From 71292dea5291d5ae3c15b5c06c9470271ced1729 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 13 Oct 2024 11:44:01 +0200 Subject: [PATCH 01/22] [int] --- roles/authelia-for-mas/defaults/main.json | 6 + roles/authelia-for-mas/info.md | 8 ++ roles/authelia-for-mas/tasks/main.json | 25 ++++ .../templates/authelia-client-conf.json.j2 | 16 +++ roles/mas-and-nginx/defaults/main.json | 5 + roles/mas-and-nginx/info.md | 8 ++ roles/mas-and-nginx/tasks/main.json | 35 +++++ roles/mas-and-nginx/templates/conf.j2 | 36 +++++ roles/mas-and-nginx/vardef.json | 19 +++ roles/mas-for-synapse/defaults/main.json | 5 + roles/mas-for-synapse/info.md | 9 ++ roles/mas-for-synapse/tasks/main.json | 25 ++++ .../templates/mas-client-conf.json.j2 | 5 + roles/mas/defaults/main.json | 24 ++++ roles/mas/files/conf-compose.py | 127 ++++++++++++++++++ roles/mas/info.md | 8 ++ roles/mas/tasks/main.json | 87 ++++++++++++ roles/mas/templates/config-base.json.j2 | 109 +++++++++++++++ roles/mas/templates/systemd_unit.j2 | 15 +++ roles/mas/vardef.json | 82 +++++++++++ roles/postgresql-for-mas/defaults/main.json | 5 + roles/postgresql-for-mas/tasks/main.json | 49 +++++++ 22 files changed, 708 insertions(+) create mode 100644 roles/authelia-for-mas/defaults/main.json create mode 100644 roles/authelia-for-mas/info.md create mode 100644 roles/authelia-for-mas/tasks/main.json create mode 100644 roles/authelia-for-mas/templates/authelia-client-conf.json.j2 create mode 100644 roles/mas-and-nginx/defaults/main.json create mode 100644 roles/mas-and-nginx/info.md create mode 100644 roles/mas-and-nginx/tasks/main.json create mode 100644 roles/mas-and-nginx/templates/conf.j2 create mode 100644 roles/mas-and-nginx/vardef.json create mode 100644 roles/mas-for-synapse/defaults/main.json create mode 100644 roles/mas-for-synapse/info.md create mode 100644 roles/mas-for-synapse/tasks/main.json create mode 100644 roles/mas-for-synapse/templates/mas-client-conf.json.j2 create mode 100644 roles/mas/defaults/main.json create mode 100644 roles/mas/files/conf-compose.py 
create mode 100644 roles/mas/info.md create mode 100644 roles/mas/tasks/main.json create mode 100644 roles/mas/templates/config-base.json.j2 create mode 100644 roles/mas/templates/systemd_unit.j2 create mode 100644 roles/mas/vardef.json create mode 100644 roles/postgresql-for-mas/defaults/main.json create mode 100644 roles/postgresql-for-mas/tasks/main.json diff --git a/roles/authelia-for-mas/defaults/main.json b/roles/authelia-for-mas/defaults/main.json new file mode 100644 index 0000000..636a5cb --- /dev/null +++ b/roles/authelia-for-mas/defaults/main.json @@ -0,0 +1,6 @@ +{ + "var_authelia_for_mas_mas_url_base": "https://mas.example.org", + "var_authelia_for_mas_id": "mas", + "var_authelia_for_mas_client_id": "mas", + "var_authelia_for_mas_client_secret": "REPLACE_ME" +} diff --git a/roles/authelia-for-mas/info.md b/roles/authelia-for-mas/info.md new file mode 100644 index 0000000..281cfd0 --- /dev/null +++ b/roles/authelia-for-mas/info.md @@ -0,0 +1,8 @@ +## Beschreibung + +Um [MAS](../mas) gegen [Authelia](../authelia) authentifizieren zu lassen + + +## Verweise + +- [MAS-Dokumentation | Configure an upstream SSO provider](https://element-hq.github.io/matrix-authentication-service/setup/sso.html) diff --git a/roles/authelia-for-mas/tasks/main.json b/roles/authelia-for-mas/tasks/main.json new file mode 100644 index 0000000..3067d3d --- /dev/null +++ b/roles/authelia-for-mas/tasks/main.json @@ -0,0 +1,25 @@ +[ + { + "name": "configuration | emplace", + "become": true, + "ansible.builtin.template": { + "src": "authelia-client-conf.json.j2", + "dest": "/etc/authelia/conf.d/clients/vikunja.json" + } + }, + { + "name": "configuration | apply", + "become": true, + "ansible.builtin.command": { + "cmd": "/usr/bin/authelia-conf-compose" + } + }, + { + "name": "restart service", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "authelia" + } + } +] 
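Review bot: The `configuration | emplace` task renders a file that carries `client_secret` but sets neither `owner` nor `mode`, so with the usual umask the file lands root-owned and world-readable under `/etc/authelia/conf.d/clients/`; add `"mode": "0600"` together with an `owner`/`group` matching the account the Authelia service runs as. The same gap exists in the client file written by roles/mas-for-synapse/tasks/main.json in this patch, which also hard-codes `/opt/mas/conf.d/clients/synapse.json` instead of building the path from `var_mas_directory`. The `configuration | apply` task runs `/usr/bin/authelia-conf-compose` without `changed_when`, so every play reports a change; if the script is idempotent, `"changed_when": false` keeps the report honest.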
diff --git a/roles/authelia-for-mas/templates/authelia-client-conf.json.j2 b/roles/authelia-for-mas/templates/authelia-client-conf.json.j2 new file mode 100644 index 0000000..1310283 --- /dev/null +++ b/roles/authelia-for-mas/templates/authelia-client-conf.json.j2 @@ -0,0 +1,16 @@ +{ + "client_id": "{{var_authelia_for_mas_client_id}}", + "client_secret": "{{var_authelia_for_mas_client_secret}}", + "client_name": "MAS", + "public": false, + "authorization_policy": "one_factor", + "redirect_uris": [ + "{{var_authelia_for_mas_mas_url_base}}/upstream/callback/{{var_authelia_for_mas_id}}" + ], + "scopes": [ + "openid", + "email", + "profile" + ], + "token_endpoint_auth_method": "client_secret_basic" +} diff --git a/roles/mas-and-nginx/defaults/main.json b/roles/mas-and-nginx/defaults/main.json new file mode 100644 index 0000000..f3be49f --- /dev/null +++ b/roles/mas-and-nginx/defaults/main.json @@ -0,0 +1,5 @@ +{ + "var_mas_and_nginx_server_port": 2839, + "var_mas_and_nginx_domain": "REPLACE_ME", + "var_mas_and_nginx_tls_mode": "force" +} diff --git a/roles/mas-and-nginx/info.md b/roles/mas-and-nginx/info.md new file mode 100644 index 0000000..117fbee --- /dev/null +++ b/roles/mas-and-nginx/info.md @@ -0,0 +1,8 @@ +## Beschreibung + +- zur Einrichtung von [nginx](../nginx) als Reverse-Proxy für [MAS](../mas) + + +## Verweise + +- [MAS-Dokumentation | Configuring a reverse proxy](https://element-hq.github.io/matrix-authentication-service/setup/reverse-proxy.html) diff --git a/roles/mas-and-nginx/tasks/main.json b/roles/mas-and-nginx/tasks/main.json new file mode 100644 index 0000000..63a1213 --- /dev/null +++ b/roles/mas-and-nginx/tasks/main.json 
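Review bot: `client_secret` is rendered verbatim from `var_authelia_for_mas_client_secret`; recent Authelia releases expect the OIDC client secret in hashed form (a pbkdf2 or argon2 digest) and warn on plaintext, so confirm the target version and, if it applies, keep the digest here and the plaintext only on the MAS side. `authorization_policy` is `one_factor`, meaning a single factor at Authelia is enough to obtain a Matrix session through MAS; `two_factor` is worth considering where the Authelia deployment enforces it for other clients. `token_endpoint_auth_method` is `client_secret_basic`, which the MAS provider configuration that pairs with this registration has to match.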
@@ -0,0 +1,35 @@ +[ + { + "name": "deactivate default site", + "become": true, + "ansible.builtin.file": { + "state": "absent", + "dest": "/etc/nginx/sites-enabled/default" + } + }, + { + "name": "emplace configuration | data", + "become": true, + "ansible.builtin.template": { + "src": "conf.j2", + "dest": "/etc/nginx/sites-available/{{var_mas_and_nginx_domain}}" + } + }, + { + "name": "emplace configuration | link", + "become": true, + "ansible.builtin.file": { + "state": "link", + "src": "/etc/nginx/sites-available/{{var_mas_and_nginx_domain}}", + "dest": "/etc/nginx/sites-enabled/{{var_mas_and_nginx_domain}}" + } + }, + { + "name": "restart nginx", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "nginx" + } + } +] diff --git a/roles/mas-and-nginx/templates/conf.j2 b/roles/mas-and-nginx/templates/conf.j2 new file mode 100644 index 0000000..779f527 --- /dev/null +++ b/roles/mas-and-nginx/templates/conf.j2 @@ -0,0 +1,36 @@ +{% macro mas_common() %} + location / { + proxy_http_version 1.1; + proxy_pass http://localhost:{{var_mas_and_nginx_server_port | string}}; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } +{% endmacro %} + +server { + server_name {{var_mas_and_nginx_domain}}; + + listen 80; + listen [::]:80; + +{% if (var_mas_and_nginx_tls_mode == 'force') %} + return 301 https://$http_host$request_uri; +{% else %} +{{ mas_common() }} +{% endif %} +} + +{% if (var_mas_and_nginx_tls_mode != 'disable') %} +server { + server_name {{var_mas_and_nginx_domain}}; + + listen 443 ssl http2; + listen [::]:443 ssl http2; + + ssl_certificate_key /etc/ssl/private/{{var_mas_and_nginx_domain}}.pem; + ssl_certificate /etc/ssl/fullchains/{{var_mas_and_nginx_domain}}.pem; + include /etc/nginx/ssl-hardening.conf; + +{{ mas_common() }} +} +{% endif %} diff --git a/roles/mas-and-nginx/vardef.json b/roles/mas-and-nginx/vardef.json new file mode 100644 index 0000000..2ae6020 --- /dev/null 
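Review bot: `mas_common()` forwards only `X-Forwarded-For`; nginx rewrites the `Host` header to the upstream address unless told otherwise and nothing conveys the original scheme, so MAS sees every request as plain HTTP to `localhost:{{var_mas_and_nginx_server_port}}` — the MAS reverse-proxy example, as far as I recall, sets both headers. Add `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-Proto $scheme;` next to the existing `proxy_set_header` line. Note also that with `tls_mode` at `disable` or `enable` the `location /` block is served on port 80, so the login form and tokens travel in cleartext; `force` is the only mode that avoids that, which roles/mas-and-nginx/info.md should state.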
+++ b/roles/mas-and-nginx/vardef.json @@ -0,0 +1,19 @@ +{ + "port": { + "type": "integer", + "mandatory": false + }, + "domain": { + "type": "string", + "mandatory": false + }, + "tls_mode": { + "type": "string", + "options": [ + "disable", + "enable", + "force" + ], + "mandatory": false + } +} diff --git a/roles/mas-for-synapse/defaults/main.json b/roles/mas-for-synapse/defaults/main.json new file mode 100644 index 0000000..c90cf80 --- /dev/null +++ b/roles/mas-for-synapse/defaults/main.json @@ -0,0 +1,5 @@ +{ + "var_mas_for_synapse_synapse_url_base": "https://synapse.example.org", + "var_mas_for_synapse_client_id": "synapse", + "var_mas_for_synapse_client_secret": "REPLACE_ME" +} diff --git a/roles/mas-for-synapse/info.md b/roles/mas-for-synapse/info.md new file mode 100644 index 0000000..f22001b --- /dev/null +++ b/roles/mas-for-synapse/info.md @@ -0,0 +1,9 @@ +## Beschreibung + +Um [Synapse](../synapse) gegen [MAS](../mas) authentifizieren zu lassen + + +## Verweise + +- [Synapse-Dokumentation | OpenID Connect](https://matrix-org.github.io/synapse/latest/openid.html) +- [MAS-Dokumentation | Homeserver configuration](https://element-hq.github.io/matrix-authentication-service/setup/homeserver.html) diff --git a/roles/mas-for-synapse/tasks/main.json b/roles/mas-for-synapse/tasks/main.json new file mode 100644 index 0000000..5eeb79b --- /dev/null +++ b/roles/mas-for-synapse/tasks/main.json @@ -0,0 +1,25 @@ +[ + { + "name": "configuration | emplace", + "become": true, + "ansible.builtin.template": { + "src": "mas-client-conf.json.j2", + "dest": "/opt/mas/conf.d/clients/synapse.json" + } + }, + { + "name": "configuration | apply", + "become": true, + "ansible.builtin.command": { + "cmd": "/usr/bin/mas-conf-compose" + } + }, + { + "name": "restart service", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "mas" + } + } +] 
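Review bot: vardef declares `port`, but defaults/main.json and conf.j2 in this patch use `var_mas_and_nginx_server_port`; following the `var_<role>_<key>` convention visible in roles/mas (vardef `user` ↔ `var_mas_user`), either this key should be `server_port` or the other two files should use `port`, otherwise validation either never sees the variable or flags it as unknown. `domain` defaults to `REPLACE_ME` yet is declared `"mandatory": false`; since it names the vhost and the certificate files, `"mandatory": true` would catch an unset value before nginx loads a broken site.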
diff --git a/roles/mas-for-synapse/templates/mas-client-conf.json.j2 b/roles/mas-for-synapse/templates/mas-client-conf.json.j2 new file mode 100644 index 0000000..0fa50eb --- /dev/null +++ b/roles/mas-for-synapse/templates/mas-client-conf.json.j2 @@ -0,0 +1,5 @@ +{ + "client_id": "{{var_mas_for_synapse_client_id}}", + "client_secret": "{{var_mas_for_synapse_client_secret}}", + "client_auth_method": "client_secret_basic" +} diff --git a/roles/mas/defaults/main.json b/roles/mas/defaults/main.json new file mode 100644 index 0000000..e402ce6 --- /dev/null +++ b/roles/mas/defaults/main.json @@ -0,0 +1,24 @@ +{ + "var_mas_user": "mas", + "var_mas_directory": "/opt/mas", + "var_mas_server_address": "::", + "var_mas_server_port": 2839, + "var_mas_database_host": "postgresql.example.org", + "var_mas_database_port": 5432, + "var_mas_database_username": "mas_user", + "var_mas_database_password": "REPLACE_ME", + "var_mas_database_schema": "mas", + "var_mas_matrix_server": "localhost:8008", + "var_mas_matrix_secret": "REPLACE_ME", + "var_mas_matrix_endpoint": "http://localhost:8008/", + "var_mas_encryption_key": "REPLACE_ME", + "var_mas_authentication_upstream_active": false, + "var_mas_authentication_upstream_id": "default_upstream", + "var_mas_authentication_upstream_issuer": "https://auth.example.org", + "var_mas_authentication_upstream_client_id": "mas", + "var_mas_authentication_upstream_client_secret": "REPLACE_ME", + "var_mas_authentication_upstream_token_endpoint_auth_method": "client_secret_post" + "var_mas_authentication_upstream_scope": "openid email profile", + "var_mas_authentication_upstream_authorization_endpoint": "https://auth.example.org/authorize", + "var_mas_authentication_upstream_token_endpoint": "https://auth.example.org/token" +} diff --git a/roles/mas/files/conf-compose.py b/roles/mas/files/conf-compose.py new file mode 100644 index 0000000..59434c3 --- /dev/null +++ b/roles/mas/files/conf-compose.py 
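Review bot: The rendered client file is a single object, but `roles/mas/files/conf-compose.py` in this patch wraps each client file as `{"clients": <file>}` and `dict_merge` merges dicts key by key, so MAS receives `clients` as an object and a second client file silently overwrites the `client_id`/`client_secret` of the first. Rendering the template as a one-element list, `[ { ... } ]`, makes `dict_merge` take its list-concatenation branch and yields the `clients` list MAS expects. The MAS documentation shows `client_id` values as ULIDs (for example `0000000000000000000SYNAPSE`); confirm that the default `synapse` is accepted before relying on it.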
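Review bot: The line `"var_mas_authentication_upstream_token_endpoint_auth_method": "client_secret_post"` has no trailing comma before the next key, so defaults/main.json is not valid JSON and the role fails to load; append the comma. Separately, `var_mas_server_address` defaults to `::`, which makes MAS listen on every interface; since the nginx role proxies to `localhost`, a loopback default (`::1`, or `127.0.0.1` if `localhost` resolves to IPv4 first on the host) keeps the unencrypted listener off the network.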
@@ -0,0 +1,127 @@ +#!/usr/bin/env python3 + +import sys as _sys +import os as _os +import yaml as _yaml +import json as _json +import argparse as _argparse + + +def file_read(path): + handle = open(path, "r") + content = handle.read() + handle.close() + return content + + +def file_write(path, content): + directory = _os.path.dirname(path) + if (not _os.path.exists(directory)): + _os.makedirs(directory, exist_ok = True) + else: + pass + handle = open(path, "w") + handle.write(content) + handle.close() + return content + + +def dict_merge(core, mantle, path = None): + if (path is None): + path = [] + result = {} + for source in [core, mantle]: + for (key, value_new, ) in source.items(): + path_ = (path + [key]) + type_new = type(value_new) + if (not (key in result)): + result[key] = value_new + else: + value_old = result[key] + type_old = type(value_old) + if (value_old is None): + result[key] = value_new + else: + if (not (type_old == type_new)): + raise ValueError( + "type mismatch at path %s: %s vs. 
%s" + % ( + ".".join(path), + str(type_old), + str(type_new), + ) + ) + else: + if (type_old == dict): + result[key] = dict_merge(value_old, value_new, path_) + elif (type_old == list): + result[key] = (value_old + value_new) + else: + result[key] = value_new + return result + + +def main(): + ## args + argument_parser = _argparse.ArgumentParser() + argument_parser.add_argument( + "-b", + "--base-file-path", + type = str, + dest = "base_file_path", + default = "/opt/mas/conf.d/base.json", + metavar = "", + ) + argument_parser.add_argument( + "-c", + "--clients-directory-path", + type = str, + dest = "clients_directory_path", + default = "/opt/mas/conf.d/clients", + metavar = "", + ) + argument_parser.add_argument( + "-f", + "--output-format", + type = str, + choices = ["json", "yaml"], + dest = "output_format", + default = "yaml", + metavar = "", + ) + argument_parser.add_argument( + "-o", + "--output-path", + type = str, + dest = "output_path", + default = "/opt/mas/config.yaml", + metavar = "", + ) + args = argument_parser.parse_args() + + ## exec + data = {} + ### base + if True: + data_ = _json.loads(file_read(args.base_file_path)) + data = dict_merge(data, data_) + ### clients + if True: + for name in _os.listdir(args.clients_directory_path): + data__ = _json.loads(file_read(_os.path.join(args.clients_directory_path, name))) + data_ = { + "clients": data__ + } + data = dict_merge(data, data_) + ## output + if True: + if (args.output_format == "json"): + output_content = _json.dumps(data, indent = "\t") + elif (args.output_format == "yaml"): + output_content = _yaml.dump(data) + else: + raise ValueError("invalid output format") + file_write(args.output_path, output_content) + + +main() diff --git a/roles/mas/info.md b/roles/mas/info.md new file mode 100644 index 0000000..1eaeb83 --- /dev/null +++ b/roles/mas/info.md 
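Review bot: `file_write` creates `/opt/mas/config.yaml` with the process umask, and that file aggregates the database password, `matrix.secret`, the encryption key and every client secret; because the `configuration | apply` task runs the script as root, the result is a root-owned and, with the usual umask, world-readable secrets file. Create it with owner-only permissions and re-apply them on overwrite (shown below), and either run the compose step as `var_mas_user` or `chown` the output so the service can still read it. `file_read` and `file_write` also leave the handle to manual `close()` calls rather than a `with` block, and `_os.listdir` picks up any stray file in the clients directory (editor backups, for instance), so filtering on the `.json` suffix would avoid merging garbage. `import yaml` needs PyYAML on the host, which none of the tasks in this patch install, and `yaml` is the default output format, so the script fails where the package is absent.
```python
def file_write(path, content):
    directory = _os.path.dirname(path)
    if directory:
        _os.makedirs(directory, exist_ok = True)
    # the composed config holds secrets: create it owner-only and tighten an
    # existing file too (the O_CREAT mode only applies when the file is new)
    fd = _os.open(path, _os.O_WRONLY | _os.O_CREAT | _os.O_TRUNC, 0o600)
    with _os.fdopen(fd, "w") as handle:
        handle.write(content)
    _os.chmod(path, 0o600)
    return content
```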
@@ -0,0 +1,8 @@ +## Beschreibung + +für [Matrix Authentication Service](https://github.com/element-hq/matrix-authentication-service), was eine OIDC-Portal für [Synapse](../synapse) ist + + +## Verweise + +- [Dokumentation](https://element-hq.github.io/matrix-authentication-service/index.html) diff --git a/roles/mas/tasks/main.json b/roles/mas/tasks/main.json new file mode 100644 index 0000000..b3598a3 --- /dev/null +++ b/roles/mas/tasks/main.json 
@@ -0,0 +1,87 @@ +[ + { + "name": "user", + "become": true, + "ansible.builtin.user": { + "name": "{{var_mas_user}}", + "create_home": true, + "home": "{{var_mas_directory}}" + } + }, + { + "name": "directories", + "become": true, + "loop": [ + "{{var_mas_directory}}/conf.d", + "{{var_mas_directory}}/conf.d/providers", + "{{var_mas_directory}}/conf.d/clients" + ], + "ansible.builtin.file": { + "state": "directory", + "owner": "{{var_mas_user}}", + "path": "{{item}}" + } + }, + { + "name": "download", + "become": true, + "become_user": "{{var_mas_user}}", + "ansible.builtin.get_url": { + "url": "https://github.com/element-hq/matrix-authentication-service/releases/latest/download/mas-cli-x86_64-linux.tar.gz", + "dest": "/tmp/mas.tar.gz" + } + }, + { + "name": "extract", + "become": true, + "become_user": "{{var_mas_user}}", + "ansible.builtin.unarchive": { + "remote_src": true, + "src": "/tmp/mas.tar.gz", + "dest": "{{var_mas_directory}}", + "owner": "{{var_mas_user}}" + } + }, + { + "name": "configuration | compose script", + "become": true, + "ansible.builtin.copy": { + "src": "conf-compose.py", + "dest": "/usr/bin/mas-conf-compose", + "mode": "0700" + } + }, + { + "name": "configuration | base", + "become": true, + "become_user": "{{var_mas_user}}", + "ansible.builtin.template": { + "src": "config-main.yaml.j2", + "dest": "{{var_mas_directory}}/conf.d/base.yaml" + } + }, + { + "name": "configuration | apply", + "become": true, + "ansible.builtin.command": { + "cmd": "/usr/bin/mas-conf-compose" + } + }, + { + "name": "systemd unit", + "become": true, + "ansible.builtin.template": { + "src": "systemd_unit.j2", + "dest": "/etc/systemd/system/mas.service" + } + }, + { + "name": "run", + "become": true, + "ansible.builtin.systemd_service": { + "name": "mas", + "enabled": true, + "state": "restarted" + } + } +] diff --git a/roles/mas/templates/config-base.json.j2 b/roles/mas/templates/config-base.json.j2 new file mode 100644 index 0000000..1ba74d4 --- /dev/null 
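Review bot: The `download` task fetches `releases/latest/download/mas-cli-x86_64-linux.tar.gz` with no `checksum`, so each run may pull a different, unverified binary and `unarchive` unpacks it straight into the service user's home; pin the release (a version variable in the URL) and add `"checksum": "sha256:<expected digest>"` so a changed artifact fails the play instead of being installed. The `configuration | base` task renders `config-main.yaml.j2` to `conf.d/base.yaml`, but the template added in this patch is `config-base.json.j2` and `conf-compose.py` reads `conf.d/base.json` with `json.loads`, so the compose step cannot see the base configuration as written. The `directories` task sets `owner` but no `mode`; `conf.d/clients` will hold client secrets, so `"mode": "0700"` is the safer default. `/tmp/mas.tar.gz` is a fixed path in a world-writable directory; a download path under `var_mas_directory` avoids unpacking a file someone else placed there first.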
+++ b/roles/mas/templates/config-base.json.j2 
@@ -0,0 +1,109 @@ +{ + "database": { + "host": "{{var_mas_database_host}}", + "port": "{{var_mas_database_port | string}}", + "username": "{{var_mas_database_username}}", + "password": "{{var_mas_database_password}}", + "database": "{{var_mas_database_schema}}" + }, + "http": { + "listeners": [ + { + "name": "web", + "resources": [ + { + "name": "discovery" + }, + { + "name": "human" + }, + { + "name": "oauth" + }, + { + "name": "compat" + }, + { + "name": "graphql" + }, + { + "name": "assets" + }, + ], + "binds": [ + { + "address": "[{{var_mas_server_address}}]:{{var_mas_server_port | string}}" + } + ], + "proxy_protocol": false + }, + { + "name": "internal", + "resources": [ + { + "name": "health" + } + ], + "binds": [ + { + "host": "localhost", + "port": 8081 + } + ], + "proxy_protocol": false + } + ], + "trusted_proxies": [ + "192.168.0.0/16", + "172.16.0.0/12", + "10.0.0.0/10", + "127.0.0.1/8", + "fd00::/8", + "::1/128", + ], + "public_base": "http://{{var_mas_server_address}}]:{{var_mas_server_port | string}}/", + "issuer": "http://{{var_mas_server_address}}]:{{var_mas_server_port | string}}/" + }, + "matrix": { + "homeserver": "{{var_mas_matrix_server}}", + "secret": "{{var_mas_matrix_secret}}", + "endpoint": "{{var_mas_matrix_endpoint}}" + }, + "secrets": { + "encryption": "{{var_mas_encryption_key}}", + "keys": [ + "__TODO__" + ] + }, + "passwords": { + "enabled": true, + "schemas": [ + { + "version": 1, + "algorithm": "argon2id" + } + ], + "minimum_complexity": 3 + }, +{% if var_mas_authentication_upstream_active %} + "upstream_oauth2": { + "providers": [ + { + "id": "{{var_mas_authentication_upstream_id}}", + "issuer": "{{var_mas_authentication_upstream_issuer}}", + "client_id": "{{var_mas_authentication_upstream_client_id}}", + "client_secret": "{{var_mas_authentication_upstream_client_secret}}", + "token_endpoint_auth_method": "{{var_mas_authentication_upstream_token_endpoint_auth_method}}", + "scope": "{{var_mas_authentication_upstream_scope}}", + 
"authorization_endpoint": "{{var_mas_authentication_upstream_authorization_endpoint}}", + "token_endpoint": "{{var_mas_authentication_upstream_token_endpoint}}" + } + ] + }, +{% endif %} + "email": { + "from": "'\"Authentication Service\" '", + "reply_to": "'\"Authentication Service\" '", + "transport": "blackhole" + } +} diff --git a/roles/mas/templates/systemd_unit.j2 b/roles/mas/templates/systemd_unit.j2 new file mode 100644 index 0000000..f68219f --- /dev/null +++ b/roles/mas/templates/systemd_unit.j2 @@ -0,0 +1,15 @@ +[Unit] +Description=MAS +After=network.target + +[Service] +WorkingDirectory={{var_mas_directory}} +ExecStart={{var_mas_directory}}/mas-cli server +Type=simple +Restart=always +User={{var_mas_user}} + +[Install] +WantedBy=default.target +RequiredBy=network.target + diff --git a/roles/mas/vardef.json b/roles/mas/vardef.json new file mode 100644 index 0000000..dc301b8 --- /dev/null +++ b/roles/mas/vardef.json 
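Review bot: Two trailing commas — after the `{ "name": "assets" }` resource and after `"::1/128"` — make the rendered file invalid JSON, so `json.loads` in conf-compose.py rejects it; drop both. `public_base` and `issuer` are built as `http://{{var_mas_server_address}}]:{{var_mas_server_port | string}}/`, which with the default `::` yields `http://::]:2839/` (stray `]`, no `[`) and, more importantly, names the internal bind address rather than the public HTTPS origin that clients compare against the discovery document; both should come from a dedicated public-URL variable (a new `var_mas_url_base`, say) and the issuer has to equal what the Synapse side is given. `secrets.keys` is the placeholder `"__TODO__"`, where MAS expects signing keys with a `kid` and PEM material; without real keys the service cannot issue tokens. In `trusted_proxies`, `10.0.0.0/10` and `127.0.0.1/8` look like typos for `10.0.0.0/8` and `127.0.0.0/8`; as written part of the RFC 1918 range is not trusted for `X-Forwarded-For` and the loopback entry is non-canonical.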
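Review bot: `RequiredBy=network.target` under `[Install]` makes `network.target` require the MAS service, which inverts the intended dependency and can hold up boot when MAS fails; drop it and express the ordering with `After=network-online.target` plus `Wants=network-online.target` in `[Unit]`. The unit runs a network-facing binary as `{{var_mas_user}}` with no sandboxing; the directives below confine it to `{{var_mas_directory}}` and block privilege escalation, which is cheap for a daemon that needs only its working directory and outbound network. `Restart=always` with no `RestartSec` spins rapidly on a misconfiguration such as the placeholder signing key in config-base.json.j2.
```ini
[Unit]
Description=MAS
After=network-online.target
Wants=network-online.target

[Service]
# … unchanged: WorkingDirectory, ExecStart, Type, User …
Restart=always
RestartSec=5
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ReadWritePaths={{var_mas_directory}}

[Install]
WantedBy=default.target
```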
@@ -0,0 +1,82 @@ +{ + "user": { + "type": "string", + "mandatory": false + }, + "directory": { + "type": "string", + "mandatory": false + }, + "database_host": { + "type": "string", + "mandatory": false + }, + "database_port": { + "type": "integer", + "mandatory": false + }, + "database_username": { + "type": "string", + "mandatory": false + }, + "database_password": { + "type": "string", + "mandatory": false + }, + "database_schema": { + "type": "string", + "mandatory": false + }, + "matrix_server": { + "type": "string", + "mandatory": false + }, + "matrix_secret": { + "type": "string", + "mandatory": false + }, + "matrix_endpoint": { + "type": "string", + "mandatory": false + }, + "encryption_key": { + "type": "string", + "mandatory": false + }, + "authentication_upstream_active": { + "nullable": false, + "type": "boolean" + }, + "authentication_upstream_id": { + "nullable": false, + "type": "string" + }, + "authentication_upstream_issuer": { + "nullable": false, + "type": "string" + }, + "authentication_upstream_client_id": { + "nullable": false, + "type": "string" + }, + "authentication_upstream_client_secret": { + "nullable": false, + "type": "string" + }, + "authentication_upstream_token_endpoint_auth_method": { + "nullable": false, + "type": "string" + }, + "authentication_upstream_scope": { + "nullable": false, + "type": "string" + }, + "authentication_upstream_authorization_endpoint": { + "nullable": false, + "type": "string" + }, + "authentication_upstream_token_endpoint": { + "nullable": false, + "type": "string" + } +} diff --git a/roles/postgresql-for-mas/defaults/main.json b/roles/postgresql-for-mas/defaults/main.json new file mode 100644 index 0000000..eac9bc3 --- /dev/null +++ b/roles/postgresql-for-mas/defaults/main.json @@ -0,0 +1,5 @@ +{ + "var_postgresql_for_vikunja_username": "vikunja_user", + "var_postgresql_for_vikunja_password": "REPLACE_ME", + "var_postgresql_for_vikunja_schema": "vikunja" +} 
diff --git a/roles/postgresql-for-mas/tasks/main.json b/roles/postgresql-for-mas/tasks/main.json new file mode 100644 index 0000000..fb5f787 --- /dev/null +++ b/roles/postgresql-for-mas/tasks/main.json @@ -0,0 +1,49 @@ +[ + { + "name": "packages", + "become": true, + "ansible.builtin.apt": { + "update_cache": true, + "pkg": [ + "acl", + "python3-psycopg2" + ] + } + }, + { + "name": "user", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_user": { + "state": "present", + "name": "{{var_postgresql_for_vikunja_username}}", + "password": "{{var_postgresql_for_vikunja_password}}" + }, + "environment": { + "PGOPTIONS": "-c password_encryption=scram-sha-256" + } + }, + { + "name": "schema", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_db": { + "state": "present", + "name": "{{var_postgresql_for_vikunja_schema}}", + "owner": "{{var_postgresql_for_vikunja_username}}" + } + }, + { + "name": "rights", + "become": true, + "become_user": "postgres", + "community.postgresql.postgresql_privs": { + "state": "present", + "db": "{{var_postgresql_for_vikunja_schema}}", + "objs": "ALL_IN_SCHEMA", + "roles": "{{var_postgresql_for_vikunja_username}}", + "privs": "ALL", + "grant_option": true + } + } +] -- 2.39.5 From 0a5acb790778815e982aee805e9558eee3d008d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 17 Oct 2024 17:36:47 +0200 Subject: [PATCH 02/22] [fix] postgresql-for-mas [fix] authelia-for-mas --- roles/authelia-for-mas/tasks/main.json | 2 +- roles/postgresql-for-mas/defaults/main.json | 6 +++--- roles/postgresql-for-mas/tasks/main.json | 12 ++++++------ 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/roles/authelia-for-mas/tasks/main.json b/roles/authelia-for-mas/tasks/main.json index 3067d3d..f5b4616 100644 --- a/roles/authelia-for-mas/tasks/main.json +++ b/roles/authelia-for-mas/tasks/main.json 
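Review bot: The `rights` task grants `ALL` on `ALL_IN_SCHEMA` with `"grant_option": true` to the application role, which lets that role re-grant its privileges to others; the role already owns the database (`owner` in the `schema` task), so the grant adds nothing the service needs and `grant_option` should be `false` or the task dropped. `ALL_IN_SCHEMA` also covers only objects that exist when the task runs, which on a fresh install is before MAS has created its tables, so the task is a no-op at first and only becomes meaningful on later runs. Setting `PGOPTIONS` to `password_encryption=scram-sha-256` for the user task is the right call; adding `"no_log": true` to that task keeps the password out of play output.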
@@ -4,7 +4,7 @@
 "become": true,
 "ansible.builtin.template": {
 "src": "authelia-client-conf.json.j2",
- "dest": "/etc/authelia/conf.d/clients/vikunja.json"
+ "dest": "/etc/authelia/conf.d/clients/mas.json"
 }
 },
 {
diff --git a/roles/postgresql-for-mas/defaults/main.json b/roles/postgresql-for-mas/defaults/main.json
index eac9bc3..42dcb1a 100644
--- a/roles/postgresql-for-mas/defaults/main.json
+++ b/roles/postgresql-for-mas/defaults/main.json
@@ -1,5 +1,5 @@
 {
- "var_postgresql_for_vikunja_username": "vikunja_user",
- "var_postgresql_for_vikunja_password": "REPLACE_ME",
- "var_postgresql_for_vikunja_schema": "vikunja"
+ "var_postgresql_for_mas_username": "mas_user",
+ "var_postgresql_for_mas_password": "REPLACE_ME",
+ "var_postgresql_for_mas_schema": "mas"
 }
diff --git a/roles/postgresql-for-mas/tasks/main.json b/roles/postgresql-for-mas/tasks/main.json
index fb5f787..ce83508 100644
--- a/roles/postgresql-for-mas/tasks/main.json
+++ b/roles/postgresql-for-mas/tasks/main.json
@@ -16,8 +16,8 @@
 "become_user": "postgres",
 "community.postgresql.postgresql_user": {
 "state": "present",
- "name": "{{var_postgresql_for_vikunja_username}}",
- "password": "{{var_postgresql_for_vikunja_password}}"
+ "name": "{{var_postgresql_for_mas_username}}",
+ "password": "{{var_postgresql_for_mas_password}}"
 },
 "environment": {
 "PGOPTIONS": "-c password_encryption=scram-sha-256"
@@ -29,8 +29,8 @@
 "become_user": "postgres",
 "community.postgresql.postgresql_db": {
 "state": "present",
- "name": "{{var_postgresql_for_vikunja_schema}}",
- "owner": "{{var_postgresql_for_vikunja_username}}"
+ "name": "{{var_postgresql_for_mas_schema}}",
+ "owner": "{{var_postgresql_for_mas_username}}"
 }
 },
 {
@@ -39,9 +39,9 @@ "become_user": "postgres", "community.postgresql.postgresql_privs": { "state": "present", - "db": "{{var_postgresql_for_vikunja_schema}}", + "db": "{{var_postgresql_for_mas_schema}}", "objs": "ALL_IN_SCHEMA", - "roles": "{{var_postgresql_for_vikunja_username}}", + "roles": "{{var_postgresql_for_mas_username}}", "privs": "ALL", "grant_option": true } -- 2.39.5 From 17354eb042cd6fde2ce69933a29e12bb9cabf3b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 17 Oct 2024 18:06:42 +0200 Subject: [PATCH 03/22] [mod] role:mas:auth --- roles/mas/defaults/main.json | 16 ++++---- roles/mas/templates/config-base.json.j2 | 20 +++++----- roles/mas/vardef.json | 52 ++++++++++++------------- 3 files changed, 42 insertions(+), 46 deletions(-) diff --git a/roles/mas/defaults/main.json b/roles/mas/defaults/main.json index e402ce6..cbb1c0a 100644 --- a/roles/mas/defaults/main.json +++ b/roles/mas/defaults/main.json 
@@ -12,13 +12,11 @@
 "var_mas_matrix_secret": "REPLACE_ME",
 "var_mas_matrix_endpoint": "http://localhost:8008/",
 "var_mas_encryption_key": "REPLACE_ME",
- "var_mas_authentication_upstream_active": false,
- "var_mas_authentication_upstream_id": "default_upstream",
- "var_mas_authentication_upstream_issuer": "https://auth.example.org",
- "var_mas_authentication_upstream_client_id": "mas",
- "var_mas_authentication_upstream_client_secret": "REPLACE_ME",
- "var_mas_authentication_upstream_token_endpoint_auth_method": "client_secret_post"
- "var_mas_authentication_upstream_scope": "openid email profile",
- "var_mas_authentication_upstream_authorization_endpoint": "https://auth.example.org/authorize",
- "var_mas_authentication_upstream_token_endpoint": "https://auth.example.org/token"
+ "var_mas_authentication_upstream_kind": "none",
+ "var_mas_authentication_upstream_data_authelia_url_base": "https://authelia.example.org",
+ "var_mas_authentication_upstream_data_authelia_auth_method": "client_secret_post",
+ "var_mas_authentication_upstream_data_authelia_scope": "openid profile email",
+ "var_mas_authentication_upstream_data_authelia_name": "authelia",
+ "var_mas_authentication_upstream_data_authelia_client_id": "mas",
+ "var_mas_authentication_upstream_data_authelia_client_secret": "REPLACE_ME"
 }
diff --git a/roles/mas/templates/config-base.json.j2 b/roles/mas/templates/config-base.json.j2
index 1ba74d4..f49bb37 100644
--- a/roles/mas/templates/config-base.json.j2
+++ b/roles/mas/templates/config-base.json.j2
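Review bot: The new default `var_mas_authentication_upstream_data_authelia_auth_method` is `client_secret_post`, while the client registration this pairs with, roles/authelia-for-mas/templates/authelia-client-conf.json.j2, declares `"token_endpoint_auth_method": "client_secret_basic"`; Authelia rejects token requests whose authentication method differs from the registered one, so the upstream login would fail at the token step. Pick one — `client_secret_basic` is what the Authelia side already uses — and set the same value in both roles; the template hunk of this patch (roles/mas/templates/config-base.json.j2) renders the variable unchanged, so correcting the default is enough. `var_mas_authentication_upstream_data_authelia_name` (`authelia`) becomes the provider `id`, while the redirect URI registered on the Authelia side is built from `var_authelia_for_mas_id` (`mas`) as `/upstream/callback/<id>`, so those two defaults must agree as well or the callback is rejected as an unregistered redirect URI.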
@@ -85,18 +85,20 @@ ], "minimum_complexity": 3 }, -{% if var_mas_authentication_upstream_active %} +{% if var_mas_authentication_upstream_kind == 'none' %} +{% endif %} +{% if var_mas_authentication_upstream_kind == 'authelia' %} "upstream_oauth2": { "providers": [ { - "id": "{{var_mas_authentication_upstream_id}}", - "issuer": "{{var_mas_authentication_upstream_issuer}}", - "client_id": "{{var_mas_authentication_upstream_client_id}}", - "client_secret": "{{var_mas_authentication_upstream_client_secret}}", - "token_endpoint_auth_method": "{{var_mas_authentication_upstream_token_endpoint_auth_method}}", - "scope": "{{var_mas_authentication_upstream_scope}}", - "authorization_endpoint": "{{var_mas_authentication_upstream_authorization_endpoint}}", - "token_endpoint": "{{var_mas_authentication_upstream_token_endpoint}}" + "id": "{{var_mas_authentication_upstream_data_authelia_name}}", + "issuer": "{{var_mas_authentication_upstream_data_authelia_url_base}}", + "authorization_endpoint": "{{var_mas_authentication_upstream_data_authelia_url_base}}/api/oidc/authorization", + "token_endpoint": "{{var_mas_authentication_upstream_data_authelia_url_base}}/api/oidc/token", + "token_endpoint_auth_method": "{{var_mas_authentication_upstream_data_authelia_auth_method}}", + "scope": "{{var_mas_authentication_upstream_data_authelia_scope}}", + "client_id": "{{var_mas_authentication_upstream_data_authelia_client_id}}", + "client_secret": "{{var_mas_authentication_upstream_data_authelia_client_secret}}" } ] }, diff --git a/roles/mas/vardef.json b/roles/mas/vardef.json index dc301b8..04f210e 100644 --- a/roles/mas/vardef.json +++ b/roles/mas/vardef.json 
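Review bot: The `{% if var_mas_authentication_upstream_kind == 'none' %}` / `{% endif %}` pair is an empty branch and can go. In the `authelia` branch the MAS documentation shows upstream provider `id` values as ULIDs, whereas `var_mas_authentication_upstream_data_authelia_name` (`authelia`) is rendered there; confirm that a free-form id is accepted or generate a ULID for it. The provider block also has no `claims_imports`; as far as I recall MAS then neither links the upstream subject to a localpart nor imports the e-mail claim, so every first login prompts for a username even though `email` and `profile` are requested in `scope` — a `claims_imports` section for `localpart`, `displayname` and `email` (described on the MAS upstream SSO page linked from roles/authelia-for-mas/info.md) is worth adding.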
@@ -43,40 +43,36 @@ "type": "string", "mandatory": false }, - "authentication_upstream_active": { + "authentication_upstream_kind": { "nullable": false, - "type": "boolean" + "type": "string", + "options": [ + "none", + "authelia" + ] }, - "authentication_upstream_id": { - "nullable": false, - "type": "string" + "authentication_upstream_data_authelia_url_base": { + "type": "string", + "mandatory": false }, - "authentication_upstream_issuer": { - "nullable": false, - "type": "string" + "authentication_upstream_data_authelia_auth_method": { + "type": "string", + "mandatory": false }, - "authentication_upstream_client_id": { - "nullable": false, - "type": "string" + "authentication_upstream_data_authelia_scope": { + "type": "string", + "mandatory": false }, - "authentication_upstream_client_secret": { - "nullable": false, - "type": "string" + "authentication_upstream_data_authelia_name": { + "type": "string", + "mandatory": false }, - "authentication_upstream_token_endpoint_auth_method": { - "nullable": false, - "type": "string" + "authentication_upstream_data_authelia_client_id": { + "type": "string", + "mandatory": false }, - "authentication_upstream_scope": { - "nullable": false, - "type": "string" - }, - "authentication_upstream_authorization_endpoint": { - "nullable": false, - "type": "string" - }, - "authentication_upstream_token_endpoint": { - "nullable": false, - "type": "string" + "authentication_upstream_data_authelia_client_secret": { + "type": "string", + "mandatory": false } } -- 2.39.5 From 4dc49134588735c91c0a51e638d2cb275e94e3b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 17 Oct 2024 18:07:02 +0200 Subject: [PATCH 04/22] [mod] hedgedoc:default:auth:changed to "internal" --- roles/hedgedoc/defaults/main.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/hedgedoc/defaults/main.json b/roles/hedgedoc/defaults/main.json index f59f7f1..5dc2820 100644 --- a/roles/hedgedoc/defaults/main.json 
+++ b/roles/hedgedoc/defaults/main.json @@ -11,7 +11,7 @@ "var_hedgedoc_database_data_postgresql_password": "REPLACE_ME", "var_hedgedoc_database_data_postgresql_schema": "hedgedoc", "var_hedgedoc_domain": "hedgedoc.example.org", - "var_hedgedoc_authentication_kind": "authelia", + "var_hedgedoc_authentication_kind": "internal", "var_hedgedoc_authentication_data_authelia_client_id": "hedgedoc", "var_hedgedoc_authentication_data_authelia_client_secret": "REPLACE_ME", "var_hedgedoc_authentication_data_authelia_url_base": "https://authelia.example.org", -- 2.39.5 From ecbbc245800817d0b9200b4ad8dee688fc56c4c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 17 Oct 2024 18:34:40 +0200 Subject: [PATCH 05/22] [fix] role:mas --- roles/mas/tasks/main.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mas/tasks/main.json b/roles/mas/tasks/main.json index b3598a3..30673c6 100644 --- a/roles/mas/tasks/main.json +++ b/roles/mas/tasks/main.json @@ -56,7 +56,7 @@ "become": true, "become_user": "{{var_mas_user}}", "ansible.builtin.template": { - "src": "config-main.yaml.j2", + "src": "config-main.json.j2", "dest": "{{var_mas_directory}}/conf.d/base.yaml" } }, -- 2.39.5 From 9f833de13961ba370b8f344e539e7069c6af8c39 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 17 Oct 2024 18:35:04 +0200 Subject: [PATCH 06/22] [mod] role:synapse:mas als authentication-Variante --- roles/synapse/defaults/main.json | 6 +++++ roles/synapse/info.md | 1 + roles/synapse/templates/homeserver.yaml.j2 | 15 ++++++++++++ roles/synapse/vardef.json | 27 +++++++++++++++++++++- 4 files changed, 48 insertions(+), 1 deletion(-) diff --git a/roles/synapse/defaults/main.json b/roles/synapse/defaults/main.json index 87eff2a..efda6b0 100644 --- a/roles/synapse/defaults/main.json +++ b/roles/synapse/defaults/main.json 
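Review bot: The new `src` is `config-main.json.j2`, but the only template this role ships is `templates/config-base.json.j2` (added in patch 01/22), so the task still fails with a missing-template error. The `dest` also stays `conf.d/base.yaml`, while `/usr/bin/mas-conf-compose` reads `conf.d/base.json` by default and parses it with `json.loads`; the two lines should read `"src": "config-base.json.j2"` and `"dest": "{{var_mas_directory}}/conf.d/base.json"`. Patch 07/22, titled as another fix to the same file, is cut off at the end of this page, so it may address part of this.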
@@ -20,6 +20,12 @@ "var_synapse_authentication_data_authelia_client_id": "synapse", "var_synapse_authentication_data_authelia_client_secret": "REPLACE_ME", "var_synapse_authentication_data_authelia_url_base": "https://authelia.example.org", + "var_synapse_authentication_data_mas_url_base": "http://localhost:2839", + "var_synapse_authentication_data_mas_client_id": "synapse", + "var_synapse_authentication_data_mas_client_secret": "REPLACE_ME", + "var_synapse_authentication_data_mas_admin_token": "REPLACE_ME", + "var_synapse_authentication_data_mas_provider_id": "mas", + "var_synapse_authentication_data_mas_provider_name": "MAS", "var_synapse_smtp_host": "smtp.example.org", "var_synapse_smtp_port": 587, "var_synapse_smtp_username": "synapse@smtp.example.org", diff --git a/roles/synapse/info.md b/roles/synapse/info.md index 9f4407e..88503ae 100644 --- a/roles/synapse/info.md +++ b/roles/synapse/info.md @@ -9,3 +9,4 @@ Zur Einrichtung des [matrix.org](https://matrix.org/)-Servers Synapse - [GitHub-Repository](https://github.com/matrix-org/synapse) - [Configuration Manual](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html) - [Dokumentation | PostgreSQL](https://matrix-org.github.io/synapse/latest/postgres.html#using-postgres) +- [MAS-Dokumentation | Homeserver configuration](https://element-hq.github.io/matrix-authentication-service/setup/homeserver.html) diff --git a/roles/synapse/templates/homeserver.yaml.j2 b/roles/synapse/templates/homeserver.yaml.j2 index a8b43b4..278a4b4 100644 --- a/roles/synapse/templates/homeserver.yaml.j2 +++ b/roles/synapse/templates/homeserver.yaml.j2 
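Review bot: The new default `var_synapse_authentication_data_mas_url_base: "http://localhost:2839"` is rendered as the msc3861 `issuer` in the homeserver template of this same patch, and Synapse compares that string with the issuer MAS advertises in its discovery document, so the two must agree byte for byte including the trailing slash. The MAS role in this series ends up advertising `https://<domain>/` (PATCH 19), so a plain-HTTP localhost default without a trailing slash is unlikely to ever be the right value; I would default it to `"https://mas.example.org/"`, mirroring `var_authelia_for_mas_mas_url_base`. The other four new defaults are placeholders and are fine as such.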
@@ -126,6 +126,21 @@ oidc_providers: email_template: "{{"{{"}} user.email {{"}}"}}" {% endif %} +{% if var_synapse_authentication_kind == 'mas' %} +enable_registration: false +enable_registration_without_verification: false + +experimental_features: + msc3861: + enabled: true + issuer: "{{var_synapse_authentication_data_mas_url_base}}" + client_auth_method: client_secret_basic + client_id: "{{var_synapse_authentication_data_mas_client_id}}" + client_secret: "{{var_synapse_authentication_data_mas_client_secret}}" + admin_token: "{{var_synapse_authentication_data_mas_admin_token}}" + account_management_url: "{{var_synapse_authentication_data_mas_url_base}}/account" +{% endif %} + account_validity: bcrypt_rounds: 12 diff --git a/roles/synapse/vardef.json b/roles/synapse/vardef.json index 391dfdb..95e1549 100644 --- a/roles/synapse/vardef.json +++ b/roles/synapse/vardef.json @@ -71,7 +71,8 @@ "mandatory": false, "options": [ "internal", - "authelia" + "authelia", + "mas" ] }, "authentication_data_authelia_provider_id": { @@ -94,6 +95,30 @@ "type": "string", "mandatory": false }, + "authentication_data_mas_url_base": { + "type": "string", + "mandatory": false + }, + "authentication_data_mas_client_id": { + "type": "string", + "mandatory": false + }, + "authentication_data_mas_client_secret": { + "type": "string", + "mandatory": false + }, + "authentication_data_mas_admin_token": { + "type": "string", + "mandatory": false + }, + "authentication_data_mas_provider_id": { + "type": "string", + "mandatory": false + }, + "authentication_data_mas_provider_name": { + "type": "string", + "mandatory": false + }, "smtp_host": { "type": "string", "mandatory": false -- 2.39.5 From af80d094f37b9507cdb530c6f20b396d8d4dc585 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 17 Oct 2024 18:36:32 +0200 Subject: [PATCH 07/22] [fix] role:mas --- roles/mas/tasks/main.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
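Review bot: The added `msc3861` block writes `client_secret` and `admin_token` straight into homeserver.yaml, and the vardef hunk in this patch marks both `authentication_data_mas_client_secret` and `authentication_data_mas_admin_token` as `"mandatory": false` while their defaults are `"REPLACE_ME"`; a host with `var_synapse_authentication_kind: mas` and untouched defaults therefore boots with a guessable admin token that grants MAS full admin-API access to the homeserver. Since the schema cannot express "mandatory only when kind is mas", I would add a task guarded by that kind, e.g. `"ansible.builtin.assert": { "that": ["var_synapse_authentication_data_mas_admin_token != 'REPLACE_ME'", "var_synapse_authentication_data_mas_client_secret != 'REPLACE_ME'"] }`, before the template task. The template continues outside the hunk.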
diff --git a/roles/mas/tasks/main.json b/roles/mas/tasks/main.json index 30673c6..eae7805 100644 --- a/roles/mas/tasks/main.json +++ b/roles/mas/tasks/main.json @@ -56,7 +56,7 @@ "become": true, "become_user": "{{var_mas_user}}", "ansible.builtin.template": { - "src": "config-main.json.j2", + "src": "config-base.json.j2", "dest": "{{var_mas_directory}}/conf.d/base.yaml" } }, -- 2.39.5 From 7bf2c1e142e166f6ed079314849f9d371cddb000 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 17 Oct 2024 18:45:45 +0200 Subject: [PATCH 08/22] [fix] role:mas --- roles/mas/tasks/main.json | 10 ++++++---- roles/mas/templates/config-base.json.j2 | 4 ++-- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/roles/mas/tasks/main.json b/roles/mas/tasks/main.json index eae7805..6237403 100644 --- a/roles/mas/tasks/main.json +++ b/roles/mas/tasks/main.json @@ -14,7 +14,8 @@ "loop": [ "{{var_mas_directory}}/conf.d", "{{var_mas_directory}}/conf.d/providers", - "{{var_mas_directory}}/conf.d/clients" + "{{var_mas_directory}}/conf.d/clients", + "{{var_mas_directory}}/scripts" ], "ansible.builtin.file": { "state": "directory", @@ -47,7 +48,8 @@ "become": true, "ansible.builtin.copy": { "src": "conf-compose.py", - "dest": "/usr/bin/mas-conf-compose", + "dest": "{{var_mas_directory}}/scripts/conf-compose", + "owner": "{{var_mas_user}}", "mode": "0700" } }, @@ -57,14 +59,14 @@ "become_user": "{{var_mas_user}}", "ansible.builtin.template": { "src": "config-base.json.j2", - "dest": "{{var_mas_directory}}/conf.d/base.yaml" + "dest": "{{var_mas_directory}}/conf.d/base.json" } }, { "name": "configuration | apply", "become": true, "ansible.builtin.command": { - "cmd": "/usr/bin/mas-conf-compose" + "cmd": "/usr/local/bin/mas-conf-compose" } }, { diff --git a/roles/mas/templates/config-base.json.j2 b/roles/mas/templates/config-base.json.j2 index f49bb37..7a6f488 100644 --- a/roles/mas/templates/config-base.json.j2 +++ b/roles/mas/templates/config-base.json.j2 
@@ -28,7 +28,7 @@ }, { "name": "assets" - }, + } ], "binds": [ { @@ -59,7 +59,7 @@ "10.0.0.0/10", "127.0.0.1/8", "fd00::/8", - "::1/128", + "::1/128" ], "public_base": "http://{{var_mas_server_address}}]:{{var_mas_server_port | string}}/", "issuer": "http://{{var_mas_server_address}}]:{{var_mas_server_port | string}}/" -- 2.39.5 From 56e3b294e5a89a5538729fa278b448d45d28c51c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 17 Oct 2024 18:47:01 +0200 Subject: [PATCH 09/22] [fix] role:mas --- roles/mas/tasks/main.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mas/tasks/main.json b/roles/mas/tasks/main.json index 6237403..70a4602 100644 --- a/roles/mas/tasks/main.json +++ b/roles/mas/tasks/main.json @@ -66,7 +66,7 @@ "name": "configuration | apply", "become": true, "ansible.builtin.command": { - "cmd": "/usr/local/bin/mas-conf-compose" + "cmd": "{{var_mas_directory}}/scripts/conf-compose" } }, { -- 2.39.5 From bfd6d52796dde3c913fa93d3fa79cc6296dfcca6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 17 Oct 2024 18:52:51 +0200 Subject: [PATCH 10/22] [fix] role:mas --- roles/mas/tasks/main.json | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/mas/tasks/main.json b/roles/mas/tasks/main.json index 70a4602..c393497 100644 --- a/roles/mas/tasks/main.json +++ b/roles/mas/tasks/main.json @@ -48,9 +48,8 @@ "become": true, "ansible.builtin.copy": { "src": "conf-compose.py", - "dest": "{{var_mas_directory}}/scripts/conf-compose", - "owner": "{{var_mas_user}}", - "mode": "0700" + "dest": "/usr/local/bin/mas-conf-compose", + "mode": "0777" } }, { @@ -66,7 +65,7 @@ "name": "configuration | apply", "become": true, "ansible.builtin.command": { - "cmd": "{{var_mas_directory}}/scripts/conf-compose" + "cmd": "/usr/local/bin/mas-conf-compose" } }, { -- 2.39.5 From 799e67ae3ff81f1095c623b92397a34321c91726 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 17 Oct 2024 18:55:16 +0200 Subject: [PATCH 11/22] [fix] role:mas-for-synapse --- roles/mas-for-synapse/tasks/main.json | 2 +- roles/mas/tasks/main.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/mas-for-synapse/tasks/main.json b/roles/mas-for-synapse/tasks/main.json index 5eeb79b..29fc15e 100644 --- a/roles/mas-for-synapse/tasks/main.json +++ b/roles/mas-for-synapse/tasks/main.json @@ -11,7 +11,7 @@ "name": "configuration | apply", "become": true, "ansible.builtin.command": { - "cmd": "/usr/bin/mas-conf-compose" + "cmd": "/usr/local/bin/mas-conf-compose" } }, { diff --git a/roles/mas/tasks/main.json b/roles/mas/tasks/main.json index c393497..32869f2 100644 --- a/roles/mas/tasks/main.json +++ b/roles/mas/tasks/main.json @@ -49,7 +49,7 @@ "ansible.builtin.copy": { "src": "conf-compose.py", "dest": "/usr/local/bin/mas-conf-compose", - "mode": "0777" + "mode": "0555" } }, { -- 2.39.5 From 52862bb20fd0c06a87598091b014c4297fa679d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 17 Oct 2024 19:28:33 +0200 Subject: [PATCH 12/22] [fix] role:mas:server address --- roles/mas/defaults/main.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mas/defaults/main.json b/roles/mas/defaults/main.json index cbb1c0a..7e5ae2c 100644 --- a/roles/mas/defaults/main.json +++ b/roles/mas/defaults/main.json @@ -1,7 +1,7 @@ { "var_mas_user": "mas", "var_mas_directory": "/opt/mas", - "var_mas_server_address": "::", + "var_mas_server_address": "[::]", "var_mas_server_port": 2839, "var_mas_database_host": "postgresql.example.org", "var_mas_database_port": 5432, -- 2.39.5 From 8e73310fae8951797c31ab2d72dcb65f650b36a3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 17 Oct 2024 19:29:05 +0200 Subject: [PATCH 13/22] [fix] role:mas:conf compose script --- roles/mas/files/conf-compose.py | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/roles/mas/files/conf-compose.py b/roles/mas/files/conf-compose.py index 59434c3..c1fe8cc 100644 --- a/roles/mas/files/conf-compose.py +++ b/roles/mas/files/conf-compose.py @@ -103,16 +103,23 @@ def main(): data = {} ### base if True: - data_ = _json.loads(file_read(args.base_file_path)) - data = dict_merge(data, data_) + data = dict_merge( + data, + _json.loads(file_read(args.base_file_path)) + ) ### clients if True: - for name in _os.listdir(args.clients_directory_path): - data__ = _json.loads(file_read(_os.path.join(args.clients_directory_path, name))) - data_ = { - "clients": data__ + data = dict_merge( + data, + { + "clients": list( + map( + lambda name: _json.loads(file_read(_os.path.join(args.clients_directory_path, name))), + _os.listdir(args.clients_directory_path) + ) + ), } - data = dict_merge(data, data_) + ) ## output if True: if (args.output_format == "json"): -- 2.39.5 From e486e595dc69b08feb72bf2e5356d2a79277481c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 17 Oct 2024 19:29:32 +0200 Subject: [PATCH 14/22] [fix] role:mas --- roles/mas/tasks/main.json | 10 ++++++++++ roles/mas/templates/config-base.json.j2 | 11 +++++++---- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/roles/mas/tasks/main.json b/roles/mas/tasks/main.json index 32869f2..c117ce6 100644 --- a/roles/mas/tasks/main.json +++ b/roles/mas/tasks/main.json @@ -15,6 +15,7 @@ "{{var_mas_directory}}/conf.d", "{{var_mas_directory}}/conf.d/providers", "{{var_mas_directory}}/conf.d/clients", + "{{var_mas_directory}}/secrets", "{{var_mas_directory}}/scripts" ], "ansible.builtin.file": { 
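Review bot: The new `map(...)` over `_os.listdir(args.clients_directory_path)` parses every directory entry as JSON in filesystem order, so an editor backup or stray file aborts the run with a JSON error and the resulting `clients` list is not deterministic between runs (listdir order is unspecified), which makes the composed output churn without any config change. I would iterate over `sorted(name for name in _os.listdir(args.clients_directory_path) if name.endswith(".json"))`; PATCH 15 keeps the same unfiltered, unsorted pattern with the `"clients"` subdirectory. `main()` starts and ends outside the hunk.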
@@ -52,6 +53,15 @@ "mode": "0555" } }, + { + "name": "configuration | private key", + "become": true, + "become_user": "{{var_mas_user}}", + "community.crypto.openssl_privatekey": { + "curve": "secp384r1", + "path": "{{var_mas_directory}}/secrets/private_key.pem" + } + }, { "name": "configuration | base", "become": true, diff --git a/roles/mas/templates/config-base.json.j2 b/roles/mas/templates/config-base.json.j2 index 7a6f488..0c727a1 100644 --- a/roles/mas/templates/config-base.json.j2 +++ b/roles/mas/templates/config-base.json.j2 @@ -1,7 +1,7 @@ { "database": { "host": "{{var_mas_database_host}}", - "port": "{{var_mas_database_port | string}}", + "port": {{var_mas_database_port | string}}, "username": "{{var_mas_database_username}}", "password": "{{var_mas_database_password}}", "database": "{{var_mas_database_schema}}" @@ -61,8 +61,8 @@ "fd00::/8", "::1/128" ], - "public_base": "http://{{var_mas_server_address}}]:{{var_mas_server_port | string}}/", - "issuer": "http://{{var_mas_server_address}}]:{{var_mas_server_port | string}}/" + "public_base": "http://{{var_mas_server_address}}:{{var_mas_server_port | string}}/", + "issuer": "http://{{var_mas_server_address}}:{{var_mas_server_port | string}}/" }, "matrix": { "homeserver": "{{var_mas_matrix_server}}", @@ -72,7 +72,10 @@ "secrets": { "encryption": "{{var_mas_encryption_key}}", "keys": [ - "__TODO__" + { + "kid": "x1", + "key_file": "{{var_mas_directory}}/secrets/private_key.pem" + } ] }, "passwords": { -- 2.39.5 From 4e1647fa4bb02db72535d49c7f379296fd9281f3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 17 Oct 2024 20:20:10 +0200 Subject: [PATCH 15/22] [mod] role:mas:conf --- roles/mas/defaults/main.json | 2 +- roles/mas/files/conf-compose.py | 42 +++++++++++++-------- roles/mas/tasks/config-database.json.j2 | 9 +++++ roles/mas/tasks/main.json | 31 ++++++++++++++- roles/mas/templates/config-base.json.j2 | 2 +- roles/mas/templates/config-matrix.json.j2 | 7 ++++ roles/mas/templates/config-upstream.json.j2 | 20 ++++++++++ 7 files changed, 93 insertions(+), 20 deletions(-) create mode 100644 roles/mas/tasks/config-database.json.j2 create mode 100644 roles/mas/templates/config-matrix.json.j2 create mode 100644 roles/mas/templates/config-upstream.json.j2 diff --git a/roles/mas/defaults/main.json b/roles/mas/defaults/main.json index 7e5ae2c..8536c1b 100644 --- a/roles/mas/defaults/main.json +++ b/roles/mas/defaults/main.json @@ -16,7 +16,7 @@ "var_mas_authentication_upstream_data_authelia_url_base": "https://authelia.example.org", "var_mas_authentication_upstream_data_authelia_auth_method": "client_secret_post", "var_mas_authentication_upstream_data_authelia_scope": "openid profile email", - "var_mas_authentication_upstream_data_authelia_name": "authelia", + "var_mas_authentication_upstream_data_authelia_id": "01JADRQ54Y0KCQS0AEJQ4YTY36", "var_mas_authentication_upstream_data_authelia_client_id": "mas", "var_mas_authentication_upstream_data_authelia_client_secret": "REPLACE_ME" } diff --git a/roles/mas/files/conf-compose.py b/roles/mas/files/conf-compose.py index c1fe8cc..354e882 100644 --- a/roles/mas/files/conf-compose.py +++ b/roles/mas/files/conf-compose.py 
@@ -65,20 +65,12 @@ def main(): ## args argument_parser = _argparse.ArgumentParser() argument_parser.add_argument( - "-b", - "--base-file-path", + "-s", + "--source-directory", type = str, - dest = "base_file_path", - default = "/opt/mas/conf.d/base.json", - metavar = "", - ) - argument_parser.add_argument( - "-c", - "--clients-directory-path", - type = str, - dest = "clients_directory_path", - default = "/opt/mas/conf.d/clients", - metavar = "", + dest = "source_directory", + default = "/opt/mas/conf.d", + metavar = "", ) argument_parser.add_argument( "-f", @@ -105,7 +97,25 @@ def main(): if True: data = dict_merge( data, - _json.loads(file_read(args.base_file_path)) + _yaml.loads(file_read(_os.path.join(args.source_directory, "base.yaml"))) + ) + ### database + if True: + data = dict_merge( + data, + _json.loads(file_read(_os.path.join(args.source_directory, "database.json"))) + ) + ### matrix + if True: + data = dict_merge( + data, + _json.loads(file_read(_os.path.join(args.source_directory, "matrix.json"))) + ) + ### upstream + if True: + data = dict_merge( + data, + _json.loads(file_read(_os.path.join(args.source_directory, "upstream.json"))) ) ### clients if True: @@ -114,8 +124,8 @@ def main(): { "clients": list( map( - lambda name: _json.loads(file_read(_os.path.join(args.clients_directory_path, name))), - _os.listdir(args.clients_directory_path) + lambda name: _json.loads(file_read(_os.path.join(args.source_directory, "clients", name))), + _os.listdir(_os.path.join(args.source_directory, "clients")) ) ), } diff --git a/roles/mas/tasks/config-database.json.j2 b/roles/mas/tasks/config-database.json.j2 new file mode 100644 index 0000000..c227ba6 --- /dev/null +++ b/roles/mas/tasks/config-database.json.j2 
@@ -0,0 +1,9 @@ +{ + "database": { + "host": "{{var_mas_database_host}}", + "port": {{var_mas_database_port | string}}, + "username": "{{var_mas_database_username}}", + "password": "{{var_mas_database_password}}", + "database": "{{var_mas_database_schema}}" + } +} diff --git a/roles/mas/tasks/main.json b/roles/mas/tasks/main.json index c117ce6..6a18f0f 100644 --- a/roles/mas/tasks/main.json +++ b/roles/mas/tasks/main.json @@ -66,9 +66,36 @@ "name": "configuration | base", "become": true, "become_user": "{{var_mas_user}}", + "ansible.builtin.command": { + "cmd": "./mas-cli config generate > {{var_mas_directory}}/conf.d/base.yaml", + "chdir": "{{var_mas_directory}}" + } + }, + { + "name": "configuration | database", + "become": true, + "become_user": "{{var_mas_user}}", "ansible.builtin.template": { - "src": "config-base.json.j2", - "dest": "{{var_mas_directory}}/conf.d/base.json" + "src": "config-database.json.j2", + "dest": "{{var_mas_directory}}/conf.d/database.json" + } + }, + { + "name": "configuration | matrix", + "become": true, + "become_user": "{{var_mas_user}}", + "ansible.builtin.template": { + "src": "config-matrix.json.j2", + "dest": "{{var_mas_directory}}/conf.d/matrix.json" + } + }, + { + "name": "configuration | upstream", + "become": true, + "become_user": "{{var_mas_user}}", + "ansible.builtin.template": { + "src": "config-upstream.json.j2", + "dest": "{{var_mas_directory}}/conf.d/upstream.json" } }, { diff --git a/roles/mas/templates/config-base.json.j2 b/roles/mas/templates/config-base.json.j2 index 0c727a1..f70405b 100644 --- a/roles/mas/templates/config-base.json.j2 +++ b/roles/mas/templates/config-base.json.j2 
@@ -94,7 +94,7 @@ "upstream_oauth2": { "providers": [ { - "id": "{{var_mas_authentication_upstream_data_authelia_name}}", + "id": "{{var_mas_authentication_upstream_data_authelia_id}}", "issuer": "{{var_mas_authentication_upstream_data_authelia_url_base}}", "authorization_endpoint": "{{var_mas_authentication_upstream_data_authelia_url_base}}/api/oidc/authorization", "token_endpoint": "{{var_mas_authentication_upstream_data_authelia_url_base}}/api/oidc/token", diff --git a/roles/mas/templates/config-matrix.json.j2 b/roles/mas/templates/config-matrix.json.j2 new file mode 100644 index 0000000..5c6d5d1 --- /dev/null +++ b/roles/mas/templates/config-matrix.json.j2 @@ -0,0 +1,7 @@ +{ + "matrix": { + "homeserver": "{{var_mas_matrix_server}}", + "secret": "{{var_mas_matrix_secret}}", + "endpoint": "{{var_mas_matrix_endpoint}}" + } +} diff --git a/roles/mas/templates/config-upstream.json.j2 b/roles/mas/templates/config-upstream.json.j2 new file mode 100644 index 0000000..5b246fd --- /dev/null +++ b/roles/mas/templates/config-upstream.json.j2 @@ -0,0 +1,20 @@ +{ +{% if var_mas_authentication_upstream_kind == 'none' %} +{% endif %} +{% if var_mas_authentication_upstream_kind == 'authelia' %} + "upstream_oauth2": { + "providers": [ + { + "id": "{{var_mas_authentication_upstream_data_authelia_id}}", + "issuer": "{{var_mas_authentication_upstream_data_authelia_url_base}}", + "authorization_endpoint": "{{var_mas_authentication_upstream_data_authelia_url_base}}/api/oidc/authorization", + "token_endpoint": "{{var_mas_authentication_upstream_data_authelia_url_base}}/api/oidc/token", + "token_endpoint_auth_method": "{{var_mas_authentication_upstream_data_authelia_auth_method}}", + "scope": "{{var_mas_authentication_upstream_data_authelia_scope}}", + "client_id": "{{var_mas_authentication_upstream_data_authelia_client_id}}", + "client_secret": "{{var_mas_authentication_upstream_data_authelia_client_secret}}" + } + ] + } +{% endif %} +} -- 2.39.5 
From 9fa41dde42c2bebb0b19990b54dfb40d579bb989 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 17 Oct 2024 20:22:45 +0200 Subject: [PATCH 16/22] [mod] role:mas:conf --- roles/mas/tasks/main.json | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/roles/mas/tasks/main.json b/roles/mas/tasks/main.json index 6a18f0f..0cac0ab 100644 --- a/roles/mas/tasks/main.json +++ b/roles/mas/tasks/main.json @@ -13,9 +13,7 @@ "become": true, "loop": [ "{{var_mas_directory}}/conf.d", - "{{var_mas_directory}}/conf.d/providers", "{{var_mas_directory}}/conf.d/clients", - "{{var_mas_directory}}/secrets", "{{var_mas_directory}}/scripts" ], "ansible.builtin.file": { @@ -53,20 +51,11 @@ "mode": "0555" } }, - { - "name": "configuration | private key", - "become": true, - "become_user": "{{var_mas_user}}", - "community.crypto.openssl_privatekey": { - "curve": "secp384r1", - "path": "{{var_mas_directory}}/secrets/private_key.pem" - } - }, { "name": "configuration | base", "become": true, "become_user": "{{var_mas_user}}", - "ansible.builtin.command": { + "ansible.builtin.shell": { "cmd": "./mas-cli config generate > {{var_mas_directory}}/conf.d/base.yaml", "chdir": "{{var_mas_directory}}" } -- 2.39.5 From 34e01247e41af729ee87d543c3f999933df5702e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 17 Oct 2024 20:24:55 +0200 Subject: [PATCH 17/22] [mod] role:mas:conf --- roles/mas/{tasks => templates}/config-database.json.j2 | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename roles/mas/{tasks => templates}/config-database.json.j2 (100%) diff --git a/roles/mas/tasks/config-database.json.j2 b/roles/mas/templates/config-database.json.j2 similarity index 100% rename from roles/mas/tasks/config-database.json.j2 rename to roles/mas/templates/config-database.json.j2 -- 2.39.5 From fe9a2caed21f315a3a79543057f61501cc2141ef Mon Sep 17 00:00:00 2001 
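Review bot: The `configuration | base` task now runs `./mas-cli config generate > {{var_mas_directory}}/conf.d/base.yaml` through `ansible.builtin.shell` on every play, and as far as I know that command emits freshly generated random secrets (encryption key, signing keys) each time, so every run rotates the service's secrets and invalidates existing sessions and encrypted data. The file is also created under the mas user's default umask, so the secrets land world-readable in `conf.d`. I would make the task run once and create the file restrictively: `"cmd": "umask 077 && ./mas-cli config generate > {{var_mas_directory}}/conf.d/base.yaml",` plus `"creates": "{{var_mas_directory}}/conf.d/base.yaml"` inside the same module arguments.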
From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 17 Oct 2024 21:08:13 +0200 Subject: [PATCH 18/22] [fix] role:mas:conf --- roles/mas/files/conf-compose.py | 18 +++- roles/mas/tasks/main.json | 9 ++ roles/mas/templates/config-base.json.j2 | 114 ----------------------- roles/mas/templates/config-email.json.j2 | 7 ++ roles/mas/templates/config-http.json.j2 | 60 ++++++++++++ 5 files changed, 93 insertions(+), 115 deletions(-) delete mode 100644 roles/mas/templates/config-base.json.j2 create mode 100644 roles/mas/templates/config-email.json.j2 create mode 100644 roles/mas/templates/config-http.json.j2 diff --git a/roles/mas/files/conf-compose.py b/roles/mas/files/conf-compose.py index 354e882..fc8fc60 100644 --- a/roles/mas/files/conf-compose.py +++ b/roles/mas/files/conf-compose.py @@ -95,9 +95,13 @@ def main(): data = {} ### base if True: + data_raw = _yaml.safe_load(file_read(_os.path.join(args.source_directory, "base.yaml"))) data = dict_merge( data, - _yaml.loads(file_read(_os.path.join(args.source_directory, "base.yaml"))) + { + "secrets": data_raw["secrets"], + "passwords": data_raw["passwords"], + } ) ### database if True: @@ -105,6 +109,12 @@ def main(): data, _json.loads(file_read(_os.path.join(args.source_directory, "database.json"))) ) + ### http + if True: + data = dict_merge( + data, + _json.loads(file_read(_os.path.join(args.source_directory, "http.json"))) + ) ### matrix if True: data = dict_merge( @@ -117,6 +127,12 @@ def main(): data, _json.loads(file_read(_os.path.join(args.source_directory, "upstream.json"))) ) + ### email + if True: + data = dict_merge( + data, + _json.loads(file_read(_os.path.join(args.source_directory, "email.json"))) + ) ### clients if True: data = dict_merge( diff --git a/roles/mas/tasks/main.json b/roles/mas/tasks/main.json index 0cac0ab..019ebe2 100644 --- a/roles/mas/tasks/main.json +++ b/roles/mas/tasks/main.json 
@@ -69,6 +69,15 @@ "dest": "{{var_mas_directory}}/conf.d/database.json" } }, + { + "name": "configuration | http", + "become": true, + "become_user": "{{var_mas_user}}", + "ansible.builtin.template": { + "src": "config-http.json.j2", + "dest": "{{var_mas_directory}}/conf.d/http.json" + } + }, { "name": "configuration | matrix", "become": true, diff --git a/roles/mas/templates/config-base.json.j2 b/roles/mas/templates/config-base.json.j2 deleted file mode 100644 index f70405b..0000000 --- a/roles/mas/templates/config-base.json.j2 +++ /dev/null 
@@ -1,114 +0,0 @@ -{ - "database": { - "host": "{{var_mas_database_host}}", - "port": {{var_mas_database_port | string}}, - "username": "{{var_mas_database_username}}", - "password": "{{var_mas_database_password}}", - "database": "{{var_mas_database_schema}}" - }, - "http": { - "listeners": [ - { - "name": "web", - "resources": [ - { - "name": "discovery" - }, - { - "name": "human" - }, - { - "name": "oauth" - }, - { - "name": "compat" - }, - { - "name": "graphql" - }, - { - "name": "assets" - } - ], - "binds": [ - { - "address": "[{{var_mas_server_address}}]:{{var_mas_server_port | string}}" - } - ], - "proxy_protocol": false - }, - { - "name": "internal", - "resources": [ - { - "name": "health" - } - ], - "binds": [ - { - "host": "localhost", - "port": 8081 - } - ], - "proxy_protocol": false - } - ], - "trusted_proxies": [ - "192.168.0.0/16", - "172.16.0.0/12", - "10.0.0.0/10", - "127.0.0.1/8", - "fd00::/8", - "::1/128" - ], - "public_base": "http://{{var_mas_server_address}}:{{var_mas_server_port | string}}/", - "issuer": "http://{{var_mas_server_address}}:{{var_mas_server_port | string}}/" - }, - "matrix": { - "homeserver": "{{var_mas_matrix_server}}", - "secret": "{{var_mas_matrix_secret}}", - "endpoint": "{{var_mas_matrix_endpoint}}" - }, - "secrets": { - "encryption": "{{var_mas_encryption_key}}", - "keys": [ - { - "kid": "x1", - "key_file": "{{var_mas_directory}}/secrets/private_key.pem" - } - ] - }, - "passwords": { - "enabled": true, - "schemas": [ - { - "version": 1, - "algorithm": "argon2id" - } - ], - "minimum_complexity": 3 - }, -{% if var_mas_authentication_upstream_kind == 'none' %} -{% endif %} -{% if var_mas_authentication_upstream_kind == 'authelia' %} - "upstream_oauth2": { - "providers": [ - { - "id": "{{var_mas_authentication_upstream_data_authelia_id}}", - "issuer": "{{var_mas_authentication_upstream_data_authelia_url_base}}", - "authorization_endpoint": "{{var_mas_authentication_upstream_data_authelia_url_base}}/api/oidc/authorization", - 
"token_endpoint": "{{var_mas_authentication_upstream_data_authelia_url_base}}/api/oidc/token", - "token_endpoint_auth_method": "{{var_mas_authentication_upstream_data_authelia_auth_method}}", - "scope": "{{var_mas_authentication_upstream_data_authelia_scope}}", - "client_id": "{{var_mas_authentication_upstream_data_authelia_client_id}}", - "client_secret": "{{var_mas_authentication_upstream_data_authelia_client_secret}}" - } - ] - }, -{% endif %} - "email": { - "from": "'\"Authentication Service\" '", - "reply_to": "'\"Authentication Service\" '", - "transport": "blackhole" - } -} diff --git a/roles/mas/templates/config-email.json.j2 b/roles/mas/templates/config-email.json.j2 new file mode 100644 index 0000000..39608c6 --- /dev/null +++ b/roles/mas/templates/config-email.json.j2 @@ -0,0 +1,7 @@ +{ + "email": { + "from": "Authentication Service ", + "reply_to": "Authentication Service ", + "transport": "blackhole" + } +} diff --git a/roles/mas/templates/config-http.json.j2 b/roles/mas/templates/config-http.json.j2 new file mode 100644 index 0000000..a05d45e --- /dev/null +++ b/roles/mas/templates/config-http.json.j2 
@@ -0,0 +1,60 @@ +{ + "http": { + "listeners": [ + { + "name": "web", + "resources": [ + { + "name": "discovery" + }, + { + "name": "human" + }, + { + "name": "oauth" + }, + { + "name": "compat" + }, + { + "name": "graphql" + }, + { + "name": "assets" + } + ], + "binds": [ + { + "address": "[{{var_mas_server_address}}]:{{var_mas_server_port | string}}" + } + ], + "proxy_protocol": false + }, + { + "name": "internal", + "resources": [ + { + "name": "health" + } + ], + "binds": [ + { + "host": "localhost", + "port": 8081 + } + ], + "proxy_protocol": false + } + ], + "trusted_proxies": [ + "192.168.0.0/16", + "172.16.0.0/12", + "10.0.0.0/10", + "127.0.0.1/8", + "fd00::/8", + "::1/128" + ], + "public_base": "http://{{var_mas_server_address}}:{{var_mas_server_port | string}}/", + "issuer": "http://{{var_mas_server_address}}:{{var_mas_server_port | string}}/" + } +} -- 2.39.5 From 3a9de7a7b453cc9ec389b1e452c89237989a1788 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 17 Oct 2024 23:15:10 +0200 Subject: [PATCH 19/22] [int] --- roles/authelia-for-mas/defaults/main.json | 2 +- roles/authelia-for-mas/vardef.json | 19 +++++++++++++++++ roles/mas-for-synapse/defaults/main.json | 2 +- roles/mas/defaults/main.json | 11 +++++----- roles/mas/templates/config-http.json.j2 | 6 +++--- roles/mas/templates/config-upstream.json.j2 | 19 +++++++++++++++-- roles/mas/vardef.json | 23 ++++++++++++++++----- roles/synapse-and-nginx/info.md | 6 ++++++ roles/synapse/defaults/main.json | 2 +- 9 files changed, 72 insertions(+), 18 deletions(-) create mode 100644 roles/authelia-for-mas/vardef.json diff --git a/roles/authelia-for-mas/defaults/main.json b/roles/authelia-for-mas/defaults/main.json index 636a5cb..58848ef 100644 --- a/roles/authelia-for-mas/defaults/main.json +++ b/roles/authelia-for-mas/defaults/main.json 
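Review bot: `trusted_proxies` in the new http.json template trusts all of RFC 1918 and `fd00::/8`, so any host in private address space that can reach the listener may set forwarded headers and spoof the client IP MAS records and rate-limits on; it should list only the reverse proxy that actually fronts MAS (for the nginx-on-same-host case from this series, `"127.0.0.1/32"` and `"::1/128"`). Two of the entries also look wrong as written: `"10.0.0.0/10"` covers only 10.0.0.0–10.63.255.255 (the private block is `10.0.0.0/8`), and `"127.0.0.1/8"` has host bits set (canonical `127.0.0.0/8`), which some CIDR parsers reject. The same list was carried over from the deleted config-base template, so it was not introduced here, but this is the file that survives.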
@@ -1,6 +1,6 @@ { "var_authelia_for_mas_mas_url_base": "https://mas.example.org", - "var_authelia_for_mas_id": "mas", + "var_authelia_for_mas_id": "01JADRQ54Y0KCQS0AEJQ4YTY36", "var_authelia_for_mas_client_id": "mas", "var_authelia_for_mas_client_secret": "REPLACE_ME" } diff --git a/roles/authelia-for-mas/vardef.json b/roles/authelia-for-mas/vardef.json new file mode 100644 index 0000000..798ef2a --- /dev/null +++ b/roles/authelia-for-mas/vardef.json @@ -0,0 +1,19 @@ +{ + "mas_url_base": { + "type": "string", + "mandatory": false + }, + "id": { + "type": "string", + "mandatory": false, + "description": "needs to be a ULID" + } + "client_id": { + "type": "string", + "mandatory": false + }, + "client_secret": { + "type": "string", + "mandatory": false + } +} diff --git a/roles/mas-for-synapse/defaults/main.json b/roles/mas-for-synapse/defaults/main.json index c90cf80..5802580 100644 --- a/roles/mas-for-synapse/defaults/main.json +++ b/roles/mas-for-synapse/defaults/main.json @@ -1,5 +1,5 @@ { "var_mas_for_synapse_synapse_url_base": "https://synapse.example.org", - "var_mas_for_synapse_client_id": "synapse", + "var_mas_for_synapse_client_id": "01JAE3YFB91XFWEDQY0WFDW5VN", "var_mas_for_synapse_client_secret": "REPLACE_ME" } diff --git a/roles/mas/defaults/main.json b/roles/mas/defaults/main.json index 8536c1b..e50f260 100644 --- a/roles/mas/defaults/main.json +++ b/roles/mas/defaults/main.json 
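Review bot: The new `roles/authelia-for-mas/vardef.json` is not valid JSON: the `"id"` object closes with `}` and is immediately followed by `"client_id": {` with no comma, so any strict parser rejects the file (the change to `},` on that line fixes it). Please run it through `python -m json.tool` or `jq .` before merging; the other new vardef in this series (`roles/mas/vardef.json`) uses `},` consistently. The `"needs to be a ULID"` description is helpful, and since `id` is now a fixed ULID shared by every deployment a note that it merely has to be unique per MAS instance would avoid the impression it must be that specific value.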
@@ -1,20 +1,21 @@ { "var_mas_user": "mas", "var_mas_directory": "/opt/mas", - "var_mas_server_address": "[::]", - "var_mas_server_port": 2839, + "var_mas_server_server_address": "[::]", + "var_mas_server_server_port": 2839, + "var_mas_server_server_domain": "mas.example.org", "var_mas_database_host": "postgresql.example.org", "var_mas_database_port": 5432, "var_mas_database_username": "mas_user", "var_mas_database_password": "REPLACE_ME", "var_mas_database_schema": "mas", - "var_mas_matrix_server": "localhost:8008", + "var_mas_matrix_server": "synapse.example.org", "var_mas_matrix_secret": "REPLACE_ME", - "var_mas_matrix_endpoint": "http://localhost:8008/", + "var_mas_matrix_endpoint": "https://synapse.example.org/", "var_mas_encryption_key": "REPLACE_ME", "var_mas_authentication_upstream_kind": "none", "var_mas_authentication_upstream_data_authelia_url_base": "https://authelia.example.org", - "var_mas_authentication_upstream_data_authelia_auth_method": "client_secret_post", + "var_mas_authentication_upstream_data_authelia_auth_method": "client_secret_basic", "var_mas_authentication_upstream_data_authelia_scope": "openid profile email", "var_mas_authentication_upstream_data_authelia_id": "01JADRQ54Y0KCQS0AEJQ4YTY36", "var_mas_authentication_upstream_data_authelia_client_id": "mas", diff --git a/roles/mas/templates/config-http.json.j2 b/roles/mas/templates/config-http.json.j2 index a05d45e..3ec21c0 100644 --- a/roles/mas/templates/config-http.json.j2 +++ b/roles/mas/templates/config-http.json.j2 @@ -25,7 +25,7 @@ ], "binds": [ { - "address": "[{{var_mas_server_address}}]:{{var_mas_server_port | string}}" + "address": "{{var_mas_server_server_address}}:{{var_mas_server_server_port | string}}" } ], "proxy_protocol": false 
@@ -54,7 +54,7 @@
 "fd00::/8",
 "::1/128"
 ],
- "public_base": "http://{{var_mas_server_address}}:{{var_mas_server_port | string}}/",
- "issuer": "http://{{var_mas_server_address}}:{{var_mas_server_port | string}}/"
+ "public_base": "https://{{var_mas_server_server_domain}}/",
+ "issuer": "https://{{var_mas_server_server_domain}}/"
 }
 }
diff --git a/roles/mas/templates/config-upstream.json.j2 b/roles/mas/templates/config-upstream.json.j2
index 5b246fd..220db66 100644
--- a/roles/mas/templates/config-upstream.json.j2
+++ b/roles/mas/templates/config-upstream.json.j2
@@ -11,9 +11,24 @@
 "token_endpoint": "{{var_mas_authentication_upstream_data_authelia_url_base}}/api/oidc/token",
 "token_endpoint_auth_method": "{{var_mas_authentication_upstream_data_authelia_auth_method}}",
 "scope": "{{var_mas_authentication_upstream_data_authelia_scope}}",
+ "discovery_mode": "insecure",
 "client_id": "{{var_mas_authentication_upstream_data_authelia_client_id}}",
- "client_secret": "{{var_mas_authentication_upstream_data_authelia_client_secret}}"
- }
+ "client_secret": "{{var_mas_authentication_upstream_data_authelia_client_secret}}",
+ "claims_imports": {
+ "localpart": {
+ "action": "require",
+ "template": "{{"{{"}} user.preferred_username {{"}}"}}"
+ },
+ "displayname": {
+ "action": "suggest",
+ "template": "{{"{{"}} user.name {{"}}"}}"
+ },
+ "email": {
+ "action": "suggest",
+ "template": "{{"{{"}} user.email {{"}}"}}",
+ "set_email_verification": "always"
+ }
+ }
 ]
 }
 {% endif %}
diff --git a/roles/mas/vardef.json b/roles/mas/vardef.json
index 04f210e..176dd0e 100644
--- a/roles/mas/vardef.json
+++ b/roles/mas/vardef.json
@@ -7,6 +7,18 @@
 "type": "string",
 "mandatory": false
 },
+ "server_address": {
+ "type": "string",
+ "mandatory": false
+ },
+ "server_port": {
+ "type": "string",
+ "mandatory": false
+ },
+ "domain": {
+ "type": "string",
+ "mandatory": false
+ },
 "database_host": {
 "type": "string",
 "mandatory": false
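Review bot: The rendered provider object is no longer closed: the removed `- }` was its closing brace, and the two added `+ }` lines close only `email` and `claims_imports` (the `+24` in the hunk header confirms no third one was added), so the output ends `} } ] }` with the array closing while the object is still open and the JSON fails to parse; a further `}` line is needed before the context `]`. `"discovery_mode": "insecure"` relaxes MAS's validation of the upstream's discovery metadata; with the endpoints apparently supplied explicitly in this template, `"discovery_mode": "disabled"` avoids the relaxed check, and the default `oidc` is preferable once the Authelia issuer matches. `"set_email_verification": "always"` marks every imported address as verified regardless of what Authelia asserts, which is only safe if Authelia guarantees verified addresses; `import` defers to the upstream's claim instead. The provider object begins before the hunk.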
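Review bot: The three new vardef entries declare variables the role does not read. Elsewhere on this page a vardef key `k` maps to `var_<role>_k` (`id` ↔ `var_authelia_for_mas_id`, `database_host` ↔ `var_mas_database_host`), so `server_address`, `server_port` and `domain` describe `var_mas_server_address`, `var_mas_server_port` and `var_mas_domain`, whereas the defaults and templates in this commit switch to `var_mas_server_server_address`, `var_mas_server_server_port` and `var_mas_server_server_domain`; either the keys or the variable names need the duplicated `server_` resolved the same way, or any mandatory/type checking the vardef drives never sees the real values. `server_port` is also typed `"string"` while its default is the number `2839` and the template has to apply `| string` to it; the declared type should match the default, if the vardef format has a numeric type.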
@@ -21,7 +33,7 @@
 },
 "database_password": {
 "type": "string",
- "mandatory": false
+ "mandatory": true
 },
 "database_schema": {
 "type": "string",
@@ -33,7 +45,7 @@
 },
 "matrix_secret": {
 "type": "string",
- "mandatory": false
+ "mandatory": true
 },
 "matrix_endpoint": {
 "type": "string",
@@ -41,7 +53,7 @@
 },
 "encryption_key": {
 "type": "string",
- "mandatory": false
+ "mandatory": true
 },
 "authentication_upstream_kind": {
 "nullable": false,
@@ -63,9 +75,10 @@
 "type": "string",
 "mandatory": false
 },
- "authentication_upstream_data_authelia_name": {
+ "authentication_upstream_data_authelia_id": {
 "type": "string",
- "mandatory": false
+ "mandatory": false,
+ "description": "needs to be a ULID"
 },
 "authentication_upstream_data_authelia_client_id": {
 "type": "string",
diff --git a/roles/synapse-and-nginx/info.md b/roles/synapse-and-nginx/info.md
index 7d09e48..686d632 100644
--- a/roles/synapse-and-nginx/info.md
+++ b/roles/synapse-and-nginx/info.md
@@ -6,3 +6,9 @@ ## Verweise - [Synapse-Dokumentation über die Nutzung von Reverse-Proxies](https://matrix-org.github.io/synapse/latest/reverse_proxy.html) + + +## ToDo + +- MAS-Einbindung (siehe https://element-hq.github.io/matrix-authentication-service/setup/reverse-proxy.html) +
diff --git a/roles/synapse/defaults/main.json b/roles/synapse/defaults/main.json
index efda6b0..ba81aba 100644
--- a/roles/synapse/defaults/main.json
+++ b/roles/synapse/defaults/main.json
@@ -21,7 +21,7 @@
 "var_synapse_authentication_data_authelia_client_secret": "REPLACE_ME",
 "var_synapse_authentication_data_authelia_url_base": "https://authelia.example.org",
 "var_synapse_authentication_data_mas_url_base": "http://localhost:2839",
- "var_synapse_authentication_data_mas_client_id": "synapse",
+ "var_synapse_authentication_data_mas_client_id": "01JAE3YFB91XFWEDQY0WFDW5VN",
 "var_synapse_authentication_data_mas_client_secret": "REPLACE_ME",
 "var_synapse_authentication_data_mas_admin_token": "REPLACE_ME",
 "var_synapse_authentication_data_mas_provider_id": "mas",
-- 2.39.5
From 2a6dd27f8144fe9fd948f4dc1efcbff169d02e97 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Fri, 18 Oct 2024 08:46:17 +0200
Subject: [PATCH 20/22] [mod] role:synapse-and-nginx:expose well-known stuff
---
 roles/synapse-and-nginx/templates/conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/synapse-and-nginx/templates/conf.j2 b/roles/synapse-and-nginx/templates/conf.j2
index 952b9e4..1373f00 100644
--- a/roles/synapse-and-nginx/templates/conf.j2
+++ b/roles/synapse-and-nginx/templates/conf.j2
@@ -1,5 +1,5 @@
 {% macro synapse_common() %}
- location ~ ^(/_matrix|/_synapse/client) {
+ location ~ ^(/_matrix|/_synapse/client|/.well-known) {
 proxy_pass http://localhost:8008;
 proxy_set_header X-Forwarded-For $remote_addr;
 proxy_set_header X-Forwarded-Proto $scheme;
-- 2.39.5
From 98243708139b214aef9c68e0abb98d942b508986 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Thu, 24 Oct 2024 18:22:55 +0200
Subject: [PATCH 21/22] [fix] authelia-for-mas:vardef
---
 roles/authelia-for-mas/vardef.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/authelia-for-mas/vardef.json b/roles/authelia-for-mas/vardef.json
index 798ef2a..03568f8 100644
--- a/roles/authelia-for-mas/vardef.json
+++ b/roles/authelia-for-mas/vardef.json
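Review bot: The widened pattern `^(/_matrix|/_synapse/client|/.well-known)` hands the entire `/.well-known/` tree to Synapse, not just the Matrix delegation documents, so anything else served from that prefix on this vhost — notably `/.well-known/acme-challenge/` for HTTP-01 certificate renewals from a webroot — would now be proxied to Synapse and presumably answered with a 404. Restricting it to the Matrix prefix keeps the delegation endpoints reachable without capturing the rest, and escaping the dot stops it matching an arbitrary character: `location ~ ^(/_matrix|/_synapse/client|/\.well-known/matrix) {`. The macro body continues beyond the hunk.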
@@ -7,7 +7,7 @@
 "type": "string",
 "mandatory": false,
 "description": "needs to be a ULID"
- }
+ },
 "client_id": {
 "type": "string",
 "mandatory": false
-- 2.39.5
From 4252e77ddf7a68e80718ac51d7f1cc4b869ca38c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Fri, 25 Oct 2024 10:16:01 +0200
Subject: [PATCH 22/22] [fix] role:synapse:apt stuff
---
 roles/synapse/tasks/main.json | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/roles/synapse/tasks/main.json b/roles/synapse/tasks/main.json
index 63e0e78..0450ca2 100644
--- a/roles/synapse/tasks/main.json
+++ b/roles/synapse/tasks/main.json
@@ -7,6 +7,13 @@
 "dest": "/etc/apt/sources.list.d/bullseye-backports-for-synapse.list"
 }
 },
+ {
+ "name": "update sources",
+ "become": true,
+ "ansible.builtin.apt": {
+ "update_cache": true
+ }
+ },
 {
 "name": "prepare package installation | server-name",
 "become": true,
-- 2.39.5
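Review bot: The new `update sources` task runs `ansible.builtin.apt` with only `update_cache: true`, which reports `changed` whenever it refreshes the cache — typically on every run — so the play summary can no longer distinguish a real change from this refresh. Adding `"changed_when": false` to the task, or `"cache_valid_time": 3600` next to `update_cache` so a recent cache is reused, keeps the run idempotent; alternatively fold `"update_cache": true` into the package installation task that follows and drop the separate step. The surrounding task list continues outside the hunk.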