authelia: use lldap for simplicity

expanded the config inventory variables.

roles/authelia/defaults/main.yml

@@ -17,8 +17,23 @@ authelia_name: authelia
 # Configuration
 ################################
 
+# Options are light, dark, grey or auto.
+authelia_theme: "auto"
+
 # Options are file or ldap
 authelia_authentication_backend: "file"
+authelia_authentication_backend_password_reset_disable: "false"
+authelia_authentication_backend_password_reset_custom_url: ""
+authelia_authentication_backend_refresh_interval: "5m"
+authelia_authentication_backend_file_path: "/config/users_database.yml"
+authelia_authentication_backend_file_watch: "true"
+authelia_authentication_backend_file_password_algorithm: "argon2"
+authelia_authentication_backend_file_password_argon2_variant: "argon2id"
+authelia_authentication_backend_file_password_argon2_iterations: "3"
+authelia_authentication_backend_file_password_argon2_memory: "65536"
+authelia_authentication_backend_file_password_argon2_parallelism: "4"
+authelia_authentication_backend_file_password_argon2_key_length: "32"
+authelia_authentication_backend_file_password_argon2_salt_length: "16"
 
 # Setting for default Access Control Policy - recommended options one_factor or two_factor
 # Reference: https://www.authelia.com/configuration/security/access-control/#one_factor
@@ -60,6 +75,68 @@ authelia_notifier_smtp_tls_server_name: ""
 authelia_notifier_smtp_tls_skip_verify: ""
 authelia_notifier_smtp_tls_minimum_version: ""
 
+# Settings for Authelia's server
+# Reference: https://www.authelia.com/configuration/miscellaneous/server/
+# https://www.authelia.com/c/server#buffer-sizes
+authelia_server_host: "0.0.0.0"
+authelia_server_port: "9091"
+authelia_server_path: ""
+authelia_server_buffers_read: "10485760"
+authelia_server_buffers_write: "10485760"
+authelia_server_enable_pprof: "false"
+authelia_server_enable_expvars: "false"
+authelia_server_disable_healthcheck: "false"
+authelia_server_headers_csp_template: "frame-ancestors 'self' *.{{ user.domain }} {{ user.domain }}; default-src 'self'; object-src 'none'; style-src 'self' 'nonce-${NONCE}'"
+
+# Settings for Logging
+# Reference: https://www.authelia.com/configuration/miscellaneous/logging/
+authelia_log_level: "info"
+authelia_log_format: "text"
+authelia_log_file_path: "/config/authelia.log"
+authelia_log_keep_stdout: "true"
+
+# JWT
+authelia_jwt_secret: "{{ lookup('password', '/dev/null chars=ascii_letters,digits length=32') }}"
+
+# TOTP
+authelia_totp_issuer: "authelia.com"
+authelia_totp_period: "30"
+authelia_totp_skew: "1"
+authelia_totp_digits: "6"
+authelia_totp_secret_size: "32"
+
+# Default redirection
+authelia_default_redirection_url: ""
+
+# Default 2FA Method
+authelia_default_2fa_method: ""
+
+# NTP
+authelia_ntp_address: "time.cloudflare.com:123"
+authelia_ntp_version: "3"
+authelia_ntp_max_desync: "3s"
+authelia_ntp_disable_startup_check: "false"
+authelia_ntp_disable_failure: "false"
+
+# Password Policy
+authelia_password_policy_standard_enabled: "false"
+authelia_password_policy_standard_min_length: "8"
+authelia_password_policy_standard_max_length: "0"
+authelia_password_policy_standard_require_uppercase: "true"
+authelia_password_policy_standard_require_lowercase: "true"
+authelia_password_policy_standard_require_number: "true"
+authelia_password_policy_standard_require_special: "true"
+authelia_password_policy_zxcvbn_enabled: "false"
+authelia_password_policy_zxcvbn_min_score: "3"
+
+# Access Control
+authelia_access_control_default_policy: "deny"
+authelia_access_control_rules:
+  - domain:
+      - "{{ '*.' + user.domain | lower }}"
+      - "{{ user.domain | lower }}"
+    policy: "{{ authelia_access_control_policy }}"
+
 ################################
 # Paths
 ################################

roles/authelia/tasks/subtasks/ldap_backend.yml

@@ -17,10 +17,6 @@
     {{ saltbox_python }} -c "from tld import get_tld; res = get_tld(\"http://{{ authelia_web_domain | default(user.domain) }}\", as_object=True); print(res.domain)"
   register: authelia_domain
 
-- name: LDAP | Import OpenLDAP Role
+- name: LDAP | Import lldap Role
   ansible.builtin.include_role:
-    name: openldap
-
-- name: LDAP | Import phpLDAPadmin Role
-  ansible.builtin.include_role:
-    name: phpldapadmin
+    name: lldap

roles/authelia/templates/configuration.yml.j2

@@ -3,35 +3,51 @@
 #                   Authelia configuration                    #
 ###############################################################
 
-jwt_secret: {{ lookup('password', '/dev/null chars=ascii_letters,digits length=32') }}
+jwt_secret: {{ authelia_jwt_secret }}
 
 # Options are light, dark, grey or auto
-theme: auto
+theme: {{ authelia_theme }}
+
+{% if authelia_default_redirection_url | length > 0 %}
+default_redirection_url: {{ authelia_default_redirection_url }}
+
+{% endif %}
+default_2fa_method: "{{ authelia_default_2fa_method }}"
 
 server:
-  host: 0.0.0.0
-  port: 9091
-  path: ""
+  host: {{ authelia_server_host }}
+  port: {{ authelia_server_port }}
+  path: "{{ authelia_server_path }}"
   buffers:
-    read: 10485760
-    write: 10485760
-  enable_pprof: false
-  enable_expvars: false
-  disable_healthcheck: false
+    read: {{ authelia_server_buffers_read }}
+    write: {{ authelia_server_buffers_write }}
+  enable_pprof: {{ authelia_server_enable_pprof }}
+  enable_expvars: {{ authelia_server_enable_expvars }}
+  disable_healthcheck: {{ authelia_server_disable_healthcheck }}
   headers:
-    csp_template: "frame-ancestors 'self' *.{{ user.domain }} {{ user.domain }}; default-src 'self'; object-src 'none'; style-src 'self' 'nonce-${NONCE}'"
+    csp_template: "{{ authelia_server_headers_csp_template }}"
 
 log:
-  level: info
-  format: text
-  file_path: "/config/authelia.log"
-  keep_stdout: true
+  level: {{ authelia_log_level }}
+  format: {{ authelia_log_format }}
+  file_path: {{ authelia_log_file_path }}
+  keep_stdout: {{ authelia_log_keep_stdout }}
 
 totp:
-  issuer: authelia.com
-  period: 30
-  skew: 1
+  issuer: {{ authelia_totp_issuer }}
+  period: {{ authelia_totp_period }}
+  skew: {{ authelia_totp_skew }}
+  digits: {{ authelia_totp_digits }}
+  secret_size: {{ authelia_totp_secret_size }}
 
+{% if authelia_duo_enabled == 'true' %}
+duo_api:
+  disable: false
+  hostname: {{ authelia_duo_hostname }}
+  integration_key: {{ authelia_duo_integration_key }}
+  secret_key: {{ authelia_duo_secret_key }}
+  enable_self_enrollment: {{ authelia_duo_self_enrollment }}
+{% else %}
 #
 # If you want to use Duo Push notifications
 #
@@ -42,15 +58,8 @@ totp:
 #
 # Read more at https://www.authelia.com/docs/configuration/duo-push-notifications.html
 #
-{% if authelia_duo_enabled == 'true' %}
-
-duo_api:
-  hostname: {{ authelia_duo_hostname }}
-  integration_key: {{ authelia_duo_integration_key }}
-  secret_key: {{ authelia_duo_secret_key }}
-  enable_self_enrollment: {{ authelia_duo_self_enrollment }}
-
 {% endif %}
+
 webauthn:
   disable: {{ authelia_webauthn_disable }}
   display_name: {{ authelia_webauthn_display_name }}
@@ -59,44 +68,63 @@ webauthn:
   timeout: {{ authelia_webauthn_timeout }}
 
 authentication_backend:
+  password_reset:
+    disable: {{ authelia_authentication_backend_password_reset_disable }}
+    custom_url: "{{ authelia_authentication_backend_password_reset_custom_url }}"
+  refresh_interval: {{ authelia_authentication_backend_refresh_interval }}
 {% if authelia_authentication_backend == 'file' %}
   file:
-    path: /config/users_database.yml
+    path: {{ authelia_authentication_backend_file_path }}
+    watch: {{ authelia_authentication_backend_file_watch }}
     password:
-      algorithm: argon2id
-      iterations: 1
-      salt_length: 16
-      parallelism: 8
-      memory: 64
+      algorithm: {{ authelia_authentication_backend_file_password_algorithm }}
+      argon2:
+        variant: {{ authelia_authentication_backend_file_password_argon2_variant }}
+        iterations: {{ authelia_authentication_backend_file_password_argon2_iterations }}
+        memory: {{ authelia_authentication_backend_file_password_argon2_memory }}
+        parallelism: {{ authelia_authentication_backend_file_password_argon2_parallelism }}
+        key_length: {{ authelia_authentication_backend_file_password_argon2_key_length }}
+        salt_length: {{ authelia_authentication_backend_file_password_argon2_salt_length }}
 {% endif %}
 {% if authelia_authentication_backend == 'ldap' %}
   ldap:
     implementation: custom
-    url: ldap://openldap
+    url: ldap://lldap:3890
     start_tls: false
     tls:
       skip_verify: true
       minimum_version: TLS1.2
     base_dn: dc={{ authelia_domain.stdout }},dc={{ authelia_tld.stdout }}
     additional_users_dn: ou=people
-    users_filter: (&({username_attribute}={input})(objectClass=person))
+    users_filter: "(&({username_attribute}={input})(objectClass=person))"
     additional_groups_dn: ou=groups
-    groups_filter: (&(uniquemember={dn})(objectclass=groupOfUniqueNames))
+    groups_filter: "(member={dn})"
     group_name_attribute: cn
-    user: cn=admin,dc={{ authelia_domain.stdout }},dc={{ authelia_tld.stdout }}
+    mail_attribute: mail
+    display_name_attribute: displayName
+    user: uid={{ user.name }},ou=people,dc={{ authelia_domain.stdout }},dc={{ authelia_tld.stdout }}
     password: {{ user.pass }}
 {% endif %}
 
+password_policy:
+  standard:
+    enabled: {{ authelia_password_policy_standard_enabled }}
+    min_length: {{ authelia_password_policy_standard_min_length }}
+    max_length: {{ authelia_password_policy_standard_max_length }}
+    require_uppercase: {{ authelia_password_policy_standard_require_uppercase }}
+    require_lowercase: {{ authelia_password_policy_standard_require_lowercase }}
+    require_number: {{ authelia_password_policy_standard_require_number }}
+    require_special: {{ authelia_password_policy_standard_require_special }}
+  zxcvbn:
+    enabled: {{ authelia_password_policy_zxcvbn_enabled }}
+    min_score: {{ authelia_password_policy_zxcvbn_min_score }}
+
 #
 # Read more at https://www.authelia.com/docs/configuration/access-control.html
 #
 access_control:
-  default_policy: deny
-  rules:
-    - domain:
-        - "{{ '*.' + user.domain | lower }}"
-        - "{{ user.domain | lower }}"
-      policy: {{ authelia_access_control_policy }}
+  default_policy: {{ authelia_access_control_default_policy }}
+  rules: {{ authelia_access_control_rules }}
 
 session:
   name: {{ authelia_web_subdomain + '.' + authelia_web_domain | lower }}
@@ -121,18 +149,17 @@ storage:
     path: /config/db.sqlite3
 
 ntp:
-  address: time.cloudflare.com:123
-  version: 3
-  max_desync: 3s
-  disable_startup_check: false
-  disable_failure: false
+  address: "{{ authelia_ntp_address }}"
+  version: {{ authelia_ntp_version }}
+  max_desync: {{ authelia_ntp_max_desync }}
+  disable_startup_check: {{ authelia_ntp_disable_startup_check }}
+  disable_failure: {{ authelia_ntp_disable_failure }}
 
 notifier:
   disable_startup_check: {{ authelia_notifier_disable_startup_check }}
 {% if authelia_notifier == 'filesystem' %}
   filesystem:
     filename: /config/notification.txt
-
 {% endif %}
 {% if authelia_notifier == 'smtp' %}
   smtp:
@@ -151,8 +178,7 @@ notifier:
       server_name: {{ (authelia_notifier_smtp_tls_server_name) | default(omit) }}
       skip_verify: {{ (authelia_notifier_smtp_tls_skip_verify) | default(omit) }}
       minimum_version: {{ (authelia_notifier_smtp_tls_minimum_version) | default(omit) }}
-{% endif %}
-
+{% else %}
 #
 # If you want to use email here is a template (Replace the above entry as you can only have one notifier configured)
 #
@@ -177,6 +203,7 @@ notifier:
 #
 # Read more at https://www.authelia.com/docs/configuration/notifier/smtp.html
 #
+{% endif %}
 
 telemetry:
   metrics: