27 changed files with 95 additions and 385 deletions
--- a/README.adoc
+++ b/README.adoc
@ -12,14 +12,10 @@ homelab.

 === Containers

-* Authelia
-* Jellyfin
-* Keycloak
 * NGINX
-* OpenLDAP
-* Portainer
+* Jellyfin
 * PostgreSQL
-* Radarr
+* Keycloak

 === Testing
 To run locally, specify the inventory file with `-i hosts`.
--- a/group_vars/all
+++ b/group_vars/all
@ -14,8 +14,3 @@ tz: "Europe/Prague"
 media:
  tv: "{{ data_folder }}/media/tv"
  movies: "{{ data_folder }}/media/movies"
-downloads:
-  nzb: "{{ data_folder }}/downloads/nzb"
-  torrent: "{{ data_folder }}/downloads/torrent"
-  torrent_blackhole: "{{ data_folder }}/downloads/blackhole"
-  music: "{{ data_folder }}/downloads/music"
--- a/playbook.yml
+++ b/playbook.yml
@ -3,13 +3,10 @@
  roles:
    - docker
    - nginx
-    - openldap
-    - portainer
    - jellyfin
+    - openldap
    - postgres
-    - authelia
    - keycloak
-    - radarr
  vars_files:
    - vault/certs/{{ base_domain }}.yml
    - vault/passwords.yml
--- a/provision.sh
+++ b/provision.sh
@ -1,2 +0,0 @@
-#!/bin/env fish
-ANSIBLE_VAULT_PASSWORD_FILE=(pass show ansible-homelab | psub) vagrant provision
--- a/roles/authelia/tasks/main.yml
+++ b/roles/authelia/tasks/main.yml
@ -1,39 +0,0 @@
- name: ensure directories exist
-  file:
-    path: "{{ item }}"
-    state: directory
-    mode: '0755'
-  loop:
-    - "{{ data_folder }}/authelia"
- name: copy configuration.yml
-  template:
-    src: "configuration.yml.j2"
-    dest: "{{ data_folder }}/authelia/configuration.yml"
-    mode: "755"
- name: run container
-  docker_container:
-    name: "authelia"
-    image: "authelia/authelia"
-    ports:
-      - "9091:9091"
-    networks:
-      - name: external
-      - name: openldap
-    volumes:
-      - "{{ data_folder }}/authelia:/config"
- name: copy nginx endpoint conf
-  template:
-    src: "authelia-endpoint.conf.j2"
-    dest: "{{ data_folder }}/nginx/snippets/authelia-endpoint.conf"
-    mode: "755"
- name: copy nginx auth conf
-  template:
-    src: "authelia-auth.conf.j2"
-    dest: "{{ data_folder }}/nginx/snippets/authelia-auth.conf"
-    mode: "755"
- name: copy nginx conf
-  template:
-    src: "authelia.conf.j2"
-    dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
-    mode: "755"
-  notify: reload nginx
--- a/roles/authelia/templates/authelia-auth.conf.j2
+++ b/roles/authelia/templates/authelia-auth.conf.j2
@ -1,11 +0,0 @@
-auth_request /authelia/api/verify;
-auth_request_set $target_url $scheme://$http_host$request_uri;
-auth_request_set $user $upstream_http_remote_user;
-auth_request_set $groups $upstream_http_remote_groups;
-auth_request_set $name $upstream_http_remote_name;
-auth_request_set $email $upstream_http_remote_email;
-proxy_set_header Remote-User $user;
-proxy_set_header Remote-Groups $groups;
-proxy_set_header Remote-Name $name;
-proxy_set_header Remote-Email $email;
-error_page 401 =302 https://$http_host/authelia/?rd=$target_url;
--- a/roles/authelia/templates/authelia-endpoint.conf.j2
+++ b/roles/authelia/templates/authelia-endpoint.conf.j2
@ -1,47 +0,0 @@
-location ^~ /authelia {
-    include /etc/nginx/snippets/proxy.conf;
-    set $upstream_authelia authelia;
-    proxy_pass http://$upstream_authelia:9091;
-}
-
-location = /authelia/api/verify {
-    internal;
-    if ($request_uri ~ [^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]]) {
-        return 401;
-    }
-    set $upstream_authelia authelia;
-    proxy_pass_request_body off;
-    proxy_pass http://$upstream_authelia:9091;
-    proxy_set_header Content-Length "";
-
-    # Timeout if the real server is dead
-    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
-
-    # [REQUIRED] Needed by Authelia to check authorizations of the resource.
-    # Provide either X-Original-URL and X-Forwarded-Proto or
-    # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
-    # Those headers will be used by Authelia to deduce the target url of the user.
-    # Basic Proxy Config
-    client_body_buffer_size 128k;
-    proxy_set_header Host $host;
-    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $remote_addr;
-    proxy_set_header X-Forwarded-Method $request_method;
-    proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header X-Forwarded-Host $http_host;
-    proxy_set_header X-Forwarded-Uri $request_uri;
-    proxy_set_header X-Forwarded-Ssl on;
-    proxy_redirect  http://  $scheme://;
-    proxy_http_version 1.1;
-    proxy_set_header Connection "";
-    proxy_cache_bypass $cookie_session;
-    proxy_no_cache $cookie_session;
-    proxy_buffers 4 32k;
-
-    # Advanced Proxy Config
-    send_timeout 5m;
-    proxy_read_timeout 240;
-    proxy_send_timeout 240;
-    proxy_connect_timeout 240;
-}
--- a/roles/authelia/templates/authelia.conf.j2
+++ b/roles/authelia/templates/authelia.conf.j2
@ -1,16 +0,0 @@
-server {
-    server_name auth.{{ base_domain }};
-    listen 80;
-    return 301 https://$server_name$request_uri;
-}
-
-server {
-    server_name auth.{{ base_domain }};
-    listen 443 ssl http2;
-
-    location / {
-        include /etc/nginx/snippets/proxy.conf;
-        set $upstream_authelia http://authelia:9091; # This example assumes a Docker deployment
-        proxy_pass $upstream_authelia;
-    }
-}
--- a/roles/authelia/templates/configuration.yml.j2
+++ b/roles/authelia/templates/configuration.yml.j2
@ -1,71 +0,0 @@
-host: 0.0.0.0
-port: 9091
-server:
-  read_buffer_size: 4096
-  write_buffer_size: 4096
-  path: "authelia"
-log_level: debug
-jwt_secret: somethingsomethingrandomrecret
-default_redirection_url: https://{{ base_domain }}
-authentication_backend:
-  disable_reset_password: false
-  ldap:
-    implementation: custom
-    url: ldap://openldap
-    start_tls: false
-    tls:
-      server_name: openldap
-      skip_verify: false
-      minimum_version: TLS1.2
-    base_dn: dc=kucharczyk,dc=xyz
-    username_attribute: uid
-    users_filter: ({username_attribute}={input})
-    groups_filter: (member={dn})
-    mail_attribute: mail
-    user: cn=admin,dc=kucharczyk,dc=xyz
-    password: {{ vault_openldap_admin_password }}
-access_control:
-  default_policy: deny
-  networks:
-    - name: local
-      networks:
-        - 192.168.0.0/24
-  rules:
-    - domain: "*.{{ base_domain }}"
-      networks:
-        - local
-      policy: bypass
-    - domain: portainer.{{ base_domain }}
-      policy: one_factor
-    - domain: keycloak.{{ base_domain }}
-      policy: one_factor
-    - domain: radarr.{{ base_domain }}
-      policy: two_factor
-session:
-  name: authelia_session
-  secret: somerandomsecret
-  expiration: 1h
-  inactivity: 5m
-  remember_me_duration: 1M
-  domain: {{ base_domain }}
-regulation:
-  max_retries: 3
-  find_time: 2m
-  ban_time: 99y
-storage:
-  local:
-    path: /config/db.sqlite3
-notifier:
-  disable_startup_check: false
-  smtp:
-    username: kucharczyk.lukas@gmail.com
-    password: {{ vault_email_gmail_password }}
-    host: smtp.gmail.com
-    port: 587
-    sender: kucharczyk.lukas@gmail.com
-    subject: "[Authelia] {title}"
-    startup_check_address: test@authelia.com
-    disable_require_tls: false
-    tls:
-      skip_verify: false
-      minimum_version: TLS1.2
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@ -3,9 +3,6 @@
    name:
      - docker
      - python-pip
-      - neovim
-      - fish
-      - curlie
    state: present
    update_cache: true
 - name: start
@ -15,9 +12,8 @@
 - name: add user to group
  user:
    name: lukas
-    groups: docker,wheel
+    groups: docker
    append: true
-    shell: /usr/bin/fish
 - name: install python docker
  pip:
    name:
--- a/roles/jellyfin/tasks/main.yml
+++ b/roles/jellyfin/tasks/main.yml
@ -12,7 +12,7 @@
    name: 'jellyfin'
    image: linuxserver/jellyfin
    networks:
-      - name: external
+      - name: nginx-internal
    volumes:
      - "{{ data_folder }}/jellyfin:/config"
      - "{{ media.tv }}:/data/tv"
@ -29,6 +29,7 @@
    devices:
      - /dev/dri:/dev/dri
    state: started
+    restart: yes
 - name: copy jellyfin nginx config
  template:
    src: jellyfin.conf.j2
--- a/roles/jellyfin/templates/jellyfin.conf.j2
+++ b/roles/jellyfin/templates/jellyfin.conf.j2
@ -1,7 +1,6 @@
 server {
-    server_name "jellyfin.{{ base_domain }}";
    listen 80;
-    return 301 https://$server_name$request_uri;
+    return 301 https://$host$request_uri;
 }

 server {
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@ -5,9 +5,8 @@
    ports:
      - "8080:8080"
    networks:
-      - name: external
      - name: postgres
-      - name: openldap
+      - name: nginx-internal
    env:
      "KEYCLOAK_USER": "{{ vault_keycloak_user }}"
      "KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}"
@ -21,6 +20,6 @@
 - name: copy nginx conf
  template:
    src: "keycloak.conf.j2"
-    dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
+    dest: "{{ data_folder }}/nginx/conf.d/{{ role_name}}.{{ base_domain }}.conf"
    mode: "755"
  notify: reload nginx
--- a/roles/keycloak/templates/keycloak.conf.j2
+++ b/roles/keycloak/templates/keycloak.conf.j2
@ -1,7 +1,6 @@
 server {
-    server_name "keycloak.{{ base_domain }}";
  listen 80;
-    return 301 https://$server_name$request_uri;
+  return 301 https://$host$request_uri;
 }

 server {
@ -14,11 +13,8 @@ server {
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Content-Type-Options "nosniff";

-  include /etc/nginx/snippets/authelia-endpoint.conf;
-
  location / {
    proxy_pass http://$keycloak:8080;
-    include /etc/nginx/snippets/authelia-auth.conf;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -14,11 +14,11 @@
 - name: generate self-signed certs
  import_tasks: self-signed.yml
  when: self_signed
- name: create external bridge network
+- name: create nginx bridge network
  docker_network:
-    name: external
+    name: nginx-internal
    attachable: true
-    internal: false
+    internal: true
    state: present
 - name: copy nginx.conf
  template:
@ -37,7 +37,8 @@
    name: 'nginx'
    image: nginx
    networks:
-      - name: external
+      - name: bridge
+      - name: nginx-internal
    volumes:
      - "{{ data_folder }}/nginx/conf.d:/etc/nginx/conf.d"
      - "{{ data_folder }}/nginx/nginx.conf:/etc/nginx/nginx.conf"
@ -53,3 +54,4 @@
      NGINX_HOST: "{{ base_domain }}"
      NGINX_PORT: '80'
    state: started
+    restart: yes
