Merge pull request 'Rolle | Tandoor' (#6 ) from task-230-tandoor into main

Reviewed-on: #6
[task-230] [mod] kleine Anpassungen
2025-01-12 10:07:19 +01:00 · 2025-01-12 10:05:20 +01:00 · 2025-01-11 15:49:53 +01:00 · 2025-01-11 15:47:48 +01:00 · 2025-01-11 15:45:08 +01:00 · 2025-01-08 22:56:02 +01:00
68 changed files with 488 additions and 783 deletions
--- a/roles/authelia-for-dokuwiki/tasks/main.json
+++ b/roles/authelia-for-dokuwiki/tasks/main.json
@ -1,4 +1,12 @@
 [
 	{
 		"name": "configuration | compute client secret hash",
 		"become": true,
 		"ansible.builtin.shell": {
 			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_dokuwiki_client_secret}} | cut --delimiter=' ' --fields='2-'"
 		},
 		"register": "temp_authelia_for_dokuwiki_client_secret_hashed"
 	},
 	{
 		"name": "configuration | emplace",
 		"become": true,
--- a/roles/authelia-for-dokuwiki/templates/authelia-client-conf.json.j2
+++ b/roles/authelia-for-dokuwiki/templates/authelia-client-conf.json.j2
@ -1,6 +1,6 @@
 {
 	"client_id": "{{var_authelia_for_dokuwiki_client_id}}",
-	"client_secret": "{{var_authelia_for_dokuwiki_client_secret}}",
+	"client_secret": "{{temp_authelia_for_dokuwiki_client_secret_hashed.stdout}}",
 	"client_name": "DokuWiki",
 	"public": false,
 	"authorization_policy": "one_factor",
--- a/roles/authelia-for-forgejo/tasks/main.json
+++ b/roles/authelia-for-forgejo/tasks/main.json
@ -1,4 +1,12 @@
 [
 	{
 		"name": "configuration | compute client secret hash",
 		"become": true,
 		"ansible.builtin.shell": {
 			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_forgejo_client_secret}} | cut --delimiter=' ' --fields='2-'"
 		},
 		"register": "temp_authelia_for_forgejo_client_secret_hashed"
 	},
 	{
 		"name": "configuration | emplace",
 		"become": true,
--- a/roles/authelia-for-forgejo/templates/authelia-client-conf.json.j2
+++ b/roles/authelia-for-forgejo/templates/authelia-client-conf.json.j2
@ -1,6 +1,6 @@
 {
 	"client_id": "{{var_authelia_for_forgejo_client_id}}",
-	"client_secret": "{{var_authelia_for_forgejo_client_secret}}",
+	"client_secret": "{{temp_authelia_for_forgejo_client_secret_hashed.stdout}}",
 	"client_name": "Forgejo",
 	"public": false,
 	"authorization_policy": "one_factor",
--- a/roles/authelia-for-gitlab/tasks/main.json
+++ b/roles/authelia-for-gitlab/tasks/main.json
@ -1,4 +1,12 @@
 [
 	{
 		"name": "configuration | compute client secret hash",
 		"become": true,
 		"ansible.builtin.shell": {
 			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_gitlab_client_secret}} | cut --delimiter=' ' --fields='2-'"
 		},
 		"register": "temp_authelia_for_gitlab_client_secret_hashed"
 	},
 	{
 		"name": "configuration | emplace",
 		"become": true,
--- a/roles/authelia-for-gitlab/templates/authelia-client-conf.json.j2
+++ b/roles/authelia-for-gitlab/templates/authelia-client-conf.json.j2
@ -1,6 +1,6 @@
 {
 	"client_id": "{{var_authelia_for_gitlab_client_id}}",
-	"client_secret": "{{var_authelia_for_gitlab_client_secret}}",
+	"client_secret": "{{temp_authelia_for_gitlab_client_secret_hashed.stdout}}",
 	"client_name": "GitLab",
 	"public": false,
 	"authorization_policy": "one_factor",
--- a/roles/authelia-for-hedgedoc/tasks/main.json
+++ b/roles/authelia-for-hedgedoc/tasks/main.json
@ -1,4 +1,12 @@
 [
 	{
 		"name": "configuration | compute client secret hash",
 		"become": true,
 		"ansible.builtin.shell": {
 			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_hedgedoc_client_secret}} | cut --delimiter=' ' --fields='2-'"
 		},
 		"register": "temp_authelia_for_hedgedoc_client_secret_hashed"
 	},
 	{
 		"name": "configuration | emplace",
 		"become": true,
--- a/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2
+++ b/roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2
@ -1,6 +1,6 @@
 {
 	"client_id": "{{var_authelia_for_hedgedoc_client_id}}",
-	"client_secret": "{{var_authelia_for_hedgedoc_client_secret}}",
+	"client_secret": "{{temp_authelia_for_hedgedoc_client_secret_hashed.stdout}}",
 	"client_name": "Hedgedoc",
 	"public": false,
 	"authorization_policy": "one_factor",
@ -12,10 +12,6 @@
 	"redirect_uris": [
 		"{{var_authelia_for_hedgedoc_hedgedoc_url_base}}/auth/oauth2/callback"
 	],
 	"grant_types": [
 		"refresh_token",
 		"authorization_code"
 	],
 	"response_types": [
 		"code"
 	],
--- a/roles/authelia-for-mas/defaults/main.json
+++ b/roles/authelia-for-mas/defaults/main.json
@ -1,6 +0,0 @@
 {
 	"var_authelia_for_mas_mas_url_base": "https://mas.example.org",
 	"var_authelia_for_mas_id": "01JADRQ54Y0KCQS0AEJQ4YTY36",
 	"var_authelia_for_mas_client_id": "mas",
 	"var_authelia_for_mas_client_secret": "REPLACE_ME"
 }
--- a/roles/authelia-for-mas/info.md
+++ b/roles/authelia-for-mas/info.md
@ -1,8 +0,0 @@
 ## Beschreibung
 Um [MAS](../mas) gegen [Authelia](../authelia) authentifizieren zu lassen
 ## Verweise
 - [MAS-Dokumentation | Configure an upstream SSO provider](https://element-hq.github.io/matrix-authentication-service/setup/sso.html)
--- a/roles/authelia-for-mas/templates/authelia-client-conf.json.j2
+++ b/roles/authelia-for-mas/templates/authelia-client-conf.json.j2
@ -1,16 +0,0 @@
 {
 	"client_id": "{{var_authelia_for_mas_client_id}}",
 	"client_secret": "{{var_authelia_for_mas_client_secret}}",
 	"client_name": "MAS",
 	"public": false,
 	"authorization_policy": "one_factor",
 	"redirect_uris": [
 		"{{var_authelia_for_mas_mas_url_base}}/upstream/callback/{{var_authelia_for_mas_id}}"
 	],
 	"scopes": [
 		"openid",
 		"email",
 		"profile"
 	],
 	"token_endpoint_auth_method": "client_secret_basic"
 }
--- a/roles/authelia-for-mas/vardef.json
+++ b/roles/authelia-for-mas/vardef.json
@ -1,19 +0,0 @@
 {
 	"mas_url_base": {
 		"type": "string",
 		"mandatory": false
 	},
 	"id": {
 		"type": "string",
 		"mandatory": false,
 		"description": "needs to be a ULID"
 	},
 	"client_id": {
 		"type": "string",
 		"mandatory": false
 	},
 	"client_secret": {
 		"type": "string",
 		"mandatory": false
 	}
 }
--- a/roles/authelia-for-owncloud/defaults/main.json
+++ b/roles/authelia-for-owncloud/defaults/main.json
@ -4,5 +4,7 @@
 	"var_authelia_for_owncloud_android_client_id": "owncloud_android",
 	"var_authelia_for_owncloud_android_client_secret": "REPLACE_ME",
 	"var_authelia_for_owncloud_ios_client_id": "owncloud_ios",
-	"var_authelia_for_owncloud_ios_client_secret": "REPLACE_ME"
+	"var_authelia_for_owncloud_ios_client_secret": "REPLACE_ME",
 	"var_authelia_for_owncloud_desktop_client_id": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69",
 	"var_authelia_for_owncloud_desktop_client_secret": "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh"
 }
--- a/roles/authelia-for-owncloud/tasks/main.json
+++ b/roles/authelia-for-owncloud/tasks/main.json
@ -1,4 +1,36 @@
 [
 	{
 		"name": "configuration | compute client secret hash | web",
 		"become": true,
 		"ansible.builtin.shell": {
 			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_owncloud_web_client_secret}} | cut --delimiter=' ' --fields='2-'"
 		},
 		"register": "temp_authelia_for_owncloud_web_client_secret_hashed"
 	},
 	{
 		"name": "configuration | compute client secret hash | android",
 		"become": true,
 		"ansible.builtin.shell": {
