settle on volume mounts for secrets generation and file backups

authelia
Jonathan Dahan 2 years ago
parent 7853e29727
commit e05a45afe7

@ -0,0 +1,7 @@
version: "3.8"
include:
- services/secrets.yaml
- services/caddy.yaml
- services/backup.yaml
- services/authelia.yaml
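Review bot: The new `include:` list relies on the Compose-spec `include` element, which loads each listed file as an independent model and reports conflicting resource definitions as an error rather than merging them the way multiple `--file` arguments do. services/authelia.yaml, services/caddy.yaml and services/web.yaml in this commit add `caddy:`, `backup:` and `secrets:` service fragments that only make sense if they are merged onto the full definitions in services/caddy.yaml, services/backup.yaml and services/secrets.yaml, so whether this file works depends on the `podman compose` implementation's handling of `include`, which is not visible here. I would confirm it with the exact podman-compose version before the README's old multi-`--file` invocation is dropped, and note the supported version in a comment above `include:`, e.g. `# requires a compose implementation with Compose-spec 'include' support that merges the service fragments below`.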

@ -9,8 +9,7 @@ Hosted on https://git.woodbine.nyc/micro/woodbine.nyc
To enable additional services, add their compose file to the following command To enable additional services, add their compose file to the following command
podman compose --env-file env.production \ podman compose --env-file env.production \
--file services/caddy.yaml \ --file base.yaml \
--file services/authelia.yaml \
--file services/web.yaml \ --file services/web.yaml \
up --build up --build
@ -27,11 +26,10 @@ One simple way is to allow unprivileged users access to these low ports
- [x] caddy for homepage - [x] caddy for homepage
- [x] webdav for personal home pages - [x] webdav for personal home pages
- [?] authelia sso - [?] ~~zitadel~~ authelia single sign-on
- [x] mount caddy files from service compose files - [x] mount caddy files from service compose files
- [ ] backup using duplicity uploaded to backblaze b2 - [ ] backup using duplicity uploaded to backblaze b2
- [ ] restore using duplicity downloaded from backblaze b2 - [ ] restore using duplicity downloaded from backblaze b2
- [ ] ~~zitadel sso~~
- [ ] wiki - [ ] wiki
- [ ] dendrite matrix server - [ ] dendrite matrix server
- [ ] gitea - [ ] gitea

@ -1,4 +1,5 @@
version: "3.8" version: "3.8"
secrets: secrets:
JWT_SECRET: JWT_SECRET:
file: ../secrets/authelia/JWT_SECRET file: ../secrets/authelia/JWT_SECRET
@ -17,11 +18,11 @@ services:
depends_on: depends_on:
- postgres - postgres
- authelia_setup - authelia_setup
- secrets
restart: unless-stopped restart: unless-stopped
expose: expose:
- 9091 - 9091
secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY] secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY]
#user: 8000:9000
environment: environment:
PUID: 1000 PUID: 1000
PGID: 1000 PGID: 1000
@ -45,18 +46,24 @@ services:
volumes: volumes:
- postgres-data:/var/lib/postgresql/data - postgres-data:/var/lib/postgresql/data
authelia_setup: # setup a reverse proxy for caddy
image: docker.io/authelia/authelia:4.37
volumes:
- ../secrets/authelia:/secrets
- ./authelia/generate-secrets.sh:/generate-secrets.sh
restart: no
entrypoint: [ "/generate-secrets.sh", "/secrets" ]
caddy: caddy:
volumes: volumes:
- ./authelia/Proxyfile:/etc/caddy.d/authelia:ro - ./authelia/Proxyfile:/etc/caddy.d/authelia:ro
# backup the authelia config
backup:
volumes:
- ../data/authelia/config:/mnt/backup/src/authelia/config:ro
# generate all these secrets if they are empty on start
secrets:
volumes:
- ../secrets/authelia/JWT_SECRET:/secrets/authelia/JWT_SECRET
- ../secrets/authelia/SESSION_SECRET:/secrets/authelia/SESSION_SECRET
- ../secrets/authelia/STORAGE_PASSWORD:/secrets/authelia/STORAGE_PASSWORD
- ../secrets/authelia/STORAGE_ENCRYPTION_KEY:/secrets/authelia/STORAGE_ENCRYPTION_KEY
volumes: volumes:
postgres-data: postgres-data:
authelia-config: authelia-config:
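Review bot: The service name used here does not match the generator defined in this commit: `depends_on` adds `- secrets` and the new volume fragment is declared under `secrets:`, while services/secrets.yaml defines the one-shot container as `generate-secrets:` and docs/README.md also tells contributors to use `generate-secrets`; services/backup.yaml has the same mismatch in `depends_on: [secrets]` and its `secrets:` fragment. As written, `secrets:` becomes a separate service with volumes but no `image`, which compose rejects, and authelia will not actually wait on the generator; renaming both fragments to `generate-secrets:` and the dependency to `- generate-secrets` fixes that. Even with the name fixed, the short `depends_on` form only waits for the generator container to be started, not to finish writing, so authelia can still come up reading empty secret files; the long form `generate-secrets: {condition: service_completed_successfully}` expresses the intended ordering (support for that condition in the podman-compose version in use should be confirmed). Bind-mounting the four secrets as individual files also assumes they already exist on the host; depending on the runtime a missing path is created as a directory, which the generator cannot write into, so an `init` or `touch` step, or mounting the `../secrets/authelia` directory as services/backup.yaml does, would be more robust.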

@ -0,0 +1,3 @@
login.{$DOMAIN} {
reverse_proxy authelia:9091
}

@ -0,0 +1,25 @@
version: "3.8"
secrets:
B2_APPLICATION_KEY:
file: ../secrets/backup/B2_APPLICATION_KEY
B2_APPLICATION_KEY_ID:
file: ../secrets/backup/B2_APPLICATION_KEY_ID
BUCKET_NAME:
file: ../secrets/backup/BUCKET_NAME
PASSPHRASE:
file: ../secrets/backup/PASSPHRASE
services:
backup:
container_name: backup
image: Tecnativa/docker-duplicity:latest
restart: unless-stopped
depends_on: [secrets]
secrets: [B2_APPLICATION_KEY, B2_APPLICATION_KEY_ID, BUCKET_NAME, PASSPHRASE]
environment:
DESTINATION: b2://${B2_APPLICATION_KEY_ID}:${B2_APPLICATION_KEY}@${BUCKET_NAME}
secrets:
volumes:
- ../secrets/backup:/secrets/backup
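Review bot: `DESTINATION: b2://${B2_APPLICATION_KEY_ID}:${B2_APPLICATION_KEY}@${BUCKET_NAME}` is compose variable interpolation, which reads the host environment and `--env-file`, not the file-backed entries declared under `secrets:`; the four secrets on the `secrets: [...]` line are only mounted under `/run/secrets/` and never feed `${...}`. So either the destination renders with empty credentials, or the key has to be put into env.production, which then places the B2 key in the container environment and in `inspect` output, exactly what moving to file secrets was meant to avoid. The safer shape is to have the container assemble the destination from `/run/secrets/B2_APPLICATION_KEY_ID`, `/run/secrets/B2_APPLICATION_KEY` and `/run/secrets/BUCKET_NAME` at start (whether the image supports a `*_FILE`-style variable or needs a small entrypoint is not visible here). Separately, `image: Tecnativa/docker-duplicity:latest` has an uppercase repository component, which Docker and Podman reject as an invalid reference, and the `:latest` tag should be pinned like the other images in this commit.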

@ -17,5 +17,9 @@ services:
environment: environment:
- DOMAIN - DOMAIN
backup:
volumes:
- ../data/caddy:/mnt/backup/src/caddy:ro
volumes: volumes:
caddy_config: caddy_config:

@ -1,11 +0,0 @@
#!/usr/bin/env sh
set -o errexit
set -o nounset
set -o pipefail
cd ${1:-../secrets/authelia}
for secret in JWT_SECRET SESSION_SECRET STORAGE_PASSWORD STORAGE_ENCRYPTION_KEY; do
test -s $secret && continue
authelia crypto rand --length 64 --charset alphanumeric | cut -d':' -f2 | tr -d ' ' > $secret
done

@ -16,9 +16,9 @@ we have a backup script that uses duplicity, this should be moved into a contain
caddy is the web server, and handles https certificates, and proxying to all the services. caddy is the web server, and handles https certificates, and proxying to all the services.
#### [Zitadel](https://zitadel.com/docs) **WIP** #### [Authelia](https://www.authelia.com/overview/prologue/introduction/) **WIP**
zitadel lets you have a single username and password to sign on to all your services. authelia lets you have a single username and password to sign on to all your services.
### Optional Services ### Optional Services
@ -31,9 +31,9 @@ without having to sync anything.
There are three things to think about when adding a service: There are three things to think about when adding a service:
1. How to enable sign-in with zitadel? 1. How to enable sign-on?
Generally, zitadel has some cli commands that we have put in scripts in the zitadel folder. Look at https://www.authelia.com/integration/openid-connect/introduction/ for integration guides.
2. How to expose as a subdomain? 2. How to expose as a subdomain?
@ -53,4 +53,26 @@ Add a volume mount of your reverse proxy config to your compose file.
3. How will this be backed up and restored? 3. How will this be backed up and restored?
We backup all files in the data/ directory, but if your service interacts with a database like postgres, will need additional work. For plain files, add the appropriate volume mount like so:
# in the services: part of your compose file
backup:
volumes:
- ../data/some-service:/mnt/backup/src/some-service:ro
This will be backed up according to the plan in [the backup service](./backup.yaml)
For postgres databases, we are figuring out the best way
4. How do we manage secrets?
If your service requires secrets, you can use docker secrets, and have them generated on startup as follows:
# in the services: part of your compose file
some-service:
depends_on:
- generate-secrets
generate-secrets:
volumes:
- ../secrets/some-service/SECRET_TO_INITIALIZE_IF_EMPTY:/secrets/some-service/SECRET_TO_INITIALIZE_IF_EMPTY

@ -0,0 +1,9 @@
version: "3.8"
services:
generate-secrets:
image: alpine/openssl
restart: no
volumes:
- ./secrets/generate-secrets:/generate-secrets:ro
entrypoint: ["/generate-secrets"]
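Review bot: `restart: no` is parsed as the boolean `false` by YAML 1.1 loaders such as PyYAML, which podman-compose uses, so the policy should be written as a string: `restart: "no"`. The `/generate-secrets` script this entrypoint runs (`./secrets/generate-secrets` on the host) is not part of this commit, while the previous `services/authelia/generate-secrets.sh` is deleted here; if the new script is tracked elsewhere that is fine, otherwise the generator has nothing to execute, and either way a comment above `entrypoint:` stating that the script must create each mounted secret only when the file is empty would document the contract the service fragments rely on. `image: alpine/openssl` is unpinned, so a digest or tag would keep secret generation reproducible. Separately, the deleted services/zitadel.yaml carried a literal `--masterkey` value in its `command:`; removing the file does not remove it from history, so it should be treated as exposed and rotated if it was ever used.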

@ -15,12 +15,14 @@ services:
- ../data/web/site:/site - ../data/web/site:/site
- ../data/web/data:/data - ../data/web/data:/data
- caddy_config:/config - caddy_config:/config
environment:
- DOMAIN
caddy: caddy:
volumes: volumes:
- ./web/Proxyfile:/etc/caddy.d/web:ro - ./web/Proxyfile:/etc/caddy.d/web:ro
backup:
volumes:
- ../data/web:/mnt/backup/src/web:ro
volumes: volumes:
caddy_config: caddy_config:

@ -0,0 +1,3 @@
web.{$DOMAIN} {
reverse_proxy web:4431
}

@ -1,36 +0,0 @@
version: '3.8'
services:
zitadel:
restart: 'always'
networks:
- 'zitadel'
image: 'ghcr.io/zitadel/zitadel:latest'
command: 'start-from-init --masterkey "6cd52ccbc4da912319f0fdc016d68575dd391bd932ebdc045c89b2dce9e90315" --tlsMode disabled'
environment:
- 'ZITADEL_DATABASE_COCKROACH_HOST=crdb'
- 'ZITADEL_EXTERNALSECURE=false'
depends_on:
crdb:
condition: 'service_healthy'
ports:
- '8123:8080'
crdb:
restart: 'always'
networks:
- 'zitadel'
image: 'cockroachdb/cockroach:v22.2.2'
command: 'start-single-node --insecure'
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:8080/health?ready=1"]
interval: '10s'
timeout: '30s'
retries: 5
start_period: '20s'
ports:
- '9090:8080'
- '26257:26257'
networks:
zitadel: