Merge branch 'main' into dev-gitlab

ansible/roles/authelia-and-nginx/defaults/main.json

@@ -0,0 +1,3 @@
+{
+	"var_authelia_and_nginx_domain": "authelia.example.org"
+}

ansible/roles/authelia-and-nginx/info.md

@@ -0,0 +1,3 @@
+## Verweise
+
+- [Authelia-Dokumentation](https://www.authelia.com/integration/proxies/nginx/)

ansible/roles/authelia-and-nginx/tasks/main.json

@@ -0,0 +1,35 @@
+[
+	{
+		"name": "deactivate default site",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "absent",
+			"dest": "/etc/nginx/sites-enabled/default"
+		}
+	},
+	{
+		"name": "emplace configuration | data",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "conf.j2",
+			"dest": "/etc/nginx/sites-available/{{var_authelia_and_nginx_domain}}"
+		}
+	},
+	{
+		"name": "emplace configuration | link",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "link",
+			"src": "/etc/nginx/sites-available/{{var_authelia_and_nginx_domain}}",
+			"dest": "/etc/nginx/sites-enabled/{{var_authelia_and_nginx_domain}}"
+		}
+	},
+	{
+		"name": "restart nginx",
+		"become": true,
+		"ansible.builtin.systemd_service": {
+			"state": "restarted",
+			"name": "nginx"
+		}
+	}
+]

ansible/roles/authelia-and-nginx/templates/conf.j2

@@ -0,0 +1,62 @@
+server {
+	server_name {{var_authelia_and_nginx_domain}};
+	
+	listen [::]:80;
+	listen 80;
+	
+	return 301 https://$server_name$request_uri;
+}
+
+server {
+	server_name {{var_authelia_and_nginx_domain}};
+	
+	listen [::]:443 ssl http2;
+	listen 443 ssl http2;
+	
+	ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem;
+	ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem;
+	
+	location / {
+		## Headers
+		proxy_set_header Host $host;
+		proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header X-Forwarded-Host $http_host;
+		proxy_set_header X-Forwarded-Uri $request_uri;
+		proxy_set_header X-Forwarded-Ssl on;
+		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header Connection "";
+
+		## Basic Proxy Configuration
+		client_body_buffer_size 128k;
+		proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
+		proxy_redirect  http://  $scheme://;
+		proxy_http_version 1.1;
+		proxy_cache_bypass $cookie_session;
+		proxy_no_cache $cookie_session;
+		proxy_buffers 64 256k;
+
+		## Trusted Proxies Configuration
+		## Please read the following documentation before configuring this:
+		##     https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
+		# set_real_ip_from 10.0.0.0/8;
+		# set_real_ip_from 172.16.0.0/12;
+		# set_real_ip_from 192.168.0.0/16;
+		# set_real_ip_from fc00::/7;
+		real_ip_header X-Forwarded-For;
+		real_ip_recursive on;
+
+		## Advanced Proxy Configuration
+		send_timeout 5m;
+		proxy_read_timeout 360;
+		proxy_send_timeout 360;
+		proxy_connect_timeout 360;
+		
+		proxy_pass http://localhost:9091;
+	}
+	
+	location /api/verify {
+		proxy_pass http://localhost:9091;
+	}
+}

ansible/roles/authelia-for-hedgedoc/defaults/main.json

@@ -0,0 +1,5 @@
+{
+	"var_authelia_for_hedgedoc_hedgedoc_url_base": "https://hedgedoc.example.org",
+	"var_authelia_for_hedgedoc_client_id": "hedgedoc",
+	"var_authelia_for_hedgedoc_client_secret": "REPLACE_ME"
+}

ansible/roles/authelia-for-hedgedoc/info.md

@@ -0,0 +1,10 @@
+## Beschreibung
+
+Um [Hedgedoc](../hedgedoc) gegen [Authelia](../authelia) authentifizieren zu lassen
+
+
+## Verweise
+
+- [Authelia-Dokumentation | Configuration: OpenID Connect: Client](https://www.authelia.com/configuration/identity-providers/open-id-connect/#clients)
+- [Hedgedoc-Dokumentation | Authelia](https://docs.hedgedoc.org/guides/auth/authelia/)
+- [Hedgedoc-Dokumentation | Conf: OAuth2 Login](https://docs.hedgedoc.org/configuration/#oauth2-login)

ansible/roles/authelia-for-hedgedoc/tasks/main.json

@@ -0,0 +1,25 @@
+[
+	{
+		"name": "configuration | emplace",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "authelia-client-conf.json.j2",
+			"dest": "/etc/authelia/conf.d/clients/hedgedoc.json"
+		}
+	},
+	{
+		"name": "configuration | apply",
+		"become": true,
+		"ansible.builtin.command": {
+			"cmd": "/usr/bin/authelia-conf-compose"
+		}
+	},
+	{
+		"name": "restart service",
+		"become": true,
+		"ansible.builtin.systemd_service": {
+			"state": "restarted",
+			"name": "authelia"
+		}
+	}
+]

ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2

@@ -0,0 +1,28 @@
+{
+	"client_id": "{{var_authelia_for_hedgedoc_client_id}}",
+	"client_secret": "{{var_authelia_for_hedgedoc_client_secret}}",
+	"client_name": "Hedgedoc",
+	"public": false,
+	"authorization_policy": "one_factor",
+	"scopes": [
+		"openid",
+		"email",
+		"profile"
+	],
+	"redirect_uris": [
+		"{{var_authelia_for_hedgedoc_hedgedoc_url_base}}/auth/oauth2/callback"
+	],
+	"grant_types": [
+		"refresh_token",
+		"authorization_code"
+	],
+	"response_types": [
+		"code"
+	],
+	"response_modes": [
+		"form_post",
+		"query",
+		"fragment"
+	],
+	"userinfo_signed_response_alg": "none"
+}

ansible/roles/authelia-for-synapse/defaults/main.json

@@ -0,0 +1,5 @@
+{
+	"var_authelia_for_synapse_synapse_url_base": "https://matrix.example.org",
+	"var_authelia_for_synapse_client_id": "synapse",
+	"var_authelia_for_synapse_client_secret": "REPLACE_ME"
+}

ansible/roles/authelia-for-synapse/info.md

@@ -0,0 +1,9 @@
+## Beschreibung
+
+Um [Synapse](../synapse) gegen [Authelia](../authelia) authentifizieren zu lassen
+
+
+## Verweise
+
+- [Authelia-Dokumentation | Synapse Integration](https://www.authelia.com/integration/openid-connect/synapse/)
+- [Synapse-Dokumentation | OpenID Connect](https://matrix-org.github.io/synapse/latest/openid.html)

ansible/roles/authelia-for-synapse/tasks/main.json

@@ -0,0 +1,25 @@
+[
+	{
+		"name": "configuration | emplace",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "authelia-client-conf.json.j2",
+			"dest": "/etc/authelia/conf.d/clients/synapse.json"
+		}
+	},
+	{
+		"name": "configuration | apply",
+		"become": true,
+		"ansible.builtin.command": {
+			"cmd": "/usr/bin/authelia-conf-compose"
+		}
+	},
+	{
+		"name": "restart service",
+		"become": true,
+		"ansible.builtin.systemd_service": {
+			"state": "restarted",
+			"name": "authelia"
+		}
+	}
+]

ansible/roles/authelia-for-synapse/templates/authelia-client-conf.json.j2

@@ -0,0 +1,16 @@
+{
+	"client_id": "{{var_authelia_for_synapse_client_id}}",
+	"client_secret": "{{var_authelia_for_synapse_client_secret}}",
+	"client_name": "Synapse",
+	"public": false,
+	"authorization_policy": "one_factor",
+	"redirect_uris": [
+		"{{var_authelia_for_synapse_synapse_url_base}}/_synapse/client/oidc/callback"
+	],
+	"scopes": [
+		"openid",
+		"email",
+		"profile"
+	],
+	"userinfo_signed_response_alg": "none"
+}

ansible/roles/authelia/defaults/main.json

@@ -0,0 +1,33 @@
+{
+	"var_authelia_version": "4.37.5",
+	"var_authelia_architecture": "amd64",
+	"var_authelia_listen_address": "0.0.0.0",
+	"var_authelia_jwt_secret": "REPLACE_ME",
+	"var_authelia_users_file_path": "/var/authelia/users.yml",
+	"var_authelia_log_file_path": "/var/authelia/log.jsonl",
+	"var_authelia_session_domain": "example.org",
+	"var_authelia_session_secret": "REPLACE_ME",
+	"var_authelia_storage_encryption_key": "REPLACE_ME",
+	"var_authelia_storage_kind": "sqlite",
+	"var_authelia_storage_data_sqlite_path": "/var/authelia/state.db",
+	"var_authelia_storage_data_postgresql_host": "localhost",
+	"var_authelia_storage_data_postgresql_port": 5432,
+	"var_authelia_storage_data_postgresql_username": "authelia_user",
+	"var_authelia_storage_data_postgresql_password": "REPLACE_ME",
+	"var_authelia_storage_data_postgresql_schema": "authelia",
+	"var_authelia_storage_data_mariadb_host": "localhost",
+	"var_authelia_storage_data_mariadb_port": 3306,
+	"var_authelia_storage_data_mariadb_username": "authelia_user",
+	"var_authelia_storage_data_mariadb_password": "REPLACE_ME",
+	"var_authelia_storage_data_mariadb_schema": "authelia",
+	"var_authelia_ntp_server": "time.cloudflare.com:123",
+	"var_authelia_password_reset_enabled": false,
+	"var_authelia_notification_mode": "smtp",
+	"var_authelia_notification_file_path": "/var/authelia/notifications",
+	"var_authelia_notification_smtp_host": "smtp.example.org",
+	"var_authelia_notification_smtp_port": 465,
+	"var_authelia_notification_smtp_username": "authelia",
+	"var_authelia_notification_smtp_password": "REPLACE_ME",
+	"var_authelia_notification_smtp_sender": "authelia@example.org",
+	"var_authelia_oidc_hmac_secret": "REPLACE_ME"
+}

ansible/roles/authelia/files/conf-compose.py

@@ -0,0 +1,150 @@
+#!/usr/bin/env python3
+
+import sys as _sys
+import os as _os
+import yaml as _yaml
+import json as _json
+import argparse as _argparse
+
+
+def file_read(path):
+	handle = open(path, "r")
+	content = handle.read()
+	handle.close()
+	return content
+	
+
+def file_write(path, content):
+	directory = _os.path.dirname(path)
+	if (not _os.path.exists(directory)):
+		_os.makedirs(directory, exist_ok = True)
+	else:
+		pass
+	handle = open(path, "w")
+	handle.write(content)
+	handle.close()
+	return content
+	
+
+def dict_merge(core, mantle, path = None):
+	if (path is None):
+		path = []
+	result = {}
+	for source in [core, mantle]:
+		for (key, value_new, ) in source.items():
+			path_ = (path + [key])
+			type_new = type(value_new)
+			if (not (key in result)):
+				result[key] = value_new
+			else:
+				value_old = result[key]
+				type_old = type(value_old)
+				if (value_old is None):
+					result[key] = value_new
+				else:
+					if (not (type_old == type_new)):
+						raise ValueError(
+							"type mismatch at path %s: %s vs. %s"
+							% (
+								".".join(path),
+								str(type_old),
+								str(type_new),
+							)
+						)
+					else:
+						if (type_old == dict):
+							result[key] = dict_merge(value_old, value_new, path_)
+						elif (type_old == list):
+							result[key] = (value_old + value_new)
+						else:
+							result[key] = value_new
+	return result
+	
+
+def main():
+	## args
+	argument_parser = _argparse.ArgumentParser()
+	argument_parser.add_argument(
+		"-m",
+		"--main-file-path",
+		type = str,
+		dest = "main_file_path",
+		default = "/etc/authelia/conf.d/main.json",
+		metavar = "<main-file-path>",
+	)
+	argument_parser.add_argument(
+		"-c",
+		"--clients-directory-path",
+		type = str,
+		dest = "clients_directory_path",
+		default = "/etc/authelia/conf.d/clients",
+		metavar = "<clients-directory-path>",
+	)
+	argument_parser.add_argument(
+		"-f",
+		"--output-format",
+		type = str,
+		choices = ["json", "yaml"],
+		dest = "output_format",
+		default = "yaml",
+		metavar = "<output-format>",
+	)
+	argument_parser.add_argument(
+		"-o",
+		"--output-path",
+		type = str,
+		dest = "output_path",
+		default = "/etc/authelia/configuration.yml",
+		metavar = "<output-path>",
+	)
+	args = argument_parser.parse_args()
+	
+	## exec
+	data = {}
+	### main
+	if True:
+		data_ = _json.loads(file_read(args.main_file_path))
+		data = dict_merge(data, data_)
+	### clients
+	if True:
+		for name in _os.listdir(args.clients_directory_path):
+			data__ = _json.loads(file_read(_os.path.join(args.clients_directory_path, name)))
+			data_ = {
+				"identity_providers": {
+					"oidc": {
+						"clients": [data__]
+					}
+				}
+			}
+			data = dict_merge(data, data_)
+	### postprocess
+	if True:
+		if (len(data["identity_providers"]["oidc"]["clients"]) <= 0):
+			data["identity_providers"]["oidc"]["clients"].append(
+				{
+					"public": False,
+					"id": "_dummy",
+					"description": "not a real client; just here to make Authelia run",
+					"authorization_policy": "one_factor",
+					"secret": "",
+					"scopes": [],
+					"redirect_uris": [],
+					"grant_types": [],
+					"response_types": [],
+					"response_modes": [],
+				}
+			)
+		else:
+			pass
+	## output
+	if True:
+		if (args.output_format == "json"):
+			output_content = _json.dumps(data, indent = "\t")
+		elif (args.output_format == "yaml"):
+			output_content = _yaml.dump(data)
+		else:
+			raise ValueError("invalid output format")
+		file_write(args.output_path, output_content)
+	
+
+main()

ansible/roles/authelia/files/user-manage.py

@@ -0,0 +1,205 @@
+#!/usr/bin/env python3
+
+import sys as _sys
+import os as _os
+import subprocess as _subprocess
+import argparse as _argparse
+import yaml as _yaml
+import string as _string
+import random as _random
+
+
+def file_read(path):
+	handle = open(path, "r")
+	content = handle.read()
+	handle.close()
+	return content
+	
+
+def file_write(path, content):
+	directory = _os.path.dirname(path)
+	if (not _os.path.exists(directory)):
+		_os.makedirs(directory, exist_ok = True)
+	else:
+		pass
+	handle = open(path, "w")
+	handle.write(content)
+	handle.close()
+	return content
+	
+
+def get_password_hash(binary_file_path, conf_file_path, password):
+	# /usr/bin/authelia --config=/etc/authelia/configuration.yml crypto hash generate bcrypt --password=alice
+	output = _subprocess.check_output([
+		binary_file_path,
+		"--config=%s" % conf_file_path,
+		"crypto",
+		"hash",
+		"generate",
+		"bcrypt",
+		"--password=%s" % password,
+	])
+	return output.decode("utf-8").split("\n")[0].split(" ")[1]
+	
+
+def postprocess(binary_file_path, conf_file_path, data):
+	password = "".join(map(lambda x: _random.choice(_string.ascii_lowercase), range(16)))
+	if (len(data["users"]) <= 0):
+		data["users"]["_dummy"] = {
+			"displayname": "(Dummy)",
+			"password": get_password_hash(binary_file_path, conf_file_path, password),
+			"email": "dummy@nowhere.net",
+			"groups": [],
+		}
+	else:
+		pass
+	return data
+	
+
+def data_read(user_file_path):
+	data = _yaml.safe_load(file_read(user_file_path))
+	data["users"].pop("_dummy", None)
+	return data
+	
+
+def data_write(binary_file_path, conf_file_path, user_file_path, data):
+	file_write(user_file_path, _yaml.dump(postprocess(binary_file_path, conf_file_path, data)))
+	
+
+def main():
+	## args
+	argument_parser = _argparse.ArgumentParser()
+	argument_parser.add_argument(
+		"command",
+		type = str,
+		choices = ["list", "show", "add", "change", "remove"],
+		default = "list",
+		help = "command to execute",
+	)
+	argument_parser.add_argument(
+		"-b",
+		"--binary-file-path",
+		type = str,
+		default = "/usr/bin/authelia",
+		help = "path to the Authelia binary file",
+	)
+	argument_parser.add_argument(
+		"-c",
+		"--conf-file-path",
+		type = str,
+		default = "/etc/authelia/configuration.yml",
+		help = "path to the Authelia configuration file",
+	)
+	argument_parser.add_argument(
+		"-u",
+		"--user-file-path",
+		type = str,
+		default = "/var/authelia/users.yml",
+		help = "path to the user database file",
+	)
+	argument_parser.add_argument(
+		"-n",
+		"--login-name",
+		type = str,
+		default = None,
+		help = "login name of the user; has to be unique",
+	)
+	argument_parser.add_argument(
+		"-p",
+		"--password",
+		type = str,
+		default = None,
+		help = "password of the user",
+	)
+	argument_parser.add_argument(
+		"-d",
+		"--display-name",
+		type = str,
+		default = None,
+		help = "display name of the user",
+	)
+	argument_parser.add_argument(
+		"-e",
+		"--email",
+		type = str,
+		default = None,
+		help = "e-mail address of the user",
+	)
+	argument_parser.add_argument(
+		"-x",
+		"--deactivated",
+		type = str,
+		default = "no",
+		choices = ["no", "yes"],
+		help = "whether the user shall be deactivated",
+	)
+	args = argument_parser.parse_args()
+	
+	## exec
+	data = data_read(args.user_file_path)
+	if (args.command == "list"):
+		names = sorted(data["users"].keys())
+		for name in names:
+			_sys.stdout.write("%s\n" % name)
+	elif (args.command == "show"):
+		if (args.login_name is None):
+			raise ValueError("name required")
+		else:
+			if (not (args.login_name in data["users"])):
+				raise ValueError("no such user")
+			else:
+				entry = data["users"][args.login_name]
+				_sys.stdout.write("%s\n" % _yaml.dump(entry))
+	elif (args.command == "add"):
+		if (args.login_name is None):
+			raise ValueError("name required")
+		else:
+			if (args.password is None):
+				raise ValueError("password required")
+			else:
+				entry = {
+					"disabled": (args.deactivated == "yes"),
+					"displayname": (args.display_name or args.login_name),
+					"password": get_password_hash(args.binary_file_path, args.conf_file_path, args.login_name),
+					"email": args.email,
+					"groups": [],
+				}
+				data["users"][args.login_name] = entry
+				data_write(args.binary_file_path, args.conf_file_path, args.user_file_path, data)
+	elif (args.command == "change"):
+		if (args.login_name is None):
+			raise ValueError("name required")
+		else:
+			entry = data["users"][args.login_name]
+			if (args.deactivated is None):
+				pass
+			else:
+				entry["disabled"] = (args.deactivated == "yes")
+			if (args.password is None):
+				pass
+			else:
+				entry["password"] = get_password_hash(args.binary_file_path, args.conf_file_path, args.login_name)
+			if (args.display_name is None):
+				pass
+			else:
+				entry["displayname"] = args.display_name
+			if (args.email is None):
+				pass
+			else:
+				entry["email"] = args.email
+			data["users"][args.login_name] = entry
+			data_write(args.binary_file_path, args.conf_file_path, args.user_file_path, data)
+	elif (args.command == "remove"):
+		if (args.login_name is None):
+			raise ValueError("name required")
+		else:
+			if (not (args.login_name in data["users"])):
+				raise ValueError("no such user")
+			else:
+				del data["users"][args.login_name]
+				data_write(args.binary_file_path, args.conf_file_path, args.user_file_path, data)
+	else:
+		raise NotImplementedError()
+
+
+main()

ansible/roles/authelia/info.md

@@ -0,0 +1,17 @@
+## Beschreibung
+
+- zum Aufsetzen des Authentifizierungs-Dienstes [Authelia](https://www.authelia.com/)
+- um einen Clients hinzuzfügen, erstellt man eine entsprechende JSON-Datei in `/etc/authelia/conf.d/clients` und führt aus `authelia-conf-compose`
+- zum Verwalten der Nutzer kann man `authelia-user-manage` verwenden (`-h` anhängen für Erklärung)
+
+
+## Verweise
+
+- [GitHub-Seite](https://github.com/authelia/authelia)
+- [Installations-Anleitung](https://www.authelia.com/integration/deployment/bare-metal/)
+- [Dokumentation | Konfiguration](https://www.authelia.com/configuration/)
+
+
+## ToDo
+
+- Nutzer-Verwaltung verbessern (evtl. externalisieren)