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
@ -14,8 +14,6 @@ http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

-    log_subrequest on;
-
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
--- a/roles/nginx/templates/snippets/proxy.conf.j2
+++ b/roles/nginx/templates/snippets/proxy.conf.j2
@ -1,36 +0,0 @@
-client_body_buffer_size 128k;
-
-#Timeout if the real server is dead
-proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
-
-# Advanced Proxy Config
-send_timeout 5m;
-proxy_read_timeout 360;
-proxy_send_timeout 360;
-proxy_connect_timeout 360;
-
-# Basic Proxy Config
-proxy_set_header Host $host;
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Forwarded-Proto $scheme;
-proxy_set_header X-Forwarded-Host $http_host;
-proxy_set_header X-Forwarded-Uri $request_uri;
-proxy_set_header X-Forwarded-Ssl on;
-proxy_redirect  http://  $scheme://;
-proxy_http_version 1.1;
-proxy_set_header Connection "";
-proxy_cache_bypass $cookie_session;
-proxy_no_cache $cookie_session;
-proxy_buffers 64 256k;
-
-# If behind reverse proxy, forwards the correct IP
-set_real_ip_from 10.0.0.0/8;
-set_real_ip_from 172.16.0.0/12;
-set_real_ip_from 172.17.0.0/16;
-set_real_ip_from 172.18.0.0/16;
-set_real_ip_from 172.19.0.0/16;
-set_real_ip_from 192.168.0.0/16;
-set_real_ip_from fc00::/7;
-real_ip_header X-Forwarded-For;
-real_ip_recursive on;
--- a/roles/openldap/tasks/main.yml
+++ b/roles/openldap/tasks/main.yml
@ -6,27 +6,44 @@
  loop:
    - "{{ data_folder }}/openldap"
    - "{{ data_folder }}/openldap/data"
- name: create network
-  docker_network:
-    name: openldap
-    attachable: true
-    internal: true
-    state: present
+    - "{{ data_folder }}/openldap/slapd.d"
+    - "{{ data_folder }}/openldap/ldifs"
+# - name: copy slapd.conf
+#   template:
+#     src: slapd.conf.j2
+#     dest: "{{ data_folder }}/openldap/slapd.d/slapd.conf"
+#     mode: '0755'
+- name: copy user ldif
+  template:
+    src: lukas.ldif.j2
+    dest: "{{ data_folder }}/openldap/ldifs/lukas.ldif"
+    mode: '0755'
 - name: run container
  docker_container:
    name: "openldap"
    image: osixia/openldap
-    hostname: openldap
+    command: "--loglevel debug"
+    hostname: ldap.dev.local
    networks:
-      - name: openldap
+      # - name: bridge
+      - name: nginx-internal
    ports:
      - "389:389"
      - "636:636"
    volumes:
      - "{{ data_folder }}/openldap/data:/var/lib/ldap"
+      - "{{ data_folder }}/openldap/slapd.d:/etc/ldap/slapd.d"
+      - "{{ data_folder }}/openldap/ldifs:/container/service/slapd/assets/config/bootstrap/ldif/custom"
    env:
      LDAP_ORGANISATION: "Homelab"
      LDAP_DOMAIN: "kucharczyk.xyz"
-      LDAP_ADMIN_PASSWORD: "{{ vault_openldap_admin_password }}"
      LDAP_REMOVE_CONFIG_AFTER_SETUP: "false"
+      LDAP_ADMIN_PASSWORD: !vault |
+        $ANSIBLE_VAULT;1.1;AES256
+        35623735376134353839323136623133393035343162363366643632376262393539653736326431
+        6635373265313033653861393463633835333639346239650a303463323063373866316162616131
+        66356335346631386265363462353034393735366430636634643466376435313638303938363363
+        3838396139663964300a633931303135376566633363303336373937373138643564636263656233
+        6239
    state: started
+    restart: yes
--- a/roles/openldap/templates/base.ldif.j2
