From 8b322c0c2ef0ec6c9762e1bc070f043da4ea6d32 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 10 Dec 2023 20:44:52 +0100 Subject: [PATCH 01/11] [int] --- ansible/roles/hedgedoc/defaults/main.json | 5 ++++ ansible/roles/hedgedoc/info.md | 3 ++ ansible/roles/hedgedoc/tasks/main.json | 2 ++ .../roles/hedgedoc/templates/config.json.j2 | 28 +++++++++++++++++++ 4 files changed, 38 insertions(+) create mode 100644 ansible/roles/hedgedoc/defaults/main.json create mode 100644 ansible/roles/hedgedoc/info.md create mode 100644 ansible/roles/hedgedoc/tasks/main.json create mode 100644 ansible/roles/hedgedoc/templates/config.json.j2 diff --git a/ansible/roles/hedgedoc/defaults/main.json b/ansible/roles/hedgedoc/defaults/main.json new file mode 100644 index 0000000..9370b77 --- /dev/null +++ b/ansible/roles/hedgedoc/defaults/main.json @@ -0,0 +1,5 @@ +{ + "var_hedgedoc_session_secret": "session_secret", + "var_hedgedoc_database_path": "/var/hedgedoc/data.sqlite", + "var_hedgedoc_oauth2_provider_name": "external auth", +} diff --git a/ansible/roles/hedgedoc/info.md b/ansible/roles/hedgedoc/info.md new file mode 100644 index 0000000..e2c1fa2 --- /dev/null +++ b/ansible/roles/hedgedoc/info.md @@ -0,0 +1,3 @@ +## Verweise + +- [Projekt-Website](https://docs.hedgedoc.org/) diff --git a/ansible/roles/hedgedoc/tasks/main.json b/ansible/roles/hedgedoc/tasks/main.json new file mode 100644 index 0000000..0d4f101 --- /dev/null +++ b/ansible/roles/hedgedoc/tasks/main.json @@ -0,0 +1,2 @@ +[ +] diff --git a/ansible/roles/hedgedoc/templates/config.json.j2 b/ansible/roles/hedgedoc/templates/config.json.j2 new file mode 100644 index 0000000..d5f04cc --- /dev/null +++ b/ansible/roles/hedgedoc/templates/config.json.j2 
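Review bot: `"var_hedgedoc_session_secret": "session_secret"` gives the value that later becomes HedgeDoc's `sessionSecret` a guessable default, and nothing in the role refuses to run when a playbook forgets to override it, so a forgotten override silently yields forgeable session cookies. Role defaults are meant to be overridden, so keep a placeholder but add a guard at the top of tasks/main.json: `{"name": "refuse placeholder secrets", "ansible.builtin.assert": {"that": ["var_hedgedoc_session_secret != 'session_secret'"], "fail_msg": "set var_hedgedoc_session_secret to a long random value"}}`. The same guard should cover the OAuth2 client secret once one is introduced.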
@@ -0,0 +1,28 @@ +{ + "development": { + "domain": "localhost:3000", + "url": { + "addport": true + }, + "loglevel": "debug", + "sessionSecret": "{{var_hedgedoc_session_secret}}", + "db": { + "dialect": "sqlite", + "storage": "./db.hedgedoc.sqlite" + }, + "urlAddPort": false, + "protocolUseSSL": false, + "oauth2": { + "providerName": "authelia", + "clientId": "b45421efcb7b1e5672d9b2bc55b3fdb2b6c62f3a72668110bd38f77fa1242ece", + "clientSecret": "e8493098b9a280610a2ba9fa0b49f14035a9f048e8505cf4981f0555a2885655", + "scope": "openid email profile", + "userProfileUsernameAttr": "sub", + "userProfileDisplayNameAttr": "name", + "userProfileEmailAttr": "email", + "userProfileUrl": "http://authelia.local:9091/api/oidc/userinfo", + "tokenUrl": "http://authelia.local:9091/api/oidc/token", + "authorizationUrl": "http://authelia.local:9091/api/oidc/authorize" + } + } +} From 5d24351cf64f2e42a57d0bc869d3ac9846336e15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 13 Dec 2023 18:04:57 +0100 Subject: [PATCH 02/11] [fix] role:tlscert_acme_netcup --- .../roles/tlscert_acme_netcup/tasks/main.json | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/ansible/roles/tlscert_acme_netcup/tasks/main.json b/ansible/roles/tlscert_acme_netcup/tasks/main.json index ed198dd..4a9f98f 100644 --- a/ansible/roles/tlscert_acme_netcup/tasks/main.json +++ b/ansible/roles/tlscert_acme_netcup/tasks/main.json @@ -1,14 +1,24 @@ [ { - "name": "packages", + "name": "packages | debian", "become": true, "ansible.builtin.apt": { "pkg": [ "openssl", - "python3-cryptography" + "python3-cryptography", + "python3-pip" ] } }, + { + "name": "packages | python", + "ansible.builtin.pip": { + "name": "nc_dnsapi" + }, + "environment": { + "PIP_BREAK_SYSTEM_PACKAGES": "1" + } + }, { "name": "setup directories | keys", "become": true, 
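Review bot: The `clientId`/`clientSecret` pair written literally into the template (`"clientSecret": "e8493098…"`) is a credential committed to version control; it stays in the repository history even after a later commit replaces it with a variable, so it should be treated as disclosed and the client secret rotated on the Authelia side. The same hunk points `userProfileUrl`, `tokenUrl` and `authorizationUrl` at `http://authelia.local:9091`, so the secret, the authorization code and the access token would all cross the wire in clear text; these endpoints should be `https://`. This is the `development` profile with `loglevel: debug` and `protocolUseSSL: false`, presumably only meant for local testing — a comment at the top of the template saying so would keep it from being deployed as-is.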
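Review bot: `"ansible.builtin.pip": {"name": "nc_dnsapi"}` installs an unpinned package from PyPI into the system interpreter, with `PIP_BREAK_SYSTEM_PACKAGES=1` switching off Debian's PEP 668 guard against overwriting apt-managed modules, so the code that later drives the DNS challenge is whatever the index serves at deploy time. Pin it, `"name": "nc_dnsapi==<tested version>"`, and prefer the module's `"virtualenv"` option over breaking system packages (the interpreter that runs the DNS update must then be that venv's). Without `"become": true` this task installs into the connecting user's site-packages, which may or may not be where the later task looks — worth a comment either way. The task list continues outside this hunk.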
@@ -105,7 +115,7 @@ "name": "dns challenge | wait", "when": "'challenge_data' in temp_acme_data", "ansible.builtin.pause": { - "seconds": 60 + "seconds": 300 } }, { From 5732ffbc00383c2b811d46006aa25ade7465424c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 13 Dec 2023 20:33:53 +0100 Subject: [PATCH 03/11] [fix] roles:hedgedoc:defaults --- ansible/roles/hedgedoc/defaults/main.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/hedgedoc/defaults/main.json b/ansible/roles/hedgedoc/defaults/main.json index 9370b77..c79099c 100644 --- a/ansible/roles/hedgedoc/defaults/main.json +++ b/ansible/roles/hedgedoc/defaults/main.json @@ -1,5 +1,5 @@ { "var_hedgedoc_session_secret": "session_secret", "var_hedgedoc_database_path": "/var/hedgedoc/data.sqlite", - "var_hedgedoc_oauth2_provider_name": "external auth", + "var_hedgedoc_oauth2_provider_name": "external auth" } From d59a64c36d51741dbc9ce2a1ce875b5fa6305fef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 16 Dec 2023 15:13:01 +0100 Subject: [PATCH 04/11] [mod] role:hedgedoc --- ansible/roles/hedgedoc/defaults/main.json | 10 +- ansible/roles/hedgedoc/info.md | 8 +- ansible/roles/hedgedoc/tasks/main.json | 91 +++++++++++++++++++ .../roles/hedgedoc/templates/config.json.j2 | 45 +++++---- .../roles/hedgedoc/templates/systemd-unit.j2 | 13 +++ 5 files changed, 149 insertions(+), 18 deletions(-) create mode 100644 ansible/roles/hedgedoc/templates/systemd-unit.j2 diff --git a/ansible/roles/hedgedoc/defaults/main.json b/ansible/roles/hedgedoc/defaults/main.json index c79099c..b7e9a3c 100644 --- a/ansible/roles/hedgedoc/defaults/main.json +++ b/ansible/roles/hedgedoc/defaults/main.json 
@@ -1,5 +1,13 @@ { + "var_hedgedoc_version": "1.9.9", "var_hedgedoc_session_secret": "session_secret", "var_hedgedoc_database_path": "/var/hedgedoc/data.sqlite", - "var_hedgedoc_oauth2_provider_name": "external auth" + "var_hedgedoc_domain": "hedgedoc.example.org", + "var_hedgedoc_oauth2_enable": false, + "var_hedgedoc_oauth2_provider_name": "external auth", + "var_hedgedoc_oauth2_client_id": "hedgedoc", + "var_hedgedoc_oauth2_client_secret": "REPLACE_ME", + "var_hedgedoc_oauth2_user_profile_url": "https://auth.example.org/profile", + "var_hedgedoc_oauth2_token_url": "https://auth.example.org/token", + "var_hedgedoc_oauth2_authorization_url": "https://auth.example.org/authorization" } diff --git a/ansible/roles/hedgedoc/info.md b/ansible/roles/hedgedoc/info.md index e2c1fa2..7f5ab1a 100644 --- a/ansible/roles/hedgedoc/info.md +++ b/ansible/roles/hedgedoc/info.md @@ -1,3 +1,9 @@ +## Beschreibung + +Kollaborativer Editor [Hedgedoc](https://docs.hedgedoc.org/) + + ## Verweise -- [Projekt-Website](https://docs.hedgedoc.org/) +- [Dokumentation | Manual Installation](https://docs.hedgedoc.org/setup/manual-setup/) +- [Dokumentation | Configuration](https://docs.hedgedoc.org/configuration/) diff --git a/ansible/roles/hedgedoc/tasks/main.json b/ansible/roles/hedgedoc/tasks/main.json index 0d4f101..0285ae7 100644 --- a/ansible/roles/hedgedoc/tasks/main.json +++ b/ansible/roles/hedgedoc/tasks/main.json 
@@ -1,2 +1,93 @@ [ + { + "name": "packages", + "become": true, + "ansible.builtin.apt": { + "pkg": [ + "acl", + "git", + "nodejs", + "npm", + "yarnpkg" + ] + } + }, + { + "name": "link yarn", + "become": true, + "ansible.builtin.file": { + "state": "link", + "src": "/usr/bin/yarnpkg", + "dest": "/usr/bin/yarn" + } + }, + { + "name": "user", + "become": true, + "ansible.builtin.user": { + "name": "hedgedoc", + "create_home": true + } + }, + { + "name": "download", + "become": false, + "ansible.builtin.get_url": { + "url": "https://github.com/hedgedoc/hedgedoc/releases/download/{{var_hedgedoc_version}}/hedgedoc-{{var_hedgedoc_version}}.tar.gz", + "dest": "/tmp/hedgedoc.tar.gz" + } + }, + { + "name": "extract", + "become": true, + "ansible.builtin.unarchive": { + "remote_src": true, + "src": "/tmp/hedgedoc.tar.gz", + "dest": "/opt", + "owner": "hedgedoc" + } + }, + { + "name": "setup", + "become": true, + "become_user": "hedgedoc", + "ansible.builtin.command": { + "chdir": "/opt/hedgedoc", + "cmd": "bin/setup" + } + }, + { + "name": "database", + "become": true, + "ansible.builtin.file": { + "state": "touch", + "path": "{{var_hedgedoc_database_path}}", + "owner": "hedgedoc" + } + }, + { + "name": "configuration", + "become": true, + "ansible.builtin.template": { + "src": "config.json.j2", + "dest": "/opt/hedgedoc/config.json" + } + }, + { + "name": "systemd", + "become": true, + "ansible.builtin.template": { + "src": "systemd-unit.j2", + "dest": "/etc/systemd/system/hedgedoc.service" + } + }, + { + "name": "apply", + "become": true, + "ansible.builtin.systemd_service": { + "enabled": true, + "state": "started", + "name": "hedgedoc" + } + } ] diff --git a/ansible/roles/hedgedoc/templates/config.json.j2 b/ansible/roles/hedgedoc/templates/config.json.j2 index d5f04cc..a1b9b2d 100644 --- a/ansible/roles/hedgedoc/templates/config.json.j2 +++ b/ansible/roles/hedgedoc/templates/config.json.j2 
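Review bot: The `configuration` task writes `config.json` — which carries `sessionSecret` and the OAuth2 `clientSecret` — with the template module's default ownership and mode, so on most hosts it ends up root-owned and world-readable. Give it `"owner": "hedgedoc", "group": "hedgedoc", "mode": "0600"`, and set `"mode": "0600"` on the touched database file as well, since it will hold every note and user record. The `download` task fetches the release tarball with no `checksum`, so a substituted download is installed and run unchanged; add `"checksum": "sha256:<digest of the pinned release>"` next to the URL, ideally as a role variable beside `var_hedgedoc_version`. Downloading to a fixed `/tmp/hedgedoc.tar.gz` as the unprivileged user and then extracting it as root also leaves a window for another local account to swap the file; `ansible.builtin.tempfile` or a path under the hedgedoc home avoids it.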
@@ -1,28 +1,41 @@ { - "development": { - "domain": "localhost:3000", - "url": { - "addport": true - }, - "loglevel": "debug", - "sessionSecret": "{{var_hedgedoc_session_secret}}", + "production": { + "loglevel": "error", "db": { "dialect": "sqlite", - "storage": "./db.hedgedoc.sqlite" + "storage": "{{var_hedgedoc_database_path}}" }, + "sessionSecret": "{{var_hedgedoc_session_secret}}", + "host": "localhost", + "allowOrigin": [ + "localhost" + ], + "domain": "{{var_hedgedoc_domain}}", "urlAddPort": false, - "protocolUseSSL": false, + "protocolUseSSL": true, +{% if var_hedgedoc_oauth2_enable %} "oauth2": { - "providerName": "authelia", - "clientId": "b45421efcb7b1e5672d9b2bc55b3fdb2b6c62f3a72668110bd38f77fa1242ece", - "clientSecret": "e8493098b9a280610a2ba9fa0b49f14035a9f048e8505cf4981f0555a2885655", + "providerName": "{{var_hedgedoc_oauth2_provider_name}}", + "clientID": "{{var_hedgedoc_oauth2_client_id}}", + "clientSecret": "{{var_hedgedoc_oauth2_client_secret}}", "scope": "openid email profile", "userProfileUsernameAttr": "sub", "userProfileDisplayNameAttr": "name", "userProfileEmailAttr": "email", - "userProfileUrl": "http://authelia.local:9091/api/oidc/userinfo", - "tokenUrl": "http://authelia.local:9091/api/oidc/token", - "authorizationUrl": "http://authelia.local:9091/api/oidc/authorize" - } + "userProfileURL": "{{var_hedgedoc_oauth2_user_profile_url}}", + "tokenURL": "{{var_hedgedoc_oauth2_token_url}}", + "authorizationURL": "{{var_hedgedoc_oauth2_authorization_url}}" + }, + "email": false, + "allowEmailRegister": false, +{% else %} + "email": true, + "allowEmailRegister": true, +{% endif %} + "allowAnonymous": false, + "allowAnonymousEdits": true, + "allowFreeURL": true, + "requireFreeURLAuthentication": true, + "defaultPermission": "editable" } } diff --git a/ansible/roles/hedgedoc/templates/systemd-unit.j2 b/ansible/roles/hedgedoc/templates/systemd-unit.j2 new file mode 100644 index 0000000..f2574df --- /dev/null 
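Review bot: The `{% else %}` branch turns on `"email": true` and `"allowEmailRegister": true`, so an instance deployed with `var_hedgedoc_oauth2_enable` at its default `false` accepts self-registration from anyone who can reach it — on a host that, given `protocolUseSSL: true` and a public `domain`, is presumably internet-facing. Make registration its own switch, e.g. `"allowEmailRegister": {{ var_hedgedoc_email_register_enable | default(false) | to_json }},` so accounts are created by the operator unless explicitly opened. `allowOrigin` is still `["localhost"]` while `domain` is now the public name; check the linked configuration doc for whether the served domain has to be listed there. The secrets are interpolated as bare `"{{var_hedgedoc_session_secret}}"`, so a value containing `"` or `\` breaks the JSON — `{{ var_hedgedoc_session_secret | to_json }}` without surrounding quotes is the safer form.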
+++ b/ansible/roles/hedgedoc/templates/systemd-unit.j2 @@ -0,0 +1,13 @@ +[Unit] +Description=Hedgedoc +After=multi-user.target + +[Service] +WorkingDirectory=/opt/hedgedoc +Environment=NODE_ENV=production +ExecStart=yarn start +SyslogIdentifier=hedgedoc + +[Install] +WantedBy=multi-user.target + From 33186a15cccac0d55a2d373534c069228a71be35 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 16 Dec 2023 15:15:35 +0100 Subject: [PATCH 05/11] [add] role:hedgedoc-and-nginx --- .../hedgedoc-and-nginx/defaults/main.json | 3 ++ ansible/roles/hedgedoc-and-nginx/info.md | 8 +++++ .../roles/hedgedoc-and-nginx/tasks/main.json | 35 +++++++++++++++++++ .../hedgedoc-and-nginx/templates/conf.j2 | 32 +++++++++++++++++ 4 files changed, 78 insertions(+) create mode 100644 ansible/roles/hedgedoc-and-nginx/defaults/main.json create mode 100644 ansible/roles/hedgedoc-and-nginx/info.md create mode 100644 ansible/roles/hedgedoc-and-nginx/tasks/main.json create mode 100644 ansible/roles/hedgedoc-and-nginx/templates/conf.j2 diff --git a/ansible/roles/hedgedoc-and-nginx/defaults/main.json b/ansible/roles/hedgedoc-and-nginx/defaults/main.json new file mode 100644 index 0000000..840159e --- /dev/null +++ b/ansible/roles/hedgedoc-and-nginx/defaults/main.json @@ -0,0 +1,3 @@ +{ + "var_hedgedoc_and_nginx_domain": "hedgedoc.example.org" +} diff --git a/ansible/roles/hedgedoc-and-nginx/info.md b/ansible/roles/hedgedoc-and-nginx/info.md new file mode 100644 index 0000000..7437bf0 --- /dev/null +++ b/ansible/roles/hedgedoc-and-nginx/info.md @@ -0,0 +1,8 @@ +## Beschreibung + +Um [Hedgedoc](../hedgedoc) mit mittels [nginx](../nginx)-reverse-proxy laufen zu lassen + + +## Verweise + +- [Hedgedoc-Dokumentation](https://docs.hedgedoc.org/guides/reverse-proxy/#nginx) diff --git a/ansible/roles/hedgedoc-and-nginx/tasks/main.json b/ansible/roles/hedgedoc-and-nginx/tasks/main.json new file mode 100644 index 0000000..40614bb --- /dev/null 
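Review bot: The unit has no `User=`, so `yarn start` and everything HedgeDoc does run as root with the install tree and database writable by the service; a later commit in this series adds `User=`, but the unit still has none of the usual sandboxing (`NoNewPrivileges`, `ProtectSystem`, `PrivateTmp`, `ProtectHome`) and no `Restart=` policy. `After=multi-user.target` on a unit that is itself `WantedBy=multi-user.target` is an ordering loop systemd has to break; `After=network-online.target` is what a network service wants. `ExecStart=yarn start` with a bare command name relies on systemd's fixed search path — `/usr/bin/yarn start`, the symlink the role creates, is unambiguous. Keep `ReadWritePaths` to the directories HedgeDoc actually writes (the database directory and wherever uploads land).

```ini
[Unit]
Description=Hedgedoc
After=network-online.target
Wants=network-online.target

[Service]
; … unchanged: WorkingDirectory, Environment, SyslogIdentifier …
ExecStart=/usr/bin/yarn start
Restart=on-failure
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
ReadWritePaths=/opt/hedgedoc /var/hedgedoc
```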
+++ b/ansible/roles/hedgedoc-and-nginx/tasks/main.json @@ -0,0 +1,35 @@ +[ + { + "name": "deactivate default site", + "become": true, + "ansible.builtin.file": { + "state": "absent", + "dest": "/etc/nginx/sites-enabled/default" + } + }, + { + "name": "emplace configuration | data", + "become": true, + "ansible.builtin.template": { + "src": "conf.j2", + "dest": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}" + } + }, + { + "name": "emplace configuration | link", + "become": true, + "ansible.builtin.file": { + "state": "link", + "src": "/etc/nginx/sites-available/{{var_hedgedoc_and_nginx_domain}}", + "dest": "/etc/nginx/sites-enabled/{{var_hedgedoc_and_nginx_domain}}" + } + }, + { + "name": "restart nginx", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "nginx" + } + } +] diff --git a/ansible/roles/hedgedoc-and-nginx/templates/conf.j2 b/ansible/roles/hedgedoc-and-nginx/templates/conf.j2 new file mode 100644 index 0000000..0760df4 --- /dev/null +++ b/ansible/roles/hedgedoc-and-nginx/templates/conf.j2 
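Review bot: `restart nginx` is unconditional, so a template error takes every site on the host down instead of just failing the play; run `{"name": "check nginx configuration", "become": true, "ansible.builtin.command": {"cmd": "nginx -t"}}` first and use `"state": "reloaded"`, which keeps the running configuration if the new one is rejected. The vhost filename is built from `var_hedgedoc_and_nginx_domain` unsanitised; that is operator input rather than attack surface, but an `ansible.builtin.assert` that it matches a hostname pattern is cheap insurance against a stray `/`.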
@@ -0,0 +1,32 @@ +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +server { + server_name {{var_hedgedoc_and_nginx_domain}}; + + listen [::]:443 ssl http2; + listen 443 ssl http2; + + ssl_certificate /etc/ssl/certs/{{var_hedgedoc_and_nginx_domain}}.pem; + ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem; + + location / { + proxy_pass http://localhost:3000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /socket.io/ { + proxy_pass http://localhost:3000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + } +} From adda3f667720554135ec6620935bd523f62401f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 16 Dec 2023 15:16:45 +0100 Subject: [PATCH 06/11] [add] role:authelia-for-hedgedoc --- .../authelia-for-hedgedoc/defaults/main.json | 5 ++++ ansible/roles/authelia-for-hedgedoc/info.md | 10 +++++++ .../authelia-for-hedgedoc/tasks/main.json | 25 +++++++++++++++++ .../templates/authelia-client-conf.json.j2 | 28 +++++++++++++++++++ 4 files changed, 68 insertions(+) create mode 100644 ansible/roles/authelia-for-hedgedoc/defaults/main.json create mode 100644 ansible/roles/authelia-for-hedgedoc/info.md create mode 100644 ansible/roles/authelia-for-hedgedoc/tasks/main.json create mode 100644 ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 diff --git a/ansible/roles/authelia-for-hedgedoc/defaults/main.json b/ansible/roles/authelia-for-hedgedoc/defaults/main.json new file mode 100644 index 0000000..b1e3329 --- /dev/null +++ b/ansible/roles/authelia-for-hedgedoc/defaults/main.json 
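Review bot: The `/socket.io/` location forwards `Upgrade`/`Connection` but never sets `proxy_http_version 1.1;`, so nginx talks HTTP/1.0 to the backend and the WebSocket upgrade cannot succeed (clients are left with long-polling); the HedgeDoc reverse-proxy guide linked in info.md includes that directive. Nothing listens on port 80 once the default site is removed, so plain-HTTP visitors get a refused connection rather than a redirect, and the HTTPS server sends no `Strict-Transport-Security` header. TLS protocol and cipher settings are inherited from the global nginx.conf here — fine if that file is hardened, worth a comment if it is not.

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name {{var_hedgedoc_and_nginx_domain}};
    return 301 https://$host$request_uri;
}

server {
    # … unchanged: server_name, listen 443, ssl_certificate* …
    add_header Strict-Transport-Security "max-age=63072000" always;

    # … unchanged: location / …

    location /socket.io/ {
        proxy_http_version 1.1;
        # … unchanged: proxy_pass, proxy_set_header lines …
    }
}
```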
@@ -0,0 +1,5 @@ +{ + "var_authelia_for_hedgedoc_hedgedoc_url_base": "https://hedgedoc.example.org", + "var_authelia_for_hedgedoc_client_id": "hedgedoc", + "var_authelia_for_hedgedoc_client_secret": "REPLACE_ME" +} diff --git a/ansible/roles/authelia-for-hedgedoc/info.md b/ansible/roles/authelia-for-hedgedoc/info.md new file mode 100644 index 0000000..ef620fc --- /dev/null +++ b/ansible/roles/authelia-for-hedgedoc/info.md @@ -0,0 +1,10 @@ +## Beschreibung + +Um [Hedgedoc](../hedgedoc) gegen [Authelia](../authelia) authentifizieren zu lassen + + +## Verweise + +- [Authelia-Dokumentation | Configuration: OpenID Connect: Client](https://www.authelia.com/configuration/identity-providers/open-id-connect/#clients) +- [Hedgedoc-Dokumentation | Authelia](https://docs.hedgedoc.org/guides/auth/authelia/) +- [Hedgedoc-Dokumentation | Conf: OAuth2 Login](https://docs.hedgedoc.org/configuration/#oauth2-login) diff --git a/ansible/roles/authelia-for-hedgedoc/tasks/main.json b/ansible/roles/authelia-for-hedgedoc/tasks/main.json new file mode 100644 index 0000000..23c6dab --- /dev/null +++ b/ansible/roles/authelia-for-hedgedoc/tasks/main.json @@ -0,0 +1,25 @@ +[ + { + "name": "configuration | emplace", + "become": true, + "ansible.builtin.template": { + "src": "authelia-client-conf.json.j2", + "dest": "/etc/authelia/conf.d/clients/hedgedoc.json" + } + }, + { + "name": "configuration | apply", + "become": true, + "ansible.builtin.command": { + "cmd": "/usr/bin/authelia-conf-compose" + } + }, + { + "name": "restart service", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "authelia" + } + } +] diff --git a/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 b/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 new file mode 100644 index 0000000..3024226 --- /dev/null +++ b/ansible/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2 
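Review bot: The client configuration dropped into `/etc/authelia/conf.d/clients/hedgedoc.json` contains the OAuth2 client secret in plain text, and the template task sets no `owner`/`mode`, so the file is created with the module's defaults (typically root:root 0644) and is readable by every local account. Add `"mode": "0600"` plus an `owner` matching the account Authelia runs as (not visible in this hunk). `authelia-conf-compose` and the restart run on every play regardless of whether the template changed; registering the template task's result and conditioning both on `is changed` (or a handler) avoids needless restarts of the identity provider.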
@@ -0,0 +1,28 @@ +{ + "id": "{{var_authelia_for_hedgedoc_client_id}}", + "description": "Hedgedoc", + "secret": "{{var_authelia_for_hedgedoc_client_secret}}", + "public": false, + "authorization_policy": "one_factor", + "scopes": [ + "openid", + "email", + "profile" + ], + "redirect_uris": [ + "{{var_authelia_for_hedgedoc_hedgedoc_url_base}}/auth/oauth2/callback" + ], + "grant_types": [ + "refresh_token", + "authorization_code" + ], + "response_types": [ + "code" + ], + "response_modes": [ + "form_post", + "query", + "fragment" + ], + "userinfo_signing_algorithm": "none" +} From b9e036e5526c12a71dc34af56a4cb31d1c9b913d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 00:04:07 +0100 Subject: [PATCH 07/11] [fix] role:hedgedoc --- ansible/roles/hedgedoc/info.md | 5 +++++ ansible/roles/hedgedoc/tasks/main.json | 17 +++++++++++++---- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/ansible/roles/hedgedoc/info.md b/ansible/roles/hedgedoc/info.md index 7f5ab1a..a3c2473 100644 --- a/ansible/roles/hedgedoc/info.md +++ b/ansible/roles/hedgedoc/info.md @@ -7,3 +7,8 @@ Kollaborativer Editor [Hedgedoc](https://docs.hedgedoc.org/) - [Dokumentation | Manual Installation](https://docs.hedgedoc.org/setup/manual-setup/) - [Dokumentation | Configuration](https://docs.hedgedoc.org/configuration/) + + +## Bemerkungen + +- Login über OAuth2 funktioniert vermutlich nicht mit abgelehnten TLS-Zertifikaten (z.B. selbst-signierten) diff --git a/ansible/roles/hedgedoc/tasks/main.json b/ansible/roles/hedgedoc/tasks/main.json index 0285ae7..193af87 100644 --- a/ansible/roles/hedgedoc/tasks/main.json +++ b/ansible/roles/hedgedoc/tasks/main.json @@ -13,7 +13,7 @@ } }, { - "name": "link yarn", + "name": "yarn link", "become": true, "ansible.builtin.file": { "state": "link", @@ -48,7 +48,7 @@ } }, { - "name": "setup", + "name": "setup script", "become": true, "become_user": "hedgedoc", "ansible.builtin.command": { 
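Review bot: `"secret": "{{var_authelia_for_hedgedoc_client_secret}}"` stores the shared secret in clear text in Authelia's client definition; the Authelia client documentation linked from info.md describes supplying it as a password digest (pbkdf2/argon2, produced with `authelia crypto hash generate`) so the file only holds a hash — confirm the expected format for the Authelia version deployed, since plaintext acceptance differs by release. The hedgedoc role's OAuth2 settings presumably only need the authorization-code exchange, so `"refresh_token"` in `grant_types` looks like an unused grant that can be dropped for least privilege. `"authorization_policy": "one_factor"` means a single password unlocks the editor; where second factors are enrolled, `two_factor` is the stronger default. Interpolating the secret with bare `{{ }}` inside quotes breaks the JSON on `"` or `\`; `{{ var | to_json }}` is safer.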
@@ -56,6 +56,15 @@ "cmd": "bin/setup" } }, + { + "name": "var directory", + "become": true, + "ansible.builtin.file": { + "state": "directory", + "path": "{{var_hedgedoc_database_path | dirname}}", + "owner": "hedgedoc" + } + }, { "name": "database", "become": true, @@ -74,7 +83,7 @@ } }, { - "name": "systemd", + "name": "systemd unit", "become": true, "ansible.builtin.template": { "src": "systemd-unit.j2", @@ -82,7 +91,7 @@ } }, { - "name": "apply", + "name": "start", "become": true, "ansible.builtin.systemd_service": { "enabled": true, From 0d4a51564c963f2a76aab8c8dc2668852ed30686 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 11:12:47 +0100 Subject: [PATCH 08/11] =?UTF-8?q?[mod]=20role:hedgedoc:Parameter=20f=C3=BC?= =?UTF-8?q?r=20Nutzer-Name=20und=20Verzeichnis?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ansible/roles/hedgedoc/defaults/main.json | 2 ++ ansible/roles/hedgedoc/tasks/main.json | 14 +++++++------- ansible/roles/hedgedoc/templates/systemd-unit.j2 | 5 +++-- 3 files changed, 12 insertions(+), 9 deletions(-) diff --git a/ansible/roles/hedgedoc/defaults/main.json b/ansible/roles/hedgedoc/defaults/main.json index b7e9a3c..a1c03ed 100644 --- a/ansible/roles/hedgedoc/defaults/main.json +++ b/ansible/roles/hedgedoc/defaults/main.json @@ -1,4 +1,6 @@ { + "var_hedgedoc_user_name": "hedgedoc", + "var_hedgedoc_directory": "/opt/hedgedoc", "var_hedgedoc_version": "1.9.9", "var_hedgedoc_session_secret": "session_secret", "var_hedgedoc_database_path": "/var/hedgedoc/data.sqlite", diff --git a/ansible/roles/hedgedoc/tasks/main.json b/ansible/roles/hedgedoc/tasks/main.json index 193af87..984e44d 100644 --- a/ansible/roles/hedgedoc/tasks/main.json +++ b/ansible/roles/hedgedoc/tasks/main.json @@ -25,7 +25,7 @@ "name": "user", "become": true, "ansible.builtin.user": { - "name": "hedgedoc", + "name": "{{var_hedgedoc_user_name}}", "create_home": true } }, 
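Review bot: The new `var directory` task creates the SQLite directory with `owner` set but no `mode`, so it gets the default 0755 and the database file touched right after it inherits the umask (typically 0644); directory and `data.sqlite` hold every note and user record and should not be world-readable. Add `"mode": "0750"` here and `"mode": "0600"` on the `database` task (outside this hunk), with `"group": "hedgedoc"` on both.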
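Review bot: The account created by the `user` task is a regular login user with a home directory and the default shell; a service account should be `"system": true` with `"shell": "/usr/sbin/nologin"` so nobody can log in interactively as it if a password or key ever lands on it. `create_home: true` may be needed by the `setup script` task that runs as this user — a short comment saying why would stop the next person from removing it.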
@@ -43,8 +43,8 @@ "ansible.builtin.unarchive": { "remote_src": true, "src": "/tmp/hedgedoc.tar.gz", - "dest": "/opt", - "owner": "hedgedoc" + "dest": "{{var_hedgedoc_directory | dirname}}", + "owner": "{{var_hedgedoc_user_name}}" } }, { @@ -52,7 +52,7 @@ "become": true, "become_user": "hedgedoc", "ansible.builtin.command": { - "chdir": "/opt/hedgedoc", + "chdir": "{{var_hedgedoc_directory}}", "cmd": "bin/setup" } }, @@ -62,7 +62,7 @@ "ansible.builtin.file": { "state": "directory", "path": "{{var_hedgedoc_database_path | dirname}}", - "owner": "hedgedoc" + "owner": "{{var_hedgedoc_user_name}}" } }, { @@ -71,7 +71,7 @@ "ansible.builtin.file": { "state": "touch", "path": "{{var_hedgedoc_database_path}}", - "owner": "hedgedoc" + "owner": "{{var_hedgedoc_user_name}}" } }, { @@ -79,7 +79,7 @@ "become": true, "ansible.builtin.template": { "src": "config.json.j2", - "dest": "/opt/hedgedoc/config.json" + "dest": "{{var_hedgedoc_directory}}/config.json" } }, { diff --git a/ansible/roles/hedgedoc/templates/systemd-unit.j2 b/ansible/roles/hedgedoc/templates/systemd-unit.j2 index f2574df..000bd6e 100644 --- a/ansible/roles/hedgedoc/templates/systemd-unit.j2 +++ b/ansible/roles/hedgedoc/templates/systemd-unit.j2 @@ -3,8 +3,9 @@ Description=Hedgedoc After=multi-user.target [Service] -WorkingDirectory=/opt/hedgedoc -Environment=NODE_ENV=production +WorkingDirectory={{var_hedgedoc_directory}} +User={{var_hedgedoc_user_name}} +Environment="NODE_ENV=production" ExecStart=yarn start SyslogIdentifier=hedgedoc From 68a3dc45edf83a90005c855e38781bdc2c5bb509 Mon Sep 17 00:00:00 2001 
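Review bot: Extracting into `{{var_hedgedoc_directory | dirname}}` assumes the tarball's top-level directory is named exactly like the basename of `var_hedgedoc_directory`; with the default `/opt/hedgedoc` that presumably holds for the upstream `hedgedoc-<version>.tar.gz`, but any other value leaves the later `chdir` and `config.json` path pointing at a directory that does not exist. Either document that the basename must be `hedgedoc`, or extract with `"extra_opts": ["--strip-components=1"]` into `"dest": "{{var_hedgedoc_directory}}"` (created beforehand) so the variable is honoured.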
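Review bot: `"become_user": "hedgedoc"` in the `setup script` task is still the literal name while the rest of this commit switches to `{{var_hedgedoc_user_name}}`; with any non-default user name the task tries to become an account that does not exist and the play fails — or, worse, runs against an unrelated pre-existing account of that name. Change it to `"become_user": "{{var_hedgedoc_user_name}}"`.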
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 17 Dec 2023 23:55:42 +0100 Subject: [PATCH 09/11] [add] role:hedgedoc-and-lighttpd --- .../hedgedoc-and-lighttpd/defaults/main.json | 4 +++ ansible/roles/hedgedoc-and-lighttpd/info.md | 8 +++++ .../hedgedoc-and-lighttpd/tasks/main.json | 34 +++++++++++++++++++ .../hedgedoc-and-lighttpd/templates/conf.j2 | 33 ++++++++++++++++++ 4 files changed, 79 insertions(+) create mode 100644 ansible/roles/hedgedoc-and-lighttpd/defaults/main.json create mode 100644 ansible/roles/hedgedoc-and-lighttpd/info.md create mode 100644 ansible/roles/hedgedoc-and-lighttpd/tasks/main.json create mode 100644 ansible/roles/hedgedoc-and-lighttpd/templates/conf.j2 diff --git a/ansible/roles/hedgedoc-and-lighttpd/defaults/main.json b/ansible/roles/hedgedoc-and-lighttpd/defaults/main.json new file mode 100644 index 0000000..16c8d4e --- /dev/null +++ b/ansible/roles/hedgedoc-and-lighttpd/defaults/main.json @@ -0,0 +1,4 @@ +{ + "var_hedgedoc_and_lighttpd_domain": "hedgedoc.example.org", + "var_hedgedoc_and_lighttpd_tls_enable": true +} diff --git a/ansible/roles/hedgedoc-and-lighttpd/info.md b/ansible/roles/hedgedoc-and-lighttpd/info.md new file mode 100644 index 0000000..99a615a --- /dev/null +++ b/ansible/roles/hedgedoc-and-lighttpd/info.md @@ -0,0 +1,8 @@ +## Beschreibung + +- zur Einrichtung von [Lighttpd](../lighttpd) als Reverse-Proxy für [Hedgedoc](../hedgedoc) + + +## Verweise + +- [Hedgedoc-Dokumentation | Using a Reverse Proxy](https://docs.hedgedoc.org/guides/reverse-proxy/) diff --git a/ansible/roles/hedgedoc-and-lighttpd/tasks/main.json b/ansible/roles/hedgedoc-and-lighttpd/tasks/main.json new file mode 100644 index 0000000..1bbe93f --- /dev/null +++ b/ansible/roles/hedgedoc-and-lighttpd/tasks/main.json 
@@ -0,0 +1,34 @@ +[ + { + "name": "activate proxy module", + "become": true, + "ansible.builtin.shell": { + "cmd": "lighttpd-enable-mod proxy || exit 0" + } + }, + { + "name": "emplace configuration | data", + "become": true, + "ansible.builtin.template": { + "src": "conf.j2", + "dest": "/etc/lighttpd/conf-available/{{var_hedgedoc_and_lighttpd_domain}}.conf" + } + }, + { + "name": "emplace configuration | link", + "become": true, + "ansible.builtin.file": { + "state": "link", + "src": "/etc/lighttpd/conf-available/{{var_hedgedoc_and_lighttpd_domain}}.conf", + "dest": "/etc/lighttpd/conf-enabled/{{var_hedgedoc_and_lighttpd_domain}}.conf" + } + }, + { + "name": "restart lighttpd", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "lighttpd" + } + } +] diff --git a/ansible/roles/hedgedoc-and-lighttpd/templates/conf.j2 b/ansible/roles/hedgedoc-and-lighttpd/templates/conf.j2 new file mode 100644 index 0000000..4b6013c --- /dev/null +++ b/ansible/roles/hedgedoc-and-lighttpd/templates/conf.j2 @@ -0,0 +1,33 @@ +$HTTP["host"] == "{{var_hedgedoc_and_lighttpd_domain}}" { + server.name = "{{var_hedgedoc_and_lighttpd_domain}}" + proxy.server = ( + "" => ( + "" => ( + "host" => "127.0.0.1", + "port" => 2400 + ) + ) + ) + proxy.header = ( + "upgrade" => "enable" + ) + +{% if var_hedgedoc_and_lighttpd_tls_enable %} + ## alle Anfragen auf Port 80 + $SERVER["socket"] == ":80" { + ## auf HTTPS umleiten + url.redirect = ("^/(.*)$" => "https://{{var_hedgedoc_and_lighttpd_domain}}/$1") + } + + ## alle Anfragen auf Port 443 + $SERVER["socket"] == ":443" { + ## mit dem SSL-Kram beglücken + ssl.engine = "enable" + ssl.pemfile = "/etc/ssl/certs/{{var_hedgedoc_and_lighttpd_domain}}.pem" + ssl.privkey = "/etc/ssl/keys/{{var_hedgedoc_and_lighttpd_domain}}.pem" + ssl.ca-file = "/etc/ssl/fullchains/{{var_hedgedoc_and_lighttpd_domain}}.pem" + ssl.use-sslv2 = "disable" + ssl.use-sslv3 = "disable" + } +{% endif %} +} 
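Review bot: `lighttpd-enable-mod proxy || exit 0` discards every failure of the enable step, including lighttpd or the helper not being installed, so the play goes on to write a proxy configuration the server cannot load and only the final restart reports the problem, indirectly. Make it idempotent instead — `"creates"` pointing at the symlink the helper creates under `/etc/lighttpd/conf-enabled/` on Debian — and drop the `|| exit 0`; `ansible.builtin.command` is enough, no shell is needed. As with the nginx role, a `lighttpd -tt -f /etc/lighttpd/lighttpd.conf` before `restarted` avoids taking the whole server down on a template error.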
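Review bot: The proxy target is `"port" => 2400`, but the hedgedoc role sets no `port` in config.json and the sibling nginx role proxies to `localhost:3000`, so with the defaults in this series this vhost forwards to a port nothing listens on; use the same backend port (or a shared variable) as the nginx role. `ssl.use-sslv2`/`ssl.use-sslv3` are deprecated in recent lighttpd 1.4 releases and do not raise the floor to TLS 1.2 — `ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")` does — and the TLS listener sets no `Strict-Transport-Security` header (`setenv.add-response-header`). The key path `/etc/ssl/keys/…` differs from the `/etc/ssl/private/…` the nginx role expects; confirm which one the tlscert role writes.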
From e81cbdcedfdb9dbcd1e605d24096b4fd8d2728c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Mon, 18 Dec 2023 00:18:34 +0100 Subject: [PATCH 10/11] [mod] role:hedgedoc:postgresql-Anbindung und mehr Parameter --- ansible/roles/hedgedoc/defaults/main.json | 15 ++++++++--- .../roles/hedgedoc/templates/config.json.j2 | 26 +++++++++++++++++-- 2 files changed, 36 insertions(+), 5 deletions(-) diff --git a/ansible/roles/hedgedoc/defaults/main.json b/ansible/roles/hedgedoc/defaults/main.json index a1c03ed..438eb14 100644 --- a/ansible/roles/hedgedoc/defaults/main.json +++ b/ansible/roles/hedgedoc/defaults/main.json @@ -2,8 +2,14 @@ "var_hedgedoc_user_name": "hedgedoc", "var_hedgedoc_directory": "/opt/hedgedoc", "var_hedgedoc_version": "1.9.9", - "var_hedgedoc_session_secret": "session_secret", - "var_hedgedoc_database_path": "/var/hedgedoc/data.sqlite", + "var_hedgedoc_session_secret": "REPLACE_ME", + "var_hedgedoc_database_kind": "sqlite", + "var_hedgedoc_database_data_sqlite_path": "/var/hedgedoc/data.sqlite", + "var_hedgedoc_database_data_postgresql_host": "localhost", + "var_hedgedoc_database_data_postgresql_port": 5432, + "var_hedgedoc_database_data_postgresql_username": "hedgedoc_user", + "var_hedgedoc_database_data_postgresql_password": "REPLACE_ME", + "var_hedgedoc_database_data_postgresql_schema": "hedgedoc", "var_hedgedoc_domain": "hedgedoc.example.org", "var_hedgedoc_oauth2_enable": false, "var_hedgedoc_oauth2_provider_name": "external auth", 
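Review bot: This hunk renames `var_hedgedoc_database_path` to `var_hedgedoc_database_data_sqlite_path`, but the sqlite branch of config.json.j2 and the `var directory`/`database` tasks in tasks/main.json still read `var_hedgedoc_database_path` (unchanged in this commit), so with the default `sqlite` kind the role now fails on an undefined variable unless the playbook happens to define the old name. Either update those references or keep the old name as an alias in defaults, e.g. `"var_hedgedoc_database_path": "{{ var_hedgedoc_database_data_sqlite_path }}"`.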
@@ -11,5 +17,8 @@ "var_hedgedoc_oauth2_client_secret": "REPLACE_ME", "var_hedgedoc_oauth2_user_profile_url": "https://auth.example.org/profile", "var_hedgedoc_oauth2_token_url": "https://auth.example.org/token", - "var_hedgedoc_oauth2_authorization_url": "https://auth.example.org/authorization" + "var_hedgedoc_oauth2_authorization_url": "https://auth.example.org/authorization", + "var_hedgedoc_guest_allow_create": false, + "var_hedgedoc_guest_allow_change": false, + "var_hedgedoc_free_names_mode": "authed" } diff --git a/ansible/roles/hedgedoc/templates/config.json.j2 b/ansible/roles/hedgedoc/templates/config.json.j2 index a1b9b2d..6c953c5 100644 --- a/ansible/roles/hedgedoc/templates/config.json.j2 +++ b/ansible/roles/hedgedoc/templates/config.json.j2 @@ -1,10 +1,22 @@ { "production": { "loglevel": "error", +{% if var_hedgedoc_database_kind == 'sqlite' %} "db": { "dialect": "sqlite", "storage": "{{var_hedgedoc_database_path}}" }, +{% endif %} +{% if var_hedgedoc_database_kind == 'postgresql' %} + "db": { + "dialect": "postgres", + "host": "{{var_hedgedoc_database_data_postgresql_host}}", + "port": {{var_hedgedoc_database_data_postgresql_port | to_json}}, + "username": "{{var_hedgedoc_database_data_postgresql_username}}", + "password": "{{var_hedgedoc_database_data_postgresql_password}}", + "database": "{{var_hedgedoc_database_data_postgresql_schema}}" + }, +{% endif %} "sessionSecret": "{{var_hedgedoc_session_secret}}", "host": "localhost", "allowOrigin": [ 
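Review bot: The new postgres block interpolates `username`, `password` and `database` as bare `"{{ … }}"` inside JSON quotes, so a database password containing `"` or `\` — common for generated secrets — corrupts config.json at deploy time and the service fails to start, and a crafted value can alter neighbouring keys. The hunk already uses `| to_json` for `port`; use it for the strings too, e.g. `"password": {{var_hedgedoc_database_data_postgresql_password | to_json}},` without surrounding quotes, and likewise for `sessionSecret`. There is no `{% else %}` for an unrecognised `var_hedgedoc_database_kind`, so a typo silently emits no `db` block at all; an `ansible.builtin.assert` on `var_hedgedoc_database_kind in ['sqlite', 'postgresql']` in tasks/main.json would catch it.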
@@ -32,10 +44,20 @@ "email": true, "allowEmailRegister": true, {% endif %} - "allowAnonymous": false, - "allowAnonymousEdits": true, + "allowAnonymous": {{var_hedgedoc_guest_allow_create | to_json}}, + "allowAnonymousEdits": {{var_hedgedoc_guest_allow_edit | to_json}}, +{% if var_hedgedoc_free_names_mode == 'never' %} + "allowFreeURL": false, + "requireFreeURLAuthentication": false, +{% endif %} +{% if var_hedgedoc_free_names_mode == 'authed' %} "allowFreeURL": true, "requireFreeURLAuthentication": true, +{% endif %} +{% if var_hedgedoc_free_names_mode == 'always' %} + "allowFreeURL": true, + "requireFreeURLAuthentication": false, +{% endif %} "defaultPermission": "editable" } } From bf4afbdc7aaa711056502d6b6050d6f5e030edba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Mon, 18 Dec 2023 00:19:03 +0100 Subject: [PATCH 11/11] [add] role:postgresql-for-hedgedoc --- .../defaults/main.json | 5 +++ .../postgresql-for-hedgedoc/tasks/main.json | 45 +++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 ansible/roles/postgresql-for-hedgedoc/defaults/main.json create mode 100644 ansible/roles/postgresql-for-hedgedoc/tasks/main.json diff --git a/ansible/roles/postgresql-for-hedgedoc/defaults/main.json b/ansible/roles/postgresql-for-hedgedoc/defaults/main.json new file mode 100644 index 0000000..a0e1eeb --- /dev/null +++ b/ansible/roles/postgresql-for-hedgedoc/defaults/main.json @@ -0,0 +1,5 @@ +{ + "var_postgresql_for_hedgedoc_username": "hedgedoc_user", + "var_postgresql_for_hedgedoc_password": "REPLACE_ME", + "var_postgresql_for_hedgedoc_schema": "hedgedoc" +} diff --git a/ansible/roles/postgresql-for-hedgedoc/tasks/main.json b/ansible/roles/postgresql-for-hedgedoc/tasks/main.json new file mode 100644 index 0000000..85431cc --- /dev/null +++ b/ansible/roles/postgresql-for-hedgedoc/tasks/main.json 
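Review bot: `"allowAnonymousEdits": {{var_hedgedoc_guest_allow_edit | to_json}}` reads a variable the defaults in this commit do not define — they add `var_hedgedoc_guest_allow_change` — so the template fails with an undefined variable on every host that does not set the `_edit` name itself; pick one name and use it in both files. The three `var_hedgedoc_free_names_mode` branches have no `{% else %}`, so a misspelled mode silently omits `allowFreeURL`/`requireFreeURLAuthentication` and HedgeDoc falls back to its own defaults rather than the intended `authed` behaviour; an `ansible.builtin.assert` on the allowed values in tasks/main.json (or a failing else branch) makes that explicit.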
@@ -0,0 +1,45 @@
+[
+ {
+ "name": "packages",
+ "become": true,
+ "ansible.builtin.apt": {
+ "pkg": [
+ "acl",
+ "python3-psycopg2"
+ ]
+ }
+ },
+ {
+ "name": "user",
+ "become": true,
+ "become_user": "postgres",
+ "community.postgresql.postgresql_user": {
+ "state": "present",
+ "name": "{{var_postgresql_for_hedgedoc_username}}",
+ "password": "{{var_postgresql_for_hedgedoc_password}}"
+ }
+ },
+ {
+ "name": "schema",
+ "become": true,
+ "become_user": "postgres",
+ "community.postgresql.postgresql_db": {
+ "state": "present",
+ "name": "{{var_postgresql_for_hedgedoc_schema}}",
+ "owner": "{{var_postgresql_for_hedgedoc_username}}"
+ }
+ },
+ {
+ "name": "rights",
+ "become": true,
+ "become_user": "postgres",
+ "community.postgresql.postgresql_privs": {
+ "state": "present",
+ "db": "{{var_postgresql_for_hedgedoc_schema}}",
+ "objs": "ALL_IN_SCHEMA",
+ "roles": "{{var_postgresql_for_hedgedoc_username}}",
+ "privs": "ALL",
+ "grant_option": true
+ }
+ }
+]
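Review bot: The `user` task passes `var_postgresql_for_hedgedoc_password` to `postgresql_user` without `"no_log": true`, so the password appears in the play output and in any log or CI capture of the run; add `"no_log": true` to that task. The `rights` task grants `ALL` with `"grant_option": true` to the application role, which lets the hedgedoc user re-grant table privileges to other roles — unnecessary for an application that already owns the database (`owner` in the `schema` task), so drop `grant_option` (and possibly the task, since the owner already has full rights on objects it creates). The authentication method in `pg_hba.conf` for local connections is not visible here; confirm it is `scram-sha-256` rather than `trust` or `md5`.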