fix(restic): attempt to unlock repository at boot

README.md

@@ -8,8 +8,17 @@ concise area of concern.
 
 ## Roles
 
-- [`roles/restic-s3`](roles/restic-s3/README.md): Manage backups using restic
-  and persist them to an s3-compatible backend.
+- [`roles/authelia`](roles/authelia/README.md): Deploys an [authelia.com](https://www.authelia.com)
+  instance, an authentication provider with beta OIDC provider support.
+
+- [`roles/gitea`](roles/gitea/README.md): Deploy [gitea.io](https://gitea.io), a
+  lightweight, self-hosted git service.
+
+- [`roles/jellyfin`](roles/jellyfin/README.md): Deploy [jellyfin.org](https://jellyfin.org),
+  the free software media system for streaming stored media to any device.
+
+- [`roles/restic`](roles/restic/README.md): Manage backups using restic
+  and persist them to a configurable backend.
 
 - [`roles/minio`](roles/minio/README.md): Deploy [min.io](https://min.io), an
   s3-compatible object storage server, using docker containers.

roles/authelia/README.md

@@ -0,0 +1,74 @@
+# `finallycoffee.services.authelia` ansible role
+
+Deploys [authelia](https://www.authelia.com), an open-source full-featured
+authentication server with OIDC beta support.
+
+## Configuration
+
+Most configurations options are exposed to be overrideable by setting
+`authelia_config_{flat_config_key}`, which means `totp.digits: 8`
+would become `authelia_config_totp_digits: 8`.
+
+If configuration is not exposed in [`defaults/main.yml`](defaults/main.yml),
+it can be overridden in `authelia_extra_config`, which is merged recursively
+to the default config. Entire blocks can currently not be easily overridden,
+it's best to rely on the `authelia_extra_config` here.
+
+Below are some configuration hints towards enabling 2nd factor
+providers like TOTP, WebAuthN etc.
+
+### TOTP
+
+See [the authelia docs on TOTP](https://www.authelia.com/docs/configuration/one-time-password.html#algorithm)
+before adjusting some of the fine-grained configuration, as many
+TOTP clients do not properly support all by-spec supported values.
+
+```yaml
+authelia_config_totp_disable: false
+authelia_config_totp_issuer: "your.authelia.domain"
+# Best to stick to authelias guide here
+authelia_config_totp_algorithm: [...]
+authelia_config_totp_digits: [...]
+authelia_config_totp_period: [...]
+```
+
+### WebAuthN
+
+```yaml
+authelia_config_webauthn_disable: false
+authelia_config_webauthn_timeout: 30s
+# Force user to touch the security key's confirmation button
+authelia_config_webauthn_user_verification: required
+```
+
+For more information about possible WebAuthN configuration, see
+[the authelia docs on WebAuthN](https://www.authelia.com/docs/configuration/webauthn.html).
+
+### Database & Redis
+
+While Authelia can use a sqlite DB with in memory store by setting
+`authelia_sqlite_storage_file_path`, it is recommended to use a proper
+database and a redis instance:
+```yaml
+authelia_database_type: postgres
+authelia_database_host: /var/run/postgres/
+authelia_database_user: authelia
+authelia_database_pass: authelia
+
+# Redis
+authelia_redis_host: /var/run/redis/
+authelia_redis_pass: very_long_static_secret
+
+```
+
+### Notifications
+
+For a test setup, notifications can be written into a config file, this behaviour
+is enabled by setting `authelia_config_notifier_filesystem_filename`. For real-world
+use, an SMTP server is strongly recommended, its config is as follows:
+```
+authelia_smtp_host: mail.domain.com
+authelia_smtp_port: 587 # for StartTLS
+authelia_smtp_user: authelia@domain.com
+authelia_smtp_pass: authelia_user_pass
+```

