feat(authelia): add ansible role for authelia

2022-04-10 16:27:10 +02:00
7 changed files with 41 additions and 150 deletions
--- a/README.md
+++ b/README.md
@@ -8,9 +8,6 @@ concise area of concern.
 ## Roles
 - [`roles/authelia`](roles/authelia/README.md): Deploys an [authelia.com](https://www.authelia.com)
  instance, an authentication provider with beta OIDC provider support.
 - [`roles/gitea`](roles/gitea/README.md): Deploy [gitea.io](https://gitea.io), a
  lightweight, self-hosted git service.
--- a/roles/authelia/README.md
+++ b/roles/authelia/README.md
@@ -1,74 +0,0 @@
 # `finallycoffee.services.authelia` ansible role
 Deploys [authelia](https://www.authelia.com), an open-source full-featured
 authentication server with OIDC beta support.
 ## Configuration
 Most configurations options are exposed to be overrideable by setting
 `authelia_config_{flat_config_key}`, which means `totp.digits: 8`
 would become `authelia_config_totp_digits: 8`.
 If configuration is not exposed in [`defaults/main.yml`](defaults/main.yml),
 it can be overridden in `authelia_extra_config`, which is merged recursively
 to the default config. Entire blocks can currently not be easily overridden,
 it's best to rely on the `authelia_extra_config` here.
 Below are some configuration hints towards enabling 2nd factor
 providers like TOTP, WebAuthN etc.
 ### TOTP
 See [the authelia docs on TOTP](https://www.authelia.com/docs/configuration/one-time-password.html#algorithm)
 before adjusting some of the fine-grained configuration, as many
 TOTP clients do not properly support all by-spec supported values.
 ```yaml
 authelia_config_totp_disable: false
 authelia_config_totp_issuer: "your.authelia.domain"
 # Best to stick to authelias guide here
 authelia_config_totp_algorithm: [...]
 authelia_config_totp_digits: [...]
 authelia_config_totp_period: [...]
 ```
 ### WebAuthN
 ```yaml
 authelia_config_webauthn_disable: false
 authelia_config_webauthn_timeout: 30s
 # Force user to touch the security key's confirmation button
 authelia_config_webauthn_user_verification: required
 ```
 For more information about possible WebAuthN configuration, see
 [the authelia docs on WebAuthN](https://www.authelia.com/docs/configuration/webauthn.html).
 ### Database & Redis
 While Authelia can use a sqlite DB with in memory store by setting
 `authelia_sqlite_storage_file_path`, it is recommended to use a proper
 database and a redis instance:
 ```yaml
 authelia_database_type: postgres
 authelia_database_host: /var/run/postgres/
 authelia_database_user: authelia
 authelia_database_pass: authelia
 # Redis
 authelia_redis_host: /var/run/redis/
 authelia_redis_pass: very_long_static_secret
 ```
 ### Notifications
 For a test setup, notifications can be written into a config file, this behaviour
 is enabled by setting `authelia_config_notifier_filesystem_filename`. For real-world
 use, an SMTP server is strongly recommended, its config is as follows:
 ```
 authelia_smtp_host: mail.domain.com
 authelia_smtp_port: 587 # for StartTLS
 authelia_smtp_user: authelia@domain.com
 authelia_smtp_pass: authelia_user_pass
 ```
--- a/roles/authelia/defaults/main.yml
+++ b/roles/authelia/defaults/main.yml
@@ -15,11 +15,9 @@ authelia_user_storage_file: "{{ authelia_data_dir }}/user_database.yml"
 authelia_container_name: authelia
 authelia_container_image_name: docker.io/authelia/authelia
 authelia_container_image_tag: ~
-authelia_container_image_ref: "{{ authelia_container_image_name }}:{{ authelia_container_image_tag | default(authelia_version, true) }}"
+authelia_container_image_ref: "{{ authelia_container_image_name }}:{{ authelia_container_image_tag | default('v' + authelia_version) }}"
 authelia_container_image_force_pull: "{{ authelia_container_image_tag | default(false, True) }}"
-authelia_container_env:
+authelia_container_env: {}
  PUID: "{{ authelia_run_user }}"
  PGID: "{{ authelia_run_group }}"
 authelia_container_labels: >-2
  {{ authelia_container_base_labels | combine(authelia_container_extra_labels) }}
 authelia_container_extra_labels: {}
