From 99f4bb1d98657395cf6fe7b6c31e229b68dc600c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 10 Dec 2023 14:33:45 +0100 Subject: [PATCH 01/61] [add] role:authelia --- ansible/roles/authelia/defaults/main.json | 18 +++ ansible/roles/authelia/info.md | 6 + ansible/roles/authelia/tasks/main.json | 44 ++++++ .../roles/authelia/templates/config.yml.j2 | 130 ++++++++++++++++++ 4 files changed, 198 insertions(+) create mode 100644 ansible/roles/authelia/defaults/main.json create mode 100644 ansible/roles/authelia/info.md create mode 100644 ansible/roles/authelia/tasks/main.json create mode 100644 ansible/roles/authelia/templates/config.yml.j2 diff --git a/ansible/roles/authelia/defaults/main.json b/ansible/roles/authelia/defaults/main.json new file mode 100644 index 0000000..fa6cc83 --- /dev/null +++ b/ansible/roles/authelia/defaults/main.json @@ -0,0 +1,18 @@ +{ + "var_authelia_listen_address": "0.0.0.0", + "var_authelia_jwt_secret": "authelia_jwt_secret", + "var_authelia_users_file_path": "/var/authelia/users.json", + "var_authelia_session_domain": "example.org", + "var_authelia_session_secret": "session_secret", + "var_authelia_storage_path": "/var/authelia/state.db", + "var_authelia_storage_encryption_key": "storage_encryption_key", + "var_authelia_ntp_server": "time.cloudflare.com:123", + "var_authelia_notification_mode": "email", + "var_authelia_notification_smtp_host": "smtp.example.org", + "var_authelia_notification_smtp_port": "465", + "var_authelia_notification_smtp_username": "authelia", + "var_authelia_notification_smtp_username": "smtp_password", + "var_authelia_notification_smtp_sender": "Authelia", + "var_authelia_notification_smtp_sender": "Authelia", + "var_authelia_oidc_hmac_secret": "oidc_hmac_secret", +} diff --git a/ansible/roles/authelia/info.md b/ansible/roles/authelia/info.md new file mode 100644 index 0000000..94653fd --- /dev/null +++ b/ansible/roles/authelia/info.md @@ -0,0 +1,6 @@ +## Verweise + +- [Projekt-Website](https://www.authelia.com/) +- [GitHub-Seite](https://github.com/authelia/authelia) +- [Installations-Anleitung](https://www.authelia.com/integration/deployment/bare-metal/) +- [Dokumentation | Konfiguration](https://www.authelia.com/configuration/) diff --git a/ansible/roles/authelia/tasks/main.json b/ansible/roles/authelia/tasks/main.json new file mode 100644 index 0000000..5b78ea0 --- /dev/null +++ b/ansible/roles/authelia/tasks/main.json @@ -0,0 +1,44 @@ +[ + { + "name": "invoke package repository", + "become": true, + "ansible.builtin.apt_repository": { + "repo": "deb https://apt.authelia.com/stable/debian/debian/ all main" + } + }, + { + "name": "install packages", + "become": true, + "ansible.builtin.apt": { + "pgk": [ + "authelia" + ] + } + }, + { + "name": "generate private key for signing OIDC JWTs", + "beccome": true, + "community.crypto.openssl_privatekey": { + "type": "RSA", + "size": 4096, + "path": "/dev/null", + "return_content": true + } + }, + { + "name": "emplace configuration", + "become": true, + "ansible.builtin.template": { + "src": "config.yml.j2", + "dest": "/etc/authelia/config.yml" + } + }, + { + "name": "apply", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "authelia" + } + } +] diff --git a/ansible/roles/authelia/templates/config.yml.j2 b/ansible/roles/authelia/templates/config.yml.j2 new file mode 100644 index 0000000..6e0ee36 --- /dev/null +++ b/ansible/roles/authelia/templates/config.yml.j2 @@ -0,0 +1,130 @@ +theme: auto +jwt_secret: "{{var_authelia_jwt_secret}}" +default_2fa_method: totp +server: + host: "{{var_authelia_listen_address}}" + port: 9091 + path: "" + enable_pprof: false + enable_expvars: false + disable_healthcheck: false +log: + level: info + format: json + file_path: /var/log/authelia.log + keep_stdout: false +telemetry: + metrics: + enabled: false + address: tcp://0.0.0.0:9959 +totp: + disable: true + issuer: authelia.com + algorithm: sha1 + digits: 6 + period: 30 + skew: 1 + secret_size: 32 +webauthn: + disable: true + timeout: 60s + display_name: Authelia + attestation_conveyance_preference: indirect + user_verification: preferred +ntp: + address: "{{var_authelia_ntp_server}}" + version: 4 + max_desync: 3s + disable_startup_check: false + disable_failure: false +authentication_backend: + password_reset: + disable: true + custom_url: "" + refresh_interval: 5m + file: + path: "{{var_authelia_users_file_path}}" + watch: true + search: + email: false + case_insensitive: false + password: + algorithm: argon2 + argon2: + variant: argon2id + iterations: 3 + memory: 65536 + parallelism: 4 + key_length: 32 + salt_length: 16 + scrypt: + iterations: 16 + block_size: 8 + parallelism: 1 + key_length: 32 + salt_length: 16 + pbkdf2: + variant: sha512 + iterations: 310000 + salt_length: 16 + sha2crypt: + variant: sha512 + iterations: 50000 + salt_length: 16 + bcrypt: + variant: standard + cost: 12 +password_policy: + standard: + enabled: false + min_length: 8 + max_length: 0 + require_uppercase: true + require_lowercase: true + require_number: true + require_special: true + zxcvbn: + enabled: false + min_score: 3 +access_control: + default_policy: one_factor +session: + name: authelia_session + domain: "{{var_authelia_session_domain}}" + same_site: lax + secret: "{{var_authelia_session_secret}}" + expiration: 1h + inactivity: 5m + remember_me_duration: 1M +regulation: + max_retries: 3 + find_time: 2m + ban_time: 5m +storage: + encryption_key: "{{var_authelia_storage_encryption_key}}" + local: + path: "{{var_authelia_storage_path}}" +notifier: + disable_startup_check: true + # filesystem: + # filename: /config/notification.txt + smtp: + host: "{{var_authelia_notification_smtp_host}}" + port: {{var_authelia_notification_smtp_port}} + username: "{{var_authelia_notification_smtp_username}}" + password: "{{var_authelia_notification_smtp_password}}" + sender: "{{var_authelia_notification_smtp_sender}}" + disable_require_tls: false + disable_html_emails: false + tls: + skip_verify: false +identity_providers: + oidc: + hmac_secret: "{{var_authelia_oidc_hmac_secret}}" + issuer_private_key: | + {{privatekey}} + cors: + allowed_origins_from_client_redirect_uris: true + clients: [] + +... From 8b322c0c2ef0ec6c9762e1bc070f043da4ea6d32 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 10 Dec 2023 20:44:52 +0100 Subject: [PATCH 02/61] [int] --- ansible/roles/hedgedoc/defaults/main.json | 5 ++++ ansible/roles/hedgedoc/info.md | 3 ++ ansible/roles/hedgedoc/tasks/main.json | 2 ++ .../roles/hedgedoc/templates/config.json.j2 | 28 +++++++++++++++++++ 4 files changed, 38 insertions(+) create mode 100644 ansible/roles/hedgedoc/defaults/main.json create mode 100644 ansible/roles/hedgedoc/info.md create mode 100644 ansible/roles/hedgedoc/tasks/main.json create mode 100644 ansible/roles/hedgedoc/templates/config.json.j2 diff --git a/ansible/roles/hedgedoc/defaults/main.json b/ansible/roles/hedgedoc/defaults/main.json new file mode 100644 index 0000000..9370b77 --- /dev/null +++ b/ansible/roles/hedgedoc/defaults/main.json @@ -0,0 +1,5 @@ +{ + "var_hedgedoc_session_secret": "session_secret", + "var_hedgedoc_database_path": "/var/hedgedoc/data.sqlite", + "var_hedgedoc_oauth2_provider_name": "external auth", +} diff --git a/ansible/roles/hedgedoc/info.md b/ansible/roles/hedgedoc/info.md new file mode 100644 index 0000000..e2c1fa2 --- /dev/null +++ b/ansible/roles/hedgedoc/info.md @@ -0,0 +1,3 @@ +## Verweise + +- [Projekt-Website](https://docs.hedgedoc.org/) diff --git a/ansible/roles/hedgedoc/tasks/main.json b/ansible/roles/hedgedoc/tasks/main.json new file mode 100644 index 0000000..0d4f101 --- /dev/null +++ b/ansible/roles/hedgedoc/tasks/main.json @@ -0,0 +1,2 @@ +[ +] diff --git a/ansible/roles/hedgedoc/templates/config.json.j2 b/ansible/roles/hedgedoc/templates/config.json.j2 new file mode 100644 index 0000000..d5f04cc --- /dev/null +++ b/ansible/roles/hedgedoc/templates/config.json.j2 @@ -0,0 +1,28 @@ +{ + "development": { + "domain": "localhost:3000", + "url": { + "addport": true + }, + "loglevel": "debug", + "sessionSecret": "{{var_hedgedoc_session_secret}}", + "db": { + "dialect": "sqlite", + "storage": "./db.hedgedoc.sqlite" + }, + "urlAddPort": false, + "protocolUseSSL": false, + "oauth2": { + "providerName": "authelia", + "clientId": "b45421efcb7b1e5672d9b2bc55b3fdb2b6c62f3a72668110bd38f77fa1242ece", + "clientSecret": "e8493098b9a280610a2ba9fa0b49f14035a9f048e8505cf4981f0555a2885655", + "scope": "openid email profile", + "userProfileUsernameAttr": "sub", + "userProfileDisplayNameAttr": "name", + "userProfileEmailAttr": "email", + "userProfileUrl": "http://authelia.local:9091/api/oidc/userinfo", + "tokenUrl": "http://authelia.local:9091/api/oidc/token", + "authorizationUrl": "http://authelia.local:9091/api/oidc/authorize" + } + } +} From a947c4900e186cfa87ad6f190b6c0e8235db3492 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Mon, 11 Dec 2023 02:43:58 +0100 Subject: [PATCH 03/61] [mod] role:authelia --- ansible/roles/authelia/defaults/main.json | 8 ++- ansible/roles/authelia/info.md | 7 ++ ansible/roles/authelia/tasks/main.json | 66 ++++++++++++++++--- .../{config.yml.j2 => configuration.yml.j2} | 23 +++++-- ansible/roles/authelia/templates/users.yml.j2 | 6 ++ 5 files changed, 93 insertions(+), 17 deletions(-) rename ansible/roles/authelia/templates/{config.yml.j2 => configuration.yml.j2} (84%) create mode 100644 ansible/roles/authelia/templates/users.yml.j2 diff --git a/ansible/roles/authelia/defaults/main.json b/ansible/roles/authelia/defaults/main.json index fa6cc83..a287d47 100644 --- a/ansible/roles/authelia/defaults/main.json +++ b/ansible/roles/authelia/defaults/main.json @@ -1,18 +1,20 @@ { "var_authelia_listen_address": "0.0.0.0", "var_authelia_jwt_secret": "authelia_jwt_secret", - "var_authelia_users_file_path": "/var/authelia/users.json", + "var_authelia_users_file_path": "/var/authelia/users.yml", + "var_authelia_log_file_path": "/var/log/authelia.log", "var_authelia_session_domain": "example.org", "var_authelia_session_secret": "session_secret", "var_authelia_storage_path": "/var/authelia/state.db", "var_authelia_storage_encryption_key": "storage_encryption_key", "var_authelia_ntp_server": "time.cloudflare.com:123", - "var_authelia_notification_mode": "email", + "var_authelia_notification_mode": "smtp", + "var_authelia_notification_file_path": "/var/authelia/notifications", "var_authelia_notification_smtp_host": "smtp.example.org", "var_authelia_notification_smtp_port": "465", "var_authelia_notification_smtp_username": "authelia", "var_authelia_notification_smtp_username": "smtp_password", "var_authelia_notification_smtp_sender": "Authelia", "var_authelia_notification_smtp_sender": "Authelia", - "var_authelia_oidc_hmac_secret": "oidc_hmac_secret", + "var_authelia_oidc_hmac_secret": "oidc_hmac_secret" } diff --git a/ansible/roles/authelia/info.md b/ansible/roles/authelia/info.md index 94653fd..a980bea 100644 --- a/ansible/roles/authelia/info.md +++ b/ansible/roles/authelia/info.md @@ -4,3 +4,10 @@ - [GitHub-Seite](https://github.com/authelia/authelia) - [Installations-Anleitung](https://www.authelia.com/integration/deployment/bare-metal/) - [Dokumentation | Konfiguration](https://www.authelia.com/configuration/) + + +## ToDo + +- Dummy-Client los werden +- Dummy-Nutzer los werden + diff --git a/ansible/roles/authelia/tasks/main.json b/ansible/roles/authelia/tasks/main.json index 5b78ea0..faecaf0 100644 --- a/ansible/roles/authelia/tasks/main.json +++ b/ansible/roles/authelia/tasks/main.json @@ -1,36 +1,86 @@ [ { - "name": "invoke package repository", +"when": false, + "name": "prepare package installation 1", + "become": true, + "ansible.builtin.apt": { + "pkg": [ + "apt-transport-https", + "gpg" + ] + } + }, + { +"when": false, + "name": "prepare package installation 2", + "become": true, + "ansible.builtin.apt_key": { + "url": "https://apt.authelia.com/organization/signing.asc" + } + }, + { +"when": false, + "name": "prepare package installation 3", "become": true, "ansible.builtin.apt_repository": { "repo": "deb https://apt.authelia.com/stable/debian/debian/ all main" } + }, { +"when": false, "name": "install packages", "become": true, "ansible.builtin.apt": { - "pgk": [ + "update_cache": true, + "pkg": [ + "openssl", + "python3-cryptography", "authelia" ] } }, { "name": "generate private key for signing OIDC JWTs", - "beccome": true, + "become": true, "community.crypto.openssl_privatekey": { "type": "RSA", "size": 4096, - "path": "/dev/null", + "path": "/etc/ssl/private/authelia-key.pem", "return_content": true - } + }, + "register": "temp_tls_result" }, { "name": "emplace configuration", "become": true, "ansible.builtin.template": { - "src": "config.yml.j2", - "dest": "/etc/authelia/config.yml" + "src": "configuration.yml.j2", + "dest": "/etc/authelia/configuration.yml" + } + }, + { + "name": "setup log directory", + "become": true, + "ansible.builtin.file": { + "state": "directory", + "path": "{{var_authelia_log_file_path | dirname}}" + } + }, + { + "name": "setup users directory", + "become": true, + "ansible.builtin.file": { + "state": "directory", + "path": "{{var_authelia_users_file_path | dirname}}" + } + }, + { + "name": "place dummy user file", + "become": true, + "ansible.builtin.template": { + "src": "users.yml.j2", + "path": "{{var_authelia_users_file_path}}" } }, { @@ -39,6 +89,6 @@ "ansible.builtin.systemd_service": { "state": "restarted", "name": "authelia" - } + } } ] diff --git a/ansible/roles/authelia/templates/config.yml.j2 b/ansible/roles/authelia/templates/configuration.yml.j2 similarity index 84% rename from ansible/roles/authelia/templates/config.yml.j2 rename to ansible/roles/authelia/templates/configuration.yml.j2 index 6e0ee36..8fc19ad 100644 --- a/ansible/roles/authelia/templates/config.yml.j2 +++ b/ansible/roles/authelia/templates/configuration.yml.j2 @@ -11,14 +11,14 @@ server: log: level: info format: json - file_path: /var/log/authelia.log + file_path: {{var_authelia_log_file_path}} keep_stdout: false telemetry: metrics: enabled: false address: tcp://0.0.0.0:9959 totp: - disable: true + disable: false issuer: authelia.com algorithm: sha1 digits: 6 @@ -106,8 +106,11 @@ storage: path: "{{var_authelia_storage_path}}" notifier: disable_startup_check: true - # filesystem: - # filename: /config/notification.txt +{% if var_authelia_notification_mode == "file" %} + filesystem: + filename: {{var_authelia_notification_file_path}} +{% endif %} +{% if var_authelia_notification_mode == "smtp" %} smtp: host: "{{var_authelia_notification_smtp_host}}" port: {{var_authelia_notification_smtp_port}} @@ -118,13 +121,21 @@ notifier: disable_html_emails: false tls: skip_verify: false +{% endif %} identity_providers: oidc: hmac_secret: "{{var_authelia_oidc_hmac_secret}}" issuer_private_key: | - {{privatekey}} +{% filter indent(width=6) %} + {{temp_tls_result.privatekey}} +{% endfilter %} cors: allowed_origins_from_client_redirect_uris: true - clients: [] + clients: + - + public: false + id: "dummy" + secret: "d1424b378e4fbbc153f330f33b74ab192525b98cc2dd58b2e8d01c2737be00c6" + redirect_uris: [] ... diff --git a/ansible/roles/authelia/templates/users.yml.j2 b/ansible/roles/authelia/templates/users.yml.j2 new file mode 100644 index 0000000..eea8164 --- /dev/null +++ b/ansible/roles/authelia/templates/users.yml.j2 @@ -0,0 +1,6 @@ +users: + _dummy: + displayname: "(Dummy)" + password: "$argon2id$v=19$m=65536,t=3,p=4$sHIRjFaYRz2U3F8wHnqecQ$lwnQtHNeFqgLaLSW8It7KJSHNOJoSeF+RF7lwgM7WRA" + email: "dummy@nowhere.org" + groups: [] From 15af3efdab8e50767ad10c977a9f226bbfb9e955 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Mon, 11 Dec 2023 02:44:11 +0100 Subject: [PATCH 04/61] [add] role:authelia-and-nginx --- .../authelia-and-nginx/defaults/main.json | 3 ++ ansible/roles/authelia-and-nginx/info.md | 3 ++ .../roles/authelia-and-nginx/tasks/main.json | 35 +++++++++++++++++++ .../authelia-and-nginx/templates/conf.j2 | 26 ++++++++++++++ 4 files changed, 67 insertions(+) create mode 100644 ansible/roles/authelia-and-nginx/defaults/main.json create mode 100644 ansible/roles/authelia-and-nginx/info.md create mode 100644 ansible/roles/authelia-and-nginx/tasks/main.json create mode 100644 ansible/roles/authelia-and-nginx/templates/conf.j2 diff --git a/ansible/roles/authelia-and-nginx/defaults/main.json b/ansible/roles/authelia-and-nginx/defaults/main.json new file mode 100644 index 0000000..7559dcb --- /dev/null +++ b/ansible/roles/authelia-and-nginx/defaults/main.json @@ -0,0 +1,3 @@ +{ + "var_authelia_and_nginx_domain": "authelia.example.org" +} diff --git a/ansible/roles/authelia-and-nginx/info.md b/ansible/roles/authelia-and-nginx/info.md new file mode 100644 index 0000000..670d9f0 --- /dev/null +++ b/ansible/roles/authelia-and-nginx/info.md @@ -0,0 +1,3 @@ +## Verweise + +- [Authelia-Dokumentation](https://www.authelia.com/integration/proxies/nginx/) diff --git a/ansible/roles/authelia-and-nginx/tasks/main.json b/ansible/roles/authelia-and-nginx/tasks/main.json new file mode 100644 index 0000000..87dcf2b --- /dev/null +++ b/ansible/roles/authelia-and-nginx/tasks/main.json @@ -0,0 +1,35 @@ +[ + { + "name": "deactivate default site", + "become": true, + "ansible.builtin.file": { + "state": "absent", + "dest": "/etc/nginx/sites-enabled/default" + } + }, + { + "name": "emplace configuration | data", + "become": true, + "ansible.builtin.template": { + "src": "conf.j2", + "dest": "/etc/nginx/sites-available/{{var_authelia_and_nginx_domain}}" + } + }, + { + "name": "emplace configuration | link", + "become": true, + "ansible.builtin.file": { + "state": "link", + "src": "/etc/nginx/sites-available/{{var_authelia_and_nginx_domain}}", + "dest": "/etc/nginx/sites-enabled/{{var_authelia_and_nginx_domain}}" + } + }, + { + "name": "restart nginx", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "nginx" + } + } +] diff --git a/ansible/roles/authelia-and-nginx/templates/conf.j2 b/ansible/roles/authelia-and-nginx/templates/conf.j2 new file mode 100644 index 0000000..8202046 --- /dev/null +++ b/ansible/roles/authelia-and-nginx/templates/conf.j2 @@ -0,0 +1,26 @@ +server { + listen 80; + server_name auth.*; + + return 301 https://$server_name$request_uri; +} + +server { + listen 443 ssl http2; + server_name {{var_authelia_and_nginx_domain}}; + + # include /config/nginx/snippets/ssl.conf; + ssl_certificate /etc/ssl/certs/{{var_authelia_and_nginx_domain}}.pem; + ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem; + + set $upstream http://localhost:9091; + + location / { + # include /config/nginx/snippets/proxy.conf; + proxy_pass $upstream; + } + + location /api/verify { + proxy_pass $upstream; + } +} From 5d24351cf64f2e42a57d0bc869d3ac9846336e15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 13 Dec 2023 18:04:57 +0100 Subject: [PATCH 05/61] [fix] role:tlscert_acme_netcup --- .../roles/tlscert_acme_netcup/tasks/main.json | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/ansible/roles/tlscert_acme_netcup/tasks/main.json b/ansible/roles/tlscert_acme_netcup/tasks/main.json index ed198dd..4a9f98f 100644 --- a/ansible/roles/tlscert_acme_netcup/tasks/main.json +++ b/ansible/roles/tlscert_acme_netcup/tasks/main.json @@ -1,14 +1,24 @@ [ { - "name": "packages", + "name": "packages | debian", "become": true, "ansible.builtin.apt": { "pkg": [ "openssl", - "python3-cryptography" + "python3-cryptography", + "python3-pip" ] } }, + { + "name": "packages | python", + "ansible.builtin.pip": { + "name": "nc_dnsapi" + }, + "environment": { + "PIP_BREAK_SYSTEM_PACKAGES": "1" + } + }, { "name": "setup directories | keys", "become": true, @@ -105,7 +115,7 @@ "name": "dns challenge | wait", "when": "'challenge_data' in temp_acme_data", "ansible.builtin.pause": { - "seconds": 60 + "seconds": 300 } }, { From 5732ffbc00383c2b811d46006aa25ade7465424c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 13 Dec 2023 20:33:53 +0100 Subject: [PATCH 06/61] [fix] roles:hedgedoc:defaults --- ansible/roles/hedgedoc/defaults/main.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/hedgedoc/defaults/main.json b/ansible/roles/hedgedoc/defaults/main.json index 9370b77..c79099c 100644 --- a/ansible/roles/hedgedoc/defaults/main.json +++ b/ansible/roles/hedgedoc/defaults/main.json @@ -1,5 +1,5 @@ { "var_hedgedoc_session_secret": "session_secret", "var_hedgedoc_database_path": "/var/hedgedoc/data.sqlite", - "var_hedgedoc_oauth2_provider_name": "external auth", + "var_hedgedoc_oauth2_provider_name": "external auth" } From 547fdb49973dea24f805214cd21b0bc9e88a0bf6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Fri, 15 Dec 2023 15:24:51 +0100 Subject: [PATCH 07/61] [mod] role:authelia --- ansible/roles/authelia/defaults/main.json | 2 + ansible/roles/authelia/tasks/main.json | 44 ++++++++++++++++++- .../roles/authelia/templates/systemd-unit.j2 | 11 +++++ 3 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 ansible/roles/authelia/templates/systemd-unit.j2 diff --git a/ansible/roles/authelia/defaults/main.json b/ansible/roles/authelia/defaults/main.json index a287d47..7c00228 100644 --- a/ansible/roles/authelia/defaults/main.json +++ b/ansible/roles/authelia/defaults/main.json @@ -1,4 +1,6 @@ { + "var_authelia_version": "4.37.5", + "var_authelia_variant": "amd64", "var_authelia_listen_address": "0.0.0.0", "var_authelia_jwt_secret": "authelia_jwt_secret", "var_authelia_users_file_path": "/var/authelia/users.yml", diff --git a/ansible/roles/authelia/tasks/main.json b/ansible/roles/authelia/tasks/main.json index faecaf0..fe83c24 100644 --- a/ansible/roles/authelia/tasks/main.json +++ b/ansible/roles/authelia/tasks/main.json @@ -40,6 +40,47 @@ ] } }, + { + "name": "download", + "delegate_to": "localhost", + "ansible.builtin.get_url": { + "url": "https://github.com/authelia/authelia/releases/download/v{{var_authelia_version}}/authelia-v{{var_authelia_version}}-linux-{{var_authelia_variant}}.tar.gz", + "dest": "/tmp/authelia.tar.gz" + } + }, + { + "name": "unpack | preparation", + "delegate_to": "localhost", + "ansible.builtin.file": { + "state": "directory", + "dest": "/tmp/authelia" + } + }, + { + "name": "unpack | execution", + "delegate_to": "localhost", + "ansible.builtin.unarchive": { + "src": "/tmp/authelia.tar.gz", + "dest": "/tmp/authelia" + } + }, + { + "name": "setup binary", + "become": true, + "ansible.builtin.copy": { + "src": "/tmp/authelia/authelia-linux-{{var_authelia_variant}}", + "dest": "/usr/bin/authelia", + "mode": "0744" + } + }, + { + "name": "systemd unit", + "become": true, + "ansible.builtin.template": { + "src": "systemd-unit.j2", + "dest": "/etc/systemd/system/authelia.service" + } + }, { "name": "generate private key for signing OIDC JWTs", "become": true, @@ -80,13 +121,14 @@ "become": true, "ansible.builtin.template": { "src": "users.yml.j2", - "path": "{{var_authelia_users_file_path}}" + "dest": "{{var_authelia_users_file_path}}" } }, { "name": "apply", "become": true, "ansible.builtin.systemd_service": { + "enabled": true, "state": "restarted", "name": "authelia" } diff --git a/ansible/roles/authelia/templates/systemd-unit.j2 b/ansible/roles/authelia/templates/systemd-unit.j2 new file mode 100644 index 0000000..48b2065 --- /dev/null +++ b/ansible/roles/authelia/templates/systemd-unit.j2 @@ -0,0 +1,11 @@ +[Unit] +Description=Authelia authentication and authorization server +After=multi-user.target + +[Service] +Environment=AUTHELIA_SERVER_DISABLE_HEALTHCHECK=true +ExecStart=/usr/bin/authelia --config /etc/authelia/configuration.yml +SyslogIdentifier=authelia + +[Install] +WantedBy=multi-user.target From 2f18fc9570edc70f35cddb3973dfc7ac33402d31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 16 Dec 2023 11:33:38 +0100 Subject: [PATCH 08/61] [mod] role:authelia --- ansible/roles/authelia/defaults/main.json | 2 +- ansible/roles/authelia/files/conf-compose.py | 132 ++++++++++++++ ansible/roles/authelia/info.md | 7 +- ansible/roles/authelia/tasks/main.json | 90 ++++------ .../templates/conf-client-dummy.json.j2 | 7 + .../authelia/templates/conf-main.json.j2 | 166 ++++++++++++++++++ .../authelia/templates/configuration.yml.j2 | 141 --------------- .../roles/authelia/templates/systemd-unit.j2 | 11 -- 8 files changed, 349 insertions(+), 207 deletions(-) create mode 100644 ansible/roles/authelia/files/conf-compose.py create mode 100644 ansible/roles/authelia/templates/conf-client-dummy.json.j2 create mode 100644 ansible/roles/authelia/templates/conf-main.json.j2 delete mode 100644 ansible/roles/authelia/templates/configuration.yml.j2 delete mode 100644 ansible/roles/authelia/templates/systemd-unit.j2 diff --git a/ansible/roles/authelia/defaults/main.json b/ansible/roles/authelia/defaults/main.json index 7c00228..44809f8 100644 --- a/ansible/roles/authelia/defaults/main.json +++ b/ansible/roles/authelia/defaults/main.json @@ -1,6 +1,6 @@ { "var_authelia_version": "4.37.5", - "var_authelia_variant": "amd64", + "var_authelia_architecture": "amd64", "var_authelia_listen_address": "0.0.0.0", "var_authelia_jwt_secret": "authelia_jwt_secret", "var_authelia_users_file_path": "/var/authelia/users.yml", diff --git a/ansible/roles/authelia/files/conf-compose.py b/ansible/roles/authelia/files/conf-compose.py new file mode 100644 index 0000000..92a76b8 --- /dev/null +++ b/ansible/roles/authelia/files/conf-compose.py @@ -0,0 +1,132 @@ +#!/usr/bin/env python3 + +import sys as _sys +import os as _os +import yaml as _yaml +import json as _json +import argparse as _argparse + + +def file_read(path): + handle = open(path, "r") + content = handle.read() + handle.close() + return content + + +def file_write(path, content): + directory = _os.path.dirname(path) + if (not _os.path.exists(directory)): + _os.makedirs(directory, exist_ok = True) + else: + pass + handle = open(path, "w") + handle.write(content) + handle.close() + return content + + +def dict_merge(core, mantle, path = None): + if (path is None): + path = [] + result = {} + for source in [core, mantle]: + for (key, value_new, ) in source.items(): + path_ = (path + [key]) + type_new = type(value_new) + if (not (key in result)): + result[key] = value_new + else: + value_old = result[key] + type_old = type(value_old) + if (value_old is None): + result[key] = value_new + else: + if (not (type_old == type_new)): + raise ValueError( + "type mismatch at path %s: %s vs. %s" + % ( + ".".join(path), + str(type_old), + str(type_new), + ) + ) + else: + if (type_old == dict): + result[key] = dict_merge(value_old, value_new, path_) + elif (type_old == list): + result[key] = (value_old + value_new) + else: + result[key] = value_new + return result + + +def main(): + ## args + argument_parser = _argparse.ArgumentParser() + argument_parser.add_argument( + "-m", + "--main-file-path", + type = str, + dest = "main_file_path", + default = "/etc/authelia/conf.d/main.json", + metavar = "", + ) + argument_parser.add_argument( + "-c", + "--clients-directory-path", + type = str, + dest = "clients_directory_path", + default = "/etc/authelia/conf.d/clients", + metavar = "", + ) + argument_parser.add_argument( + "-f", + "--output-format", + type = str, + choices = ["json", "yaml"], + dest = "output_format", + default = "yaml", + metavar = "", + ) + argument_parser.add_argument( + "-o", + "--output-path", + type = str, + dest = "output_path", + default = "/etc/authelia/configuration.yml", + metavar = "", + ) + args = argument_parser.parse_args() + + ## exec + data = {} + ### main + if True: + data_ = _json.loads(file_read(args.main_file_path)) + data = dict_merge(data, data_) + ### clients + if True: + for name in _os.listdir(args.clients_directory_path): + data__ = _json.loads(file_read(_os.path.join(args.clients_directory_path, name))) + data_ = { + "identity_providers": { + "oidc": { + "clients": [data__] + } + } + } + data = dict_merge(data, data_) + + ## output + if True: + if (args.output_format == "json"): + output_content = _json.dumps(data, indent = "\t") + elif (args.output_format == "yaml"): + output_content = _yaml.dump(data) + else: + raise ValueError("invalid output format") + file_write(args.output_path, output_content) + + +main() diff --git a/ansible/roles/authelia/info.md b/ansible/roles/authelia/info.md index a980bea..f025edb 100644 --- a/ansible/roles/authelia/info.md +++ b/ansible/roles/authelia/info.md @@ -1,6 +1,11 @@ +## Beschreibung + +- zum Aufsetzen des Authentifizierungs-Dienstes [Authelia](https://www.authelia.com/) +- um einen Clients hinzuzfügen, erstellt man eine entsprechende JSON-Datei in `/etc/authelia/conf.d/clients` und führt aus `/usr/bin/authelia-conf-compose` + + ## Verweise -- [Projekt-Website](https://www.authelia.com/) - [GitHub-Seite](https://github.com/authelia/authelia) - [Installations-Anleitung](https://www.authelia.com/integration/deployment/bare-metal/) - [Dokumentation | Konfiguration](https://www.authelia.com/configuration/) diff --git a/ansible/roles/authelia/tasks/main.json b/ansible/roles/authelia/tasks/main.json index fe83c24..945d9cf 100644 --- a/ansible/roles/authelia/tasks/main.json +++ b/ansible/roles/authelia/tasks/main.json @@ -1,7 +1,6 @@ [ { -"when": false, - "name": "prepare package installation 1", + "name": "packages | prerequisites", "become": true, "ansible.builtin.apt": { "pkg": [ @@ -11,16 +10,14 @@ } }, { -"when": false, - "name": "prepare package installation 2", + "name": "packages | keys", "become": true, "ansible.builtin.apt_key": { "url": "https://apt.authelia.com/organization/signing.asc" } }, { -"when": false, - "name": "prepare package installation 3", + "name": "packages | repository", "become": true, "ansible.builtin.apt_repository": { "repo": "deb https://apt.authelia.com/stable/debian/debian/ all main" @@ -28,59 +25,18 @@ }, { -"when": false, - "name": "install packages", + "name": "packages | installation", "become": true, "ansible.builtin.apt": { "update_cache": true, "pkg": [ "openssl", "python3-cryptography", + "python3-yaml", "authelia" ] } }, - { - "name": "download", - "delegate_to": "localhost", - "ansible.builtin.get_url": { - "url": "https://github.com/authelia/authelia/releases/download/v{{var_authelia_version}}/authelia-v{{var_authelia_version}}-linux-{{var_authelia_variant}}.tar.gz", - "dest": "/tmp/authelia.tar.gz" - } - }, - { - "name": "unpack | preparation", - "delegate_to": "localhost", - "ansible.builtin.file": { - "state": "directory", - "dest": "/tmp/authelia" - } - }, - { - "name": "unpack | execution", - "delegate_to": "localhost", - "ansible.builtin.unarchive": { - "src": "/tmp/authelia.tar.gz", - "dest": "/tmp/authelia" - } - }, - { - "name": "setup binary", - "become": true, - "ansible.builtin.copy": { - "src": "/tmp/authelia/authelia-linux-{{var_authelia_variant}}", - "dest": "/usr/bin/authelia", - "mode": "0744" - } - }, - { - "name": "systemd unit", - "become": true, - "ansible.builtin.template": { - "src": "systemd-unit.j2", - "dest": "/etc/systemd/system/authelia.service" - } - }, { "name": "generate private key for signing OIDC JWTs", "become": true, @@ -93,11 +49,40 @@ "register": "temp_tls_result" }, { - "name": "emplace configuration", + "name": "configuration | compose script", + "become": true, + "ansible.builtin.copy": { + "src": "conf-compose.py", + "dest": "/usr/bin/authelia-conf-compose", + "mode": "0700" + } + }, + { + "name": "configuration | directories", + "become": true, + "loop": [ + "/etc/authelia/conf.d", + "/etc/authelia/conf.d/clients" + ], + "ansible.builtin.file": { + "state": "directory", + "path": "{{item}}" + } + }, + { + "name": "configuration | main", "become": true, "ansible.builtin.template": { - "src": "configuration.yml.j2", - "dest": "/etc/authelia/configuration.yml" + "src": "conf-main.json.j2", + "dest": "/etc/authelia/conf.d/main.json" + } + }, + { + "name": "configuration | client | dummy", + "become": true, + "ansible.builtin.template": { + "src": "conf-client-dummy.json.j2", + "dest": "/etc/authelia/conf.d/clients/dummy.json" } }, { @@ -128,7 +113,6 @@ "name": "apply", "become": true, "ansible.builtin.systemd_service": { - "enabled": true, "state": "restarted", "name": "authelia" } diff --git a/ansible/roles/authelia/templates/conf-client-dummy.json.j2 b/ansible/roles/authelia/templates/conf-client-dummy.json.j2 new file mode 100644 index 0000000..88dcf25 --- /dev/null +++ b/ansible/roles/authelia/templates/conf-client-dummy.json.j2 @@ -0,0 +1,7 @@ +{ + "public": false, + "id": "dummy", + "secret": "d1424b378e4fbbc153f330f33b74ab192525b98cc2dd58b2e8d01c2737be00c6", + "redirect_uris": [ + ] +} diff --git a/ansible/roles/authelia/templates/conf-main.json.j2 b/ansible/roles/authelia/templates/conf-main.json.j2 new file mode 100644 index 0000000..5fa6b6d --- /dev/null +++ b/ansible/roles/authelia/templates/conf-main.json.j2 @@ -0,0 +1,166 @@ +{ + "theme": "auto", + "jwt_secret": "{{var_authelia_jwt_secret}}", + "default_2fa_method": "totp", + "server": { + "host": "{{var_authelia_listen_address}}", + "port": 9091, + "path": "", + "enable_pprof": false, + "enable_expvars": false, + "disable_healthcheck": false + }, + "log": { + "level": "info", + "format": "json", + "file_path": "{{var_authelia_log_file_path}}", + "keep_stdout": false + }, + "telemetry": { + "metrics": { + "enabled": false, + "address": "tcp://0.0.0.0:9959" + } + }, + "totp": { + "disable": false, + "issuer": "authelia.com", + "algorithm": "sha1", + "digits": 6, + "period": 30, + "skew": 1, + "secret_size": 32 + }, + "webauthn": { + "disable": true, + "timeout": "60s", + "display_name": "Authelia", + "attestation_conveyance_preference": "indirect", + "user_verification": "preferred" + }, + "ntp": { + "address": "{{var_authelia_ntp_server}}", + "version": 4, + "max_desync": "3s", + "disable_startup_check": false, + "disable_failure": false + }, + "authentication_backend": { + "password_reset": { + "disable": true, + "custom_url": "" + }, + "refresh_interval": "5m", + "file": { + "path": "{{var_authelia_users_file_path}}", + "watch": true, + "search": { + "email": false, + "case_insensitive": false + }, + "password": { + "algorithm": "argon2", + "argon2": { + "variant": "argon2id", + "iterations": 3, + "memory": 65536, + "parallelism": 4, + "key_length": 32, + "salt_length": 16 + }, + "scrypt": { + "iterations": 16, + "block_size": 8, + "parallelism": 1, + "key_length": 32, + "salt_length": 16 + }, + "pbkdf2": { + "variant": "sha512", + "iterations": 310000, + "salt_length": 16 + }, + "sha2crypt": { + "variant": "sha512", + "iterations": 50000, + "salt_length": 16 + }, + "bcrypt": { + "variant": "standard", + "cost": 12 + } + } + } + }, + "password_policy": { + "standard": { + "enabled": false, + "min_length": 8, + "max_length": 0, + "require_uppercase": true, + "require_lowercase": true, + "require_number": true, + "require_special": true + }, + "zxcvbn": { + "enabled": false, + "min_score": 3 + } + }, + "access_control": { + "default_policy": "one_factor" + }, + "session": { + "name": "authelia_session", + "domain": "{{var_authelia_session_domain}}", + "same_site": "lax", + "secret": "{{var_authelia_session_secret}}", + "expiration": "1h", + "inactivity": "5m", + "remember_me_duration": "1M" + }, + "regulation": { + "max_retries": 3, + "find_time": "2m", + "ban_time": "5m" + }, + "storage": { + "encryption_key": "{{var_authelia_storage_encryption_key}}", + "local": { + "path": "{{var_authelia_storage_path}}" + } + }, + "notifier": { + "disable_startup_check": true, +{% if var_authelia_notification_mode == "file" %} + "filesystem": { + "filename": "{{var_authelia_notification_file_path}}" + } +{% endif %} +{% if var_authelia_notification_mode == "smtp" %} + "smtp": { + "host": "{{var_authelia_notification_smtp_host}}", + "port": {{var_authelia_notification_smtp_port}}, + "username": "{{var_authelia_notification_smtp_username}}", + "password": "{{var_authelia_notification_smtp_password}}", + "sender": "{{var_authelia_notification_smtp_sender}}", + "disable_require_tls": false, + "disable_html_emails": false, + "tls": { + "skip_verify": false + } + } +{% endif %} + }, + "identity_providers": { + "oidc": { + "hmac_secret": "{{var_authelia_oidc_hmac_secret}}", + "issuer_private_key": "{{temp_tls_result.privatekey | replace('\n', '\\n')}}", + "cors": { + "allowed_origins_from_client_redirect_uris": true + }, + "clients": [ + ] + } + } +} diff --git a/ansible/roles/authelia/templates/configuration.yml.j2 b/ansible/roles/authelia/templates/configuration.yml.j2 deleted file mode 100644 index 8fc19ad..0000000 --- a/ansible/roles/authelia/templates/configuration.yml.j2 +++ /dev/null @@ -1,141 +0,0 @@ -theme: auto -jwt_secret: "{{var_authelia_jwt_secret}}" -default_2fa_method: totp -server: - host: "{{var_authelia_listen_address}}" - port: 9091 - path: "" - enable_pprof: false - enable_expvars: false - disable_healthcheck: false -log: - level: info - format: json - file_path: {{var_authelia_log_file_path}} - keep_stdout: false -telemetry: - metrics: - enabled: false - address: tcp://0.0.0.0:9959 -totp: - disable: false - issuer: authelia.com - algorithm: sha1 - digits: 6 - period: 30 - skew: 1 - secret_size: 32 -webauthn: - disable: true - timeout: 60s - display_name: Authelia - attestation_conveyance_preference: indirect - user_verification: preferred -ntp: - address: "{{var_authelia_ntp_server}}" - version: 4 - max_desync: 3s - disable_startup_check: false - disable_failure: false -authentication_backend: - password_reset: - disable: true - custom_url: "" - refresh_interval: 5m - file: - path: "{{var_authelia_users_file_path}}" - watch: true - search: - email: false - case_insensitive: false - password: - algorithm: argon2 - argon2: - variant: argon2id - iterations: 3 - memory: 65536 - parallelism: 4 - key_length: 32 - salt_length: 16 - scrypt: - iterations: 16 - block_size: 8 - parallelism: 1 - key_length: 32 - salt_length: 16 - pbkdf2: - variant: sha512 - iterations: 310000 - salt_length: 16 - sha2crypt: - variant: sha512 - iterations: 50000 - salt_length: 16 - bcrypt: - variant: standard - cost: 12 -password_policy: - standard: - enabled: false - min_length: 8 - max_length: 0 - require_uppercase: true - require_lowercase: true - require_number: true - require_special: true - zxcvbn: - enabled: false - min_score: 3 -access_control: - default_policy: one_factor -session: - name: authelia_session - domain: "{{var_authelia_session_domain}}" - same_site: lax - secret: "{{var_authelia_session_secret}}" - expiration: 1h - inactivity: 5m - remember_me_duration: 1M -regulation: - max_retries: 3 - find_time: 2m - ban_time: 5m -storage: - encryption_key: "{{var_authelia_storage_encryption_key}}" - local: - path: "{{var_authelia_storage_path}}" -notifier: - disable_startup_check: true -{% if var_authelia_notification_mode == "file" %} - filesystem: - filename: {{var_authelia_notification_file_path}} -{% endif %} -{% if var_authelia_notification_mode == "smtp" %} - smtp: - host: "{{var_authelia_notification_smtp_host}}" - port: {{var_authelia_notification_smtp_port}} - username: "{{var_authelia_notification_smtp_username}}" - password: "{{var_authelia_notification_smtp_password}}" - sender: "{{var_authelia_notification_smtp_sender}}" - disable_require_tls: false - disable_html_emails: false - tls: - skip_verify: false -{% endif %} -identity_providers: - oidc: - hmac_secret: "{{var_authelia_oidc_hmac_secret}}" - issuer_private_key: | -{% filter indent(width=6) %} - {{temp_tls_result.privatekey}} -{% endfilter %} - cors: - allowed_origins_from_client_redirect_uris: true - clients: - - - public: false - id: "dummy" - secret: "d1424b378e4fbbc153f330f33b74ab192525b98cc2dd58b2e8d01c2737be00c6" - redirect_uris: [] - -... diff --git a/ansible/roles/authelia/templates/systemd-unit.j2 b/ansible/roles/authelia/templates/systemd-unit.j2 deleted file mode 100644 index 48b2065..0000000 --- a/ansible/roles/authelia/templates/systemd-unit.j2 +++ /dev/null @@ -1,11 +0,0 @@ -[Unit] -Description=Authelia authentication and authorization server -After=multi-user.target - -[Service] -Environment=AUTHELIA_SERVER_DISABLE_HEALTHCHECK=true -ExecStart=/usr/bin/authelia --config /etc/authelia/configuration.yml -SyslogIdentifier=authelia - -[Install] -WantedBy=multi-user.target From d59a64c36d51741dbc9ce2a1ce875b5fa6305fef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 16 Dec 2023 15:13:01 +0100 Subject: [PATCH 09/61] [mod] role:hedgedoc --- ansible/roles/hedgedoc/defaults/main.json | 10 +- ansible/roles/hedgedoc/info.md | 8 +- ansible/roles/hedgedoc/tasks/main.json | 91 +++++++++++++++++++ .../roles/hedgedoc/templates/config.json.j2 | 45 +++++---- .../roles/hedgedoc/templates/systemd-unit.j2 | 13 +++ 5 files changed, 149 insertions(+), 18 deletions(-) create mode 100644 ansible/roles/hedgedoc/templates/systemd-unit.j2 diff --git a/ansible/roles/hedgedoc/defaults/main.json b/ansible/roles/hedgedoc/defaults/main.json index c79099c..b7e9a3c 100644 --- a/ansible/roles/hedgedoc/defaults/main.json +++ b/ansible/roles/hedgedoc/defaults/main.json @@ -1,5 +1,13 @@ { + "var_hedgedoc_version": "1.9.9", "var_hedgedoc_session_secret": "session_secret", "var_hedgedoc_database_path": "/var/hedgedoc/data.sqlite", - "var_hedgedoc_oauth2_provider_name": "external auth" + "var_hedgedoc_domain": "hedgedoc.example.org", + "var_hedgedoc_oauth2_enable": false, + "var_hedgedoc_oauth2_provider_name": "external auth", + "var_hedgedoc_oauth2_client_id": "hedgedoc", + "var_hedgedoc_oauth2_client_secret": "REPLACE_ME", + "var_hedgedoc_oauth2_user_profile_url": "https://auth.example.org/profile", + "var_hedgedoc_oauth2_token_url": "https://auth.example.org/token", + "var_hedgedoc_oauth2_authorization_url": "https://auth.example.org/authorization" } diff --git a/ansible/roles/hedgedoc/info.md b/ansible/roles/hedgedoc/info.md index e2c1fa2..7f5ab1a 100644 --- a/ansible/roles/hedgedoc/info.md +++ b/ansible/roles/hedgedoc/info.md @@ -1,3 +1,9 @@ +## Beschreibung + +Kollaborativer Editor [Hedgedoc](https://docs.hedgedoc.org/) + + ## Verweise -- [Projekt-Website](https://docs.hedgedoc.org/) +- [Dokumentation | Manual Installation](https://docs.hedgedoc.org/setup/manual-setup/) +- [Dokumentation | Configuration](https://docs.hedgedoc.org/configuration/) diff --git a/ansible/roles/hedgedoc/tasks/main.json b/ansible/roles/hedgedoc/tasks/main.json index 0d4f101..0285ae7 100644 --- a/ansible/roles/hedgedoc/tasks/main.json +++ b/ansible/roles/hedgedoc/tasks/main.json @@ -1,2 +1,93 @@ [ + { + "name": "packages", + "become": true, + "ansible.builtin.apt": { + "pkg": [ + "acl", + "git", + "nodejs", + "npm", + "yarnpkg" + ] + } + }, + { + "name": "link yarn", + "become": true, + "ansible.builtin.file": { + "state": "link", + "src": "/usr/bin/yarnpkg", + "dest": "/usr/bin/yarn" + } + }, + { + "name": "user", + "become": true, + "ansible.builtin.user": { + "name": "hedgedoc", + "create_home": true + } + }, + { + "name": "download", + "become": false, + "ansible.builtin.get_url": { + "url": "https://github.com/hedgedoc/hedgedoc/releases/download/{{var_hedgedoc_version}}/hedgedoc-{{var_hedgedoc_version}}.tar.gz", + "dest": "/tmp/hedgedoc.tar.gz" + } + }, + { + "name": "extract", + "become": true, + "ansible.builtin.unarchive": { + "remote_src": true, + "src": "/tmp/hedgedoc.tar.gz", + "dest": "/opt", + "owner": "hedgedoc" + } + }, + { + "name": "setup", + "become": true, + "become_user": "hedgedoc", + "ansible.builtin.command": { + "chdir": "/opt/hedgedoc", + "cmd": "bin/setup" + } + }, + { + "name": "database", + "become": true, + "ansible.builtin.file": { + "state": "touch", + "path": "{{var_hedgedoc_database_path}}", + "owner": "hedgedoc" + } + }, + { + "name": "configuration", + "become": true, + "ansible.builtin.template": { + "src": "config.json.j2", + "dest": "/opt/hedgedoc/config.json" + } + }, + { + "name": "systemd", + "become": true, + "ansible.builtin.template": { + "src": "systemd-unit.j2", + "dest": "/etc/systemd/system/hedgedoc.service" + } + }, + { + "name": "apply", + "become": true, + "ansible.builtin.systemd_service": { + "enabled": true, + "state": "started", + "name": "hedgedoc" + } + } ] diff --git a/ansible/roles/hedgedoc/templates/config.json.j2 b/ansible/roles/hedgedoc/templates/config.json.j2 index d5f04cc..a1b9b2d 100644 --- a/ansible/roles/hedgedoc/templates/config.json.j2 +++ b/ansible/roles/hedgedoc/templates/config.json.j2 @@ -1,28 +1,41 @@ { - "development": { - "domain": "localhost:3000", - "url": { - "addport": true - }, - "loglevel": "debug", - "sessionSecret": "{{var_hedgedoc_session_secret}}", + "production": { + "loglevel": "error", "db": { "dialect": "sqlite", - "storage": "./db.hedgedoc.sqlite" + "storage": "{{var_hedgedoc_database_path}}" }, + "sessionSecret": "{{var_hedgedoc_session_secret}}", + "host": "localhost", + "allowOrigin": [ + "localhost" + ], + "domain": "{{var_hedgedoc_domain}}", "urlAddPort": false, - "protocolUseSSL": false, + "protocolUseSSL": true, +{% if var_hedgedoc_oauth2_enable %} "oauth2": { - "providerName": "authelia", - "clientId": "b45421efcb7b1e5672d9b2bc55b3fdb2b6c62f3a72668110bd38f77fa1242ece", - "clientSecret": "e8493098b9a280610a2ba9fa0b49f14035a9f048e8505cf4981f0555a2885655", + "providerName": "{{var_hedgedoc_oauth2_provider_name}}", + "clientID": "{{var_hedgedoc_oauth2_client_id}}", + "clientSecret": "{{var_hedgedoc_oauth2_client_secret}}", "scope": "openid email profile", "userProfileUsernameAttr": "sub", "userProfileDisplayNameAttr": "name", "userProfileEmailAttr": "email", - "userProfileUrl": "http://authelia.local:9091/api/oidc/userinfo", - "tokenUrl": "http://authelia.local:9091/api/oidc/token", - "authorizationUrl": "http://authelia.local:9091/api/oidc/authorize" - } + "userProfileURL": "{{var_hedgedoc_oauth2_user_profile_url}}", + "tokenURL": "{{var_hedgedoc_oauth2_token_url}}", + "authorizationURL": "{{var_hedgedoc_oauth2_authorization_url}}" + }, + "email": false, + "allowEmailRegister": false, +{% else %} + "email": true, + "allowEmailRegister": true, +{% endif %} + "allowAnonymous": false, + "allowAnonymousEdits": true, + "allowFreeURL": true, + "requireFreeURLAuthentication": true, + "defaultPermission": "editable" } } diff --git a/ansible/roles/hedgedoc/templates/systemd-unit.j2 b/ansible/roles/hedgedoc/templates/systemd-unit.j2 new file mode 100644 index 0000000..f2574df --- /dev/null +++ b/ansible/roles/hedgedoc/templates/systemd-unit.j2 @@ -0,0 +1,13 @@ +[Unit] +Description=Hedgedoc +After=multi-user.target + +[Service] +WorkingDirectory=/opt/hedgedoc +Environment=NODE_ENV=production +ExecStart=yarn start +SyslogIdentifier=hedgedoc + +[Install] +WantedBy=multi-user.target + From 33186a15cccac0d55a2d373534c069228a71be35 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 16 Dec 2023 15:15:35 +0100 Subject: [PATCH 10/61] [add] role:hedgedoc-and-nginx --- .../hedgedoc-and-nginx/defaults/main.json | 3 ++ ansible/roles/hedgedoc-and-nginx/info.md | 8 +++++ .../roles/hedgedoc-and-nginx/tasks/main.json | 35 +++++++++++++++++++ .../hedgedoc-and-nginx/templates/conf.j2 | 32 +++++++++++++++++ 4 files changed, 78 insertions(+) create mode 100644 ansible/roles/hedgedoc-and-nginx/defaults/main.json create mode 100644 ansible/roles/hedgedoc-and-nginx/info.md create mode 100644 ansible/roles/hedgedoc-and-nginx/tasks/main.json create mode 100644 ansible/roles/hedgedoc-and-nginx/templates/conf.j2 diff --git a/ansible/roles/hedgedoc-and-nginx/defaults/main.json b/ansible/roles/hedgedoc-and-nginx/defaults/main.json new file mode 100644 index 0000000..840159e --- /dev/null +++ b/ansible/roles/hedgedoc-and-nginx/defaults/main.json @@ -0,0 +1,3 @@ +{ + "var_hedgedoc_and_nginx_domain": "hedgedoc.example.org" +} diff --git a/ansible/roles/hedgedoc-and-nginx/info.md b/ansible/roles/hedgedoc-and-nginx/info.md new file mode 100644 index 0000000..7437bf0 --- /dev/null +++ b/ansible/roles/hedgedoc-and-nginx/info.md @@ -0,0 +1,8 @@ +## Beschreibung + +Um [Hedgedoc](../hedgedoc) mit mittels [nginx](../nginx)-reverse-proxy laufen zu lassen + + +## Verweise + +- [Hedgedoc-Dokumentation](https://docs.hedgedoc.org/guides/reverse-proxy/#nginx) diff --git a/ansible/roles/hedgedoc-and-nginx/tasks/main.json b/ansible/roles/hedgedoc-and-nginx/tasks/main.json new file mode 100644 index 0000000..40614bb --- /dev/null +++ b/ansible/roles/hedgedoc-and-nginx/tasks/main.json @@ -0,0 +1,35 @@ +[ + { + "name": "deactivate default site", + "become": true, + "ansible.builtin.file": { + "state": "absent", + "dest": "/etc/nginx/sites-enabled/default" + } + }, + { + "name": "emplace configuration | data", + "become": true, + "ansible.builtin.template": { + "src": "conf.j2", + "dest": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}" + } + }, + { + "name": "emplace configuration | link", + "become": true, + "ansible.builtin.file": { + "state": "link", + "src": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}", + "dest": "/etc/nginx/sites-enabled/{{var_hedgedoc_and_nginx_domain}}" + } + }, + { + "name": "restart nginx", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "nginx" + } + } +] diff --git a/ansible/roles/hedgedoc-and-nginx/templates/conf.j2 b/ansible/roles/hedgedoc-and-nginx/templates/conf.j2 new file mode 100644 index 0000000..0760df4 --- /dev/null +++ b/ansible/roles/hedgedoc-and-nginx/templates/conf.j2 @@ -0,0 +1,32 @@ +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +server { + server_name {{var_hedgedoc_and_nginx_domain}}; + + listen [::]:443 ssl http2; + listen 443 ssl http2; + + ssl_certificate /etc/ssl/certs/{{var_hedgedoc_and_nginx_domain}}.pem; + ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem; + + location / { + proxy_pass http://localhost:3000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /socket.io/ { + proxy_pass http://localhost:3000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + } +} From adda3f667720554135ec6620935bd523f62401f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 16 Dec 2023 15:16:45 +0100 Subject: [PATCH 11/61] [add] role:authelia-for-hedgedoc --- .../authelia-for-hedgedoc/defaults/main.json | 5 ++++ ansible/roles/authelia-for-hedgedoc/info.md | 10 +++++++ .../authelia-for-hedgedoc/tasks/main.json | 25 +++++++++++++++++ .../templates/authelia-client-conf.json.j2 | 28 +++++++++++++++++++ 4 files changed, 68 insertions(+) create mode 100644 ansible/roles/authelia-for-hedgedoc/defaults/main.json create mode 100644 ansible/roles/authelia-for-hedgedoc/info.md create mode 100644 ansible/roles/authelia-for-hedgedoc/tasks/main.json create mode 100644 ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 diff --git a/ansible/roles/authelia-for-hedgedoc/defaults/main.json b/ansible/roles/authelia-for-hedgedoc/defaults/main.json new file mode 100644 index 0000000..b1e3329 --- /dev/null +++ b/ansible/roles/authelia-for-hedgedoc/defaults/main.json @@ -0,0 +1,5 @@ +{ + "var_authelia_for_hedgedoc_hedgedoc_url_base": "https://hedgedoc.example.org", + "var_authelia_for_hedgedoc_client_id": "hedgedoc", + "var_authelia_for_hedgedoc_client_secret": "REPLACE_ME" +} diff --git a/ansible/roles/authelia-for-hedgedoc/info.md b/ansible/roles/authelia-for-hedgedoc/info.md new file mode 100644 index 0000000..ef620fc --- /dev/null +++ b/ansible/roles/authelia-for-hedgedoc/info.md @@ -0,0 +1,10 @@ +## Beschreibung + +Um [Hedgedoc](../hedgedoc) gegen [Authelia](../authelia) authentifizieren zu lassen + + +## Verweise + +- [Authelia-Dokumentation | Configuration: OpenID Connect: Client](https://www.authelia.com/configuration/identity-providers/open-id-connect/#clients) +- [Hedgedoc-Dokumentation | Authelia](https://docs.hedgedoc.org/guides/auth/authelia/) +- [Hedgedoc-Dokumentation | Conf: OAuth2 Login](https://docs.hedgedoc.org/configuration/#oauth2-login) diff --git a/ansible/roles/authelia-for-hedgedoc/tasks/main.json b/ansible/roles/authelia-for-hedgedoc/tasks/main.json new file mode 100644 index 0000000..23c6dab --- /dev/null +++ b/ansible/roles/authelia-for-hedgedoc/tasks/main.json @@ -0,0 +1,25 @@ +[ + { + "name": "configuration | emplace", + "become": true, + "ansible.builtin.template": { + "src": "authelia-client-conf.json.j2", + "dest": "/etc/authelia/conf.d/clients/hedgedoc.json" + } + }, + { + "name": "configuration | apply", + "become": true, + "ansible.builtin.command": { + "cmd": "/usr/bin/authelia-conf-compose" + } + }, + { + "name": "restart service", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "authelia" + } + } +] diff --git a/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 b/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 new file mode 100644 index 0000000..3024226 --- /dev/null +++ b/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 @@ -0,0 +1,28 @@ +{ + "id": "{{var_authelia_for_hedgedoc_client_id}}", + "description": "Hedgedoc", + "secret": "{{var_authelia_for_hedgedoc_client_secret}}", + "public": false, + "authorization_policy": "one_factor", + "scopes": [ + "openid", + "email", + "profile" + ], + "redirect_uris": [ + "{{var_authelia_for_hedgedoc_hedgedoc_url_base}}/auth/oauth2/callback" + ], + "grant_types": [ + "refresh_token", + "authorization_code" + ], + "response_types": [ + "code" + ], + "response_modes": [ + "form_post", + "query", + "fragment" + ], + "userinfo_signing_algorithm": "none" +} From ed282bb9eebee8504a940bc12574d08e8362a2d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 16 Dec 2023 15:13:41 +0100 Subject: [PATCH 12/61] [fix] role:authelia: --- ansible/roles/authelia/tasks/main.json | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ansible/roles/authelia/tasks/main.json b/ansible/roles/authelia/tasks/main.json index 945d9cf..22cfd21 100644 --- a/ansible/roles/authelia/tasks/main.json +++ b/ansible/roles/authelia/tasks/main.json @@ -85,6 +85,13 @@ "dest": "/etc/authelia/conf.d/clients/dummy.json" } }, + { + "name": "configuration | compose", + "become": true, + "ansible.builtin.command": { + "cmd": "/usr/bin/authelia-conf-compose --main-file-path=/etc/authelia/conf.d/main.json --clients-directory-path=/etc/authelia/conf.d/clients --output-format=yaml --output-path=/etc/authelia/configuration.yml" + } + }, { "name": "setup log directory", "become": true, From c943418942370112ea6add512f24cabdd7d1305b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 16 Dec 2023 15:14:21 +0100 Subject: [PATCH 13/61] [fix] role:authelia-and-nginx --- .../authelia-and-nginx/templates/conf.j2 | 52 ++++++++++++++++--- 1 file changed, 44 insertions(+), 8 deletions(-) diff --git a/ansible/roles/authelia-and-nginx/templates/conf.j2 b/ansible/roles/authelia-and-nginx/templates/conf.j2 index 8202046..67fcd50 100644 --- a/ansible/roles/authelia-and-nginx/templates/conf.j2 +++ b/ansible/roles/authelia-and-nginx/templates/conf.j2 @@ -1,26 +1,62 @@ server { + server_name {{var_authelia_and_nginx_domain}}; + + listen [::]:80; listen 80; - server_name auth.*; return 301 https://$server_name$request_uri; } server { - listen 443 ssl http2; server_name {{var_authelia_and_nginx_domain}}; - # include /config/nginx/snippets/ssl.conf; + listen [::]:443 ssl http2; + listen 443 ssl http2; + ssl_certificate /etc/ssl/certs/{{var_authelia_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem; - set $upstream http://localhost:9091; - location / { - # include /config/nginx/snippets/proxy.conf; - proxy_pass $upstream; + ## Headers + proxy_set_header Host $host; + proxy_set_header X-Original-URL $scheme://$http_host$request_uri; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Uri $request_uri; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Connection ""; + + ## Basic Proxy Configuration + client_body_buffer_size 128k; + proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead. + proxy_redirect http:// $scheme://; + proxy_http_version 1.1; + proxy_cache_bypass $cookie_session; + proxy_no_cache $cookie_session; + proxy_buffers 64 256k; + + ## Trusted Proxies Configuration + ## Please read the following documentation before configuring this: + ## https://www.authelia.com/integration/proxies/nginx/#trusted-proxies + # set_real_ip_from 10.0.0.0/8; + # set_real_ip_from 172.16.0.0/12; + # set_real_ip_from 192.168.0.0/16; + # set_real_ip_from fc00::/7; + real_ip_header X-Forwarded-For; + real_ip_recursive on; + + ## Advanced Proxy Configuration + send_timeout 5m; + proxy_read_timeout 360; + proxy_send_timeout 360; + proxy_connect_timeout 360; + + proxy_pass http://localhost:9091; } location /api/verify { - proxy_pass $upstream; + proxy_pass http://localhost:9091; } } From e6021f4a9c2250605bb1b5c8c12730609318f3d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 00:16:15 +0100 Subject: [PATCH 14/61] [fix] role:authelia --- ansible/roles/authelia/defaults/main.json | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/ansible/roles/authelia/defaults/main.json b/ansible/roles/authelia/defaults/main.json index 44809f8..4dd3749 100644 --- a/ansible/roles/authelia/defaults/main.json +++ b/ansible/roles/authelia/defaults/main.json @@ -2,11 +2,11 @@ "var_authelia_version": "4.37.5", "var_authelia_architecture": "amd64", "var_authelia_listen_address": "0.0.0.0", - "var_authelia_jwt_secret": "authelia_jwt_secret", + "var_authelia_jwt_secret": "REPLACE_ME", "var_authelia_users_file_path": "/var/authelia/users.yml", "var_authelia_log_file_path": "/var/log/authelia.log", "var_authelia_session_domain": "example.org", - "var_authelia_session_secret": "session_secret", + "var_authelia_session_secret": "REPLACE_ME", "var_authelia_storage_path": "/var/authelia/state.db", "var_authelia_storage_encryption_key": "storage_encryption_key", "var_authelia_ntp_server": "time.cloudflare.com:123", @@ -15,8 +15,7 @@ "var_authelia_notification_smtp_host": "smtp.example.org", "var_authelia_notification_smtp_port": "465", "var_authelia_notification_smtp_username": "authelia", - "var_authelia_notification_smtp_username": "smtp_password", - "var_authelia_notification_smtp_sender": "Authelia", + "var_authelia_notification_smtp_password": "smtp_password", "var_authelia_notification_smtp_sender": "Authelia", "var_authelia_oidc_hmac_secret": "oidc_hmac_secret" } From 21acd5c745da835c0070ac0915788f3c7fe20c77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 00:23:21 +0100 Subject: [PATCH 15/61] [add] role:authelia-for-synapse --- .../authelia-for-synapse/defaults/main.json | 5 ++++ ansible/roles/authelia-for-synapse/info.md | 9 +++++++ .../authelia-for-synapse/tasks/main.json | 25 +++++++++++++++++++ .../templates/authelia-client-conf.json.j2 | 16 ++++++++++++ 4 files changed, 55 insertions(+) create mode 100644 ansible/roles/authelia-for-synapse/defaults/main.json create mode 100644 ansible/roles/authelia-for-synapse/info.md create mode 100644 ansible/roles/authelia-for-synapse/tasks/main.json create mode 100644 ansible/roles/authelia-for-synapse/templates/authelia-client-conf.json.j2 diff --git a/ansible/roles/authelia-for-synapse/defaults/main.json b/ansible/roles/authelia-for-synapse/defaults/main.json new file mode 100644 index 0000000..c140a23 --- /dev/null +++ b/ansible/roles/authelia-for-synapse/defaults/main.json @@ -0,0 +1,5 @@ +{ + "var_authelia_for_synapse_synapse_url_base": "https://matrix.example.org", + "var_authelia_for_synapse_client_id": "synapse", + "var_authelia_for_synapse_client_secret": "REPLACE_ME" +} diff --git a/ansible/roles/authelia-for-synapse/info.md b/ansible/roles/authelia-for-synapse/info.md new file mode 100644 index 0000000..2ec06a0 --- /dev/null +++ b/ansible/roles/authelia-for-synapse/info.md @@ -0,0 +1,9 @@ +## Beschreibung + +Um [Synapse](../synapse) gegen [Authelia](../authelia) authentifizieren zu lassen + + +## Verweise + +- [Authelia-Dokumentation | Synapse Integration](https://www.authelia.com/integration/openid-connect/synapse/) +- [Synapse-Dokumentation | OpenID Connect](https://matrix-org.github.io/synapse/latest/openid.html) diff --git a/ansible/roles/authelia-for-synapse/tasks/main.json b/ansible/roles/authelia-for-synapse/tasks/main.json new file mode 100644 index 0000000..25aa632 --- /dev/null +++ b/ansible/roles/authelia-for-synapse/tasks/main.json @@ -0,0 +1,25 @@ +[ + { + "name": "configuration | emplace", + "become": true, + "ansible.builtin.template": { + "src": "authelia-client-conf.json.j2", + "dest": "/etc/authelia/conf.d/clients/synapse.json" + } + }, + { + "name": "configuration | apply", + "become": true, + "ansible.builtin.command": { + "cmd": "/usr/bin/authelia-conf-compose" + } + }, + { + "name": "restart service", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "authelia" + } + } +] diff --git a/ansible/roles/authelia-for-synapse/templates/authelia-client-conf.json.j2 b/ansible/roles/authelia-for-synapse/templates/authelia-client-conf.json.j2 new file mode 100644 index 0000000..be88570 --- /dev/null +++ b/ansible/roles/authelia-for-synapse/templates/authelia-client-conf.json.j2 @@ -0,0 +1,16 @@ +{ + "id": "{{var_authelia_for_synapse_client_id}}", + "description": "Synapse", + "secret": "{{var_authelia_for_synapse_client_secret}}", + "public": false, + "authorization_policy": "one_factor", + "redirect_uris": [ + "{{var_authelia_for_synapse_synapse_url_base}}/_synapse/client/oidc/callback" + ], + "scopes": [ + "openid", + "email", + "profile" + ], + "userinfo_signing_algorithm": "none" +} From b9e036e5526c12a71dc34af56a4cb31d1c9b913d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 00:04:07 +0100 Subject: [PATCH 16/61] [fix] role:hedgedoc --- ansible/roles/hedgedoc/info.md | 5 +++++ ansible/roles/hedgedoc/tasks/main.json | 17 +++++++++++++---- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/ansible/roles/hedgedoc/info.md b/ansible/roles/hedgedoc/info.md index 7f5ab1a..a3c2473 100644 --- a/ansible/roles/hedgedoc/info.md +++ b/ansible/roles/hedgedoc/info.md @@ -7,3 +7,8 @@ Kollaborativer Editor [Hedgedoc](https://docs.hedgedoc.org/) - [Dokumentation | Manual Installation](https://docs.hedgedoc.org/setup/manual-setup/) - [Dokumentation | Configuration](https://docs.hedgedoc.org/configuration/) + + +## Bemerkungen + +- Login über OAuth2 funktioniert vermutlich nicht mit abgelehnten TLS-Zertifikaten (z.B. selbst-signierten) diff --git a/ansible/roles/hedgedoc/tasks/main.json b/ansible/roles/hedgedoc/tasks/main.json index 0285ae7..193af87 100644 --- a/ansible/roles/hedgedoc/tasks/main.json +++ b/ansible/roles/hedgedoc/tasks/main.json @@ -13,7 +13,7 @@ } }, { - "name": "link yarn", + "name": "yarn link", "become": true, "ansible.builtin.file": { "state": "link", @@ -48,7 +48,7 @@ } }, { - "name": "setup", + "name": "setup script", "become": true, "become_user": "hedgedoc", "ansible.builtin.command": { @@ -56,6 +56,15 @@ "cmd": "bin/setup" } }, + { + "name": "var directory", + "become": true, + "ansible.builtin.file": { + "state": "directory", + "path": "{{var_hedgedoc_database_path | dirname}}", + "owner": "hedgedoc" + } + }, { "name": "database", "become": true, @@ -74,7 +83,7 @@ } }, { - "name": "systemd", + "name": "systemd unit", "become": true, "ansible.builtin.template": { "src": "systemd-unit.j2", @@ -82,7 +91,7 @@ } }, { - "name": "apply", + "name": "start", "become": true, "ansible.builtin.systemd_service": { "enabled": true, From 148df7737065fc33683b011375fa2c653c552e7e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 00:30:48 +0100 Subject: [PATCH 17/61] [fix] role:authelia-and-nginx --- ansible/roles/authelia-and-nginx/templates/conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/authelia-and-nginx/templates/conf.j2 b/ansible/roles/authelia-and-nginx/templates/conf.j2 index 67fcd50..bd0cbeb 100644 --- a/ansible/roles/authelia-and-nginx/templates/conf.j2 +++ b/ansible/roles/authelia-and-nginx/templates/conf.j2 @@ -13,7 +13,7 @@ server { listen [::]:443 ssl http2; listen 443 ssl http2; - ssl_certificate /etc/ssl/certs/{{var_authelia_and_nginx_domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem; location / { From 7615a64d56131c515c19ffd378b2f3d1cc1e9825 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 00:31:03 +0100 Subject: [PATCH 18/61] [mod] role:authelia-and-nginx:info --- ansible/roles/authelia/info.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/authelia/info.md b/ansible/roles/authelia/info.md index f025edb..abdb2ac 100644 --- a/ansible/roles/authelia/info.md +++ b/ansible/roles/authelia/info.md @@ -15,4 +15,4 @@ - Dummy-Client los werden - Dummy-Nutzer los werden - +- Nutzer-Datei-Verwaltung verbessern From 0d4a51564c963f2a76aab8c8dc2668852ed30686 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 11:12:47 +0100 Subject: [PATCH 19/61] =?UTF-8?q?[mod]=20role:hedgedoc:Parameter=20f=C3=BC?= =?UTF-8?q?r=20Nutzer-Name=20und=20Verzeichnis?