From 7a17b169808550816a96bb904376e59c3faa7b3f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Sun, 20 Jun 2021 22:28:48 +0200 Subject: [PATCH 01/15] portainer: add role to playbook --- playbook.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbook.yml b/playbook.yml index b38a02c..f5c8c9a 100644 --- a/playbook.yml +++ b/playbook.yml @@ -3,6 +3,7 @@ roles: - docker - nginx + - portainer - jellyfin - openldap - postgres -- 2.40.1 From 6702afc8f786a3c9e129579917181e981c4f566c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Sun, 20 Jun 2021 22:29:11 +0200 Subject: [PATCH 02/15] portainer: add main task --- roles/portainer/tasks/main.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 roles/portainer/tasks/main.yml diff --git a/roles/portainer/tasks/main.yml b/roles/portainer/tasks/main.yml new file mode 100644 index 0000000..72729e2 --- /dev/null +++ b/roles/portainer/tasks/main.yml @@ -0,0 +1,12 @@ +- name: run container + docker_container: + name: 'portainer' + image: portainer/portainer-ce + networks: + - name: bridge + volumes: + - "/var/run/docker.sock:/var/run/docker.sock" + ports: + - "8000:8000" + - "9000:9000" + state: started \ No newline at end of file -- 2.40.1 From 6b70fa2587c559a242262a30df5fae20e0e5ba23 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Sun, 20 Jun 2021 22:29:25 +0200 Subject: [PATCH 03/15] portainer: add nginx conf --- roles/portainer/templates/portainer.conf.j2 | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 roles/portainer/templates/portainer.conf.j2 diff --git a/roles/portainer/templates/portainer.conf.j2 b/roles/portainer/templates/portainer.conf.j2 new file mode 100644 index 0000000..c61a7fe --- /dev/null +++ b/roles/portainer/templates/portainer.conf.j2 
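Review bot: The `ports:` entries `- "8000:8000"` and `- "9000:9000"` publish the Portainer UI on every host interface, while the same task bind-mounts `/var/run/docker.sock`, so anyone who can reach the host on 9000 gets control of the Docker daemon without touching the nginx/Authelia path the following patches put in front of it. Since nginx reaches the container by name over the shared network, the `ports:` list can be dropped, or bound to loopback (`- "127.0.0.1:9000:9000"`) if local access is wanted. Port 8000 is, as far as I know, only used for Portainer's edge-agent tunnel, so it should go unless edge agents are in use. The new file also ends with `\ No newline at end of file`; a trailing newline keeps later diffs clean.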
@@ -0,0 +1,20 @@ +server { + listen 80; + server_name portainer.{{ base_domain }}; + return 301 https://$host$request_uri; +} + +server { + server_name portainer.{{ base_domain }}; + listen 443 ssl http2; + + include /etc/nginx/snippets/authelia-endpoint.conf; + + location / { + include /etc/nginx/snippets/proxy.conf; + include /etc/nginx/snippets/authelia-auth.conf; + + set $upstream http://portainer:9000; # This example assumes a Docker deployment + proxy_pass $upstream; + } +} \ No newline at end of file -- 2.40.1 From 2593c84400ee29af0fbbdd2a4e0456cde4d26db5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Sun, 20 Jun 2021 22:29:41 +0200 Subject: [PATCH 04/15] Set portainer to one_factor --- roles/authelia/templates/configuration.yml.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/authelia/templates/configuration.yml.j2 b/roles/authelia/templates/configuration.yml.j2 index f66503b..0bff2a2 100644 --- a/roles/authelia/templates/configuration.yml.j2 +++ b/roles/authelia/templates/configuration.yml.j2 @@ -29,6 +29,8 @@ access_control: rules: - domain: "*.{{ base_domain }}" policy: bypass + - domain: portainer.{{ base_domain }} + policy: one_factor session: name: authelia_session secret: somerandomsecret -- 2.40.1 From 1ad9787b174c145bff9ed52af969072089338d15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Sun, 20 Jun 2021 22:32:51 +0200 Subject: [PATCH 05/15] portainer: add nginx-internal network --- roles/portainer/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/portainer/tasks/main.yml b/roles/portainer/tasks/main.yml index 72729e2..0ddef47 100644 --- a/roles/portainer/tasks/main.yml +++ b/roles/portainer/tasks/main.yml @@ -3,6 +3,7 @@ name: 'portainer' image: portainer/portainer-ce networks: + - name: nginx-internal - name: bridge volumes: - "/var/run/docker.sock:/var/run/docker.sock" -- 2.40.1 From f5824a5ffe1ad811aea1513080941b9c93dce57b Mon Sep 17 00:00:00 2001 
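Review bot: The new `- domain: portainer.{{ base_domain }}` / `policy: one_factor` rule is unreachable, because Authelia applies the first matching rule in list order and the preceding `- domain: "*.{{ base_domain }}"` with `policy: bypass` already matches portainer.*; as committed, Portainer stays unauthenticated. Move the portainer rule above the wildcard, or narrow the wildcard (patch 11 later does the latter with `networks: - local`). Quote the templated domain like the rule above it, `- domain: "portainer.{{ base_domain }}"`, so a base_domain containing YAML specials cannot alter the rendered file. The context line `secret: somerandomsecret` shows the session secret is a literal in the template rather than a vaulted variable like `vault_openldap_admin_password` used elsewhere in this file; it belongs in the vault with the others.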
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Sun, 20 Jun 2021 23:26:54 +0200 Subject: [PATCH 06/15] portainer: copy nginx conf --- roles/portainer/tasks/main.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/roles/portainer/tasks/main.yml b/roles/portainer/tasks/main.yml index 0ddef47..7879e89 100644 --- a/roles/portainer/tasks/main.yml +++ b/roles/portainer/tasks/main.yml @@ -10,4 +10,10 @@ ports: - "8000:8000" - "9000:9000" - state: started \ No newline at end of file + state: started +- name: copy nginx conf + template: + src: portainer.conf.j2 + dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf" + mode: "755" + notify: reload nginx \ No newline at end of file -- 2.40.1 From c418b61ede2035167af6fc4ef0a144224837de58 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Mon, 21 Jun 2021 10:38:18 +0200 Subject: [PATCH 07/15] Improve networks Create a single external network called "external". Create container-specific networks. Only a few containers need access to these. So far: openldap, postgres. --- roles/authelia/tasks/main.yml | 4 ++-- roles/jellyfin/tasks/main.yml | 2 +- roles/keycloak/tasks/main.yml | 3 ++- roles/nginx/tasks/main.yml | 9 ++++----- roles/openldap/tasks/main.yml | 8 +++++++- roles/portainer/tasks/main.yml | 3 +-- 6 files changed, 17 insertions(+), 12 deletions(-) diff --git a/roles/authelia/tasks/main.yml b/roles/authelia/tasks/main.yml index d8e5b9e..cb9aa1d 100644 --- a/roles/authelia/tasks/main.yml +++ b/roles/authelia/tasks/main.yml @@ -17,8 +17,8 @@ ports: - "9091:9091" networks: - - name: bridge - - name: nginx-internal + - name: external + - name: openldap volumes: - "{{ data_folder }}/authelia:/config" - name: copy nginx endpoint conf diff --git a/roles/jellyfin/tasks/main.yml b/roles/jellyfin/tasks/main.yml index 1a09025..5236940 100644 --- a/roles/jellyfin/tasks/main.yml +++ b/roles/jellyfin/tasks/main.yml 
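Review bot: `mode: "755"` sets the execute bit on an nginx config file, which nothing needs; `mode: "0644"` is the conventional value for a file nginx only reads. The same `mode: "755"` appears as context in the keycloak task touched by patch 08, so this looks like a copied convention rather than a decision, and both should change together. The new task also ends with `\ No newline at end of file`; adding the trailing newline keeps future diffs of this file clean.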
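Review bot: Putting every proxied service on the single `external` network (this hunk and the jellyfin, keycloak, nginx and portainer hunks of this commit) means any container on it can reach any other directly, so jellyfin can open `portainer:9000` — the container holding the Docker socket — without passing through nginx and the Authelia gate. The internal `openldap` network created in the same commit is the better pattern: a per-service network shared only by nginx and its upstream, so Authelia's decisions actually bound who reaches what. Separately, the context lines show each service still publishing its port on the host (`- "9091:9091"` here, `- "8080:8080"` for keycloak, `- "389:389"`/`- "636:636"` for openldap, `- "8000:8000"`/`- "9000:9000"` for portainer), which bypasses the proxy for anyone reaching the host; with a shared network those `ports:` entries are no longer needed, and 389 in particular is unencrypted LDAP. The commit message says only openldap and postgres get container-specific networks, so part of this may be deliberate; if so, a comment in the nginx task stating that the host-published ports are the intended trust boundary would record it.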
@@ -12,7 +12,7 @@ name: 'jellyfin' image: linuxserver/jellyfin networks: - - name: nginx-internal + - name: external volumes: - "{{ data_folder }}/jellyfin:/config" - "{{ media.tv }}:/data/tv" diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml index 066db09..2a5640b 100644 --- a/roles/keycloak/tasks/main.yml +++ b/roles/keycloak/tasks/main.yml @@ -5,8 +5,9 @@ ports: - "8080:8080" networks: + - name: external - name: postgres - - name: nginx-internal + - name: openldap env: "KEYCLOAK_USER": "{{ vault_keycloak_user }}" "KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}" diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 8f2b214..91480e5 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -14,11 +14,11 @@ - name: generate self-signed certs import_tasks: self-signed.yml when: self_signed -- name: create nginx bridge network +- name: create external bridge network docker_network: - name: nginx-internal + name: external attachable: true - internal: true + internal: false state: present - name: copy nginx.conf template: @@ -37,8 +37,7 @@ name: 'nginx' image: nginx networks: - - name: bridge - - name: nginx-internal + - name: external volumes: - "{{ data_folder }}/nginx/conf.d:/etc/nginx/conf.d" - "{{ data_folder }}/nginx/nginx.conf:/etc/nginx/nginx.conf" diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml index 8b2dc3d..a1c0942 100644 --- a/roles/openldap/tasks/main.yml +++ b/roles/openldap/tasks/main.yml @@ -6,13 +6,19 @@ loop: - "{{ data_folder }}/openldap" - "{{ data_folder }}/openldap/data" +- name: create network + docker_network: + name: openldap + attachable: true + internal: true + state: present - name: run container docker_container: name: "openldap" image: osixia/openldap hostname: openldap networks: - - name: nginx-internal + - name: openldap ports: - "389:389" - "636:636" 
diff --git a/roles/portainer/tasks/main.yml b/roles/portainer/tasks/main.yml index 7879e89..2546423 100644 --- a/roles/portainer/tasks/main.yml +++ b/roles/portainer/tasks/main.yml @@ -3,8 +3,7 @@ name: 'portainer' image: portainer/portainer-ce networks: - - name: nginx-internal - - name: bridge + - name: external volumes: - "/var/run/docker.sock:/var/run/docker.sock" ports: -- 2.40.1 From 069314f9d6292146ff9f9aa48e42618d32661fac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Mon, 21 Jun 2021 11:11:27 +0200 Subject: [PATCH 08/15] minor: fix space --- roles/keycloak/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml index 2a5640b..cfe0a9a 100644 --- a/roles/keycloak/tasks/main.yml +++ b/roles/keycloak/tasks/main.yml @@ -21,6 +21,6 @@ - name: copy nginx conf template: src: "keycloak.conf.j2" - dest: "{{ data_folder }}/nginx/conf.d/{{ role_name}}.{{ base_domain }}.conf" + dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf" mode: "755" notify: reload nginx \ No newline at end of file -- 2.40.1 From a13a7adf67dfbf4525a0827b516c9d79b4b25c3f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Mon, 21 Jun 2021 11:28:36 +0200 Subject: [PATCH 09/15] nginx: make sure https redirect works --- roles/authelia/templates/authelia.conf.j2 | 4 ++-- roles/jellyfin/templates/jellyfin.conf.j2 | 3 ++- roles/keycloak/templates/keycloak.conf.j2 | 5 +++-- roles/portainer/templates/portainer.conf.j2 | 4 ++-- 4 files changed, 9 insertions(+), 7 deletions(-) diff --git a/roles/authelia/templates/authelia.conf.j2 b/roles/authelia/templates/authelia.conf.j2 index 73e2ddc..7495132 100644 --- a/roles/authelia/templates/authelia.conf.j2 +++ b/roles/authelia/templates/authelia.conf.j2 
@@ -1,7 +1,7 @@ server { - listen 80; server_name auth.{{ base_domain }}; - return 301 https://$host$request_uri; + listen 80; + return 301 https://$server_name$request_uri; } server { diff --git a/roles/jellyfin/templates/jellyfin.conf.j2 b/roles/jellyfin/templates/jellyfin.conf.j2 index 66960f9..b247502 100644 --- a/roles/jellyfin/templates/jellyfin.conf.j2 +++ b/roles/jellyfin/templates/jellyfin.conf.j2 @@ -1,6 +1,7 @@ server { + server_name "jellyfin.{{ base_domain }}"; listen 80; - return 301 https://$host$request_uri; + return 301 https://$server_name$request_uri; } server { diff --git a/roles/keycloak/templates/keycloak.conf.j2 b/roles/keycloak/templates/keycloak.conf.j2 index 6bb5776..c2e3fdf 100644 --- a/roles/keycloak/templates/keycloak.conf.j2 +++ b/roles/keycloak/templates/keycloak.conf.j2 @@ -1,6 +1,7 @@ server { - listen 80; - return 301 https://$host$request_uri; + server_name "keycloak.{{ base_domain }}"; + listen 80; + return 301 https://$server_name$request_uri; } server { diff --git a/roles/portainer/templates/portainer.conf.j2 b/roles/portainer/templates/portainer.conf.j2 index c61a7fe..4dd854f 100644 --- a/roles/portainer/templates/portainer.conf.j2 +++ b/roles/portainer/templates/portainer.conf.j2 @@ -1,7 +1,7 @@ server { - listen 80; server_name portainer.{{ base_domain }}; - return 301 https://$host$request_uri; + listen 80; + return 301 https://$server_name$request_uri; } server { -- 2.40.1 From 45f14658e45b55e8f9f160048bde4d6ccdd01029 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Mon, 21 Jun 2021 11:28:52 +0200 Subject: [PATCH 10/15] portainer: allow access to ldap --- roles/portainer/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/portainer/tasks/main.yml b/roles/portainer/tasks/main.yml index 2546423..446ef39 100644 --- a/roles/portainer/tasks/main.yml +++ b/roles/portainer/tasks/main.yml 
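Review bot: The `server_name` values are quoted in the jellyfin and keycloak hunks (`server_name "jellyfin.{{ base_domain }}";`) but not in this hunk or the portainer one (`server_name auth.{{ base_domain }};`); nginx accepts both, so this is style, but one form across the four templates makes them easier to diff. The switch from `$host` to `$server_name` is worth keeping: the old form reflected the client-supplied Host header into the 301 target, so a request carrying a forged Host was redirected off-site, and a one-line comment above the return (`# redirect to our own name, never the request's Host header`) would record why. As far as I can tell a request for an unknown name on port 80 now falls through to whichever block nginx loads first, which is harmless since that block redirects to its own name rather than the requested one.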
@@ -4,6 +4,7 @@ image: portainer/portainer-ce networks: - name: external + - name: openldap volumes: - "/var/run/docker.sock:/var/run/docker.sock" ports: -- 2.40.1 From 17a5d0550d37053715d6a74fb96265c5a074387c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Mon, 21 Jun 2021 11:32:24 +0200 Subject: [PATCH 11/15] authelia: secure portainer, keycloak, allow local --- roles/authelia/templates/configuration.yml.j2 | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/authelia/templates/configuration.yml.j2 b/roles/authelia/templates/configuration.yml.j2 index 0bff2a2..7aee676 100644 --- a/roles/authelia/templates/configuration.yml.j2 +++ b/roles/authelia/templates/configuration.yml.j2 @@ -26,11 +26,19 @@ authentication_backend: password: {{ vault_openldap_admin_password }} access_control: default_policy: deny + networks: + - name: local + networks: + - 192.168.0.0/24 rules: - domain: "*.{{ base_domain }}" + networks: + - local policy: bypass - domain: portainer.{{ base_domain }} policy: one_factor + - domain: keycloak.{{ base_domain }} + policy: one_factor session: name: authelia_session secret: somerandomsecret -- 2.40.1 From bdb6b109af0fb2392d92c23b70e49913c6a0a015 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Mon, 21 Jun 2021 11:32:43 +0200 Subject: [PATCH 12/15] docker: add convenience packages --- roles/docker/tasks/main.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 9bfc0b4..502d445 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -3,6 +3,9 @@ name: - docker - python-pip + - neovim + - fish + - curlie state: present update_cache: true - name: start @@ -12,8 +15,9 @@ - name: add user to group user: name: lukas - groups: docker + groups: docker,wheel append: true + shell: /usr/bin/fish - name: install python docker pip: name: -- 2.40.1 
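Review bot: The `bypass` rule for `*.{{ base_domain }}` now applies only to the `local` network (`192.168.0.0/24`), which fixes the rule-ordering problem from patch 04, but it is only as strong as the client address Authelia sees: behind nginx that address comes from forwarded headers set in proxy snippets not visible here, so please confirm Authelia evaluates the real client IP rather than nginx's container address (in which case nothing matches `local`) or a header a remote client could supply. Within the LAN the bypass still wins over the `one_factor` rules below it, so any device on 192.168.0.0/24 reaches Portainer — and through it the Docker socket — without authenticating; if that is intended, a comment on the `local` network entry should say so. The context line `password: {{ vault_openldap_admin_password }}` is unquoted; write `password: "{{ vault_openldap_admin_password }}"` so a password containing `#`, `: ` or a leading special cannot break or silently retype the rendered YAML. `secret: somerandomsecret` in the session block is still a literal in the template and should come from the vault like the other secrets.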
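Review bot: `groups: docker,wheel` enrols the user in two groups that are each effectively root — `docker` gives full control of the daemon and `wheel` normally carries sudo — with nothing recording why both are needed; a short `# wheel: sudo access; docker: run containers without sudo` above the task would capture the intent. The `user` module also accepts a list, so `groups: [docker, wheel]` avoids the comma-joined string. `shell: /usr/bin/fish` relies on the `fish` package added in the first hunk of this commit; that task runs earlier in the same file so the ordering holds, but the hard-coded path assumes fish installs under `/usr/bin`, which is worth a comment as well.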
From 6638b4d3577ee96ee5b82e27b56b7f8023222aa4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Mon, 21 Jun 2021 11:53:49 +0200 Subject: [PATCH 13/15] openldap: move above portainer --- playbook.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbook.yml b/playbook.yml index f5c8c9a..3f8b62a 100644 --- a/playbook.yml +++ b/playbook.yml @@ -3,9 +3,9 @@ roles: - docker - nginx + - openldap - portainer - jellyfin - - openldap - postgres - authelia - keycloak -- 2.40.1 From e43907992a542b2c8c55fcfb9cc08ede0ce76099 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Mon, 21 Jun 2021 11:54:03 +0200 Subject: [PATCH 14/15] openldap: remove cruft --- roles/openldap/templates/base.ldif.j2 | 6 ------ 1 file changed, 6 deletions(-) delete mode 100644 roles/openldap/templates/base.ldif.j2 diff --git a/roles/openldap/templates/base.ldif.j2 b/roles/openldap/templates/base.ldif.j2 deleted file mode 100644 index 755e9b1..0000000 --- a/roles/openldap/templates/base.ldif.j2 +++ /dev/null @@ -1,6 +0,0 @@ -dn: dc=kucharczyk,dc=xyz -objectclass: top -objectclass: dcObject -objectclass: organization -dc: kucharczyk -o: Homelab \ No newline at end of file -- 2.40.1 From 2a8b5464e675d47e2e58e3327a9076bba00711e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Mon, 21 Jun 2021 11:54:24 +0200 Subject: [PATCH 15/15] jellyfin, nginx, openldap: do not restart --- roles/jellyfin/tasks/main.yml | 1 - roles/nginx/tasks/main.yml | 3 +-- roles/openldap/tasks/main.yml | 3 +-- 3 files changed, 2 insertions(+), 5 deletions(-) diff --git a/roles/jellyfin/tasks/main.yml b/roles/jellyfin/tasks/main.yml index 5236940..2ad9f37 100644 --- a/roles/jellyfin/tasks/main.yml +++ b/roles/jellyfin/tasks/main.yml @@ -29,7 +29,6 @@ devices: - /dev/dri:/dev/dri state: started - restart: yes - name: copy jellyfin nginx config template: src: jellyfin.conf.j2 
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 91480e5..82e722c 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -52,5 +52,4 @@ env: NGINX_HOST: "{{ base_domain }}" NGINX_PORT: '80' - state: started - restart: yes + state: started \ No newline at end of file diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml index a1c0942..15c4212 100644 --- a/roles/openldap/tasks/main.yml +++ b/roles/openldap/tasks/main.yml @@ -29,5 +29,4 @@ LDAP_DOMAIN: "kucharczyk.xyz" LDAP_ADMIN_PASSWORD: "{{ vault_openldap_admin_password }}" LDAP_REMOVE_CONFIG_AFTER_SETUP: "false" - state: started - restart: yes \ No newline at end of file + state: started \ No newline at end of file -- 2.40.1
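Review bot: The nginx hunk newly drops the file's trailing newline (`\ No newline at end of file` appears only on the `+` side), and the openldap hunk leaves it missing; ending both files with `state: started` followed by a newline removes the marker from every future diff. In the openldap hunk the context shows `LDAP_DOMAIN: "kucharczyk.xyz"` as a literal while the rest of the playbook derives names from `{{ base_domain }}`; if the two are meant to agree, `LDAP_DOMAIN: "{{ base_domain }}"` keeps them in sync, though I can't tell from here whether they are.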