diff --git a/ansible/roles/authelia-and-nginx/defaults/main.json b/ansible/roles/authelia-and-nginx/defaults/main.json new file mode 100644 index 0000000..7559dcb --- /dev/null +++ b/ansible/roles/authelia-and-nginx/defaults/main.json @@ -0,0 +1,3 @@ +{ + "var_authelia_and_nginx_domain": "authelia.example.org" +} diff --git a/ansible/roles/authelia-and-nginx/info.md b/ansible/roles/authelia-and-nginx/info.md new file mode 100644 index 0000000..670d9f0 --- /dev/null +++ b/ansible/roles/authelia-and-nginx/info.md @@ -0,0 +1,3 @@ +## Verweise + +- [Authelia-Dokumentation](https://www.authelia.com/integration/proxies/nginx/) diff --git a/ansible/roles/authelia-and-nginx/tasks/main.json b/ansible/roles/authelia-and-nginx/tasks/main.json new file mode 100644 index 0000000..87dcf2b --- /dev/null +++ b/ansible/roles/authelia-and-nginx/tasks/main.json @@ -0,0 +1,35 @@ +[ + { + "name": "deactivate default site", + "become": true, + "ansible.builtin.file": { + "state": "absent", + "dest": "/etc/nginx/sites-enabled/default" + } + }, + { + "name": "emplace configuration | data", + "become": true, + "ansible.builtin.template": { + "src": "conf.j2", + "dest": "/etc/nginx/sites-available/{{var_authelia_and_nginx_domain}}" + } + }, + { + "name": "emplace configuration | link", + "become": true, + "ansible.builtin.file": { + "state": "link", + "src": "/etc/nginx/sites-available/{{var_authelia_and_nginx_domain}}", + "dest": "/etc/nginx/sites-enabled/{{var_authelia_and_nginx_domain}}" + } + }, + { + "name": "restart nginx", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "nginx" + } + } +] diff --git a/ansible/roles/authelia-and-nginx/templates/conf.j2 b/ansible/roles/authelia-and-nginx/templates/conf.j2 new file mode 100644 index 0000000..bd0cbeb --- /dev/null +++ b/ansible/roles/authelia-and-nginx/templates/conf.j2 @@ -0,0 +1,62 @@ +server { + server_name {{var_authelia_and_nginx_domain}}; + + listen [::]:80; + listen 80; + + return 301 https://$server_name$request_uri; +} + +server { + server_name {{var_authelia_and_nginx_domain}}; + + listen [::]:443 ssl http2; + listen 443 ssl http2; + + ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem; + ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem; + + location / { + ## Headers + proxy_set_header Host $host; + proxy_set_header X-Original-URL $scheme://$http_host$request_uri; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Uri $request_uri; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Connection ""; + + ## Basic Proxy Configuration + client_body_buffer_size 128k; + proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead. + proxy_redirect http:// $scheme://; + proxy_http_version 1.1; + proxy_cache_bypass $cookie_session; + proxy_no_cache $cookie_session; + proxy_buffers 64 256k; + + ## Trusted Proxies Configuration + ## Please read the following documentation before configuring this: + ## https://www.authelia.com/integration/proxies/nginx/#trusted-proxies + # set_real_ip_from 10.0.0.0/8; + # set_real_ip_from 172.16.0.0/12; + # set_real_ip_from 192.168.0.0/16; + # set_real_ip_from fc00::/7; + real_ip_header X-Forwarded-For; + real_ip_recursive on; + + ## Advanced Proxy Configuration + send_timeout 5m; + proxy_read_timeout 360; + proxy_send_timeout 360; + proxy_connect_timeout 360; + + proxy_pass http://localhost:9091; + } + + location /api/verify { + proxy_pass http://localhost:9091; + } +} diff --git a/ansible/roles/authelia-for-hedgedoc/defaults/main.json b/ansible/roles/authelia-for-hedgedoc/defaults/main.json new file mode 100644 index 0000000..b1e3329 --- /dev/null +++ b/ansible/roles/authelia-for-hedgedoc/defaults/main.json @@ -0,0 +1,5 @@ +{ + "var_authelia_for_hedgedoc_hedgedoc_url_base": "https://hedgedoc.example.org", + "var_authelia_for_hedgedoc_client_id": "hedgedoc", + "var_authelia_for_hedgedoc_client_secret": "REPLACE_ME" +} diff --git a/ansible/roles/authelia-for-hedgedoc/info.md b/ansible/roles/authelia-for-hedgedoc/info.md new file mode 100644 index 0000000..ef620fc --- /dev/null +++ b/ansible/roles/authelia-for-hedgedoc/info.md @@ -0,0 +1,10 @@ +## Beschreibung + +Um [Hedgedoc](../hedgedoc) gegen [Authelia](../authelia) authentifizieren zu lassen + + +## Verweise + +- [Authelia-Dokumentation | Configuration: OpenID Connect: Client](https://www.authelia.com/configuration/identity-providers/open-id-connect/#clients) +- [Hedgedoc-Dokumentation | Authelia](https://docs.hedgedoc.org/guides/auth/authelia/) +- [Hedgedoc-Dokumentation | Conf: OAuth2 Login](https://docs.hedgedoc.org/configuration/#oauth2-login) diff --git a/ansible/roles/authelia-for-hedgedoc/tasks/main.json b/ansible/roles/authelia-for-hedgedoc/tasks/main.json new file mode 100644 index 0000000..23c6dab --- /dev/null +++ b/ansible/roles/authelia-for-hedgedoc/tasks/main.json @@ -0,0 +1,25 @@ +[ + { + "name": "configuration | emplace", + "become": true, + "ansible.builtin.template": { + "src": "authelia-client-conf.json.j2", + "dest": "/etc/authelia/conf.d/clients/hedgedoc.json" + } + }, + { + "name": "configuration | apply", + "become": true, + "ansible.builtin.command": { + "cmd": "/usr/bin/authelia-conf-compose" + } + }, + { + "name": "restart service", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "authelia" + } + } +] diff --git a/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 b/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 new file mode 100644 index 0000000..2b9a311 --- /dev/null +++ b/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 @@ -0,0 +1,28 @@ +{ + "client_id": "{{var_authelia_for_hedgedoc_client_id}}", + "client_secret": "{{var_authelia_for_hedgedoc_client_secret}}", + "client_name": "Hedgedoc", + "public": false, + "authorization_policy": "one_factor", + "scopes": [ + "openid", + "email", + "profile" + ], + "redirect_uris": [ + "{{var_authelia_for_hedgedoc_hedgedoc_url_base}}/auth/oauth2/callback" + ], + "grant_types": [ + "refresh_token", + "authorization_code" + ], + "response_types": [ + "code" + ], + "response_modes": [ + "form_post", + "query", + "fragment" + ], + "userinfo_signed_response_alg": "none" +} diff --git a/ansible/roles/authelia-for-synapse/defaults/main.json b/ansible/roles/authelia-for-synapse/defaults/main.json new file mode 100644 index 0000000..c140a23 --- /dev/null +++ b/ansible/roles/authelia-for-synapse/defaults/main.json @@ -0,0 +1,5 @@ +{ + "var_authelia_for_synapse_synapse_url_base": "https://matrix.example.org", + "var_authelia_for_synapse_client_id": "synapse", + "var_authelia_for_synapse_client_secret": "REPLACE_ME" +} diff --git a/ansible/roles/authelia-for-synapse/info.md b/ansible/roles/authelia-for-synapse/info.md new file mode 100644 index 0000000..2ec06a0 --- /dev/null +++ b/ansible/roles/authelia-for-synapse/info.md @@ -0,0 +1,9 @@ +## Beschreibung + +Um [Synapse](../synapse) gegen [Authelia](../authelia) authentifizieren zu lassen + + +## Verweise + +- [Authelia-Dokumentation | Synapse Integration](https://www.authelia.com/integration/openid-connect/synapse/) +- [Synapse-Dokumentation | OpenID Connect](https://matrix-org.github.io/synapse/latest/openid.html) diff --git a/ansible/roles/authelia-for-synapse/tasks/main.json b/ansible/roles/authelia-for-synapse/tasks/main.json new file mode 100644 index 0000000..25aa632 --- /dev/null +++ b/ansible/roles/authelia-for-synapse/tasks/main.json @@ -0,0 +1,25 @@ +[ + { + "name": "configuration | emplace", + "become": true, + "ansible.builtin.template": { + "src": "authelia-client-conf.json.j2", + "dest": "/etc/authelia/conf.d/clients/synapse.json" + } + }, + { + "name": "configuration | apply", + "become": true, + "ansible.builtin.command": { + "cmd": "/usr/bin/authelia-conf-compose" + } + }, + { + "name": "restart service", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "authelia" + } + } +] diff --git a/ansible/roles/authelia-for-synapse/templates/authelia-client-conf.json.j2 b/ansible/roles/authelia-for-synapse/templates/authelia-client-conf.json.j2 new file mode 100644 index 0000000..3f91cdf --- /dev/null +++ b/ansible/roles/authelia-for-synapse/templates/authelia-client-conf.json.j2 @@ -0,0 +1,16 @@ +{ + "client_id": "{{var_authelia_for_synapse_client_id}}", + "client_secret": "{{var_authelia_for_synapse_client_secret}}", + "client_name": "Synapse", + "public": false, + "authorization_policy": "one_factor", + "redirect_uris": [ + "{{var_authelia_for_synapse_synapse_url_base}}/_synapse/client/oidc/callback" + ], + "scopes": [ + "openid", + "email", + "profile" + ], + "userinfo_signed_response_alg": "none" +} diff --git a/ansible/roles/authelia/defaults/main.json b/ansible/roles/authelia/defaults/main.json new file mode 100644 index 0000000..9b5e676 --- /dev/null +++ b/ansible/roles/authelia/defaults/main.json @@ -0,0 +1,33 @@ +{ + "var_authelia_version": "4.37.5", + "var_authelia_architecture": "amd64", + "var_authelia_listen_address": "0.0.0.0", + "var_authelia_jwt_secret": "REPLACE_ME", + "var_authelia_users_file_path": "/var/authelia/users.yml", + "var_authelia_log_file_path": "/var/authelia/log.jsonl", + "var_authelia_session_domain": "example.org", + "var_authelia_session_secret": "REPLACE_ME", + "var_authelia_storage_encryption_key": "REPLACE_ME", + "var_authelia_storage_kind": "sqlite", + "var_authelia_storage_data_sqlite_path": "/var/authelia/state.db", + "var_authelia_storage_data_postgresql_host": "localhost", + "var_authelia_storage_data_postgresql_port": 5432, + "var_authelia_storage_data_postgresql_username": "authelia_user", + "var_authelia_storage_data_postgresql_password": "REPLACE_ME", + "var_authelia_storage_data_postgresql_schema": "authelia", + "var_authelia_storage_data_mariadb_host": "localhost", + "var_authelia_storage_data_mariadb_port": 3306, + "var_authelia_storage_data_mariadb_username": "authelia_user", + "var_authelia_storage_data_mariadb_password": "REPLACE_ME", + "var_authelia_storage_data_mariadb_schema": "authelia", + "var_authelia_ntp_server": "time.cloudflare.com:123", + "var_authelia_password_reset_enabled": false, + "var_authelia_notification_mode": "smtp", + "var_authelia_notification_file_path": "/var/authelia/notifications", + "var_authelia_notification_smtp_host": "smtp.example.org", + "var_authelia_notification_smtp_port": 465, + "var_authelia_notification_smtp_username": "authelia", + "var_authelia_notification_smtp_password": "REPLACE_ME", + "var_authelia_notification_smtp_sender": "authelia@example.org", + "var_authelia_oidc_hmac_secret": "REPLACE_ME" +} diff --git a/ansible/roles/authelia/files/conf-compose.py b/ansible/roles/authelia/files/conf-compose.py new file mode 100644 index 0000000..011babb --- /dev/null +++ b/ansible/roles/authelia/files/conf-compose.py @@ -0,0 +1,150 @@ +#!/usr/bin/env python3 + +import sys as _sys +import os as _os +import yaml as _yaml +import json as _json +import argparse as _argparse + + +def file_read(path): + handle = open(path, "r") + content = handle.read() + handle.close() + return content + + +def file_write(path, content): + directory = _os.path.dirname(path) + if (not _os.path.exists(directory)): + _os.makedirs(directory, exist_ok = True) + else: + pass + handle = open(path, "w") + handle.write(content) + handle.close() + return content + + +def dict_merge(core, mantle, path = None): + if (path is None): + path = [] + result = {} + for source in [core, mantle]: + for (key, value_new, ) in source.items(): + path_ = (path + [key]) + type_new = type(value_new) + if (not (key in result)): + result[key] = value_new + else: + value_old = result[key] + type_old = type(value_old) + if (value_old is None): + result[key] = value_new + else: + if (not (type_old == type_new)): + raise ValueError( + "type mismatch at path %s: %s vs. %s" + % ( + ".".join(path), + str(type_old), + str(type_new), + ) + ) + else: + if (type_old == dict): + result[key] = dict_merge(value_old, value_new, path_) + elif (type_old == list): + result[key] = (value_old + value_new) + else: + result[key] = value_new + return result + + +def main(): + ## args + argument_parser = _argparse.ArgumentParser() + argument_parser.add_argument( + "-m", + "--main-file-path", + type = str, + dest = "main_file_path", + default = "/etc/authelia/conf.d/main.json", + metavar = "", + ) + argument_parser.add_argument( + "-c", + "--clients-directory-path", + type = str, + dest = "clients_directory_path", + default = "/etc/authelia/conf.d/clients", + metavar = "", + ) + argument_parser.add_argument( + "-f", + "--output-format", + type = str, + choices = ["json", "yaml"], + dest = "output_format", + default = "yaml", + metavar = "", + ) + argument_parser.add_argument( + "-o", + "--output-path", + type = str, + dest = "output_path", + default = "/etc/authelia/configuration.yml", + metavar = "", + ) + args = argument_parser.parse_args() + + ## exec + data = {} + ### main + if True: + data_ = _json.loads(file_read(args.main_file_path)) + data = dict_merge(data, data_) + ### clients + if True: + for name in _os.listdir(args.clients_directory_path): + data__ = _json.loads(file_read(_os.path.join(args.clients_directory_path, name))) + data_ = { + "identity_providers": { + "oidc": { + "clients": [data__] + } + } + } + data = dict_merge(data, data_) + ### postprocess + if True: + if (len(data["identity_providers"]["oidc"]["clients"]) <= 0): + data["identity_providers"]["oidc"]["clients"].append( + { + "public": False, + "id": "_dummy", + "description": "not a real client; just here to make Authelia run", + "authorization_policy": "one_factor", + "secret": "", + "scopes": [], + "redirect_uris": [], + "grant_types": [], + "response_types": [], + "response_modes": [], + } + ) + else: + pass + ## output + if True: + if (args.output_format == "json"): + output_content = _json.dumps(data, indent = "\t") + elif (args.output_format == "yaml"): + output_content = _yaml.dump(data) + else: + raise ValueError("invalid output format") + file_write(args.output_path, output_content) + + +main() diff --git a/ansible/roles/authelia/files/user-manage.py b/ansible/roles/authelia/files/user-manage.py new file mode 100644 index 0000000..afd9171 --- /dev/null +++ b/ansible/roles/authelia/files/user-manage.py @@ -0,0 +1,205 @@ +#!/usr/bin/env python3 + +import sys as _sys +import os as _os +import subprocess as _subprocess +import argparse as _argparse +import yaml as _yaml +import string as _string +import random as _random + + +def file_read(path): + handle = open(path, "r") + content = handle.read() + handle.close() + return content + + +def file_write(path, content): + directory = _os.path.dirname(path) + if (not _os.path.exists(directory)): + _os.makedirs(directory, exist_ok = True) + else: + pass + handle = open(path, "w") + handle.write(content) + handle.close() + return content + + +def get_password_hash(binary_file_path, conf_file_path, password): + # /usr/bin/authelia --config=/etc/authelia/configuration.yml crypto hash generate bcrypt --password=alice + output = _subprocess.check_output([ + binary_file_path, + "--config=%s" % conf_file_path, + "crypto", + "hash", + "generate", + "bcrypt", + "--password=%s" % password, + ]) + return output.decode("utf-8").split("\n")[0].split(" ")[1] + + +def postprocess(binary_file_path, conf_file_path, data): + password = "".join(map(lambda x: _random.choice(_string.ascii_lowercase), range(16))) + if (len(data["users"]) <= 0): + data["users"]["_dummy"] = { + "displayname": "(Dummy)", + "password": get_password_hash(binary_file_path, conf_file_path, password), + "email": "dummy@nowhere.net", + "groups": [], + } + else: + pass + return data + + +def data_read(user_file_path): + data = _yaml.safe_load(file_read(user_file_path)) + data["users"].pop("_dummy", None) + return data + + +def data_write(binary_file_path, conf_file_path, user_file_path, data): + file_write(user_file_path, _yaml.dump(postprocess(binary_file_path, conf_file_path, data))) + + +def main(): + ## args + argument_parser = _argparse.ArgumentParser() + argument_parser.add_argument( + "command", + type = str, + choices = ["list", "show", "add", "change", "remove"], + default = "list", + help = "command to execute", + ) + argument_parser.add_argument( + "-b", + "--binary-file-path", + type = str, + default = "/usr/bin/authelia", + help = "path to the Authelia binary file", + ) + argument_parser.add_argument( + "-c", + "--conf-file-path", + type = str, + default = "/etc/authelia/configuration.yml", + help = "path to the Authelia configuration file", + ) + argument_parser.add_argument( + "-u", + "--user-file-path", + type = str, + default = "/var/authelia/users.yml", + help = "path to the user database file", + ) + argument_parser.add_argument( + "-n", + "--login-name", + type = str, + default = None, + help = "login name of the user; has to be unique", + ) + argument_parser.add_argument( + "-p", + "--password", + type = str, + default = None, + help = "password of the user", + ) + argument_parser.add_argument( + "-d", + "--display-name", + type = str, + default = None, + help = "display name of the user", + ) + argument_parser.add_argument( + "-e", + "--email", + type = str, + default = None, + help = "e-mail address of the user", + ) + argument_parser.add_argument( + "-x", + "--deactivated", + type = str, + default = "no", + choices = ["no", "yes"], + help = "whether the user shall be deactivated", + ) + args = argument_parser.parse_args() + + ## exec + data = data_read(args.user_file_path) + if (args.command == "list"): + names = sorted(data["users"].keys()) + for name in names: + _sys.stdout.write("%s\n" % name) + elif (args.command == "show"): + if (args.login_name is None): + raise ValueError("name required") + else: + if (not (args.login_name in data["users"])): + raise ValueError("no such user") + else: + entry = data["users"][args.login_name] + _sys.stdout.write("%s\n" % _yaml.dump(entry)) + elif (args.command == "add"): + if (args.login_name is None): + raise ValueError("name required") + else: + if (args.password is None): + raise ValueError("password required") + else: + entry = { + "disabled": (args.deactivated == "yes"), + "displayname": (args.display_name or args.login_name), + "password": get_password_hash(args.binary_file_path, args.conf_file_path, args.login_name), + "email": args.email, + "groups": [], + } + data["users"][args.login_name] = entry + data_write(args.binary_file_path, args.conf_file_path, args.user_file_path, data) + elif (args.command == "change"): + if (args.login_name is None): + raise ValueError("name required") + else: + entry = data["users"][args.login_name] + if (args.deactivated is None): + pass + else: + entry["disabled"] = (args.deactivated == "yes") + if (args.password is None): + pass + else: + entry["password"] = get_password_hash(args.binary_file_path, args.conf_file_path, args.login_name) + if (args.display_name is None): + pass + else: + entry["displayname"] = args.display_name + if (args.email is None): + pass + else: + entry["email"] = args.email + data["users"][args.login_name] = entry + data_write(args.binary_file_path, args.conf_file_path, args.user_file_path, data) + elif (args.command == "remove"): + if (args.login_name is None): + raise ValueError("name required") + else: + if (not (args.login_name in data["users"])): + raise ValueError("no such user") + else: + del data["users"][args.login_name] + data_write(args.binary_file_path, args.conf_file_path, args.user_file_path, data) + else: + raise NotImplementedError() + + +main() diff --git a/ansible/roles/authelia/info.md b/ansible/roles/authelia/info.md new file mode 100644 index 0000000..6779bb2 --- /dev/null +++ b/ansible/roles/authelia/info.md @@ -0,0 +1,17 @@ +## Beschreibung + +- zum Aufsetzen des Authentifizierungs-Dienstes [Authelia](https://www.authelia.com/) +- um einen Clients hinzuzfügen, erstellt man eine entsprechende JSON-Datei in `/etc/authelia/conf.d/clients` und führt aus `authelia-conf-compose` +- zum Verwalten der Nutzer kann man `authelia-user-manage` verwenden (`-h` anhängen für Erklärung) + + +## Verweise + +- [GitHub-Seite](https://github.com/authelia/authelia) +- [Installations-Anleitung](https://www.authelia.com/integration/deployment/bare-metal/) +- [Dokumentation | Konfiguration](https://www.authelia.com/configuration/) + + +## ToDo + +- Nutzer-Verwaltung verbessern (evtl. externalisieren) diff --git a/ansible/roles/authelia/tasks/main.json b/ansible/roles/authelia/tasks/main.json new file mode 100644 index 0000000..92811fa --- /dev/null +++ b/ansible/roles/authelia/tasks/main.json @@ -0,0 +1,129 @@ +[ + { + "name": "packages | prerequisites", + "become": true, + "ansible.builtin.apt": { + "update_cache": true, + "pkg": [ + "apt-transport-https", + "gpg" + ] + } + }, + { + "name": "packages | keys", + "become": true, + "ansible.builtin.apt_key": { + "url": "https://apt.authelia.com/organization/signing.asc" + } + }, + { + "name": "packages | repository", + "become": true, + "ansible.builtin.apt_repository": { + "repo": "deb https://apt.authelia.com/stable/debian/debian/ all main" + } + + }, + { + "name": "packages | installation", + "become": true, + "ansible.builtin.apt": { + "update_cache": true, + "pkg": [ + "openssl", + "python3-cryptography", + "python3-yaml", + "authelia" + ] + } + }, + { + "name": "generate private key for signing OIDC JWTs", + "become": true, + "community.crypto.openssl_privatekey": { + "type": "RSA", + "size": 4096, + "path": "/etc/ssl/private/authelia-key.pem", + "return_content": true + }, + "register": "temp_tls_result" + }, + { + "name": "configuration | compose script", + "become": true, + "ansible.builtin.copy": { + "src": "conf-compose.py", + "dest": "/usr/bin/authelia-conf-compose", + "mode": "0700" + } + }, + { + "name": "configuration | directories", + "become": true, + "loop": [ + "/etc/authelia/conf.d", + "/etc/authelia/conf.d/clients" + ], + "ansible.builtin.file": { + "state": "directory", + "path": "{{item}}" + } + }, + { + "name": "configuration | main", + "become": true, + "ansible.builtin.template": { + "src": "conf-main.json.j2", + "dest": "/etc/authelia/conf.d/main.json" + } + }, + { + "name": "configuration | compose", + "become": true, + "ansible.builtin.command": { + "cmd": "/usr/bin/authelia-conf-compose --main-file-path=/etc/authelia/conf.d/main.json --clients-directory-path=/etc/authelia/conf.d/clients --output-format=yaml --output-path=/etc/authelia/configuration.yml" + } + }, + { + "name": "setup log directory", + "become": true, + "ansible.builtin.file": { + "state": "directory", + "path": "{{var_authelia_log_file_path | dirname}}" + } + }, + { + "name": "users | directory", + "become": true, + "ansible.builtin.file": { + "state": "directory", + "path": "{{var_authelia_users_file_path | dirname}}" + } + }, + { + "name": "users | initial file", + "become": true, + "ansible.builtin.template": { + "src": "users.yml.j2", + "dest": "{{var_authelia_users_file_path}}" + } + }, + { + "name": "users | management script", + "become": true, + "ansible.builtin.copy": { + "src": "user-manage.py", + "dest": "/usr/bin/authelia-user-manage", + "mode": "0700" + } + }, + { + "name": "apply", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "authelia" + } + } +] diff --git a/ansible/roles/authelia/templates/conf-main.json.j2 b/ansible/roles/authelia/templates/conf-main.json.j2 new file mode 100644 index 0000000..98c0437 --- /dev/null +++ b/ansible/roles/authelia/templates/conf-main.json.j2 @@ -0,0 +1,194 @@ +{ + "theme": "auto", + "identity_validation": { + "reset_password": { + "jwt_secret": "{{var_authelia_jwt_secret}}" + } + }, + "default_2fa_method": "totp", + "server": { + "address": "{{var_authelia_listen_address}}:9091", + "endpoints": { + "enable_pprof": false, + "enable_expvars": false + }, + "disable_healthcheck": false + }, + "log": { + "level": "info", + "format": "json", + "file_path": "{{var_authelia_log_file_path}}", + "keep_stdout": false + }, + "telemetry": { + "metrics": { + "enabled": false, + "address": "tcp://0.0.0.0:9959" + } + }, + "totp": { + "disable": false, + "issuer": "authelia.com", + "algorithm": "sha1", + "digits": 6, + "period": 30, + "skew": 1, + "secret_size": 32 + }, + "webauthn": { + "disable": true, + "timeout": "60s", + "display_name": "Authelia", + "attestation_conveyance_preference": "indirect", + "user_verification": "preferred" + }, + "ntp": { + "address": "{{var_authelia_ntp_server}}", + "version": 4, + "max_desync": "3s", + "disable_startup_check": false, + "disable_failure": false + }, + "authentication_backend": { + "password_reset": { +{% if var_authelia_password_reset_enabled %} + "disable": false, +{% else %} + "disable": true, +{% endif %} + "custom_url": "" + }, + "refresh_interval": "5m", + "file": { + "path": "{{var_authelia_users_file_path}}", + "watch": true, + "search": { + "email": false, + "case_insensitive": false + }, + "password": { + "algorithm": "argon2", + "argon2": { + "variant": "argon2id", + "iterations": 3, + "memory": 65536, + "parallelism": 4, + "key_length": 32, + "salt_length": 16 + }, + "scrypt": { + "iterations": 16, + "block_size": 8, + "parallelism": 1, + "key_length": 32, + "salt_length": 16 + }, + "pbkdf2": { + "variant": "sha512", + "iterations": 310000, + "salt_length": 16 + }, + "sha2crypt": { + "variant": "sha512", + "iterations": 50000, + "salt_length": 16 + }, + "bcrypt": { + "variant": "standard", + "cost": 12 + } + } + } + }, + "password_policy": { + "standard": { + "enabled": false, + "min_length": 8, + "max_length": 0, + "require_uppercase": true, + "require_lowercase": true, + "require_number": true, + "require_special": true + }, + "zxcvbn": { + "enabled": false, + "min_score": 3 + } + }, + "access_control": { + "default_policy": "one_factor" + }, + "session": { + "name": "authelia_session", + "domain": "{{var_authelia_session_domain}}", + "same_site": "lax", + "secret": "{{var_authelia_session_secret}}", + "expiration": "1h", + "inactivity": "5m", + "remember_me": "1M" + }, + "regulation": { + "max_retries": 3, + "find_time": "2m", + "ban_time": "5m" + }, + "storage": { + "encryption_key": "{{var_authelia_storage_encryption_key}}", +{% if var_authelia_storage_kind == "sqlite" %} + "local": { + "path": "{{var_authelia_storage_data_sqlite_path}}" + } +{% endif %} +{% if var_authelia_storage_kind == "postgresql" %} + "postgres": { + "address": "{{var_authelia_storage_data_postgresql_host}}:{{var_authelia_storage_data_postgresql_port | string}}", + "schema": "public", + "username": "{{var_authelia_storage_data_postgresql_username}}", + "password": "{{var_authelia_storage_data_postgresql_password}}", + "database": "{{var_authelia_storage_data_postgresql_schema}}" + } +{% endif %} +{% if var_authelia_storage_kind == "mariadb" %} + "mysql": { + "host": "{{var_authelia_storage_data_mariadb_host}}", + "port": {{var_authelia_storage_data_mariadb_port | string}}, + "username": "{{var_authelia_storage_data_mariadb_username}}", + "password": "{{var_authelia_storage_data_mariadb_password}}", + "database": "{{var_authelia_storage_data_mariadb_schema}}" + } +{% endif %} + }, + "notifier": { + "disable_startup_check": true, +{% if var_authelia_notification_mode == "file" %} + "filesystem": { + "filename": "{{var_authelia_notification_file_path}}" + } +{% endif %} +{% if var_authelia_notification_mode == "smtp" %} + "smtp": { + "host": "{{var_authelia_notification_smtp_host}}", + "port": {{var_authelia_notification_smtp_port | string}}, + "username": "{{var_authelia_notification_smtp_username}}", + "password": "{{var_authelia_notification_smtp_password}}", + "sender": "{{var_authelia_notification_smtp_sender}}", + "disable_require_tls": false, + "disable_html_emails": false, + "tls": { + "skip_verify": false + } + } +{% endif %} + }, + "identity_providers": { + "oidc": { + "hmac_secret": "{{var_authelia_oidc_hmac_secret}}", + "issuer_private_key": "{{temp_tls_result.privatekey | replace('\n', '\\n')}}", + "cors": { + "allowed_origins_from_client_redirect_uris": true + }, + "clients": [ + ] + } + } +} diff --git a/ansible/roles/authelia/templates/users.yml.j2 b/ansible/roles/authelia/templates/users.yml.j2 new file mode 100644 index 0000000..fcd822f --- /dev/null +++ b/ansible/roles/authelia/templates/users.yml.j2 @@ -0,0 +1,5 @@ +users: + _dummy: + displayname: dummy + password: "$2b$12$N5qptdk1VtpSlIlCxspLxeNeRIP6UEho4r1ZCoOlfpAtsIJQIjV/a" + email: dummy@example.org diff --git a/ansible/roles/authelia/vardef.json b/ansible/roles/authelia/vardef.json new file mode 100644 index 0000000..8370d6b --- /dev/null +++ b/ansible/roles/authelia/vardef.json @@ -0,0 +1,130 @@ +{ + "version": { + "type": "string", + "mandatory": false + }, + "architecture": { + "type": "string", + "mandatory": false + }, + "listen_address": { + "type": "string", + "mandatory": false + }, + "jwt_secret": { + "type": "string", + "mandatory": true + }, + "users_file_path": { + "type": "string", + "mandatory": false + }, + "log_file_path": { + "type": "string", + "mandatory": false + }, + "session_domain": { + "type": "string", + "mandatory": false + }, + "session_secret": { + "type": "string", + "mandatory": true + }, + "storage_encryption_key": { + "type": "string", + "mandatory": true + }, + "storage_kind": { + "type": "string", + "mandatory": false + }, + "storage_data_sqlite_path": { + "type": "string", + "mandatory": false + }, + "storage_data_postgresql_host": { + "type": "string", + "mandatory": false + }, + "storage_data_postgresql_port": { + "type": "integer", + "mandatory": false + }, + "storage_data_postgresql_username": { + "type": "string", + "mandatory": false + }, + "storage_data_postgresql_password": { + "type": "string", + "mandatory": false + }, + "storage_data_postgresql_schema": { + "type": "string", + "mandatory": false + }, + "storage_data_mariadb_host": { + "type": "string", + "mandatory": false + }, + "storage_data_mariadb_port": { + "type": "integer", + "mandatory": false + }, + "storage_data_mariadb_username": { + "type": "string", + "mandatory": false + }, + "storage_data_mariadb_password": { + "type": "string", + "mandatory": false + }, + "storage_data_mariadb_schema": { + "type": "string", + "mandatory": false + }, + "ntp_server": { + "type": "string", + "mandatory": false + }, + "password_reset_enabled": { + "type": "boolean", + "mandatory": false + }, + "notification_mode": { + "type": "string", + "mandatory": false, + "options": [ + "file", + "smtp" + ] + }, + "notification_file_path": { + "type": "string", + "mandatory": false + }, + "notification_smtp_host": { + "type": "string", + "mandatory": false + }, + "notification_smtp_port": { + "type": "integer", + "mandatory": false + }, + "notification_smtp_username": { + "type": "string", + "mandatory": false + }, + "notification_smtp_password": { + "type": "string", + "mandatory": false + }, + "notification_smtp_sender": { + "type": "string", + "mandatory": false + }, + "oidc_hmac_secret": { + "type": "string", + "mandatory": true + } +} diff --git a/ansible/roles/hedgedoc-and-lighttpd/defaults/main.json b/ansible/roles/hedgedoc-and-lighttpd/defaults/main.json new file mode 100644 index 0000000..16c8d4e --- /dev/null +++ b/ansible/roles/hedgedoc-and-lighttpd/defaults/main.json @@ -0,0 +1,4 @@ +{ + "var_hedgedoc_and_lighttpd_domain": "hedgedoc.example.org", + "var_hedgedoc_and_lighttpd_tls_enable": true +} diff --git a/ansible/roles/hedgedoc-and-lighttpd/info.md b/ansible/roles/hedgedoc-and-lighttpd/info.md new file mode 100644 index 0000000..99a615a --- /dev/null +++ b/ansible/roles/hedgedoc-and-lighttpd/info.md @@ -0,0 +1,8 @@ +## Beschreibung + +- zur Einrichtung von [Lighttpd](../lighttpd) als Reverse-Proxy für [Hedgedoc](../hedgedoc) + + +## Verweise + +- [Hedgedoc-Dokumentation | Using a Reverse Proxy](https://docs.hedgedoc.org/guides/reverse-proxy/) diff --git a/ansible/roles/hedgedoc-and-lighttpd/tasks/main.json b/ansible/roles/hedgedoc-and-lighttpd/tasks/main.json new file mode 100644 index 0000000..1bbe93f --- /dev/null +++ b/ansible/roles/hedgedoc-and-lighttpd/tasks/main.json @@ -0,0 +1,34 @@ +[ + { + "name": "activate proxy module", + "become": true, + "ansible.builtin.shell": { + "cmd": "lighttpd-enable-mod proxy || exit 0" + } + }, + { + "name": "emplace configuration | data", + "become": true, + "ansible.builtin.template": { + "src": "conf.j2", + "dest": "/etc/lighttpd/conf-available/{{var_hedgedoc_and_lighttpd_domain}}.conf" + } + }, + { + "name": "emplace configuration | link", + "become": true, + "ansible.builtin.file": { + "state": "link", + "src": "/etc/lighttpd/conf-available/{{var_hedgedoc_and_lighttpd_domain}}.conf", + "dest": "/etc/lighttpd/conf-enabled/{{var_hedgedoc_and_lighttpd_domain}}.conf" + } + }, + { + "name": "restart lighttpd", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "lighttpd" + } + } +] diff --git a/ansible/roles/hedgedoc-and-lighttpd/templates/conf.j2 b/ansible/roles/hedgedoc-and-lighttpd/templates/conf.j2 new file mode 100644 index 0000000..4b6013c --- /dev/null +++ b/ansible/roles/hedgedoc-and-lighttpd/templates/conf.j2 @@ -0,0 +1,33 @@ +$HTTP["host"] == "{{var_hedgedoc_and_lighttpd_domain}}" { + server.name = "{{var_hedgedoc_and_lighttpd_domain}}" + proxy.server = ( + "" => ( + "" => ( + "host" => "127.0.0.1", + "port" => 2400 + ) + ) + ) + proxy.header = ( + "upgrade" => "enable" + ) + +{% if var_hedgedoc_and_lighttpd_tls_enable %} + ## alle Anfragen auf Port 80 + $SERVER["socket"] == ":80" { + ## auf HTTPS umleiten + url.redirect = ("^/(.*)$" => "https://{{var_hedgedoc_and_lighttpd_domain}}/$1") + } + + ## alle Anfragen auf Port 443 + $SERVER["socket"] == ":443" { + ## mit dem SSL-Kram beglücken + ssl.engine = "enable" + ssl.pemfile = "/etc/ssl/certs/{{var_hedgedoc_and_lighttpd_domain}}.pem" + ssl.privkey = "/etc/ssl/keys/{{var_hedgedoc_and_lighttpd_domain}}.pem" + ssl.ca-file = "/etc/ssl/fullchains/{{var_hedgedoc_and_lighttpd_domain}}.pem" + ssl.use-sslv2 = "disable" + ssl.use-sslv3 = "disable" + } +{% endif %} +} diff --git a/ansible/roles/hedgedoc-and-nginx/defaults/main.json b/ansible/roles/hedgedoc-and-nginx/defaults/main.json new file mode 100644 index 0000000..840159e --- /dev/null +++ b/ansible/roles/hedgedoc-and-nginx/defaults/main.json @@ -0,0 +1,3 @@ +{ + "var_hedgedoc_and_nginx_domain": "hedgedoc.example.org" +} diff --git a/ansible/roles/hedgedoc-and-nginx/info.md b/ansible/roles/hedgedoc-and-nginx/info.md new file mode 100644 index 0000000..7437bf0 --- /dev/null +++ b/ansible/roles/hedgedoc-and-nginx/info.md @@ -0,0 +1,8 @@ +## Beschreibung + +Um [Hedgedoc](../hedgedoc) mit mittels [nginx](../nginx)-reverse-proxy laufen zu lassen + + +## Verweise + +- [Hedgedoc-Dokumentation](https://docs.hedgedoc.org/guides/reverse-proxy/#nginx) diff --git a/ansible/roles/hedgedoc-and-nginx/tasks/main.json b/ansible/roles/hedgedoc-and-nginx/tasks/main.json new file mode 100644 index 0000000..40614bb --- /dev/null +++ b/ansible/roles/hedgedoc-and-nginx/tasks/main.json @@ -0,0 +1,35 @@ +[ + { + "name": "deactivate default site", + "become": true, + "ansible.builtin.file": { + "state": "absent", + "dest": "/etc/nginx/sites-enabled/default" + } + }, + { + "name": "emplace configuration | data", + "become": true, + "ansible.builtin.template": { + "src": "conf.j2", + "dest": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}" + } + }, + { + "name": "emplace configuration | link", + "become": true, + "ansible.builtin.file": { + "state": "link", + "src": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}", + "dest": "/etc/nginx/sites-enabled/{{var_hedgedoc_and_nginx_domain}}" + } + }, + { + "name": "restart nginx", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "nginx" + } + } +] diff --git a/ansible/roles/hedgedoc-and-nginx/templates/conf.j2 b/ansible/roles/hedgedoc-and-nginx/templates/conf.j2 new file mode 100644 index 0000000..0760df4 --- /dev/null +++ b/ansible/roles/hedgedoc-and-nginx/templates/conf.j2 @@ -0,0 +1,32 @@ +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +server { + server_name {{var_hedgedoc_and_nginx_domain}}; + + listen [::]:443 ssl http2; + listen 443 ssl http2; + + ssl_certificate /etc/ssl/certs/{{var_hedgedoc_and_nginx_domain}}.pem; + ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem; + + location / { + proxy_pass http://localhost:3000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /socket.io/ { + proxy_pass http://localhost:3000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + } +} diff --git a/ansible/roles/hedgedoc/defaults/main.json b/ansible/roles/hedgedoc/defaults/main.json new file mode 100644 index 0000000..e2a58c4 --- /dev/null +++ b/ansible/roles/hedgedoc/defaults/main.json @@ -0,0 +1,21 @@ +{ + "var_hedgedoc_user_name": "hedgedoc", + "var_hedgedoc_directory": "/opt/hedgedoc", + "var_hedgedoc_version": "1.9.9", + "var_hedgedoc_session_secret": "REPLACE_ME", + "var_hedgedoc_database_kind": "sqlite", + "var_hedgedoc_database_data_sqlite_path": "/var/hedgedoc/data.sqlite", + "var_hedgedoc_database_data_postgresql_host": "localhost", + "var_hedgedoc_database_data_postgresql_port": 5432, + "var_hedgedoc_database_data_postgresql_username": "hedgedoc_user", + "var_hedgedoc_database_data_postgresql_password": "REPLACE_ME", + "var_hedgedoc_database_data_postgresql_schema": "hedgedoc", + "var_hedgedoc_domain": "hedgedoc.example.org", + "var_hedgedoc_authentication_kind": "authelia", + "var_hedgedoc_authentication_data_authelia_client_id": "hedgedoc", + "var_hedgedoc_authentication_data_authelia_client_secret": "REPLACE_ME", + "var_hedgedoc_authentication_data_authelia_url_base": "https://authelia.linke.sx", + "var_hedgedoc_guest_allow_create": false, + "var_hedgedoc_guest_allow_change": false, + "var_hedgedoc_free_names_mode": "authed" +} diff --git a/ansible/roles/hedgedoc/info.md b/ansible/roles/hedgedoc/info.md new file mode 100644 index 0000000..a3c2473 --- /dev/null +++ b/ansible/roles/hedgedoc/info.md @@ -0,0 +1,14 @@ +## Beschreibung + +Kollaborativer Editor [Hedgedoc](https://docs.hedgedoc.org/) + + +## Verweise + +- [Dokumentation | Manual Installation](https://docs.hedgedoc.org/setup/manual-setup/) +- [Dokumentation | Configuration](https://docs.hedgedoc.org/configuration/) + + +## Bemerkungen + +- Login über OAuth2 funktioniert vermutlich nicht mit abgelehnten TLS-Zertifikaten (z.B. selbst-signierten) diff --git a/ansible/roles/hedgedoc/tasks/main.json b/ansible/roles/hedgedoc/tasks/main.json new file mode 100644 index 0000000..b4fd779 --- /dev/null +++ b/ansible/roles/hedgedoc/tasks/main.json @@ -0,0 +1,85 @@ +[ + { + "name": "packages", + "become": true, + "ansible.builtin.apt": { + "update_cache": true, + "pkg": [ + "acl", + "git", + "nodejs", + "npm", + "yarnpkg" + ] + } + }, + { + "name": "yarn link", + "become": true, + "ansible.builtin.file": { + "state": "link", + "src": "/usr/bin/yarnpkg", + "dest": "/usr/bin/yarn" + } + }, + { + "name": "user", + "become": true, + "ansible.builtin.user": { + "name": "{{var_hedgedoc_user_name}}", + "create_home": true + } + }, + { + "name": "download", + "become": false, + "ansible.builtin.get_url": { + "url": "https://github.com/hedgedoc/hedgedoc/releases/download/{{var_hedgedoc_version}}/hedgedoc-{{var_hedgedoc_version}}.tar.gz", + "dest": "/tmp/hedgedoc.tar.gz" + } + }, + { + "name": "extract", + "become": true, + "ansible.builtin.unarchive": { + "remote_src": true, + "src": "/tmp/hedgedoc.tar.gz", + "dest": "{{var_hedgedoc_directory | dirname}}", + "owner": "{{var_hedgedoc_user_name}}" + } + }, + { + "name": "setup script", + "become": true, + "become_user": "hedgedoc", + "ansible.builtin.command": { + "chdir": "{{var_hedgedoc_directory}}", + "cmd": "bin/setup" + } + }, + { + "name": "configuration", + "become": true, + "ansible.builtin.template": { + "src": "config.json.j2", + "dest": "{{var_hedgedoc_directory}}/config.json" + } + }, + { + "name": "systemd unit", + "become": true, + "ansible.builtin.template": { + "src": "systemd-unit.j2", + "dest": "/etc/systemd/system/hedgedoc.service" + } + }, + { + "name": "start", + "become": true, + "ansible.builtin.systemd_service": { + "enabled": true, + "state": "started", + "name": "hedgedoc" + } + } +] diff --git a/ansible/roles/hedgedoc/templates/config.json.j2 b/ansible/roles/hedgedoc/templates/config.json.j2 new file mode 100644 index 0000000..a5d3184 --- /dev/null +++ b/ansible/roles/hedgedoc/templates/config.json.j2 @@ -0,0 +1,64 @@ +{ + "production": { + "loglevel": "error", +{% if var_hedgedoc_database_kind == 'sqlite' %} + "db": { + "dialect": "sqlite", + "storage": "{{var_hedgedoc_database_data_sqlite_path}}" + }, +{% endif %} +{% if var_hedgedoc_database_kind == 'postgresql' %} + "db": { + "dialect": "postgres", + "host": "{{var_hedgedoc_database_data_postgresql_host}}", + "port": {{var_hedgedoc_database_data_postgresql_port | to_json}}, + "username": "{{var_hedgedoc_database_data_postgresql_username}}", + "password": "{{var_hedgedoc_database_data_postgresql_password}}", + "database": "{{var_hedgedoc_database_data_postgresql_schema}}" + }, +{% endif %} + "sessionSecret": "{{var_hedgedoc_session_secret}}", + "host": "localhost", + "allowOrigin": [ + "localhost" + ], + "domain": "{{var_hedgedoc_domain}}", + "urlAddPort": false, + "protocolUseSSL": true, +{% if var_hedgedoc_authentication_kind == 'internal' %} + "email": true, + "allowEmailRegister": true, +{% endif %} +{% if var_hedgedoc_authentication_kind == 'authelia' %} + "oauth2": { + "providerName": "{{var_hedgedoc_authentication_data_authelia_provider_name}}", + "clientID": "{{var_hedgedoc_authentication_data_authelia_client_id}}", + "clientSecret": "{{var_hedgedoc_authentication_data_authelia_client_secret}}", + "scope": "openid email profile", + "userProfileUsernameAttr": "sub", + "userProfileDisplayNameAttr": "name", + "userProfileEmailAttr": "email", + "userProfileURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/profile", + "tokenURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/token", + "authorizationURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/authorization" + }, + "email": false, + "allowEmailRegister": false, +{% endif %} + "allowAnonymous": {{var_hedgedoc_guest_allow_create | to_json}}, + "allowAnonymousEdits": {{var_hedgedoc_guest_allow_change | to_json}}, +{% if var_hedgedoc_free_names_mode == 'never' %} + "allowFreeURL": false, + "requireFreeURLAuthentication": false, +{% endif %} +{% if var_hedgedoc_free_names_mode == 'authed' %} + "allowFreeURL": true, + "requireFreeURLAuthentication": true, +{% endif %} +{% if var_hedgedoc_free_names_mode == 'always' %} + "allowFreeURL": true, + "requireFreeURLAuthentication": false, +{% endif %} + "defaultPermission": "editable" + } +} diff --git a/ansible/roles/hedgedoc/templates/systemd-unit.j2 b/ansible/roles/hedgedoc/templates/systemd-unit.j2 new file mode 100644 index 0000000..000bd6e --- /dev/null +++ b/ansible/roles/hedgedoc/templates/systemd-unit.j2 @@ -0,0 +1,14 @@ +[Unit] +Description=Hedgedoc +After=multi-user.target + +[Service] +WorkingDirectory={{var_hedgedoc_directory}} +User={{var_hedgedoc_user_name}} +Environment="NODE_ENV=production" +ExecStart=yarn start +SyslogIdentifier=hedgedoc + +[Install] +WantedBy=multi-user.target + diff --git a/ansible/roles/hedgedoc/vardef.json b/ansible/roles/hedgedoc/vardef.json new file mode 100644 index 0000000..cb6e8d6 --- /dev/null +++ b/ansible/roles/hedgedoc/vardef.json @@ -0,0 +1,87 @@ +{ + "user_name": { + "type": "string", + "mandatory": false + }, + "directory": { + "type": "string", + "mandatory": false + }, + "version": { + "type": "string", + "mandatory": false + }, + "session_secret": { + "type": "string", + "mandatory": true + }, + "database_kind": { + "type": "string", + "mandatory": false, + "options": [ + "sqlite", + "postgresql", + "mariadb" + ] + }, + "database_data_sqlite_path": { + "type": "string", + "mandatory": false + }, + "database_data_postgresql_host": { + "type": "string", + "mandatory": false + }, + "database_data_postgresql_port": { + "type": "integer", + "mandatory": false + }, + "database_data_postgresql_username": { + "type": "string", + "mandatory": false + }, + "database_data_postgresql_password": { + "type": "string", + "mandatory": false + }, + "database_data_postgresql_schema": { + "type": "string", + "mandatory": false + }, + "domain": { + "type": "string", + "mandatory": false + }, + "authentication_kind": { + "type": "string", + "mandatory": false, + "options": [ + "internal", + "authelia" + ] + }, + "authentication_data_authelia_client_id": { + "type": "string", + "mandatory": false + }, + "authentication_data_authelia_client_secret": { + "type": "string", + "mandatory": false + }, + "authentication_data_authelia_url_base": { + "type": "string", + "mandatory": false + }, + "guest_allow_create": { + "type": "boolean", + "mandatory": false + }, + "guest_allow_change": { + "type": "boolean", + "mandatory": false + }, + "free_names_mode": { + "type": "string", + "mandatory": false + } +} diff --git a/ansible/roles/lighttpd/tasks/main.json b/ansible/roles/lighttpd/tasks/main.json index 5d8d887..1b6af91 100644 --- a/ansible/roles/lighttpd/tasks/main.json +++ b/ansible/roles/lighttpd/tasks/main.json @@ -3,6 +3,7 @@ "name": "install packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "lighttpd", "lighttpd-mod-openssl" diff --git a/ansible/roles/murmur/defaults/main.json b/ansible/roles/murmur/defaults/main.json new file mode 100644 index 0000000..33156cb --- /dev/null +++ b/ansible/roles/murmur/defaults/main.json @@ -0,0 +1,6 @@ +{ + "var_murmur_database_path": "/var/lib/mumble-server/mumble-server.sqlite", + "var_murmur_port": 64738, + "var_murmur_welcome_text": "
Welcome to this server running Murmur.
Enjoy your stay!
", + "var_murmur_admin_password": "REPLACE_ME" +} diff --git a/ansible/roles/murmur/info.md b/ansible/roles/murmur/info.md new file mode 100644 index 0000000..9067faa --- /dev/null +++ b/ansible/roles/murmur/info.md @@ -0,0 +1,12 @@ +## Beschreibung + +Server-Implementierung _Murmur_ für den Audiokonferenz-Software [Mumble](https://www.mumble.info/) + + +## Verweise + +- [Wikipedia-Artikel zu Mumble](https://de.m.wikipedia.org/wiki/Mumblehttps://de.m.wikipedia.org/wiki/Mumble) +- [Mumble-Wiki | Hauptseite](https://wiki.mumble.info/wiki/Main_Page) +- [Mumble-Wiki | Running Murmur](https://wiki.mumble.info/wiki/Running_Murmur) +- [Mumble-Wiki | Murmurguide](https://wiki.mumble.info/wiki/Murmurguide) +- [Mumble-Wiki | Authentication](https://wiki.mumble.info/wiki/Authentication) diff --git a/ansible/roles/murmur/tasks/main.json b/ansible/roles/murmur/tasks/main.json new file mode 100644 index 0000000..7341ac8 --- /dev/null +++ b/ansible/roles/murmur/tasks/main.json @@ -0,0 +1,36 @@ +[ + { + "name": "packages", + "become": true, + "ansible.builtin.apt": { + "update_cache": true, + "pkg": [ + "mumble-server" + ] + } + }, + { + "name": "configuration", + "become": true, + "ansible.builtin.template": { + "src": "mumble-server.ini.j2", + "dest": "/etc/mumble-server.ini", + "group": "mumble-server" + } + }, + { + "name": "admin account", + "become": true, + "ansible.builtin.command": { + "cmd": "murmurd -ini /etc/mumble-server.ini -supw {{var_murmur_admin_password}}" + } + }, + { + "name": "service", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "mumble-server" + } + } +] diff --git a/ansible/roles/murmur/templates/mumble-server.ini.j2 b/ansible/roles/murmur/templates/mumble-server.ini.j2 new file mode 100644 index 0000000..4db3508 --- /dev/null +++ b/ansible/roles/murmur/templates/mumble-server.ini.j2 @@ -0,0 +1,380 @@ +; Murmur configuration file. +; +; General notes: +; * Settings in this file are default settings and many of them can be overridden +; with virtual server specific configuration via the Ice or DBus interface. +; * Due to the way this configuration file is read some rules have to be +; followed when specifying variable values (as in variable = value): +; * Make sure to quote the value when using commas in strings or passwords. +; NOT variable = super,secret BUT variable = "super,secret" +; * Make sure to escape special characters like '\' or '"' correctly +; NOT variable = """ BUT variable = "\"" +; NOT regex = \w* BUT regex = \\w* + +; Path to database. If blank, will search for +; murmur.sqlite in default locations or create it if not found. +database={{var_murmur_database_path}} + +; Murmur defaults to using SQLite with its default rollback journal. +; In some situations, using SQLite's write-ahead log (WAL) can be +; advantageous. +; If you encounter slowdowns when moving between channels and similar +; operations, enabling the SQLite write-ahead log might help. +; +; To use SQLite's write-ahead log, set sqlite_wal to one of the following +; values: +; +; 0 - Use SQLite's default rollback journal. +; 1 - Use write-ahead log with synchronous=NORMAL. +; If Murmur crashes, the database will be in a consistent state, but +; the most recent changes might be lost if the operating system did +; not write them to disk yet. This option can improve Murmur's +; interactivity on busy servers, or servers with slow storage. +; 2 - Use write-ahead log with synchronous=FULL. +; All database writes are synchronized to disk when they are made. +; If Murmur crashes, the database will be include all completed writes. +;sqlite_wal=0 + +; If you wish to use something other than SQLite, you'll need to set the name +; of the database above, and also uncomment the below. +; Sticking with SQLite is strongly recommended, as it's the most well tested +; and by far the fastest solution. +; +;dbDriver=QMYSQL +;dbUsername= +;dbPassword= +;dbHost= +;dbPort= +;dbPrefix=murmur_ +;dbOpts= + +; Murmur defaults to not using D-Bus. If you wish to use dbus, which is one of the +; RPC methods available in Murmur, please specify so here. +; +;dbus=system + +; Alternate D-Bus service name. Only use if you are running distinct +; murmurd processes connected to the same D-Bus daemon. +;dbusservice=net.sourceforge.mumble.murmur + +; If you want to use ZeroC Ice to communicate with Murmur, you need +; to specify the endpoint to use. Since there is no authentication +; with ICE, you should only use it if you trust all the users who have +; shell access to your machine. +; Please see the ICE documentation on how to specify endpoints. +#ice="tcp -h 127.0.0.1 -p 6502" + +; Ice primarily uses local sockets. This means anyone who has a +; user account on your machine can connect to the Ice services. +; You can set a plaintext "secret" on the Ice connection, and +; any script attempting to access must then have this secret +; (as context with name "secret"). +; Access is split in read (look only) and write (modify) +; operations. Write access always includes read access, +; unless read is explicitly denied (see note below). +; +; Note that if this is uncommented and with empty content, +; access will be denied. + +;icesecretread= +icesecretwrite= + +; If you want to expose Murmur's experimental gRPC API, you +; need to specify an address to bind on. +; Note: not all builds of Murmur support gRPC. If gRPC is not +; available, Murmur will warn you in its log output. +;grpc="127.0.0.1:50051" +; Specifying both a certificate and key file below will cause gRPC to use +; secured, TLS connections. +;grpccert="" +;grpckey="" + +; Specifies the file Murmur should log to. By default, Murmur +; logs to the file 'murmur.log'. If you leave this field blank +; on Unix-like systems, Murmur will force itself into foreground +; mode which logs to the console. +logfile=/var/log/mumble-server/mumble-server.log + +; If set, Murmur will write its process ID to this file +; when running in daemon mode (when the -fg flag is not +; specified on the command line). Only available on +; Unix-like systems. +pidfile=/run/mumble-server/mumble-server.pid + +; The below will be used as defaults for new configured servers. +; If you're just running one server (the default), it's easier to +; configure it here than through D-Bus or Ice. +; +; Welcome message sent to clients when they connect. +; If the welcome message is set to an empty string, +; no welcome message will be sent to clients. +welcometext="{{var_murmur_welcome_text}}" + +; Port to bind TCP and UDP sockets to. +port={{var_murmur_port | string}} + +; Specific IP or hostname to bind to. +; If this is left blank (default), Murmur will bind to all available addresses. +;host= + +; Password to join server. +serverpassword= + +; Maximum bandwidth (in bits per second) clients are allowed +; to send speech at. +bandwidth=72000 + +; Murmur and Mumble are usually pretty good about cleaning up hung clients, but +; occasionally one will get stuck on the server. The timeout setting will cause +; a periodic check of all clients who haven't communicated with the server in +; this many seconds - causing zombie clients to be disconnected. +; +; Note that this has no effect on idle clients or people who are AFK. It will +; only affect people who are already disconnected, and just haven't told the +; server. +;timeout=30 + +; Maximum number of concurrent clients allowed. +users=100 + +; Where users sets a blanket limit on the number of clients per virtual server, +; usersperchannel sets a limit on the number per channel. The default is 0, for +; no limit. +;usersperchannel=0 + +; Per-user rate limiting +; +; These two settings allow to configure the per-user rate limiter for some +; command messages sent from the client to the server. The messageburst setting +; specifies an amount of messages which are allowed in short bursts. The +; messagelimit setting specifies the number of messages per second allowed over +; a longer period. If a user hits the rate limit, his packages are then ignored +; for some time. Both of these settings have a minimum of 1 as setting either to +; 0 could render the server unusable. +messageburst=5 +messagelimit=1 + +; Respond to UDP ping packets. +; +; Setting to true exposes the current user count, the maximum user count, and +; the server's maximum bandwidth per client to unauthenticated users. In the +; Mumble client, this information is shown in the Connect dialog. +allowping=true + +; Amount of users with Opus support needed to force Opus usage, in percent. +; 0 = Always enable Opus, 100 = enable Opus if it's supported by all clients. +;opusthreshold=100 + +; Maximum depth of channel nesting. Note that some databases like MySQL using +; InnoDB will fail when operating on deeply nested channels. +;channelnestinglimit=10 + +; Maximum number of channels per server. 0 for unlimited. Note that an +; excessive number of channels will impact server performance +;channelcountlimit=1000 + +; Regular expression used to validate channel names. +; (Note that you have to escape backslashes with \ ) +;channelname=[ \\-=\\w\\#\\[\\]\\{\\}\\(\\)\\@\\|]+ + +; Regular expression used to validate user names. +; (Note that you have to escape backslashes with \ ) +;username=[-=\\w\\[\\]\\{\\}\\(\\)\\@\\|\\.]+ + +; If a user has no stored channel (they've never been connected to the server +; before, or rememberchannel is set to false) and the client hasn't been given +; a URL that includes a channel path, the default behavior is that they will +; end up in the root channel. +; +; You can set this setting to a channel ID, and the user will automatically be +; moved into that channel instead. Note that this is the numeric ID of the +; channel, which can be a little tricky to get (you'll either need to use an +; RPC mechanism, watch the console of a debug client, or root around through +; the Murmur Database to get it). +; +;defaultchannel=0 + +; When a user connects to a server they've already been on, by default the +; server will remember the last channel they were in and move them to it +; automatically. Toggling this setting to false will disable that feature. +; +;rememberchannel=true + +; Maximum length of text messages in characters. 0 for no limit. +;textmessagelength=5000 + +; Maximum length of text messages in characters, with image data. 0 for no limit. +;imagemessagelength=131072 + +; Allow clients to use HTML in messages, user comments and channel descriptions? +;allowhtml=true + +; Murmur retains the per-server log entries in an internal database which +; allows it to be accessed over D-Bus/ICE. +; How many days should such entries be kept? +; Set to 0 to keep forever, or -1 to disable logging to the DB. +;logdays=31 + +; To enable public server registration, the serverpassword must be blank, and +; this must all be filled out. +; The password here is used to create a registry for the server name; subsequent +; updates will need the same password. Don't lose your password. +; The URL is your own website, and only set the registerHostname for static IP +; addresses. +; Location is typically the country of typical users of the server, in +; two-letter TLD style (ISO 3166-1 alpha-2 country code) +; +; If you only wish to give your "Root" channel a custom name, then only +; uncomment the 'registerName' parameter. +; +;registerName=Mumble Server +;registerPassword=secret +;registerUrl=http://www.mumble.info/ +;registerHostname= +;registerLocation= + +; If this option is enabled, the server will announce its presence via the +; bonjour service discovery protocol. To change the name announced by bonjour +; adjust the registerName variable. +; See http://developer.apple.com/networking/bonjour/index.html for more information +; about bonjour. +;bonjour=True + +; If you have a proper SSL certificate, you can provide the filenames here. +; Otherwise, Murmur will create its own certificate automatically. +;sslCert= +;sslKey= + +; If the keyfile specified above is encrypted with a passphrase, you can enter +; it in this setting. It must be plaintext, so you may wish to adjust the +; permissions on your murmur.ini file accordingly. +;sslPassPhrase= + +; If your certificate is signed by an authority that uses a sub-signed or +; "intermediate" certificate, you probably need to bundle it with your +; certificate in order to get Murmur to accept it. You can either concatenate +; the two certificates into one file, or you can put it in a file by itself and +; put the path to that PEM-file in sslCA. +;sslCA= + +; The sslDHParams option allows you to specify a PEM-encoded file with +; Diffie-Hellman parameters, which will be used as the default Diffie- +; Hellman parameters for all virtual servers. +; +; Instead of pointing sslDHParams to a file, you can also use the option +; to specify a named set of Diffie-Hellman parameters for Murmur to use. +; Murmur comes bundled with the Diffie-Hellman parameters from RFC 7919. +; These parameters are available by using the following names: +; +; @ffdhe2048, @ffdhe3072, @ffdhe4096, @ffdhe6144, @ffdhe8192 +; +; By default, Murmur uses @ffdhe2048. +;sslDHParams=@ffdhe2048 + +; The sslCiphers option chooses the cipher suites to make available for use +; in SSL/TLS. This option is server-wide, and cannot be set on a +; per-virtual-server basis. +; +; This option is specified using OpenSSL cipher list notation (see +; https://www.openssl.org/docs/apps/ciphers.html#CIPHER-LIST-FORMAT). +; +; It is recommended that you try your cipher string using 'openssl ciphers ' +; before setting it here, to get a feel for which cipher suites you will get. +; +; After setting this option, it is recommend that you inspect your Murmur log +; to ensure that Murmur is using the cipher suites that you expected it to. +; +; Note: Changing this option may impact the backwards compatibility of your +; Murmur server, and can remove the ability for older Mumble clients to be able +; to connect to it. +;sslCiphers=EECDH+AESGCM:EDH+aRSA+AESGCM:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA + +; If Murmur is started as root, which user should it switch to? +; This option is ignored if Murmur isn't started with root privileges. +uname=mumble-server + +; By default, in log files and in the user status window for privileged users, +; Mumble will show IP addresses - in some situations you may find this unwanted +; behavior. If obfuscate is set to true, Murmur will randomize the IP addresses +; of connecting users. +; +; The obfuscate function only affects the log file and DOES NOT effect the user +; information section in the client window. +;obfuscate=false + +; If this options is enabled, only clients which have a certificate are allowed +; to connect. +;certrequired=False + +; If enabled, clients are sent information about the servers version and operating +; system. +;sendversion=True + +; You can set a recommended minimum version for your server, and clients will +; be notified in their log when they connect if their client does not meet the +; minimum requirements. suggestVersion expects the version in the format X.X.X. +; +; Note that the suggest* options appeared after 1.2.3 and will have no effect +; on client versions 1.2.3 and earlier. +; +;suggestVersion= + +; Setting this to "true" will alert any user who does not have positional audio +; enabled that the server administrators recommend enabling it. Setting it to +; "false" will have the opposite effect - if you do not care whether the user +; enables positional audio or not, set it to blank. The message will appear in +; the log window upon connection, but only if the user's settings do not match +; what the server requests. +; +; Note that the suggest* options appeared after 1.2.3 and will have no effect +; on client versions 1.2.3 and earlier. +; +;suggestPositional= + +; Setting this to "true" will alert any user who does not have Push-To-Talk +; enabled that the server administrators recommend enabling it. Setting it to +; "false" will have the opposite effect - if you do not care whether the user +; enables PTT or not, set it to blank. The message will appear in the log +; window upon connection, but only if the user's settings do not match what the +; server requests. +; +; Note that the suggest* options appeared after 1.2.3 and will have no effect +; on client versions 1.2.3 and earlier. +; +;suggestPushToTalk= + +; This sets password hash storage to legacy mode (1.2.4 and before) +; (Note that setting this to true is insecure and should not be used unless absolutely necessary) +;legacyPasswordHash=false + +; By default a strong amount of PBKDF2 iterations are chosen automatically. If >0 this setting +; overrides the automatic benchmark and forces a specific number of iterations. +; (Note that you should only change this value if you know what you are doing) +;kdfIterations=-1 + +; In order to prevent misconfigured, impolite or malicious clients from +; affecting the low-latency of other users, Murmur has a rudimentary global-ban +; system. It's configured using the autobanAttempts, autobanTimeframe and +; autobanTime settings. +; +; If a client attempts autobanAttempts connections in autobanTimeframe seconds, +; they will be banned for autobanTime seconds. This is a global ban, from all +; virtual servers on the Murmur process. It will not show up in any of the +; ban-lists on the server, and they can't be removed without restarting the +; Murmur process - just let them expire. A single, properly functioning client +; should not trip these bans. +; +; To disable, set autobanAttempts or autobanTimeframe to 0. Commenting these +; settings out will cause Murmur to use the defaults: +; +;autobanAttempts=10 +;autobanTimeframe=120 +;autobanTime=300 + +; You can configure any of the configuration options for Ice here. We recommend +; leave the defaults as they are. +; Please note that this section has to be last in the configuration file. +; +[Ice] +Ice.Warn.UnknownProperties=1 +Ice.MessageSizeMax=65536 diff --git a/ansible/roles/nginx/tasks/main.json b/ansible/roles/nginx/tasks/main.json index d39c1e2..c8e2b40 100644 --- a/ansible/roles/nginx/tasks/main.json +++ b/ansible/roles/nginx/tasks/main.json @@ -3,6 +3,7 @@ "name": "install packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "nginx" ] diff --git a/ansible/roles/postgresql-for-authelia/defaults/main.json b/ansible/roles/postgresql-for-authelia/defaults/main.json new file mode 100644 index 0000000..379cde9 --- /dev/null +++ b/ansible/roles/postgresql-for-authelia/defaults/main.json @@ -0,0 +1,7 @@ +{ + "var_postgresql_for_authelia_host": "localhost", + "var_postgresql_for_authelia_port": 5432, + "var_postgresql_for_authelia_username": "authelia_user", + "var_postgresql_for_authelia_password": "REPLACE_ME", + "var_postgresql_for_authelia_schema": "authelia" +} diff --git a/ansible/roles/postgresql-for-authelia/tasks/main.json b/ansible/roles/postgresql-for-authelia/tasks/main.json new file mode 100644 index 0000000..e2b3aa5 --- /dev/null +++ b/ansible/roles/postgresql-for-authelia/tasks/main.json @@ -0,0 +1,49 @@ +[ + { + "name": "packages", + "become": true, + "ansible.builtin.apt": { + "update_cache": true, + "pkg": [ + "acl", + "python3-psycopg2" + ] + } + }, + { + "name": "user", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_user": { + "state": "present", + "name": "{{var_postgresql_for_authelia_username}}", + "password": "{{var_postgresql_for_authelia_password}}" + }, + "environment": { + "PGOPTIONS": "-c password_encryption=scram-sha-256" + } + }, + { + "name": "schema", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_db": { + "state": "present", + "name": "{{var_postgresql_for_authelia_schema}}", + "owner": "{{var_postgresql_for_authelia_username}}" + } + }, + { + "name": "rights", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_privs": { + "state": "present", + "db": "{{var_postgresql_for_authelia_schema}}", + "objs": "ALL_IN_SCHEMA", + "roles": "{{var_postgresql_for_authelia_username}}", + "privs": "ALL", + "grant_option": true + } + } +] diff --git a/ansible/roles/postgresql-for-authelia/vardef.json b/ansible/roles/postgresql-for-authelia/vardef.json new file mode 100644 index 0000000..87b266f --- /dev/null +++ b/ansible/roles/postgresql-for-authelia/vardef.json @@ -0,0 +1,22 @@ +{ + "host": { + "mandatory": false, + "type": "string" + }, + "port": { + "mandatory": false, + "type": "integer" + }, + "username": { + "mandatory": false, + "type": "string" + }, + "password": { + "mandatory": true, + "type": "string" + }, + "schema": { + "mandatory": false, + "type": "string" + } +} diff --git a/ansible/roles/postgresql-for-hedgedoc/defaults/main.json b/ansible/roles/postgresql-for-hedgedoc/defaults/main.json new file mode 100644 index 0000000..a0e1eeb --- /dev/null +++ b/ansible/roles/postgresql-for-hedgedoc/defaults/main.json @@ -0,0 +1,5 @@ +{ + "var_postgresql_for_hedgedoc_username": "hedgedoc_user", + "var_postgresql_for_hedgedoc_password": "REPLACE_ME", + "var_postgresql_for_hedgedoc_schema": "hedgedoc" +} diff --git a/ansible/roles/postgresql-for-hedgedoc/tasks/main.json b/ansible/roles/postgresql-for-hedgedoc/tasks/main.json new file mode 100644 index 0000000..3551075 --- /dev/null +++ b/ansible/roles/postgresql-for-hedgedoc/tasks/main.json @@ -0,0 +1,49 @@ +[ + { + "name": "packages", + "become": true, + "ansible.builtin.apt": { + "update_cache": true, + "pkg": [ + "acl", + "python3-psycopg2" + ] + } + }, + { + "name": "user", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_user": { + "state": "present", + "name": "{{var_postgresql_for_hedgedoc_username}}", + "password": "{{var_postgresql_for_hedgedoc_password}}" + }, + "environment": { + "PGOPTIONS": "-c password_encryption=scram-sha-256" + } + }, + { + "name": "schema", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_db": { + "state": "present", + "name": "{{var_postgresql_for_hedgedoc_schema}}", + "owner": "{{var_postgresql_for_hedgedoc_username}}" + } + }, + { + "name": "rights", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_privs": { + "state": "present", + "db": "{{var_postgresql_for_hedgedoc_schema}}", + "objs": "ALL_IN_SCHEMA", + "roles": "{{var_postgresql_for_hedgedoc_username}}", + "privs": "ALL", + "grant_option": true + } + } +] diff --git a/ansible/roles/postgresql-for-synapse/defaults/main.json b/ansible/roles/postgresql-for-synapse/defaults/main.json index 3c4645a..84e4fd3 100644 --- a/ansible/roles/postgresql-for-synapse/defaults/main.json +++ b/ansible/roles/postgresql-for-synapse/defaults/main.json @@ -1,5 +1,5 @@ { "var_postgresql_for_synapse_username": "synapse_user", - "var_postgresql_for_synapse_password": "synapse_password", + "var_postgresql_for_synapse_password": "REPLACE_ME", "var_postgresql_for_synapse_schema": "synapse" } diff --git a/ansible/roles/postgresql-for-synapse/tasks/main.json b/ansible/roles/postgresql-for-synapse/tasks/main.json index 7b6cee0..7f6ceb0 100644 --- a/ansible/roles/postgresql-for-synapse/tasks/main.json +++ b/ansible/roles/postgresql-for-synapse/tasks/main.json @@ -3,6 +3,7 @@ "name": "packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "acl", "python3-psycopg2" @@ -17,6 +18,9 @@ "state": "present", "name": "{{var_postgresql_for_synapse_username}}", "password": "{{var_postgresql_for_synapse_password}}" + }, + "environment": { + "PGOPTIONS": "-c password_encryption=scram-sha-256" } }, { diff --git a/ansible/roles/postgresql/defaults/main.json b/ansible/roles/postgresql/defaults/main.json index abd9af3..ff00ca2 100644 --- a/ansible/roles/postgresql/defaults/main.json +++ b/ansible/roles/postgresql/defaults/main.json @@ -1,5 +1,5 @@ { "var_postgresql_listen_address": "localhost", - "var_postgresql_port": "5432" + "var_postgresql_port": 5432 } diff --git a/ansible/roles/postgresql/tasks/main.json b/ansible/roles/postgresql/tasks/main.json index d870dc8..b87c19b 100644 --- a/ansible/roles/postgresql/tasks/main.json +++ b/ansible/roles/postgresql/tasks/main.json @@ -3,6 +3,7 @@ "name": "install packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "postgresql" ] diff --git a/ansible/roles/postgresql/templates/postgresql.conf.j2 b/ansible/roles/postgresql/templates/postgresql.conf.j2 index 1b5c664..3b2847f 100644 --- a/ansible/roles/postgresql/templates/postgresql.conf.j2 +++ b/ansible/roles/postgresql/templates/postgresql.conf.j2 @@ -61,7 +61,7 @@ listen_addresses = '{{var_postgresql_listen_address}}' # what IP address(es) to # comma-separated list of addresses; # defaults to 'localhost'; use '*' for all # (change requires restart) -port = {{var_postgresql_port}} # (change requires restart) +port = {{var_postgresql_port | string}} # (change requires restart) max_connections = 100 # (change