roles/authelia/defaults/main.yml

@@ -0,0 +1,180 @@
+---
+
+authelia_version: 4.34.6
+authelia_user: authelia
+authelia_base_dir: /opt/authelia
+authelia_domain: authelia.example.org
+
+authelia_config_dir: "{{ authelia_base_dir }}/config"
+authelia_config_file: "{{ authelia_config_dir }}/config.yaml"
+authelia_data_dir: "{{ authelia_base_dir }}/data"
+authelia_sqlite_storage_file: "{{ authelia_data_dir }}/authelia.sqlite3"
+authelia_notification_storage_file: "{{ authelia_data_dir }}/notifications.txt"
+authelia_user_storage_file: "{{ authelia_data_dir }}/user_database.yml"
+
+authelia_container_name: authelia
+authelia_container_image_name: docker.io/authelia/authelia
+authelia_container_image_tag: ~
+authelia_container_image_ref: "{{ authelia_container_image_name }}:{{ authelia_container_image_tag | default(authelia_version, true) }}"
+authelia_container_image_force_pull: "{{ authelia_container_image_tag | default(false, True) }}"
+authelia_container_env:
+  PUID: "{{ authelia_run_user }}"
+  PGID: "{{ authelia_run_group }}"
+authelia_container_labels: >-2
+  {{ authelia_container_base_labels | combine(authelia_container_extra_labels) }}
+authelia_container_extra_labels: {}
+authelia_container_extra_volumes: []
+authelia_container_volumes: >-2
+  {{ authelia_container_base_volumes
+    + authelia_container_extra_volumes }}
+authelia_container_ports: ~
+authelia_container_networks: ~
+authelia_container_purge_networks: ~
+authelia_container_restart_policy: unless-stopped
+authelia_container_state: started
+
+authelia_container_listen_port: 9091
+authelia_tls_minimum_version: TLS1.2
+
+authelia_config_theme: auto
+authelia_config_jwt_secret: ~
+authelia_config_default_redirection_url: ~
+authelia_config_server_host: 0.0.0.0
+authelia_config_server_port: "{{ authelia_container_listen_port }}"
+authelia_config_server_path: ""
+authelia_config_server_read_buffer_size: 4096
+authelia_config_server_write_buffer_size: 4096
+authelia_config_server_enable_pprof: true
+authelia_config_server_enable_expvars: true
+authelia_config_server_disable_healthcheck:
+authelia_config_server_tls_key: ~
+authelia_config_server_tls_certificate: ~
+authelia_config_server_tls_client_certificates: []
+authelia_config_server_headers_csp_template: ~
+authelia_config_log_level: info
+authelia_config_log_format: json
+authelia_config_log_file_path: ~
+authelia_config_log_keep_stdout: false
+authelia_config_totp_disable: true
+authelia_config_totp_issuer: "{{ authelia_domain }}"
+authelia_config_totp_algorithm: sha1
+authelia_config_totp_digits: 6
+authelia_config_totp_period: 30
+authelia_config_totp_skew: 1
+authelia_config_totp_secret_size: 32
+authelia_config_webauthn_disable: true
+authelia_config_webauthn_timeout: 60s
+authelia_config_webauthn_display_name: "Authelia ({{ authelia_domain }})"
+authelia_config_webauthn_attestation_conveyance_preference: indirect
+authelia_config_webauthn_user_verification: preferred
+authelia_config_duo_api_hostname: ~
+authelia_config_duo_api_integration_key: ~
+authelia_config_duo_api_secret_key: ~
+authelia_config_duo_api_enable_self_enrollment: false
+authelia_config_ntp_address: "time.cloudflare.com:123"
+authelia_config_ntp_version: 4
+authelia_config_ntp_max_desync: 3s
+authelia_config_ntp_disable_startup_check: false
+authelia_config_ntp_disable_failure: false
+authelia_config_authentication_backend_disable_reset_password: false
+authelia_config_authentication_backend_refresh_interval: 5m
+authelia_config_authentication_backend_password_reset_custom_url: ~
+authelia_config_authentication_backend_ldap_implementation: custom
+authelia_config_authentication_backend_ldap_url: ldap://127.0.0.1:389
+authelia_config_authentication_backend_ldap_timeout: 5s
+authelia_config_authentication_backend_ldap_start_tls: false
+authelia_config_authentication_backend_ldap_tls_skip_verify: false
+authelia_config_authentication_backend_ldap_minimum_version: "{{ authelia_tls_minimum_version }}"
+authelia_config_authentication_backend_ldap_base_dn: ~
+authelia_config_authentication_backend_ldap_additional_users_dn: "ou=users"
+authelia_config_authentication_backend_ldap_users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=inetOrgPerson))"
+authelia_config_authentication_backend_ldap_additional_groups_dn: "ou=groups"
+authelia_config_authentication_backend_ldap_groups_filter: "(member={dn})"
+authelia_config_authentication_backend_ldap_group_name_attribute: cn
+authelia_config_authentication_backend_ldap_username_attribute: uid
+authelia_config_authentication_backend_ldap_mail_attribute: mail
+authelia_config_authentication_backend_ldap_display_name_attribute: displayName
+authelia_config_authentication_backend_ldap_user: ~
+authelia_config_authentication_backend_ldap_password: ~
+authelia_config_authentication_backend_file_path: ~
+authelia_config_authentication_backend_file_password_algorithm: argon2id
+authelia_config_authentication_backend_file_password_iterations: 5
+authelia_config_authentication_backend_file_password_key_length: 32
+authelia_config_authentication_backend_file_password_salt_length: 16
+authelia_config_authentication_backend_file_password_memory: 1024
+authelia_config_authentication_backend_file_password_parallelism: 8
+authelia_config_password_policy_standard_enabled: false
+authelia_config_password_policy_standard_min_length: 12
+authelia_config_password_policy_standard_max_length: 0
+authelia_config_password_policy_standard_require_uppercase: true
+authelia_config_password_policy_standard_require_lowercase: true
+authelia_config_password_policy_standard_require_number: true
+authelia_config_password_policy_standard_require_special: false
+authelia_config_password_policy_zxcvbn_enabled: true
+authelia_config_access_control_default_policy: deny
+authelia_config_access_control_networks: []
+authelia_config_access_control_rules: []
+authelia_config_session_name: authelia_session
+authelia_config_session_domain: example.org
+authelia_config_session_same_site: lax
+authelia_config_session_secret: ~
+authelia_config_session_expiration: 1h
+authelia_config_session_inactivity: 5m
+authelia_config_session_remember_me_duration: 1M
+authelia_config_session_redis_host: "{{ authelia_redis_host }}"
+authelia_config_session_redis_port: "{{ authelia_redis_port }}"
+authelia_config_session_redis_username: "{{ authelia_redis_user }}"
+authelia_config_session_redis_password: "{{ authelia_redis_pass }}"
+authelia_config_session_redis_database_index: 0
+authelia_config_session_redis_maximum_active_connections: 8
+authelia_config_session_redis_minimum_idle_connections: 0
+authelia_config_session_redis_enable_tls: false
+authelia_config_session_redis_tls_server_name: ~
+authelia_config_session_redis_tls_skip_verify: false
+authelia_config_session_redis_tls_minimum_version: "{{ authelia_tls_minimum_version }}"
+authelia_config_regulation_max_retries: 3
+authelia_config_regulation_find_time: 2m
+authelia_config_regulation_ban_time: 5m
+authelia_config_storage_encryption_key: ~
+authelia_config_storage_local_path: ~
+authelia_config_storage_mysql_port: 3306
+authelia_config_storage_postgres_port: 5432
+authelia_config_storage_postgres_ssl_mode: disable
+authelia_config_storage_postgres_ssl_root_certificate: disable
+authelia_config_storage_postgres_ssl_certificate: disable
+authelia_config_storage_postgres_ssl_key: disable
+authelia_config_notifier_disable_startup_check: false
+authelia_config_notifier_filesystem_filename: ~
+authelia_config_notifier_smtp_host: "{{ authelia_smtp_host }}"
+authelia_config_notifier_smtp_port: "{{ authelia_stmp_port }}"
+authelia_config_notifier_smtp_username: "{{ authelia_smtp_user }}"
+authelia_config_notifier_smtp_password: "{{ authelia_smtp_pass }}"
+authelia_config_notifier_smtp_timeout: 5s
+authelia_config_notifier_smtp_sender: "Authelia on {{ authelia_domain }} <admin@{{ authelia_domain }}>"
+authelia_config_notifier_smtp_identifier: "{{ authelia_domain }}"
+authelia_config_notifier_smtp_subject: "[Authelia @ {{ authelia_domain }}] {title}"
+authelia_config_notifier_smtp_startup_check_address: false
+authelia_config_notifier_smtp_disable_require_tls: false
+authelia_config_notifier_smtp_disable_html_emails: false
+authelia_config_notifier_smtp_tls_skip_verify: false
+authelia_config_notifier_smtp_tls_minimum_version: "{{ authelia_tls_minimum_version }}"
+#authelia_config_identity_provider_
+
+authelia_database_type: ~
+authelia_database_host: ~
+authelia_database_user: authelia
+authelia_database_pass: ~
+authelia_database_name: authelia
+authelia_database_timeout: 5s
+
+authelia_smtp_host: ~
+authelia_stmp_port: 465
+authelia_stmp_user: authelia
+authelia_stmp_pass: ~
+
+authelia_redis_host: ~
+authelia_redis_port: 6379
+authelia_redis_user: ~
+authelia_redis_pass: ~
+
+authelia_extra_config: {}

roles/authelia/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Restart authelia container
+  docker_container:
+    name: "{{ authelia_container_name }}"
+    state: started
+    restart: yes
+  listen: restart-authelia

roles/authelia/tasks/main.yml

@@ -0,0 +1,88 @@
+---
+
+- name: Ensure user {{ authelia_user }} exists
+  user:
+    name: "{{ authelia_user }}"
+    state: present
+    system: true
+  register: authelia_user_info
+
+- name: Ensure host directories are created with correct permissions
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    owner: "{{ item.owner | default(authelia_user) }}"
+    group: "{{ item.group | default(authelia_user) }}"
+    mode: "{{ item.mode | default('0750') }}"
+  loop:
+    - path: "{{ authelia_base_dir }}"
+      mode: "0755"
+    - path: "{{ authelia_config_dir }}"
+      mode: "0750"
+    - path: "{{ authelia_data_dir }}"
+      mode: "0750"
+
+- name: Ensure config file is generated
+  copy:
+    content: "{{ authelia_config | to_nice_yaml(indent=2, width=10000) }}"
+    dest: "{{ authelia_config_file }}"
+    owner: "{{ authelia_run_user }}"
+    group: "{{ authelia_run_group }}"
+    mode: "0640"
+  notify: restart-authelia
+
+- name: Ensure sqlite database file exists before mounting it
+  file:
+    path: "{{ authelia_sqlite_storage_file }}"
+    state: touch
+    owner: "{{ authelia_run_user }}"
+    group: "{{ authelia_run_group }}"
+    mode: "0640"
+    access_time: preserve
+    modification_time: preserve
+  when: authelia_config_storage_local_path | default(false, true)
+
+- name: Ensure user database exists before mounting it
+  file:
+    path: "{{ authelia_user_storage_file }}"
+    state: touch
+    owner: "{{ authelia_run_user }}"
+    group: "{{ authelia_run_group }}"
+    mode: "0640"
+    access_time: preserve
+    modification_time: preserve
+  when: authelia_config_authentication_backend_file_path | default(false, true)
+
+- name: Ensure notification reports file exists before mounting it
+  file:
+    path: "{{ authelia_notification_storage_file }}"
+    state: touch
+    owner: "{{ authelia_run_user }}"
+    group: "{{ authelia_run_group }}"
+    mode: "0640"
+    access_time: preserve
+    modification_time: preserve
+  when: authelia_config_notifier_filesystem_filename | default(false, true)
+
+- name: Ensure authelia container image is present
+  community.docker.docker_image:
+    name: "{{ authelia_container_image_ref }}"
+    state: present
+    source: pull
+    force_source: "{{ authelia_container_image_force_pull }}"
+  register: authelia_container_image_info
+
+- name: Ensure authelia container is running
+  docker_container:
+    name: "{{ authelia_container_name }}"
+    image: "{{ authelia_container_image_ref }}"
+    env: "{{ authelia_container_env }}"
+    user: "{{ authelia_run_user }}:{{ authelia_run_group }}"
+    ports: "{{ authelia_container_ports | default(omit, true) }}"
+    labels: "{{ authelia_container_labels }}"
+    volumes: "{{ authelia_container_volumes }}"
+    networks: "{{ authelia_container_networks | default(omit, true) }}"
+    purge_networks: "{{ authelia_container_purge_networks | default(omit, true)}}"
+    restart_policy: "{{ authelia_container_restart_policy }}"
+    state: "{{ authelia_container_state }}"
+  register: authelia_container_info

roles/authelia/vars/main.yml

@@ -0,0 +1,259 @@
+---
+
+authelia_run_user: "{{ (authelia_user_info.uid) if authelia_user_info is defined else authelia_user }}"
+authelia_run_group: "{{ (authelia_user_info.group) if authelia_user_info is defined else authelia_user }}"
+
+authelia_container_base_volumes: >-2
+  {{ [ authelia_config_file + ":/config/configuration.yml:ro"]
+    + ([ authelia_sqlite_storage_file + ":" + authelia_config_storage_local_path + ":z" ]
+      if authelia_config_storage_local_path | default(false, true) else [])
+    + ([ authelia_notification_storage_file + ":" + authelia_config_notifier_filesystem_filename + ":z" ]
+      if authelia_config_notifier_filesystem_filename | default(false, true) else [])
+    + ( [authelia_user_storage_file + ":" + authelia_config_authentication_backend_file_path + ":z"]
+      if authelia_config_authentication_backend_file_path | default(false, true) else [])
+  }}
+
+authelia_container_base_labels:
+  version: "{{ authelia_version }}"
+
+authelia_config: "{{ authelia_base_config | combine(authelia_extra_config, recursive=True) }}"
+authelia_top_level_config:
+  theme: "{{ authelia_config_theme }}"
+  jwt_secret: "{{ authelia_config_jwt_secret }}"
+  log: "{{ authelia_config_log }}"
+  totp: "{{ authelia_config_totp }}"
+  webauthn: "{{ authelia_config_webauthn }}"
+  duo_api: "{{ authelia_config_duo_api }}"
+  ntp: "{{ authelia_config_ntp }}"
+  authentication_backend: "{{ authelia_config_authentication_backend }}"
+#  password_policy: "{{ authelia_config_password_policy }}"
+  access_control: "{{ authelia_config_access_control }}"
+  session: "{{ authelia_config_session }}"
+  regulation: "{{ authelia_config_regulation }}"
+  storage: "{{ authelia_config_storage }}"
+  notifier: "{{ authelia_config_notifier }}"
+
+authelia_base_config: >-2
+  {{
+    authelia_top_level_config
+    | combine({"default_redirection_url": authelia_config_default_redirection_url}
+      if authelia_config_default_redirection_url | default(false, true) else {})
+    | combine(({"server": authelia_config_server })
+      | combine({"tls": authelia_config_server_tls}
+        if authelia_config_server_tls_key | default(false, true) else {}))
+   }}
+
+authelia_config_server: >-2
+  {{
+    {
+      "host": authelia_config_server_host,
+      "port": authelia_config_server_port,
+      "path": authelia_config_server_path,
+      "read_buffer_size": authelia_config_server_read_buffer_size,
+      "write_buffer_size": authelia_config_server_write_buffer_size,
+      "enable_pprof": authelia_config_server_enable_pprof,
+      "enable_expvars": authelia_config_server_enable_expvars,
+      "disable_healthcheck": authelia_config_server_disable_healthcheck,
+    } | combine({"headers": {"csp_template": authelia_config_server_headers_csp_template}}
+        if authelia_config_server_headers_csp_template | default(false, true) else {})
+  }}
+authelia_config_server_tls:
+  key: "{{ authelia_config_server_tls_key }}"
+  certificate: "{{ authelia_config_server_tls_certificate }}"
+  client_certificates: "{{ authelia_config_server_tls_client_certificates }}"
+authelia_config_log: >-2
+  {{
+    {
+      "level": authelia_config_log_level,
+      "format": authelia_config_log_format
+    }
+    | combine({"file_path": authelia_config_log_file_path}
+      if authelia_config_log_file_path | default(false, true) else {})
+    | combine({"keep_stdout": authelia_config_log_keep_stdout}
+      if authelia_config_log_file_path | default(false, true) else {})
+  }}
+authelia_config_totp:
+  disable: "{{ authelia_config_totp_disable }}"
+  issuer: "{{ authelia_config_totp_issuer }}"
+  algorithm: "{{ authelia_config_totp_algorithm }}"
+  digits: "{{ authelia_config_totp_digits }}"
+  period: "{{ authelia_config_totp_period }}"
+  skew: "{{ authelia_config_totp_skew }}"
+#  secret_size: "{{ authelia_config_totp_secret_size }}"
+authelia_config_webauthn:
+  disable: "{{ authelia_config_webauthn_disable }}"
+  timeout: "{{ authelia_config_webauthn_timeout }}"
+  display_name: "{{ authelia_config_webauthn_display_name }}"
+  attestation_conveyance_preference: "{{ authelia_config_webauthn_attestation_conveyance_preference }}"
+  user_verification: "{{ authelia_config_webauthn_user_verification }}"
+authelia_config_duo_api:
+  hostname: "{{ authelia_config_duo_api_hostname }}"
+  integration_key: "{{ authelia_config_duo_api_integration_key }}"
+  secret_key: "{{ authelia_config_duo_api_secret_key }}"
+  enable_self_enrollment: "{{ authelia_config_duo_api_enable_self_enrollment }}"
+authelia_config_ntp:
+  address: "{{ authelia_config_ntp_address }}"
+  version: "{{ authelia_config_ntp_version }}"
+  max_desync: "{{ authelia_config_ntp_max_desync }}"
+  disable_startup_check: "{{ authelia_config_ntp_disable_startup_check }}"
+  disable_failure: "{{ authelia_config_ntp_disable_failure }}"
+
+authelia_config_authentication_backend: >-2
+  {{
+    {
+      "disable_reset_password": authelia_config_authentication_backend_disable_reset_password,
+      "refresh_interval": authelia_config_authentication_backend_refresh_interval,
+    }
+    | combine({"password_reset": authelia_config_authentication_backend_password_reset}
+      if authelia_config_authentication_backend_password_reset_custom_url | default(false, true) else {})
+    | combine({"file": authelia_config_authentication_backend_file}
+      if authelia_config_authentication_backend_file_path | default(false, true)
+      else {"ldap": authelia_config_authentication_backend_ldap})
+  }}
+authelia_config_authentication_backend_password_reset:
+  custom_url: "{{ authelia_config_authentication_backend_password_reset_custom_url }}"
+authelia_config_authentication_backend_ldap:
+  implementation: "{{ authelia_config_authentication_backend_ldap_implementation }}"
+  url: "{{ authelia_config_authentication_backend_ldap_url }}"
+  timeout: "{{ authelia_config_authentication_backend_ldap_timeout }}"
+  start_tls: "{{ authelia_config_authentication_backend_ldap_start_tls }}"
+  tls:
+    skip_verify: "{{ authelia_config_authentication_backend_ldap_tls_skip_verify }}"
+    minimum_version: "{{ authelia_config_authentication_backend_ldap_minimum_version }}"
+  base_dn: "{{ authelia_config_authentication_backend_ldap_base_dn }}"
+  additional_users_dn: "{{ authelia_config_authentication_backend_ldap_additional_users_dn }}"
+  additional_groups_dn: "{{ authelia_config_authentication_backend_ldap_additional_groups_dn }}" 
+  users_filter: "{{ authelia_config_authentication_backend_ldap_users_filter }}" 
+  groups_filter: "{{ authelia_config_authentication_backend_ldap_groups_filter }}"
+  group_name_attribute: "{{ authelia_config_authentication_backend_ldap_group_name_attribute }}"
+  username_attribute: "{{ authelia_config_authentication_backend_ldap_username_attribute }}"
+  mail_attribute: "{{ authelia_config_authentication_backend_ldap_mail_attribute }}"
+  display_name_attribute: "{{ authelia_config_authentication_backend_ldap_display_name_attribute }}"
+  user: "{{ authelia_config_authentication_backend_ldap_user }}"
+  password: "{{ authelia_config_authentication_backend_ldap_password }}"
+authelia_config_authentication_backend_file:
+  path: "{{ authelia_config_authentication_backend_file_path }}"
+  password:
+    algorithm: "{{ authelia_config_authentication_backend_file_password_algorithm }}"
+    iterations: "{{ authelia_config_authentication_backend_file_password_iterations }}"
+    key_length: "{{ authelia_config_authentication_backend_file_password_key_length }}"
+    salt_lenght: "{{ authelia_config_authentication_backend_file_password_salt_length }}"
+    memory: "{{ authelia_config_authentication_backend_file_password_memory }}"
+    parallelism: "{{ authelia_config_authentication_backend_file_password_parallelism }}"
+authelia_config_password_policy: >-2
+  {{
+    {"standard": authelia_config_password_policy_standard}
+    if authelia_config_password_policy_standard_enabled
+    else {"zxcvbn": authelia_config_password_policy_zxcvbn}
+  }}
+authelia_config_password_policy_standard:
+  enabled: "{{ authelia_config_password_policy_standard_enabled }}"
+  min_length: "{{ authelia_config_password_policy_standard_min_length }}"
+  max_length: "{{ authelia_config_password_policy_standard_max_length }}"
+  require_uppercase: "{{ authelia_config_password_policy_standard_require_uppercase }}"
+  require_lowercase: "{{ authelia_config_password_policy_standard_require_lowercase }}"
+  require_number: "{{ authelia_config_password_policy_standard_require_number }}"
+  require_special: "{{ authelia_config_password_policy_standard_require_special }}"
+authelia_config_password_policy_zxcvbn:
+  enabled: "{{ authelia_config_password_policy_zxcvbn_enabled }}"
+authelia_config_access_control:
+  default_policy: "{{ authelia_config_access_control_default_policy }}"
+  networks: "{{ authelia_config_access_control_networks }}"
+  rules: "{{ authelia_config_access_control_rules }}"
+authelia_config_session:
+  name: "{{ authelia_config_session_name }}"
+  domain: "{{ authelia_config_session_domain }}"
+  same_site: "{{ authelia_config_session_same_site }}"
+  secret: "{{ authelia_config_session_secret }}"
+  expiration: "{{ authelia_config_session_expiration }}" 
+  inactivity: "{{ authelia_config_session_inactivity }}"
+  remember_me_duration: "{{ authelia_config_session_remember_me_duration }}"
+authelia_config_session_redis: >-2
+  {{
+    {
+      "host": authelia_config_session_redis_host,
+      "database_index": authelia_config_session_redis_database_index,
+      "maximum_active_connections": authelia_config_session_redis_maximum_active_connections,
+      "minimum_idle_connections": authelia_config_session_redis_minimum_idle_connections
+    }
+    | combine({"password": authelia_config_session_redis_password}
+      if authelia_config_session_redis_password | default(false, true) else {})
+    | combine({"username": authelia_config_session_redis_username}
+      if authelia_config_session_redis_username | default(false, true) else {})
+    | combine({"port": authelia_config_session_redis_port}
+      if '/' not in authelia_config_session_redis_host else {})
+    | combine({"tls": authelia_config_session_redis_tls}
+      if authelia_config_session_redis_enable_tls | default(false, true) else {})
+  }}
+authelia_config_session_redis_tls: >-2
+  {{
+    {
+      "skip_verify": authelia_config_session_redis_tls_skip_verify,
+      "minimum_version": authelia_config_session_redis_tls_minimum_version,
+    }
+    | combine({"server_name": authelia_config_session_redis_tls_server_name}
+      if authelia_config_session_redis_tls_server_name | default(false, true) else {})
+  }}
+authelia_config_regulation:
+  max_retries: "{{ authelia_config_regulation_max_retries }}"
+  find_time: "{{ authelia_config_regulation_find_time }}"
+  ban_time: "{{ authelia_config_regulation_ban_time }}"
+authelia_config_storage: >-2
+  {{
+    { "encryption_key": authelia_config_storage_encryption_key }
+    | combine({"local": authelia_config_storage_local}
+      if authelia_database_type in ['local', 'sqlite'] else {})
+    | combine({"mysql": authelia_config_storage_mysql}
+      if authelia_database_type == 'mysql' else {})
+    | combine({"postgres": authelia_config_storage_postgres}
+      if authelia_database_type in ['postgres', 'postgresql'] else {})
+  }}
+authelia_config_storage_local:
+  path: "{{ authelia_config_storage_local_path }}"
+authelia_config_storage_mysql:
+  host: "{{ authelia_database_host }}"
+  port: "{{ authelia_config_storage_mysql_port }}"
+  database: "{{ authelia_database_name }}"
+  username: "{{ authelia_database_user }}"
+  password: "{{ authelia_database_pass }}"
+  timeout: "{{ authelia_database_timeout }}"
+authelia_config_storage_postgres:
+  host: "{{ authelia_database_host }}"
+  port: "{{ authelia_config_storage_postgres_port }}"
+  database: "{{ authelia_database_name }}"
+  schema: public
+  username: "{{ authelia_database_user }}"
+  password: "{{ authelia_database_pass }}"
+  timeout: "{{ authelia_database_timeout }}"
+authelia_config_storage_postgres_ssl:
+  mode: "{{ authelia_config_storage_postgres_ssl_mode }}"
+  root_certificate: "{{ authelia_config_storage_postgres_ssl_root_certificate }}"
+  certificate: "{{ authelia_config_storage_postgres_ssl_certificate }}"
+  key: "{{ authelia_config_storage_postgres_ssl_key }}"
+authelia_config_notifier: >-2
+  {{
+    {
+      "disable_startup_check": authelia_config_notifier_disable_startup_check
+    }
+    | combine({"filesystem": authelia_config_notifier_filesystem}
+      if authelia_config_notifier_filesystem_filename else {})
+    | combine({"smtp": authelia_config_notifier_smtp}
+      if not authelia_config_notifier_filesystem_filename else {})
+  }}
+authelia_config_notifier_filesystem:
+  filename: "{{ authelia_config_notifier_filesystem_filename }}"
+authelia_config_notifier_smtp:
+  host: "{{ authelia_config_notifier_smtp_host }}"
+  port: "{{ authelia_config_notifier_smtp_port }}"
+  timeout: "{{ authelia_config_notifier_smtp_timeout }}"
+  username: "{{ authelia_config_notifier_smtp_username }}"
+  password: "{{ authelia_config_notifier_smtp_password }}"
+  sender: "{{ authelia_config_notifier_smtp_sender }}"
+  identifier: "{{ authelia_config_notifier_smtp_identifier }}"
+  subject: "{{ authelia_config_notifier_smtp_subject }}"
+  startup_check_address: "{{ authelia_config_notifier_smtp_startup_check_address }}"
+  disable_require_tls: "{{ authelia_config_notifier_smtp_disable_require_tls }}"
+  disable_html_emails: "{{ authelia_config_notifier_smtp_disable_html_emails }}"
+  tls:
+    skip_verify: "{{ authelia_config_notifier_smtp_tls_skip_verify }}"
+    minimum_version: "{{ authelia_config_notifier_smtp_tls_minimum_version }}"

roles/gitea/README.md

@@ -0,0 +1,34 @@
+# `finallycoffee.services.gitea` ansible role
+
+## Overview
+
+This role deploys [gitea](https://gitea.com/)
+using its official available docker image, and is able to setup SSH
+forwarding from the host to the container (enabling git-over-SSH without
+the need for a non-standard SSH port while running an SSH server on the
+host aswell).
+
+### Configuration
+
+#### Email notifications
+
+To enable to send emails, you need to set the following variables, demonstrated
+here with an SMTP server. A TLS connection is strongly advised, as otherwise, it
+can be trival to intercept a login to the mail server and record the authentication
+details, enabling anyone to send mail as if they were your gitea instance.
+
+```yaml
+gitea_config_mailer_enabled: true
+# Can be `sendmail` or `smtp`
+gitea_config_mailer_type: smtp
+# Including the port can be used to force secure smtp (SMTPS)
+gitea_config_mailer_host: mail.my-domain.tld:465
+gitea_config_mailer_user: gitea
+gitea_config_mailer_passwd: very_long_password
+gitea_config_mailer_tls: true
+gitea_config_mailer_from_addr: "gitea@{{ gitea_domain }}"
+# Set `gitea_config_mailer_sendmail_path` when using a sendmail binary
+gitea_config_mailer_sendmail_path: /usr/sbin/sendmail
+```
+
+For more information, see [the gitea docs on email setup](https://docs.gitea.io/en-us/email-setup/).

roles/gitea/defaults/main.yml

@@ -0,0 +1,51 @@
+---
+
+gitea_version: "1.16.4"
+gitea_user: git
+gitea_base_path: "/opt/gitea"
+gitea_data_path: "{{ gitea_base_path }}/data"
+
+# Set this to the (sub)domain gitea will run at
+gitea_domain: ~
+
+# container config
+gitea_container_name: "git"
+gitea_container_image_name: "docker.io/gitea/gitea"
+gitea_container_image_tag: "{{ gitea_version }}"
+gitea_container_image: "{{ gitea_container_image_name }}:{{ gitea_container_image_tag }}"
+gitea_container_networks: []
+gitea_container_purge_networks: ~
+gitea_container_restart_policy: "unless-stopped"
+gitea_container_extra_env: {}
+gitea_contianer_extra_labels: {}
+gitea_container_extra_ports: []
+gitea_container_extra_volumes: []
+
+# container defaults
+gitea_container_base_volumes:
+  - "{{ gitea_data_path }}:/data:z"
+  - "/home/{{ gitea_user }}/.ssh/:/data/git/.ssh:z"
+
+gitea_container_base_ports:
+  - "127.0.0.1:{{ git_container_port_webui }}:{{ git_container_port_webui }}"
+  - "127.0.0.1:{{ git_container_port_ssh }}:{{ git_container_port_ssh }}"
+
+gitea_container_base_env:
+  USER_UID: "{{ gitea_user_res.uid | default(gitea_user) }}"
+  USER_GID: "{{ gitea_user_res.group | default(gitea_user) }}"
+
+gitea_container_base_labels:
+  version: "{{ gitea_version }}"
+
+gitea_config_mailer_enabled: false
+gitea_config_mailer_type: ~
+gitea_config_mailer_from_addr: ~
+gitea_config_mailer_host: ~
+gitea_config_mailer_user: ~
+gitea_config_mailer_passwd: ~
+gitea_config_mailer_tls: ~
+gitea_config_mailer_sendmail_path: ~
+gitea_config_metrics_enabled: false
+
+gitea_config: "{{ gitea_config_base | combine(gitea_extra_config, recursive=True, list_merge='append') }}"
+gitea_extra_config: {}

roles/gitea/tasks/main.yml

@@ -0,0 +1,92 @@
+---
+
+- name: Create gitea user
+  user:
+    name: "{{ gitea_user }}"
+    state: present
+    system: no
+  register: gitea_user_res
+
+- name: Ensure host directories exist
+  file:
+    path: "{{ item }}"
+    owner: "{{ gitea_user_res.uid }}"
+    group: "{{ gitea_user_res.group }}"
+    state: directory
+  loop:
+    - "{{ gitea_base_path }}"
+    - "{{ gitea_data_path }}"
+
+- name: Ensure .ssh folder for gitea user exists
+  file:
+    path: "/home/{{ gitea_user }}/.ssh"
+    state: directory
+    owner: "{{ gitea_user_res.uid }}"
+    group: "{{ gitea_user_res.group }}"
+    mode: 0700
+
+- name: Generate SSH keypair for host<>container
+  community.crypto.openssh_keypair:
+    path: "/home/{{ gitea_user }}/.ssh/id_ssh_ed25519"
+    type: ed25519
+    state: present
+    comment: "Gitea:Host2Container"
+    owner: "{{ gitea_user_res.uid }}"
+    group: "{{ gitea_user_res.group }}"
+    mode: 0600
+  register: gitea_user_ssh_key
+
+- name: Create forwarding script
+  copy:
+    dest: "/usr/local/bin/gitea"
+    owner: "{{ gitea_user_res.uid }}"
+    group: "{{ gitea_user_res.group }}"
+    mode: 0700
+    content: |
+      ssh -p {{ gitea_public_ssh_server_port }} -o StrictHostKeyChecking=no {{ gitea_user }}@127.0.0.1 -i /home/{{ gitea_user }}/.ssh/id_ssh_ed25519 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
+
+- name: Add host pubkey to git users authorized_keys file
+  lineinfile:
+    path: "/home/{{ gitea_user }}/.ssh/authorized_keys"
+    line: "{{ gitea_user_ssh_key.public_key }} Gitea:Host2Container"
+    state: present
+    create: yes
+    owner: "{{ gitea_user_res.uid }}"
+    group: "{{ gitea_user_res.group }}"
+    mode: 0600
+
+- name: Ensure gitea container image is present
+  docker_image:
+    name: "{{ gitea_container_image }}"
+    state: present
+    source: pull
+    force_source: "{{ gitea_container_image.endswith(':latest') }}"
+
+- name: Ensure container '{{ gitea_container_name }}' with gitea is running
+  docker_container:
+    name: "{{ gitea_container_name }}"
+    image: "{{ gitea_container_image }}"
+    env: "{{ gitea_container_env }}"
+    volumes: "{{ gitea_container_volumes }}"
+    networks: "{{ gitea_container_networks | default(omit, True) }}"
+    purge_networks: "{{ gitea_container_purge_networks | default(omit, True) }}"
+    published_ports: "{{ gitea_container_ports }}"
+    restart_policy: "{{ gitea_container_restart_policy }}"
+    state: started
+
+- name: Ensure given configuration is set in the config file
+  ini_file:
+    path: "{{ gitea_data_path }}/gitea/conf/app.ini"
+    section: "{{ section }}"
+    option: "{{ option }}"
+    value: "{{ entry.value }}"
+    state: "{{ 'present' if (entry.value is not none) else 'absent' }}"
+  loop: "{{ lookup('ansible.utils.to_paths', gitea_config) | dict2items }}"
+  loop_control:
+    loop_var: entry
+    label: "{{ section | default('/', True) }}->{{ option }}"
+  vars:
+    key_split: "{{ entry.key | split('.') }}"
+    # sections can be named `section_name`.`sub_section`, f.ex.: `repository.upload`
+    section: "{{ '' if key_split|length == 1 else (key_split[:-1] | join('.')) }}"
+    option: "{{ key_split | first if key_split|length == 1 else key_split | last }}"

roles/gitea/vars/main.yml

@@ -0,0 +1,34 @@
+---
+
+gitea_container_volumes: "{{ gitea_container_base_volumes + gitea_container_extra_volumes }}"
+
+gitea_container_labels: "{{ gitea_container_base_labels | combine(gitea_container_extra_labels) }}"
+
+gitea_container_env: "{{ gitea_container_base_env | combine(gitea_container_extra_env) }}"
+
+gitea_container_ports: "{{ gitea_container_base_ports + gitea_container_extra_ports }}"
+
+
+gitea_container_port_webui: 3000
+gitea_container_port_ssh: 22
+
+gitea_config_base:
+  RUN_MODE: prod
+  RUN_USER: "{{ gitea_user }}"
+  server:
+    SSH_DOMAIN: "{{ gitea_domain }}"
+    DOMAIN: "{{ gitea_domain }}"
+    HTTP_PORT: "{{ gitea_container_port_webui }}"
+    DISABLE_SSH: false
+    START_SSH_SERVER: false
+  mailer:
+    ENABLED: "{{ gitea_config_mailer_enabled }}"
+    MAILER_TYP: "{{ gitea_config_mailer_type }}"
+    HOST: "{{ gitea_config_mailer_host }}"
+    USER: "{{ gitea_config_mailer_user }}"
+    PASSWD: "{{ gitea_config_mailer_passwd }}"
+    IS_TLS_ENABLED: "{{ gitea_config_mailer_tls }}"
+    FROM: "{{ gitea_config_mailer_from_addr }}"
+    SENDMAIL_PATH: "{{ gitea_config_mailer_sendmail_path }}"
+  metrics:
+    ENABLED: "{{ gitea_config_metrics_enabled }}"

roles/jellyfin/defaults/main.yml

@@ -0,0 +1,29 @@
+---
+
+jellyfin_user: jellyfin
+
+jellyfin_base_path: /opt/jellyfin
+jellyfin_config_path: "{{ jellyfin_base_path }}/config"
+jellyfin_cache_path: "{{ jellyfin_base_path }}/cache"
+
+jellyfin_media_volumes: []
+
+jellyfin_container_name: jellyfin
+jellyfin_container_image_name: "docker.io/jellyfin/jellyfin"
+jellyfin_container_image_tag: "latest"
+jellyfin_container_image_ref: "{{ jellyfin_container_image_name }}:{{ jellyfin_container_image_tag }}"
+jellyfin_container_network_mode: host
+jellyfin_container_networks: ~
+jellyfin_container_volumes: "{{ jellyfin_container_base_volumes + jellyfin_media_volumes }}"
+jellyfin_container_restart_policy: "unless-stopped"
+
+jellyfin_host_directories:
+  - path: "{{ jellyfin_base_path }}"
+    mode: "0750"
+  - path: "{{ jellyfin_config_path }}"
+    mode: "0750"
+  - path: "{{ jellyfin_cache_path }}"
+    mode: "0750"
+
+jellyfin_uid: "{{ jellyfin_user_info.uid | default(jellyfin_user) }}"
+jellyfin_gid: "{{ jellyfin_user_info.group | default(jellyfin_user) }}"

