chore: add authelia to repo README

README.md

@@ -8,6 +8,9 @@ concise area of concern.
 
 ## Roles
 
+- [`roles/authelia`](roles/authelia/README.md): Deploys an [authelia.com](https://www.authelia.com)
+  instance, an authentication provider with beta OIDC provider support.
+
 - [`roles/gitea`](roles/gitea/README.md): Deploy [gitea.io](https://gitea.io), a
   lightweight, self-hosted git service.
 

roles/authelia/README.md

@@ -0,0 +1,74 @@
+# `finallycoffee.services.authelia` ansible role
+
+Deploys [authelia](https://www.authelia.com), an open-source full-featured
+authentication server with OIDC beta support.
+
+## Configuration
+
+Most configurations options are exposed to be overrideable by setting
+`authelia_config_{flat_config_key}`, which means `totp.digits: 8`
+would become `authelia_config_totp_digits: 8`.
+
+If configuration is not exposed in [`defaults/main.yml`](defaults/main.yml),
+it can be overridden in `authelia_extra_config`, which is merged recursively
+to the default config. Entire blocks can currently not be easily overridden,
+it's best to rely on the `authelia_extra_config` here.
+
+Below are some configuration hints towards enabling 2nd factor
+providers like TOTP, WebAuthN etc.
+
+### TOTP
+
+See [the authelia docs on TOTP](https://www.authelia.com/docs/configuration/one-time-password.html#algorithm)
+before adjusting some of the fine-grained configuration, as many
+TOTP clients do not properly support all by-spec supported values.
+
+```yaml
+authelia_config_totp_disable: false
+authelia_config_totp_issuer: "your.authelia.domain"
+# Best to stick to authelias guide here
+authelia_config_totp_algorithm: [...]
+authelia_config_totp_digits: [...]
+authelia_config_totp_period: [...]
+```
+
+### WebAuthN
+
+```yaml
+authelia_config_webauthn_disable: false
+authelia_config_webauthn_timeout: 30s
+# Force user to touch the security key's confirmation button
+authelia_config_webauthn_user_verification: required
+```
+
+For more information about possible WebAuthN configuration, see
+[the authelia docs on WebAuthN](https://www.authelia.com/docs/configuration/webauthn.html).
+
+### Database & Redis
+
+While Authelia can use a sqlite DB with in memory store by setting
+`authelia_sqlite_storage_file_path`, it is recommended to use a proper
+database and a redis instance:
+```yaml
+authelia_database_type: postgres
+authelia_database_host: /var/run/postgres/
+authelia_database_user: authelia
+authelia_database_pass: authelia
+
+# Redis
+authelia_redis_host: /var/run/redis/
+authelia_redis_pass: very_long_static_secret
+
+```
+
+### Notifications
+
+For a test setup, notifications can be written into a config file, this behaviour
+is enabled by setting `authelia_config_notifier_filesystem_filename`. For real-world
+use, an SMTP server is strongly recommended, its config is as follows:
+```
+authelia_smtp_host: mail.domain.com
+authelia_smtp_port: 587 # for StartTLS
+authelia_smtp_user: authelia@domain.com
+authelia_smtp_pass: authelia_user_pass
+```

roles/authelia/defaults/main.yml

@@ -15,9 +15,11 @@ authelia_user_storage_file: "{{ authelia_data_dir }}/user_database.yml"
 authelia_container_name: authelia
 authelia_container_image_name: docker.io/authelia/authelia
 authelia_container_image_tag: ~
-authelia_container_image_ref: "{{ authelia_container_image_name }}:{{ authelia_container_image_tag | default('v' + authelia_version) }}"
+authelia_container_image_ref: "{{ authelia_container_image_name }}:{{ authelia_container_image_tag | default(authelia_version, true) }}"
 authelia_container_image_force_pull: "{{ authelia_container_image_tag | default(false, True) }}"
-authelia_container_env: {}
+authelia_container_env:
+  PUID: "{{ authelia_run_user }}"
+  PGID: "{{ authelia_run_group }}"
 authelia_container_labels: >-2
   {{ authelia_container_base_labels | combine(authelia_container_extra_labels) }}
 authelia_container_extra_labels: {}
@@ -78,22 +80,14 @@ authelia_config_authentication_backend_disable_reset_password: false
 authelia_config_authentication_backend_refresh_interval: 5m
 authelia_config_authentication_backend_password_reset_custom_url: ~
 authelia_config_authentication_backend_ldap_implementation: custom
-authelia_config_authentication_backend_ldap_url: ldap://127.0.0.1
+authelia_config_authentication_backend_ldap_url: ldap://127.0.0.1:389
 authelia_config_authentication_backend_ldap_timeout: 5s
 authelia_config_authentication_backend_ldap_start_tls: false
 authelia_config_authentication_backend_ldap_tls_skip_verify: false
 authelia_config_authentication_backend_ldap_minimum_version: "{{ authelia_tls_minimum_version }}"
 authelia_config_authentication_backend_ldap_base_dn: ~
 authelia_config_authentication_backend_ldap_additional_users_dn: "ou=users"
-authelia_config_authentication_backend_ldap_users_filter: >-2
+authelia_config_authentication_backend_ldap_users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=inetOrgPerson))"
-  (&
-    (|
-      ({username_attribute}={input})
-      ({mail_attribute}={input})
-    )
-    (objectClass=inetOrgPerson)
-    (enabled=TRUE)
-  )
 authelia_config_authentication_backend_ldap_additional_groups_dn: "ou=groups"
 authelia_config_authentication_backend_ldap_groups_filter: "(member={dn})"
 authelia_config_authentication_backend_ldap_group_name_attribute: cn
@@ -153,8 +147,8 @@ authelia_config_notifier_disable_startup_check: false
 authelia_config_notifier_filesystem_filename: ~
 authelia_config_notifier_smtp_host: "{{ authelia_smtp_host }}"
 authelia_config_notifier_smtp_port: "{{ authelia_stmp_port }}"
-authelia_config_notifier_smtp_user: "{{ authelia_stmp_user }}"
+authelia_config_notifier_smtp_username: "{{ authelia_smtp_user }}"
-authelia_config_notifier_smtp_pass: "{{ authelia_stmp_pass }}"
+authelia_config_notifier_smtp_password: "{{ authelia_smtp_pass }}"
 authelia_config_notifier_smtp_timeout: 5s
 authelia_config_notifier_smtp_sender: "Authelia on {{ authelia_domain }} <admin@{{ authelia_domain }}>"
 authelia_config_notifier_smtp_identifier: "{{ authelia_domain }}"

