From 6dcb21fe7575aff4d3a4be65c8083b11b9f4d158 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= <lukas@kucharczyk.xyz>
Date: Tue, 18 May 2021 23:09:37 +0200
Subject: [PATCH 1/7] Add PostgreSQL (#14)

---
 README.adoc                   |  1 +
 playbook.yml                  |  2 ++
 roles/postgres/tasks/main.yml | 36 +++++++++++++++++++++++++++++++++++
 vault/passwords.yml           | 14 ++++++++++++++
 4 files changed, 53 insertions(+)
 create mode 100644 roles/postgres/tasks/main.yml
 create mode 100644 vault/passwords.yml

diff --git a/README.adoc b/README.adoc
index 1ea0011..25833b0 100644
--- a/README.adoc
+++ b/README.adoc
@@ -14,6 +14,7 @@ homelab.
 
 * NGINX
 * Jellyfin
+* PostgreSQL
 
 === Testing
 To run locally, specify the inventory file with `-i hosts`.
diff --git a/playbook.yml b/playbook.yml
index f2ddd81..a945adf 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -5,5 +5,7 @@
     - nginx
     - jellyfin
     - openldap
+    - postgres
   vars_files:
     - vault/certs/{{ base_domain }}.yml
+    - vault/passwords.yml
diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml
new file mode 100644
index 0000000..00d9130
--- /dev/null
+++ b/roles/postgres/tasks/main.yml
@@ -0,0 +1,36 @@
+- name: install psycopg2
+  pip:
+    name: psycopg2-binary
+    state: present
+- name: ensure directories exist
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0755"
+  loop:
+    - "{{ data_folder }}/postgres/data"
+    - "{{ data_folder }}/postgres/init"
+- name: copy init sql files
+  template:
+    src: "{{ item }}"
+    dest: "{{ data_folder }}/postgres/init/{{ item | basename | regex_replace('.j2$', '') }}"
+  with_fileglob:
+    - "../templates/*.sql.j2"
+- name: create network
+  docker_network:
+    name: postgres
+    attachable: true
+    internal: true
+    state: present
+- name: run container
+  docker_container:
+    name: "postgres"
+    image: "postgres:13"
+    networks:
+      - name: postgres
+    volumes:
+      - "{{ data_folder }}/postgres/data:/var/lib/postgresql/data"
+      - "{{ data_folder }}/postgres/init:/docker-entrypoint-initdb.d"
+    env:
+      POSTGRES_PASSWORD: "{{ vault_postgres_password }}"
+    state: started
\ No newline at end of file
diff --git a/vault/passwords.yml b/vault/passwords.yml
new file mode 100644
index 0000000..c1df0f3
--- /dev/null
+++ b/vault/passwords.yml
@@ -0,0 +1,14 @@
+$ANSIBLE_VAULT;1.1;AES256
+32656133366339323166343734353434356561306461363033383266373733646161323166353438
+3537666138666438373366353530626339303866353162340a386539353333323835383237356566
+66636133383662333334396162323637393335336463316235386334353930616238623133613636
+6535613536633662340a386333373465613466303137643232356664363233326561653235656263
+63316130346236376235623632356364353538306439616362313837303438363736316137346237
+36623333643062626532383439663730653139633836613636343232323437643564643531336661
+34386135386437656135616536356538663731336261393636396562666337616462323330623732
+65363536383238376166393563636532353336306335613131653261333662613965633265333462
+30353564316435636330623434623832623463336231393630616266336435646434303963353665
+63616631313863303838613362343538663236656235353966306231643132633938373935646466
+63333036376136353831653236663631343761303830336461326264316563643037363935623731
+38393037396530346232656366626535363539653462393663653739653935376436333934616562
+3931
-- 
2.40.1


From e98699146630e7f6e6e9a577e145ae7867dbe823 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= <lukas@kucharczyk.xyz>
Date: Tue, 18 May 2021 23:10:37 +0200
Subject: [PATCH 2/7] Add Keycloak (#1)