requires restart) #superuser_reserved_connections = 3 # (change requires restart) unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories diff --git a/ansible/roles/postgresql/vardef.json b/ansible/roles/postgresql/vardef.json new file mode 100644 index 0000000..0fc124f --- /dev/null +++ b/ansible/roles/postgresql/vardef.json @@ -0,0 +1,15 @@ +{ + "listen_address": { + "mandatory": false, + "type": "string" + }, + "port": { + "mandatory": false, + "type": "integer" + }, + "allow_md5_auth": { + "mandatory": false, + "type": "boolean" + } +} + diff --git a/ansible/roles/proftpd/tasks/main.json b/ansible/roles/proftpd/tasks/main.json index 982ae45..d277bc0 100644 --- a/ansible/roles/proftpd/tasks/main.json +++ b/ansible/roles/proftpd/tasks/main.json @@ -3,6 +3,7 @@ "name": "install packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "proftpd-core" ] diff --git a/ansible/roles/sqlite-for-hedgedoc/defaults/main.json b/ansible/roles/sqlite-for-hedgedoc/defaults/main.json new file mode 100644 index 0000000..e574eac --- /dev/null +++ b/ansible/roles/sqlite-for-hedgedoc/defaults/main.json @@ -0,0 +1,4 @@ +{ + "var_sqlite_for_hedgedoc_path": "/var/hedgedoc/data.sqlite", + "var_sqlite_for_hedgedoc_user_name": "hedgedoc" +} diff --git a/ansible/roles/sqlite-for-hedgedoc/tasks/main.json b/ansible/roles/sqlite-for-hedgedoc/tasks/main.json new file mode 100644 index 0000000..7495fca --- /dev/null +++ b/ansible/roles/sqlite-for-hedgedoc/tasks/main.json @@ -0,0 +1,20 @@ +[ + { + "name": "directory", + "become": true, + "ansible.builtin.file": { + "state": "directory", + "path": "{{var_sqlite_for_hedgedoc_path | dirname}}", + "owner": "{{var_hedgedoc_user_name}}" + } + }, + { + "name": "file", + "become": true, + "ansible.builtin.file": { + "state": "touch", + "path": "{{var_sqlite_for_hedgedoc_path}}", + "owner": "{{var_sqlite_for_hedgedoc_user_name}}" + } + } +] diff --git a/ansible/roles/sqlite-for-hedgedoc/vardef.json b/ansible/roles/sqlite-for-hedgedoc/vardef.json new file mode 100644 index 0000000..e62f130 --- /dev/null +++ b/ansible/roles/sqlite-for-hedgedoc/vardef.json @@ -0,0 +1,10 @@ +{ + "path": { + "type": "string", + "mandatory": false + }, + "user_name": { + "type": "string", + "mandatory": false + } +} diff --git a/ansible/roles/synapse-and-lighttpd/defaults/main.json b/ansible/roles/synapse-and-lighttpd/defaults/main.json index fc3f952..9f9b55e 100644 --- a/ansible/roles/synapse-and-lighttpd/defaults/main.json +++ b/ansible/roles/synapse-and-lighttpd/defaults/main.json @@ -1,3 +1,3 @@ { - "var_synapse_and_lighttpd_domain": "REPLACE_ME" + "var_synapse_and_lighttpd_domain": "synapse.example.org" } diff --git a/ansible/roles/synapse/defaults/main.json b/ansible/roles/synapse/defaults/main.json index fe0f604..bc84eb6 100644 --- a/ansible/roles/synapse/defaults/main.json +++ b/ansible/roles/synapse/defaults/main.json @@ -1,27 +1,27 @@ { "var_synapse_scheme": "https", - "var_synapse_domain": "matrix.example.org", - "var_synaspe_database_kind": "sqlite", - "var_synaspe_database_sqlite_path": "/var/synapse/data.sqlite", - "var_synaspe_database_postgresql_host": "localhost", - "var_synaspe_database_postgresql_port": "5432", - "var_synaspe_database_postgresql_username": "synapse_user", - "var_synaspe_database_postgresql_password": "REPLACE_ME", - "var_synaspe_database_postgresql_schema": "synapse", + "var_synapse_domain": "synapse.example.org", + "var_synapse_database_kind": "sqlite", + "var_synapse_database_data_sqlite_path": "/var/synapse/data.sqlite", + "var_synapse_database_data_postgresql_host": "localhost", + "var_synapse_database_data_postgresql_port": 5432, + "var_synapse_database_data_postgresql_username": "synapse_user", + "var_synapse_database_data_postgresql_password": "REPLACE_ME", + "var_synapse_database_data_postgresql_schema": "synapse", "var_synapse_element_url": "https://element.example.org", "var_synapse_title": "Example | Matrix", - "var_synapse_federation_whitelist": "[]", - "var_synapse_password_strict_policy": "true", + "var_synapse_federation_whitelist": [], + "var_synapse_password_strict_policy": true, "var_synapse_registration_shared_secret": "REPLACE_ME", - "var_synapse_oidc_enable": false, - "var_synapse_oidc_provider_id": "external_auth", - "var_synapse_oidc_provider_name": "external auth", - "var_synapse_oidc_client_id": "synapse", - "var_synapse_oidc_client_secret": "REPLACE_ME", - "var_synapse_oidc_issuer_url": "https://auth.example.org", + "var_synapse_authentication_kind": "internal", + "var_synapse_authentication_data_authelia_provider_id": "authelia", + "var_synapse_authentication_data_authelia_provider_name": "Authelia", + "var_synapse_authentication_data_authelia_client_id": "synapse", + "var_synapse_authentication_data_authelia_client_secret": "REPLACE_ME", + "var_synapse_authentication_data_authelia_url_base": "https://authelia.example.org", "var_synapse_smtp_host": "smtp.example.org", - "var_synapse_smtp_port": "587", - "var_synapse_smtp_username": "matrix@smtp.example.org", + "var_synapse_smtp_port": 587, + "var_synapse_smtp_username": "synapse@smtp.example.org", "var_synapse_smtp_password": "REPLACE_ME", "var_synapse_admin_user_define": true, "var_synapse_admin_user_name": "admin", diff --git a/ansible/roles/synapse/templates/homeserver.yaml.j2 b/ansible/roles/synapse/templates/homeserver.yaml.j2 index c58e3e7..f5c310c 100644 --- a/ansible/roles/synapse/templates/homeserver.yaml.j2 +++ b/ansible/roles/synapse/templates/homeserver.yaml.j2 @@ -1,19 +1,19 @@ -{% if var_synaspe_database_kind == 'sqlite' %} +{% if var_synapse_database_kind == 'sqlite' %} database: name: sqlite3 args: - database: {{var_synaspe_database_sqlite_path}} + database: {{var_synapse_database_sqlite_path}} {% endif %} -{% if var_synaspe_database_kind == 'postgresql' %} +{% if var_synapse_database_kind == 'postgresql' %} database: name: psycopg2 args: - host: {{var_synapse_database_postgresql_host}} - port: {{var_synapse_database_postgresql_port}} - database: "{{var_synapse_database_postgresql_schema}}" - user: "{{var_synapse_database_postgresql_username}}" - password: "{{var_synapse_database_postgresql_password}}" + host: {{var_synapse_database_data_postgresql_host}} + port: {{var_synapse_database_data_postgresql_port | string}} + database: "{{var_synapse_database_data_postgresql_schema}}" + user: "{{var_synapse_database_data_postgresql_username}}" + password: "{{var_synapse_database_data_postgresql_password}}" cp_min: 5 cp_max: 10 {% endif %} @@ -45,7 +45,7 @@ listeners: - names: [federation] compress: false -federation_domain_whitelist: {{var_synapse_federation_whitelist}} +federation_domain_whitelist: {{var_synapse_federation_whitelist | to_yaml}} serve_server_wellknown: true @@ -87,14 +87,8 @@ max_spider_size: "10M" enable_registration_captcha: false recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" +{% if var_synapse_registration_shared_secret != None %} registration_shared_secret: "{{var_synapse_registration_shared_secret}}" - -{% if var_synapse_oidc_enable %} -enable_registration: false -enable_registration_without_verification: false -{% else %} -enable_registration: true -enable_registration_without_verification: true {% endif %} oidc_config: @@ -103,15 +97,23 @@ oidc_config: # NOT an Ansible variable localpart_template: "{{"{{"}} user.preferred_username {{"}}"}}" -{% if var_synapse_oidc_enable %} +{% if var_synapse_authentication_kind == 'internal' %} +enable_registration: true +enable_registration_without_verification: true +{% endif %} + +{% if var_synapse_authentication_kind == 'authelia' %} +enable_registration: false +enable_registration_without_verification: false + oidc_providers: - - idp_id: "{{var_synapse_oidc_provider_id}}" - idp_name: "{{var_synapse_oidc_provider_name}}" - # idp_icon: "mxc://authelia.com/cKlrTPsGvlpKxAYeHWJsdVHI" + - idp_id: "{{var_synapse_authentication_data_authelia_provider_id}}" + idp_name: "{{var_synapse_authentication_data_authelia_provider_name}}" + idp_icon: "mxc://authelia.com/cKlrTPsGvlpKxAYeHWJsdVHI" discover: true - issuer: "{{var_synapse_oidc_issuer_url}}" - client_id: "{{var_synapse_oidc_client_id}}" - client_secret: "{{var_synapse_oidc_client_secret}}" + issuer: "{{var_synapse_authentication_data_authelia_url_base}}" + client_id: "{{var_synapse_authentication_data_authelia_client_id}}" + client_secret: "{{var_synapse_authentication_data_authelia_client_secret}}" scopes: ["openid", "profile", "email"] allow_existing_users: true user_mapping_provider: @@ -158,11 +160,11 @@ saml2_config: password_config: enabled: true policy: - enabled: {{var_synapse_password_strict_policy}} + enabled: {{var_synapse_password_strict_policy | to_yaml}} email: smtp_host: "{{var_synapse_smtp_host}}" - smtp_port: {{var_synapse_smtp_port}} + smtp_port: {{var_synapse_smtp_port | to_yaml}} smtp_user: "{{var_synapse_smtp_username}}" smtp_pass: "{{var_synapse_smtp_password}}" require_transport_security: true diff --git a/ansible/roles/tlscert_acme_inwx/tasks/main.json b/ansible/roles/tlscert_acme_inwx/tasks/main.json index d7016ba..0e8a365 100644 --- a/ansible/roles/tlscert_acme_inwx/tasks/main.json +++ b/ansible/roles/tlscert_acme_inwx/tasks/main.json @@ -3,6 +3,7 @@ "name": "packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "openssl", "python3-cryptography" diff --git a/ansible/roles/tlscert_acme_netcup/tasks/main.json b/ansible/roles/tlscert_acme_netcup/tasks/main.json index 37ad51c..574ee11 100644 --- a/ansible/roles/tlscert_acme_netcup/tasks/main.json +++ b/ansible/roles/tlscert_acme_netcup/tasks/main.json @@ -3,6 +3,7 @@ "name": "packages | debian", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "openssl", "python3-cryptography", diff --git a/ansible/roles/tlscert_selfsigned/tasks/main.json b/ansible/roles/tlscert_selfsigned/tasks/main.json index 96d3863..5b816f3 100644 --- a/ansible/roles/tlscert_selfsigned/tasks/main.json +++ b/ansible/roles/tlscert_selfsigned/tasks/main.json @@ -3,6 +3,7 @@ "name": "install packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "openssl", "python3-cryptography"