From b530df3762952f539bce32c5d78ba455dc3d9f72 Mon Sep 17 00:00:00 2001
From: erebion
Date: Wed, 14 Dec 2022 21:41:29 +0100
Subject: [PATCH] a lot of fixes and additions
---
ansible-checkmode-command-unhb4.sh | 2 +-
ansible-deploy-command-unhb4.sh | 2 +-
ansible.cfg | 7 ++
group_vars/all/apt.yml | 6 ++
group_vars/all/vault.yml | 8 ++
host_vars/firewall.yml | 11 --
host_vars/unhb4/authentik-vault.yml | 22 ++++
host_vars/unhb4/authentik.yml | 11 ++
host_vars/unhb4/docker.yml | 4 +
host_vars/unhb4/firewall.yml | 13 +++
roles/authentik_docker/handlers/main.yml | 14 +++
roles/authentik_docker/tasks/main.yml | 70 +++++++++++++
roles/authentik_docker/templates/.env.j2 | 18 ++++
.../templates/authentik-docker.service.j2 | 35 +++++++
.../templates/docker-compose.yml.j2 | 98 ++++++++++++++++++
roles/firewalld/tasks/.main.yml.swp | Bin 12288 -> 0 bytes
site.yml | 10 +-
17 files changed, 317 insertions(+), 14 deletions(-)
create mode 100644 ansible.cfg
create mode 100644 group_vars/all/apt.yml
create mode 100644 group_vars/all/vault.yml
delete mode 100644 host_vars/firewall.yml
create mode 100644 host_vars/unhb4/authentik-vault.yml
create mode 100644 host_vars/unhb4/authentik.yml
create mode 100644 host_vars/unhb4/docker.yml
create mode 100644 host_vars/unhb4/firewall.yml
create mode 100644 roles/authentik_docker/handlers/main.yml
create mode 100644 roles/authentik_docker/tasks/main.yml
create mode 100644 roles/authentik_docker/templates/.env.j2
create mode 100644 roles/authentik_docker/templates/authentik-docker.service.j2
create mode 100644 roles/authentik_docker/templates/docker-compose.yml.j2
delete mode 100644 roles/firewalld/tasks/.main.yml.swp
diff --git a/ansible-checkmode-command-unhb4.sh b/ansible-checkmode-command-unhb4.sh
index 76eadab..2f22dd0 100755
--- a/ansible-checkmode-command-unhb4.sh
+++ b/ansible-checkmode-command-unhb4.sh
@@ -1,2 +1,2 @@
 #!/bin/bash
-ansible-playbook site.yml -i inventory.yml --limit unhb4
+ansible-playbook site.yml -i inventory.yml --limit unhb4 --check --diff
diff --git a/ansible-deploy-command-unhb4.sh b/ansible-deploy-command-unhb4.sh
index 2f22dd0..b82923e 100755
--- a/ansible-deploy-command-unhb4.sh
+++ b/ansible-deploy-command-unhb4.sh
@@ -1,2 +1,2 @@
 #!/bin/bash
-ansible-playbook site.yml -i inventory.yml --limit unhb4 --check --diff
+ansible-playbook site.yml -i inventory.yml --limit unhb4 --diff
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..83b23a9
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,7 @@
+[defaults]
+fact_caching = yaml
+fact_caching_connection = tmp
+vault_password_file = .vaultpw
+
+[ssh_connection]
+pipelining = True
diff --git a/group_vars/all/apt.yml b/group_vars/all/apt.yml
new file mode 100644
index 0000000..fa88c05
--- /dev/null
+++ b/group_vars/all/apt.yml
@@ -0,0 +1,6 @@
+---
+
+APT_Periodic_Update_Package_Lists: "1"
+APT_Periodic_Download_Upgradeable_Packages: "1"
+APT_Periodic_AutocleanInterval: "7"
+APT_Periodic_Unattended_Upgrade: "1"
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
new file mode 100644
index 0000000..28e55ad
--- /dev/null
+++ b/group_vars/all/vault.yml
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+38653965373362373633626561363436306535383363306363323934333030653434303238393764
+3963303739303161336635643963336365653066656534380a643739333261383731343966613132
+65383261343733353263383436616363323739326135346139646564326362386234356262663365
+3963616639656131310a343065363336653135666163646664626363386236623064633634636234
+36306234626538313563646138663031613031626237333462303038653839303534336630346661
+37363737306330626436613763373365663231333165616362346138663866643134336630653061
+663332333639616437346239643635363264
diff --git a/host_vars/firewall.yml b/host_vars/firewall.yml
deleted file mode 100644
index 4f60cd9..0000000
--- a/host_vars/firewall.yml
+++ /dev/null
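Review bot: `vault_password_file = .vaultpw` puts the plaintext vault password inside the checkout, and nothing in this commit adds a `.gitignore` entry for it (the `.main.yml.swp` removed further down shows that stray files do get committed in this repository). Either add `.vaultpw`, `tmp/` (the fact cache, which will hold gathered host facts) and `*.swp` to `.gitignore` in the same change, or point the setting outside the tree, e.g. `vault_password_file = ~/.ansible/unhb4-vaultpw` (constructed path). `fact_caching_connection = tmp` is likewise relative, so the cache is presumably resolved against the current working directory rather than the playbook directory; an absolute path avoids scattering fact caches across wherever the playbook happens to be run from.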
@@ -1,11 +0,0 @@
----
-
-firewall_services:
- - http
- - https
-
-#firewall_ports:
-# - 1337/tcp
-# - 42/udp
-
-# uncomment and change if necessary
diff --git a/host_vars/unhb4/authentik-vault.yml b/host_vars/unhb4/authentik-vault.yml
new file mode 100644
index 0000000..38376b9
--- /dev/null
+++ b/host_vars/unhb4/authentik-vault.yml
@@ -0,0 +1,22 @@
+$ANSIBLE_VAULT;1.1;AES256
+31343963396633396632623766363862386661353265393166666536656530623938383233653464
+3034386666346435313062306463383864393233623363360a363464343263353337306634656630
+37623936636161363766386130663838633933393862386466383433326661663565353836663539
+3839303839336432330a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
diff --git a/host_vars/unhb4/authentik.yml b/host_vars/unhb4/authentik.yml
new file mode 100644
index 0000000..5157bdc
--- /dev/null
+++ b/host_vars/unhb4/authentik.yml
@@ -0,0 +1,11 @@
+---
+
+authentik_error_reporting: "true"
+authentik_email_host: "mail.un-hack-bar.de"
+authentik_email_port: "587"
+authentik_email_use_tls: "true"
+authentik_email_use_ssl: "false"
+authentik_email_timeout: "10"
+authentik_port_http: "9000"
+authentik_port_https: "9443"
+authentik_domain: "auth.un-hack-bar.de,auth.unhb.de"
diff --git a/host_vars/unhb4/docker.yml b/host_vars/unhb4/docker.yml
new file mode 100644
index 0000000..80e744c
--- /dev/null
+++ b/host_vars/unhb4/docker.yml
@@ -0,0 +1,4 @@
+---
+
+docker_compose_config_dir: "/srv/docker-config"
+docker_volumes_dir: "/srv/docker-volumes"
diff --git a/host_vars/unhb4/firewall.yml b/host_vars/unhb4/firewall.yml
new file mode 100644
index 0000000..452494d
--- /dev/null
+++ b/host_vars/unhb4/firewall.yml
@@ -0,0 +1,13 @@
+---
+
+firewall_services:
+ - ssh
+ - http
+ - https
+ - smtp
+ - pop3
+
+firewall_ports:
+ - 64738/tcp # Mumble
+ - 64738/udp # Mumble
+ - 21117/tcp # Rustdesk
diff --git a/roles/authentik_docker/handlers/main.yml b/roles/authentik_docker/handlers/main.yml
new file mode 100644
index 0000000..50fd2c8
--- /dev/null
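Review bot: `- smtp` and `- pop3` in `firewall_services` open the plaintext mail ports (firewalld's `smtp` service is 25/tcp and `pop3` is 110/tcp), and no mail role or mail host_vars appear in this commit, so it is not clear what is meant to listen there on unhb4. If the intent is client access to a mail server over TLS, the matching firewalld service definitions are `smtp-submission` (587/tcp), `pop3s` (995/tcp) or `imaps` (993/tcp); if the plaintext ports really are needed, give them the kind of inline comment the `firewall_ports` entries already carry, e.g. `- smtp  # inbound MX`. `authentik_email_host` in `host_vars/unhb4/authentik.yml` in the same commit uses `mail.un-hack-bar.de` on port 587 with StartTLS, which suggests submission, not port 25 or 110, is the path actually in use.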
+++ b/roles/authentik_docker/handlers/main.yml
@@ -0,0 +1,14 @@
+---
+
+- name: systemctl-daemon-reload
+ ansible.builtin.systemd:
+ daemon_reload: true
+ when: unit.changed
+ notify: restart-authentik-docker
+ tags: molecule-notest
+
+- name: restart-authentik-docker
+ ansible.builtin.systemd:
+ state: restarted
+ name: authentik-docker.service
+ tags: molecule-notest
diff --git a/roles/authentik_docker/tasks/main.yml b/roles/authentik_docker/tasks/main.yml
new file mode 100644
index 0000000..ce2f66c
--- /dev/null
+++ b/roles/authentik_docker/tasks/main.yml
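Review bot: `when: unit.changed` on the `systemctl-daemon-reload` handler is redundant and fragile: a handler already runs only when a task reports changed and notifies it, and if any task other than the one carrying `register: unit` ever notifies this handler the condition fails on an undefined variable. Drop the `when:` line and let notification alone gate it. Since `restart-authentik-docker` is also notified directly by the two template tasks in `tasks/main.yml`, a first run starts the service in the last task and restarts it in the handler flush; that is tolerable, but the ordering dependency deserves a comment such as `# daemon-reload must run before the restart, so this handler is defined first`.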
@@ -0,0 +1,70 @@
+---
+
+- name: "Install dependencies"
+ ansible.builtin.apt:
+ pkg:
+ - docker-compose
+ - apparmor # if not installed, Docker will complain
+
+- name: "Create directories for authentik-docker"
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: authentik-docker
+ group: root
+ mode: '0755'
+ with_items:
+ - "{{ docker_compose_config_dir }}/authentik"
+ - "{{ docker_volumes_dir }}/authentik/database"
+ - "{{ docker_volumes_dir }}/authentik/redis"
+ - "{{ docker_volumes_dir }}/authentik/media"
+ - "{{ docker_volumes_dir }}/authentik/custom-templates"
+ - "{{ docker_volumes_dir }}/authentik/certs"
+
+- name: "Template .env filexs for authentik-docker"
+ ansible.builtin.template:
+ src: "{{ item }}.j2"
+ dest: "/{{ docker_compose_config_dir }}/authentik/{{ item }}"
+ force: true
+ owner: authentik-docker
+ group: root
+ mode: '0600'
+ with_items:
+ - .env
+ notify: restart-authentik-docker
+
+- name: "Template docker-compose.yml for authentik-docker"
+ ansible.builtin.template:
+ src: "{{ item }}.j2"
+ dest: "/{{ docker_compose_config_dir }}/authentik/{{ item }}"
+ force: true
+ owner: root
+ group: docker
+ mode: '0640'
+ with_items:
+ - docker-compose.yml
+ notify: restart-authentik-docker
+
+- name: "Add a user that will run the container"
+ ansible.builtin.user:
+ name: authentik-docker
+ comment: Authentik Docker User
+ home: "{{ docker_volumes_dir }}/authentik"
+ group: docker
+ system: true
+
+- name: "Template systemd unit file for authentik-docker"
+ ansible.builtin.template:
+ src: "authentik-docker.service.j2"
+ dest: "/etc/systemd/system/authentik-docker.service"
+ force: true
+ owner: root
+ group: root
+ mode: '0644'
+ register: unit
+ notify: systemctl-daemon-reload
+
+- name: "Enable systemctl service for authentik-docker"
+ ansible.builtin.service:
+ state: started
+ name: "authentik-docker.service"
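Review bot: `owner: authentik-docker` is applied by the "Create directories" and "Template .env" tasks before the "Add a user that will run the container" task creates that account, so on a fresh host the first `file` task fails with an unknown owner; move the user task to the top of the file. The last task is named "Enable" but only sets `state: started`; add `enabled: true` so the unit comes back after a reboot. The dependency task installs the distro `docker-compose` package (the v1 Python implementation) while the unit template runs `docker compose up` (the v2 CLI plugin); unless a docker role not in this diff installs `docker-compose-plugin`, that subcommand will not exist on the host. Smaller points: `dest: "/{{ docker_compose_config_dir }}/authentik/{{ item }}"` prepends a second slash to an already absolute `docker_compose_config_dir` in both template tasks, and the task name reads "filexs".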
diff --git a/roles/authentik_docker/templates/.env.j2 b/roles/authentik_docker/templates/.env.j2
new file mode 100644
index 0000000..270fa58
--- /dev/null
+++ b/roles/authentik_docker/templates/.env.j2
@@ -0,0 +1,18 @@
+PG_PASS={{ authentik_pg_pass }}
+AUTHENTIK_SECRET_KEY={{ authentik_secret }}
+AUTHENTIK_ERROR_REPORTING__ENABLED={{ authentik_error_reporting }}
+# SMTP Host Emails are sent to
+AUTHENTIK_EMAIL__HOST={{ authentik_email_host }}
+AUTHENTIK_EMAIL__PORT={{ authentik_email_port }}
+# Optionally authenticate (don't add quotation marks to your password)
+AUTHENTIK_EMAIL__USERNAME={{ authentik_email_username }}
+AUTHENTIK_EMAIL__PASSWORD={{ authentik_email_password }}
+# Use StartTLS
+AUTHENTIK_EMAIL__USE_TLS={{ authentik_email_use_tls }}
+# Use SSL
+AUTHENTIK_EMAIL__USE_SSL={{ authentik_email_use_ssl }}
+AUTHENTIK_EMAIL__TIMEOUT={{ authentik_email_timeout }}
+# Email address authentik will send from, should have a correct @domain
+AUTHENTIK_EMAIL__FROM={{ authentik_email_from }}
+AUTHENTIK_PORT_HTTP={{ authentik_port_http }}
+AUTHENTIK_PORT_HTTPS={{ authentik_port_https }}
diff --git a/roles/authentik_docker/templates/authentik-docker.service.j2 b/roles/authentik_docker/templates/authentik-docker.service.j2
new file mode 100644
index 0000000..a668c2e
--- /dev/null
+++ b/roles/authentik_docker/templates/authentik-docker.service.j2
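Review bot: the `postgresql`, `server`, `worker` and `geoipupdate` services in `docker-compose.yml.j2` all load this file through `env_file`, so `AUTHENTIK_SECRET_KEY` and the SMTP credentials are injected into the database and GeoIP containers too, which only need `PG_PASS` and the GeoIP settings; splitting the authentik-only secrets into a file consumed solely by `server` and `worker` keeps them where they are used. `authentik_pg_pass`, `authentik_secret`, `authentik_email_username`, `authentik_email_password` and `authentik_email_from` are defined in none of the plaintext vars files in this commit and are presumably in the encrypted `authentik-vault.yml`; a header comment, `# secrets are defined in host_vars/unhb4/authentik-vault.yml`, would make that dependency visible to whoever next edits the template. Note too that `AUTHENTIK_ERROR_REPORTING__ENABLED` receives `true` from `authentik.yml`, which opts this instance into sending error reports to the upstream project's error-reporting service.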
@@ -0,0 +1,35 @@
+[Unit]
+Description=Authentik in Docker
+
+[Service]
+Type=exec
+User=authentik-docker
+WorkingDirectory={{ docker_compose_config_dir }}/authentik
+ExecStart=docker compose up postgresql redis server worker
+Restart=on-failure
+RestartSec=30s
+
+# Optional hardening to improve security
+ReadWritePaths={{ docker_volumes_dir }}/ /tmp/
+NoNewPrivileges=yes
+#MemoryDenyWriteExecute=true
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=strict
+ProtectControlGroups=true
+RestrictSUIDSGID=true
+RestrictRealtime=true
+LockPersonality=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectHostname=true
+ProtectKernelModules=true
+PrivateUsers=true
+ProtectClock=true
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/authentik_docker/templates/docker-compose.yml.j2 b/roles/authentik_docker/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..2269e41
--- /dev/null
+++ b/roles/authentik_docker/templates/docker-compose.yml.j2
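Review bot: the `[Unit]` section declares no dependency on the Docker daemon, so at boot this unit can be started before dockerd is up and `docker compose up` fails until `Restart=on-failure` retries it 30 s later; add `After=docker.service` and `Requires=docker.service` under `[Unit]`. The "Optional hardening" block confines only the `docker compose` client process: the containers are children of dockerd, and the `worker` service in `docker-compose.yml.j2` runs as `user: root` with the Docker socket mounted, none of which these directives affect. A comment such as `# Hardening applies to the compose client only; container isolation is configured in docker-compose.yml` would keep a later reader from assuming the workload itself is sandboxed by this unit.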
@@ -0,0 +1,98 @@
+---
+version: '3.4'
+
+services:
+ postgresql:
+ image: docker.io/library/postgres:12-alpine
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 5s
+ volumes:
+ - {{ docker_volumes_dir }}/authentik/database:/var/lib/postgresql/data
+ environment:
+ - POSTGRES_PASSWORD=${PG_PASS:?database password required}
+ - POSTGRES_USER=${PG_USER:-authentik}
+ - POSTGRES_DB=${PG_DB:-authentik}
+ env_file:
+ - .env
+ redis:
+ image: docker.io/library/redis:alpine
+ command: --save 60 1 --loglevel warning
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 3s
+ volumes:
+ - {{ docker_volumes_dir }}/authentik/redis:/data
+ server:
+ image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.11.3}
+ restart: unless-stopped
+ command: server
+ environment:
+ AUTHENTIK_REDIS__HOST: redis
+ AUTHENTIK_POSTGRESQL__HOST: postgresql
+ AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+ AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+ AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+ VIRTUAL_HOST: {{ authentik_domain }}
+ VIRTUAL_PORT: {{ authentik_port_http }}
+ LETSENCRYPT_HOST: {{ authentik_domain }}
+ LETSENCRYPT_EMAIL: {{letsencrypt_email }}
+ volumes:
+ - {{ docker_volumes_dir }}/authentik/media:/media
+ - {{ docker_volumes_dir }}/authentik/custom-templates:/templates
+ - {{ docker_volumes_dir }}/authentik/geoip:/geoip
+ env_file:
+ - .env
+ expose:
+ - "${AUTHENTIK_PORT_HTTP:-9000}"
+ - "${AUTHENTIK_PORT_HTTPS:-9443}"
+ worker:
+ image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.11.3}
+ restart: unless-stopped
+ command: worker
+ environment:
+ AUTHENTIK_REDIS__HOST: redis
+ AUTHENTIK_POSTGRESQL__HOST: postgresql
+ AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+ AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+ AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
+ # `user: root` and the docker socket volume are optional.
+ # See more for the docker socket integration here:
+ # https://goauthentik.io/docs/outposts/integrations/docker
+ # Removing `user: root` also prevents the worker from fixing the permissions
+ # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
+ # (1000:1000 by default)
+ user: root
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - {{ docker_volumes_dir }}/authentik/media:/media
+ - {{ docker_volumes_dir }}/authentik/certs:/certs
+ - {{ docker_volumes_dir }}/authentik/custom-templates:/templates
+ - {{ docker_volumes_dir }}/authentik/geoip:/geoip
+ env_file:
+ - .env
+ geoipupdate:
+ image: "maxmindinc/geoipupdate:latest"
+ volumes:
+ - "{{ docker_volumes_dir }}/authentik/geoip:/usr/share/GeoIP"
+ environment:
+ GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
+ GEOIPUPDATE_FREQUENCY: "8"
+ env_file:
+ - .env
+
+volumes:
+ database:
+ driver: local
+ redis:
+ driver: local
+ geoip:
+ driver: local
diff --git a/roles/firewalld/tasks/.main.yml.swp b/roles/firewalld/tasks/.main.yml.swp
deleted file mode 100644
index 0bc45f06b67d91d42d16f50453e4f11aa1a8c5b4..0000000000000000000000000000000000000000
GIT binary patch literal 0 HcmV?d00001 literal 12288 zcmeI2zi-n(6vwYczyJjV3j;`xR0tvAq@+TKEG&Rvh>)o0T3zgGa>PDczDr9~3KM?= z{{bUx{8*WpSrHQKh!qCDb}mj-M1sl$dR9I<#d*2+{CUn`<#krp@3iS!eMR6nAq1T{ z6kc3>BhGdYh$y_OWpRGaQN{(yoG2k4mw}D0c8!4vdNS+>9hnExSlx+LBTr*x8=E>; z+cJ)$hLg5$8;R7WK1|}dyK?{=U<0!aEQ!_TuM2xt|CSdvzy{a=8(;%$fDNz#Hoykh02^QfY~UX> zAR{5J92MdVDE|K+KmY$YF2r~6348$Wz)SD~JOvNHI=Bg%AOJ_e*JDC_1nmDm>5c6Rp0?(WtQM5L2MMOr%5qM@?o zDeKC&%1BHx7h4f!Do>J|f;S9+ z4=Gnkx}`|F(&@g0xrFWXH9-XDK7T;xBM9VjlxwvFh-kht>`t$C>?j&vS Py*RG!Aw2g7K_GqtIO{*k
diff --git a/site.yml b/site.yml
index cb64d60..b405d1b 100644
--- a/site.yml
+++ b/site.yml
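Review bot: the `worker` service runs as `user: root` with `/var/run/docker.sock` bind-mounted, which gives that container full control of the host's Docker daemon and thus effectively root on the host; the upstream comment marks both as optional, and nothing in this commit configures the docker outpost integration they exist for, so unless that is planned, drop the socket line and `user: root` and have the role create the bind-mount directories with the container's UID/GID (1000:1000 per the comment) instead of `authentik-docker`. `redis:alpine` and `maxmindinc/geoipupdate:latest` are floating tags while `postgres:12-alpine` and `AUTHENTIK_TAG:-2022.11.3` are pinned; pin them the same way so a service restart cannot silently pull a different image. `geoipupdate` is not among the services named in the unit's `ExecStart` line and `.env.j2` supplies no MaxMind account or license key, so it presumably never runs and `/geoip` stays empty in `server` and `worker`. The top-level `volumes:` block declares `database`, `redis` and `geoip` named volumes that no service references (every mount is a bind mount) and can go, and `LETSENCRYPT_EMAIL: {{letsencrypt_email }}` references a variable defined nowhere in this commit, with brace spacing that differs from every other expression in the file.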
@@ -9,4 +9,12 @@
 - apt-update-upgrade
 - apt_listchanges
 - basic_common_settings
- #- firewalld - not currently in use
+ - firewalld
+
+- name: Set up roles on unhb4
+ hosts: unhb4
+ remote_user: root
+
+ roles:
+ - authentik_docker
+
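Review bot: the new `unhb4` play logs in as `remote_user: root` rather than an unprivileged account with `become: true`, so the entire run depends on root SSH login being permitted; the first play's connection settings lie outside this hunk, so consistency between the two cannot be checked here, but a comment on why direct root is required, or a switch to `become`, would help. Re-enabling `- firewalld` in the first play while this commit deletes `host_vars/firewall.yml` means any host of that play other than unhb4 now falls back to the role's defaults for `firewall_services` and `firewall_ports`; confirm those hosts still receive the rules they had. The final added line is a blank line at end of file, which yamllint's `empty-lines` rule flags.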