micro
/
woodbine.nyc
1
0
Fork 0
Code Issues 4 Pull Requests Packages Projects Releases Wiki Activity

migrate authelia from yaml to env

Browse Source
authelia
Jonathan Dahan 2 years ago
parent 487ed7b64d
commit 1ddc1ac083
7 changed files with 152 additions and 1465 deletions
Show Stats Download Patch File Download Diff File

46
readme.md
Unescape View File

@ -4,6 +4,11 @@ Experiment in digital autonomy
Latest code is hosted on https://git.woodbine.nyc/micro/woodbine.nyc
In general, everything is orchestrated by the compose files.
Sometimes, you will see a -setup service in the compose file.
This usually runs a script that checks or generates secrets, and does initial configuration if needed.
## Goals
We hope this is understandable by a single individual, after learning a bit about docker compose and caddy.
@ -12,6 +17,8 @@ We hope this is understandable by a single individual, after learning a bit abou
Make a backblaze B2 account for backups. Add the secrets to ./secrets/backup/.
Fill out smtp secrets for the mail server
## running
To enable additional services, add their compose file to the following command
@ -19,6 +26,7 @@ To enable additional services, add their compose file to the following command
podman compose --env-file env.production \
--file services/secrets.yaml \
--file services/backup.yaml \
--file services/smtp.yaml \
--file services/caddy.yaml \
--file services/authelia.yaml \
--file services/web.yaml \
@ -33,18 +41,36 @@ One simple way is to allow unprivileged users access to these low ports
echo 'net.ipv4.ip_unprivileged_port_start=80' | sudo tee -a /etc/sysctl.conf
sudo sysctl -w net.ipv4.ip_unprivileged_port_start=80
## beta release
## alpha
- [~] single sign-on (authelia)
- [ ] per-user webdav folders via authelia
- [ ] any OIDC service setup
- [~] file backup (duplicity)
- [ ] postgres backup (duplicity)
- [ ] decide on single postgres instance or multiple
- [x] reverse proxy (caddy)
- [x] personal home pages (caddy-webdav)
- [x] migrate from yaml to env for authelia config
- [x] setup notifications via smtp
## beta
- [x] caddy for homepage
- [x] webdav for personal home pages
- [?] ~~zitadel~~ authelia single sign-on
- [x] mount caddy files from service compose files
- [ ] backup using duplicity uploaded to backblaze b2
- [ ] restore using duplicity downloaded from backblaze b2
- [ ] file restore
- [ ] postgres restore
- [ ] wiki
- [ ] see if we can only expose 443
- [ ] dendrite matrix server
- [ ] gitea
- [ ] matrix server (dendrite)
- [ ] mail server (stalwart or maddy)
- [ ] mailing list (listmonk)
- [ ] code forge (gitea or forgejo)
## 0.1
- [ ] only expose 443, 587, 993
- [ ] running on betabasement-woodbine.nyc
- [ ] audit on secrets management
- [ ] audit on mail server
- [ ] audit on general architecture
## credits

40
services/authelia.yaml
Unescape View File

@ -9,6 +9,12 @@ secrets:
file: ../secrets/authelia/STORAGE_PASSWORD
STORAGE_ENCRYPTION_KEY:
file: ../secrets/authelia/STORAGE_ENCRYPTION_KEY
SMTP_PASSWORD:
file: ../secrets/smtp/SMTP_PASSWORD
SMTP_HOST:
file: ../secrets/smtp/SMTP_HOST
SMTP_PORT:
file: ../secrets/smtp/SMTP_PORT
services:
authelia:
@ -19,17 +25,33 @@ services:
- postgres
- secrets
- caddy
- smtp
restart: unless-stopped
expose:
- 9091
secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY]
secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY, SMTP_PASSWORD, SMTP_HOST, SMTP_PORT]
environment:
PUID: 1000
PGID: 1000
AUTHELIA_JWT_SECRET_FILE: /run/secrets/JWT_SECRET
AUTHELIA_SESSION_SECRET_FILE: /run/secrets/SESSION_SECRET
AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /run/secrets/STORAGE_PASSWORD
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/STORAGE_ENCRYPTION_KEY
AUTHELIA_STORAGE_POSTGRES_DATABASE: authelia
AUTHELIA_STORAGE_POSTGRES_ADDRESS: postgres
AUTHELIA_STORAGE_POSTGRES_USERNAME: authelia
AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /run/secrets/STORAGE_PASSWORD
AUTHELIA_DEFAULT_REDIRECTION_URL: https://${DOMAIN}
AUTHELIA_TOTP_ISSUER: ${DOMAIN}
AUTHELIA_WEBAUTHN_DISPLAY_NAME: ${DOMAIN}
AUTHELIA_ACCESS_CONTROL_DEFAULT_POLICY: two_factor
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: /run/secrets/SMTP_PASSWORD
AUTHELIA_NOTIFIER_SMTP_HOST_FILE: /run/secrets/SMTP_HOST
AUTHELIA_NOTIFIER_SMTP_PORT_FILE: /run/secrets/SMTP_PORT
AUTHELIA_NOTIFIER_SMTP_USERNAME: "authelia@${DOMAIN}"
AUTHELIA_NOTIFIER_SMTP_SENDER: "Authelia <authelia@${DOMAIN}>"
volumes:
- ../data/authelia/config:/config
@ -57,6 +79,16 @@ services:
volumes:
- ../data/authelia/config:/mnt/backup/src/authelia/config:ro
# backup the postgres database
backup-postgres:
volumes:
- ../secrets/authelia/STORAGE_PASSWORD:/run/secrets/AUTHELIA_PGPASSWORD
environment:
- AUTHELIA_PGHOST: authelia
- AUTHELIA_PGUSER: authelia
- AUTHELIA_DBS_TO_INCLUDE: authelia
- AUTHELIA_PGPASSWORD_FILE: /run/secrets/AUTHELIA_PGPASSWORD
# generate all these secrets if they are empty on start
secrets:
volumes:

