From 884a71ed23838bd7b7716a0020a2fbd7d0d6a2ce Mon Sep 17 00:00:00 2001 From: Johanna Dorothea Reichmann Date: Sun, 10 Apr 2022 11:05:40 +0200 Subject: [PATCH 1/2] feat(authelia): add ansible role for authelia --- roles/authelia/README.md | 74 +++++++++ roles/authelia/defaults/main.yml | 180 +++++++++++++++++++++ roles/authelia/handlers/main.yml | 8 + roles/authelia/tasks/main.yml | 88 +++++++++++ roles/authelia/vars/main.yml | 259 +++++++++++++++++++++++++++++++ 5 files changed, 609 insertions(+) create mode 100644 roles/authelia/README.md create mode 100644 roles/authelia/defaults/main.yml create mode 100644 roles/authelia/handlers/main.yml create mode 100644 roles/authelia/tasks/main.yml create mode 100644 roles/authelia/vars/main.yml diff --git a/roles/authelia/README.md b/roles/authelia/README.md new file mode 100644 index 0000000..0bbc61c --- /dev/null +++ b/roles/authelia/README.md @@ -0,0 +1,74 @@ +# `finallycoffee.services.authelia` ansible role + +Deploys [authelia](https://www.authelia.com), an open-source full-featured +authentication server with OIDC beta support. + +## Configuration + +Most configurations options are exposed to be overrideable by setting +`authelia_config_{flat_config_key}`, which means `totp.digits: 8` +would become `authelia_config_totp_digits: 8`. + +If configuration is not exposed in [`defaults/main.yml`](defaults/main.yml), +it can be overridden in `authelia_extra_config`, which is merged recursively +to the default config. Entire blocks can currently not be easily overridden, +it's best to rely on the `authelia_extra_config` here. + +Below are some configuration hints towards enabling 2nd factor +providers like TOTP, WebAuthN etc. + +### TOTP + +See [the authelia docs on TOTP](https://www.authelia.com/docs/configuration/one-time-password.html#algorithm) +before adjusting some of the fine-grained configuration, as many +TOTP clients do not properly support all by-spec supported values. + +```yaml +authelia_config_totp_disable: false +authelia_config_totp_issuer: "your.authelia.domain" +# Best to stick to authelias guide here +authelia_config_totp_algorithm: [...] +authelia_config_totp_digits: [...] +authelia_config_totp_period: [...] +``` + +### WebAuthN + +```yaml +authelia_config_webauthn_disable: false +authelia_config_webauthn_timeout: 30s +# Force user to touch the security key's confirmation button +authelia_config_webauthn_user_verification: required +``` + +For more information about possible WebAuthN configuration, see +[the authelia docs on WebAuthN](https://www.authelia.com/docs/configuration/webauthn.html). + +### Database & Redis + +While Authelia can use a sqlite DB with in memory store by setting +`authelia_sqlite_storage_file_path`, it is recommended to use a proper +database and a redis instance: +```yaml +authelia_database_type: postgres +authelia_database_host: /var/run/postgres/ +authelia_database_user: authelia +authelia_database_pass: authelia + +# Redis +authelia_redis_host: /var/run/redis/ +authelia_redis_pass: very_long_static_secret + +``` + +### Notifications + +For a test setup, notifications can be written into a config file, this behaviour +is enabled by setting `authelia_config_notifier_filesystem_filename`. For real-world +use, an SMTP server is strongly recommended, its config is as follows: +``` +authelia_smtp_host: mail.domain.com +authelia_smtp_port: 587 # for StartTLS +authelia_smtp_user: authelia@domain.com +authelia_smtp_pass: authelia_user_pass +``` diff --git a/roles/authelia/defaults/main.yml b/roles/authelia/defaults/main.yml new file mode 100644 index 0000000..4169af6 --- /dev/null +++ b/roles/authelia/defaults/main.yml @@ -0,0 +1,180 @@ +--- + +authelia_version: 4.34.6 +authelia_user: authelia +authelia_base_dir: /opt/authelia +authelia_domain: authelia.example.org + +authelia_config_dir: "{{ authelia_base_dir }}/config" +authelia_config_file: "{{ authelia_config_dir }}/config.yaml" +authelia_data_dir: "{{ authelia_base_dir }}/data" +authelia_sqlite_storage_file: "{{ authelia_data_dir }}/authelia.sqlite3" +authelia_notification_storage_file: "{{ authelia_data_dir }}/notifications.txt" +authelia_user_storage_file: "{{ authelia_data_dir }}/user_database.yml" + +authelia_container_name: authelia +authelia_container_image_name: docker.io/authelia/authelia +authelia_container_image_tag: ~ +authelia_container_image_ref: "{{ authelia_container_image_name }}:{{ authelia_container_image_tag | default(authelia_version, true) }}" +authelia_container_image_force_pull: "{{ authelia_container_image_tag | default(false, True) }}" +authelia_container_env: + PUID: "{{ authelia_run_user }}" + PGID: "{{ authelia_run_group }}" +authelia_container_labels: >-2 + {{ authelia_container_base_labels | combine(authelia_container_extra_labels) }} +authelia_container_extra_labels: {} +authelia_container_extra_volumes: [] +authelia_container_volumes: >-2 + {{ authelia_container_base_volumes + + authelia_container_extra_volumes }} +authelia_container_ports: ~ +authelia_container_networks: ~ +authelia_container_purge_networks: ~ +authelia_container_restart_policy: unless-stopped +authelia_container_state: started + +authelia_container_listen_port: 9091 +authelia_tls_minimum_version: TLS1.2 + +authelia_config_theme: auto +authelia_config_jwt_secret: ~ +authelia_config_default_redirection_url: ~ +authelia_config_server_host: 0.0.0.0 +authelia_config_server_port: "{{ authelia_container_listen_port }}" +authelia_config_server_path: "" +authelia_config_server_read_buffer_size: 4096 +authelia_config_server_write_buffer_size: 4096 +authelia_config_server_enable_pprof: true +authelia_config_server_enable_expvars: true +authelia_config_server_disable_healthcheck: +authelia_config_server_tls_key: ~ +authelia_config_server_tls_certificate: ~ +authelia_config_server_tls_client_certificates: [] +authelia_config_server_headers_csp_template: ~ +authelia_config_log_level: info +authelia_config_log_format: json +authelia_config_log_file_path: ~ +authelia_config_log_keep_stdout: false +authelia_config_totp_disable: true +authelia_config_totp_issuer: "{{ authelia_domain }}" +authelia_config_totp_algorithm: sha1 +authelia_config_totp_digits: 6 +authelia_config_totp_period: 30 +authelia_config_totp_skew: 1 +authelia_config_totp_secret_size: 32 +authelia_config_webauthn_disable: true +authelia_config_webauthn_timeout: 60s +authelia_config_webauthn_display_name: "Authelia ({{ authelia_domain }})" +authelia_config_webauthn_attestation_conveyance_preference: indirect +authelia_config_webauthn_user_verification: preferred +authelia_config_duo_api_hostname: ~ +authelia_config_duo_api_integration_key: ~ +authelia_config_duo_api_secret_key: ~ +authelia_config_duo_api_enable_self_enrollment: false +authelia_config_ntp_address: "time.cloudflare.com:123" +authelia_config_ntp_version: 4 +authelia_config_ntp_max_desync: 3s +authelia_config_ntp_disable_startup_check: false +authelia_config_ntp_disable_failure: false +authelia_config_authentication_backend_disable_reset_password: false +authelia_config_authentication_backend_refresh_interval: 5m +authelia_config_authentication_backend_password_reset_custom_url: ~ +authelia_config_authentication_backend_ldap_implementation: custom +authelia_config_authentication_backend_ldap_url: ldap://127.0.0.1:389 +authelia_config_authentication_backend_ldap_timeout: 5s +authelia_config_authentication_backend_ldap_start_tls: false +authelia_config_authentication_backend_ldap_tls_skip_verify: false +authelia_config_authentication_backend_ldap_minimum_version: "{{ authelia_tls_minimum_version }}" +authelia_config_authentication_backend_ldap_base_dn: ~ +authelia_config_authentication_backend_ldap_additional_users_dn: "ou=users" +authelia_config_authentication_backend_ldap_users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=inetOrgPerson))" +authelia_config_authentication_backend_ldap_additional_groups_dn: "ou=groups" +authelia_config_authentication_backend_ldap_groups_filter: "(member={dn})" +authelia_config_authentication_backend_ldap_group_name_attribute: cn +authelia_config_authentication_backend_ldap_username_attribute: uid +authelia_config_authentication_backend_ldap_mail_attribute: mail +authelia_config_authentication_backend_ldap_display_name_attribute: displayName +authelia_config_authentication_backend_ldap_user: ~ +authelia_config_authentication_backend_ldap_password: ~ +authelia_config_authentication_backend_file_path: ~ +authelia_config_authentication_backend_file_password_algorithm: argon2id +authelia_config_authentication_backend_file_password_iterations: 5 +authelia_config_authentication_backend_file_password_key_length: 32 +authelia_config_authentication_backend_file_password_salt_length: 16 +authelia_config_authentication_backend_file_password_memory: 1024 +authelia_config_authentication_backend_file_password_parallelism: 8 +authelia_config_password_policy_standard_enabled: false +authelia_config_password_policy_standard_min_length: 12 +authelia_config_password_policy_standard_max_length: 0 +authelia_config_password_policy_standard_require_uppercase: true +authelia_config_password_policy_standard_require_lowercase: true +authelia_config_password_policy_standard_require_number: true +authelia_config_password_policy_standard_require_special: false +authelia_config_password_policy_zxcvbn_enabled: true +authelia_config_access_control_default_policy: deny +authelia_config_access_control_networks: [] +authelia_config_access_control_rules: [] +authelia_config_session_name: authelia_session +authelia_config_session_domain: example.org +authelia_config_session_same_site: lax +authelia_config_session_secret: ~ +authelia_config_session_expiration: 1h +authelia_config_session_inactivity: 5m +authelia_config_session_remember_me_duration: 1M +authelia_config_session_redis_host: "{{ authelia_redis_host }}" +authelia_config_session_redis_port: "{{ authelia_redis_port }}" +authelia_config_session_redis_username: "{{ authelia_redis_user }}" +authelia_config_session_redis_password: "{{ authelia_redis_pass }}" +authelia_config_session_redis_database_index: 0 +authelia_config_session_redis_maximum_active_connections: 8 +authelia_config_session_redis_minimum_idle_connections: 0 +authelia_config_session_redis_enable_tls: false +authelia_config_session_redis_tls_server_name: ~ +authelia_config_session_redis_tls_skip_verify: false +authelia_config_session_redis_tls_minimum_version: "{{ authelia_tls_minimum_version }}" +authelia_config_regulation_max_retries: 3 +authelia_config_regulation_find_time: 2m +authelia_config_regulation_ban_time: 5m +authelia_config_storage_encryption_key: ~ +authelia_config_storage_local_path: ~ +authelia_config_storage_mysql_port: 3306 +authelia_config_storage_postgres_port: 5432 +authelia_config_storage_postgres_ssl_mode: disable +authelia_config_storage_postgres_ssl_root_certificate: disable +authelia_config_storage_postgres_ssl_certificate: disable +authelia_config_storage_postgres_ssl_key: disable +authelia_config_notifier_disable_startup_check: false +authelia_config_notifier_filesystem_filename: ~ +authelia_config_notifier_smtp_host: "{{ authelia_smtp_host }}" +authelia_config_notifier_smtp_port: "{{ authelia_stmp_port }}" +authelia_config_notifier_smtp_username: "{{ authelia_smtp_user }}" +authelia_config_notifier_smtp_password: "{{ authelia_smtp_pass }}" +authelia_config_notifier_smtp_timeout: 5s +authelia_config_notifier_smtp_sender: "Authelia on {{ authelia_domain }} " +authelia_config_notifier_smtp_identifier: "{{ authelia_domain }}" +authelia_config_notifier_smtp_subject: "[Authelia @ {{ authelia_domain }}] {title}" +authelia_config_notifier_smtp_startup_check_address: false +authelia_config_notifier_smtp_disable_require_tls: false +authelia_config_notifier_smtp_disable_html_emails: false +authelia_config_notifier_smtp_tls_skip_verify: false +authelia_config_notifier_smtp_tls_minimum_version: "{{ authelia_tls_minimum_version }}" +#authelia_config_identity_provider_ + +authelia_database_type: ~ +authelia_database_host: ~ +authelia_database_user: authelia +authelia_database_pass: ~ +authelia_database_name: authelia +authelia_database_timeout: 5s + +authelia_smtp_host: ~ +authelia_stmp_port: 465 +authelia_stmp_user: authelia +authelia_stmp_pass: ~ + +authelia_redis_host: ~ +authelia_redis_port: 6379 +authelia_redis_user: ~ +authelia_redis_pass: ~ + +authelia_extra_config: {} diff --git a/roles/authelia/handlers/main.yml b/roles/authelia/handlers/main.yml new file mode 100644 index 0000000..e30beca --- /dev/null +++ b/roles/authelia/handlers/main.yml @@ -0,0 +1,8 @@ +--- + +- name: Restart authelia container + docker_container: + name: "{{ authelia_container_name }}" + state: started + restart: yes + listen: restart-authelia diff --git a/roles/authelia/tasks/main.yml b/roles/authelia/tasks/main.yml new file mode 100644 index 0000000..52b4e32 --- /dev/null +++ b/roles/authelia/tasks/main.yml @@ -0,0 +1,88 @@ +--- + +- name: Ensure user {{ authelia_user }} exists + user: + name: "{{ authelia_user }}" + state: present + system: true + register: authelia_user_info + +- name: Ensure host directories are created with correct permissions + file: + path: "{{ item.path }}" + state: directory + owner: "{{ item.owner | default(authelia_user) }}" + group: "{{ item.group | default(authelia_user) }}" + mode: "{{ item.mode | default('0750') }}" + loop: + - path: "{{ authelia_base_dir }}" + mode: "0755" + - path: "{{ authelia_config_dir }}" + mode: "0750" + - path: "{{ authelia_data_dir }}" + mode: "0750" + +- name: Ensure config file is generated + copy: + content: "{{ authelia_config | to_nice_yaml(indent=2, width=10000) }}" + dest: "{{ authelia_config_file }}" + owner: "{{ authelia_run_user }}" + group: "{{ authelia_run_group }}" + mode: "0640" + notify: restart-authelia + +- name: Ensure sqlite database file exists before mounting it + file: + path: "{{ authelia_sqlite_storage_file }}" + state: touch + owner: "{{ authelia_run_user }}" + group: "{{ authelia_run_group }}" + mode: "0640" + access_time: preserve + modification_time: preserve + when: authelia_config_storage_local_path | default(false, true) + +- name: Ensure user database exists before mounting it + file: + path: "{{ authelia_user_storage_file }}" + state: touch + owner: "{{ authelia_run_user }}" + group: "{{ authelia_run_group }}" + mode: "0640" + access_time: preserve + modification_time: preserve + when: authelia_config_authentication_backend_file_path | default(false, true) + +- name: Ensure notification reports file exists before mounting it + file: + path: "{{ authelia_notification_storage_file }}" + state: touch + owner: "{{ authelia_run_user }}" + group: "{{ authelia_run_group }}" + mode: "0640" + access_time: preserve + modification_time: preserve + when: authelia_config_notifier_filesystem_filename | default(false, true) + +- name: Ensure authelia container image is present + community.docker.docker_image: + name: "{{ authelia_container_image_ref }}" + state: present + source: pull + force_source: "{{ authelia_container_image_force_pull }}" + register: authelia_container_image_info + +- name: Ensure authelia container is running + docker_container: + name: "{{ authelia_container_name }}" + image: "{{ authelia_container_image_ref }}" + env: "{{ authelia_container_env }}" + user: "{{ authelia_run_user }}:{{ authelia_run_group }}" + ports: "{{ authelia_container_ports | default(omit, true) }}" + labels: "{{ authelia_container_labels }}" + volumes: "{{ authelia_container_volumes }}" + networks: "{{ authelia_container_networks | default(omit, true) }}" + purge_networks: "{{ authelia_container_purge_networks | default(omit, true)}}" + restart_policy: "{{ authelia_container_restart_policy }}" + state: "{{ authelia_container_state }}" + register: authelia_container_info diff --git a/roles/authelia/vars/main.yml b/roles/authelia/vars/main.yml new file mode 100644 index 0000000..3d6996e --- /dev/null +++ b/roles/authelia/vars/main.yml @@ -0,0 +1,259 @@ +--- + +authelia_run_user: "{{ (authelia_user_info.uid) if authelia_user_info is defined else authelia_user }}" +authelia_run_group: "{{ (authelia_user_info.group) if authelia_user_info is defined else authelia_user }}" + +authelia_container_base_volumes: >-2 + {{ [ authelia_config_file + ":/config/configuration.yml:ro"] + + ([ authelia_sqlite_storage_file + ":" + authelia_config_storage_local_path + ":z" ] + if authelia_config_storage_local_path | default(false, true) else []) + + ([ authelia_notification_storage_file + ":" + authelia_config_notifier_filesystem_filename + ":z" ] + if authelia_config_notifier_filesystem_filename | default(false, true) else []) + + ( [authelia_user_storage_file + ":" + authelia_config_authentication_backend_file_path + ":z"] + if authelia_config_authentication_backend_file_path | default(false, true) else []) + }} + +authelia_container_base_labels: + version: "{{ authelia_version }}" + +authelia_config: "{{ authelia_base_config | combine(authelia_extra_config, recursive=True) }}" +authelia_top_level_config: + theme: "{{ authelia_config_theme }}" + jwt_secret: "{{ authelia_config_jwt_secret }}" + log: "{{ authelia_config_log }}" + totp: "{{ authelia_config_totp }}" + webauthn: "{{ authelia_config_webauthn }}" + duo_api: "{{ authelia_config_duo_api }}" + ntp: "{{ authelia_config_ntp }}" + authentication_backend: "{{ authelia_config_authentication_backend }}" +# password_policy: "{{ authelia_config_password_policy }}" + access_control: "{{ authelia_config_access_control }}" + session: "{{ authelia_config_session }}" + regulation: "{{ authelia_config_regulation }}" + storage: "{{ authelia_config_storage }}" + notifier: "{{ authelia_config_notifier }}" + +authelia_base_config: >-2 + {{ + authelia_top_level_config + | combine({"default_redirection_url": authelia_config_default_redirection_url} + if authelia_config_default_redirection_url | default(false, true) else {}) + | combine(({"server": authelia_config_server }) + | combine({"tls": authelia_config_server_tls} + if authelia_config_server_tls_key | default(false, true) else {})) + }} + +authelia_config_server: >-2 + {{ + { + "host": authelia_config_server_host, + "port": authelia_config_server_port, + "path": authelia_config_server_path, + "read_buffer_size": authelia_config_server_read_buffer_size, + "write_buffer_size": authelia_config_server_write_buffer_size, + "enable_pprof": authelia_config_server_enable_pprof, + "enable_expvars": authelia_config_server_enable_expvars, + "disable_healthcheck": authelia_config_server_disable_healthcheck, + } | combine({"headers": {"csp_template": authelia_config_server_headers_csp_template}} + if authelia_config_server_headers_csp_template | default(false, true) else {}) + }} +authelia_config_server_tls: + key: "{{ authelia_config_server_tls_key }}" + certificate: "{{ authelia_config_server_tls_certificate }}" + client_certificates: "{{ authelia_config_server_tls_client_certificates }}" +authelia_config_log: >-2 + {{ + { + "level": authelia_config_log_level, + "format": authelia_config_log_format + } + | combine({"file_path": authelia_config_log_file_path} + if authelia_config_log_file_path | default(false, true) else {}) + | combine({"keep_stdout": authelia_config_log_keep_stdout} + if authelia_config_log_file_path | default(false, true) else {}) + }} +authelia_config_totp: + disable: "{{ authelia_config_totp_disable }}" + issuer: "{{ authelia_config_totp_issuer }}" + algorithm: "{{ authelia_config_totp_algorithm }}" + digits: "{{ authelia_config_totp_digits }}" + period: "{{ authelia_config_totp_period }}" + skew: "{{ authelia_config_totp_skew }}" +# secret_size: "{{ authelia_config_totp_secret_size }}" +authelia_config_webauthn: + disable: "{{ authelia_config_webauthn_disable }}" + timeout: "{{ authelia_config_webauthn_timeout }}" + display_name: "{{ authelia_config_webauthn_display_name }}" + attestation_conveyance_preference: "{{ authelia_config_webauthn_attestation_conveyance_preference }}" + user_verification: "{{ authelia_config_webauthn_user_verification }}" +authelia_config_duo_api: + hostname: "{{ authelia_config_duo_api_hostname }}" + integration_key: "{{ authelia_config_duo_api_integration_key }}" + secret_key: "{{ authelia_config_duo_api_secret_key }}" + enable_self_enrollment: "{{ authelia_config_duo_api_enable_self_enrollment }}" +authelia_config_ntp: + address: "{{ authelia_config_ntp_address }}" + version: "{{ authelia_config_ntp_version }}" + max_desync: "{{ authelia_config_ntp_max_desync }}" + disable_startup_check: "{{ authelia_config_ntp_disable_startup_check }}" + disable_failure: "{{ authelia_config_ntp_disable_failure }}" + +authelia_config_authentication_backend: >-2 + {{ + { + "disable_reset_password": authelia_config_authentication_backend_disable_reset_password, + "refresh_interval": authelia_config_authentication_backend_refresh_interval, + } + | combine({"password_reset": authelia_config_authentication_backend_password_reset} + if authelia_config_authentication_backend_password_reset_custom_url | default(false, true) else {}) + | combine({"file": authelia_config_authentication_backend_file} + if authelia_config_authentication_backend_file_path | default(false, true) + else {"ldap": authelia_config_authentication_backend_ldap}) + }} +authelia_config_authentication_backend_password_reset: + custom_url: "{{ authelia_config_authentication_backend_password_reset_custom_url }}" +authelia_config_authentication_backend_ldap: + implementation: "{{ authelia_config_authentication_backend_ldap_implementation }}" + url: "{{ authelia_config_authentication_backend_ldap_url }}" + timeout: "{{ authelia_config_authentication_backend_ldap_timeout }}" + start_tls: "{{ authelia_config_authentication_backend_ldap_start_tls }}" + tls: + skip_verify: "{{ authelia_config_authentication_backend_ldap_tls_skip_verify }}" + minimum_version: "{{ authelia_config_authentication_backend_ldap_minimum_version }}" + base_dn: "{{ authelia_config_authentication_backend_ldap_base_dn }}" + additional_users_dn: "{{ authelia_config_authentication_backend_ldap_additional_users_dn }}" + additional_groups_dn: "{{ authelia_config_authentication_backend_ldap_additional_groups_dn }}" + users_filter: "{{ authelia_config_authentication_backend_ldap_users_filter }}" + groups_filter: "{{ authelia_config_authentication_backend_ldap_groups_filter }}" + group_name_attribute: "{{ authelia_config_authentication_backend_ldap_group_name_attribute }}" + username_attribute: "{{ authelia_config_authentication_backend_ldap_username_attribute }}" + mail_attribute: "{{ authelia_config_authentication_backend_ldap_mail_attribute }}" + display_name_attribute: "{{ authelia_config_authentication_backend_ldap_display_name_attribute }}" + user: "{{ authelia_config_authentication_backend_ldap_user }}" + password: "{{ authelia_config_authentication_backend_ldap_password }}" +authelia_config_authentication_backend_file: + path: "{{ authelia_config_authentication_backend_file_path }}" + password: + algorithm: "{{ authelia_config_authentication_backend_file_password_algorithm }}" + iterations: "{{ authelia_config_authentication_backend_file_password_iterations }}" + key_length: "{{ authelia_config_authentication_backend_file_password_key_length }}" + salt_lenght: "{{ authelia_config_authentication_backend_file_password_salt_length }}" + memory: "{{ authelia_config_authentication_backend_file_password_memory }}" + parallelism: "{{ authelia_config_authentication_backend_file_password_parallelism }}" +authelia_config_password_policy: >-2 + {{ + {"standard": authelia_config_password_policy_standard} + if authelia_config_password_policy_standard_enabled + else {"zxcvbn": authelia_config_password_policy_zxcvbn} + }} +authelia_config_password_policy_standard: + enabled: "{{ authelia_config_password_policy_standard_enabled }}" + min_length: "{{ authelia_config_password_policy_standard_min_length }}" + max_length: "{{ authelia_config_password_policy_standard_max_length }}" + require_uppercase: "{{ authelia_config_password_policy_standard_require_uppercase }}" + require_lowercase: "{{ authelia_config_password_policy_standard_require_lowercase }}" + require_number: "{{ authelia_config_password_policy_standard_require_number }}" + require_special: "{{ authelia_config_password_policy_standard_require_special }}" +authelia_config_password_policy_zxcvbn: + enabled: "{{ authelia_config_password_policy_zxcvbn_enabled }}" +authelia_config_access_control: + default_policy: "{{ authelia_config_access_control_default_policy }}" + networks: "{{ authelia_config_access_control_networks }}" + rules: "{{ authelia_config_access_control_rules }}" +authelia_config_session: + name: "{{ authelia_config_session_name }}" + domain: "{{ authelia_config_session_domain }}" + same_site: "{{ authelia_config_session_same_site }}" + secret: "{{ authelia_config_session_secret }}" + expiration: "{{ authelia_config_session_expiration }}" + inactivity: "{{ authelia_config_session_inactivity }}" + remember_me_duration: "{{ authelia_config_session_remember_me_duration }}" +authelia_config_session_redis: >-2 + {{ + { + "host": authelia_config_session_redis_host, + "database_index": authelia_config_session_redis_database_index, + "maximum_active_connections": authelia_config_session_redis_maximum_active_connections, + "minimum_idle_connections": authelia_config_session_redis_minimum_idle_connections + } + | combine({"password": authelia_config_session_redis_password} + if authelia_config_session_redis_password | default(false, true) else {}) + | combine({"username": authelia_config_session_redis_username} + if authelia_config_session_redis_username | default(false, true) else {}) + | combine({"port": authelia_config_session_redis_port} + if '/' not in authelia_config_session_redis_host else {}) + | combine({"tls": authelia_config_session_redis_tls} + if authelia_config_session_redis_enable_tls | default(false, true) else {}) + }} +authelia_config_session_redis_tls: >-2 + {{ + { + "skip_verify": authelia_config_session_redis_tls_skip_verify, + "minimum_version": authelia_config_session_redis_tls_minimum_version, + } + | combine({"server_name": authelia_config_session_redis_tls_server_name} + if