 			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_owncloud_android_client_secret}} | cut --delimiter=' ' --fields='2-'"
 		},
 		"register": "temp_authelia_for_owncloud_android_client_secret_hashed"
 	},
 	{
 		"name": "configuration | compute client secret hash | ios",
 		"become": true,
 		"ansible.builtin.shell": {
 			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_owncloud_ios_client_secret}} | cut --delimiter=' ' --fields='2-'"
 		},
 		"register": "temp_authelia_for_owncloud_ios_client_secret_hashed"
 	},
 	{
 		"name": "configuration | compute client secret hash | desktop",
 		"become": true,
 		"ansible.builtin.shell": {
 			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_owncloud_desktop_client_secret}} | cut --delimiter=' ' --fields='2-'"
 		},
 		"register": "temp_authelia_for_owncloud_desktop_client_secret_hashed"
 	},
 	{
 		"name": "configuration | emplace",
 		"become": true,
--- a/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2
+++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2
@ -1,6 +1,6 @@
 {
 	"client_id": "{{var_authelia_for_owncloud_android_client_id}}",
-	"client_secret": "{{var_authelia_for_owncloud_android_client_secret}}",
+	"client_secret": "{{temp_authelia_for_owncloud_android_client_secret_hashed.stdout}}",
 	"client_name": "ownCloud | Android Client",
 	"authorization_policy": "one_factor",
 	"scopes": [
@ -10,6 +10,9 @@
 		"email",
 		"offline_access"
 	],
 	"response_types": [
 		"code"
 	],
 	"redirect_uris": [
 		"oc://android.owncloud.com"
 	]
--- a/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2
+++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2
@ -1,6 +1,6 @@
 {
-	"client_id": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69",
+	"client_id": "{{var_authelia_for_owncloud_desktop_client_id}}",
-	"client_secret": "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh",
+	"client_secret": "{{temp_authelia_for_owncloud_desktop_client_secret_hashed.stdout}}",
 	"client_name": "ownCloud | Desktop Client",
 	"authorization_policy": "one_factor",
 	"scopes": [
@ -10,6 +10,9 @@
 		"email",
 		"offline_access"
 	],
 	"response_types": [
 		"code"
 	],
 	"redirect_uris": [
 		"http://127.0.0.1",
 		"http://localhost"
--- a/roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2
+++ b/roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2
@ -1,6 +1,6 @@
 {
 	"client_id": "{{var_authelia_for_owncloud_ios_client_id}}",
-	"client_secret": "{{var_authelia_for_owncloud_ios_client_secret}}",
+	"client_secret": "{{temp_authelia_for_owncloud_ios_client_secret_hashed.stdout}}",
 	"client_name": "ownCloud | iOS Client",
 	"authorization_policy": "one_factor",
 	"scopes": [
@ -10,6 +10,9 @@
 		"email",
 		"offline_access"
 	],
 	"response_types": [
 		"code"
 	],
 	"redirect_uris": [
 		"oc://ios.owncloud.com",
 		"oc.ios://ios.owncloud.com"
--- a/roles/authelia-for-owncloud/vardef.json
+++ b/roles/authelia-for-owncloud/vardef.json
@ -13,13 +13,21 @@
 	},
 	"android_client_secret": {
 		"type": "string",
-		"mandatory": false
+		"mandatory": true
 	},
 	"ios_client_id": {
 		"type": "string",
 		"mandatory": false
 	},
 	"ios_client_secret": {
 		"type": "string",
 		"mandatory": true
 	},
 	"dektop_client_id": {
 		"type": "string",
 		"mandatory": false
 	},
 	"desktop_client_secret": {
 		"type": "string",
 		"mandatory": false
 	}
--- a/roles/authelia-for-synapse/tasks/main.json
+++ b/roles/authelia-for-synapse/tasks/main.json
@ -1,4 +1,12 @@
 [
 	{
 		"name": "configuration | compute client secret hash",
 		"become": true,
 		"ansible.builtin.shell": {
 			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_synapse_client_secret}} | cut --delimiter=' ' --fields='2-'"
 		},
 		"register": "temp_authelia_for_synapse_client_secret_hashed"
 	},
 	{
 		"name": "configuration | emplace",
 		"become": true,
--- a/roles/authelia-for-synapse/templates/authelia-client-conf.json.j2
+++ b/roles/authelia-for-synapse/templates/authelia-client-conf.json.j2
@ -1,6 +1,6 @@
 {
 	"client_id": "{{var_authelia_for_synapse_client_id}}",
-	"client_secret": "{{var_authelia_for_synapse_client_secret}}",
+	"client_secret": "{{temp_authelia_for_synapse_client_secret_hashed.stdout}}",
 	"client_name": "Synapse",
 	"public": false,
 	"authorization_policy": "one_factor",
--- a/roles/authelia-for-tandoor/defaults/main.json
+++ b/roles/authelia-for-tandoor/defaults/main.json
@ -0,0 +1,5 @@
 {
 	"var_authelia_for_tandoor_tandoor_url_base": "https://tandoor.example.org",
 	"var_authelia_for_tandoor_client_id": "tandoor",
 	"var_authelia_for_tandoor_client_secret": "REPLACE_ME"
 }
--- a/roles/authelia-for-tandoor/info.md
+++ b/roles/authelia-for-tandoor/info.md
@ -0,0 +1,8 @@
 ## Beschreibung
 Um [Tandoor](../tandoor) gegen [Authelia](../authelia) authentifizieren zu lassen
 ## Verweise
 - [allauth-Dokumentation | Authelia](https://django-allauth.readthedocs.io/en/latest/socialaccount/providers/authelia.html)
--- a/roles/authelia-for-tandoor/tasks/main.json
+++ b/roles/authelia-for-tandoor/tasks/main.json
@ -1,10 +1,18 @@
 [
 	{
 		"name": "configuration | compute client secret hash",
 		"become": true,
 		"ansible.builtin.shell": {
 			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_tandoor_client_secret}} | cut --delimiter=' ' --fields='2-'"
 		},
 		"register": "temp_authelia_for_tandoor_client_secret_hashed"
 	},
 	{
 		"name": "configuration | emplace",
 		"become": true,
 		"ansible.builtin.template": {
 			"src": "authelia-client-conf.json.j2",
-			"dest": "/etc/authelia/conf.d/clients/mas.json"
+			"dest": "/etc/authelia/conf.d/clients/tandoor.json"
 		}
 	},
 	{
--- a/roles/authelia-for-tandoor/templates/authelia-client-conf.json.j2
+++ b/roles/authelia-for-tandoor/templates/authelia-client-conf.json.j2
@ -0,0 +1,17 @@
 {
 	"client_id": "{{var_authelia_for_tandoor_client_id}}",
 	"client_secret": "{{temp_authelia_for_tandoor_client_secret_hashed.stdout}}",
 	"client_name": "Tandoor",
 	"public": false,
 	"authorization_policy": "one_factor",
 	"redirect_uris": [
 		"{{var_authelia_for_tandoor_tandoor_url_base}}/accounts/oidc/authelia/login/callback/"
 	],
 	"scopes": [
 		"openid",
 		"email",
 		"profile"
 	],
 	"userinfo_signed_response_alg": "none",
 	"token_endpoint_auth_method": "client_secret_basic"
 }
--- a/roles/authelia-for-vikunja/tasks/main.json
+++ b/roles/authelia-for-vikunja/tasks/main.json
@ -1,4 +1,12 @@
 [
 	{
 		"name": "configuration | compute client secret hash",
 		"become": true,
 		"ansible.builtin.shell": {
 			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_vikunja_client_secret}} | cut --delimiter=' ' --fields='2-'"
 		},
 		"register": "temp_authelia_for_vikunja_client_secret_hashed"
 	},
 	{
 		"name": "configuration | emplace",
 		"become": true,
--- a/roles/authelia-for-vikunja/templates/authelia-client-conf.json.j2
+++ b/roles/authelia-for-vikunja/templates/authelia-client-conf.json.j2
@ -1,6 +1,6 @@
 {
 	"client_id": "{{var_authelia_for_vikunja_client_id}}",
-	"client_secret": "{{var_authelia_for_vikunja_client_secret}}",
+	"client_secret": "{{temp_authelia_for_vikunja_client_secret_hashed.stdout}}",
 	"client_name": "Vikunja",
 	"public": false,
 	"authorization_policy": "one_factor",
