Add Keycloak #35

Merged
lukas merged 7 commits from add-keycloak into main 2021-06-20 16:31:39 +00:00
10 changed files with 115 additions and 54 deletions


@ -14,6 +14,9 @@ homelab.
* NGINX * NGINX
* Jellyfin * Jellyfin
* OpenLDAP
* PostgreSQL
* Keycloak
=== Testing === Testing
To run locally, specify the inventory file with `-i hosts`. To run locally, specify the inventory file with `-i hosts`.


@ -5,5 +5,8 @@
- nginx - nginx
- jellyfin - jellyfin
- openldap - openldap
- postgres
- keycloak
vars_files: vars_files:
- vault/certs/{{ base_domain }}.yml - vault/certs/{{ base_domain }}.yml
- vault/passwords.yml


@ -0,0 +1,25 @@
- name: run container
docker_container:
name: "keycloak"
image: "quay.io/keycloak/keycloak"
ports:
- "8080:8080"
networks:
- name: postgres
- name: nginx-internal
env:
"KEYCLOAK_USER": "{{ vault_keycloak_user }}"
"KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}"
"DB_VENDOR": POSTGRES
"DB_ADDR": postgres
"DB_DATABASE": keycloak
"DB_USER": keycloak
"DB_SCHEMA": public
"DB_PASSWORD": "{{ vault_postgres_keycloak_user_password }}"
"PROXY_ADDRESS_FORWARDING": "true"
- name: copy nginx conf
template:
src: "keycloak.conf.j2"
dest: "{{ data_folder }}/nginx/conf.d/{{ role_name}}.{{ base_domain }}.conf"
mode: "755"
notify: reload nginx
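Review bot: `ports: - "8080:8080"` publishes Keycloak's plain-HTTP port on the host even though the nginx vhost added in this PR already reaches it over the `nginx-internal` network, so the login and admin pages become reachable without TLS and without the proxy's forwarded headers; drop the `ports:` stanza, or at least bind it to loopback with `- "127.0.0.1:8080:8080"`. The image reference `quay.io/keycloak/keycloak` carries no tag, so each run pulls whatever `latest` is at that moment, unlike `postgres:13` in the same PR — pin a version. `mode: "755"` on the rendered nginx conf grants execute bits a config file does not need; `mode: "0644"` is enough. Also `{{ role_name}}` in `dest` is missing the space before `}}`; Jinja accepts it, but it reads as a typo.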


@ -0,0 +1,26 @@
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name "keycloak.{{ base_domain }}";
set $keycloak keycloak;
# Security/XSS Mitigation Headers
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
location / {
proxy_pass http://$keycloak:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_buffering off;
}
}
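Review bot: `proxy_pass http://$keycloak:8080;` uses a variable, which makes nginx resolve `keycloak` at request time and fail with "no resolver defined" unless a `resolver` directive is in scope; none is in this file, so either add `resolver 127.0.0.11 valid=30s;` (Docker's embedded DNS) next to the `set`, or confirm one is set in the http context of the shared nginx.conf. The port-80 server redirects to HTTPS but no `Strict-Transport-Security` header is set here, so a client's first plain-HTTP request is still downgradable unless a shared include adds it; `add_header Strict-Transport-Security "max-age=63072000" always;` alongside the other headers closes that. `X-XSS-Protection "1; mode=block"` is deprecated and its filter can itself be abused in older browsers; the current OWASP guidance is `add_header X-XSS-Protection "0";` together with a Content-Security-Policy. Keycloak's admin console is served under this same vhost, so an `allow`/`deny` block on the admin path (or a dedicated location) is worth adding before the vhost is reachable beyond the homelab.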


@ -6,44 +6,22 @@
loop: loop:
- "{{ data_folder }}/openldap" - "{{ data_folder }}/openldap"
- "{{ data_folder }}/openldap/data" - "{{ data_folder }}/openldap/data"
- "{{ data_folder }}/openldap/slapd.d"
- "{{ data_folder }}/openldap/ldifs"
# - name: copy slapd.conf
# template:
# src: slapd.conf.j2
# dest: "{{ data_folder }}/openldap/slapd.d/slapd.conf"
# mode: '0755'
- name: copy user ldif
template:
src: lukas.ldif.j2
dest: "{{ data_folder }}/openldap/ldifs/lukas.ldif"
mode: '0755'
- name: run container - name: run container
docker_container: docker_container:
name: "openldap" name: "openldap"
image: osixia/openldap image: osixia/openldap
command: "--loglevel debug" hostname: openldap
hostname: ldap.dev.local
networks: networks:
# - name: bridge
- name: nginx-internal - name: nginx-internal
ports: ports:
- "389:389" - "389:389"
- "636:636" - "636:636"
volumes: volumes:
- "{{ data_folder }}/openldap/data:/var/lib/ldap" - "{{ data_folder }}/openldap/data:/var/lib/ldap"
- "{{ data_folder }}/openldap/slapd.d:/etc/ldap/slapd.d"
- "{{ data_folder }}/openldap/ldifs:/container/service/slapd/assets/config/bootstrap/ldif/custom"
env: env:
LDAP_ORGANISATION: "Homelab" LDAP_ORGANISATION: "Homelab"
LDAP_DOMAIN: "kucharczyk.xyz" LDAP_DOMAIN: "kucharczyk.xyz"
LDAP_ADMIN_PASSWORD: "{{ vault_openldap_admin_password }}"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "false" LDAP_REMOVE_CONFIG_AFTER_SETUP: "false"
LDAP_ADMIN_PASSWORD: !vault |
$ANSIBLE_VAULT;1.1;AES256
35623735376134353839323136623133393035343162363366643632376262393539653736326431
6635373265313033653861393463633835333639346239650a303463323063373866316162616131
66356335346631386265363462353034393735366430636634643466376435313638303938363363
3838396139663964300a633931303135376566633363303336373937373138643564636263656233
6239
state: started state: started
restart: yes restart: yes
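Review bot: `LDAP_ADMIN_PASSWORD` is now an inline `!vault` block scalar while every other secret this PR introduces (`vault_keycloak_password`, `vault_postgres_password`, `vault_postgres_keycloak_user_password`) is a variable from `vault/passwords.yml`, which the playbook now loads via `vars_files`; unless the inline form is deliberate, keeping `LDAP_ADMIN_PASSWORD: "{{ vault_openldap_admin_password }}"` and putting the value in the same vault file leaves one place to rotate and re-key. The `lukas.ldif.j2` and `slapd.conf.j2` files deleted in this PR carried SSHA password hashes (`userPassword`, `rootpw`); deleting the files does not remove them from git history, so those credentials should be treated as disclosed and rotated. `restart: yes` is a YAML 1.1 truthy value; `restart: true` is the unambiguous form.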


@ -1,14 +0,0 @@
dn: uid=lukas,dc=kucharczyk,dc=xyz
uid: lukas
cn: lukas
givenName: Lukas
sn: Kucharczyk
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/lukas
uidNumber: 1000
gidNumber: 1000
userPassword: {SSHA}zsJllCeWKbz1we+L/gu/yt0hxeBdvJfT
mail: lukas@kucharczyk.xyz


@ -1,16 +0,0 @@
# default config from /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
pidfile /run/openldap/slapd.pid
argsfile /run/openldap/slapd.args
# custom config
allow bind_anon_dn
access to attrs=userPassword by * auth
access to * by * read
loglevel 256
database mdb
suffix "dc=kucharczyk, dc=xyz"
rootdn "cn=admin, dc=kucharczyk, dc=xyz"
rootpw {SSHA}sgIeW4kyz3t0OyfZ1IZjzEDDb31JI3xK
directory /var/lib/ldap


@ -0,0 +1,36 @@
- name: install psycopg2
pip:
name: psycopg2-binary
state: present
- name: ensure directories exist
file:
path: "{{ item }}"
state: directory
mode: "0755"
loop:
- "{{ data_folder }}/postgres/data"
- "{{ data_folder }}/postgres/init"
- name: copy init sql files
template:
src: "{{ item }}"
dest: "{{ data_folder }}/postgres/init/{{ item | basename | regex_replace('.j2$', '') }}"
with_fileglob:
- "../templates/*.sql.j2"
- name: create network
docker_network:
name: postgres
attachable: true
internal: true
state: present
- name: run container
docker_container:
name: "postgres"
image: "postgres:13"
networks:
- name: postgres
volumes:
- "{{ data_folder }}/postgres/data:/var/lib/postgresql/data"
- "{{ data_folder }}/postgres/init:/docker-entrypoint-initdb.d"
env:
POSTGRES_PASSWORD: "{{ vault_postgres_password }}"
state: started
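Review bot: The `copy init sql files` task renders `keycloak.sql.j2`, which contains the plaintext `vault_postgres_keycloak_user_password`, into `{{ data_folder }}/postgres/init/` without a `mode:`, so the file gets the remote umask default (typically world-readable) and the secret stays on the host after first initialization; add `mode: "0600"` to that `template:` task. `docker-entrypoint-initdb.d` scripts only run when the data volume is empty, so later edits to the SQL (including a password rotation) are not applied to an existing database — worth a comment on the task such as `# init scripts run only on first start with an empty data volume`. The `install psycopg2` task installs `psycopg2-binary`, but no task in this hunk uses the `postgresql_*` modules; either it is for a later step or it can go. The postgres container also has no `restart:` policy, unlike the openldap one in this PR.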


@ -0,0 +1,3 @@
CREATE USER keycloak WITH PASSWORD '{{ vault_postgres_keycloak_user_password }}';
CREATE DATABASE keycloak;
GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;
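Review bot: The password is interpolated straight into the SQL string literal on the first line, so a vault value containing `'` breaks the statement and the user is never created; escape it in the template with `'{{ vault_postgres_keycloak_user_password | replace("'", "''") }}'`. Alternatively, since the postgres role in this PR already installs `psycopg2-binary`, the `postgresql_user` and `postgresql_db` modules would create the role and database with proper quoting, idempotently, and also on an already-initialized volume, which this init script does not. `GRANT ALL PRIVILEGES ON DATABASE` only covers connect/create/temp on the database itself; that suffices here because Keycloak creates its own tables, but a short comment saying so would stop readers from expecting table-level grants.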

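--- a/vault/passwords.yml
+++ b/vault/passwords.yml
@@ -0,0 +1,17 @@
+$ANSIBLE_VAULT;1.1;AES256
+65653231333939666430306463383836633664623438373661666234343165633864353934663563
+3335396466623862353633363264373666353036623134360a356438636230613139633264373265
+36643231356335653261616238613266306165616363643763356234363537616138353831383064
+3436353361333263330a313361306236626164343261363432343762313361636338333165376238
+38666336356361613930316536323338653338353666666162666333636261373866653934626536
+31643931343338383039616261616130613763383737313037303163366263623066633031646630
+35373436646635613665343038363931396630653264633964646434346534393531333163643836
+62323634643537363365313662363766373436633262336339643734613732663832326133363434
+38643434326266373638366262386162666661383232383965613536663239336361623861613161
+32313439653132353434316563633638353164626236633766313864343036353562303163373335
+39653437623132623635363266353636613130666363353633366134663638346263643134383762
+37316631313437646232326237313436353732333065363666316364373336396135396238363562
+39633163316532616564366632303965316362653066613536316461643237373834316136383865
+64353238643638623832656463333563633838633931636166323335336662636362643466303566
+31333962656530326664636562343738393864613561333734333134386263356533373664666666
+66373538393037373761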