From 99f4bb1d98657395cf6fe7b6c31e229b68dc600c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Sun, 10 Dec 2023 14:33:45 +0100
Subject: [PATCH] [add] role:authelia
---
ansible/roles/authelia/defaults/main.json | 18 +++
ansible/roles/authelia/info.md | 6 +
ansible/roles/authelia/tasks/main.json | 44 ++++++
.../roles/authelia/templates/config.yml.j2 | 130 ++++++++++++++++++
4 files changed, 198 insertions(+)
create mode 100644 ansible/roles/authelia/defaults/main.json
create mode 100644 ansible/roles/authelia/info.md
create mode 100644 ansible/roles/authelia/tasks/main.json
create mode 100644 ansible/roles/authelia/templates/config.yml.j2
diff --git a/ansible/roles/authelia/defaults/main.json b/ansible/roles/authelia/defaults/main.json
new file mode 100644
index 0000000..fa6cc83
--- /dev/null
+++ b/ansible/roles/authelia/defaults/main.json
@@ -0,0 +1,18 @@
+{
+ "var_authelia_listen_address": "0.0.0.0",
+ "var_authelia_jwt_secret": "authelia_jwt_secret",
+ "var_authelia_users_file_path": "/var/authelia/users.json",
+ "var_authelia_session_domain": "example.org",
+ "var_authelia_session_secret": "session_secret",
+ "var_authelia_storage_path": "/var/authelia/state.db",
+ "var_authelia_storage_encryption_key": "storage_encryption_key",
+ "var_authelia_ntp_server": "time.cloudflare.com:123",
+ "var_authelia_notification_mode": "email",
+ "var_authelia_notification_smtp_host": "smtp.example.org",
+ "var_authelia_notification_smtp_port": "465",
+ "var_authelia_notification_smtp_username": "authelia",
+ "var_authelia_notification_smtp_username": "smtp_password",
+ "var_authelia_notification_smtp_sender": "Authelia",
+ "var_authelia_notification_smtp_sender": "Authelia",
+ "var_authelia_oidc_hmac_secret": "oidc_hmac_secret",
+}
diff --git a/ansible/roles/authelia/info.md b/ansible/roles/authelia/info.md
new file mode 100644
index 0000000..94653fd
--- /dev/null
+++ b/ansible/roles/authelia/info.md
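Review bot: The trailing comma after `"var_authelia_oidc_hmac_secret": "oidc_hmac_secret",` makes the file invalid strict JSON, and `var_authelia_notification_smtp_username` and `var_authelia_notification_smtp_sender` each appear twice; parsers that tolerate duplicates keep the last value, so the SMTP username silently becomes `smtp_password`. The second username entry is evidently meant to be `"var_authelia_notification_smtp_password": "smtp_password",` — the name the template reads — and without it the template render fails on an undefined variable; the second sender entry should simply be dropped. Every secret here also ships with a guessable literal default (`authelia_jwt_secret`, `session_secret`, `storage_encryption_key`, `oidc_hmac_secret`), so a host where one override is forgotten runs with a known key; leaving the secret keys out of the defaults so rendering fails loudly, or sourcing them from a vault file, is safer. `var_authelia_listen_address` defaulting to `0.0.0.0` exposes the portal on every interface; if Authelia sits behind a local reverse proxy, `127.0.0.1` is the safer default.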
@@ -0,0 +1,6 @@
+## Verweise
+
+- [Projekt-Website](https://www.authelia.com/)
+- [GitHub-Seite](https://github.com/authelia/authelia)
+- [Installations-Anleitung](https://www.authelia.com/integration/deployment/bare-metal/)
+- [Dokumentation | Konfiguration](https://www.authelia.com/configuration/)
diff --git a/ansible/roles/authelia/tasks/main.json b/ansible/roles/authelia/tasks/main.json
new file mode 100644
index 0000000..5b78ea0
--- /dev/null
+++ b/ansible/roles/authelia/tasks/main.json
@@ -0,0 +1,44 @@
+[
+ {
+ "name": "invoke package repository",
+ "become": true,
+ "ansible.builtin.apt_repository": {
+ "repo": "deb https://apt.authelia.com/stable/debian/debian/ all main"
+ }
+ },
+ {
+ "name": "install packages",
+ "become": true,
+ "ansible.builtin.apt": {
+ "pgk": [
+ "authelia"
+ ]
+ }
+ },
+ {
+ "name": "generate private key for signing OIDC JWTs",
+ "beccome": true,
+ "community.crypto.openssl_privatekey": {
+ "type": "RSA",
+ "size": 4096,
+ "path": "/dev/null",
+ "return_content": true
+ }
+ },
+ {
+ "name": "emplace configuration",
+ "become": true,
+ "ansible.builtin.template": {
+ "src": "config.yml.j2",
+ "dest": "/etc/authelia/config.yml"
+ }
+ },
+ {
+ "name": "apply",
+ "become": true,
+ "ansible.builtin.systemd_service": {
+ "state": "restarted",
+ "name": "authelia"
+ }
+ }
+]
diff --git a/ansible/roles/authelia/templates/config.yml.j2 b/ansible/roles/authelia/templates/config.yml.j2
new file mode 100644
index 0000000..6e0ee36
--- /dev/null
+++ b/ansible/roles/authelia/templates/config.yml.j2
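Review bot: `"pgk"` in the install task and `"beccome"` in the key task are misspellings of `pkg` and `become`; Ansible rejects both as unknown, so the play fails at the second task before anything is configured. The key task also discards what it generates: it writes to `/dev/null`, never registers the result that `{{privatekey}}` in the template needs, would mint a fresh signing key on every run (invalidating previously issued tokens), and `return_content: true` without `no_log: true` puts the private key into task output and logs. The rewrite below keeps the key on disk with a restrictive mode (path illustrative), registers it as `authelia_oidc_key` so the template can read `authelia_oidc_key.privatekey`, and gives the rendered config — which holds the JWT, session, storage, SMTP and OIDC secrets — a `mode` of `0600`; an `owner` matching the service account is worth setting too. Separately, the repository is added with no signing key, so `apt update` cannot verify it; install the vendor's key into a keyring and reference it with `[signed-by=<KEYRING_PATH>]` in the `repo` line.
```json
  {
    "name": "generate private key for signing OIDC JWTs",
    "become": true,
    "no_log": true,
    "register": "authelia_oidc_key",
    "community.crypto.openssl_privatekey": {
      "type": "RSA",
      "size": 4096,
      "path": "/etc/authelia/oidc_issuer_key.pem",
      "mode": "0600",
      "return_content": true
    }
  },
  {
    "name": "emplace configuration",
    "become": true,
    "ansible.builtin.template": {
      "src": "config.yml.j2",
      "dest": "/etc/authelia/config.yml",
      "mode": "0600"
    }
  },
```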
@@ -0,0 +1,130 @@
+theme: auto
+jwt_secret: "{{var_authelia_jwt_secret}}"
+default_2fa_method: totp
+server:
+ host: "{{var_authelia_listen_address}}"
+ port: 9091
+ path: ""
+ enable_pprof: false
+ enable_expvars: false
+ disable_healthcheck: false
+log:
+ level: info
+ format: json
+ file_path: /var/log/authelia.log
+ keep_stdout: false
+telemetry:
+ metrics:
+ enabled: false
+ address: tcp://0.0.0.0:9959
+totp:
+ disable: true
+ issuer: authelia.com
+ algorithm: sha1
+ digits: 6
+ period: 30
+ skew: 1
+ secret_size: 32
+webauthn:
+ disable: true
+ timeout: 60s
+ display_name: Authelia
+ attestation_conveyance_preference: indirect
+ user_verification: preferred
+ntp:
+ address: "{{var_authelia_ntp_server}}"
+ version: 4
+ max_desync: 3s
+ disable_startup_check: false
+ disable_failure: false
+authentication_backend:
+ password_reset:
+ disable: true
+ custom_url: ""
+ refresh_interval: 5m
+ file:
+ path: "{{var_authelia_users_file_path}}"
+ watch: true
+ search:
+ email: false
+ case_insensitive: false
+ password:
+ algorithm: argon2
+ argon2:
+ variant: argon2id
+ iterations: 3
+ memory: 65536
+ parallelism: 4
+ key_length: 32
+ salt_length: 16
+ scrypt:
+ iterations: 16
+ block_size: 8
+ parallelism: 1
+ key_length: 32
+ salt_length: 16
+ pbkdf2:
+ variant: sha512
+ iterations: 310000
+ salt_length: 16
+ sha2crypt:
+ variant: sha512
+ iterations: 50000
+ salt_length: 16
+ bcrypt:
+ variant: standard
+ cost: 12
+password_policy:
+ standard:
+ enabled: false
+ min_length: 8
+ max_length: 0
+ require_uppercase: true
+ require_lowercase: true
+ require_number: true
+ require_special: true
+ zxcvbn:
+ enabled: false
+ min_score: 3
+access_control:
+ default_policy: one_factor
+session:
+ name: authelia_session
+ domain: "{{var_authelia_session_domain}}"
+ same_site: lax
+ secret: "{{var_authelia_session_secret}}"
+ expiration: 1h
+ inactivity: 5m
+ remember_me_duration: 1M
+regulation:
+ max_retries: 3
+ find_time: 2m
+ ban_time: 5m
+storage:
+ encryption_key: 
"{{var_authelia_storage_encryption_key}}" + local: + path: "{{var_authelia_storage_path}}" +notifier: + disable_startup_check: true + # filesystem: + # filename: /config/notification.txt + smtp: + host: "{{var_authelia_notification_smtp_host}}" + port: {{var_authelia_notification_smtp_port}} + username: "{{var_authelia_notification_smtp_username}}" + password: "{{var_authelia_notification_smtp_password}}" + sender: "{{var_authelia_notification_smtp_sender}}" + disable_require_tls: false + disable_html_emails: false + tls: + skip_verify: false +identity_providers: + oidc: + hmac_secret: "{{var_authelia_oidc_hmac_secret}}" + issuer_private_key: | + {{privatekey}} + cors: + allowed_origins_from_client_redirect_uris: true + clients: [] + +...