---
 README.adoc                               |  1 +
 playbook.yml                              |  1 +
 roles/keycloak/tasks/main.yml             | 25 ++++++++++++++++++++++
 roles/keycloak/templates/keycloak.conf.j2 | 26 +++++++++++++++++++++++
 roles/postgres/templates/keycloak.sql.j2  |  3 +++
 5 files changed, 56 insertions(+)
 create mode 100644 roles/keycloak/tasks/main.yml
 create mode 100644 roles/keycloak/templates/keycloak.conf.j2
 create mode 100644 roles/postgres/templates/keycloak.sql.j2

diff --git a/README.adoc b/README.adoc
index 25833b0..42f41a1 100644
--- a/README.adoc
+++ b/README.adoc
@@ -15,6 +15,7 @@ homelab.
 * NGINX
 * Jellyfin
 * PostgreSQL
+* Keycloak
 
 === Testing
 To run locally, specify the inventory file with `-i hosts`.
diff --git a/playbook.yml b/playbook.yml
index a945adf..b2079c2 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -6,6 +6,7 @@
     - jellyfin
     - openldap
     - postgres
+    - keycloak
   vars_files:
     - vault/certs/{{ base_domain }}.yml
     - vault/passwords.yml
diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml
new file mode 100644
index 0000000..066db09
--- /dev/null
+++ b/roles/keycloak/tasks/main.yml
@@ -0,0 +1,25 @@
+- name: run container
+  docker_container:
+    name: "keycloak"
+    image: "quay.io/keycloak/keycloak"
+    ports:
+      - "8080:8080"
+    networks:
+      - name: postgres
+      - name: nginx-internal
+    env:
+      "KEYCLOAK_USER": "{{ vault_keycloak_user }}"
+      "KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}"
+      "DB_VENDOR": POSTGRES
+      "DB_ADDR": postgres
+      "DB_DATABASE": keycloak
+      "DB_USER": keycloak
+      "DB_SCHEMA": public
+      "DB_PASSWORD": "{{ vault_postgres_keycloak_user_password }}"
+      "PROXY_ADDRESS_FORWARDING": "true"
+- name: copy nginx conf
+  template:
+    src: "keycloak.conf.j2"
+    dest: "{{ data_folder }}/nginx/conf.d/{{ role_name}}.{{ base_domain }}.conf"
+    mode: "755"
+  notify: reload nginx
\ No newline at end of file
diff --git a/roles/keycloak/templates/keycloak.conf.j2 b/roles/keycloak/templates/keycloak.conf.j2
new file mode 100644
index 0000000..e16765c
--- /dev/null
+++ b/roles/keycloak/templates/keycloak.conf.j2
@@ -0,0 +1,26 @@
+server {
+  listen 80;
+  return 301 https://$host$request_uri;
+}
+
+server {
+  listen 443 ssl http2;
+  server_name "keycloak.{{ base_domain }}";
+  set $keycloak keycloak;
+
+  # Security/XSS Mitigation Headers
+  add_header X-Frame-Options "SAMEORIGIN";
+  add_header X-XSS-Protection "1; mode=block";
+  add_header X-Content-Type-Options "nosniff";
+
+  location / {
+    proxy_pass http://$keycloak:8080;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Protocol $scheme;
+    proxy_set_header X-Forwarded-Host $http_host;
+    proxy_buffering off;
+  }
+}
\ No newline at end of file
diff --git a/roles/postgres/templates/keycloak.sql.j2 b/roles/postgres/templates/keycloak.sql.j2
new file mode 100644
index 0000000..05bc40a
--- /dev/null
+++ b/roles/postgres/templates/keycloak.sql.j2
@@ -0,0 +1,3 @@
+CREATE USER keycloak WITH PASSWORD '{{ vault_postgres_keycloak_user_password }}';
+CREATE DATABASE keycloak;
+GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;
\ No newline at end of file
-- 
2.40.1


From 592273fc5be406e0b07d16542b38faec658c59f2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= <lukas@kucharczyk.xyz>
Date: Tue, 18 May 2021 23:18:11 +0200
Subject: [PATCH 3/7] List OpenLDAP in README

---
 README.adoc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.adoc b/README.adoc
index 42f41a1..2823f1c 100644
--- a/README.adoc
+++ b/README.adoc
@@ -14,6 +14,7 @@ homelab.
 
 * NGINX
 * Jellyfin
+* OpenLDAP
 * PostgreSQL
 * Keycloak
 
-- 
2.40.1


From 6fca397d25292550d66e00869e54e64e4037987f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= <lukas@kucharczyk.xyz>
Date: Sun, 20 Jun 2021 18:16:10 +0200
Subject: [PATCH 4/7] openldap: move admin password to vault

---
 roles/openldap/tasks/main.yml |  8 +-------
 vault/passwords.yml           | 29 ++++++++++++++++-------------
 2 files changed, 17 insertions(+), 20 deletions(-)

diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml
index f5dd228..afc4b9f 100644
--- a/roles/openldap/tasks/main.yml
+++ b/roles/openldap/tasks/main.yml
@@ -37,13 +37,7 @@
     env:
       LDAP_ORGANISATION: "Homelab"
       LDAP_DOMAIN: "kucharczyk.xyz"
+      LDAP_ADMIN_PASSWORD: "{{ vault_openldap_admin_password }}"
       LDAP_REMOVE_CONFIG_AFTER_SETUP: "false"
-      LDAP_ADMIN_PASSWORD: !vault |
-        $ANSIBLE_VAULT;1.1;AES256
-        35623735376134353839323136623133393035343162363366643632376262393539653736326431
-        6635373265313033653861393463633835333639346239650a303463323063373866316162616131
-        66356335346631386265363462353034393735366430636634643466376435313638303938363363
-        3838396139663964300a633931303135376566633363303336373937373138643564636263656233
-        6239
     state: started
     restart: yes
\ No newline at end of file
diff --git a/vault/passwords.yml b/vault/passwords.yml
index c1df0f3..f31064e 100644
--- a/vault/passwords.yml
+++ b/vault/passwords.yml
@@ -1,14 +1,17 @@
 $ANSIBLE_VAULT;1.1;AES256
-32656133366339323166343734353434356561306461363033383266373733646161323166353438
-3537666138666438373366353530626339303866353162340a386539353333323835383237356566
-66636133383662333334396162323637393335336463316235386334353930616238623133613636
-6535613536633662340a386333373465613466303137643232356664363233326561653235656263
-63316130346236376235623632356364353538306439616362313837303438363736316137346237
-36623333643062626532383439663730653139633836613636343232323437643564643531336661
-34386135386437656135616536356538663731336261393636396562666337616462323330623732
-65363536383238376166393563636532353336306335613131653261333662613965633265333462
-30353564316435636330623434623832623463336231393630616266336435646434303963353665
-63616631313863303838613362343538663236656235353966306231643132633938373935646466
-63333036376136353831653236663631343761303830336461326264316563643037363935623731
-38393037396530346232656366626535363539653462393663653739653935376436333934616562
-3931
+65653231333939666430306463383836633664623438373661666234343165633864353934663563
+3335396466623862353633363264373666353036623134360a356438636230613139633264373265
+36643231356335653261616238613266306165616363643763356234363537616138353831383064
+3436353361333263330a313361306236626164343261363432343762313361636338333165376238
+38666336356361613930316536323338653338353666666162666333636261373866653934626536
+31643931343338383039616261616130613763383737313037303163366263623066633031646630
+35373436646635613665343038363931396630653264633964646434346534393531333163643836
+62323634643537363365313662363766373436633262336339643734613732663832326133363434
+38643434326266373638366262386162666661383232383965613536663239336361623861613161
+32313439653132353434316563633638353164626236633766313864343036353562303163373335
+39653437623132623635363266353636613130666363353633366134663638346263643134383762
+37316631313437646232326237313436353732333065363666316364373336396135396238363562
+39633163316532616564366632303965316362653066613536316461643237373834316136383865
+64353238643638623832656463333563633838633931636166323335336662636362643466303566
+31333962656530326664636562343738393864613561333734333134386263356533373664666666
+66373538393037373761
-- 
2.40.1


From d38701a0e937fb82326f364c5d3f43207d4cc342 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= <lukas@kucharczyk.xyz>
Date: Sun, 20 Jun 2021 18:18:21 +0200
Subject: [PATCH 5/7] openldap: remove cruft

