portainer: add nginx-internal network

portainer: require one_factor
portainer: add nginx conf
2021-06-20 22:32:51 +02:00 · 2021-06-20 22:29:41 +02:00 · 2021-06-20 22:29:25 +02:00 · 2021-06-20 22:29:11 +02:00 · 2021-06-20 22:28:48 +02:00
19 changed files with 38 additions and 122 deletions
--- a/README.adoc
+++ b/README.adoc
@ -12,14 +12,12 @@ homelab.

 === Containers

-* Authelia
-* Jellyfin
-* Keycloak
 * NGINX
+* Jellyfin
 * OpenLDAP
-* Portainer
 * PostgreSQL
-* Radarr
+* Keycloak
+* Authelia

 === Testing
 To run locally, specify the inventory file with `-i hosts`.
--- a/group_vars/all
+++ b/group_vars/all
@ -13,9 +13,4 @@ pgid: "1000"
 tz: "Europe/Prague"
 media:
  tv: "{{ data_folder }}/media/tv"
-  movies: "{{ data_folder }}/media/movies"
-downloads:
-  nzb: "{{ data_folder }}/downloads/nzb"
-  torrent: "{{ data_folder }}/downloads/torrent"
-  torrent_blackhole: "{{ data_folder }}/downloads/blackhole"
-  music: "{{ data_folder }}/downloads/music"
+  movies: "{{ data_folder }}/media/movies"
--- a/playbook.yml
+++ b/playbook.yml
@ -3,13 +3,12 @@
  roles:
    - docker
    - nginx
-    - openldap
    - portainer
    - jellyfin
+    - openldap
    - postgres
    - authelia
    - keycloak
-    - radarr
  vars_files:
    - vault/certs/{{ base_domain }}.yml
    - vault/passwords.yml
--- a/roles/authelia/tasks/main.yml
+++ b/roles/authelia/tasks/main.yml
@ -17,8 +17,8 @@
    ports:
      - "9091:9091"
    networks:
-      - name: external
-      - name: openldap
+      - name: bridge
+      - name: nginx-internal
    volumes:
      - "{{ data_folder }}/authelia:/config"
 - name: copy nginx endpoint conf
--- a/roles/authelia/templates/authelia.conf.j2
+++ b/roles/authelia/templates/authelia.conf.j2
@ -1,7 +1,7 @@
 server {
-    server_name auth.{{ base_domain }};
    listen 80;
-    return 301 https://$server_name$request_uri;
+    server_name auth.{{ base_domain }};
+    return 301 https://$host$request_uri;
 }

 server {
--- a/roles/authelia/templates/configuration.yml.j2
+++ b/roles/authelia/templates/configuration.yml.j2
@ -26,22 +26,11 @@ authentication_backend:
    password: {{ vault_openldap_admin_password }}
 access_control:
  default_policy: deny
-  networks:
-    - name: local
-      networks:
-        - 192.168.0.0/24
  rules:
    - domain: "*.{{ base_domain }}"
-      networks:
-        - local
      policy: bypass
    - domain: portainer.{{ base_domain }}
      policy: one_factor
-    - domain: keycloak.{{ base_domain }}
-      policy: one_factor
-    - domain: radarr.{{ base_domain }}
-      policy: two_factor
-session:
  name: authelia_session
  secret: somerandomsecret
  expiration: 1h
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@ -3,9 +3,6 @@
    name:
      - docker
      - python-pip
-      - neovim
-      - fish
-      - curlie
    state: present
    update_cache: true
 - name: start
@ -15,9 +12,8 @@
 - name: add user to group
  user:
    name: lukas
-    groups: docker,wheel
+    groups: docker
    append: true
-    shell: /usr/bin/fish
 - name: install python docker
  pip:
    name:
--- a/roles/jellyfin/tasks/main.yml
+++ b/roles/jellyfin/tasks/main.yml
@ -12,7 +12,7 @@
    name: 'jellyfin'
    image: linuxserver/jellyfin
    networks:
-      - name: external
+      - name: nginx-internal
    volumes:
      - "{{ data_folder }}/jellyfin:/config"
      - "{{ media.tv }}:/data/tv"
@ -29,6 +29,7 @@
    devices:
      - /dev/dri:/dev/dri
    state: started
+    restart: yes
 - name: copy jellyfin nginx config
  template:
    src: jellyfin.conf.j2
--- a/roles/jellyfin/templates/jellyfin.conf.j2
+++ b/roles/jellyfin/templates/jellyfin.conf.j2
@ -1,7 +1,6 @@
 server {
-    server_name "jellyfin.{{ base_domain }}";
    listen 80;
-    return 301 https://$server_name$request_uri;
+    return 301 https://$host$request_uri;
 }

 server {
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@ -5,9 +5,8 @@
    ports:
      - "8080:8080"
    networks:
-      - name: external
      - name: postgres
-      - name: openldap
+      - name: nginx-internal
    env:
      "KEYCLOAK_USER": "{{ vault_keycloak_user }}"
      "KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}"
@ -21,6 +20,6 @@
 - name: copy nginx conf
  template:
    src: "keycloak.conf.j2"
-    dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
+    dest: "{{ data_folder }}/nginx/conf.d/{{ role_name}}.{{ base_domain }}.conf"
    mode: "755"
  notify: reload nginx
--- a/roles/keycloak/templates/keycloak.conf.j2
+++ b/roles/keycloak/templates/keycloak.conf.j2
@ -1,7 +1,6 @@
 server {
-    server_name "keycloak.{{ base_domain }}";
-    listen 80;
-    return 301 https://$server_name$request_uri;
+  listen 80;
+  return 301 https://$host$request_uri;
 }

 server {
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -14,11 +14,11 @@
 - name: generate self-signed certs
  import_tasks: self-signed.yml
  when: self_signed
- name: create external bridge network
+- name: create nginx bridge network
  docker_network:
-    name: external
+    name: nginx-internal
    attachable: true
-    internal: false
+    internal: true
    state: present
 - name: copy nginx.conf
  template:
@ -37,7 +37,8 @@
    name: 'nginx'
    image: nginx
    networks:
-      - name: external
+      - name: bridge
+      - name: nginx-internal
    volumes:
      - "{{ data_folder }}/nginx/conf.d:/etc/nginx/conf.d"
      - "{{ data_folder }}/nginx/nginx.conf:/etc/nginx/nginx.conf"
@ -52,4 +53,5 @@
    env:
      NGINX_HOST: "{{ base_domain }}"
      NGINX_PORT: '80'
-    state: started
+    state: started
+    restart: yes
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
@ -13,8 +13,6 @@ events {
 http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
-    
-    log_subrequest on;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
--- a/roles/openldap/tasks/main.yml
+++ b/roles/openldap/tasks/main.yml
@ -6,19 +6,13 @@
  loop:
    - "{{ data_folder }}/openldap"
    - "{{ data_folder }}/openldap/data"
- name: create network
-  docker_network:
-    name: openldap
-    attachable: true
-    internal: true
-    state: present
 - name: run container
  docker_container:
    name: "openldap"
    image: osixia/openldap
    hostname: openldap
    networks:
-      - name: openldap
+      - name: nginx-internal
    ports:
      - "389:389"
      - "636:636"
@ -29,4 +23,5 @@
      LDAP_DOMAIN: "kucharczyk.xyz"
      LDAP_ADMIN_PASSWORD: "{{ vault_openldap_admin_password }}"
      LDAP_REMOVE_CONFIG_AFTER_SETUP: "false"
-    state: started
+    state: started
+    restart: yes
--- a/roles/openldap/templates/base.ldif.j2
+++ b/roles/openldap/templates/base.ldif.j2
@ -0,0 +1,6 @@
+dn: dc=kucharczyk,dc=xyz
+objectclass: top
+objectclass: dcObject
+objectclass: organization
+dc: kucharczyk
+o: Homelab
--- a/roles/portainer/tasks/main.yml
+++ b/roles/portainer/tasks/main.yml
@ -3,17 +3,11 @@
    name: 'portainer'
    image: portainer/portainer-ce
    networks:
-      - name: external
-      - name: openldap
+      - name: nginx-internal
+      - name: bridge
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    ports:
      - "8000:8000"
      - "9000:9000"
-    state: started
- name: copy nginx conf
-  template:
-    src: portainer.conf.j2
-    dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
-    mode: "755"
-  notify: reload nginx
+    state: started
--- a/roles/portainer/templates/portainer.conf.j2
+++ b/roles/portainer/templates/portainer.conf.j2
@ -1,7 +1,7 @@
 server {
-    server_name portainer.{{ base_domain }};
    listen 80;
-    return 301 https://$server_name$request_uri;
+    server_name portainer.{{ base_domain }};
+    return 301 https://$host$request_uri;
 }

 server {
--- a/roles/radarr/tasks/main.yml
+++ b/roles/radarr/tasks/main.yml
@ -1,34 +0,0 @@
- name: ensure directories exist
-  file:
-    path: "{{ item }}"
-    state: directory
-    mode: '0755'
-  loop:
-    - "{{ data_folder }}/radarr"
-    - "{{ media.tv }}"
-    - "{{ media.movies }}"
-    - "{{ downloads.nzb }}"
- name: run container
-  docker_container:
-    name: "{{ role_name }}"
-    image: "linuxserver/radarr"
-    networks:
-      - name: external
-    env:
-      "TZ": "{{ tz }}"
-      "PUID": "{{ puid }}"
-      "PGID": "{{  pgid }}"
-      "UMASK": "022"
-    volumes:
-      - "{{ data_folder }}/radarr:/config"
-      - "{{ downloads.nzb }}:/downloads"
-      - "{{ media.movies }}:/movies"
-    ports:
-      - "7878:7878"
-    state: started
- name: copy nginx conf
-  template:
-    src: "{{ role_name }}.conf.j2"
-    dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
-    mode: "755"
-  notify: reload nginx
--- a/roles/radarr/templates/radarr.conf.j2
+++ b/roles/radarr/templates/radarr.conf.j2
@ -1,20 +0,0 @@
-server {
-    server_name {{ role_name }}.{{ base_domain }};
-    listen 80;
-    return 301 https://$server_name$request_uri;
-}
-
-server {
-    server_name {{ role_name }}.{{ base_domain }};
-    listen 443 ssl http2;
-
-    include /etc/nginx/snippets/authelia-endpoint.conf;
-
-    location / {
-        include /etc/nginx/snippets/proxy.conf;
-        include /etc/nginx/snippets/authelia-auth.conf;
-
-        set $upstream http://{{ role_name }}:7878;
-        proxy_pass $upstream;
-    }
-}
Author	SHA1	Message	Date
Lukáš Kucharczyk	d70dc99f89	portainer: add nginx-internal network	2021-06-20 22:32:51 +02:00
Lukáš Kucharczyk	ec6256ad16	portainer: require one_factor	2021-06-20 22:29:41 +02:00
Lukáš Kucharczyk	8934fb8855	portainer: add nginx conf	2021-06-20 22:29:25 +02:00
Lukáš Kucharczyk	6f5140f0e6	portainer: add main task	2021-06-20 22:29:11 +02:00
Lukáš Kucharczyk	b9f88564f7	portainer: add role to playbook	2021-06-20 22:28:48 +02:00