From 6dcb21fe7575aff4d3a4be65c8083b11b9f4d158 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Tue, 18 May 2021 23:09:37 +0200 Subject: [PATCH 1/7] Add PostgreSQL (#14) --- README.adoc | 1 + playbook.yml | 2 ++ roles/postgres/tasks/main.yml | 36 +++++++++++++++++++++++++++++++++++ vault/passwords.yml | 14 ++++++++++++++ 4 files changed, 53 insertions(+) create mode 100644 roles/postgres/tasks/main.yml create mode 100644 vault/passwords.yml diff --git a/README.adoc b/README.adoc index 1ea0011..25833b0 100644 --- a/README.adoc +++ b/README.adoc @@ -14,6 +14,7 @@ homelab. * NGINX * Jellyfin +* PostgreSQL === Testing To run locally, specify the inventory file with `-i hosts`. diff --git a/playbook.yml b/playbook.yml index f2ddd81..a945adf 100644 --- a/playbook.yml +++ b/playbook.yml @@ -5,5 +5,7 @@ - nginx - jellyfin - openldap + - postgres vars_files: - vault/certs/{{ base_domain }}.yml + - vault/passwords.yml diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml new file mode 100644 index 0000000..00d9130 --- /dev/null +++ b/roles/postgres/tasks/main.yml 
@@ -0,0 +1,36 @@ +- name: install psycopg2 + pip: + name: psycopg2-binary + state: present +- name: ensure directories exist + file: + path: "{{ item }}" + state: directory + mode: "0755" + loop: + - "{{ data_folder }}/postgres/data" + - "{{ data_folder }}/postgres/init" +- name: copy init sql files + template: + src: "{{ item }}" + dest: "{{ data_folder }}/postgres/init/{{ item | basename | regex_replace('.j2$', '') }}" + with_fileglob: + - "../templates/*.sql.j2" +- name: create network + docker_network: + name: postgres + attachable: true + internal: true + state: present +- name: run container + docker_container: + name: "postgres" + image: "postgres:13" + networks: + - name: postgres + volumes: + - "{{ data_folder }}/postgres/data:/var/lib/postgresql/data" + - "{{ data_folder }}/postgres/init:/docker-entrypoint-initdb.d" + env: + POSTGRES_PASSWORD: "{{ vault_postgres_password }}" + state: started \ No newline at end of file diff --git a/vault/passwords.yml b/vault/passwords.yml new file mode 100644 index 0000000..c1df0f3 --- /dev/null +++ b/vault/passwords.yml 
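Review bot: The `copy init sql files` task renders `../templates/*.sql.j2` into `{{ data_folder }}/postgres/init/` with no `mode`, and the template added in patch 2/7 (`keycloak.sql.j2`) embeds `vault_postgres_keycloak_user_password`, so the plaintext database password lands on the host under the default umask inside a `0755` directory. Add `mode: "0600"` to the template task and give the `init` entry of the `ensure directories exist` loop `mode: "0700"` (the entrypoint presumably still runs as root at init time and can read it — confirm for the `postgres:13` image). Also worth a comment on the `run container` task that `/docker-entrypoint-initdb.d` scripts only execute when the data volume is empty, so a later change to the vault password will not reach an existing cluster. Pinning `postgres:13` to a digest would make the pulled image reproducible.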
@@ -0,0 +1,14 @@ +$ANSIBLE_VAULT;1.1;AES256 +32656133366339323166343734353434356561306461363033383266373733646161323166353438 +3537666138666438373366353530626339303866353162340a386539353333323835383237356566 +66636133383662333334396162323637393335336463316235386334353930616238623133613636 +6535613536633662340a386333373465613466303137643232356664363233326561653235656263 +63316130346236376235623632356364353538306439616362313837303438363736316137346237 +36623333643062626532383439663730653139633836613636343232323437643564643531336661 +34386135386437656135616536356538663731336261393636396562666337616462323330623732 +65363536383238376166393563636532353336306335613131653261333662613965633265333462 +30353564316435636330623434623832623463336231393630616266336435646434303963353665 +63616631313863303838613362343538663236656235353966306231643132633938373935646466 +63333036376136353831653236663631343761303830336461326264316563643037363935623731 +38393037396530346232656366626535363539653462393663653739653935376436333934616562 +3931 -- 2.40.1 From e98699146630e7f6e6e9a577e145ae7867dbe823 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Tue, 18 May 2021 23:10:37 +0200 Subject: [PATCH 2/7] Add Keycloak (#1) --- README.adoc | 1 + playbook.yml | 1 + roles/keycloak/tasks/main.yml | 25 ++++++++++++++++++++++ roles/keycloak/templates/keycloak.conf.j2 | 26 +++++++++++++++++++++++ roles/postgres/templates/keycloak.sql.j2 | 3 +++ 5 files changed, 56 insertions(+) create mode 100644 roles/keycloak/tasks/main.yml create mode 100644 roles/keycloak/templates/keycloak.conf.j2 create mode 100644 roles/postgres/templates/keycloak.sql.j2 diff --git a/README.adoc b/README.adoc index 25833b0..42f41a1 100644 --- a/README.adoc +++ b/README.adoc @@ -15,6 +15,7 @@ homelab. * NGINX * Jellyfin * PostgreSQL +* Keycloak === Testing To run locally, specify the inventory file with `-i hosts`. diff --git a/playbook.yml b/playbook.yml index a945adf..b2079c2 100644 --- a/playbook.yml 
+++ b/playbook.yml @@ -6,6 +6,7 @@ - jellyfin - openldap - postgres + - keycloak vars_files: - vault/certs/{{ base_domain }}.yml - vault/passwords.yml diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml new file mode 100644 index 0000000..066db09 --- /dev/null +++ b/roles/keycloak/tasks/main.yml @@ -0,0 +1,25 @@ +- name: run container + docker_container: + name: "keycloak" + image: "quay.io/keycloak/keycloak" + ports: + - "8080:8080" + networks: + - name: postgres + - name: nginx-internal + env: + "KEYCLOAK_USER": "{{ vault_keycloak_user }}" + "KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}" + "DB_VENDOR": POSTGRES + "DB_ADDR": postgres + "DB_DATABASE": keycloak + "DB_USER": keycloak + "DB_SCHEMA": public + "DB_PASSWORD": "{{ vault_postgres_keycloak_user_password }}" + "PROXY_ADDRESS_FORWARDING": "true" +- name: copy nginx conf + template: + src: "keycloak.conf.j2" + dest: "{{ data_folder }}/nginx/conf.d/{{ role_name}}.{{ base_domain }}.conf" + mode: "755" + notify: reload nginx \ No newline at end of file diff --git a/roles/keycloak/templates/keycloak.conf.j2 b/roles/keycloak/templates/keycloak.conf.j2 new file mode 100644 index 0000000..e16765c --- /dev/null +++ b/roles/keycloak/templates/keycloak.conf.j2 
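Review bot: `ports: - "8080:8080"` publishes Keycloak's plain-HTTP listener on every host interface, so the nginx TLS front on `nginx-internal` can be bypassed, and because `PROXY_ADDRESS_FORWARDING` is `"true"` a direct client can supply its own `X-Forwarded-For`/`X-Forwarded-Proto` headers, which that setting tells Keycloak to trust. Drop the `ports` entry (nginx reaches the container over the shared network) or at least bind it locally with `- "127.0.0.1:8080:8080"`. `image: "quay.io/keycloak/keycloak"` carries no tag, so each run pulls whatever `latest` is at the time; pin a version. The nginx conf is written with `mode: "755"`, but a config file needs no execute bit — `mode: "0644"` is enough.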
@@ -0,0 +1,26 @@ +server { + listen 80; + return 301 https://$host$request_uri; +} + +server { + listen 443 ssl http2; + server_name "keycloak.{{ base_domain }}"; + set $keycloak keycloak; + + # Security/XSS Mitigation Headers + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options "nosniff"; + + location / { + proxy_pass http://$keycloak:8080; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Protocol $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_buffering off; + } +} \ No newline at end of file diff --git a/roles/postgres/templates/keycloak.sql.j2 b/roles/postgres/templates/keycloak.sql.j2 new file mode 100644 index 0000000..05bc40a --- /dev/null +++ b/roles/postgres/templates/keycloak.sql.j2 @@ -0,0 +1,3 @@ +CREATE USER keycloak WITH PASSWORD '{{ vault_postgres_keycloak_user_password }}'; +CREATE DATABASE keycloak; +GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak; \ No newline at end of file -- 2.40.1 From 592273fc5be406e0b07d16542b38faec658c59f2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Tue, 18 May 2021 23:18:11 +0200 Subject: [PATCH 3/7] List OpenLDAP in README --- README.adoc | 1 + 1 file changed, 1 insertion(+) diff --git a/README.adoc b/README.adoc index 42f41a1..2823f1c 100644 --- a/README.adoc +++ b/README.adoc @@ -14,6 +14,7 @@ homelab. * NGINX * Jellyfin +* OpenLDAP * PostgreSQL * Keycloak -- 2.40.1 From 6fca397d25292550d66e00869e54e64e4037987f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Sun, 20 Jun 2021 18:16:10 +0200 Subject: [PATCH 4/7] openldap: move admin password to vault --- roles/openldap/tasks/main.yml | 8 +------- vault/passwords.yml | 29 ++++++++++++++++------------- 2 files changed, 17 insertions(+), 20 deletions(-) 
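Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends to whatever `X-Forwarded-For` the client sent, so with `PROXY_ADDRESS_FORWARDING` enabled on the container a client can prepend an arbitrary address and that is what Keycloak records as the source IP (and presumably what its per-IP brute-force detection keys on). When nginx is the only proxy in front, use `proxy_set_header X-Forwarded-For $remote_addr;`. Since port 80 unconditionally redirects to HTTPS, also add `add_header Strict-Transport-Security "max-age=31536000" always;` next to the other headers. No `ssl_certificate`/`ssl_certificate_key` directives appear in this server block; presumably they come from a shared include — verify, otherwise nginx will refuse the `listen 443 ssl` block.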
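Review bot: The vault value is interpolated into `CREATE USER keycloak WITH PASSWORD '{{ vault_postgres_keycloak_user_password }}'` without escaping, so a password containing a single quote breaks or alters the statement when the init script runs. Escape it in the template: `WITH PASSWORD '{{ vault_postgres_keycloak_user_password | replace("'", "''") }}'`. The rendered `.sql` file also holds the password in plaintext on the host, so the template task in roles/postgres should write it with a restrictive `mode`. Note that `docker-entrypoint-initdb.d` scripts run only on first initialisation; rotating this password later requires an explicit `ALTER USER keycloak WITH PASSWORD ...` against the running cluster, which is worth a comment at the top of the file.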
diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml index f5dd228..afc4b9f 100644 --- a/roles/openldap/tasks/main.yml +++ b/roles/openldap/tasks/main.yml @@ -37,13 +37,7 @@ env: LDAP_ORGANISATION: "Homelab" LDAP_DOMAIN: "kucharczyk.xyz" + LDAP_ADMIN_PASSWORD: "{{ vault_openldap_admin_password }}" LDAP_REMOVE_CONFIG_AFTER_SETUP: "false" - LDAP_ADMIN_PASSWORD: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 35623735376134353839323136623133393035343162363366643632376262393539653736326431 - 6635373265313033653861393463633835333639346239650a303463323063373866316162616131 - 66356335346631386265363462353034393735366430636634643466376435313638303938363363 - 3838396139663964300a633931303135376566633363303336373937373138643564636263656233 - 6239 state: started restart: yes \ No newline at end of file diff --git a/vault/passwords.yml b/vault/passwords.yml index c1df0f3..f31064e 100644 --- a/vault/passwords.yml +++ b/vault/passwords.yml 
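Review bot: Moving `LDAP_ADMIN_PASSWORD` to `"{{ vault_openldap_admin_password }}"` centralises the secret, but the removed inline `!vault` blob stays in git history encrypted under the same vault password, so this is a relocation, not a rotation — if the intent was to invalidate the old value, change it in `vault/passwords.yml` too. `LDAP_REMOVE_CONFIG_AFTER_SETUP: "false"` is kept next to it; for the osixia image that setting, as far as I recall, leaves the bootstrap configuration (including the admin password) inside the container after setup, so confirm `"false"` is deliberate and add a comment saying why. `LDAP_DOMAIN: "kucharczyk.xyz"` is hard-coded while the playbook otherwise uses `{{ base_domain }}`; `LDAP_DOMAIN: "{{ base_domain }}"` keeps them in step. The `docker_container` task this hunk edits begins above the hunk.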
@@ -1,14 +1,17 @@ $ANSIBLE_VAULT;1.1;AES256 -32656133366339323166343734353434356561306461363033383266373733646161323166353438 -3537666138666438373366353530626339303866353162340a386539353333323835383237356566 -66636133383662333334396162323637393335336463316235386334353930616238623133613636 -6535613536633662340a386333373465613466303137643232356664363233326561653235656263 -63316130346236376235623632356364353538306439616362313837303438363736316137346237 -36623333643062626532383439663730653139633836613636343232323437643564643531336661 -34386135386437656135616536356538663731336261393636396562666337616462323330623732 -65363536383238376166393563636532353336306335613131653261333662613965633265333462 -30353564316435636330623434623832623463336231393630616266336435646434303963353665 -63616631313863303838613362343538663236656235353966306231643132633938373935646466 -63333036376136353831653236663631343761303830336461326264316563643037363935623731 -38393037396530346232656366626535363539653462393663653739653935376436333934616562 -3931 +65653231333939666430306463383836633664623438373661666234343165633864353934663563 +3335396466623862353633363264373666353036623134360a356438636230613139633264373265 +36643231356335653261616238613266306165616363643763356234363537616138353831383064 +3436353361333263330a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rom d38701a0e937fb82326f364c5d3f43207d4cc342 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Sun, 20 Jun 2021 18:18:21 +0200 Subject: [PATCH 5/7] openldap: remove cruft --- roles/openldap/tasks/main.yml | 17 +---------------- 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml index afc4b9f..1e7316c 100644 --- a/roles/openldap/tasks/main.yml +++ b/roles/openldap/tasks/main.yml 
@@ -6,34 +6,19 @@ loop: - "{{ data_folder }}/openldap" - "{{ data_folder }}/openldap/data" - - "{{ data_folder }}/openldap/slapd.d" - - "{{ data_folder }}/openldap/ldifs" -# - name: copy slapd.conf -# template: -# src: slapd.conf.j2 -# dest: "{{ data_folder }}/openldap/slapd.d/slapd.conf" -# mode: '0755' -- name: copy user ldif - template: - src: lukas.ldif.j2 - dest: "{{ data_folder }}/openldap/ldifs/lukas.ldif" - mode: '0755' - name: run container docker_container: name: "openldap" image: osixia/openldap command: "--loglevel debug" - hostname: ldap.dev.local + hostname: openldap networks: - # - name: bridge - name: nginx-internal ports: - "389:389" - "636:636" volumes: - "{{ data_folder }}/openldap/data:/var/lib/ldap" - - "{{ data_folder }}/openldap/slapd.d:/etc/ldap/slapd.d" - - "{{ data_folder }}/openldap/ldifs:/container/service/slapd/assets/config/bootstrap/ldif/custom" env: LDAP_ORGANISATION: "Homelab" LDAP_DOMAIN: "kucharczyk.xyz" -- 2.40.1 From da527acb174aaba4d1edd9b20a8471d64f4ac2b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Sun, 20 Jun 2021 18:18:44 +0200 Subject: [PATCH 6/7] openldap: remove more cruft --- roles/openldap/templates/lukas.ldif.j2 | 14 -------------- roles/openldap/templates/slapd.conf.j2 | 16 ---------------- 2 files changed, 30 deletions(-) delete mode 100644 roles/openldap/templates/lukas.ldif.j2 delete mode 100644 roles/openldap/templates/slapd.conf.j2 diff --git a/roles/openldap/templates/lukas.ldif.j2 b/roles/openldap/templates/lukas.ldif.j2 deleted file mode 100644 index f0325cd..0000000 --- a/roles/openldap/templates/lukas.ldif.j2 +++ /dev/null 
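Review bot: After this cleanup the container still publishes `"389:389"` and `"636:636"` on all host interfaces (pre-existing context lines, not changed here), which exposes the plaintext LDAP port to the whole LAN even though the consumers on `nginx-internal` can reach `openldap` over the Docker network by name. Consider dropping `"389:389"` or binding both with a `127.0.0.1:` prefix, and add a comment next to `ports:` recording which external clients, if any, need them. The `ensure directories exist` task whose `loop` opens this hunk starts above it.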
@@ -1,14 +0,0 @@ -dn: uid=lukas,dc=kucharczyk,dc=xyz -uid: lukas -cn: lukas -givenName: Lukas -sn: Kucharczyk -objectClass: top -objectClass: posixAccount -objectClass: inetOrgPerson -loginShell: /bin/bash -homeDirectory: /home/lukas -uidNumber: 1000 -gidNumber: 1000 -userPassword: {SSHA}zsJllCeWKbz1we+L/gu/yt0hxeBdvJfT -mail: lukas@kucharczyk.xyz \ No newline at end of file diff --git a/roles/openldap/templates/slapd.conf.j2 b/roles/openldap/templates/slapd.conf.j2 deleted file mode 100644 index 215ba5d..0000000 --- a/roles/openldap/templates/slapd.conf.j2 +++ /dev/null @@ -1,16 +0,0 @@ -# default config from /etc/openldap/slapd.conf -include /etc/openldap/schema/core.schema -pidfile /run/openldap/slapd.pid -argsfile /run/openldap/slapd.args - -# custom config -allow bind_anon_dn -access to attrs=userPassword by * auth -access to * by * read -loglevel 256 - -database mdb -suffix "dc=kucharczyk, dc=xyz" -rootdn "cn=admin, dc=kucharczyk, dc=xyz" -rootpw {SSHA}sgIeW4kyz3t0OyfZ1IZjzEDDb31JI3xK -directory /var/lib/ldap \ No newline at end of file -- 2.40.1 From b7c3a3af8a6a541044e54fb05fcf2678031c369c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Sun, 20 Jun 2021 18:19:18 +0200 Subject: [PATCH 7/7] openldap: disable debug logging --- roles/openldap/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml index 1e7316c..8b2dc3d 100644 --- a/roles/openldap/tasks/main.yml +++ b/roles/openldap/tasks/main.yml @@ -10,7 +10,6 @@ docker_container: name: "openldap" image: osixia/openldap - command: "--loglevel debug" hostname: openldap networks: - name: nginx-internal -- 2.40.1