Compare commits
	
		
			11 Commits
		
	
	
		
			0d0276764b
			...
			transcaffe
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| 5b47da2bd0 | |||
| 98c3877081 | |||
| 884a71ed23 | |||
| ddebf0618c | |||
| e6f9256566 | |||
| b454d3918d | |||
| bece0ede75 | |||
| a83a1f8d20 | |||
| 1effea434e | |||
| b1d9f73b86 | |||
| 41aa9f0365 | 
							
								
								
									
										16
									
								
								README.md
									
									
									
									
									
								
							
							
						
						
									
										16
									
								
								README.md
									
									
									
									
									
								
							| @@ -8,8 +8,20 @@ concise area of concern. | |||||||
|  |  | ||||||
| ## Roles | ## Roles | ||||||
|  |  | ||||||
| - [`roles/restic-s3`](roles/restic-s3/README.md): Manage backups using restic | - [`roles/authelia`](roles/authelia/README.md): Deploys an [authelia.com](https://www.authelia.com) | ||||||
|   and persist them to an s3-compatible backend. |   instance, an authentication provider with beta OIDC provider support. | ||||||
|  |  | ||||||
|  | - [`roles/gitea`](roles/gitea/README.md): Deploy [gitea.io](https://gitea.io), a | ||||||
|  |   lightweight, self-hosted git service. | ||||||
|  |  | ||||||
|  | - [`roles/jellyfin`](roles/jellyfin/README.md): Deploy [jellyfin.org](https://jellyfin.org), | ||||||
|  |   the free software media system for streaming stored media to any device. | ||||||
|  |  | ||||||
|  | - [`roles/restic`](roles/restic/README.md): Manage backups using restic | ||||||
|  |   and persist them to a configurable backend. | ||||||
|  |  | ||||||
|  | - [`roles/minio`](roles/minio/README.md): Deploy [min.io](https://min.io), an | ||||||
|  |   s3-compatible object storage server, using docker containers. | ||||||
|  |  | ||||||
| ## License | ## License | ||||||
|  |  | ||||||
|   | |||||||
							
								
								
									
										74
									
								
								roles/authelia/README.md
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										74
									
								
								roles/authelia/README.md
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,74 @@ | |||||||
|  | # `finallycoffee.services.authelia` ansible role | ||||||
|  |  | ||||||
|  | Deploys [authelia](https://www.authelia.com), an open-source full-featured | ||||||
|  | authentication server with OIDC beta support. | ||||||
|  |  | ||||||
|  | ## Configuration | ||||||
|  |  | ||||||
|  | Most configurations options are exposed to be overrideable by setting | ||||||
|  | `authelia_config_{flat_config_key}`, which means `totp.digits: 8` | ||||||
|  | would become `authelia_config_totp_digits: 8`. | ||||||
|  |  | ||||||
|  | If configuration is not exposed in [`defaults/main.yml`](defaults/main.yml), | ||||||
|  | it can be overridden in `authelia_extra_config`, which is merged recursively | ||||||
|  | to the default config. Entire blocks can currently not be easily overridden, | ||||||
|  | it's best to rely on the `authelia_extra_config` here. | ||||||
|  |  | ||||||
|  | Below are some configuration hints towards enabling 2nd factor | ||||||
|  | providers like TOTP, WebAuthN etc. | ||||||
|  |  | ||||||
|  | ### TOTP | ||||||
|  |  | ||||||
|  | See [the authelia docs on TOTP](https://www.authelia.com/docs/configuration/one-time-password.html#algorithm) | ||||||
|  | before adjusting some of the fine-grained configuration, as many | ||||||
|  | TOTP clients do not properly support all by-spec supported values. | ||||||
|  |  | ||||||
|  | ```yaml | ||||||
|  | authelia_config_totp_disable: false | ||||||
|  | authelia_config_totp_issuer: "your.authelia.domain" | ||||||
|  | # Best to stick to authelias guide here | ||||||
|  | authelia_config_totp_algorithm: [...] | ||||||
|  | authelia_config_totp_digits: [...] | ||||||
|  | authelia_config_totp_period: [...] | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | ### WebAuthN | ||||||
|  |  | ||||||
|  | ```yaml | ||||||
|  | authelia_config_webauthn_disable: false | ||||||
|  | authelia_config_webauthn_timeout: 30s | ||||||
|  | # Force user to touch the security key's confirmation button | ||||||
|  | authelia_config_webauthn_user_verification: required | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | For more information about possible WebAuthN configuration, see | ||||||
|  | [the authelia docs on WebAuthN](https://www.authelia.com/docs/configuration/webauthn.html). | ||||||
|  |  | ||||||
|  | ### Database & Redis | ||||||
|  |  | ||||||
|  | While Authelia can use a sqlite DB with in memory store by setting | ||||||
|  | `authelia_sqlite_storage_file_path`, it is recommended to use a proper | ||||||
|  | database and a redis instance: | ||||||
|  | ```yaml | ||||||
|  | authelia_database_type: postgres | ||||||
|  | authelia_database_host: /var/run/postgres/ | ||||||
|  | authelia_database_user: authelia | ||||||
|  | authelia_database_pass: authelia | ||||||
|  |  | ||||||
|  | # Redis | ||||||
|  | authelia_redis_host: /var/run/redis/ | ||||||
|  | authelia_redis_pass: very_long_static_secret | ||||||
|  |  | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | ### Notifications | ||||||
|  |  | ||||||
|  | For a test setup, notifications can be written into a config file, this behaviour | ||||||
|  | is enabled by setting `authelia_config_notifier_filesystem_filename`. For real-world | ||||||
|  | use, an SMTP server is strongly recommended, its config is as follows: | ||||||
|  | ``` | ||||||
|  | authelia_smtp_host: mail.domain.com | ||||||
|  | authelia_smtp_port: 587 # for StartTLS | ||||||
|  | authelia_smtp_user: authelia@domain.com | ||||||
|  | authelia_smtp_pass: authelia_user_pass | ||||||
|  | ``` | ||||||
							
								
								
									
										180
									
								
								roles/authelia/defaults/main.yml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										180
									
