No commits in common. "b7c3a3af8a6a541044e54fb05fcf2678031c369c" and "5b5f53564f1821a9148a197ec309735390ae7f7d" have entirely different histories.
b7c3a3af8a
...
5b5f53564f
|
@ -14,9 +14,6 @@ homelab.
|
||||||
|
|
||||||
* NGINX
|
* NGINX
|
||||||
* Jellyfin
|
* Jellyfin
|
||||||
* OpenLDAP
|
|
||||||
* PostgreSQL
|
|
||||||
* Keycloak
|
|
||||||
|
|
||||||
=== Testing
|
=== Testing
|
||||||
To run locally, specify the inventory file with `-i hosts`.
|
To run locally, specify the inventory file with `-i hosts`.
|
||||||
|
|
|
@ -5,8 +5,5 @@
|
||||||
- nginx
|
- nginx
|
||||||
- jellyfin
|
- jellyfin
|
||||||
- openldap
|
- openldap
|
||||||
- postgres
|
|
||||||
- keycloak
|
|
||||||
vars_files:
|
vars_files:
|
||||||
- vault/certs/{{ base_domain }}.yml
|
- vault/certs/{{ base_domain }}.yml
|
||||||
- vault/passwords.yml
|
|
||||||
|
|
|
@ -1,25 +0,0 @@
|
||||||
- name: run container
|
|
||||||
docker_container:
|
|
||||||
name: "keycloak"
|
|
||||||
image: "quay.io/keycloak/keycloak"
|
|
||||||
ports:
|
|
||||||
- "8080:8080"
|
|
||||||
networks:
|
|
||||||
- name: postgres
|
|
||||||
- name: nginx-internal
|
|
||||||
env:
|
|
||||||
"KEYCLOAK_USER": "{{ vault_keycloak_user }}"
|
|
||||||
"KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}"
|
|
||||||
"DB_VENDOR": POSTGRES
|
|
||||||
"DB_ADDR": postgres
|
|
||||||
"DB_DATABASE": keycloak
|
|
||||||
"DB_USER": keycloak
|
|
||||||
"DB_SCHEMA": public
|
|
||||||
"DB_PASSWORD": "{{ vault_postgres_keycloak_user_password }}"
|
|
||||||
"PROXY_ADDRESS_FORWARDING": "true"
|
|
||||||
- name: copy nginx conf
|
|
||||||
template:
|
|
||||||
src: "keycloak.conf.j2"
|
|
||||||
dest: "{{ data_folder }}/nginx/conf.d/{{ role_name}}.{{ base_domain }}.conf"
|
|
||||||
mode: "755"
|
|
||||||
notify: reload nginx
|
|
|
@ -1,26 +0,0 @@
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
return 301 https://$host$request_uri;
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
server_name "keycloak.{{ base_domain }}";
|
|
||||||
set $keycloak keycloak;
|
|
||||||
|
|
||||||
# Security/XSS Mitigation Headers
|
|
||||||
add_header X-Frame-Options "SAMEORIGIN";
|
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
|
||||||
add_header X-Content-Type-Options "nosniff";
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://$keycloak:8080;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header X-Forwarded-Protocol $scheme;
|
|
||||||
proxy_set_header X-Forwarded-Host $http_host;
|
|
||||||
proxy_buffering off;
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -6,22 +6,44 @@
|
||||||
loop:
|
loop:
|
||||||
- "{{ data_folder }}/openldap"
|
- "{{ data_folder }}/openldap"
|
||||||
- "{{ data_folder }}/openldap/data"
|
- "{{ data_folder }}/openldap/data"
|
||||||
|
- "{{ data_folder }}/openldap/slapd.d"
|
||||||
|
- "{{ data_folder }}/openldap/ldifs"
|
||||||
|
# - name: copy slapd.conf
|
||||||
|
# template:
|
||||||
|
# src: slapd.conf.j2
|
||||||
|
# dest: "{{ data_folder }}/openldap/slapd.d/slapd.conf"
|
||||||
|
# mode: '0755'
|
||||||
|
- name: copy user ldif
|
||||||
|
template:
|
||||||
|
src: lukas.ldif.j2
|
||||||
|
dest: "{{ data_folder }}/openldap/ldifs/lukas.ldif"
|
||||||
|
mode: '0755'
|
||||||
- name: run container
|
- name: run container
|
||||||
docker_container:
|
docker_container:
|
||||||
name: "openldap"
|
name: "openldap"
|
||||||
image: osixia/openldap
|
image: osixia/openldap
|
||||||
hostname: openldap
|
command: "--loglevel debug"
|
||||||
|
hostname: ldap.dev.local
|
||||||
networks:
|
networks:
|
||||||
|
# - name: bridge
|
||||||
- name: nginx-internal
|
- name: nginx-internal
|
||||||
ports:
|
ports:
|
||||||
- "389:389"
|
- "389:389"
|
||||||
- "636:636"
|
- "636:636"
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ data_folder }}/openldap/data:/var/lib/ldap"
|
- "{{ data_folder }}/openldap/data:/var/lib/ldap"
|
||||||
|
- "{{ data_folder }}/openldap/slapd.d:/etc/ldap/slapd.d"
|
||||||
|
- "{{ data_folder }}/openldap/ldifs:/container/service/slapd/assets/config/bootstrap/ldif/custom"
|
||||||
env:
|
env:
|
||||||
LDAP_ORGANISATION: "Homelab"
|
LDAP_ORGANISATION: "Homelab"
|
||||||
LDAP_DOMAIN: "kucharczyk.xyz"
|
LDAP_DOMAIN: "kucharczyk.xyz"
|
||||||
LDAP_ADMIN_PASSWORD: "{{ vault_openldap_admin_password }}"
|
|
||||||
LDAP_REMOVE_CONFIG_AFTER_SETUP: "false"
|
LDAP_REMOVE_CONFIG_AFTER_SETUP: "false"
|
||||||
|
LDAP_ADMIN_PASSWORD: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
35623735376134353839323136623133393035343162363366643632376262393539653736326431
|
||||||
|
6635373265313033653861393463633835333639346239650a303463323063373866316162616131
|
||||||
|
66356335346631386265363462353034393735366430636634643466376435313638303938363363
|
||||||
|
3838396139663964300a633931303135376566633363303336373937373138643564636263656233
|
||||||
|
6239
|
||||||
state: started
|
state: started
|
||||||
restart: yes
|
restart: yes
|
|
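Review bot: The `copy user ldif` task writes `lukas.ldif`, a file that carries a `userPassword` hash (see the new lukas.ldif.j2 in this compare), with `mode: '0755'`, so the hash becomes world-readable on the host and the file is needlessly executable; `mode: '0600'` is sufficient for a bootstrap file the container only reads. The same mode appears in the commented-out `copy slapd.conf` task just above it, so correct it there too before that task is re-enabled. The new `command: "--loglevel debug"` on the container looks like a setup-time aid; if it is meant to stay, say so in a comment, since verbose slapd logging may record bind details of every client. The directory task that owns the `loop:` at the top of the hunk starts outside it.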
@ -0,0 +1,14 @@
|
||||||
|
dn: uid=lukas,dc=kucharczyk,dc=xyz
|
||||||
|
uid: lukas
|
||||||
|
cn: lukas
|
||||||
|
givenName: Lukas
|
||||||
|
sn: Kucharczyk
|
||||||
|
objectClass: top
|
||||||
|
objectClass: posixAccount
|
||||||
|
objectClass: inetOrgPerson
|
||||||
|
loginShell: /bin/bash
|
||||||
|
homeDirectory: /home/lukas
|
||||||
|
uidNumber: 1000
|
||||||
|
gidNumber: 1000
|
||||||
|
userPassword: {SSHA}zsJllCeWKbz1we+L/gu/yt0hxeBdvJfT
|
||||||
|
mail: lukas@kucharczyk.xyz
|
|
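Review bot: `userPassword: {SSHA}...` on the second-to-last line commits a credential hash in clear to the repository, while the rest of this change keeps the LDAP admin password in Ansible Vault (`LDAP_ADMIN_PASSWORD: !vault |` in the openldap tasks); SSHA is a single salted SHA-1 pass and offers little resistance to offline guessing once the hash is exposed. Since this is a `.j2` template, render the hash from a vaulted variable instead, e.g. `userPassword: "{{ <vaulted_hash_variable> }}"` with the placeholder replaced by a variable defined in the role's vault file, and rotate this account's password afterwards. The hard-coded `dc=kucharczyk,dc=xyz` in the `dn` and the `mail` domain duplicate `LDAP_DOMAIN` in the tasks file; deriving them from one variable would keep the two in step.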
@ -0,0 +1,16 @@
|
||||||
|
# default config from /etc/openldap/slapd.conf
|
||||||
|
include /etc/openldap/schema/core.schema
|
||||||
|
pidfile /run/openldap/slapd.pid
|
||||||
|
argsfile /run/openldap/slapd.args
|
||||||
|
|
||||||
|
# custom config
|
||||||
|
allow bind_anon_dn
|
||||||
|
access to attrs=userPassword by * auth
|
||||||
|
access to * by * read
|
||||||
|
loglevel 256
|
||||||
|
|
||||||
|
database mdb
|
||||||
|
suffix "dc=kucharczyk, dc=xyz"
|
||||||
|
rootdn "cn=admin, dc=kucharczyk, dc=xyz"
|
||||||
|
rootpw {SSHA}sgIeW4kyz3t0OyfZ1IZjzEDDb31JI3xK
|
||||||
|
directory /var/lib/ldap
|
|
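Review bot: `access to * by * read` together with `allow bind_anon_dn` lets any unauthenticated client read the whole directory, including `uidNumber`, `homeDirectory` and `mail` of every account, and `access to attrs=userPassword by * auth` gives users no way to change their own password. A tighter default is `access to attrs=userPassword by self write by anonymous auth by * none` followed by `access to * by users read by * none`. `rootpw {SSHA}...` is a second credential hash committed in clear; prefer a vaulted value, or rely on `LDAP_ADMIN_PASSWORD` as the tasks file already does for the admin account. The task that would copy this file (`copy slapd.conf`) is commented out in the openldap tasks hunk of this compare, so this configuration appears to be inactive for now; if it is kept, say so in a comment at the top of the file.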
@ -1,36 +0,0 @@
|
||||||
- name: install psycopg2
|
|
||||||
pip:
|
|
||||||
name: psycopg2-binary
|
|
||||||
state: present
|
|
||||||
- name: ensure directories exist
|
|
||||||
file:
|
|
||||||
path: "{{ item }}"
|
|
||||||
state: directory
|
|
||||||
mode: "0755"
|
|
||||||
loop:
|
|
||||||
- "{{ data_folder }}/postgres/data"
|
|
||||||
- "{{ data_folder }}/postgres/init"
|
|
||||||
- name: copy init sql files
|
|
||||||
template:
|
|
||||||
src: "{{ item }}"
|
|
||||||
dest: "{{ data_folder }}/postgres/init/{{ item | basename | regex_replace('.j2$', '') }}"
|
|
||||||
with_fileglob:
|
|
||||||
- "../templates/*.sql.j2"
|
|
||||||
- name: create network
|
|
||||||
docker_network:
|
|
||||||
name: postgres
|
|
||||||
attachable: true
|
|
||||||
internal: true
|
|
||||||
state: present
|
|
||||||
- name: run container
|
|
||||||
docker_container:
|
|
||||||
name: "postgres"
|
|
||||||
image: "postgres:13"
|
|
||||||
networks:
|
|
||||||
- name: postgres
|
|
||||||
volumes:
|
|
||||||
- "{{ data_folder }}/postgres/data:/var/lib/postgresql/data"
|
|
||||||
- "{{ data_folder }}/postgres/init:/docker-entrypoint-initdb.d"
|
|
||||||
env:
|
|
||||||
POSTGRES_PASSWORD: "{{ vault_postgres_password }}"
|
|
||||||
state: started
|
|
|
@ -1,3 +0,0 @@
|
||||||
CREATE USER keycloak WITH PASSWORD '{{ vault_postgres_keycloak_user_password }}';
|
|
||||||
CREATE DATABASE keycloak;
|
|
||||||
GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;
|
|
|
@ -1,17 +0,0 @@
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
65653231333939666430306463383836633664623438373661666234343165633864353934663563
|
|
||||||
3335396466623862353633363264373666353036623134360a356438636230613139633264373265
|
|
||||||
36643231356335653261616238613266306165616363643763356234363537616138353831383064
|
|
||||||
3436353361333263330a313361306236626164343261363432343762313361636338333165376238
|
|
||||||
38666336356361613930316536323338653338353666666162666333636261373866653934626536
|
|
||||||
31643931343338383039616261616130613763383737313037303163366263623066633031646630
|
|
||||||
35373436646635613665343038363931396630653264633964646434346534393531333163643836
|
|
||||||
62323634643537363365313662363766373436633262336339643734613732663832326133363434
|
|
||||||
38643434326266373638366262386162666661383232383965613536663239336361623861613161
|
|
||||||
32313439653132353434316563633638353164626236633766313864343036353562303163373335
|
|
||||||
39653437623132623635363266353636613130666363353633366134663638346263643134383762
|
|
||||||
37316631313437646232326237313436353732333065363666316364373336396135396238363562
|
|
||||||
39633163316532616564366632303965316362653066613536316461643237373834316136383865
|
|
||||||
64353238643638623832656463333563633838633931636166323335336662636362643466303566
|
|
||||||
31333962656530326664636562343738393864613561333734333134386263356533373664666666
|
|
||||||
66373538393037373761
|
|