@@ -80,14 +78,22 @@ authelia_config_authentication_backend_disable_reset_password: false
 authelia_config_authentication_backend_refresh_interval: 5m
 authelia_config_authentication_backend_password_reset_custom_url: ~
 authelia_config_authentication_backend_ldap_implementation: custom
-authelia_config_authentication_backend_ldap_url: ldap://127.0.0.1:389
+authelia_config_authentication_backend_ldap_url: ldap://127.0.0.1
 authelia_config_authentication_backend_ldap_timeout: 5s
 authelia_config_authentication_backend_ldap_start_tls: false
 authelia_config_authentication_backend_ldap_tls_skip_verify: false
 authelia_config_authentication_backend_ldap_minimum_version: "{{ authelia_tls_minimum_version }}"
 authelia_config_authentication_backend_ldap_base_dn: ~
 authelia_config_authentication_backend_ldap_additional_users_dn: "ou=users"
-authelia_config_authentication_backend_ldap_users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=inetOrgPerson))"
+authelia_config_authentication_backend_ldap_users_filter: >-2
  (&
    (|
      ({username_attribute}={input})
      ({mail_attribute}={input})
    )
    (objectClass=inetOrgPerson)
    (enabled=TRUE)
  )
 authelia_config_authentication_backend_ldap_additional_groups_dn: "ou=groups"
 authelia_config_authentication_backend_ldap_groups_filter: "(member={dn})"
 authelia_config_authentication_backend_ldap_group_name_attribute: cn
@@ -147,8 +153,8 @@ authelia_config_notifier_disable_startup_check: false
 authelia_config_notifier_filesystem_filename: ~
 authelia_config_notifier_smtp_host: "{{ authelia_smtp_host }}"
 authelia_config_notifier_smtp_port: "{{ authelia_stmp_port }}"
-authelia_config_notifier_smtp_username: "{{ authelia_smtp_user }}"
+authelia_config_notifier_smtp_user: "{{ authelia_stmp_user }}"
-authelia_config_notifier_smtp_password: "{{ authelia_smtp_pass }}"
+authelia_config_notifier_smtp_pass: "{{ authelia_stmp_pass }}"
 authelia_config_notifier_smtp_timeout: 5s
 authelia_config_notifier_smtp_sender: "Authelia on {{ authelia_domain }} <admin@{{ authelia_domain }}>"
 authelia_config_notifier_smtp_identifier: "{{ authelia_domain }}"
--- a/roles/authelia/tasks/main.yml
+++ b/roles/authelia/tasks/main.yml
@@ -40,7 +40,7 @@
    mode: "0640"
    access_time: preserve
    modification_time: preserve
-  when: authelia_config_storage_local_path | default(false, true)
+  when: "{{ authelia_config_storage_local_path | default(false, true) }}"
 - name: Ensure user database exists before mounting it
  file:
@@ -51,7 +51,7 @@
    mode: "0640"
    access_time: preserve
    modification_time: preserve
-  when: authelia_config_authentication_backend_file_path | default(false, true)
+  when: "{{ authelia_config_authentication_backend_file_path | default(false, true) }}"
 - name: Ensure notification reports file exists before mounting it
  file:
@@ -62,10 +62,10 @@
    mode: "0640"
    access_time: preserve
    modification_time: preserve
-  when: authelia_config_notifier_filesystem_filename | default(false, true)
+  when: "{{ authelia_config_notifier_filesystem_filename | default(false, true) }}"
 - name: Ensure authelia container image is present
-  community.docker.docker_image:
+  docker_image:
    name: "{{ authelia_container_image_ref }}"
    state: present
    source: pull
@@ -82,7 +82,7 @@
    labels: "{{ authelia_container_labels }}"
    volumes: "{{ authelia_container_volumes }}"
    networks: "{{ authelia_container_networks | default(omit, true) }}"
-    purge_networks: "{{ authelia_container_purge_networks | default(omit, true)}}"
+    purge_networks: "{{ authelia_container_purge_networks }}"
    restart_policy: "{{ authelia_container_restart_policy }}"
    state: "{{ authelia_container_state }}"
  register: authelia_container_info
--- a/roles/authelia/vars/main.yml
+++ b/roles/authelia/vars/main.yml
@@ -5,8 +5,8 @@ authelia_run_group: "{{ (authelia_user_info.group) if authelia_user_info is defi
 authelia_container_base_volumes: >-2
  {{ [ authelia_config_file + ":/config/configuration.yml:ro"]
-    + ([ authelia_sqlite_storage_file + ":" + authelia_config_storage_local_path + ":z" ]
+    + ([ authelia_sqlite_storage_file + ":" + authelia_config_storage_local_path + ":z" ])
-      if authelia_config_storage_local_path | default(false, true) else [])
+      if authelia_config_storage_local_path | default(false, true) else []
    + ([ authelia_notification_storage_file + ":" + authelia_config_notifier_filesystem_filename + ":z" ]
      if authelia_config_notifier_filesystem_filename | default(false, true) else [])
    + ( [authelia_user_storage_file + ":" + authelia_config_authentication_backend_file_path + ":z"]
@@ -16,7 +16,7 @@ authelia_container_base_volumes: >-2
 authelia_container_base_labels:
  version: "{{ authelia_version }}"
-authelia_config: "{{ authelia_base_config | combine(authelia_extra_config, recursive=True) }}"
+authelia_config: "{{ authelia_base_config | combine(authelia_extra_config) }}"
 authelia_top_level_config:
  theme: "{{ authelia_config_theme }}"
  jwt_secret: "{{ authelia_config_jwt_secret }}"
@@ -26,7 +26,7 @@ authelia_top_level_config:
  duo_api: "{{ authelia_config_duo_api }}"
  ntp: "{{ authelia_config_ntp }}"
  authentication_backend: "{{ authelia_config_authentication_backend }}"
-#  password_policy: "{{ authelia_config_password_policy }}"
+  password_policy: "{{ authelia_config_password_policy }}"
  access_control: "{{ authelia_config_access_control }}"
  session: "{{ authelia_config_session }}"
  regulation: "{{ authelia_config_regulation }}"
@@ -41,7 +41,7 @@ authelia_base_config: >-2
    | combine(({"server": authelia_config_server })
      | combine({"tls": authelia_config_server_tls}
        if authelia_config_server_tls_key | default(false, true) else {}))
-   }}
+    
 authelia_config_server: >-2
  {{
@@ -79,7 +79,7 @@ authelia_config_totp:
  digits: "{{ authelia_config_totp_digits }}"
  period: "{{ authelia_config_totp_period }}"
  skew: "{{ authelia_config_totp_skew }}"
-#  secret_size: "{{ authelia_config_totp_secret_size }}"
+  secret_size: "{{ authelia_config_totp_secret_size }}"
 authelia_config_webauthn:
  disable: "{{ authelia_config_webauthn_disable }}"
  timeout: "{{ authelia_config_webauthn_timeout }}"
@@ -107,7 +107,7 @@ authelia_config_authentication_backend: >-2
    | combine({"password_reset": authelia_config_authentication_backend_password_reset}
      if authelia_config_authentication_backend_password_reset_custom_url | default(false, true) else {})
    | combine({"file": authelia_config_authentication_backend_file}
-      if authelia_config_authentication_backend_file_path | default(false, true)
+      if authelia_config_authentication_backend_file | default(false, true)
      else {"ldap": authelia_config_authentication_backend_ldap})
  }}
 authelia_config_authentication_backend_password_reset:
@@ -123,7 +123,7 @@ authelia_config_authentication_backend_ldap:
  base_dn: "{{ authelia_config_authentication_backend_ldap_base_dn }}"
  additional_users_dn: "{{ authelia_config_authentication_backend_ldap_additional_users_dn }}"
  additional_groups_dn: "{{ authelia_config_authentication_backend_ldap_additional_groups_dn }}" 
-  users_filter: "{{ authelia_config_authentication_backend_ldap_users_filter }}" 
+  users_filter: "{{ authelia_config_authentication_backend_ldap_groups_filter }}" 
  groups_filter: "{{ authelia_config_authentication_backend_ldap_groups_filter }}"
  group_name_attribute: "{{ authelia_config_authentication_backend_ldap_group_name_attribute }}"
  username_attribute: "{{ authelia_config_authentication_backend_ldap_username_attribute }}"
@@ -140,22 +140,17 @@ authelia_config_authentication_backend_file:
    salt_lenght: "{{ authelia_config_authentication_backend_file_password_salt_length }}"
    memory: "{{ authelia_config_authentication_backend_file_password_memory }}"
    parallelism: "{{ authelia_config_authentication_backend_file_password_parallelism }}"
-authelia_config_password_policy: >-2
+authelia_config_password_policy:
-  {{
+  standard:
-    {"standard": authelia_config_password_policy_standard}
