Compare commits
5 Commits
main
...
d70dc99f89
Author | SHA1 | Date |
---|---|---|
Lukáš Kucharczyk | d70dc99f89 | |
Lukáš Kucharczyk | ec6256ad16 | |
Lukáš Kucharczyk | 8934fb8855 | |
Lukáš Kucharczyk | 6f5140f0e6 | |
Lukáš Kucharczyk | b9f88564f7 |
|
@ -12,14 +12,12 @@ homelab.
|
||||||
|
|
||||||
=== Containers
|
=== Containers
|
||||||
|
|
||||||
* Authelia
|
|
||||||
* Jellyfin
|
|
||||||
* Keycloak
|
|
||||||
* NGINX
|
* NGINX
|
||||||
|
* Jellyfin
|
||||||
* OpenLDAP
|
* OpenLDAP
|
||||||
* Portainer
|
|
||||||
* PostgreSQL
|
* PostgreSQL
|
||||||
* Radarr
|
* Keycloak
|
||||||
|
* Authelia
|
||||||
|
|
||||||
=== Testing
|
=== Testing
|
||||||
To run locally, specify the inventory file with `-i hosts`.
|
To run locally, specify the inventory file with `-i hosts`.
|
||||||
|
|
|
@ -14,8 +14,3 @@ tz: "Europe/Prague"
|
||||||
media:
|
media:
|
||||||
tv: "{{ data_folder }}/media/tv"
|
tv: "{{ data_folder }}/media/tv"
|
||||||
movies: "{{ data_folder }}/media/movies"
|
movies: "{{ data_folder }}/media/movies"
|
||||||
downloads:
|
|
||||||
nzb: "{{ data_folder }}/downloads/nzb"
|
|
||||||
torrent: "{{ data_folder }}/downloads/torrent"
|
|
||||||
torrent_blackhole: "{{ data_folder }}/downloads/blackhole"
|
|
||||||
music: "{{ data_folder }}/downloads/music"
|
|
|
@ -3,13 +3,12 @@
|
||||||
roles:
|
roles:
|
||||||
- docker
|
- docker
|
||||||
- nginx
|
- nginx
|
||||||
- openldap
|
|
||||||
- portainer
|
- portainer
|
||||||
- jellyfin
|
- jellyfin
|
||||||
|
- openldap
|
||||||
- postgres
|
- postgres
|
||||||
- authelia
|
- authelia
|
||||||
- keycloak
|
- keycloak
|
||||||
- radarr
|
|
||||||
vars_files:
|
vars_files:
|
||||||
- vault/certs/{{ base_domain }}.yml
|
- vault/certs/{{ base_domain }}.yml
|
||||||
- vault/passwords.yml
|
- vault/passwords.yml
|
||||||
|
|
|
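Review bot: The role order on the new side now carries an implicit dependency that nothing records: `nginx` creates the `nginx-internal` network that `openldap`, `jellyfin`, `authelia` and `keycloak` attach to elsewhere in this compare (the openldap role's own network task is deleted), so `nginx` must stay ahead of those roles. The ordering here satisfies that, but a later reorder would break the play silently at `docker_container` time. A comment above the list, `# nginx must run first: it creates the nginx-internal network the roles below attach to`, would make the constraint visible. The play header above `roles:` is outside the hunk.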
@ -17,8 +17,8 @@
|
||||||
ports:
|
ports:
|
||||||
- "9091:9091"
|
- "9091:9091"
|
||||||
networks:
|
networks:
|
||||||
- name: external
|
- name: bridge
|
||||||
- name: openldap
|
- name: nginx-internal
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ data_folder }}/authelia:/config"
|
- "{{ data_folder }}/authelia:/config"
|
||||||
- name: copy nginx endpoint conf
|
- name: copy nginx endpoint conf
|
||||||
|
|
|
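Review bot: Authelia is attached to `bridge` on the new side while still publishing `"9091:9091"`, so the portal stays reachable directly on the host port as well as through nginx on `nginx-internal`, which sidesteps the HTTP-to-HTTPS redirect the nginx templates enforce. If nginx is the only intended client, dropping the `ports:` entry and the `- name: bridge` line closes that path; if a host port is genuinely needed, bind it to loopback with `- "127.0.0.1:9091:9091"`. The `docker_container` task this hunk belongs to starts outside the hunk.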
@ -1,7 +1,7 @@
|
||||||
server {
|
server {
|
||||||
server_name auth.{{ base_domain }};
|
|
||||||
listen 80;
|
listen 80;
|
||||||
return 301 https://$server_name$request_uri;
|
server_name auth.{{ base_domain }};
|
||||||
|
return 301 https://$host$request_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
|
|
|
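Review bot: `return 301 https://$host$request_uri;` on the new side takes the redirect target from the client-supplied Host header, whereas the replaced `$server_name` was pinned to `auth.{{ base_domain }}`. That is harmless while this block only ever matches its own server_name, but if it ends up as the default server for port 80 (no block claims `default_server`), a request with an arbitrary Host header is answered with a redirect to that host. Either revert to `return 301 https://$server_name$request_uri;` or add an explicit default server on port 80 that returns 444 so unmatched hosts never reach this block. The same substitution appears in the jellyfin, keycloak and portainer templates further down this compare; the second `server {` block continues outside the hunk.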
@ -26,22 +26,11 @@ authentication_backend:
|
||||||
password: {{ vault_openldap_admin_password }}
|
password: {{ vault_openldap_admin_password }}
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: deny
|
default_policy: deny
|
||||||
networks:
|
|
||||||
- name: local
|
|
||||||
networks:
|
|
||||||
- 192.168.0.0/24
|
|
||||||
rules:
|
rules:
|
||||||
- domain: "*.{{ base_domain }}"
|
- domain: "*.{{ base_domain }}"
|
||||||
networks:
|
|
||||||
- local
|
|
||||||
policy: bypass
|
policy: bypass
|
||||||
- domain: portainer.{{ base_domain }}
|
- domain: portainer.{{ base_domain }}
|
||||||
policy: one_factor
|
policy: one_factor
|
||||||
- domain: keycloak.{{ base_domain }}
|
|
||||||
policy: one_factor
|
|
||||||
- domain: radarr.{{ base_domain }}
|
|
||||||
policy: two_factor
|
|
||||||
session:
|
|
||||||
name: authelia_session
|
name: authelia_session
|
||||||
secret: somerandomsecret
|
secret: somerandomsecret
|
||||||
expiration: 1h
|
expiration: 1h
|
||||||
|
|
|
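Review bot: The new side removes the `networks: local` restriction from the `*.{{ base_domain }}` rule but keeps the rule itself, so every host under the domain is now `bypass` from any source address and `default_policy: deny` no longer applies to anything. Authelia evaluates rules top-down and takes the first match, so the `portainer.{{ base_domain }}` one_factor rule below it appears to be unreachable as well. Either restore the deleted `networks:` definition together with the rule's `networks: - local` line, or move the wildcard rule to the end with a non-bypass policy so the specific rules are reached first. The `secret: somerandomsecret` on the context lines is a literal session secret in a template; it belongs in the vault alongside `vault_openldap_admin_password`. The `authentication_backend:` section above begins outside the hunk.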
@ -3,9 +3,6 @@
|
||||||
name:
|
name:
|
||||||
- docker
|
- docker
|
||||||
- python-pip
|
- python-pip
|
||||||
- neovim
|
|
||||||
- fish
|
|
||||||
- curlie
|
|
||||||
state: present
|
state: present
|
||||||
update_cache: true
|
update_cache: true
|
||||||
- name: start
|
- name: start
|
||||||
|
@ -15,9 +12,8 @@
|
||||||
- name: add user to group
|
- name: add user to group
|
||||||
user:
|
user:
|
||||||
name: lukas
|
name: lukas
|
||||||
groups: docker,wheel
|
groups: docker
|
||||||
append: true
|
append: true
|
||||||
shell: /usr/bin/fish
|
|
||||||
- name: install python docker
|
- name: install python docker
|
||||||
pip:
|
pip:
|
||||||
name:
|
name:
|
||||||
|
|
|
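Review bot: `groups: docker` on the new side still grants `lukas` membership in the docker group, which is root-equivalent on the host because members can drive the daemon socket; dropping `wheel` does not reduce that privilege. A comment on the line, `groups: docker  # docker group is root-equivalent on this host; keep minimal`, would make the trade-off explicit for the next editor. The `pip:` task at the bottom continues outside the hunk.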
@ -12,7 +12,7 @@
|
||||||
name: 'jellyfin'
|
name: 'jellyfin'
|
||||||
image: linuxserver/jellyfin
|
image: linuxserver/jellyfin
|
||||||
networks:
|
networks:
|
||||||
- name: external
|
- name: nginx-internal
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ data_folder }}/jellyfin:/config"
|
- "{{ data_folder }}/jellyfin:/config"
|
||||||
- "{{ media.tv }}:/data/tv"
|
- "{{ media.tv }}:/data/tv"
|
||||||
|
@ -29,6 +29,7 @@
|
||||||
devices:
|
devices:
|
||||||
- /dev/dri:/dev/dri
|
- /dev/dri:/dev/dri
|
||||||
state: started
|
state: started
|
||||||
|
restart: yes
|
||||||
- name: copy jellyfin nginx config
|
- name: copy jellyfin nginx config
|
||||||
template:
|
template:
|
||||||
src: jellyfin.conf.j2
|
src: jellyfin.conf.j2
|
||||||
|
|
|
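Review bot: `restart: yes` added in the second hunk is the `docker_container` module's force-restart switch, which stops and restarts a matching container on every play run; it is not the daemon-side auto-restart behaviour, which is `restart_policy: unless-stopped`. The same line is added to the nginx and openldap tasks further down this compare. Separately, the first hunk leaves Jellyfin on `nginx-internal` only, a network the nginx role creates with `internal: true`, so the container presumably has no outbound route for metadata fetching — confirm that is intended. As a style point the value should be the YAML boolean `true` rather than `yes`. The `docker_container` task starts outside the first hunk.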
@ -1,7 +1,6 @@
|
||||||
server {
|
server {
|
||||||
server_name "jellyfin.{{ base_domain }}";
|
|
||||||
listen 80;
|
listen 80;
|
||||||
return 301 https://$server_name$request_uri;
|
return 301 https://$host$request_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
|
|
|
@ -5,9 +5,8 @@
|
||||||
ports:
|
ports:
|
||||||
- "8080:8080"
|
- "8080:8080"
|
||||||
networks:
|
networks:
|
||||||
- name: external
|
|
||||||
- name: postgres
|
- name: postgres
|
||||||
- name: openldap
|
- name: nginx-internal
|
||||||
env:
|
env:
|
||||||
"KEYCLOAK_USER": "{{ vault_keycloak_user }}"
|
"KEYCLOAK_USER": "{{ vault_keycloak_user }}"
|
||||||
"KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}"
|
"KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}"
|
||||||
|
@ -21,6 +20,6 @@
|
||||||
- name: copy nginx conf
|
- name: copy nginx conf
|
||||||
template:
|
template:
|
||||||
src: "keycloak.conf.j2"
|
src: "keycloak.conf.j2"
|
||||||
dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
|
dest: "{{ data_folder }}/nginx/conf.d/{{ role_name}}.{{ base_domain }}.conf"
|
||||||
mode: "755"
|
mode: "755"
|
||||||
notify: reload nginx
|
notify: reload nginx
|
|
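Review bot: `{{ role_name}}` in the `dest:` line of the second hunk loses the space before `}}`; Jinja still renders it, but it diverges from the `{{ role_name }}` spelling used in the other roles and in the `src:` line above it — `dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"`. While in that task, `mode: "755"` makes a rendered nginx config executable; `mode: "0644"` is all nginx needs to read it. In the first hunk Keycloak keeps `- "8080:8080"` published after dropping the `external` network, so the admin console remains reachable directly on the host port outside the nginx TLS path; bind it to loopback or drop the mapping if nginx is the only client. The task list continues outside both hunks.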
@ -1,7 +1,6 @@
|
||||||
server {
|
server {
|
||||||
server_name "keycloak.{{ base_domain }}";
|
listen 80;
|
||||||
listen 80;
|
return 301 https://$host$request_uri;
|
||||||
return 301 https://$server_name$request_uri;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
|
|
|
@ -14,11 +14,11 @@
|
||||||
- name: generate self-signed certs
|
- name: generate self-signed certs
|
||||||
import_tasks: self-signed.yml
|
import_tasks: self-signed.yml
|
||||||
when: self_signed
|
when: self_signed
|
||||||
- name: create external bridge network
|
- name: create nginx bridge network
|
||||||
docker_network:
|
docker_network:
|
||||||
name: external
|
name: nginx-internal
|
||||||
attachable: true
|
attachable: true
|
||||||
internal: false
|
internal: true
|
||||||
state: present
|
state: present
|
||||||
- name: copy nginx.conf
|
- name: copy nginx.conf
|
||||||
template:
|
template:
|
||||||
|
@ -37,7 +37,8 @@
|
||||||
name: 'nginx'
|
name: 'nginx'
|
||||||
image: nginx
|
image: nginx
|
||||||
networks:
|
networks:
|
||||||
- name: external
|
- name: bridge
|
||||||
|
- name: nginx-internal
|
||||||
volumes:
|
volumes:
|
||||||
- "{{ data_folder }}/nginx/conf.d:/etc/nginx/conf.d"
|
- "{{ data_folder }}/nginx/conf.d:/etc/nginx/conf.d"
|
||||||
- "{{ data_folder }}/nginx/nginx.conf:/etc/nginx/nginx.conf"
|
- "{{ data_folder }}/nginx/nginx.conf:/etc/nginx/nginx.conf"
|
||||||
|
@ -53,3 +54,4 @@
|
||||||
NGINX_HOST: "{{ base_domain }}"
|
NGINX_HOST: "{{ base_domain }}"
|
||||||
NGINX_PORT: '80'
|
NGINX_PORT: '80'
|
||||||
state: started
|
state: started
|
||||||
|
restart: yes
|
||||||
|
|
|
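Review bot: `internal: true` on the `nginx-internal` network in the first hunk is the right isolation choice, but its consequence — containers attached only to this network have no route to the host bridge or the internet — is not recorded, and several roles in this compare now attach only to it. A comment above the task, `# internal network: nginx reaches backends here; a backend attached only to it has no egress`, would document the contract. `restart: yes` in the third hunk forces a container restart on every run rather than setting an auto-restart policy; `restart_policy: unless-stopped` is the daemon-side option, and `true` is the conventional YAML boolean. The task list continues outside the hunks.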
@ -14,8 +14,6 @@ http {
|
||||||
include /etc/nginx/mime.types;
|
include /etc/nginx/mime.types;
|
||||||
default_type application/octet-stream;
|
default_type application/octet-stream;
|
||||||
|
|
||||||
log_subrequest on;
|
|
||||||
|
|
||||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||||
'$status $body_bytes_sent "$http_referer" '
|
'$status $body_bytes_sent "$http_referer" '
|
||||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||||
|
|
|
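Review bot: Removing `log_subrequest on;` means the forward-auth subrequests issued by the Authelia snippets (presumably via `auth_request`) no longer appear in the access log, so the per-request authorization decisions vanish from exactly the log that would be used to investigate a bypass or brute-force attempt against the portal. If the directive was dropped for noise, keeping it is the safer default; otherwise record the trade-off with `# log_subrequest off: auth_request decisions are not in access.log`. The `http {` block continues outside the hunk.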
@ -6,19 +6,13 @@
|
||||||
loop:
|
loop:
|
||||||
- "{{ data_folder }}/openldap"
|
- "{{ data_folder }}/openldap"
|
||||||
- "{{ data_folder }}/openldap/data"
|
- "{{ data_folder }}/openldap/data"
|
||||||
- name: create network
|
|
||||||
docker_network:
|
|
||||||
name: openldap
|
|
||||||
attachable: true
|
|
||||||
internal: true
|
|
||||||
state: present
|
|
||||||
- name: run container
|
- name: run container
|
||||||
docker_container:
|
docker_container:
|
||||||
name: "openldap"
|
name: "openldap"
|
||||||
image: osixia/openldap
|
image: osixia/openldap
|
||||||
hostname: openldap
|
hostname: openldap
|
||||||
networks:
|
networks:
|
||||||
- name: openldap
|
- name: nginx-internal
|
||||||
ports:
|
ports:
|
||||||
- "389:389"
|
- "389:389"
|
||||||
- "636:636"
|
- "636:636"
|
||||||
|
@ -30,3 +24,4 @@
|
||||||
LDAP_ADMIN_PASSWORD: "{{ vault_openldap_admin_password }}"
|
LDAP_ADMIN_PASSWORD: "{{ vault_openldap_admin_password }}"
|
||||||
LDAP_REMOVE_CONFIG_AFTER_SETUP: "false"
|
LDAP_REMOVE_CONFIG_AFTER_SETUP: "false"
|
||||||
state: started
|
state: started
|
||||||
|
restart: yes
|
|
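Review bot: Attaching OpenLDAP to `nginx-internal` in the first hunk, after deleting its dedicated `openldap` network, puts the directory on the same segment as every proxied application container (jellyfin, portainer, nginx itself), whereas before only containers explicitly joined to `openldap` could reach ports 389 and 636. A directory service does not need to be reachable from nginx; keep a separate internal network for it and join only its consumers, i.e. retain the removed `docker_network` task and the `- name: openldap` line here. `restart: yes` in the second hunk forces a restart on every run rather than setting `restart_policy`. The `"389:389"` and `"636:636"` entries are context lines, but together with the wider network they make plaintext LDAP reachable well beyond its intended clients. The `docker_container` task continues outside the first hunk.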
@ -0,0 +1,6 @@
|
||||||
|
dn: dc=kucharczyk,dc=xyz
|
||||||
|
objectclass: top
|
||||||
|
objectclass: dcObject
|
||||||
|
objectclass: organization
|
||||||
|
dc: kucharczyk
|
||||||
|
o: Homelab
|
|
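Review bot: The new file hard-codes the suffix `dc=kucharczyk,dc=xyz` while the rest of the repository derives hostnames from `base_domain`, so a domain change would leave the directory suffix out of step with the LDAP clients configured from that variable. If the file is rendered through `template`, the suffix can be built from `base_domain`; if it is copied verbatim, a header comment `# base DN must match base_domain in group_vars` records the coupling.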
@ -3,17 +3,11 @@
|
||||||
name: 'portainer'
|
name: 'portainer'
|
||||||
image: portainer/portainer-ce
|
image: portainer/portainer-ce
|
||||||
networks:
|
networks:
|
||||||
- name: external
|
- name: nginx-internal
|
||||||
- name: openldap
|
- name: bridge
|
||||||
volumes:
|
volumes:
|
||||||
- "/var/run/docker.sock:/var/run/docker.sock"
|
- "/var/run/docker.sock:/var/run/docker.sock"
|
||||||
ports:
|
ports:
|
||||||
- "8000:8000"
|
- "8000:8000"
|
||||||
- "9000:9000"
|
- "9000:9000"
|
||||||
state: started
|
state: started
|
||||||
- name: copy nginx conf
|
|
||||||
template:
|
|
||||||
src: portainer.conf.j2
|
|
||||||
dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
|
|
||||||
mode: "755"
|
|
||||||
notify: reload nginx
|
|
|
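Review bot: With the `copy nginx conf` task removed and `"9000:9000"` still published on `bridge`, the Portainer UI is now served directly from the host port instead of behind nginx's TLS redirect, and the `portainer.{{ base_domain }}` one_factor rule that remains in the Authelia configuration no longer guards anything. Given the `/var/run/docker.sock` mount, this UI is root-equivalent on the host, so either keep the nginx front by restoring the template task or at least bind the mapping to loopback, `- "127.0.0.1:9000:9000"`. The `portainer.conf.j2` template edited later in this compare appears to be unreferenced after this change. The `docker_container` task starts outside the hunk.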
@ -1,7 +1,7 @@
|
||||||
server {
|
server {
|
||||||
server_name portainer.{{ base_domain }};
|
|
||||||
listen 80;
|
listen 80;
|
||||||
return 301 https://$server_name$request_uri;
|
server_name portainer.{{ base_domain }};
|
||||||
|
return 301 https://$host$request_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
|
|
|
@ -1,34 +0,0 @@
|
||||||
- name: ensure directories exist
|
|
||||||
file:
|
|
||||||
path: "{{ item }}"
|
|
||||||
state: directory
|
|
||||||
mode: '0755'
|
|
||||||
loop:
|
|
||||||
- "{{ data_folder }}/radarr"
|
|
||||||
- "{{ media.tv }}"
|
|
||||||
- "{{ media.movies }}"
|
|
||||||
- "{{ downloads.nzb }}"
|
|
||||||
- name: run container
|
|
||||||
docker_container:
|
|
||||||
name: "{{ role_name }}"
|
|
||||||
image: "linuxserver/radarr"
|
|
||||||
networks:
|
|
||||||
- name: external
|
|
||||||
env:
|
|
||||||
"TZ": "{{ tz }}"
|
|
||||||
"PUID": "{{ puid }}"
|
|
||||||
"PGID": "{{ pgid }}"
|
|
||||||
"UMASK": "022"
|
|
||||||
volumes:
|
|
||||||
- "{{ data_folder }}/radarr:/config"
|
|
||||||
- "{{ downloads.nzb }}:/downloads"
|
|
||||||
- "{{ media.movies }}:/movies"
|
|
||||||
ports:
|
|
||||||
- "7878:7878"
|
|
||||||
state: started
|
|
||||||
- name: copy nginx conf
|
|
||||||
template:
|
|
||||||
src: "{{ role_name }}.conf.j2"
|
|
||||||
dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
|
|
||||||
mode: "755"
|
|
||||||
notify: reload nginx
|
|
|
@ -1,20 +0,0 @@
|
||||||
server {
|
|
||||||
server_name {{ role_name }}.{{ base_domain }};
|
|
||||||
listen 80;
|
|
||||||
return 301 https://$server_name$request_uri;
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
server_name {{ role_name }}.{{ base_domain }};
|
|
||||||
listen 443 ssl http2;
|
|
||||||
|
|
||||||
include /etc/nginx/snippets/authelia-endpoint.conf;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
include /etc/nginx/snippets/proxy.conf;
|
|
||||||
include /etc/nginx/snippets/authelia-auth.conf;
|
|
||||||
|
|
||||||
set $upstream http://{{ role_name }}:7878;
|
|
||||||
proxy_pass $upstream;
|
|
||||||
}
|
|
||||||
}
|
|