main
Alpha Chen 1 year ago
parent 073ead5852
commit 0bdd9c40b2
Signed by: alpha
SSH Key Fingerprint: SHA256:3fOT8fiYQG/aK9ntivV3Bqtg8AYQ7q4nV6ZgihOA20g

@ -0,0 +1,48 @@
- name: Set up Authelia
hosts: lotus-land-story
vars_files:
- vars.yml
tasks:
- name: Create directories for volume mounting
ansible.builtin.file:
path: /mnt/lotus-land-story/authelia/{{ item }}
state: directory
mode: "0700"
loop:
- config
- secrets
- name: Copy configuration
ansible.builtin.template:
src: templates/authelia_{{ item }}.yml
dest: /mnt/lotus-land-story/authelia/config/{{ item }}.yml
mode: "0644"
loop:
- configuration
- users_database
- name: Get docker network
community.docker.docker_network:
name: lotus_land_story
register: docker_network
- name: Run Authelia
community.docker.docker_container:
restart: true
name: authelia
image: docker.io/authelia/authelia:4.37.5
env:
AUTHENTICATION_GUARD: remote_user_guard
volumes:
- /mnt/lotus-land-story/authelia/config:/config
- /mnt/lotus-land-story/authelia/secrets:/secrets
restart_policy: unless-stopped
networks:
- name: lotus_land_story
handlers:
- name: Import restarts
ansible.builtin.import_tasks: restarts.yml
# vim: ft=yaml.ansible

@ -13,11 +13,20 @@
- caddy - caddy
- caddy/data - caddy/data
- name: Get docker network for trusted proxies
community.docker.docker_network:
name: lotus_land_story
register: docker_network
# TODO Reload Caddy when this changes:
# docker exec -w /etc/caddy $caddy_container_id caddy reload
- name: Set up Caddyfile - name: Set up Caddyfile
ansible.builtin.template: ansible.builtin.template:
src: templates/Caddyfile src: templates/Caddyfile
dest: /mnt/lotus-land-story/caddy/Caddyfile dest: /mnt/lotus-land-story/caddy/Caddyfile
mode: "0644" mode: "0644"
vars:
trusted_proxies: "{{ docker_network.network.IPAM.Config[0].Subnet }}"
- name: Create Caddy volume - name: Create Caddy volume
community.docker.docker_volume: community.docker.docker_volume:

@ -22,6 +22,22 @@
[server] [server]
domain = grafana.{{ domain }} domain = grafana.{{ domain }}
http_addr = 0.0.0.0 http_addr = 0.0.0.0
root_url = https://grafana.{{ domain }}
[auth.generic_oauth]
enabled = true
name = Authelia
icon = signin
client_id = grafana
client_secret = {{ grafana.oauth_secret }}
scopes = openid profile email groups
empty_scopes = false
auth_url = https://auth.{{ domain }}/api/oidc/authorization
token_url = https://auth.{{ domain }}/api/oidc/token
api_url = https://auth.{{ domain }}/api/oidc/userinfo
login_attribute_path = preferred_username
groups_attribute_path = groups
name_attribute_path = name
use_pkce = true
mode: "0644" mode: "0644"
- name: Provision Prometheus - name: Provision Prometheus

@ -0,0 +1,32 @@
- name: Set up hledger
hosts: lotus-land-story
vars_files:
- vars.yml
tasks:
- name: Create directory for volume mounting
ansible.builtin.file:
path: /mnt/lotus-land-story/hledger
state: directory
mode: "0755"
- name: Run hledger
community.docker.docker_container:
restart: true
name: hledger
image: dastapov/hledger:1.31
env:
HLEDGER_JOURNAL_FILE: /data/all.journal
HLEDGER_BASE_URL: https://{{ hledger.subdomain }}.{{ domain }}
HLEDGER_ARGS: --capabilities=view,add,manage
volumes:
- /mnt/lotus-land-story/hledger:/data
restart_policy: unless-stopped
networks:
- name: lotus_land_story
handlers:
- name: Import restarts
ansible.builtin.import_tasks: restarts.yml
# vim: ft=yaml.ansible

@ -1,3 +1,8 @@
# https://www.authelia.com/integration/proxies/caddy/#forwarded-header-trust#trusted-proxies
(trusted_proxy_list) {
trusted_proxies {{ trusted_proxies }}
}
:2019 { :2019 {
metrics metrics
} }
@ -27,5 +32,35 @@ woodpecker.{{ domain }} {
} }
{{ firefly_iii.subdomain }}.{{ domain }} { {{ firefly_iii.subdomain }}.{{ domain }} {
reverse_proxy firefly-iii:8080 forward_auth authelia:9091 {
uri /api/verify?rd=https://auth.{{ domain }}
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
## This import needs to be included if you're relying on a trusted proxies configuration.
import trusted_proxy_list
}
reverse_proxy firefly-iii:8080 {
import trusted_proxy_list
}
}
auth.{{ domain }} {
reverse_proxy authelia:9091 {
import trusted_proxy_list
}
}
{{ hledger.subdomain }}.{{ domain }} {
forward_auth authelia:9091 {
uri /api/verify?rd=https://auth.{{ domain }}
# copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
## This import needs to be included if you're relying on a trusted proxies configuration.
import trusted_proxy_list
}
reverse_proxy hledger:5000 {
import trusted_proxy_list
}
} }

@ -0,0 +1,66 @@
theme: auto
jwt_secret: {{ authelia.jwt_secret }}
default_redirection_url: https://auth.{{ domain }}/
log:
level: debug
format: json
telemetry:
metrics:
enabled: true
authentication_backend:
file:
path: /config/users_database.yml
access_control:
default_policy: deny
rules:
- domain: "*.{{ domain }}"
policy: two_factor
session:
secret: {{ authelia.session_secret }}
domain: {{ domain }}
storage:
encryption_key: {{ authelia.storage_encryption_key }}
local:
path: /config/db.sqlite3
notifier:
smtp:
username: apikey
password: {{ authelia.smtp_password }}
host: smtp.sendgrid.net
port: 25
sender: authelia@kejadlen.dev
identity_providers:
oidc:
issuer_private_key: |
{{ authelia.oidc_private_key | indent(6) }}
clients:
- id: grafana
description: Grafana
secret: $argon2id$v=19$m=65536,t=3,p=4$bHcAAorVdHuZzuz53WfAQA$x+pIDTo6SsGyY9JD4OZ7dT6pkEcPf8Yh6Yb7DXco8aQ
public: false
authorization_policy: two_factor
redirect_uris:
- https://grafana.{{ domain }}/login/generic_oauth
scopes:
- openid
- profile
- groups
- email
userinfo_signing_algorithm: none
- id: tailscale
description: Tailscale
secret: $argon2id$v=19$m=65536,t=3,p=4$RivlSdV1WE/NLfd3Pzrubw$ljSvHj9sb0byolv7fk5G3nL415nS7Ze2RMASwPgfBX0
redirect_uris:
- https://login.tailscale.com/a/oauth_response
scopes:
- openid
- email
- profile

@ -0,0 +1,8 @@
users:
alpha:
disabled: false
displayname: "Alpha"
password: "$argon2id$v=19$m=65536,t=3,p=4$JHtyy/vVD+37neJUjy5Shw$6GODmDOXW/v7cfhqwuEp30bVSCWLT5R3OEe/Gi5FGX0" # yamllint disable-line rule:line-length
email: alpha@kejadlen.dev
groups:
- admins

@ -42,6 +42,10 @@ scrape_configs:
static_configs: static_configs:
- targets: ['woodpecker-server:8000'] - targets: ['woodpecker-server:8000']
- job_name: authelia
static_configs:
- targets: ['authelia:9959']
# - job_name: linode # - job_name: linode
# linode_sd_configs: # linode_sd_configs:
# - authorization: # - authorization:

Loading…
Cancel
Save