+++ b/roles/openldap/templates/base.ldif.j2
@ -0,0 +1,6 @@
+dn: dc=kucharczyk,dc=xyz
+objectclass: top
+objectclass: dcObject
+objectclass: organization
+dc: kucharczyk
+o: Homelab
--- a/roles/openldap/templates/lukas.ldif.j2
+++ b/roles/openldap/templates/lukas.ldif.j2
@ -0,0 +1,14 @@
+dn: uid=lukas,dc=kucharczyk,dc=xyz
+uid: lukas
+cn: lukas
+givenName: Lukas
+sn: Kucharczyk
+objectClass: top
+objectClass: posixAccount
+objectClass: inetOrgPerson
+loginShell: /bin/bash
+homeDirectory: /home/lukas
+uidNumber: 1000
+gidNumber: 1000
+userPassword: {SSHA}zsJllCeWKbz1we+L/gu/yt0hxeBdvJfT
+mail: lukas@kucharczyk.xyz
--- a/roles/openldap/templates/slapd.conf.j2
+++ b/roles/openldap/templates/slapd.conf.j2
@ -0,0 +1,16 @@
+# default config from /etc/openldap/slapd.conf
+include /etc/openldap/schema/core.schema
+pidfile /run/openldap/slapd.pid
+argsfile  /run/openldap/slapd.args
+
+# custom config
+allow bind_anon_dn
+access to attrs=userPassword by * auth
+access to * by * read
+loglevel 256
+
+database mdb
+suffix "dc=kucharczyk, dc=xyz"
+rootdn "cn=admin, dc=kucharczyk, dc=xyz"
+rootpw {SSHA}sgIeW4kyz3t0OyfZ1IZjzEDDb31JI3xK
+directory /var/lib/ldap
--- a/roles/portainer/tasks/main.yml
+++ b/roles/portainer/tasks/main.yml
@ -1,19 +0,0 @@
- name: run container
-  docker_container:
-    name: 'portainer'
-    image: portainer/portainer-ce
-    networks:
-      - name: external
-      - name: openldap
-    volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock"
-    ports:
-      - "8000:8000"
-      - "9000:9000"
-    state: started
- name: copy nginx conf
-  template:
-    src: portainer.conf.j2
-    dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
-    mode: "755"
-  notify: reload nginx
--- a/roles/portainer/templates/portainer.conf.j2
+++ b/roles/portainer/templates/portainer.conf.j2
@ -1,20 +0,0 @@
-server {
-    server_name portainer.{{ base_domain }};
-    listen 80;
-    return 301 https://$server_name$request_uri;
-}
-
-server {
-    server_name portainer.{{ base_domain }};
-    listen 443 ssl http2;
-
-    include /etc/nginx/snippets/authelia-endpoint.conf;
-
-    location / {
-        include /etc/nginx/snippets/proxy.conf;
-        include /etc/nginx/snippets/authelia-auth.conf;
-
-        set $upstream http://portainer:9000; # This example assumes a Docker deployment
-        proxy_pass $upstream;
-    }
-}
--- a/roles/radarr/tasks/main.yml
+++ b/roles/radarr/tasks/main.yml
@ -1,34 +0,0 @@
- name: ensure directories exist
-  file:
-    path: "{{ item }}"
-    state: directory
-    mode: '0755'
-  loop:
-    - "{{ data_folder }}/radarr"
-    - "{{ media.tv }}"
-    - "{{ media.movies }}"
-    - "{{ downloads.nzb }}"
- name: run container
-  docker_container:
-    name: "{{ role_name }}"
-    image: "linuxserver/radarr"
-    networks:
-      - name: external
-    env:
-      "TZ": "{{ tz }}"
-      "PUID": "{{ puid }}"
-      "PGID": "{{  pgid }}"
-      "UMASK": "022"
-    volumes:
-      - "{{ data_folder }}/radarr:/config"
-      - "{{ downloads.nzb }}:/downloads"
-      - "{{ media.movies }}:/movies"
-    ports:
-      - "7878:7878"
-    state: started
- name: copy nginx conf
-  template:
-    src: "{{ role_name }}.conf.j2"
-    dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
-    mode: "755"
-  notify: reload nginx