roles/authelia/tasks/main.yml

@@ -40,7 +40,7 @@
     mode: "0640"
     access_time: preserve
     modification_time: preserve
-  when: "{{ authelia_config_storage_local_path | default(false, true) }}"
+  when: authelia_config_storage_local_path | default(false, true)
 
 - name: Ensure user database exists before mounting it
   file:
@@ -51,7 +51,7 @@
     mode: "0640"
     access_time: preserve
     modification_time: preserve
-  when: "{{ authelia_config_authentication_backend_file_path | default(false, true) }}"
+  when: authelia_config_authentication_backend_file_path | default(false, true)
 
 - name: Ensure notification reports file exists before mounting it
   file:
@@ -62,10 +62,10 @@
     mode: "0640"
     access_time: preserve
     modification_time: preserve
-  when: "{{ authelia_config_notifier_filesystem_filename | default(false, true) }}"
+  when: authelia_config_notifier_filesystem_filename | default(false, true)
 
 - name: Ensure authelia container image is present
-  docker_image:
+  community.docker.docker_image:
     name: "{{ authelia_container_image_ref }}"
     state: present
     source: pull
@@ -82,7 +82,7 @@
     labels: "{{ authelia_container_labels }}"
     volumes: "{{ authelia_container_volumes }}"
     networks: "{{ authelia_container_networks | default(omit, true) }}"
-    purge_networks: "{{ authelia_container_purge_networks }}"
+    purge_networks: "{{ authelia_container_purge_networks | default(omit, true)}}"
     restart_policy: "{{ authelia_container_restart_policy }}"
     state: "{{ authelia_container_state }}"
   register: authelia_container_info

roles/authelia/vars/main.yml

@@ -5,8 +5,8 @@ authelia_run_group: "{{ (authelia_user_info.group) if authelia_user_info is defi
 
 authelia_container_base_volumes: >-2
   {{ [ authelia_config_file + ":/config/configuration.yml:ro"]
-    + ([ authelia_sqlite_storage_file + ":" + authelia_config_storage_local_path + ":z" ])
+    + ([ authelia_sqlite_storage_file + ":" + authelia_config_storage_local_path + ":z" ]
-      if authelia_config_storage_local_path | default(false, true) else []
+      if authelia_config_storage_local_path | default(false, true) else [])
     + ([ authelia_notification_storage_file + ":" + authelia_config_notifier_filesystem_filename + ":z" ]
       if authelia_config_notifier_filesystem_filename | default(false, true) else [])
     + ( [authelia_user_storage_file + ":" + authelia_config_authentication_backend_file_path + ":z"]
@@ -16,7 +16,7 @@ authelia_container_base_volumes: >-2
 authelia_container_base_labels:
   version: "{{ authelia_version }}"
 
-authelia_config: "{{ authelia_base_config | combine(authelia_extra_config) }}"
+authelia_config: "{{ authelia_base_config | combine(authelia_extra_config, recursive=True) }}"
 authelia_top_level_config:
   theme: "{{ authelia_config_theme }}"
   jwt_secret: "{{ authelia_config_jwt_secret }}"
@@ -26,7 +26,7 @@ authelia_top_level_config:
   duo_api: "{{ authelia_config_duo_api }}"
   ntp: "{{ authelia_config_ntp }}"
   authentication_backend: "{{ authelia_config_authentication_backend }}"
-  password_policy: "{{ authelia_config_password_policy }}"
+#  password_policy: "{{ authelia_config_password_policy }}"
   access_control: "{{ authelia_config_access_control }}"
   session: "{{ authelia_config_session }}"
   regulation: "{{ authelia_config_regulation }}"
@@ -41,7 +41,7 @@ authelia_base_config: >-2
     | combine(({"server": authelia_config_server })
       | combine({"tls": authelia_config_server_tls}
         if authelia_config_server_tls_key | default(false, true) else {}))
-    
+   }}
 
 authelia_config_server: >-2
   {{
@@ -79,7 +79,7 @@ authelia_config_totp:
   digits: "{{ authelia_config_totp_digits }}"
   period: "{{ authelia_config_totp_period }}"
   skew: "{{ authelia_config_totp_skew }}"
-  secret_size: "{{ authelia_config_totp_secret_size }}"
+#  secret_size: "{{ authelia_config_totp_secret_size }}"
 authelia_config_webauthn:
   disable: "{{ authelia_config_webauthn_disable }}"
   timeout: "{{ authelia_config_webauthn_timeout }}"
@@ -107,7 +107,7 @@ authelia_config_authentication_backend: >-2
     | combine({"password_reset": authelia_config_authentication_backend_password_reset}
       if authelia_config_authentication_backend_password_reset_custom_url | default(false, true) else {})
     | combine({"file": authelia_config_authentication_backend_file}
-      if authelia_config_authentication_backend_file | default(false, true)
+      if authelia_config_authentication_backend_file_path | default(false, true)
       else {"ldap": authelia_config_authentication_backend_ldap})
   }}
 authelia_config_authentication_backend_password_reset:
@@ -123,7 +123,7 @@ authelia_config_authentication_backend_ldap:
   base_dn: "{{ authelia_config_authentication_backend_ldap_base_dn }}"
   additional_users_dn: "{{ authelia_config_authentication_backend_ldap_additional_users_dn }}"
   additional_groups_dn: "{{ authelia_config_authentication_backend_ldap_additional_groups_dn }}" 
-  users_filter: "{{ authelia_config_authentication_backend_ldap_groups_filter }}" 
+  users_filter: "{{ authelia_config_authentication_backend_ldap_users_filter }}" 
   groups_filter: "{{ authelia_config_authentication_backend_ldap_groups_filter }}"
   group_name_attribute: "{{ authelia_config_authentication_backend_ldap_group_name_attribute }}"
   username_attribute: "{{ authelia_config_authentication_backend_ldap_username_attribute }}"
@@ -140,17 +140,22 @@ authelia_config_authentication_backend_file:
     salt_lenght: "{{ authelia_config_authentication_backend_file_password_salt_length }}"
     memory: "{{ authelia_config_authentication_backend_file_password_memory }}"
     parallelism: "{{ authelia_config_authentication_backend_file_password_parallelism }}"
-authelia_config_password_policy:
+authelia_config_password_policy: >-2
-  standard:
+  {{
-    enabled: "{{ authelia_config_password_policy_standard_enabled }}"
+    {"standard": authelia_config_password_policy_standard}
-    min_length: "{{ authelia_config_password_policy_standard_min_length }}"
+    if authelia_config_password_policy_standard_enabled
-    max_length: "{{ authelia_config_password_policy_standard_max_length }}"
+    else {"zxcvbn": authelia_config_password_policy_zxcvbn}
-    require_uppercase: "{{ authelia_config_password_policy_standard_require_uppercase }}"
+  }}
-    require_lowercase: "{{ authelia_config_password_policy_standard_require_lowercase }}"
+authelia_config_password_policy_standard:
-    require_number: "{{ authelia_config_password_policy_standard_require_number }}"
+  enabled: "{{ authelia_config_password_policy_standard_enabled }}"
-    require_special: "{{ authelia_config_password_policy_standard_require_special }}"
+  min_length: "{{ authelia_config_password_policy_standard_min_length }}"
-  zxcvbn:
+  max_length: "{{ authelia_config_password_policy_standard_max_length }}"
-    enabled: "{{ authelia_config_password_policy_zxcvbn_enabled }}"
+  require_uppercase: "{{ authelia_config_password_policy_standard_require_uppercase }}"
+  require_lowercase: "{{ authelia_config_password_policy_standard_require_lowercase }}"
+  require_number: "{{ authelia_config_password_policy_standard_require_number }}"
+  require_special: "{{ authelia_config_password_policy_standard_require_special }}"
+authelia_config_password_policy_zxcvbn:
+  enabled: "{{ authelia_config_password_policy_zxcvbn_enabled }}"
 authelia_config_access_control:
   default_policy: "{{ authelia_config_access_control_default_policy }}"
   networks: "{{ authelia_config_access_control_networks }}"
@@ -203,7 +208,6 @@ authelia_config_storage: >-2
     | combine({"postgres": authelia_config_storage_postgres}
       if authelia_database_type in ['postgres', 'postgresql'] else {})
   }}
-
 authelia_config_storage_local:
   path: "{{ authelia_config_storage_local_path }}"
 authelia_config_storage_mysql: