a lot of fixes and additions

ansible-checkmode-command-unhb4.sh

@@ -1,2 +1,2 @@
 #!/bin/bash
-ansible-playbook site.yml -i inventory.yml --limit unhb4
+ansible-playbook site.yml -i inventory.yml --limit unhb4 --check --diff

ansible-deploy-command-unhb4.sh

@@ -1,2 +1,2 @@
 #!/bin/bash
-ansible-playbook site.yml -i inventory.yml --limit unhb4 --check --diff
+ansible-playbook site.yml -i inventory.yml --limit unhb4 --diff

ansible.cfg

@@ -0,0 +1,7 @@
+[defaults]
+fact_caching = yaml
+fact_caching_connection = tmp
+vault_password_file = .vaultpw
+
+[ssh_connection]
+pipelining = True

group_vars/all/apt.yml

@@ -0,0 +1,6 @@
+---
+
+APT_Periodic_Update_Package_Lists: "1"
+APT_Periodic_Download_Upgradeable_Packages: "1"
+APT_Periodic_AutocleanInterval: "7"
+APT_Periodic_Unattended_Upgrade: "1"

group_vars/all/vault.yml

@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+38653965373362373633626561363436306535383363306363323934333030653434303238393764
+3963303739303161336635643963336365653066656534380a643739333261383731343966613132
+65383261343733353263383436616363323739326135346139646564326362386234356262663365
+3963616639656131310a343065363336653135666163646664626363386236623064633634636234
+36306234626538313563646138663031613031626237333462303038653839303534336630346661
+37363737306330626436613763373365663231333165616362346138663866643134336630653061
+663332333639616437346239643635363264

host_vars/firewall.yml

@@ -1,11 +0,0 @@
----
-
-firewall_services:
-  - http
-  - https
-
-#firewall_ports:
-#  - 1337/tcp
-#  - 42/udp
-
-# uncomment and change if necessary

host_vars/unhb4/authentik-vault.yml

@@ -0,0 +1,22 @@
+$ANSIBLE_VAULT;1.1;AES256
+31343963396633396632623766363862386661353265393166666536656530623938383233653464
+3034386666346435313062306463383864393233623363360a363464343263353337306634656630
+37623936636161363766386130663838633933393862386466383433326661663565353836663539
+3839303839336432330a613031613936613166313034346437373635346639313733666562333331
+62636632313339356363316436316238303338306538346564346431363730656466656265303134
+32393662666332313665373464656262646636336632306562616536633166303434346135623461
+62316339653533326430636361313931656366623330316638373139343835366535666639663630
+39313230613331613663643736326563323734353861613036623565303931653932376134643336
+62623965363034373939646165366461366134653538623262343462363736636365346133653034
+39633030376237326436316632393433333733333966323366313536393233343866353831393462
+39393132613534396534386539643864323966633363353934363838323830356463663936353336
+36346638663336616265656363636264383563336663313364646461306662323531303038373364
+33633536646331393738613534613430663330663462346432616230306338386131326566636331
+66663065393939393733646131663031313963353830316633376263383666333930613664366635
+64333563393639653364373636393134326362626131336232306439323634666462616534326439
+62616533643065623063303536303964366531313164366532316536643839363764316430323236
+31336333333031363661323935623739363263663461323266616338306139393265323332363462
+64616637346239366131663863326261373838626164613230383862313361633136396365636666
+39383035363236323036613365316565383232363631393839626436336665626566303964653163
+31646634323536343730366462393137656135646661383030346137373364613138386638316138
+3634

host_vars/unhb4/authentik.yml

@@ -0,0 +1,11 @@
+---
+
+authentik_error_reporting: "true"
+authentik_email_host: "mail.un-hack-bar.de"
+authentik_email_port: "587"
+authentik_email_use_tls: "true"
+authentik_email_use_ssl: "false"
+authentik_email_timeout: "10"
+authentik_port_http: "9000"
+authentik_port_https: "9443"
+authentik_domain: "auth.un-hack-bar.de,auth.unhb.de"

host_vars/unhb4/docker.yml

@@ -0,0 +1,4 @@
+---
+
+docker_compose_config_dir: "/srv/docker-config"
+docker_volumes_dir: "/srv/docker-volumes"

host_vars/unhb4/firewall.yml

@@ -0,0 +1,13 @@
+---
+
+firewall_services:
+  - ssh
+  - http
+  - https
+  - smtp
+  - pop3
+
+firewall_ports:
+  - 64738/tcp # Mumble
+  - 64738/udp # Mumble
+  - 21117/tcp # Rustdesk

roles/authentik_docker/handlers/main.yml

@@ -0,0 +1,14 @@
+---
+
+- name: systemctl-daemon-reload
+  ansible.builtin.systemd:
+    daemon_reload: true
+  when: unit.changed
+  notify: restart-authentik-docker
+  tags: molecule-notest
+
+- name: restart-authentik-docker
+  ansible.builtin.systemd:
+    state: restarted
+    name: authentik-docker.service
+  tags: molecule-notest

roles/authentik_docker/tasks/main.yml

@@ -0,0 +1,70 @@
+---
+
+- name: "Install dependencies"
+  ansible.builtin.apt:
+    pkg:
+      - docker-compose
+      - apparmor # if not installed, Docker will complain
+
+- name: "Create directories for authentik-docker"
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: authentik-docker
+    group: root
+    mode: '0755'
+  with_items:
+    - "{{ docker_compose_config_dir }}/authentik"
+    - "{{ docker_volumes_dir }}/authentik/database"
+    - "{{ docker_volumes_dir }}/authentik/redis"
+    - "{{ docker_volumes_dir }}/authentik/media"
+    - "{{ docker_volumes_dir }}/authentik/custom-templates"
+    - "{{ docker_volumes_dir }}/authentik/certs"
+
+- name: "Template .env filexs for authentik-docker"
+  ansible.builtin.template:
+    src: "{{ item }}.j2"
+    dest: "/{{ docker_compose_config_dir }}/authentik/{{ item }}"
+    force: true
+    owner: authentik-docker
+    group: root
+    mode: '0600'
+  with_items:
+    - .env
+  notify: restart-authentik-docker
+
+- name: "Template docker-compose.yml for authentik-docker"
+  ansible.builtin.template:
+    src: "{{ item }}.j2"
+    dest: "/{{ docker_compose_config_dir }}/authentik/{{ item }}"
+    force: true
+    owner: root
+    group: docker
+    mode: '0640'
+  with_items:
+    - docker-compose.yml
+  notify: restart-authentik-docker
+
+- name: "Add a user that will run the container"
+  ansible.builtin.user:
+    name: authentik-docker
+    comment: Authentik Docker User
+    home: "{{ docker_volumes_dir }}/authentik"
+    group: docker
+    system: true
+
+- name: "Template systemd unit file for authentik-docker"
+  ansible.builtin.template:
+    src: "authentik-docker.service.j2"
+    dest: "/etc/systemd/system/authentik-docker.service"
+    force: true
+    owner: root
+    group: root
+    mode: '0644'
+  register: unit
+  notify: systemctl-daemon-reload
+
+- name: "Enable systemctl service for authentik-docker"
+  ansible.builtin.service:
+    state: started
+    name: "authentik-docker.service"

roles/authentik_docker/templates/.env.j2

@@ -0,0 +1,18 @@
+PG_PASS={{ authentik_pg_pass }}
+AUTHENTIK_SECRET_KEY={{ authentik_secret }}
+AUTHENTIK_ERROR_REPORTING__ENABLED={{ authentik_error_reporting }}
+# SMTP Host Emails are sent to
+AUTHENTIK_EMAIL__HOST={{ authentik_email_host }}
+AUTHENTIK_EMAIL__PORT={{ authentik_email_port }}
+# Optionally authenticate (don't add quotation marks to your password)
+AUTHENTIK_EMAIL__USERNAME={{ authentik_email_username }}
+AUTHENTIK_EMAIL__PASSWORD={{ authentik_email_password }}
+# Use StartTLS
+AUTHENTIK_EMAIL__USE_TLS={{ authentik_email_use_tls }}
+# Use SSL
+AUTHENTIK_EMAIL__USE_SSL={{ authentik_email_use_ssl }}
+AUTHENTIK_EMAIL__TIMEOUT={{ authentik_email_timeout }}
+# Email address authentik will send from, should have a correct @domain
+AUTHENTIK_EMAIL__FROM={{ authentik_email_from }}
+AUTHENTIK_PORT_HTTP={{ authentik_port_http }}
+AUTHENTIK_PORT_HTTPS={{ authentik_port_https }}

roles/authentik_docker/templates/authentik-docker.service.j2

@@ -0,0 +1,35 @@
+[Unit]
+Description=Authentik in Docker
+
+[Service]
+Type=exec
+User=authentik-docker
+WorkingDirectory={{ docker_compose_config_dir }}/authentik
+ExecStart=docker compose up postgresql redis server worker 
+Restart=on-failure
+RestartSec=30s
+
+# Optional hardening to improve security
+ReadWritePaths={{ docker_volumes_dir }}/ /tmp/
+NoNewPrivileges=yes
+#MemoryDenyWriteExecute=true
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=strict
+ProtectControlGroups=true
+RestrictSUIDSGID=true
+RestrictRealtime=true
+LockPersonality=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectHostname=true
+ProtectKernelModules=true
+PrivateUsers=true
+ProtectClock=true
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target

roles/authentik_docker/templates/docker-compose.yml.j2

@@ -0,0 +1,98 @@
+---
+version: '3.4'
+
+services:
+  postgresql:
+    image: docker.io/library/postgres:12-alpine
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    volumes:
+      - {{ docker_volumes_dir }}/authentik/database:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_PASSWORD=${PG_PASS:?database password required}
+      - POSTGRES_USER=${PG_USER:-authentik}
+      - POSTGRES_DB=${PG_DB:-authentik}
+    env_file:
+      - .env
+  redis:
+    image: docker.io/library/redis:alpine
+    command: --save 60 1 --loglevel warning
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 3s
+    volumes:
+      - {{ docker_volumes_dir }}/authentik/redis:/data
+  server:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.11.3}
+    restart: unless-stopped
+    command: server
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+      VIRTUAL_HOST: {{ authentik_domain }}
+      VIRTUAL_PORT: {{ authentik_port_http }}
+      LETSENCRYPT_HOST: {{ authentik_domain }}
+      LETSENCRYPT_EMAIL: {{letsencrypt_email }}
+    volumes:
+      - {{ docker_volumes_dir }}/authentik/media:/media
+      - {{ docker_volumes_dir }}/authentik/custom-templates:/templates
+      - {{ docker_volumes_dir }}/authentik/geoip:/geoip
+    env_file:
+      - .env
+    expose:
+      - "${AUTHENTIK_PORT_HTTP:-9000}"
+      - "${AUTHENTIK_PORT_HTTPS:-9443}"
+  worker:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.11.3}
+    restart: unless-stopped
+    command: worker
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: postgresql
+      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+    # `user: root` and the docker socket volume are optional.
+    # See more for the docker socket integration here:
+    # https://goauthentik.io/docs/outposts/integrations/docker
+    # Removing `user: root` also prevents the worker from fixing the permissions
+    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
+    # (1000:1000 by default)
+    user: root
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - {{ docker_volumes_dir }}/authentik/media:/media
+      - {{ docker_volumes_dir }}/authentik/certs:/certs
+      - {{ docker_volumes_dir }}/authentik/custom-templates:/templates
+      - {{ docker_volumes_dir }}/authentik/geoip:/geoip
+    env_file:
+      - .env
+  geoipupdate:
+    image: "maxmindinc/geoipupdate:latest"
+    volumes:
+      - "{{ docker_volumes_dir }}/authentik/geoip:/usr/share/GeoIP"
+    environment:
+      GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
+      GEOIPUPDATE_FREQUENCY: "8"
+    env_file:
+      - .env
+
+volumes:
+  database:
+    driver: local
+  redis:
+    driver: local
+  geoip:
+    driver: local

site.yml

@@ -9,4 +9,12 @@
     - apt-update-upgrade
     - apt_listchanges
     - basic_common_settings
-    #- firewalld - not currently in use
+    - firewalld
+
+- name: Set up roles on unhb4
+  hosts: unhb4
+  remote_user: root
+  
+  roles:
+    - authentik_docker
+