From e4c3b3a287f4d91328e9fa76643bd5141bbe1416 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Mon, 24 Jun 2024 20:19:04 +0200 Subject: [PATCH 01/51] [int] --- roles/element-and-nginx/defaults/main.json | 3 +- roles/element-and-nginx/templates/conf.j2 | 23 +++++++-- roles/gitlab-and-nginx/defaults/main.json | 5 +- roles/gitlab-and-nginx/templates/conf.j2 | 56 ++++++++++++---------- 4 files changed, 56 insertions(+), 31 deletions(-) diff --git a/roles/element-and-nginx/defaults/main.json b/roles/element-and-nginx/defaults/main.json index c7db00b..64929d1 100644 --- a/roles/element-and-nginx/defaults/main.json +++ b/roles/element-and-nginx/defaults/main.json @@ -1,4 +1,5 @@ { "var_element_and_nginx_domain": "element.example.org", - "var_element_and_nginx_path": "/opt/element" + "var_element_and_nginx_path": "/opt/element", + "var_element_and_nginx_tls": "enable" } diff --git a/roles/element-and-nginx/templates/conf.j2 b/roles/element-and-nginx/templates/conf.j2 index 08330a6..bc9c035 100644 --- a/roles/element-and-nginx/templates/conf.j2 +++ b/roles/element-and-nginx/templates/conf.j2 @@ -1,14 +1,31 @@ +boilerplate element { + root {{var_element_and_nginx_path}}; +} + server { + server_name {{var_element_and_nginx_domain}}; + listen 80; listen [::]:80; + +{% if (var_element_and_nginx_tls == "force") %} + return 301 https://$http_host$request_uri; +{% else %} + invoke element; +{% endif %} +} + +{% if (var_element_and_nginx_tls != "disable") %} +server { + server_name {{var_element_and_nginx_domain}}; + listen 443 ssl; listen [::]:443 ssl; - server_name {{var_element_and_nginx_domain}}; - ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - root {{var_element_and_nginx_path}}; + invoke element; } +{% endif %} 
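Review bot: `boilerplate element { … }` and `invoke element;` in the rewritten element conf.j2 are not nginx directives, so the rendered site file fails `nginx -t` and the `restart nginx` step would take every site on the host down; the gitlab-and-nginx hunks of this same patch (`boilerplate gitlab_common`, `invoke gitlab_common;`) have the same problem, and the `{% macro %}` form introduced for element in patch 04 is the working shape. Separately, with the new default `"var_element_and_nginx_tls": "enable"` the port-80 server renders `invoke element;` rather than a redirect, so the Element web client (which keeps Matrix access tokens in browser storage) is served over cleartext whenever TLS is merely "enabled"; the gitlab-and-nginx port-80 block in this patch and the element template in patch 04 behave the same way. If a dual-mode is really wanted, make the mode explicit in a comment (`# "enable": serve the same app on 80 and 443 without redirect`); otherwise treat "enable" as "force" for the port-80 block.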
diff --git a/roles/gitlab-and-nginx/defaults/main.json b/roles/gitlab-and-nginx/defaults/main.json index 6bffbd7..c51d108 100644 --- a/roles/gitlab-and-nginx/defaults/main.json +++ b/roles/gitlab-and-nginx/defaults/main.json @@ -1,4 +1,5 @@ { - "var_gitlab_and_nginx_domain": "element.example.org", - "var_gitlab_and_nginx_path": "/opt/element" + "var_gitlab_and_nginx_domain": "gitlab.example.org", + "var_gitlab_and_nginx_path": "/opt/gitlab", + "var_gitlab_and_nginx_tls": "enable" } diff --git a/roles/gitlab-and-nginx/templates/conf.j2 b/roles/gitlab-and-nginx/templates/conf.j2 index 4208162..1033ae6 100644 --- a/roles/gitlab-and-nginx/templates/conf.j2 +++ b/roles/gitlab-and-nginx/templates/conf.j2 @@ -29,34 +29,11 @@ map $http_referer $gitlab_ssl_filtered_http_referer { ~^(?.*)\? $temp; } -server { - listen 80 default_server; - listen [::]:80 ipv6only=on default_server; - - server_name {{var_gitlab_and_nginx_domain}}; - server_tokens off; - - return 301 https://$http_host$request_uri; - - access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; - error_log /var/log/nginx/gitlab_error.log; -} - -server { - listen 0.0.0.0:443 ssl http2; - listen [::]:443 ipv6only=on ssl http2 default_server; - - server_name {{var_gitlab_and_nginx_domain}}; - server_tokens off; - - ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem; - ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem; - include /etc/nginx/ssl-hardening.conf; - +boilerplate gitlab_common { real_ip_header X-Real-IP; real_ip_recursive off; - access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; + access_log /var/log/nginx/gitlab_access.log;# gitlab_ssl_access; error_log /var/log/nginx/gitlab_error.log; location / { 
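Review bot: `access_log /var/log/nginx/gitlab_access.log;# gitlab_ssl_access;` silently drops the custom `gitlab_ssl_access` log format (the `map $http_referer $gitlab_ssl_filtered_http_referer` block in the context above exists to feed it), so the access log loses whatever fields that format records — a logging regression hidden as a comment. If the format was commented out because it is not resolvable where `boilerplate gitlab_common` is expanded, say so in a comment; otherwise restore `access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;`. The enclosing block continues past the end of the hunk.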
@@ -92,3 +69,32 @@ server { } } +server { + server_name {{var_gitlab_and_nginx_domain}}; + server_tokens off; + + listen 80 default_server; + listen [::]:80 ipv6only=on default_server; + +{% if (var_gitlab_and_nginx_tls == "force") %} + return 301 https://$http_host$request_uri; +{% else %} + invoke gitlab_common; +{% endif %} +} + +{% if (var_gitlab_and_nginx_tls != "disable") %} +server { + server_name {{var_gitlab_and_nginx_domain}}; + server_tokens off; + + listen 0.0.0.0:443 ssl http2; + listen [::]:443 ipv6only=on ssl http2 default_server; + + ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem; + ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; + + invoke gitlab_common; +} +{% endif %} From 82e9f8e806ba96654a3c2985a7c9f47d2ecb0b94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 25 Jun 2024 11:32:36 +0200 Subject: [PATCH 02/51] [mod] role:tlscert_existing:remove var for ssl-path and unify domain vars --- roles/tlscert_existing/defaults/main.json | 6 ++---- roles/tlscert_existing/tasks/main.json | 16 ++++++++-------- 2 files changed, 10 insertions(+), 12 deletions(-) diff --git a/roles/tlscert_existing/defaults/main.json b/roles/tlscert_existing/defaults/main.json index 66473bb..b47e0a2 100644 --- a/roles/tlscert_existing/defaults/main.json +++ b/roles/tlscert_existing/defaults/main.json @@ -1,8 +1,6 @@ { + "var_tlscert_existing_domain": "foo.example.org", "var_tlscert_existing_key_path": "/tmp/key.pem", "var_tlscert_existing_cert_path": "/tmp/cert.pem", - "var_tlscert_existing_fullchain_path": "/tmp/fullchain.pem", - "var_tlscert_existing_domain_base": "example.org", - "var_tlscert_existing_domain_path": "foo", - "var_tlscert_existing_ssl_directory": "/etc/ssl" + "var_tlscert_existing_fullchain_path": "/tmp/fullchain.pem" } diff --git a/roles/tlscert_existing/tasks/main.json b/roles/tlscert_existing/tasks/main.json index 28ebd49..bc4354a 100644 
--- a/roles/tlscert_existing/tasks/main.json +++ b/roles/tlscert_existing/tasks/main.json @@ -3,10 +3,10 @@ "name": "directories", "become": true, "loop": [ - "{{var_tlscert_existing_ssl_directory}}/private", - "{{var_tlscert_existing_ssl_directory}}/csr", - "{{var_tlscert_existing_ssl_directory}}/certs", - "{{var_tlscert_existing_ssl_directory}}/fullchains" + "/etc/ssl/private", + "/etc/ssl/csr", + "/etc/ssl/certs", + "/etc/ssl/fullchains" ], "ansible.builtin.file": { "state": "directory", @@ -18,7 +18,7 @@ "become": true, "ansible.builtin.copy": { "src": "{{var_tlscert_existing_key_path}}", - "dest": "{{var_tlscert_existing_ssl_directory}}/private/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem" + "dest": "/etc/ssl/private/{{var_tlscert_existing_domain}}.pem" } }, { @@ -26,7 +26,7 @@ "become": true, "ansible.builtin.copy": { "src": "{{var_tlscert_existing_cert_path}}", - "dest": "{{var_tlscert_existing_ssl_directory}}/certs/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem" + "dest": "/etc/ssl/certs/{{var_tlscert_existing_domain}}.pem" } }, { @@ -35,7 +35,7 @@ "become": true, "ansible.builtin.copy": { "src": "{{var_tlscert_existing_fullchain_path}}", - "dest": "{{var_tlscert_existing_ssl_directory}}/fullchains/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem" + "dest": "/etc/ssl/fullchains/{{var_tlscert_existing_domain}}.pem" } }, { @@ -43,7 +43,7 @@ "when": "var_tlscert_existing_fullchain_path == None", "become": true, "ansible.builtin.shell": { - "cmd": "cat {{var_tlscert_existing_ssl_directory}}/certs/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem > {{var_tlscert_existing_ssl_directory}}/fullchains/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem" + "cmd": "cat /etc/ssl/certs/{{var_tlscert_existing_domain}}.pem > /etc/ssl/fullchains/{{var_tlscert_existing_domain}}.pem" } } ] 
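Review bot: The copy task whose `dest` becomes `/etc/ssl/private/{{var_tlscert_existing_domain}}.pem` (hunk `@@ -18,7 +18,7 @@`) sets no `mode` or `owner`, so `ansible.builtin.copy` creates the private key with the remote default umask, typically world-readable 0644. Add `"mode": "0600"` and `"owner": "root"` to that task, and confirm the `directories` task in the first hunk (its `ansible.builtin.file` parameters continue past the visible context) restricts `/etc/ssl/private` — the `setup directories` hunk of the selfsigned role in patch 03 has the same shape. The `cat … > …` shell command in the last hunk can be `ansible.builtin.copy` with `"remote_src": true`, which avoids shell interpolation of the domain and lets the mode be set explicitly.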
From c997a202760c413d8a7d9d087e6d963604624954 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 25 Jun 2024 11:33:12 +0200 Subject: [PATCH 03/51] [mod] role:tlscert_selfsigned:remove var for ssl-path and unify domain vars --- roles/tlscert_selfsigned/defaults/main.json | 4 +--- roles/tlscert_selfsigned/tasks/main.json | 26 ++++++++++----------- 2 files changed, 14 insertions(+), 16 deletions(-) diff --git a/roles/tlscert_selfsigned/defaults/main.json b/roles/tlscert_selfsigned/defaults/main.json index 23e7808..06c1a9a 100644 --- a/roles/tlscert_selfsigned/defaults/main.json +++ b/roles/tlscert_selfsigned/defaults/main.json @@ -1,5 +1,3 @@ { - "var_tlscert_selfsigned_domain_base": "example.org", - "var_tlscert_selfsigned_domain_path": "foo", - "var_tlscert_selfsigned_ssl_directory": "/etc/ssl" + "var_tlscert_selfsigned_domain": "foo.example.org" } diff --git a/roles/tlscert_selfsigned/tasks/main.json b/roles/tlscert_selfsigned/tasks/main.json index 5b816f3..bed8255 100644 --- a/roles/tlscert_selfsigned/tasks/main.json +++ b/roles/tlscert_selfsigned/tasks/main.json @@ -14,10 +14,10 @@ "name": "setup directories", "become": true, "loop": [ - "{{var_tlscert_selfsigned_ssl_directory}}/private", - "{{var_tlscert_selfsigned_ssl_directory}}/csr", - "{{var_tlscert_selfsigned_ssl_directory}}/certs", - "{{var_tlscert_selfsigned_ssl_directory}}/fullchains" + "/etc/ssl/private", + "/etc/ssl/csr", + "/etc/ssl/certs", + "/etc/ssl/fullchains" ], "ansible.builtin.file": { "state": "directory", 
@@ -28,19 +28,19 @@ "name": "csr | generate private key", "become": true, "community.crypto.openssl_privatekey": { - "path": "{{var_tlscert_selfsigned_ssl_directory}}/private/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem" + "path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem" } }, { "name": "csr | execute", "become": true, "community.crypto.openssl_csr": { - "privatekey_path": "{{var_tlscert_selfsigned_ssl_directory}}/private/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem", - "common_name": "{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}", + "privatekey_path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem", + "common_name": "{{var_tlscert_selfsigned_domain}}", "subject_alt_name": [ - "DNS:{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}" + "DNS:{{var_tlscert_selfsigned_domain}}" ], - "path": "{{var_tlscert_selfsigned_ssl_directory}}/csr/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem" + "path": "/etc/ssl/csr/{{var_tlscert_selfsigned_domain}}.pem" }, "register": "temp_csr" }, 
@@ -48,17 +48,17 @@ "name": "generate certificate", "become": true, "community.crypto.x509_certificate": { - "privatekey_path": "{{var_tlscert_selfsigned_ssl_directory}}/private/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem", - "csr_path": "{{var_tlscert_selfsigned_ssl_directory}}/csr/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem", + "privatekey_path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem", + "csr_path": "/etc/ssl/csr/{{var_tlscert_selfsigned_domain}}.pem", "provider": "selfsigned", - "path": "{{var_tlscert_selfsigned_ssl_directory}}/certs/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem" + "path": "/etc/ssl/certs/{{var_tlscert_selfsigned_domain}}.pem" } }, { "name": "compose fullchain", "become": true, "ansible.builtin.shell": { - "cmd": "cat {{var_tlscert_selfsigned_ssl_directory}}/certs/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem > {{var_tlscert_selfsigned_ssl_directory}}/fullchains/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem" + "cmd": "cat /etc/ssl/certs/{{var_tlscert_selfsigned_domain}}.pem > /etc/ssl/fullchains/{{var_tlscert_selfsigned_domain}}.pem" } } ] From 1bf66c5c23348bf8ed652866d602a2c8ca928a30 Mon Sep 17 00:00:00 2001 
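Review bot: The `generate certificate` task (`community.crypto.x509_certificate`, provider `selfsigned`) sets no `selfsigned_not_after`, so the certificate is issued with the module default of `+3650d`; a ten-year self-signed certificate that the `-and-nginx` roles then serve makes rotation easy to forget and is longer than browsers accept. Consider `"selfsigned_not_after": "+365d"` next to `"provider": "selfsigned"`. The `compose fullchain` shell task in the same hunk can be `ansible.builtin.copy` with `"remote_src": true` instead of `cat`, as the fullchain for a self-signed certificate is just the certificate itself.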
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 25 Jun 2024 11:42:01 +0200 Subject: [PATCH 04/51] =?UTF-8?q?[mod]=20role:element-and-nginx:Abh=C3=A4n?= =?UTF-8?q?gigkeiten=20nutzen=20und=20TLS-Schalter=20einbauen?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/element-and-nginx/defaults/main.json | 12 +++- roles/element-and-nginx/meta/main.json | 32 +++++++++++ roles/element-and-nginx/templates/conf.j2 | 13 ++--- roles/element-and-nginx/vardef.json | 64 ++++++++++++++++++++++ 4 files changed, 113 insertions(+), 8 deletions(-) create mode 100644 roles/element-and-nginx/meta/main.json create mode 100644 roles/element-and-nginx/vardef.json diff --git a/roles/element-and-nginx/defaults/main.json b/roles/element-and-nginx/defaults/main.json index 64929d1..aa43d9e 100644 --- a/roles/element-and-nginx/defaults/main.json +++ b/roles/element-and-nginx/defaults/main.json @@ -1,5 +1,15 @@ { "var_element_and_nginx_domain": "element.example.org", "var_element_and_nginx_path": "/opt/element", - "var_element_and_nginx_tls": "enable" + "var_element_and_nginx_element_version": "v1.11.47", + "var_element_and_nginx_element_matrix_baseurl": "https://matrix.example.org", + "var_element_and_nginx_element_server_name": "example" + "var_element_and_nginx_tls_mode": "disable", + "var_element_and_nginx_tls_cert_kind": "none", + "var_element_and_nginx_tls_cert_data_existing_key_path": "/tmp/key.pem", + "var_element_and_nginx_tls_cert_data_existing_cert_path": "/tmp/cert.pem", + "var_element_and_nginx_tls_cert_data_existing_fullchain_path": "/tmp/fullchain.pem", + "var_element_and_nginx_tls_cert_data_acme_inwx_acme_account_email": "REPLACE_ME", + "var_element_and_nginx_tls_cert_data_acme_inwx_inwx_account_username": "REPLACE_ME", + "var_element_and_nginx_tls_cert_data_acme_inwx_inwx_account_password": "REPLACE_ME" } 
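Review bot: The new defaults block is not valid JSON — `"var_element_and_nginx_element_server_name": "example"` is immediately followed by `"var_element_and_nginx_tls_mode": "disable",` with no comma between them, so Ansible will fail to load the role's defaults. Change the line to `"var_element_and_nginx_element_server_name": "example",`. The same hunk also changes the TLS default from "enable" to "disable" (now under the renamed key `var_element_and_nginx_tls_mode`); if that is intentional, the commit message should mention it, since it changes the rendered nginx configuration for existing users.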
diff --git a/roles/element-and-nginx/meta/main.json b/roles/element-and-nginx/meta/main.json new file mode 100644 index 0000000..3b5f228 --- /dev/null +++ b/roles/element-and-nginx/meta/main.json @@ -0,0 +1,32 @@ +{ + "dependencies": [ + { + "role": "element", + "var_element_version": "{{var_element_and_nginx_element_version}}", + "var_element_path": "{{var_element_and_nginx_path}}", + "var_element_matrix_baseurl": "{{var_element_and_nginx_element_matrix_baseurl}}", + "var_element_server_name": "{{var_element_and_nginx_element_server_name}}" + }, + { + "when": "var_element_and_nginx_tls_cert_kind == 'existing'", + "role": "tlscert_existing", + "var_tlscert_existing_domain": "{{var_element_and_nginx_domain}}", + "var_tlscert_existing_key_path": "{{var_element_and_nginx_tls_cert_data_existing_key_path}}", + "var_tlscert_existing_cert_path": "{{var_element_and_nginx_tls_cert_data_existing_cert_path}}", + "var_tlscert_existing_fullchain_path": "{{var_element_and_nginx_tls_cert_data_existing_fullchain_path}}" + }, + { + "when": "var_element_and_nginx_tls_cert_kind == 'selfsigned'", + "role": "tlscert_selfsigned", + "var_tlscert_selfsigned": "{{var_element_and_nginx_domain}}" + }, + { + "when": "var_element_and_nginx_tls_cert_kind == 'acme_inwx'", + "role": "tlscert_acme_inwx", + "var_tlscert_acme_inwx_domain": "{{var_element_and_nginx_domain}}", + "var_tlscert_acme_inwx_acme_account_email": "{{var_element_and_nginx_tls_cert_data_acme_inwx_acme_account_email}}", + "var_tlscert_acme_inwx_inwx_account_username": "{{var_element_and_nginx_tls_cert_data_acme_inwx_inwx_account_username}}", + "var_tlscert_acme_inwx_inwx_account_password": "{{var_element_and_nginx_tls_cert_data_acme_inwx_inwx_account_password}}" + } + ] +} diff --git a/roles/element-and-nginx/templates/conf.j2 b/roles/element-and-nginx/templates/conf.j2 index bc9c035..6df3e18 100644 --- a/roles/element-and-nginx/templates/conf.j2 +++ b/roles/element-and-nginx/templates/conf.j2 
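Review bot: The `tlscert_selfsigned` dependency passes `"var_tlscert_selfsigned": "{{var_element_and_nginx_domain}}"`, but that role (patch 03) reads `var_tlscert_selfsigned_domain`, so it would fall back to its default `foo.example.org` and write key and certificate under a different name than the element template references — nginx then fails on the missing `/etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem`. Change the key to `"var_tlscert_selfsigned_domain": "{{var_element_and_nginx_domain}}"`. The `tlscert_existing` and `tlscert_acme_inwx` entries use the `_domain` suffix correctly, which makes this look like a typo.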
@@ -1,21 +1,20 @@ -boilerplate element { +{% macro element_common() %} root {{var_element_and_nginx_path}}; -} - +{% endmacro %} server { server_name {{var_element_and_nginx_domain}}; listen 80; listen [::]:80; -{% if (var_element_and_nginx_tls == "force") %} +{% if (var_element_and_nginx_tls_mode == "force") %} return 301 https://$http_host$request_uri; {% else %} - invoke element; + {{ element_common() }} {% endif %} } +{% if (var_element_and_nginx_tls_mode != "disable") %} -{% if (var_element_and_nginx_tls != "disable") %} server { server_name {{var_element_and_nginx_domain}}; @@ -26,6 +25,6 @@ server { ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - invoke element; + {{ element_common() }} } {% endif %} diff --git a/roles/element-and-nginx/vardef.json b/roles/element-and-nginx/vardef.json new file mode 100644 index 0000000..a51eccf --- /dev/null +++ b/roles/element-and-nginx/vardef.json 
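Review bot: When `var_element_and_nginx_tls_mode` is "enable" or "force" but `var_element_and_nginx_tls_cert_kind` stays at its default "none", the block under `{% if (var_element_and_nginx_tls_mode != "disable") %}` still references `/etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem` and `/etc/ssl/private/{{var_element_and_nginx_domain}}.pem`, which none of the conditional dependencies in meta/main.json creates, so nginx refuses to start. Either extend the condition to also require a certificate kind, or add an `ansible.builtin.assert` in the role's tasks that fails when `tls_mode != 'disable'` and `tls_cert_kind == 'none'`. The second `server` block starts outside the second hunk, so its `listen`/`ssl_certificate` lines are not visible here.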
@@ -0,0 +1,64 @@ +{ + "domain": { + "type": "string", + "mandatory": false + }, + "path": { + "type": "string", + "mandatory": false + }, + "element_version": { + "type": "string", + "mandatory": false + }, + "element_matrix_baseurl": { + "type": "string", + "mandatory": false + }, + "element_server_name": { + "type": "string", + "mandatory": false + }, + "tls_mode": { + "type": "string", + "options": [ + "disable", + "enable", + "force" + ], + "mandatory": false + }, + "tls_cert_kind": { + "type": "string", + "options": [ + "none", + "selfsigned", + "acme_inwx" + ], + "mandatory": false + }, + "tls_cert_data_existing_key_path": { + "type": "string", + "mandatory": false + }, + "tls_cert_data_existing_cert_path": { + "type": "string", + "mandatory": false + }, + "tls_cert_data_existing_fullchain_path": { + "type": "string", + "mandatory": false + }, + "tls_cert_data_acme_inwx_acme_account_email": { + "type": "string", + "mandatory": false + }, + "tls_cert_data_acme_inwx_inwx_account_username": { + "type": "string", + "mandatory": false + }, + "tls_cert_data_acme_inwx_inwx_account_password": { + "type": "string", + "mandatory": false + } +} From a3509ca37b63cec09d92625c679046868a7b5bff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 25 Jun 2024 11:44:29 +0200 Subject: [PATCH 05/51] [int] --- roles/gitlab-and-nginx/defaults/main.json | 5 +- roles/gitlab-and-nginx/templates/conf.j2 | 56 ++++++++++------------- 2 files changed, 27 insertions(+), 34 deletions(-) diff --git a/roles/gitlab-and-nginx/defaults/main.json b/roles/gitlab-and-nginx/defaults/main.json index c51d108..6bffbd7 100644 --- a/roles/gitlab-and-nginx/defaults/main.json +++ b/roles/gitlab-and-nginx/defaults/main.json @@ -1,5 +1,4 @@ { - "var_gitlab_and_nginx_domain": "gitlab.example.org", - "var_gitlab_and_nginx_path": "/opt/gitlab", - "var_gitlab_and_nginx_tls": "enable" + "var_gitlab_and_nginx_domain": "element.example.org", + "var_gitlab_and_nginx_path": "/opt/element" } 
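Review bot: The `tls_cert_kind` option list ("none", "selfsigned", "acme_inwx") omits "existing", although meta/main.json has a `when: var_element_and_nginx_tls_cert_kind == 'existing'` dependency and the `tls_cert_data_existing_*` entries in this same file exist only for that case. Add `"existing"` to the options so validation does not reject the one value those variables are meant for. Every entry is `"mandatory": false`, including the acme credentials; if the vardef is checked at run time, the credentials belonging to the selected `tls_cert_kind` should arguably be required — inferred from the field names, confirm.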
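Review bot: This revert puts `"var_gitlab_and_nginx_domain": "element.example.org"` and `"var_gitlab_and_nginx_path": "/opt/element"` back into the gitlab-and-nginx role, so the copy-paste fix from patch 01 is lost even though the conf.j2 revert in the same patch does not depend on it. Keep the corrected values (`"gitlab.example.org"`, `"/opt/gitlab"`) and drop only the `var_gitlab_and_nginx_tls` key.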
diff --git a/roles/gitlab-and-nginx/templates/conf.j2 b/roles/gitlab-and-nginx/templates/conf.j2 index 1033ae6..4208162 100644 --- a/roles/gitlab-and-nginx/templates/conf.j2 +++ b/roles/gitlab-and-nginx/templates/conf.j2 @@ -29,11 +29,34 @@ map $http_referer $gitlab_ssl_filtered_http_referer { ~^(?.*)\? $temp; } -boilerplate gitlab_common { +server { + listen 80 default_server; + listen [::]:80 ipv6only=on default_server; + + server_name {{var_gitlab_and_nginx_domain}}; + server_tokens off; + + return 301 https://$http_host$request_uri; + + access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; + error_log /var/log/nginx/gitlab_error.log; +} + +server { + listen 0.0.0.0:443 ssl http2; + listen [::]:443 ipv6only=on ssl http2 default_server; + + server_name {{var_gitlab_and_nginx_domain}}; + server_tokens off; + + ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem; + ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; + real_ip_header X-Real-IP; real_ip_recursive off; - access_log /var/log/nginx/gitlab_access.log;# gitlab_ssl_access; + access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; error_log /var/log/nginx/gitlab_error.log; location / { 
@@ -69,32 +92,3 @@ boilerplate gitlab_common { } } -server { - server_name {{var_gitlab_and_nginx_domain}}; - server_tokens off; - - listen 80 default_server; - listen [::]:80 ipv6only=on default_server; - -{% if (var_gitlab_and_nginx_tls == "force") %} - return 301 https://$http_host$request_uri; -{% else %} - invoke gitlab_common; -{% endif %} -} - -{% if (var_gitlab_and_nginx_tls != "disable") %} -server { - server_name {{var_gitlab_and_nginx_domain}}; - server_tokens off; - - listen 0.0.0.0:443 ssl http2; - listen [::]:443 ipv6only=on ssl http2 default_server; - - ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem; - ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem; - include /etc/nginx/ssl-hardening.conf; - - invoke gitlab_common; -} -{% endif %} From 6c8b3d1b088ad552e478b391ea50c15cc46d7836 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 27 Jun 2024 19:07:58 +0200 Subject: [PATCH 06/51] [add] role:authelia-for-owncloud [add] owncloud [add] owncloud-and-nginx --- .../authelia-for-owncloud/defaults/main.json | 11 ++ roles/authelia-for-owncloud/info.md | 9 ++ roles/authelia-for-owncloud/tasks/main.json | 31 ++++ .../authelia-client-conf-android.json.j2 | 15 ++ .../authelia-client-conf-desktop.json.j2 | 16 +++ .../authelia-client-conf-ios.json.j2 | 16 +++ .../authelia-client-conf-web.json.j2 | 11 ++ roles/owncloud-and-nginx/defaults/main.json | 3 + roles/owncloud-and-nginx/tasks/main.json | 35 +++++ roles/owncloud-and-nginx/templates/conf.j2 | 16 +++ roles/owncloud/defaults/main.json | 20 +++ roles/owncloud/info.md | 15 ++ roles/owncloud/tasks/main.json | 47 ++++++ roles/owncloud/templates/ocis.yaml.j2 | 136 ++++++++++++++++++ roles/owncloud/templates/systemd_unit.j2 | 17 +++ roles/owncloud/vardef.json | 30 ++++ 16 files changed, 428 insertions(+) create mode 100644 roles/authelia-for-owncloud/defaults/main.json create mode 100644 roles/authelia-for-owncloud/info.md create mode 100644 roles/authelia-for-owncloud/tasks/main.json create mode 100644 roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2 create mode 100644 roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2 create mode 100644 roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2 create mode 100644 roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 create mode 100644 roles/owncloud-and-nginx/defaults/main.json create mode 100644 roles/owncloud-and-nginx/tasks/main.json create mode 100644 roles/owncloud-and-nginx/templates/conf.j2 create mode 100644 roles/owncloud/defaults/main.json create mode 100644 roles/owncloud/info.md create mode 100644 roles/owncloud/tasks/main.json create mode 100644 roles/owncloud/templates/ocis.yaml.j2 create mode 100644 roles/owncloud/templates/systemd_unit.j2 create mode 100644 
roles/owncloud/vardef.json diff --git a/roles/authelia-for-owncloud/defaults/main.json b/roles/authelia-for-owncloud/defaults/main.json new file mode 100644 index 0000000..df89782 --- /dev/null +++ b/roles/authelia-for-owncloud/defaults/main.json @@ -0,0 +1,11 @@ +{ + "var_authelia_for_owncloud_owncloud_url_base": "https://owncloud.example.org", + "var_authelia_for_owncloud_web_client_id": "owncloud_web", + "var_authelia_for_owncloud_web_client_secret": "REPLACE_ME", + "var_authelia_for_owncloud_desktop_client_id": "owncloud_desktop", + "var_authelia_for_owncloud_desktop_client_secret": "REPLACE_ME", + "var_authelia_for_owncloud_android_client_id": "owncloud_android", + "var_authelia_for_owncloud_android_client_secret": "REPLACE_ME", + "var_authelia_for_owncloud_ios_client_id": "owncloud_ios", + "var_authelia_for_owncloud_ios_client_secret": "REPLACE_ME" +} diff --git a/roles/authelia-for-owncloud/info.md b/roles/authelia-for-owncloud/info.md new file mode 100644 index 0000000..2ef0452 --- /dev/null +++ b/roles/authelia-for-owncloud/info.md @@ -0,0 +1,9 @@ +## Beschreibung + +Um [ownCloud](../owncloud) gegen [Authelia](../authelia) authentifizieren zu lassen + + +## Verweise + +- [Authelia-Dokumentation | ownCloud Infinite Scale Integration](https://www.authelia.com/integration/openid-connect/ocis/) +- [Helge Klein | SSO via Authelia: ownCloud OpenID Connect Authentication](https://helgeklein.com/blog/owncloud-infinite-scale-with-openid-connect-authentication-for-home-networks/#sso-via-authelia-owncloud-openid-connect-authentication) diff --git a/roles/authelia-for-owncloud/tasks/main.json b/roles/authelia-for-owncloud/tasks/main.json new file mode 100644 index 0000000..1272bc8 --- /dev/null +++ b/roles/authelia-for-owncloud/tasks/main.json 
@@ -0,0 +1,31 @@ +[ + { + "name": "configuration | emplace", + "become": true, + "loop": [ + {"src": "authelia-client-conf-web.json.j2", "dest": "/etc/authelia/conf.d/clients/owncloud-web.json"}, + {"src": "authelia-client-conf-desktop.json.j2", "dest": "/etc/authelia/conf.d/clients/owncloud-desktop.json"}, + {"src": "authelia-client-conf-android.json.j2", "dest": "/etc/authelia/conf.d/clients/owncloud-android.json"}, + {"src": "authelia-client-conf-ios.json.j2", "dest": "/etc/authelia/conf.d/clients/owncloud-ios.json"} + ], + "ansible.builtin.template": { + "src": "{{item.src}}", + "dest": "{{item.dest}}" + } + }, + { + "name": "configuration | apply", + "become": true, + "ansible.builtin.command": { + "cmd": "/usr/bin/authelia-conf-compose" + } + }, + { + "name": "restart service", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "authelia" + } + } +] diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2 new file mode 100644 index 0000000..2540ac2 --- /dev/null +++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2 @@ -0,0 +1,15 @@ +{ + "client_id": "{{var_authelia_for_owncloud_android_client_id}}", + "client_secret": "{{var_authelia_for_owncloud_android_client_secret}}", + "client_name": "ownCloud Android app", + "scopes": [ + "openid", + "groups", + "profile", + "email", + "offline_access" + ], + "redirect_uris": [ + "oc://android.owncloud.com" + ] +} diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2 new file mode 100644 index 0000000..1a8088d --- /dev/null +++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2 
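Review bot: The `configuration | emplace` template task writes client files that contain `client_secret` values into `/etc/authelia/conf.d/clients/` without `mode` or `owner`, so they are created with the remote default umask (typically 0644) and are readable by every local account. Add `"mode": "0640"` plus the owner/group the authelia service runs as (not visible in this role) to the template task, and `"no_log": true` so the rendered secrets do not show up in `--diff` output. The `restart service` task also runs on every play; restarting only when the emplace or compose step reports a change would avoid needless outages of the identity provider.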
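Review bot: `client_secret` is rendered as the raw value of `var_authelia_for_owncloud_android_client_secret`, but Authelia's client configuration documents `client_secret` as a password hash (the `$pbkdf2-sha512$…` form produced by `authelia crypto hash generate pbkdf2`), and recent releases reject a plaintext value for confidential clients — confirm against the Authelia version this repository targets. The desktop and iOS templates in this patch have the same shape. If the hash is what Authelia needs, the defaults could hold the hash here while the plaintext is passed only to the owncloud role.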
@@ -0,0 +1,16 @@ +{ + "client_id": "{{var_authelia_for_owncloud_desktop_client_id}}", + "client_secret": "{{var_authelia_for_owncloud_desktop_client_secret}}", + "client_name": "ownCloud desktop client", + "scopes": [ + "openid", + "groups", + "profile", + "email", + "offline_access" + ], + "redirect_uris": [ + "http://127.0.0.1", + "http://localhost" + ] +} diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2 new file mode 100644 index 0000000..9c4a2f0 --- /dev/null +++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2 @@ -0,0 +1,16 @@ +{ + "client_id": "{{var_authelia_for_owncloud_ios_client_id}}", + "client_secret": "{{var_authelia_for_owncloud_ios_client_secret}}", + "client_name": "ownCloud iOS app", + "scopes": [ + "openid", + "groups", + "profile", + "email", + "offline_access" + ], + "redirect_uris": [ + "oc://ios.owncloud.com", + "oc.ios://ios.owncloud.com" + ] +} diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 new file mode 100644 index 0000000..2887eaf --- /dev/null +++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 @@ -0,0 +1,11 @@ +{ + "client_id": "{{var_authelia_for_owncloud_web_client_id}}", + "client_secret": "{{var_authelia_for_owncloud_web_client_secret}}", + "client_name": "ownCloud Infinite Scale", + "public": true, + "redirect_uris": [ + "{{var_authelia_for_owncloud_owncloud_url_base}}", + "{{var_authelia_for_owncloud_owncloud_url_base}}/oidc-callback.html", + "{{var_authelia_for_owncloud_owncloud_url_base}}/oidc-silent-redirect.html" + ] +} diff --git a/roles/owncloud-and-nginx/defaults/main.json b/roles/owncloud-and-nginx/defaults/main.json new file mode 100644 index 0000000..c9d2b8f --- /dev/null +++ b/roles/owncloud-and-nginx/defaults/main.json 
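Review bot: The web client sets `"public": true` and also a `client_secret`; Authelia treats a public client as one without a secret, and its configuration validation is expected to reject that combination — verify against the version in use, but one of the two should go. For a browser-based client the public form is the documented one, so drop the `client_secret` line (and `var_authelia_for_owncloud_web_client_secret` with it) if that holds. This template also lists no `scopes` while the android, desktop and iOS templates each request `openid groups profile email offline_access`; if relying on Authelia's default scopes is intended, say so in the commit, otherwise add the same list.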
@@ -0,0 +1,3 @@ +{ + "var_owncloud_and_nginx_domain": "owncloud.example.org" +} diff --git a/roles/owncloud-and-nginx/tasks/main.json b/roles/owncloud-and-nginx/tasks/main.json new file mode 100644 index 0000000..004dfa3 --- /dev/null +++ b/roles/owncloud-and-nginx/tasks/main.json @@ -0,0 +1,35 @@ +[ + { + "name": "deactivate default site", + "become": true, + "ansible.builtin.file": { + "state": "absent", + "dest": "/etc/nginx/sites-enabled/default" + } + }, + { + "name": "emplace configuration | data", + "become": true, + "ansible.builtin.template": { + "src": "conf.j2", + "dest": "/etc/nginx/sites-available/{{var_owncloud_and_nginx_domain}}" + } + }, + { + "name": "emplace configuration | link", + "become": true, + "ansible.builtin.file": { + "state": "link", + "src": "/etc/nginx/sites-available/{{var_owncloud_and_nginx_domain}}", + "dest": "/etc/nginx/sites-enabled/{{var_owncloud_and_nginx_domain}}" + } + }, + { + "name": "restart nginx", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "nginx" + } + } +] diff --git a/roles/owncloud-and-nginx/templates/conf.j2 b/roles/owncloud-and-nginx/templates/conf.j2 new file mode 100644 index 0000000..77e4eaf --- /dev/null +++ b/roles/owncloud-and-nginx/templates/conf.j2 @@ -0,0 +1,16 @@ +server { + listen 80; + listen [::]:80; + listen 443 ssl; + listen [::]:443 ssl; + + server_name {{var_owncloud_and_nginx_domain}}; + + ssl_certificate /etc/ssl/fullchains/{{var_owncloud_and_nginx_domain}}.pem; + ssl_certificate_key /etc/ssl/private/{{var_owncloud_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; + + location / { + proxy_pass http://localhost:9200; + } +} diff --git a/roles/owncloud/defaults/main.json b/roles/owncloud/defaults/main.json new file mode 100644 index 0000000..a4e3063 --- /dev/null +++ b/roles/owncloud/defaults/main.json 
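Review bot: `restart nginx` follows the template and link tasks unconditionally with no configuration check, so a rendering error in `conf.j2` takes down every site on the host rather than just this one. Add an `ansible.builtin.command` task running `nginx -t` between `emplace configuration | link` and the restart, and prefer `"state": "reloaded"`, since a reload keeps the running configuration when the new one fails to parse. The `deactivate default site` task is fine as-is but is repeated in the other `-and-nginx` roles; a shared handler would keep the four roles consistent.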
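Review bot: The single `server` block listens on 80 and 443 and proxies both to oCIS with no redirect, so OIDC callbacks and session cookies for `{{var_owncloud_and_nginx_domain}}` are reachable over cleartext; split port 80 into its own block with `return 301 https://$http_host$request_uri;`, as the gitlab-and-nginx template already does. `location /` also sets no `proxy_set_header Host $host;` or `X-Forwarded-Proto`/`X-Forwarded-For`, which oCIS needs behind a reverse proxy to build correct absolute URLs — confirm against the ocis.yaml template, which is outside this hunk. `proxy_pass http://localhost:9200;` further assumes the oCIS proxy has its own TLS turned off; as far as I recall it serves HTTPS on 9200 by default, so this only works if the generated config disables that.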
@@ -0,0 +1,20 @@ +{ + "var_owncloud_user": "owncloud", + "var_owncloud_directory": "/opt/owncloud", + "var_owncloud_version": "5.0.0", + "var_owncloud_platform": "linux-amd64", + "var_owncloud_admin_password": "REPLACE_ME", + "var_owncloud_authentication_kind": "none", + "var_owncloud_authentication_data_authelia_url_base": "https://authelia.example.org", + "var_owncloud_authentication_data_authelia_web_client_id": "owncloud_web", + "var_owncloud_authentication_data_authelia_web_client_secret": "REPLACE_ME", + "var_owncloud_authentication_data_authelia_desktop_client_id": "owncloud_desktop", + "var_owncloud_authentication_data_authelia_desktop_client_secret": "REPLACE_ME", + "var_owncloud_authentication_data_authelia_android_client_id": "owncloud_android", + "var_owncloud_authentication_data_authelia_android_client_secret": "REPLACE_ME", + "var_owncloud_authentication_data_authelia_ios_client_id": "owncloud_ios", + "var_owncloud_authentication_data_authelia_ios_client_secret": "REPLACE_ME", + "var_owncloud_bind_password": "XJY1n3yakq.ko8fO&Ysl3YBiCMslIMd4", + "var_owncloud_account_id": "a2b6ad84-a728-44d3-bc4c-07f8b275d7ba", + "var_owncloud_account_secret": "7ivhMgFMakmZeGdhgne5rMUi*.1FVy4A" +} diff --git a/roles/owncloud/info.md b/roles/owncloud/info.md new file mode 100644 index 0000000..9bfee3e --- /dev/null +++ b/roles/owncloud/info.md @@ -0,0 +1,15 @@ +## Beschreibung + +Cloud-Plattform [ownCloud](https://owncloud.com/) (the rewrite in Go named "Infinite Scale") + + +## Verweise + +- [GitHub | ocis](https://github.com/rhafer/ocis/) +- [ownCloud-Dokumentation | How to install ownCloud Infinite Scale Tech Preview in three easy steps](https://owncloud.com/news/howto-install-owncloud-infinite-scale-tech-preview/) +- [ownCloud-Dokumentation | oCIS](https://owncloud.dev/ocis/) + + +## ToDo + +- Downlowd prüfen diff --git a/roles/owncloud/tasks/main.json b/roles/owncloud/tasks/main.json new file mode 100644 index 0000000..f7c8c3b --- /dev/null 
+++ b/roles/owncloud/tasks/main.json @@ -0,0 +1,47 @@ +[ + { + "name": "user", + "become": true, + "ansible.builtin.user": { + "name": "{{var_owncloud_user}}", + "create_home": true, + "home": "{{var_owncloud_directory}}" + } + }, + { + "name": "download", + "become": true, + "become_user": "{{var_owncloud_user}}", + "ansible.builtin.get_url": { + "url": "https://download.owncloud.com/ocis/ocis/stable/{{var_owncloud_version}}/ocis-{{var_owncloud_version}}-{{var_owncloud_platform}}", + "dest": "{{var_owncloud_directory}}/ocis", + "mode": "u+rx" + } + }, + { + "name": "setup", + "become": true, + "become_user": "{{var_owncloud_user}}", + "ansible.builtin.shell": { + "chdir": "{{var_owncloud_directory}}", + "cmd": "./ocis --insecure no --admin-password={{var_owncloud_admin_password}}" + } + }, + { + "name": "systemd unit", + "become": true, + "ansible.builtin.template": { + "src": "systemd_unit.j2", + "dest": "/etc/systemd/system/owncloud.service" + } + }, + { + "name": "run", + "become": true, + "ansible.builtin.systemd_service": { + "name": "owncloud", + "enabled": true, + "state": "restarted" + } + } +] diff --git a/roles/owncloud/templates/ocis.yaml.j2 b/roles/owncloud/templates/ocis.yaml.j2 new file mode 100644 index 0000000..89254ff --- /dev/null +++ b/roles/owncloud/templates/ocis.yaml.j2 
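Review bot: The `download` task fetches the ocis binary with `ansible.builtin.get_url` and no `checksum`, and the `run` task then starts it as a system service, so the only integrity guarantee is the TLS connection to the download host; pin the release with `"checksum": "sha256:<CHECKSUM_FOR_PINNED_VERSION>"` (placeholder — take the value from the vendor's published checksum for `var_owncloud_version`). The `setup` task puts `var_owncloud_admin_password` on the command line, where it is visible in process listings and in Ansible's task output; add `"no_log": true` to that task and pass the password through the environment if the binary supports it. The same task also has no `creates` guard, so every run re-executes the setup.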
@@ -0,0 +1,136 @@ +token_manager: + jwt_secret: cv95NuKbq9zKlbmE-5H6fv*A2gRqzY1y +machine_auth_api_key: BgY2%q1L2BwQTxqJpaWfbjHWzl@QAHGA +system_user_api_key: kGnoApWytP%Bt&kn!H2nAMOBqZhKM!f3 +transfer_secret: X8THQbAA-rFfTskAaZdf936vnd9UpodR +system_user_id: 2c56ae2c-881f-49a8-827b-c804d8ccb962 +admin_user_id: 253c3a04-5bb2-46de-bd4a-6d19dbbb50da +graph: + application: + id: 5251ba75-4a4f-4713-bed0-18ddb5328793 + events: + tls_insecure: true + spaces: + insecure: true + identity: + ldap: + bind_password: jqwCl3ix*wexA^SOIg=wiRF#&DIfezAf + service_account: + service_account_id: {{var_owncloud_account_id}} + service_account_secret: {{var_owncloud_account_secret}} +idp: + ldap: + bind_password: BYd$k0lmb=.=T7NOGk.$^XKYKY13kHbh +idm: + service_user_passwords: + admin_password: foobar + idm_password: jqwCl3ix*wexA^SOIg=wiRF#&DIfezAf + reva_password: {{var_owncloud_bind_password}} + idp_password: BYd$k0lmb=.=T7NOGk.$^XKYKY13kHbh +proxy: + oidc: +{% if var_owncloud_authentication_kind == 'none' %} + insecure: true +{% endif %} +{% if var_owncloud_authentication_kind == 'authelia' %} + insecure: false + issuer: "{{var_owncloud_authentication_data_authelia_url_base}}" + access_token_verify_method: none + rewrite_wellknown: true +{% endif %} + user: + oidc: + claim: preferred_username + insecure_backends: true + service_account: + service_account_id: {{var_owncloud_account_id}} + service_account_secret: {{var_owncloud_account_secret}} +frontend: + app_handler: + insecure: true + archiver: + insecure: true + service_account: + service_account_id: {{var_owncloud_account_id}} + service_account_secret: {{var_owncloud_account_secret}} +auth_basic: + auth_providers: + ldap: + bind_password: {{var_owncloud_bind_password}} +auth_bearer: + auth_providers: + oidc: + insecure: true +users: + drivers: + ldap: + bind_password: {{var_owncloud_bind_password}} +groups: + drivers: + ldap: + bind_password: {{var_owncloud_bind_password}} +ocdav: + insecure: true +ocm: + service_account: + 
service_account_id: {{var_owncloud_account_id}} + service_account_secret: {{var_owncloud_account_secret}} +thumbnails: + thumbnail: + transfer_secret: vEycSxTtr+4kqQBx1XLM9db*2Ac4v5l# + webdav_allow_insecure: true + cs3_allow_insecure: true +search: + events: + tls_insecure: true + service_account: + service_account_id: {{var_owncloud_account_id}} + service_account_secret: {{var_owncloud_account_secret}} +audit: + events: + tls_insecure: true +settings: + service_account_ids: + - {{var_owncloud_account_id}} +sharing: + events: + tls_insecure: true +storage_users: + events: + tls_insecure: true + mount_id: 7762e662-d016-4d2d-a353-28e439270b46 + service_account: + service_account_id: {{var_owncloud_account_id}} + service_account_secret: {{var_owncloud_account_secret}} +notifications: + notifications: + events: + tls_insecure: true + service_account: + service_account_id: {{var_owncloud_account_id}} + service_account_secret: {{var_owncloud_account_secret}} +nats: + nats: + tls_skip_verify_client_cert: true +gateway: + storage_registry: + storage_users_mount_id: 7762e662-d016-4d2d-a353-28e439270b46 +userlog: + service_account: + service_account_id: {{var_owncloud_account_id}} + service_account_secret: {{var_owncloud_account_secret}} +auth_service: + service_account: + service_account_id: {{var_owncloud_account_id}} + service_account_secret: {{var_owncloud_account_secret}} +clientlog: + service_account: + service_account_id: {{var_owncloud_account_id}} + service_account_secret: {{var_owncloud_account_secret}} +web: +{% if var_owncloud_authentication_kind == 'authelia' %} + oidc: + client_id: "{{var_owncloud_authentication_data_authelia_web_client_id}}" + client_secret: "{{var_owncloud_authentication_data_authelia_web_client_secret}}" + scope: "openid profile email groups" +{% endif %} diff --git a/roles/owncloud/templates/systemd_unit.j2 b/roles/owncloud/templates/systemd_unit.j2 new file mode 100644 index 0000000..46203ff --- /dev/null 
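Review bot: The template ships fixed values for `jwt_secret`, `machine_auth_api_key`, `system_user_api_key`, `transfer_secret`, the LDAP `bind_password`s and `admin_password: foobar`, so every host deployed from this role shares the same secrets and anyone with read access to the repository holds them. These belong in per-host generated variables, or should be left to `ocis init`, which produces them; any installation that has used this template should rotate them, since the values are now part of the repository history. The template also sets `insecure: true` / `tls_insecure: true` on nearly every service, which presumably disables certificate verification on the internal calls — if that is acceptable because the services only talk over loopback, say so in a comment, otherwise scope it to the services that need it.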
+++ b/roles/owncloud/templates/systemd_unit.j2 @@ -0,0 +1,17 @@ +[Unit] +Description=ownCloud +After=network.target + +[Service] +WorkingDirectory={{var_owncloud_directory}} +{% if var_owncloud_authentication_kind == 'authelia' %} +Environment="OCIS_OIDC_ISSUER='{{var_owncloud_authentication_data_authelia_url_base}}'" +{% endif %} +ExecStart={{var_owncloud_directory}}/ocis server +Type=simple +Restart=always +User={{var_owncloud_user}} + +[Install] +WantedBy=default.target +RequiredBy=network.target diff --git a/roles/owncloud/vardef.json b/roles/owncloud/vardef.json new file mode 100644 index 0000000..2940d4a --- /dev/null +++ b/roles/owncloud/vardef.json @@ -0,0 +1,30 @@ +{ + "user": { + "type": "string", + "mandatory": false + }, + "directory": { + "type": "string", + "mandatory": false + }, + "version": { + "type": "string", + "mandatory": false + }, + "platform": { + "type": "string", + "mandatory": false + }, + "admin_password": { + "type": "string", + "mandatory": true + }, + "authentication_kind": { + "type": "string", + "mandatory": false, + "options": [ + "none", + "authelia" + ] + } +} From 0235238dd7874a0776efa8deff9297e5f9c9ad77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 2 Jul 2024 00:11:22 +0200 Subject: [PATCH 07/51] [fix] role:authelia-for-owncloud --- roles/authelia-for-owncloud/info.md | 1 + .../templates/authelia-client-conf-android.json.j2 | 2 +- .../templates/authelia-client-conf-desktop.json.j2 | 2 +- .../templates/authelia-client-conf-ios.json.j2 | 2 +- .../templates/authelia-client-conf-web.json.j2 | 12 ++++++++++-- 5 files changed, 14 insertions(+), 5 deletions(-) diff --git a/roles/authelia-for-owncloud/info.md b/roles/authelia-for-owncloud/info.md index 2ef0452..54e275f 100644 --- a/roles/authelia-for-owncloud/info.md +++ b/roles/authelia-for-owncloud/info.md 
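Review bot: In `[Install]`, `RequiredBy=network.target` makes network.target depend on this service, which is the inverse of the intended ordering (the unit already declares `After=network.target`), and `WantedBy=default.target` is unusual for a system service, where `multi-user.target` is the norm. `Environment="OCIS_OIDC_ISSUER='{{...}}'"` nests single quotes inside the double-quoted assignment; systemd strips only the outer quotes, so the issuer presumably reaches the process with literal `'` characters and will not equal the IdP's issuer — `Environment="OCIS_OIDC_ISSUER={{var_owncloud_authentication_data_authelia_url_base}}"` is what was meant. Running as the unprivileged `User=` is good; since the process now handles user data, consider the standard sandboxing directives (`NoNewPrivileges=true`, `ProtectSystem=strict`, `PrivateTmp=true` with a `ReadWritePaths=` for the data directory).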
@@ -7,3 +7,4 @@ Um [ownCloud](../owncloud) gegen [Authelia](../authelia) authentifizieren zu las - [Authelia-Dokumentation | ownCloud Infinite Scale Integration](https://www.authelia.com/integration/openid-connect/ocis/) - [Helge Klein | SSO via Authelia: ownCloud OpenID Connect Authentication](https://helgeklein.com/blog/owncloud-infinite-scale-with-openid-connect-authentication-for-home-networks/#sso-via-authelia-owncloud-openid-connect-authentication) +- [ownCloud Forums | OCIS + Authelia](https://central.owncloud.org/t/ocis-authelia/44222) diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2 index 2540ac2..a0f0bcb 100644 --- a/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2 +++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2 @@ -1,7 +1,7 @@ { "client_id": "{{var_authelia_for_owncloud_android_client_id}}", "client_secret": "{{var_authelia_for_owncloud_android_client_secret}}", - "client_name": "ownCloud Android app", + "client_name": "ownCloud | Android Client", "scopes": [ "openid", "groups", diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2 index 1a8088d..bafc164 100644 --- a/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2 +++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2 @@ -1,7 +1,7 @@ { "client_id": "{{var_authelia_for_owncloud_desktop_client_id}}", "client_secret": "{{var_authelia_for_owncloud_desktop_client_secret}}", - "client_name": "ownCloud desktop client", + "client_name": "ownCloud | Desktop Client", "scopes": [ "openid", "groups", diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2 index 9c4a2f0..8477691 100644 
--- a/roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2 +++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2 @@ -1,7 +1,7 @@ { "client_id": "{{var_authelia_for_owncloud_ios_client_id}}", "client_secret": "{{var_authelia_for_owncloud_ios_client_secret}}", - "client_name": "ownCloud iOS app", + "client_name": "ownCloud | iOS Client", "scopes": [ "openid", "groups", diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 index 2887eaf..b60041e 100644 --- a/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 +++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 @@ -1,8 +1,16 @@ { "client_id": "{{var_authelia_for_owncloud_web_client_id}}", - "client_secret": "{{var_authelia_for_owncloud_web_client_secret}}", - "client_name": "ownCloud Infinite Scale", + "client_name": "ownCloud | Web Client", "public": true, + "scopes": [ + "openid", + "email", + "profile", + "groups" + ], + "response_types": [ + "code" + ], "redirect_uris": [ "{{var_authelia_for_owncloud_owncloud_url_base}}", "{{var_authelia_for_owncloud_owncloud_url_base}}/oidc-callback.html", From 704012f888fe6954110423308e0caa4f224ee22a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 2 Jul 2024 00:11:36 +0200 Subject: [PATCH 08/51] [fix] role:owncloud --- roles/owncloud/defaults/main.json | 6 +- roles/owncloud/info.md | 4 +- roles/owncloud/tasks/main.json | 11 +- roles/owncloud/templates/env.j2 | 25 +++++ roles/owncloud/templates/ocis.yaml.j2 | 136 ----------------------- roles/owncloud/templates/systemd_unit.j2 | 4 +- roles/owncloud/vardef.json | 40 +++++++ 7 files changed, 81 insertions(+), 145 deletions(-) create mode 100644 roles/owncloud/templates/env.j2 delete mode 100644 roles/owncloud/templates/ocis.yaml.j2 
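Review bot: Dropping `client_secret` while keeping `public: true` makes the web client a public OAuth client that proves nothing about itself at the token endpoint, so the only protection for an intercepted authorization code is PKCE; the entry gains `scopes` and `response_types` but no PKCE requirement, and Authelia can require it per client — add that option (its key name depends on the Authelia version) next to `"response_types"`. The `redirect_uris` list also accepts the bare `{{var_authelia_for_owncloud_owncloud_url_base}}` in addition to the two `oidc-*.html` callback pages; if the web client only ever returns to those two pages, the bare entry widens the set of valid redirect targets for no benefit.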
diff --git a/roles/owncloud/defaults/main.json b/roles/owncloud/defaults/main.json index a4e3063..0f5e6df 100644 --- a/roles/owncloud/defaults/main.json +++ b/roles/owncloud/defaults/main.json @@ -3,6 +3,7 @@ "var_owncloud_directory": "/opt/owncloud", "var_owncloud_version": "5.0.0", "var_owncloud_platform": "linux-amd64", + "var_owncloud_domain": "owncloud.example.org", "var_owncloud_admin_password": "REPLACE_ME", "var_owncloud_authentication_kind": "none", "var_owncloud_authentication_data_authelia_url_base": "https://authelia.example.org", @@ -13,8 +14,5 @@ "var_owncloud_authentication_data_authelia_android_client_id": "owncloud_android", "var_owncloud_authentication_data_authelia_android_client_secret": "REPLACE_ME", "var_owncloud_authentication_data_authelia_ios_client_id": "owncloud_ios", - "var_owncloud_authentication_data_authelia_ios_client_secret": "REPLACE_ME", - "var_owncloud_bind_password": "XJY1n3yakq.ko8fO&Ysl3YBiCMslIMd4", - "var_owncloud_account_id": "a2b6ad84-a728-44d3-bc4c-07f8b275d7ba", - "var_owncloud_account_secret": "7ivhMgFMakmZeGdhgne5rMUi*.1FVy4A" + "var_owncloud_authentication_data_authelia_ios_client_secret": "REPLACE_ME" } diff --git a/roles/owncloud/info.md b/roles/owncloud/info.md index 9bfee3e..c81bd53 100644 --- a/roles/owncloud/info.md +++ b/roles/owncloud/info.md 
@@ -5,9 +5,11 @@ Cloud-Plattform [ownCloud](https://owncloud.com/) (the rewrite in Go named "Infi ## Verweise -- [GitHub | ocis](https://github.com/rhafer/ocis/) - [ownCloud-Dokumentation | How to install ownCloud Infinite Scale Tech Preview in three easy steps](https://owncloud.com/news/howto-install-owncloud-infinite-scale-tech-preview/) - [ownCloud-Dokumentation | oCIS](https://owncloud.dev/ocis/) +- [ownCloud-Dokumentation | Service | Proxy](https://doc.owncloud.com/ocis/next/deployment/services/s-list/proxy.html) +- [ownCloud-Dokumentation | Service | Web](https://doc.owncloud.com/ocis/next/deployment/services/s-list/web.html) +- [GitHub | ocis](https://github.com/owncloud/ocis/) ## ToDo diff --git a/roles/owncloud/tasks/main.json b/roles/owncloud/tasks/main.json index f7c8c3b..5c63d19 100644 --- a/roles/owncloud/tasks/main.json +++ b/roles/owncloud/tasks/main.json @@ -24,7 +24,16 @@ "become_user": "{{var_owncloud_user}}", "ansible.builtin.shell": { "chdir": "{{var_owncloud_directory}}", - "cmd": "./ocis --insecure no --admin-password={{var_owncloud_admin_password}}" + "cmd": "./ocis init --insecure no --admin-password={{var_owncloud_admin_password}}" + } + }, + { + "name": "configuration", + "become": true, + "become_user": "{{var_owncloud_user}}", + "ansible.builtin.template": { + "src": "env.j2", + "dest": "{{var_owncloud_directory}}/.env" } }, { diff --git a/roles/owncloud/templates/env.j2 b/roles/owncloud/templates/env.j2 new file mode 100644 index 0000000..3b3b194 --- /dev/null +++ b/roles/owncloud/templates/env.j2 
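Review bot: `./ocis init ... --admin-password={{var_owncloud_admin_password}}` is executed on every play through `ansible.builtin.shell`, with the secret on the command line (process list, Ansible output), no `no_log`, and no `creates` guard, so a re-run either fails because the configuration already exists or re-initialises it. Add `"no_log": true`, guard with `"creates": "<PATH_OF_CONFIG_WRITTEN_BY_OCIS_INIT>"` (placeholder; the file `ocis init` creates under the service user's home), and prefer `ansible.builtin.command` so a password containing shell metacharacters is not interpreted by the shell. The new `configuration` task writes `.env` without a `mode`, leaving it at the umask default; set `"mode": "0600"`, since env files of this kind routinely end up holding client secrets and API keys even if this template does not yet.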
@@ -0,0 +1,25 @@ +OCIS_URL="{{var_owncloud_domain}}" +OCIS_INSECURE="false" + +PROXY_TLS="false" + +{% if var_owncloud_authentication_kind != 'none' %} +PROXY_AUTOPROVISION_ACCOUNTS="false" +{% endif %} + +{% if var_owncloud_authentication_kind == 'authelia' %} +OCIS_OIDC_CLIENT_ID="{{var_owncloud_authentication_data_authelia_web_client_id}}" +OCIS_OIDC_ISSUER="{{var_owncloud_authentication_data_authelia_url_base}}" + +PROXY_AUTOPROVISION_ACCOUNTS="true" +PROXY_OIDC_REWRITE_WELLKNOWN="true" +PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD="none" +PROXY_OIDC_INSECURE="false" +PROXY_USER_OIDC_CLAIM="name" +PROXY_USER_CS3_CLAIM="username" + +WEB_OIDC_AUTHORITY="{{var_owncloud_authentication_data_authelia_url_base}}" +WEB_OIDC_METADATA_URL="{{var_owncloud_authentication_data_authelia_url_base}}/.well-known/openid-configuration" +WEB_OIDC_CLIENT_ID="{{var_owncloud_authentication_data_authelia_web_client_id}}" +WEB_OIDC_SCOPE="openid profile email groups" +{% endif %} diff --git a/roles/owncloud/templates/ocis.yaml.j2 b/roles/owncloud/templates/ocis.yaml.j2 deleted file mode 100644 index 89254ff..0000000 --- a/roles/owncloud/templates/ocis.yaml.j2 +++ /dev/null 
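Review bot: `PROXY_USER_OIDC_CLAIM="name"` selects the OIDC `name` claim — the human-readable display name — as the attribute that identifies a user, while `PROXY_AUTOPROVISION_ACCOUNTS="true"` creates accounts from it; display names are neither unique nor stable, so two users sharing a name, or a renamed user, would be mapped to the same or to a fresh account. Match on a stable identifier instead, `PROXY_USER_OIDC_CLAIM="preferred_username"`, which is the claim the `PROXY_USER_CS3_CLAIM="username"` pairing is meant for. `PROXY_AUTOPROVISION_ACCOUNTS` is set to `"false"` in the `!= 'none'` block and to `"true"` in the `== 'authelia'` block, so with authelia both lines are rendered and only the later one takes effect — drop the first block or make it the intended `else`. `OCIS_URL="{{var_owncloud_domain}}"` receives a bare hostname, whereas ocis documents this as a full URL including the scheme, so `OCIS_URL="https://{{var_owncloud_domain}}"` is presumably intended. `PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD="none"` deserves a one-line comment stating why token verification is switched off (presumably because the IdP's access tokens are not JWTs), so nobody copies or removes it blindly.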
@@ -1,136 +0,0 @@ -token_manager: - jwt_secret: cv95NuKbq9zKlbmE-5H6fv*A2gRqzY1y -machine_auth_api_key: BgY2%q1L2BwQTxqJpaWfbjHWzl@QAHGA -system_user_api_key: kGnoApWytP%Bt&kn!H2nAMOBqZhKM!f3 -transfer_secret: X8THQbAA-rFfTskAaZdf936vnd9UpodR -system_user_id: 2c56ae2c-881f-49a8-827b-c804d8ccb962 -admin_user_id: 253c3a04-5bb2-46de-bd4a-6d19dbbb50da -graph: - application: - id: 5251ba75-4a4f-4713-bed0-18ddb5328793 - events: - tls_insecure: true - spaces: - insecure: true - identity: - ldap: - bind_password: jqwCl3ix*wexA^SOIg=wiRF#&DIfezAf - service_account: - service_account_id: {{var_owncloud_account_id}} - service_account_secret: {{var_owncloud_account_secret}} -idp: - ldap: - bind_password: BYd$k0lmb=.=T7NOGk.$^XKYKY13kHbh -idm: - service_user_passwords: - admin_password: foobar - idm_password: jqwCl3ix*wexA^SOIg=wiRF#&DIfezAf - reva_password: {{var_owncloud_bind_password}} - idp_password: BYd$k0lmb=.=T7NOGk.$^XKYKY13kHbh -proxy: - oidc: -{% if var_owncloud_authentication_kind == 'none' %} - insecure: true -{% endif %} -{% if var_owncloud_authentication_kind == 'authelia' %} - insecure: false - issuer: "{{var_owncloud_authentication_data_authelia_url_base}}" - access_token_verify_method: none - rewrite_wellknown: true -{% endif %} - user: - oidc: - claim: preferred_username - insecure_backends: true - service_account: - service_account_id: {{var_owncloud_account_id}} - service_account_secret: {{var_owncloud_account_secret}} -frontend: - app_handler: - insecure: true - archiver: - insecure: true - service_account: - service_account_id: {{var_owncloud_account_id}} - service_account_secret: {{var_owncloud_account_secret}} -auth_basic: - auth_providers: - ldap: - bind_password: {{var_owncloud_bind_password}} -auth_bearer: - auth_providers: - oidc: - insecure: true -users: - drivers: - ldap: - bind_password: {{var_owncloud_bind_password}} -groups: - drivers: - ldap: - bind_password: {{var_owncloud_bind_password}} -ocdav: - insecure: true -ocm: - service_account: - 
service_account_id: {{var_owncloud_account_id}} - service_account_secret: {{var_owncloud_account_secret}} -thumbnails: - thumbnail: - transfer_secret: vEycSxTtr+4kqQBx1XLM9db*2Ac4v5l# - webdav_allow_insecure: true - cs3_allow_insecure: true -search: - events: - tls_insecure: true - service_account: - service_account_id: {{var_owncloud_account_id}} - service_account_secret: {{var_owncloud_account_secret}} -audit: - events: - tls_insecure: true -settings: - service_account_ids: - - {{var_owncloud_account_id}} -sharing: - events: - tls_insecure: true -storage_users: - events: - tls_insecure: true - mount_id: 7762e662-d016-4d2d-a353-28e439270b46 - service_account: - service_account_id: {{var_owncloud_account_id}} - service_account_secret: {{var_owncloud_account_secret}} -notifications: - notifications: - events: - tls_insecure: true - service_account: - service_account_id: {{var_owncloud_account_id}} - service_account_secret: {{var_owncloud_account_secret}} -nats: - nats: - tls_skip_verify_client_cert: true -gateway: - storage_registry: - storage_users_mount_id: 7762e662-d016-4d2d-a353-28e439270b46 -userlog: - service_account: - service_account_id: {{var_owncloud_account_id}} - service_account_secret: {{var_owncloud_account_secret}} -auth_service: - service_account: - service_account_id: {{var_owncloud_account_id}} - service_account_secret: {{var_owncloud_account_secret}} -clientlog: - service_account: - service_account_id: {{var_owncloud_account_id}} - service_account_secret: {{var_owncloud_account_secret}} -web: -{% if var_owncloud_authentication_kind == 'authelia' %} - oidc: - client_id: "{{var_owncloud_authentication_data_authelia_web_client_id}}" - client_secret: "{{var_owncloud_authentication_data_authelia_web_client_secret}}" - scope: "openid profile email groups" -{% endif %} diff --git a/roles/owncloud/templates/systemd_unit.j2 b/roles/owncloud/templates/systemd_unit.j2 index 46203ff..7e43971 100644 --- a/roles/owncloud/templates/systemd_unit.j2 
+++ b/roles/owncloud/templates/systemd_unit.j2 @@ -4,9 +4,7 @@ After=network.target [Service] WorkingDirectory={{var_owncloud_directory}} -{% if var_owncloud_authentication_kind == 'authelia' %} -Environment="OCIS_OIDC_ISSUER='{{var_owncloud_authentication_data_authelia_url_base}}'" -{% endif %} +EnvironmentFile={{var_owncloud_directory}}/.env ExecStart={{var_owncloud_directory}}/ocis server Type=simple Restart=always diff --git a/roles/owncloud/vardef.json b/roles/owncloud/vardef.json index 2940d4a..0fe8404 100644 --- a/roles/owncloud/vardef.json +++ b/roles/owncloud/vardef.json @@ -15,6 +15,10 @@ "type": "string", "mandatory": false }, + "domain": { + "type": "string", + "mandatory": false + }, "admin_password": { "type": "string", "mandatory": true @@ -26,5 +30,41 @@ "none", "authelia" ] + }, + "authentication_data_authelia_url_base": { + "type": "string", + "mandatory": false + }, + "authentication_data_authelia_web_client_id": { + "type": "string", + "mandatory": false + }, + "authentication_data_authelia_web_client_secret": { + "type": "string", + "mandatory": false + }, + "authentication_data_authelia_desktop_client_id": { + "type": "string", + "mandatory": false + }, + "authentication_data_authelia_desktop_client_secret": { + "type": "string", + "mandatory": false + }, + "authentication_data_authelia_android_client_id": { + "type": "string", + "mandatory": false + }, + "authentication_data_authelia_android_client_secret": { + "type": "string", + "mandatory": false + }, + "authentication_data_authelia_ios_client_id": { + "type": "string", + "mandatory": false + }, + "authentication_data_authelia_ios_client_secret": { + "type": "string", + "mandatory": false } } From 2b18625dd3d353edccba2bdc1306873668e32fb9 Mon Sep 17 00:00:00 2001 
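Review bot: `EnvironmentFile={{var_owncloud_directory}}/.env` points at a file inside the service's own `WorkingDirectory`, written as the service user by the `configuration` task, so the ocis process can rewrite its own startup configuration; a root-owned copy under `/etc` (mode 0640, group-readable by `{{var_owncloud_user}}`) keeps the configuration outside the process's write set. The `[Install]` section with its `RequiredBy=network.target` lies outside this hunk.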
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 2 Jul 2024 18:59:16 +0200 Subject: [PATCH 09/51] =?UTF-8?q?[mod]=20role:owncloud:Einstellungen=20f?= =?UTF-8?q?=C3=BCr=20=C3=B6ffentliche=20Freigaben?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/owncloud/defaults/main.json | 4 +++- roles/owncloud/info.md | 1 + roles/owncloud/templates/env.j2 | 19 +++++++++++++++++++ roles/owncloud/vardef.json | 13 +++++++++++++ 4 files changed, 36 insertions(+), 1 deletion(-) diff --git a/roles/owncloud/defaults/main.json b/roles/owncloud/defaults/main.json index 0f5e6df..2d57364 100644 --- a/roles/owncloud/defaults/main.json +++ b/roles/owncloud/defaults/main.json @@ -14,5 +14,7 @@ "var_owncloud_authentication_data_authelia_android_client_id": "owncloud_android", "var_owncloud_authentication_data_authelia_android_client_secret": "REPLACE_ME", "var_owncloud_authentication_data_authelia_ios_client_id": "owncloud_ios", - "var_owncloud_authentication_data_authelia_ios_client_secret": "REPLACE_ME" + "var_owncloud_authentication_data_authelia_ios_client_secret": "REPLACE_ME", + "var_owncloud_public_share_password_necessity": "writable", + "var_owncloud_public_share_password_policy_active": true } diff --git a/roles/owncloud/info.md b/roles/owncloud/info.md index c81bd53..bb50a4d 100644 --- a/roles/owncloud/info.md +++ b/roles/owncloud/info.md @@ -9,6 +9,7 @@ Cloud-Plattform [ownCloud](https://owncloud.com/) (the rewrite in Go named "Infi - [ownCloud-Dokumentation | oCIS](https://owncloud.dev/ocis/) - [ownCloud-Dokumentation | Service | Proxy](https://doc.owncloud.com/ocis/next/deployment/services/s-list/proxy.html) - [ownCloud-Dokumentation | Service | Web](https://doc.owncloud.com/ocis/next/deployment/services/s-list/web.html) +- [ownCloud-Dokumentation | Service | Sharing](https://doc.owncloud.com/ocis/next/deployment/services/s-list/sharing.html) - [GitHub | ocis](https://github.com/owncloud/ocis/) 
diff --git a/roles/owncloud/templates/env.j2 b/roles/owncloud/templates/env.j2 index 3b3b194..731508c 100644 --- a/roles/owncloud/templates/env.j2 +++ b/roles/owncloud/templates/env.j2 @@ -23,3 +23,22 @@ WEB_OIDC_METADATA_URL="{{var_owncloud_authentication_data_authelia_url_base}}/.w WEB_OIDC_CLIENT_ID="{{var_owncloud_authentication_data_authelia_web_client_id}}" WEB_OIDC_SCOPE="openid profile email groups" {% endif %} + +{% if var_owncloud_public_share_password_necessity == 'nothing' %} +SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD="false" +SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD="false" +{% endif %} +{% if var_owncloud_public_share_password_necessity == 'writable' %} +SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD="false" +SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD="true" +{% endif %} +{% if var_owncloud_public_share_password_necessity == 'all' %} +SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD="true" +SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD="true" +{% endif %} + +{% if var_owncloud_public_share_password_policy_active %} +SHARING_PASSWORD_POLICY_DISABLED="false" +{% else %} +SHARING_PASSWORD_POLICY_DISABLED="true" +{% endif %} diff --git a/roles/owncloud/vardef.json b/roles/owncloud/vardef.json index 0fe8404..d480c01 100644 --- a/roles/owncloud/vardef.json +++ b/roles/owncloud/vardef.json @@ -66,5 +66,18 @@ "authentication_data_authelia_ios_client_secret": { "type": "string", "mandatory": false + }, + "public_share_password_necessity": { + "type": "string", + "mandatory": false, + "options": [ + "nothing", + "writable", + "all" + ] + }, + "public_share_password_policy_active": { + "type": "boolean", + "mandatory": false } } From a81ba565e106fafb861a0ace311b9ffce0b78b3a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 3 Jul 2024 08:26:19 +0200 Subject: [PATCH 10/51] =?UTF-8?q?[mod]=20role:owncloud:Einstellungen=20f?= =?UTF-8?q?=C3=BCr=20=C3=B6ffentliche=20Freigaben?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/owncloud/templates/env.j2 | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/roles/owncloud/templates/env.j2 b/roles/owncloud/templates/env.j2 index 731508c..ae97e3a 100644 --- a/roles/owncloud/templates/env.j2 +++ b/roles/owncloud/templates/env.j2 @@ -25,20 +25,20 @@ WEB_OIDC_SCOPE="openid profile email groups" {% endif %} {% if var_owncloud_public_share_password_necessity == 'nothing' %} -SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD="false" -SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD="false" +OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD="false" +OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD="false" {% endif %} {% if var_owncloud_public_share_password_necessity == 'writable' %} -SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD="false" -SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD="true" +OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD="false" +OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD="true" {% endif %} {% if var_owncloud_public_share_password_necessity == 'all' %} -SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD="true" -SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD="true" +OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD="true" +OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD="true" {% endif %} {% if var_owncloud_public_share_password_policy_active %} -SHARING_PASSWORD_POLICY_DISABLED="false" +OCIS_SHARING_PASSWORD_POLICY_DISABLED="false" {% else %} -SHARING_PASSWORD_POLICY_DISABLED="true" +OCIS_SHARING_PASSWORD_POLICY_DISABLED="true" {% endif %} From dc28d22a908966f04e67019b3cee3f701f84e3d2 Mon Sep 17 00:00:00 2001 
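Review bot: The `OCIS_SHARING_` prefix is applied to all four variables, but please verify each renamed name against the sharing service reference for the pinned 5.0.0 release, the password-policy toggle in particular; an unrecognised environment variable is silently ignored, and the policy would then stay at its built-in default rather than at the value `var_owncloud_public_share_password_policy_active` requests. A short comment above the block naming the documentation page these names come from would make the next rename verifiable.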
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 3 Jul 2024 21:55:57 +0200 Subject: [PATCH 11/51] [mod] role:hedgedoc-and-nginx:tls mode --- roles/hedgedoc-and-nginx/defaults/main.json | 3 +- roles/hedgedoc-and-nginx/templates/conf.j2 | 38 +++++++++++++++------ roles/hedgedoc-and-nginx/vardef.json | 15 ++++++++ 3 files changed, 45 insertions(+), 11 deletions(-) create mode 100644 roles/hedgedoc-and-nginx/vardef.json diff --git a/roles/hedgedoc-and-nginx/defaults/main.json b/roles/hedgedoc-and-nginx/defaults/main.json index 840159e..aab8b85 100644 --- a/roles/hedgedoc-and-nginx/defaults/main.json +++ b/roles/hedgedoc-and-nginx/defaults/main.json @@ -1,3 +1,4 @@ { - "var_hedgedoc_and_nginx_domain": "hedgedoc.example.org" + "var_hedgedoc_and_nginx_domain": "hedgedoc.example.org", + "var_hedgedoc_and_nginx_tls_mode": "enable" } diff --git a/roles/hedgedoc-and-nginx/templates/conf.j2 b/roles/hedgedoc-and-nginx/templates/conf.j2 index 467a014..cb5480d 100644 --- a/roles/hedgedoc-and-nginx/templates/conf.j2 +++ b/roles/hedgedoc-and-nginx/templates/conf.j2 @@ -3,16 +3,7 @@ map $http_upgrade $connection_upgrade { '' close; } -server { - server_name {{var_hedgedoc_and_nginx_domain}}; - - listen [::]:443 ssl http2; - listen 443 ssl http2; - - ssl_certificate /etc/ssl/fullchains/{{var_hedgedoc_and_nginx_domain}}.pem; - ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem; - include /etc/nginx/ssl-hardening.conf; - +{% macro hedgedoc_common() %} location / { proxy_pass http://localhost:3000; proxy_set_header Host $host; 
@@ -30,4 +21,31 @@ server { proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; } +{% endmacro %} + +server { + server_name {{var_hedgedoc_and_nginx_domain}}; + + listen 80; + listen [::]:80; + +{% if (var_element_and_nginx_tls_mode == "force") %} + return 301 https://$http_host$request_uri; +{% else %} + {{ hedgedoc_common() }} +{% endif %} +} + +{% if (var_element_and_nginx_tls_mode != "disable") %} +server { + server_name {{var_hedgedoc_and_nginx_domain}}; + + listen [::]:443 ssl http2; + listen 443 ssl http2; + + ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{var_hedgedoc_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; + + {{ hedgedoc_common() }} } diff --git a/roles/hedgedoc-and-nginx/vardef.json b/roles/hedgedoc-and-nginx/vardef.json new file mode 100644 index 0000000..e1e1a74 --- /dev/null +++ b/roles/hedgedoc-and-nginx/vardef.json @@ -0,0 +1,15 @@ +{ + "domain": { + "type": "string", + "mandatory": false + }, + "tls_mode": { + "type": "string", + "options": [ + "disable", + "enable", + "force" + ], + "mandatory": false + } +} From fc03370b1942bce475b9a4eeac9b3e5e8cf86e4a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 3 Jul 2024 22:02:06 +0200 Subject: [PATCH 12/51] [mod] role:authelia-and-nginx:tls mode --- roles/authelia-and-nginx/defaults/main.json | 3 +- roles/authelia-and-nginx/templates/conf.j2 | 54 ++++++++++++--------- roles/authelia-and-nginx/vardef.json | 15 ++++++ 3 files changed, 49 insertions(+), 23 deletions(-) create mode 100644 roles/authelia-and-nginx/vardef.json diff --git a/roles/authelia-and-nginx/defaults/main.json b/roles/authelia-and-nginx/defaults/main.json index 7559dcb..e1d1396 100644 --- a/roles/authelia-and-nginx/defaults/main.json +++ b/roles/authelia-and-nginx/defaults/main.json 
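Review bot: Both conditions test `var_element_and_nginx_tls_mode`, a variable of the element role, instead of the `var_hedgedoc_and_nginx_tls_mode` this commit defines, so the template either fails on an undefined variable or silently follows another role's setting — `{% if (var_hedgedoc_and_nginx_tls_mode == "force") %}` and `{% if (var_hedgedoc_and_nginx_tls_mode != "disable") %}`. The second `{% if %}` is never closed: the hunk ends with the `}` of the TLS server and no `{% endif %}`, which Jinja rejects. The redirect `return 301 https://$http_host$request_uri;` takes its target host from the client-supplied Host header; `$server_name` (as the authelia and dokuwiki configs used before this series) or `$host` keeps the redirect pinned to the configured name. The authelia and dokuwiki hunks later on this page carry the same `var_element_and_nginx_tls_mode` and `$http_host` issues.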
@@ -1,3 +1,4 @@ { - "var_authelia_and_nginx_domain": "authelia.example.org" + "var_authelia_and_nginx_domain": "authelia.example.org", + "var_authelia_and_nginx_tls_mode": "enable" } diff --git a/roles/authelia-and-nginx/templates/conf.j2 b/roles/authelia-and-nginx/templates/conf.j2 index 231a61d..8bd176e 100644 --- a/roles/authelia-and-nginx/templates/conf.j2 +++ b/roles/authelia-and-nginx/templates/conf.j2 @@ -1,22 +1,4 @@ -server { - server_name {{var_authelia_and_nginx_domain}}; - - listen [::]:80; - listen 80; - - return 301 https://$server_name$request_uri; -} - -server { - server_name {{var_authelia_and_nginx_domain}}; - - listen [::]:443 ssl http2; - listen 443 ssl http2; - - ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem; - ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem; - include /etc/nginx/ssl-hardening.conf; - +{% macro authelia_common() %} location / { ## Headers proxy_set_header Host $host; @@ -28,7 +10,7 @@ server { proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Connection ""; - + ## Basic Proxy Configuration client_body_buffer_size 128k; proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead. @@ -37,7 +19,7 @@ server { proxy_cache_bypass $cookie_session; proxy_no_cache $cookie_session; proxy_buffers 64 256k; - + ## Trusted Proxies Configuration ## Please read the following documentation before configuring this: ## https://www.authelia.com/integration/proxies/nginx/#trusted-proxies @@ -47,7 +29,7 @@ server { # set_real_ip_from fc00::/7; real_ip_header X-Forwarded-For; real_ip_recursive on; - + ## Advanced Proxy Configuration send_timeout 5m; proxy_read_timeout 360; 
@@ -60,4 +42,32 @@ server { location /api/verify { proxy_pass http://localhost:9091; } +{% endmacro %} + +server { + server_name {{var_authelia_and_nginx_domain}}; + + listen 80; + listen [::]:80; + +{% if (var_authelia_and_nginx_tls_mode == "force") %} + return 301 https://$http_host$request_uri; +{% else %} + {{ authelia_common() }} +{% endif %} } + +{% if (var_element_and_nginx_tls_mode != "disable") %} +server { + server_name {{var_authelia_and_nginx_domain}}; + + listen [::]:443 ssl http2; + listen 443 ssl http2; + + ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; + + {{ authelia_common() }} +} +{% endif %} diff --git a/roles/authelia-and-nginx/vardef.json b/roles/authelia-and-nginx/vardef.json new file mode 100644 index 0000000..e1e1a74 --- /dev/null +++ b/roles/authelia-and-nginx/vardef.json @@ -0,0 +1,15 @@ +{ + "domain": { + "type": "string", + "mandatory": false + }, + "tls_mode": { + "type": "string", + "options": [ + "disable", + "enable", + "force" + ], + "mandatory": false + } +} From 6d42a70bd411417223c9030ee7c523b577938e1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 3 Jul 2024 22:10:07 +0200 Subject: [PATCH 13/51] [mod] roles:dokuwiki-and-nginx:tls mode --- roles/dokuwiki-and-nginx/defaults/main.json | 2 +- roles/dokuwiki-and-nginx/templates/conf.j2 | 48 +++++++++++++-------- roles/dokuwiki-and-nginx/vardef.json | 19 ++++++++ 3 files changed, 49 insertions(+), 20 deletions(-) create mode 100644 roles/dokuwiki-and-nginx/vardef.json diff --git a/roles/dokuwiki-and-nginx/defaults/main.json b/roles/dokuwiki-and-nginx/defaults/main.json index 22367fe..05e1d7f 100644 --- a/roles/dokuwiki-and-nginx/defaults/main.json +++ b/roles/dokuwiki-and-nginx/defaults/main.json 
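Review bot: The TLS server block is guarded by `{% if (var_element_and_nginx_tls_mode != "disable") %}` but this role's variable is `var_authelia_and_nginx_tls_mode`, defined in defaults/main.json in the same patch; with the element variable undefined the template fails to render. The default `tls_mode` of `enable` also replaces the previous unconditional `return 301 https://…` with a plaintext `:80` vhost that serves `authelia_common()` directly, so the login form and session cookie of the identity provider become reachable over HTTP by default; for an authentication service `force` is the safer default, and `disable` should at most be documented as the behind-a-TLS-terminator option. The same default downgrade applies to the dokuwiki and gitlab templates later in this series, both of which previously redirected to HTTPS. The visible `# set_real_ip_from fc00::/7;` line is still commented out, so `real_ip_header X-Forwarded-For` inside the macro has no trusted source and is inert (pre-existing, now carried into the macro).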
@@ -1,5 +1,5 @@ { "var_dokuwiki_and_nginx_directory": "/opt/dokuwiki", "var_dokuwiki_and_nginx_domain": "dokuwiki.example.org", - "var_dokuwiki_and_nginx_tls_enable": true + "var_dokuwiki_and_nginx_tls_mode": "enable" } diff --git a/roles/dokuwiki-and-nginx/templates/conf.j2 b/roles/dokuwiki-and-nginx/templates/conf.j2 index 514ceab..03cbbda 100644 --- a/roles/dokuwiki-and-nginx/templates/conf.j2 +++ b/roles/dokuwiki-and-nginx/templates/conf.j2 @@ -1,22 +1,4 @@ -server { - listen 80; - listen [::]:80; - server_name {{var_dokuwiki_and_nginx_domain}}; - return 301 https://$server_name$request_uri; -} - -server { - listen [::]:443 ssl; - listen 443 ssl; - - server_name {{var_dokuwiki_and_nginx_domain}}; - -{% if var_dokuwiki_and_nginx_tls_enable %} - ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem; - ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem; - include /etc/nginx/ssl-hardening.conf; -{% endif %} - +{% macro dokuwiki_common() %} # Maximum file upload size is 4MB - change accordingly if needed client_max_body_size 4M; client_body_buffer_size 128k; @@ -58,4 +40,32 @@ server { fastcgi_pass unix:/var/run/php/php8.2-fpm.sock; # fastcgi_pass unix:/var/run/php5-fpm.sock; #old php version } +{% endif %} + +server { + server_name {{var_dokuwki_and_nginx_domain}}; + + listen 80; + listen [::]:80; + +{% if (var_dokuwki_and_nginx_tls_mode == "force") %} + return 301 https://$http_host$request_uri; +{% else %} + {{ dokuwki_common() }} +{% endif %} } + +{% if (var_element_and_nginx_tls_mode != "disable") %} +server { + server_name {{var_dokuwki_and_nginx_domain}}; + + listen [::]:443 ssl http2; + listen 443 ssl http2; + + ssl_certificate_key /etc/ssl/private/{{var_dokuwki_and_nginx_domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{var_dokuwki_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; + + {{ dokuwki_common() }} +} +{% endif %} 
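Review bot: The new server blocks reference `var_dokuwki_and_nginx_domain`, `var_dokuwki_and_nginx_tls_mode` and `dokuwki_common()` (second `i` missing), but the defaults define `var_dokuwiki_and_nginx_…` and the macro is declared as `dokuwiki_common`, so none of these names resolve at render time. The macro is also terminated with `{% endif %}` where `{% endmacro %}` is needed, and the `:443` guard tests `var_element_and_nginx_tls_mode` instead of this role's variable. Patch 22 in this series corrects only the `endmacro`; the misspelled names and the element variable survive through patches 26 and 27 and should be fixed here.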
diff --git a/roles/dokuwiki-and-nginx/vardef.json b/roles/dokuwiki-and-nginx/vardef.json new file mode 100644 index 0000000..a3fa777 --- /dev/null +++ b/roles/dokuwiki-and-nginx/vardef.json @@ -0,0 +1,19 @@ +{ + "directory": { + "type": "string", + "mandatory": false + }, + "domain": { + "type": "string", + "mandatory": false + }, + "tls_mode": { + "type": "string", + "options": [ + "disable", + "enable", + "force" + ], + "mandatory": false + } +} From d08f287d738d51b64a44b04520e9ba4a14bf5f9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 3 Jul 2024 22:31:49 +0200 Subject: [PATCH 14/51] [mod] roles:synapse-and-nginx:tls mode --- roles/synapse-and-nginx/defaults/main.json | 3 +- roles/synapse-and-nginx/templates/conf.j2 | 49 +++++++++++++++------- roles/synapse-and-nginx/vardef.json | 15 +++++++ 3 files changed, 50 insertions(+), 17 deletions(-) create mode 100644 roles/synapse-and-nginx/vardef.json diff --git a/roles/synapse-and-nginx/defaults/main.json b/roles/synapse-and-nginx/defaults/main.json index 8a172d0..e504fa6 100644 --- a/roles/synapse-and-nginx/defaults/main.json +++ b/roles/synapse-and-nginx/defaults/main.json @@ -1,3 +1,4 @@ { - "var_synapse_and_nginx_domain": "REPLACE_ME" + "var_synapse_and_nginx_domain": "REPLACE_ME", + "var_synapse_and_nginx_tls_mode": "enable" } diff --git a/roles/synapse-and-nginx/templates/conf.j2 b/roles/synapse-and-nginx/templates/conf.j2 index e59fb99..d1bace3 100644 --- a/roles/synapse-and-nginx/templates/conf.j2 +++ b/roles/synapse-and-nginx/templates/conf.j2 
@@ -1,19 +1,4 @@ -server { - listen 80; - listen [::]:80; - listen 443 ssl; - listen [::]:443 ssl; - - ## For the federation port - listen 8448 ssl http2 default_server; - listen [::]:8448 ssl http2 default_server; - - server_name {{var_synapse_and_nginx_domain}}; - - ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem; - ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem; - include /etc/nginx/ssl-hardening.conf; - +{% macro synapse_common() %} location ~ ^(/_matrix|/_synapse/client) { proxy_pass http://localhost:8008; proxy_set_header X-Forwarded-For $remote_addr; @@ -24,4 +9,36 @@ server { proxy_http_version 1.1; } +{% endif %} + +server { + server_name {{var_synapse_and_nginx_domain}}; + + listen 80; + listen [::]:80; + +{% if (var_synapse_and_nginx_tls_mode == "force") %} + return 301 https://$http_host$request_uri; +{% else %} + {{ synapse_common() }} +{% endif %} } + +{% if (var_element_and_nginx_tls_mode != "disable") %} +server { + server_name {{var_synapse_and_nginx_domain}}; + + listen 443 ssl http2; + listen [::]:443 ssl http2; + + ## For the federation port + listen 8448 ssl http2 default_server; + listen [::]:8448 ssl http2 default_server; + + ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; + + {{ synapse_common() }} +} +{% endif %} diff --git a/roles/synapse-and-nginx/vardef.json b/roles/synapse-and-nginx/vardef.json new file mode 100644 index 0000000..e1e1a74 --- /dev/null +++ b/roles/synapse-and-nginx/vardef.json @@ -0,0 +1,15 @@ +{ + "domain": { + "type": "string", + "mandatory": false + }, + "tls_mode": { + "type": "string", + "options": [ + "disable", + "enable", + "force" + ], + "mandatory": false + } +} From 1553ea9f53a8c9f9646c2669f0182a2cd38f73e3 Mon Sep 17 00:00:00 2001 
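Review bot: The macro is closed with `{% endif %}` where `{% endmacro %}` is required, and the `:443` block is guarded by `var_element_and_nginx_tls_mode` instead of `var_synapse_and_nginx_tls_mode`; patch 23 fixes the first, the second persists to the end of this series. With `tls_mode: disable` the federation listeners on `8448` vanish together with the `:443` block, so other homeservers lose their inbound path; if `disable` is meant for a TLS-terminating proxy in front of nginx, the `## For the federation port` comment should say that federation must then be terminated elsewhere. Reordering `ssl_certificate_key` before `ssl_certificate` is harmless but gratuitous churn against the other roles, which list the certificate first.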
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 3 Jul 2024 22:34:15 +0200 Subject: [PATCH 15/51] [mod] roles:vikunja-and-nginx:tls mode --- roles/vikunja-and-nginx/defaults/main.json | 3 +- roles/vikunja-and-nginx/templates/conf.j2 | 41 +++++++++++++++------- roles/vikunja-and-nginx/vardef.json | 15 ++++++++ 3 files changed, 46 insertions(+), 13 deletions(-) create mode 100644 roles/vikunja-and-nginx/vardef.json diff --git a/roles/vikunja-and-nginx/defaults/main.json b/roles/vikunja-and-nginx/defaults/main.json index e08064b..494801c 100644 --- a/roles/vikunja-and-nginx/defaults/main.json +++ b/roles/vikunja-and-nginx/defaults/main.json @@ -1,3 +1,4 @@ { - "var_vikunja_and_nginx_domain": "vikunja.example.org" + "var_vikunja_and_nginx_domain": "vikunja.example.org", + "var_vikunja_and_nginx_tls_mode": "enable" } diff --git a/roles/vikunja-and-nginx/templates/conf.j2 b/roles/vikunja-and-nginx/templates/conf.j2 index a9a8241..b7fac76 100644 --- a/roles/vikunja-and-nginx/templates/conf.j2 +++ b/roles/vikunja-and-nginx/templates/conf.j2 
@@ -1,17 +1,34 @@ -server { - listen 80; - listen [::]:80; - listen 443 ssl; - listen [::]:443 ssl; - - server_name {{var_vikunja_and_nginx_domain}}; - - ssl_certificate /etc/ssl/fullchains/{{var_vikunja_and_nginx_domain}}.pem; - ssl_certificate_key /etc/ssl/private/{{var_vikunja_and_nginx_domain}}.pem; - include /etc/nginx/ssl-hardening.conf; - +{% macro vikunja_common() %} location / { proxy_pass http://localhost:3456; client_max_body_size 20M; } +{% endif %} + +server { + server_name {{var_vikunja_and_nginx_domain}}; + + listen 80; + listen [::]:80; + +{% if (var_vikunja_and_nginx_tls_mode == "force") %} + return 301 https://$http_host$request_uri; +{% else %} + {{ vikunja_common() }} +{% endif %} } + +{% if (var_element_and_nginx_tls_mode != "disable") %} +server { + server_name {{var_vikunja_and_nginx_domain}}; + + listen 443 ssl http2; + listen [::]:443 ssl http2; + + ssl_certificate_key /etc/ssl/private/{{var_vikunja_and_nginx_domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{var_vikunja_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; + + {{ vikunja_common() }} +} +{% endif %} diff --git a/roles/vikunja-and-nginx/vardef.json b/roles/vikunja-and-nginx/vardef.json new file mode 100644 index 0000000..e1e1a74 --- /dev/null +++ b/roles/vikunja-and-nginx/vardef.json @@ -0,0 +1,15 @@ +{ + "domain": { + "type": "string", + "mandatory": false + }, + "tls_mode": { + "type": "string", + "options": [ + "disable", + "enable", + "force" + ], + "mandatory": false + } +} From 0d8d5c3651d53e1b17e39c8d64464853d31b07a8 Mon Sep 17 00:00:00 2001 
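Review bot: Same two defects as the synapse and dokuwiki templates: `{% endif %}` closes the macro instead of `{% endmacro %}`, and the `:443` block is guarded by `var_element_and_nginx_tls_mode` instead of `var_vikunja_and_nginx_tls_mode`. Patches 24 and 25 later in this series fix both; squashing them into this commit would keep every intermediate revision renderable, which matters if a host is ever deployed from a checkout between them.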
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 4 Jul 2024 09:47:26 +0200 Subject: [PATCH 16/51] =?UTF-8?q?[mod]=20role:authelia:Variablen=20f=C3=BC?= =?UTF-8?q?r=20ownCloud-Anbindung?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/authelia/defaults/main.json | 5 ++++- roles/authelia/templates/conf-main.json.j2 | 8 +++++++ roles/authelia/vardef.json | 26 ++++++++++++++++++++++ 3 files changed, 38 insertions(+), 1 deletion(-) diff --git a/roles/authelia/defaults/main.json b/roles/authelia/defaults/main.json index 47b1e01..16b0b06 100644 --- a/roles/authelia/defaults/main.json +++ b/roles/authelia/defaults/main.json @@ -32,5 +32,8 @@ "var_authelia_notification_smtp_username": "authelia", "var_authelia_notification_smtp_password": "REPLACE_ME", "var_authelia_notification_smtp_sender": "authelia@example.org", - "var_authelia_oidc_hmac_secret": "REPLACE_ME" + "var_authelia_oidc_hmac_secret": "REPLACE_ME", + "var_authelia_oidc_lifespan_access_token": "1h", + "var_authelia_oidc_lifespan_authorization_code": "1m", + "var_authelia_oidc_cors_endpoints": null } diff --git a/roles/authelia/templates/conf-main.json.j2 b/roles/authelia/templates/conf-main.json.j2 index 475cda4..b2b267d 100644 --- a/roles/authelia/templates/conf-main.json.j2 +++ b/roles/authelia/templates/conf-main.json.j2 @@ -190,8 +190,16 @@ "oidc": { "hmac_secret": "{{var_authelia_oidc_hmac_secret}}", "issuer_private_key": "{{temp_tls_result.privatekey | replace('\n', '\\n')}}", + "lifespans": { + "access_token": "{{var_authelia_oidc_lifespan_access_token}}", + "authorization_code": "{{var_authelia_oidc_lifespan_authorization_code}}" + }, "cors": { "allowed_origins_from_client_redirect_uris": true +{% if oidc_cors_endpoints is None %} +{% else %} + ,"endpoints": {{var_authelia_oidc_cors_endpoints | json}} +{% endif %} }, "clients": [ ] diff --git a/roles/authelia/vardef.json b/roles/authelia/vardef.json index 9b7d5bc..731cf8a 100644 
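Review bot: `{% if oidc_cors_endpoints is None %}` cannot work as written: the variable is named `var_authelia_oidc_cors_endpoints` everywhere else in this patch, and Jinja's null test is lowercase `none` (`is None` raises an unknown-test error at render time). The empty true-branch is also unidiomatic; `{% if var_authelia_oidc_cors_endpoints is not none %} ,"endpoints": {{ var_authelia_oidc_cors_endpoints | to_json }} {% endif %}` says the same in one block — if `json` is not a filter this project defines, Ansible's builtin is `to_json`. As far as I recall Authelia's lifespan key is `authorize_code`, not `authorization_code`; please check against the Authelia configuration reference, since an unknown key fails its config validation at startup.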
--- a/roles/authelia/vardef.json +++ b/roles/authelia/vardef.json @@ -139,5 +139,31 @@ "oidc_hmac_secret": { "type": "string", "mandatory": true + }, + "oidc_lifespan_access_token": { + "nullable": true, + "type": "string", + "mandatory": false + }, + "oidc_lifespan_authorization_code": { + "nullable": true, + "type": "string", + "mandatory": false + }, + "oidc_cors_endpoints": { + "nullable": true, + "type": "array", + "items": { + "type": "string", + "enum": [ + "authorization", + "pushed-authorization-request", + "token", + "revocation", + "introspection", + "userinfo" + ] + }, + "mandatory": false } } From 717898fea8310de0abe3d4924578391732518c4a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 4 Jul 2024 09:48:33 +0200 Subject: [PATCH 17/51] [fix] role:authelia-for-owncloud:desktop client stuff [fix] role:owncloud:desktop client stuff --- .../authelia-for-owncloud/defaults/main.json | 3 --- .../authelia-client-conf-desktop.json.j2 | 5 ++-- roles/authelia-for-owncloud/vardef.json | 26 +++++++++++++++++++ roles/owncloud/defaults/main.json | 2 -- roles/owncloud/vardef.json | 8 ------ 5 files changed, 29 insertions(+), 15 deletions(-) create mode 100644 roles/authelia-for-owncloud/vardef.json diff --git a/roles/authelia-for-owncloud/defaults/main.json b/roles/authelia-for-owncloud/defaults/main.json index df89782..b12d86f 100644 --- a/roles/authelia-for-owncloud/defaults/main.json +++ b/roles/authelia-for-owncloud/defaults/main.json 
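Review bot: `oidc_lifespan_access_token` and `oidc_lifespan_authorization_code` are declared `"nullable": true`, but the template added in this patch interpolates them unconditionally into `"access_token": "…"`, so a null value renders as an empty string that Authelia will reject; either drop `nullable` (the defaults already supply `1h`/`1m`) or guard the `lifespans` object the way `endpoints` is guarded. `oidc_cors_endpoints.items` uses `"enum"` for its value list while the `tls_mode` definitions elsewhere in this series use `"options"`; unless the vardef loader understands both keywords, pick one.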
@@ -1,9 +1,6 @@ { "var_authelia_for_owncloud_owncloud_url_base": "https://owncloud.example.org", "var_authelia_for_owncloud_web_client_id": "owncloud_web", - "var_authelia_for_owncloud_web_client_secret": "REPLACE_ME", - "var_authelia_for_owncloud_desktop_client_id": "owncloud_desktop", - "var_authelia_for_owncloud_desktop_client_secret": "REPLACE_ME", "var_authelia_for_owncloud_android_client_id": "owncloud_android", "var_authelia_for_owncloud_android_client_secret": "REPLACE_ME", "var_authelia_for_owncloud_ios_client_id": "owncloud_ios", diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2 index bafc164..61b3e43 100644 --- a/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2 +++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2 @@ -1,7 +1,8 @@ { - "client_id": "{{var_authelia_for_owncloud_desktop_client_id}}", - "client_secret": "{{var_authelia_for_owncloud_desktop_client_secret}}", + "client_id": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69", + "client_secret": "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh", "client_name": "ownCloud | Desktop Client", + "authorization_policy": "one_factor", "scopes": [ "openid", "groups", diff --git a/roles/authelia-for-owncloud/vardef.json b/roles/authelia-for-owncloud/vardef.json new file mode 100644 index 0000000..8bf599d --- /dev/null +++ b/roles/authelia-for-owncloud/vardef.json @@ -0,0 +1,26 @@ +{ + "owncloud_url_base": { + "type": "string", + "mandatory": false + }, + "web_client_id": { + "type": "string", + "mandatory": false + }, + "android_client_id": { + "type": "string", + "mandatory": false + }, + "android_client_secret": { + "type": "string", + "mandatory": false + }, + "ios_client_id": { + "type": "string", + "mandatory": false + }, + "ios_client_secret": { + "type": "string", + "mandatory": false + } +} 
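Review bot: The desktop client now carries a hard-coded `client_id` and `client_secret` in the template instead of role variables; if these are the credentials built into the stock ownCloud desktop client (which the removal of the `desktop_client_*` variables suggests), they are public knowledge, so the secret authenticates nothing and the client should be treated as a public client — confirm Authelia is configured to require PKCE for it rather than relying on the secret. A comment above the two lines would save the next reader from treating the secret as a leak, e.g. `{# fixed credentials expected by the stock ownCloud desktop client; not confidential #}`. Recent Authelia versions expect `client_secret` as a password-hash digest rather than plaintext — verify the installed version accepts this form. The new vardef.json does not list `web_client_secret`, which this hunk also drops from defaults; if the web-client template still references it, rendering will fail.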
diff --git a/roles/owncloud/defaults/main.json b/roles/owncloud/defaults/main.json index 2d57364..18ef408 100644 --- a/roles/owncloud/defaults/main.json +++ b/roles/owncloud/defaults/main.json @@ -9,8 +9,6 @@ "var_owncloud_authentication_data_authelia_url_base": "https://authelia.example.org", "var_owncloud_authentication_data_authelia_web_client_id": "owncloud_web", "var_owncloud_authentication_data_authelia_web_client_secret": "REPLACE_ME", - "var_owncloud_authentication_data_authelia_desktop_client_id": "owncloud_desktop", - "var_owncloud_authentication_data_authelia_desktop_client_secret": "REPLACE_ME", "var_owncloud_authentication_data_authelia_android_client_id": "owncloud_android", "var_owncloud_authentication_data_authelia_android_client_secret": "REPLACE_ME", "var_owncloud_authentication_data_authelia_ios_client_id": "owncloud_ios", diff --git a/roles/owncloud/vardef.json b/roles/owncloud/vardef.json index d480c01..95edd32 100644 --- a/roles/owncloud/vardef.json +++ b/roles/owncloud/vardef.json @@ -43,14 +43,6 @@ "type": "string", "mandatory": false }, - "authentication_data_authelia_desktop_client_id": { - "type": "string", - "mandatory": false - }, - "authentication_data_authelia_desktop_client_secret": { - "type": "string", - "mandatory": false - }, "authentication_data_authelia_android_client_id": { "type": "string", "mandatory": false From 6cf5a0666bf3716a05d8216f7310ae452c5f1d76 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 4 Jul 2024 11:20:40 +0200 Subject: [PATCH 18/51] =?UTF-8?q?[fix]=20role:authelia:Variablen=20f=C3=BC?= =?UTF-8?q?r=20ownCloud-Anbindung?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/authelia/defaults/main.json | 2 +- roles/authelia/vardef.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/authelia/defaults/main.json b/roles/authelia/defaults/main.json index 16b0b06..04a1f7f 100644 
--- a/roles/authelia/defaults/main.json +++ b/roles/authelia/defaults/main.json @@ -34,6 +34,6 @@ "var_authelia_notification_smtp_sender": "authelia@example.org", "var_authelia_oidc_hmac_secret": "REPLACE_ME", "var_authelia_oidc_lifespan_access_token": "1h", - "var_authelia_oidc_lifespan_authorization_code": "1m", + "var_authelia_oidc_lifespan_refresh_token": "1m", "var_authelia_oidc_cors_endpoints": null } diff --git a/roles/authelia/vardef.json b/roles/authelia/vardef.json index 731cf8a..9b651a1 100644 --- a/roles/authelia/vardef.json +++ b/roles/authelia/vardef.json @@ -145,7 +145,7 @@ "type": "string", "mandatory": false }, - "oidc_lifespan_authorization_code": { + "oidc_lifespan_refresh_token": { "nullable": true, "type": "string", "mandatory": false From 37a5b0cb7bcc161e0a3047d746e3534848607a62 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 4 Jul 2024 23:00:25 +0200 Subject: [PATCH 19/51] [mod] role:owncloud-and-nginx:tls switch --- roles/owncloud-and-nginx/defaults/main.json | 3 ++- roles/owncloud-and-nginx/templates/conf.j2 | 25 +++++++++++++++++---- roles/owncloud-and-nginx/vardef.json | 16 +++++++++++++ 3 files changed, 39 insertions(+), 5 deletions(-) create mode 100644 roles/owncloud-and-nginx/vardef.json diff --git a/roles/owncloud-and-nginx/defaults/main.json b/roles/owncloud-and-nginx/defaults/main.json index c9d2b8f..72f31e1 100644 --- a/roles/owncloud-and-nginx/defaults/main.json +++ b/roles/owncloud-and-nginx/defaults/main.json @@ -1,3 +1,4 @@ { - "var_owncloud_and_nginx_domain": "owncloud.example.org" + "var_owncloud_and_nginx_domain": "owncloud.example.org", + "var_owncloud_and_nginx_tls_mode": "enable" } diff --git a/roles/owncloud-and-nginx/templates/conf.j2 b/roles/owncloud-and-nginx/templates/conf.j2 index 77e4eaf..80fb668 100644 --- a/roles/owncloud-and-nginx/templates/conf.j2 +++ b/roles/owncloud-and-nginx/templates/conf.j2 
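Review bot: Renaming `var_authelia_oidc_lifespan_authorization_code` to `var_authelia_oidc_lifespan_refresh_token` here and in vardef.json leaves `templates/conf-main.json.j2` untouched (this patch changes only two files), and patch 16 made that template read the old name under the `authorization_code` key, so it now references an undefined variable. `1m` was a plausible authorization-code lifetime but is a very short refresh-token lifetime; if a refresh-token setting is intended, choose a value in line with Authelia's defaults and change the template key to `refresh_token` in the same commit.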
@@ -1,16 +1,33 @@ +{% macro owncloud_common() %} + location / { + proxy_pass http://localhost:9200; + } +{% endmacro %} + server { listen 80; listen [::]:80; + + server_name {{var_owncloud_and_nginx_domain}}; + +{% if var_owncloud_and_nginx_tls_mode == 'force' %} + return 301 https://$http_host$request_uri; +{% else %} + {{ owncloud_common() }} +{% endif %} +} + +{% if var_owncloud_and_nginx_tls_mode != 'disable' %} +server { listen 443 ssl; listen [::]:443 ssl; server_name {{var_owncloud_and_nginx_domain}}; - ssl_certificate /etc/ssl/fullchains/{{var_owncloud_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_owncloud_and_nginx_domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{var_owncloud_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - location / { - proxy_pass http://localhost:9200; - } + {{ owncloud_common() }} } +{% endif %} diff --git a/roles/owncloud-and-nginx/vardef.json b/roles/owncloud-and-nginx/vardef.json new file mode 100644 index 0000000..78b56a8 --- /dev/null +++ b/roles/owncloud-and-nginx/vardef.json @@ -0,0 +1,16 @@ + +{ + "domain": { + "type": "string", + "mandatory": false + }, + "tls_mode": { + "type": "string", + "options": [ + "disable", + "enable", + "force" + ], + "mandatory": false + } +} From 37682a6e24d0ab5878a87b1384f1e95b50fe0dbc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 09:10:50 +0200 Subject: [PATCH 20/51] [mod] role:system_basics:install package "acl" --- roles/system_basics/tasks/main.json | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/system_basics/tasks/main.json b/roles/system_basics/tasks/main.json index d19d6fb..cb39ff3 100644 --- a/roles/system_basics/tasks/main.json +++ b/roles/system_basics/tasks/main.json @@ -21,6 +21,7 @@ "become": true, "ansible.builtin.apt": { "pkg": [ + "acl", "vim", "htop", "tmux", From bceb605f6802f527d09e49737055191c6fe16a10 Mon Sep 17 00:00:00 2001 
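Review bot: This template is the only one in the series that tests its own role's `tls_mode` variable and closes the macro with `{% endmacro %}`, so the logic is sound; two smaller points. The `:443` listeners omit `http2`, unlike the authelia/synapse/vikunja templates — `listen 443 ssl http2;` / `listen [::]:443 ssl http2;` would align them. The macro's `location /` proxies to `localhost:9200` with no `proxy_set_header X-Forwarded-Proto $scheme;` or `Host` header, so once `enable` serves both vhosts the backend cannot tell whether a request arrived over TLS; if ownCloud derives redirect or OIDC URLs from that, they will be wrong on the plaintext vhost (pre-existing, but the dual-vhost layout makes it matter).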
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 09:11:20 +0200 Subject: [PATCH 21/51] [mod] roles:gitlab-and-nginx:tls mode --- roles/gitlab-and-nginx/defaults/main.json | 3 +- roles/gitlab-and-nginx/templates/conf.j2 | 125 ++++++++++++---------- roles/gitlab-and-nginx/vardef.json | 19 ++++ 3 files changed, 88 insertions(+), 59 deletions(-) create mode 100644 roles/gitlab-and-nginx/vardef.json diff --git a/roles/gitlab-and-nginx/defaults/main.json b/roles/gitlab-and-nginx/defaults/main.json index 6bffbd7..4f0da06 100644 --- a/roles/gitlab-and-nginx/defaults/main.json +++ b/roles/gitlab-and-nginx/defaults/main.json @@ -1,4 +1,5 @@ { "var_gitlab_and_nginx_domain": "element.example.org", - "var_gitlab_and_nginx_path": "/opt/element" + "var_gitlab_and_nginx_path": "/opt/element", + "var_gitlab_and_nginx_tls_mode": "enable" } diff --git a/roles/gitlab-and-nginx/templates/conf.j2 b/roles/gitlab-and-nginx/templates/conf.j2 index 4208162..abbb012 100644 --- a/roles/gitlab-and-nginx/templates/conf.j2 +++ b/roles/gitlab-and-nginx/templates/conf.j2 
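Review bot: The defaults still carry the element role's values, `"var_gitlab_and_nginx_domain": "element.example.org"` and `"var_gitlab_and_nginx_path": "/opt/element"`, which this hunk keeps while adding `tls_mode`. Patch 01 of this series already rewrote them to `gitlab.example.org` / `/opt/gitlab` starting from the same base blob `6bffbd7`, so one of the two patches cannot apply cleanly on top of the other; this hunk should be rebased onto the patch-01 version of the file.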
@@ -1,64 +1,7 @@ -upstream gitlab-workhorse { - server unix:/home/git/gitlab/tmp/sockets/gitlab-workhorse.socket fail_timeout=0; -} - -map $http_upgrade $connection_upgrade_gitlab_ssl { - default upgrade; - '' close; -} - -log_format gitlab_ssl_access '$remote_addr - $remote_user [$time_local] "$request_method $gitlab_ssl_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_ssl_filtered_http_referer" "$http_user_agent"'; - -map $request_uri $gitlab_ssl_temp_request_uri_1 { - default $request_uri; - ~(?i)^(?.*)(?[\?&]private[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest"; -} - -map $gitlab_ssl_temp_request_uri_1 $gitlab_ssl_temp_request_uri_2 { - default $gitlab_ssl_temp_request_uri_1; - ~(?i)^(?.*)(?[\?&]authenticity[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest"; -} - -map $gitlab_ssl_temp_request_uri_2 $gitlab_ssl_filtered_request_uri { - default $gitlab_ssl_temp_request_uri_2; - ~(?i)^(?.*)(?[\?&]feed[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest"; -} - -map $http_referer $gitlab_ssl_filtered_http_referer { - default $http_referer; - ~^(?.*)\? 
$temp; -} - -server { - listen 80 default_server; - listen [::]:80 ipv6only=on default_server; - - server_name {{var_gitlab_and_nginx_domain}}; - server_tokens off; - - return 301 https://$http_host$request_uri; - - access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; - error_log /var/log/nginx/gitlab_error.log; -} - -server { - listen 0.0.0.0:443 ssl http2; - listen [::]:443 ipv6only=on ssl http2 default_server; - - server_name {{var_gitlab_and_nginx_domain}}; - server_tokens off; - - ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem; - ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem; - include /etc/nginx/ssl-hardening.conf; - +{% macro gitlab_common() %} real_ip_header X-Real-IP; real_ip_recursive off; - access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; - error_log /var/log/nginx/gitlab_error.log; - location / { client_max_body_size 0; gzip off; 
@@ -90,5 +33,71 @@ server { root /home/git/gitlab/public; internal; } +{% endmacro %} + +upstream gitlab-workhorse { + server unix:/home/git/gitlab/tmp/sockets/gitlab-workhorse.socket fail_timeout=0; } +map $http_upgrade $connection_upgrade_gitlab_ssl { + default upgrade; + '' close; +} + +log_format gitlab_ssl_access '$remote_addr - $remote_user [$time_local] "$request_method $gitlab_ssl_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_ssl_filtered_http_referer" "$http_user_agent"'; + +map $request_uri $gitlab_ssl_temp_request_uri_1 { + default $request_uri; + ~(?i)^(?.*)(?[\?&]private[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest"; +} + +map $gitlab_ssl_temp_request_uri_1 $gitlab_ssl_temp_request_uri_2 { + default $gitlab_ssl_temp_request_uri_1; + ~(?i)^(?.*)(?[\?&]authenticity[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest"; +} + +map $gitlab_ssl_temp_request_uri_2 $gitlab_ssl_filtered_request_uri { + default $gitlab_ssl_temp_request_uri_2; + ~(?i)^(?.*)(?[\?&]feed[\-_]token)=[^&]*(?.*)$ "$start$temp=[FILTERED]$rest"; +} + +map $http_referer $gitlab_ssl_filtered_http_referer { + default $http_referer; + ~^(?.*)\? 
$temp; +} + +server { + server_name {{var_gitlab_and_nginx_domain}}; + server_tokens off; + + listen 80; + listen [::]:80 ipv6only=on; + +{% if var_gitlab_and_nginx_tls_mode == 'force' %} + return 301 https://$http_host$request_uri; +{% else %} + access_log /var/log/nginx/gitlab_access.log; + error_log /var/log/nginx/gitlab_error.log; + + {{ gitlab_common() }} +{% endif %} +} + +{% if var_gitlab_and_nginx_tls_mode != 'disable' %} +server { + server_name {{var_gitlab_and_nginx_domain}}; + server_tokens off; + + listen 443 ssl http2; + listen [::]:443 ipv6only=on ssl http2; + + ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem; + ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; + + access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; + error_log /var/log/nginx/gitlab_error.log; + + {{ gitlab_common() }} +} +{% endif %} diff --git a/roles/gitlab-and-nginx/vardef.json b/roles/gitlab-and-nginx/vardef.json new file mode 100644 index 0000000..eff28cf --- /dev/null +++ b/roles/gitlab-and-nginx/vardef.json @@ -0,0 +1,19 @@ +{ + "domain": { + "mandatory": false, + "type": "string" + }, + "path": { + "mandatory": false, + "type": "string" + }, + "tls_mode": { + "mandatory": false, + "type": "string", + "options": [ + "disable", + "enable", + "force" + ] + } +} From e82b76cef18ef98dec7330fc3700a285871d69bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 09:11:41 +0200 Subject: [PATCH 22/51] [fix] role:dokuwiki-and-nginx --- roles/dokuwiki-and-nginx/templates/conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/dokuwiki-and-nginx/templates/conf.j2 b/roles/dokuwiki-and-nginx/templates/conf.j2 index 03cbbda..8dbf888 100644 --- a/roles/dokuwiki-and-nginx/templates/conf.j2 +++ b/roles/dokuwiki-and-nginx/templates/conf.j2 
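Review bot: In the new plaintext `server` block `access_log /var/log/nginx/gitlab_access.log;` drops the `gitlab_ssl_access` log format that the `map` chain above exists for, so on `:80` the `private_token`, `authenticity_token` and `feed_token` query parameters are written to the access log unfiltered through nginx's default format; use `access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;` there, as the `:443` block does. `default_server` was removed from every `listen` line, which changes which vhost answers for unknown `Host` headers on that port and deserves a sentence in the commit message. The macro still sets `real_ip_header X-Real-IP; real_ip_recursive off;` without any `set_real_ip_from`, which leaves the realip directive a no-op (pre-existing, now shared by both vhosts).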
@@ -40,7 +40,7 @@ fastcgi_pass unix:/var/run/php/php8.2-fpm.sock; # fastcgi_pass unix:/var/run/php5-fpm.sock; #old php version } -{% endif %} +{% endmacro %} server { server_name {{var_dokuwki_and_nginx_domain}}; From 7e0f48a332d9034d314dc690c7e153aa06eb0893 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 09:11:53 +0200 Subject: [PATCH 23/51] [fix] role:synapse-and-nginx --- roles/synapse-and-nginx/templates/conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/synapse-and-nginx/templates/conf.j2 b/roles/synapse-and-nginx/templates/conf.j2 index d1bace3..c2b1066 100644 --- a/roles/synapse-and-nginx/templates/conf.j2 +++ b/roles/synapse-and-nginx/templates/conf.j2 @@ -9,7 +9,7 @@ proxy_http_version 1.1; } -{% endif %} +{% endmacro %} server { server_name {{var_synapse_and_nginx_domain}}; From 2048b1f2ce1a0fe94963c284358d79169bb98c70 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 09:12:07 +0200 Subject: [PATCH 24/51] [fix] role:vikunja-and-nginx --- roles/vikunja-and-nginx/templates/conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/vikunja-and-nginx/templates/conf.j2 b/roles/vikunja-and-nginx/templates/conf.j2 index b7fac76..bcfb5dd 100644 --- a/roles/vikunja-and-nginx/templates/conf.j2 +++ b/roles/vikunja-and-nginx/templates/conf.j2 @@ -3,7 +3,7 @@ proxy_pass http://localhost:3456; client_max_body_size 20M; } -{% endif %} +{% endmacro %} server { server_name {{var_vikunja_and_nginx_domain}}; From 71f0549191e8db2ab3d194b2f4bbc6890ad41f7d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 09:14:52 +0200 Subject: [PATCH 25/51] [fix] role:vikunja-and-nginx --- roles/vikunja-and-nginx/templates/conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/vikunja-and-nginx/templates/conf.j2 b/roles/vikunja-and-nginx/templates/conf.j2 index bcfb5dd..2344097 100644 
--- a/roles/vikunja-and-nginx/templates/conf.j2 +++ b/roles/vikunja-and-nginx/templates/conf.j2 @@ -18,7 +18,7 @@ server { {% endif %} } -{% if (var_element_and_nginx_tls_mode != "disable") %} +{% if (var_vikunja_and_nginx_tls_mode != "disable") %} server { server_name {{var_vikunja_and_nginx_domain}}; From 75caf79a51cb97c9c14f82f88e5ae685f6ed6c44 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 09:19:57 +0200 Subject: [PATCH 26/51] [mod] nginx-connector-roles:conf formatting --- roles/authelia-and-nginx/templates/conf.j2 | 4 ++-- roles/dokuwiki-and-nginx/templates/conf.j2 | 4 ++-- roles/element-and-nginx/templates/conf.j2 | 4 ++-- roles/gitlab-and-nginx/templates/conf.j2 | 4 ++-- roles/hedgedoc-and-nginx/templates/conf.j2 | 4 ++-- roles/synapse-and-nginx/templates/conf.j2 | 4 ++-- roles/vikunja-and-nginx/templates/conf.j2 | 4 ++-- 7 files changed, 14 insertions(+), 14 deletions(-) diff --git a/roles/authelia-and-nginx/templates/conf.j2 b/roles/authelia-and-nginx/templates/conf.j2 index 8bd176e..e6c60cc 100644 --- a/roles/authelia-and-nginx/templates/conf.j2 +++ b/roles/authelia-and-nginx/templates/conf.j2 @@ -53,7 +53,7 @@ server { {% if (var_authelia_and_nginx_tls_mode == "force") %} return 301 https://$http_host$request_uri; {% else %} - {{ authelia_common() }} +{{ authelia_common() }} {% endif %} } @@ -68,6 +68,6 @@ server { ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - {{ authelia_common() }} +{{ authelia_common() }} } {% endif %} diff --git a/roles/dokuwiki-and-nginx/templates/conf.j2 b/roles/dokuwiki-and-nginx/templates/conf.j2 index 8dbf888..da2d6d5 100644 --- a/roles/dokuwiki-and-nginx/templates/conf.j2 +++ b/roles/dokuwiki-and-nginx/templates/conf.j2 @@ -51,7 +51,7 @@ server { {% if (var_dokuwki_and_nginx_tls_mode == "force") %} return 301 https://$http_host$request_uri; {% else %} - {{ dokuwki_common() }} +{{ dokuwki_common() }} {% endif %} } 
@@ -66,6 +66,6 @@ server { ssl_certificate /etc/ssl/fullchains/{{var_dokuwki_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - {{ dokuwki_common() }} +{{ dokuwki_common() }} } {% endif %} diff --git a/roles/element-and-nginx/templates/conf.j2 b/roles/element-and-nginx/templates/conf.j2 index 6df3e18..875c002 100644 --- a/roles/element-and-nginx/templates/conf.j2 +++ b/roles/element-and-nginx/templates/conf.j2 @@ -10,7 +10,7 @@ server { {% if (var_element_and_nginx_tls_mode == "force") %} return 301 https://$http_host$request_uri; {% else %} - {{ element_common() }} +{{ element_common() }} {% endif %} } {% if (var_element_and_nginx_tls_mode != "disable") %} @@ -25,6 +25,6 @@ server { ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - {{ element_common() }} +{{ element_common() }} } {% endif %} diff --git a/roles/gitlab-and-nginx/templates/conf.j2 b/roles/gitlab-and-nginx/templates/conf.j2 index abbb012..31fa777 100644 --- a/roles/gitlab-and-nginx/templates/conf.j2 +++ b/roles/gitlab-and-nginx/templates/conf.j2 @@ -79,7 +79,7 @@ server { access_log /var/log/nginx/gitlab_access.log; error_log /var/log/nginx/gitlab_error.log; - {{ gitlab_common() }} +{{ gitlab_common() }} {% endif %} } @@ -98,6 +98,6 @@ server { access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; error_log /var/log/nginx/gitlab_error.log; - {{ gitlab_common() }} +{{ gitlab_common() }} } {% endif %} diff --git a/roles/hedgedoc-and-nginx/templates/conf.j2 b/roles/hedgedoc-and-nginx/templates/conf.j2 index cb5480d..6dd578e 100644 --- a/roles/hedgedoc-and-nginx/templates/conf.j2 +++ b/roles/hedgedoc-and-nginx/templates/conf.j2 @@ -32,7 +32,7 @@ server { {% if (var_element_and_nginx_tls_mode == "force") %} return 301 https://$http_host$request_uri; {% else %} - {{ hedgedoc_common() }} +{{ hedgedoc_common() }} {% endif %} } 
@@ -47,5 +47,5 @@ server { ssl_certificate /etc/ssl/fullchains/{{var_hedgedoc_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - {{ hedgedoc_common() }} +{{ hedgedoc_common() }} } diff --git a/roles/synapse-and-nginx/templates/conf.j2 b/roles/synapse-and-nginx/templates/conf.j2 index c2b1066..47f6269 100644 --- a/roles/synapse-and-nginx/templates/conf.j2 +++ b/roles/synapse-and-nginx/templates/conf.j2 @@ -20,7 +20,7 @@ server { {% if (var_synapse_and_nginx_tls_mode == "force") %} return 301 https://$http_host$request_uri; {% else %} - {{ synapse_common() }} +{{ synapse_common() }} {% endif %} } @@ -39,6 +39,6 @@ server { ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - {{ synapse_common() }} +{{ synapse_common() }} } {% endif %} diff --git a/roles/vikunja-and-nginx/templates/conf.j2 b/roles/vikunja-and-nginx/templates/conf.j2 index 2344097..854d39d 100644 --- a/roles/vikunja-and-nginx/templates/conf.j2 +++ b/roles/vikunja-and-nginx/templates/conf.j2 @@ -14,7 +14,7 @@ server { {% if (var_vikunja_and_nginx_tls_mode == "force") %} return 301 https://$http_host$request_uri; {% else %} - {{ vikunja_common() }} +{{ vikunja_common() }} {% endif %} } @@ -29,6 +29,6 @@ server { ssl_certificate /etc/ssl/fullchains/{{var_vikunja_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - {{ vikunja_common() }} +{{ vikunja_common() }} } {% endif %} From 3d02e0f4fbf5626bdfe8c6cb4493661d976fdd87 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 10:38:28 +0200 Subject: [PATCH 27/51] [mod] nginx-connector-roles:conf formatting --- roles/authelia-and-nginx/templates/conf.j2 | 4 +- roles/dokuwiki-and-nginx/templates/conf.j2 | 4 +- roles/element-and-nginx/defaults/main.json | 12 +---- roles/element-and-nginx/meta/main.json | 32 ------------ roles/element-and-nginx/templates/conf.j2 | 11 +++-- roles/element-and-nginx/vardef.json | 57 +++------------------- roles/gitlab-and-nginx/templates/conf.j2 | 4 +- roles/hedgedoc-and-nginx/templates/conf.j2 | 4 +- roles/synapse-and-nginx/templates/conf.j2 | 4 +- roles/vikunja-and-nginx/templates/conf.j2 | 4 +- 10 files changed, 25 insertions(+), 111 deletions(-) delete mode 100644 roles/element-and-nginx/meta/main.json diff --git a/roles/authelia-and-nginx/templates/conf.j2 b/roles/authelia-and-nginx/templates/conf.j2 index e6c60cc..417fb06 100644 --- a/roles/authelia-and-nginx/templates/conf.j2 +++ b/roles/authelia-and-nginx/templates/conf.j2 @@ -50,14 +50,14 @@ server { listen 80; listen [::]:80; -{% if (var_authelia_and_nginx_tls_mode == "force") %} +{% if (var_authelia_and_nginx_tls_mode == 'force') %} return 301 https://$http_host$request_uri; {% else %} {{ authelia_common() }} {% endif %} } -{% if (var_element_and_nginx_tls_mode != "disable") %} +{% if (var_element_and_nginx_tls_mode != 'disable') %} server { server_name {{var_authelia_and_nginx_domain}}; diff --git a/roles/dokuwiki-and-nginx/templates/conf.j2 b/roles/dokuwiki-and-nginx/templates/conf.j2 index da2d6d5..4cfdac5 100644 --- a/roles/dokuwiki-and-nginx/templates/conf.j2 +++ b/roles/dokuwiki-and-nginx/templates/conf.j2 
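Review bot: The guard around the HTTPS server block on the new side still tests `var_element_and_nginx_tls_mode` although this is the authelia role's template, so whether authelia's TLS server is rendered depends on a variable owned by another role (and possibly undefined when authelia is deployed without element); the line should read `{% if (var_authelia_and_nginx_tls_mode != 'disable') %}`. The same cross-role reference is carried over unchanged by this commit's dokuwiki, hedgedoc and synapse hunks, each of which should test its own role's `_tls_mode` variable. Patches 28 to 33 in this series do make exactly these corrections, so the point applies to this commit taken on its own; the quote-style change itself is fine.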
@@ -48,14 +48,14 @@ server { listen 80; listen [::]:80; -{% if (var_dokuwki_and_nginx_tls_mode == "force") %} +{% if (var_dokuwki_and_nginx_tls_mode == 'force') %} return 301 https://$http_host$request_uri; {% else %} {{ dokuwki_common() }} {% endif %} } -{% if (var_element_and_nginx_tls_mode != "disable") %} +{% if (var_element_and_nginx_tls_mode != 'disable') %} server { server_name {{var_dokuwki_and_nginx_domain}}; diff --git a/roles/element-and-nginx/defaults/main.json b/roles/element-and-nginx/defaults/main.json index aa43d9e..4c7e5b6 100644 --- a/roles/element-and-nginx/defaults/main.json +++ b/roles/element-and-nginx/defaults/main.json @@ -1,15 +1,5 @@ { "var_element_and_nginx_domain": "element.example.org", "var_element_and_nginx_path": "/opt/element", - "var_element_and_nginx_element_version": "v1.11.47", - "var_element_and_nginx_element_matrix_baseurl": "https://matrix.example.org", - "var_element_and_nginx_element_server_name": "example" - "var_element_and_nginx_tls_mode": "disable", - "var_element_and_nginx_tls_cert_kind": "none", - "var_element_and_nginx_tls_cert_data_existing_key_path": "/tmp/key.pem", - "var_element_and_nginx_tls_cert_data_existing_cert_path": "/tmp/cert.pem", - "var_element_and_nginx_tls_cert_data_existing_fullchain_path": "/tmp/fullchain.pem", - "var_element_and_nginx_tls_cert_data_acme_inwx_acme_account_email": "REPLACE_ME", - "var_element_and_nginx_tls_cert_data_acme_inwx_inwx_account_username": "REPLACE_ME", - "var_element_and_nginx_tls_cert_data_acme_inwx_inwx_account_password": "REPLACE_ME" + "var_element_and_nginx_tls_mode": "enable" } diff --git a/roles/element-and-nginx/meta/main.json b/roles/element-and-nginx/meta/main.json deleted file mode 100644 index 3b5f228..0000000 --- a/roles/element-and-nginx/meta/main.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "dependencies": [ - { - "role": "element", - "var_element_version": "{{var_element_and_nginx_element_version}}", - "var_element_path": "{{var_element_and_nginx_path}}", - "var_element_matrix_baseurl": "{{var_element_and_nginx_element_matrix_baseurl}}", - "var_element_server_name": "{{var_element_and_nginx_element_server_name}}" - }, - { - "when": "var_element_and_nginx_tls_cert_kind == 'existing'", - "role": "tlscert_existing", - "var_tlscert_existing_domain": "{{var_element_and_nginx_domain}}", - "var_tlscert_existing_key_path": "{{var_element_and_nginx_tls_cert_data_existing_key_path}}", - "var_tlscert_existing_cert_path": "{{var_element_and_nginx_tls_cert_data_existing_cert_path}}", - "var_tlscert_existing_fullchain_path": "{{var_element_and_nginx_tls_cert_data_existing_fullchain_path}}" - }, - { - "when": "var_element_and_nginx_tls_cert_kind == 'selfsigned'", - "role": "tlscert_selfsigned", - "var_tlscert_selfsigned": "{{var_element_and_nginx_domain}}" - }, - { - "when": "var_element_and_nginx_tls_cert_kind == 'acme_inwx'", - "role": "tlscert_acme_inwx", - "var_tlscert_acme_inwx_domain": "{{var_element_and_nginx_domain}}", - "var_tlscert_acme_inwx_acme_account_email": "{{var_element_and_nginx_tls_cert_data_acme_inwx_acme_account_email}}", - "var_tlscert_acme_inwx_inwx_account_username": "{{var_element_and_nginx_tls_cert_data_acme_inwx_inwx_account_username}}", - "var_tlscert_acme_inwx_inwx_account_password": "{{var_element_and_nginx_tls_cert_data_acme_inwx_inwx_account_password}}" - } - ] -} diff --git a/roles/element-and-nginx/templates/conf.j2 b/roles/element-and-nginx/templates/conf.j2 index 875c002..2108550 100644 --- a/roles/element-and-nginx/templates/conf.j2 +++ b/roles/element-and-nginx/templates/conf.j2 
@@ -1,28 +1,29 @@ {% macro element_common() %} - root {{var_element_and_nginx_path}}; +root {{var_element_and_nginx_path}}; {% endmacro %} + server { server_name {{var_element_and_nginx_domain}}; listen 80; listen [::]:80; - -{% if (var_element_and_nginx_tls_mode == "force") %} + +{% if (var_element_and_nginx_tls_mode == 'force') %} return 301 https://$http_host$request_uri; {% else %} {{ element_common() }} {% endif %} } -{% if (var_element_and_nginx_tls_mode != "disable") %} +{% if (var_element_and_nginx_tls_mode != 'disable') %} server { server_name {{var_element_and_nginx_domain}}; listen 443 ssl; listen [::]:443 ssl; - ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; {{ element_common() }} diff --git a/roles/element-and-nginx/vardef.json b/roles/element-and-nginx/vardef.json index a51eccf..eff28cf 100644 --- a/roles/element-and-nginx/vardef.json +++ b/roles/element-and-nginx/vardef.json 
@@ -1,64 +1,19 @@ { "domain": { - "type": "string", - "mandatory": false + "mandatory": false, + "type": "string" }, "path": { - "type": "string", - "mandatory": false - }, - "element_version": { - "type": "string", - "mandatory": false - }, - "element_matrix_baseurl": { - "type": "string", - "mandatory": false - }, - "element_server_name": { - "type": "string", - "mandatory": false + "mandatory": false, + "type": "string" }, "tls_mode": { + "mandatory": false, "type": "string", "options": [ "disable", "enable", "force" - ], - "mandatory": false - }, - "tls_cert_kind": { - "type": "string", - "options": [ - "none", - "selfsigned", - "acme_inwx" - ], - "mandatory": false - }, - "tls_cert_data_existing_key_path": { - "type": "string", - "mandatory": false - }, - "tls_cert_data_existing_cert_path": { - "type": "string", - "mandatory": false - }, - "tls_cert_data_existing_fullchain_path": { - "type": "string", - "mandatory": false - }, - "tls_cert_data_acme_inwx_acme_account_email": { - "type": "string", - "mandatory": false - }, - "tls_cert_data_acme_inwx_inwx_account_username": { - "type": "string", - "mandatory": false - }, - "tls_cert_data_acme_inwx_inwx_account_password": { - "type": "string", - "mandatory": false + ] } } diff --git a/roles/gitlab-and-nginx/templates/conf.j2 b/roles/gitlab-and-nginx/templates/conf.j2 index 31fa777..fa4e246 100644 --- a/roles/gitlab-and-nginx/templates/conf.j2 +++ b/roles/gitlab-and-nginx/templates/conf.j2 @@ -73,7 +73,7 @@ server { listen 80; listen [::]:80 ipv6only=on; -{% if var_gitlab_and_nginx_tls_mode == 'force' %} +{% if (var_gitlab_and_nginx_tls_mode == 'force') %} return 301 https://$http_host$request_uri; {% else %} access_log /var/log/nginx/gitlab_access.log; @@ -83,7 +83,7 @@ server { {% endif %} } -{% if var_gitlab_and_nginx_tls_mode != 'disable' %} +{% if (var_gitlab_and_nginx_tls_mode != 'disable') %} server { server_name {{var_gitlab_and_nginx_domain}}; server_tokens off; 
diff --git a/roles/hedgedoc-and-nginx/templates/conf.j2 b/roles/hedgedoc-and-nginx/templates/conf.j2 index 6dd578e..d70f0fc 100644 --- a/roles/hedgedoc-and-nginx/templates/conf.j2 +++ b/roles/hedgedoc-and-nginx/templates/conf.j2 @@ -29,14 +29,14 @@ server { listen 80; listen [::]:80; -{% if (var_element_and_nginx_tls_mode == "force") %} +{% if (var_element_and_nginx_tls_mode == 'force') %} return 301 https://$http_host$request_uri; {% else %} {{ hedgedoc_common() }} {% endif %} } -{% if (var_element_and_nginx_tls_mode != "disable") %} +{% if (var_element_and_nginx_tls_mode != 'disable') %} server { server_name {{var_hedgedoc_and_nginx_domain}}; diff --git a/roles/synapse-and-nginx/templates/conf.j2 b/roles/synapse-and-nginx/templates/conf.j2 index 47f6269..c2c40d5 100644 --- a/roles/synapse-and-nginx/templates/conf.j2 +++ b/roles/synapse-and-nginx/templates/conf.j2 @@ -17,14 +17,14 @@ server { listen 80; listen [::]:80; -{% if (var_synapse_and_nginx_tls_mode == "force") %} +{% if (var_synapse_and_nginx_tls_mode == 'force') %} return 301 https://$http_host$request_uri; {% else %} {{ synapse_common() }} {% endif %} } -{% if (var_element_and_nginx_tls_mode != "disable") %} +{% if (var_element_and_nginx_tls_mode != 'disable') %} server { server_name {{var_synapse_and_nginx_domain}}; diff --git a/roles/vikunja-and-nginx/templates/conf.j2 b/roles/vikunja-and-nginx/templates/conf.j2 index 854d39d..211f4ea 100644 --- a/roles/vikunja-and-nginx/templates/conf.j2 +++ b/roles/vikunja-and-nginx/templates/conf.j2 @@ -11,14 +11,14 @@ server { listen 80; listen [::]:80; -{% if (var_vikunja_and_nginx_tls_mode == "force") %} +{% if (var_vikunja_and_nginx_tls_mode == 'force') %} return 301 https://$http_host$request_uri; {% else %} {{ vikunja_common() }} {% endif %} } -{% if (var_vikunja_and_nginx_tls_mode != "disable") %} +{% if (var_vikunja_and_nginx_tls_mode != 'disable') %} server { server_name {{var_vikunja_and_nginx_domain}}; 
From 361abc6a74f5c966605e92fe05339dc995bc038d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 10:42:02 +0200 Subject: [PATCH 28/51] [fix] role:dokuwiki-and-nginx --- roles/dokuwiki-and-nginx/templates/conf.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/dokuwiki-and-nginx/templates/conf.j2 b/roles/dokuwiki-and-nginx/templates/conf.j2 index 4cfdac5..edfe9f2 100644 --- a/roles/dokuwiki-and-nginx/templates/conf.j2 +++ b/roles/dokuwiki-and-nginx/templates/conf.j2 @@ -43,7 +43,7 @@ {% endmacro %} server { - server_name {{var_dokuwki_and_nginx_domain}}; + server_name {{var_dokuwiki_and_nginx_domain}}; listen 80; listen [::]:80; @@ -57,13 +57,13 @@ server { {% if (var_element_and_nginx_tls_mode != 'disable') %} server { - server_name {{var_dokuwki_and_nginx_domain}}; + server_name {{var_dokuwiki_and_nginx_domain}}; listen [::]:443 ssl http2; listen 443 ssl http2; - ssl_certificate_key /etc/ssl/private/{{var_dokuwki_and_nginx_domain}}.pem; - ssl_certificate /etc/ssl/fullchains/{{var_dokuwki_and_nginx_domain}}.pem; + ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; {{ dokuwki_common() }} From f2b4ba5fed6c2bdd4a1587d08c91bcb1d6117638 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 10:44:06 +0200 Subject: [PATCH 29/51] [fix] role:dokuwiki-and-nginx --- roles/dokuwiki-and-nginx/templates/conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/dokuwiki-and-nginx/templates/conf.j2 b/roles/dokuwiki-and-nginx/templates/conf.j2 index edfe9f2..ea14fd4 100644 --- a/roles/dokuwiki-and-nginx/templates/conf.j2 +++ b/roles/dokuwiki-and-nginx/templates/conf.j2 
@@ -48,14 +48,14 @@ server { listen 80; listen [::]:80; -{% if (var_dokuwki_and_nginx_tls_mode == 'force') %} +{% if (var_dokuwiki_and_nginx_tls_mode == 'force') %} return 301 https://$http_host$request_uri; {% else %} {{ dokuwki_common() }} {% endif %} } -{% if (var_element_and_nginx_tls_mode != 'disable') %} +{% if (var_dokuwiki_and_nginx_tls_mode != 'disable') %} server { server_name {{var_dokuwiki_and_nginx_domain}}; From 2a96f510dfddd96e5440e71f42d95591ffe606e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 11:07:14 +0200 Subject: [PATCH 30/51] [fix] role:dokuwiki-and-nginx --- roles/dokuwiki-and-nginx/templates/conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/dokuwiki-and-nginx/templates/conf.j2 b/roles/dokuwiki-and-nginx/templates/conf.j2 index ea14fd4..e5e5252 100644 --- a/roles/dokuwiki-and-nginx/templates/conf.j2 +++ b/roles/dokuwiki-and-nginx/templates/conf.j2 @@ -51,7 +51,7 @@ server { {% if (var_dokuwiki_and_nginx_tls_mode == 'force') %} return 301 https://$http_host$request_uri; {% else %} -{{ dokuwki_common() }} +{{ dokuwiki_common() }} {% endif %} } @@ -66,6 +66,6 @@ server { ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; -{{ dokuwki_common() }} +{{ dokuwiki_common() }} } {% endif %} From 34c6ae6e548a77b626e0ad64fa3da9b0cb13f950 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 11:13:47 +0200 Subject: [PATCH 31/51] [fix] authelia-and-nginx --- roles/authelia-and-nginx/templates/conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/authelia-and-nginx/templates/conf.j2 b/roles/authelia-and-nginx/templates/conf.j2 index 417fb06..cd3b8d6 100644 --- a/roles/authelia-and-nginx/templates/conf.j2 +++ b/roles/authelia-and-nginx/templates/conf.j2 
@@ -57,7 +57,7 @@ server { {% endif %} } -{% if (var_element_and_nginx_tls_mode != 'disable') %} +{% if (var_authelia_and_nginx_tls_mode != 'disable') %} server { server_name {{var_authelia_and_nginx_domain}}; From 79415ee5bc5eee027da04f881073c0017a375d5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 11:14:06 +0200 Subject: [PATCH 32/51] [fix] role:hedgedoc-and-nginx --- roles/hedgedoc-and-nginx/templates/conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/hedgedoc-and-nginx/templates/conf.j2 b/roles/hedgedoc-and-nginx/templates/conf.j2 index d70f0fc..e8fe34b 100644 --- a/roles/hedgedoc-and-nginx/templates/conf.j2 +++ b/roles/hedgedoc-and-nginx/templates/conf.j2 @@ -36,7 +36,7 @@ server { {% endif %} } -{% if (var_element_and_nginx_tls_mode != 'disable') %} +{% if (var_hedgedoc_and_nginx_tls_mode != 'disable') %} server { server_name {{var_hedgedoc_and_nginx_domain}}; From 6fb16d609a2f7d20f4d14bfbb65ae82dd1e5d456 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 11:14:19 +0200 Subject: [PATCH 33/51] [fix] role:synapse-and-nginx --- roles/synapse-and-nginx/templates/conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/synapse-and-nginx/templates/conf.j2 b/roles/synapse-and-nginx/templates/conf.j2 index c2c40d5..952b9e4 100644 --- a/roles/synapse-and-nginx/templates/conf.j2 +++ b/roles/synapse-and-nginx/templates/conf.j2 @@ -24,7 +24,7 @@ server { {% endif %} } -{% if (var_element_and_nginx_tls_mode != 'disable') %} +{% if (var_synapse_and_nginx_tls_mode != 'disable') %} server { server_name {{var_synapse_and_nginx_domain}}; From bfd815e708a621b4b0e3a0eb1c883099e55d2958 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 11:14:42 +0200 Subject: [PATCH 34/51] [mod] role:hedgedoc:defaults:authelia_url --- roles/hedgedoc/defaults/main.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/hedgedoc/defaults/main.json b/roles/hedgedoc/defaults/main.json index e2a58c4..f59f7f1 100644 --- a/roles/hedgedoc/defaults/main.json +++ b/roles/hedgedoc/defaults/main.json @@ -14,7 +14,7 @@ "var_hedgedoc_authentication_kind": "authelia", "var_hedgedoc_authentication_data_authelia_client_id": "hedgedoc", "var_hedgedoc_authentication_data_authelia_client_secret": "REPLACE_ME", - "var_hedgedoc_authentication_data_authelia_url_base": "https://authelia.linke.sx", + "var_hedgedoc_authentication_data_authelia_url_base": "https://authelia.example.org", "var_hedgedoc_guest_allow_create": false, "var_hedgedoc_guest_allow_change": false, "var_hedgedoc_free_names_mode": "authed" From 349832c77ec4a26bbc862a1958ab26f88b69a5dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 9 Jul 2024 13:28:50 +0200 Subject: [PATCH 35/51] [mod] role:owncloud:auth --- roles/owncloud/defaults/main.json | 2 +- roles/owncloud/templates/env.j2 | 2 +- roles/owncloud/vardef.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/owncloud/defaults/main.json b/roles/owncloud/defaults/main.json index 18ef408..1101e12 100644 --- a/roles/owncloud/defaults/main.json +++ b/roles/owncloud/defaults/main.json @@ -5,7 +5,7 @@ "var_owncloud_platform": "linux-amd64", "var_owncloud_domain": "owncloud.example.org", "var_owncloud_admin_password": "REPLACE_ME", - "var_owncloud_authentication_kind": "none", + "var_owncloud_authentication_kind": "internal", "var_owncloud_authentication_data_authelia_url_base": "https://authelia.example.org", "var_owncloud_authentication_data_authelia_web_client_id": "owncloud_web", "var_owncloud_authentication_data_authelia_web_client_secret": "REPLACE_ME", diff --git a/roles/owncloud/templates/env.j2 b/roles/owncloud/templates/env.j2 index ae97e3a..a0526f9 100644 --- a/roles/owncloud/templates/env.j2 +++ b/roles/owncloud/templates/env.j2 
@@ -3,7 +3,7 @@ OCIS_INSECURE="false"
 PROXY_TLS="false"
-{% if var_owncloud_authentication_kind != 'none' %}
+{% if var_owncloud_authentication_kind != 'internal' %}
 PROXY_AUTOPROVISION_ACCOUNTS="false"
 {% endif %}
diff --git a/roles/owncloud/vardef.json b/roles/owncloud/vardef.json
index 95edd32..6641a03 100644
--- a/roles/owncloud/vardef.json
+++ b/roles/owncloud/vardef.json
@@ -27,7 +27,7 @@
 "type": "string",
 "mandatory": false,
 "options": [
- "none",
+ "internal",
 "authelia"
 ]
 },
From 97a0fc7db10aa5da8043afa6f0cafa43598aef5e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Tue, 9 Jul 2024 13:36:46 +0200
Subject: [PATCH 36/51] [fix] role:owncloud
---
 roles/owncloud/tasks/main.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/owncloud/tasks/main.json b/roles/owncloud/tasks/main.json
index 5c63d19..0a6e356 100644
--- a/roles/owncloud/tasks/main.json
+++ b/roles/owncloud/tasks/main.json
@@ -24,7 +24,7 @@
 "become_user": "{{var_owncloud_user}}",
 "ansible.builtin.shell": {
 "chdir": "{{var_owncloud_directory}}",
- "cmd": "./ocis init --insecure no --admin-password={{var_owncloud_admin_password}}"
+ "cmd": "rm -f {{var_owncloud_directory}}/.ocis/config/ocis.yaml && ./ocis init --insecure no --admin-password={{var_owncloud_admin_password}}"
 }
 },
 {
From bef3f226e1a3869f1af742ab3bd0edaf06ab23fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Tue, 9 Jul 2024 13:47:27 +0200
Subject: [PATCH 37/51] [fix] role:owncloud
---
 roles/owncloud/templates/env.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/owncloud/templates/env.j2 b/roles/owncloud/templates/env.j2
index a0526f9..eb2c299 100644
--- a/roles/owncloud/templates/env.j2
+++ b/roles/owncloud/templates/env.j2
@@ -1,4 +1,4 @@
-OCIS_URL="{{var_owncloud_domain}}"
+OCIS_URL="https://{{var_owncloud_domain}}"
 OCIS_INSECURE="false"
 PROXY_TLS="false"
From f1524c5b04d9372abb357506f1e2e0dd90be3af5 Mon Sep 17 00:00:00 2001
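Review bot: The rewritten `cmd` in the tasks/main.json hunk still places `{{var_owncloud_admin_password}}` unquoted on the shell command line, so a value containing shell metacharacters breaks or alters the command, and the password is visible to other local users through the process list and to anyone reading the play output, since `ansible.builtin.shell` echoes its `cmd` in the task result; interpolate it as `--admin-password={{ var_owncloud_admin_password | quote }}` and set `"no_log": true` on the task. The added `rm -f {{var_owncloud_directory}}/.ocis/config/ocis.yaml &&` also runs on every play, so the ocis configuration is deleted and regenerated each run rather than created once; if a one-time initialisation is what is intended, a `creates` argument or a preceding `stat` check would make the task idempotent. The enclosing task definition starts before this hunk.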
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Tue, 30 Jul 2024 08:46:18 +0200
Subject: [PATCH 38/51] =?UTF-8?q?[mod]=20roles:owncloud-and-nginx:gr=C3=B6?=
 =?UTF-8?q?=C3=9Fere=20Uploads=20erlauben?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 roles/owncloud-and-nginx/templates/conf.j2 | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/owncloud-and-nginx/templates/conf.j2 b/roles/owncloud-and-nginx/templates/conf.j2
index 80fb668..52a4c90 100644
--- a/roles/owncloud-and-nginx/templates/conf.j2
+++ b/roles/owncloud-and-nginx/templates/conf.j2
@@ -1,6 +1,7 @@
 {% macro owncloud_common() %}
 location / {
 proxy_pass http://localhost:9200;
+ client_max_body_size 1G;
 }
 {% endmacro %}
From 320cd91ccd82f20742da81a12decff9011a16d5d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 30 Jul 2024 15:35:16 +0200 Subject: [PATCH 39/51] [res] --- .../defaults/main.json.orig | 8 ----- roles/authelia-and-nginx/vardef.json.orig | 25 ---------------- .../defaults/main.json.orig | 9 ------ roles/dokuwiki-and-nginx/vardef.json.orig | 29 ------------------- .../element-and-nginx/defaults/main.json.orig | 9 ------ .../gitlab-and-nginx/defaults/main.json.orig | 9 ------ .../defaults/main.json.orig | 8 ----- roles/hedgedoc-and-nginx/vardef.json.orig | 25 ---------------- .../synapse-and-nginx/defaults/main.json.orig | 8 ----- roles/synapse-and-nginx/vardef.json.orig | 25 ---------------- .../vikunja-and-nginx/defaults/main.json.orig | 8 ----- roles/vikunja-and-nginx/vardef.json.orig | 25 ---------------- 12 files changed, 188 deletions(-) delete mode 100644 roles/authelia-and-nginx/defaults/main.json.orig delete mode 100644 roles/authelia-and-nginx/vardef.json.orig delete mode 100644 roles/dokuwiki-and-nginx/defaults/main.json.orig delete mode 100644 roles/dokuwiki-and-nginx/vardef.json.orig delete mode 100644 roles/element-and-nginx/defaults/main.json.orig delete mode 100644 roles/gitlab-and-nginx/defaults/main.json.orig delete mode 100644 roles/hedgedoc-and-nginx/defaults/main.json.orig delete mode 100644 roles/hedgedoc-and-nginx/vardef.json.orig delete mode 100644 roles/synapse-and-nginx/defaults/main.json.orig delete mode 100644 roles/synapse-and-nginx/vardef.json.orig delete mode 100644 roles/vikunja-and-nginx/defaults/main.json.orig delete mode 100644 roles/vikunja-and-nginx/vardef.json.orig diff --git a/roles/authelia-and-nginx/defaults/main.json.orig b/roles/authelia-and-nginx/defaults/main.json.orig deleted file mode 100644 index 45e49bb..0000000 --- a/roles/authelia-and-nginx/defaults/main.json.orig +++ /dev/null 
@@ -1,8 +0,0 @@ -{ - "var_authelia_and_nginx_domain": "authelia.example.org", -<<<<<<< HEAD - "var_authelia_and_nginx_tls_mode": "enable" -======= - "var_authelia_and_nginx_tls_mode": "force" ->>>>>>> main -} diff --git a/roles/authelia-and-nginx/vardef.json.orig b/roles/authelia-and-nginx/vardef.json.orig deleted file mode 100644 index 7b4f161..0000000 --- a/roles/authelia-and-nginx/vardef.json.orig +++ /dev/null @@ -1,25 +0,0 @@ -{ - "domain": { - "type": "string", - "mandatory": false - }, - "tls_mode": { -<<<<<<< HEAD - "type": "string", - "options": [ - "disable", - "enable", - "force" - ], - "mandatory": false -======= - "type": "string", - "options": [ - "disable", - "enable", - "force" - ], - "mandatory": false ->>>>>>> main - } -} diff --git a/roles/dokuwiki-and-nginx/defaults/main.json.orig b/roles/dokuwiki-and-nginx/defaults/main.json.orig deleted file mode 100644 index 3fd9025..0000000 --- a/roles/dokuwiki-and-nginx/defaults/main.json.orig +++ /dev/null @@ -1,9 +0,0 @@ -{ - "var_dokuwiki_and_nginx_directory": "/opt/dokuwiki", - "var_dokuwiki_and_nginx_domain": "dokuwiki.example.org", -<<<<<<< HEAD - "var_dokuwiki_and_nginx_tls_mode": "enable" -======= - "var_dokuwiki_and_nginx_tls_mode": "force" ->>>>>>> main -} diff --git a/roles/dokuwiki-and-nginx/vardef.json.orig b/roles/dokuwiki-and-nginx/vardef.json.orig deleted file mode 100644 index b2b79c4..0000000 --- a/roles/dokuwiki-and-nginx/vardef.json.orig +++ /dev/null @@ -1,29 +0,0 @@ -{ - "directory": { - "type": "string", - "mandatory": false - }, - "domain": { - "type": "string", - "mandatory": false - }, - "tls_mode": { -<<<<<<< HEAD - "type": "string", - "options": [ - "disable", - "enable", - "force" - ], - "mandatory": false -======= - "type": "string", - "options": [ - "disable", - "enable", - "force" - ], - "mandatory": false ->>>>>>> main - } -} 
diff --git a/roles/element-and-nginx/defaults/main.json.orig b/roles/element-and-nginx/defaults/main.json.orig deleted file mode 100644 index eb35196..0000000 --- a/roles/element-and-nginx/defaults/main.json.orig +++ /dev/null @@ -1,9 +0,0 @@ -{ - "var_element_and_nginx_domain": "element.example.org", - "var_element_and_nginx_path": "/opt/element", -<<<<<<< HEAD - "var_element_and_nginx_tls_mode": "enable" -======= - "var_element_and_nginx_tls_mode": "force" ->>>>>>> main -} diff --git a/roles/gitlab-and-nginx/defaults/main.json.orig b/roles/gitlab-and-nginx/defaults/main.json.orig deleted file mode 100644 index 20ce517..0000000 --- a/roles/gitlab-and-nginx/defaults/main.json.orig +++ /dev/null @@ -1,9 +0,0 @@ -{ - "var_gitlab_and_nginx_domain": "element.example.org", - "var_gitlab_and_nginx_path": "/opt/element", -<<<<<<< HEAD - "var_gitlab_and_nginx_tls_mode": "enable" -======= - "var_gitlab_and_nginx_tls_mode": "force" ->>>>>>> main -} diff --git a/roles/hedgedoc-and-nginx/defaults/main.json.orig b/roles/hedgedoc-and-nginx/defaults/main.json.orig deleted file mode 100644 index 9140f21..0000000 --- a/roles/hedgedoc-and-nginx/defaults/main.json.orig +++ /dev/null @@ -1,8 +0,0 @@ -{ - "var_hedgedoc_and_nginx_domain": "hedgedoc.example.org", -<<<<<<< HEAD - "var_hedgedoc_and_nginx_tls_mode": "enable" -======= - "var_hedgedoc_and_nginx_tls_mode": "force" ->>>>>>> main -} diff --git a/roles/hedgedoc-and-nginx/vardef.json.orig b/roles/hedgedoc-and-nginx/vardef.json.orig deleted file mode 100644 index 7b4f161..0000000 --- a/roles/hedgedoc-and-nginx/vardef.json.orig +++ /dev/null @@ -1,25 +0,0 @@ -{ - "domain": { - "type": "string", - "mandatory": false - }, - "tls_mode": { -<<<<<<< HEAD - "type": "string", - "options": [ - "disable", - "enable", - "force" - ], - "mandatory": false -======= - "type": "string", - "options": [ - "disable", - "enable", - "force" - ], - "mandatory": false ->>>>>>> main - } -} 
diff --git a/roles/synapse-and-nginx/defaults/main.json.orig b/roles/synapse-and-nginx/defaults/main.json.orig deleted file mode 100644 index b7d6849..0000000 --- a/roles/synapse-and-nginx/defaults/main.json.orig +++ /dev/null @@ -1,8 +0,0 @@ -{ - "var_synapse_and_nginx_domain": "REPLACE_ME", -<<<<<<< HEAD - "var_synapse_and_nginx_tls_mode": "enable" -======= - "var_synapse_and_nginx_tls_mode": "force" ->>>>>>> main -} diff --git a/roles/synapse-and-nginx/vardef.json.orig b/roles/synapse-and-nginx/vardef.json.orig deleted file mode 100644 index 7b4f161..0000000 --- a/roles/synapse-and-nginx/vardef.json.orig +++ /dev/null @@ -1,25 +0,0 @@ -{ - "domain": { - "type": "string", - "mandatory": false - }, - "tls_mode": { -<<<<<<< HEAD - "type": "string", - "options": [ - "disable", - "enable", - "force" - ], - "mandatory": false -======= - "type": "string", - "options": [ - "disable", - "enable", - "force" - ], - "mandatory": false ->>>>>>> main - } -} diff --git a/roles/vikunja-and-nginx/defaults/main.json.orig b/roles/vikunja-and-nginx/defaults/main.json.orig deleted file mode 100644 index 229204a..0000000 --- a/roles/vikunja-and-nginx/defaults/main.json.orig +++ /dev/null @@ -1,8 +0,0 @@ -{ - "var_vikunja_and_nginx_domain": "vikunja.example.org", -<<<<<<< HEAD - "var_vikunja_and_nginx_tls_mode": "enable" -======= - "var_vikunja_and_nginx_tls_mode": "force" ->>>>>>> main -} diff --git a/roles/vikunja-and-nginx/vardef.json.orig b/roles/vikunja-and-nginx/vardef.json.orig deleted file mode 100644 index 7b4f161..0000000 --- a/roles/vikunja-and-nginx/vardef.json.orig +++ /dev/null @@ -1,25 +0,0 @@ -{ - "domain": { - "type": "string", - "mandatory": false - }, - "tls_mode": { -<<<<<<< HEAD - "type": "string", - "options": [ - "disable", - "enable", - "force" - ], - "mandatory": false -======= - "type": "string", - "options": [ - "disable", - "enable", - "force" - ], - "mandatory": false ->>>>>>> main - } -} 
From 9831e1a8e46d0b1a5c828dabac977d2bff5747ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 30 Jul 2024 15:36:47 +0200 Subject: [PATCH 40/51] [mod] role:owncloud-and-nginx:force tls --- roles/owncloud-and-nginx/defaults/main.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/owncloud-and-nginx/defaults/main.json b/roles/owncloud-and-nginx/defaults/main.json index 72f31e1..3e0977f 100644 --- a/roles/owncloud-and-nginx/defaults/main.json +++ b/roles/owncloud-and-nginx/defaults/main.json @@ -1,4 +1,4 @@ { "var_owncloud_and_nginx_domain": "owncloud.example.org", - "var_owncloud_and_nginx_tls_mode": "enable" + "var_owncloud_and_nginx_tls_mode": "force" } From 9b0535e39afbb12db8ff7c3d501e9c4a2ed82b39 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 20 Aug 2024 10:07:47 +0200 Subject: [PATCH 41/51] =?UTF-8?q?[mod]=20role:owncloud:Variable=20f=C3=BCr?= =?UTF-8?q?=20Hinauflad-Gr=C3=B6=C3=9Fen-Grenzen?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/owncloud-and-nginx/defaults/main.json | 3 ++- roles/owncloud-and-nginx/templates/conf.j2 | 2 +- roles/owncloud-and-nginx/vardef.json | 4 ++++ 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/roles/owncloud-and-nginx/defaults/main.json b/roles/owncloud-and-nginx/defaults/main.json index 3e0977f..9ad192e 100644 --- a/roles/owncloud-and-nginx/defaults/main.json +++ b/roles/owncloud-and-nginx/defaults/main.json @@ -1,4 +1,5 @@ { "var_owncloud_and_nginx_domain": "owncloud.example.org", - "var_owncloud_and_nginx_tls_mode": "force" + "var_owncloud_and_nginx_tls_mode": "force", + "var_owncloud_and_nginx_maximum_upload_size": "1G" } diff --git a/roles/owncloud-and-nginx/templates/conf.j2 b/roles/owncloud-and-nginx/templates/conf.j2 index 52a4c90..85e67ab 100644 --- a/roles/owncloud-and-nginx/templates/conf.j2 +++ b/roles/owncloud-and-nginx/templates/conf.j2 
@@ -1,7 +1,7 @@ {% macro owncloud_common() %} location / { proxy_pass http://localhost:9200; - client_max_body_size 1G; + client_max_body_size {{var_owncloud_and_nginx_maximum_upload_size}}; } {% endmacro %} diff --git a/roles/owncloud-and-nginx/vardef.json b/roles/owncloud-and-nginx/vardef.json index 78b56a8..7872cb8 100644 --- a/roles/owncloud-and-nginx/vardef.json +++ b/roles/owncloud-and-nginx/vardef.json @@ -12,5 +12,9 @@ "force" ], "mandatory": false + }, + "maximum_upload_size": { + "type": "string", + "mandatory": false } } From 824eeb3fb31a9abde3d3c84c4166e98adb61968d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 21 Aug 2024 20:14:17 +0200 Subject: [PATCH 42/51] [mod] role:hedgedoc:user directory --- roles/hedgedoc/tasks/main.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/hedgedoc/tasks/main.json b/roles/hedgedoc/tasks/main.json index b4fd779..5347cc1 100644 --- a/roles/hedgedoc/tasks/main.json +++ b/roles/hedgedoc/tasks/main.json @@ -27,7 +27,8 @@ "become": true, "ansible.builtin.user": { "name": "{{var_hedgedoc_user_name}}", - "create_home": true + "create_home": true, + "home": "{{var_hedgedoc_directory}}" } }, { From c25f90eefee0d00b80d375757687393167c74c4d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 22 Aug 2024 15:24:20 +0200 Subject: [PATCH 43/51] [fix] role:authelia-for-owncloud:enable 1fa --- .../templates/authelia-client-conf-android.json.j2 | 1 + .../templates/authelia-client-conf-ios.json.j2 | 1 + .../templates/authelia-client-conf-web.json.j2 | 1 + 3 files changed, 3 insertions(+) diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2 index a0f0bcb..fab1372 100644 --- a/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2 +++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2 
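Review bot: `maximum_upload_size` is declared in the vardef hunk as a free-form string, and the conf.j2 hunk in this commit emits it bare as `client_max_body_size {{var_owncloud_and_nginx_maximum_upload_size}};`, so a value nginx does not accept as a size (for example `1GB` instead of `1G`) is only discovered when the rendered config fails to load, and `0` silently disables the request-body limit altogether. Document the accepted form (a number with an optional `k`/`m`/`g` suffix) next to the variable, or check it before rendering, e.g. with an `ansible.builtin.assert` task or a template guard such as `{% if var_owncloud_and_nginx_maximum_upload_size is not match('^[0-9]+[kKmMgG]?$') %}` using Ansible's `match` test, so a bad inventory value fails the play with a clear message.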
@@ -2,6 +2,7 @@ "client_id": "{{var_authelia_for_owncloud_android_client_id}}", "client_secret": "{{var_authelia_for_owncloud_android_client_secret}}", "client_name": "ownCloud | Android Client", + "authorization_policy": "one_factor", "scopes": [ "openid", "groups", diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2 index 8477691..ce465a9 100644 --- a/roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2 +++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2 @@ -2,6 +2,7 @@ "client_id": "{{var_authelia_for_owncloud_ios_client_id}}", "client_secret": "{{var_authelia_for_owncloud_ios_client_secret}}", "client_name": "ownCloud | iOS Client", + "authorization_policy": "one_factor", "scopes": [ "openid", "groups", diff --git a/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 b/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 index b60041e..45b6983 100644 --- a/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 +++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-web.json.j2 @@ -2,6 +2,7 @@ "client_id": "{{var_authelia_for_owncloud_web_client_id}}", "client_name": "ownCloud | Web Client", "public": true, + "authorization_policy": "one_factor", "scopes": [ "openid", "email", From 0a8cc8d1df2be33e0a254d3fa4fca3e74cc3c699 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 22 Aug 2024 15:27:43 +0200 Subject: [PATCH 44/51] [mod] role:authelia:variable lifespans and cors endpoints --- roles/authelia/defaults/main.json | 5 ++++- roles/authelia/templates/conf-main.json.j2 | 8 +++++++ roles/authelia/vardef.json | 26 ++++++++++++++++++++++ 3 files changed, 38 insertions(+), 1 deletion(-) diff --git a/roles/authelia/defaults/main.json b/roles/authelia/defaults/main.json index 47b1e01..04a1f7f 100644 --- a/roles/authelia/defaults/main.json 
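Review bot: All three client templates (android, ios, web) hard-code `"authorization_policy": "one_factor"`, which lowers the assurance for every ownCloud client at once — Authelia's default for a client is `two_factor` as far as I recall, so this is a deliberate downgrade that ought to be an operator decision. The repo already models such choices as role variables with an `options` list in vardef.json (e.g. `tls_mode`), so `"authorization_policy": "{{var_authelia_for_owncloud_authorization_policy}}"` with options `one_factor`/`two_factor` and a documented default would keep the fix while leaving the stronger setting reachable. The same line is repeated verbatim in the ios and web hunks, so one variable covers all three.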
+++ b/roles/authelia/defaults/main.json @@ -32,5 +32,8 @@ "var_authelia_notification_smtp_username": "authelia", "var_authelia_notification_smtp_password": "REPLACE_ME", "var_authelia_notification_smtp_sender": "authelia@example.org", - "var_authelia_oidc_hmac_secret": "REPLACE_ME" + "var_authelia_oidc_hmac_secret": "REPLACE_ME", + "var_authelia_oidc_lifespan_access_token": "1h", + "var_authelia_oidc_lifespan_refresh_token": "1m", + "var_authelia_oidc_cors_endpoints": null } diff --git a/roles/authelia/templates/conf-main.json.j2 b/roles/authelia/templates/conf-main.json.j2 index 475cda4..81bee44 100644 --- a/roles/authelia/templates/conf-main.json.j2 +++ b/roles/authelia/templates/conf-main.json.j2 @@ -190,8 +190,16 @@ "oidc": { "hmac_secret": "{{var_authelia_oidc_hmac_secret}}", "issuer_private_key": "{{temp_tls_result.privatekey | replace('\n', '\\n')}}", + "lifespans": { + "access_token": "{{var_authelia_oidc_lifespan_access_token}}", + "refresh_token": "{{var_authelia_oidc_lifespan_refresh_token}}" + }, "cors": { "allowed_origins_from_client_redirect_uris": true +{% if var_authelia_oidc_cors_endpoints == None %} +{% else %} + ,"endpoints": {{var_authelia_oidc_cors_endpoints | to_json}} +{% endif %} }, "clients": [ ] diff --git a/roles/authelia/vardef.json b/roles/authelia/vardef.json index 9b7d5bc..9b651a1 100644 --- a/roles/authelia/vardef.json +++ b/roles/authelia/vardef.json @@ -139,5 +139,31 @@ "oidc_hmac_secret": { "type": "string", "mandatory": true + }, + "oidc_lifespan_access_token": { + "nullable": true, + "type": "string", + "mandatory": false + }, + "oidc_lifespan_refresh_token": { + "nullable": true, + "type": "string", + "mandatory": false + }, + "oidc_cors_endpoints": { + "nullable": true, + "type": "array", + "items": { + "type": "string", + "enum": [ + "authorization", + "pushed-authorization-request", + "token", + "revocation", + "introspection", + "userinfo" + ] + }, + "mandatory": false } } 
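Review bot: The `lifespans` block renders `"{{var_authelia_oidc_lifespan_access_token}}"` and the refresh token unconditionally, but the vardef hunk in the same commit marks both keys `"nullable": true`; a null value would therefore be rendered as the literal string `None` into Authelia's configuration, unlike `oidc_cors_endpoints`, which is guarded. Either drop `nullable` for the two lifespan keys or guard them the same way. The `{% if var_authelia_oidc_cors_endpoints == None %}{% else %}` construct with an empty first branch reads better as `{% if var_authelia_oidc_cors_endpoints is not none %}`. Separately, the default refresh-token lifespan `"1m"` is much shorter than the `"1h"` access token; unless Authelia adds the refresh lifespan on top of the access-token lifespan (worth confirming in its docs), a refresh token that is already expired when the access token expires is unusable, so the intended value should be checked.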
From 4ec9a5c89979ed72896577e635f67e78d74533a9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 22 Aug 2024 15:28:31 +0200 Subject: [PATCH 45/51] [fix] role:hedgedoc-and-nginx:syntax for vserver conf --- roles/hedgedoc-and-nginx/templates/conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/hedgedoc-and-nginx/templates/conf.j2 b/roles/hedgedoc-and-nginx/templates/conf.j2 index e8fe34b..b9c6601 100644 --- a/roles/hedgedoc-and-nginx/templates/conf.j2 +++ b/roles/hedgedoc-and-nginx/templates/conf.j2 @@ -49,3 +49,4 @@ server { {{ hedgedoc_common() }} } +{% endif %} From 67e9e06c82daaab09b44d453c1afe3a1bfb7bbbe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 22 Aug 2024 15:29:48 +0200 Subject: [PATCH 46/51] [fix] role:murmur:ssl paths --- roles/murmur/tasks/main.json | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/murmur/tasks/main.json b/roles/murmur/tasks/main.json index 5b61756..f6c84a6 100644 --- a/roles/murmur/tasks/main.json +++ b/roles/murmur/tasks/main.json @@ -15,7 +15,7 @@ "become": true, "ansible.builtin.file": { "state": "directory", - "path": "/var/murmur" + "path": "/var/murmurd" } }, { @@ -23,11 +23,10 @@ "when": "var_murmur_tls", "become": true, "loop": [ - {"from": "/etc/ssl/private/{{var_murmur_domain}}.pem", "to": "/var/murmur/tls-key.pem"}, - {"from": "/etc/ssl/fullchains/{{var_murmur_domain}}.pem", "to": "/var/murmur/tls-fullchain.pem"} + {"from": "/etc/ssl/private/{{var_murmur_domain}}.pem", "to": "/var/murmurd/tls-key.pem"}, + {"from": "/etc/ssl/fullchains/{{var_murmur_domain}}.pem", "to": "/var/murmurd/tls-fullchain.pem"} ], "ansible.builtin.copy": { - "state": "directory", "remote_src": true, "src": "{{item.from}}", "dest": "{{item.to}}", From 1d765fc78e3c5b816a7c34f6a280739ef16f90b0 Mon Sep 17 00:00:00 2001 
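Review bot: The copy of `/etc/ssl/private/{{var_murmur_domain}}.pem` to `/var/murmurd/tls-key.pem` sets only `remote_src`, `src` and `dest` within the hunk; the task continues past the hunk, so if no `mode`/`owner` follows, the private key is written with the default file mode, which would be wider than the root-only access it has under `/etc/ssl/private`. Suggest `"mode": "0600"` plus `owner`/`group` set to the account murmurd runs as, and a `mode` on the `/var/murmurd` directory task as well. Dropping the stray `"state": "directory"` from the copy module is a correct fix.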
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 22 Aug 2024 13:31:42 +0000 Subject: [PATCH 47/51] Rolle | Forgejo --- roles/authelia-for-forgejo/defaults/main.json | 5 + roles/authelia-for-forgejo/info.md | 9 ++ roles/authelia-for-forgejo/tasks/main.json | 25 ++++ .../templates/authelia-client-conf.json.j2 | 17 +++ roles/forgejo-and-nginx/defaults/main.json | 5 + roles/forgejo-and-nginx/info.md | 1 + roles/forgejo-and-nginx/tasks/main.json | 35 +++++ roles/forgejo-and-nginx/templates/conf.j2 | 34 +++++ roles/forgejo-and-nginx/vardef.json | 19 +++ roles/forgejo/defaults/main.json | 31 +++++ roles/forgejo/info.md | 14 ++ roles/forgejo/tasks/main.json | 101 ++++++++++++++ roles/forgejo/templates/config.ini.j2 | 123 +++++++++++++++++ roles/forgejo/templates/systemd-unit.j2 | 21 +++ roles/forgejo/vardef.json | 126 ++++++++++++++++++ .../postgresql-for-forgejo/defaults/main.json | 5 + roles/postgresql-for-forgejo/tasks/main.json | 49 +++++++ 17 files changed, 620 insertions(+) create mode 100644 roles/authelia-for-forgejo/defaults/main.json create mode 100644 roles/authelia-for-forgejo/info.md create mode 100644 roles/authelia-for-forgejo/tasks/main.json create mode 100644 roles/authelia-for-forgejo/templates/authelia-client-conf.json.j2 create mode 100644 roles/forgejo-and-nginx/defaults/main.json create mode 100644 roles/forgejo-and-nginx/info.md create mode 100644 roles/forgejo-and-nginx/tasks/main.json create mode 100644 roles/forgejo-and-nginx/templates/conf.j2 create mode 100644 roles/forgejo-and-nginx/vardef.json create mode 100644 roles/forgejo/defaults/main.json create mode 100644 roles/forgejo/info.md create mode 100644 roles/forgejo/tasks/main.json create mode 100644 roles/forgejo/templates/config.ini.j2 create mode 100644 roles/forgejo/templates/systemd-unit.j2 create mode 100644 roles/forgejo/vardef.json create mode 100644 roles/postgresql-for-forgejo/defaults/main.json create mode 100644 roles/postgresql-for-forgejo/tasks/main.json 
diff --git a/roles/authelia-for-forgejo/defaults/main.json b/roles/authelia-for-forgejo/defaults/main.json new file mode 100644 index 0000000..211419e --- /dev/null +++ b/roles/authelia-for-forgejo/defaults/main.json @@ -0,0 +1,5 @@ +{ + "var_authelia_for_forgejo_forgejo_url_base": "https://forgejo.example.org", + "var_authelia_for_forgejo_client_id": "forgejo", + "var_authelia_for_forgejo_client_secret": "REPLACE_ME" +} diff --git a/roles/authelia-for-forgejo/info.md b/roles/authelia-for-forgejo/info.md new file mode 100644 index 0000000..14a539f --- /dev/null +++ b/roles/authelia-for-forgejo/info.md @@ -0,0 +1,9 @@ +## Beschreibung + +Um [Forgejo](../forgejo) gegen [Authelia](../authelia) authentifizieren zu lassen + + +## Verweise + +- [Forgejo-Dokumentation | Configuration | OpenID](https://forgejo.org/docs/latest/admin/config-cheat-sheet/#openid-openid) +- [Authelia-Dokumentation | Gitea Integration](https://www.authelia.com/integration/openid-connect/gitea/) diff --git a/roles/authelia-for-forgejo/tasks/main.json b/roles/authelia-for-forgejo/tasks/main.json new file mode 100644 index 0000000..a0aa05d --- /dev/null +++ b/roles/authelia-for-forgejo/tasks/main.json @@ -0,0 +1,25 @@ +[ + { + "name": "configuration | emplace", + "become": true, + "ansible.builtin.template": { + "src": "authelia-client-conf.json.j2", + "dest": "/etc/authelia/conf.d/clients/forgejo.json" + } + }, + { + "name": "configuration | apply", + "become": true, + "ansible.builtin.command": { + "cmd": "/usr/bin/authelia-conf-compose" + } + }, + { + "name": "restart service", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "authelia" + } + } +] diff --git a/roles/authelia-for-forgejo/templates/authelia-client-conf.json.j2 b/roles/authelia-for-forgejo/templates/authelia-client-conf.json.j2 new file mode 100644 index 0000000..3f0e1c7 --- /dev/null +++ b/roles/authelia-for-forgejo/templates/authelia-client-conf.json.j2 
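Review bot: The `configuration | emplace` template task writes `/etc/authelia/conf.d/clients/forgejo.json`, which carries the OIDC client secret, without `mode` or `owner`, so the file takes the default mode of a root-run template (normally world-readable). Suggest `"mode": "0640"` together with the owner/group Authelia runs as. The same gap exists in `roles/forgejo/tasks/main.json` in this commit, where `config | base` renders `app.ini` containing `SECRET_KEY`, `INTERNAL_TOKEN` and the PostgreSQL password with no `mode`; `"mode": "0600"` there, since the file is owned by the forgejo user.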
@@ -0,0 +1,17 @@ +{ + "client_id": "{{var_authelia_for_forgejo_client_id}}", + "client_secret": "{{var_authelia_for_forgejo_client_secret}}", + "client_name": "Forgejo", + "public": false, + "authorization_policy": "one_factor", + "redirect_uris": [ + "{{var_authelia_for_forgejo_forgejo_url_base}}/user/oauth2/authelia/callback" + ], + "scopes": [ + "openid", + "email", + "profile" + ], + "userinfo_signed_response_alg": "none", + "token_endpoint_auth_method": "client_secret_basic" +} diff --git a/roles/forgejo-and-nginx/defaults/main.json b/roles/forgejo-and-nginx/defaults/main.json new file mode 100644 index 0000000..fadcf82 --- /dev/null +++ b/roles/forgejo-and-nginx/defaults/main.json @@ -0,0 +1,5 @@ +{ + "var_forgejo_and_nginx_domain": "forgejo.example.org", + "var_forgejo_and_nginx_port": 2378, + "var_forgejo_and_nginx_tls_mode": "force" +} diff --git a/roles/forgejo-and-nginx/info.md b/roles/forgejo-and-nginx/info.md new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/roles/forgejo-and-nginx/info.md @@ -0,0 +1 @@ + diff --git a/roles/forgejo-and-nginx/tasks/main.json b/roles/forgejo-and-nginx/tasks/main.json new file mode 100644 index 0000000..7dc3b80 --- /dev/null +++ b/roles/forgejo-and-nginx/tasks/main.json 
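Review bot: `"client_secret": "{{var_authelia_for_forgejo_client_secret}}"` stores the raw secret in Authelia's client configuration; as far as I know Authelia expects a password hash here for confidential clients (generated with `authelia crypto hash generate`) and warns on plaintext, so the variable should hold the hash and only Forgejo's side (`var_forgejo_authentication_data_authelia_client_secret`) the plaintext — this is the existing pattern of the ownCloud client templates, so it is worth a follow-up for those too. Because the same value has to be configured in two roles, a comment in the role's info.md stating that the two must match would save operators a confusing login failure. `"public": false` with `client_secret_basic` and the single `redirect_uris` entry derived from the base URL look right.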
@@ -0,0 +1,35 @@
+[
+ {
+ "name": "deactivate default site",
+ "become": true,
+ "ansible.builtin.file": {
+ "state": "absent",
+ "dest": "/etc/nginx/sites-enabled/default"
+ }
+ },
+ {
+ "name": "emplace configuration | data",
+ "become": true,
+ "ansible.builtin.template": {
+ "src": "conf.j2",
+ "dest": "/etc/nginx/sites-available/{{var_forgejo_and_nginx_domain}}"
+ }
+ },
+ {
+ "name": "emplace configuration | link",
+ "become": true,
+ "ansible.builtin.file": {
+ "state": "link",
+ "src": "/etc/nginx/sites-available/{{var_forgejo_and_nginx_domain}}",
+ "dest": "/etc/nginx/sites-enabled/{{var_forgejo_and_nginx_domain}}"
+ }
+ },
+ {
+ "name": "restart nginx",
+ "become": true,
+ "ansible.builtin.systemd_service": {
+ "state": "restarted",
+ "name": "nginx"
+ }
+ }
+]
diff --git a/roles/forgejo-and-nginx/templates/conf.j2 b/roles/forgejo-and-nginx/templates/conf.j2
new file mode 100644
index 0000000..4e78b94
--- /dev/null
+++ b/roles/forgejo-and-nginx/templates/conf.j2
@@ -0,0 +1,34 @@
+{% macro forgejo_common() %}
+ location / {
+ proxy_pass http://localhost:{{var_forgejo_and_nginx_port | string}};
+ client_max_body_size 20M;
+ }
+{% endmacro %}
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{var_forgejo_and_nginx_domain}};
+
+{% if var_forgejo_and_nginx_tls_mode == 'force' %}
+ return 301 https://$http_host$request_uri;
+{% else %}
+{{ forgejo_common() }}
+{% endif %}
+}
+
+{% if var_forgejo_and_nginx_tls_mode != 'disable' %}
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name {{var_forgejo_and_nginx_domain}};
+
+ ssl_certificate_key /etc/ssl/private/{{var_forgejo_and_nginx_domain}}.pem;
+ ssl_certificate /etc/ssl/fullchains/{{var_forgejo_and_nginx_domain}}.pem;
+ include /etc/nginx/ssl-hardening.conf;
+
+{{ forgejo_common() }}
+}
+{% endif %}
diff --git a/roles/forgejo-and-nginx/vardef.json b/roles/forgejo-and-nginx/vardef.json
new file mode 100644
index 0000000..882b53b
--- /dev/null
+++ b/roles/forgejo-and-nginx/vardef.json
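Review bot: The `forgejo_common` macro proxies with `proxy_pass http://localhost:…` but sets no `proxy_set_header`, so Forgejo receives `Host: localhost:<port>` and no client address or scheme; links still work because app.ini pins `ROOT_URL`, but logging, any rate limiting and proxy-aware behaviour then see every request as coming from 127.0.0.1. Suggest adding `proxy_set_header Host $host;`, `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-Proto $scheme;` inside the location block (the gitlab template in this repo already uses `real_ip_header`). `client_max_body_size 20M` is hard-coded here while PATCH 41 of this series just made the same value a `maximum_upload_size` variable for the ownCloud role; mirroring that in `roles/forgejo-and-nginx/vardef.json` keeps the roles consistent.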
@@ -0,0 +1,19 @@ +{ + "domain": { + "mandatory": false, + "type": "string" + }, + "port": { + "mandatory": false, + "type": "integer" + }, + "tls_mode": { + "mandatory": false, + "type": "string", + "options": [ + "disable", + "enable", + "force" + ] + } +} diff --git a/roles/forgejo/defaults/main.json b/roles/forgejo/defaults/main.json new file mode 100644 index 0000000..fb59d7b --- /dev/null +++ b/roles/forgejo/defaults/main.json @@ -0,0 +1,31 @@ +{ + "var_forgejo_user": "forgejo", + "var_forgejo_directory_main": "/opt/forgejo", + "var_forgejo_directory_repositories": "/var/forgejo/repositories", + "var_forgejo_version": "7.0.5", + "var_forgejo_platform": "linux-amd64", + "var_forgejo_secret_key": "REPLACE_ME", + "var_forgejo_internal_token": "REPLACE_ME", + "var_forgejo_domain": "forgejo.example.org", + "var_forgejo_listen_address": "0.0.0.0", + "var_forgejo_listen_port": 2378, + "var_forgejo_database_kind": "sqlite", + "var_forgejo_database_data_sqlite_path": "/var/forgejo/data.sqlite", + "var_forgejo_database_data_postgresql_host": "postgresql.example.org", + "var_forgejo_database_data_postgresql_port": 5432, + "var_forgejo_database_data_postgresql_username": "forgejo_user", + "var_forgejo_database_data_postgresql_password": "REPLACE_ME", + "var_forgejo_database_data_postgresql_scheme": "forgejo", + "var_forgejo_authentication_kind": "internal", + "var_forgejo_authentication_data_authelia_url_base": "https://authelia.example.org", + "var_forgejo_authentication_data_authelia_client_id": "forgejo", + "var_forgejo_authentication_data_authelia_client_secret": "REPLACE_ME", + "var_forgejo_smtp_host": "smtp.example.org", + "var_forgejo_smtp_port": 465, + "var_forgejo_smtp_username": "REPLACE_ME", + "var_forgejo_smtp_password": "REPLACE_ME", + "var_forgejo_email_sending_enabled": false, + "var_forgejo_email_sending_sender": "forgejo@example.org", + "var_forgejo_email_sending_html": false, + "var_forgejo_title": "Forgejo: Beyond coding. We Forge." +} 
diff --git a/roles/forgejo/info.md b/roles/forgejo/info.md new file mode 100644 index 0000000..db535da --- /dev/null +++ b/roles/forgejo/info.md @@ -0,0 +1,14 @@ +## Beschreibung + +Zur Einrichtung der DevOps-Platform [Forgejo](https://forgejo.org/) + + +## Verweise + +- [Forgejo | Documentation | Administrator Guide](https://forgejo.org/docs/latest/admin/) +- [Forgejo | Documentation | Configuration Cheat Sheet](https://forgejo.org/docs/latest/admin/config-cheat-sheet/) + + +## ToDo + +- Download verfizieren diff --git a/roles/forgejo/tasks/main.json b/roles/forgejo/tasks/main.json new file mode 100644 index 0000000..5905488 --- /dev/null +++ b/roles/forgejo/tasks/main.json 
@@ -0,0 +1,101 @@
+[
+ {
+ "name": "packages",
+ "become": true,
+ "ansible.builtin.apt": {
+ "update_cache": true,
+ "pkg": [
+ "git"
+ ]
+ }
+ },
+ {
+ "name": "user",
+ "become": true,
+ "ansible.builtin.user": {
+ "name": "{{var_forgejo_user}}",
+ "create_home": true,
+ "home": "{{var_forgejo_directory_main}}"
+ }
+ },
+ {
+ "name": "directories | external",
+ "become": true,
+ "loop": [
+ "{{var_forgejo_database_data_sqlite_path | dirname}}",
+ "{{var_forgejo_directory_repositories}}"
+ ],
+ "ansible.builtin.file": {
+ "path": "{{item}}",
+ "state": "directory",
+ "owner": "{{var_forgejo_user}}"
+ }
+ },
+ {
+ "name": "directories | internal",
+ "become": true,
+ "become_user": "{{var_forgejo_user}}",
+ "loop": [
+ "{{var_forgejo_directory_main}}/custom/conf"
+ ],
+ "ansible.builtin.file": {
+ "path": "{{item}}",
+ "state": "directory"
+ }
+ },
+ {
+ "name": "download",
+ "become": true,
+ "become_user": "{{var_forgejo_user}}",
+ "ansible.builtin.get_url": {
+ "url": "https://codeberg.org/forgejo/forgejo/releases/download/v{{var_forgejo_version}}/forgejo-{{var_forgejo_version}}-{{var_forgejo_platform}}",
+ "dest": "{{var_forgejo_directory_main}}/forgejo",
+ "mode": "u+rx"
+ }
+ },
+ {
+ "name": "config | base",
+ "become": true,
+ "become_user": "{{var_forgejo_user}}",
+ "ansible.builtin.template": {
+ "src": "config.ini.j2",
+ "dest": "{{var_forgejo_directory_main}}/custom/conf/app.ini"
+ }
+ },
+ {
+ "name": "config | database",
+ "become": true,
+ "become_user": "{{var_forgejo_user}}",
+ "ansible.builtin.command": {
+ "chdir": "{{var_forgejo_directory_main}}",
+ "cmd": "./forgejo migrate"
+ }
+ },
+ {
+ "name": "config | authelia",
+ "when": "var_forgejo_authentication_kind == 'authelia'",
+ "become": true,
+ "become_user": "{{var_forgejo_user}}",
+ "ansible.builtin.shell": {
+ "chdir": "{{var_forgejo_directory_main}}",
+ "cmd": "(./forgejo admin auth list | grep authelia) || ./forgejo admin auth add-oauth --provider='openidConnect' --name='authelia' 
--key={{var_forgejo_authentication_data_authelia_client_id}} --secret={{var_forgejo_authentication_data_authelia_client_secret}} --auto-discover-url='{{var_forgejo_authentication_data_authelia_url_base}}/.well-known/openid-configuration' --scopes='openid email profile'"
+ }
+ },
+ {
+ "name": "systemd unit",
+ "become": true,
+ "ansible.builtin.template": {
+ "src": "systemd-unit.j2",
+ "dest": "/etc/systemd/system/forgejo.service"
+ }
+ },
+ {
+ "name": "start",
+ "become": true,
+ "ansible.builtin.systemd_service": {
+ "enabled": true,
+ "state": "restarted",
+ "name": "forgejo"
+ }
+ }
+]
diff --git a/roles/forgejo/templates/config.ini.j2 b/roles/forgejo/templates/config.ini.j2
new file mode 100644
index 0000000..524cfd8
--- /dev/null
+++ b/roles/forgejo/templates/config.ini.j2
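Review bot: The `config | authelia` shell task passes `--secret={{var_forgejo_authentication_data_authelia_client_secret}}` on the command line, where it is visible in the process list during the run and is echoed in Ansible's task output because the task has no `"no_log": true`; the `--key` and `--secret` values are also unquoted, so a value containing shell metacharacters changes the command rather than failing. Suggest `"no_log": true` on the task and `--key={{var_forgejo_authentication_data_authelia_client_id | quote}} --secret={{var_forgejo_authentication_data_authelia_client_secret | quote}}`. The `grep authelia` pre-check is a reasonable idempotence guard, but it also matches any other provider whose name contains the word; `grep -w` or matching the exact name column would be tighter. The `download` task has no `checksum`, which is the open item in the role's info.md ToDo; `get_url`'s `checksum` parameter (e.g. `sha256:<constructed-digest-placeholder>`) would close it.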
@@ -0,0 +1,123 @@
+APP_NAME = {{var_forgejo_title}}
+RUN_USER = {{var_forgejo_user}}
+RUN_MODE = prod
+
+[server]
+DOMAIN = {{var_forgejo_domain}}
+ROOT_URL = https://{{var_forgejo_domain}}
+;HTTP_ADDR = {{var_forgejo_listen_address}}
+HTTP_PORT = {{var_forgejo_listen_port | string}}
+;LANDING_PAGE = home
+
+[database]
+{% if var_forgejo_database_kind == 'sqlite' %}
+DB_TYPE = sqlite3
+PATH = {{var_forgejo_database_data_sqlite_path}}
+{% endif %}
+{% if var_forgejo_database_kind == 'postgresql' %}
+DB_TYPE = postgres
+HOST = {{var_forgejo_database_data_postgresql_host}}:{{var_forgejo_database_data_postgresql_port | string}}
+USER = {{var_forgejo_database_data_postgresql_username}}
+PASSWD = {{var_forgejo_database_data_postgresql_password}}
+NAME = {{var_forgejo_database_data_postgresql_scheme}}
+{% endif %}
+
+[security]
+INSTALL_LOCK = true
+SECRET_KEY = {{var_forgejo_secret_key}}
+INTERNAL_TOKEN = {{var_forgejo_internal_token}}
+DISABLE_GIT_HOOKS = true
+
+[oauth2]
+ENABLED = false
+
+[log]
+MODE = console
+LEVEL = Info
+
+[git]
+HOME_PATH = {{var_forgejo_directory_main}}
+
+[service]
+REGISTER_EMAIL_CONFIRM = false
+
+{% if var_forgejo_authentication_kind == 'internal' %}
+DISABLE_REGISTRATION = false
+ALLOW_ONLY_INTERNAL_REGISTRATION = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+SHOW_REGISTRATION_BUTTON = true
+{% else %}
+DISABLE_REGISTRATION = false
+ALLOW_ONLY_INTERNAL_REGISTRATION = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION = true
+SHOW_REGISTRATION_BUTTON = false
+{% endif %}
+
+;REQUIRE_SIGNIN_VIEW = false
+ENABLE_NOTIFY_MAIL = true
+
+;ENABLE_BASIC_AUTHENTICATION = true
+;ENABLE_REVERSE_PROXY_AUTHENTICATION = false
+;ENABLE_REVERSE_PROXY_AUTHENTICATION_API = false
+;ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
+;ENABLE_REVERSE_PROXY_EMAIL = false
+;ENABLE_REVERSE_PROXY_FULL_NAME = false
+
+;DEFAULT_KEEP_EMAIL_PRIVATE = false
+;DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+;DEFAULT_USER_IS_RESTRICTED = false
+;DEFAULT_USER_VISIBILITY = public
+;ALLOWED_USER_VISIBILITY_MODES = public,limited,private
+;DEFAULT_ORG_VISIBILITY = public
+;DEFAULT_ORG_MEMBER_VISIBLE = false
+;DEFAULT_ENABLE_DEPENDENCIES = true
+;ALLOW_CROSS_REPOSITORY_DEPENDENCIES = true
+ENABLE_USER_HEATMAP = false
+ENABLE_TIMETRACKING = false
+DEFAULT_ENABLE_TIMETRACKING = false
+
+{% if var_forgejo_authentication_kind == 'internal' %}
+SHOW_REGISTRATION_BUTTON = true
+{% else %}
+SHOW_REGISTRATION_BUTTON = false
+{% endif %}
+
+AUTO_WATCH_NEW_REPOS = false
+AUTO_WATCH_ON_CHANGES = false
+
+[repository]
+ROOT = {{var_forgejo_directory_repositories}}
+
+{% if var_forgejo_authentication_kind == 'internal' %}
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+{% else %}
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = true
+WHITELISTED_URIS = {{var_forgejo_authentication_data_authelia_url_base}}
+
+[oauth2_client]
+REGISTER_EMAIL_CONFIRM = false
+OPENID_CONNECT_SCOPES = openid email profile
+ENABLE_AUTO_REGISTRATION = true
+USERNAME = nickname
+{% endif %}
+
+[mailer]
+{% if var_forgejo_email_sending_enabled %}
+ENABLED = true
+SMTP_ADDR = {{var_forgejo_smtp_host}}
+SMTP_PORT = {{var_forgejo_smtp_port | string}}
+FROM = {{var_forgejo_email_sending_sender}}
+USER = {{var_forgejo_smtp_username}}
+PASSWD = {{var_forgejo_smtp_password}}
+{% if var_forgejo_email_sending_html %}
+SEND_AS_PLAIN_TEXT = false
+{% else %}
+SEND_AS_PLAIN_TEXT = true
+{% endif %}
+{% else %}
+ENABLED = false
+{% endif %}
diff --git a/roles/forgejo/templates/systemd-unit.j2 b/roles/forgejo/templates/systemd-unit.j2
new file mode 100644
index 0000000..8e2ed2e
--- /dev/null
+++ b/roles/forgejo/templates/systemd-unit.j2
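Review bot: `DISABLE_REGISTRATION = false` is emitted in both the `internal` and the `authelia` branch of `[service]` with no variable to turn it off, so every deployment of this role is an open-registration forge by default; a role variable (declared in vardef.json like `email_sending_enabled`) rendered as `DISABLE_REGISTRATION = {{ ... }}` would let operators close it without editing the template. `;HTTP_ADDR = {{var_forgejo_listen_address}}` is commented out, so `var_forgejo_listen_address` (defaulting to `0.0.0.0` in roles/forgejo/defaults) is never used and Forgejo binds to its own default, which as far as I know is all interfaces — the plain-HTTP port is then reachable beside the TLS-terminating nginx that only proxies to `localhost`; un-commenting the line and defaulting the variable to `127.0.0.1` keeps it local. `SHOW_REGISTRATION_BUTTON` is set twice inside `[service]` (once per `{% if %}` block), with the second silently overriding the first, so one of the blocks should go. `DISABLE_GIT_HOOKS = true` and `INSTALL_LOCK = true` are good choices for a provisioned instance.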
@@ -0,0 +1,21 @@
+[Unit]
+Description=Forgejo
+After=network.target
+{% if var_forgejo_database_kind == 'postgresql' %}
+Wants=postgresql.service
+After=postgresql.service
+{% endif %}
+
+[Service]
+RestartSec=2s
+Type=simple
+User={{var_forgejo_user}}
+Group={{var_forgejo_user}}
+WorkingDirectory={{var_forgejo_directory_main}}
+ExecStart={{var_forgejo_directory_main}}/forgejo web --config {{var_forgejo_directory_main}}/custom/conf/app.ini
+Restart=always
+# Environment=USER=git HOME=/home/git FORGEJO_WORK_DIR=/var/lib/forgejo
+# Environment=PATH=/path/to/git/bin:/bin:/sbin:/usr/bin:/usr/sbin
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/forgejo/vardef.json b/roles/forgejo/vardef.json
new file mode 100644
index 0000000..025ef2e
--- /dev/null
+++ b/roles/forgejo/vardef.json
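Review bot: The `[Service]` section runs Forgejo as the dedicated user but applies none of the systemd sandboxing the upstream example unit ships with, so a compromise of the web process has the full filesystem view of that user; `ProtectSystem=full`, `PrivateTmp=true` and `NoNewPrivileges=true` are a low-risk starting point, with `ReadWritePaths=` listing the main directory, the repositories directory and the sqlite path so the process keeps write access where it needs it. The two commented `# Environment=` lines are leftovers from the upstream example (they reference `/home/git` and `/var/lib/forgejo`, neither of which this role uses) and can be dropped or replaced by `Environment=HOME={{var_forgejo_directory_main}}` if Forgejo needs HOME set explicitly — worth confirming against its docs.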
@@ -0,0 +1,126 @@ +{ + "user": { + "type": "string", + "mandatory": false + }, + "directory_main": { + "type": "string", + "mandatory": false + }, + "directory_repositories": { + "type": "string", + "mandatory": false + }, + "version": { + "type": "string", + "mandatory": false + }, + "platform": { + "type": "string", + "mandatory": false + }, + "secret_key": { + "type": "string", + "mandatory": true + }, + "internal_token": { + "type": "string", + "mandatory": true + }, + "domain": { + "type": "string", + "mandatory": false + }, + "listen_address": { + "type": "string", + "mandatory": false + }, + "listen_port": { + "type": "integer", + "mandatory": false + }, + "database_kind": { + "mandatory": false, + "type": "string", + "options": [ + "sqlite", + "postgresql" + ] + }, + "database_data_sqlite_path": { + "mandatory": false, + "type": "string" + }, + "database_data_postgresql_host": { + "mandatory": false, + "type": "string" + }, + "database_data_postgresql_port": { + "mandatory": false, + "type": "string" + }, + "database_data_postgresql_username": { + "mandatory": false, + "type": "string" + }, + "database_data_postgresql_password": { + "mandatory": false, + "type": "string" + }, + "database_data_postgresql_schema": { + "mandatory": false, + "type": "string" + }, + "authentication_kind": { + "mandatory": false, + "type": "string", + "options": [ + "internal", + "authelia" + ] + }, + "authentication_data_authelia_url_base": { + "mandatory": false, + "type": "string" + }, + "authentication_data_authelia_client_id": { + "mandatory": false, + "type": "string" + }, + "authentication_data_authelia_client_secret": { + "mandatory": false, + "type": "string" + }, + "smtp_host": { + "mandatory": false, + "type": "string" + }, + "smtp_port": { + "mandatory": false, + "type": "integer" + }, + "smtp_username": { + "mandatory": false, + "type": "string" + }, + "smtp_password": { + "mandatory": false, + "type": "string" + }, + "email_sending_enabled": { + "mandatory": false, 
+ "type": "boolean" + }, + "email_sending_sender": { + "mandatory": false, + "type": "string" + }, + "email_sending_html": { + "mandatory": false, + "type": "boolean" + }, + "title": { + "mandatory": false, + "type": "string" + } +} diff --git a/roles/postgresql-for-forgejo/defaults/main.json b/roles/postgresql-for-forgejo/defaults/main.json new file mode 100644 index 0000000..2fecd7a --- /dev/null +++ b/roles/postgresql-for-forgejo/defaults/main.json @@ -0,0 +1,5 @@ +{ + "var_postgresql_for_forgejo_username": "forgejo_user", + "var_postgresql_for_forgejo_password": "REPLACE_ME", + "var_postgresql_for_forgejo_schema": "forgejo" +} diff --git a/roles/postgresql-for-forgejo/tasks/main.json b/roles/postgresql-for-forgejo/tasks/main.json new file mode 100644 index 0000000..6427c07 --- /dev/null +++ b/roles/postgresql-for-forgejo/tasks/main.json @@ -0,0 +1,49 @@ +[ + { + "name": "packages", + "become": true, + "ansible.builtin.apt": { + "update_cache": true, + "pkg": [ + "acl", + "python3-psycopg2" + ] + } + }, + { + "name": "user", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_user": { + "state": "present", + "name": "{{var_postgresql_for_forgejo_username}}", + "password": "{{var_postgresql_for_forgejo_password}}" + }, + "environment": { + "PGOPTIONS": "-c password_encryption=scram-sha-256" + } + }, + { + "name": "schema", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_db": { + "state": "present", + "name": "{{var_postgresql_for_forgejo_schema}}", + "owner": "{{var_postgresql_for_forgejo_username}}" + } + }, + { + "name": "rights", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_privs": { + "state": "present", + "db": "{{var_postgresql_for_forgejo_schema}}", + "objs": "ALL_IN_SCHEMA", + "roles": "{{var_postgresql_for_forgejo_username}}", + "privs": "ALL", + "grant_option": true + } + } +] From 93cf477d43feaf8b7cc6bd644394857ed2ffa07e Mon Sep 17 00:00:00 2001 
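Review bot: vardef.json declares `database_data_postgresql_schema`, but roles/forgejo/defaults/main.json and config.ini.j2 in the same commit use `var_forgejo_database_data_postgresql_scheme`, so whatever validation vardef drives checks a key that is never rendered while the real variable goes unchecked; pick one spelling (the PostgreSQL role uses `schema`). `database_data_postgresql_port` is typed `"string"` although its default is the integer `5432` and the sibling `listen_port`/`smtp_port` are `"integer"`, so it should be `"type": "integer"` too. `secret_key` and `internal_token` are `mandatory` yet defaults/main.json ships them as `REPLACE_ME`; if `mandatory` does not reject the placeholder, a forgotten override deploys a known `SECRET_KEY`, which is worth a sentence in the role's info.md.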
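Review bot: The `rights` task grants `"privs": "ALL"` with `"grant_option": true` on `ALL_IN_SCHEMA` to the role that the preceding `schema` task already makes the database owner, so the extra step mostly adds the ability for the application role to delegate privileges to other roles, which an application account does not need. Dropping `grant_option` (or the whole task, if ownership is sufficient for Forgejo's migrations — worth verifying) follows least privilege. Forcing `password_encryption=scram-sha-256` via `PGOPTIONS` in the `user` task is a good detail.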
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Fri, 23 Aug 2024 10:26:28 +0200 Subject: [PATCH 48/51] [fix] role:owncloud:auth --- roles/owncloud/templates/env.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/owncloud/templates/env.j2 b/roles/owncloud/templates/env.j2 index eb2c299..1c53400 100644 --- a/roles/owncloud/templates/env.j2 +++ b/roles/owncloud/templates/env.j2 @@ -3,7 +3,7 @@ OCIS_INSECURE="false" PROXY_TLS="false" -{% if var_owncloud_authentication_kind != 'internal' %} +{% if var_owncloud_authentication_kind == 'internal' %} PROXY_AUTOPROVISION_ACCOUNTS="false" {% endif %} From a89fe95c787154e5618c8001bcaf0bbab6e7ae45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Fri, 23 Aug 2024 10:26:38 +0200 Subject: [PATCH 49/51] [mod] role:owncloud:info --- roles/owncloud/info.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/owncloud/info.md b/roles/owncloud/info.md index bb50a4d..b74ee6d 100644 --- a/roles/owncloud/info.md +++ b/roles/owncloud/info.md @@ -11,8 +11,9 @@ Cloud-Plattform [ownCloud](https://owncloud.com/) (the rewrite in Go named "Infi - [ownCloud-Dokumentation | Service | Web](https://doc.owncloud.com/ocis/next/deployment/services/s-list/web.html) - [ownCloud-Dokumentation | Service | Sharing](https://doc.owncloud.com/ocis/next/deployment/services/s-list/sharing.html) - [GitHub | ocis](https://github.com/owncloud/ocis/) +- [ownCloud-Foren | OCIS + Authelia](https://central.owncloud.org/t/ocis-authelia/44222) ## ToDo -- Downlowd prüfen +- Download prüfen From 1ffba118daabcf4778516121f246b44a2454ebe5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Fri, 23 Aug 2024 10:26:46 +0200 Subject: [PATCH 50/51] [mod] todo --- todo.md | 1 - 1 file changed, 1 deletion(-) diff --git a/todo.md b/todo.md index 414e546..fa8064d 100644 --- a/todo.md +++ b/todo.md 
@@ -1,4 +1,3 @@ - postgresql:hba-setup -- [Gitea](https://about.gitea.com/) - [Seafile](https://www.seafile.com/en/home/) From 1ca2b0afbf5f5f13832923df0337c5a44fe8ed5d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Tue, 27 Aug 2024 15:22:52 +0200 Subject: [PATCH 51/51] =?UTF-8?q?[mod]=20role:synapse:Variablen=20f=C3=BCr?= =?UTF-8?q?=20E-Mail-Benachrichtigungen?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/synapse/defaults/main.json | 2 ++ roles/synapse/templates/homeserver.yaml.j2 | 3 ++- roles/synapse/vardef.json | 8 ++++++++ 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/roles/synapse/defaults/main.json b/roles/synapse/defaults/main.json index b9b9a60..791dd98 100644 --- a/roles/synapse/defaults/main.json +++ b/roles/synapse/defaults/main.json @@ -24,6 +24,8 @@ "var_synapse_smtp_port": 587, "var_synapse_smtp_username": "synapse@smtp.example.org", "var_synapse_smtp_password": "REPLACE_ME", + "var_synapse_notifications_via_email_enabled_by_default": false, + "var_synapse_notifications_via_email_delay": "1h", "var_synapse_admin_user_define": true, "var_synapse_admin_user_name": "admin", "var_synapse_admin_user_password": "REPLACE_ME" diff --git a/roles/synapse/templates/homeserver.yaml.j2 b/roles/synapse/templates/homeserver.yaml.j2 index d46f115..a9c6729 100644 --- a/roles/synapse/templates/homeserver.yaml.j2 +++ b/roles/synapse/templates/homeserver.yaml.j2 @@ -172,7 +172,8 @@ email: require_transport_security: true notif_from: "%(app)s | {{var_synapse_title}}" enable_notifs: true - notif_for_new_users: false + notif_for_new_users: {{var_synapse_notifications_via_email_enabled_by_default | to_yaml}} + notif_delay_before_mail: {{var_synapse_notifications_via_email_delay}} subjects: password_reset: "[%(server_name)s] Passwort zurücksetzen" email_validation: "[%(server_name)s] Nutzer-Konto-Freischaltung" 
diff --git a/roles/synapse/vardef.json b/roles/synapse/vardef.json index ebf6005..8c4e584 100644 --- a/roles/synapse/vardef.json +++ b/roles/synapse/vardef.json @@ -110,6 +110,14 @@ "type": "string", "mandatory": true }, + "notifications_via_email_enabled_by_default": { + "type": "boolean", + "mandatory": false + }, + "notifications_via_email_delay": { + "type": "string", + "mandatory": false + }, "admin_user_define": { "type": "boolean", "mandatory": false