settle on volume mounts for secrets generation and file backups

2 years ago · e05a45afe7
parent 7853e29727
commit e05a45afe7
12 changed files with 100 additions and 67 deletions
--- a/base.yaml
+++ b/base.yaml
@ -0,0 +1,7 @@
+version: "3.8"
+
+include:
+  - services/secrets.yaml
+  - services/caddy.yaml
+  - services/backup.yaml
+  - services/authelia.yaml
--- a/readme.md
+++ b/readme.md
@ -9,8 +9,7 @@ Hosted on https://git.woodbine.nyc/micro/woodbine.nyc
 To enable additional services, add their compose file to the following command

    podman compose --env-file env.production \
-      --file services/caddy.yaml \
-      --file services/authelia.yaml \
+      --file base.yaml \
      --file services/web.yaml \
      up --build

@ -27,11 +26,10 @@ One simple way is to allow unprivileged users access to these low ports

 - [x] caddy for homepage
 - [x] webdav for personal home pages
- [?] authelia sso
+- [?] ~~zitadel~~ authelia single sign-on
 - [x] mount caddy files from service compose files
 - [ ] backup using duplicity uploaded to backblaze b2
 - [ ] restore using duplicity downloaded from backblaze b2
- [ ] ~~zitadel sso~~
 - [ ] wiki
 - [ ] dendrite matrix server
 - [ ] gitea
--- a/services/authelia.yaml
+++ b/services/authelia.yaml
@ -1,4 +1,5 @@
 version: "3.8"
+
 secrets:
  JWT_SECRET:
    file: ../secrets/authelia/JWT_SECRET
@ -17,11 +18,11 @@ services:
    depends_on:
      - postgres
      - authelia_setup
+      - secrets
    restart: unless-stopped
    expose:
      - 9091
    secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY]
-    #user: 8000:9000
    environment:
      PUID: 1000
      PGID: 1000
@ -45,18 +46,24 @@ services:
    volumes:
      - postgres-data:/var/lib/postgresql/data

-  authelia_setup:
-      image: docker.io/authelia/authelia:4.37
-      volumes:
-        - ../secrets/authelia:/secrets
-        - ./authelia/generate-secrets.sh:/generate-secrets.sh
-      restart: no
-      entrypoint: [ "/generate-secrets.sh", "/secrets" ]
-
+  # setup a reverse proxy for caddy
  caddy:
    volumes:
      - ./authelia/Proxyfile:/etc/caddy.d/authelia:ro

+  # backup the authelia config
+  backup:
+    volumes:
+      - ../data/authelia/config:/mnt/backup/src/authelia/config:ro
+
+  # generate all these secrets if they are empty on start
+  secrets:
+    volumes:
+      - ../secrets/authelia/JWT_SECRET:/secrets/authelia/JWT_SECRET
+      - ../secrets/authelia/SESSION_SECRET:/secrets/authelia/SESSION_SECRET
+      - ../secrets/authelia/STORAGE_PASSWORD:/secrets/authelia/STORAGE_PASSWORD
+      - ../secrets/authelia/STORAGE_ENCRYPTION_KEY:/secrets/authelia/STORAGE_ENCRYPTION_KEY
+
 volumes:
  postgres-data:
  authelia-config:
--- a/services/authelia/Proxyfile
+++ b/services/authelia/Proxyfile
@ -0,0 +1,3 @@
+login.{$DOMAIN} {
+	reverse_proxy authelia:9091
+}
--- a/services/backup.yaml
+++ b/services/backup.yaml
@ -0,0 +1,25 @@
+version: "3.8"
+
+secrets:
+  B2_APPLICATION_KEY:
+    file: ../secrets/backup/B2_APPLICATION_KEY
+  B2_APPLICATION_KEY_ID:
+    file: ../secrets/backup/B2_APPLICATION_KEY_ID
+  BUCKET_NAME:
+    file: ../secrets/backup/BUCKET_NAME
+  PASSPHRASE:
+    file: ../secrets/backup/PASSPHRASE
+
+services:
+  backup:
+    container_name: backup
+    image: Tecnativa/docker-duplicity:latest
+    restart: unless-stopped
+    depends_on: [secrets]
+    secrets: [B2_APPLICATION_KEY, B2_APPLICATION_KEY_ID, BUCKET_NAME, PASSPHRASE]
+    environment:
+      DESTINATION: b2://${B2_APPLICATION_KEY_ID}:${B2_APPLICATION_KEY}@${BUCKET_NAME}
+
+  secrets:
+    volumes:
+      - ../secrets/backup:/secrets/backup
--- a/services/caddy.yaml
+++ b/services/caddy.yaml
@ -17,5 +17,9 @@ services:
    environment:
      - DOMAIN

+  backup:
+    volumes:
+      - ../data/caddy:/mnt/backup/src/caddy:ro
+
 volumes:
  caddy_config:
--- a/services/generate-secrets
+++ b/services/generate-secrets
@ -1,11 +0,0 @@
-#!/usr/bin/env sh
-set -o errexit
-set -o nounset
-set -o pipefail
-
-cd ${1:-../secrets/authelia}
-
-for secret in JWT_SECRET SESSION_SECRET STORAGE_PASSWORD STORAGE_ENCRYPTION_KEY; do
-  test -s $secret && continue 
-  authelia crypto rand --length 64 --charset alphanumeric | cut -d':' -f2 | tr -d ' ' > $secret
-done
--- a/services/readme.md
+++ b/services/readme.md
@ -16,9 +16,9 @@ we have a backup script that uses duplicity, this should be moved into a contain

 caddy is the web server, and handles https certificates, and proxying to all the services.

-#### [Zitadel](https://zitadel.com/docs) **WIP**
+#### [Authelia](https://www.authelia.com/overview/prologue/introduction/) **WIP**

-zitadel lets you have a single username and password to sign on to all your services.
+authelia lets you have a single username and password to sign on to all your services.

 ### Optional Services

@ -31,9 +31,9 @@ without having to sync anything.

 There are three things to think about when adding a service:

-1. How to enable sign-in with zitadel?
+1. How to enable sign-on?

-Generally, zitadel has some cli commands that we have put in scripts in the zitadel folder.
+Look at https://www.authelia.com/integration/openid-connect/introduction/ for integration guides.

 2. How to expose as a subdomain?

@ -53,4 +53,26 @@ Add a volume mount of your reverse proxy config to your compose file.

 3. How will this be backed up and restored?

-We backup all files in the data/ directory, but if your service interacts with a database like postgres, will need additional work.
+For plain files, add the appropriate volume mount like so:
+
+    # in the services: part of your compose file
+    backup:
+      volumes:
+        - ../data/some-service:/mnt/backup/src/some-service:ro
+
+This will be backed up according to the plan in [the backup service](./backup.yaml)
+
+For postgres databases, we are figuring out the best way
+
+4. How do we manage secrets?
+
+If your service requires secrets, you can use docker secrets, and have them generated on startup as follows:
+
+    # in the services: part of your compose file
+    some-service:
+      depends_on:
+        - generate-secrets
+        
+    generate-secrets:
+      volumes:
+        - ../secrets/some-service/SECRET_TO_INITIALIZE_IF_EMPTY:/secrets/some-service/SECRET_TO_INITIALIZE_IF_EMPTY
--- a/services/secrets.yaml
+++ b/services/secrets.yaml
@ -0,0 +1,9 @@
+version: "3.8"
+
+services:
+  generate-secrets:
+    image: alpine/openssl
+    restart: no
+    volumes:
+      - ./secrets/generate-secrets:/generate-secrets:ro
+    entrypoint: ["/generate-secrets"]
--- a/services/web.yaml
+++ b/services/web.yaml
@ -15,12 +15,14 @@ services:
      - ../data/web/site:/site
      - ../data/web/data:/data
      - caddy_config:/config
-    environment:
-      - DOMAIN

  caddy:
    volumes:
      - ./web/Proxyfile:/etc/caddy.d/web:ro

+  backup:
+    volumes:
+      - ../data/web:/mnt/backup/src/web:ro
+
 volumes:
  caddy_config:
--- a/services/web/Proxyfile
+++ b/services/web/Proxyfile
@ -0,0 +1,3 @@
+web.{$DOMAIN} {
+	reverse_proxy web:4431
+}
--- a/services/zitadel.yaml
+++ b/services/zitadel.yaml
@ -1,36 +0,0 @@
-version: '3.8'
-
-services:
-  zitadel:
-    restart: 'always'
-    networks:
-      - 'zitadel'
-    image: 'ghcr.io/zitadel/zitadel:latest'
-    command: 'start-from-init --masterkey "6cd52ccbc4da912319f0fdc016d68575dd391bd932ebdc045c89b2dce9e90315" --tlsMode disabled'
-    environment:
-      - 'ZITADEL_DATABASE_COCKROACH_HOST=crdb'
-      - 'ZITADEL_EXTERNALSECURE=false'
-    depends_on:
-      crdb:
-        condition: 'service_healthy'
-    ports:
-      - '8123:8080'
-
-  crdb:
-    restart: 'always'
-    networks:
-      - 'zitadel'
-    image: 'cockroachdb/cockroach:v22.2.2'
-    command: 'start-single-node --insecure'
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8080/health?ready=1"]
-      interval: '10s'
-      timeout: '30s'
-      retries: 5
-      start_period: '20s'
-    ports:
-      - '9090:8080'
-      - '26257:26257'
-
-networks:
-  zitadel: