diff --git a/playbook.yml b/playbook.yml
index b38a02c..3f8b62a 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -3,8 +3,9 @@ roles:
 - docker
 - nginx
- - jellyfin
 - openldap
+ - portainer
+ - jellyfin
 - postgres
 - authelia
 - keycloak
diff --git a/roles/authelia/tasks/main.yml b/roles/authelia/tasks/main.yml
index d8e5b9e..cb9aa1d 100644
--- a/roles/authelia/tasks/main.yml
+++ b/roles/authelia/tasks/main.yml
@@ -17,8 +17,8 @@
 ports:
 - "9091:9091"
 networks:
- - name: bridge
- - name: nginx-internal
+ - name: external
+ - name: openldap
 volumes:
 - "{{ data_folder }}/authelia:/config"
 - name: copy nginx endpoint conf
diff --git a/roles/authelia/templates/authelia.conf.j2 b/roles/authelia/templates/authelia.conf.j2
index 73e2ddc..7495132 100644
--- a/roles/authelia/templates/authelia.conf.j2
+++ b/roles/authelia/templates/authelia.conf.j2
@@ -1,7 +1,7 @@
 server {
- listen 80;
 server_name auth.{{ base_domain }};
- return 301 https://$host$request_uri;
+ listen 80;
+ return 301 https://$server_name$request_uri;
 }
 
 server {
diff --git a/roles/authelia/templates/configuration.yml.j2 b/roles/authelia/templates/configuration.yml.j2
index f66503b..7aee676 100644
--- a/roles/authelia/templates/configuration.yml.j2
+++ b/roles/authelia/templates/configuration.yml.j2
@@ -26,9 +26,19 @@ authentication_backend:
 password: {{ vault_openldap_admin_password }}
 access_control:
 default_policy: deny
+ networks:
+ - name: local
+ networks:
+ - 192.168.0.0/24
 rules:
 - domain: "*.{{ base_domain }}"
+ networks:
+ - local
 policy: bypass
+ - domain: portainer.{{ base_domain }}
+ policy: one_factor
+ - domain: keycloak.{{ base_domain }}
+ policy: one_factor
 session:
 name: authelia_session
 secret: somerandomsecret
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index 9bfc0b4..502d445 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
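Review bot: The authelia container now joins `external` so nginx can reach it by container name, but the `"9091:9091"` context line still publishes it on every host interface, and the same pattern holds in the keycloak tasks hunk (`"8080:8080"`) and the new portainer tasks hunk (`"8000:8000"`, `"9000:9000"`). The `one_factor` policies this commit declares for `portainer.` and `keycloak.` are only enforced on the path through nginx; a client that reaches the published port directly never meets the forward-auth check. Since every proxied service is now on the shared `external` network, the `ports:` entries for keycloak and portainer can be dropped, or bound to loopback when host-local access is wanted, e.g. `- "127.0.0.1:8080:8080"`. If a host port must stay published, a comment above the `ports:` key saying why would stop the next reader from assuming it is accidental.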
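Review bot: The `networks: [local]` qualifier on the `*.{{ base_domain }}` rule keeps it first in the list, and Authelia stops at the first matching rule, so for any client in 192.168.0.0/24 every subdomain is bypassed, including the `portainer.` and `keycloak.` entries added below it; those two rules therefore only take effect for off-LAN clients, which is worth stating in a comment such as `# LAN clients bypass auth for every subdomain; the per-host rules below apply only from outside 192.168.0.0/24`. If the intent is that Portainer (which holds the Docker socket, per the portainer tasks hunk) always requires login, the `portainer.` rule should sit above the wildcard bypass. The network match presumably relies on nginx forwarding the real client address in the forward-auth request; that depends on the `authelia-auth.conf` snippet, which is not in this diff, so it should be confirmed that Authelia sees the LAN address rather than the nginx container's address. The `secret: somerandomsecret` context line is outside this change but sits next to the vaulted LDAP password and would fit the same `vault_` pattern.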
@@ -3,6 +3,9 @@
 name:
 - docker
 - python-pip
+ - neovim
+ - fish
+ - curlie
 state: present
 update_cache: true
- name: start
@@ -12,8 +15,9 @@
 - name: add user to group
 user:
 name: lukas
- groups: docker
+ groups: docker,wheel
 append: true
+ shell: /usr/bin/fish
- name: install python docker
 pip:
 name:
diff --git a/roles/jellyfin/tasks/main.yml b/roles/jellyfin/tasks/main.yml
index 1a09025..2ad9f37 100644
--- a/roles/jellyfin/tasks/main.yml
+++ b/roles/jellyfin/tasks/main.yml
@@ -12,7 +12,7 @@
 name: 'jellyfin'
 image: linuxserver/jellyfin
 networks:
- - name: nginx-internal
+ - name: external
 volumes:
 - "{{ data_folder }}/jellyfin:/config"
 - "{{ media.tv }}:/data/tv"
@@ -29,7 +29,6 @@
 devices:
 - /dev/dri:/dev/dri
 state: started
- restart: yes
- name: copy jellyfin nginx config
 template:
 src: jellyfin.conf.j2
diff --git a/roles/jellyfin/templates/jellyfin.conf.j2 b/roles/jellyfin/templates/jellyfin.conf.j2
index 66960f9..b247502 100644
--- a/roles/jellyfin/templates/jellyfin.conf.j2
+++ b/roles/jellyfin/templates/jellyfin.conf.j2
@@ -1,6 +1,7 @@
 server {
+ server_name "jellyfin.{{ base_domain }}";
 listen 80;
- return 301 https://$host$request_uri;
+ return 301 https://$server_name$request_uri;
 }
 
 server {
diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml
index 066db09..cfe0a9a 100644
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@@ -5,8 +5,9 @@
 ports:
 - "8080:8080"
 networks:
+ - name: external
 - name: postgres
- - name: nginx-internal
+ - name: openldap
 env:
 "KEYCLOAK_USER": "{{ vault_keycloak_user }}"
 "KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}"
@@ -20,6 +21,6 @@
 - name: copy nginx conf
 template:
 src: "keycloak.conf.j2"
- dest: "{{ data_folder }}/nginx/conf.d/{{ role_name}}.{{ base_domain }}.conf"
+ dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
 mode: "755"
 notify: reload nginx
\ No newline at end of file
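Review bot: `groups: docker,wheel` adds the `lukas` account to `wheel`, which on most distributions carries unrestricted sudo, on top of the `docker` membership that is already root-equivalent through the daemon socket, and the hunk gives no reason for the extra group. If sudo is needed only for a few commands, a sudoers drop-in scoped to those commands is narrower than `wheel` membership; either way a comment above the task such as `# lukas administers this host: wheel for sudo, docker for the daemon socket` would record the decision. The `shell: /usr/bin/fish` line presumably relies on the `fish` package added in the first hunk of this file; nothing checks that the path exists, so a failed or differently-pathed install would leave the account with an unusable login shell.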
diff --git a/roles/keycloak/templates/keycloak.conf.j2 b/roles/keycloak/templates/keycloak.conf.j2
index 6bb5776..c2e3fdf 100644
--- a/roles/keycloak/templates/keycloak.conf.j2
+++ b/roles/keycloak/templates/keycloak.conf.j2
@@ -1,6 +1,7 @@
 server {
- listen 80;
- return 301 https://$host$request_uri;
+ server_name "keycloak.{{ base_domain }}";
+ listen 80;
+ return 301 https://$server_name$request_uri;
 }
 
 server {
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 8f2b214..82e722c 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -14,11 +14,11 @@
 - name: generate self-signed certs
 import_tasks: self-signed.yml
 when: self_signed
-- name: create nginx bridge network
+- name: create external bridge network
 docker_network:
- name: nginx-internal
+ name: external
 attachable: true
- internal: true
+ internal: false
 state: present
 - name: copy nginx.conf
 template:
@@ -37,8 +37,7 @@
 name: 'nginx'
 image: nginx
 networks:
- - name: bridge
- - name: nginx-internal
+ - name: external
 volumes:
 - "{{ data_folder }}/nginx/conf.d:/etc/nginx/conf.d"
 - "{{ data_folder }}/nginx/nginx.conf:/etc/nginx/nginx.conf"
@@ -53,5 +52,4 @@
 env:
 NGINX_HOST: "{{ base_domain }}"
 NGINX_PORT: '80'
- state: started
- restart: yes
+ state: started
\ No newline at end of file
diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml
index 8b2dc3d..15c4212 100644
--- a/roles/openldap/tasks/main.yml
+++ b/roles/openldap/tasks/main.yml
@@ -6,13 +6,19 @@
 loop:
 - "{{ data_folder }}/openldap"
 - "{{ data_folder }}/openldap/data"
+- name: create network
+ docker_network:
+ name: openldap
+ attachable: true
+ internal: true
+ state: present
 - name: run container
 docker_container:
 name: "openldap"
 image: osixia/openldap
 hostname: openldap
 networks:
- - name: nginx-internal
+ - name: openldap
 ports:
 - "389:389"
 - "636:636"
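Review bot: Renaming the network to `external` in the `docker_network` task creates a new network on the host; nothing in this commit removes the old `nginx-internal` network, so it is left behind with its `internal: true` setting and any containers the play did not recreate still attached. A follow-up task `- name: remove old nginx-internal network`, `docker_network:` with `name: nginx-internal` and `state: absent`, placed after the containers have been moved, would keep the host in the declared state. Flipping `internal: true` to `internal: false` also gives every container on this network outbound access it previously lacked (jellyfin, keycloak, authelia and portainer all join it in the other hunks); a comment above the task stating that this is intended, e.g. `# non-internal so proxied services can reach the internet (updates, LDAP sync)`, would make the widening deliberate rather than incidental.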
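Review bot: The new `internal: true` `openldap` network isolates container-to-container LDAP traffic, but the `"389:389"` and `"636:636"` context lines still publish both ports on every host interface, so the isolation only applies inside Docker while the directory stays reachable from the LAN on plaintext 389. With authelia, keycloak and portainer now attached to `openldap` (per their task hunks) they reach the server as `openldap:389` without a published port; if no host-side client needs LDAP, drop the `ports:` block, otherwise keep only `- "127.0.0.1:389:389"` or the TLS port and add a comment naming the consumer that needs it. The `run container` task body continues past this hunk.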
@@ -23,5 +29,4 @@
 LDAP_DOMAIN: "kucharczyk.xyz"
 LDAP_ADMIN_PASSWORD: "{{ vault_openldap_admin_password }}"
 LDAP_REMOVE_CONFIG_AFTER_SETUP: "false"
- state: started
- restart: yes
\ No newline at end of file
+ state: started
\ No newline at end of file
diff --git a/roles/openldap/templates/base.ldif.j2 b/roles/openldap/templates/base.ldif.j2
deleted file mode 100644
index 755e9b1..0000000
--- a/roles/openldap/templates/base.ldif.j2
+++ /dev/null
@@ -1,6 +0,0 @@
-dn: dc=kucharczyk,dc=xyz
-objectclass: top
-objectclass: dcObject
-objectclass: organization
-dc: kucharczyk
-o: Homelab
\ No newline at end of file
diff --git a/roles/portainer/tasks/main.yml b/roles/portainer/tasks/main.yml
new file mode 100644
index 0000000..446ef39
--- /dev/null
+++ b/roles/portainer/tasks/main.yml
@@ -0,0 +1,19 @@
+- name: run container
+ docker_container:
+ name: 'portainer'
+ image: portainer/portainer-ce
+ networks:
+ - name: external
+ - name: openldap
+ volumes:
+ - "/var/run/docker.sock:/var/run/docker.sock"
+ ports:
+ - "8000:8000"
+ - "9000:9000"
+ state: started
+- name: copy nginx conf
+ template:
+ src: portainer.conf.j2
+ dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
+ mode: "755"
+ notify: reload nginx
\ No newline at end of file
diff --git a/roles/portainer/templates/portainer.conf.j2 b/roles/portainer/templates/portainer.conf.j2
new file mode 100644
index 0000000..4dd854f
--- /dev/null
+++ b/roles/portainer/templates/portainer.conf.j2
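Review bot: Mounting `/var/run/docker.sock` gives the portainer container control of the Docker daemon, which is equivalent to root on the host, and the same task publishes its UI on `"9000:9000"` and `"8000:8000"` to every host interface, so the Authelia `one_factor` rule added for `portainer.{{ base_domain }}` guards only the nginx path. Portainer's own login is the only control on the published port, and on a fresh install the first visitor to the UI is the one who creates the admin account, so the container should not be reachable before the play finishes; binding the port to loopback, `- "127.0.0.1:9000:9000"`, or removing the `ports:` block now that nginx reaches `portainer:9000` over `external` closes that gap, and a comment above the `volumes:` key such as `# docker.sock grants host-root-equivalent control; expose only through the Authelia-protected proxy` records the risk. `image: portainer/portainer-ce` without a tag floats on `latest`, so each run may pull a different release; pinning a version keeps the socket-holding component reproducible. `mode: "755"` for a rendered nginx config file also sets the execute bit; `"644"` matches what a config file needs.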
@@ -0,0 +1,20 @@
+server {
+ server_name portainer.{{ base_domain }};
+ listen 80;
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+ server_name portainer.{{ base_domain }};
+ listen 443 ssl http2;
+
+ include /etc/nginx/snippets/authelia-endpoint.conf;
+
+ location / {
+ include /etc/nginx/snippets/proxy.conf;
+ include /etc/nginx/snippets/authelia-auth.conf;
+
+ set $upstream http://portainer:9000; # This example assumes a Docker deployment
+ proxy_pass $upstream;
+ }
+}
\ No newline at end of file
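Review bot: The trailing comment on the `set $upstream` line, `# This example assumes a Docker deployment`, reads as a leftover from a documentation sample rather than a description of this file; replacing it with `# portainer container, resolved by name on the shared "external" docker network` tells the reader where the name comes from. The `listen 443 ssl http2;` block carries no `ssl_certificate`/`ssl_certificate_key` directives, which presumably live in `nginx.conf` or one of the included snippets as in the other `*.conf.j2` templates, but that is not visible here and should be confirmed before the file is relied on. Portainer's container console and log streaming use websockets, so unless `snippets/proxy.conf` sets the `Upgrade` and `Connection` headers those features will fail through this proxy; a one-line comment stating which snippet handles it would save the next person a debugging session.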