From e05a45afe7f8e69b48dc9c45a5221245b742ccd0 Mon Sep 17 00:00:00 2001 From: Jonathan Dahan Date: Wed, 1 Nov 2023 14:22:02 -0400 Subject: [PATCH] settle on volume mounts for secrets generation and file backups --- base.yaml | 7 +++++++ readme.md | 6 ++---- services/authelia.yaml | 25 ++++++++++++++++--------- services/authelia/Proxyfile | 3 +++ services/backup.yaml | 25 +++++++++++++++++++++++++ services/caddy.yaml | 4 ++++ services/generate-secrets | 11 ----------- services/readme.md | 32 +++++++++++++++++++++++++++----- services/secrets.yaml | 9 +++++++++ services/web.yaml | 6 ++++-- services/web/Proxyfile | 3 +++ services/zitadel.yaml | 36 ------------------------------------ 12 files changed, 100 insertions(+), 67 deletions(-) create mode 100644 base.yaml create mode 100644 services/authelia/Proxyfile create mode 100644 services/backup.yaml delete mode 100755 services/generate-secrets create mode 100644 services/secrets.yaml create mode 100644 services/web/Proxyfile delete mode 100644 services/zitadel.yaml diff --git a/base.yaml b/base.yaml new file mode 100644 index 0000000..2eb10c3 --- /dev/null +++ b/base.yaml @@ -0,0 +1,7 @@ +version: "3.8" + +include: + - services/secrets.yaml + - services/caddy.yaml + - services/backup.yaml + - services/authelia.yaml diff --git a/readme.md b/readme.md index 71b7ad7..7d75c1c 100644 --- a/readme.md +++ b/readme.md @@ -9,8 +9,7 @@ Hosted on https://git.woodbine.nyc/micro/woodbine.nyc To enable additional services, add their compose file to the following command podman compose --env-file env.production \ - --file services/caddy.yaml \ - --file services/authelia.yaml \ + --file base.yaml \ --file services/web.yaml \ up --build 
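Review bot: The top-level `include:` list in base.yaml is a Compose-spec feature (Docker Compose v2.20 and later), and the readme's `podman compose --file base.yaml --file services/web.yaml` relies on the later `--file` merging `caddy:` and `backup:` volume stubs into services that arrive through `include`; whether podman's compose provider supports both `include` and that merge is not demonstrated by this commit, so a `podman compose --file base.yaml --file services/web.yaml config` dry run is worth adding to the readme before `up`. Keeping `version: "3.8"` next to `include:` is contradictory, since the spec revision that introduced `include` ignores `version`; either drop it or annotate it, e.g. `# version is ignored by the compose spec; kept for older podman-compose`.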
@@ -27,11 +26,10 @@ One simple way is to allow unprivileged users access to these low ports - [x] caddy for homepage - [x] webdav for personal home pages -- [?] authelia sso +- [?] ~~zitadel~~ authelia single sign-on - [x] mount caddy files from service compose files - [ ] backup using duplicity uploaded to backblaze b2 - [ ] restore using duplicity downloaded from backblaze b2 -- [ ] ~~zitadel sso~~ - [ ] wiki - [ ] dendrite matrix server - [ ] gitea diff --git a/services/authelia.yaml b/services/authelia.yaml index ce3ea7f..644665a 100644 --- a/services/authelia.yaml +++ b/services/authelia.yaml @@ -1,4 +1,5 @@ version: "3.8" + secrets: JWT_SECRET: file: ../secrets/authelia/JWT_SECRET @@ -17,11 +18,11 @@ services: depends_on: - postgres - authelia_setup + - secrets restart: unless-stopped expose: - 9091 secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY] - #user: 8000:9000 environment: PUID: 1000 PGID: 1000 @@ -45,18 +46,24 @@ services: volumes: - postgres-data:/var/lib/postgresql/data - authelia_setup: - image: docker.io/authelia/authelia:4.37 - volumes: - - ../secrets/authelia:/secrets - - ./authelia/generate-secrets.sh:/generate-secrets.sh - restart: no - entrypoint: [ "/generate-secrets.sh", "/secrets" ] - + # setup a reverse proxy for caddy caddy: volumes: - ./authelia/Proxyfile:/etc/caddy.d/authelia:ro + # backup the authelia config + backup: + volumes: + - ../data/authelia/config:/mnt/backup/src/authelia/config:ro + + # generate all these secrets if they are empty on start + secrets: + volumes: + - ../secrets/authelia/JWT_SECRET:/secrets/authelia/JWT_SECRET + - ../secrets/authelia/SESSION_SECRET:/secrets/authelia/SESSION_SECRET + - ../secrets/authelia/STORAGE_PASSWORD:/secrets/authelia/STORAGE_PASSWORD + - ../secrets/authelia/STORAGE_ENCRYPTION_KEY:/secrets/authelia/STORAGE_ENCRYPTION_KEY + volumes: postgres-data: authelia-config: 
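Review bot: The new `- secrets` entry under `depends_on` names a service that nothing defines with an image: the generator in services/secrets.yaml is called `generate-secrets`, while the `secrets:` stub added at the end of this file (next hunk) and the `depends_on: [secrets]` / `secrets:` pair in services/backup.yaml carry only `volumes:`, so compose will either reject `secrets` as a service with neither `image` nor `build` or, if it tolerates the stub, never run the generator before authelia. Rename consistently to `generate-secrets` in all three places (services/readme.md already documents that name). Separately, the list form of `depends_on` only orders container creation, and Compose reads `file:` secrets when the container is created; because the generator is a one-shot service, use the long form `depends_on: { generate-secrets: { condition: service_completed_successfully } }` so authelia is not created with empty JWT_SECRET/SESSION_SECRET files. The authelia service definition starts before this hunk.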
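Review bot: The four per-file bind mounts under the new `secrets:` service (`../secrets/authelia/JWT_SECRET:/secrets/authelia/JWT_SECRET` and the three below it) require the host files to exist before `up`; when a bind-mount source is missing, Docker and podman create it as a directory, after which the generator cannot write the file and the top-level `file: ../secrets/authelia/JWT_SECRET` declaration fails to read it. services/backup.yaml mounts the directory instead (`../secrets/backup:/secrets/backup`); using `../secrets/authelia:/secrets/authelia` here would be consistent and lets the generator create missing files itself. The `backup:` stub mounts `../data/authelia/config`, yet the hunk still ends by declaring an `authelia-config:` named volume — if the authelia service (its volumes are outside this hunk) actually stores its config in that named volume, the backup source is empty; confirm which path is used and remove the unused one.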
diff --git a/services/authelia/Proxyfile b/services/authelia/Proxyfile new file mode 100644 index 0000000..4432146 --- /dev/null +++ b/services/authelia/Proxyfile @@ -0,0 +1,3 @@ +login.{$DOMAIN} { + reverse_proxy authelia:9091 +} diff --git a/services/backup.yaml b/services/backup.yaml new file mode 100644 index 0000000..e6eaed7 --- /dev/null +++ b/services/backup.yaml @@ -0,0 +1,25 @@ +version: "3.8" + +secrets: + B2_APPLICATION_KEY: + file: ../secrets/backup/B2_APPLICATION_KEY + B2_APPLICATION_KEY_ID: + file: ../secrets/backup/B2_APPLICATION_KEY_ID + BUCKET_NAME: + file: ../secrets/backup/BUCKET_NAME + PASSPHRASE: + file: ../secrets/backup/PASSPHRASE + +services: + backup: + container_name: backup + image: Tecnativa/docker-duplicity:latest + restart: unless-stopped + depends_on: [secrets] + secrets: [B2_APPLICATION_KEY, B2_APPLICATION_KEY_ID, BUCKET_NAME, PASSPHRASE] + environment: + DESTINATION: b2://${B2_APPLICATION_KEY_ID}:${B2_APPLICATION_KEY}@${BUCKET_NAME} + + secrets: + volumes: + - ../secrets/backup:/secrets/backup diff --git a/services/caddy.yaml b/services/caddy.yaml index d803e37..e49e0d6 100644 --- a/services/caddy.yaml +++ b/services/caddy.yaml @@ -17,5 +17,9 @@ services: environment: - DOMAIN + backup: + volumes: + - ../data/caddy:/mnt/backup/src/caddy:ro + volumes: caddy_config: diff --git a/services/generate-secrets b/services/generate-secrets deleted file mode 100755 index 298428b..0000000 --- a/services/generate-secrets +++ /dev/null @@ -1,11 +0,0 @@ -#!/usr/bin/env sh -set -o errexit -set -o nounset -set -o pipefail - -cd ${1:-../secrets/authelia} - -for secret in JWT_SECRET SESSION_SECRET STORAGE_PASSWORD STORAGE_ENCRYPTION_KEY; do - test -s $secret && continue - authelia crypto rand --length 64 --charset alphanumeric | cut -d':' -f2 | tr -d ' ' > $secret -done diff --git a/services/readme.md b/services/readme.md index 6d7b232..1ec7729 100644 --- a/services/readme.md +++ b/services/readme.md 
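Review bot: `image: Tecnativa/docker-duplicity:latest` will not pull, because image repository names must be lowercase (`tecnativa/docker-duplicity`), and for a container that holds backup credentials a pinned tag or digest is preferable to `latest`. The bigger problem is `DESTINATION: b2://${B2_APPLICATION_KEY_ID}:${B2_APPLICATION_KEY}@${BUCKET_NAME}`: `${...}` is Compose interpolation from the shell or `--env-file`, not the Docker secrets declared above it (those are mounted as files under `/run/secrets/` and are never substituted into `environment:`), so either the variables are unset and the value degrades to `b2://:@`, or the application key is copied from env.production into the container environment where `podman inspect` and process listings expose it, defeating the point of declaring secrets. The same applies to `PASSPHRASE`: as a secret it is a file, not the environment variable duplicity reads, so unless the image reads `*_FILE` variants the backup may run unencrypted or fail. If the image supports `*_FILE` variables use those; otherwise compose the destination from `/run/secrets/*` inside the container via an entrypoint wrapper. The `secrets:` stub at the end also references a service that services/secrets.yaml names `generate-secrets`.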
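Review bot: The new `backup:` stub bind-mounts `../data/caddy` as the backup source, while the hunk ends with the `caddy_config:` named volume declaration; if the caddy service keeps its config and TLS state in that named volume rather than under `../data/caddy` (the caddy service's own `volumes:` are outside this hunk), the backup will be missing exactly the ACME account and certificate private keys it is meant to preserve — please confirm the path. Because that directory, when it is the data dir, contains private keys, it should only be shipped off-site once the encryption side of services/backup.yaml (the `PASSPHRASE` secret) is confirmed to actually reach duplicity; a comment such as `# contains TLS private keys; backup must be encrypted` on the mount line would make the requirement visible to the next editor.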
@@ -16,9 +16,9 @@ we have a backup script that uses duplicity, this should be moved into a contain caddy is the web server, and handles https certificates, and proxying to all the services. -#### [Zitadel](https://zitadel.com/docs) **WIP** +#### [Authelia](https://www.authelia.com/overview/prologue/introduction/) **WIP** -zitadel lets you have a single username and password to sign on to all your services. +authelia lets you have a single username and password to sign on to all your services. ### Optional Services @@ -31,9 +31,9 @@ without having to sync anything. There are three things to think about when adding a service: -1. How to enable sign-in with zitadel? +1. How to enable sign-on? -Generally, zitadel has some cli commands that we have put in scripts in the zitadel folder. +Look at https://www.authelia.com/integration/openid-connect/introduction/ for integration guides. 2. How to expose as a subdomain? @@ -53,4 +53,26 @@ Add a volume mount of your reverse proxy config to your compose file. 3. How will this be backed up and restored? -We backup all files in the data/ directory, but if your service interacts with a database like postgres, will need additional work. +For plain files, add the appropriate volume mount like so: + + # in the services: part of your compose file + backup: + volumes: + - ../data/some-service:/mnt/backup/src/some-service:ro + +This will be backed up according to the plan in [the backup service](./backup.yaml) + +For postgres databases, we are figuring out the best way + +4. How do we manage secrets? + +If your service requires secrets, you can use docker secrets, and have them generated on startup as follows: + + # in the services: part of your compose file + some-service: + depends_on: + - generate-secrets + + generate-secrets: + volumes: + - ../secrets/some-service/SECRET_TO_INITIALIZE_IF_EMPTY:/secrets/some-service/SECRET_TO_INITIALIZE_IF_EMPTY 
diff --git a/services/secrets.yaml b/services/secrets.yaml new file mode 100644 index 0000000..aeeed63 --- /dev/null +++ b/services/secrets.yaml @@ -0,0 +1,9 @@ +version: "3.8" + +services: + generate-secrets: + image: alpine/openssl + restart: no + volumes: + - ./secrets/generate-secrets:/generate-secrets:ro + entrypoint: ["/generate-secrets"] diff --git a/services/web.yaml b/services/web.yaml index cbc0972..cb1c680 100644 --- a/services/web.yaml +++ b/services/web.yaml @@ -15,12 +15,14 @@ services: - ../data/web/site:/site - ../data/web/data:/data - caddy_config:/config - environment: - - DOMAIN caddy: volumes: - ./web/Proxyfile:/etc/caddy.d/web:ro + backup: + volumes: + - ../data/web:/mnt/backup/src/web:ro + volumes: caddy_config: diff --git a/services/web/Proxyfile b/services/web/Proxyfile new file mode 100644 index 0000000..28dcb4b --- /dev/null +++ b/services/web/Proxyfile @@ -0,0 +1,3 @@ +web.{$DOMAIN} { + reverse_proxy web:4431 +} diff --git a/services/zitadel.yaml b/services/zitadel.yaml deleted file mode 100644 index 39b1c02..0000000 --- a/services/zitadel.yaml +++ /dev/null @@ -1,36 +0,0 @@ -version: '3.8' - -services: - zitadel: - restart: 'always' - networks: - - 'zitadel' - image: 'ghcr.io/zitadel/zitadel:latest' - command: 'start-from-init --masterkey "6cd52ccbc4da912319f0fdc016d68575dd391bd932ebdc045c89b2dce9e90315" --tlsMode disabled' - environment: - - 'ZITADEL_DATABASE_COCKROACH_HOST=crdb' - - 'ZITADEL_EXTERNALSECURE=false' - depends_on: - crdb: - condition: 'service_healthy' - ports: - - '8123:8080' - - crdb: - restart: 'always' - networks: - - 'zitadel' - image: 'cockroachdb/cockroach:v22.2.2' - command: 'start-single-node --insecure' - healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:8080/health?ready=1"] - interval: '10s' - timeout: '30s' - retries: 5 - start_period: '20s' - ports: - - '9090:8080' - - '26257:26257' - -networks: - zitadel:
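Review bot: The `generate-secrets` service mounts `./secrets/generate-secrets:/generate-secrets:ro` and runs it as the entrypoint, but no such file is added in this commit — the only generator script, `services/generate-secrets`, is deleted in the same patch — so the bind source will be created as an empty directory and the entrypoint fails. Either add the script at `services/secrets/generate-secrets` (the deleted one called `authelia crypto rand`, which `alpine/openssl` is unlikely to ship, so it needs an `openssl rand` equivalent) or point the mount at an existing path. `restart: no` should be `restart: "no"`: a bare `no` is a YAML 1.1 boolean and Compose documents the quoted form. Since the container runs as root and writes into host bind mounts, the script should start with `umask 077` so generated key material is not world-readable on the host, and `alpine/openssl` should be pinned to a tag or digest.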
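Review bot: The removal of `environment: - DOMAIN` from the `web` service is unrelated to the backup mount this hunk adds and is not explained; if the web container used `DOMAIN` (the `web` service definition starts above this hunk, so its image and config are not visible here), it now silently loses it, while the new services/web/Proxyfile still depends on `{$DOMAIN}` being set for caddy, which services/caddy.yaml keeps. If the removal is intentional, a comment on the caddy stub such as `# DOMAIN is only consumed by caddy, see caddy.yaml` would record that.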