From 99f4bb1d98657395cf6fe7b6c31e229b68dc600c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 10 Dec 2023 14:33:45 +0100 Subject: [PATCH 01/19] [add] role:authelia --- ansible/roles/authelia/defaults/main.json | 18 +++ ansible/roles/authelia/info.md | 6 + ansible/roles/authelia/tasks/main.json | 44 ++++++ .../roles/authelia/templates/config.yml.j2 | 130 ++++++++++++++++++ 4 files changed, 198 insertions(+) create mode 100644 ansible/roles/authelia/defaults/main.json create mode 100644 ansible/roles/authelia/info.md create mode 100644 ansible/roles/authelia/tasks/main.json create mode 100644 ansible/roles/authelia/templates/config.yml.j2 diff --git a/ansible/roles/authelia/defaults/main.json b/ansible/roles/authelia/defaults/main.json new file mode 100644 index 0000000..fa6cc83 --- /dev/null +++ b/ansible/roles/authelia/defaults/main.json @@ -0,0 +1,18 @@ +{ + "var_authelia_listen_address": "0.0.0.0", + "var_authelia_jwt_secret": "authelia_jwt_secret", + "var_authelia_users_file_path": "/var/authelia/users.json", + "var_authelia_session_domain": "example.org", + "var_authelia_session_secret": "session_secret", + "var_authelia_storage_path": "/var/authelia/state.db", + "var_authelia_storage_encryption_key": "storage_encryption_key", + "var_authelia_ntp_server": "time.cloudflare.com:123", + "var_authelia_notification_mode": "email", + "var_authelia_notification_smtp_host": "smtp.example.org", + "var_authelia_notification_smtp_port": "465", + "var_authelia_notification_smtp_username": "authelia", + "var_authelia_notification_smtp_username": "smtp_password", + "var_authelia_notification_smtp_sender": "Authelia", + "var_authelia_notification_smtp_sender": "Authelia", + "var_authelia_oidc_hmac_secret": "oidc_hmac_secret", +} diff --git a/ansible/roles/authelia/info.md b/ansible/roles/authelia/info.md new file mode 100644 index 0000000..94653fd --- /dev/null +++ b/ansible/roles/authelia/info.md @@ -0,0 +1,6 @@ +## Verweise + +- [Projekt-Website](https://www.authelia.com/) +- [GitHub-Seite](https://github.com/authelia/authelia) +- [Installations-Anleitung](https://www.authelia.com/integration/deployment/bare-metal/) +- [Dokumentation | Konfiguration](https://www.authelia.com/configuration/) diff --git a/ansible/roles/authelia/tasks/main.json b/ansible/roles/authelia/tasks/main.json new file mode 100644 index 0000000..5b78ea0 --- /dev/null +++ b/ansible/roles/authelia/tasks/main.json @@ -0,0 +1,44 @@ +[ + { + "name": "invoke package repository", + "become": true, + "ansible.builtin.apt_repository": { + "repo": "deb https://apt.authelia.com/stable/debian/debian/ all main" + } + }, + { + "name": "install packages", + "become": true, + "ansible.builtin.apt": { + "pgk": [ + "authelia" + ] + } + }, + { + "name": "generate private key for signing OIDC JWTs", + "beccome": true, + "community.crypto.openssl_privatekey": { + "type": "RSA", + "size": 4096, + "path": "/dev/null", + "return_content": true + } + }, + { + "name": "emplace configuration", + "become": true, + "ansible.builtin.template": { + "src": "config.yml.j2", + "dest": "/etc/authelia/config.yml" + } + }, + { + "name": "apply", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "authelia" + } + } +] diff --git a/ansible/roles/authelia/templates/config.yml.j2 b/ansible/roles/authelia/templates/config.yml.j2 new file mode 100644 index 0000000..6e0ee36 --- /dev/null +++ b/ansible/roles/authelia/templates/config.yml.j2 @@ -0,0 +1,130 @@ +theme: auto +jwt_secret: "{{var_authelia_jwt_secret}}" +default_2fa_method: totp +server: + host: "{{var_authelia_listen_address}}" + port: 9091 + path: "" + enable_pprof: false + enable_expvars: false + disable_healthcheck: false +log: + level: info + format: json + file_path: /var/log/authelia.log + keep_stdout: false +telemetry: + metrics: + enabled: false + address: tcp://0.0.0.0:9959 +totp: + disable: true + issuer: authelia.com + algorithm: sha1 + digits: 6 + period: 30 + skew: 1 + secret_size: 32 +webauthn: + disable: true + timeout: 60s + display_name: Authelia + attestation_conveyance_preference: indirect + user_verification: preferred +ntp: + address: "{{var_authelia_ntp_server}}" + version: 4 + max_desync: 3s + disable_startup_check: false + disable_failure: false +authentication_backend: + password_reset: + disable: true + custom_url: "" + refresh_interval: 5m + file: + path: "{{var_authelia_users_file_path}}" + watch: true + search: + email: false + case_insensitive: false + password: + algorithm: argon2 + argon2: + variant: argon2id + iterations: 3 + memory: 65536 + parallelism: 4 + key_length: 32 + salt_length: 16 + scrypt: + iterations: 16 + block_size: 8 + parallelism: 1 + key_length: 32 + salt_length: 16 + pbkdf2: + variant: sha512 + iterations: 310000 + salt_length: 16 + sha2crypt: + variant: sha512 + iterations: 50000 + salt_length: 16 + bcrypt: + variant: standard + cost: 12 +password_policy: + standard: + enabled: false + min_length: 8 + max_length: 0 + require_uppercase: true + require_lowercase: true + require_number: true + require_special: true + zxcvbn: + enabled: false + min_score: 3 +access_control: + default_policy: one_factor +session: + name: authelia_session + domain: "{{var_authelia_session_domain}}" + same_site: lax + secret: "{{var_authelia_session_secret}}" + expiration: 1h + inactivity: 5m + remember_me_duration: 1M +regulation: + max_retries: 3 + find_time: 2m + ban_time: 5m +storage: + encryption_key: "{{var_authelia_storage_encryption_key}}" + local: + path: "{{var_authelia_storage_path}}" +notifier: + disable_startup_check: true + # filesystem: + # filename: /config/notification.txt + smtp: + host: "{{var_authelia_notification_smtp_host}}" + port: {{var_authelia_notification_smtp_port}} + username: "{{var_authelia_notification_smtp_username}}" + password: "{{var_authelia_notification_smtp_password}}" + sender: "{{var_authelia_notification_smtp_sender}}" + disable_require_tls: false + disable_html_emails: false + tls: + skip_verify: false +identity_providers: + oidc: + hmac_secret: "{{var_authelia_oidc_hmac_secret}}" + issuer_private_key: | + {{privatekey}} + cors: + allowed_origins_from_client_redirect_uris: true + clients: [] + +... From a947c4900e186cfa87ad6f190b6c0e8235db3492 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Mon, 11 Dec 2023 02:43:58 +0100 Subject: [PATCH 02/19] [mod] role:authelia --- ansible/roles/authelia/defaults/main.json | 8 ++- ansible/roles/authelia/info.md | 7 ++ ansible/roles/authelia/tasks/main.json | 66 ++++++++++++++++--- .../{config.yml.j2 => configuration.yml.j2} | 23 +++++-- ansible/roles/authelia/templates/users.yml.j2 | 6 ++ 5 files changed, 93 insertions(+), 17 deletions(-) rename ansible/roles/authelia/templates/{config.yml.j2 => configuration.yml.j2} (84%) create mode 100644 ansible/roles/authelia/templates/users.yml.j2 diff --git a/ansible/roles/authelia/defaults/main.json b/ansible/roles/authelia/defaults/main.json index fa6cc83..a287d47 100644 --- a/ansible/roles/authelia/defaults/main.json +++ b/ansible/roles/authelia/defaults/main.json @@ -1,18 +1,20 @@ { "var_authelia_listen_address": "0.0.0.0", "var_authelia_jwt_secret": "authelia_jwt_secret", - "var_authelia_users_file_path": "/var/authelia/users.json", + "var_authelia_users_file_path": "/var/authelia/users.yml", + "var_authelia_log_file_path": "/var/log/authelia.log", "var_authelia_session_domain": "example.org", "var_authelia_session_secret": "session_secret", "var_authelia_storage_path": "/var/authelia/state.db", "var_authelia_storage_encryption_key": "storage_encryption_key", "var_authelia_ntp_server": "time.cloudflare.com:123", - "var_authelia_notification_mode": "email", + "var_authelia_notification_mode": "smtp", + "var_authelia_notification_file_path": "/var/authelia/notifications", "var_authelia_notification_smtp_host": "smtp.example.org", "var_authelia_notification_smtp_port": "465", "var_authelia_notification_smtp_username": "authelia", "var_authelia_notification_smtp_username": "smtp_password", "var_authelia_notification_smtp_sender": "Authelia", "var_authelia_notification_smtp_sender": "Authelia", - "var_authelia_oidc_hmac_secret": "oidc_hmac_secret", + "var_authelia_oidc_hmac_secret": "oidc_hmac_secret" } diff --git a/ansible/roles/authelia/info.md b/ansible/roles/authelia/info.md index 94653fd..a980bea 100644 --- a/ansible/roles/authelia/info.md +++ b/ansible/roles/authelia/info.md @@ -4,3 +4,10 @@ - [GitHub-Seite](https://github.com/authelia/authelia) - [Installations-Anleitung](https://www.authelia.com/integration/deployment/bare-metal/) - [Dokumentation | Konfiguration](https://www.authelia.com/configuration/) + + +## ToDo + +- Dummy-Client los werden +- Dummy-Nutzer