--- a/roles/authelia-for-wiki_js/tasks/main.json
+++ b/roles/authelia-for-wiki_js/tasks/main.json
@ -1,4 +1,12 @@
 [
 	{
 		"name": "configuration | compute client secret hash",
 		"become": true,
 		"ansible.builtin.shell": {
 			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_wiki_js_client_secret}} | cut --delimiter=' ' --fields='2-'"
 		},
 		"register": "temp_authelia_for_wiki_js_client_secret_hashed"
 	},
 	{
 		"name": "configuration | emplace",
 		"become": true,
--- a/roles/authelia-for-wiki_js/templates/authelia-client-conf.json.j2
+++ b/roles/authelia-for-wiki_js/templates/authelia-client-conf.json.j2
@ -1,6 +1,6 @@
 {
 	"client_id": "{{var_authelia_for_wiki_js_client_id}}",
-	"client_secret": "{{var_authelia_for_wiki_js_client_secret}}",
+	"client_secret": "{{temp_authelia_for_wiki_js_client_secret_hashed.stdout}}",
 	"client_name": "Wiki.js",
 	"public": false,
 	"authorization_policy": "one_factor",
--- a/roles/authelia/templates/conf-main.json.j2
+++ b/roles/authelia/templates/conf-main.json.j2
@ -173,8 +173,7 @@
 {% endif %}
 {% if var_authelia_notification_mode == "smtp" %}
 		"smtp": {
-			"host": "{{var_authelia_notification_smtp_host}}",
+			"address": "{{var_authelia_notification_smtp_host}}:{{var_authelia_notification_smtp_port | string}}",
 			"port": {{var_authelia_notification_smtp_port | string}},
 			"username": "{{var_authelia_notification_smtp_username}}",
 			"password": "{{var_authelia_notification_smtp_password}}",
 			"sender": "{{var_authelia_notification_smtp_sender}}",
@ -189,7 +188,12 @@
 	"identity_providers": {
 		"oidc": {
 			"hmac_secret": "{{var_authelia_oidc_hmac_secret}}",
-			"issuer_private_key": "{{temp_tls_result.privatekey | replace('\n', '\\n')}}",
+			"jwks": [
 				{
 					"algorithm": "RS256",
 					"key": "{{temp_tls_result.privatekey | replace('\n', '\\n')}}"
 				}
 			],
 			"lifespans": {
 				"access_token": "{{var_authelia_oidc_lifespan_access_token}}",
 				"refresh_token": "{{var_authelia_oidc_lifespan_refresh_token}}"
--- a/roles/mas-and-nginx/defaults/main.json
+++ b/roles/mas-and-nginx/defaults/main.json
@ -1,5 +0,0 @@
 {
 	"var_mas_and_nginx_server_port": 2839,
 	"var_mas_and_nginx_domain": "REPLACE_ME",
 	"var_mas_and_nginx_tls_mode": "force"
 }
--- a/roles/mas-and-nginx/info.md
+++ b/roles/mas-and-nginx/info.md
@ -1,8 +0,0 @@
 ## Beschreibung
 - zur Einrichtung von [nginx](../nginx) als Reverse-Proxy für [MAS](../mas)
 ## Verweise
 - [MAS-Dokumentation | Configuring a reverse proxy](https://element-hq.github.io/matrix-authentication-service/setup/reverse-proxy.html)
--- a/roles/mas-and-nginx/templates/conf.j2
+++ b/roles/mas-and-nginx/templates/conf.j2
@ -1,36 +0,0 @@
 {% macro mas_common() %}
 	location / {
 		proxy_http_version 1.1;
 		proxy_pass http://localhost:{{var_mas_and_nginx_server_port | string}};
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 	}
 {% endmacro %}
 server {
 	server_name {{var_mas_and_nginx_domain}};
 	listen 80;
 	listen [::]:80;
 {% if (var_mas_and_nginx_tls_mode == 'force') %}
 	return 301 https://$http_host$request_uri;
 {% else %}
 {{ mas_common() }}
 {% endif %}
 }
 {% if (var_mas_and_nginx_tls_mode != 'disable') %}
 server {
 	server_name {{var_mas_and_nginx_domain}};
 	listen 443 ssl http2;
 	listen [::]:443 ssl http2;
 	ssl_certificate_key /etc/ssl/private/{{var_mas_and_nginx_domain}}.pem;
 	ssl_certificate /etc/ssl/fullchains/{{var_mas_and_nginx_domain}}.pem;
 	include /etc/nginx/ssl-hardening.conf;
 {{ mas_common() }}
 }
 {% endif %}
--- a/roles/mas-for-synapse/defaults/main.json
+++ b/roles/mas-for-synapse/defaults/main.json
@ -1,5 +0,0 @@
 {
 	"var_mas_for_synapse_synapse_url_base": "https://synapse.example.org",
 	"var_mas_for_synapse_client_id": "01JAE3YFB91XFWEDQY0WFDW5VN",
 	"var_mas_for_synapse_client_secret": "REPLACE_ME"
 }
--- a/roles/mas-for-synapse/info.md
+++ b/roles/mas-for-synapse/info.md
@ -1,9 +0,0 @@
 ## Beschreibung
 Um [Synapse](../synapse) gegen [MAS](../mas) authentifizieren zu lassen
 ## Verweise
 - [Synapse-Dokumentation | OpenID Connect](https://matrix-org.github.io/synapse/latest/openid.html)
 - [MAS-Dokumentation | Homeserver configuration](https://element-hq.github.io/matrix-authentication-service/setup/homeserver.html)
--- a/roles/mas-for-synapse/tasks/main.json
+++ b/roles/mas-for-synapse/tasks/main.json
@ -1,25 +0,0 @@
 [
 	{
 		"name": "configuration | emplace",
 		"become": true,
 		"ansible.builtin.template": {
 			"src": "mas-client-conf.json.j2",
 			"dest": "/opt/mas/conf.d/clients/synapse.json"
 		}
 	},
 	{
 		"name": "configuration | apply",
 		"become": true,
 		"ansible.builtin.command": {
 			"cmd": "/usr/local/bin/mas-conf-compose"
 		}
 	},
 	{
 		"name": "restart service",
 		"become": true,
 		"ansible.builtin.systemd_service": {
 			"state": "restarted",
 			"name": "mas"
 		}
 	}
 ]
--- a/roles/mas-for-synapse/templates/mas-client-conf.json.j2
+++ b/roles/mas-for-synapse/templates/mas-client-conf.json.j2
@ -1,5 +0,0 @@
 {
 	"client_id": "{{var_mas_for_synapse_client_id}}",
 	"client_secret": "{{var_mas_for_synapse_client_secret}}",
 	"client_auth_method": "client_secret_basic"
 }
--- a/roles/mas/defaults/main.json
+++ b/roles/mas/defaults/main.json
@ -1,23 +0,0 @@
 {
 	"var_mas_user": "mas",
 	"var_mas_directory": "/opt/mas",
 	"var_mas_server_server_address": "[::]",
 	"var_mas_server_server_port": 2839,
 	"var_mas_server_server_domain": "mas.example.org",
 	"var_mas_database_host": "postgresql.example.org",
 	"var_mas_database_port": 5432,
 	"var_mas_database_username": "mas_user",
 	"var_mas_database_password": "REPLACE_ME",
 	"var_mas_database_schema": "mas",
 	"var_mas_matrix_server": "synapse.example.org",
 	"var_mas_matrix_secret": "REPLACE_ME",
 	"var_mas_matrix_endpoint": "https://synapse.example.org/",
 	"var_mas_encryption_key": "REPLACE_ME",
 	"var_mas_authentication_upstream_kind": "none",
 	"var_mas_authentication_upstream_data_authelia_url_base": "https://authelia.example.org",
 	"var_mas_authentication_upstream_data_authelia_auth_method": "client_secret_basic",
 	"var_mas_authentication_upstream_data_authelia_scope": "openid profile email",
 	"var_mas_authentication_upstream_data_authelia_id": "01JADRQ54Y0KCQS0AEJQ4YTY36",
 	"var_mas_authentication_upstream_data_authelia_client_id": "mas",
 	"var_mas_authentication_upstream_data_authelia_client_secret": "REPLACE_ME"
 }
--- a/roles/mas/files/conf-compose.py
+++ b/roles/mas/files/conf-compose.py
@ -1,160 +0,0 @@
 #!/usr/bin/env python3
 import sys as _sys
 import os as _os
 import yaml as _yaml
 import json as _json
 import argparse as _argparse
 def file_read(path):
 	handle = open(path, "r")
 	content = handle.read()
 	handle.close()
 	return content
 def file_write(path, content):
 	directory = _os.path.dirname(path)
 	if (not _os.path.exists(directory)):
 		_os.makedirs(directory, exist_ok = True)
 	else:
 		pass
 	handle = open(path, "w")
 	handle.write(content)
 	handle.close()
 	return content
 def dict_merge(core, mantle, path = None):
 	if (path is None):
 		path = []
 	result = {}
 	for source in [core, mantle]:
 		for (key, value_new, ) in source.items():
 			path_ = (path + [key])
 			type_new = type(value_new)
 			if (not (key in result)):
 				result[key] = value_new
 			else:
 				value_old = result[key]
 				type_old = type(value_old)
 				if (value_old is None):
 					result[key] = value_new
 				else:
 					if (not (type_old == type_new)):
 						raise ValueError(
 							"type mismatch at path %s: %s vs. %s"
 							% (
 								".".join(path),
 								str(type_old),
 								str(type_new),
 							)
 						)
 					else:
 						if (type_old == dict):
 							result[key] = dict_merge(value_old, value_new, path_)
 						elif (type_old == list):
 							result[key] = (value_old + value_new)
 						else:
 							result[key] = value_new
 	return result
 def main():
 	## args
 	argument_parser = _argparse.ArgumentParser()
 	argument_parser.add_argument(
 		"-s",
 		"--source-directory",
 		type = str,
 		dest = "source_directory",
 		default = "/opt/mas/conf.d",
 		metavar = "<source-directory>",
 	)
 	argument_parser.add_argument(
 		"-f",
 		"--output-format",
 		type = str,
 		choices = ["json", "yaml"],
 		dest = "output_format",
 		default = "yaml",
 		metavar = "<output-format>",
 	)
 	argument_parser.add_argument(
 		"-o",
 		"--output-path",
 		type = str,
 		dest = "output_path",
 		default = "/opt/mas/config.yaml",
 		metavar = "<output-path>",
 	)
 	args = argument_parser.parse_args()
 	## exec
 	data = {}
 	### base
 	if True:
 		data_raw = _yaml.safe_load(file_read(_os.path.join(args.source_directory, "base.yaml")))
 		data = dict_merge(
 			data,
 			{
 				"secrets": data_raw["secrets"],
 				"passwords": data_raw["passwords"],
 			}
 		)
 	### database
 	if True:
 		data = dict_merge(
 			data,
 			_json.loads(file_read(_os.path.join(args.source_directory, "database.json")))
 		)
 	### http
 	if True:
 		data = dict_merge(
 			data,
 			_json.loads(file_read(_os.path.join(args.source_directory, "http.json")))
 		)
 	### matrix
 	if True:
 		data = dict_merge(
 			data,
 			_json.loads(file_read(_os.path.join(args.source_directory, "matrix.json")))
 		)
 	### upstream
 	if True:
 		data = dict_merge(
 			data,
 			_json.loads(file_read(_os.path.join(args.source_directory, "upstream.json")))
 		)
 	### email
 	if True:
 		data = dict_merge(
 			data,
 			_json.loads(file_read(_os.path.join(args.source_directory, "email.json")))
 		)
 	### clients
 	if True:
 		data = dict_merge(
 			data,
 			{
 				"clients": list(
 					map(
 						lambda name: _json.loads(file_read(_os.path.join(args.source_directory, "clients", name))),
 						_os.listdir(_os.path.join(args.source_directory, "clients"))
 					)
 				),
 			}
 		)
 	## output
 	if True:
 		if (args.output_format == "json"):
 			output_content = _json.dumps(data, indent = "\t")
 		elif (args.output_format == "yaml"):
 			output_content = _yaml.dump(data)
 		else:
 			raise ValueError("invalid output format")
 		file_write(args.output_path, output_content)
 main()
--- a/roles/mas/info.md
+++ b/roles/mas/info.md
@ -1,8 +0,0 @@
 ## Beschreibung
 für [Matrix Authentication Service](https://github.com/element-hq/matrix-authentication-service), was eine OIDC-Portal für [Synapse](../synapse) ist
 ## Verweise
 - [Dokumentation](https://element-hq.github.io/matrix-authentication-service/index.html)
--- a/roles/mas/tasks/main.json
+++ b/roles/mas/tasks/main.json
@ -1,123 +0,0 @@
 [
 	{
 		"name": "user",
 		"become": true,
 		"ansible.builtin.user": {
 			"name": "{{var_mas_user}}",
 			"create_home": true,
 			"home": "{{var_mas_directory}}"
 		}
 	},
 	{
 		"name": "directories",
 		"become": true,
 		"loop": [
 			"{{var_mas_directory}}/conf.d",
 			"{{var_mas_directory}}/conf.d/clients",
 			"{{var_mas_directory}}/scripts"
 		],
 		"ansible.builtin.file": {
 			"state": "directory",
 			"owner": "{{var_mas_user}}",
 			"path": "{{item}}"
 		}
 	},
 	{
 		"name": "download",
 		"become": true,
 		"become_user": "{{var_mas_user}}",
 		"ansible.builtin.get_url": {
 			"url": "https://github.com/element-hq/matrix-authentication-service/releases/latest/download/mas-cli-x86_64-linux.tar.gz",
 			"dest": "/tmp/mas.tar.gz"
 		}
 	},
 	{
 		"name": "extract",
 		"become": true,
 		"become_user": "{{var_mas_user}}",
 		"ansible.builtin.unarchive": {
 			"remote_src": true,
 			"src": "/tmp/mas.tar.gz",
 			"dest": "{{var_mas_directory}}",
 			"owner": "{{var_mas_user}}"
 		}
 	},
 	{
 		"name": "configuration | compose script",
 		"become": true,
 		"ansible.builtin.copy": {
 			"src": "conf-compose.py",
 			"dest": "/usr/local/bin/mas-conf-compose",
 			"mode": "0555"
 		}
 	},
 	{
 		"name": "configuration | base",
 		"become": true,
 		"become_user": "{{var_mas_user}}",
 		"ansible.builtin.shell": {
 			"cmd": "./mas-cli config generate > {{var_mas_directory}}/conf.d/base.yaml",
 			"chdir": "{{var_mas_directory}}"
 		}
 	},
 	{
 		"name": "configuration | database",
 		"become": true,
 		"become_user": "{{var_mas_user}}",
 		"ansible.builtin.template": {
 			"src": "config-database.json.j2",
 			"dest": "{{var_mas_directory}}/conf.d/database.json"
 		}
 	},
 	{
 		"name": "configuration | http",
 		"become": true,
 		"become_user": "{{var_mas_user}}",
 		"ansible.builtin.template": {
 			"src": "config-http.json.j2",
 			"dest": "{{var_mas_directory}}/conf.d/http.json"
 		}
 	},
 	{
 		"name": "configuration | matrix",
 		"become": true,
 		"become_user": "{{var_mas_user}}",
 		"ansible.builtin.template": {
 			"src": "config-matrix.json.j2",
 			"dest": "{{var_mas_directory}}/conf.d/matrix.json"
 		}
 	},
 	{
 		"name": "configuration | upstream",
 		"become": true,
 		"become_user": "{{var_mas_user}}",
 		"ansible.builtin.template": {
 			"src": "config-upstream.json.j2",
 			"dest": "{{var_mas_directory}}/conf.d/upstream.json"
 		}
 	},
 	{
 		"name": "configuration | apply",
 		"become": true,
 		"ansible.builtin.command": {
 			"cmd": "/usr/local/bin/mas-conf-compose"
 		}
 	},
 	{
 		"name": "systemd unit",
 		"become": true,
 		"ansible.builtin.template": {
 			"src": "systemd_unit.j2",
 			"dest": "/etc/systemd/system/mas.service"
 		}
 	},
 	{
 		"name": "run",
 		"become": true,
 		"ansible.builtin.systemd_service": {
 			"name": "mas",
 			"enabled": true,
 			"state": "restarted"
 		}
 	}
 ]
--- a/roles/mas/templates/config-database.json.j2
+++ b/roles/mas/templates/config-database.json.j2
@ -1,9 +0,0 @@
 {
 	"database": {
 		"host": "{{var_mas_database_host}}",
 		"port": {{var_mas_database_port | string}},
 		"username": "{{var_mas_database_username}}",
 		"password": "{{var_mas_database_password}}",
 		"database": "{{var_mas_database_schema}}"
 	}
 }
--- a/roles/mas/templates/config-email.json.j2
+++ b/roles/mas/templates/config-email.json.j2
@ -1,7 +0,0 @@
 {
 	"email": {
 		"from": "Authentication Service <root@localhost>",
 		"reply_to": "Authentication Service <root@localhost>",
 		"transport": "blackhole"
 	}
 }
--- a/roles/mas/templates/config-http.json.j2
+++ b/roles/mas/templates/config-http.json.j2
@ -1,60 +0,0 @@
 {
 	"http": {
 		"listeners": [
 			{
 				"name": "web",
 				"resources": [
 					{
 						"name": "discovery"
 					},
 					{
 						"name": "human"
 					},
 					{
 						"name": "oauth"
 					},
 					{
 						"name": "compat"
 					},
 					{
 						"name": "graphql"
 					},
 					{
 						"name": "assets"
