a lot of fixes and additions
parent
c045196670
commit
b530df3762
17 changed files with 317 additions and 14 deletions
@ -1,2 +1,2 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
ansible-playbook site.yml -i inventory.yml --limit unhb4
|
ansible-playbook site.yml -i inventory.yml --limit unhb4 --check --diff
|
||||||
|
|
|
@ -1,2 +1,2 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
ansible-playbook site.yml -i inventory.yml --limit unhb4 --check --diff
|
ansible-playbook site.yml -i inventory.yml --limit unhb4 --diff
|
||||||
|
|
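--- a/ansible.cfg
+++ b/ansible.cfg
@@ -0,0 +1,7 @@
+[defaults]
+fact_caching = yaml
+fact_caching_connection = tmp
+vault_password_file = .vaultpw
+
+[ssh_connection]
+pipelining = True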
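Review bot: `vault_password_file = .vaultpw` resolves relative to the playbook directory, so the password that decrypts group_vars/all/vault.yml and host_vars/unhb4/authentik-vault.yml lives right next to the ciphertext; nothing in this commit shows an ignore rule for it, so confirm `.vaultpw` is excluded from version control before the next push. The same applies to the `tmp` directory that `fact_caching_connection = tmp` writes gathered facts into, since cached facts carry hostnames, addresses and local user lists. A header comment such as `# .vaultpw and tmp/ must never be committed` would make that expectation visible to whoever edits this file next.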
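--- a/group_vars/all/apt.yml
+++ b/group_vars/all/apt.yml
@@ -0,0 +1,6 @@
+---
+
+APT_Periodic_Update_Package_Lists: "1"
+APT_Periodic_Download_Upgradeable_Packages: "1"
+APT_Periodic_AutocleanInterval: "7"
+APT_Periodic_Unattended_Upgrade: "1"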
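--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+38653965373362373633626561363436306535383363306363323934333030653434303238393764
+3963303739303161336635643963336365653066656534380a643739333261383731343966613132
+65383261343733353263383436616363323739326135346139646564326362386234356262663365
+3963616639656131310a343065363336653135666163646664626363386236623064633634636234
+36306234626538313563646138663031613031626237333462303038653839303534336630346661
+37363737306330626436613763373365663231333165616362346138663866643134336630653061
+663332333639616437346239643635363264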
@ -1,11 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
firewall_services:
|
|
||||||
- http
|
|
||||||
- https
|
|
||||||
|
|
||||||
#firewall_ports:
|
|
||||||
# - 1337/tcp
|
|
||||||
# - 42/udp
|
|
||||||
|
|
||||||
# uncomment and change if necessary
|
|
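--- a/host_vars/unhb4/authentik-vault.yml
+++ b/host_vars/unhb4/authentik-vault.yml
@@ -0,0 +1,22 @@
+$ANSIBLE_VAULT;1.1;AES256
+31343963396633396632623766363862386661353265393166666536656530623938383233653464
+3034386666346435313062306463383864393233623363360a363464343263353337306634656630
+37623936636161363766386130663838633933393862386466383433326661663565353836663539
+3839303839336432330a613031613936613166313034346437373635346639313733666562333331
+62636632313339356363316436316238303338306538346564346431363730656466656265303134
+32393662666332313665373464656262646636336632306562616536633166303434346135623461
+62316339653533326430636361313931656366623330316638373139343835366535666639663630
+39313230613331613663643736326563323734353861613036623565303931653932376134643336
+62623965363034373939646165366461366134653538623262343462363736636365346133653034
+39633030376237326436316632393433333733333966323366313536393233343866353831393462
+39393132613534396534386539643864323966633363353934363838323830356463663936353336
+36346638663336616265656363636264383563336663313364646461306662323531303038373364
+33633536646331393738613534613430663330663462346432616230306338386131326566636331
+66663065393939393733646131663031313963353830316633376263383666333930613664366635
+64333563393639653364373636393134326362626131336232306439323634666462616534326439
+62616533643065623063303536303964366531313164366532316536643839363764316430323236
+31336333333031363661323935623739363263663461323266616338306139393265323332363462
+64616637346239366131663863326261373838626164613230383862313361633136396365636666
+39383035363236323036613365316565383232363631393839626436336665626566303964653163
+31646634323536343730366462393137656135646661383030346137373364613138386638316138
+3634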
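--- a/host_vars/unhb4/authentik.yml
+++ b/host_vars/unhb4/authentik.yml
@@ -0,0 +1,11 @@
+---
+
+authentik_error_reporting: "true"
+authentik_email_host: "mail.un-hack-bar.de"
+authentik_email_port: "587"
+authentik_email_use_tls: "true"
+authentik_email_use_ssl: "false"
+authentik_email_timeout: "10"
+authentik_port_http: "9000"
+authentik_port_https: "9443"
+authentik_domain: "auth.un-hack-bar.de,auth.unhb.de"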
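Review bot: `authentik_error_reporting: "true"` feeds `AUTHENTIK_ERROR_REPORTING__ENABLED` in templates/.env.j2, which makes authentik ship error reports to an endpoint outside this host; since that is off in authentik's defaults, a one-line comment above it (`# intentionally on: error reports leave the host`) would stop the next reader from "fixing" it or being surprised by the outbound traffic. The `authentik_email_use_tls`/`authentik_email_use_ssl` pair is consistent with port 587, but deserves `# StartTLS on 587; switch to use_ssl for 465` so the two flags are not flipped together by accident.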
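--- a/host_vars/unhb4/docker.yml
+++ b/host_vars/unhb4/docker.yml
@@ -0,0 +1,4 @@
+---
+
+docker_compose_config_dir: "/srv/docker-config"
+docker_volumes_dir: "/srv/docker-volumes"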
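--- a/host_vars/unhb4/firewall.yml
+++ b/host_vars/unhb4/firewall.yml
@@ -0,0 +1,13 @@
+---
+
+firewall_services:
+- ssh
+- http
+- https
+- smtp
+- pop3
+
+firewall_ports:
+- 64738/tcp # Mumble
+- 64738/udp # Mumble
+- 21117/tcp # Rustdesk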
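Review bot: `- smtp` and `- pop3` open inbound 25/tcp and 110/tcp on unhb4, yet nothing else in this commit installs a mail server on that host, and `pop3` is the cleartext service (firewalld's TLS variant is `pop3s`); if the host only needs to send mail through mail.un-hack-bar.de, neither inbound port is required. Either drop the two entries or annotate them the way the port entries already are (`- pop3 # <service that listens>`) so the exposure is traceable to a daemon.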
14
roles/authentik_docker/handlers/main.yml
Normal file
14
roles/authentik_docker/handlers/main.yml
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: systemctl-daemon-reload
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
daemon_reload: true
|
||||||
|
when: unit.changed
|
||||||
|
notify: restart-authentik-docker
|
||||||
|
tags: molecule-notest
|
||||||
|
|
||||||
|
- name: restart-authentik-docker
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
state: restarted
|
||||||
|
name: authentik-docker.service
|
||||||
|
tags: molecule-notest
|
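Review bot: `when: unit.changed` on the systemctl-daemon-reload handler depends on a variable that only the "Template systemd unit file" task in tasks/main.yml registers; a handler already runs only when a task that changed notifies it, so the condition is redundant, and should any other task later notify this handler without registering `unit`, the handler fails on an undefined variable instead of reloading. Drop the `when:` line and let the notification be the sole trigger. `tags: molecule-notest` presumably serves a Molecule scenario that is not part of this commit; a one-line comment saying so would help the next reader.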
70
roles/authentik_docker/tasks/main.yml
Normal file
70
roles/authentik_docker/tasks/main.yml
Normal file
|
@ -0,0 +1,70 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: "Install dependencies"
|
||||||
|
ansible.builtin.apt:
|
||||||
|
pkg:
|
||||||
|
- docker-compose
|
||||||
|
- apparmor # if not installed, Docker will complain
|
||||||
|
|
||||||
|
- name: "Create directories for authentik-docker"
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ item }}"
|
||||||
|
state: directory
|
||||||
|
owner: authentik-docker
|
||||||
|
group: root
|
||||||
|
mode: '0755'
|
||||||
|
with_items:
|
||||||
|
- "{{ docker_compose_config_dir }}/authentik"
|
||||||
|
- "{{ docker_volumes_dir }}/authentik/database"
|
||||||
|
- "{{ docker_volumes_dir }}/authentik/redis"
|
||||||
|
- "{{ docker_volumes_dir }}/authentik/media"
|
||||||
|
- "{{ docker_volumes_dir }}/authentik/custom-templates"
|
||||||
|
- "{{ docker_volumes_dir }}/authentik/certs"
|
||||||
|
|
||||||
|
- name: "Template .env filexs for authentik-docker"
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "{{ item }}.j2"
|
||||||
|
dest: "/{{ docker_compose_config_dir }}/authentik/{{ item }}"
|
||||||
|
force: true
|
||||||
|
owner: authentik-docker
|
||||||
|
group: root
|
||||||
|
mode: '0600'
|
||||||
|
with_items:
|
||||||
|
- .env
|
||||||
|
notify: restart-authentik-docker
|
||||||
|
|
||||||
|
- name: "Template docker-compose.yml for authentik-docker"
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "{{ item }}.j2"
|
||||||
|
dest: "/{{ docker_compose_config_dir }}/authentik/{{ item }}"
|
||||||
|
force: true
|
||||||
|
owner: root
|
||||||
|
group: docker
|
||||||
|
mode: '0640'
|
||||||
|
with_items:
|
||||||
|
- docker-compose.yml
|
||||||
|
notify: restart-authentik-docker
|
||||||
|
|
||||||
|
- name: "Add a user that will run the container"
|
||||||
|
ansible.builtin.user:
|
||||||
|
name: authentik-docker
|
||||||
|
comment: Authentik Docker User
|
||||||
|
home: "{{ docker_volumes_dir }}/authentik"
|
||||||
|
group: docker
|
||||||
|
system: true
|
||||||
|
|
||||||
|
- name: "Template systemd unit file for authentik-docker"
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "authentik-docker.service.j2"
|
||||||
|
dest: "/etc/systemd/system/authentik-docker.service"
|
||||||
|
force: true
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0644'
|
||||||
|
register: unit
|
||||||
|
notify: systemctl-daemon-reload
|
||||||
|
|
||||||
|
- name: "Enable systemctl service for authentik-docker"
|
||||||
|
ansible.builtin.service:
|
||||||
|
state: started
|
||||||
|
name: "authentik-docker.service"
|
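Review bot: "Create directories for authentik-docker" sets `owner: authentik-docker` before "Add a user that will run the container" creates that user, so a first run on a fresh host fails in the file module; move the user task above the directory task. "Enable systemctl service for authentik-docker" only sets `state: started` — add `enabled: true`, otherwise the unit does not come back after a reboot despite the task's name. Both `dest: "/{{ docker_compose_config_dir }}/authentik/{{ item }}"` lines double the leading slash because docker_compose_config_dir is already absolute (`/srv/docker-config` in host_vars); use `dest: "{{ docker_compose_config_dir }}/authentik/{{ item }}"` as the directory task does, and fix `filexs` in the first template task's name. Two things worth a comment rather than a change: the user is placed in `group: docker`, which is root-equivalent on the host, so the systemd hardening in the unit template confines only the compose client; and the `docker-compose` apt package ships the v1 `docker-compose` binary while the unit calls `docker compose` (the v2 plugin), so confirm the target host actually provides the plugin.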
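--- a/roles/authentik_docker/templates/.env.j2
+++ b/roles/authentik_docker/templates/.env.j2
@@ -0,0 +1,18 @@
+PG_PASS={{ authentik_pg_pass }}
+AUTHENTIK_SECRET_KEY={{ authentik_secret }}
+AUTHENTIK_ERROR_REPORTING__ENABLED={{ authentik_error_reporting }}
+# SMTP Host Emails are sent to
+AUTHENTIK_EMAIL__HOST={{ authentik_email_host }}
+AUTHENTIK_EMAIL__PORT={{ authentik_email_port }}
+# Optionally authenticate (don't add quotation marks to your password)
+AUTHENTIK_EMAIL__USERNAME={{ authentik_email_username }}
+AUTHENTIK_EMAIL__PASSWORD={{ authentik_email_password }}
+# Use StartTLS
+AUTHENTIK_EMAIL__USE_TLS={{ authentik_email_use_tls }}
+# Use SSL
+AUTHENTIK_EMAIL__USE_SSL={{ authentik_email_use_ssl }}
+AUTHENTIK_EMAIL__TIMEOUT={{ authentik_email_timeout }}
+# Email address authentik will send from, should have a correct @domain
+AUTHENTIK_EMAIL__FROM={{ authentik_email_from }}
+AUTHENTIK_PORT_HTTP={{ authentik_port_http }}
+AUTHENTIK_PORT_HTTPS={{ authentik_port_https }}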
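Review bot: The rendered file carries `PG_PASS`, `AUTHENTIK_SECRET_KEY` and `AUTHENTIK_EMAIL__PASSWORD` in clear text, and the `mode: '0600'` on the template task is the only thing protecting them, so the template should say so on its first line: `# Managed by Ansible (roles/authentik_docker) - contains secrets, never copy or commit the rendered file`. Five of the variables referenced here (`authentik_pg_pass`, `authentik_secret`, `authentik_email_username`, `authentik_email_password`, `authentik_email_from`) are not in host_vars/unhb4/authentik.yml and presumably live in the encrypted authentik-vault.yml; a comment naming that file would save the next person the search and makes the undefined-variable failure easier to diagnose when one is missing.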
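--- a/roles/authentik_docker/templates/authentik-docker.service.j2
+++ b/roles/authentik_docker/templates/authentik-docker.service.j2
@@ -0,0 +1,35 @@
+[Unit]
+Description=Authentik in Docker
+
+[Service]
+Type=exec
+User=authentik-docker
+WorkingDirectory={{ docker_compose_config_dir }}/authentik
+ExecStart=docker compose up postgresql redis server worker
+Restart=on-failure
+RestartSec=30s
+
+# Optional hardening to improve security
+ReadWritePaths={{ docker_volumes_dir }}/ /tmp/
+NoNewPrivileges=yes
+#MemoryDenyWriteExecute=true
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=strict
+ProtectControlGroups=true
+RestrictSUIDSGID=true
+RestrictRealtime=true
+LockPersonality=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectHostname=true
+ProtectKernelModules=true
+PrivateUsers=true
+ProtectClock=true
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target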
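Review bot: The block under `# Optional hardening to improve security` confines only the `docker compose` client that `ExecStart` launches; the postgresql, redis, server and worker containers are created by dockerd as root and inherit nothing from `ProtectSystem=strict`, `PrivateDevices=yes` or the `@system-service` filter, and because the service user has to be in the docker group (tasks/main.yml puts it there) to reach the socket, that client is already root-equivalent on the host. Reword the comment so nobody reads the list as protecting authentik itself, e.g. `# Hardening below applies to the compose client only; container confinement is configured in docker-compose.yml`. `#MemoryDenyWriteExecute=true` is left commented out with no reason given — either remove it or add a note saying what broke with it on.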
98
roles/authentik_docker/templates/docker-compose.yml.j2
Normal file
98
roles/authentik_docker/templates/docker-compose.yml.j2
Normal file
|
@ -0,0 +1,98 @@
|
||||||
|
---
|
||||||
|
version: '3.4'
|
||||||
|
|
||||||
|
services:
|
||||||
|
postgresql:
|
||||||
|
image: docker.io/library/postgres:12-alpine
|
||||||
|
restart: unless-stopped
|
||||||
|
healthcheck:
|
||||||
|
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
|
||||||
|
start_period: 20s
|
||||||
|
interval: 30s
|
||||||
|
retries: 5
|
||||||
|
timeout: 5s
|
||||||
|
volumes:
|
||||||
|
- {{ docker_volumes_dir }}/authentik/database:/var/lib/postgresql/data
|
||||||
|
environment:
|
||||||
|
- POSTGRES_PASSWORD=${PG_PASS:?database password required}
|
||||||
|
- POSTGRES_USER=${PG_USER:-authentik}
|
||||||
|
- POSTGRES_DB=${PG_DB:-authentik}
|
||||||
|
env_file:
|
||||||
|
- .env
|
||||||
|
redis:
|
||||||
|
image: docker.io/library/redis:alpine
|
||||||
|
command: --save 60 1 --loglevel warning
|
||||||
|
restart: unless-stopped
|
||||||
|
healthcheck:
|
||||||
|
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
|
||||||
|
start_period: 20s
|
||||||
|
interval: 30s
|
||||||
|
retries: 5
|
||||||
|
timeout: 3s
|
||||||
|
volumes:
|
||||||
|
- {{ docker_volumes_dir }}/authentik/redis:/data
|
||||||
|
server:
|
||||||
|
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.11.3}
|
||||||
|
restart: unless-stopped
|
||||||
|
command: server
|
||||||
|
environment:
|
||||||
|
AUTHENTIK_REDIS__HOST: redis
|
||||||
|
AUTHENTIK_POSTGRESQL__HOST: postgresql
|
||||||
|
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
|
||||||
|
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
|
||||||
|
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
|
||||||
|
VIRTUAL_HOST: {{ authentik_domain }}
|
||||||
|
VIRTUAL_PORT: {{ authentik_port_http }}
|
||||||
|
LETSENCRYPT_HOST: {{ authentik_domain }}
|
||||||
|
LETSENCRYPT_EMAIL: {{letsencrypt_email }}
|
||||||
|
volumes:
|
||||||
|
- {{ docker_volumes_dir }}/authentik/media:/media
|
||||||
|
- {{ docker_volumes_dir }}/authentik/custom-templates:/templates
|
||||||
|
- {{ docker_volumes_dir }}/authentik/geoip:/geoip
|
||||||
|
env_file:
|
||||||
|
- .env
|
||||||
|
expose:
|
||||||
|
- "${AUTHENTIK_PORT_HTTP:-9000}"
|
||||||
|
- "${AUTHENTIK_PORT_HTTPS:-9443}"
|
||||||
|
worker:
|
||||||
|
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.11.3}
|
||||||
|
restart: unless-stopped
|
||||||
|
command: worker
|
||||||
|
environment:
|
||||||
|
AUTHENTIK_REDIS__HOST: redis
|
||||||
|
AUTHENTIK_POSTGRESQL__HOST: postgresql
|
||||||
|
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
|
||||||
|
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
|
||||||
|
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
|
||||||
|
# `user: root` and the docker socket volume are optional.
|
||||||
|
# See more for the docker socket integration here:
|
||||||
|
# https://goauthentik.io/docs/outposts/integrations/docker
|
||||||
|
# Removing `user: root` also prevents the worker from fixing the permissions
|
||||||
|
# on the mounted folders, so when removing this make sure the folders have the correct UID/GID
|
||||||
|
# (1000:1000 by default)
|
||||||
|
user: root
|
||||||
|
volumes:
|
||||||
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
|
- {{ docker_volumes_dir }}/authentik/media:/media
|
||||||
|
- {{ docker_volumes_dir }}/authentik/certs:/certs
|
||||||
|
- {{ docker_volumes_dir }}/authentik/custom-templates:/templates
|
||||||
|
- {{ docker_volumes_dir }}/authentik/geoip:/geoip
|
||||||
|
env_file:
|
||||||
|
- .env
|
||||||
|
geoipupdate:
|
||||||
|
image: "maxmindinc/geoipupdate:latest"
|
||||||
|
volumes:
|
||||||
|
- "{{ docker_volumes_dir }}/authentik/geoip:/usr/share/GeoIP"
|
||||||
|
environment:
|
||||||
|
GEOIPUPDATE_EDITION_IDS: "GeoLite2-City"
|
||||||
|
GEOIPUPDATE_FREQUENCY: "8"
|
||||||
|
env_file:
|
||||||
|
- .env
|
||||||
|
|
||||||
|
volumes:
|
||||||
|
database:
|
||||||
|
driver: local
|
||||||
|
redis:
|
||||||
|
driver: local
|
||||||
|
geoip:
|
||||||
|
driver: local
|
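Review bot: `env_file: - .env` is attached to postgresql and geoipupdate as well as to server and worker, so `AUTHENTIK_SECRET_KEY` and the SMTP credentials are injected into the third-party postgres and maxmind images, which never need them; postgresql already receives its password through compose interpolation (`POSTGRES_PASSWORD=${PG_PASS:?database password required}` is resolved from the project `.env` without env_file), so the two `env_file:` entries on those services can simply be removed. The worker runs as `user: root` with `/var/run/docker.sock` mounted, which gives whoever compromises the worker root on the host; the inline comment calls this optional for the docker outpost integration, and nothing in this commit deploys an outpost, so either drop both lines or name the outpost that needs them. `maxmindinc/geoipupdate:latest` is unpinned and geoipupdate is missing from the unit's `ExecStart` list, so the geoip bind mount stays empty unless someone starts it by hand. The top-level `volumes:` block (database, redis, geoip) declares named volumes that no service references, since every service uses bind mounts under `{{ docker_volumes_dir }}` — delete it or switch the services to the named volumes, but not both.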
Binary file not shown.
10
site.yml
10
site.yml
|
@ -9,4 +9,12 @@
|
||||||
- apt-update-upgrade
|
- apt-update-upgrade
|
||||||
- apt_listchanges
|
- apt_listchanges
|
||||||
- basic_common_settings
|
- basic_common_settings
|
||||||
#- firewalld - not currently in use
|
- firewalld
|
||||||
|
|
||||||
|
- name: Set up roles on unhb4
|
||||||
|
hosts: unhb4
|
||||||
|
remote_user: root
|
||||||
|
|
||||||
|
roles:
|
||||||
|
- authentik_docker
|
||||||
|
|
||||||
|
|
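Review bot: The new play for unhb4 logs in with `remote_user: root` and no `become`, so every authentik_docker task runs over a direct root SSH login; if the host deliberately allows key-only root login that is worth a comment on the line, otherwise a deployment user plus `become: true` is the safer default (the first play's header is above this hunk, so I cannot tell which convention it already uses). Enabling `- firewalld` in the first play is the right order, since host_vars/unhb4/firewall.yml opens ssh there before the second play touches the host.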