los werden + diff --git a/ansible/roles/authelia/tasks/main.json b/ansible/roles/authelia/tasks/main.json index 5b78ea0..faecaf0 100644 --- a/ansible/roles/authelia/tasks/main.json +++ b/ansible/roles/authelia/tasks/main.json @@ -1,36 +1,86 @@ [ { - "name": "invoke package repository", +"when": false, + "name": "prepare package installation 1", + "become": true, + "ansible.builtin.apt": { + "pkg": [ + "apt-transport-https", + "gpg" + ] + } + }, + { +"when": false, + "name": "prepare package installation 2", + "become": true, + "ansible.builtin.apt_key": { + "url": "https://apt.authelia.com/organization/signing.asc" + } + }, + { +"when": false, + "name": "prepare package installation 3", "become": true, "ansible.builtin.apt_repository": { "repo": "deb https://apt.authelia.com/stable/debian/debian/ all main" } + }, { +"when": false, "name": "install packages", "become": true, "ansible.builtin.apt": { - "pgk": [ + "update_cache": true, + "pkg": [ + "openssl", + "python3-cryptography", "authelia" ] } }, { "name": "generate private key for signing OIDC JWTs", - "beccome": true, + "become": true, "community.crypto.openssl_privatekey": { "type": "RSA", "size": 4096, - "path": "/dev/null", + "path": "/etc/ssl/private/authelia-key.pem", "return_content": true - } + }, + "register": "temp_tls_result" }, { "name": "emplace configuration", "become": true, "ansible.builtin.template": { - "src": "config.yml.j2", - "dest": "/etc/authelia/config.yml" + "src": "configuration.yml.j2", + "dest": "/etc/authelia/configuration.yml" + } + }, + { + "name": "setup log directory", + "become": true, + "ansible.builtin.file": { + "state": "directory", + "path": "{{var_authelia_log_file_path | dirname}}" + } + }, + { + "name": "setup users directory", + "become": true, + "ansible.builtin.file": { + "state": "directory", + "path": "{{var_authelia_users_file_path | dirname}}" + } + }, + { + "name": "place dummy user file", + "become": true, + "ansible.builtin.template": { + "src": "users.yml.j2", + "path": "{{var_authelia_users_file_path}}" } }, { @@ -39,6 +89,6 @@ "ansible.builtin.systemd_service": { "state": "restarted", "name": "authelia" - } + } } ] diff --git a/ansible/roles/authelia/templates/config.yml.j2 b/ansible/roles/authelia/templates/configuration.yml.j2 similarity index 84% rename from ansible/roles/authelia/templates/config.yml.j2 rename to ansible/roles/authelia/templates/configuration.yml.j2 index 6e0ee36..8fc19ad 100644 --- a/ansible/roles/authelia/templates/config.yml.j2 +++ b/ansible/roles/authelia/templates/configuration.yml.j2 @@ -11,14 +11,14 @@ server: log: level: info format: json - file_path: /var/log/authelia.log + file_path: {{var_authelia_log_file_path}} keep_stdout: false telemetry: metrics: enabled: false address: tcp://0.0.0.0:9959 totp: - disable: true + disable: false issuer: authelia.com algorithm: sha1 digits: 6 @@ -106,8 +106,11 @@ storage: path: "{{var_authelia_storage_path}}" notifier: disable_startup_check: true - # filesystem: - # filename: /config/notification.txt +{% if var_authelia_notification_mode == "file" %} + filesystem: + filename: {{var_authelia_notification_file_path}} +{% endif %} +{% if var_authelia_notification_mode == "smtp" %} smtp: host: "{{var_authelia_notification_smtp_host}}" port: {{var_authelia_notification_smtp_port}} @@ -118,13 +121,21 @@ notifier: disable_html_emails: false tls: skip_verify: false +{% endif %} identity_providers: oidc: hmac_secret: "{{var_authelia_oidc_hmac_secret}}" issuer_private_key: | - {{privatekey}} +{% filter indent(width=6) %} + {{temp_tls_result.privatekey}} +{% endfilter %} cors: allowed_origins_from_client_redirect_uris: true - clients: [] + clients: + - + public: false + id: "dummy" + secret: "d1424b378e4fbbc153f330f33b74ab192525b98cc2dd58b2e8d01c2737be00c6" + redirect_uris: [] ... diff --git a/ansible/roles/authelia/templates/users.yml.j2 b/ansible/roles/authelia/templates/users.yml.j2 new file mode 100644 index 0000000..eea8164 --- /dev/null +++ b/ansible/roles/authelia/templates/users.yml.j2 @@ -0,0 +1,6 @@ +users: + _dummy: + displayname: "(Dummy)" + password: "$argon2id$v=19$m=65536,t=3,p=4$sHIRjFaYRz2U3F8wHnqecQ$lwnQtHNeFqgLaLSW8It7KJSHNOJoSeF+RF7lwgM7WRA" + email: "dummy@nowhere.org" + groups: [] From 15af3efdab8e50767ad10c977a9f226bbfb9e955 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Mon, 11 Dec 2023 02:44:11 +0100 Subject: [PATCH 03/19] [add] role:authelia-and-nginx --- .../authelia-and-nginx/defaults/main.json | 3 ++ ansible/roles/authelia-and-nginx/info.md | 3 ++ .../roles/authelia-and-nginx/tasks/main.json | 35 +++++++++++++++++++ .../authelia-and-nginx/templates/conf.j2 | 26 ++++++++++++++ 4 files changed, 67 insertions(+) create mode 100644 ansible/roles/authelia-and-nginx/defaults/main.json create mode 100644 ansible/roles/authelia-and-nginx/info.md create mode 100644 ansible/roles/authelia-and-nginx/tasks/main.json create mode 100644 ansible/roles/authelia-and-nginx/templates/conf.j2 diff --git a/ansible/roles/authelia-and-nginx/defaults/main.json b/ansible/roles/authelia-and-nginx/defaults/main.json new file mode 100644 index 0000000..7559dcb --- /dev/null +++ b/ansible/roles/authelia-and-nginx/defaults/main.json @@ -0,0 +1,3 @@ +{ + "var_authelia_and_nginx_domain": "authelia.example.org" +} diff --git a/ansible/roles/authelia-and-nginx/info.md b/ansible/roles/authelia-and-nginx/info.md new file mode 100644 index 0000000..670d9f0 --- /dev/null +++ b/ansible/roles/authelia-and-nginx/info.md @@ -0,0 +1,3 @@ +## Verweise + +- [Authelia-Dokumentation](https://www.authelia.com/integration/proxies/nginx/) diff --git a/ansible/roles/authelia-and-nginx/tasks/main.json b/ansible/roles/authelia-and-nginx/tasks/main.json new file mode 100644 index 0000000..87dcf2b --- /dev/null +++ b/ansible/roles/authelia-and-nginx/tasks/main.json @@ -0,0 +1,35 @@ +[ + { + "name": "deactivate default site", + "become": true, + "ansible.builtin.file": { + "state": "absent", + "dest": "/etc/nginx/sites-enabled/default" + } + }, + { + "name": "emplace configuration | data", + "become": true, + "ansible.builtin.template": { + "src": "conf.j2", + "dest": "/etc/nginx/sites-available/{{var_authelia_and_nginx_domain}}" + } + }, + { + "name": "emplace configuration | link", + "become": true, + "ansible.builtin.file": { + "state": "link", + "src": "/etc/nginx/sites-available/{{var_authelia_and_nginx_domain}}", + "dest": "/etc/nginx/sites-enabled/{{var_authelia_and_nginx_domain}}" + } + }, + { + "name": "restart nginx", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "nginx" + } + } +] diff --git a/ansible/roles/authelia-and-nginx/templates/conf.j2 b/ansible/roles/authelia-and-nginx/templates/conf.j2 new file mode 100644 index 0000000..8202046 --- /dev/null +++ b/ansible/roles/authelia-and-nginx/templates/conf.j2 @@ -0,0 +1,26 @@ +server { + listen 80; + server_name auth.*; + + return 301 https://$server_name$request_uri; +} + +server { + listen 443 ssl http2; + server_name {{var_authelia_and_nginx_domain}}; + + # include /config/nginx/snippets/ssl.conf; + ssl_certificate /etc/ssl/certs/{{var_authelia_and_nginx_domain}}.pem; + ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem; + + set $upstream http://localhost:9091; + + location / { + # include /config/nginx/snippets/proxy.conf; + proxy_pass $upstream; + } + + location /api/verify { + proxy_pass $upstream; + } +} From 547fdb49973dea24f805214cd21b0bc9e88a0bf6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Fri, 15 Dec 2023 15:24:51 +0100 Subject: [PATCH 04/19] [mod] role:authelia --- ansible/roles/authelia/defaults/main.json | 2 + ansible/roles/authelia/tasks/main.json | 44 ++++++++++++++++++- .../roles/authelia/templates/systemd-unit.j2 | 11 +++++ 3 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 ansible/roles/authelia/templates/systemd-unit.j2 diff --git a/ansible/roles/authelia/defaults/main.json b/ansible/roles/authelia/defaults/main.json index a287d47..7c00228 100644 --- a/ansible/roles/authelia/defaults/main.json +++ b/ansible/roles/authelia/defaults/main.json @@ -1,4 +1,6 @@ { + "var_authelia_version": "4.37.5", + "var_authelia_variant": "amd64", "var_authelia_listen_address": "0.0.0.0", "var_authelia_jwt_secret": "authelia_jwt_secret", "var_authelia_users_file_path": "/var/authelia/users.yml", diff --git a/ansible/roles/authelia/tasks/main.json b/ansible/roles/authelia/tasks/main.json index faecaf0..fe83c24 100644 --- a/ansible/roles/authelia/tasks/main.json +++ b/ansible/roles/authelia/tasks/main.json @@ -40,6 +40,47 @@ ] } }, + { + "name": "download", + "delegate_to": "localhost", + "ansible.builtin.get_url": { + "url": "https://github.com/authelia/authelia/releases/download/v{{var_authelia_version}}/authelia-v{{var_authelia_version}}-linux-{{var_authelia_variant}}.tar.gz", + "dest": "/tmp/authelia.tar.gz" + } + }, + { + "name": "unpack | preparation", + "delegate_to": "localhost", + "ansible.builtin.file": { + "state": "directory", + "dest": "/tmp/authelia" + } + }, + { + "name": "unpack | execution", + "delegate_to": "localhost", + "ansible.builtin.unarchive": { + "src": "/tmp/authelia.tar.gz", + "dest": "/tmp/authelia" + } + }, + { + "name": "setup binary", + "become": true, + "ansible.builtin.copy": { + "src": "/tmp/authelia/authelia-linux-{{var_authelia_variant}}", + "dest": "/usr/bin/authelia", + "mode": "0744" + } + }, + { + "name": "systemd unit", + "become": true, + "ansible.builtin.template": { + "src": "systemd-unit.j2", + "dest": "/etc/systemd/system/authelia.service" + } + }, { "name": "generate private key for signing OIDC JWTs", "become": true, @@ -80,13 +121,14 @@ "become": true, "ansible.builtin.template": { "src": "users.yml.j2", - "path": "{{var_authelia_users_file_path}}" + "dest": "{{var_authelia_users_file_path}}" } }, { "name": "apply", "become": true, "ansible.builtin.systemd_service": { + "enabled": true, "state": "restarted", "name": "authelia" } diff --git a/ansible/roles/authelia/templates/systemd-unit.j2 b/ansible/roles/authelia/templates/systemd-unit.j2 new file mode 100644 index 0000000..48b2065 --- /dev/null +++ b/ansible/roles/authelia/templates/systemd-unit.j2 @@ -0,0 +1,11 @@ +[Unit] +Description=Authelia authentication and authorization server +After=multi-user.target + +[Service] +Environment=AUTHELIA_SERVER_DISABLE_HEALTHCHECK=true +ExecStart=/usr/bin/authelia --config /etc/authelia/configuration.yml +SyslogIdentifier=authelia + +[Install] +WantedBy=multi-user.target From 2f18fc9570edc70f35cddb3973dfc7ac33402d31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 16 Dec 2023 11:33:38 +0100 Subject: [PATCH 05/19] [mod] role:authelia --- ansible/roles/authelia/defaults/main.json | 2 +- ansible/roles/authelia/files/conf-compose.py | 132 ++++++++++++++ ansible/roles/authelia/info.md | 7 +- ansible/roles/authelia/tasks/main.json | 90 ++++------ .../templates/conf-client-dummy.json.j2 | 7 + .../authelia/templates/conf-main.json.j2 | 166 ++++++++++++++++++ .../authelia/templates/configuration.yml.j2 | 141 --------------- .../roles/authelia/templates/systemd-unit.j2 | 11 -- 8 files changed, 349 insertions(+), 207 deletions(-) create mode 100644 ansible/roles/authelia/files/conf-compose.py create mode 100644 ansible/roles/authelia/templates/conf-client-dummy.json.j2 create mode 100644 ansible/roles/authelia/templates/conf-main.json.j2 delete mode 100644 ansible/roles/authelia/templates/configuration.yml.j2 delete mode 100644 ansible/roles/authelia/templates/systemd-unit.j2 diff --git a/ansible/roles/authelia/defaults/main.json b/ansible/roles/authelia/defaults/main.json index 7c00228..44809f8 100644 --- a/ansible/roles/authelia/defaults/main.json +++ b/ansible/roles/authelia/defaults/main.json @@ -1,6 +1,6 @@ { "var_authelia_version": "4.37.5", - "var_authelia_variant": "amd64", + "var_authelia_architecture": "amd64", "var_authelia_listen_address": "0.0.0.0", "var_authelia_jwt_secret": "authelia_jwt_secret", "var_authelia_users_file_path": "/var/authelia/users.yml", diff --git a/ansible/roles/authelia/files/conf-compose.py b/ansible/roles/authelia/files/conf-compose.py new file mode 100644 index 0000000..92a76b8 --- /dev/null +++ b/ansible/roles/authelia/files/conf-compose.py @@ -0,0 +1,132 @@ +#!/usr/bin/env python3 + +import sys as _sys +import os as _os +import yaml as _yaml +import json as _json +import argparse as _argparse + + +def file_read(path): + handle = open(path, "r") + content = handle.read() + handle.close() + return content + + +def file_write(path, content): + directory = _os.path.dirname(path) + if (not _os.path.exists(directory)): + _os.makedirs(directory, exist_ok = True) + else: + pass + handle = open(path, "w") + handle.write(content) + handle.close() + return content + + +def dict_merge(core, mantle, path = None): + if (path is None): + path = [] + result = {} + for source in [core, mantle]: + for (key, value_new, ) in source.items(): + path_ = (path + [key]) + type_new = type(value_new) + if (not (key in result)): + result[key] = value_new + else: + value_old = result[key] + type_old = type(value_old) + if (value_old is None): + result[key] = value_new + else: + if (not (type_old == type_new)): + raise ValueError( + "type mismatch at path %s: %s vs. %s" + % ( + ".".join(path), + str(type_old), + str(type_new), + ) + ) + else: + if (type_old == dict): + result[key] = dict_merge(value_old, value_new, path_) + elif (type_old == list): + result[key] = (value_old + value_new) + else: + result[key] = value_new + return result + + +def main(): + ## args + argument_parser = _argparse.ArgumentParser() + argument_parser.add_argument( + "-m", + "--main-file-path", + type = str, + dest = "main_file_path", + default = "/etc/authelia/conf.d/main.json", + metavar = "", + ) + argument_parser.add_argument( + "-c", + "--clients-directory-path", + type = str, + dest = "clients_directory_path", + default = "/etc/authelia/conf.d/clients", + metavar = "", + ) + argument_parser.add_argument( + "-f", + "--output-format", + type = str, + choices = ["json", "yaml"], + dest = "output_format", + default = "yaml", + metavar = "", + ) + argument_parser.add_argument( + "-o", + "--output-path", + type = str, + dest = "output_path", + default = "/etc/authelia/configuration.yml", + metavar = "", + ) + args = argument_parser.parse_args() + + ## exec + data = {} + ### main + if True: + data_ = _json.loads(file_read(args.main_file_path)) + data = dict_merge(data, data_) + ### clients + if True: + for name in _os.listdir(args.clients_directory_path): + data__ = _json.loads(file_read(_os.path.join(args.clients_directory_path, name))) + data_ = { + "identity_providers": { + "oidc": { + "clients": [data__] + } + } + } + data = dict_merge(data, data_) + + ## output + if True: + if (args.output_format == "json"): + output_content = _json.dumps(data, indent = "\t") + elif (args.output_format == "yaml"): + output_content = _yaml.dump(data) + else: + raise ValueError("invalid output format") + file_write(args.output_path, output_content) + + +main() diff --git a/ansible/roles/authelia/info.md b/ansible/roles/authelia/info.md index a980bea..f025edb 100644 --- a/ansible/roles/authelia/info.md +++ b/ansible/roles/authelia/info.md @@ -1,6 +1,11 @@ +## Beschreibung + +- zum Aufsetzen des Authentifizierungs-Dienstes [Authelia](https://www.authelia.com/) +- um einen Clients hinzuzfügen, erstellt man eine entsprechende JSON-Datei in `/etc/authelia/conf.d/clients` und führt aus `/usr/bin/authelia-conf-compose` + + ## Verweise -- [Projekt-Website](https://www.authelia.com/) - [GitHub-Seite](https://github.com/authelia/authelia) - [Installations-Anleitung](https://www.authelia.com/integration/deployment/bare-metal/) - [Dokumentation | Konfiguration](https://www.authelia.com/configuration/) diff --git a/ansible/roles/authelia/tasks/main.json b/ansible/roles/authelia/tasks/main.json index fe83c24..945d9cf 100644 --- a/ansible/roles/authelia/tasks/main.json +++ b/ansible/roles/authelia/tasks/main.json @@ -1,7 +1,6 @@ [ { -"when": false, - "name": "prepare package installation 1", + "name": "packages | prerequisites", "become": true, "ansible.builtin.apt": { "pkg": [ @@ -11,16 +10,14 @@ } }, { -"when": false, - "name": "prepare package installation 2", + "name": "packages | keys", "become": true, "ansible.builtin.apt_key": { "url": "https://apt.authelia.com/organization/signing.asc" } }, { -"when": false, - "name": "prepare package installation 3", + "name": "packages | repository", "become": true, "ansible.builtin.apt_repository": { "repo": "deb https://apt.authelia.com/stable/debian/debian/ all main" @@ -28,59 +25,18 @@ }, { -"when": false, - "name": "install packages", + "name": "packages | installation", "become": true, "ansible.builtin.apt": { "update_cache": true, "pkg": [ "openssl", "python3-cryptography", + "python3-yaml", "authelia" ] } }, - { - "name": "download", - "delegate_to": "localhost", - "ansible.builtin.get_url": { - "url": "https://github.com/authelia/authelia/releases/download/v{{var_authelia_version}}/authelia-v{{var_authelia_version}}-linux-{{var_authelia_variant}}.tar.gz", - "dest": "/tmp/authelia.tar.gz" - } - }, - { - "name": "unpack | preparation", - "delegate_to": "localhost", - "ansible.builtin.file": { - "state": "directory", - "dest": "/tmp/authelia" - } - }, - { - "name": "unpack | execution", - "delegate_to": "localhost", - "ansible.builtin.unarchive": { - "src": "/tmp/authelia.tar.gz", - "dest": "/tmp/authelia" - } - }, - { - "name": "setup binary", - "become": true, - "ansible.builtin.copy": { - "src": "/tmp/authelia/authelia-linux-{{var_authelia_variant}}", - "dest": "/usr/bin/authelia", - "mode": "0744" - } - }, - { - "name": "systemd unit", - "become": true, - "ansible.builtin.template": { - "src": "systemd-unit.j2", - "dest": "/etc/systemd/system/authelia.service" - } - }, { "name": "generate private key for signing OIDC JWTs", "become": true, @@ -93,11 +49,40 @@ "register": "temp_tls_result" }, { - "name": "emplace configuration", + "name": "configuration | compose script", + "become": true, + "ansible.builtin.copy": { + "src": "conf-compose.py", + "dest": "/usr/bin/authelia-conf-compose", + "mode": "0700" + } + }, + { + "name": "configuration | directories", + "become": true, + "loop": [ + "/etc/authelia/conf.d", + "/etc/authelia/conf.d/clients" + ], + "ansible.builtin.file": { + "state": "directory", + "path": "{{item}}" + } + }, + { + "name": "configuration | main", "become": true, "ansible.builtin.template": { - "src": "configuration.yml.j2", - "dest": "/etc/authelia/configuration.yml" + "src": "conf-main.json.j2", + "dest": "/etc/authelia/conf.d/main.json" + } + }, + { + "name": "configuration | client | dummy", + "become": true, + "ansible.builtin.template": { + "src": "conf-client-dummy.json.j2", + "dest": "/etc/authelia/conf.d/clients/dummy.json" } }, { @@ -128,7 +113,6 @@ "name": "apply", "become": true, "ansible.builtin.systemd_service": { - "enabled": true, "state": "restarted", "name": "authelia" } diff --git a/ansible/roles/authelia/templates/conf-client-dummy.json.j2 b/ansible/roles/authelia/templates/conf-client-dummy.json.j2 new file mode 100644 index 0000000..88dcf25 --- /dev/null +++ b/ansible/roles/authelia/templates/conf-client-dummy.json.j2 @@ -0,0 +1,7 @@ +{ + "public": false, + "id": "dummy", + "secret": "d1424b378e4fbbc153f330f33b74ab192525b98cc2dd58b2e8d01c2737be00c6", + "redirect_uris": [ + ] +} diff --git a/ansible/roles/authelia/templates/conf-main.json.j2 b/ansible/roles/authelia/templates/conf-main.json.j2 new file mode 100644 index 0000000..5fa6b6d --- /dev/null +++ b/ansible/roles/authelia/templates/conf-main.json.j2 @@ -0,0 +1,166 @@ +{ + "theme": "auto", + "jwt_secret": "{{var_authelia_jwt_secret}}", + "default_2fa_method": "totp", + "server": { + "host": "{{var_authelia_listen_address}}", + "port": 9091, + "path": "", + "enable_pprof": false, + "enable_expvars": false, + "disable_healthcheck": false + }, + "log": { + "level": "info", + "format": "json", + "file_path": "{{var_authelia_log_file_path}}", + "keep_stdout": false + }, + "telemetry": { + "metrics": { + "enabled": false, + "address": "tcp://0.0.0.0:9959" + } + }, + "totp": { + "disable": false, + "issuer": "authelia.com", + "algorithm": "sha1", + "digits": 6, + "period": 30, + "skew": 1, + "secret_size": 32 + }, + "webauthn": { + "disable": true, + "timeout": "60s", + "display_name": "Authelia", + "attestation_conveyance_preference": "indirect", + "user_verification": "preferred" + }, + "ntp": { + "address": "{{var_authelia_ntp_server}}", + "version": 4, + "max_desync": "3s", + "disable_startup_check": false, + "disable_failure": false + }, + "authentication_backend": { + "password_reset": { + "disable": true, + "custom_url": "" + }, + "refresh_interval": "5m", + "file": { + "path": "{{var_authelia_users_file_path}}", + "watch": true, + "search": { + "email": false, + "case_insensitive": false + }, + "password": { + "algorithm": "argon2", + "argon2": { + "variant": "argon2id", + "iterations": 3, + "memory": 65536, + "parallelism": 4, + "key_length": 32, + "salt_length": 16 + }, + "scrypt": { + "iterations": 16, + "block_size": 8, + "parallelism": 1, + "key_length": 32, + "salt_length": 16 + }, + "pbkdf2": { + "variant": "sha512", + "iterations": 310000, + "salt_length": 16 + }, + "sha2crypt": { + "variant": "sha512", + "iterations": 50000, + "salt_length": 16 + }, + "bcrypt": { + "variant": "standard", + "cost": 12 + } + } + } + }, + "password_policy": { + "standard": { + "enabled": false, + "min_length": 8, + "max_length": 0, + "require_uppercase": true, + "require_lowercase": true, + "require_number": true, + "require_special": true + }, + "zxcvbn": { + "enabled": false, + "min_score": 3 + } + }, + "access_control": { + "default_policy": "one_factor" + }, + "session": { + "name": "authelia_session", + "domain": "{{var_authelia_session_domain}}", + "same_site": "lax", + "secret": "{{var_authelia_session_secret}}", + "expiration": "1h", + "inactivity": "5m", + "remember_me_duration": "1M" + }, + "regulation": { + "max_retries": 3, + "find_time": "2m", + "ban_time": "5m" + }, + "storage": { + "encryption_key": "{{var_authelia_storage_encryption_key}}", + "local": { + "path": "{{var_authelia_storage_path}}" + } + }, + "notifier": { + "disable_startup_check": true, +{% if var_authelia_notification_mode == "file" %} + "filesystem": { + "filename": "{{var_authelia_notification_file_path}}" + } +{% endif %} +{% if var_authelia_notification_mode == "smtp" %} + "smtp": { + "host": "{{var_authelia_notification_smtp_host}}", + "port": {{var_authelia_notification_smtp_port}}, + "username": "{{var_authelia_notification_smtp_username}}", + "password": "{{var_authelia_notification_smtp_password}}", + "sender": "{{var_authelia_notification_smtp_sender}}", + "disable_require_tls": false, + "disable_html_emails": false, + "tls": { + "skip_verify": false + } + } +{% endif %} + }, + "identity_providers": { + "oidc": { + "hmac_secret": "{{var_authelia_oidc_hmac_secret}}", + "issuer_private_key": "{{temp_tls_result.privatekey | replace('\n', '\\n')}}", + "cors": { + "allowed_origins_from_client_redirect_uris": true + }, + "clients": [ + ] + } + } +} diff --git a/ansible/roles/authelia/templates/configuration.yml.j2 b/ansible/roles/authelia/templates/configuration.yml.j2 deleted file mode 100644 index 8fc19ad..0000000 --- a/ansible/roles/authelia/templates/configuration.yml.j2 +++ /dev/null @@ -1,141 +0,0 @@ -theme: auto -jwt_secret: "{{var_authelia_jwt_secret}}" -default_2fa_method: totp -server: - host: "{{var_authelia_listen_address}}" - port: 9091 - path: "" - enable_pprof: false - enable_expvars: false - disable_healthcheck: false -log: - level: info - format: json - file_path: {{var_authelia_log_file_path}} - keep_stdout: false -telemetry: - metrics: - enabled: false - address: tcp://0.0.0.0:9959 -totp: - disable: false - issuer: authelia.com - algorithm: sha1 - digits: 6 - period: 30 - skew: 1 - secret_size: 32 -webauthn: - disable: true - timeout: 60s - display_name: Authelia - attestation_conveyance_preference: indirect - user_verification: preferred -ntp: - address: "{{var_authelia_ntp_server}}" - version: 4 - max_desync: 3s - disable_startup_check: false - disable_failure: false -authentication_backend: - password_reset: - disable: true - custom_url: "" - refresh_interval: 5m - file: - path: "{{var_authelia_users_file_path}}" - watch: true - search: - email: false - case_insensitive: false - password: - algorithm: argon2 - argon2: - variant: argon2id - iterations: 3 - memory: 65536 - parallelism: 4 - key_length: 32 - salt_length: 16 - scrypt: - iterations: 16 - block_size: 8 - parallelism: 1 - key_length: 32 - salt_length: 16 - pbkdf2: - variant: sha512 - iterations: 310000 - salt_length: 16 - sha2crypt: - variant: sha512 - iterations: 50000 - salt_length: 16 - bcrypt: - variant: standard - cost: 12 -password_policy: - standard: - enabled: false - min_length: 8 - max_length: 0 - require_uppercase: true - require_lowercase: true - require_number: true - require_special: true - zxcvbn: - enabled: false - min_score: 3 -access_control: - default_policy: one_factor -session: - name: authelia_session - domain: "{{var_authelia_session_domain}}" - same_site: lax - secret: "{{var_authelia_session_secret}}" - expiration: 1h - inactivity: 5m - remember_me_duration: 1M -regulation: - max_retries: 3 - find_time: 2m - ban_time: 5m -storage: - encryption_key: "{{var_authelia_storage_encryption_key}}" - local: - path: "{{var_authelia_storage_path}}" -notifier: - disable_startup_check: true -{% if var_authelia_notification_mode == "file" %} - filesystem: - filename: {{var_authelia_notification_file_path}} -{% endif %} -{% if var_authelia_notification_mode == "smtp" %} - smtp: - host: "{{var_authelia_notification_smtp_host}}" - port: {{var_authelia_notification_smtp_port}} - username: "{{var_authelia_notification_smtp_username}}" - password: "{{var_authelia_notification_smtp_password}}" - sender: "{{var_authelia_notification_smtp_sender}}" - disable_require_tls: false - disable_html_emails: false - tls: - skip_verify: false -{% endif %} -identity_providers: - oidc: - hmac_secret: "{{var_authelia_oidc_hmac_secret}}" - issuer_private_key: | -{% filter indent(width=6) %} - {{temp_tls_result.privatekey}} -{% endfilter %} - cors: - allowed_origins_from_client_redirect_uris: true - clients: - - - public: false - id: "dummy" - secret: "d1424b378e4fbbc153f330f33b74ab192525b98cc2dd58b2e8d01c2737be00c6" - redirect_uris: [] - -... diff --git a/ansible/roles/authelia/templates/systemd-unit.j2 b/ansible/roles/authelia/templates/systemd-unit.j2 deleted file mode 100644 index 48b2065..0000000 --- a/ansible/roles/authelia/templates/systemd-unit.j2 +++ /dev/null @@ -1,11 +0,0 @@ -[Unit] -Description=Authelia authentication and authorization server -After=multi-user.target - -[Service] -Environment=AUTHELIA_SERVER_DISABLE_HEALTHCHECK=true -ExecStart=/usr/bin/authelia --config /etc/authelia/configuration.yml -SyslogIdentifier=authelia - -[Install] -WantedBy=multi-user.target From ed282bb9eebee8504a940bc12574d08e8362a2d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 16 Dec 2023 15:13:41 +0100 Subject: [PATCH 06/19] [fix] role:authelia: --- ansible/roles/authelia/tasks/main.json | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ansible/roles/authelia/tasks/main.json b/ansible/roles/authelia/tasks/main.json index 945d9cf..22cfd21 100644 --- a/ansible/roles/authelia/tasks/main.json +++ b/ansible/roles/authelia/tasks/main.json @@ -85,6 +85,13 @@ "dest": "/etc/authelia/conf.d/clients/dummy.json" } }, + { + "name": "configuration | compose", + "become": true, + "ansible.builtin.command": { + "cmd": "/usr/bin/authelia-conf-compose --main-file-path=/etc/authelia/conf.d/main.json --clients-directory-path=/etc/authelia/conf.d/clients --output-format=yaml --output-path=/etc/authelia/configuration.yml" + } + }, { "name": "setup log directory", "become": true, From c943418942370112ea6add512f24cabdd7d1305b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 16 Dec 2023 15:14:21 +0100 Subject: [PATCH 07/19] [fix] role:authelia-and-nginx --- .../authelia-and-nginx/templates/conf.j2 | 52 ++++++++++++++++--- 1 file changed, 44 insertions(+), 8 deletions(-) diff --git a/ansible/roles/authelia-and-nginx/templates/conf.j2 b/ansible/roles/authelia-and-nginx/templates/conf.j2 index 8202046..67fcd50 100644 --- a/ansible/roles/authelia-and-nginx/templates/conf.j2 +++ b/ansible/roles/authelia-and-nginx/templates/conf.j2 @@ -1,26 +1,62 @@ server { + server_name {{var_authelia_and_nginx_domain}}; + + listen [::]:80; listen 80; - server_name auth.*; return 301 https://$server_name$request_uri; } server { - listen 443 ssl http2; server_name {{var_authelia_and_nginx_domain}}; - # include /config/nginx/snippets/ssl.conf; + listen [::]:443 ssl http2; + listen 443 ssl http2; + ssl_certificate /etc/ssl/certs/{{var_authelia_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem; - set $upstream http://localhost:9091; - location / { - # include /config/nginx/snippets/proxy.conf; - proxy_pass $upstream; + ## Headers + proxy_set_header Host $host; + proxy_set_header X-Original-URL $scheme://$http_host$request_uri; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Uri $request_uri; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Connection ""; + + ## Basic Proxy Configuration + client_body_buffer_size 128k; + proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead. + proxy_redirect http:// $scheme://; + proxy_http_version 1.1; + proxy_cache_bypass $cookie_session; + proxy_no_cache $cookie_session; + proxy_buffers 64 256k; + + ## Trusted Proxies Configuration + ## Please read the following documentation before configuring this: + ## https://www.authelia.com/integration/proxies/nginx/#trusted-proxies + # set_real_ip_from 10.0.0.0/8; + # set_real_ip_from 172.16.0.0/12; + # set_real_ip_from 192.168.0.0/16; + # set_real_ip_from fc00::/7; + real_ip_header X-Forwarded-For; + real_ip_recursive on; + + ## Advanced Proxy Configuration + send_timeout 5m; + proxy_read_timeout 360; + proxy_send_timeout 360; + proxy_connect_timeout 360; + + proxy_pass http://localhost:9091; } location /api/verify { - proxy_pass $upstream; + proxy_pass http://localhost:9091; } } From e6021f4a9c2250605bb1b5c8c12730609318f3d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 00:16:15 +0100 Subject: [PATCH 08/19] [fix] role:authelia --- ansible/roles/authelia/defaults/main.json | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/ansible/roles/authelia/defaults/main.json b/ansible/roles/authelia/defaults/main.json index 44809f8..4dd3749 100644 --- a/ansible/roles/authelia/defaults/main.json +++ b/ansible/roles/authelia/defaults/main.json @@ -2,11 +2,11 @@ "var_authelia_version": "4.37.5", "var_authelia_architecture": "amd64", "var_authelia_listen_address": "0.0.0.0", - "var_authelia_jwt_secret": "authelia_jwt_secret", + "var_authelia_jwt_secret": "REPLACE_ME", "var_authelia_users_file_path": "/var/authelia/users.yml", "var_authelia_log_file_path": "/var/log/authelia.log", "var_authelia_session_domain": "example.org", - "var_authelia_session_secret": "session_secret", + "var_authelia_session_secret": "REPLACE_ME", "var_authelia_storage_path": "/var/authelia/state.db", "var_authelia_storage_encryption_key": "storage_encryption_key", "var_authelia_ntp_server": "time.cloudflare.com:123", @@ -15,8 +15,7 @@ "var_authelia_notification_smtp_host": "smtp.example.org", "var_authelia_notification_smtp_port": "465", "var_authelia_notification_smtp_username": "authelia", - "var_authelia_notification_smtp_username": "smtp_password", - "var_authelia_notification_smtp_sender": "Authelia", + "var_authelia_notification_smtp_password": "smtp_password", "var_authelia_notification_smtp_sender": "Authelia", "var_authelia_oidc_hmac_secret": "oidc_hmac_secret" } From 21acd5c745da835c0070ac0915788f3c7fe20c77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 00:23:21 +0100 Subject: [PATCH 09/19] [add] role:authelia-for-synapse --- .../authelia-for-synapse/defaults/main.json | 5 ++++ ansible/roles/authelia-for-synapse/info.md | 9 +++++++ .../authelia-for-synapse/tasks/main.json | 25 +++++++++++++++++++ .../templates/authelia-client-conf.json.j2 | 16 ++++++++++++ 4 files changed, 55 insertions(+) create mode 100644 ansible/roles/authelia-for-synapse/defaults/main.json create mode 100644 ansible/roles/authelia-for-synapse/info.md create mode 100644 ansible/roles/authelia-for-synapse/tasks/main.json create mode 100644 ansible/roles/authelia-for-synapse/templates/authelia-client-conf.json.j2 diff --git a/ansible/roles/authelia-for-synapse/defaults/main.json b/ansible/roles/authelia-for-synapse/defaults/main.json new file mode 100644 index 0000000..c140a23 --- /dev/null +++ b/ansible/roles/authelia-for-synapse/defaults/main.json @@ -0,0 +1,5 @@ +{ + "var_authelia_for_synapse_synapse_url_base": "https://matrix.example.org", + "var_authelia_for_synapse_client_id": "synapse", + "var_authelia_for_synapse_client_secret": "REPLACE_ME" +} diff --git a/ansible/roles/authelia-for-synapse/info.md b/ansible/roles/authelia-for-synapse/info.md new file mode 100644 index 0000000..2ec06a0 --- /dev/null +++ b/ansible/roles/authelia-for-synapse/info.md @@ -0,0 +1,9 @@ +## Beschreibung + +Um [Synapse](../synapse) gegen [Authelia](../authelia) authentifizieren zu lassen + + +## Verweise + +- [Authelia-Dokumentation | Synapse Integration](https://www.authelia.com/integration/openid-connect/synapse/) +- [Synapse-Dokumentation | OpenID Connect](https://matrix-org.github.io/synapse/latest/openid.html) diff --git a/ansible/roles/authelia-for-synapse/tasks/main.json b/ansible/roles/authelia-for-synapse/tasks/main.json new file mode 100644 index 0000000..25aa632 --- /dev/null +++ b/ansible/roles/authelia-for-synapse/tasks/main.json @@ -0,0 +1,25 @@ +[ + { + "name": "configuration | emplace", + "become": true, + "ansible.builtin.template": { + "src": "authelia-client-conf.json.j2", + "dest": "/etc/authelia/conf.d/clients/synapse.json" + } + }, + { + "name": "configuration | apply", + "become": true, + "ansible.builtin.command": { + "cmd": "/usr/bin/authelia-conf-compose" + } + }, + { + "name": "restart service", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "authelia" + } + } +] diff --git a/ansible/roles/authelia-for-synapse/templates/authelia-client-conf.json.j2 b/ansible/roles/authelia-for-synapse/templates/authelia-client-conf.json.j2 new file mode 100644 index 0000000..be88570 --- /dev/null +++ b/ansible/roles/authelia-for-synapse/templates/authelia-client-conf.json.j2 @@ -0,0 +1,16 @@ +{ + "id": "{{var_authelia_for_synapse_client_id}}", + "description": "Synapse", + "secret": "{{var_authelia_for_synapse_client_secret}}", + "public": false, + "authorization_policy": "one_factor", + "redirect_uris": [ + "{{var_authelia_for_synapse_synapse_url_base}}/_synapse/client/oidc/callback" + ], + "scopes": [ + "openid", + "email", + "profile" + ], + "userinfo_signing_algorithm": "none" +} From 148df7737065fc33683b011375fa2c653c552e7e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 00:30:48 +0100 Subject: [PATCH 10/19] [fix] role:authelia-and-nginx --- ansible/roles/authelia-and-nginx/templates/conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/authelia-and-nginx/templates/conf.j2 b/ansible/roles/authelia-and-nginx/templates/conf.j2 index 67fcd50..bd0cbeb 100644 --- a/ansible/roles/authelia-and-nginx/templates/conf.j2 +++ b/ansible/roles/authelia-and-nginx/templates/conf.j2 @@ -13,7 +13,7 @@ server { listen [::]:443 ssl http2; listen 443 ssl http2; - ssl_certificate /etc/ssl/certs/{{var_authelia_and_nginx_domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem; location / { From 7615a64d56131c515c19ffd378b2f3d1cc1e9825 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 00:31:03 +0100 Subject: [PATCH 11/19] [mod] role:authelia-and-nginx:info --- ansible/roles/authelia/info.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/authelia/info.md b/ansible/roles/authelia/info.md index f025edb..abdb2ac 100644 --- a/ansible/roles/authelia/info.md +++ b/ansible/roles/authelia/info.md @@ -15,4 +15,4 @@ - Dummy-Client los werden - Dummy-Nutzer los werden - +- Nutzer-Datei-Verwaltung verbessern From e54bcb109346430ad5c43cd80a31ac9f0168196f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 11:19:44 +0100 Subject: [PATCH 12/19] [mod] role:authelia:log-pfad --- ansible/roles/authelia/defaults/main.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/authelia/defaults/main.json b/ansible/roles/authelia/defaults/main.json index 4dd3749..d2fbace 100644 --- a/ansible/roles/authelia/defaults/main.json +++ b/ansible/roles/authelia/defaults/main.json @@ -4,7 +4,7 @@ "var_authelia_listen_address": "0.0.0.0", "var_authelia_jwt_secret": "REPLACE_ME", "var_authelia_users_file_path": "/var/authelia/users.yml", - "var_authelia_log_file_path": "/var/log/authelia.log", + "var_authelia_log_file_path": "/var/authelia/log.jsonl", "var_authelia_session_domain": "example.org", "var_authelia_session_secret": "REPLACE_ME", "var_authelia_storage_path": "/var/authelia/state.db", From 8f670639f464b24de01893aa61656134068bc85e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 16:11:49 +0100 Subject: [PATCH 13/19] [add] role:authelia-for-gitlab --- .../authelia-for-gitlab/defaults/main.json | 5 ++++ ansible/roles/authelia-for-gitlab/info.md | 10 ++++++++ .../roles/authelia-for-gitlab/tasks/main.json | 25 +++++++++++++++++++ .../templates/authelia-client-conf.json.j2 | 17 +++++++++++++ 4 files changed, 57 insertions(+) create mode 100644 ansible/roles/authelia-for-gitlab/defaults/main.json create mode 100644 ansible/roles/authelia-for-gitlab/info.md create mode 100644 ansible/roles/authelia-for-gitlab/tasks/main.json create mode 100644 ansible/roles/authelia-for-gitlab/templates/authelia-client-conf.json.j2 diff --git a/ansible/roles/authelia-for-gitlab/defaults/main.json b/ansible/roles/authelia-for-gitlab/defaults/main.json new file mode 100644 index 0000000..aeeec3b --- /dev/null +++ b/ansible/roles/authelia-for-gitlab/defaults/main.json @@ -0,0 +1,5 @@ +{ + "var_authelia_for_gitlab_gitlab_url_base": "https://gitlab.example.org", + "var_authelia_for_gitlab_client_id": "gitlab", + "var_authelia_for_gitlab_client_secret": "REPLACE_ME" +} diff --git a/ansible/roles/authelia-for-gitlab/info.md b/ansible/roles/authelia-for-gitlab/info.md new file mode 100644 index 0000000..9bf2a1f --- /dev/null +++ b/ansible/roles/authelia-for-gitlab/info.md @@ -0,0 +1,10 @@ +## Beschreibung + +Um [GitLab](../gitlab) gegen [Authelia](../authelia) authentifizieren zu lassen + + +## Verweise + +- [Authelia-Dokumentation | GitLab Integration](https://www.authelia.com/integration/openid-connect/gitlab/) +- [GitLab-Dokumentation | Use OpenID Connect as an OAuth 2.0 authentication provider](https://docs.gitlab.com/ee/administration/auth/oidc.html) + diff --git a/ansible/roles/authelia-for-gitlab/tasks/main.json b/ansible/roles/authelia-for-gitlab/tasks/main.json new file mode 100644 index 0000000..5790e65 --- /dev/null +++ b/ansible/roles/authelia-for-gitlab/tasks/main.json @@ -0,0 +1,25 @@ +[ + { + "name": "configuration | emplace", + "become": true, + "ansible.builtin.template": { + "src": "authelia-client-conf.json.j2", + "dest": "/etc/authelia/conf.d/clients/gitlab.json" + } + }, + { + "name": "configuration | apply", + "become": true, + "ansible.builtin.command": { + "cmd": "/usr/bin/authelia-conf-compose" + } + }, + { + "name": "restart service", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "authelia" + } + } +] diff --git a/ansible/roles/authelia-for-gitlab/templates/authelia-client-conf.json.j2 b/ansible/roles/authelia-for-gitlab/templates/authelia-client-conf.json.j2 new file mode 100644 index 0000000..2c1f44a --- /dev/null +++ b/ansible/roles/authelia-for-gitlab/templates/authelia-client-conf.json.j2 @@ -0,0 +1,17 @@ +{ + "id": "{{var_authelia_for_gitlab_client_id}}", + "description": "GitLab", + "secret": "{{var_authelia_for_gitlab_client_secret}}", + "public": false, + "authorization_policy": "one_factor", + "redirect_uris": [ + "{{var_authelia_for_gitlab_gitlab_url_base}}/users/auth/openid_connect/callback + ], + "scopes": [ + "openid", + "profile" + "groups", + "email" + ], + "userinfo_signing_algorithm": "none" +} From 03c72674d14b512d2ae487a7f86e5cbcb20b596c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 23:04:02 +0100 Subject: [PATCH 14/19] [mod] roles:authelia:Dummy-Client und -Nutzer dynamisch handhaben --- ansible/roles/authelia/files/conf-compose.py | 20 +- ansible/roles/authelia/files/user-manage.py | 188 ++++++++++++++++++ ansible/roles/authelia/info.md | 7 +- ansible/roles/authelia/tasks/main.json | 21 +- .../templates/conf-client-dummy.json.j2 | 7 - ansible/roles/authelia/templates/users.yml.j2 | 7 +- 6 files changed, 222 insertions(+), 28 deletions(-) create mode 100644 ansible/roles/authelia/files/user-manage.py delete mode 100644 ansible/roles/authelia/templates/conf-client-dummy.json.j2 diff --git a/ansible/roles/authelia/files/conf-compose.py b/ansible/roles/authelia/files/conf-compose.py index 92a76b8..011babb 100644 --- a/ansible/roles/authelia/files/conf-compose.py +++ b/ansible/roles/authelia/files/conf-compose.py @@ -117,7 +117,25 @@ def main(): } } data = dict_merge(data, data_) - + ### postprocess + if True: + if (len(data["identity_providers"]["oidc"]["clients"]) <= 0): + data["identity_providers"]["oidc"]["clients"].append( + { + "public": False, + "id": "_dummy", + "description": "not a real client; just here to make Authelia run", + "authorization_policy": "one_factor", + "secret": "", + "scopes": [], + "redirect_uris": [], + "grant_types": [], + "response_types": [], + "response_modes": [], + } + ) + else: + pass ## output if True: if (args.output_format == "json"): diff --git a/ansible/roles/authelia/files/user-manage.py b/ansible/roles/authelia/files/user-manage.py new file mode 100644 index 0000000..7d9a84e --- /dev/null +++ b/ansible/roles/authelia/files/user-manage.py @@ -0,0 +1,188 @@ +#!/usr/bin/env python3 + +import sys as _sys +import os as _os +import subprocess as _subprocess +import argparse as _argparse +import yaml as _yaml +import string as _string +import random as _random + + +def file_read(path): + handle = open(path, "r") + content = handle.read() + handle.close() + return content + + +def file_write(path, content): + directory = _os.path.dirname(path) + if (not _os.path.exists(directory)): + _os.makedirs(directory, exist_ok = True) + else: + pass + handle = open(path, "w") + handle.write(content) + handle.close() + return content + + +def get_password_hash(binary_file_path, conf_file_path, name): + output = _subprocess.check_output([ + binary_file_path, + "--config=%s" % conf_file_path, + "hash-password", + name + ]) + return output.decode("utf-8").split("\n")[0][8:] + + +def postprocess(binary_file_path, conf_file_path, data): + password = "".join(map(lambda x: _random.choice(_string.ascii_lowercase), range(16))) + if (len(data["users"]) <= 0): + data["users"]["_dummy"] = { + "displayname": "(Dummy)", + "password": get_password_hash(binary_file_path, conf_file_path, password), + "email": "dummy@nowhere.net", + "groups": [], + } + else: + pass + return data + + +def data_read(user_file_path): + data = _yaml.safe_load(file_read(user_file_path)) + data["users"].pop("_dummy", None) + return data + + +def data_write(binary_file_path, conf_file_path, user_file_path, data): + file_write(user_file_path, _yaml.dump(postprocess(binary_file_path, conf_file_path, data))) + + +def main(): + ## args + argument_parser = _argparse.ArgumentParser() + argument_parser.add_argument( + "command", + type = str, + choices = ["list", "show", "add", "change", "remove"], + default = "list", + help = "command to execute", + ) + argument_parser.add_argument( + "-b", + "--binary-file-path", + type = str, + default = "/usr/bin/authelia", + help = "path to the Authelia binary file", + ) + argument_parser.add_argument( + "-c", + "--conf-file-path", + type = str, + default = "/etc/authelia/configuration.yml", + help = "path to the Authelia configuration file", + ) + argument_parser.add_argument( + "-u", + "--user-file-path", + type = str, + default = "/var/authelia/users.yml", + help = "path to the user database file", + ) + argument_parser.add_argument( + "-n", + "--login-name", + type = str, + default = None, + help = "login name of the user; has to be unique", + ) + argument_parser.add_argument( + "-p", + "--password", + type = str, + default = None, + help = "password of the user", + ) + argument_parser.add_argument( + "-d", + "--display-name", + type = str, + default = None, + help = "display name of the user", + ) + argument_parser.add_argument( + "-e", + "--email", + type = str, + default = None, + help = "e-mail address of the user", + ) + args = argument_parser.parse_args() + + ## exec + data = data_read(args.user_file_path) + if (args.command == "list"): + names = sorted(data["users"].keys()) + for name in names: + _sys.stdout.write("%s\n" % name) + elif (args.command == "show"): + if (args.login_name is None): + raise ValueError("name required") + else: + if (not (args.login_name in data["users"])): + raise ValueError("no such user") + else: + entry = data["users"][args.login_name] + _sys.stdout.write("%s\n" % _yaml.dump(entry)) + elif (args.command == "add"): + if (args.login_name is None): + raise ValueError("name required") + else: + if (args.password is None): + raise ValueError("password required") + else: + entry = { + "displayname": (args.display_name or args.login_name), + "password": get_password_hash(args.binary_file_path, args.conf_file_path, args.login_name), + "email": args.email, + "groups": [], + } + data["users"][args.login_name] = entry + data_write(args.binary_file_path, args.conf_file_path, args.user_file_path, data) + elif (args.command == "change"): + if (args.login_name is None): + raise ValueError("name required") + else: + entry = data["users"][args.login_name] + if (args.password is None): + pass + else: + entry["password"] = get_password_hash(args.binary_file_path, args.conf_file_path, args.login_name) + if (args.display_name is None): + pass + else: + entry["displayname"] = args.display_name + if (args.email is None): + pass + else: + entry["email"] = args.email + data["users"][args.login_name] = entry + data_write(args.binary_file_path, args.conf_file_path, args.user_file_path, data) + elif (args.command == "remove"): + if (args.login_name is None): + raise ValueError("name required") + else: + if (not (args.login_name in data["users"])): + raise ValueError("no such user") + else: + del data["users"][args.login_name] + data_write(args.binary_file_path, args.conf_file_path, args.user_file_path, data) + else: + raise NotImplementedError() + + +main() diff --git a/ansible/roles/authelia/info.md b/ansible/roles/authelia/info.md index abdb2ac..6779bb2 100644 --- a/ansible/roles/authelia/info.md +++ b/ansible/roles/authelia/info.md @@ -1,7 +1,8 @@ ## Beschreibung - zum Aufsetzen des Authentifizierungs-Dienstes [Authelia](https://www.authelia.com/) -- um einen Clients hinzuzfügen, erstellt man eine entsprechende JSON-Datei in `/etc/authelia/conf.d/clients` und führt aus `/usr/bin/authelia-conf-compose` +- um einen Clients hinzuzfügen, erstellt man eine entsprechende JSON-Datei in `/etc/authelia/conf.d/clients` und führt aus `authelia-conf-compose` +- zum Verwalten der Nutzer kann man `authelia-user-manage` verwenden (`-h` anhängen für Erklärung) ## Verweise @@ -13,6 +14,4 @@ ## ToDo -- Dummy-Client los werden -- Dummy-Nutzer los werden -- Nutzer-Datei-Verwaltung verbessern +- Nutzer-Verwaltung verbessern (evtl. externalisieren) diff --git a/ansible/roles/authelia/tasks/main.json b/ansible/roles/authelia/tasks/main.json index 22cfd21..c765720 100644 --- a/ansible/roles/authelia/tasks/main.json +++ b/ansible/roles/authelia/tasks/main.json @@ -77,14 +77,6 @@ "dest": "/etc/authelia/conf.d/main.json" } }, - { - "name": "configuration | client | dummy", - "become": true, - "ansible.builtin.template": { - "src": "conf-client-dummy.json.j2", - "dest": "/etc/authelia/conf.d/clients/dummy.json" - } - }, { "name": "configuration | compose", "become": true, @@ -101,7 +93,7 @@ } }, { - "name": "setup users directory", + "name": "users | directory", "become": true, "ansible.builtin.file": { "state": "directory", @@ -109,13 +101,22 @@ } }, { - "name": "place dummy user file", + "name": "users | initial file", "become": true, "ansible.builtin.template": { "src": "users.yml.j2", "dest": "{{var_authelia_users_file_path}}" } }, + { + "name": "users | management script", + "become": true, + "ansible.builtin.copy": { + "src": "user-manage.py", + "dest": "/usr/bin/authelia-user-manage", + "mode": "0700" + } + }, { "name": "apply", "become": true, diff --git a/ansible/roles/authelia/templates/conf-client-dummy.json.j2 b/ansible/roles/authelia/templates/conf-client-dummy.json.j2 deleted file mode 100644 index 88dcf25..0000000 --- a/ansible/roles/authelia/templates/conf-client-dummy.json.j2 +++ /dev/null @@ -1,7 +0,0 @@ -{ - "public": false, - "id": "dummy", - "secret": "d1424b378e4fbbc153f330f33b74ab192525b98cc2dd58b2e8d01c2737be00c6", - "redirect_uris": [ - ] -} diff --git a/ansible/roles/authelia/templates/users.yml.j2 b/ansible/roles/authelia/templates/users.yml.j2 index eea8164..bf82e98 100644 --- a/ansible/roles/authelia/templates/users.yml.j2 +++ b/ansible/roles/authelia/templates/users.yml.j2 @@ -1,6 +1 @@ -users: - _dummy: - displayname: "(Dummy)" - password: "$argon2id$v=19$m=65536,t=3,p=4$sHIRjFaYRz2U3F8wHnqecQ$lwnQtHNeFqgLaLSW8It7KJSHNOJoSeF+RF7lwgM7WRA" - email: "dummy@nowhere.org" - groups: [] +users: {} From 8a877748fbc100e6923b85944b813fc680915d30 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 23:41:32 +0100 Subject: [PATCH 15/19] [mod] role:synapse:Konvertierungen nutzen --- ansible/roles/synapse/defaults/main.json | 10 +++++----- ansible/roles/synapse/templates/homeserver.yaml.j2 | 8 +++++--- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/ansible/roles/synapse/defaults/main.json b/ansible/roles/synapse/defaults/main.json index fe0f604..a57ac35 100644 --- a/ansible/roles/synapse/defaults/main.json +++ b/ansible/roles/synapse/defaults/main.json @@ -1,6 +1,6 @@ { "var_synapse_scheme": "https", - "var_synapse_domain": "matrix.example.org", + "var_synapse_domain": "synapse.example.org", "var_synaspe_database_kind": "sqlite", "var_synaspe_database_sqlite_path": "/var/synapse/data.sqlite", "var_synaspe_database_postgresql_host": "localhost", @@ -10,8 +10,8 @@ "var_synaspe_database_postgresql_schema": "synapse", "var_synapse_element_url": "https://element.example.org", "var_synapse_title": "Example | Matrix", - "var_synapse_federation_whitelist": "[]", - "var_synapse_password_strict_policy": "true", + "var_synapse_federation_whitelist": [], + "var_synapse_password_strict_policy": true, "var_synapse_registration_shared_secret": "REPLACE_ME", "var_synapse_oidc_enable": false, "var_synapse_oidc_provider_id": "external_auth", @@ -20,8 +20,8 @@ "var_synapse_oidc_client_secret": "REPLACE_ME", "var_synapse_oidc_issuer_url": "https://auth.example.org", "var_synapse_smtp_host": "smtp.example.org", - "var_synapse_smtp_port": "587", - "var_synapse_smtp_username": "matrix@smtp.example.org", + "var_synapse_smtp_port": 587, + "var_synapse_smtp_username": "synapse@smtp.example.org", "var_synapse_smtp_password": "REPLACE_ME", "var_synapse_admin_user_define": true, "var_synapse_admin_user_name": "admin", diff --git a/ansible/roles/synapse/templates/homeserver.yaml.j2 b/ansible/roles/synapse/templates/homeserver.yaml.j2 index c58e3e7..de8088e 100644 --- a/ansible/roles/synapse/templates/homeserver.yaml.j2 +++ b/ansible/roles/synapse/templates/homeserver.yaml.j2 @@ -45,7 +45,7 @@ listeners: - names: [federation] compress: false -federation_domain_whitelist: {{var_synapse_federation_whitelist}} +federation_domain_whitelist: {{var_synapse_federation_whitelist | to_yaml}} serve_server_wellknown: true @@ -87,7 +87,9 @@ max_spider_size: "10M" enable_registration_captcha: false recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" +{% if var_synapse_registration_shared_secret != None %} registration_shared_secret: "{{var_synapse_registration_shared_secret}}" +{% endif %} {% if var_synapse_oidc_enable %} enable_registration: false @@ -158,11 +160,11 @@ saml2_config: password_config: enabled: true policy: - enabled: {{var_synapse_password_strict_policy}} + enabled: {{var_synapse_password_strict_policy | to_yaml}} email: smtp_host: "{{var_synapse_smtp_host}}" - smtp_port: {{var_synapse_smtp_port}} + smtp_port: {{var_synapse_smtp_port | to_yaml}} smtp_user: "{{var_synapse_smtp_username}}" smtp_pass: "{{var_synapse_smtp_password}}" require_transport_security: true From 439861ee7a5dbd04367885018837d5ebbae69ae8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 23:41:59 +0100 Subject: [PATCH 16/19] =?UTF-8?q?