From 701c897aff94f27a91e1ee9d0e60c78bde90f85d Mon Sep 17 00:00:00 2001 
From: erebion Date: Wed, 13 Sep 2023 18:03:24 +0200 Subject: [PATCH] Authentik-Rolle einmal ordentlich gemacht und gefixt --- host_vars/unhb4/authentik.yml | 11 ++ host_vars/unhb4/unhb4_vault.yml | 84 ++++++------ .../handlers/main.yml | 7 +- roles/authentik_docker/tasks/main.yml | 120 ++++++++++++++++++ .../templates/authentik-db-docker.service.j2 | 18 +++ .../authentik-redis-docker.service.j2 | 17 +++ .../authentik-server-docker.service.j2 | 21 +++ .../authentik-worker-docker.service.j2 | 22 ++++ .../templates/authentik.env.j2} | 12 +- roles/docker_authentik/tasks/main.yml | 70 ---------- .../templates/authentik-docker.service.j2 | 35 ----- .../templates/docker-compose.yml.j2 | 117 ----------------- .../handlers/main.yml | 0 .../tasks/main.yml | 0 .../templates/pretix-db.env.j2 | 0 .../templates/pretix-db.service.j2 | 0 .../templates/pretix-redis.service.j2 | 0 .../templates/pretix.cfg.j2 | 0 .../templates/pretix.env.j2 | 0 .../templates/pretix.service.j2 | 0 .../templates/pretix_.env | 0 .../handlers/main.yml | 0 .../tasks/main.yml | 0 .../templates/watchtower.env.j2 | 0 .../templates/watchtower.service.j2 | 0 25 files changed, 271 insertions(+), 263 deletions(-) rename roles/{docker_authentik => authentik_docker}/handlers/main.yml (59%) create mode 100644 roles/authentik_docker/tasks/main.yml create mode 100644 roles/authentik_docker/templates/authentik-db-docker.service.j2 create mode 100644 roles/authentik_docker/templates/authentik-redis-docker.service.j2 create mode 100644 roles/authentik_docker/templates/authentik-server-docker.service.j2 create mode 100644 roles/authentik_docker/templates/authentik-worker-docker.service.j2 rename roles/{docker_authentik/templates/.env.j2 => authentik_docker/templates/authentik.env.j2} (62%) delete mode 100644 roles/docker_authentik/tasks/main.yml delete mode 100644 roles/docker_authentik/templates/authentik-docker.service.j2 delete mode 100644 roles/docker_authentik/templates/docker-compose.yml.j2 rename 
roles/{docker_pretix => pretix_docker}/handlers/main.yml (100%) rename roles/{docker_pretix => pretix_docker}/tasks/main.yml (100%) rename roles/{docker_pretix => pretix_docker}/templates/pretix-db.env.j2 (100%) rename roles/{docker_pretix => pretix_docker}/templates/pretix-db.service.j2 (100%) rename roles/{docker_pretix => pretix_docker}/templates/pretix-redis.service.j2 (100%) rename roles/{docker_pretix => pretix_docker}/templates/pretix.cfg.j2 (100%) rename roles/{docker_pretix => pretix_docker}/templates/pretix.env.j2 (100%) rename roles/{docker_pretix => pretix_docker}/templates/pretix.service.j2 (100%) rename roles/{docker_pretix => pretix_docker}/templates/pretix_.env (100%) rename roles/{docker_watchtower => watchtower_docker}/handlers/main.yml (100%) rename roles/{docker_watchtower => watchtower_docker}/tasks/main.yml (100%) rename roles/{docker_watchtower => watchtower_docker}/templates/watchtower.env.j2 (100%) rename roles/{docker_watchtower => watchtower_docker}/templates/watchtower.service.j2 (100%) diff --git a/host_vars/unhb4/authentik.yml b/host_vars/unhb4/authentik.yml index 68c74e2..bce8081 100644 --- a/host_vars/unhb4/authentik.yml +++ b/host_vars/unhb4/authentik.yml @@ -1,5 +1,12 @@ --- +container_names: + authentik: + server: "authentik-server-1.server4" + worker: "authentik-worker-1.server4" + redis: "authentik-redis-1.server4" + db: "authentik-postgresql-1.server4" + authentik_error_reporting: "true" authentik_email_host: "mail.un-hack-bar.de" authentik_email_port: "587" @@ -12,3 +19,7 @@ authentik_domain: "auth.un-hack-bar.de,auth.unhb.de" authentik_allow_users_to_change_email: "false" # disable emailaddress changes to avoid emailaddress collisions authentik_allow_users_to_change_names: "true" # enables name changes authentik_allow_users_to_change_usernames: "false" # disable username changes to avoid username collisions +authentik_postgres_version: "12-alpine" + +version: + authentik: "2023.5.4" 
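Review bot: The new `container_names.authentik.*` values double as in-network hostnames — the renamed env template derives `AUTHENTIK_REDIS__HOST` and `AUTHENTIK_POSTGRESQL__HOST` from them — and the restart handler cycles all four units, so a rename here is a coordinated change rather than a label tweak, which deserves a comment in host_vars. Suggested line above `container_names:`: `# also used as hostnames inside authentik_net (AUTHENTIK_REDIS__HOST / AUTHENTIK_POSTGRESQL__HOST); keep in step with the systemd units and the restart handler`. `version.authentik` and `authentik_postgres_version` pin their images here, which leaves the Redis unit as the only one still on a floating tag.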
diff --git a/host_vars/unhb4/unhb4_vault.yml b/host_vars/unhb4/unhb4_vault.yml index 20e9363..d1fdbd1 100644 --- a/host_vars/unhb4/unhb4_vault.yml +++ b/host_vars/unhb4/unhb4_vault.yml 
@@ -1,40 +1,46 @@ $ANSIBLE_VAULT;1.1;AES256 -36633533303235343132386665366638363732633564323339303662393835613961353939613237 -3634613736316165303133363532333865356662346137330a653435303939323066623765326630 -37646565666466323463313466343265373465633765313361333337336162373064366165623033 -3235313935633731360a653361343163613339313061343737326262333834613131313563346137 -37353932376463336431303966363539323734623061613766613063393537333562346232313664 -37383236303137633535363639313134393539383432303764343564393935323266616262366162 -61343164383066353866646466363466356531346139326663626439626234386634656361353436 -31346233643465646566333064633030643963383963356137373234373665363735333366633933 -36373466316161366138363836613637666338613639313032633839616462336232633761623931 -30666538663162323063623564656537623234323338356331646466653337333433656164663434 -63323735613239306132636564623662303039313066623666373338633866343462656462636232 -34353231303561386166336335643134616561656161663766313966613130623964656334336263 -65313063353136316333663430666535633065346163613931303137636137643761666236363065 -34643963376365666363373866323937613434386235623336623161386137303532396235376134 -30386563306138306566633634323266613064626665626530356530353566363434363837383534 -37306261353730643833616461636565326237643934653263316231363038353932313266666335 -65343430343739396165333937346535313465646534363733663532356431383733373430623331 -37306161306261383133326665303365306436656662346663373033333664303366366633656663 -63303938333861653765626234653562353834313764313236353762623430633430383037316138 -37303866373831376133643832333230663332646530363139306163633063316565343934363431 -62313032313661373837313032313531363736316664306134333466663630643633393037346135 -35363564613936663237353664363930656139373630323935636439303834613634653364383234 -33656436613265363864383664653039326635303430623436303439323633613262366264636639 
-65353831373036623130653061386162353462383431323730646637373964333233353437343530 -39613662366534643264346130313764356461333266313761323137666634326437613163356232 -32663730383162646466306466386339393964303239613637623538623631306636653434333432 -35353733326162383064306666353839636635633666356537643839633738663464663265663432 -30646239613464313332646438663933356335303835363237316631366138383037386232373664 -65396432393563303639343131363437346561393136316163346261313064366439653637636534 -38343365366264633432363964373435353063393932323231316137623037346638656466303263 -35656565313865323363326135343230333563353864313432376138616365303761656565353030 -30336461636631663666313332383262336635646463306136303438333437366336356533663864 -35373830306138393265633130633334373931663038333666393263366535656135633234313263 -34323330306337363638363464306637653861333839303437616162633561326237656462653235 -66363536376630353830316461616265393136646262376432663637323036336137613461343538 -35636535303534393833303962363735343066333239336266633633633061633034316333343966 -66616238373561346636393337633930613435326634366134363265363332363465643034303635 -35396532643339393565653633626265366532626231333630646235663863386362646466353761 -316134386534613533303132636338316334 +62363930646664323037656666343931623537393562363862313066326630363032623066653335 +6536633330306133323430363561313830623364333031370a663765336437386661313163333235 +66656230373562366266383830306234626665653636356666633062653033323039316366656437 +3762393864313861620a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diff --git a/roles/docker_authentik/handlers/main.yml b/roles/authentik_docker/handlers/main.yml similarity index 59% rename from roles/docker_authentik/handlers/main.yml rename to roles/authentik_docker/handlers/main.yml index 50fd2c8..1110b53 100644 --- a/roles/docker_authentik/handlers/main.yml +++ b/roles/authentik_docker/handlers/main.yml 
@@ -10,5 +10,10 @@ - name: restart-authentik-docker ansible.builtin.systemd: state: restarted - name: authentik-docker.service + name: "{{ item }}" + with_items: + - authentik-redis-docker.service + - authentik-db-docker.service + - authentik-server-docker.service + - authentik-worker-docker.service tags: molecule-notest diff --git a/roles/authentik_docker/tasks/main.yml b/roles/authentik_docker/tasks/main.yml new file mode 100644 index 0000000..70f5f48 --- /dev/null +++ b/roles/authentik_docker/tasks/main.yml 
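Review bot: The restart order in the new `with_items` list is only as good as the unit dependencies: `ansible.builtin.systemd` returns as soon as each unit is `active`, which for a `Type=exec` unit is when `docker run` has been exec'd, not when Postgres accepts connections, so the server and worker restarts that follow can hit an unready database and then depend on `Restart=always` to recover. Adding `After=authentik-db-docker.service authentik-redis-docker.service` to the server and worker units (see their hunks) lets systemd enforce the order instead of the handler's list position. `loop:` is the current idiom over `with_items:` and would match a future lint run.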
@@ -0,0 +1,120 @@ +--- + +- name: "Install dependencies" + ansible.builtin.apt: + pkg: + - docker.io + +- name: "Create directory for Authentik with Docker" + ansible.builtin.file: + path: "{{ item }}" + state: directory + owner: root + group: root + mode: '0750' + with_items: + - "{{ docker_volumes_dir }}/authentik" + +- name: "Create directories for Authentik Docker" + ansible.builtin.file: + path: "{{ item }}" + state: directory + owner: 1000 + group: 1000 + mode: '0750' + with_items: + - "{{ docker_volumes_dir }}/authentik/media" + - "{{ docker_volumes_dir }}/authentik/custom-templates" + - "{{ docker_volumes_dir }}/authentik/certs" + +- name: "Create Redis and Database directores for Authentik with Docker" + ansible.builtin.file: + path: "{{ item }}" + state: directory + owner: 999 + group: root + mode: '0750' + with_items: + - "{{ docker_volumes_dir }}/authentik/redis" + - "{{ docker_volumes_dir }}/authentik/database" + +- name: "Template .env files for Authentik with Docker" + ansible.builtin.template: + src: "authentik.env.j2" + dest: "{{ docker_volumes_dir }}/authentik/authentik.env" + force: true + owner: authentik-docker + group: docker + mode: '0660' + notify: restart-authentik-docker + +#- name: "Template docker-compose.yml for authentik-docker" +# ansible.builtin.template: +# src: "{{ item }}.j2" +# dest: "/{{ docker_compose_config_dir }}/authentik/{{ item }}" +# force: true +# owner: root +# group: docker +# mode: '0640' +# with_items: +# - docker-compose.yml +# notify: restart-authentik-docker + +- name: "Create Docker network authentik_net" + docker_network: + name: authentik_net + +- name: "Template systemd units for Authentik with Docker" + ansible.builtin.template: + src: "{{ item }}.j2" + dest: "/etc/systemd/system/{{ item }}" + force: true + owner: root + group: root + mode: '0664' + with_items: + - authentik-server-docker.service + - authentik-worker-docker.service + - authentik-redis-docker.service + - authentik-db-docker.service + register: 
units + +#- name: "Add a user that will run the container" +# ansible.builtin.user: +# name: authentik-docker +# comment: Authentik Docker User +# home: "{{ docker_volumes_dir }}/authentik" +# group: docker +# system: true + +#- name: "Template systemd unit file for Authentik with Docker" +# ansible.builtin.template: +# src: "authentik-docker.service.j2" +# dest: "/etc/systemd/system/authentik-docker.service" +# force: true +# owner: root +# group: root +# mode: '0644' +# register: unit +# notify: systemctl-daemon-reload + +- name: "Reload systemd units" + ansible.builtin.systemd: + daemon_reload: yes + when: units.changed + +- name: "Enable systemd units for Authentik with Docker" + ansible.builtin.systemd: + state: started + enabled: true + name: "{{ item }}" + with_items: + - authentik-db-docker.service + - authentik-redis-docker.service + - authentik-server-docker.service + - authentik-worker-docker.service + +#- name: "Enable systemctl service for authentik-docker" +# ansible.builtin.service: +# state: started +# name: "authentik-docker.service" diff --git a/roles/authentik_docker/templates/authentik-db-docker.service.j2 b/roles/authentik_docker/templates/authentik-db-docker.service.j2 new file mode 100644 index 0000000..f58131a --- /dev/null +++ b/roles/authentik_docker/templates/authentik-db-docker.service.j2 
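Review bot: The systemd unit files are templated with `mode: '0664'`, which leaves root-owned files in `/etc/systemd/system` group-writable; units should be `mode: '0644'`, as the deleted role already had. The `authentik.env` task sets `owner: authentik-docker`, but the task that created that user is commented out in this same file, so on a host where the user does not already exist the template task fails — either restore the user task or own the file as root; note also that with `group: docker` and `0660` every docker-group member can read the database password and `AUTHENTIK_SECRET_KEY` it contains. `docker_network:` is the only task without a fully qualified collection name; `community.docker.docker_network:` keeps it consistent with the `ansible.builtin.*` calls around it. `daemon_reload: yes` could be `daemon_reload: true` to match `enabled: true` a few lines below.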
@@ -0,0 +1,18 @@
+[Unit]
+Description=Postgres for Authentik with Docker
+After=docker.service
+Requires=docker.service
+
+[Service]
+ExecStartPre=-/usr/bin/docker rm --force {{ container_names.authentik.db }}
+ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.db }} --network authentik_net \
+ --env-file {{ docker_volumes_dir }}/authentik/authentik.env --expose 5432 \
+ -v {{ docker_volumes_dir }}/authentik/database:/var/lib/postgresql/data \
+ docker.io/library/postgres:{{ authentik_postgres_version }}
+ExecStop=/usr/bin/docker stop {{ container_names.authentik.db }}
+Restart=always
+RestartSec=15s
+Type=exec
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/authentik_docker/templates/authentik-redis-docker.service.j2 b/roles/authentik_docker/templates/authentik-redis-docker.service.j2
new file mode 100644
index 0000000..e8485a5
--- /dev/null
+++ b/roles/authentik_docker/templates/authentik-redis-docker.service.j2
@@ -0,0 +1,17 @@
+[Unit]
+Description=Redis with Docker for Authentik
+After=docker.service
+Requires=docker.service
+
+[Service]
+ExecStartPre=-/usr/bin/docker rm --force {{ container_names.authentik.redis }}
+ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.redis }} --network authentik_net \
+ -v {{ docker_volumes_dir }}/authentik/redis:/data \
+ docker.io/library/redis:alpine --save 60 1 --loglevel warning
+ExecStop=/usr/bin/docker stop {{ container_names.authentik.redis }}
+Restart=always
+RestartSec=15s
+Type=exec
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/authentik_docker/templates/authentik-server-docker.service.j2 b/roles/authentik_docker/templates/authentik-server-docker.service.j2
new file mode 100644
index 0000000..0e8643f
--- /dev/null
+++ b/roles/authentik_docker/templates/authentik-server-docker.service.j2
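Review bot: `--env-file {{ docker_volumes_dir }}/authentik/authentik.env` hands the Postgres container the whole Authentik environment — `AUTHENTIK_SECRET_KEY`, the SMTP settings and the `VIRTUAL_HOST`/`LETSENCRYPT_*` hints — although it only needs `POSTGRES_PASSWORD`, `POSTGRES_USER` and `POSTGRES_DB`. The visible part of authentik.env.j2 defines `AUTHENTIK_POSTGRESQL__*` and comments out `PG_PASS`; unless `POSTGRES_*` are set in that template's unchanged lines, the postgres image will refuse to start for lack of `POSTGRES_PASSWORD`. A dedicated database env file, as the pretix role does with `pretix-db.env.j2`, would give the database only its own credentials, e.g. `--env-file {{ docker_volumes_dir }}/authentik/authentik-db.env --expose 5432 \` with a matching template task.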
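Review bot: `docker.io/library/redis:alpine` is the only image in the new units on a floating tag; authentik and postgres are pinned through `version.authentik` and `authentik_postgres_version`. Combined with `docker rm --force` in `ExecStartPre`, a moving tag means a silently changed Redis on every restart cycle; pinning it the same way, e.g. `docker.io/library/redis:{{ authentik_redis_version }} --save 60 1 --loglevel warning` (a new host_vars variable, named here by analogy), keeps the stack reproducible. Redis runs without authentication, which is acceptable only because it is confined to `authentik_net` with no published port — a one-line comment stating that assumption would stop a later edit from exposing it.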
@@ -0,0 +1,21 @@
+[Unit]
+Description=Authentik with Docker
+After=docker.service
+Requires=docker.service
+
+[Service]
+ExecStartPre=-/usr/bin/docker rm --force {{ container_names.authentik.server }}
+ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.server }} --network authentik_net \
+ --expose 9000 --expose 9443 \
+ --env-file {{ docker_volumes_dir }}/authentik/authentik.env \
+ -v {{ docker_volumes_dir }}/authentik/media:/media \
+ -v {{ docker_volumes_dir }}/authentik/custom-templates:/templates \
+ ghcr.io/goauthentik/server:{{ version.authentik }} server
+ExecStartPost=/usr/bin/bash -c "/bin/sleep 10 && /usr/bin/docker network connect nginx_net {{ container_names.authentik.server }}"
+ExecStop=/usr/bin/docker stop {{ container_names.authentik.server }}
+Restart=always
+RestartSec=15s
+Type=exec
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/authentik_docker/templates/authentik-worker-docker.service.j2 b/roles/authentik_docker/templates/authentik-worker-docker.service.j2
new file mode 100644
index 0000000..f75439e
--- /dev/null
+++ b/roles/authentik_docker/templates/authentik-worker-docker.service.j2
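Review bot: The unit orders itself only on `docker.service`, so at boot or after the handler restarts all four units the server can come up before the database and Redis containers and relies on `Restart=always`/`RestartSec=15s` to recover; `After=docker.service authentik-db-docker.service authentik-redis-docker.service` plus `Wants=authentik-db-docker.service authentik-redis-docker.service` would let systemd order it. `ExecStartPost=... sleep 10 && docker network connect nginx_net ...` is a fixed-delay race: if the container is not running after ten seconds or the connect fails, the whole unit fails and loops. Polling `docker inspect` until the container reports running, or attaching `nginx_net` at `docker run` time where the installed Docker accepts several `--network` flags, would be deterministic — the Docker version cannot be confirmed from this diff.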
@@ -0,0 +1,22 @@
+[Unit]
+Description=Authentik Worker with Docker
+After=docker.service
+Requires=docker.service
+
+[Service]
+ExecStartPre=-/usr/bin/docker rm --force {{ container_names.authentik.worker }}
+ExecStart=/usr/bin/docker run --rm --name {{ container_names.authentik.worker }} --network authentik_net \
+ --expose 9000 --expose 9443 \
+ --env-file {{ docker_volumes_dir }}/authentik/authentik.env \
+ -v {{ docker_volumes_dir }}/authentik/media:/media \
+ -v {{ docker_volumes_dir }}/authentik/certs:/certs \
+ -v {{ docker_volumes_dir }}/authentik/custom-templates:/templates \
+ ghcr.io/goauthentik/server:{{ version.authentik }} server worker
+ExecStartPost=/usr/bin/bash -c "/bin/sleep 10 && /usr/bin/docker network connect nginx_net {{ container_names.authentik.worker }}"
+ExecStop=/usr/bin/docker stop {{ container_names.authentik.worker }}
+Restart=always
+RestartSec=15s
+Type=exec
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/docker_authentik/templates/.env.j2 b/roles/authentik_docker/templates/authentik.env.j2
similarity index 62%
rename from roles/docker_authentik/templates/.env.j2
rename to roles/authentik_docker/templates/authentik.env.j2
index 905f999..d539c12 100644
--- a/roles/docker_authentik/templates/.env.j2
+++ b/roles/authentik_docker/templates/authentik.env.j2
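Review bot: The worker's command is `server worker`, whereas the deleted docker-compose.yml.j2 ran the worker with `command: worker`; the image's entrypoint dispatches on its first argument, so this line most likely starts a second server and no worker at all — the last ExecStart line should read `ghcr.io/goauthentik/server:{{ version.authentik }} worker`. Because a worker serves no HTTP, `--expose 9000 --expose 9443` and the `ExecStartPost` that joins it to `nginx_net` are unnecessary for it and only widen what the reverse-proxy network can reach; both can go once the command is fixed. The same missing `After=` ordering on the db and redis units noted for the server unit applies here.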
@@ -1,4 +1,13 @@
-PG_PASS={{ authentik_pg_pass }}
+AUTHENTIK_REDIS__HOST="{{ container_names.authentik.redis }}"
+AUTHENTIK_POSTGRESQL__HOST="{{ container_names.authentik.db }}"
+AUTHENTIK_POSTGRESQL__USER={{ database_vars.postgres.authentik.user }}
+AUTHENTIK_POSTGRESQL__NAME={{ database_vars.postgres.authentik.db }}
+AUTHENTIK_POSTGRESQL__PASSWORD={{ database_vars.postgres.authentik.password }}
+VIRTUAL_HOST={{ authentik_domain }}
+VIRTUAL_PORT={{ authentik_port_http }}
+LETSENCRYPT_HOST={{ authentik_domain }}
+LETSENCRYPT_EMAIL={{letsencrypt_email }}
+#PG_PASS={{ database_vars.postgres.authentik.password }}
 AUTHENTIK_SECRET_KEY={{ authentik_secret }}
 AUTHENTIK_ERROR_REPORTING__ENABLED={{ authentik_error_reporting }}
 # SMTP Host Emails are sent to
@@ -19,3 +28,4 @@ AUTHENTIK_PORT_HTTPS={{ authentik_port_https }}
 AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL={{ authentik_allow_users_to_change_email }}
 AUTHENTIK_DEFAULT_USER_CHANGE_NAME={{ authentik_allow_users_to_change_names }}
 AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME={{ authentik_allow_users_to_change_usernames }}
+AUTHENTIK_GEOIP=/dev/null #The docs say this is the way to disable GeoIP...
diff --git a/roles/docker_authentik/tasks/main.yml b/roles/docker_authentik/tasks/main.yml
deleted file mode 100644
index 870b81c..0000000
--- a/roles/docker_authentik/tasks/main.yml
+++ /dev/null
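Review bot: `AUTHENTIK_REDIS__HOST="{{ container_names.authentik.redis }}"` and `AUTHENTIK_POSTGRESQL__HOST="{{ container_names.authentik.db }}"` are the only two quoted values in the file; `docker run --env-file`, which all four new units use, copies values verbatim, so the double quotes become part of the hostname and the server cannot resolve Redis or Postgres. Drop the quotes: `AUTHENTIK_REDIS__HOST={{ container_names.authentik.redis }}` and `AUTHENTIK_POSTGRESQL__HOST={{ container_names.authentik.db }}`. The commented `#PG_PASS=` line still renders the database password into the file a second time; delete it rather than keep an extra copy of the secret in a comment.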
@@ -1,70 +0,0 @@ ---- - -- name: "Install dependencies" - ansible.builtin.apt: - pkg: - - docker.io - - apparmor # if not installed, Docker will complain - -- name: "Create directories for authentik-docker" - ansible.builtin.file: - path: "{{ item }}" - state: directory - owner: authentik-docker - group: docker - mode: '0755' - with_items: - - "{{ docker_compose_config_dir }}/authentik" - - "{{ docker_volumes_dir }}/authentik/database" - - "{{ docker_volumes_dir }}/authentik/redis" - - "{{ docker_volumes_dir }}/authentik/media" - - "{{ docker_volumes_dir }}/authentik/custom-templates" - - "{{ docker_volumes_dir }}/authentik/certs" - -- name: "Template .env filexs for authentik-docker" - ansible.builtin.template: - src: "{{ item }}.j2" - dest: "/{{ docker_compose_config_dir }}/authentik/{{ item }}" - force: true - owner: authentik-docker - group: docker - mode: '0660' - with_items: - - .env - notify: restart-authentik-docker - -- name: "Template docker-compose.yml for authentik-docker" - ansible.builtin.template: - src: "{{ item }}.j2" - dest: "/{{ docker_compose_config_dir }}/authentik/{{ item }}" - force: true - owner: root - group: docker - mode: '0640' - with_items: - - docker-compose.yml - notify: restart-authentik-docker - -- name: "Add a user that will run the container" - ansible.builtin.user: - name: authentik-docker - comment: Authentik Docker User - home: "{{ docker_volumes_dir }}/authentik" - group: docker - system: true - -- name: "Template systemd unit file for authentik-docker" - ansible.builtin.template: - src: "authentik-docker.service.j2" - dest: "/etc/systemd/system/authentik-docker.service" - force: true - owner: root - group: root - mode: '0644' - register: unit - notify: systemctl-daemon-reload - -- name: "Enable systemctl service for authentik-docker" - ansible.builtin.service: - state: started - name: "authentik-docker.service" 
diff --git a/roles/docker_authentik/templates/authentik-docker.service.j2 b/roles/docker_authentik/templates/authentik-docker.service.j2 deleted file mode 100644 index 4bea1c4..0000000 --- a/roles/docker_authentik/templates/authentik-docker.service.j2 +++ /dev/null @@ -1,35 +0,0 @@ -[Unit] -Description=Authentik in Docker - -[Service] -Type=exec -#User=authentik-docker -WorkingDirectory={{ docker_compose_config_dir }}/authentik -ExecStart=docker compose up postgresql redis server worker -Restart=on-failure -RestartSec=30s - -# Optional hardening to improve security -#ReadWritePaths={{ docker_volumes_dir }}/ /tmp/ {{ docker_compose_config_dir }}/ -#NoNewPrivileges=yes -#MemoryDenyWriteExecute=true -#PrivateDevices=yes -#PrivateTmp=yes -#ProtectHome=yes -#ProtectSystem=strict -#ProtectControlGroups=true -#RestrictSUIDSGID=true -#RestrictRealtime=true -#LockPersonality=true -#ProtectKernelLogs=true -#ProtectKernelTunables=true -#ProtectHostname=true -#ProtectKernelModules=true -#PrivateUsers=true -#ProtectClock=true -#SystemCallArchitectures=native -#SystemCallErrorNumber=EPERM -#SystemCallFilter=@system-service - -[Install] -WantedBy=multi-user.target diff --git a/roles/docker_authentik/templates/docker-compose.yml.j2 b/roles/docker_authentik/templates/docker-compose.yml.j2 deleted file mode 100644 index ad1779d..0000000 --- a/roles/docker_authentik/templates/docker-compose.yml.j2 +++ /dev/null 
@@ -1,117 +0,0 @@ ---- -version: '3.4' - -services: - postgresql: - image: docker.io/library/postgres:12-alpine - restart: unless-stopped - healthcheck: - test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"] - start_period: 20s - interval: 30s - retries: 5 - timeout: 5s - volumes: - - {{ docker_volumes_dir }}/authentik/database:/var/lib/postgresql/data - environment: - - POSTGRES_PASSWORD=${PG_PASS:?database password required} - - POSTGRES_USER=${PG_USER:-authentik} - - POSTGRES_DB=${PG_DB:-authentik} - networks: - - authentik_net - env_file: - - .env - redis: - image: docker.io/library/redis:alpine - command: --save 60 1 --loglevel warning - restart: unless-stopped - healthcheck: - test: ["CMD-SHELL", "redis-cli ping | grep PONG"] - start_period: 20s - interval: 30s - retries: 5 - timeout: 3s - volumes: - - {{ docker_volumes_dir }}/authentik/redis:/data - networks: - - authentik_net - server: - image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.12.0} - restart: unless-stopped - command: server - environment: - AUTHENTIK_REDIS__HOST: redis - AUTHENTIK_POSTGRESQL__HOST: postgresql - AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik} - AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik} - AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS} - VIRTUAL_HOST: {{ authentik_domain }} - VIRTUAL_PORT: {{ authentik_port_http }} - LETSENCRYPT_HOST: {{ authentik_domain }} - LETSENCRYPT_EMAIL: {{letsencrypt_email }} - volumes: - - {{ docker_volumes_dir }}/authentik/media:/media - - {{ docker_volumes_dir }}/authentik/custom-templates:/templates - - {{ docker_volumes_dir }}/authentik/geoip:/geoip - networks: - - authentik_net - - nginx_net - env_file: - - .env - expose: - - "${AUTHENTIK_PORT_HTTP:-9000}" - - "${AUTHENTIK_PORT_HTTPS:-9443}" - worker: - image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.11.3} - restart: unless-stopped - command: worker - environment: - AUTHENTIK_REDIS__HOST: redis - AUTHENTIK_POSTGRESQL__HOST: 
postgresql - AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik} - AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik} - AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS} - # `user: root` and the docker socket volume are optional. - # See more for the docker socket integration here: - # https://goauthentik.io/docs/outposts/integrations/docker - # Removing `user: root` also prevents the worker from fixing the permissions - # on the mounted folders, so when removing this make sure the folders have the correct UID/GID - # (1000:1000 by default) - user: root - volumes: - - /var/run/docker.sock:/var/run/docker.sock - - {{ docker_volumes_dir }}/authentik/media:/media - - {{ docker_volumes_dir }}/authentik/certs:/certs - - {{ docker_volumes_dir }}/authentik/custom-templates:/templates - - {{ docker_volumes_dir }}/authentik/geoip:/geoip - networks: - - authentik_net - env_file: - - .env - geoipupdate: - image: "maxmindinc/geoipupdate:latest" - volumes: - - "{{ docker_volumes_dir }}/authentik/geoip:/usr/share/GeoIP" - networks: - - authentik_net - environment: - GEOIPUPDATE_EDITION_IDS: "GeoLite2-City" - GEOIPUPDATE_FREQUENCY: "8" - env_file: - - .env - -volumes: - database: - driver: local - redis: - driver: local - geoip: - driver: local - -networks: - authentik_net: - external: false - name: authentik_net - nginx_net: - external: true - name: nginx_net diff --git a/roles/docker_pretix/handlers/main.yml b/roles/pretix_docker/handlers/main.yml similarity index 100% rename from roles/docker_pretix/handlers/main.yml rename to roles/pretix_docker/handlers/main.yml diff --git a/roles/docker_pretix/tasks/main.yml b/roles/pretix_docker/tasks/main.yml similarity index 100% rename from roles/docker_pretix/tasks/main.yml rename to roles/pretix_docker/tasks/main.yml 
diff --git a/roles/docker_pretix/templates/pretix-db.env.j2 b/roles/pretix_docker/templates/pretix-db.env.j2 similarity index 100% rename from roles/docker_pretix/templates/pretix-db.env.j2 rename to roles/pretix_docker/templates/pretix-db.env.j2 diff --git a/roles/docker_pretix/templates/pretix-db.service.j2 b/roles/pretix_docker/templates/pretix-db.service.j2 similarity index 100% rename from roles/docker_pretix/templates/pretix-db.service.j2 rename to roles/pretix_docker/templates/pretix-db.service.j2 diff --git a/roles/docker_pretix/templates/pretix-redis.service.j2 b/roles/pretix_docker/templates/pretix-redis.service.j2 similarity index 100% rename from roles/docker_pretix/templates/pretix-redis.service.j2 rename to roles/pretix_docker/templates/pretix-redis.service.j2 diff --git a/roles/docker_pretix/templates/pretix.cfg.j2 b/roles/pretix_docker/templates/pretix.cfg.j2 similarity index 100% rename from roles/docker_pretix/templates/pretix.cfg.j2 rename to roles/pretix_docker/templates/pretix.cfg.j2 diff --git a/roles/docker_pretix/templates/pretix.env.j2 b/roles/pretix_docker/templates/pretix.env.j2 similarity index 100% rename from roles/docker_pretix/templates/pretix.env.j2 rename to roles/pretix_docker/templates/pretix.env.j2 diff --git a/roles/docker_pretix/templates/pretix.service.j2 b/roles/pretix_docker/templates/pretix.service.j2 similarity index 100% rename from roles/docker_pretix/templates/pretix.service.j2 rename to roles/pretix_docker/templates/pretix.service.j2 diff --git a/roles/docker_pretix/templates/pretix_.env b/roles/pretix_docker/templates/pretix_.env similarity index 100% rename from roles/docker_pretix/templates/pretix_.env rename to roles/pretix_docker/templates/pretix_.env diff --git a/roles/docker_watchtower/handlers/main.yml b/roles/watchtower_docker/handlers/main.yml similarity index 100% rename from roles/docker_watchtower/handlers/main.yml rename to roles/watchtower_docker/handlers/main.yml 
diff --git a/roles/docker_watchtower/tasks/main.yml b/roles/watchtower_docker/tasks/main.yml similarity index 100% rename from roles/docker_watchtower/tasks/main.yml rename to roles/watchtower_docker/tasks/main.yml diff --git a/roles/docker_watchtower/templates/watchtower.env.j2 b/roles/watchtower_docker/templates/watchtower.env.j2 similarity index 100% rename from roles/docker_watchtower/templates/watchtower.env.j2 rename to roles/watchtower_docker/templates/watchtower.env.j2 diff --git a/roles/docker_watchtower/templates/watchtower.service.j2 b/roles/watchtower_docker/templates/watchtower.service.j2 similarity index 100% rename from roles/docker_watchtower/templates/watchtower.service.j2 rename to roles/watchtower_docker/templates/watchtower.service.j2