 					}
 				],
 				"binds": [
 					{
 						"address": "{{var_mas_server_server_address}}:{{var_mas_server_server_port | string}}"
 					}
 				],
 				"proxy_protocol": false
 			},
 			{
 				"name": "internal",
 				"resources": [
 					{
 						"name": "health"
 					}
 				],
 				"binds": [
 					{
 						"host": "localhost",
 						"port": 8081
 					}
 				],
 				"proxy_protocol": false
 			}
 		],
 		"trusted_proxies": [
 			"192.168.0.0/16",
 			"172.16.0.0/12",
 			"10.0.0.0/10",
 			"127.0.0.1/8",
 			"fd00::/8",
 			"::1/128"
 		],
 		"public_base": "https://{{var_mas_server_server_domain}}/",
 		"issuer": "https://{{var_mas_server_server_domain}}/"
 	}
 }
--- a/roles/mas/templates/config-matrix.json.j2
+++ b/roles/mas/templates/config-matrix.json.j2
@ -1,7 +0,0 @@
 {
 	"matrix": {
 		"homeserver": "{{var_mas_matrix_server}}",
 		"secret": "{{var_mas_matrix_secret}}",
 		"endpoint": "{{var_mas_matrix_endpoint}}"
 	}
 }
--- a/roles/mas/templates/config-upstream.json.j2
+++ b/roles/mas/templates/config-upstream.json.j2
@ -1,35 +0,0 @@
 {
 {% if var_mas_authentication_upstream_kind == 'none' %}
 {% endif %}
 {% if var_mas_authentication_upstream_kind == 'authelia' %}
 	"upstream_oauth2": {
 		"providers": [
 			{
 				"id": "{{var_mas_authentication_upstream_data_authelia_id}}",
 				"issuer": "{{var_mas_authentication_upstream_data_authelia_url_base}}",
 				"authorization_endpoint": "{{var_mas_authentication_upstream_data_authelia_url_base}}/api/oidc/authorization",
 				"token_endpoint": "{{var_mas_authentication_upstream_data_authelia_url_base}}/api/oidc/token",
 				"token_endpoint_auth_method": "{{var_mas_authentication_upstream_data_authelia_auth_method}}",
 				"scope": "{{var_mas_authentication_upstream_data_authelia_scope}}",
 				"discovery_mode": "insecure",
 				"client_id": "{{var_mas_authentication_upstream_data_authelia_client_id}}",
 				"client_secret": "{{var_mas_authentication_upstream_data_authelia_client_secret}}",
 				"claims_imports": {
 					"localpart": {
 						"action": "require",
 						"template": "{{"{{"}} user.preferred_username {{"}}"}}"
 					},
 					"displayname": {
 						"action": "suggest",
 						"template": "{{"{{"}} user.name {{"}}"}}"
 					},
 					"email": {
 						"action": "suggest",
 						"template": "{{"{{"}} user.email {{"}}"}}",
 						"set_email_verification": "always"
 					}
 				}
 		]
 	}
 {% endif %}	
 }
--- a/roles/mas/templates/systemd_unit.j2
+++ b/roles/mas/templates/systemd_unit.j2
@ -1,15 +0,0 @@
 [Unit]
 Description=MAS
 After=network.target
 [Service]
 WorkingDirectory={{var_mas_directory}}
 ExecStart={{var_mas_directory}}/mas-cli server
 Type=simple
 Restart=always
 User={{var_mas_user}}
 [Install]
 WantedBy=default.target
 RequiredBy=network.target
--- a/roles/mas/vardef.json
+++ b/roles/mas/vardef.json
@ -1,91 +0,0 @@
 {
 	"user": {
 		"type": "string",
 		"mandatory": false
 	},
 	"directory": {
 		"type": "string",
 		"mandatory": false
 	},
 	"server_address": {
 		"type": "string",
 		"mandatory": false
 	},
 	"server_port": {
 		"type": "string",
 		"mandatory": false
 	},
 	"domain": {
 		"type": "string",
 		"mandatory": false
 	},
 	"database_host": {
 		"type": "string",
 		"mandatory": false
 	},
 	"database_port": {
 		"type": "integer",
 		"mandatory": false
 	},
 	"database_username": {
 		"type": "string",
 		"mandatory": false
 	},
 	"database_password": {
 		"type": "string",
 		"mandatory": true
 	},
 	"database_schema": {
 		"type": "string",
 		"mandatory": false
 	},
 	"matrix_server": {
 		"type": "string",
 		"mandatory": false
 	},
 	"matrix_secret": {
 		"type": "string",
 		"mandatory": true
 	},
 	"matrix_endpoint": {
 		"type": "string",
 		"mandatory": false
 	},
 	"encryption_key": {
 		"type": "string",
 		"mandatory": true
 	},
 	"authentication_upstream_kind": {
 		"nullable": false,
 		"type": "string",
 		"options": [
 			"none",
 			"authelia"
 		]
 	},
 	"authentication_upstream_data_authelia_url_base": {
 		"type": "string",
 		"mandatory": false
 	},
 	"authentication_upstream_data_authelia_auth_method": {
 		"type": "string",
 		"mandatory": false
 	},
 	"authentication_upstream_data_authelia_scope": {
 		"type": "string",
 		"mandatory": false
 	},
 	"authentication_upstream_data_authelia_id": {
 		"type": "string",
 		"mandatory": false,
 		"description": "needs to be a ULID"
 	},
 	"authentication_upstream_data_authelia_client_id": {
 		"type": "string",
 		"mandatory": false
 	},
 	"authentication_upstream_data_authelia_client_secret": {
 		"type": "string",
 		"mandatory": false
 	}
 }
--- a/roles/postgresql-for-mas/defaults/main.json
+++ b/roles/postgresql-for-mas/defaults/main.json
@ -1,5 +0,0 @@
 {
 	"var_postgresql_for_mas_username": "mas_user",
 	"var_postgresql_for_mas_password": "REPLACE_ME",
 	"var_postgresql_for_mas_schema": "mas"
 }
--- a/roles/postgresql-for-tandoor/defaults/main.json
+++ b/roles/postgresql-for-tandoor/defaults/main.json
@ -0,0 +1,5 @@
 {
 	"var_postgresql_for_tandoor_username": "tandoor_user",
 	"var_postgresql_for_tandoor_password": "REPLACE_ME",
 	"var_postgresql_for_tandoor_schema": "tandoor"
 }
--- a/roles/postgresql-for-tandoor/tasks/main.json
+++ b/roles/postgresql-for-tandoor/tasks/main.json
@ -6,7 +6,8 @@
 			"update_cache": true,
 			"pkg": [
 				"acl",
-				"python3-psycopg2"
+				"python3-psycopg2",
 				"libpq-dev"
 			]
 		}
 	},
@ -16,8 +17,8 @@
 		"become_user": "postgres",
 		"community.postgresql.postgresql_user": {
 			"state": "present",
-			"name": "{{var_postgresql_for_mas_username}}",
+			"name": "{{var_postgresql_for_tandoor_username}}",
-			"password": "{{var_postgresql_for_mas_password}}"
+			"password": "{{var_postgresql_for_tandoor_password}}"
 		},
 		"environment": {
 			"PGOPTIONS": "-c password_encryption=scram-sha-256"
@ -29,8 +30,8 @@
 		"become_user": "postgres",
 		"community.postgresql.postgresql_db": {
 			"state": "present",
-			"name": "{{var_postgresql_for_mas_schema}}",
+			"name": "{{var_postgresql_for_tandoor_schema}}",
-			"owner": "{{var_postgresql_for_mas_username}}"
+			"owner": "{{var_postgresql_for_tandoor_username}}"
 		}
 	},
 	{
@ -39,9 +40,9 @@
 		"become_user": "postgres",
 		"community.postgresql.postgresql_privs": {
 			"state": "present",
-			"db": "{{var_postgresql_for_mas_schema}}",
+			"db": "{{var_postgresql_for_tandoor_schema}}",
 			"objs": "ALL_IN_SCHEMA",
-			"roles": "{{var_postgresql_for_mas_username}}",
+			"roles": "{{var_postgresql_for_tandoor_username}}",
 			"privs": "ALL",
 			"grant_option": true
 		}
--- a/roles/synapse-and-nginx/info.md
+++ b/roles/synapse-and-nginx/info.md
@ -6,9 +6,3 @@
 ## Verweise
 - [Synapse-Dokumentation über die Nutzung von Reverse-Proxies](https://matrix-org.github.io/synapse/latest/reverse_proxy.html)
 ## ToDo
 - MAS-Einbindung (siehe https://element-hq.github.io/matrix-authentication-service/setup/reverse-proxy.html)
--- a/roles/synapse-and-nginx/templates/conf.j2
+++ b/roles/synapse-and-nginx/templates/conf.j2
@ -1,5 +1,5 @@
 {% macro synapse_common() %}
-	location ~ ^(/_matrix|/_synapse/client|/.well-known) {
+	location ~ ^(/_matrix|/_synapse/client) {
 		proxy_pass http://localhost:8008;
 		proxy_set_header X-Forwarded-For $remote_addr;
 		proxy_set_header X-Forwarded-Proto $scheme;
--- a/roles/synapse/defaults/main.json
+++ b/roles/synapse/defaults/main.json
@ -20,12 +20,6 @@
 	"var_synapse_authentication_data_authelia_client_id": "synapse",
 	"var_synapse_authentication_data_authelia_client_secret": "REPLACE_ME",
 	"var_synapse_authentication_data_authelia_url_base": "https://authelia.example.org",
 	"var_synapse_authentication_data_mas_url_base": "http://localhost:2839",
 	"var_synapse_authentication_data_mas_client_id": "01JAE3YFB91XFWEDQY0WFDW5VN",
 	"var_synapse_authentication_data_mas_client_secret": "REPLACE_ME",
 	"var_synapse_authentication_data_mas_admin_token": "REPLACE_ME",
 	"var_synapse_authentication_data_mas_provider_id": "mas",
 	"var_synapse_authentication_data_mas_provider_name": "MAS",
 	"var_synapse_smtp_host": "smtp.example.org",
 	"var_synapse_smtp_port": 587,
 	"var_synapse_smtp_username": "synapse@smtp.example.org",
--- a/roles/synapse/info.md
+++ b/roles/synapse/info.md
@ -1,6 +1,6 @@
 ## Beschreibung
-Zur Einrichtung des [matrix.org](https://matrix.org/)-Servers Synapse
+Zur Einrichtung des [matrix.org](https://matrix.org/)-Servers [Synapse](https://github.com/element-hq/synapse)
 ## Verweise
@ -9,4 +9,3 @@ Zur Einrichtung des [matrix.org](https://matrix.org/)-Servers Synapse
 - [GitHub-Repository](https://github.com/matrix-org/synapse)
 - [Configuration Manual](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html)
 - [Dokumentation | PostgreSQL](https://matrix-org.github.io/synapse/latest/postgres.html#using-postgres)
 - [MAS-Dokumentation | Homeserver configuration](https://element-hq.github.io/matrix-authentication-service/setup/homeserver.html)
--- a/roles/synapse/templates/homeserver.yaml.j2
+++ b/roles/synapse/templates/homeserver.yaml.j2
@ -126,21 +126,6 @@ oidc_providers:
        email_template: "{{"{{"}} user.email {{"}}"}}"
 {% endif %}
 {% if var_synapse_authentication_kind == 'mas' %}
 enable_registration: false
 enable_registration_without_verification: false
 experimental_features:
  msc3861:
    enabled: true
    issuer: "{{var_synapse_authentication_data_mas_url_base}}"
    client_auth_method: client_secret_basic
    client_id: "{{var_synapse_authentication_data_mas_client_id}}"
    client_secret: "{{var_synapse_authentication_data_mas_client_secret}}"
    admin_token: "{{var_synapse_authentication_data_mas_admin_token}}"
    account_management_url: "{{var_synapse_authentication_data_mas_url_base}}/account"
 {% endif %}
 account_validity:
 bcrypt_rounds: 12
--- a/roles/synapse/vardef.json
+++ b/roles/synapse/vardef.json
@ -71,8 +71,7 @@
 		"mandatory": false,
 		"options": [
 			"internal",
-			"authelia",
+			"authelia"
 			"mas"
 		]
 	},
 	"authentication_data_authelia_provider_id": {
@ -95,30 +94,6 @@
 		"type": "string",
 		"mandatory": false
 	},
 	"authentication_data_mas_url_base": {
 		"type": "string",
 		"mandatory": false
 	},
 	"authentication_data_mas_client_id": {
 		"type": "string",
 		"mandatory": false
 	},
 	"authentication_data_mas_client_secret": {
 		"type": "string",
 		"mandatory": false
 	},
 	"authentication_data_mas_admin_token": {
 		"type": "string",
 		"mandatory": false
 	},
 	"authentication_data_mas_provider_id": {
 		"type": "string",
 		"mandatory": false
 	},
 	"authentication_data_mas_provider_name": {
 		"type": "string",
 		"mandatory": false
 	},
 	"smtp_host": {
 		"type": "string",
 		"mandatory": false
--- a/roles/tandoor-and-nginx/defaults/main.json
+++ b/roles/tandoor-and-nginx/defaults/main.json
@ -0,0 +1,5 @@
 {
 	"var_tandoor_and_nginx_domain": "tandoor.example.org",
 	"var_tandoor_and_nginx_tls_mode": "force",
 	"var_tandoor_and_nginx_directory": "/opt/tandoor"
 }
--- a/roles/tandoor-and-nginx/info.md
+++ b/roles/tandoor-and-nginx/info.md
@ -0,0 +1,4 @@
 ## Verweise
 - [Tandoor-Dokumentation | nginx](https://docs.tandoor.dev/install/manual/#nginx)
--- a/roles/tandoor-and-nginx/tasks/main.json
+++ b/roles/tandoor-and-nginx/tasks/main.json
@ -12,7 +12,7 @@
 		"become": true,
 		"ansible.builtin.template": {
 			"src": "conf.j2",
-			"dest": "/etc/nginx/sites-available/{{var_mas_and_nginx_domain}}"
+			"dest": "/etc/nginx/sites-available/{{var_tandoor_and_nginx_domain}}"
 		}
 	},
 	{
@ -20,8 +20,8 @@
 		"become": true,
 		"ansible.builtin.file": {
 			"state": "link",
-			"src": "/etc/nginx/sites-available/{{var_mas_and_nginx_domain}}",
+			"src": "/etc/nginx/sites-available/{{var_tandoor_and_nginx_domain}}",
-			"dest": "/etc/nginx/sites-enabled/{{var_mas_and_nginx_domain}}"
+			"dest": "/etc/nginx/sites-enabled/{{var_tandoor_and_nginx_domain}}"
 		}
 	},
 	{
--- a/roles/tandoor-and-nginx/templates/conf.j2
+++ b/roles/tandoor-and-nginx/templates/conf.j2
@ -0,0 +1,43 @@
 {% macro tandoor_common() %}
 	location /static {
 		alias {{var_tandoor_and_nginx_directory}}/program/staticfiles;
 	}
 	location /media {
 		alias {{var_tandoor_and_nginx_directory}}/program/mediafiles;
 	}
 	location / {
 		proxy_set_header Host $http_host;
 		proxy_pass http://unix:{{var_tandoor_and_nginx_directory}}/program/recipes.sock;
 		proxy_set_header X-Forwarded-Proto $scheme;
 	}
 {% endmacro %}
 server {
 	listen 80;
 	listen [::]:80;
 	server_name {{var_tandoor_and_nginx_domain}};
 {% if var_tandoor_and_nginx_tls_mode == 'force' %}
 	return 301 https://$http_host$request_uri;
 {% else %}
 {{ tandoor_common() }}
 {% endif %}
 }
 {% if var_tandoor_and_nginx_tls_mode != 'disable' %}
 server {
 	listen 443 ssl;
 	listen [::]:443 ssl;
 	server_name {{var_tandoor_and_nginx_domain}};
 	ssl_certificate_key /etc/ssl/private/{{var_tandoor_and_nginx_domain}}.pem;
 	ssl_certificate /etc/ssl/fullchains/{{var_tandoor_and_nginx_domain}}.pem;
 	include /etc/nginx/ssl-hardening.conf;
 {{ tandoor_common() }}
 }
 {% endif %}
--- a/roles/tandoor-and-nginx/vardef.json
+++ b/roles/tandoor-and-nginx/vardef.json
@ -1,19 +1,19 @@
 {
 	"port": {
 		"type": "integer",
 		"mandatory": false
 	},
 	"domain": {
-		"type": "string",
+		"mandatory": false,
-		"mandatory": false
+		"type": "string"
 	},
 	"port": {
 		"mandatory": false,
 		"type": "integer"
 	},
 	"tls_mode": {
 		"mandatory": false,
 		"type": "string",
 		"options": [
 			"disable",
 			"enable",
 			"force"
-		],
+		]
 		"mandatory": false
 	}
 }
--- a/roles/tandoor/defaults/main.json
+++ b/roles/tandoor/defaults/main.json
@ -0,0 +1,27 @@
 {
 	"var_tandoor_user": "tandoor",
 	"var_tandoor_directory": "/opt/tandoor",
 	"var_tandoor_repository_url": "https://github.com/vabene1111/recipes.git",
 	"var_tandoor_repository_reference": "master",
 	"var_tandoor_database_kind": "sqlite",
 	"var_tandoor_database_data_postgresql_host": "postgresql.example.org",
 	"var_tandoor_database_data_postgresql_port": 5432,
 	"var_tandoor_database_data_postgresql_username": "tandoor_user",
 	"var_tandoor_database_data_postgresql_password": "REPLACE_ME",
 	"var_tandoor_database_data_postgresql_schema": "tandoor",
 	"var_tandoor_authentication_kind": "internal",
 	"var_tandoor_authentication_data_authelia_client_id": "REPLACE_ME",
 	"var_tandoor_authentication_data_authelia_client_secret": "REPLACE_ME",
 	"var_tandoor_authentication_data_authelia_url_base": "https://authelia.example.org",
 	"var_tandoor_authentication_data_authelia_label": "Authelia",
 	"var_tandoor_smtp_host": "smtp.example.org",
 	"var_tandoor_smtp_port": 587,
 	"var_tandoor_smtp_username": "tandoor@smtp.example.org",
 	"var_tandoor_smtp_password": "REPLACE_ME",
 	"var_tandoor_notification_sender": "notification@tandoor.example.org",
 	"var_tandoor_secret_key": "REPLACE_ME",
 	"var_tandoor_admin_username": "admin",
 	"var_tandoor_admin_password": "REPLACE_ME",
 	"var_tandoor_admin_email": "admin@tandoor.example.org",
 	"var_tandoor_domain": "tandoor.exmaple.org"
 }
--- a/roles/tandoor/info.md
+++ b/roles/tandoor/info.md
@ -0,0 +1,18 @@
 ## Beschreibung
 Für Rezepte-Sammlung [Tandoor](https://tandoor.dev/)
 ## Verweise
 - [Tandoor-Dokumentation | Installation](https://docs.tandoor.dev/install/manual/)
 - [Tandoor-Dokumentation | Konfiguration](https://docs.tandoor.dev/system/configuration/)
 - [Tandoor-Dokumentation | Allauth](https://docs.tandoor.dev/features/authentication/#allauth)
 - [Django-Dokumentation | Variable `DJANGO_SUPERUSER_PASSWORD`](https://docs.djangoproject.com/en/5.1/ref/django-admin/#envvar-DJANGO_SUPERUSER_PASSWORD)
 - [allauth-Dokumentation | OpenID Connect](https://docs.allauth.org/en/latest/socialaccount/providers/openid_connect.html)
 - [allauth-Dokumentation | Authelia](https://docs.allauth.org/en/latest/socialaccount/providers/authelia.html)
 ## ToDo
 - Idempotenz
--- a/roles/tandoor/tasks/main.json
+++ b/roles/tandoor/tasks/main.json
@ -0,0 +1,136 @@
 [
 	{
 		"name": "packages",
 		"become": true,
 		"ansible.builtin.apt": {
 			"update_cache": true,
 			"pkg": [
 				"git",
 				"gcc",
 				"libpq-dev",
 				"libldap2-dev",
 				"libsasl2-dev",
 				"python3-venv",
 				"python3-dev",
 				"nodejs",
 				"yarnpkg"
 			]
 		}
 	},
 	{
 		"name": "user and directory",
 		"become": true,
 		"ansible.builtin.user": {
 			"name": "{{var_tandoor_user}}",
 			"create_home": true,
 			"home": "{{var_tandoor_directory}}"
 		}
 	},
 	{
 		"name": "sources",
 		"become": true,
 		"become_user": "{{var_tandoor_user}}",
 		"ansible.builtin.git": {
 			"repo": "{{var_tandoor_repository_url}}",
 			"version": "{{var_tandoor_repository_reference}}",
 			"single_branch": true,
 			"dest": "{{var_tandoor_directory}}/program",
 			"force": true
 		}
 	},
 	{
 		"name": "venv",
 		"become": true,
 		"become_user": "{{var_tandoor_user}}",
 		"ansible.builtin.command": {
 			"chdir": "{{var_tandoor_directory}}",
 			"cmd": "python3 -m venv program"
 		}
 	},
 	{
 		"name": "python requirements",
 		"become": true,
 		"become_user": "{{var_tandoor_user}}",
 		"ansible.builtin.pip": {
 			"virtualenv": "{{var_tandoor_directory}}/program",
 			"virtualenv_python": "python3",
 			"requirements": "{{var_tandoor_directory}}/program/requirements.txt"
 		}
 	},
 	{
 		"name": "configuration",
 		"become": true,
 		"become_user": "{{var_tandoor_user}}",
 		"ansible.builtin.template": {
 			"src": "conf.j2",
 			"dest": "{{var_tandoor_directory}}/program/.env",
 			"mode": "644"
 		}
 	},
 	{
 		"name": "initialize",
 		"become": true,
 		"become_user": "{{var_tandoor_user}}",
 		"environment": {
 			"VIRTUAL_ENV": "{{var_tandoor_directory}}/program"
 		},
 		"loop": [
 			"migrate",
 			"collectstatic --no-input",
 			"collectstatic_js_reverse"
 		],
 		"ansible.builtin.shell": {
 			"chdir": "{{var_tandoor_directory}}/program",
 			"cmd": "bin/python3 manage.py {{item}}"
 		}
 	},
 	{
 		"name": "admin account",
 		"become": true,
 		"become_user": "{{var_tandoor_user}}",
 		"environment": {
 			"VIRTUAL_ENV": "{{var_tandoor_directory}}/program"
 		},
 		"ansible.builtin.shell": {
 			"chdir": "{{var_tandoor_directory}}/program",
 			"cmd": "DJANGO_SUPERUSER_PASSWORD={{var_tandoor_admin_password}} bin/python3 manage.py createsuperuser --no-input --username {{var_tandoor_admin_username}} --email {{var_tandoor_admin_email}}"
 		}
 	},
 	{
 		"name": "frontend stuff | core",
 		"become": true,
 		"become_user": "{{var_tandoor_user}}",
 		"ansible.builtin.shell": {
 			"chdir": "{{var_tandoor_directory}}/program/vue",
 			"cmd": "yarnpkg install && yarnpkg build"
 		}
 	},
 	{
 		"name": "frontend stuff | link",
 		"become": true,
 		"become_user": "{{var_tandoor_user}}",
 		"ansible.builtin.file": {
 			"type": "link",
 			"src": "{{var_tandoor_directory}}/program/cookbook/static/vue",
 			"dest": "{{var_tandoor_directory}}/program/staticfiles/vue",
 		}
 	},
 	{
 		"name": "systemd unit",
 		"become": true,
 		"ansible.builtin.template": {
 			"src": "systemd-unit.j2",
 			"dest": "/etc/systemd/system/tandoor.service"
 		}
 	},
 	{
 		"name": "start",
 		"become": true,
 		"ansible.builtin.systemd_service": {
 			"enabled": true,
 			"state": "started",
 			"name": "tandoor"
 		}
 	}
 ]
--- a/roles/tandoor/templates/conf.j2
+++ b/roles/tandoor/templates/conf.j2
@ -0,0 +1,42 @@
 {% if var_tandoor_database_kind == 'sqlite' %}
 DB_ENGINE=django.db.backends.sqlite3
 {% endif %}
 {% if var_tandoor_database_kind == 'postgresql' %}
 DB_ENGINE=django.db.backends.postgresql
 POSTGRES_HOST={{var_tandoor_database_data_postgresql_host}}
 POSTGRES_DB={{var_tandoor_database_data_postgresql_schema}}
 POSTGRES_PORT={{var_tandoor_database_data_postgresql_port | string}}
 POSTGRES_USER={{var_tandoor_database_data_postgresql_username}}
 POSTGRES_PASSWORD={{var_tandoor_database_data_postgresql_password}}
 {% endif %}
 {% if var_tandoor_authentication_kind == 'internal' %}
 ENABLE_SIGNUP=1
 REMOTE_USER_AUTH=0
 {% endif %}
 {% if var_tandoor_authentication_kind == 'authelia' %}
 ENABLE_SIGNUP=0
 REMOTE_USER_AUTH=1
 SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid
 # SOCIALACCOUNT_PROVIDERS={"openid_connect": {"OAUTH_PKCE_ENABLED": false, "APPS": [{"provider_id": "authelia", "name": "{{var_tandoor_authentication_data_authelia_label}}", "client_id": "{{var_tandoor_authentication_data_authelia_client_id}}", "secret": "{{var_tandoor_authentication_data_authelia_client_secret}}", "settings": {"server_url":"{{var_tandoor_authentication_data_authelia_url_base}}", "token_auth_method": "client_secret_basic", "oauth_pkce_enabled": false}}]}}
 SOCIALACCOUNT_PROVIDERS={"openid_connect": {"APPS": [{"provider_id": "authelia", "name": "{{var_tandoor_authentication_data_authelia_label}}", "client_id": "{{var_tandoor_authentication_data_authelia_client_id}}", "secret": "{{var_tandoor_authentication_data_authelia_client_secret}}", "settings": {"server_url": "{{var_tandoor_authentication_data_authelia_url_base}}/.well-known/openid-configuration"}}]}}
 {% endif %}
 EMAIL_HOST={{var_tandoor_smtp_host}}
 EMAIL_PORT={{var_tandoor_smtp_port | string}}
 EMAIL_HOST_USER={{var_tandoor_smtp_username}}
 EMAIL_HOST_PASSWORD={{var_tandoor_smtp_password}}
 EMAIL_USE_TLS=1
 EMAIL_USE_SSL=0
 DEFAULT_FROM_EMAIL={{var_tandoor_notification_sender}}
 SECRET_KEY={{var_tandoor_secret_key}}
 ALLOWED_HOSTS={{var_tandoor_domain}}
 ENABLE_METRICS=0
 ENABLE_PDF_EXPORT=0
 DEBUG=0
--- a/roles/tandoor/templates/systemd-unit.j2
+++ b/roles/tandoor/templates/systemd-unit.j2
@ -0,0 +1,16 @@
 [Unit]
 Description=Tandoor (gunicorn daemon)
 After=network.target
 [Service]
 Type=simple
 Restart=always
 RestartSec=3
 User={{var_tandoor_user}}
 Group=www-data
 WorkingDirectory={{var_tandoor_directory}}/program
 EnvironmentFile={{var_tandoor_directory}}/program/.env
 ExecStart={{var_tandoor_directory}}/program/bin/gunicorn --capture-output --bind unix:{{var_tandoor_directory}}/program/recipes.sock recipes.wsgi:application
 [Install]
 WantedBy=multi-user.target
--- a/roles/wiki_js/files/wiki-js-cli
+++ b/roles/wiki_js/files/wiki-js-cli
@ -288,7 +288,7 @@ var _wiki_js_cli;
         */
        async function call_finalize(admin_email, admin_password, site_url, telemetry) {
            const http_request = {
-                "target": (_wiki_js_cli.conf.get().api.url_base + "/finalize"),
+                "target": (_url_base + "/finalize"),
                "method": "POST",
                "headers": {
                    "Content-Type": "application/json",
--- a/roles/wiki_js/tasks/main.json
+++ b/roles/wiki_js/tasks/main.json
@ -55,7 +55,8 @@
 		"ansible.builtin.copy": {
 			"src": "wiki-js-cli",
 			"dest": "/usr/local/bin/wiki-js-cli",
-			"mode": "0700"
+			"owner": "{{var_wiki_js_user}}",
 			"mode": "0770"
 		}
 	},
 	{
@ -129,7 +130,7 @@
 		"become_user": "{{var_wiki_js_user}}",
 		"ansible.builtin.command": {
 			"chdir": "{{var_wiki_js_directory}}",
-			"cmd": "/usr/local/bin/wiki-js-cli -b http://127.0.0.1:{{var_wiki_js_port | string}} -u {{var_wiki_js_admin_email_address}} -p {{var_wiki_js_admin_password}} email-settings-set {{var_wiki_js_smtp_host}} {{var_wiki_js_smtp_port}} {{var_wiki_js_smtp_username}} {{var_wiki_js_smtp_password}} {{email_sending_sender_name}} {{email_sending_sender_email_address}}"
+			"cmd": "/usr/local/bin/wiki-js-cli -b http://127.0.0.1:{{var_wiki_js_port | string}} -u {{var_wiki_js_admin_email_address}} -p {{var_wiki_js_admin_password}} email-settings-set {{var_wiki_js_smtp_host}} {{var_wiki_js_smtp_port}} {{var_wiki_js_smtp_username}} {{var_wiki_js_smtp_password}} {{var_wiki_js_email_sending_sender_name}} {{var_wiki_js_email_sending_sender_email_address}}"
 		}
 	},
 	{
Author	SHA1	Message	Date
roydfalk	605737c675	Merge pull request 'Rolle \| Tandoor' (#6 ) from task-230-tandoor into main Reviewed-on: #6	2025-01-12 10:07:19 +01:00
Christian Fraß	eaa5f24046	[task-230] [mod] kleine Anpassungen	2025-01-12 10:05:20 +01:00
Christian Fraß	59ea4e256c	[task-230] [fix] role:postgresql-for-tandoor	2025-01-11 15:49:53 +01:00
Christian Fraß	41ece50aa2	[task-230] [fix] role:postgresql-for-tandoor	2025-01-11 15:47:48 +01:00
Christian Fraß	9a86117869	[task-230] [fix] role:postgresql-for-tandoor	2025-01-11 15:45:08 +01:00
Christian Fraß	5a7f10561c	[task-230] [fix] tandoor: authelia	2025-01-08 22:56:02 +01:00
Christian Fraß	52c675f6e3	[task-230] [add] authelia-for-tandoor	2025-01-08 22:00:01 +01:00
Christian Fraß	f426927df1	[task-230] [mod] tandoor: admin user and auth stuff	2025-01-08 21:59:45 +01:00
Christian Fraß	46a1a98751	[task-230] [fix] tandoor stuff	2025-01-08 20:10:56 +01:00
Christian Fraß	6ce4717a45	[taks-230] [fix] tandoor: systemd-unit-Zeilen	2024-12-31 14:21:14 +01:00
Christian Fraß	173d7790f6	[taks-230] [fix] tandoor: systemd-unit-Einsatz	2024-12-31 13:56:40 +01:00
Christian Fraß	2971154dba	[taks-230] [fix] tandoor: git-Aufruf	2024-12-31 13:40:26 +01:00
Christian Fraß	e740be07f4	[taks-230] [fix] tandoor: Daten nur holen, falls noch nicht da	2024-12-31 13:37:47 +01:00
Christian Fraß	f80e6ee661	[task-230] [mod] tandoor: Befehle in Schleife zusammengefasst [fix] yarn-Befehl korrigiert	2024-12-31 13:34:24 +01:00
Christian Fraß	43c35f0620	[task-230] [mod] tandoor: richtiges Verzeichnis auswählen	2024-12-31 13:23:17 +01:00
Christian Fraß	8ab3117ba8	[task-230] [mod] tandoor: env-Variablen richtig setzen	2024-12-31 13:21:29 +01:00
Christian Fraß	9b473372db	[task-230] [mod] tandoor: Abhängigkeiten installieren	2024-12-31 13:17:26 +01:00
Christian Fraß	5d7019fdee	[task-230] [mod] become-Parameter ergänzt	2024-12-30 17:04:03 +01:00
Christian Fraß	a6a7460230	[task-230] [mod] tandoor: create venv	2024-12-30 17:02:04 +01:00
Christian Fraß	5a1eb1a764	[task-230] [mod] tandoor: fix pip install	2024-12-30 15:09:22 +01:00
Christian Fraß	b2a6c20c94	[task-230] [mod] tandoor: fix pip install	2024-12-30 14:59:39 +01:00
Christian Fraß	4319326513	[task-230] [mod] install path	2024-12-30 14:55:58 +01:00
Christian Fraß	bacbc78b2e	[add] tandoor-and-nginx	2024-12-30 13:35:31 +01:00
Christian Fraß	83fcb5aca2	[add] tandoor	2024-12-30 13:35:21 +01:00
Christian Fraß	5b9545010a	[add] postgresql-for-tandoor	2024-12-30 13:35:11 +01:00
roydfalk	45cd387e99	Merge pull request 'Authelia \| scopes richten' (#5 ) from task-187 into main Reviewed-on: #5	2024-10-26 13:43:32 +02:00
Christian Fraß	9002fc9604	[task-187] [mod] authelia-for-hedgedoc:"grant_types" entfernt	2024-10-26 12:15:12 +02:00
roydfalk	62b4aac895	Merge pull request 'Authelia \| response types richten' (#4 ) from task-186 into main Reviewed-on: #4	2024-10-26 12:13:47 +02:00
roydfalk	9da7a88358	Merge pull request 'Authelia \| client-secrets hashen' (#3 ) from dev-authelia_hashed_client_secrets into main Reviewed-on: #3	2024-10-26 12:10:57 +02:00
Christian Fraß	f2766fcf43	[task-183] [mod] authelia-for-owncloud	2024-10-26 11:54:25 +02:00
Christian Fraß	cef1c0aeda	[task-186] [mod] authelia-for-owncloud:"response_types" zu conf-Vorlagen hinzugefügt	2024-10-26 11:45:47 +02:00
Christian Fraß	b14b80b129	[task-184] [mod] authelia:conf template	2024-10-26 11:13:05 +02:00
Christian Fraß	cd31cdea2e	[task-185] [mod] authelia:conf template	2024-10-26 11:06:20 +02:00
Christian Fraß	4d4059f294	[task-184] [mod] authelia:conf template	2024-10-26 11:05:48 +02:00
Christian Fraß	d690a6454a	[task-183] [mod] authelia-for-vikunja	2024-10-26 10:33:41 +02:00
Christian Fraß	0eaf14609c	[task-183] [mod] authelia-for-synapse	2024-10-26 10:32:43 +02:00
Christian Fraß	50b5dd63e2	[task-183] [mod] authelia-for-owncloud	2024-10-26 10:31:15 +02:00
Christian Fraß	c54ef3281c	[task-183] [mod] authelia-for-hedgedoc	2024-10-26 10:25:00 +02:00
Christian Fraß	40fbc3d001	[task-183] [mod] authelia-for-gitlab	2024-10-26 10:23:55 +02:00
Christian Fraß	a9e1070d46	[task-183] [mod] authelia-for-forgejo	2024-10-26 10:23:40 +02:00
Christian Fraß	ff436ae67c	[task-183] [mod] authelia-for-dokuwiki	2024-10-26 10:20:55 +02:00
Christian Fraß	27ac5d7173	[task-183] [mod] authelia-for-wiki_js	2024-10-26 10:13:25 +02:00
Christian Fraß	05d1c0a8c1	[task-183] [mod] authelia-for-wiki_js	2024-10-26 10:10:47 +02:00
Christian Fraß	13561a2019	[task-183] [mod] authelia-for-wiki_js	2024-10-26 10:07:49 +02:00
Christian Fraß	09e667a34d	[task-183] [mod] authelia-for-wiki_js	2024-10-26 10:00:34 +02:00
Christian Fraß	6aa922a20a	[fix] role:wiki.js:file:cli client	2024-10-26 01:54:27 +02:00
Christian Fraß	30313bff2e	[fix] role:wiki.js	2024-10-26 01:13:25 +02:00
Christian Fraß	6378c0dd92	[fix] role:wiki.js	2024-10-26 01:08:52 +02:00
Christian Fraß	ef84185102	[fix] role:synapse:apt stuff	2024-10-25 10:16:13 +02:00
Christian Fraß	55d5c57cc2	[mod] hedgedoc:default:auth:changed to "internal"	2024-10-17 18:07:16 +02:00
Christian Fraß	6a1e9938f8	[mod] synapse:info	2024-10-13 13:16:00 +02:00
		`@ -0,0 +1,4 @@`
							`## Verweise`

							`- [Tandoor-Dokumentation \| nginx](https://docs.tandoor.dev/install/manual/#nginx)`