ansible
/
homelab
1
0
Fork 0
Code Issues 33 Pull Requests Projects 1 Releases Wiki Activity

Compare commits

base: ansible:main
Branches Tags
ansible:main
..
compare: ansible:171ef655f85d25ffe4889d3b074dd110cd748ada
Branches Tags
ansible:main

No commits in common. "main" and "171ef655f85d25ffe4889d3b074dd110cd748ada" have entirely different histories.
main ... 171ef655f8

23 changed files with 75 additions and 188 deletions
Show Stats Expand all files Collapse all files

7
README.adoc
View File

@ -12,14 +12,11 @@ homelab.
=== Containers === Containers
* Authelia
* Jellyfin
* Keycloak
* NGINX * NGINX
* Jellyfin
* OpenLDAP * OpenLDAP
* Portainer
* PostgreSQL * PostgreSQL
* Radarr * Keycloak
=== Testing === Testing
To run locally, specify the inventory file with `-i hosts`. To run locally, specify the inventory file with `-i hosts`.

5
group_vars/all
View File

@ -14,8 +14,3 @@ tz: "Europe/Prague"
media: media:
tv: "{{ data_folder }}/media/tv" tv: "{{ data_folder }}/media/tv"
movies: "{{ data_folder }}/media/movies" movies: "{{ data_folder }}/media/movies"
downloads:
nzb: "{{ data_folder }}/downloads/nzb"
torrent: "{{ data_folder }}/downloads/torrent"
torrent_blackhole: "{{ data_folder }}/downloads/blackhole"
music: "{{ data_folder }}/downloads/music"

4
playbook.yml
View File

@ -3,13 +3,11 @@
roles: roles:
- docker - docker
- nginx - nginx
- openldap
- portainer
- jellyfin - jellyfin
- openldap
- postgres - postgres
- authelia - authelia
- keycloak - keycloak
- radarr
vars_files: vars_files:
- vault/certs/{{ base_domain }}.yml - vault/certs/{{ base_domain }}.yml
- vault/passwords.yml - vault/passwords.yml

1
provision.sh
View File

@ -1,2 +1 @@
#!/bin/env fish
ANSIBLE_VAULT_PASSWORD_FILE=(pass show ansible-homelab | psub) vagrant provision ANSIBLE_VAULT_PASSWORD_FILE=(pass show ansible-homelab | psub) vagrant provision

4
roles/authelia/tasks/main.yml
View File

@ -17,8 +17,8 @@
ports: ports:
- "9091:9091" - "9091:9091"
networks: networks:
- name: external - name: bridge
- name: openldap - name: nginx-internal
volumes: volumes:
- "{{ data_folder }}/authelia:/config" - "{{ data_folder }}/authelia:/config"
- name: copy nginx endpoint conf - name: copy nginx endpoint conf

16
roles/authelia/templates/authelia-auth.conf.j2
View File

@ -1,5 +1,14 @@
auth_request /authelia/api/verify; # Basic Authelia Config
# Send a subsequent request to Authelia to verify if the user is authenticated
# and has the right permissions to access the resource.
auth_request /authelia;
# Set the `target_url` variable based on the request. It will be used to build the portal
# URL with the correct redirection parameter.
auth_request_set $target_url $scheme://$http_host$request_uri; auth_request_set $target_url $scheme://$http_host$request_uri;
# Set the X-Forwarded-User and X-Forwarded-Groups with the headers
# returned by Authelia for the backends which can consume them.
# This is not safe, as the backend must make sure that they come from the
# proxy. In the future, it's gonna be safe to just use OAuth.
auth_request_set $user $upstream_http_remote_user; auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups; auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name; auth_request_set $name $upstream_http_remote_name;
@ -8,4 +17,7 @@ proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups; proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Name $name; proxy_set_header Remote-Name $name;
proxy_set_header Remote-Email $email; proxy_set_header Remote-Email $email;
error_page 401 =302 https://$http_host/authelia/?rd=$target_url; # If Authelia returns 401, then nginx redirects the user to the login portal.
# If it returns 200, then the request pass through to the backend.
# For other type of errors, nginx will handle them as usual.
error_page 401 =302 https://auth.{{ base_domain }}/?rd=$target_url;

17
roles/authelia/templates/authelia-endpoint.conf.j2
View File

@ -1,17 +1,10 @@
location ^~ /authelia { set $upstream_authelia http://authelia:9091/api/verify;
include /etc/nginx/snippets/proxy.conf;
set $upstream_authelia authelia;
proxy_pass http://$upstream_authelia:9091;
}
location = /authelia/api/verify { # Virtual endpoint created by nginx to forward auth requests.
location /authelia {
internal; internal;
if ($request_uri ~ [^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]]) {
return 401;
}
set $upstream_authelia authelia;
proxy_pass_request_body off; proxy_pass_request_body off;
proxy_pass http://$upstream_authelia:9091; proxy_pass $upstream_authelia;
proxy_set_header Content-Length ""; proxy_set_header Content-Length "";
# Timeout if the real server is dead # Timeout if the real server is dead
@ -26,11 +19,11 @@ location = /authelia/api/verify {
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri; proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Method $request_method; proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri; proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Ssl on; proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://; proxy_redirect http:// $scheme://;
proxy_http_version 1.1; proxy_http_version 1.1;

6
roles/authelia/templates/authelia.conf.j2
View File

@ -1,7 +1,7 @@
server { server {
server_name auth.{{ base_domain }};
listen 80; listen 80;
return 301 https://$server_name$request_uri; server_name auth.{{ base_domain }};
return 301 https://$host$request_uri;
} }
server { server {
@ -9,8 +9,8 @@ server {
listen 443 ssl http2; listen 443 ssl http2;
location / { location / {
include /etc/nginx/snippets/proxy.conf;
set $upstream_authelia http://authelia:9091; # This example assumes a Docker deployment set $upstream_authelia http://authelia:9091; # This example assumes a Docker deployment
proxy_pass $upstream_authelia; proxy_pass $upstream_authelia;
include /etc/nginx/snippets/proxy.conf;
} }
} }

19
roles/authelia/templates/configuration.yml.j2
View File

@ -26,21 +26,12 @@ authentication_backend:
password: {{ vault_openldap_admin_password }} password: {{ vault_openldap_admin_password }}
access_control: access_control:
default_policy: deny default_policy: deny
networks:
- name: local
networks:
- 192.168.0.0/24
rules: rules:
- domain: "*.{{ base_domain }}" - domain:
networks: - "{{ base_domain }}"
- local - "*.{{ base_domain }}"
policy: bypass - "keycloak.{{ base_domain }}"
- domain: portainer.{{ base_domain }} policy: deny
policy: one_factor
- domain: keycloak.{{ base_domain }}
policy: one_factor
- domain: radarr.{{ base_domain }}
policy: two_factor
session: session:
name: authelia_session name: authelia_session
secret: somerandomsecret secret: somerandomsecret

6
roles/docker/tasks/main.yml
View File

@ -3,9 +3,6 @@
name: name:
- docker - docker
- python-pip - python-pip
- neovim
- fish
- curlie
state: present state: present
update_cache: true update_cache: true
- name: start - name: start
@ -15,9 +12,8 @@
- name: add user to group - name: add user to group
user: user:
name: lukas name: lukas
groups: docker,wheel groups: docker
append: true append: true
shell: /usr/bin/fish
- name: install python docker - name: install python docker
pip: pip:
name: name:

3
roles/jellyfin/tasks/main.yml
View File

@ -12,7 +12,7 @@
name: 'jellyfin' name: 'jellyfin'
image: linuxserver/jellyfin image: linuxserver/jellyfin
networks: networks:
- name: external - name: nginx-internal
volumes: volumes:
- "{{ data_folder }}/jellyfin:/config" - "{{ data_folder }}/jellyfin:/config"
- "{{ media.tv }}:/data/tv" - "{{ media.tv }}:/data/tv"
@ -29,6 +29,7 @@
devices: devices:
- /dev/dri:/dev/dri - /dev/dri:/dev/dri
state: started state: started
restart: yes
- name: copy jellyfin nginx config - name: copy jellyfin nginx config
template: template:
src: jellyfin.conf.j2 src: jellyfin.conf.j2

3
roles/jellyfin/templates/jellyfin.conf.j2
View File

@ -1,7 +1,6 @@
server { server {
server_name "jellyfin.{{ base_domain }}";
listen 80; listen 80;
return 301 https://$server_name$request_uri; return 301 https://$host$request_uri;
} }
server { server {

5
roles/keycloak/tasks/main.yml
View File

@ -5,9 +5,8 @@
ports: ports:
- "8080:8080" - "8080:8080"
networks: networks:
- name: external
- name: postgres - name: postgres
- name: openldap - name: nginx-internal
env: env:
"KEYCLOAK_USER": "{{ vault_keycloak_user }}" "KEYCLOAK_USER": "{{ vault_keycloak_user }}"
"KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}" "KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}"
@ -21,6 +20,6 @@
- name: copy nginx conf - name: copy nginx conf
template: template:
src: "keycloak.conf.j2" src: "keycloak.conf.j2"
dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf" dest: "{{ data_folder }}/nginx/conf.d/{{ role_name}}.{{ base_domain }}.conf"
mode: "755" mode: "755"
notify: reload nginx notify: reload nginx

5
roles/keycloak/templates/keycloak.conf.j2
View File

@ -1,7 +1,6 @@
server { server {
server_name "keycloak.{{ base_domain }}"; listen 80;
listen 80; return 301 https://$host$request_uri;
return 301 https://$server_name$request_uri;
} }
server { server {

10
roles/nginx/tasks/main.yml
View File

@ -14,11 +14,11 @@
- name: generate self-signed certs - name: generate self-signed certs
import_tasks: self-signed.yml import_tasks: self-signed.yml
when: self_signed when: self_signed
- name: create external bridge network - name: create nginx bridge network
docker_network: docker_network:
name: external name: nginx-internal
attachable: true attachable: true
internal: false internal: true
state: present state: present
- name: copy nginx.conf - name: copy nginx.conf
template: template:
@ -37,7 +37,8 @@
name: 'nginx' name: 'nginx'
image: nginx image: nginx
networks: networks:
- name: external - name: bridge
- name: nginx-internal
volumes: volumes:
- "{{ data_folder }}/nginx/conf.d:/etc/nginx/conf.d" - "{{ data_folder }}/nginx/conf.d:/etc/nginx/conf.d"
- "{{ data_folder }}/nginx/nginx.conf:/etc/nginx/nginx.conf" - "{{ data_folder }}/nginx/nginx.conf:/etc/nginx/nginx.conf"
@ -53,3 +54,4 @@
NGINX_HOST: "{{ base_domain }}" NGINX_HOST: "{{ base_domain }}"
NGINX_PORT: '80' NGINX_PORT: '80'
state: started state: started
restart: yes

2
roles/nginx/templates/nginx.conf.j2
View File

@ -14,8 +14,6 @@ http {
include /etc/nginx/mime.types; include /etc/nginx/mime.types;
default_type application/octet-stream; default_type application/octet-stream;
log_subrequest on;
log_format main '$remote_addr - $remote_user [$time_local] "$request" ' log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" ' '$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"'; '"$http_user_agent" "$http_x_forwarded_for"';

9
roles/openldap/tasks/main.yml
View File

@ -6,19 +6,13 @@
loop: loop:
- "{{ data_folder }}/openldap" - "{{ data_folder }}/openldap"
- "{{ data_folder }}/openldap/data" - "{{ data_folder }}/openldap/data"
- name: create network
docker_network:
name: openldap
attachable: true
internal: true
state: present
- name: run container - name: run container
docker_container: docker_container:
name: "openldap" name: "openldap"
image: osixia/openldap image: osixia/openldap
hostname: openldap hostname: openldap
networks: networks:
- name: openldap - name: nginx-internal
ports: ports:
- "389:389" - "389:389"
- "636:636" - "636:636"
@ -30,3 +24,4 @@
LDAP_ADMIN_PASSWORD: "{{ vault_openldap_admin_password }}" LDAP_ADMIN_PASSWORD: "{{ vault_openldap_admin_password }}"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "false" LDAP_REMOVE_CONFIG_AFTER_SETUP: "false"
state: started state: started
restart: yes

6
roles/openldap/templates/base.ldif.j2 Normal file
View File

@ -0,0 +1,6 @@
dn: dc=kucharczyk,dc=xyz
objectclass: top
objectclass: dcObject
objectclass: organization
dc: kucharczyk
o: Homelab

19
roles/portainer/tasks/main.yml
View File

@ -1,19 +0,0 @@
- name: run container
docker_container:
name: 'portainer'
image: portainer/portainer-ce
networks:
- name: external
- name: openldap
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
ports:
- "8000:8000"
- "9000:9000"
state: started
- name: copy nginx conf
template:
src: portainer.conf.j2
dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
mode: "755"
notify: reload nginx

20
roles/portainer/templates/portainer.conf.j2
View File

@ -1,20 +0,0 @@
server {
server_name portainer.{{ base_domain }};
listen 80;
return 301 https://$server_name$request_uri;
}
server {
server_name portainer.{{ base_domain }};
listen 443 ssl http2;
include /etc/nginx/snippets/authelia-endpoint.conf;
location / {
include /etc/nginx/snippets/proxy.conf;
include /etc/nginx/snippets/authelia-auth.conf;
set $upstream http://portainer:9000; # This example assumes a Docker deployment
proxy_pass $upstream;
}
}

34
roles/radarr/tasks/main.yml
View File

@ -1,34 +0,0 @@
- name: ensure directories exist
file:
path: "{{ item }}"
state: directory
mode: '0755'
loop:
- "{{ data_folder }}/radarr"
- "{{ media.tv }}"
- "{{ media.movies }}"
- "{{ downloads.nzb }}"
- name: run container
docker_container:
name: "{{ role_name }}"
image: "linuxserver/radarr"
networks:
- name: external
env:
"TZ": "{{ tz }}"
"PUID": "{{ puid }}"
"PGID": "{{ pgid }}"
"UMASK": "022"
volumes:
- "{{ data_folder }}/radarr:/config"
- "{{ downloads.nzb }}:/downloads"
- "{{ media.movies }}:/movies"
ports:
- "7878:7878"
state: started
- name: copy nginx conf
template:
src: "{{ role_name }}.conf.j2"
dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
mode: "755"
notify: reload nginx

20
roles/radarr/templates/radarr.conf.j2
View File

@ -1,20 +0,0 @@
server {
server_name {{ role_name }}.{{ base_domain }};
listen 80;
return 301 https://$server_name$request_uri;
}
server {
server_name {{ role_name }}.{{ base_domain }};
listen 443 ssl http2;
include /etc/nginx/snippets/authelia-endpoint.conf;
location / {
include /etc/nginx/snippets/proxy.conf;
include /etc/nginx/snippets/authelia-auth.conf;
set $upstream http://{{ role_name }}:7878;
proxy_pass $upstream;
}
}

36
vault/passwords.yml
View File

@ -1,19 +1,19 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
35356537316639386637316365393533643061363734323630393363313237643935666639653963 30346235333931303864373164626134343138306564323034633139363931653066326263333063
3734376266353938653631323266663139306335646635660a373233663964623335663366333434 6532376231363635613930376137326439306437636433370a643535356131363164373764613531
34386136656530386639646234316238326132616131616632346537613963636637393839613661 36363735323930306338623164636563626334653532386632303936343737363731323166323530
6366326639643632320a386436316165343166366134633464393461653434323934326238313430 3439353635343236350a663261636633633033396262333164363062396464366135306135386337
39323439306637306134326635323138616337646336653238636539643538613664303764303661 37333232376531353332373930306462393634386533636363343736646537666665633262633363
39636661353538393532663937396363656664613334383261336664336237356366663334633430 64373434633963316365306562333765313439366431313234313563376630643931386363383233
36356235383930653835393439373737623036613565313131626462363034303062323662663832 33363665613937366433643133613565646364303362626433396339313535383166326138313139
66613833613336646633383835653161386363386136663764653734313763383231626434393864 61616333333530333761393631323461376536363733323764333631346338393166613531666335
63313061346335383933623630396336336561633938613237643238616531343766613734666132 35373764376434346638356439393964313436366439366363393766643333623165353266386634
32306362616131396266656162653563356137383239616464306662643032623438373764306361 66326434333165663630326332333061626366356363313538393130356365343738363237653565
32363133626662633435626232653061373831626563323861626635383039613136303632613335 63613439373930326165326538386566636466306137636336663736333063613238356137346630
61363265316534653033393763646565393330633063323634353932353936303638356433306362 31643064623563656438613665393332656435636233623265323063366139643937633132656337
65383938306637333765383263653939633964613230613835326630313761323561376162646439 65326137396134333230616262333337373833663439313635663438396461373130396332316331
62323035323634323766393233326363383364653531306432663263303831623936616139306639 66613933343365363335653135663237363538353863623534373563626166313034323039396334
64303863386265343165666435363761653464386366636366323261353731643263356635383536 61383766343264313438353261306233373562343939663232383466336232373865356561316139
66326666616339653731633530663161363933383334376238313637356331663431336433643338 38316466306531326165343265393262646463626563306363353765343462316534323336356432
64313861306161373538363332663363623131303561373237326436373838393965306663333835 34373661363562636137393235323839616430376163393362313363626636343064663739313963
3764356534323963303832653964666431626538316361613137 3361333438346265623738393431346433353436666262396264