Compare commits

...

17 Commits

Author SHA1 Message Date
Lukáš Kucharczyk 08572f6ef8
jellyfin, nginx, openldap: do not restart 2021-06-21 11:54:24 +02:00
Lukáš Kucharczyk c542668491
openldap: remove cruft 2021-06-21 11:54:03 +02:00
Lukáš Kucharczyk 79170487c7
openldap: move above portainer 2021-06-21 11:53:49 +02:00
Lukáš Kucharczyk f1b3417202
docker: add convenience packages 2021-06-21 11:32:43 +02:00
Lukáš Kucharczyk 57c7b06f03
authelia: secure portainer, keycloak, allow local 2021-06-21 11:32:24 +02:00
Lukáš Kucharczyk 11c96fe48d
portainer: allow access to ldap 2021-06-21 11:28:52 +02:00
Lukáš Kucharczyk 8175a62c0b
nginx: make sure https redirect works 2021-06-21 11:28:36 +02:00
Lukáš Kucharczyk 53570a1f08
minor: fix space 2021-06-21 11:11:27 +02:00
Lukáš Kucharczyk a0b1b75a73
Improve networks
Create a single external network called "external".
Create container-specific networks.
Only a few containers need access to these.
So far: openldap, postgres.
2021-06-21 10:38:18 +02:00
Lukáš Kucharczyk d6a6e418b6
nginx: log subrequests 2021-06-21 09:53:47 +02:00
Lukáš Kucharczyk f07c3128e1
portainer: copy nginx conf 2021-06-20 23:26:54 +02:00
Lukáš Kucharczyk a2651e5f79
portainer: add nginx-internal network 2021-06-20 23:09:33 +02:00
Lukáš Kucharczyk 7e2c66c907
Set portainer to one_factor 2021-06-20 23:09:22 +02:00
Lukáš Kucharczyk e28b445cd8
portainer: add nginx conf 2021-06-20 23:07:20 +02:00
Lukáš Kucharczyk f2d80dbe15
portainer: add main task 2021-06-20 23:07:19 +02:00
Lukáš Kucharczyk 7e7c28d68c
portainer: add role to playbook 2021-06-20 23:07:18 +02:00
Lukáš Kucharczyk 8ab660cebb
Fix error introduced in 9cf68c4fda 2021-06-20 23:06:48 +02:00
15 changed files with 85 additions and 29 deletions

View File

@ -3,8 +3,9 @@
roles: roles:
- docker - docker
- nginx - nginx
- jellyfin
- openldap - openldap
- portainer
- jellyfin
- postgres - postgres
- authelia - authelia
- keycloak - keycloak

View File

@ -17,8 +17,8 @@
ports: ports:
- "9091:9091" - "9091:9091"
networks: networks:
- name: bridge - name: external
- name: nginx-internal - name: openldap
volumes: volumes:
- "{{ data_folder }}/authelia:/config" - "{{ data_folder }}/authelia:/config"
- name: copy nginx endpoint conf - name: copy nginx endpoint conf

View File

@ -1,7 +1,7 @@
server { server {
listen 80;
server_name auth.{{ base_domain }}; server_name auth.{{ base_domain }};
return 301 https://$host$request_uri; listen 80;
return 301 https://$server_name$request_uri;
} }
server { server {

View File

@ -26,9 +26,20 @@ authentication_backend:
password: {{ vault_openldap_admin_password }} password: {{ vault_openldap_admin_password }}
access_control: access_control:
default_policy: deny default_policy: deny
networks:
- name: local
networks:
- 192.168.0.0/24
rules: rules:
- domain: "*.{{ base_domain }}" - domain: "*.{{ base_domain }}"
networks:
- local
policy: bypass policy: bypass
- domain: portainer.{{ base_domain }}
policy: one_factor
- domain: keycloak.{{ base_domain }}
policy: one_factor
session:
name: authelia_session name: authelia_session
secret: somerandomsecret secret: somerandomsecret
expiration: 1h expiration: 1h

View File

@ -3,6 +3,9 @@
name: name:
- docker - docker
- python-pip - python-pip
- neovim
- fish
- curlie
state: present state: present
update_cache: true update_cache: true
- name: start - name: start
@ -12,8 +15,9 @@
- name: add user to group - name: add user to group
user: user:
name: lukas name: lukas
groups: docker groups: docker,wheel
append: true append: true
shell: /usr/bin/fish
- name: install python docker - name: install python docker
pip: pip:
name: name:

View File

@ -12,7 +12,7 @@
name: 'jellyfin' name: 'jellyfin'
image: linuxserver/jellyfin image: linuxserver/jellyfin
networks: networks:
- name: nginx-internal - name: external
volumes: volumes:
- "{{ data_folder }}/jellyfin:/config" - "{{ data_folder }}/jellyfin:/config"
- "{{ media.tv }}:/data/tv" - "{{ media.tv }}:/data/tv"
@ -29,7 +29,6 @@
devices: devices:
- /dev/dri:/dev/dri - /dev/dri:/dev/dri
state: started state: started
restart: yes
- name: copy jellyfin nginx config - name: copy jellyfin nginx config
template: template:
src: jellyfin.conf.j2 src: jellyfin.conf.j2

View File

@ -1,6 +1,7 @@
server { server {
server_name "jellyfin.{{ base_domain }}";
listen 80; listen 80;
return 301 https://$host$request_uri; return 301 https://$server_name$request_uri;
} }
server { server {

View File

@ -5,8 +5,9 @@
ports: ports:
- "8080:8080" - "8080:8080"
networks: networks:
- name: external
- name: postgres - name: postgres
- name: nginx-internal - name: openldap
env: env:
"KEYCLOAK_USER": "{{ vault_keycloak_user }}" "KEYCLOAK_USER": "{{ vault_keycloak_user }}"
"KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}" "KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}"

View File

@ -1,6 +1,7 @@
server { server {
server_name "keycloak.{{ base_domain }}";
listen 80; listen 80;
return 301 https://$host$request_uri; return 301 https://$server_name$request_uri;
} }
server { server {

View File

@ -14,11 +14,11 @@
- name: generate self-signed certs - name: generate self-signed certs
import_tasks: self-signed.yml import_tasks: self-signed.yml
when: self_signed when: self_signed
- name: create nginx bridge network - name: create external bridge network
docker_network: docker_network:
name: nginx-internal name: external
attachable: true attachable: true
internal: true internal: false
state: present state: present
- name: copy nginx.conf - name: copy nginx.conf
template: template:
@ -37,8 +37,7 @@
name: 'nginx' name: 'nginx'
image: nginx image: nginx
networks: networks:
- name: bridge - name: external
- name: nginx-internal
volumes: volumes:
- "{{ data_folder }}/nginx/conf.d:/etc/nginx/conf.d" - "{{ data_folder }}/nginx/conf.d:/etc/nginx/conf.d"
- "{{ data_folder }}/nginx/nginx.conf:/etc/nginx/nginx.conf" - "{{ data_folder }}/nginx/nginx.conf:/etc/nginx/nginx.conf"
@ -54,4 +53,3 @@
NGINX_HOST: "{{ base_domain }}" NGINX_HOST: "{{ base_domain }}"
NGINX_PORT: '80' NGINX_PORT: '80'
state: started state: started
restart: yes

View File

@ -14,6 +14,8 @@ http {
include /etc/nginx/mime.types; include /etc/nginx/mime.types;
default_type application/octet-stream; default_type application/octet-stream;
log_subrequest on;
log_format main '$remote_addr - $remote_user [$time_local] "$request" ' log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" ' '$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"'; '"$http_user_agent" "$http_x_forwarded_for"';

View File

@ -6,13 +6,19 @@
loop: loop:
- "{{ data_folder }}/openldap" - "{{ data_folder }}/openldap"
- "{{ data_folder }}/openldap/data" - "{{ data_folder }}/openldap/data"
- name: create network
docker_network:
name: openldap
attachable: true
internal: true
state: present
- name: run container - name: run container
docker_container: docker_container:
name: "openldap" name: "openldap"
image: osixia/openldap image: osixia/openldap
hostname: openldap hostname: openldap
networks: networks:
- name: nginx-internal - name: openldap
ports: ports:
- "389:389" - "389:389"
- "636:636" - "636:636"
@ -24,4 +30,3 @@
LDAP_ADMIN_PASSWORD: "{{ vault_openldap_admin_password }}" LDAP_ADMIN_PASSWORD: "{{ vault_openldap_admin_password }}"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "false" LDAP_REMOVE_CONFIG_AFTER_SETUP: "false"
state: started state: started
restart: yes

View File

@ -1,6 +0,0 @@
dn: dc=kucharczyk,dc=xyz
objectclass: top
objectclass: dcObject
objectclass: organization
dc: kucharczyk
o: Homelab

View File

@ -0,0 +1,19 @@
- name: run container
docker_container:
name: 'portainer'
image: portainer/portainer-ce
networks:
- name: external
- name: openldap
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
ports:
- "8000:8000"
- "9000:9000"
state: started
- name: copy nginx conf
template:
src: portainer.conf.j2
dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
mode: "755"
notify: reload nginx

View File

@ -0,0 +1,20 @@
server {
server_name portainer.{{ base_domain }};
listen 80;
return 301 https://$server_name$request_uri;
}
server {
server_name portainer.{{ base_domain }};
listen 443 ssl http2;
include /etc/nginx/snippets/authelia-endpoint.conf;
location / {
include /etc/nginx/snippets/proxy.conf;
include /etc/nginx/snippets/authelia-auth.conf;
set $upstream http://portainer:9000; # This example assumes a Docker deployment
proxy_pass $upstream;
}
}