ansible/roles/authelia/tasks/main.json

@@ -0,0 +1,129 @@
+[
+	{
+		"name": "packages | prerequisites",
+		"become": true,
+		"ansible.builtin.apt": {
+			"update_cache": true,
+			"pkg": [
+				"apt-transport-https",
+				"gpg"
+			]
+		}
+	},
+	{
+		"name": "packages | keys",
+		"become": true,
+		"ansible.builtin.apt_key": {
+			"url": "https://apt.authelia.com/organization/signing.asc"
+		}
+	},
+	{
+		"name": "packages | repository",
+		"become": true,
+		"ansible.builtin.apt_repository": {
+			"repo": "deb https://apt.authelia.com/stable/debian/debian/ all main"
+		}
+
+	},
+	{
+		"name": "packages | installation",
+		"become": true,
+		"ansible.builtin.apt": {
+			"update_cache": true,
+			"pkg": [
+				"openssl",
+				"python3-cryptography",
+				"python3-yaml",
+				"authelia"
+			]
+		}
+	},
+	{
+		"name": "generate private key for signing OIDC JWTs",
+		"become": true,
+		"community.crypto.openssl_privatekey": {
+			"type": "RSA",
+			"size": 4096,
+			"path": "/etc/ssl/private/authelia-key.pem",
+			"return_content": true
+		},
+		"register": "temp_tls_result"
+	},
+	{
+		"name": "configuration | compose script",
+		"become": true,
+		"ansible.builtin.copy": {
+			"src": "conf-compose.py",
+			"dest": "/usr/bin/authelia-conf-compose",
+			"mode": "0700"
+		}
+	},
+	{
+		"name": "configuration | directories",
+		"become": true,
+		"loop": [
+			"/etc/authelia/conf.d",
+			"/etc/authelia/conf.d/clients"
+		],
+		"ansible.builtin.file": {
+			"state": "directory",
+			"path": "{{item}}"
+		}
+	},
+	{
+		"name": "configuration | main",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "conf-main.json.j2",
+			"dest": "/etc/authelia/conf.d/main.json"
+		}
+	},
+	{
+		"name": "configuration | compose",
+		"become": true,
+		"ansible.builtin.command": {
+			"cmd": "/usr/bin/authelia-conf-compose --main-file-path=/etc/authelia/conf.d/main.json --clients-directory-path=/etc/authelia/conf.d/clients --output-format=yaml --output-path=/etc/authelia/configuration.yml"
+		}
+	},
+	{
+		"name": "setup log directory",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "directory",
+			"path": "{{var_authelia_log_file_path | dirname}}"
+		}
+	},
+	{
+		"name": "users | directory",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "directory",
+			"path": "{{var_authelia_users_file_path | dirname}}"
+		}
+	},
+	{
+		"name": "users | initial file",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "users.yml.j2",
+			"dest": "{{var_authelia_users_file_path}}"
+		}
+	},
+	{
+		"name": "users | management script",
+		"become": true,
+		"ansible.builtin.copy": {
+			"src": "user-manage.py",
+			"dest": "/usr/bin/authelia-user-manage",
+			"mode": "0700"
+		}
+	},
+	{
+		"name": "apply",
+		"become": true,
+		"ansible.builtin.systemd_service": {
+			"state": "restarted",
+			"name": "authelia"
+		}
+	}
+]

ansible/roles/authelia/templates/conf-main.json.j2

@@ -0,0 +1,194 @@
+{
+	"theme": "auto",
+	"identity_validation": {
+		"reset_password": {
+			"jwt_secret": "{{var_authelia_jwt_secret}}"
+		}
+	},
+	"default_2fa_method": "totp",
+	"server": {
+		"address": "{{var_authelia_listen_address}}:9091",
+		"endpoints": {
+			"enable_pprof": false,
+			"enable_expvars": false
+		},
+		"disable_healthcheck": false
+	},
+	"log": {
+		"level": "info",
+		"format": "json",
+		"file_path": "{{var_authelia_log_file_path}}",
+		"keep_stdout": false
+	},
+	"telemetry": {
+		"metrics": {
+			"enabled": false,
+			"address": "tcp://0.0.0.0:9959"
+		}
+	},
+	"totp": {
+		"disable": false,
+		"issuer": "authelia.com",
+		"algorithm": "sha1",
+		"digits": 6,
+		"period": 30,
+		"skew": 1,
+		"secret_size": 32
+	},
+	"webauthn": {
+		"disable": true,
+		"timeout": "60s",
+		"display_name": "Authelia",
+		"attestation_conveyance_preference": "indirect",
+		"user_verification": "preferred"
+	},
+	"ntp": {
+		"address": "{{var_authelia_ntp_server}}",
+		"version": 4,
+		"max_desync": "3s",
+		"disable_startup_check": false,
+		"disable_failure": false
+	},
+	"authentication_backend": {
+		"password_reset": {
+{% if var_authelia_password_reset_enabled %}
+			"disable": false,
+{% else %}
+			"disable": true,
+{% endif %}
+			"custom_url": ""
+		},
+		"refresh_interval": "5m",
+		"file": {
+			"path": "{{var_authelia_users_file_path}}",
+			"watch": true,
+			"search": {
+				"email": false,
+				"case_insensitive": false
+			},
+			"password": {
+				"algorithm": "argon2",
+				"argon2": {
+					"variant": "argon2id",
+					"iterations": 3,
+					"memory": 65536,
+					"parallelism": 4,
+					"key_length": 32,
+					"salt_length": 16
+				},
+				"scrypt": {
+					"iterations": 16,
+					"block_size": 8,
+					"parallelism": 1,
+					"key_length": 32,
+					"salt_length": 16
+				},
+				"pbkdf2": {
+					"variant": "sha512",
+					"iterations": 310000,
+					"salt_length": 16
+				},
+				"sha2crypt": {
+					"variant": "sha512",
+					"iterations": 50000,
+					"salt_length": 16
+				},
+				"bcrypt": {
+					"variant": "standard",
+					"cost": 12
+				}
+			}
+		}
+	},
+	"password_policy": {
+		"standard": {
+			"enabled": false,
+			"min_length": 8,
+			"max_length": 0,
+			"require_uppercase": true,
+			"require_lowercase": true,
+			"require_number": true,
+			"require_special": true
+		},
+		"zxcvbn": {
+			"enabled": false,
+			"min_score": 3
+		}
+	},
+	"access_control": {
+		"default_policy": "one_factor"
+	},
+	"session": {
+		"name": "authelia_session",
+		"domain": "{{var_authelia_session_domain}}",
+		"same_site": "lax",
+		"secret": "{{var_authelia_session_secret}}",
+		"expiration": "1h",
+		"inactivity": "5m",
+		"remember_me": "1M"
+	},
+	"regulation": {
+		"max_retries": 3,
+		"find_time": "2m",
+		"ban_time": "5m"
+	},
+	"storage": {
+		"encryption_key": "{{var_authelia_storage_encryption_key}}",
+{% if var_authelia_storage_kind == "sqlite" %}
+		"local": {
+			"path": "{{var_authelia_storage_data_sqlite_path}}"
+		}
+{% endif %}
+{% if var_authelia_storage_kind == "postgresql" %}
+		"postgres": {
+			"address": "{{var_authelia_storage_data_postgresql_host}}:{{var_authelia_storage_data_postgresql_port | string}}",
+			"schema": "public",
+			"username": "{{var_authelia_storage_data_postgresql_username}}",
+			"password": "{{var_authelia_storage_data_postgresql_password}}",
+			"database": "{{var_authelia_storage_data_postgresql_schema}}"
+		}
+{% endif %}
+{% if var_authelia_storage_kind == "mariadb" %}
+		"mysql": {
+			"host": "{{var_authelia_storage_data_mariadb_host}}",
+			"port": {{var_authelia_storage_data_mariadb_port | string}},
+			"username": "{{var_authelia_storage_data_mariadb_username}}",
+			"password": "{{var_authelia_storage_data_mariadb_password}}",
+			"database": "{{var_authelia_storage_data_mariadb_schema}}"
+		}
+{% endif %}
+	},
+	"notifier": {
+		"disable_startup_check": true,
+{% if var_authelia_notification_mode == "file" %}
+		"filesystem": {
+			"filename": "{{var_authelia_notification_file_path}}"
+		}
+{% endif %}
+{% if var_authelia_notification_mode == "smtp" %}
+		"smtp": {
+			"host": "{{var_authelia_notification_smtp_host}}",
+			"port": {{var_authelia_notification_smtp_port | string}},
+			"username": "{{var_authelia_notification_smtp_username}}",
+			"password": "{{var_authelia_notification_smtp_password}}",
+			"sender": "{{var_authelia_notification_smtp_sender}}",
+			"disable_require_tls": false,
+			"disable_html_emails": false,
+			"tls": {
+				"skip_verify": false
+			}
+		}
+{% endif %}
+	},
+	"identity_providers": {
+		"oidc": {
+			"hmac_secret": "{{var_authelia_oidc_hmac_secret}}",
+			"issuer_private_key": "{{temp_tls_result.privatekey | replace('\n', '\\n')}}",
+			"cors": {
+				"allowed_origins_from_client_redirect_uris": true
+			},
+			"clients": [
+			]
+		}
+	}
+}

ansible/roles/authelia/templates/users.yml.j2

@@ -0,0 +1,5 @@
+users:
+  _dummy:
+    displayname: dummy
+    password: "$2b$12$N5qptdk1VtpSlIlCxspLxeNeRIP6UEho4r1ZCoOlfpAtsIJQIjV/a"
+    email: dummy@example.org

