migrate authelia from yaml to env

authelia
Jonathan Dahan 2 years ago
parent 487ed7b64d
commit 1ddc1ac083

@ -4,6 +4,11 @@ Experiment in digital autonomy
Latest code is hosted on https://git.woodbine.nyc/micro/woodbine.nyc Latest code is hosted on https://git.woodbine.nyc/micro/woodbine.nyc
In general, everything is orchestrated by the compose files.
Sometimes, you will see a -setup service in the compose file.
This usually runs a script that checks or generates secrets, and does initial configuration if needed.
## Goals ## Goals
We hope this is understandable by a single individual, after learning a bit about docker compose and caddy. We hope this is understandable by a single individual, after learning a bit about docker compose and caddy.
@ -12,6 +17,8 @@ We hope this is understandable by a single individual, after learning a bit abou
Make a backblaze B2 account for backups. Add the secrets to ./secrets/backup/. Make a backblaze B2 account for backups. Add the secrets to ./secrets/backup/.
Fill out smtp secrets for the mail server
## running ## running
To enable additional services, add their compose file to the following command To enable additional services, add their compose file to the following command
@ -19,6 +26,7 @@ To enable additional services, add their compose file to the following command
podman compose --env-file env.production \ podman compose --env-file env.production \
--file services/secrets.yaml \ --file services/secrets.yaml \
--file services/backup.yaml \ --file services/backup.yaml \
--file services/smtp.yaml \
--file services/caddy.yaml \ --file services/caddy.yaml \
--file services/authelia.yaml \ --file services/authelia.yaml \
--file services/web.yaml \ --file services/web.yaml \
@ -33,18 +41,36 @@ One simple way is to allow unprivileged users access to these low ports
echo 'net.ipv4.ip_unprivileged_port_start=80' | sudo tee -a /etc/sysctl.conf echo 'net.ipv4.ip_unprivileged_port_start=80' | sudo tee -a /etc/sysctl.conf
sudo sysctl -w net.ipv4.ip_unprivileged_port_start=80 sudo sysctl -w net.ipv4.ip_unprivileged_port_start=80
## beta release ## alpha
- [~] single sign-on (authelia)
- [ ] per-user webdav folders via authelia
- [ ] any OIDC service setup
- [~] file backup (duplicity)
- [ ] postgres backup (duplicity)
- [ ] decide on single postgres instance or multiple
- [x] reverse proxy (caddy)
- [x] personal home pages (caddy-webdav)
- [x] migrate from yaml to env for authelia config
- [x] setup notifications via smtp
## beta
- [x] caddy for homepage - [ ] file restore
- [x] webdav for personal home pages - [ ] postgres restore
- [?] ~~zitadel~~ authelia single sign-on
- [x] mount caddy files from service compose files
- [ ] backup using duplicity uploaded to backblaze b2
- [ ] restore using duplicity downloaded from backblaze b2
- [ ] wiki - [ ] wiki
- [ ] see if we can only expose 443 - [ ] matrix server (dendrite)
- [ ] dendrite matrix server - [ ] mail server (stalwart or maddy)
- [ ] gitea - [ ] mailing list (listmonk)
- [ ] code forge (gitea or forgejo)
## 0.1
- [ ] only expose 443, 587, 993
- [ ] running on betabasement-woodbine.nyc
- [ ] audit on secrets management
- [ ] audit on mail server
- [ ] audit on general architecture
## credits ## credits

@ -9,6 +9,12 @@ secrets:
file: ../secrets/authelia/STORAGE_PASSWORD file: ../secrets/authelia/STORAGE_PASSWORD
STORAGE_ENCRYPTION_KEY: STORAGE_ENCRYPTION_KEY:
file: ../secrets/authelia/STORAGE_ENCRYPTION_KEY file: ../secrets/authelia/STORAGE_ENCRYPTION_KEY
SMTP_PASSWORD:
file: ../secrets/smtp/SMTP_PASSWORD
SMTP_HOST:
file: ../secrets/smtp/SMTP_HOST
SMTP_PORT:
file: ../secrets/smtp/SMTP_PORT
services: services:
authelia: authelia:
@ -19,17 +25,33 @@ services:
- postgres - postgres
- secrets - secrets
- caddy - caddy
- smtp
restart: unless-stopped restart: unless-stopped
expose: expose:
- 9091 - 9091
secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY] secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY, SMTP_PASSWORD, SMTP_HOST, SMTP_PORT]
environment: environment:
PUID: 1000
PGID: 1000
AUTHELIA_JWT_SECRET_FILE: /run/secrets/JWT_SECRET AUTHELIA_JWT_SECRET_FILE: /run/secrets/JWT_SECRET
AUTHELIA_SESSION_SECRET_FILE: /run/secrets/SESSION_SECRET AUTHELIA_SESSION_SECRET_FILE: /run/secrets/SESSION_SECRET
AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /run/secrets/STORAGE_PASSWORD
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/STORAGE_ENCRYPTION_KEY AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/STORAGE_ENCRYPTION_KEY
AUTHELIA_STORAGE_POSTGRES_DATABASE: authelia
AUTHELIA_STORAGE_POSTGRES_ADDRESS: postgres
AUTHELIA_STORAGE_POSTGRES_USERNAME: authelia
AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /run/secrets/STORAGE_PASSWORD
AUTHELIA_DEFAULT_REDIRECTION_URL: https://${DOMAIN}
AUTHELIA_TOTP_ISSUER: ${DOMAIN}
AUTHELIA_WEBAUTHN_DISPLAY_NAME: ${DOMAIN}
AUTHELIA_ACCESS_CONTROL_DEFAULT_POLICY: two_factor
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: /run/secrets/SMTP_PASSWORD
AUTHELIA_NOTIFIER_SMTP_HOST_FILE: /run/secrets/SMTP_HOST
AUTHELIA_NOTIFIER_SMTP_PORT_FILE: /run/secrets/SMTP_PORT
AUTHELIA_NOTIFIER_SMTP_USERNAME: "authelia@${DOMAIN}"
AUTHELIA_NOTIFIER_SMTP_SENDER: "Authelia <authelia@${DOMAIN}>"
volumes: volumes:
- ../data/authelia/config:/config - ../data/authelia/config:/config
@ -57,6 +79,16 @@ services:
volumes: volumes:
- ../data/authelia/config:/mnt/backup/src/authelia/config:ro - ../data/authelia/config:/mnt/backup/src/authelia/config:ro
# backup the postgres database
backup-postgres:
volumes:
- ../secrets/authelia/STORAGE_PASSWORD:/run/secrets/AUTHELIA_PGPASSWORD
environment:
- AUTHELIA_PGHOST: authelia
- AUTHELIA_PGUSER: authelia
- AUTHELIA_DBS_TO_INCLUDE: authelia
- AUTHELIA_PGPASSWORD_FILE: /run/secrets/AUTHELIA_PGPASSWORD
# generate all these secrets if they are empty on start # generate all these secrets if they are empty on start
secrets: secrets:
volumes: volumes:
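Review bot: The `environment:` block added for `backup-postgres` (`- AUTHELIA_PGHOST: authelia` through `- AUTHELIA_PGPASSWORD_FILE: …`) is a list of one-key mappings, which Compose rejects — `environment` is either a mapping (`KEY: value`) or a list of `KEY=value` strings — so drop the leading dashes and use the mapping form the `authelia` service above already uses. The host value also looks suspicious: the `authelia` service reaches its database at `AUTHELIA_STORAGE_POSTGRES_ADDRESS: postgres`, so `AUTHELIA_PGHOST: authelia` presumably should be `postgres` too; confirm against whatever consumes these variables. The bind mount of `../secrets/authelia/STORAGE_PASSWORD` into `/run/secrets/` should be read-only (`:ro`) like the other backup mounts in this file, or better, declared through the `secrets:` stanza the rest of the file uses.
```yaml
  backup-postgres:
    volumes:
      - ../secrets/authelia/STORAGE_PASSWORD:/run/secrets/AUTHELIA_PGPASSWORD:ro
    environment:
      AUTHELIA_PGHOST: authelia  # NOTE(review): authelia itself uses `postgres` as the DB address — confirm
      AUTHELIA_PGUSER: authelia
      AUTHELIA_DBS_TO_INCLUDE: authelia
      AUTHELIA_PGPASSWORD_FILE: /run/secrets/AUTHELIA_PGPASSWORD
```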


@ -18,7 +18,24 @@ services:
depends_on: [secrets] depends_on: [secrets]
secrets: [B2_APPLICATION_KEY, B2_APPLICATION_KEY_ID, BUCKET_NAME, PASSPHRASE] secrets: [B2_APPLICATION_KEY, B2_APPLICATION_KEY_ID, BUCKET_NAME, PASSPHRASE]
environment: environment:
DESTINATION: b2://${B2_APPLICATION_KEY_ID}:${B2_APPLICATION_KEY}@${BUCKET_NAME} HOSTNAME: ${DOMAIN}
TZ: America/New_York
entrypoint: ["/run"]
volumes:
- ./backup/run:/run:ro
backup-postgres:
container_name: backup-postgres
image: tecnativa/docker-duplicity-postgres:latest
restart: unless-stopped
depends_on: [secrets]
secrets: [B2_APPLICATION_KEY, B2_APPLICATION_KEY_ID, BUCKET_NAME, PASSPHRASE]
environment:
HOSTNAME: ${DOMAIN}
TZ: America/New_York
entrypoint: ["/run-postgres"]
volumes:
- ./backup/run-postgres:/run-postgres:ro
secrets: secrets:
volumes: volumes:
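Review bot: The new `volumes:` entry `./backup/run:/run:ro` binds a regular file over `/run`, which is the directory where Compose and podman place file secrets (`/run/secrets/...`) — the very paths this script reads — so the secret mounts will likely fail or be unreachable at container start. Mount the script somewhere neutral and point the entrypoint at it, e.g. `- ./backup/run:/usr/local/bin/backup-run:ro` with `entrypoint: ["/usr/local/bin/backup-run"]`, and do the same for the `run-postgres` mount in the new `backup-postgres` service. `image: tecnativa/docker-duplicity-postgres:latest` is unpinned; a fixed tag (ideally with a digest) keeps the backup job reproducible and makes upstream image changes reviewable. The enclosing `backup` service starts above this hunk.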

@ -1,14 +1,9 @@
. ../../env.production read B2_APPLICATION_KEY_ID < /run/secrets/B2_APPLICATION_KEY_ID
read B2_APPLICATION_KEY < /run/secrets/B2_APPLICATION_KEY
read BUCKET_NAME < /run/secrets/BUCKET_NAME
export DST=b2://${B2_APPLICATION_KEY_ID}:${B2_APPLICATION_KEY}@${BUCKET_NAME}
service=$(basename $PWD) read PASSPHRASE < /run/secrets/PASSPHRASE
secrets="../../secrets/$service" export PASSPHRASE
read B2_APPLICATION_KEY_ID < $secrets/application-key-id /usr/local/bin/entrypoint
read B2_APPLICATION_KEY < $secrets/application-key
export BUCKET_NAME=${DOMAIN}-backup
export DESTINATION=b2://${B2_APPLICATION_KEY_ID}:${B2_APPLICATION_KEY}@${BUCKET_NAME}
read PASSPHRASE < $secrets/passphrase
env PASSPHRASE=$PASSPHRASE duplicity backup ../../data $DESTINATION >&2
env PASSPHRASE=$PASSPHRASE duplicity remove-older-than 28D $DESTINATION >&2
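Review bot: The new script (from `read B2_APPLICATION_KEY_ID < /run/secrets/...` on) has no shebang, yet `backup.yaml` now executes it directly as `entrypoint: ["/run"]`, which leaves the kernel no interpreter to run it with; add `#!/bin/sh` as the first line and `set -eu` after it so a missing secret file aborts instead of producing a `DST` with empty credentials. Each `read` should be `read -r` so a backslash in a key or passphrase is not stripped. The same three points apply to the new `run-postgres` script in this commit. The removed lines ran `duplicity backup` and `remove-older-than 28D` explicitly; they are replaced by `/usr/local/bin/entrypoint`, and I cannot tell from this page whether that entrypoint reproduces the 28-day retention, so it is worth a comment either way.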

@ -0,0 +1,14 @@
read B2_APPLICATION_KEY_ID < /run/secrets/B2_APPLICATION_KEY_ID
read B2_APPLICATION_KEY < /run/secrets/B2_APPLICATION_KEY
read BUCKET_NAME < /run/secrets/BUCKET_NAME
export DST=b2://${B2_APPLICATION_KEY_ID}:${B2_APPLICATION_KEY}@${BUCKET_NAME}
read PASSPHRASE < /run/secrets/PASSPHRASE
export PASSPHRASE
for environment in /backup/*; do
. $environment
export PGHOST PGPASSWORD PGUSER DBS_TO_INCLUDE DBS_TO_EXCLUDE
/usr/local/bin/entrypoint
unset PGHOST PGPASSWORD PGUSER DBS_TO_INCLUDE DBS_TO_EXCLUDE
done
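Review bot: `for environment in /backup/*; do . $environment` expects shell fragments mounted under `/backup`, but nothing in this commit's `backup.yaml` or `authelia.yaml` mounts that directory — `authelia.yaml` instead passes `AUTHELIA_PGHOST`, `AUTHELIA_PGUSER`, `AUTHELIA_DBS_TO_INCLUDE` and `AUTHELIA_PGPASSWORD_FILE` as environment variables, while this loop exports unprefixed `PGHOST PGPASSWORD PGUSER …` and wants a password value rather than a `_FILE` path. Unless the suppressed diff on this page supplies that glue, the two sides do not meet; a comment above the loop stating the contract, e.g. `# each file in /backup is a shell fragment setting PGHOST, PGUSER, PGPASSWORD, DBS_TO_INCLUDE and optionally DBS_TO_EXCLUDE`, would make the mismatch visible. When `/backup` is empty the glob stays literal and `. /backup/*` errors out; guard with `[ -e "$environment" ] || continue`. Since every file there is executed as shell with the container's privileges, that mount should stay operator-controlled and `:ro`.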

@ -0,0 +1,41 @@
version: "3.8"
secrets:
SMTP_HOST:
file: ../secrets/smtp/SMTP_HOST
SMTP_PORT:
file: ../secrets/smtp/SMTP_PORT
SMTP_USERNAME:
file: ../secrets/smtp/SMTP_USERNAME
SMTP_PASSWORD:
file: ../secrets/smtp/SMTP_PASSWORD
services:
smtp:
image: foxcpp/maddy:0.6
secrets: ["SMTP_HOST", "SMTP_PORT", "SMTP_USERNAME", "SMTP_PASSWORD"]
restart: unless-stopped
depends_on: ["smtp-setup"]
environment:
- MADDY_HOSTNAME=mx.${DOMAIN}
- MADDY_DOMAIN=${DOMAIN}
volumes:
- ../data/smtp/data:/data
# TODO: get from caddy?
- ../secrets/tls/fullchain.pem:/data/tls/fullchain.pem:ro
- ../secrets/tls/privkey.pem:/data/tls/privkey.pem:ro
ports:
- 25:25
- 143:143
- 587:587
- 993:993
smtp-setup:
container_name: smtp-setup
image: alpine
restart: no
secrets: ["SMTP_HOST", "SMTP_PORT", "SMTP_USERNAME", "SMTP_PASSWORD"]
volumes:
- ./secrets/check-secrets:/check-secrets:ro
entrypoint: ["/check-secrets"]
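Review bot: `restart: no` on `smtp-setup` is read as the boolean `false` by YAML 1.1 loaders such as PyYAML (which podman-compose uses), and Compose expects a string here; write `restart: "no"`. In `ports:`, unquoted `25:25` is a YAML 1.1 sexagesimal integer (1525), so that mapping silently changes meaning — quote every port entry (`- "25:25"`, `- "143:143"`, and so on) as the other services in this repository do for values of this kind. This file publishes 25 and 143 on the host while the README change in the same commit lists "only expose 443, 587, 993" as a 0.1 goal; if 143 is intentional for now, a one-line comment next to `ports:` saying so would save the next reader a question. `image: alpine` for `smtp-setup` is unpinned; a specific tag (or digest) keeps the setup step reproducible.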