inventory, roles, config, docs: update all files to refactor the ansible variables structure

2026-04-01 21:30:56 +09:00
parent d1e0eb30c0
commit 84d961c7e3
62 changed files with 321 additions and 254 deletions
--- a/config/services/containers/auth/authelia/authelia.container.j2
+++ b/config/services/containers/auth/authelia/authelia.container.j2
@@ -15,7 +15,7 @@ ContainerName=authelia
 HostName=authelia

 # Web UI
-PublishPort=9091:9091/tcp
+PublishPort={{ services['authelia']['ports']['http'] }}:9091/tcp


 Volume=%h/containers/authelia/config:/config:rw
@@ -56,8 +56,9 @@ Exec=--config /config/authelia.yaml
 # Wait for dependency
 # They run as rootless podman container, so their port is not opened until they are normaly running
 # Check their ports with nc command 
-ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
-ExecStartPre=/usr/bin/nc -zv {{ infra_uri['ldap']['domain'] }} {{ infra_uri['ldap']['ports']['ldaps'] }}
+ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
+# services['ldap']['ports']['ldaps'] is 6360, but nftables works on 636 the original port
+ExecStartPre=/usr/bin/nc -zv {{ services['ldap']['domain'] }}.{{ domain['internal'] }} 636
 ExecStartPre=sleep 5
 Restart=always
 RestartSec=10s
--- a/config/services/containers/auth/authelia/config/authelia.yaml.j2
+++ b/config/services/containers/auth/authelia/config/authelia.yaml.j2
@@ -20,7 +20,7 @@ log:
 # TOTP configuration
 totp:
  # issure option is for 2FA app. It works as identifier. "My homelab' or 'ilnmors.internal', 'Authelia - ilnmors'
-  issuer: 'ilnmors.internal'
+  issuer: '{{ domain['internal'] }}'

 # Identity validation confituration
 identity_validation:
@@ -31,21 +31,21 @@ identity_validation:
 authentication_backend:
  ldap:
    # ldaps uses 636 -> NAT automatically change port 636 in output packet -> 2636 which lldap server uses.
-    address: 'ldaps://ldap.ilnmors.internal'
+    address: 'ldaps://{{ services['ldap']['domain'] }}.{{ domain['internal'] }}'
    implementation: 'lldap'
-    # tls configruation, it uses certificates_directory's /etc/ssl/authelia/ilnmors_root_ca.crt
+    # tls configruation, it uses certificates_directory's /etc/ssl/authelia/{{ root_cert_filename }}
    tls:
-      server_name: 'ldap.ilnmors.internal'
+      server_name: '{{ services['ldap']['domain'] }}.{{ domain['internal'] }}'
      skip_verify: false
    # LLDAP base DN
-    base_dn: 'dc=ilnmors,dc=internal'
+    base_dn: '{{ domain['dc'] }}'
    additional_users_dn: 'ou=people'
    additional_groups_dn: 'ou=groups'
    # LLDAP filters
    users_filter: '(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))'
    groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
    # LLDAP bind account configuration
-    user: 'uid=authelia,ou=people,dc=ilnmors,dc=internal'
+    user: 'uid=authelia,ou=people,{{ domain['dc'] }}'
    password: '' # $AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE option is designated in container file

 # Access control configuration
@@ -53,14 +53,12 @@ access_control:
  default_policy: 'deny'
  rules:
    # authelia portal
-    - domain: 'authelia.ilnmors.internal'
+    - domain: '{{ services['authelia']['domain'] }}.{{ domain['public'] }}'
      policy: 'bypass'
-    - domain: 'authelia.ilnmors.com'
-      policy: 'bypass'
-    - domain: 'test.ilnmors.com'
-      policy: 'one_factor'
-      subject:
-        - 'group:admins'
+#    - domain: 'test.ilnmors.com'
+#      policy: 'one_factor'
+#      subject:
+#        - 'group:admins'
 # Session provider configuration
 session:
  secret: '' # $AUTHELIA_SESSION_SECRET_FILE  is designated in container file
@@ -68,8 +66,8 @@ session:
  inactivity: '24 hours' # Session maintains for 24 hours without actions
  cookies:
    - name: 'authelia_public_session'
-      domain: 'ilnmors.com'
-      authelia_url: 'https://authelia.ilnmors.com'
+      domain: '{{ domain['public'] }}'
+      authelia_url: 'https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}'
      same_site: 'lax'

 # This authelia doesn't use Redis.
@@ -78,12 +76,12 @@ session:
 storage:
  encryption_key: '' # $AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE is designated in container file
  postgres:
-    address: 'tcp://{{ infra_uri['postgresql']['domain'] }}:{{ infra_uri['postgresql']['ports']['tcp'] }}'
+    address: 'tcp://{{ services['postgresql']['domain'] }}.{{ domain['internal'] }}:{{ services['postgresql']['ports']['tcp'] }}'
    database: 'authelia_db'
    username: 'authelia'
    password: '' # $AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE is designated in container file
    tls:
-      server_name: '{{ infra_uri['postgresql']['domain'] }}'
+      server_name: '{{ services['postgresql']['domain'] }}.{{ domain['internal'] }}'
      skip_verify: false

 # Notification provider
@@ -117,7 +115,7 @@ identity_providers:
        require_pkce: false
        pkce_challenge_method: ''
        redirect_uris:
-          - 'https://{{ infra_uri['nas']['domain'] }}:{{ infra_uri['nas']['ports']['https'] }}'
+          - 'https://{{ services['nas']['domain'] }}.{{ domain['internal'] }}:{{ services['nas']['ports']['https'] }}'
        scopes:
          - 'openid'
          - 'profile'
@@ -140,7 +138,7 @@ identity_providers:
        require_pkce: false
        pkce_challenge_method: ''
        redirect_uris:
-          - 'https://gitea.ilnmors.com/user/oauth2/authelia/callback'
+          - 'https://{{ services['gitea']['domain']['public'] }}.{{ domain['public'] }}/user/oauth2/authelia/callback'
        scopes:
          - 'openid'
          - 'email'
@@ -161,8 +159,8 @@ identity_providers:
        require_pkce: false
        pkce_challenge_method: ''
        redirect_uris:
-          - 'https://immich.ilnmors.com/auth/login'
-          - 'https://immich.ilnmors.com/user-settings'
+          - 'https://{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}/auth/login'
+          - 'https://{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}/user-settings'
          - 'app.immich:///oauth-callback'
        scopes:
          - 'openid'
@@ -184,7 +182,7 @@ identity_providers:
        require_pkce: false
        pkce_challenge_method: ''
        redirect_uris:
-          - 'https://budget.ilnmors.com/openid/callback'
+          - 'https://{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}/openid/callback'
        scopes:
          - 'openid'
          - 'profile'
@@ -206,7 +204,7 @@ identity_providers:
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
-          - 'https://paperless.ilnmors.com/accounts/oidc/authelia/login/callback/'
+          - 'https://{{ services['paperless']['domain']['public'] }}.{{ domain['public'] }}/accounts/oidc/authelia/login/callback/'
        scopes:
          - 'openid'
          - 'profile'
@@ -228,7 +226,7 @@ identity_providers:
        require_pkce: false
        pkce_challenge_method: ''
        redirect_uris:
-          - 'https://vikunja.ilnmors.com/auth/openid/authelia'
+          - 'https://{{ services['vikunja']['domain']['public'] }}.{{ domain['public'] }}/auth/openid/authelia'
        scopes:
          - 'openid'
          - 'profile'