1438
services/authelia/config.template.yml
View File

File diff suppressed because it is too large Load Diff

19
services/backup.yaml
Unescape View File

@ -18,7 +18,24 @@ services:
depends_on: [secrets]
secrets: [B2_APPLICATION_KEY, B2_APPLICATION_KEY_ID, BUCKET_NAME, PASSPHRASE]
environment:
DESTINATION: b2://${B2_APPLICATION_KEY_ID}:${B2_APPLICATION_KEY}@${BUCKET_NAME}
HOSTNAME: ${DOMAIN}
TZ: America/New_York
entrypoint: ["/run"]
volumes:
- ./backup/run:/run:ro
backup-postgres:
container_name: backup-postgres
image: tecnativa/docker-duplicity-postgres:latest
restart: unless-stopped
depends_on: [secrets]
secrets: [B2_APPLICATION_KEY, B2_APPLICATION_KEY_ID, BUCKET_NAME, PASSPHRASE]
environment:
HOSTNAME: ${DOMAIN}
TZ: America/New_York
entrypoint: ["/run-postgres"]
volumes:
- ./backup/run-postgres:/run-postgres:ro
secrets:
volumes:

19
services/backup/run
Unescape View File

@ -1,14 +1,9 @@
. ../../env.production
read B2_APPLICATION_KEY_ID < /run/secrets/B2_APPLICATION_KEY_ID
read B2_APPLICATION_KEY < /run/secrets/B2_APPLICATION_KEY
read BUCKET_NAME < /run/secrets/BUCKET_NAME
export DST=b2://${B2_APPLICATION_KEY_ID}:${B2_APPLICATION_KEY}@${BUCKET_NAME}
service=$(basename $PWD)
secrets="../../secrets/$service"
read PASSPHRASE < /run/secrets/PASSPHRASE
export PASSPHRASE
read B2_APPLICATION_KEY_ID < $secrets/application-key-id
read B2_APPLICATION_KEY < $secrets/application-key
export BUCKET_NAME=${DOMAIN}-backup
export DESTINATION=b2://${B2_APPLICATION_KEY_ID}:${B2_APPLICATION_KEY}@${BUCKET_NAME}
read PASSPHRASE < $secrets/passphrase
env PASSPHRASE=$PASSPHRASE duplicity backup ../../data $DESTINATION >&2
env PASSPHRASE=$PASSPHRASE duplicity remove-older-than 28D $DESTINATION >&2
/usr/local/bin/entrypoint

14
services/backup/run-postgres
Unescape View File

@ -0,0 +1,14 @@
read B2_APPLICATION_KEY_ID < /run/secrets/B2_APPLICATION_KEY_ID
read B2_APPLICATION_KEY < /run/secrets/B2_APPLICATION_KEY
read BUCKET_NAME < /run/secrets/BUCKET_NAME
export DST=b2://${B2_APPLICATION_KEY_ID}:${B2_APPLICATION_KEY}@${BUCKET_NAME}
read PASSPHRASE < /run/secrets/PASSPHRASE
export PASSPHRASE
for environment in /backup/*; do
. $environment
export PGHOST PGPASSWORD PGUSER DBS_TO_INCLUDE DBS_TO_EXCLUDE
/usr/local/bin/entrypoint
unset PGHOST PGPASSWORD PGUSER DBS_TO_INCLUDE DBS_TO_EXCLUDE
done

41
services/smtp.yaml
Unescape View File

@ -0,0 +1,41 @@
version: "3.8"
secrets:
SMTP_HOST:
file: ../secrets/smtp/SMTP_HOST
SMTP_PORT:
file: ../secrets/smtp/SMTP_PORT
SMTP_USERNAME:
file: ../secrets/smtp/SMTP_USERNAME
SMTP_PASSWORD:
file: ../secrets/smtp/SMTP_PASSWORD
services:
smtp:
image: foxcpp/maddy:0.6
secrets: ["SMTP_HOST", "SMTP_PORT", "SMTP_USERNAME", "SMTP_PASSWORD"]
restart: unless-stopped
depends_on: ["smtp-setup"]
environment:
- MADDY_HOSTNAME=mx.${DOMAIN}
- MADDY_DOMAIN=${DOMAIN}
volumes:
- ../data/smtp/data:/data
# TODO: get from caddy?
- ../secrets/tls/fullchain.pem:/data/tls/fullchain.pem:ro
- ../secrets/tls/privkey.pem:/data/tls/privkey.pem:ro
ports:
- 25:25
- 143:143
- 587:587
- 993:993
smtp-setup:
container_name: smtp-setup
image: alpine
restart: no
secrets: ["SMTP_HOST", "SMTP_PORT", "SMTP_USERNAME", "SMTP_PASSWORD"]
volumes:
- ./secrets/check-secrets:/check-secrets:ro
entrypoint: ["/check-secrets"]
Write Preview
Loading…
Cancel
Save