Compare commits

..

No commits in common. "main" and "171ef655f85d25ffe4889d3b074dd110cd748ada" have entirely different histories.

23 changed files with 75 additions and 188 deletions

View File

@ -12,14 +12,11 @@ homelab.
=== Containers === Containers
* Authelia
* Jellyfin
* Keycloak
* NGINX * NGINX
* Jellyfin
* OpenLDAP * OpenLDAP
* Portainer
* PostgreSQL * PostgreSQL
* Radarr * Keycloak
=== Testing === Testing
To run locally, specify the inventory file with `-i hosts`. To run locally, specify the inventory file with `-i hosts`.

View File

@ -13,9 +13,4 @@ pgid: "1000"
tz: "Europe/Prague" tz: "Europe/Prague"
media: media:
tv: "{{ data_folder }}/media/tv" tv: "{{ data_folder }}/media/tv"
movies: "{{ data_folder }}/media/movies" movies: "{{ data_folder }}/media/movies"
downloads:
nzb: "{{ data_folder }}/downloads/nzb"
torrent: "{{ data_folder }}/downloads/torrent"
torrent_blackhole: "{{ data_folder }}/downloads/blackhole"
music: "{{ data_folder }}/downloads/music"

View File

@ -3,13 +3,11 @@
roles: roles:
- docker - docker
- nginx - nginx
- openldap
- portainer
- jellyfin - jellyfin
- openldap
- postgres - postgres
- authelia - authelia
- keycloak - keycloak
- radarr
vars_files: vars_files:
- vault/certs/{{ base_domain }}.yml - vault/certs/{{ base_domain }}.yml
- vault/passwords.yml - vault/passwords.yml

View File

@ -1,2 +1 @@
#!/bin/env fish
ANSIBLE_VAULT_PASSWORD_FILE=(pass show ansible-homelab | psub) vagrant provision ANSIBLE_VAULT_PASSWORD_FILE=(pass show ansible-homelab | psub) vagrant provision

View File

@ -17,8 +17,8 @@
ports: ports:
- "9091:9091" - "9091:9091"
networks: networks:
- name: external - name: bridge
- name: openldap - name: nginx-internal
volumes: volumes:
- "{{ data_folder }}/authelia:/config" - "{{ data_folder }}/authelia:/config"
- name: copy nginx endpoint conf - name: copy nginx endpoint conf

View File

@ -1,5 +1,14 @@
auth_request /authelia/api/verify; # Basic Authelia Config
# Send a subsequent request to Authelia to verify if the user is authenticated
# and has the right permissions to access the resource.
auth_request /authelia;
# Set the `target_url` variable based on the request. It will be used to build the portal
# URL with the correct redirection parameter.
auth_request_set $target_url $scheme://$http_host$request_uri; auth_request_set $target_url $scheme://$http_host$request_uri;
# Set the X-Forwarded-User and X-Forwarded-Groups with the headers
# returned by Authelia for the backends which can consume them.
# This is not safe, as the backend must make sure that they come from the
# proxy. In the future, it's gonna be safe to just use OAuth.
auth_request_set $user $upstream_http_remote_user; auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups; auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name; auth_request_set $name $upstream_http_remote_name;
@ -8,4 +17,7 @@ proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups; proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Name $name; proxy_set_header Remote-Name $name;
proxy_set_header Remote-Email $email; proxy_set_header Remote-Email $email;
error_page 401 =302 https://$http_host/authelia/?rd=$target_url; # If Authelia returns 401, then nginx redirects the user to the login portal.
# If it returns 200, then the request pass through to the backend.
# For other type of errors, nginx will handle them as usual.
error_page 401 =302 https://auth.{{ base_domain }}/?rd=$target_url;

View File

@ -1,17 +1,10 @@
location ^~ /authelia { set $upstream_authelia http://authelia:9091/api/verify;
include /etc/nginx/snippets/proxy.conf;
set $upstream_authelia authelia;
proxy_pass http://$upstream_authelia:9091;
}
location = /authelia/api/verify { # Virtual endpoint created by nginx to forward auth requests.
location /authelia {
internal; internal;
if ($request_uri ~ [^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]]) {
return 401;
}
set $upstream_authelia authelia;
proxy_pass_request_body off; proxy_pass_request_body off;
proxy_pass http://$upstream_authelia:9091; proxy_pass $upstream_authelia;
proxy_set_header Content-Length ""; proxy_set_header Content-Length "";
# Timeout if the real server is dead # Timeout if the real server is dead
@ -26,11 +19,11 @@ location = /authelia/api/verify {
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri; proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Method $request_method; proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri; proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Ssl on; proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://; proxy_redirect http:// $scheme://;
proxy_http_version 1.1; proxy_http_version 1.1;

View File

@ -1,7 +1,7 @@
server { server {
server_name auth.{{ base_domain }};
listen 80; listen 80;
return 301 https://$server_name$request_uri; server_name auth.{{ base_domain }};
return 301 https://$host$request_uri;
} }
server { server {
@ -9,8 +9,8 @@ server {
listen 443 ssl http2; listen 443 ssl http2;
location / { location / {
include /etc/nginx/snippets/proxy.conf;
set $upstream_authelia http://authelia:9091; # This example assumes a Docker deployment set $upstream_authelia http://authelia:9091; # This example assumes a Docker deployment
proxy_pass $upstream_authelia; proxy_pass $upstream_authelia;
include /etc/nginx/snippets/proxy.conf;
} }
} }

View File

@ -26,21 +26,12 @@ authentication_backend:
password: {{ vault_openldap_admin_password }} password: {{ vault_openldap_admin_password }}
access_control: access_control:
default_policy: deny default_policy: deny
networks:
- name: local
networks:
- 192.168.0.0/24
rules: rules:
- domain: "*.{{ base_domain }}" - domain:
networks: - "{{ base_domain }}"
- local - "*.{{ base_domain }}"
policy: bypass - "keycloak.{{ base_domain }}"
- domain: portainer.{{ base_domain }} policy: deny
policy: one_factor
- domain: keycloak.{{ base_domain }}
policy: one_factor
- domain: radarr.{{ base_domain }}
policy: two_factor
session: session:
name: authelia_session name: authelia_session
secret: somerandomsecret secret: somerandomsecret

View File

@ -3,9 +3,6 @@
name: name:
- docker - docker
- python-pip - python-pip
- neovim
- fish
- curlie
state: present state: present
update_cache: true update_cache: true
- name: start - name: start
@ -15,9 +12,8 @@
- name: add user to group - name: add user to group
user: user:
name: lukas name: lukas
groups: docker,wheel groups: docker
append: true append: true
shell: /usr/bin/fish
- name: install python docker - name: install python docker
pip: pip:
name: name:

View File

@ -12,7 +12,7 @@
name: 'jellyfin' name: 'jellyfin'
image: linuxserver/jellyfin image: linuxserver/jellyfin
networks: networks:
- name: external - name: nginx-internal
volumes: volumes:
- "{{ data_folder }}/jellyfin:/config" - "{{ data_folder }}/jellyfin:/config"
- "{{ media.tv }}:/data/tv" - "{{ media.tv }}:/data/tv"
@ -29,6 +29,7 @@
devices: devices:
- /dev/dri:/dev/dri - /dev/dri:/dev/dri
state: started state: started
restart: yes
- name: copy jellyfin nginx config - name: copy jellyfin nginx config
template: template:
src: jellyfin.conf.j2 src: jellyfin.conf.j2

View File

@ -1,7 +1,6 @@
server { server {
server_name "jellyfin.{{ base_domain }}";
listen 80; listen 80;
return 301 https://$server_name$request_uri; return 301 https://$host$request_uri;
} }
server { server {

View File

@ -5,9 +5,8 @@
ports: ports:
- "8080:8080" - "8080:8080"
networks: networks:
- name: external
- name: postgres - name: postgres
- name: openldap - name: nginx-internal
env: env:
"KEYCLOAK_USER": "{{ vault_keycloak_user }}" "KEYCLOAK_USER": "{{ vault_keycloak_user }}"
"KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}" "KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}"
@ -21,6 +20,6 @@
- name: copy nginx conf - name: copy nginx conf
template: template:
src: "keycloak.conf.j2" src: "keycloak.conf.j2"
dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf" dest: "{{ data_folder }}/nginx/conf.d/{{ role_name}}.{{ base_domain }}.conf"
mode: "755" mode: "755"
notify: reload nginx notify: reload nginx

View File

@ -1,7 +1,6 @@
server { server {
server_name "keycloak.{{ base_domain }}"; listen 80;
listen 80; return 301 https://$host$request_uri;
return 301 https://$server_name$request_uri;
} }
server { server {

View File

@ -14,11 +14,11 @@
- name: generate self-signed certs - name: generate self-signed certs
import_tasks: self-signed.yml import_tasks: self-signed.yml
when: self_signed when: self_signed
- name: create external bridge network - name: create nginx bridge network
docker_network: docker_network:
name: external name: nginx-internal
attachable: true attachable: true
internal: false internal: true
state: present state: present
- name: copy nginx.conf - name: copy nginx.conf
template: template:
@ -37,7 +37,8 @@
name: 'nginx' name: 'nginx'
image: nginx image: nginx
networks: networks:
- name: external - name: bridge
- name: nginx-internal
volumes: volumes:
- "{{ data_folder }}/nginx/conf.d:/etc/nginx/conf.d" - "{{ data_folder }}/nginx/conf.d:/etc/nginx/conf.d"
- "{{ data_folder }}/nginx/nginx.conf:/etc/nginx/nginx.conf" - "{{ data_folder }}/nginx/nginx.conf:/etc/nginx/nginx.conf"
@ -52,4 +53,5 @@
env: env:
NGINX_HOST: "{{ base_domain }}" NGINX_HOST: "{{ base_domain }}"
NGINX_PORT: '80' NGINX_PORT: '80'
state: started state: started
restart: yes

View File

@ -13,8 +13,6 @@ events {
http { http {
include /etc/nginx/mime.types; include /etc/nginx/mime.types;
default_type application/octet-stream; default_type application/octet-stream;
log_subrequest on;
log_format main '$remote_addr - $remote_user [$time_local] "$request" ' log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" ' '$status $body_bytes_sent "$http_referer" '

View File

@ -6,19 +6,13 @@
loop: loop:
- "{{ data_folder }}/openldap" - "{{ data_folder }}/openldap"
- "{{ data_folder }}/openldap/data" - "{{ data_folder }}/openldap/data"
- name: create network
docker_network:
name: openldap
attachable: true
internal: true
state: present
- name: run container - name: run container
docker_container: docker_container:
name: "openldap" name: "openldap"
image: osixia/openldap image: osixia/openldap
hostname: openldap hostname: openldap
networks: networks:
- name: openldap - name: nginx-internal
ports: ports:
- "389:389" - "389:389"
- "636:636" - "636:636"
@ -29,4 +23,5 @@
LDAP_DOMAIN: "kucharczyk.xyz" LDAP_DOMAIN: "kucharczyk.xyz"
LDAP_ADMIN_PASSWORD: "{{ vault_openldap_admin_password }}" LDAP_ADMIN_PASSWORD: "{{ vault_openldap_admin_password }}"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "false" LDAP_REMOVE_CONFIG_AFTER_SETUP: "false"
state: started state: started
restart: yes

View File

@ -0,0 +1,6 @@
dn: dc=kucharczyk,dc=xyz
objectclass: top
objectclass: dcObject
objectclass: organization
dc: kucharczyk
o: Homelab

View File

@ -1,19 +0,0 @@
- name: run container
docker_container:
name: 'portainer'
image: portainer/portainer-ce
networks:
- name: external
- name: openldap
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
ports:
- "8000:8000"
- "9000:9000"
state: started
- name: copy nginx conf
template:
src: portainer.conf.j2
dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
mode: "755"
notify: reload nginx

View File

@ -1,20 +0,0 @@
server {
server_name portainer.{{ base_domain }};
listen 80;
return 301 https://$server_name$request_uri;
}
server {
server_name portainer.{{ base_domain }};
listen 443 ssl http2;
include /etc/nginx/snippets/authelia-endpoint.conf;
location / {
include /etc/nginx/snippets/proxy.conf;
include /etc/nginx/snippets/authelia-auth.conf;
set $upstream http://portainer:9000; # This example assumes a Docker deployment
proxy_pass $upstream;
}
}