roles/jellyfin/tasks/main.yml

@@ -0,0 +1,35 @@
+---
+
+- name: Ensure user '{{ jellyfin_user }}' for jellyfin is created
+  user:
+    name: "{{ jellyfin_user }}"
+    state: present
+    system: yes
+  register: jellyfin_user_info
+
+- name: Ensure host directories for jellyfin exist
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    owner: "{{ item.owner  | default(jellyfin_uid) }}"
+    group: "{{ item.group | default(jellyfin_gid) }}"
+    mode: "{{ item.mode }}"
+  loop: "{{ jellyfin_host_directories }}"
+
+- name: Ensure container image for jellyfin is available
+  docker_image:
+    name: "{{ jellyfin_container_image_ref }}"
+    state: present
+    source: pull
+    force_source: "{{ jellyfin_container_image_tag in ['stable', 'unstable'] }}"
+
+- name: Ensure container '{{ jellyfin_container_name }}' is running
+  docker_container:
+    name: "{{ jellyfin_container_name }}"
+    image: "{{ jellyfin_container_image_ref }}"
+    user: "{{ jellyfin_uid }}:{{ jellyfin_gid }}"
+    volumes: "{{ jellyfin_container_volumes }}"
+    networks: "{{ jellyfin_container_networks | default(omit, True) }}"
+    network_mode: "{{ jellyfin_container_network_mode }}"
+    restart_policy: "{{ jellyfin_container_restart_policy }}"
+    state: started

roles/jellyfin/vars/main.yml

@@ -0,0 +1,5 @@
+---
+
+jellyfin_container_base_volumes:
+  - "{{ jellyfin_config_path }}:/config:z"
+  - "{{ jellyfin_cache_path }}:/cache:z"

roles/restic/README.md

@@ -1,14 +1,28 @@
-# `finallycoffee.services.restic-s3`
+# `finallycoffee.services.restic`
 
-Ansible role for backup up data using `restic` to an `s3`-compatible backend,
-utilizing `systemd` timers for scheduling
+Ansible role for backup up data using `restic`, utilizing `systemd` timers for scheduling.
 
 ## Overview
 
-The s3 repository and the credentials for it are specified in `restic_repo_url`,
-`restic_s3_key_id` and `restic_s3_access_key`. As restic encrypts the data before
-storing it, the `restic_repo_password` needs to be populated with a strong key,
-and saved accordingly as only this key can be used to decrypt the data for a restore!
+As restic encrypts the data before storing it, the `restic_repo_password` needs
+to be populated with a strong key, and saved accordingly as only this key can
+be used to decrypt the data for a restore!
+
+### Backends
+
+#### S3 Backend
+
+To use a `s3`-compatible backend like AWS buckets or minio, both `restic_s3_key_id`
+and `restic_s3_access_key` need to be populated, and the `restic_repo_url` has the
+format `s3:https://my.s3.endpoint:port/bucket-name`.
+
+#### SFTP Backend
+
+Using the `sftp` backend requires the configured `restic_user` to be able to
+authenticate to the configured SFTP-Server using password-less methods like
+publickey-authentication. The `restic_repo_url` then follows the format
+`sftp:{user}@{server}:/my-restic-repository` (or without leading `/` for relative
+paths to the `{user}`s home directory.
 
 ### Backing up data
 

roles/restic/tasks/main.yml

@@ -44,14 +44,22 @@
 
 - name: Ensure systemd service file for '{{ restic_job_name }}' is templated
   template:
-    dest: "/etc/systemd/system/{{ restic_systemd_unit_naming_scheme }}.service"
-    src: restic.service.j2
+    dest: "/etc/systemd/system/{{ service.unit_name }}.service"
+    src: "{{ service.file }}"
     owner: root
     group: root
     mode: 0640
   notify:
     - reload-systemd
     - trigger-restic
+  loop:
+    - unit_name: "{{ restic_systemd_unit_naming_scheme }}"
+      file: restic.service.j2
+    - unit_name: "{{ restic_systemd_unit_naming_scheme }}-unlock"
+      file: restic-unlock.service.j2
+  loop_control:
+    loop_var: service
+    label: "{{ service.file }}"
 
 - name: Ensure systemd service file for '{{ restic_job_name }}' is templated
   template:
@@ -66,6 +74,11 @@
 - name: Flush handlers to ensure systemd knows about '{{ restic_job_name }}'
   meta: flush_handlers
 
+- name: Ensure systemd service for unlocking repository for '{{ restic_job_name }}' is enabled
+  systemd:
+    name: "{{ restic_systemd_unit_naming_scheme }}-unlock.service"
+    enabled: true
+
 - name: Ensure systemd timer for '{{ restic_job_name }}' is activated
   systemd:
     name: "{{ restic_systemd_unit_naming_scheme }}.timer"

roles/restic/templates/restic-unlock.service.j2

@@ -0,0 +1,21 @@
+[Unit]
+Description={{ restic_job_description }} - Unlock after reboot job
+
+[Service]
+Type=oneshot
+User={{ restic_user }}
+WorkingDirectory={{ restic_systemd_working_directory }}
+SyslogIdentifier={{ restic_systemd_syslog_identifier }}
+
+Environment=RESTIC_REPOSITORY={{ restic_repo_url }}
+Environment=RESTIC_PASSWORD={{ restic_repo_password }}
+{% if restic_s3_key_id and restic_s3_access_key %}
+Environment=AWS_ACCESS_KEY_ID={{ restic_s3_key_id }}
+Environment=AWS_SECRET_ACCESS_KEY={{ restic_s3_access_key }}
+{% endif %}
+
+ExecStartPre=-/bin/sh -c '/usr/bin/restic snapshots || /usr/bin/restic init'
+ExecStart=/usr/bin/restic unlock
+
+[Install]
+WantedBy=multi-user.target

roles/restic/templates/restic.service.j2

@@ -9,8 +9,10 @@ SyslogIdentifier={{ restic_systemd_syslog_identifier }}
 
 Environment=RESTIC_REPOSITORY={{ restic_repo_url }}
 Environment=RESTIC_PASSWORD={{ restic_repo_password }}
+{% if restic_s3_key_id and restic_s3_access_key %}
 Environment=AWS_ACCESS_KEY_ID={{ restic_s3_key_id }}
 Environment=AWS_SECRET_ACCESS_KEY={{ restic_s3_access_key }}
+{% endif %}
 
 ExecStartPre=-/bin/sh -c '/usr/bin/restic snapshots || /usr/bin/restic init'
 {% if restic_backup_stdin_command %}