								
								roles/authelia/defaults/main.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,180 @@ | |||||||
|  | --- | ||||||
|  |  | ||||||
|  | authelia_version: 4.34.6 | ||||||
|  | authelia_user: authelia | ||||||
|  | authelia_base_dir: /opt/authelia | ||||||
|  | authelia_domain: authelia.example.org | ||||||
|  |  | ||||||
|  | authelia_config_dir: "{{ authelia_base_dir }}/config" | ||||||
|  | authelia_config_file: "{{ authelia_config_dir }}/config.yaml" | ||||||
|  | authelia_data_dir: "{{ authelia_base_dir }}/data" | ||||||
|  | authelia_sqlite_storage_file: "{{ authelia_data_dir }}/authelia.sqlite3" | ||||||
|  | authelia_notification_storage_file: "{{ authelia_data_dir }}/notifications.txt" | ||||||
|  | authelia_user_storage_file: "{{ authelia_data_dir }}/user_database.yml" | ||||||
|  |  | ||||||
|  | authelia_container_name: authelia | ||||||
|  | authelia_container_image_name: docker.io/authelia/authelia | ||||||
|  | authelia_container_image_tag: ~ | ||||||
|  | authelia_container_image_ref: "{{ authelia_container_image_name }}:{{ authelia_container_image_tag | default(authelia_version, true) }}" | ||||||
|  | authelia_container_image_force_pull: "{{ authelia_container_image_tag | default(false, True) }}" | ||||||
|  | authelia_container_env: | ||||||
|  |   PUID: "{{ authelia_run_user }}" | ||||||
|  |   PGID: "{{ authelia_run_group }}" | ||||||
|  | authelia_container_labels: >-2 | ||||||
|  |   {{ authelia_container_base_labels | combine(authelia_container_extra_labels) }} | ||||||
|  | authelia_container_extra_labels: {} | ||||||
|  | authelia_container_extra_volumes: [] | ||||||
|  | authelia_container_volumes: >-2 | ||||||
|  |   {{ authelia_container_base_volumes | ||||||
|  |     + authelia_container_extra_volumes }} | ||||||
|  | authelia_container_ports: ~ | ||||||
|  | authelia_container_networks: ~ | ||||||
|  | authelia_container_purge_networks: ~ | ||||||
|  | authelia_container_restart_policy: unless-stopped | ||||||
|  | authelia_container_state: started | ||||||
|  |  | ||||||
|  | authelia_container_listen_port: 9091 | ||||||
|  | authelia_tls_minimum_version: TLS1.2 | ||||||
|  |  | ||||||
|  | authelia_config_theme: auto | ||||||
|  | authelia_config_jwt_secret: ~ | ||||||
|  | authelia_config_default_redirection_url: ~ | ||||||
|  | authelia_config_server_host: 0.0.0.0 | ||||||
|  | authelia_config_server_port: "{{ authelia_container_listen_port }}" | ||||||
|  | authelia_config_server_path: "" | ||||||
|  | authelia_config_server_read_buffer_size: 4096 | ||||||
|  | authelia_config_server_write_buffer_size: 4096 | ||||||
|  | authelia_config_server_enable_pprof: true | ||||||
|  | authelia_config_server_enable_expvars: true | ||||||
|  | authelia_config_server_disable_healthcheck: | ||||||
|  | authelia_config_server_tls_key: ~ | ||||||
|  | authelia_config_server_tls_certificate: ~ | ||||||
|  | authelia_config_server_tls_client_certificates: [] | ||||||
|  | authelia_config_server_headers_csp_template: ~ | ||||||
|  | authelia_config_log_level: info | ||||||
|  | authelia_config_log_format: json | ||||||
|  | authelia_config_log_file_path: ~ | ||||||
|  | authelia_config_log_keep_stdout: false | ||||||
|  | authelia_config_totp_disable: true | ||||||
|  | authelia_config_totp_issuer: "{{ authelia_domain }}" | ||||||
|  | authelia_config_totp_algorithm: sha1 | ||||||
|  | authelia_config_totp_digits: 6 | ||||||
|  | authelia_config_totp_period: 30 | ||||||
|  | authelia_config_totp_skew: 1 | ||||||
|  | authelia_config_totp_secret_size: 32 | ||||||
|  | authelia_config_webauthn_disable: true | ||||||
|  | authelia_config_webauthn_timeout: 60s | ||||||
|  | authelia_config_webauthn_display_name: "Authelia ({{ authelia_domain }})" | ||||||
|  | authelia_config_webauthn_attestation_conveyance_preference: indirect | ||||||
|  | authelia_config_webauthn_user_verification: preferred | ||||||
|  | authelia_config_duo_api_hostname: ~ | ||||||
|  | authelia_config_duo_api_integration_key: ~ | ||||||
|  | authelia_config_duo_api_secret_key: ~ | ||||||
|  | authelia_config_duo_api_enable_self_enrollment: false | ||||||
|  | authelia_config_ntp_address: "time.cloudflare.com:123" | ||||||
|  | authelia_config_ntp_version: 4 | ||||||
|  | authelia_config_ntp_max_desync: 3s | ||||||
|  | authelia_config_ntp_disable_startup_check: false | ||||||
|  | authelia_config_ntp_disable_failure: false | ||||||
|  | authelia_config_authentication_backend_disable_reset_password: false | ||||||
|  | authelia_config_authentication_backend_refresh_interval: 5m | ||||||
|  | authelia_config_authentication_backend_password_reset_custom_url: ~ | ||||||
|  | authelia_config_authentication_backend_ldap_implementation: custom | ||||||
|  | authelia_config_authentication_backend_ldap_url: ldap://127.0.0.1:389 | ||||||
|  | authelia_config_authentication_backend_ldap_timeout: 5s | ||||||
|  | authelia_config_authentication_backend_ldap_start_tls: false | ||||||
|  | authelia_config_authentication_backend_ldap_tls_skip_verify: false | ||||||
|  | authelia_config_authentication_backend_ldap_minimum_version: "{{ authelia_tls_minimum_version }}" | ||||||
|  | authelia_config_authentication_backend_ldap_base_dn: ~ | ||||||
|  | authelia_config_authentication_backend_ldap_additional_users_dn: "ou=users" | ||||||
|  | authelia_config_authentication_backend_ldap_users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=inetOrgPerson))" | ||||||
|  | authelia_config_authentication_backend_ldap_additional_groups_dn: "ou=groups" | ||||||
|  | authelia_config_authentication_backend_ldap_groups_filter: "(member={dn})" | ||||||
|  | authelia_config_authentication_backend_ldap_group_name_attribute: cn | ||||||
|  | authelia_config_authentication_backend_ldap_username_attribute: uid | ||||||
|  | authelia_config_authentication_backend_ldap_mail_attribute: mail | ||||||
|  | authelia_config_authentication_backend_ldap_display_name_attribute: displayName | ||||||
|  | authelia_config_authentication_backend_ldap_user: ~ | ||||||
|  | authelia_config_authentication_backend_ldap_password: ~ | ||||||
|  | authelia_config_authentication_backend_file_path: ~ | ||||||
|  | authelia_config_authentication_backend_file_password_algorithm: argon2id | ||||||
|  | authelia_config_authentication_backend_file_password_iterations: 5 | ||||||
|  | authelia_config_authentication_backend_file_password_key_length: 32 | ||||||
|  | authelia_config_authentication_backend_file_password_salt_length: 16 | ||||||
|  | authelia_config_authentication_backend_file_password_memory: 1024 | ||||||
|  | authelia_config_authentication_backend_file_password_parallelism: 8 | ||||||
|  | authelia_config_password_policy_standard_enabled: false | ||||||
|  | authelia_config_password_policy_standard_min_length: 12 | ||||||
|  | authelia_config_password_policy_standard_max_length: 0 | ||||||
|  | authelia_config_password_policy_standard_require_uppercase: true | ||||||
|  | authelia_config_password_policy_standard_require_lowercase: true | ||||||
|  | authelia_config_password_policy_standard_require_number: true | ||||||
|  | authelia_config_password_policy_standard_require_special: false | ||||||
|  | authelia_config_password_policy_zxcvbn_enabled: true | ||||||
|  | authelia_config_access_control_default_policy: deny | ||||||
|  | authelia_config_access_control_networks: [] | ||||||
|  | authelia_config_access_control_rules: [] | ||||||
|  | authelia_config_session_name: authelia_session | ||||||
|  | authelia_config_session_domain: example.org | ||||||
|  | authelia_config_session_same_site: lax | ||||||
|  | authelia_config_session_secret: ~ | ||||||
|  | authelia_config_session_expiration: 1h | ||||||
|  | authelia_config_session_inactivity: 5m | ||||||
|  | authelia_config_session_remember_me_duration: 1M | ||||||
|  | authelia_config_session_redis_host: "{{ authelia_redis_host }}" | ||||||
|  | authelia_config_session_redis_port: "{{ authelia_redis_port }}" | ||||||
|  | authelia_config_session_redis_username: "{{ authelia_redis_user }}" | ||||||
|  | authelia_config_session_redis_password: "{{ authelia_redis_pass }}" | ||||||
|  | authelia_config_session_redis_database_index: 0 | ||||||
|  | authelia_config_session_redis_maximum_active_connections: 8 | ||||||
|  | authelia_config_session_redis_minimum_idle_connections: 0 | ||||||
|  | authelia_config_session_redis_enable_tls: false | ||||||
|  | authelia_config_session_redis_tls_server_name: ~ | ||||||
|  | authelia_config_session_redis_tls_skip_verify: false | ||||||
|  | authelia_config_session_redis_tls_minimum_version: "{{ authelia_tls_minimum_version }}" | ||||||
|  | authelia_config_regulation_max_retries: 3 | ||||||
|  | authelia_config_regulation_find_time: 2m | ||||||
|  | authelia_config_regulation_ban_time: 5m | ||||||
|  | authelia_config_storage_encryption_key: ~ | ||||||
|  | authelia_config_storage_local_path: ~ | ||||||
|  | authelia_config_storage_mysql_port: 3306 | ||||||
|  | authelia_config_storage_postgres_port: 5432 | ||||||
|  | authelia_config_storage_postgres_ssl_mode: disable | ||||||
|  | authelia_config_storage_postgres_ssl_root_certificate: disable | ||||||
|  | authelia_config_storage_postgres_ssl_certificate: disable | ||||||
|  | authelia_config_storage_postgres_ssl_key: disable | ||||||
|  | authelia_config_notifier_disable_startup_check: false | ||||||
|  | authelia_config_notifier_filesystem_filename: ~ | ||||||
|  | authelia_config_notifier_smtp_host: "{{ authelia_smtp_host }}" | ||||||
|  | authelia_config_notifier_smtp_port: "{{ authelia_stmp_port }}" | ||||||
|  | authelia_config_notifier_smtp_username: "{{ authelia_smtp_user }}" | ||||||
|  | authelia_config_notifier_smtp_password: "{{ authelia_smtp_pass }}" | ||||||
|  | authelia_config_notifier_smtp_timeout: 5s | ||||||
|  | authelia_config_notifier_smtp_sender: "Authelia on {{ authelia_domain }} <admin@{{ authelia_domain }}>" | ||||||
|  | authelia_config_notifier_smtp_identifier: "{{ authelia_domain }}" | ||||||
|  | authelia_config_notifier_smtp_subject: "[Authelia @ {{ authelia_domain }}] {title}" | ||||||
|  | authelia_config_notifier_smtp_startup_check_address: false | ||||||
|  | authelia_config_notifier_smtp_disable_require_tls: false | ||||||
|  | authelia_config_notifier_smtp_disable_html_emails: false | ||||||
|  | authelia_config_notifier_smtp_tls_skip_verify: false | ||||||
|  | authelia_config_notifier_smtp_tls_minimum_version: "{{ authelia_tls_minimum_version }}" | ||||||
|  | #authelia_config_identity_provider_ | ||||||
|  |  | ||||||
|  | authelia_database_type: ~ | ||||||
|  | authelia_database_host: ~ | ||||||
|  | authelia_database_user: authelia | ||||||
|  | authelia_database_pass: ~ | ||||||
|  | authelia_database_name: authelia | ||||||
|  | authelia_database_timeout: 5s | ||||||
|  |  | ||||||
|  | authelia_smtp_host: ~ | ||||||
|  | authelia_stmp_port: 465 | ||||||
|  | authelia_stmp_user: authelia | ||||||
|  | authelia_stmp_pass: ~ | ||||||
|  |  | ||||||
|  | authelia_redis_host: ~ | ||||||
|  | authelia_redis_port: 6379 | ||||||
|  | authelia_redis_user: ~ | ||||||
|  | authelia_redis_pass: ~ | ||||||
|  |  | ||||||
|  | authelia_extra_config: {} | ||||||
							
								
								
									
										8
									
								
								roles/authelia/handlers/main.yml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										8
									
								
								roles/authelia/handlers/main.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,8 @@ | |||||||
|  | --- | ||||||
|  |  | ||||||
|  | - name: Restart authelia container | ||||||
|  |   docker_container: | ||||||
|  |     name: "{{ authelia_container_name }}" | ||||||
|  |     state: started | ||||||
|  |     restart: yes | ||||||
|  |   listen: restart-authelia | ||||||
							
								
								
									
										88
									
								
								roles/authelia/tasks/main.yml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										88
									
								
								roles/authelia/tasks/main.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,88 @@ | |||||||
|  | --- | ||||||
|  |  | ||||||
|  | - name: Ensure user {{ authelia_user }} exists | ||||||
|  |   user: | ||||||
|  |     name: "{{ authelia_user }}" | ||||||
|  |     state: present | ||||||
|  |     system: true | ||||||
|  |   register: authelia_user_info | ||||||
|  |  | ||||||
|  | - name: Ensure host directories are created with correct permissions | ||||||
|  |   file: | ||||||
|  |     path: "{{ item.path }}" | ||||||
|  |     state: directory | ||||||
|  |     owner: "{{ item.owner | default(authelia_user) }}" | ||||||
|  |     group: "{{ item.group | default(authelia_user) }}" | ||||||
|  |     mode: "{{ item.mode | default('0750') }}" | ||||||
|  |   loop: | ||||||
|  |     - path: "{{ authelia_base_dir }}" | ||||||
|  |       mode: "0755" | ||||||
|  |     - path: "{{ authelia_config_dir }}" | ||||||
|  |       mode: "0750" | ||||||
|  |     - path: "{{ authelia_data_dir }}" | ||||||
|  |       mode: "0750" | ||||||
|  |  | ||||||
|  | - name: Ensure config file is generated | ||||||
|  |   copy: | ||||||
|  |     content: "{{ authelia_config | to_nice_yaml(indent=2, width=10000) }}" | ||||||
|  |     dest: "{{ authelia_config_file }}" | ||||||
|  |     owner: "{{ authelia_run_user }}" | ||||||
|  |     group: "{{ authelia_run_group }}" | ||||||
|  |     mode: "0640" | ||||||
|  |   notify: restart-authelia | ||||||
|  |  | ||||||
|  | - name: Ensure sqlite database file exists before mounting it | ||||||
|  |   file: | ||||||
|  |     path: "{{ authelia_sqlite_storage_file }}" | ||||||
|  |     state: touch | ||||||
|  |     owner: "{{ authelia_run_user }}" | ||||||
|  |     group: "{{ authelia_run_group }}" | ||||||
|  |     mode: "0640" | ||||||
|  |     access_time: preserve | ||||||
|  |     modification_time: preserve | ||||||
|  |   when: authelia_config_storage_local_path | default(false, true) | ||||||
|  |  | ||||||
|  | - name: Ensure user database exists before mounting it | ||||||
|  |   file: | ||||||
|  |     path: "{{ authelia_user_storage_file }}" | ||||||
|  |     state: touch | ||||||
|  |     owner: "{{ authelia_run_user }}" | ||||||
|  |     group: "{{ authelia_run_group }}" | ||||||
|  |     mode: "0640" | ||||||
|  |     access_time: preserve | ||||||
|  |     modification_time: preserve | ||||||
|  |   when: authelia_config_authentication_backend_file_path | default(false, true) | ||||||
|  |  | ||||||
|  | - name: Ensure notification reports file exists before mounting it | ||||||
|  |   file: | ||||||
|  |     path: "{{ authelia_notification_storage_file }}" | ||||||
|  |     state: touch | ||||||
|  |     owner: "{{ authelia_run_user }}" | ||||||
|  |     group: "{{ authelia_run_group }}" | ||||||
|  |     mode: "0640" | ||||||
|  |     access_time: preserve | ||||||
|  |     modification_time: preserve | ||||||
|  |   when: authelia_config_notifier_filesystem_filename | default(false, true) | ||||||
|  |  | ||||||
|  | - name: Ensure authelia container image is present | ||||||
|  |   community.docker.docker_image: | ||||||
|  |     name: "{{ authelia_container_image_ref }}" | ||||||
|  |     state: present | ||||||
|  |     source: pull | ||||||
|  |     force_source: "{{ authelia_container_image_force_pull }}" | ||||||
|  |   register: authelia_container_image_info | ||||||
|  |  | ||||||
|  | - name: Ensure authelia container is running | ||||||
|  |   docker_container: | ||||||
|  |     name: "{{ authelia_container_name }}" | ||||||
|  |     image: "{{ authelia_container_image_ref }}" | ||||||
|  |     env: "{{ authelia_container_env }}" | ||||||
|  |     user: "{{ authelia_run_user }}:{{ authelia_run_group }}" | ||||||
|  |     ports: "{{ authelia_container_ports | default(omit, true) }}" | ||||||
|  |     labels: "{{ authelia_container_labels }}" | ||||||
|  |     volumes: "{{ authelia_container_volumes }}" | ||||||
|  |     networks: "{{ authelia_container_networks | default(omit, true) }}" | ||||||
|  |     purge_networks: "{{ authelia_container_purge_networks | default(omit, true)}}" | ||||||
|  |     restart_policy: "{{ authelia_container_restart_policy }}" | ||||||
|  |     state: "{{ authelia_container_state }}" | ||||||
|  |   register: authelia_container_info | ||||||
							
								
								
									
										259
									
								
								roles/authelia/vars/main.yml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										259
									
								
								roles/authelia/vars/main.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,259 @@ | |||||||
|  | --- | ||||||
|  |  | ||||||
|  | authelia_run_user: "{{ (authelia_user_info.uid) if authelia_user_info is defined else authelia_user }}" | ||||||
|  | authelia_run_group: "{{ (authelia_user_info.group) if authelia_user_info is defined else authelia_user }}" | ||||||
|  |  | ||||||
|  | authelia_container_base_volumes: >-2 | ||||||
|  |   {{ [ authelia_config_file + ":/config/configuration.yml:ro"] | ||||||
|  |     + ([ authelia_sqlite_storage_file + ":" + authelia_config_storage_local_path + ":z" ] | ||||||
|  |       if authelia_config_storage_local_path | default(false, true) else []) | ||||||
|  |     + ([ authelia_notification_storage_file + ":" + authelia_config_notifier_filesystem_filename + ":z" ] | ||||||
|  |       if authelia_config_notifier_filesystem_filename | default(false, true) else []) | ||||||
|  |     + ( [authelia_user_storage_file + ":" + authelia_config_authentication_backend_file_path + ":z"] | ||||||
|  |       if authelia_config_authentication_backend_file_path | default(false, true) else []) | ||||||
|  |   }} | ||||||
|  |  | ||||||
|  | authelia_container_base_labels: | ||||||
|  |   version: "{{ authelia_version }}" | ||||||
|  |  | ||||||
|  | authelia_config: "{{ authelia_base_config | combine(authelia_extra_config, recursive=True) }}" | ||||||
|  | authelia_top_level_config: | ||||||
|  |   theme: "{{ authelia_config_theme }}" | ||||||
|  |   jwt_secret: "{{ authelia_config_jwt_secret }}" | ||||||
|  |   log: "{{ authelia_config_log }}" | ||||||
|  |   totp: "{{ authelia_config_totp }}" | ||||||
|  |   webauthn: "{{ authelia_config_webauthn }}" | ||||||
|  |   duo_api: "{{ authelia_config_duo_api }}" | ||||||
|  |   ntp: "{{ authelia_config_ntp }}" | ||||||
|  |   authentication_backend: "{{ authelia_config_authentication_backend }}" | ||||||
|  | #  password_policy: "{{ authelia_config_password_policy }}" | ||||||
|  |   access_control: "{{ authelia_config_access_control }}" | ||||||
|  |   session: "{{ authelia_config_session }}" | ||||||
|  |   regulation: "{{ authelia_config_regulation }}" | ||||||
|  |   storage: "{{ authelia_config_storage }}" | ||||||
|  |   notifier: "{{ authelia_config_notifier }}" | ||||||
|  |  | ||||||
|  | authelia_base_config: >-2 | ||||||
|  |   {{ | ||||||
|  |     authelia_top_level_config | ||||||
|  |     | combine({"default_redirection_url": authelia_config_default_redirection_url} | ||||||
|  |       if authelia_config_default_redirection_url | default(false, true) else {}) | ||||||
|  |     | combine(({"server": authelia_config_server }) | ||||||
|  |       | combine({"tls": authelia_config_server_tls} | ||||||
|  |         if authelia_config_server_tls_key | default(false, true) else {})) | ||||||
|  |    }} | ||||||
|  |  | ||||||
|  | authelia_config_server: >-2 | ||||||
|  |   {{ | ||||||
|  |     { | ||||||
|  |       "host": authelia_config_server_host, | ||||||
|  |       "port": authelia_config_server_port, | ||||||
|  |       "path": authelia_config_server_path, | ||||||
|  |       "read_buffer_size": authelia_config_server_read_buffer_size, | ||||||
|  |       "write_buffer_size": authelia_config_server_write_buffer_size, | ||||||
|  |       "enable_pprof": authelia_config_server_enable_pprof, | ||||||
|  |       "enable_expvars": authelia_config_server_enable_expvars, | ||||||
|  |       "disable_healthcheck": authelia_config_server_disable_healthcheck, | ||||||
|  |     } | combine({"headers": {"csp_template": authelia_config_server_headers_csp_template}} | ||||||
|  |         if authelia_config_server_headers_csp_template | default(false, true) else {}) | ||||||
|  |   }} | ||||||
|  | authelia_config_server_tls: | ||||||
|  |   key: "{{ authelia_config_server_tls_key }}" | ||||||
|  |   certificate: "{{ authelia_config_server_tls_certificate }}" | ||||||
|  |   client_certificates: "{{ authelia_config_server_tls_client_certificates }}" | ||||||
|  | authelia_config_log: >-2 | ||||||
|  |   {{ | ||||||
|  |     { | ||||||
|  |       "level": authelia_config_log_level, | ||||||
|  |       "format": authelia_config_log_format | ||||||
|  |     } | ||||||
|  |     | combine({"file_path": authelia_config_log_file_path} | ||||||
|  |       if authelia_config_log_file_path | default(false, true) else {}) | ||||||
|  |     | combine({"keep_stdout": authelia_config_log_keep_stdout} | ||||||
|  |       if authelia_config_log_file_path | default(false, true) else {}) | ||||||
|  |   }} | ||||||
|  | authelia_config_totp: | ||||||
|  |   disable: "{{ authelia_config_totp_disable }}" | ||||||
|  |   issuer: "{{ authelia_config_totp_issuer }}" | ||||||
|  |   algorithm: "{{ authelia_config_totp_algorithm }}" | ||||||
|  |   digits: "{{ authelia_config_totp_digits }}" | ||||||
|  |   period: "{{ authelia_config_totp_period }}" | ||||||
|  |   skew: "{{ authelia_config_totp_skew }}" | ||||||
|  | #  secret_size: "{{ authelia_config_totp_secret_size }}" | ||||||
|  | authelia_config_webauthn: | ||||||
|  |   disable: "{{ authelia_config_webauthn_disable }}" | ||||||
|  |   timeout: "{{ authelia_config_webauthn_timeout }}" | ||||||
|  |   display_name: "{{ authelia_config_webauthn_display_name }}" | ||||||
|  |   attestation_conveyance_preference: "{{ authelia_config_webauthn_attestation_conveyance_preference }}" | ||||||
|  |   user_verification: "{{ authelia_config_webauthn_user_verification }}" | ||||||
|  | authelia_config_duo_api: | ||||||
|  |   hostname: "{{ authelia_config_duo_api_hostname }}" | ||||||
|  |   integration_key: "{{ authelia_config_duo_api_integration_key }}" | ||||||
|  |   secret_key: "{{ authelia_config_duo_api_secret_key }}" | ||||||
|  |   enable_self_enrollment: "{{ authelia_config_duo_api_enable_self_enrollment }}" | ||||||
|  | authelia_config_ntp: | ||||||
|  |   address: "{{ authelia_config_ntp_address }}" | ||||||
|  |   version: "{{ authelia_config_ntp_version }}" | ||||||
|  |   max_desync: "{{ authelia_config_ntp_max_desync }}" | ||||||
|  |   disable_startup_check: "{{ authelia_config_ntp_disable_startup_check }}" | ||||||
|  |   disable_failure: "{{ authelia_config_ntp_disable_failure }}" | ||||||
|  |  | ||||||
|  | authelia_config_authentication_backend: >-2 | ||||||
|  |   {{ | ||||||
|  |     { | ||||||
|  |       "disable_reset_password": authelia_config_authentication_backend_disable_reset_password, | ||||||
|  |       "refresh_interval": authelia_config_authentication_backend_refresh_interval, | ||||||
|  |     } | ||||||
|  |     | combine({"password_reset": authelia_config_authentication_backend_password_reset} | ||||||
|  |       if authelia_config_authentication_backend_password_reset_custom_url | default(false, true) else {}) | ||||||
|  |     | combine({"file": authelia_config_authentication_backend_file} | ||||||
|  |       if authelia_config_authentication_backend_file_path | default(false, true) | ||||||
|  |       else {"ldap": authelia_config_authentication_backend_ldap}) | ||||||
|  |   }} | ||||||
|  | authelia_config_authentication_backend_password_reset: | ||||||
|  |   custom_url: "{{ authelia_config_authentication_backend_password_reset_custom_url }}" | ||||||
|  | authelia_config_authentication_backend_ldap: | ||||||
|  |   implementation: "{{ authelia_config_authentication_backend_ldap_implementation }}" | ||||||
|  |   url: "{{ authelia_config_authentication_backend_ldap_url }}" | ||||||
|  |   timeout: "{{ authelia_config_authentication_backend_ldap_timeout }}" | ||||||
|  |   start_tls: "{{ authelia_config_authentication_backend_ldap_start_tls }}" | ||||||
|  |   tls: | ||||||
|  |     skip_verify: "{{ authelia_config_authentication_backend_ldap_tls_skip_verify }}" | ||||||
|  |     minimum_version: "{{ authelia_config_authentication_backend_ldap_minimum_version }}" | ||||||
|  |   base_dn: "{{ authelia_config_authentication_backend_ldap_base_dn }}" | ||||||
|  |   additional_users_dn: "{{ authelia_config_authentication_backend_ldap_additional_users_dn }}" | ||||||
|  |   additional_groups_dn: "{{ authelia_config_authentication_backend_ldap_additional_groups_dn }}"  | ||||||
|  |   users_filter: "{{ authelia_config_authentication_backend_ldap_users_filter }}"  | ||||||
|  |   groups_filter: "{{ authelia_config_authentication_backend_ldap_groups_filter }}" | ||||||
|  |   group_name_attribute: "{{ authelia_config_authentication_backend_ldap_group_name_attribute }}" | ||||||
|  |   username_attribute: "{{ authelia_config_authentication_backend_ldap_username_attribute }}" | ||||||
|  |   mail_attribute: "{{ authelia_config_authentication_backend_ldap_mail_attribute }}" | ||||||
|  |   display_name_attribute: "{{ authelia_config_authentication_backend_ldap_display_name_attribute }}" | ||||||
|  |   user: "{{ authelia_config_authentication_backend_ldap_user }}" | ||||||
|  |   password: "{{ authelia_config_authentication_backend_ldap_password }}" | ||||||
|  | authelia_config_authentication_backend_file: | ||||||
|  |   path: "{{ authelia_config_authentication_backend_file_path }}" | ||||||
|  |   password: | ||||||
|  |     algorithm: "{{ authelia_config_authentication_backend_file_password_algorithm }}" | ||||||
|  |     iterations: "{{ authelia_config_authentication_backend_file_password_iterations }}" | ||||||
|  |     key_length: "{{ authelia_config_authentication_backend_file_password_key_length }}" | ||||||
|  |     salt_lenght: "{{ authelia_config_authentication_backend_file_password_salt_length }}" | ||||||
|  |     memory: "{{ authelia_config_authentication_backend_file_password_memory }}" | ||||||
|  |     parallelism: "{{ authelia_config_authentication_backend_file_password_parallelism }}" | ||||||
|  | authelia_config_password_policy: >-2 | ||||||
|  |   {{ | ||||||
|  |     {"standard": authelia_config_password_policy_standard} | ||||||
|  |     if authelia_config_password_policy_standard_enabled | ||||||
|  |     else {"zxcvbn": authelia_config_password_policy_zxcvbn} | ||||||
|  |   }} | ||||||
|  | authelia_config_password_policy_standard: | ||||||
|  |   enabled: "{{ authelia_config_password_policy_standard_enabled }}" | ||||||
|  |   min_length: "{{ authelia_config_password_policy_standard_min_length }}" | ||||||
|  |   max_length: "{{ authelia_config_password_policy_standard_max_length }}" | ||||||
|  |   require_uppercase: "{{ authelia_config_password_policy_standard_require_uppercase }}" | ||||||
|  |   require_lowercase: "{{ authelia_config_password_policy_standard_require_lowercase }}" | ||||||
|  |   require_number: "{{ authelia_config_password_policy_standard_require_number }}" | ||||||
|  |   require_special: "{{ authelia_config_password_policy_standard_require_special }}" | ||||||
|  | authelia_config_password_policy_zxcvbn: | ||||||
|  |   enabled: "{{ authelia_config_password_policy_zxcvbn_enabled }}" | ||||||
|  | authelia_config_access_control: | ||||||
|  |   default_policy: "{{ authelia_config_access_control_default_policy }}" | ||||||
|  |   networks: "{{ authelia_config_access_control_networks }}" | ||||||
|  |   rules: "{{ authelia_config_access_control_rules }}" | ||||||
|  | authelia_config_session: | ||||||
|  |   name: "{{ authelia_config_session_name }}" | ||||||
|  |   domain: "{{ authelia_config_session_domain }}" | ||||||
|  |   same_site: "{{ authelia_config_session_same_site }}" | ||||||
|  |   secret: "{{ authelia_config_session_secret }}" | ||||||
|  |   expiration: "{{ authelia_config_session_expiration }}"  | ||||||
|  |   inactivity: "{{ authelia_config_session_inactivity }}" | ||||||
|  |   remember_me_duration: "{{ authelia_config_session_remember_me_duration }}" | ||||||
|  | authelia_config_session_redis: >-2 | ||||||
|  |   {{ | ||||||
|  |     { | ||||||
|  |       "host": authelia_config_session_redis_host, | ||||||
|  |       "database_index": authelia_config_session_redis_database_index, | ||||||
|  |       "maximum_active_connections": authelia_config_session_redis_maximum_active_connections, | ||||||
|  |       "minimum_idle_connections": authelia_config_session_redis_minimum_idle_connections | ||||||
|  |     } | ||||||
|  |     | combine({"password": authelia_config_session_redis_password} | ||||||
|  |       if authelia_config_session_redis_password | default(false, true) else {}) | ||||||
|  |     | combine({"username": authelia_config_session_redis_username} | ||||||
|  |       if authelia_config_session_redis_username | default(false, true) else {}) | ||||||
|  |     | combine({"port": authelia_config_session_redis_port} | ||||||
|  |       if '/' not in authelia_config_session_redis_host else {}) | ||||||
|  |     | combine({"tls": authelia_config_session_redis_tls} | ||||||
|  |       if authelia_config_session_redis_enable_tls | default(false, true) else {}) | ||||||
|  |   }} | ||||||
|  | authelia_config_session_redis_tls: >-2 | ||||||
|  |   {{ | ||||||
|  |     { | ||||||
|  |       "skip_verify": authelia_config_session_redis_tls_skip_verify, | ||||||
|  |       "minimum_version": authelia_config_session_redis_tls_minimum_version, | ||||||
|  |     } | ||||||
|  |     | combine({"server_name": authelia_config_session_redis_tls_server_name} | ||||||
|  |       if authelia_config_session_redis_tls_server_name | default(false, true) else {}) | ||||||
|  |   }} | ||||||
|  | authelia_config_regulation: | ||||||
|  |   max_retries: "{{ authelia_config_regulation_max_retries }}" | ||||||
|  |   find_time: "{{ authelia_config_regulation_find_time }}" | ||||||
|  |   ban_time: "{{ authelia_config_regulation_ban_time }}" | ||||||
|  | authelia_config_storage: >-2 | ||||||
|  |   {{ | ||||||
|  |     { "encryption_key": authelia_config_storage_encryption_key } | ||||||
|  |     | combine({"local": authelia_config_storage_local} | ||||||
|  |       if authelia_database_type in ['local', 'sqlite'] else {}) | ||||||
|  |     | combine({"mysql": authelia_config_storage_mysql} | ||||||
|  |       if authelia_database_type == 'mysql' else {}) | ||||||
|  |     | combine({"postgres": authelia_config_storage_postgres} | ||||||
|  |       if authelia_database_type in ['postgres', 'postgresql'] else {}) | ||||||
|  |   }} | ||||||
|  | authelia_config_storage_local: | ||||||
|  |   path: "{{ authelia_config_storage_local_path }}" | ||||||
|  | authelia_config_storage_mysql: | ||||||
|  |   host: "{{ authelia_database_host }}" | ||||||
|  |   port: "{{ authelia_config_storage_mysql_port }}" | ||||||
|  |   database: "{{ authelia_database_name }}" | ||||||
|  |   username: "{{ authelia_database_user }}" | ||||||
|  |   password: "{{ authelia_database_pass }}" | ||||||
|  |   timeout: "{{ authelia_database_timeout }}" | ||||||
|  | authelia_config_storage_postgres: | ||||||
|  |   host: "{{ authelia_database_host }}" | ||||||
|  |   port: "{{ authelia_config_storage_postgres_port }}" | ||||||
|  |   database: "{{ authelia_database_name }}" | ||||||
|  |   schema: public | ||||||
|  |   username: "{{ authelia_database_user }}" | ||||||
|  |   password: "{{ authelia_database_pass }}" | ||||||
|  |   timeout: "{{ authelia_database_timeout }}" | ||||||
|  | authelia_config_storage_postgres_ssl: | ||||||
|  |   mode: "{{ authelia_config_storage_postgres_ssl_mode }}" | ||||||
|  |   root_certificate: "{{ authelia_config_storage_postgres_ssl_root_certificate }}" | ||||||
|  |   certificate: "{{ authelia_config_storage_postgres_ssl_certificate }}" | ||||||
|  |   key: "{{ authelia_config_storage_postgres_ssl_key }}" | ||||||
|  | authelia_config_notifier: >-2 | ||||||
|  |   {{ | ||||||
|  |     { | ||||||
|  |       "disable_startup_check": authelia_config_notifier_disable_startup_check | ||||||
|  |     } | ||||||
|  |     | combine({"filesystem": authelia_config_notifier_filesystem} | ||||||
|  |       if authelia_config_notifier_filesystem_filename else {}) | ||||||
|  |     | combine({"smtp": authelia_config_notifier_smtp} | ||||||
|  |       if not authelia_config_notifier_filesystem_filename else {}) | ||||||
|  |   }} | ||||||
|  | authelia_config_notifier_filesystem: | ||||||
|  |   filename: "{{ authelia_config_notifier_filesystem_filename }}" | ||||||
|  | authelia_config_notifier_smtp: | ||||||
|  |   host: "{{ authelia_config_notifier_smtp_host }}" | ||||||
|  |   port: "{{ authelia_config_notifier_smtp_port }}" | ||||||
|  |   timeout: "{{ authelia_config_notifier_smtp_timeout }}" | ||||||
|  |   username: "{{ authelia_config_notifier_smtp_username }}" | ||||||
|  |   password: "{{ authelia_config_notifier_smtp_password }}" | ||||||
|  |   sender: "{{ authelia_config_notifier_smtp_sender }}" | ||||||
|  |   identifier: "{{ authelia_config_notifier_smtp_identifier }}" | ||||||
|  |   subject: "{{ authelia_config_notifier_smtp_subject }}" | ||||||
|  |   startup_check_address: "{{ authelia_config_notifier_smtp_startup_check_address }}" | ||||||
|  |   disable_require_tls: "{{ authelia_config_notifier_smtp_disable_require_tls }}" | ||||||
|  |   disable_html_emails: "{{ authelia_config_notifier_smtp_disable_html_emails }}" | ||||||
|  |   tls: | ||||||
|  |     skip_verify: "{{ authelia_config_notifier_smtp_tls_skip_verify }}" | ||||||
|  |     minimum_version: "{{ authelia_config_notifier_smtp_tls_minimum_version }}" | ||||||
							
								
								
									
										34
									
								
								roles/gitea/README.md
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										34
									
								
								roles/gitea/README.md
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,34 @@ | |||||||
|  | # `finallycoffee.services.gitea` ansible role | ||||||
|  |  | ||||||
|  | ## Overview | ||||||
|  |  | ||||||
|  | This role deploys [gitea](https://gitea.com/) | ||||||
|  | using its official available docker image, and is able to setup SSH | ||||||
|  | forwarding from the host to the container (enabling git-over-SSH without | ||||||
|  | the need for a non-standard SSH port while running an SSH server on the | ||||||
|  | host aswell). | ||||||
|  |  | ||||||
|  | ### Configuration | ||||||
|  |  | ||||||
|  | #### Email notifications | ||||||
|  |  | ||||||
|  | To enable to send emails, you need to set the following variables, demonstrated | ||||||
|  | here with an SMTP server. A TLS connection is strongly advised, as otherwise, it | ||||||
|  | can be trival to intercept a login to the mail server and record the authentication | ||||||
|  | details, enabling anyone to send mail as if they were your gitea instance. | ||||||
|  |  | ||||||
|  | ```yaml | ||||||
|  | gitea_config_mailer_enabled: true | ||||||
|  | # Can be `sendmail` or `smtp` | ||||||
|  | gitea_config_mailer_type: smtp | ||||||
|  | # Including the port can be used to force secure smtp (SMTPS) | ||||||
|  | gitea_config_mailer_host: mail.my-domain.tld:465 | ||||||
|  | gitea_config_mailer_user: gitea | ||||||
|  | gitea_config_mailer_passwd: very_long_password | ||||||
|  | gitea_config_mailer_tls: true | ||||||
|  | gitea_config_mailer_from_addr: "gitea@{{ gitea_domain }}" | ||||||
|  | # Set `gitea_config_mailer_sendmail_path` when using a sendmail binary | ||||||
|  | gitea_config_mailer_sendmail_path: /usr/sbin/sendmail | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | For more information, see [the gitea docs on email setup](https://docs.gitea.io/en-us/email-setup/). | ||||||
							