View File

@ -1,34 +0,0 @@
- name: ensure directories exist
file:
path: "{{ item }}"
state: directory
mode: '0755'
loop:
- "{{ data_folder }}/radarr"
- "{{ media.tv }}"
- "{{ media.movies }}"
- "{{ downloads.nzb }}"
- name: run container
docker_container:
name: "{{ role_name }}"
image: "linuxserver/radarr"
networks:
- name: external
env:
"TZ": "{{ tz }}"
"PUID": "{{ puid }}"
"PGID": "{{ pgid }}"
"UMASK": "022"
volumes:
- "{{ data_folder }}/radarr:/config"
- "{{ downloads.nzb }}:/downloads"
- "{{ media.movies }}:/movies"
ports:
- "7878:7878"
state: started
- name: copy nginx conf
template:
src: "{{ role_name }}.conf.j2"
dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
mode: "755"
notify: reload nginx

View File

@ -1,20 +0,0 @@
server {
server_name {{ role_name }}.{{ base_domain }};
listen 80;
return 301 https://$server_name$request_uri;
}
server {
server_name {{ role_name }}.{{ base_domain }};
listen 443 ssl http2;
include /etc/nginx/snippets/authelia-endpoint.conf;
location / {
include /etc/nginx/snippets/proxy.conf;
include /etc/nginx/snippets/authelia-auth.conf;
set $upstream http://{{ role_name }}:7878;
proxy_pass $upstream;
}
}

View File

@ -1,19 +1,19 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
35356537316639386637316365393533643061363734323630393363313237643935666639653963 30346235333931303864373164626134343138306564323034633139363931653066326263333063
3734376266353938653631323266663139306335646635660a373233663964623335663366333434 6532376231363635613930376137326439306437636433370a643535356131363164373764613531
34386136656530386639646234316238326132616131616632346537613963636637393839613661 36363735323930306338623164636563626334653532386632303936343737363731323166323530
6366326639643632320a386436316165343166366134633464393461653434323934326238313430 3439353635343236350a663261636633633033396262333164363062396464366135306135386337
39323439306637306134326635323138616337646336653238636539643538613664303764303661 37333232376531353332373930306462393634386533636363343736646537666665633262633363
39636661353538393532663937396363656664613334383261336664336237356366663334633430 64373434633963316365306562333765313439366431313234313563376630643931386363383233
36356235383930653835393439373737623036613565313131626462363034303062323662663832 33363665613937366433643133613565646364303362626433396339313535383166326138313139
66613833613336646633383835653161386363386136663764653734313763383231626434393864 61616333333530333761393631323461376536363733323764333631346338393166613531666335
63313061346335383933623630396336336561633938613237643238616531343766613734666132 35373764376434346638356439393964313436366439366363393766643333623165353266386634
32306362616131396266656162653563356137383239616464306662643032623438373764306361 66326434333165663630326332333061626366356363313538393130356365343738363237653565
32363133626662633435626232653061373831626563323861626635383039613136303632613335 63613439373930326165326538386566636466306137636336663736333063613238356137346630
61363265316534653033393763646565393330633063323634353932353936303638356433306362 31643064623563656438613665393332656435636233623265323063366139643937633132656337
65383938306637333765383263653939633964613230613835326630313761323561376162646439 65326137396134333230616262333337373833663439313635663438396461373130396332316331
62323035323634323766393233326363383364653531306432663263303831623936616139306639 66613933343365363335653135663237363538353863623534373563626166313034323039396334
64303863386265343165666435363761653464386366636366323261353731643263356635383536 61383766343264313438353261306233373562343939663232383466336232373865356561316139
66326666616339653731633530663161363933383334376238313637356331663431336433643338 38316466306531326165343265393262646463626563306363353765343462316534323336356432
64313861306161373538363332663363623131303561373237326436373838393965306663333835 34373661363562636137393235323839616430376163393362313363626636343064663739313963
3764356534323963303832653964666431626538316361613137 3361333438346265623738393431346433353436666262396264