[mod]=20role:synapse-and-lighttpd:Standar?= =?UTF-8?q?d-Wert=20f=C3=BCr=20Dom=C3=A4ne=20ge=C3=A4ndert?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ansible/roles/synapse-and-lighttpd/defaults/main.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/synapse-and-lighttpd/defaults/main.json b/ansible/roles/synapse-and-lighttpd/defaults/main.json index fc3f952..9f9b55e 100644 --- a/ansible/roles/synapse-and-lighttpd/defaults/main.json +++ b/ansible/roles/synapse-and-lighttpd/defaults/main.json @@ -1,3 +1,3 @@ { - "var_synapse_and_lighttpd_domain": "REPLACE_ME" + "var_synapse_and_lighttpd_domain": "synapse.example.org" } From 822905025f4dd2a8708e7922f4f7692da9ead008 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 23:41:32 +0100 Subject: [PATCH 17/19] [mod] role:synapse:Konvertierungen nutzen --- ansible/roles/synapse/defaults/main.json | 10 +++++----- ansible/roles/synapse/templates/homeserver.yaml.j2 | 8 +++++--- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/ansible/roles/synapse/defaults/main.json b/ansible/roles/synapse/defaults/main.json index fe0f604..a57ac35 100644 --- a/ansible/roles/synapse/defaults/main.json +++ b/ansible/roles/synapse/defaults/main.json @@ -1,6 +1,6 @@ { "var_synapse_scheme": "https", - "var_synapse_domain": "matrix.example.org", + "var_synapse_domain": "synapse.example.org", "var_synaspe_database_kind": "sqlite", "var_synaspe_database_sqlite_path": "/var/synapse/data.sqlite", "var_synaspe_database_postgresql_host": "localhost", @@ -10,8 +10,8 @@ "var_synaspe_database_postgresql_schema": "synapse", "var_synapse_element_url": "https://element.example.org", "var_synapse_title": "Example | Matrix", - "var_synapse_federation_whitelist": "[]", - "var_synapse_password_strict_policy": "true", + "var_synapse_federation_whitelist": [], + "var_synapse_password_strict_policy": true, "var_synapse_registration_shared_secret": "REPLACE_ME", "var_synapse_oidc_enable": false, "var_synapse_oidc_provider_id": "external_auth", @@ -20,8 +20,8 @@ "var_synapse_oidc_client_secret": "REPLACE_ME", "var_synapse_oidc_issuer_url": "https://auth.example.org", "var_synapse_smtp_host": "smtp.example.org", - "var_synapse_smtp_port": "587", - "var_synapse_smtp_username": "matrix@smtp.example.org", + "var_synapse_smtp_port": 587, + "var_synapse_smtp_username": "synapse@smtp.example.org", "var_synapse_smtp_password": "REPLACE_ME", "var_synapse_admin_user_define": true, "var_synapse_admin_user_name": "admin", diff --git a/ansible/roles/synapse/templates/homeserver.yaml.j2 b/ansible/roles/synapse/templates/homeserver.yaml.j2 index c58e3e7..de8088e 100644 --- a/ansible/roles/synapse/templates/homeserver.yaml.j2 +++ b/ansible/roles/synapse/templates/homeserver.yaml.j2 @@ -45,7 +45,7 @@ listeners: - names: [federation] compress: false -federation_domain_whitelist: {{var_synapse_federation_whitelist}} +federation_domain_whitelist: {{var_synapse_federation_whitelist | to_yaml}} serve_server_wellknown: true @@ -87,7 +87,9 @@ max_spider_size: "10M" enable_registration_captcha: false recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" +{% if var_synapse_registration_shared_secret != None %} registration_shared_secret: "{{var_synapse_registration_shared_secret}}" +{% endif %} {% if var_synapse_oidc_enable %} enable_registration: false @@ -158,11 +160,11 @@ saml2_config: password_config: enabled: true policy: - enabled: {{var_synapse_password_strict_policy}} + enabled: {{var_synapse_password_strict_policy | to_yaml}} email: smtp_host: "{{var_synapse_smtp_host}}" - smtp_port: {{var_synapse_smtp_port}} + smtp_port: {{var_synapse_smtp_port | to_yaml}} smtp_user: "{{var_synapse_smtp_username}}" smtp_pass: "{{var_synapse_smtp_password}}" require_transport_security: true From ce22bc109ddea21cb176508eb91924dc53cdcd75 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 23:41:59 +0100 Subject: [PATCH 18/19] =?UTF-8?q?[mod]=20role:synapse-and-lighttpd:Standar?= =?UTF-8?q?d-Wert=20f=C3=BCr=20Dom=C3=A4ne=20ge=C3=A4ndert?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ansible/roles/synapse-and-lighttpd/defaults/main.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/synapse-and-lighttpd/defaults/main.json b/ansible/roles/synapse-and-lighttpd/defaults/main.json index fc3f952..9f9b55e 100644 --- a/ansible/roles/synapse-and-lighttpd/defaults/main.json +++ b/ansible/roles/synapse-and-lighttpd/defaults/main.json @@ -1,3 +1,3 @@ { - "var_synapse_and_lighttpd_domain": "REPLACE_ME" + "var_synapse_and_lighttpd_domain": "synapse.example.org" } From f502ae20edb00651ecf08e621ba476a4ca67410e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 23:47:37 +0100 Subject: [PATCH 19/19] [mod] outsourced --- .../authelia-for-gitlab/defaults/main.json | 5 ---- ansible/roles/authelia-for-gitlab/info.md | 10 -------- .../roles/authelia-for-gitlab/tasks/main.json | 25 ------------------- .../templates/authelia-client-conf.json.j2 | 17 ------------- 4 files changed, 57 deletions(-) delete mode 100644 ansible/roles/authelia-for-gitlab/defaults/main.json delete mode 100644 ansible/roles/authelia-for-gitlab/info.md delete mode 100644 ansible/roles/authelia-for-gitlab/tasks/main.json delete mode 100644 ansible/roles/authelia-for-gitlab/templates/authelia-client-conf.json.j2 diff --git a/ansible/roles/authelia-for-gitlab/defaults/main.json b/ansible/roles/authelia-for-gitlab/defaults/main.json deleted file mode 100644 index aeeec3b..0000000 --- a/ansible/roles/authelia-for-gitlab/defaults/main.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "var_authelia_for_gitlab_gitlab_url_base": "https://gitlab.example.org", - "var_authelia_for_gitlab_client_id": "gitlab", - "var_authelia_for_gitlab_client_secret": "REPLACE_ME" -} diff --git a/ansible/roles/authelia-for-gitlab/info.md b/ansible/roles/authelia-for-gitlab/info.md deleted file mode 100644 index 9bf2a1f..0000000 --- a/ansible/roles/authelia-for-gitlab/info.md +++ /dev/null @@ -1,10 +0,0 @@ -## Beschreibung - -Um [GitLab](../gitlab) gegen [Authelia](../authelia) authentifizieren zu lassen - - -## Verweise - -- [Authelia-Dokumentation | GitLab Integration](https://www.authelia.com/integration/openid-connect/gitlab/) -- [GitLab-Dokumentation | Use OpenID Connect as an OAuth 2.0 authentication provider](https://docs.gitlab.com/ee/administration/auth/oidc.html) - diff --git a/ansible/roles/authelia-for-gitlab/tasks/main.json b/ansible/roles/authelia-for-gitlab/tasks/main.json deleted file mode 100644 index 5790e65..0000000 --- a/ansible/roles/authelia-for-gitlab/tasks/main.json +++ /dev/null @@ -1,25 +0,0 @@ -[ - { - "name": "configuration | emplace", - "become": true, - "ansible.builtin.template": { - "src": "authelia-client-conf.json.j2", - "dest": "/etc/authelia/conf.d/clients/gitlab.json" - } - }, - { - "name": "configuration | apply", - "become": true, - "ansible.builtin.command": { - "cmd": "/usr/bin/authelia-conf-compose" - } - }, - { - "name": "restart service", - "become": true, - "ansible.builtin.systemd_service": { - "state": "restarted", - "name": "authelia" - } - } -] diff --git a/ansible/roles/authelia-for-gitlab/templates/authelia-client-conf.json.j2 b/ansible/roles/authelia-for-gitlab/templates/authelia-client-conf.json.j2 deleted file mode 100644 index 2c1f44a..0000000 --- a/ansible/roles/authelia-for-gitlab/templates/authelia-client-conf.json.j2 +++ /dev/null @@ -1,17 +0,0 @@ -{ - "id": "{{var_authelia_for_gitlab_client_id}}", - "description": "GitLab", - "secret": "{{var_authelia_for_gitlab_client_secret}}", - "public": false, - "authorization_policy": "one_factor", - "redirect_uris": [ - "{{var_authelia_for_gitlab_gitlab_url_base}}/users/auth/openid_connect/callback - ], - "scopes": [ - "openid", - "profile" - "groups", - "email" - ], - "userinfo_signing_algorithm": "none" -}