---
 roles/openldap/tasks/main.yml | 17 +----------------
 1 file changed, 1 insertion(+), 16 deletions(-)

diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml
index afc4b9f..1e7316c 100644
--- a/roles/openldap/tasks/main.yml
+++ b/roles/openldap/tasks/main.yml
@@ -6,34 +6,19 @@
   loop:
     - "{{ data_folder }}/openldap"
     - "{{ data_folder }}/openldap/data"
-    - "{{ data_folder }}/openldap/slapd.d"
-    - "{{ data_folder }}/openldap/ldifs"
-# - name: copy slapd.conf
-#   template:
-#     src: slapd.conf.j2
-#     dest: "{{ data_folder }}/openldap/slapd.d/slapd.conf"
-#     mode: '0755'
-- name: copy user ldif
-  template:
-    src: lukas.ldif.j2
-    dest: "{{ data_folder }}/openldap/ldifs/lukas.ldif"
-    mode: '0755'
 - name: run container
   docker_container:
     name: "openldap"
     image: osixia/openldap
     command: "--loglevel debug"
-    hostname: ldap.dev.local
+    hostname: openldap
     networks:
-      # - name: bridge
       - name: nginx-internal
     ports:
       - "389:389"
       - "636:636"
     volumes:
       - "{{ data_folder }}/openldap/data:/var/lib/ldap"
-      - "{{ data_folder }}/openldap/slapd.d:/etc/ldap/slapd.d"
-      - "{{ data_folder }}/openldap/ldifs:/container/service/slapd/assets/config/bootstrap/ldif/custom"
     env:
       LDAP_ORGANISATION: "Homelab"
       LDAP_DOMAIN: "kucharczyk.xyz"
-- 
2.40.1


From da527acb174aaba4d1edd9b20a8471d64f4ac2b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= <lukas@kucharczyk.xyz>
Date: Sun, 20 Jun 2021 18:18:44 +0200
Subject: [PATCH 6/7] openldap: remove more cruft

---
 roles/openldap/templates/lukas.ldif.j2 | 14 --------------
 roles/openldap/templates/slapd.conf.j2 | 16 ----------------
 2 files changed, 30 deletions(-)
 delete mode 100644 roles/openldap/templates/lukas.ldif.j2
 delete mode 100644 roles/openldap/templates/slapd.conf.j2

diff --git a/roles/openldap/templates/lukas.ldif.j2 b/roles/openldap/templates/lukas.ldif.j2
deleted file mode 100644
index f0325cd..0000000
--- a/roles/openldap/templates/lukas.ldif.j2
+++ /dev/null
@@ -1,14 +0,0 @@
-dn: uid=lukas,dc=kucharczyk,dc=xyz
-uid: lukas
-cn: lukas
-givenName: Lukas
-sn: Kucharczyk
-objectClass: top
-objectClass: posixAccount
-objectClass: inetOrgPerson
-loginShell: /bin/bash
-homeDirectory: /home/lukas
-uidNumber: 1000
-gidNumber: 1000
-userPassword: {SSHA}zsJllCeWKbz1we+L/gu/yt0hxeBdvJfT
-mail: lukas@kucharczyk.xyz
\ No newline at end of file
diff --git a/roles/openldap/templates/slapd.conf.j2 b/roles/openldap/templates/slapd.conf.j2
deleted file mode 100644
index 215ba5d..0000000
--- a/roles/openldap/templates/slapd.conf.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-# default config from /etc/openldap/slapd.conf
-include /etc/openldap/schema/core.schema
-pidfile /run/openldap/slapd.pid
-argsfile  /run/openldap/slapd.args
-
-# custom config
-allow bind_anon_dn
-access to attrs=userPassword by * auth
-access to * by * read
-loglevel 256
-
-database mdb
-suffix "dc=kucharczyk, dc=xyz"
-rootdn "cn=admin, dc=kucharczyk, dc=xyz"
-rootpw {SSHA}sgIeW4kyz3t0OyfZ1IZjzEDDb31JI3xK
-directory /var/lib/ldap
\ No newline at end of file
-- 
2.40.1


From b7c3a3af8a6a541044e54fb05fcf2678031c369c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= <lukas@kucharczyk.xyz>
Date: Sun, 20 Jun 2021 18:19:18 +0200
Subject: [PATCH 7/7] openldap: disable debug logging

---
 roles/openldap/tasks/main.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml
index 1e7316c..8b2dc3d 100644
--- a/roles/openldap/tasks/main.yml
+++ b/roles/openldap/tasks/main.yml
@@ -10,7 +10,6 @@
   docker_container:
     name: "openldap"
     image: osixia/openldap
-    command: "--loglevel debug"
     hostname: openldap
     networks:
       - name: nginx-internal
-- 
2.40.1