--- a/roles/radarr/templates/radarr.conf.j2
+++ b/roles/radarr/templates/radarr.conf.j2
@ -1,20 +0,0 @@
-server {
-    server_name {{ role_name }}.{{ base_domain }};
-    listen 80;
-    return 301 https://$server_name$request_uri;
-}
-
-server {
-    server_name {{ role_name }}.{{ base_domain }};
-    listen 443 ssl http2;
-
-    include /etc/nginx/snippets/authelia-endpoint.conf;
-
-    location / {
-        include /etc/nginx/snippets/proxy.conf;
-        include /etc/nginx/snippets/authelia-auth.conf;
-
-        set $upstream http://{{ role_name }}:7878;
-        proxy_pass $upstream;
-    }
-}
--- a/show-pass.sh
+++ b/show-pass.sh
@ -1,2 +0,0 @@
-#!/bin/env fish
-ansible-vault view --vault-password-file (pass show ansible-homelab | psub) vault/passwords.yml
--- a/vault/passwords.yml
+++ b/vault/passwords.yml
@ -1,19 +1,14 @@
 $ANSIBLE_VAULT;1.1;AES256
-35356537316639386637316365393533643061363734323630393363313237643935666639653963
-3734376266353938653631323266663139306335646635660a373233663964623335663366333434
-34386136656530386639646234316238326132616131616632346537613963636637393839613661
-6366326639643632320a386436316165343166366134633464393461653434323934326238313430
-39323439306637306134326635323138616337646336653238636539643538613664303764303661
-39636661353538393532663937396363656664613334383261336664336237356366663334633430
-36356235383930653835393439373737623036613565313131626462363034303062323662663832
-66613833613336646633383835653161386363386136663764653734313763383231626434393864
-63313061346335383933623630396336336561633938613237643238616531343766613734666132
-32306362616131396266656162653563356137383239616464306662643032623438373764306361
-32363133626662633435626232653061373831626563323861626635383039613136303632613335
-61363265316534653033393763646565393330633063323634353932353936303638356433306362
-65383938306637333765383263653939633964613230613835326630313761323561376162646439
-62323035323634323766393233326363383364653531306432663263303831623936616139306639
-64303863386265343165666435363761653464386366636366323261353731643263356635383536
-66326666616339653731633530663161363933383334376238313637356331663431336433643338
-64313861306161373538363332663363623131303561373237326436373838393965306663333835
-3764356534323963303832653964666431626538316361613137
+32656133366339323166343734353434356561306461363033383266373733646161323166353438
+3537666138666438373366353530626339303866353162340a386539353333323835383237356566
+66636133383662333334396162323637393335336463316235386334353930616238623133613636
+6535613536633662340a386333373465613466303137643232356664363233326561653235656263
+63316130346236376235623632356364353538306439616362313837303438363736316137346237
+36623333643062626532383439663730653139633836613636343232323437643564643531336661
+34386135386437656135616536356538663731336261393636396562666337616462323330623732
+65363536383238376166393563636532353336306335613131653261333662613965633265333462
+30353564316435636330623434623832623463336231393630616266336435646434303963353665
+63616631313863303838613362343538663236656235353966306231643132633938373935646466
+63333036376136353831653236663631343761303830336461326264316563643037363935623731
+38393037396530346232656366626535363539653462393663653739653935376436333934616562
+3931