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ansible/roles/hedgedoc/defaults/main.json | 2 ++ ansible/roles/hedgedoc/tasks/main.json | 14 +++++++------- ansible/roles/hedgedoc/templates/systemd-unit.j2 | 5 +++-- 3 files changed, 12 insertions(+), 9 deletions(-) diff --git a/ansible/roles/hedgedoc/defaults/main.json b/ansible/roles/hedgedoc/defaults/main.json index b7e9a3c..a1c03ed 100644 --- a/ansible/roles/hedgedoc/defaults/main.json +++ b/ansible/roles/hedgedoc/defaults/main.json @@ -1,4 +1,6 @@ { + "var_hedgedoc_user_name": "hedgedoc", + "var_hedgedoc_directory": "/opt/hedgedoc", "var_hedgedoc_version": "1.9.9", "var_hedgedoc_session_secret": "session_secret", "var_hedgedoc_database_path": "/var/hedgedoc/data.sqlite", diff --git a/ansible/roles/hedgedoc/tasks/main.json b/ansible/roles/hedgedoc/tasks/main.json index 193af87..984e44d 100644 --- a/ansible/roles/hedgedoc/tasks/main.json +++ b/ansible/roles/hedgedoc/tasks/main.json @@ -25,7 +25,7 @@ "name": "user", "become": true, "ansible.builtin.user": { - "name": "hedgedoc", + "name": "{{var_hedgedoc_user_name}}", "create_home": true } }, @@ -43,8 +43,8 @@ "ansible.builtin.unarchive": { "remote_src": true, "src": "/tmp/hedgedoc.tar.gz", - "dest": "/opt", - "owner": "hedgedoc" + "dest": "{{var_hedgedoc_directory | dirname}}", + "owner": "{{var_hedgedoc_user_name}}" } }, { @@ -52,7 +52,7 @@ "become": true, "become_user": "hedgedoc", "ansible.builtin.command": { - "chdir": "/opt/hedgedoc", + "chdir": "{{var_hedgedoc_directory}}", "cmd": "bin/setup" } }, @@ -62,7 +62,7 @@ "ansible.builtin.file": { "state": "directory", "path": "{{var_hedgedoc_database_path | dirname}}", - "owner": "hedgedoc" + "owner": "{{var_hedgedoc_user_name}}" } }, { @@ -71,7 +71,7 @@ "ansible.builtin.file": { "state": "touch", "path": "{{var_hedgedoc_database_path}}", - "owner": "hedgedoc" + "owner": "{{var_hedgedoc_user_name}}" } }, { @@ -79,7 +79,7 @@ "become": true, "ansible.builtin.template": { "src": "config.json.j2", - "dest": "/opt/hedgedoc/config.json" + "dest": "{{var_hedgedoc_directory}}/config.json" } }, { diff --git a/ansible/roles/hedgedoc/templates/systemd-unit.j2 b/ansible/roles/hedgedoc/templates/systemd-unit.j2 index f2574df..000bd6e 100644 --- a/ansible/roles/hedgedoc/templates/systemd-unit.j2 +++ b/ansible/roles/hedgedoc/templates/systemd-unit.j2 @@ -3,8 +3,9 @@ Description=Hedgedoc After=multi-user.target [Service] -WorkingDirectory=/opt/hedgedoc -Environment=NODE_ENV=production +WorkingDirectory={{var_hedgedoc_directory}} +User={{var_hedgedoc_user_name}} +Environment="NODE_ENV=production" ExecStart=yarn start SyslogIdentifier=hedgedoc From e54bcb109346430ad5c43cd80a31ac9f0168196f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 11:19:44 +0100 Subject: [PATCH 20/61] [mod] role:authelia:log-pfad --- ansible/roles/authelia/defaults/main.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/authelia/defaults/main.json b/ansible/roles/authelia/defaults/main.json index 4dd3749..d2fbace 100644 --- a/ansible/roles/authelia/defaults/main.json +++ b/ansible/roles/authelia/defaults/main.json @@ -4,7 +4,7 @@ "var_authelia_listen_address": "0.0.0.0", "var_authelia_jwt_secret": "REPLACE_ME", "var_authelia_users_file_path": "/var/authelia/users.yml", - "var_authelia_log_file_path": "/var/log/authelia.log", + "var_authelia_log_file_path": "/var/authelia/log.jsonl", "var_authelia_session_domain": "example.org", "var_authelia_session_secret": "REPLACE_ME", "var_authelia_storage_path": "/var/authelia/state.db", From 8f670639f464b24de01893aa61656134068bc85e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 16:11:49 +0100 Subject: [PATCH 21/61] [add] role:authelia-for-gitlab --- .../authelia-for-gitlab/defaults/main.json | 5 ++++ ansible/roles/authelia-for-gitlab/info.md | 10 ++++++++ .../roles/authelia-for-gitlab/tasks/main.json | 25 +++++++++++++++++++ .../templates/authelia-client-conf.json.j2 | 17 +++++++++++++ 4 files changed, 57 insertions(+) create mode 100644 ansible/roles/authelia-for-gitlab/defaults/main.json create mode 100644 ansible/roles/authelia-for-gitlab/info.md create mode 100644 ansible/roles/authelia-for-gitlab/tasks/main.json create mode 100644 ansible/roles/authelia-for-gitlab/templates/authelia-client-conf.json.j2 diff --git a/ansible/roles/authelia-for-gitlab/defaults/main.json b/ansible/roles/authelia-for-gitlab/defaults/main.json new file mode 100644 index 0000000..aeeec3b --- /dev/null +++ b/ansible/roles/authelia-for-gitlab/defaults/main.json @@ -0,0 +1,5 @@ +{ + "var_authelia_for_gitlab_gitlab_url_base": "https://gitlab.example.org", + "var_authelia_for_gitlab_client_id": "gitlab", + "var_authelia_for_gitlab_client_secret": "REPLACE_ME" +} diff --git a/ansible/roles/authelia-for-gitlab/info.md b/ansible/roles/authelia-for-gitlab/info.md new file mode 100644 index 0000000..9bf2a1f --- /dev/null +++ b/ansible/roles/authelia-for-gitlab/info.md @@ -0,0 +1,10 @@ +## Beschreibung + +Um [GitLab](../gitlab) gegen [Authelia](../authelia) authentifizieren zu lassen + + +## Verweise + +- [Authelia-Dokumentation | GitLab Integration](https://www.authelia.com/integration/openid-connect/gitlab/) +- [GitLab-Dokumentation | Use OpenID Connect as an OAuth 2.0 authentication provider](https://docs.gitlab.com/ee/administration/auth/oidc.html) + diff --git a/ansible/roles/authelia-for-gitlab/tasks/main.json b/ansible/roles/authelia-for-gitlab/tasks/main.json new file mode 100644 index 0000000..5790e65 --- /dev/null +++ b/ansible/roles/authelia-for-gitlab/tasks/main.json @@ -0,0 +1,25 @@ +[ + { + "name": "configuration | emplace", + "become": true, + "ansible.builtin.template": { + "src": "authelia-client-conf.json.j2", + "dest": "/etc/authelia/conf.d/clients/gitlab.json" + } + }, + { + "name": "configuration | apply", + "become": true, + "ansible.builtin.command": { + "cmd": "/usr/bin/authelia-conf-compose" + } + }, + { + "name": "restart service", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "authelia" + } + } +] diff --git a/ansible/roles/authelia-for-gitlab/templates/authelia-client-conf.json.j2 b/ansible/roles/authelia-for-gitlab/templates/authelia-client-conf.json.j2 new file mode 100644 index 0000000..2c1f44a --- /dev/null +++ b/ansible/roles/authelia-for-gitlab/templates/authelia-client-conf.json.j2 @@ -0,0 +1,17 @@ +{ + "id": "{{var_authelia_for_gitlab_client_id}}", + "description": "GitLab", + "secret": "{{var_authelia_for_gitlab_client_secret}}", + "public": false, + "authorization_policy": "one_factor", + "redirect_uris": [ + "{{var_authelia_for_gitlab_gitlab_url_base}}/users/auth/openid_connect/callback + ], + "scopes": [ + "openid", + "profile" + "groups", + "email" + ], + "userinfo_signing_algorithm": "none" +} From 03c72674d14b512d2ae487a7f86e5cbcb20b596c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 23:04:02 +0100 Subject: [PATCH 22/61] [mod] roles:authelia:Dummy-Client und -Nutzer dynamisch handhaben --- ansible/roles/authelia/files/conf-compose.py | 20 +- ansible/roles/authelia/files/user-manage.py | 188 ++++++++++++++++++ ansible/roles/authelia/info.md | 7 +- ansible/roles/authelia/tasks/main.json | 21 +- .../templates/conf-client-dummy.json.j2 | 7 - ansible/roles/authelia/templates/users.yml.j2 | 7 +- 6 files changed, 222 insertions(+), 28 deletions(-) create mode 100644 ansible/roles/authelia/files/user-manage.py delete mode 100644 ansible/roles/authelia/templates/conf-client-dummy.json.j2 diff --git a/ansible/roles/authelia/files/conf-compose.py b/ansible/roles/authelia/files/conf-compose.py index 92a76b8..011babb 100644 --- a/ansible/roles/authelia/files/conf-compose.py +++ b/ansible/roles/authelia/files/conf-compose.py @@ -117,7 +117,25 @@ def main(): } } data = dict_merge(data, data_) - + ### postprocess + if True: + if (len(data["identity_providers"]["oidc"]["clients"]) <= 0): + data["identity_providers"]["oidc"]["clients"].append( + { + "public": False, + "id": "_dummy", + "description": "not a real client; just here to make Authelia run", + "authorization_policy": "one_factor", + "secret": "", + "scopes": [], + "redirect_uris": [], + "grant_types": [], + "response_types": [], + "response_modes": [], + } + ) + else: + pass ## output if True: if (args.output_format == "json"): diff --git a/ansible/roles/authelia/files/user-manage.py b/ansible/roles/authelia/files/user-manage.py new file mode 100644 index 0000000..7d9a84e --- /dev/null +++ b/ansible/roles/authelia/files/user-manage.py @@ -0,0 +1,188 @@ +#!/usr/bin/env python3 + +import sys as _sys +import os as _os +import subprocess as _subprocess +import argparse as _argparse +import yaml as _yaml +import string as _string +import random as _random + + +def file_read(path): + handle = open(path, "r") + content = handle.read() + handle.close() + return content + + +def file_write(path, content): + directory = _os.path.dirname(path) + if (not _os.path.exists(directory)): + _os.makedirs(directory, exist_ok = True) + else: + pass + handle = open(path, "w") + handle.write(content) + handle.close() + return content + + +def get_password_hash(binary_file_path, conf_file_path, name): + output = _subprocess.check_output([ + binary_file_path, + "--config=%s" % conf_file_path, + "hash-password", + name + ]) + return output.decode("utf-8").split("\n")[0][8:] + + +def postprocess(binary_file_path, conf_file_path, data): + password = "".join(map(lambda x: _random.choice(_string.ascii_lowercase), range(16))) + if (len(data["users"]) <= 0): + data["users"]["_dummy"] = { + "displayname": "(Dummy)", + "password": get_password_hash(binary_file_path, conf_file_path, password), + "email": "dummy@nowhere.net", + "groups": [], + } + else: + pass + return data + + +def data_read(user_file_path): + data = _yaml.safe_load(file_read(user_file_path)) + data["users"].pop("_dummy", None) + return data + + +def data_write(binary_file_path, conf_file_path, user_file_path, data): + file_write(user_file_path, _yaml.dump(postprocess(binary_file_path, conf_file_path, data))) + + +def main(): + ## args + argument_parser = _argparse.ArgumentParser() + argument_parser.add_argument( + "command", + type = str, + choices = ["list", "show", "add", "change", "remove"], + default = "list", + help = "command to execute", + ) + argument_parser.add_argument( + "-b", + "--binary-file-path", + type = str, + default = "/usr/bin/authelia", + help = "path to the Authelia binary file", + ) + argument_parser.add_argument( + "-c", + "--conf-file-path", + type = str, + default = "/etc/authelia/configuration.yml", + help = "path to the Authelia configuration file", + ) + argument_parser.add_argument( + "-u", + "--user-file-path", + type = str, + default = "/var/authelia/users.yml", + help = "path to the user database file", + ) + argument_parser.add_argument( + "-n", + "--login-name", + type = str, + default = None, + help = "login name of the user; has to be unique", + ) + argument_parser.add_argument( + "-p", + "--password", + type = str, + default = None, + help = "password of the user", + ) + argument_parser.add_argument( + "-d", + "--display-name", + type = str, + default = None, + help = "display name of the user", + ) + argument_parser.add_argument( + "-e", + "--email", + type = str, + default = None, + help = "e-mail address of the user", + ) + args = argument_parser.parse_args() + + ## exec + data = data_read(args.user_file_path) + if (args.command == "list"): + names = sorted(data["users"].keys()) + for name in names: + _sys.stdout.write("%s\n" % name) + elif (args.command == "show"): + if (args.login_name is None): + raise ValueError("name required") + else: + if (not (args.login_name in data["users"])): + raise ValueError("no such user") + else: + entry = data["users"][args.login_name] + _sys.stdout.write("%s\n" % _yaml.dump(entry)) + elif (args.command == "add"): + if (args.login_name is None): + raise ValueError("name required") + else: + if (args.password is None): + raise ValueError("password required") + else: + entry = { + "displayname": (args.display_name or args.login_name), + "password": get_password_hash(args.binary_file_path, args.conf_file_path, args.login_name), + "email": args.email, + "groups": [], + } + data["users"][args.login_name] = entry + data_write(args.binary_file_path, args.conf_file_path, args.user_file_path, data) + elif (args.command == "change"): + if (args.login_name is None): + raise ValueError("name required") + else: + entry = data["users"][args.login_name] + if (args.password is None): + pass + else: + entry["password"] = get_password_hash(args.binary_file_path, args.conf_file_path, args.login_name) + if (args.display_name is None): + pass + else: + entry["displayname"] = args.display_name + if (args.email is None): + pass + else: + entry["email"] = args.email + data["users"][args.login_name] = entry + data_write(args.binary_file_path, args.conf_file_path, args.user_file_path, data) + elif (args.command == "remove"): + if (args.login_name is None): + raise ValueError("name required") + else: + if (not (args.login_name in data["users"])): + raise ValueError("no such user") + else: + del data["users"][args.login_name] + data_write(args.binary_file_path, args.conf_file_path, args.user_file_path, data) + else: + raise NotImplementedError() + + +main() diff --git a/ansible/roles/authelia/info.md b/ansible/roles/authelia/info.md index abdb2ac..6779bb2 100644 --- a/ansible/roles/authelia/info.md +++ b/ansible/roles/authelia/info.md @@ -1,7 +1,8 @@ ## Beschreibung - zum Aufsetzen des Authentifizierungs-Dienstes [Authelia](https://www.authelia.com/) -- um einen Clients hinzuzfügen, erstellt man eine entsprechende JSON-Datei in `/etc/authelia/conf.d/clients` und führt aus `/usr/bin/authelia-conf-compose` +- um einen Clients hinzuzfügen, erstellt man eine entsprechende JSON-Datei in `/etc/authelia/conf.d/clients` und führt aus `authelia-conf-compose` +- zum Verwalten der Nutzer kann man `authelia-user-manage` verwenden (`-h` anhängen für Erklärung) ## Verweise @@ -13,6 +14,4 @@ ## ToDo -- Dummy-Client los werden -- Dummy-Nutzer los werden -- Nutzer-Datei-Verwaltung verbessern +- Nutzer-Verwaltung verbessern (evtl. externalisieren) diff --git a/ansible/roles/authelia/tasks/main.json b/ansible/roles/authelia/tasks/main.json index 22cfd21..c765720 100644 --- a/ansible/roles/authelia/tasks/main.json +++ b/ansible/roles/authelia/tasks/main.json @@ -77,14 +77,6 @@ "dest": "/etc/authelia/conf.d/main.json" } }, - { - "name": "configuration | client | dummy", - "become": true, - "ansible.builtin.template": { - "src": "conf-client-dummy.json.j2", - "dest": "/etc/authelia/conf.d/clients/dummy.json" - } - }, { "name": "configuration | compose", "become": true, @@ -101,7 +93,7 @@ } }, { - "name": "setup users directory", + "name": "users | directory", "become": true, "ansible.builtin.file": { "state": "directory", @@ -109,13 +101,22 @@ } }, { - "name": "place dummy user file", + "name": "users | initial file", "become": true, "ansible.builtin.template": { "src": "users.yml.j2", "dest": "{{var_authelia_users_file_path}}" } }, + { + "name": "users | management script", + "become": true, + "ansible.builtin.copy": { + "src": "user-manage.py", + "dest": "/usr/bin/authelia-user-manage", + "mode": "0700" + } + }, { "name": "apply", "become": true, diff --git a/ansible/roles/authelia/templates/conf-client-dummy.json.j2 b/ansible/roles/authelia/templates/conf-client-dummy.json.j2 deleted file mode 100644 index 88dcf25..0000000 --- a/ansible/roles/authelia/templates/conf-client-dummy.json.j2 +++ /dev/null @@ -1,7 +0,0 @@ -{ - "public": false, - "id": "dummy", - "secret": "d1424b378e4fbbc153f330f33b74ab192525b98cc2dd58b2e8d01c2737be00c6", - "redirect_uris": [ - ] -} diff --git a/ansible/roles/authelia/templates/users.yml.j2 b/ansible/roles/authelia/templates/users.yml.j2 index eea8164..bf82e98 100644 --- a/ansible/roles/authelia/templates/users.yml.j2 +++ b/ansible/roles/authelia/templates/users.yml.j2 @@ -1,6 +1 @@ -users: - _dummy: - displayname: "(Dummy)" - password: "$argon2id$v=19$m=65536,t=3,p=4$sHIRjFaYRz2U3F8wHnqecQ$lwnQtHNeFqgLaLSW8It7KJSHNOJoSeF+RF7lwgM7WRA" - email: "dummy@nowhere.org" - groups: [] +users: {} From 8a877748fbc100e6923b85944b813fc680915d30 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 23:41:32 +0100 Subject: [PATCH 23/61] [mod] role:synapse:Konvertierungen nutzen --- ansible/roles/synapse/defaults/main.json | 10 +++++----- ansible/roles/synapse/templates/homeserver.yaml.j2 | 8 +++++--- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/ansible/roles/synapse/defaults/main.json b/ansible/roles/synapse/defaults/main.json index fe0f604..a57ac35 100644 --- a/ansible/roles/synapse/defaults/main.json +++ b/ansible/roles/synapse/defaults/main.json @@ -1,6 +1,6 @@ { "var_synapse_scheme": "https", - "var_synapse_domain": "matrix.example.org", + "var_synapse_domain": "synapse.example.org", "var_synaspe_database_kind": "sqlite", "var_synaspe_database_sqlite_path": "/var/synapse/data.sqlite", "var_synaspe_database_postgresql_host": "localhost", @@ -10,8 +10,8 @@ "var_synaspe_database_postgresql_schema": "synapse", "var_synapse_element_url": "https://element.example.org", "var_synapse_title": "Example | Matrix", - "var_synapse_federation_whitelist": "[]", - "var_synapse_password_strict_policy": "true", + "var_synapse_federation_whitelist": [], + "var_synapse_password_strict_policy": true, "var_synapse_registration_shared_secret": "REPLACE_ME", "var_synapse_oidc_enable": false, "var_synapse_oidc_provider_id": "external_auth", @@ -20,8 +20,8 @@ "var_synapse_oidc_client_secret": "REPLACE_ME", "var_synapse_oidc_issuer_url": "https://auth.example.org", "var_synapse_smtp_host": "smtp.example.org", - "var_synapse_smtp_port": "587", - "var_synapse_smtp_username": "matrix@smtp.example.org", + "var_synapse_smtp_port": 587, + "var_synapse_smtp_username": "synapse@smtp.example.org", "var_synapse_smtp_password": "REPLACE_ME", "var_synapse_admin_user_define": true, "var_synapse_admin_user_name": "admin", diff --git a/ansible/roles/synapse/templates/homeserver.yaml.j2 b/ansible/roles/synapse/templates/homeserver.yaml.j2 index c58e3e7..de8088e 100644 --- a/ansible/roles/synapse/templates/homeserver.yaml.j2 +++ b/ansible/roles/synapse/templates/homeserver.yaml.j2 @@ -45,7 +45,7 @@ listeners: - names: [federation] compress: false -federation_domain_whitelist: {{var_synapse_federation_whitelist}} +federation_domain_whitelist: {{var_synapse_federation_whitelist | to_yaml}} serve_server_wellknown: true @@ -87,7 +87,9 @@ max_spider_size: "10M" enable_registration_captcha: false recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" +{% if var_synapse_registration_shared_secret != None %} registration_shared_secret: "{{var_synapse_registration_shared_secret}}" +{% endif %} {% if var_synapse_oidc_enable %} enable_registration: false @@ -158,11 +160,11 @@ saml2_config: password_config: enabled: true policy: - enabled: {{var_synapse_password_strict_policy}} + enabled: {{var_synapse_password_strict_policy | to_yaml}} email: smtp_host: "{{var_synapse_smtp_host}}" - smtp_port: {{var_synapse_smtp_port}} + smtp_port: {{var_synapse_smtp_port | to_yaml}} smtp_user: "{{var_synapse_smtp_username}}" smtp_pass: "{{var_synapse_smtp_password}}" require_transport_security: true From 439861ee7a5dbd04367885018837d5ebbae69ae8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 23:41:59 +0100 Subject: [PATCH 24/61] =?UTF-8?q?[mod]=20role:synapse-and-lighttpd:Standar?= =?UTF-8?q?d-Wert=20f=C3=BCr=20Dom=C3=A4ne=20ge=C3=A4ndert?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ansible/roles/synapse-and-lighttpd/defaults/main.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/synapse-and-lighttpd/defaults/main.json b/ansible/roles/synapse-and-lighttpd/defaults/main.json index fc3f952..9f9b55e 100644 --- a/ansible/roles/synapse-and-lighttpd/defaults/main.json +++ b/ansible/roles/synapse-and-lighttpd/defaults/main.json @@ -1,3 +1,3 @@ { - "var_synapse_and_lighttpd_domain": "REPLACE_ME" + "var_synapse_and_lighttpd_domain": "synapse.example.org" } From 822905025f4dd2a8708e7922f4f7692da9ead008 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 23:41:32 +0100 Subject: [PATCH 25/61] [mod] role:synapse:Konvertierungen nutzen --- ansible/roles/synapse/defaults/main.json | 10 +++++----- ansible/roles/synapse/templates/homeserver.yaml.j2 | 8 +++++--- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/ansible/roles/synapse/defaults/main.json b/ansible/roles/synapse/defaults/main.json index fe0f604..a57ac35 100644 --- a/ansible/roles/synapse/defaults/main.json +++ b/ansible/roles/synapse/defaults/main.json @@ -1,6 +1,6 @@ { "var_synapse_scheme": "https", - "var_synapse_domain": "matrix.example.org", + "var_synapse_domain": "synapse.example.org", "var_synaspe_database_kind": "sqlite", "var_synaspe_database_sqlite_path": "/var/synapse/data.sqlite", "var_synaspe_database_postgresql_host": "localhost", @@ -10,8 +10,8 @@ "var_synaspe_database_postgresql_schema": "synapse", "var_synapse_element_url": "https://element.example.org", "var_synapse_title": "Example | Matrix", - "var_synapse_federation_whitelist": "[]", - "var_synapse_password_strict_policy": "true", + "var_synapse_federation_whitelist": [], + "var_synapse_password_strict_policy": true, "var_synapse_registration_shared_secret": "REPLACE_ME", "var_synapse_oidc_enable": false, "var_synapse_oidc_provider_id": "external_auth", @@ -20,8 +20,8 @@ "var_synapse_oidc_client_secret": "REPLACE_ME", "var_synapse_oidc_issuer_url": "https://auth.example.org", "var_synapse_smtp_host": "smtp.example.org", - "var_synapse_smtp_port": "587", - "var_synapse_smtp_username": "matrix@smtp.example.org", + "var_synapse_smtp_port": 587, + "var_synapse_smtp_username": "synapse@smtp.example.org", "var_synapse_smtp_password": "REPLACE_ME", "var_synapse_admin_user_define": true, "var_synapse_admin_user_name": "admin", diff --git a/ansible/roles/synapse/templates/homeserver.yaml.j2 b/ansible/roles/synapse/templates/homeserver.yaml.j2 index c58e3e7..de8088e 100644 --- a/ansible/roles/synapse/templates/homeserver.yaml.j2 +++ b/ansible/roles/synapse/templates/homeserver.yaml.j2 @@ -45,7 +45,7 @@ listeners: - names: [federation] compress: false -federation_domain_whitelist: {{var_synapse_federation_whitelist}} +federation_domain_whitelist: {{var_synapse_federation_whitelist | to_yaml}} serve_server_wellknown: true @@ -87,7 +87,9 @@ max_spider_size: "10M" enable_registration_captcha: false recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" +{% if var_synapse_registration_shared_secret != None %} registration_shared_secret: "{{var_synapse_registration_shared_secret}}" +{% endif %} {% if var_synapse_oidc_enable %} enable_registration: false @@ -158,11 +160,11 @@ saml2_config: password_config: enabled: true policy: - enabled: {{var_synapse_password_strict_policy}} + enabled: {{var_synapse_password_strict_policy | to_yaml}} email: smtp_host: "{{var_synapse_smtp_host}}" - smtp_port: {{var_synapse_smtp_port}} + smtp_port: {{var_synapse_smtp_port | to_yaml}} smtp_user: "{{var_synapse_smtp_username}}" smtp_pass: "{{var_synapse_smtp_password}}" require_transport_security: true From ce22bc109ddea21cb176508eb91924dc53cdcd75 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 23:41:59 +0100 Subject: [PATCH 26/61] =?UTF-8?q?