ansible/roles/authelia/vardef.json

@@ -0,0 +1,130 @@
+{
+	"version": {
+		"type": "string",
+		"mandatory": false
+	},
+	"architecture": {
+		"type": "string",
+		"mandatory": false
+	},
+	"listen_address": {
+		"type": "string",
+		"mandatory": false
+	},
+	"jwt_secret": {
+		"type": "string",
+		"mandatory": true
+	},
+	"users_file_path": {
+		"type": "string",
+		"mandatory": false
+	},
+	"log_file_path": {
+		"type": "string",
+		"mandatory": false
+	},
+	"session_domain": {
+		"type": "string",
+		"mandatory": false
+	},
+	"session_secret": {
+		"type": "string",
+		"mandatory": true
+	},
+	"storage_encryption_key": {
+		"type": "string",
+		"mandatory": true
+	},
+	"storage_kind": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_sqlite_path": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_postgresql_host": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_postgresql_port": {
+		"type": "integer",
+		"mandatory": false
+	},
+	"storage_data_postgresql_username": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_postgresql_password": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_postgresql_schema": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_mariadb_host": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_mariadb_port": {
+		"type": "integer",
+		"mandatory": false
+	},
+	"storage_data_mariadb_username": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_mariadb_password": {
+		"type": "string",
+		"mandatory": false
+	},
+	"storage_data_mariadb_schema": {
+		"type": "string",
+		"mandatory": false
+	},
+	"ntp_server": {
+		"type": "string",
+		"mandatory": false
+	},
+	"password_reset_enabled": {
+		"type": "boolean",
+		"mandatory": false
+	},
+	"notification_mode": {
+		"type": "string",
+		"mandatory": false,
+		"options": [
+			"file",
+			"smtp"
+		]
+	},
+	"notification_file_path": {
+		"type": "string",
+		"mandatory": false
+	},
+	"notification_smtp_host": {
+		"type": "string",
+		"mandatory": false
+	},
+	"notification_smtp_port": {
+		"type": "integer",
+		"mandatory": false
+	},
+	"notification_smtp_username": {
+		"type": "string",
+		"mandatory": false
+	},
+	"notification_smtp_password": {
+		"type": "string",
+		"mandatory": false
+	},
+	"notification_smtp_sender": {
+		"type": "string",
+		"mandatory": false
+	},
+	"oidc_hmac_secret": {
+		"type": "string",
+		"mandatory": true
+	}
+}

ansible/roles/hedgedoc-and-lighttpd/defaults/main.json

@@ -0,0 +1,4 @@
+{
+	"var_hedgedoc_and_lighttpd_domain": "hedgedoc.example.org",
+	"var_hedgedoc_and_lighttpd_tls_enable": true
+}

ansible/roles/hedgedoc-and-lighttpd/info.md

@@ -0,0 +1,8 @@
+## Beschreibung
+
+- zur Einrichtung von [Lighttpd](../lighttpd) als Reverse-Proxy für [Hedgedoc](../hedgedoc)
+
+
+## Verweise
+
+- [Hedgedoc-Dokumentation | Using a Reverse Proxy](https://docs.hedgedoc.org/guides/reverse-proxy/)

ansible/roles/hedgedoc-and-lighttpd/tasks/main.json

@@ -0,0 +1,34 @@
+[
+	{
+		"name": "activate proxy module",
+		"become": true,
+		"ansible.builtin.shell": {
+			"cmd": "lighttpd-enable-mod proxy || exit 0"
+		}
+	},
+	{
+		"name": "emplace configuration | data",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "conf.j2",
+			"dest": "/etc/lighttpd/conf-available/{{var_hedgedoc_and_lighttpd_domain}}.conf"
+		}
+	},
+	{
+		"name": "emplace configuration | link",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "link",
+			"src": "/etc/lighttpd/conf-available/{{var_hedgedoc_and_lighttpd_domain}}.conf",
+			"dest": "/etc/lighttpd/conf-enabled/{{var_hedgedoc_and_lighttpd_domain}}.conf"
+		}
+	},
+	{
+		"name": "restart lighttpd",
+		"become": true,
+		"ansible.builtin.systemd_service": {
+			"state": "restarted",
+			"name": "lighttpd"
+		}
+	}
+]

ansible/roles/hedgedoc-and-lighttpd/templates/conf.j2

@@ -0,0 +1,33 @@
+$HTTP["host"] == "{{var_hedgedoc_and_lighttpd_domain}}" {
+	server.name = "{{var_hedgedoc_and_lighttpd_domain}}"
+	proxy.server = (
+		"" => (
+			"" => (
+				"host" => "127.0.0.1",
+				"port" => 2400
+			)
+		)
+	)
+	proxy.header = (
+		"upgrade" => "enable"
+	)
+	
+{% if var_hedgedoc_and_lighttpd_tls_enable %}
+	## alle Anfragen auf Port 80
+	$SERVER["socket"] == ":80" {
+		## auf HTTPS umleiten
+		url.redirect = ("^/(.*)$" => "https://{{var_hedgedoc_and_lighttpd_domain}}/$1")
+	}
+	
+	## alle Anfragen auf Port 443
+	$SERVER["socket"] == ":443" {
+		## mit dem SSL-Kram beglücken
+		ssl.engine  = "enable"
+		ssl.pemfile = "/etc/ssl/certs/{{var_hedgedoc_and_lighttpd_domain}}.pem"
+		ssl.privkey = "/etc/ssl/keys/{{var_hedgedoc_and_lighttpd_domain}}.pem"
+		ssl.ca-file = "/etc/ssl/fullchains/{{var_hedgedoc_and_lighttpd_domain}}.pem"
+		ssl.use-sslv2 = "disable"
+		ssl.use-sslv3 = "disable"
+	}
+{% endif %}
+}

ansible/roles/hedgedoc-and-nginx/defaults/main.json

@@ -0,0 +1,3 @@
+{
+	"var_hedgedoc_and_nginx_domain": "hedgedoc.example.org"
+}

ansible/roles/hedgedoc-and-nginx/info.md

@@ -0,0 +1,8 @@
+## Beschreibung
+
+Um [Hedgedoc](../hedgedoc) mit mittels [nginx](../nginx)-reverse-proxy laufen zu lassen
+
+
+## Verweise
+
+- [Hedgedoc-Dokumentation](https://docs.hedgedoc.org/guides/reverse-proxy/#nginx)

ansible/roles/hedgedoc-and-nginx/tasks/main.json

@@ -0,0 +1,35 @@
+[
+	{
+		"name": "deactivate default site",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "absent",
+			"dest": "/etc/nginx/sites-enabled/default"
+		}
+	},
+	{
+		"name": "emplace configuration | data",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "conf.j2",
+			"dest": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}"
+		}
+	},
+	{
+		"name": "emplace configuration | link",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "link",
+			"src": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}",
+			"dest": "/etc/nginx/sites-enabled/{{var_hedgedoc_and_nginx_domain}}"
+		}
+	},
+	{
+		"name": "restart nginx",
+		"become": true,
+		"ansible.builtin.systemd_service": {
+			"state": "restarted",
+			"name": "nginx"
+		}
+	}
+]

ansible/roles/hedgedoc-and-nginx/templates/conf.j2

@@ -0,0 +1,32 @@
+map $http_upgrade $connection_upgrade {
+	default upgrade;
+	'' close;
+}
+
+server {
+	server_name {{var_hedgedoc_and_nginx_domain}};
+	
+	listen [::]:443 ssl http2;
+	listen 443 ssl http2;
+	
+	ssl_certificate /etc/ssl/certs/{{var_hedgedoc_and_nginx_domain}}.pem;
+	ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem;
+	
+	location / {
+		proxy_pass http://localhost:3000;
+		proxy_set_header Host $host; 
+		proxy_set_header X-Real-IP $remote_addr; 
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
+		proxy_set_header X-Forwarded-Proto $scheme;
+	}
+	
+	location /socket.io/ {
+		proxy_pass http://localhost:3000;
+		proxy_set_header Host $host; 
+		proxy_set_header X-Real-IP $remote_addr; 
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection $connection_upgrade;
+	}
+}

ansible/roles/hedgedoc/defaults/main.json

@@ -0,0 +1,21 @@
+{
+	"var_hedgedoc_user_name": "hedgedoc",
+	"var_hedgedoc_directory": "/opt/hedgedoc",
+	"var_hedgedoc_version": "1.9.9",
+	"var_hedgedoc_session_secret": "REPLACE_ME",
+	"var_hedgedoc_database_kind": "sqlite",
+	"var_hedgedoc_database_data_sqlite_path": "/var/hedgedoc/data.sqlite",
+	"var_hedgedoc_database_data_postgresql_host": "localhost",
+	"var_hedgedoc_database_data_postgresql_port": 5432,
+	"var_hedgedoc_database_data_postgresql_username": "hedgedoc_user",
+	"var_hedgedoc_database_data_postgresql_password": "REPLACE_ME",
+	"var_hedgedoc_database_data_postgresql_schema": "hedgedoc",
+	"var_hedgedoc_domain": "hedgedoc.example.org",
+	"var_hedgedoc_authentication_kind": "authelia",
+	"var_hedgedoc_authentication_data_authelia_client_id": "hedgedoc",
+	"var_hedgedoc_authentication_data_authelia_client_secret": "REPLACE_ME",
+	"var_hedgedoc_authentication_data_authelia_url_base": "https://authelia.linke.sx",
+	"var_hedgedoc_guest_allow_create": false,
+	"var_hedgedoc_guest_allow_change": false,
+	"var_hedgedoc_free_names_mode": "authed"
+}

ansible/roles/hedgedoc/info.md

@@ -0,0 +1,14 @@
+## Beschreibung
+
+Kollaborativer Editor [Hedgedoc](https://docs.hedgedoc.org/)
+
+
+## Verweise
+
+- [Dokumentation | Manual Installation](https://docs.hedgedoc.org/setup/manual-setup/)
+- [Dokumentation | Configuration](https://docs.hedgedoc.org/configuration/)
+
+
+## Bemerkungen
+
+- Login über OAuth2 funktioniert vermutlich nicht mit abgelehnten TLS-Zertifikaten (z.B. selbst-signierten)