authelia_config_session_redis_tls_server_name | default(false, true) else {}) + }} +authelia_config_regulation: + max_retries: "{{ authelia_config_regulation_max_retries }}" + find_time: "{{ authelia_config_regulation_find_time }}" + ban_time: "{{ authelia_config_regulation_ban_time }}" +authelia_config_storage: >-2 + {{ + { "encryption_key": authelia_config_storage_encryption_key } + | combine({"local": authelia_config_storage_local} + if authelia_database_type in ['local', 'sqlite'] else {}) + | combine({"mysql": authelia_config_storage_mysql} + if authelia_database_type == 'mysql' else {}) + | combine({"postgres": authelia_config_storage_postgres} + if authelia_database_type in ['postgres', 'postgresql'] else {}) + }} +authelia_config_storage_local: + path: "{{ authelia_config_storage_local_path }}" +authelia_config_storage_mysql: + host: "{{ authelia_database_host }}" + port: "{{ authelia_config_storage_mysql_port }}" + database: "{{ authelia_database_name }}" + username: "{{ authelia_database_user }}" + password: "{{ authelia_database_pass }}" + timeout: "{{ authelia_database_timeout }}" +authelia_config_storage_postgres: + host: "{{ authelia_database_host }}" + port: "{{ authelia_config_storage_postgres_port }}" + database: "{{ authelia_database_name }}" + schema: public + username: "{{ authelia_database_user }}" + password: "{{ authelia_database_pass }}" + timeout: "{{ authelia_database_timeout }}" +authelia_config_storage_postgres_ssl: + mode: "{{ authelia_config_storage_postgres_ssl_mode }}" + root_certificate: "{{ authelia_config_storage_postgres_ssl_root_certificate }}" + certificate: "{{ authelia_config_storage_postgres_ssl_certificate }}" + key: "{{ authelia_config_storage_postgres_ssl_key }}" +authelia_config_notifier: >-2 + {{ + { + "disable_startup_check": authelia_config_notifier_disable_startup_check + } + | combine({"filesystem": authelia_config_notifier_filesystem} + if authelia_config_notifier_filesystem_filename else {}) + | combine({"smtp": authelia_config_notifier_smtp} + if not authelia_config_notifier_filesystem_filename else {}) + }} +authelia_config_notifier_filesystem: + filename: "{{ authelia_config_notifier_filesystem_filename }}" +authelia_config_notifier_smtp: + host: "{{ authelia_config_notifier_smtp_host }}" + port: "{{ authelia_config_notifier_smtp_port }}" + timeout: "{{ authelia_config_notifier_smtp_timeout }}" + username: "{{ authelia_config_notifier_smtp_username }}" + password: "{{ authelia_config_notifier_smtp_password }}" + sender: "{{ authelia_config_notifier_smtp_sender }}" + identifier: "{{ authelia_config_notifier_smtp_identifier }}" + subject: "{{ authelia_config_notifier_smtp_subject }}" + startup_check_address: "{{ authelia_config_notifier_smtp_startup_check_address }}" + disable_require_tls: "{{ authelia_config_notifier_smtp_disable_require_tls }}" + disable_html_emails: "{{ authelia_config_notifier_smtp_disable_html_emails }}" + tls: + skip_verify: "{{ authelia_config_notifier_smtp_tls_skip_verify }}" + minimum_version: "{{ authelia_config_notifier_smtp_tls_minimum_version }}" -- 2.45.2 From 98c3877081038d859588c0c0e3eaa4df955c75aa Mon Sep 17 00:00:00 2001 From: Johanna Dorothea Reichmann Date: Sat, 16 Apr 2022 14:35:07 +0200 Subject: [PATCH 2/2] chore: add authelia to repo README --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 55be81a..95f2f10 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,9 @@ concise area of concern. ## Roles +- [`roles/authelia`](roles/authelia/README.md): Deploys an [authelia.com](https://www.authelia.com) + instance, an authentication provider with beta OIDC provider support. + - [`roles/gitea`](roles/gitea/README.md): Deploy [gitea.io](https://gitea.io), a lightweight, self-hosted git service. -- 2.45.2