								
								
									
										51
									
								
								roles/gitea/defaults/main.yml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										51
									
								
								roles/gitea/defaults/main.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,51 @@ | |||||||
|  | --- | ||||||
|  |  | ||||||
|  | gitea_version: "1.16.4" | ||||||
|  | gitea_user: git | ||||||
|  | gitea_base_path: "/opt/gitea" | ||||||
|  | gitea_data_path: "{{ gitea_base_path }}/data" | ||||||
|  |  | ||||||
|  | # Set this to the (sub)domain gitea will run at | ||||||
|  | gitea_domain: ~ | ||||||
|  |  | ||||||
|  | # container config | ||||||
|  | gitea_container_name: "git" | ||||||
|  | gitea_container_image_name: "docker.io/gitea/gitea" | ||||||
|  | gitea_container_image_tag: "{{ gitea_version }}" | ||||||
|  | gitea_container_image: "{{ gitea_container_image_name }}:{{ gitea_container_image_tag }}" | ||||||
|  | gitea_container_networks: [] | ||||||
|  | gitea_container_purge_networks: ~ | ||||||
|  | gitea_container_restart_policy: "unless-stopped" | ||||||
|  | gitea_container_extra_env: {} | ||||||
|  | gitea_contianer_extra_labels: {} | ||||||
|  | gitea_container_extra_ports: [] | ||||||
|  | gitea_container_extra_volumes: [] | ||||||
|  |  | ||||||
|  | # container defaults | ||||||
|  | gitea_container_base_volumes: | ||||||
|  |   - "{{ gitea_data_path }}:/data:z" | ||||||
|  |   - "/home/{{ gitea_user }}/.ssh/:/data/git/.ssh:z" | ||||||
|  |  | ||||||
|  | gitea_container_base_ports: | ||||||
|  |   - "127.0.0.1:{{ git_container_port_webui }}:{{ git_container_port_webui }}" | ||||||
|  |   - "127.0.0.1:{{ git_container_port_ssh }}:{{ git_container_port_ssh }}" | ||||||
|  |  | ||||||
|  | gitea_container_base_env: | ||||||
|  |   USER_UID: "{{ gitea_user_res.uid | default(gitea_user) }}" | ||||||
|  |   USER_GID: "{{ gitea_user_res.group | default(gitea_user) }}" | ||||||
|  |  | ||||||
|  | gitea_container_base_labels: | ||||||
|  |   version: "{{ gitea_version }}" | ||||||
|  |  | ||||||
|  | gitea_config_mailer_enabled: false | ||||||
|  | gitea_config_mailer_type: ~ | ||||||
|  | gitea_config_mailer_from_addr: ~ | ||||||
|  | gitea_config_mailer_host: ~ | ||||||
|  | gitea_config_mailer_user: ~ | ||||||
|  | gitea_config_mailer_passwd: ~ | ||||||
|  | gitea_config_mailer_tls: ~ | ||||||
|  | gitea_config_mailer_sendmail_path: ~ | ||||||
|  | gitea_config_metrics_enabled: false | ||||||
|  |  | ||||||
|  | gitea_config: "{{ gitea_config_base | combine(gitea_extra_config, recursive=True, list_merge='append') }}" | ||||||
|  | gitea_extra_config: {} | ||||||
							
								
								
									
										92
									
								
								roles/gitea/tasks/main.yml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										92
									
								
								roles/gitea/tasks/main.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,92 @@ | |||||||
|  | --- | ||||||
|  |  | ||||||
|  | - name: Create gitea user | ||||||
|  |   user: | ||||||
|  |     name: "{{ gitea_user }}" | ||||||
|  |     state: present | ||||||
|  |     system: no | ||||||
|  |   register: gitea_user_res | ||||||
|  |  | ||||||
|  | - name: Ensure host directories exist | ||||||
|  |   file: | ||||||
|  |     path: "{{ item }}" | ||||||
|  |     owner: "{{ gitea_user_res.uid }}" | ||||||
|  |     group: "{{ gitea_user_res.group }}" | ||||||
|  |     state: directory | ||||||
|  |   loop: | ||||||
|  |     - "{{ gitea_base_path }}" | ||||||
|  |     - "{{ gitea_data_path }}" | ||||||
|  |  | ||||||
|  | - name: Ensure .ssh folder for gitea user exists | ||||||
|  |   file: | ||||||
|  |     path: "/home/{{ gitea_user }}/.ssh" | ||||||
|  |     state: directory | ||||||
|  |     owner: "{{ gitea_user_res.uid }}" | ||||||
|  |     group: "{{ gitea_user_res.group }}" | ||||||
|  |     mode: 0700 | ||||||
|  |  | ||||||
|  | - name: Generate SSH keypair for host<>container | ||||||
|  |   community.crypto.openssh_keypair: | ||||||
|  |     path: "/home/{{ gitea_user }}/.ssh/id_ssh_ed25519" | ||||||
|  |     type: ed25519 | ||||||
|  |     state: present | ||||||
|  |     comment: "Gitea:Host2Container" | ||||||
|  |     owner: "{{ gitea_user_res.uid }}" | ||||||
|  |     group: "{{ gitea_user_res.group }}" | ||||||
|  |     mode: 0600 | ||||||
|  |   register: gitea_user_ssh_key | ||||||
|  |  | ||||||
|  | - name: Create forwarding script | ||||||
|  |   copy: | ||||||
|  |     dest: "/usr/local/bin/gitea" | ||||||
|  |     owner: "{{ gitea_user_res.uid }}" | ||||||
|  |     group: "{{ gitea_user_res.group }}" | ||||||
|  |     mode: 0700 | ||||||
|  |     content: | | ||||||
|  |       ssh -p {{ gitea_public_ssh_server_port }} -o StrictHostKeyChecking=no {{ gitea_user }}@127.0.0.1 -i /home/{{ gitea_user }}/.ssh/id_ssh_ed25519 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@" | ||||||
|  |  | ||||||
|  | - name: Add host pubkey to git users authorized_keys file | ||||||
|  |   lineinfile: | ||||||
|  |     path: "/home/{{ gitea_user }}/.ssh/authorized_keys" | ||||||
|  |     line: "{{ gitea_user_ssh_key.public_key }} Gitea:Host2Container" | ||||||
|  |     state: present | ||||||
|  |     create: yes | ||||||
|  |     owner: "{{ gitea_user_res.uid }}" | ||||||
|  |     group: "{{ gitea_user_res.group }}" | ||||||
|  |     mode: 0600 | ||||||
|  |  | ||||||
|  | - name: Ensure gitea container image is present | ||||||
|  |   docker_image: | ||||||
|  |     name: "{{ gitea_container_image }}" | ||||||
|  |     state: present | ||||||
|  |     source: pull | ||||||
|  |     force_source: "{{ gitea_container_image.endswith(':latest') }}" | ||||||
|  |  | ||||||
|  | - name: Ensure container '{{ gitea_container_name }}' with gitea is running | ||||||
|  |   docker_container: | ||||||
|  |     name: "{{ gitea_container_name }}" | ||||||
|  |     image: "{{ gitea_container_image }}" | ||||||
|  |     env: "{{ gitea_container_env }}" | ||||||
|  |     volumes: "{{ gitea_container_volumes }}" | ||||||
|  |     networks: "{{ gitea_container_networks | default(omit, True) }}" | ||||||
|  |     purge_networks: "{{ gitea_container_purge_networks | default(omit, True) }}" | ||||||
|  |     published_ports: "{{ gitea_container_ports }}" | ||||||
|  |     restart_policy: "{{ gitea_container_restart_policy }}" | ||||||
|  |     state: started | ||||||
|  |  | ||||||
|  | - name: Ensure given configuration is set in the config file | ||||||
|  |   ini_file: | ||||||
|  |     path: "{{ gitea_data_path }}/gitea/conf/app.ini" | ||||||
|  |     section: "{{ section }}" | ||||||
|  |     option: "{{ option }}" | ||||||
|  |     value: "{{ entry.value }}" | ||||||
|  |     state: "{{ 'present' if (entry.value is not none) else 'absent' }}" | ||||||
|  |   loop: "{{ lookup('ansible.utils.to_paths', gitea_config) | dict2items }}" | ||||||
|  |   loop_control: | ||||||
|  |     loop_var: entry | ||||||
|  |     label: "{{ section | default('/', True) }}->{{ option }}" | ||||||
|  |   vars: | ||||||
|  |     key_split: "{{ entry.key | split('.') }}" | ||||||
|  |     # sections can be named `section_name`.`sub_section`, f.ex.: `repository.upload` | ||||||
|  |     section: "{{ '' if key_split|length == 1 else (key_split[:-1] | join('.')) }}" | ||||||
|  |     option: "{{ key_split | first if key_split|length == 1 else key_split | last }}" | ||||||
							
								
								
									
										34
									
								
								roles/gitea/vars/main.yml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										34
									
								
								roles/gitea/vars/main.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,34 @@ | |||||||
|  | --- | ||||||
|  |  | ||||||
|  | gitea_container_volumes: "{{ gitea_container_base_volumes + gitea_container_extra_volumes }}" | ||||||
|  |  | ||||||
|  | gitea_container_labels: "{{ gitea_container_base_labels | combine(gitea_container_extra_labels) }}" | ||||||
|  |  | ||||||
|  | gitea_container_env: "{{ gitea_container_base_env | combine(gitea_container_extra_env) }}" | ||||||
|  |  | ||||||
|  | gitea_container_ports: "{{ gitea_container_base_ports + gitea_container_extra_ports }}" | ||||||
|  |  | ||||||
|  |  | ||||||
|  | gitea_container_port_webui: 3000 | ||||||
|  | gitea_container_port_ssh: 22 | ||||||
|  |  | ||||||
|  | gitea_config_base: | ||||||
|  |   RUN_MODE: prod | ||||||
|  |   RUN_USER: "{{ gitea_user }}" | ||||||
|  |   server: | ||||||
|  |     SSH_DOMAIN: "{{ gitea_domain }}" | ||||||
|  |     DOMAIN: "{{ gitea_domain }}" | ||||||
|  |     HTTP_PORT: "{{ gitea_container_port_webui }}" | ||||||
|  |     DISABLE_SSH: false | ||||||
|  |     START_SSH_SERVER: false | ||||||
|  |   mailer: | ||||||
|  |     ENABLED: "{{ gitea_config_mailer_enabled }}" | ||||||
|  |     MAILER_TYP: "{{ gitea_config_mailer_type }}" | ||||||
|  |     HOST: "{{ gitea_config_mailer_host }}" | ||||||
|  |     USER: "{{ gitea_config_mailer_user }}" | ||||||
|  |     PASSWD: "{{ gitea_config_mailer_passwd }}" | ||||||
|  |     IS_TLS_ENABLED: "{{ gitea_config_mailer_tls }}" | ||||||
|  |     FROM: "{{ gitea_config_mailer_from_addr }}" | ||||||
|  |     SENDMAIL_PATH: "{{ gitea_config_mailer_sendmail_path }}" | ||||||
|  |   metrics: | ||||||
|  |     ENABLED: "{{ gitea_config_metrics_enabled }}" | ||||||
							
								
								
									
										29
									
								
								roles/jellyfin/defaults/main.yml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										29
									
								
								roles/jellyfin/defaults/main.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,29 @@ | |||||||
|  | --- | ||||||
|  |  | ||||||
|  | jellyfin_user: jellyfin | ||||||
|  |  | ||||||
|  | jellyfin_base_path: /opt/jellyfin | ||||||
|  | jellyfin_config_path: "{{ jellyfin_base_path }}/config" | ||||||
|  | jellyfin_cache_path: "{{ jellyfin_base_path }}/cache" | ||||||
|  |  | ||||||
|  | jellyfin_media_volumes: [] | ||||||
|  |  | ||||||
|  | jellyfin_container_name: jellyfin | ||||||
|  | jellyfin_container_image_name: "docker.io/jellyfin/jellyfin" | ||||||
|  | jellyfin_container_image_tag: "latest" | ||||||
|  | jellyfin_container_image_ref: "{{ jellyfin_container_image_name }}:{{ jellyfin_container_image_tag }}" | ||||||
|  | jellyfin_container_network_mode: host | ||||||
|  | jellyfin_container_networks: ~ | ||||||
|  | jellyfin_container_volumes: "{{ jellyfin_container_base_volumes + jellyfin_media_volumes }}" | ||||||
|  | jellyfin_container_restart_policy: "unless-stopped" | ||||||
|  |  | ||||||
|  | jellyfin_host_directories: | ||||||
|  |   - path: "{{ jellyfin_base_path }}" | ||||||
|  |     mode: "0750" | ||||||
|  |   - path: "{{ jellyfin_config_path }}" | ||||||
|  |     mode: "0750" | ||||||
|  |   - path: "{{ jellyfin_cache_path }}" | ||||||
|  |     mode: "0750" | ||||||
|  |  | ||||||
|  | jellyfin_uid: "{{ jellyfin_user_info.uid | default(jellyfin_user) }}" | ||||||
|  | jellyfin_gid: "{{ jellyfin_user_info.group | default(jellyfin_user) }}" | ||||||
							
								
								
									
										35
									
								
								roles/jellyfin/tasks/main.yml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										35
									
								
								roles/jellyfin/tasks/main.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,35 @@ | |||||||
|  | --- | ||||||
|  |  | ||||||
|  | - name: Ensure user '{{ jellyfin_user }}' for jellyfin is created | ||||||
|  |   user: | ||||||
|  |     name: "{{ jellyfin_user }}" | ||||||
|  |     state: present | ||||||
|  |     system: yes | ||||||
|  |   register: jellyfin_user_info | ||||||
|  |  | ||||||
|  | - name: Ensure host directories for jellyfin exist | ||||||
|  |   file: | ||||||
|  |     path: "{{ item.path }}" | ||||||
|  |     state: directory | ||||||
|  |     owner: "{{ item.owner  | default(jellyfin_uid) }}" | ||||||
|  |     group: "{{ item.group | default(jellyfin_gid) }}" | ||||||
|  |     mode: "{{ item.mode }}" | ||||||
|  |   loop: "{{ jellyfin_host_directories }}" | ||||||
|  |  | ||||||
|  | - name: Ensure container image for jellyfin is available | ||||||
|  |   docker_image: | ||||||
|  |     name: "{{ jellyfin_container_image_ref }}" | ||||||
|  |     state: present | ||||||
|  |     source: pull | ||||||
|  |     force_source: "{{ jellyfin_container_image_tag in ['stable', 'unstable'] }}" | ||||||
|  |  | ||||||
|  | - name: Ensure container '{{ jellyfin_container_name }}' is running | ||||||
|  |   docker_container: | ||||||
|  |     name: "{{ jellyfin_container_name }}" | ||||||
|  |     image: "{{ jellyfin_container_image_ref }}" | ||||||
|  |     user: "{{ jellyfin_uid }}:{{ jellyfin_gid }}" | ||||||
|  |     volumes: "{{ jellyfin_container_volumes }}" | ||||||
|  |     networks: "{{ jellyfin_container_networks | default(omit, True) }}" | ||||||
|  |     network_mode: "{{ jellyfin_container_network_mode }}" | ||||||
|  |     restart_policy: "{{ jellyfin_container_restart_policy }}" | ||||||
|  |     state: started | ||||||
							
								
								
									
										5
									
								
								roles/jellyfin/vars/main.yml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										5
									
								
								roles/jellyfin/vars/main.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,5 @@ | |||||||
|  | --- | ||||||
|  |  | ||||||
|  | jellyfin_container_base_volumes: | ||||||
|  |   - "{{ jellyfin_config_path }}:/config:z" | ||||||
|  |   - "{{ jellyfin_cache_path }}:/cache:z" | ||||||
| @@ -10,7 +10,7 @@ minio_root_username: root | |||||||
| minio_root_password: ~ | minio_root_password: ~ | ||||||
|  |  | ||||||
| minio_container_name: minio | minio_container_name: minio | ||||||
| minio_container_image_name: quay.io/minio/minio | minio_container_image_name: docker.io/minio/minio | ||||||
| minio_container_image_tag: latest | minio_container_image_tag: latest | ||||||
| minio_container_image: "{{ minio_container_image_name }}:{{ minio_container_image_tag }}" | minio_container_image: "{{ minio_container_image_name }}:{{ minio_container_image_tag }}" | ||||||
| minio_container_networks: [] | minio_container_networks: [] | ||||||
| @@ -32,7 +32,7 @@ minio_container_command: | |||||||
|   - "{{ minio_container_data_path }}" |   - "{{ minio_container_data_path }}" | ||||||
|   - "--console-address \":{{ minio_container_listen_port_console }}\"" |   - "--console-address \":{{ minio_container_listen_port_console }}\"" | ||||||
| minio_container_restart_policy: "unless-stopped" | minio_container_restart_policy: "unless-stopped" | ||||||
| minio_container_force_source: "{{ (minio_container_image_tag == 'latest')|bool }}" | minio_container_image_force_source: "{{ (minio_container_image_tag == 'latest')|bool }}" | ||||||
|  |  | ||||||
| minio_container_listen_port_api: 9000 | minio_container_listen_port_api: 9000 | ||||||
| minio_container_listen_port_console: 8900 | minio_container_listen_port_console: 8900 | ||||||
|   | |||||||
| @@ -20,7 +20,7 @@ | |||||||
|     name: "{{ minio_container_image }}" |     name: "{{ minio_container_image }}" | ||||||
|     state: present |     state: present | ||||||
|     source: pull |     source: pull | ||||||
|     force_source: "{{ minio_container_force_source }}" |     force_source: "{{ minio_container_image_force_source }}" | ||||||
|  |  | ||||||
| - name: Ensure container {{ minio_container_name }} is running | - name: Ensure container {{ minio_container_name }} is running | ||||||
|   docker_container: |   docker_container: | ||||||
| @@ -35,5 +35,3 @@ | |||||||
|     command: "{{ minio_container_command }}" |     command: "{{ minio_container_command }}" | ||||||
|     restart_policy: "{{ minio_container_restart_policy }}" |     restart_policy: "{{ minio_container_restart_policy }}" | ||||||
|     state: started |     state: started | ||||||
|     comparisons: |  | ||||||
|       env: strict |  | ||||||
|   | |||||||
| @@ -1,14 +1,28 @@ | |||||||
| # `finallycoffee.services.restic-s3` | # `finallycoffee.services.restic` | ||||||
| 
 | 
 | ||||||
| Ansible role for backup up data using `restic` to an `s3`-compatible backend, | Ansible role for backup up data using `restic`, utilizing `systemd` timers for scheduling. | ||||||
| utilizing `systemd` timers for scheduling |  | ||||||
| 
 | 
 | ||||||
| ## Overview | ## Overview | ||||||
| 
 | 
 | ||||||
| The s3 repository and the credentials for it are specified in `restic_repo_url`, | As restic encrypts the data before storing it, the `restic_repo_password` needs | ||||||
| `restic_s3_key_id` and `restic_s3_access_key`. As restic encrypts the data before | to be populated with a strong key, and saved accordingly as only this key can | ||||||
| storing it, the `restic_repo_password` needs to be populated with a strong key, | be used to decrypt the data for a restore! | ||||||
| and saved accordingly as only this key can be used to decrypt the data for a restore! | 
 | ||||||
|  | ### Backends | ||||||
|  | 
 | ||||||
|  | #### S3 Backend | ||||||
|  | 
 | ||||||
|  | To use a `s3`-compatible backend like AWS buckets or minio, both `restic_s3_key_id` | ||||||
|  | and `restic_s3_access_key` need to be populated, and the `restic_repo_url` has the | ||||||
|  | format `s3:https://my.s3.endpoint:port/bucket-name`. | ||||||
|  | 
 | ||||||
|  | #### SFTP Backend | ||||||
|  | 
 | ||||||
|  | Using the `sftp` backend requires the configured `restic_user` to be able to | ||||||
|  | authenticate to the configured SFTP-Server using password-less methods like | ||||||
|  | publickey-authentication. The `restic_repo_url` then follows the format | ||||||
|  | `sftp:{user}@{server}:/my-restic-repository` (or without leading `/` for relative | ||||||
|  | paths to the `{user}`s home directory. | ||||||
| 
 | 
 | ||||||
| ### Backing up data | ### Backing up data | ||||||
| 
 | 
 | ||||||
| @@ -44,14 +44,22 @@ | |||||||
| 
 | 
 | ||||||
| - name: Ensure systemd service file for '{{ restic_job_name }}' is templated | - name: Ensure systemd service file for '{{ restic_job_name }}' is templated | ||||||
|   template: |   template: | ||||||
|     dest: "/etc/systemd/system/{{ restic_systemd_unit_naming_scheme }}.service" |     dest: "/etc/systemd/system/{{ service.unit_name }}.service" | ||||||
|     src: restic.service.j2 |     src: "{{ service.file }}" | ||||||
|     owner: root |     owner: root | ||||||
|     group: root |     group: root | ||||||
|     mode: 0640 |     mode: 0640 | ||||||
|   notify: |   notify: | ||||||
|     - reload-systemd |     - reload-systemd | ||||||
|     - trigger-restic |     - trigger-restic | ||||||
|  |   loop: | ||||||
|  |     - unit_name: "{{ restic_systemd_unit_naming_scheme }}" | ||||||
|  |       file: restic.service.j2 | ||||||
|  |     - unit_name: "{{ restic_systemd_unit_naming_scheme }}-unlock" | ||||||
|  |       file: restic-unlock.service.j2 | ||||||
|  |   loop_control: | ||||||
|  |     loop_var: service | ||||||
|  |     label: "{{ service.file }}" | ||||||
| 
 | 
 | ||||||
| - name: Ensure systemd service file for '{{ restic_job_name }}' is templated | - name: Ensure systemd service file for '{{ restic_job_name }}' is templated | ||||||
|   template: |   template: | ||||||
| @@ -66,6 +74,11 @@ | |||||||
| - name: Flush handlers to ensure systemd knows about '{{ restic_job_name }}' | - name: Flush handlers to ensure systemd knows about '{{ restic_job_name }}' | ||||||
|   meta: flush_handlers |   meta: flush_handlers | ||||||
| 
 | 
 | ||||||
|  | - name: Ensure systemd service for unlocking repository for '{{ restic_job_name }}' is enabled | ||||||
|  |   systemd: | ||||||
|  |     name: "{{ restic_systemd_unit_naming_scheme }}-unlock.service" | ||||||
|  |     enabled: true | ||||||
|  | 
 | ||||||
| - name: Ensure systemd timer for '{{ restic_job_name }}' is activated | - name: Ensure systemd timer for '{{ restic_job_name }}' is activated | ||||||
|   systemd: |   systemd: | ||||||
|     name: "{{ restic_systemd_unit_naming_scheme }}.timer" |     name: "{{ restic_systemd_unit_naming_scheme }}.timer" | ||||||
							
								
								
									
										21
									
								
								roles/restic/templates/restic-unlock.service.j2
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										21
									
								
								roles/restic/templates/restic-unlock.service.j2
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,21 @@ | |||||||
|  | [Unit] | ||||||
|  | Description={{ restic_job_description }} - Unlock after reboot job | ||||||
|  |  | ||||||
|  | [Service] | ||||||
|  | Type=oneshot | ||||||
|  | User={{ restic_user }} | ||||||
|  | WorkingDirectory={{ restic_systemd_working_directory }} | ||||||
|  | SyslogIdentifier={{ restic_systemd_syslog_identifier }} | ||||||
|  |  | ||||||
|  | Environment=RESTIC_REPOSITORY={{ restic_repo_url }} | ||||||
|  | Environment=RESTIC_PASSWORD={{ restic_repo_password }} | ||||||
|  | {% if restic_s3_key_id and restic_s3_access_key %} | ||||||
|  | Environment=AWS_ACCESS_KEY_ID={{ restic_s3_key_id }} | ||||||
|  | Environment=AWS_SECRET_ACCESS_KEY={{ restic_s3_access_key }} | ||||||
|  | {% endif %} | ||||||
|  |  | ||||||
|  | ExecStartPre=-/bin/sh -c '/usr/bin/restic snapshots || /usr/bin/restic init' | ||||||
|  | ExecStart=/usr/bin/restic unlock | ||||||
|  |  | ||||||
|  | [Install] | ||||||
|  | WantedBy=multi-user.target | ||||||
| @@ -9,8 +9,10 @@ SyslogIdentifier={{ restic_systemd_syslog_identifier }} | |||||||
| 
 | 
 | ||||||
| Environment=RESTIC_REPOSITORY={{ restic_repo_url }} | Environment=RESTIC_REPOSITORY={{ restic_repo_url }} | ||||||
| Environment=RESTIC_PASSWORD={{ restic_repo_password }} | Environment=RESTIC_PASSWORD={{ restic_repo_password }} | ||||||
|  | {% if restic_s3_key_id and restic_s3_access_key %} | ||||||
| Environment=AWS_ACCESS_KEY_ID={{ restic_s3_key_id }} | Environment=AWS_ACCESS_KEY_ID={{ restic_s3_key_id }} | ||||||
| Environment=AWS_SECRET_ACCESS_KEY={{ restic_s3_access_key }} | Environment=AWS_SECRET_ACCESS_KEY={{ restic_s3_access_key }} | ||||||
|  | {% endif %} | ||||||
| 
 | 
 | ||||||
| ExecStartPre=-/bin/sh -c '/usr/bin/restic snapshots || /usr/bin/restic init' | ExecStartPre=-/bin/sh -c '/usr/bin/restic snapshots || /usr/bin/restic init' | ||||||
| {% if restic_backup_stdin_command %} | {% if restic_backup_stdin_command %} | ||||||
		Reference in New Issue
	
	Block a user