ansible/roles/hedgedoc/tasks/main.json

@@ -0,0 +1,85 @@
+[
+	{
+		"name": "packages",
+		"become": true,
+		"ansible.builtin.apt": {
+			"update_cache": true,
+			"pkg": [
+				"acl",
+				"git",
+				"nodejs",
+				"npm",
+				"yarnpkg"
+			]
+		}
+	},
+	{
+		"name": "yarn link",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "link",
+			"src": "/usr/bin/yarnpkg",
+			"dest": "/usr/bin/yarn"
+		}
+	},
+	{
+		"name": "user",
+		"become": true,
+		"ansible.builtin.user": {
+			"name": "{{var_hedgedoc_user_name}}",
+			"create_home": true
+		}
+	},
+	{
+		"name": "download",
+		"become": false,
+		"ansible.builtin.get_url": {
+			"url": "https://github.com/hedgedoc/hedgedoc/releases/download/{{var_hedgedoc_version}}/hedgedoc-{{var_hedgedoc_version}}.tar.gz",
+			"dest": "/tmp/hedgedoc.tar.gz"
+		}
+	},
+	{
+		"name": "extract",
+		"become": true,
+		"ansible.builtin.unarchive": {
+			"remote_src": true,
+			"src": "/tmp/hedgedoc.tar.gz",
+			"dest": "{{var_hedgedoc_directory | dirname}}",
+			"owner": "{{var_hedgedoc_user_name}}"
+		}
+	},
+	{
+		"name": "setup script",
+		"become": true,
+		"become_user": "hedgedoc",
+		"ansible.builtin.command": {
+			"chdir": "{{var_hedgedoc_directory}}",
+			"cmd": "bin/setup"
+		}
+	},
+	{
+		"name": "configuration",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "config.json.j2",
+			"dest": "{{var_hedgedoc_directory}}/config.json"
+		}
+	},
+	{
+		"name": "systemd unit",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "systemd-unit.j2",
+			"dest": "/etc/systemd/system/hedgedoc.service"
+		}
+	},
+	{
+		"name": "start",
+		"become": true,
+		"ansible.builtin.systemd_service": {
+			"enabled": true,
+			"state": "started",
+			"name": "hedgedoc"
+		}
+	}
+]

ansible/roles/hedgedoc/templates/config.json.j2

@@ -0,0 +1,64 @@
+{
+	"production": {
+		"loglevel": "error",
+{% if var_hedgedoc_database_kind == 'sqlite' %}
+		"db": {
+			"dialect": "sqlite",
+			"storage": "{{var_hedgedoc_database_data_sqlite_path}}"
+		},
+{% endif %}
+{% if var_hedgedoc_database_kind == 'postgresql' %}
+		"db": {
+			"dialect": "postgres",
+			"host": "{{var_hedgedoc_database_data_postgresql_host}}",
+			"port": {{var_hedgedoc_database_data_postgresql_port | to_json}},
+			"username": "{{var_hedgedoc_database_data_postgresql_username}}",
+			"password": "{{var_hedgedoc_database_data_postgresql_password}}",
+			"database": "{{var_hedgedoc_database_data_postgresql_schema}}"
+		},
+{% endif %}
+		"sessionSecret": "{{var_hedgedoc_session_secret}}",
+		"host": "localhost",
+		"allowOrigin": [
+			"localhost"
+		],
+		"domain": "{{var_hedgedoc_domain}}",
+		"urlAddPort": false,
+		"protocolUseSSL": true,
+{% if var_hedgedoc_authentication_kind == 'internal' %}
+		"email": true,
+		"allowEmailRegister": true,
+{% endif %}
+{% if var_hedgedoc_authentication_kind == 'authelia' %}
+		"oauth2": {
+			"providerName": "{{var_hedgedoc_authentication_data_authelia_provider_name}}",
+			"clientID": "{{var_hedgedoc_authentication_data_authelia_client_id}}",
+			"clientSecret": "{{var_hedgedoc_authentication_data_authelia_client_secret}}",
+			"scope": "openid email profile",
+			"userProfileUsernameAttr": "sub",
+			"userProfileDisplayNameAttr": "name",
+			"userProfileEmailAttr": "email",
+			"userProfileURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/profile",
+			"tokenURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/token",
+			"authorizationURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/authorization"
+		},
+		"email": false,
+		"allowEmailRegister": false,
+{% endif %}
+		"allowAnonymous": {{var_hedgedoc_guest_allow_create | to_json}},
+		"allowAnonymousEdits": {{var_hedgedoc_guest_allow_change | to_json}},
+{% if var_hedgedoc_free_names_mode == 'never' %}
+		"allowFreeURL": false,
+		"requireFreeURLAuthentication": false,
+{% endif %}
+{% if var_hedgedoc_free_names_mode == 'authed' %}
+		"allowFreeURL": true,
+		"requireFreeURLAuthentication": true,
+{% endif %}
+{% if var_hedgedoc_free_names_mode == 'always' %}
+		"allowFreeURL": true,
+		"requireFreeURLAuthentication": false,
+{% endif %}
+		"defaultPermission": "editable"
+	}
+}

ansible/roles/hedgedoc/templates/systemd-unit.j2

@@ -0,0 +1,14 @@
+[Unit]
+Description=Hedgedoc
+After=multi-user.target
+
+[Service]
+WorkingDirectory={{var_hedgedoc_directory}}
+User={{var_hedgedoc_user_name}}
+Environment="NODE_ENV=production"
+ExecStart=yarn start
+SyslogIdentifier=hedgedoc
+
+[Install]
+WantedBy=multi-user.target
+

ansible/roles/hedgedoc/vardef.json

@@ -0,0 +1,87 @@
+{
+	"user_name": {
+		"type": "string",
+		"mandatory": false
+	},
+	"directory": {
+		"type": "string",
+		"mandatory": false
+	},
+	"version": {
+		"type": "string",
+		"mandatory": false
+	},
+	"session_secret": {
+		"type": "string",
+		"mandatory": true
+	},
+	"database_kind": {
+		"type": "string",
+		"mandatory": false,
+		"options": [
+			"sqlite",
+			"postgresql",
+			"mariadb"
+		]
+	},
+	"database_data_sqlite_path": {
+		"type": "string",
+		"mandatory": false
+	},
+	"database_data_postgresql_host": {
+		"type": "string",
+		"mandatory": false
+	},
+	"database_data_postgresql_port": {
+		"type": "integer",
+		"mandatory": false
+	},
+	"database_data_postgresql_username": {
+		"type": "string",
+		"mandatory": false
+	},
+	"database_data_postgresql_password": {
+		"type": "string",
+		"mandatory": false
+	},
+	"database_data_postgresql_schema": {
+		"type": "string",
+		"mandatory": false
+	},
+	"domain": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_kind": {
+		"type": "string",
+		"mandatory": false,
+		"options": [
+			"internal",
+			"authelia"
+		]
+	},
+	"authentication_data_authelia_client_id": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_data_authelia_client_secret": {
+		"type": "string",
+		"mandatory": false
+	},
+	"authentication_data_authelia_url_base": {
+		"type": "string",
+		"mandatory": false
+	},
+	"guest_allow_create": {
+		"type": "boolean",
+		"mandatory": false
+	},
+	"guest_allow_change": {
+		"type": "boolean",
+		"mandatory": false
+	},
+	"free_names_mode": {
+		"type": "string",
+		"mandatory": false
+	}
+}

ansible/roles/lighttpd/tasks/main.json

@@ -3,6 +3,7 @@
 		"name": "install packages",
 		"become": true,
 		"ansible.builtin.apt": {
+			"update_cache": true,
 			"pkg": [
 				"lighttpd",
 				"lighttpd-mod-openssl"

ansible/roles/murmur/defaults/main.json

@@ -0,0 +1,6 @@
+{
+	"var_murmur_database_path": "/var/lib/mumble-server/mumble-server.sqlite",
+	"var_murmur_port": 64738,
+	"var_murmur_welcome_text": "<br />Welcome to this server running <b>Murmur</b>.<br />Enjoy your stay!<br />",
+	"var_murmur_admin_password": "REPLACE_ME"
+}

ansible/roles/murmur/info.md

@@ -0,0 +1,12 @@
+## Beschreibung
+
+Server-Implementierung _Murmur_ für den Audiokonferenz-Software [Mumble](https://www.mumble.info/)
+
+
+## Verweise
+
+- [Wikipedia-Artikel zu Mumble](https://de.m.wikipedia.org/wiki/Mumblehttps://de.m.wikipedia.org/wiki/Mumble)
+- [Mumble-Wiki | Hauptseite](https://wiki.mumble.info/wiki/Main_Page)
+- [Mumble-Wiki | Running Murmur](https://wiki.mumble.info/wiki/Running_Murmur)
+- [Mumble-Wiki | Murmurguide](https://wiki.mumble.info/wiki/Murmurguide)
+- [Mumble-Wiki | Authentication](https://wiki.mumble.info/wiki/Authentication)

ansible/roles/murmur/tasks/main.json

@@ -0,0 +1,36 @@
+[
+	{
+		"name": "packages",
+		"become": true,
+		"ansible.builtin.apt": {
+			"update_cache": true,
+			"pkg": [
+				"mumble-server"
+			]
+		}
+	},
+	{
+		"name": "configuration",
+		"become": true,
+		"ansible.builtin.template": {
+			"src": "mumble-server.ini.j2",
+			"dest": "/etc/mumble-server.ini",
+			"group": "mumble-server"
+		}
+	},
+	{
+		"name": "admin account",
+		"become": true,
+		"ansible.builtin.command": {
+			"cmd": "murmurd -ini /etc/mumble-server.ini -supw {{var_murmur_admin_password}}"
+		}
+	},
+	{
+		"name": "service",
+		"become": true,
+		"ansible.builtin.systemd_service": {
+			"state": "restarted",
+			"name": "mumble-server"
+		}
+	}
+]

ansible/roles/murmur/templates/mumble-server.ini.j2

@@ -0,0 +1,380 @@
+; Murmur configuration file.
+;
+; General notes:
+; * Settings in this file are default settings and many of them can be overridden
+;   with virtual server specific configuration via the Ice or DBus interface.
+; * Due to the way this configuration file is read some rules have to be
+;   followed when specifying variable values (as in variable = value):
+;     * Make sure to quote the value when using commas in strings or passwords.
+;        NOT variable = super,secret BUT variable = "super,secret"
+;     * Make sure to escape special characters like '\' or '"' correctly
+;        NOT variable = """ BUT variable = "\""
+;        NOT regex = \w* BUT regex = \\w*
+
+; Path to database. If blank, will search for
+; murmur.sqlite in default locations or create it if not found.
+database={{var_murmur_database_path}}
+
+; Murmur defaults to using SQLite with its default rollback journal.
+; In some situations, using SQLite's write-ahead log (WAL) can be
+; advantageous.
+; If you encounter slowdowns when moving between channels and similar
+; operations, enabling the SQLite write-ahead log might help.
+;
+; To use SQLite's write-ahead log, set sqlite_wal to one of the following
+; values:
+;
+; 0 - Use SQLite's default rollback journal.
+; 1 - Use write-ahead log with synchronous=NORMAL.
+;     If Murmur crashes, the database will be in a consistent state, but
+;     the most recent changes might be lost if the operating system did
+;     not write them to disk yet. This option can improve Murmur's
+;     interactivity on busy servers, or servers with slow storage.
+; 2 - Use write-ahead log with synchronous=FULL.
+;     All database writes are synchronized to disk when they are made.
+;     If Murmur crashes, the database will be include all completed writes.
+;sqlite_wal=0
+
+; If you wish to use something other than SQLite, you'll need to set the name
+; of the database above, and also uncomment the below.
+; Sticking with SQLite is strongly recommended, as it's the most well tested
+; and by far the fastest solution.
+;
+;dbDriver=QMYSQL
+;dbUsername=
+;dbPassword=
+;dbHost=
+;dbPort=
+;dbPrefix=murmur_
+;dbOpts=
+
+; Murmur defaults to not using D-Bus. If you wish to use dbus, which is one of the
+; RPC methods available in Murmur, please specify so here.
+;
+;dbus=system
+
+; Alternate D-Bus service name. Only use if you are running distinct
+; murmurd processes connected to the same D-Bus daemon.
+;dbusservice=net.sourceforge.mumble.murmur
+
+; If you want to use ZeroC Ice to communicate with Murmur, you need
+; to specify the endpoint to use. Since there is no authentication
+; with ICE, you should only use it if you trust all the users who have
+; shell access to your machine.
+; Please see the ICE documentation on how to specify endpoints.
+#ice="tcp -h 127.0.0.1 -p 6502"
+
+; Ice primarily uses local sockets. This means anyone who has a
+; user account on your machine can connect to the Ice services.
+; You can set a plaintext "secret" on the Ice connection, and
+; any script attempting to access must then have this secret
+; (as context with name "secret").
+; Access is split in read (look only) and write (modify)
+; operations. Write access always includes read access,
+; unless read is explicitly denied (see note below).
+;
+; Note that if this is uncommented and with empty content,
+; access will be denied.
+
+;icesecretread=
+icesecretwrite=
+
+; If you want to expose Murmur's experimental gRPC API, you
+; need to specify an address to bind on.
+; Note: not all builds of Murmur support gRPC. If gRPC is not
+; available, Murmur will warn you in its log output.
+;grpc="127.0.0.1:50051"
+; Specifying both a certificate and key file below will cause gRPC to use
+; secured, TLS connections.
+;grpccert=""
+;grpckey=""
+
+; Specifies the file Murmur should log to. By default, Murmur
+; logs to the file 'murmur.log'. If you leave this field blank
+; on Unix-like systems, Murmur will force itself into foreground
+; mode which logs to the console.
+logfile=/var/log/mumble-server/mumble-server.log
+
+; If set, Murmur will write its process ID to this file
+; when running in daemon mode (when the -fg flag is not
+; specified on the command line). Only available on
+; Unix-like systems.
+pidfile=/run/mumble-server/mumble-server.pid
+
+; The below will be used as defaults for new configured servers.
+; If you're just running one server (the default), it's easier to
+; configure it here than through D-Bus or Ice.
+;
+; Welcome message sent to clients when they connect.
+; If the welcome message is set to an empty string,
+; no welcome message will be sent to clients.
+welcometext="{{var_murmur_welcome_text}}"
+
+; Port to bind TCP and UDP sockets to.
+port={{var_murmur_port | string}}
+
+; Specific IP or hostname to bind to.
+; If this is left blank (default), Murmur will bind to all available addresses.
+;host=
+
+; Password to join server.
+serverpassword=
+
+; Maximum bandwidth (in bits per second) clients are allowed
+; to send speech at.
+bandwidth=72000
+
+; Murmur and Mumble are usually pretty good about cleaning up hung clients, but
+; occasionally one will get stuck on the server. The timeout setting will cause
+; a periodic check of all clients who haven't communicated with the server in
+; this many seconds - causing zombie clients to be disconnected.
+;
+; Note that this has no effect on idle clients or people who are AFK. It will
+; only affect people who are already disconnected, and just haven't told the
+; server.
+;timeout=30
+
+; Maximum number of concurrent clients allowed.
+users=100
+
+; Where users sets a blanket limit on the number of clients per virtual server,
+; usersperchannel sets a limit on the number per channel. The default is 0, for
+; no limit.
+;usersperchannel=0
+
+; Per-user rate limiting
+;
+; These two settings allow to configure the per-user rate limiter for some
+; command messages sent from the client to the server. The messageburst setting
+; specifies an amount of messages which are allowed in short bursts. The
+; messagelimit setting specifies the number of messages per second allowed over
+; a longer period. If a user hits the rate limit, his packages are then ignored
+; for some time. Both of these settings have a minimum of 1 as setting either to
+; 0 could render the server unusable.
+messageburst=5
+messagelimit=1
+
+; Respond to UDP ping packets.
+;
+; Setting to true exposes the current user count, the maximum user count, and
+; the server's maximum bandwidth per client to unauthenticated users. In the
+; Mumble client, this information is shown in the Connect dialog.
+allowping=true
+
+; Amount of users with Opus support needed to force Opus usage, in percent.
+; 0 = Always enable Opus, 100 = enable Opus if it's supported by all clients.
+;opusthreshold=100
+
+; Maximum depth of channel nesting. Note that some databases like MySQL using
+; InnoDB will fail when operating on deeply nested channels.
+;channelnestinglimit=10
+
+; Maximum number of channels per server. 0 for unlimited. Note that an
+; excessive number of channels will impact server performance
+;channelcountlimit=1000
+
+; Regular expression used to validate channel names.
+; (Note that you have to escape backslashes with \ )
+;channelname=[ \\-=\\w\\#\\[\\]\\{\\}\\(\\)\\@\\|]+
+
+; Regular expression used to validate user names.
+; (Note that you have to escape backslashes with \ )
+;username=[-=\\w\\[\\]\\{\\}\\(\\)\\@\\|\\.]+
+
+; If a user has no stored channel (they've never been connected to the server
+; before, or rememberchannel is set to false) and the client hasn't been given
+; a URL that includes a channel path, the default behavior is that they will
+; end up in the root channel.
+;
+; You can set this setting to a channel ID, and the user will automatically be
+; moved into that channel instead. Note that this is the numeric ID of the
+; channel, which can be a little tricky to get (you'll either need to use an
+; RPC mechanism, watch the console of a debug client, or root around through
+; the Murmur Database to get it).
+;
+;defaultchannel=0
+
+; When a user connects to a server they've already been on, by default the
+; server will remember the last channel they were in and move them to it
+; automatically. Toggling this setting to false will disable that feature.
+;
+;rememberchannel=true
+
+; Maximum length of text messages in characters. 0 for no limit.
+;textmessagelength=5000
+
+; Maximum length of text messages in characters, with image data. 0 for no limit.
+;imagemessagelength=131072
+
+; Allow clients to use HTML in messages, user comments and channel descriptions?
+;allowhtml=true
+
+; Murmur retains the per-server log entries in an internal database which
+; allows it to be accessed over D-Bus/ICE.
+; How many days should such entries be kept?
+; Set to 0 to keep forever, or -1 to disable logging to the DB.
+;logdays=31
+
+; To enable public server registration, the serverpassword must be blank, and
+; this must all be filled out.
+; The password here is used to create a registry for the server name; subsequent
+; updates will need the same password. Don't lose your password.
+; The URL is your own website, and only set the registerHostname for static IP
+; addresses.
+; Location is typically the country of typical users of the server, in
+; two-letter TLD style (ISO 3166-1 alpha-2 country code)
+;
+; If you only wish to give your "Root" channel a custom name, then only
+; uncomment the 'registerName' parameter.
+;
+;registerName=Mumble Server
+;registerPassword=secret
+;registerUrl=http://www.mumble.info/
+;registerHostname=
+;registerLocation=
+
+; If this option is enabled, the server will announce its presence via the
+; bonjour service discovery protocol. To change the name announced by bonjour
+; adjust the registerName variable.
+; See http://developer.apple.com/networking/bonjour/index.html for more information
+; about bonjour.
+;bonjour=True
+
+; If you have a proper SSL certificate, you can provide the filenames here.
+; Otherwise, Murmur will create its own certificate automatically.
+;sslCert=
+;sslKey=
+
+; If the keyfile specified above is encrypted with a passphrase, you can enter
+; it in this setting. It must be plaintext, so you may wish to adjust the
+; permissions on your murmur.ini file accordingly.
+;sslPassPhrase=
+
+; If your certificate is signed by an authority that uses a sub-signed or
+; "intermediate" certificate, you probably need to bundle it with your
+; certificate in order to get Murmur to accept it. You can either concatenate
+; the two certificates into one file, or you can put it in a file by itself and
+; put the path to that PEM-file in sslCA.
+;sslCA=
+
+; The sslDHParams option allows you to specify a PEM-encoded file with
+; Diffie-Hellman parameters, which will be used as the default Diffie-
+; Hellman parameters for all virtual servers.
+;
+; Instead of pointing sslDHParams to a file, you can also use the option
+; to specify a named set of Diffie-Hellman parameters for Murmur to use.
+; Murmur comes bundled with the Diffie-Hellman parameters from RFC 7919.
+; These parameters are available by using the following names:
+;
+; @ffdhe2048, @ffdhe3072, @ffdhe4096, @ffdhe6144, @ffdhe8192
+;
+; By default, Murmur uses @ffdhe2048.
+;sslDHParams=@ffdhe2048
+
+; The sslCiphers option chooses the cipher suites to make available for use
+; in SSL/TLS. This option is server-wide, and cannot be set on a
+; per-virtual-server basis.
+;
+; This option is specified using OpenSSL cipher list notation (see
+; https://www.openssl.org/docs/apps/ciphers.html#CIPHER-LIST-FORMAT).
+;
+; It is recommended that you try your cipher string using 'openssl ciphers <string>'
+; before setting it here, to get a feel for which cipher suites you will get.
+;
+; After setting this option, it is recommend that you inspect your Murmur log
+; to ensure that Murmur is using the cipher suites that you expected it to.
+;
+; Note: Changing this option may impact the backwards compatibility of your
+; Murmur server, and can remove the ability for older Mumble clients to be able
+; to connect to it.
+;sslCiphers=EECDH+AESGCM:EDH+aRSA+AESGCM:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA
+
+; If Murmur is started as root, which user should it switch to?
+; This option is ignored if Murmur isn't started with root privileges.
+uname=mumble-server
+
+; By default, in log files and in the user status window for privileged users,
+; Mumble will show IP addresses - in some situations you may find this unwanted
+; behavior. If obfuscate is set to true, Murmur will randomize the IP addresses
+; of connecting users.
+;
+; The obfuscate function only affects the log file and DOES NOT effect the user
+; information section in the client window.
+;obfuscate=false
+
+; If this options is enabled, only clients which have a certificate are allowed
+; to connect.
+;certrequired=False
+
+; If enabled, clients are sent information about the servers version and operating
+; system.
+;sendversion=True
+
+; You can set a recommended minimum version for your server, and clients will
+; be notified in their log when they connect if their client does not meet the
+; minimum requirements. suggestVersion expects the version in the format X.X.X.
+;
+; Note that the suggest* options appeared after 1.2.3 and will have no effect
+; on client versions 1.2.3 and earlier.
+;
+;suggestVersion=
+
+; Setting this to "true" will alert any user who does not have positional audio
+; enabled that the server administrators recommend enabling it. Setting it to
+; "false" will have the opposite effect - if you do not care whether the user
+; enables positional audio or not, set it to blank. The message will appear in
+; the log window upon connection, but only if the user's settings do not match
+; what the server requests.
+;
+; Note that the suggest* options appeared after 1.2.3 and will have no effect
+; on client versions 1.2.3 and earlier.
+;
+;suggestPositional=
+
+; Setting this to "true" will alert any user who does not have Push-To-Talk
+; enabled that the server administrators recommend enabling it. Setting it to
+; "false" will have the opposite effect - if you do not care whether the user
+; enables PTT or not, set it to blank. The message will appear in the log
+; window upon connection, but only if the user's settings do not match what the
+; server requests.
+;
+; Note that the suggest* options appeared after 1.2.3 and will have no effect
+; on client versions 1.2.3 and earlier.
+;
+;suggestPushToTalk=
+
+; This sets password hash storage to legacy mode (1.2.4 and before)
+; (Note that setting this to true is insecure and should not be used unless absolutely necessary)
+;legacyPasswordHash=false
+
+; By default a strong amount of PBKDF2 iterations are chosen automatically. If >0 this setting
+; overrides the automatic benchmark and forces a specific number of iterations.
+; (Note that you should only change this value if you know what you are doing)
+;kdfIterations=-1
+
+; In order to prevent misconfigured, impolite or malicious clients from
+; affecting the low-latency of other users, Murmur has a rudimentary global-ban
+; system. It's configured using the autobanAttempts, autobanTimeframe and
+; autobanTime settings.
+;
+; If a client attempts autobanAttempts connections in autobanTimeframe seconds,
+; they will be banned for autobanTime seconds. This is a global ban, from all
+; virtual servers on the Murmur process. It will not show up in any of the
+; ban-lists on the server, and they can't be removed without restarting the
+; Murmur process - just let them expire. A single, properly functioning client
+; should not trip these bans.
+;
+; To disable, set autobanAttempts or autobanTimeframe to 0. Commenting these
+; settings out will cause Murmur to use the defaults:
+;
+;autobanAttempts=10
+;autobanTimeframe=120
+;autobanTime=300
+
+; You can configure any of the configuration options for Ice here. We recommend
+; leave the defaults as they are.
+; Please note that this section has to be last in the configuration file.
+;
+[Ice]
+Ice.Warn.UnknownProperties=1
+Ice.MessageSizeMax=65536

ansible/roles/nginx/tasks/main.json

@@ -3,6 +3,7 @@
 		"name": "install packages",
 		"become": true,
 		"ansible.builtin.apt": {
+			"update_cache": true,
 			"pkg": [
 				"nginx"
 			]

ansible/roles/postgresql-for-authelia/defaults/main.json

@@ -0,0 +1,7 @@
+{
+	"var_postgresql_for_authelia_host": "localhost",
+	"var_postgresql_for_authelia_port": 5432,
+	"var_postgresql_for_authelia_username": "authelia_user",
+	"var_postgresql_for_authelia_password": "REPLACE_ME",
+	"var_postgresql_for_authelia_schema": "authelia"
+}

ansible/roles/postgresql-for-authelia/tasks/main.json

@@ -0,0 +1,49 @@
+[
+	{
+		"name": "packages",
+		"become": true,
+		"ansible.builtin.apt": {
+			"update_cache": true,
+			"pkg": [
+				"acl",
+				"python3-psycopg2"
+			]
+		}
+	},
+	{
+		"name": "user",
+		"become": true,
+		"become_user": "postgres",
+		"community.postgresql.postgresql_user": {
+			"state": "present",
+			"name": "{{var_postgresql_for_authelia_username}}",
+			"password": "{{var_postgresql_for_authelia_password}}"
+		},
+		"environment": {
+			"PGOPTIONS": "-c password_encryption=scram-sha-256"
+		}
+	},
+	{
+		"name": "schema",
+		"become": true,
+		"become_user": "postgres",
+		"community.postgresql.postgresql_db": {
+			"state": "present",
+			"name": "{{var_postgresql_for_authelia_schema}}",
+			"owner": "{{var_postgresql_for_authelia_username}}"
+		}
+	},
+	{
+		"name": "rights",
+		"become": true,
+		"become_user": "postgres",
+		"community.postgresql.postgresql_privs": {
+			"state": "present",
+			"db": "{{var_postgresql_for_authelia_schema}}",
+			"objs": "ALL_IN_SCHEMA",
+			"roles": "{{var_postgresql_for_authelia_username}}",
+			"privs": "ALL",
+			"grant_option": true
+		}
+	}
+]

ansible/roles/postgresql-for-authelia/vardef.json

@@ -0,0 +1,22 @@
+{
+	"host": {
+		"mandatory": false,
+		"type": "string"
+	},
+	"port": {
+		"mandatory": false,
+		"type": "integer"
+	},
+	"username": {
+		"mandatory": false,
+		"type": "string"
+	},
+	"password": {
+		"mandatory": true,
+		"type": "string"
+	},
+	"schema": {
+		"mandatory": false,
+		"type": "string"
+	}
+}

ansible/roles/postgresql-for-hedgedoc/defaults/main.json

@@ -0,0 +1,5 @@
+{
+	"var_postgresql_for_hedgedoc_username": "hedgedoc_user",
+	"var_postgresql_for_hedgedoc_password": "REPLACE_ME",
+	"var_postgresql_for_hedgedoc_schema": "hedgedoc"
+}

ansible/roles/postgresql-for-hedgedoc/tasks/main.json

@@ -0,0 +1,49 @@
+[
+	{
+		"name": "packages",
+		"become": true,
+		"ansible.builtin.apt": {
+			"update_cache": true,
+			"pkg": [
+				"acl",
+				"python3-psycopg2"
+			]
+		}
+	},
+	{
+		"name": "user",
+		"become": true,
+		"become_user": "postgres",
+		"community.postgresql.postgresql_user": {
+			"state": "present",
+			"name": "{{var_postgresql_for_hedgedoc_username}}",
+			"password": "{{var_postgresql_for_hedgedoc_password}}"
+		},
+		"environment": {
+			"PGOPTIONS": "-c password_encryption=scram-sha-256"
+		}
+	},
+	{
+		"name": "schema",
+		"become": true,
+		"become_user": "postgres",
+		"community.postgresql.postgresql_db": {
+			"state": "present",
+			"name": "{{var_postgresql_for_hedgedoc_schema}}",
+			"owner": "{{var_postgresql_for_hedgedoc_username}}"
+		}
+	},
+	{
+		"name": "rights",
+		"become": true,
+		"become_user": "postgres",
+		"community.postgresql.postgresql_privs": {
+			"state": "present",
+			"db": "{{var_postgresql_for_hedgedoc_schema}}",
+			"objs": "ALL_IN_SCHEMA",
+			"roles": "{{var_postgresql_for_hedgedoc_username}}",
+			"privs": "ALL",
+			"grant_option": true
+		}
+	}
+]

ansible/roles/postgresql-for-synapse/defaults/main.json

@@ -1,5 +1,5 @@
 {
 	"var_postgresql_for_synapse_username": "synapse_user",
-	"var_postgresql_for_synapse_password": "synapse_password",
+	"var_postgresql_for_synapse_password": "REPLACE_ME",
 	"var_postgresql_for_synapse_schema": "synapse"
 }

ansible/roles/postgresql-for-synapse/tasks/main.json

@@ -3,6 +3,7 @@
 		"name": "packages",
 		"become": true,
 		"ansible.builtin.apt": {
+			"update_cache": true,
 			"pkg": [
 				"acl",
 				"python3-psycopg2"
@@ -17,6 +18,9 @@
 			"state": "present",
 			"name": "{{var_postgresql_for_synapse_username}}",
 			"password": "{{var_postgresql_for_synapse_password}}"
+		},
+		"environment": {
+			"PGOPTIONS": "-c password_encryption=scram-sha-256"
 		}
 	},
 	{

ansible/roles/postgresql/defaults/main.json

@@ -1,5 +1,5 @@
 {
 	"var_postgresql_listen_address": "localhost",
-	"var_postgresql_port": "5432"
+	"var_postgresql_port": 5432
 }
 

ansible/roles/postgresql/tasks/main.json

@@ -3,6 +3,7 @@
 		"name": "install packages",
 		"become": true,
 		"ansible.builtin.apt": {
+			"update_cache": true,
 			"pkg": [
 				"postgresql"
 			]

ansible/roles/postgresql/templates/postgresql.conf.j2

@@ -61,7 +61,7 @@ listen_addresses = '{{var_postgresql_listen_address}}'		# what IP address(es) to
 					# comma-separated list of addresses;
 					# defaults to 'localhost'; use '*' for all
 					# (change requires restart)
-port = {{var_postgresql_port}}				# (change requires restart)
+port = {{var_postgresql_port | string}}				# (change requires restart)
 max_connections = 100			# (change requires restart)
 #superuser_reserved_connections = 3	# (change requires restart)
 unix_socket_directories = '/var/run/postgresql'	# comma-separated list of directories

ansible/roles/postgresql/vardef.json

@@ -0,0 +1,15 @@
+{
+	"listen_address": {
+		"mandatory": false,
+		"type": "string"
+	},
+	"port": {
+		"mandatory": false,
+		"type": "integer"
+	},
+	"allow_md5_auth": {
+		"mandatory": false,
+		"type": "boolean"
+	}
+}
+

ansible/roles/proftpd/tasks/main.json

@@ -3,6 +3,7 @@
 		"name": "install packages",
 		"become": true,
 		"ansible.builtin.apt": {
+			"update_cache": true,
 			"pkg": [
 				"proftpd-core"
 			]

ansible/roles/sqlite-for-hedgedoc/defaults/main.json

@@ -0,0 +1,4 @@
+{
+	"var_sqlite_for_hedgedoc_path": "/var/hedgedoc/data.sqlite",
+	"var_sqlite_for_hedgedoc_user_name": "hedgedoc"
+}

ansible/roles/sqlite-for-hedgedoc/tasks/main.json

@@ -0,0 +1,20 @@
+[
+	{
+		"name": "directory",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "directory",
+			"path": "{{var_sqlite_for_hedgedoc_path | dirname}}",
+			"owner": "{{var_hedgedoc_user_name}}"
+		}
+	},
+	{
+		"name": "file",
+		"become": true,
+		"ansible.builtin.file": {
+			"state": "touch",
+			"path": "{{var_sqlite_for_hedgedoc_path}}",
+			"owner": "{{var_sqlite_for_hedgedoc_user_name}}"
+		}
+	}
+]

ansible/roles/sqlite-for-hedgedoc/vardef.json

@@ -0,0 +1,10 @@
+{
+	"path": {
+		"type": "string",
+		"mandatory": false
+	},
+	"user_name": {
+		"type": "string",
+		"mandatory": false
+	}
+}

ansible/roles/synapse-and-lighttpd/defaults/main.json

@@ -1,3 +1,3 @@
 {
-	"var_synapse_and_lighttpd_domain": "REPLACE_ME"
+	"var_synapse_and_lighttpd_domain": "synapse.example.org"
 }

ansible/roles/synapse/defaults/main.json

@@ -1,27 +1,27 @@
 {
 	"var_synapse_scheme": "https",
-	"var_synapse_domain": "matrix.example.org",
-	"var_synaspe_database_kind": "sqlite",
-	"var_synaspe_database_sqlite_path": "/var/synapse/data.sqlite",
-	"var_synaspe_database_postgresql_host": "localhost",
-	"var_synaspe_database_postgresql_port": "5432",
-	"var_synaspe_database_postgresql_username": "synapse_user",
-	"var_synaspe_database_postgresql_password": "REPLACE_ME",
-	"var_synaspe_database_postgresql_schema": "synapse",
+	"var_synapse_domain": "synapse.example.org",
+	"var_synapse_database_kind": "sqlite",
+	"var_synapse_database_data_sqlite_path": "/var/synapse/data.sqlite",
+	"var_synapse_database_data_postgresql_host": "localhost",
+	"var_synapse_database_data_postgresql_port": 5432,
+	"var_synapse_database_data_postgresql_username": "synapse_user",
+	"var_synapse_database_data_postgresql_password": "REPLACE_ME",
+	"var_synapse_database_data_postgresql_schema": "synapse",
 	"var_synapse_element_url": "https://element.example.org",
 	"var_synapse_title": "Example | Matrix",
-	"var_synapse_federation_whitelist": "[]",
-	"var_synapse_password_strict_policy": "true",
+	"var_synapse_federation_whitelist": [],
+	"var_synapse_password_strict_policy": true,
 	"var_synapse_registration_shared_secret": "REPLACE_ME",
-	"var_synapse_oidc_enable": false,
-	"var_synapse_oidc_provider_id": "external_auth",
-	"var_synapse_oidc_provider_name": "external auth",
-	"var_synapse_oidc_client_id": "synapse",
-	"var_synapse_oidc_client_secret": "REPLACE_ME",
-	"var_synapse_oidc_issuer_url": "https://auth.example.org",
+	"var_synapse_authentication_kind": "internal",
+	"var_synapse_authentication_data_authelia_provider_id": "authelia",
+	"var_synapse_authentication_data_authelia_provider_name": "Authelia",
+	"var_synapse_authentication_data_authelia_client_id": "synapse",
+	"var_synapse_authentication_data_authelia_client_secret": "REPLACE_ME",
+	"var_synapse_authentication_data_authelia_url_base": "https://authelia.example.org",
 	"var_synapse_smtp_host": "smtp.example.org",
-	"var_synapse_smtp_port": "587",
-	"var_synapse_smtp_username": "matrix@smtp.example.org",
+	"var_synapse_smtp_port": 587,
+	"var_synapse_smtp_username": "synapse@smtp.example.org",
 	"var_synapse_smtp_password": "REPLACE_ME",
 	"var_synapse_admin_user_define": true,
 	"var_synapse_admin_user_name": "admin",

ansible/roles/synapse/templates/homeserver.yaml.j2

@@ -1,19 +1,19 @@
-{% if var_synaspe_database_kind == 'sqlite' %}
+{% if var_synapse_database_kind == 'sqlite' %}
 database:
   name: sqlite3
   args:
-    database: {{var_synaspe_database_sqlite_path}}
+    database: {{var_synapse_database_sqlite_path}}
 {% endif %}
 
-{% if var_synaspe_database_kind == 'postgresql' %}
+{% if var_synapse_database_kind == 'postgresql' %}
 database:
   name: psycopg2
   args:
-    host: {{var_synapse_database_postgresql_host}}
-    port: {{var_synapse_database_postgresql_port}}
-    database: "{{var_synapse_database_postgresql_schema}}"
-    user: "{{var_synapse_database_postgresql_username}}"
-    password: "{{var_synapse_database_postgresql_password}}"
+    host: {{var_synapse_database_data_postgresql_host}}
+    port: {{var_synapse_database_data_postgresql_port | string}}
+    database: "{{var_synapse_database_data_postgresql_schema}}"
+    user: "{{var_synapse_database_data_postgresql_username}}"
+    password: "{{var_synapse_database_data_postgresql_password}}"
     cp_min: 5
     cp_max: 10
 {% endif %}
@@ -45,7 +45,7 @@ listeners:
       - names: [federation]
         compress: false
 
-federation_domain_whitelist: {{var_synapse_federation_whitelist}}
+federation_domain_whitelist: {{var_synapse_federation_whitelist | to_yaml}}
     
 serve_server_wellknown: true
 
@@ -87,14 +87,8 @@ max_spider_size: "10M"
 enable_registration_captcha: false
 recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
 
+{% if var_synapse_registration_shared_secret != None %}
 registration_shared_secret: "{{var_synapse_registration_shared_secret}}"
-
-{% if var_synapse_oidc_enable %}
-enable_registration: false
-enable_registration_without_verification: false
-{% else %}
-enable_registration: true
-enable_registration_without_verification: true
 {% endif %}
 
 oidc_config:
@@ -103,15 +97,23 @@ oidc_config:
       # NOT an Ansible variable
       localpart_template: "{{"{{"}} user.preferred_username {{"}}"}}"
 
-{% if var_synapse_oidc_enable %}
+{% if var_synapse_authentication_kind == 'internal' %}
+enable_registration: true
+enable_registration_without_verification: true
+{% endif %}
+
+{% if var_synapse_authentication_kind == 'authelia' %}
+enable_registration: false
+enable_registration_without_verification: false
+
 oidc_providers:
-  - idp_id: "{{var_synapse_oidc_provider_id}}"
-    idp_name: "{{var_synapse_oidc_provider_name}}"
-    # idp_icon: "mxc://authelia.com/cKlrTPsGvlpKxAYeHWJsdVHI"
+  - idp_id: "{{var_synapse_authentication_data_authelia_provider_id}}"
+    idp_name: "{{var_synapse_authentication_data_authelia_provider_name}}"
+    idp_icon: "mxc://authelia.com/cKlrTPsGvlpKxAYeHWJsdVHI"
     discover: true
-    issuer: "{{var_synapse_oidc_issuer_url}}"
-    client_id: "{{var_synapse_oidc_client_id}}"
-    client_secret: "{{var_synapse_oidc_client_secret}}"
+    issuer: "{{var_synapse_authentication_data_authelia_url_base}}"
+    client_id: "{{var_synapse_authentication_data_authelia_client_id}}"
+    client_secret: "{{var_synapse_authentication_data_authelia_client_secret}}"
     scopes: ["openid", "profile", "email"]
     allow_existing_users: true
     user_mapping_provider:
@@ -158,11 +160,11 @@ saml2_config:
 password_config:
    enabled: true
    policy:
-     enabled: {{var_synapse_password_strict_policy}}
+     enabled: {{var_synapse_password_strict_policy | to_yaml}}
 
 email:
   smtp_host: "{{var_synapse_smtp_host}}"
-  smtp_port: {{var_synapse_smtp_port}}
+  smtp_port: {{var_synapse_smtp_port | to_yaml}}
   smtp_user: "{{var_synapse_smtp_username}}"
   smtp_pass: "{{var_synapse_smtp_password}}"
   require_transport_security: true

ansible/roles/tlscert_acme_inwx/tasks/main.json

@@ -3,6 +3,7 @@
 		"name": "packages",
 		"become": true,
 		"ansible.builtin.apt": {
+			"update_cache": true,
 			"pkg": [
 				"openssl",
 				"python3-cryptography"

ansible/roles/tlscert_acme_netcup/tasks/main.json

@@ -3,6 +3,7 @@
 		"name": "packages | debian",
 		"become": true,
 		"ansible.builtin.apt": {
+			"update_cache": true,
 			"pkg": [
 				"openssl",
 				"python3-cryptography",

ansible/roles/tlscert_selfsigned/tasks/main.json

@@ -3,6 +3,7 @@
 		"name": "install packages",
 		"become": true,
 		"ansible.builtin.apt": {
+			"update_cache": true,
 			"pkg": [
 				"openssl",
 				"python3-cryptography"