[mod]=20role:synapse-and-lighttpd:Standar?= =?UTF-8?q?d-Wert=20f=C3=BCr=20Dom=C3=A4ne=20ge=C3=A4ndert?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ansible/roles/synapse-and-lighttpd/defaults/main.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/synapse-and-lighttpd/defaults/main.json b/ansible/roles/synapse-and-lighttpd/defaults/main.json index fc3f952..9f9b55e 100644 --- a/ansible/roles/synapse-and-lighttpd/defaults/main.json +++ b/ansible/roles/synapse-and-lighttpd/defaults/main.json @@ -1,3 +1,3 @@ { - "var_synapse_and_lighttpd_domain": "REPLACE_ME" + "var_synapse_and_lighttpd_domain": "synapse.example.org" } From f502ae20edb00651ecf08e621ba476a4ca67410e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 23:47:37 +0100 Subject: [PATCH 27/61] [mod] outsourced --- .../authelia-for-gitlab/defaults/main.json | 5 ---- ansible/roles/authelia-for-gitlab/info.md | 10 -------- .../roles/authelia-for-gitlab/tasks/main.json | 25 ------------------- .../templates/authelia-client-conf.json.j2 | 17 ------------- 4 files changed, 57 deletions(-) delete mode 100644 ansible/roles/authelia-for-gitlab/defaults/main.json delete mode 100644 ansible/roles/authelia-for-gitlab/info.md delete mode 100644 ansible/roles/authelia-for-gitlab/tasks/main.json delete mode 100644 ansible/roles/authelia-for-gitlab/templates/authelia-client-conf.json.j2 diff --git a/ansible/roles/authelia-for-gitlab/defaults/main.json b/ansible/roles/authelia-for-gitlab/defaults/main.json deleted file mode 100644 index aeeec3b..0000000 --- a/ansible/roles/authelia-for-gitlab/defaults/main.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "var_authelia_for_gitlab_gitlab_url_base": "https://gitlab.example.org", - "var_authelia_for_gitlab_client_id": "gitlab", - "var_authelia_for_gitlab_client_secret": "REPLACE_ME" -} diff --git a/ansible/roles/authelia-for-gitlab/info.md b/ansible/roles/authelia-for-gitlab/info.md deleted file mode 100644 index 9bf2a1f..0000000 --- a/ansible/roles/authelia-for-gitlab/info.md +++ /dev/null @@ -1,10 +0,0 @@ -## Beschreibung - -Um [GitLab](../gitlab) gegen [Authelia](../authelia) authentifizieren zu lassen - - -## Verweise - -- [Authelia-Dokumentation | GitLab Integration](https://www.authelia.com/integration/openid-connect/gitlab/) -- [GitLab-Dokumentation | Use OpenID Connect as an OAuth 2.0 authentication provider](https://docs.gitlab.com/ee/administration/auth/oidc.html) - diff --git a/ansible/roles/authelia-for-gitlab/tasks/main.json b/ansible/roles/authelia-for-gitlab/tasks/main.json deleted file mode 100644 index 5790e65..0000000 --- a/ansible/roles/authelia-for-gitlab/tasks/main.json +++ /dev/null @@ -1,25 +0,0 @@ -[ - { - "name": "configuration | emplace", - "become": true, - "ansible.builtin.template": { - "src": "authelia-client-conf.json.j2", - "dest": "/etc/authelia/conf.d/clients/gitlab.json" - } - }, - { - "name": "configuration | apply", - "become": true, - "ansible.builtin.command": { - "cmd": "/usr/bin/authelia-conf-compose" - } - }, - { - "name": "restart service", - "become": true, - "ansible.builtin.systemd_service": { - "state": "restarted", - "name": "authelia" - } - } -] diff --git a/ansible/roles/authelia-for-gitlab/templates/authelia-client-conf.json.j2 b/ansible/roles/authelia-for-gitlab/templates/authelia-client-conf.json.j2 deleted file mode 100644 index 2c1f44a..0000000 --- a/ansible/roles/authelia-for-gitlab/templates/authelia-client-conf.json.j2 +++ /dev/null @@ -1,17 +0,0 @@ -{ - "id": "{{var_authelia_for_gitlab_client_id}}", - "description": "GitLab", - "secret": "{{var_authelia_for_gitlab_client_secret}}", - "public": false, - "authorization_policy": "one_factor", - "redirect_uris": [ - "{{var_authelia_for_gitlab_gitlab_url_base}}/users/auth/openid_connect/callback - ], - "scopes": [ - "openid", - "profile" - "groups", - "email" - ], - "userinfo_signing_algorithm": "none" -} From 68a3dc45edf83a90005c855e38781bdc2c5bb509 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 23:55:42 +0100 Subject: [PATCH 28/61] [add] role:hedgedoc-and-lighttpd --- .../hedgedoc-and-lighttpd/defaults/main.json | 4 +++ ansible/roles/hedgedoc-and-lighttpd/info.md | 8 +++++ .../hedgedoc-and-lighttpd/tasks/main.json | 34 +++++++++++++++++++ .../hedgedoc-and-lighttpd/templates/conf.j2 | 33 ++++++++++++++++++ 4 files changed, 79 insertions(+) create mode 100644 ansible/roles/hedgedoc-and-lighttpd/defaults/main.json create mode 100644 ansible/roles/hedgedoc-and-lighttpd/info.md create mode 100644 ansible/roles/hedgedoc-and-lighttpd/tasks/main.json create mode 100644 ansible/roles/hedgedoc-and-lighttpd/templates/conf.j2 diff --git a/ansible/roles/hedgedoc-and-lighttpd/defaults/main.json b/ansible/roles/hedgedoc-and-lighttpd/defaults/main.json new file mode 100644 index 0000000..16c8d4e --- /dev/null +++ b/ansible/roles/hedgedoc-and-lighttpd/defaults/main.json @@ -0,0 +1,4 @@ +{ + "var_hedgedoc_and_lighttpd_domain": "hedgedoc.example.org", + "var_hedgedoc_and_lighttpd_tls_enable": true +} diff --git a/ansible/roles/hedgedoc-and-lighttpd/info.md b/ansible/roles/hedgedoc-and-lighttpd/info.md new file mode 100644 index 0000000..99a615a --- /dev/null +++ b/ansible/roles/hedgedoc-and-lighttpd/info.md @@ -0,0 +1,8 @@ +## Beschreibung + +- zur Einrichtung von [Lighttpd](../lighttpd) als Reverse-Proxy für [Hedgedoc](../hedgedoc) + + +## Verweise + +- [Hedgedoc-Dokumentation | Using a Reverse Proxy](https://docs.hedgedoc.org/guides/reverse-proxy/) diff --git a/ansible/roles/hedgedoc-and-lighttpd/tasks/main.json b/ansible/roles/hedgedoc-and-lighttpd/tasks/main.json new file mode 100644 index 0000000..1bbe93f --- /dev/null +++ b/ansible/roles/hedgedoc-and-lighttpd/tasks/main.json @@ -0,0 +1,34 @@ +[ + { + "name": "activate proxy module", + "become": true, + "ansible.builtin.shell": { + "cmd": "lighttpd-enable-mod proxy || exit 0" + } + }, + { + "name": "emplace configuration | data", + "become": true, + "ansible.builtin.template": { + "src": "conf.j2", + "dest": "/etc/lighttpd/conf-available/{{var_hedgedoc_and_lighttpd_domain}}.conf" + } + }, + { + "name": "emplace configuration | link", + "become": true, + "ansible.builtin.file": { + "state": "link", + "src": "/etc/lighttpd/conf-available/{{var_hedgedoc_and_lighttpd_domain}}.conf", + "dest": "/etc/lighttpd/conf-enabled/{{var_hedgedoc_and_lighttpd_domain}}.conf" + } + }, + { + "name": "restart lighttpd", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "lighttpd" + } + } +] diff --git a/ansible/roles/hedgedoc-and-lighttpd/templates/conf.j2 b/ansible/roles/hedgedoc-and-lighttpd/templates/conf.j2 new file mode 100644 index 0000000..4b6013c --- /dev/null +++ b/ansible/roles/hedgedoc-and-lighttpd/templates/conf.j2 @@ -0,0 +1,33 @@ +$HTTP["host"] == "{{var_hedgedoc_and_lighttpd_domain}}" { + server.name = "{{var_hedgedoc_and_lighttpd_domain}}" + proxy.server = ( + "" => ( + "" => ( + "host" => "127.0.0.1", + "port" => 2400 + ) + ) + ) + proxy.header = ( + "upgrade" => "enable" + ) + +{% if var_hedgedoc_and_lighttpd_tls_enable %} + ## alle Anfragen auf Port 80 + $SERVER["socket"] == ":80" { + ## auf HTTPS umleiten + url.redirect = ("^/(.*)$" => "https://{{var_hedgedoc_and_lighttpd_domain}}/$1") + } + + ## alle Anfragen auf Port 443 + $SERVER["socket"] == ":443" { + ## mit dem SSL-Kram beglücken + ssl.engine = "enable" + ssl.pemfile = "/etc/ssl/certs/{{var_hedgedoc_and_lighttpd_domain}}.pem" + ssl.privkey = "/etc/ssl/keys/{{var_hedgedoc_and_lighttpd_domain}}.pem" + ssl.ca-file = "/etc/ssl/fullchains/{{var_hedgedoc_and_lighttpd_domain}}.pem" + ssl.use-sslv2 = "disable" + ssl.use-sslv3 = "disable" + } +{% endif %} +} From e81cbdcedfdb9dbcd1e605d24096b4fd8d2728c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Mon, 18 Dec 2023 00:18:34 +0100 Subject: [PATCH 29/61] [mod] role:hedgedoc:postgresql-Anbindung und mehr Parameter --- ansible/roles/hedgedoc/defaults/main.json | 15 ++++++++--- .../roles/hedgedoc/templates/config.json.j2 | 26 +++++++++++++++++-- 2 files changed, 36 insertions(+), 5 deletions(-) diff --git a/ansible/roles/hedgedoc/defaults/main.json b/ansible/roles/hedgedoc/defaults/main.json index a1c03ed..438eb14 100644 --- a/ansible/roles/hedgedoc/defaults/main.json +++ b/ansible/roles/hedgedoc/defaults/main.json @@ -2,8 +2,14 @@ "var_hedgedoc_user_name": "hedgedoc", "var_hedgedoc_directory": "/opt/hedgedoc", "var_hedgedoc_version": "1.9.9", - "var_hedgedoc_session_secret": "session_secret", - "var_hedgedoc_database_path": "/var/hedgedoc/data.sqlite", + "var_hedgedoc_session_secret": "REPLACE_ME", + "var_hedgedoc_database_kind": "sqlite", + "var_hedgedoc_database_data_sqlite_path": "/var/hedgedoc/data.sqlite", + "var_hedgedoc_database_data_postgresql_host": "localhost", + "var_hedgedoc_database_data_postgresql_port": 5432, + "var_hedgedoc_database_data_postgresql_username": "hedgedoc_user", + "var_hedgedoc_database_data_postgresql_password": "REPLACE_ME", + "var_hedgedoc_database_data_postgresql_schema": "hedgedoc", "var_hedgedoc_domain": "hedgedoc.example.org", "var_hedgedoc_oauth2_enable": false, "var_hedgedoc_oauth2_provider_name": "external auth", @@ -11,5 +17,8 @@ "var_hedgedoc_oauth2_client_secret": "REPLACE_ME", "var_hedgedoc_oauth2_user_profile_url": "https://auth.example.org/profile", "var_hedgedoc_oauth2_token_url": "https://auth.example.org/token", - "var_hedgedoc_oauth2_authorization_url": "https://auth.example.org/authorization" + "var_hedgedoc_oauth2_authorization_url": "https://auth.example.org/authorization", + "var_hedgedoc_guest_allow_create": false, + "var_hedgedoc_guest_allow_change": false, + "var_hedgedoc_free_names_mode": "authed" } diff --git a/ansible/roles/hedgedoc/templates/config.json.j2 b/ansible/roles/hedgedoc/templates/config.json.j2 index a1b9b2d..6c953c5 100644 --- a/ansible/roles/hedgedoc/templates/config.json.j2 +++ b/ansible/roles/hedgedoc/templates/config.json.j2 @@ -1,10 +1,22 @@ { "production": { "loglevel": "error", +{% if var_hedgedoc_database_kind == 'sqlite' %} "db": { "dialect": "sqlite", "storage": "{{var_hedgedoc_database_path}}" }, +{% endif %} +{% if var_hedgedoc_database_kind == 'postgresql' %} + "db": { + "dialect": "postgres", + "host": "{{var_hedgedoc_database_data_postgresql_host}}", + "port": {{var_hedgedoc_database_data_postgresql_port | to_json}}, + "username": "{{var_hedgedoc_database_data_postgresql_username}}", + "password": "{{var_hedgedoc_database_data_postgresql_password}}", + "database": "{{var_hedgedoc_database_data_postgresql_schema}}" + }, +{% endif %} "sessionSecret": "{{var_hedgedoc_session_secret}}", "host": "localhost", "allowOrigin": [ @@ -32,10 +44,20 @@ "email": true, "allowEmailRegister": true, {% endif %} - "allowAnonymous": false, - "allowAnonymousEdits": true, + "allowAnonymous": {{var_hedgedoc_guest_allow_create | to_json}}, + "allowAnonymousEdits": {{var_hedgedoc_guest_allow_edit | to_json}}, +{% if var_hedgedoc_free_names_mode == 'never' %} + "allowFreeURL": false, + "requireFreeURLAuthentication": false, +{% endif %} +{% if var_hedgedoc_free_names_mode == 'authed' %} "allowFreeURL": true, "requireFreeURLAuthentication": true, +{% endif %} +{% if var_hedgedoc_free_names_mode == 'always' %} + "allowFreeURL": true, + "requireFreeURLAuthentication": false, +{% endif %} "defaultPermission": "editable" } } From bf4afbdc7aaa711056502d6b6050d6f5e030edba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Mon, 18 Dec 2023 00:19:03 +0100 Subject: [PATCH 30/61] [add] role:postgresql-for-hedgedoc --- .../defaults/main.json | 5 +++ .../postgresql-for-hedgedoc/tasks/main.json | 45 +++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 ansible/roles/postgresql-for-hedgedoc/defaults/main.json create mode 100644 ansible/roles/postgresql-for-hedgedoc/tasks/main.json diff --git a/ansible/roles/postgresql-for-hedgedoc/defaults/main.json b/ansible/roles/postgresql-for-hedgedoc/defaults/main.json new file mode 100644 index 0000000..a0e1eeb --- /dev/null +++ b/ansible/roles/postgresql-for-hedgedoc/defaults/main.json @@ -0,0 +1,5 @@ +{ + "var_postgresql_for_hedgedoc_username": "hedgedoc_user", + "var_postgresql_for_hedgedoc_password": "REPLACE_ME", + "var_postgresql_for_hedgedoc_schema": "hedgedoc" +} diff --git a/ansible/roles/postgresql-for-hedgedoc/tasks/main.json b/ansible/roles/postgresql-for-hedgedoc/tasks/main.json new file mode 100644 index 0000000..85431cc --- /dev/null +++ b/ansible/roles/postgresql-for-hedgedoc/tasks/main.json @@ -0,0 +1,45 @@ +[ + { + "name": "packages", + "become": true, + "ansible.builtin.apt": { + "pkg": [ + "acl", + "python3-psycopg2" + ] + } + }, + { + "name": "user", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_user": { + "state": "present", + "name": "{{var_postgresql_for_hedgedoc_username}}", + "password": "{{var_postgresql_for_hedgedoc_password}}" + } + }, + { + "name": "schema", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_db": { + "state": "present", + "name": "{{var_postgresql_for_hedgedoc_schema}}", + "owner": "{{var_postgresql_for_hedgedoc_username}}" + } + }, + { + "name": "rights", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_privs": { + "state": "present", + "db": "{{var_postgresql_for_hedgedoc_schema}}", + "objs": "ALL_IN_SCHEMA", + "roles": "{{var_postgresql_for_hedgedoc_username}}", + "privs": "ALL", + "grant_option": true + } + } +] From 821625388dbf8895f86ada62b286ac63ad1ac059 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Mon, 18 Dec 2023 00:19:38 +0100 Subject: [PATCH 31/61] [mod] role:postgresql-for-synapse:default password --- ansible/roles/postgresql-for-synapse/defaults/main.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/postgresql-for-synapse/defaults/main.json b/ansible/roles/postgresql-for-synapse/defaults/main.json index 3c4645a..84e4fd3 100644 --- a/ansible/roles/postgresql-for-synapse/defaults/main.json +++ b/ansible/roles/postgresql-for-synapse/defaults/main.json @@ -1,5 +1,5 @@ { "var_postgresql_for_synapse_username": "synapse_user", - "var_postgresql_for_synapse_password": "synapse_password", + "var_postgresql_for_synapse_password": "REPLACE_ME", "var_postgresql_for_synapse_schema": "synapse" } From cce7ab2b5452d13690c561bc118295e11256db34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Fri, 22 Dec 2023 19:23:11 +0100 Subject: [PATCH 32/61] [add] role:murmur --- ansible/roles/murmur/defaults/main.json | 6 + ansible/roles/murmur/info.md | 12 + ansible/roles/murmur/tasks/main.json | 35 ++ .../murmur/templates/mumble-server.ini.j2 | 380 ++++++++++++++++++ 4 files changed, 433 insertions(+) create mode 100644 ansible/roles/murmur/defaults/main.json create mode 100644 ansible/roles/murmur/info.md create mode 100644 ansible/roles/murmur/tasks/main.json create mode 100644 ansible/roles/murmur/templates/mumble-server.ini.j2 diff --git a/ansible/roles/murmur/defaults/main.json b/ansible/roles/murmur/defaults/main.json new file mode 100644 index 0000000..33156cb --- /dev/null +++ b/ansible/roles/murmur/defaults/main.json @@ -0,0 +1,6 @@ +{ + "var_murmur_database_path": "/var/lib/mumble-server/mumble-server.sqlite", + "var_murmur_port": 64738, + "var_murmur_welcome_text": "
Welcome to this server running Murmur.
Enjoy your stay!
", + "var_murmur_admin_password": "REPLACE_ME" +} diff --git a/ansible/roles/murmur/info.md b/ansible/roles/murmur/info.md new file mode 100644 index 0000000..9067faa --- /dev/null +++ b/ansible/roles/murmur/info.md @@ -0,0 +1,12 @@ +## Beschreibung + +Server-Implementierung _Murmur_ für den Audiokonferenz-Software [Mumble](https://www.mumble.info/) + + +## Verweise + +- [Wikipedia-Artikel zu Mumble](https://de.m.wikipedia.org/wiki/Mumblehttps://de.m.wikipedia.org/wiki/Mumble) +- [Mumble-Wiki | Hauptseite](https://wiki.mumble.info/wiki/Main_Page) +- [Mumble-Wiki | Running Murmur](https://wiki.mumble.info/wiki/Running_Murmur) +- [Mumble-Wiki | Murmurguide](https://wiki.mumble.info/wiki/Murmurguide) +- [Mumble-Wiki | Authentication](https://wiki.mumble.info/wiki/Authentication) diff --git a/ansible/roles/murmur/tasks/main.json b/ansible/roles/murmur/tasks/main.json new file mode 100644 index 0000000..b135abb --- /dev/null +++ b/ansible/roles/murmur/tasks/main.json @@ -0,0 +1,35 @@ +[ + { + "name": "packages", + "become": true, + "ansible.builtin.apt": { + "pkg": [ + "mumble-server" + ] + } + }, + { + "name": "configuration", + "become": true, + "ansible.builtin.template": { + "src": "mumble-server.ini.j2", + "dest": "/etc/mumble-server.ini", + "group": "mumble-server" + } + }, + { + "name": "admin account", + "become": true, + "ansible.builtin.command": { + "cmd": "murmurd -ini /etc/mumble-server.ini -supw {{var_murmur_admin_password}}" + } + }, + { + "name": "service", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "mumble-server" + } + } +] diff --git a/ansible/roles/murmur/templates/mumble-server.ini.j2 b/ansible/roles/murmur/templates/mumble-server.ini.j2 new file mode 100644 index 0000000..4db3508 --- /dev/null +++ b/ansible/roles/murmur/templates/mumble-server.ini.j2 @@ -0,0 +1,380 @@ +; Murmur configuration file. +; +; General notes: +; * Settings in this file are default settings and many of them can be overridden +; with virtual server specific configuration via the Ice or DBus interface. +; * Due to the way this configuration file is read some rules have to be +; followed when specifying variable values (as in variable = value): +; * Make sure to quote the value when using commas in strings or passwords. +; NOT variable = super,secret BUT variable = "super,secret" +; * Make sure to escape special characters like '\' or '"' correctly +; NOT variable = """ BUT variable = "\"" +; NOT regex = \w* BUT regex = \\w* + +; Path to database. If blank, will search for +; murmur.sqlite in default locations or create it if not found. +database={{var_murmur_database_path}} + +; Murmur defaults to using SQLite with its default rollback journal. +; In some situations, using SQLite's write-ahead log (WAL) can be +; advantageous. +; If you encounter slowdowns when moving between channels and similar +; operations, enabling the SQLite write-ahead log might help. +; +; To use SQLite's write-ahead log, set sqlite_wal to one of the following +; values: +; +; 0 - Use SQLite's default rollback journal. +; 1 - Use write-ahead log with synchronous=NORMAL. +; If Murmur crashes, the database will be in a consistent state, but +; the most recent changes might be lost if the operating system did +; not write them to disk yet. This option can improve Murmur's +; interactivity on busy servers, or servers with slow storage. +; 2 - Use write-ahead log with synchronous=FULL. +; All database writes are synchronized to disk when they are made. +; If Murmur crashes, the database will be include all completed writes. +;sqlite_wal=0 + +; If you wish to use something other than SQLite, you'll need to set the name +; of the database above, and also uncomment the below. +; Sticking with SQLite is strongly recommended, as it's the most well tested +; and by far the fastest solution. +; +;dbDriver=QMYSQL +;dbUsername= +;dbPassword= +;dbHost= +;dbPort= +;dbPrefix=murmur_ +;dbOpts= + +; Murmur defaults to not using D-Bus. If you wish to use dbus, which is one of the +; RPC methods available in Murmur, please specify so here. +; +;dbus=system + +; Alternate D-Bus service name. Only use if you are running distinct +; murmurd processes connected to the same D-Bus daemon. +;dbusservice=net.sourceforge.mumble.murmur + +; If you want to use ZeroC Ice to communicate with Murmur, you need +; to specify the endpoint to use. Since there is no authentication +; with ICE, you should only use it if you trust all the users who have +; shell access to your machine. +; Please see the ICE documentation on how to specify endpoints. +#ice="tcp -h 127.0.0.1 -p 6502" + +; Ice primarily uses local sockets. This means anyone who has a +; user account on your machine can connect to the Ice