+	
+	location / {
+		proxy_pass http://localhost:3000;
+		proxy_set_header Host $host; 
+		proxy_set_header X-Real-IP $remote_addr; 
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
+		proxy_set_header X-Forwarded-Proto $scheme;
+	}
+	
+	location /socket.io/ {
+		proxy_pass http://localhost:3000;
+		proxy_set_header Host $host; 
+		proxy_set_header X-Real-IP $remote_addr; 
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection $connection_upgrade;
+	}
+}

ansible/roles/hedgedoc/defaults/main.json

@@ -0,0 +1,24 @@
+{
+	"var_hedgedoc_user_name": "hedgedoc",
+	"var_hedgedoc_directory": "/opt/hedgedoc",
+	"var_hedgedoc_version": "1.9.9",
+	"var_hedgedoc_session_secret": "REPLACE_ME",
+	"var_hedgedoc_database_kind": "sqlite",
+	"var_hedgedoc_database_data_sqlite_path": "/var/hedgedoc/data.sqlite",
+	"var_hedgedoc_database_data_postgresql_host": "localhost",
+	"var_hedgedoc_database_data_postgresql_port": 5432,
+	"var_hedgedoc_database_data_postgresql_username": "hedgedoc_user",
+	"var_hedgedoc_database_data_postgresql_password": "REPLACE_ME",
+	"var_hedgedoc_database_data_postgresql_schema": "hedgedoc",
+	"var_hedgedoc_domain": "hedgedoc.example.org",
+	"var_hedgedoc_oauth2_enable": false,
+	"var_hedgedoc_oauth2_provider_name": "external auth",
+	"var_hedgedoc_oauth2_client_id": "hedgedoc",
+	"var_hedgedoc_oauth2_client_secret": "REPLACE_ME",
+	"var_hedgedoc_oauth2_user_profile_url": "https://auth.example.org/profile",
+	"var_hedgedoc_oauth2_token_url": "https://auth.example.org/token",
+	"var_hedgedoc_oauth2_authorization_url": "https://auth.example.org/authorization",
+	"var_hedgedoc_guest_allow_create": false,
+	"var_hedgedoc_guest_allow_change": false,
+	"var_hedgedoc_free_names_mode": "authed"
+}

ansible/roles/hedgedoc/info.md

@@ -0,0 +1,14 @@
+## Beschreibung
+
+Kollaborativer Editor [Hedgedoc](https://docs.hedgedoc.org/)
+
+
+## Verweise
+
+- [Dokumentation | Manual Installation](https://docs.hedgedoc.org/setup/manual-setup/)
+- [Dokumentation | Configuration](https://docs.hedgedoc.org/configuration/)
+
+
+## Bemerkungen
+
+- Login über OAuth2 funktioniert vermutlich nicht mit abgelehnten TLS-Zertifikaten (z.B. selbst-signierten)

ansible/roles/hedgedoc/tasks/main.json

@@ -0,0 +1,102 @@
+[
+	{
+		"name": "packages",
+		"become": true,
+		"ansible.builtin.apt": {
+			"pkg": [
+				"acl",
+				"git",
+				"nodejs",
+				"npm",
+				"yarnpkg"
+			]
+		}
+	},
+	{
+		"name": "yarn link",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "link",
+			"src": "/usr/bin/yarnpkg",
+			"dest": "/usr/bin/yarn"
+		}
+	},
+	{
+		"name": "user",
+		"become": true,
+		"ansible.builtin.user": {
+			"name": "{{var_hedgedoc_user_name}}",
+			"create_home": true
+		}
+	},
+	{
+		"name": "download",
+		"become": false,
+		"ansible.builtin.get_url": {
+			"url": "https://github.com/hedgedoc/hedgedoc/releases/download/{{var_hedgedoc_version}}/hedgedoc-{{var_hedgedoc_version}}.tar.gz",
+			"dest": "/tmp/hedgedoc.tar.gz"
+		}
+	},
+	{
+		"name": "extract",
+		"become": true,
+		"ansible.builtin.unarchive": {
+			"remote_src": true,
+			"src": "/tmp/hedgedoc.tar.gz",
+			"dest": "{{var_hedgedoc_directory | dirname}}",
+			"owner": "{{var_hedgedoc_user_name}}"
+		}
+	},
+	{
+		"name": "setup script",
+		"become": true,
+		"become_user": "hedgedoc",
+		"ansible.builtin.command": {
+			"chdir": "{{var_hedgedoc_directory}}",
+			"cmd": "bin/setup"
+		}
+	},
+	{
+		"name": "var directory",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "directory",
+			"path": "{{var_hedgedoc_database_path | dirname}}",
+			"owner": "{{var_hedgedoc_user_name}}"
+		}
+	},
+	{
+		"name": "database",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "touch",
+			"path": "{{var_hedgedoc_database_path}}",
+			"owner": "{{var_hedgedoc_user_name}}"
+		}
+	},
+	{
+		"name": "configuration",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "config.json.j2",
+			"dest": "{{var_hedgedoc_directory}}/config.json"
+		}
+	},
+	{
+		"name": "systemd unit",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "systemd-unit.j2",
+			"dest": "/etc/systemd/system/hedgedoc.service"
+		}
+	},
+	{
+		"name": "start",
+		"become": true,
+		"ansible.builtin.systemd_service": {
+			"enabled": true,
+			"state": "started",
+			"name": "hedgedoc"
+		}
+	}
+]

