Add Authelia & switch Borgmatic to use Cron (systemd timer broke???)

authelia.yml

@@ -0,0 +1,38 @@
+---
+- name: Setup Authelia using Docker
+  hosts: myhosts
+  become: true
+  vars_files:
+    - vault.yml
+
+  tasks:
+    - name: Do prereqs
+      ansible.builtin.include_role:
+        name: docker_prereqs
+
+    - name: Copy config file for Authelia
+      ansible.builtin.template:
+        src: extra/authelia.yml.j2
+        dest: /opt/authelia/config/configuration.yml
+        mode: "0644"
+
+    - name: Copy user config file for Authelia
+      ansible.builtin.template:
+        src: extra/authelia_users.yml.j2
+        dest: /opt/authelia/config/users_database.yml
+        mode: "0644"
+
+    - name: Copy Compose file over
+      ansible.builtin.template:
+        src: compose/authelia/compose.yml.j2
+        dest: /opt/authelia/compose.yml
+        mode: "0644"
+
+    - name: Start Authelia from compose
+      community.docker.docker_compose_v2:
+        project_src: /opt/authelia/
+      register: output
+
+    - name: Show results of compose
+      ansible.builtin.debug:
+        var: output

borg-backup.yml

@@ -14,7 +14,7 @@
   roles:
     - role: borgbase.ansible_role_borgbackup
       ansible_role_borgbackup_borg_encryption_passphrase: "{{ borg_backup_passphrase_vw }}"
-      ansible_role_borgbackup_borg_repository:
+      borg_repository: # noqa var-naming[no-role-prefix]
         - /mnt/synology/backups/vw.borg
       ansible_role_borgbackup_borg_source_directories:
         - /opt/vaultwarden/data
@@ -52,4 +52,4 @@
         keep_daily: 7
         keep_weekly: 4
         keep_monthly: 6
-      ansible_role_borgbackup_borgmatic_timer: systemd
+      ansible_role_borgbackup_borgmatic_timer: cron

compose/authelia/compose.yml.j2

@@ -0,0 +1,10 @@
+---
+services:
+  authelia:
+    container_name: 'authelia'
+    image: 'docker.io/authelia/authelia:latest'
+    restart: 'unless-stopped'
+    ports:
+      - 9091:9091
+    volumes:
+      - '/opt/authelia/config:/config'

extra/Caddyfile.j2

@@ -102,6 +102,11 @@ push.stilk.tf {
 	reverse_proxy :8098 # ntfy
 }
 
+auth.stilk.tf {
+	import common
+	reverse_proxy :9091 # Authelia
+}
+
 tiles.stilk.tf {
 	import common
 	root * /var/www/tiles

extra/authelia.yml.j2

@@ -0,0 +1,34 @@
+totp:
+    issuer: 'push.stilk.tf'
+identity_validation:
+    reset_password:
+        jwt_secret: '{{ authelia_jwt_secret }}'
+authentication_backend:
+    refresh_interval: '5m'
+    password_reset:
+        disable: false
+    file:
+        path: '/config/users_database.yml'
+session:
+    secret: '{{ authelia_session_secret }}'
+    name: 'authelia_session'
+    same_site: 'lax'
+    inactivity: '5m'
+    expiration: '1h'
+    remember_me: '1M'
+    cookies:
+        - domain: 'stilk.tf'
+          authelia_url: 'https://auth.stilk.tf'
+          remember_me: '1d'
+notifier:
+    filesystem:
+        filename: '/config/notification.txt'
+storage:
+    encryption_key: '{{ authelia_storage_secret }}'
+    local:
+        path: '/config/db.sqlite3'
+access_control:
+    default_policy: deny
+    rules:
+        - domain: "*.stilk.tf"
+          policy: two_factor

extra/authelia_users.yml.j2

@@ -0,0 +1,10 @@
+---
+users:
+    {{ authelia_user_username }}:
+        disabled: false
+        displayname: '{{authelia_user_displayname}}'
+        password: '{{authelia_user_password}}'
+        email: '{{authelia_user_email}}'
+        groups:
+            - 'admins'
+---

roles/docker_prereqs/tasks/main.yml

@@ -0,0 +1,7 @@
+- name: Install prerequisite Python packages for the Ansible module for Docker
+  ansible.builtin.apt:
+    name: python3-requests
+- name: Check if Docker is installed on system
+  ansible.builtin.command: docker --version
+  register: docker_valid
+  changed_when: docker_valid.rc != 0