services. +; You can set a plaintext "secret" on the Ice connection, and +; any script attempting to access must then have this secret +; (as context with name "secret"). +; Access is split in read (look only) and write (modify) +; operations. Write access always includes read access, +; unless read is explicitly denied (see note below). +; +; Note that if this is uncommented and with empty content, +; access will be denied. + +;icesecretread= +icesecretwrite= + +; If you want to expose Murmur's experimental gRPC API, you +; need to specify an address to bind on. +; Note: not all builds of Murmur support gRPC. If gRPC is not +; available, Murmur will warn you in its log output. +;grpc="127.0.0.1:50051" +; Specifying both a certificate and key file below will cause gRPC to use +; secured, TLS connections. +;grpccert="" +;grpckey="" + +; Specifies the file Murmur should log to. By default, Murmur +; logs to the file 'murmur.log'. If you leave this field blank +; on Unix-like systems, Murmur will force itself into foreground +; mode which logs to the console. +logfile=/var/log/mumble-server/mumble-server.log + +; If set, Murmur will write its process ID to this file +; when running in daemon mode (when the -fg flag is not +; specified on the command line). Only available on +; Unix-like systems. +pidfile=/run/mumble-server/mumble-server.pid + +; The below will be used as defaults for new configured servers. +; If you're just running one server (the default), it's easier to +; configure it here than through D-Bus or Ice. +; +; Welcome message sent to clients when they connect. +; If the welcome message is set to an empty string, +; no welcome message will be sent to clients. +welcometext="{{var_murmur_welcome_text}}" + +; Port to bind TCP and UDP sockets to. +port={{var_murmur_port | string}} + +; Specific IP or hostname to bind to. +; If this is left blank (default), Murmur will bind to all available addresses. +;host= + +; Password to join server. +serverpassword= + +; Maximum bandwidth (in bits per second) clients are allowed +; to send speech at. +bandwidth=72000 + +; Murmur and Mumble are usually pretty good about cleaning up hung clients, but +; occasionally one will get stuck on the server. The timeout setting will cause +; a periodic check of all clients who haven't communicated with the server in +; this many seconds - causing zombie clients to be disconnected. +; +; Note that this has no effect on idle clients or people who are AFK. It will +; only affect people who are already disconnected, and just haven't told the +; server. +;timeout=30 + +; Maximum number of concurrent clients allowed. +users=100 + +; Where users sets a blanket limit on the number of clients per virtual server, +; usersperchannel sets a limit on the number per channel. The default is 0, for +; no limit. +;usersperchannel=0 + +; Per-user rate limiting +; +; These two settings allow to configure the per-user rate limiter for some +; command messages sent from the client to the server. The messageburst setting +; specifies an amount of messages which are allowed in short bursts. The +; messagelimit setting specifies the number of messages per second allowed over +; a longer period. If a user hits the rate limit, his packages are then ignored +; for some time. Both of these settings have a minimum of 1 as setting either to +; 0 could render the server unusable. +messageburst=5 +messagelimit=1 + +; Respond to UDP ping packets. +; +; Setting to true exposes the current user count, the maximum user count, and +; the server's maximum bandwidth per client to unauthenticated users. In the +; Mumble client, this information is shown in the Connect dialog. +allowping=true + +; Amount of users with Opus support needed to force Opus usage, in percent. +; 0 = Always enable Opus, 100 = enable Opus if it's supported by all clients. +;opusthreshold=100 + +; Maximum depth of channel nesting. Note that some databases like MySQL using +; InnoDB will fail when operating on deeply nested channels. +;channelnestinglimit=10 + +; Maximum number of channels per server. 0 for unlimited. Note that an +; excessive number of channels will impact server performance +;channelcountlimit=1000 + +; Regular expression used to validate channel names. +; (Note that you have to escape backslashes with \ ) +;channelname=[ \\-=\\w\\#\\[\\]\\{\\}\\(\\)\\@\\|]+ + +; Regular expression used to validate user names. +; (Note that you have to escape backslashes with \ ) +;username=[-=\\w\\[\\]\\{\\}\\(\\)\\@\\|\\.]+ + +; If a user has no stored channel (they've never been connected to the server +; before, or rememberchannel is set to false) and the client hasn't been given +; a URL that includes a channel path, the default behavior is that they will +; end up in the root channel. +; +; You can set this setting to a channel ID, and the user will automatically be +; moved into that channel instead. Note that this is the numeric ID of the +; channel, which can be a little tricky to get (you'll either need to use an +; RPC mechanism, watch the console of a debug client, or root around through +; the Murmur Database to get it). +; +;defaultchannel=0 + +; When a user connects to a server they've already been on, by default the +; server will remember the last channel they were in and move them to it +; automatically. Toggling this setting to false will disable that feature. +; +;rememberchannel=true + +; Maximum length of text messages in characters. 0 for no limit. +;textmessagelength=5000 + +; Maximum length of text messages in characters, with image data. 0 for no limit. +;imagemessagelength=131072 + +; Allow clients to use HTML in messages, user comments and channel descriptions? +;allowhtml=true + +; Murmur retains the per-server log entries in an internal database which +; allows it to be accessed over D-Bus/ICE. +; How many days should such entries be kept? +; Set to 0 to keep forever, or -1 to disable logging to the DB. +;logdays=31 + +; To enable public server registration, the serverpassword must be blank, and +; this must all be filled out. +; The password here is used to create a registry for the server name; subsequent +; updates will need the same password. Don't lose your password. +; The URL is your own website, and only set the registerHostname for static IP +; addresses. +; Location is typically the country of typical users of the server, in +; two-letter TLD style (ISO 3166-1 alpha-2 country code) +; +; If you only wish to give your "Root" channel a custom name, then only +; uncomment the 'registerName' parameter. +; +;registerName=Mumble Server +;registerPassword=secret +;registerUrl=http://www.mumble.info/ +;registerHostname= +;registerLocation= + +; If this option is enabled, the server will announce its presence via the +; bonjour service discovery protocol. To change the name announced by bonjour +; adjust the registerName variable. +; See http://developer.apple.com/networking/bonjour/index.html for more information +; about bonjour. +;bonjour=True + +; If you have a proper SSL certificate, you can provide the filenames here. +; Otherwise, Murmur will create its own certificate automatically. +;sslCert= +;sslKey= + +; If the keyfile specified above is encrypted with a passphrase, you can enter +; it in this setting. It must be plaintext, so you may wish to adjust the +; permissions on your murmur.ini file accordingly. +;sslPassPhrase= + +; If your certificate is signed by an authority that uses a sub-signed or +; "intermediate" certificate, you probably need to bundle it with your +; certificate in order to get Murmur to accept it. You can either concatenate +; the two certificates into one file, or you can put it in a file by itself and +; put the path to that PEM-file in sslCA. +;sslCA= + +; The sslDHParams option allows you to specify a PEM-encoded file with +; Diffie-Hellman parameters, which will be used as the default Diffie- +; Hellman parameters for all virtual servers. +; +; Instead of pointing sslDHParams to a file, you can also use the option +; to specify a named set of Diffie-Hellman parameters for Murmur to use. +; Murmur comes bundled with the Diffie-Hellman parameters from RFC 7919. +; These parameters are available by using the following names: +; +; @ffdhe2048, @ffdhe3072, @ffdhe4096, @ffdhe6144, @ffdhe8192 +; +; By default, Murmur uses @ffdhe2048. +;sslDHParams=@ffdhe2048 + +; The sslCiphers option chooses the cipher suites to make available for use +; in SSL/TLS. This option is server-wide, and cannot be set on a +; per-virtual-server basis. +; +; This option is specified using OpenSSL cipher list notation (see +; https://www.openssl.org/docs/apps/ciphers.html#CIPHER-LIST-FORMAT). +; +; It is recommended that you try your cipher string using 'openssl ciphers ' +; before setting it here, to get a feel for which cipher suites you will get. +; +; After setting this option, it is recommend that you inspect your Murmur log +; to ensure that Murmur is using the cipher suites that you expected it to. +; +; Note: Changing this option may impact the backwards compatibility of your +; Murmur server, and can remove the ability for older Mumble clients to be able +; to connect to it. +;sslCiphers=EECDH+AESGCM:EDH+aRSA+AESGCM:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA + +; If Murmur is started as root, which user should it switch to? +; This option is ignored if Murmur isn't started with root privileges. +uname=mumble-server + +; By default, in log files and in the user status window for privileged users, +; Mumble will show IP addresses - in some situations you may find this unwanted +; behavior. If obfuscate is set to true, Murmur will randomize the IP addresses +; of connecting users. +; +; The obfuscate function only affects the log file and DOES NOT effect the user +; information section in the client window. +;obfuscate=false + +; If this options is enabled, only clients which have a certificate are allowed +; to connect. +;certrequired=False + +; If enabled, clients are sent information about the servers version and operating +; system. +;sendversion=True + +; You can set a recommended minimum version for your server, and clients will +; be notified in their log when they connect if their client does not meet the +; minimum requirements. suggestVersion expects the version in the format X.X.X. +; +; Note that the suggest* options appeared after 1.2.3 and will have no effect +; on client versions 1.2.3 and earlier. +; +;suggestVersion= + +; Setting this to "true" will alert any user who does not have positional audio +; enabled that the server administrators recommend enabling it. Setting it to +; "false" will have the opposite effect - if you do not care whether the user +; enables positional audio or not, set it to blank. The message will appear in +; the log window upon connection, but only if the user's settings do not match +; what the server requests. +; +; Note that the suggest* options appeared after 1.2.3 and will have no effect +; on client versions 1.2.3 and earlier. +; +;suggestPositional= + +; Setting this to "true" will alert any user who does not have Push-To-Talk +; enabled that the server administrators recommend enabling it. Setting it to +; "false" will have the opposite effect - if you do not care whether the user +; enables PTT or not, set it to blank. The message will appear in the log +; window upon connection, but only if the user's settings do not match what the +; server requests. +; +; Note that the suggest* options appeared after 1.2.3 and will have no effect +; on client versions 1.2.3 and earlier. +; +;suggestPushToTalk= + +; This sets password hash storage to legacy mode (1.2.4 and before) +; (Note that setting this to true is insecure and should not be used unless absolutely necessary) +;legacyPasswordHash=false + +; By default a strong amount of PBKDF2 iterations are chosen automatically. If >0 this setting +; overrides the automatic benchmark and forces a specific number of iterations. +; (Note that you should only change this value if you know what you are doing) +;kdfIterations=-1 + +; In order to prevent misconfigured, impolite or malicious clients from +; affecting the low-latency of other users, Murmur has a rudimentary global-ban +; system. It's configured using the autobanAttempts, autobanTimeframe and +; autobanTime settings. +; +; If a client attempts autobanAttempts connections in autobanTimeframe seconds, +; they will be banned for autobanTime seconds. This is a global ban, from all +; virtual servers on the Murmur process. It will not show up in any of the +; ban-lists on the server, and they can't be removed without restarting the +; Murmur process - just let them expire. A single, properly functioning client +; should not trip these bans. +; +; To disable, set autobanAttempts or autobanTimeframe to 0. Commenting these +; settings out will cause Murmur to use the defaults: +; +;autobanAttempts=10 +;autobanTimeframe=120 +;autobanTime=300 + +; You can configure any of the configuration options for Ice here. We recommend +; leave the defaults as they are. +; Please note that this section has to be last in the configuration file. +; +[Ice] +Ice.Warn.UnknownProperties=1 +Ice.MessageSizeMax=65536 From 07a681b4351b7d9e39eb007ba56fe796e15fb6c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 23 Dec 2023 12:19:29 +0100 Subject: [PATCH 33/61] =?UTF-8?q?[mod]=20role:authelia:Unterst=C3=BCtzung?= =?UTF-8?q?=20f=C3=BCr=20PostgreSQL=20und=20MariaDB?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ansible/roles/authelia/defaults/main.json | 13 ++++++++++- .../authelia/templates/conf-main.json.j2 | 23 ++++++++++++++++++- 2 files changed, 34 insertions(+), 2 deletions(-) diff --git a/ansible/roles/authelia/defaults/main.json b/ansible/roles/authelia/defaults/main.json index d2fbace..8206661 100644 --- a/ansible/roles/authelia/defaults/main.json +++ b/ansible/roles/authelia/defaults/main.json @@ -7,8 +7,19 @@ "var_authelia_log_file_path": "/var/authelia/log.jsonl", "var_authelia_session_domain": "example.org", "var_authelia_session_secret": "REPLACE_ME", - "var_authelia_storage_path": "/var/authelia/state.db", "var_authelia_storage_encryption_key": "storage_encryption_key", + "var_authelia_storage_kind": "sqlite", + "var_authelia_storage_data_sqlite_path": "/var/authelia/state.db", + "var_authelia_storage_data_postgresql_host": "localhost", + "var_authelia_storage_data_postgresql_port": 5432, + "var_authelia_storage_data_postgresql_username": "authelia_user", + "var_authelia_storage_data_postgresql_password": "REPLACE_ME", + "var_authelia_storage_data_postgresql_schema": "authelia", + "var_authelia_storage_data_mariadb_host": "localhost", + "var_authelia_storage_data_mariadb_port": 3306, + "var_authelia_storage_data_mariadb_username": "authelia_user", + "var_authelia_storage_data_mariadb_password": "REPLACE_ME", + "var_authelia_storage_data_mariadb_schema": "authelia", "var_authelia_ntp_server": "time.cloudflare.com:123", "var_authelia_notification_mode": "smtp", "var_authelia_notification_file_path": "/var/authelia/notifications", diff --git a/ansible/roles/authelia/templates/conf-main.json.j2 b/ansible/roles/authelia/templates/conf-main.json.j2 index 5fa6b6d..096774a 100644 --- a/ansible/roles/authelia/templates/conf-main.json.j2 +++ b/ansible/roles/authelia/templates/conf-main.json.j2 @@ -126,9 +126,30 @@ }, "storage": { "encryption_key": "{{var_authelia_storage_encryption_key}}", +{% if var_authelia_storage_kind == "sqlite" %} "local": { - "path": "{{var_authelia_storage_path}}" + "path": "{{var_authelia_storage_data_sqlite_path}}" } +{% endif %} +{% if var_authelia_storage_kind == "postgresql" %} + "postgres": { + "host": "{{var_authelia_storage_data_postgresql_host}}", + "port": {{var_authelia_storage_data_postgresql_port | string}}, + "schema": "public", + "username": "{{var_authelia_storage_data_postgresql_username}}", + "password": "{{var_authelia_storage_data_postgresql_password}}", + "database": "{{var_authelia_storage_data_postgresql_schema}}" + } +{% endif %} +{% if var_authelia_storage_kind == "mariadb" %} + "mysql": { + "host": "{{var_authelia_storage_data_mariadb_host}}", + "port": {{var_authelia_storage_data_mariadb_port | string}}, + "username": "{{var_authelia_storage_data_mariadb_username}}", + "password": "{{var_authelia_storage_data_mariadb_password}}", + "database": "{{var_authelia_storage_data_mariadb_schema}}" + } +{% endif %} }, "notifier": { "disable_startup_check": true, From dc219168dfa81f5186ccf3ef81c6689b67742031 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 23 Dec 2023 12:41:34 +0100 Subject: [PATCH 34/61] =?UTF-8?q?[mod]=20role:authelia:Neben-Task=20f?= =?UTF-8?q?=C3=BCr=20PostgreSQL-Einrichtung?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../authelia/tasks/database-postgresql.json | 45 +++++++++++++++++++ ansible/roles/authelia/tasks/main.json | 7 +++ 2 files changed, 52 insertions(+) create mode 100644 ansible/roles/authelia/tasks/database-postgresql.json diff --git a/ansible/roles/authelia/tasks/database-postgresql.json b/ansible/roles/authelia/tasks/database-postgresql.json new file mode 100644 index 0000000..ca69439 --- /dev/null +++ b/ansible/roles/authelia/tasks/database-postgresql.json @@ -0,0 +1,45 @@ +[ + { + "name": "database:postgresql | packages", + "become": true, + "ansible.builtin.apt": { + "pkg": [ + "acl", + "python3-psycopg2" + ] + } + }, + { + "name": "database:postgresql | user", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_user": { + "state": "present", + "name": "{{var_authelia_storage_data_postgresql_username}}", + "password": "{{var_authelia_storage_data_postgresql_password}}" + } + }, + { + "name": "database:postgresql | schema", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_db": { + "state": "present", + "name": "{{var_authelia_storage_data_postgresql_schema}}", + "owner": "{{var_authelia_storage_data_postgresql_username}}" + } + }, + { + "name": "database:postgresql | rights", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_privs": { + "state": "present", + "db": "{{var_authelia_storage_data_postgresql_schema}}", + "objs": "ALL_IN_SCHEMA", + "roles": "{{var_authelia_storage_data_postgresql_username}}", + "privs": "ALL", + "grant_option": true + } + } +] diff --git a/ansible/roles/authelia/tasks/main.json b/ansible/roles/authelia/tasks/main.json index c765720..12bbe17 100644 --- a/ansible/roles/authelia/tasks/main.json +++ b/ansible/roles/authelia/tasks/main.json @@ -37,6 +37,13 @@ ] } }, + { + "name": "database", + "when": "var_authelia_storage_kind == 'postgresql'", + "ansible.builtin.include_tasks": { + "file": "database-postgresql.json" + } + }, { "name": "generate private key for signing OIDC JWTs", "become": true, From c332923f6504accd5d8215699ef964a724362e66 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 23 Dec 2023 12:50:10 +0100 Subject: [PATCH 35/61] =?UTF-8?q?[mod]=20role:authelia:Unterst=C3=BCtzung?= =?UTF-8?q?=20f=C3=BCr=20"disabled"-Flag=20bei=20der=20Nutzer-Verwaltung?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ansible/roles/authelia/files/user-manage.py | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/ansible/roles/authelia/files/user-manage.py b/ansible/roles/authelia/files/user-manage.py index 7d9a84e..1e4355a 100644 --- a/ansible/roles/authelia/files/user-manage.py +++ b/ansible/roles/authelia/files/user-manage.py @@ -121,6 +121,14 @@ def main(): default = None, help = "e-mail address of the user", ) + argument_parser.add_argument( + "-x", + "--deactivated", + type = str, + default = "no", + choices = ["no", "yes"], + help = "whether the user shall be deactivated", + ) args = argument_parser.parse_args() ## exec @@ -146,6 +154,7 @@ def main(): raise ValueError("password required") else: entry = { + "disabled": (args.deactivated == "yes"), "displayname": (args.display_name or args.login_name), "password": get_password_hash(args.binary_file_path, args.conf_file_path, args.login_name), "email": args.email, @@ -158,6 +167,10 @@ def main(): raise ValueError("name required") else: entry = data["users"][args.login_name] + if (args.deactivated is None): + pass + else: + entry["disabled"] = (args.deactivated == "yes") if (args.password is None): pass else: From 5c3f628e742a95c0eb9d798c8d16c3484d4e0d42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 23 Dec 2023 12:55:31 +0100 Subject: [PATCH 36/61] =?UTF-8?q?[mod]=20role:authelia:Kennwort-R=C3=BCcks?= =?UTF-8?q?etz-Funktion=20steuern?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ansible/roles/authelia/defaults/main.json | 1 + ansible/roles/authelia/templates/conf-main.json.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ansible/roles/authelia/defaults/main.json b/ansible/roles/authelia/defaults/main.json index 8206661..89c4e12 100644 --- a/ansible/roles/authelia/defaults/main.json +++ b/ansible/roles/authelia/defaults/main.json @@ -21,6 +21,7 @@ "var_authelia_storage_data_mariadb_password": "REPLACE_ME", "var_authelia_storage_data_mariadb_schema": "authelia", "var_authelia_ntp_server": "time.cloudflare.com:123", + "var_authelia_password_reset_enabled": false, "var_authelia_notification_mode": "smtp", "var_authelia_notification_file_path": "/var/authelia/notifications", "var_authelia_notification_smtp_host": "smtp.example.org", diff --git a/ansible/roles/authelia/templates/conf-main.json.j2 b/ansible/roles/authelia/templates/conf-main.json.j2 index 096774a..3b85291 100644 --- a/ansible/roles/authelia/templates/conf-main.json.j2 +++ b/ansible/roles/authelia/templates/conf-main.json.j2 @@ -47,7 +47,7 @@ }, "authentication_backend": { "password_reset": { - "disable": true, + "disable": {{not var_authelia_password_reset_enabled | to_json}}, "custom_url": "" }, "refresh_interval": "5m", From 3d30bc38d240401cdc037e7109acc91ee5d14f1b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Mon, 1 Jan 2024 16:46:36 +0100 Subject: [PATCH 37/61] [fix] role:authelia --- ansible/roles/authelia/templates/conf-main.json.j2 | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ansible/roles/authelia/templates/conf-main.json.j2 b/ansible/roles/authelia/templates/conf-main.json.j2 index 3b85291..4279742 100644 --- a/ansible/roles/authelia/templates/conf-main.json.j2 +++ b/ansible/roles/authelia/templates/conf-main.json.j2 @@ -47,7 +47,11 @@ }, "authentication_backend": { "password_reset": { - "disable": {{not var_authelia_password_reset_enabled | to_json}}, +{% if var_authelia_password_reset_enabled %} + "disable": false, +{% else %} + "disable": true, +{% endif %} "custom_url": "" }, "refresh_interval": "5m", From 5da8450f22150c063dda0d492963d754339001df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 7 Jan 2024 23:42:07 +0100 Subject: [PATCH 38/61] [mod] role:ansible:defaults:password --- ansible/roles/authelia/defaults/main.json | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ansible/roles/authelia/defaults/main.json b/ansible/roles/authelia/defaults/main.json index 89c4e12..de2bc43 100644 --- a/ansible/roles/authelia/defaults/main.json +++ b/ansible/roles/authelia/defaults/main.json @@ -27,7 +27,9 @@ "var_authelia_notification_smtp_host": "smtp.example.org", "var_authelia_notification_smtp_port": "465", "var_authelia_notification_smtp_username": "authelia", - "var_authelia_notification_smtp_password": "smtp_password", + "var_authelia_notification_smtp_password": "REPLACE_ME", "var_authelia_notification_smtp_sender": "Authelia", - "var_authelia_oidc_hmac_secret": "oidc_hmac_secret" + "var_authelia_oidc_hmac_secret": "REPLACE_ME", + "var_authelia_domain": "authelia.example.org", + "var_authelia_webportal_kind": "none" } From 944f75de59b5945f2b9a646c7d3d92d27e7e1026 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 7 Jan 2024 23:42:25 +0100 Subject: [PATCH 39/61] [mod] role:ansible:defaults:password --- ansible/roles/authelia/defaults/main.json | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/ansible/roles/authelia/defaults/main.json b/ansible/roles/authelia/defaults/main.json index de2bc43..af34caa 100644 --- a/ansible/roles/authelia/defaults/main.json +++ b/ansible/roles/authelia/defaults/main.json @@ -29,7 +29,5 @@ "var_authelia_notification_smtp_username": "authelia", "var_authelia_notification_smtp_password": "REPLACE_ME", "var_authelia_notification_smtp_sender": "Authelia", - "var_authelia_oidc_hmac_secret": "REPLACE_ME", - "var_authelia_domain": "authelia.example.org", - "var_authelia_webportal_kind": "none" + "var_authelia_oidc_hmac_secret": "REPLACE_ME" } From b658f3057ca9f1c3689feb4fbdcc3f25db020c34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 19 Mar 2024 18:45:32 +0100 Subject: [PATCH 40/61] [add] role:postgresql-for-authelia --- .../defaults/main.json | 7 ++++++ .../tasks/main.json} | 20 ++++++++--------- .../roles/postgresql-for-authelia/vardef.json | 22 +++++++++++++++++++ 3 files changed, 39 insertions(+), 10 deletions(-) create mode 100644 ansible/roles/postgresql-for-authelia/defaults/main.json rename ansible/roles/{authelia/tasks/database-postgresql.json => postgresql-for-authelia/tasks/main.json} (50%) create mode 100644 ansible/roles/postgresql-for-authelia/vardef.json diff --git a/ansible/roles/postgresql-for-authelia/defaults/main.json b/ansible/roles/postgresql-for-authelia/defaults/main.json new file mode 100644 index 0000000..379cde9 --- /dev/null +++ b/ansible/roles/postgresql-for-authelia/defaults/main.json @@ -0,0 +1,7 @@ +{ + "var_postgresql_for_authelia_host": "localhost", + "var_postgresql_for_authelia_port": 5432, + "var_postgresql_for_authelia_username": "authelia_user", + "var_postgresql_for_authelia_password": "REPLACE_ME", + "var_postgresql_for_authelia_schema": "authelia" +} diff --git a/ansible/roles/authelia/tasks/database-postgresql.json b/ansible/roles/postgresql-for-authelia/tasks/main.json similarity index 50% rename from ansible/roles/authelia/tasks/database-postgresql.json rename to ansible/roles/postgresql-for-authelia/tasks/main.json index ca69439..0f053db 100644 --- a/ansible/roles/authelia/tasks/database-postgresql.json +++ b/ansible/roles/postgresql-for-authelia/tasks/main.json @@ -1,6 +1,6 @@ [ { - "name": "database:postgresql | packages", + "name": "packages", "become": true, "ansible.builtin.apt": { "pkg": [ @@ -10,34 +10,34 @@ } }, { - "name": "database:postgresql | user", + "name": "user", "become": true, "become_user": "postgres", "community.postgresql.postgresql_user": { "state": "present", - "name": "{{var_authelia_storage_data_postgresql_username}}", - "password": "{{var_authelia_storage_data_postgresql_password}}" + "name": "{{var_postgresql_for_authelia_username}}", + "password": "{{var_postgresql_for_authelia_password}}" } }, { - "name": "database:postgresql | schema", + "name": "schema", "become": true, "become_user": "postgres", "community.postgresql.postgresql_db": { "state": "present", - "name": "{{var_authelia_storage_data_postgresql_schema}}", - "owner": "{{var_authelia_storage_data_postgresql_username}}" + "name": "{{var_postgresql_for_authelia_schema}}", + "owner": "{{var_postgresql_for_authelia_username}}" } }, { - "name": "database:postgresql | rights", + "name": "rights", "become": true, "become_user": "postgres", "community.postgresql.postgresql_privs": { "state": "present", - "db": "{{var_authelia_storage_data_postgresql_schema}}", + "db": "{{var_postgresql_for_authelia_schema}}", "objs": "ALL_IN_SCHEMA", - "roles": "{{var_authelia_storage_data_postgresql_username}}", + "roles": "{{var_postgresql_for_authelia_username}}", "privs": "ALL", "grant_option": true } diff --git a/ansible/roles/postgresql-for-authelia/vardef.json b/ansible/roles/postgresql-for-authelia/vardef.json new file mode 100644 index 0000000..87b266f --- /dev/null +++ b/ansible/roles/postgresql-for-authelia/vardef.json @@ -0,0 +1,22 @@ +{ + "host": { + "mandatory": false, + "type": "string" + }, + "port": { + "mandatory": false, + "type": "integer" + }, + "username": { + "mandatory": false, + "type": "string" + }, + "password": { + "mandatory": true, + "type": "string" + }, + "schema": { + "mandatory": false, + "type": "string" + } +} From db0ce652945070e19621cfa325fd1c8fdb2e0589 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 19 Mar 2024 18:46:14 +0100 Subject: [PATCH 41/61] [fix] role:authelia --- ansible/roles/authelia/tasks/main.json | 7 ------- 1 file changed, 7 deletions(-) diff --git a/ansible/roles/authelia/tasks/main.json b/ansible/roles/authelia/tasks/main.json index 12bbe17..c765720 100644 --- a/ansible/roles/authelia/tasks/main.json +++ b/ansible/roles/authelia/tasks/main.json @@ -37,13 +37,6 @@ ] } }, - { - "name": "database", - "when": "var_authelia_storage_kind == 'postgresql'", - "ansible.builtin.include_tasks": { - "file": "database-postgresql.json" - } - }, { "name": "generate private key for signing OIDC JWTs", "become": true, From 167e11ec2eb9aa2f6dac087b3a82bf702537c1d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:03:48 +0100 Subject: [PATCH 42/61] [fix] role:tlscert_acme_inwx:apt update --- ansible/roles/tlscert_acme_inwx/tasks/main.json | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/tlscert_acme_inwx/tasks/main.json b/ansible/roles/tlscert_acme_inwx/tasks/main.json index d7016ba..0e8a365 100644 --- a/ansible/roles/tlscert_acme_inwx/tasks/main.json +++ b/ansible/roles/tlscert_acme_inwx/tasks/main.json @@ -3,6 +3,7 @@ "name": "packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "openssl", "python3-cryptography" From f3e0d206fa732543cef7c12edf1d64d3fe452a34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:04:13 +0100 Subject: [PATCH 43/61] [fix] role:tlscert_selfsigned:apt update --- ansible/roles/tlscert_selfsigned/tasks/main.json | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/tlscert_selfsigned/tasks/main.json b/ansible/roles/tlscert_selfsigned/tasks/main.json index 96d3863..5b816f3 100644 --- a/ansible/roles/tlscert_selfsigned/tasks/main.json +++ b/ansible/roles/tlscert_selfsigned/tasks/main.json @@ -3,6 +3,7 @@ "name": "install packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "openssl", "python3-cryptography" From 368d2ecec26d24302a893f38c3465ff17e90949b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:04:43 +0100 Subject: [PATCH 44/61] [fix] role:tlscert_acme_netcup:apt update --- ansible/roles/tlscert_acme_netcup/tasks/main.json | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/tlscert_acme_netcup/tasks/main.json b/ansible/roles/tlscert_acme_netcup/tasks/main.json index 37ad51c..574ee11 100644 --- a/ansible/roles/tlscert_acme_netcup/tasks/main.json +++ b/ansible/roles/tlscert_acme_netcup/tasks/main.json @@ -3,6 +3,7 @@ "name": "packages | debian", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "openssl", "python3-cryptography", From 8353f9ea908b865607ebc47244ba59ca97e23165 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:05:11 +0100 Subject: [PATCH 45/61] [fix] role:lighttpd:apt update --- ansible/roles/lighttpd/tasks/main.json | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/lighttpd/tasks/main.json b/ansible/roles/lighttpd/tasks/main.json index 5d8d887..1b6af91 100644 --- a/ansible/roles/lighttpd/tasks/main.json +++ b/ansible/roles/lighttpd/tasks/main.json @@ -3,6 +3,7 @@ "name": "install packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "lighttpd", "lighttpd-mod-openssl" From 2c5aa961c89de96710f28a17b2f9c0138f0e9f2e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:05:24 +0100 Subject: [PATCH 46/61] [fix] role:murmur:apt update --- ansible/roles/murmur/tasks/main.json | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/murmur/tasks/main.json b/ansible/roles/murmur/tasks/main.json index b135abb..7341ac8 100644 --- a/ansible/roles/murmur/tasks/main.json +++ b/ansible/roles/murmur/tasks/main.json @@ -3,6 +3,7 @@ "name": "packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "mumble-server" ] From 64224db0e5b4c748c2f909052d9bfbcec8e0dc8c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:05:42 +0100 Subject: [PATCH 47/61] [fix] role:nginx:apt update --- ansible/roles/nginx/tasks/main.json | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/nginx/tasks/main.json b/ansible/roles/nginx/tasks/main.json index d39c1e2..c8e2b40 100644 --- a/ansible/roles/nginx/tasks/main.json +++ b/ansible/roles/nginx/tasks/main.json @@ -3,6 +3,7 @@ "name": "install packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "nginx" ] From 26ca0b14c4e44dbd2c8beadc2f47be8ba4bf2c16 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:06:17 +0100 Subject: [PATCH 48/61] [add] role:sqlite-for-hedgedoc --- .../sqlite-for-hedgedoc/defaults/main.json | 4 ++++ .../roles/sqlite-for-hedgedoc/tasks/main.json | 20 +++++++++++++++++++ ansible/roles/sqlite-for-hedgedoc/vardef.json | 10 ++++++++++ 3 files changed, 34 insertions(+) create mode 100644 ansible/roles/sqlite-for-hedgedoc/defaults/main.json create mode 100644 ansible/roles/sqlite-for-hedgedoc/tasks/main.json create mode 100644 ansible/roles/sqlite-for-hedgedoc/vardef.json diff --git a/ansible/roles/sqlite-for-hedgedoc/defaults/main.json b/ansible/roles/sqlite-for-hedgedoc/defaults/main.json new file mode 100644 index 0000000..e574eac --- /dev/null +++ b/ansible/roles/sqlite-for-hedgedoc/defaults/main.json @@ -0,0 +1,4 @@ +{ + "var_sqlite_for_hedgedoc_path": "/var/hedgedoc/data.sqlite", + "var_sqlite_for_hedgedoc_user_name": "hedgedoc" +} diff --git a/ansible/roles/sqlite-for-hedgedoc/tasks/main.json b/ansible/roles/sqlite-for-hedgedoc/tasks/main.json new file mode 100644 index 0000000..7495fca --- /dev/null +++ b/ansible/roles/sqlite-for-hedgedoc/tasks/main.json @@ -0,0 +1,20 @@ +[ + { + "name": "directory", + "become": true, + "ansible.builtin.file": { + "state": "directory", + "path": "{{var_sqlite_for_hedgedoc_path | dirname}}", + "owner": "{{var_hedgedoc_user_name}}" + } + }, + { + "name": "file", + "become": true, + "ansible.builtin.file": { + "state": "touch", + "path": "{{var_sqlite_for_hedgedoc_path}}", + "owner": "{{var_sqlite_for_hedgedoc_user_name}}" + } + } +] diff --git a/ansible/roles/sqlite-for-hedgedoc/vardef.json b/ansible/roles/sqlite-for-hedgedoc/vardef.json new file mode 100644 index 0000000..e62f130 --- /dev/null +++ b/ansible/roles/sqlite-for-hedgedoc/vardef.json @@ -0,0 +1,10 @@ +{ + "path": { + "type": "string", + "mandatory": false + }, + "user_name": { + "type": "string", + "mandatory": false + } +} From 342fc6dd9b7a0ce2f3ec31171ba64b180d89ad05 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:06:32 +0100 Subject: [PATCH 49/61] [fix] role:proftpd:apt update --- ansible/roles/proftpd/tasks/main.json | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/proftpd/tasks/main.json b/ansible/roles/proftpd/tasks/main.json index 982ae45..d277bc0 100644 --- a/ansible/roles/proftpd/tasks/main.json +++ b/ansible/roles/proftpd/tasks/main.json @@ -3,6 +3,7 @@ "name": "install packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "proftpd-core" ] From 1849d6b7a19b4140986caa9a7f29277d5ecb0932 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:07:15 +0100 Subject: [PATCH 50/61] [fix] role:synapse:Variablennamen --- ansible/roles/synapse/defaults/main.json | 14 +++++++------- .../roles/synapse/templates/homeserver.yaml.j2 | 16 ++++++++-------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/ansible/roles/synapse/defaults/main.json b/ansible/roles/synapse/defaults/main.json index a57ac35..28ee5e3 100644 --- a/ansible/roles/synapse/defaults/main.json +++ b/ansible/roles/synapse/defaults/main.json @@ -1,13 +1,13 @@ { "var_synapse_scheme": "https", "var_synapse_domain": "synapse.example.org", - "var_synaspe_database_kind": "sqlite", - "var_synaspe_database_sqlite_path": "/var/synapse/data.sqlite", - "var_synaspe_database_postgresql_host": "localhost", - "var_synaspe_database_postgresql_port": "5432", - "var_synaspe_database_postgresql_username": "synapse_user", - "var_synaspe_database_postgresql_password": "REPLACE_ME", - "var_synaspe_database_postgresql_schema": "synapse", + "var_synapse_database_kind": "sqlite", + "var_synapse_database_data_sqlite_path": "/var/synapse/data.sqlite", + "var_synapse_database_data_postgresql_host": "localhost", + "var_synapse_database_data_postgresql_port": 5432, + "var_synapse_database_data_postgresql_username": "synapse_user", + "var_synapse_database_data_postgresql_password": "REPLACE_ME", + "var_synapse_database_data_postgresql_schema": "synapse", "var_synapse_element_url": "https://element.example.org", "var_synapse_title": "Example | Matrix", "var_synapse_federation_whitelist": [], diff --git a/ansible/roles/synapse/templates/homeserver.yaml.j2 b/ansible/roles/synapse/templates/homeserver.yaml.j2 index de8088e..06e7079 100644 --- a/ansible/roles/synapse/templates/homeserver.yaml.j2 +++ b/ansible/roles/synapse/templates/homeserver.yaml.j2 @@ -1,19 +1,19 @@ -{% if var_synaspe_database_kind == 'sqlite' %} +{% if var_synapse_database_kind == 'sqlite' %} database: name: sqlite3 args: - database: {{var_synaspe_database_sqlite_path}} + database: {{var_synapse_database_sqlite_path}} {% endif %} -{% if var_synaspe_database_kind == 'postgresql' %} +{% if var_synapse_database_kind == 'postgresql' %} database: name: psycopg2 args: - host: {{var_synapse_database_postgresql_host}} - port: {{var_synapse_database_postgresql_port}} - database: "{{var_synapse_database_postgresql_schema}}" - user: "{{var_synapse_database_postgresql_username}}" - password: "{{var_synapse_database_postgresql_password}}" + host: {{var_synapse_database_data_postgresql_host}} + port: {{var_synapse_database_data_postgresql_port | string}} + database: "{{var_synapse_database_data_postgresql_schema}}" + user: "{{var_synapse_database_data_postgresql_username}}" + password: "{{var_synapse_database_data_postgresql_password}}" cp_min: 5 cp_max: 10 {% endif %} From 6fc1f26af22b6a6284a1420aa1ecb49d8c76e101 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:07:58 +0100 Subject: [PATCH 51/61] [fix] role:hedgedoc --- ansible/roles/hedgedoc/defaults/main.json | 11 +-- ansible/roles/hedgedoc/tasks/main.json | 19 +--- .../roles/hedgedoc/templates/config.json.j2 | 25 +++--- ansible/roles/hedgedoc/vardef.json | 87 +++++++++++++++++++ 4 files changed, 105 insertions(+), 37 deletions(-) create mode 100644 ansible/roles/hedgedoc/vardef.json diff --git a/ansible/roles/hedgedoc/defaults/main.json b/ansible/roles/hedgedoc/defaults/main.json index 438eb14..e2a58c4 100644 --- a/ansible/roles/hedgedoc/defaults/main.json +++ b/ansible/roles/hedgedoc/defaults/main.json @@ -11,13 +11,10 @@ "var_hedgedoc_database_data_postgresql_password": "REPLACE_ME", "var_hedgedoc_database_data_postgresql_schema": "hedgedoc", "var_hedgedoc_domain": "hedgedoc.example.org", - "var_hedgedoc_oauth2_enable": false, - "var_hedgedoc_oauth2_provider_name": "external auth", - "var_hedgedoc_oauth2_client_id": "hedgedoc", - "var_hedgedoc_oauth2_client_secret": "REPLACE_ME", - "var_hedgedoc_oauth2_user_profile_url": "https://auth.example.org/profile", - "var_hedgedoc_oauth2_token_url": "https://auth.example.org/token", - "var_hedgedoc_oauth2_authorization_url": "https://auth.example.org/authorization", + "var_hedgedoc_authentication_kind": "authelia", + "var_hedgedoc_authentication_data_authelia_client_id": "hedgedoc", + "var_hedgedoc_authentication_data_authelia_client_secret": "REPLACE_ME", + "var_hedgedoc_authentication_data_authelia_url_base": "https://authelia.linke.sx", "var_hedgedoc_guest_allow_create": false, "var_hedgedoc_guest_allow_change": false, "var_hedgedoc_free_names_mode": "authed" diff --git a/ansible/roles/hedgedoc/tasks/main.json b/ansible/roles/hedgedoc/tasks/main.json index 984e44d..b4fd779 100644 --- a/ansible/roles/hedgedoc/tasks/main.json +++ b/ansible/roles/hedgedoc/tasks/main.json @@ -3,6 +3,7 @@ "name": "packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "acl", "git", @@ -56,24 +57,6 @@ "cmd": "bin/setup" } }, - { - "name": "var directory", - "become": true, - "ansible.builtin.file": { - "state": "directory", - "path": "{{var_hedgedoc_database_path | dirname}}", - "owner": "{{var_hedgedoc_user_name}}" - } - }, - { - "name": "database", - "become": true, - "ansible.builtin.file": { - "state": "touch", - "path": "{{var_hedgedoc_database_path}}", - "owner": "{{var_hedgedoc_user_name}}" - } - }, { "name": "configuration", "become": true, diff --git a/ansible/roles/hedgedoc/templates/config.json.j2 b/ansible/roles/hedgedoc/templates/config.json.j2 index 6c953c5..a5d3184 100644 --- a/ansible/roles/hedgedoc/templates/config.json.j2 +++ b/ansible/roles/hedgedoc/templates/config.json.j2 @@ -4,7 +4,7 @@ {% if var_hedgedoc_database_kind == 'sqlite' %} "db": { "dialect": "sqlite", - "storage": "{{var_hedgedoc_database_path}}" + "storage": "{{var_hedgedoc_database_data_sqlite_path}}" }, {% endif %} {% if var_hedgedoc_database_kind == 'postgresql' %} @@ -25,27 +25,28 @@ "domain": "{{var_hedgedoc_domain}}", "urlAddPort": false, "protocolUseSSL": true, -{% if var_hedgedoc_oauth2_enable %} +{% if var_hedgedoc_authentication_kind == 'internal' %} + "email": true, + "allowEmailRegister": true, +{% endif %} +{% if var_hedgedoc_authentication_kind == 'authelia' %} "oauth2": { - "providerName": "{{var_hedgedoc_oauth2_provider_name}}", - "clientID": "{{var_hedgedoc_oauth2_client_id}}", - "clientSecret": "{{var_hedgedoc_oauth2_client_secret}}", + "providerName": "{{var_hedgedoc_authentication_data_authelia_provider_name}}", + "clientID": "{{var_hedgedoc_authentication_data_authelia_client_id}}", + "clientSecret": "{{var_hedgedoc_authentication_data_authelia_client_secret}}", "scope": "openid email profile", "userProfileUsernameAttr": "sub", "userProfileDisplayNameAttr": "name", "userProfileEmailAttr": "email", - "userProfileURL": "{{var_hedgedoc_oauth2_user_profile_url}}", - "tokenURL": "{{var_hedgedoc_oauth2_token_url}}", - "authorizationURL": "{{var_hedgedoc_oauth2_authorization_url}}" + "userProfileURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/profile", + "tokenURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/token", + "authorizationURL": "{{var_hedgedoc_authentication_data_authelia_url_base}}/authorization" }, "email": false, "allowEmailRegister": false, -{% else %} - "email": true, - "allowEmailRegister": true, {% endif %} "allowAnonymous": {{var_hedgedoc_guest_allow_create | to_json}}, - "allowAnonymousEdits": {{var_hedgedoc_guest_allow_edit | to_json}}, + "allowAnonymousEdits": {{var_hedgedoc_guest_allow_change | to_json}}, {% if var_hedgedoc_free_names_mode == 'never' %} "allowFreeURL": false, "requireFreeURLAuthentication": false, diff --git a/ansible/roles/hedgedoc/vardef.json b/ansible/roles/hedgedoc/vardef.json new file mode 100644 index 0000000..cb6e8d6 --- /dev/null +++ b/ansible/roles/hedgedoc/vardef.json @@ -0,0 +1,87 @@ +{ + "user_name": { + "type": "string", + "mandatory": false + }, + "directory": { + "type": "string", + "mandatory": false + }, + "version": { + "type": "string", + "mandatory": false + }, + "session_secret": { + "type": "string", + "mandatory": true + }, + "database_kind": { + "type": "string", + "mandatory": false, + "options": [ + "sqlite", + "postgresql", + "mariadb" + ] + }, + "database_data_sqlite_path": { + "type": "string", + "mandatory": false + }, + "database_data_postgresql_host": { + "type": "string", + "mandatory": false + }, + "database_data_postgresql_port": { + "type": "integer", + "mandatory": false + }, + "database_data_postgresql_username": { + "type": "string", + "mandatory": false + }, + "database_data_postgresql_password": { + "type": "string", + "mandatory": false + }, + "database_data_postgresql_schema": { + "type": "string", + "mandatory": false + }, + "domain": { + "type": "string", + "mandatory": false + }, + "authentication_kind": { + "type": "string", + "mandatory": false, + "options": [ + "internal", + "authelia" + ] + }, + "authentication_data_authelia_client_id": { + "type": "string", + "mandatory": false + }, + "authentication_data_authelia_client_secret": { + "type": "string", + "mandatory": false + }, + "authentication_data_authelia_url_base": { + "type": "string", + "mandatory": false + }, + "guest_allow_create": { + "type": "boolean", + "mandatory": false + }, + "guest_allow_change": { + "type": "boolean", + "mandatory": false + }, + "free_names_mode": { + "type": "string", + "mandatory": false + } +} From c2879c7bf2f36dd013d7791c4e0c05e138d86062 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:08:30 +0100 Subject: [PATCH 52/61] [fix] role:postgresql:apt update --- ansible/roles/postgresql/tasks/main.json | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/postgresql/tasks/main.json b/ansible/roles/postgresql/tasks/main.json index d870dc8..b87c19b 100644 --- a/ansible/roles/postgresql/tasks/main.json +++ b/ansible/roles/postgresql/tasks/main.json @@ -3,6 +3,7 @@ "name": "install packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "postgresql" ] From cb09bca26e9357ff1733dd84c42a0a3a77a29f37 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:08:53 +0100 Subject: [PATCH 53/61] =?UTF-8?q?[mod]=20role:postgresql:Integer-Wert=20f?= =?UTF-8?q?=C3=BCr=20Port=20verwenden?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ansible/roles/postgresql/defaults/main.json | 2 +- .../roles/postgresql/templates/postgresql.conf.j2 | 2 +- ansible/roles/postgresql/vardef.json | 15 +++++++++++++++ 3 files changed, 17 insertions(+), 2 deletions(-) create mode 100644 ansible/roles/postgresql/vardef.json diff --git a/ansible/roles/postgresql/defaults/main.json b/ansible/roles/postgresql/defaults/main.json index abd9af3..ff00ca2 100644 --- a/ansible/roles/postgresql/defaults/main.json +++ b/ansible/roles/postgresql/defaults/main.json @@ -1,5 +1,5 @@ { "var_postgresql_listen_address": "localhost", - "var_postgresql_port": "5432" + "var_postgresql_port": 5432 } diff --git a/ansible/roles/postgresql/templates/postgresql.conf.j2 b/ansible/roles/postgresql/templates/postgresql.conf.j2 index 1b5c664..3b2847f 100644 --- a/ansible/roles/postgresql/templates/postgresql.conf.j2 +++ b/ansible/roles/postgresql/templates/postgresql.conf.j2 @@ -61,7 +61,7 @@ listen_addresses = '{{var_postgresql_listen_address}}' # what IP address(es) to # comma-separated list of addresses; # defaults to 'localhost'; use '*' for all # (change requires restart) -port = {{var_postgresql_port}} # (change requires restart) +port = {{var_postgresql_port | string}} # (change requires restart) max_connections = 100 # (change requires restart) #superuser_reserved_connections = 3 # (change requires restart) unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories diff --git a/ansible/roles/postgresql/vardef.json b/ansible/roles/postgresql/vardef.json new file mode 100644 index 0000000..0fc124f --- /dev/null +++ b/ansible/roles/postgresql/vardef.json @@ -0,0 +1,15 @@ +{ + "listen_address": { + "mandatory": false, + "type": "string" + }, + "port": { + "mandatory": false, + "type": "integer" + }, + "allow_md5_auth": { + "mandatory": false, + "type": "boolean" + } +} + From b36bcf9b83a5cc46f8be8671be4cf0f47e95892b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:09:41 +0100 Subject: [PATCH 54/61] [fix] role:authelia --- ansible/roles/authelia/defaults/main.json | 6 +- ansible/roles/authelia/files/user-manage.py | 12 +- ansible/roles/authelia/tasks/main.json | 1 + .../authelia/templates/conf-main.json.j2 | 43 +++--- ansible/roles/authelia/templates/users.yml.j2 | 6 +- ansible/roles/authelia/vardef.json | 130 ++++++++++++++++++ 6 files changed, 170 insertions(+), 28 deletions(-) create mode 100644 ansible/roles/authelia/vardef.json diff --git a/ansible/roles/authelia/defaults/main.json b/ansible/roles/authelia/defaults/main.json index af34caa..9b5e676 100644 --- a/ansible/roles/authelia/defaults/main.json +++ b/ansible/roles/authelia/defaults/main.json @@ -7,7 +7,7 @@ "var_authelia_log_file_path": "/var/authelia/log.jsonl", "var_authelia_session_domain": "example.org", "var_authelia_session_secret": "REPLACE_ME", - "var_authelia_storage_encryption_key": "storage_encryption_key", + "var_authelia_storage_encryption_key": "REPLACE_ME", "var_authelia_storage_kind": "sqlite", "var_authelia_storage_data_sqlite_path": "/var/authelia/state.db", "var_authelia_storage_data_postgresql_host": "localhost", @@ -25,9 +25,9 @@ "var_authelia_notification_mode": "smtp", "var_authelia_notification_file_path": "/var/authelia/notifications", "var_authelia_notification_smtp_host": "smtp.example.org", - "var_authelia_notification_smtp_port": "465", + "var_authelia_notification_smtp_port": 465, "var_authelia_notification_smtp_username": "authelia", "var_authelia_notification_smtp_password": "REPLACE_ME", - "var_authelia_notification_smtp_sender": "Authelia", + "var_authelia_notification_smtp_sender": "authelia@example.org", "var_authelia_oidc_hmac_secret": "REPLACE_ME" } diff --git a/ansible/roles/authelia/files/user-manage.py b/ansible/roles/authelia/files/user-manage.py index 1e4355a..afd9171 100644 --- a/ansible/roles/authelia/files/user-manage.py +++ b/ansible/roles/authelia/files/user-manage.py @@ -28,14 +28,18 @@ def file_write(path, content): return content -def get_password_hash(binary_file_path, conf_file_path, name): +def get_password_hash(binary_file_path, conf_file_path, password): + # /usr/bin/authelia --config=/etc/authelia/configuration.yml crypto hash generate bcrypt --password=alice output = _subprocess.check_output([ binary_file_path, "--config=%s" % conf_file_path, - "hash-password", - name + "crypto", + "hash", + "generate", + "bcrypt", + "--password=%s" % password, ]) - return output.decode("utf-8").split("\n")[0][8:] + return output.decode("utf-8").split("\n")[0].split(" ")[1] def postprocess(binary_file_path, conf_file_path, data): diff --git a/ansible/roles/authelia/tasks/main.json b/ansible/roles/authelia/tasks/main.json index c765720..92811fa 100644 --- a/ansible/roles/authelia/tasks/main.json +++ b/ansible/roles/authelia/tasks/main.json @@ -3,6 +3,7 @@ "name": "packages | prerequisites", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "apt-transport-https", "gpg" diff --git a/ansible/roles/authelia/templates/conf-main.json.j2 b/ansible/roles/authelia/templates/conf-main.json.j2 index 4279742..98c0437 100644 --- a/ansible/roles/authelia/templates/conf-main.json.j2 +++ b/ansible/roles/authelia/templates/conf-main.json.j2 @@ -1,13 +1,17 @@ { "theme": "auto", - "jwt_secret": "{{var_authelia_jwt_secret}}", + "identity_validation": { + "reset_password": { + "jwt_secret": "{{var_authelia_jwt_secret}}" + } + }, "default_2fa_method": "totp", "server": { - "host": "{{var_authelia_listen_address}}", - "port": 9091, - "path": "", - "enable_pprof": false, - "enable_expvars": false, + "address": "{{var_authelia_listen_address}}:9091", + "endpoints": { + "enable_pprof": false, + "enable_expvars": false + }, "disable_healthcheck": false }, "log": { @@ -121,7 +125,7 @@ "secret": "{{var_authelia_session_secret}}", "expiration": "1h", "inactivity": "5m", - "remember_me_duration": "1M" + "remember_me": "1M" }, "regulation": { "max_retries": 3, @@ -137,8 +141,7 @@ {% endif %} {% if var_authelia_storage_kind == "postgresql" %} "postgres": { - "host": "{{var_authelia_storage_data_postgresql_host}}", - "port": {{var_authelia_storage_data_postgresql_port | string}}, + "address": "{{var_authelia_storage_data_postgresql_host}}:{{var_authelia_storage_data_postgresql_port | string}}", "schema": "public", "username": "{{var_authelia_storage_data_postgresql_username}}", "password": "{{var_authelia_storage_data_postgresql_password}}", @@ -163,18 +166,18 @@ } {% endif %} {% if var_authelia_notification_mode == "smtp" %} - "smtp": { - "host": "{{var_authelia_notification_smtp_host}}", - "port": {{var_authelia_notification_smtp_port}}, - "username": "{{var_authelia_notification_smtp_username}}", - "password": "{{var_authelia_notification_smtp_password}}", - "sender": "{{var_authelia_notification_smtp_sender}}", - "disable_require_tls": false, - "disable_html_emails": false, - "tls": { - "skip_verify": false + "smtp": { + "host": "{{var_authelia_notification_smtp_host}}", + "port": {{var_authelia_notification_smtp_port | string}}, + "username": "{{var_authelia_notification_smtp_username}}", + "password": "{{var_authelia_notification_smtp_password}}", + "sender": "{{var_authelia_notification_smtp_sender}}", + "disable_require_tls": false, + "disable_html_emails": false, + "tls": { + "skip_verify": false + } } - } {% endif %} }, "identity_providers": { diff --git a/ansible/roles/authelia/templates/users.yml.j2 b/ansible/roles/authelia/templates/users.yml.j2 index bf82e98..fcd822f 100644 --- a/ansible/roles/authelia/templates/users.yml.j2 +++ b/ansible/roles/authelia/templates/users.yml.j2 @@ -1 +1,5 @@ -users: {} +users: + _dummy: + displayname: dummy + password: "$2b$12$N5qptdk1VtpSlIlCxspLxeNeRIP6UEho4r1ZCoOlfpAtsIJQIjV/a" + email: dummy@example.org diff --git a/ansible/roles/authelia/vardef.json b/ansible/roles/authelia/vardef.json new file mode 100644 index 0000000..8370d6b --- /dev/null +++ b/ansible/roles/authelia/vardef.json @@ -0,0 +1,130 @@ +{ + "version": { + "type": "string", + "mandatory": false + }, + "architecture": { + "type": "string", + "mandatory": false + }, + "listen_address": { + "type": "string", + "mandatory": false + }, + "jwt_secret": { + "type": "string", + "mandatory": true + }, + "users_file_path": { + "type": "string", + "mandatory": false + }, + "log_file_path": { + "type": "string", + "mandatory": false + }, + "session_domain": { + "type": "string", + "mandatory": false + }, + "session_secret": { + "type": "string", + "mandatory": true + }, + "storage_encryption_key": { + "type": "string", + "mandatory": true + }, + "storage_kind": { + "type": "string", + "mandatory": false + }, + "storage_data_sqlite_path": { + "type": "string", + "mandatory": false + }, + "storage_data_postgresql_host": { + "type": "string", + "mandatory": false + }, + "storage_data_postgresql_port": { + "type": "integer", + "mandatory": false + }, + "storage_data_postgresql_username": { + "type": "string", + "mandatory": false + }, + "storage_data_postgresql_password": { + "type": "string", + "mandatory": false + }, + "storage_data_postgresql_schema": { + "type": "string", + "mandatory": false + }, + "storage_data_mariadb_host": { + "type": "string", + "mandatory": false + }, + "storage_data_mariadb_port": { + "type": "integer", + "mandatory": false + }, + "storage_data_mariadb_username": { + "type": "string", + "mandatory": false + }, + "storage_data_mariadb_password": { + "type": "string", + "mandatory": false + }, + "storage_data_mariadb_schema": { + "type": "string", + "mandatory": false + }, + "ntp_server": { + "type": "string", + "mandatory": false + }, + "password_reset_enabled": { + "type": "boolean", + "mandatory": false + }, + "notification_mode": { + "type": "string", + "mandatory": false, + "options": [ + "file", + "smtp" + ] + }, + "notification_file_path": { + "type": "string", + "mandatory": false + }, + "notification_smtp_host": { + "type": "string", + "mandatory": false + }, + "notification_smtp_port": { + "type": "integer", + "mandatory": false + }, + "notification_smtp_username": { + "type": "string", + "mandatory": false + }, + "notification_smtp_password": { + "type": "string", + "mandatory": false + }, + "notification_smtp_sender": { + "type": "string", + "mandatory": false + }, + "oidc_hmac_secret": { + "type": "string", + "mandatory": true + } +} From 090d7d419020c035d4bd02b0cfe6393bdea01f3e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:10:16 +0100 Subject: [PATCH 55/61] [fix] role:authelia-for-hedgedoc --- .../templates/authelia-client-conf.json.j2 | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 b/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 index 3024226..10ad3cb 100644 --- a/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 +++ b/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 @@ -1,7 +1,7 @@ { - "id": "{{var_authelia_for_hedgedoc_client_id}}", - "description": "Hedgedoc", - "secret": "{{var_authelia_for_hedgedoc_client_secret}}", + "client_id": "{{var_authelia_for_hedgedoc_client_id}}", + "client_secret": "{{var_authelia_for_hedgedoc_client_secret}}", + "client_name": "Hedgedoc", "public": false, "authorization_policy": "one_factor", "scopes": [ @@ -13,7 +13,6 @@ "{{var_authelia_for_hedgedoc_hedgedoc_url_base}}/auth/oauth2/callback" ], "grant_types": [ - "refresh_token", "authorization_code" ], "response_types": [ @@ -24,5 +23,5 @@ "query", "fragment" ], - "userinfo_signing_algorithm": "none" + "userinfo_signed_response_alg": "none" } From b9ac243efe47c65a958a43739cb758fd640b9b0a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:10:35 +0100 Subject: [PATCH 56/61] [fix] role:authelia-for-synapse --- .../templates/authelia-client-conf.json.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ansible/roles/authelia-for-synapse/templates/authelia-client-conf.json.j2 b/ansible/roles/authelia-for-synapse/templates/authelia-client-conf.json.j2 index be88570..3f91cdf 100644 --- a/ansible/roles/authelia-for-synapse/templates/authelia-client-conf.json.j2 +++ b/ansible/roles/authelia-for-synapse/templates/authelia-client-conf.json.j2 @@ -1,7 +1,7 @@ { - "id": "{{var_authelia_for_synapse_client_id}}", - "description": "Synapse", - "secret": "{{var_authelia_for_synapse_client_secret}}", + "client_id": "{{var_authelia_for_synapse_client_id}}", + "client_secret": "{{var_authelia_for_synapse_client_secret}}", + "client_name": "Synapse", "public": false, "authorization_policy": "one_factor", "redirect_uris": [ @@ -12,5 +12,5 @@ "email", "profile" ], - "userinfo_signing_algorithm": "none" + "userinfo_signed_response_alg": "none" } From f392a17f5b37d4226e0dde641cbf1b17e41e7a8a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:11:13 +0100 Subject: [PATCH 57/61] [fix] role:postgresql-for-authelia:apt update und pg options --- ansible/roles/postgresql-for-authelia/tasks/main.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ansible/roles/postgresql-for-authelia/tasks/main.json b/ansible/roles/postgresql-for-authelia/tasks/main.json index 0f053db..e2b3aa5 100644 --- a/ansible/roles/postgresql-for-authelia/tasks/main.json +++ b/ansible/roles/postgresql-for-authelia/tasks/main.json @@ -3,6 +3,7 @@ "name": "packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "acl", "python3-psycopg2" @@ -17,6 +18,9 @@ "state": "present", "name": "{{var_postgresql_for_authelia_username}}", "password": "{{var_postgresql_for_authelia_password}}" + }, + "environment": { + "PGOPTIONS": "-c password_encryption=scram-sha-256" } }, { From 9c03561b1aceea773729d4b54550065f7a6df7e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:11:32 +0100 Subject: [PATCH 58/61] [fix] role:postgresql-for-hedgedoc:apt update und pg options --- ansible/roles/postgresql-for-hedgedoc/tasks/main.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ansible/roles/postgresql-for-hedgedoc/tasks/main.json b/ansible/roles/postgresql-for-hedgedoc/tasks/main.json index 85431cc..3551075 100644 --- a/ansible/roles/postgresql-for-hedgedoc/tasks/main.json +++ b/ansible/roles/postgresql-for-hedgedoc/tasks/main.json @@ -3,6 +3,7 @@ "name": "packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "acl", "python3-psycopg2" @@ -17,6 +18,9 @@ "state": "present", "name": "{{var_postgresql_for_hedgedoc_username}}", "password": "{{var_postgresql_for_hedgedoc_password}}" + }, + "environment": { + "PGOPTIONS": "-c password_encryption=scram-sha-256" } }, { From 81bef7dd446d8f38c09c1ce1f2a6029a06f86637 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:11:48 +0100 Subject: [PATCH 59/61] [fix] role:postgresql-for-postgresql:apt update und pg options --- ansible/roles/postgresql-for-synapse/tasks/main.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ansible/roles/postgresql-for-synapse/tasks/main.json b/ansible/roles/postgresql-for-synapse/tasks/main.json index 7b6cee0..7f6ceb0 100644 --- a/ansible/roles/postgresql-for-synapse/tasks/main.json +++ b/ansible/roles/postgresql-for-synapse/tasks/main.json @@ -3,6 +3,7 @@ "name": "packages", "become": true, "ansible.builtin.apt": { + "update_cache": true, "pkg": [ "acl", "python3-psycopg2" @@ -17,6 +18,9 @@ "state": "present", "name": "{{var_postgresql_for_synapse_username}}", "password": "{{var_postgresql_for_synapse_password}}" + }, + "environment": { + "PGOPTIONS": "-c password_encryption=scram-sha-256" } }, { From aefe805a10a2518b6bb590c8d4c8eccd738d33f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:47:45 +0100 Subject: [PATCH 60/61] [fix] role:synapse:auth --- ansible/roles/synapse/defaults/main.json | 12 ++++---- .../synapse/templates/homeserver.yaml.j2 | 30 +++++++++---------- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/ansible/roles/synapse/defaults/main.json b/ansible/roles/synapse/defaults/main.json index 28ee5e3..bc84eb6 100644 --- a/ansible/roles/synapse/defaults/main.json +++ b/ansible/roles/synapse/defaults/main.json @@ -13,12 +13,12 @@ "var_synapse_federation_whitelist": [], "var_synapse_password_strict_policy": true, "var_synapse_registration_shared_secret": "REPLACE_ME", - "var_synapse_oidc_enable": false, - "var_synapse_oidc_provider_id": "external_auth", - "var_synapse_oidc_provider_name": "external auth", - "var_synapse_oidc_client_id": "synapse", - "var_synapse_oidc_client_secret": "REPLACE_ME", - "var_synapse_oidc_issuer_url": "https://auth.example.org", + "var_synapse_authentication_kind": "internal", + "var_synapse_authentication_data_authelia_provider_id": "authelia", + "var_synapse_authentication_data_authelia_provider_name": "Authelia", + "var_synapse_authentication_data_authelia_client_id": "synapse", + "var_synapse_authentication_data_authelia_client_secret": "REPLACE_ME", + "var_synapse_authentication_data_authelia_url_base": "https://authelia.example.org", "var_synapse_smtp_host": "smtp.example.org", "var_synapse_smtp_port": 587, "var_synapse_smtp_username": "synapse@smtp.example.org", diff --git a/ansible/roles/synapse/templates/homeserver.yaml.j2 b/ansible/roles/synapse/templates/homeserver.yaml.j2 index 06e7079..f5c310c 100644 --- a/ansible/roles/synapse/templates/homeserver.yaml.j2 +++ b/ansible/roles/synapse/templates/homeserver.yaml.j2 @@ -91,29 +91,29 @@ recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" registration_shared_secret: "{{var_synapse_registration_shared_secret}}" {% endif %} -{% if var_synapse_oidc_enable %} -enable_registration: false -enable_registration_without_verification: false -{% else %} -enable_registration: true -enable_registration_without_verification: true -{% endif %} - oidc_config: user_mapping_provider: config: # NOT an Ansible variable localpart_template: "{{"{{"}} user.preferred_username {{"}}"}}" -{% if var_synapse_oidc_enable %} +{% if var_synapse_authentication_kind == 'internal' %} +enable_registration: true +enable_registration_without_verification: true +{% endif %} + +{% if var_synapse_authentication_kind == 'authelia' %} +enable_registration: false +enable_registration_without_verification: false + oidc_providers: - - idp_id: "{{var_synapse_oidc_provider_id}}" - idp_name: "{{var_synapse_oidc_provider_name}}" - # idp_icon: "mxc://authelia.com/cKlrTPsGvlpKxAYeHWJsdVHI" + - idp_id: "{{var_synapse_authentication_data_authelia_provider_id}}" + idp_name: "{{var_synapse_authentication_data_authelia_provider_name}}" + idp_icon: "mxc://authelia.com/cKlrTPsGvlpKxAYeHWJsdVHI" discover: true - issuer: "{{var_synapse_oidc_issuer_url}}" - client_id: "{{var_synapse_oidc_client_id}}" - client_secret: "{{var_synapse_oidc_client_secret}}" + issuer: "{{var_synapse_authentication_data_authelia_url_base}}" + client_id: "{{var_synapse_authentication_data_authelia_client_id}}" + client_secret: "{{var_synapse_authentication_data_authelia_client_secret}}" scopes: ["openid", "profile", "email"] allow_existing_users: true user_mapping_provider: From 78efa5297f47ac4b9949a764d0a409edd2405e29 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 20 Mar 2024 00:48:04 +0100 Subject: [PATCH 61/61] [mod] role:authelia-for-hedgedoc:refresh_token --- .../authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 b/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 index 10ad3cb..2b9a311 100644 --- a/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 +++ b/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 @@ -13,6 +13,7 @@ "{{var_authelia_for_hedgedoc_hedgedoc_url_base}}/auth/oauth2/callback" ], "grant_types": [ + "refresh_token", "authorization_code" ], "response_types": [