From a947c4900e186cfa87ad6f190b6c0e8235db3492 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Mon, 11 Dec 2023 02:43:58 +0100
Subject: [PATCH] [mod] role:authelia
---
 ansible/roles/authelia/defaults/main.json | 8 ++-
 ansible/roles/authelia/info.md | 7 ++
 ansible/roles/authelia/tasks/main.json | 66 ++++++++++++++++---
 .../{config.yml.j2 => configuration.yml.j2} | 23 +++++-
 ansible/roles/authelia/templates/users.yml.j2 | 6 ++
 5 files changed, 93 insertions(+), 17 deletions(-)
 rename ansible/roles/authelia/templates/{config.yml.j2 => configuration.yml.j2} (84%)
 create mode 100644 ansible/roles/authelia/templates/users.yml.j2
diff --git a/ansible/roles/authelia/defaults/main.json b/ansible/roles/authelia/defaults/main.json
index fa6cc83..a287d47 100644
--- a/ansible/roles/authelia/defaults/main.json
+++ b/ansible/roles/authelia/defaults/main.json
@@ -1,18 +1,20 @@
 {
 "var_authelia_listen_address": "0.0.0.0",
 "var_authelia_jwt_secret": "authelia_jwt_secret",
- "var_authelia_users_file_path": "/var/authelia/users.json",
+ "var_authelia_users_file_path": "/var/authelia/users.yml",
+ "var_authelia_log_file_path": "/var/log/authelia.log",
 "var_authelia_session_domain": "example.org",
 "var_authelia_session_secret": "session_secret",
 "var_authelia_storage_path": "/var/authelia/state.db",
 "var_authelia_storage_encryption_key": "storage_encryption_key",
 "var_authelia_ntp_server": "time.cloudflare.com:123",
- "var_authelia_notification_mode": "email",
+ "var_authelia_notification_mode": "smtp",
+ "var_authelia_notification_file_path": "/var/authelia/notifications",
 "var_authelia_notification_smtp_host": "smtp.example.org",
 "var_authelia_notification_smtp_port": "465",
 "var_authelia_notification_smtp_username": "authelia",
 "var_authelia_notification_smtp_username": "smtp_password",
 "var_authelia_notification_smtp_sender": "Authelia",
 "var_authelia_notification_smtp_sender": "Authelia",
- "var_authelia_oidc_hmac_secret": "oidc_hmac_secret",
+ "var_authelia_oidc_hmac_secret": "oidc_hmac_secret"
 }
diff --git a/ansible/roles/authelia/info.md b/ansible/roles/authelia/info.md
index 94653fd..a980bea 100644
--- a/ansible/roles/authelia/info.md
+++ b/ansible/roles/authelia/info.md
@@ -4,3 +4,10 @@
 - [GitHub-Seite](https://github.com/authelia/authelia)
 - [Installations-Anleitung](https://www.authelia.com/integration/deployment/bare-metal/)
 - [Dokumentation | Konfiguration](https://www.authelia.com/configuration/)
+
+
+## ToDo
+
+- Dummy-Client los werden
+- Dummy-Nutzer los werden
+
diff --git a/ansible/roles/authelia/tasks/main.json b/ansible/roles/authelia/tasks/main.json
index 5b78ea0..faecaf0 100644
--- a/ansible/roles/authelia/tasks/main.json
+++ b/ansible/roles/authelia/tasks/main.json
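Review bot: Two keys are still duplicated in the file after this change: `"var_authelia_notification_smtp_username"` appears twice (the second time with the value `"smtp_password"`) and `"var_authelia_notification_smtp_sender"` appears twice. Most JSON parsers keep the last occurrence, so the username default silently becomes `smtp_password` and no password default exists at all; the second username line was presumably meant to be `"var_authelia_notification_smtp_password": "smtp_password",` and one of the two sender lines should go. The placeholder values for `var_authelia_jwt_secret`, `var_authelia_session_secret`, `var_authelia_storage_encryption_key` and `var_authelia_oidc_hmac_secret` are acceptable as defaults, but nothing stops a host from being deployed with them unchanged; an `ansible.builtin.assert` task in the role that fails when any of them still equals its default value would catch that before the configuration is written.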
@@ -1,36 +1,86 @@
 [
 {
- "name": "invoke package repository",
+"when": false,
+ "name": "prepare package installation 1",
+ "become": true,
+ "ansible.builtin.apt": {
+ "pkg": [
+ "apt-transport-https",
+ "gpg"
+ ]
+ }
+ },
+ {
+"when": false,
+ "name": "prepare package installation 2",
+ "become": true,
+ "ansible.builtin.apt_key": {
+ "url": "https://apt.authelia.com/organization/signing.asc"
+ }
+ },
+ {
+"when": false,
+ "name": "prepare package installation 3",
 "become": true,
 "ansible.builtin.apt_repository": {
 "repo": "deb https://apt.authelia.com/stable/debian/debian/ all main"
 }
+ },
 {
+"when": false,
 "name": "install packages",
 "become": true,
 "ansible.builtin.apt": {
- "pgk": [
+ "update_cache": true,
+ "pkg": [
+ "openssl",
+ "python3-cryptography",
 "authelia"
 ]
 }
 },
 {
 "name": "generate private key for signing OIDC JWTs",
- "beccome": true,
+ "become": true,
 "community.crypto.openssl_privatekey": {
 "type": "RSA",
 "size": 4096,
- "path": "/dev/null",
+ "path": "/etc/ssl/private/authelia-key.pem",
 "return_content": true
- }
+ },
+ "register": "temp_tls_result"
 },
 {
 "name": "emplace configuration",
 "become": true,
 "ansible.builtin.template": {
- "src": "config.yml.j2",
- "dest": "/etc/authelia/config.yml"
+ "src": "configuration.yml.j2",
+ "dest": "/etc/authelia/configuration.yml"
+ }
+ },
+ {
+ "name": "setup log directory",
+ "become": true,
+ "ansible.builtin.file": {
+ "state": "directory",
+ "path": "{{var_authelia_log_file_path | dirname}}"
+ }
+ },
+ {
+ "name": "setup users directory",
+ "become": true,
+ "ansible.builtin.file": {
+ "state": "directory",
+ "path": "{{var_authelia_users_file_path | dirname}}"
+ }
+ },
+ {
+ "name": "place dummy user file",
+ "become": true,
+ "ansible.builtin.template": {
+ "src": "users.yml.j2",
+ "path": "{{var_authelia_users_file_path}}"
 }
 },
 {
@@ -39,6 +89,6 @@
 "ansible.builtin.systemd_service": {
 "state": "restarted",
 "name": "authelia"
- }
+ }
 }
 ]
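Review bot: The `generate private key for signing OIDC JWTs` task registers its result as `temp_tls_result` with `return_content: true` but sets no `no_log`, so the PEM private key becomes part of the task result and is printed in verbose runs, passed to callbacks and written to any Ansible log; add `"no_log": true` to that task. The `emplace configuration` task renders a file that carries every secret in the role (JWT, session and storage keys, the SMTP password, the OIDC HMAC secret and that private key) but sets no `mode`, so the file is created with the target's default umask, typically world-readable; add `"mode": "0600"` plus `owner`/`group` matching the account the service runs as, and do the same for the `place dummy user file` task, whose output holds password hashes. That last task also passes its destination as `"path"` while the earlier template task uses `"dest"`; as far as I know `ansible.builtin.template` accepts only `dest`, so the task would fail at runtime — change it to `"dest": "{{var_authelia_users_file_path}}"`. The four `"when": false` lines (written at column 0, unlike every other key) skip the repository setup and the `install packages` task entirely, so on a fresh host neither `authelia` nor `python3-cryptography`, which `community.crypto.openssl_privatekey` needs on the target, gets installed; if this is a temporary switch it should be a role variable rather than a literal, and indented with its siblings.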
diff --git a/ansible/roles/authelia/templates/config.yml.j2 b/ansible/roles/authelia/templates/configuration.yml.j2
similarity index 84%
rename from ansible/roles/authelia/templates/config.yml.j2
rename to ansible/roles/authelia/templates/configuration.yml.j2
index 6e0ee36..8fc19ad 100644
--- a/ansible/roles/authelia/templates/config.yml.j2
+++ b/ansible/roles/authelia/templates/configuration.yml.j2
@@ -11,14 +11,14 @@ server:
 log:
 level: info
 format: json
- file_path: /var/log/authelia.log
+ file_path: {{var_authelia_log_file_path}}
 keep_stdout: false
 telemetry:
 metrics:
 enabled: false
 address: tcp://0.0.0.0:9959
 totp:
- disable: true
+ disable: false
 issuer: authelia.com
 algorithm: sha1
 digits: 6
@@ -106,8 +106,11 @@ storage:
 path: "{{var_authelia_storage_path}}"
 notifier:
 disable_startup_check: true
- # filesystem:
- # filename: /config/notification.txt
+{% if var_authelia_notification_mode == "file" %}
+ filesystem:
+ filename: {{var_authelia_notification_file_path}}
+{% endif %}
+{% if var_authelia_notification_mode == "smtp" %}
 smtp:
 host: "{{var_authelia_notification_smtp_host}}"
 port: {{var_authelia_notification_smtp_port}}
@@ -118,13 +121,21 @@ notifier:
 disable_html_emails: false
 tls:
 skip_verify: false
+{% endif %}
 identity_providers:
 oidc:
 hmac_secret: "{{var_authelia_oidc_hmac_secret}}"
 issuer_private_key: |
- {{privatekey}}
+{% filter indent(width=6) %}
+ {{temp_tls_result.privatekey}}
+{% endfilter %}
 cors:
 allowed_origins_from_client_redirect_uris: true
- clients: []
+ clients:
+ -
+ public: false
+ id: "dummy"
+ secret: "d1424b378e4fbbc153f330f33b74ab192525b98cc2dd58b2e8d01c2737be00c6"
+ redirect_uris: []
 ...
diff --git a/ansible/roles/authelia/templates/users.yml.j2 b/ansible/roles/authelia/templates/users.yml.j2
new file mode 100644
index 0000000..eea8164
--- /dev/null
+++ b/ansible/roles/authelia/templates/users.yml.j2
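Review bot: The two `{% if %}` guards in the notifier hunk cover only `file` and `smtp`, so an inventory that still sets the previous default `var_authelia_notification_mode: email` (the value this commit replaces in `defaults/main.json`) renders a `notifier:` block containing nothing but `disable_startup_check: true`, which Authelia will presumably reject when it validates the configuration at startup. An `ansible.builtin.assert` task checking `var_authelia_notification_mode in ['file', 'smtp']` before the template task would surface the stale value at deploy time with a clear message. The `smtp` branch is closed by the `{% endif %}` in the following hunk. `filename: {{var_authelia_notification_file_path}}` is rendered unquoted while the neighbouring `host:` and `path:` values wrap their variables in double quotes; quoting it the same way keeps a path containing `:` or `#` from being mis-parsed as YAML.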
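Review bot: The new `clients` entry embeds a confidential client's `secret` as a literal in a template committed to the repository, so the same credential is deployed to every host and remains in version history; while the dummy client exists (the `info.md` change lists its removal as a ToDo) the value belongs in a role variable such as `var_authelia_oidc_dummy_client_secret` (name constructed here), and as far as I recall Authelia's documentation prefers client secrets stored as password hashes rather than plaintext, which is worth checking against the deployed version. With `redirect_uris: []` the client cannot complete an authorization-code flow, which limits the exposure but still leaves a known credential configured. The `{% filter indent(width=6) %}` block relies on Jinja's default `first=False`, so only the second and later lines of the PEM receive six spaces and the first line's indentation is whatever the template line literally carries; `{{ temp_tls_result.privatekey | indent(6) }}` on the key line expresses the same thing without the block and keeps that dependency visible in one place.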
@@ -0,0 +1,6 @@
+users:
+ _dummy:
+ displayname: "(Dummy)"
+ password: "$argon2id$v=19$m=65536,t=3,p=4$sHIRjFaYRz2U3F8wHnqecQ$lwnQtHNeFqgLaLSW8It7KJSHNOJoSeF+RF7lwgM7WRA"
+ email: "dummy@nowhere.org"
+ groups: []
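Review bot: The file installs a permanent `_dummy` login on every host, with a committed argon2id hash and an address at `nowhere.org`, a domain the role does not control; the `info.md` change lists removing it as a ToDo, but until then the account should at least be inert, for example by adding `disabled: true` to the entry if the deployed Authelia version supports the per-user flag, or by rendering the entry only when a role variable explicitly opts in. For the placeholder address, an RFC 2606 reserved domain such as `example.org`, which `defaults/main.json` already uses for `var_authelia_session_domain`, avoids notification mail or lookups reaching a real domain. The task that writes this file lives in `tasks/main.json` outside this hunk and currently sets no file mode, so the hash is readable by every local account unless the default umask is restrictive.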