+    enabled: "{{ authelia_config_password_policy_standard_enabled }}"
-    if authelia_config_password_policy_standard_enabled
+    min_length: "{{ authelia_config_password_policy_standard_min_length }}"
-    else {"zxcvbn": authelia_config_password_policy_zxcvbn}
+    max_length: "{{ authelia_config_password_policy_standard_max_length }}"
-  }}
+    require_uppercase: "{{ authelia_config_password_policy_standard_require_uppercase }}"
-authelia_config_password_policy_standard:
+    require_lowercase: "{{ authelia_config_password_policy_standard_require_lowercase }}"
-  enabled: "{{ authelia_config_password_policy_standard_enabled }}"
+    require_number: "{{ authelia_config_password_policy_standard_require_number }}"
-  min_length: "{{ authelia_config_password_policy_standard_min_length }}"
+    require_special: "{{ authelia_config_password_policy_standard_require_special }}"
-  max_length: "{{ authelia_config_password_policy_standard_max_length }}"
+  zxcvbn:
-  require_uppercase: "{{ authelia_config_password_policy_standard_require_uppercase }}"
+    enabled: "{{ authelia_config_password_policy_zxcvbn_enabled }}"
  require_lowercase: "{{ authelia_config_password_policy_standard_require_lowercase }}"
  require_number: "{{ authelia_config_password_policy_standard_require_number }}"
  require_special: "{{ authelia_config_password_policy_standard_require_special }}"
 authelia_config_password_policy_zxcvbn:
  enabled: "{{ authelia_config_password_policy_zxcvbn_enabled }}"
 authelia_config_access_control:
  default_policy: "{{ authelia_config_access_control_default_policy }}"
  networks: "{{ authelia_config_access_control_networks }}"
@@ -208,6 +203,7 @@ authelia_config_storage: >-2
    | combine({"postgres": authelia_config_storage_postgres}
      if authelia_database_type in ['postgres', 'postgresql'] else {})
  }}
 authelia_config_storage_local:
  path: "{{ authelia_config_storage_local_path }}"
 authelia_config_storage_mysql:
--- a/roles/restic/tasks/main.yml
+++ b/roles/restic/tasks/main.yml
@@ -44,22 +44,14 @@
 - name: Ensure systemd service file for '{{ restic_job_name }}' is templated
  template:
-    dest: "/etc/systemd/system/{{ service.unit_name }}.service"
+    dest: "/etc/systemd/system/{{ restic_systemd_unit_naming_scheme }}.service"
-    src: "{{ service.file }}"
+    src: restic.service.j2
    owner: root
    group: root
    mode: 0640
  notify:
    - reload-systemd
    - trigger-restic
  loop:
    - unit_name: "{{ restic_systemd_unit_naming_scheme }}"
      file: restic.service.j2
    - unit_name: "{{ restic_systemd_unit_naming_scheme }}-unlock"
      file: restic-unlock.service.j2
  loop_control:
    loop_var: service
    label: "{{ service.file }}"
 - name: Ensure systemd service file for '{{ restic_job_name }}' is templated
  template:
@@ -74,11 +66,6 @@
 - name: Flush handlers to ensure systemd knows about '{{ restic_job_name }}'
  meta: flush_handlers
 - name: Ensure systemd service for unlocking repository for '{{ restic_job_name }}' is enabled
  systemd:
    name: "{{ restic_systemd_unit_naming_scheme }}-unlock.service"
    enabled: true
 - name: Ensure systemd timer for '{{ restic_job_name }}' is activated
  systemd:
    name: "{{ restic_systemd_unit_naming_scheme }}.timer"
--- a/roles/restic/templates/restic-unlock.service.j2
+++ b/roles/restic/templates/restic-unlock.service.j2
@@ -1,21 +0,0 @@
 [Unit]
 Description={{ restic_job_description }} - Unlock after reboot job
 [Service]
 Type=oneshot
 User={{ restic_user }}
 WorkingDirectory={{ restic_systemd_working_directory }}
 SyslogIdentifier={{ restic_systemd_syslog_identifier }}
 Environment=RESTIC_REPOSITORY={{ restic_repo_url }}
 Environment=RESTIC_PASSWORD={{ restic_repo_password }}
 {% if restic_s3_key_id and restic_s3_access_key %}
 Environment=AWS_ACCESS_KEY_ID={{ restic_s3_key_id }}
 Environment=AWS_SECRET_ACCESS_KEY={{ restic_s3_access_key }}
 {% endif %}
 ExecStartPre=-/bin/sh -c '/usr/bin/restic snapshots || /usr/bin/restic init'
 ExecStart=/usr/bin/restic unlock
 [Install]
 WantedBy=multi-user.target