ansible/roles/hedgedoc/templates/config.json.j2

@@ -0,0 +1,63 @@
+{
+	"production": {
+		"loglevel": "error",
+{% if var_hedgedoc_database_kind == 'sqlite' %}
+		"db": {
+			"dialect": "sqlite",
+			"storage": "{{var_hedgedoc_database_path}}"
+		},
+{% endif %}
+{% if var_hedgedoc_database_kind == 'postgresql' %}
+		"db": {
+			"dialect": "postgres",
+			"host": "{{var_hedgedoc_database_data_postgresql_host}}",
+			"port": {{var_hedgedoc_database_data_postgresql_port | to_json}},
+			"username": "{{var_hedgedoc_database_data_postgresql_username}}",
+			"password": "{{var_hedgedoc_database_data_postgresql_password}}",
+			"database": "{{var_hedgedoc_database_data_postgresql_schema}}"
+		},
+{% endif %}
+		"sessionSecret": "{{var_hedgedoc_session_secret}}",
+		"host": "localhost",
+		"allowOrigin": [
+			"localhost"
+		],
+		"domain": "{{var_hedgedoc_domain}}",
+		"urlAddPort": false,
+		"protocolUseSSL": true,
+{% if var_hedgedoc_oauth2_enable %}
+		"oauth2": {
+			"providerName": "{{var_hedgedoc_oauth2_provider_name}}",
+			"clientID": "{{var_hedgedoc_oauth2_client_id}}",
+			"clientSecret": "{{var_hedgedoc_oauth2_client_secret}}",
+			"scope": "openid email profile",
+			"userProfileUsernameAttr": "sub",
+			"userProfileDisplayNameAttr": "name",
+			"userProfileEmailAttr": "email",
+			"userProfileURL": "{{var_hedgedoc_oauth2_user_profile_url}}",
+			"tokenURL": "{{var_hedgedoc_oauth2_token_url}}",
+			"authorizationURL": "{{var_hedgedoc_oauth2_authorization_url}}"
+		},
+		"email": false,
+		"allowEmailRegister": false,
+{% else %}
+		"email": true,
+		"allowEmailRegister": true,
+{% endif %}
+		"allowAnonymous": {{var_hedgedoc_guest_allow_create | to_json}},
+		"allowAnonymousEdits": {{var_hedgedoc_guest_allow_edit | to_json}},
+{% if var_hedgedoc_free_names_mode == 'never' %}
+		"allowFreeURL": false,
+		"requireFreeURLAuthentication": false,
+{% endif %}
+{% if var_hedgedoc_free_names_mode == 'authed' %}
+		"allowFreeURL": true,
+		"requireFreeURLAuthentication": true,
+{% endif %}
+{% if var_hedgedoc_free_names_mode == 'always' %}
+		"allowFreeURL": true,
+		"requireFreeURLAuthentication": false,
+{% endif %}
+		"defaultPermission": "editable"
+	}
+}

ansible/roles/hedgedoc/templates/systemd-unit.j2

@@ -0,0 +1,14 @@
+[Unit]
+Description=Hedgedoc
+After=multi-user.target
+
+[Service]
+WorkingDirectory={{var_hedgedoc_directory}}
+User={{var_hedgedoc_user_name}}
+Environment="NODE_ENV=production"
+ExecStart=yarn start
+SyslogIdentifier=hedgedoc
+
+[Install]
+WantedBy=multi-user.target
+

ansible/roles/postgresql-for-hedgedoc/defaults/main.json

@@ -0,0 +1,5 @@
+{
+	"var_postgresql_for_hedgedoc_username": "hedgedoc_user",
+	"var_postgresql_for_hedgedoc_password": "REPLACE_ME",
+	"var_postgresql_for_hedgedoc_schema": "hedgedoc"
+}

ansible/roles/postgresql-for-hedgedoc/tasks/main.json

@@ -0,0 +1,45 @@
+[
+	{
+		"name": "packages",
+		"become": true,
+		"ansible.builtin.apt": {
+			"pkg": [
+				"acl",
+				"python3-psycopg2"
+			]
+		}
+	},
+	{
+		"name": "user",
+		"become": true,
+		"become_user": "postgres",
+		"community.postgresql.postgresql_user": {
+			"state": "present",
+			"name": "{{var_postgresql_for_hedgedoc_username}}",
+			"password": "{{var_postgresql_for_hedgedoc_password}}"
+		}
+	},
+	{
+		"name": "schema",
+		"become": true,
+		"become_user": "postgres",
+		"community.postgresql.postgresql_db": {
+			"state": "present",
+			"name": "{{var_postgresql_for_hedgedoc_schema}}",
+			"owner": "{{var_postgresql_for_hedgedoc_username}}"
+		}
+	},
+	{
+		"name": "rights",
+		"become": true,
+		"become_user": "postgres",
+		"community.postgresql.postgresql_privs": {
+			"state": "present",
+			"db": "{{var_postgresql_for_hedgedoc_schema}}",
+			"objs": "ALL_IN_SCHEMA",
+			"roles": "{{var_postgresql_for_hedgedoc_username}}",
+			"privs": "ALL",
+			"grant_option": true
+		}
+	}
+]

ansible/roles/postgresql-for-synapse/defaults/main.json

@@ -1,5 +1,5 @@
 {
 	"var_postgresql_for_synapse_username": "synapse_user",
-	"var_postgresql_for_synapse_password": "synapse_password",
+	"var_postgresql_for_synapse_password": "REPLACE_ME",
 	"var_postgresql_for_synapse_schema": "synapse"
 }

ansible/roles/synapse-and-lighttpd/defaults/main.json

@@ -1,3 +1,3 @@
 {
-	"var_synapse_and_lighttpd_domain": "REPLACE_ME"
+	"var_synapse_and_lighttpd_domain": "synapse.example.org"
 }

ansible/roles/synapse/defaults/main.json

@@ -1,6 +1,6 @@
 {
 	"var_synapse_scheme": "https",
-	"var_synapse_domain": "matrix.example.org",
+	"var_synapse_domain": "synapse.example.org",
 	"var_synaspe_database_kind": "sqlite",
 	"var_synaspe_database_sqlite_path": "/var/synapse/data.sqlite",
 	"var_synaspe_database_postgresql_host": "localhost",
@@ -10,8 +10,8 @@
 	"var_synaspe_database_postgresql_schema": "synapse",
 	"var_synapse_element_url": "https://element.example.org",
 	"var_synapse_title": "Example | Matrix",
-	"var_synapse_federation_whitelist": "[]",
+	"var_synapse_federation_whitelist": [],
-	"var_synapse_password_strict_policy": "true",
+	"var_synapse_password_strict_policy": true,
 	"var_synapse_registration_shared_secret": "REPLACE_ME",
 	"var_synapse_oidc_enable": false,
 	"var_synapse_oidc_provider_id": "external_auth",
@@ -20,8 +20,8 @@
 	"var_synapse_oidc_client_secret": "REPLACE_ME",
 	"var_synapse_oidc_issuer_url": "https://auth.example.org",
 	"var_synapse_smtp_host": "smtp.example.org",
-	"var_synapse_smtp_port": "587",
+	"var_synapse_smtp_port": 587,
-	"var_synapse_smtp_username": "matrix@smtp.example.org",
+	"var_synapse_smtp_username": "synapse@smtp.example.org",
 	"var_synapse_smtp_password": "REPLACE_ME",
 	"var_synapse_admin_user_define": true,
 	"var_synapse_admin_user_name": "admin",

ansible/roles/synapse/templates/homeserver.yaml.j2

@@ -45,7 +45,7 @@ listeners:
       - names: [federation]
         compress: false
 
-federation_domain_whitelist: {{var_synapse_federation_whitelist}}
+federation_domain_whitelist: {{var_synapse_federation_whitelist | to_yaml}}
     
 serve_server_wellknown: true
 
@@ -87,7 +87,9 @@ max_spider_size: "10M"
 enable_registration_captcha: false
 recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
 
+{% if var_synapse_registration_shared_secret != None %}
 registration_shared_secret: "{{var_synapse_registration_shared_secret}}"
+{% endif %}
 
 {% if var_synapse_oidc_enable %}
 enable_registration: false
@@ -158,11 +160,11 @@ saml2_config:
 password_config:
    enabled: true
    policy:
-     enabled: {{var_synapse_password_strict_policy}}
+     enabled: {{var_synapse_password_strict_policy | to_yaml}}
 
 email:
   smtp_host: "{{var_synapse_smtp_host}}"
-  smtp_port: {{var_synapse_smtp_port}}
+  smtp_port: {{var_synapse_smtp_port | to_yaml}}
   smtp_user: "{{var_synapse_smtp_username}}"
   smtp_pass: "{{var_synapse_smtp_password}}"
   require_transport_security: true