From f49b26c6f0b016396051e44c7577ac9d91f24a37 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Sun, 18 Sep 2022 18:49:17 +0100
Subject: [PATCH] Deploy authentik

Not integrated into other services quite yet. But it's there
---
 ansible/main.yml | 1 +
 .../roles/authentik/files/docker-compose.yml | 58 +++++++++++++++++++
 ansible/roles/authentik/handlers/main.yml | 4 ++
 ansible/roles/authentik/tasks/main.yml | 20 +++++++
 ansible/roles/authentik/vars/main.yml | 1 +
 ansible/roles/authentik/vars/vault.yml | 9 +++
 terraform/jakehoward.tech.tf | 8 +++
 7 files changed, 101 insertions(+)
 create mode 100644 ansible/roles/authentik/files/docker-compose.yml
 create mode 100644 ansible/roles/authentik/handlers/main.yml
 create mode 100644 ansible/roles/authentik/tasks/main.yml
 create mode 100644 ansible/roles/authentik/vars/main.yml
 create mode 100644 ansible/roles/authentik/vars/vault.yml

diff --git a/ansible/main.yml b/ansible/main.yml
index 3e674fa..5d8a7d9 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -67,6 +67,7 @@
 - privatebin
 - vaultwarden
 - tandoor
+ - authentik
 - hosts: ingress
 roles:
diff --git a/ansible/roles/authentik/files/docker-compose.yml b/ansible/roles/authentik/files/docker-compose.yml
new file mode 100644
index 0000000..98c776d
--- /dev/null
+++ b/ansible/roles/authentik/files/docker-compose.yml
@@ -0,0 +1,58 @@
+version: "2.3"
+
+x-authentik: &authentik
+ image: ghcr.io/goauthentik/server:2022.8.2
+ restart: unless-stopped
+ environment:
+ - TIMEZONE={{ timezone }}
+ - AUTHENTIK_REDIS__HOST=redis
+ - AUTHENTIK_POSTGRESQL__HOST=db
+ - AUTHENTIK_POSTGRESQL__USER=authentik
+ - AUTHENTIK_POSTGRESQL__NAME=authentik
+ - AUTHENTIK_POSTGRESQL__PASSWORD=authentik
+ - AUTHENTIK_SECRET_KEY="{{ authentik_secret_key }}"
+ volumes:
+ - "{{ app_data_dir }}/authentik/media:/media"
+ - "{{ app_data_dir }}/authentik/custom-templates:/templates"
+ - "{{ app_data_dir }}/authentik/certs:/certs"
+ depends_on:
+ - db
+ - redis
+
+services:
+ authentik:
+ <<: *authentik
+ command: server
+ networks:
+ - default
+ - traefik
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.authentik.rule=Host(`auth.jakehoward.tech`)
+ - traefik.http.services.authentik-authentik.loadbalancer.server.port=9000
+ - traefik.http.middlewares.authentik-ratelimit.ratelimit.average=5
+ - traefik.http.middlewares.authentik-ratelimit.ratelimit.burst=1000
+ - traefik.http.routers.authentik.middlewares=authentik-ratelimit
+
+ worker:
+ <<: *authentik
+ command: worker
+
+ db:
+ image: postgres:14-alpine
+ restart: unless-stopped
+ volumes:
+ - /mnt/tank/dbs/postgres/authentik/:/var/lib/postgresql/data
+ environment:
+ - POSTGRES_PASSWORD=authentik
+ - POSTGRES_USER=authentik
+
+ redis:
+ image: redis:6-alpine
+ restart: unless-stopped
+ volumes:
+ - /mnt/tank/dbs/redis/authentik:/data
+
+networks:
+ traefik:
+ external: true
diff --git a/ansible/roles/authentik/handlers/main.yml b/ansible/roles/authentik/handlers/main.yml
new file mode 100644
index 0000000..3aa4d8d
--- /dev/null
+++ b/ansible/roles/authentik/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart authentik
+ shell:
+ chdir: /opt/authentik
+ cmd: "{{ docker_update_command }}"
diff --git a/ansible/roles/authentik/tasks/main.yml b/ansible/roles/authentik/tasks/main.yml
new file mode 100644
index 0000000..56122e2
--- /dev/null
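Review bot: The Postgres credentials are the hard-coded literal `authentik` in both the `db` service (`POSTGRES_PASSWORD=authentik`) and the `AUTHENTIK_POSTGRESQL__PASSWORD` entry of the `x-authentik` anchor, while the same hunk already routes `AUTHENTIK_SECRET_KEY` through a vaulted variable; a vaulted `authentik_postgres_password` substituted in both places would bring the database credential to the same standard (the `db` service sits only on the compose default network, which limits but does not remove the exposure). The secret-key entry also places the double quotes inside a plain YAML scalar, so the container most likely receives the quotes as part of the value, and a rendered key containing ` #` or `: ` would alter how compose parses the line; quoting the whole entry, `- "AUTHENTIK_SECRET_KEY={{ authentik_secret_key }}"`, avoids both. The `authentik-ratelimit` middleware combines `average=5` with `burst=1000`, which lets roughly a thousand requests through before the per-second average applies, so it offers little protection for the login flow; a burst closer to the average is worth considering if throttling logins is the intent.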
+++ b/ansible/roles/authentik/tasks/main.yml
@@ -0,0 +1,20 @@
+- name: Include vault
+ include_vars: vault.yml
+
+- name: Create install directory
+ file:
+ path: /opt/authentik
+ state: directory
+ owner: "{{ docker_user.name }}"
+ mode: "{{ docker_compose_directory_mask }}"
+ become: true
+
+- name: Install compose file
+ template:
+ src: files/docker-compose.yml
+ dest: /opt/authentik/docker-compose.yml
+ mode: "{{ docker_compose_file_mask }}"
+ owner: "{{ docker_user.name }}"
+ validate: docker-compose -f %s config
+ notify: restart authentik
+ become: true
diff --git a/ansible/roles/authentik/vars/main.yml b/ansible/roles/authentik/vars/main.yml
new file mode 100644
index 0000000..70191a0
--- /dev/null
+++ b/ansible/roles/authentik/vars/main.yml
@@ -0,0 +1 @@
+authentik_secret_key: "{{ vault_authentik_secret_key }}"
diff --git a/ansible/roles/authentik/vars/vault.yml b/ansible/roles/authentik/vars/vault.yml
new file mode 100644
index 0000000..b150220
--- /dev/null
+++ b/ansible/roles/authentik/vars/vault.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+36393735346231366132626665313535323561383032343832363437313735646262356436336432
+3264356265333862373135653934633066656339373338650a326231363935623237303238616432
+64353361626637623934393032346338356266393332643038353936633832646333373065393733
+3133383063616163340a363663616564646265336535313265313731613939366364623164333138
+35616330393565643863393863306266386239393063373937303362393531373861626163643831
+30333035356230353139326263626265343631323532663664646565303530626164626464373162
+61373166373333363738363830356335653362383335303134323966363935366333383436386636
+62353535393366393638
diff --git a/terraform/jakehoward.tech.tf b/terraform/jakehoward.tech.tf
index 0c5e91b..4b13713 100644
--- a/terraform/jakehoward.tech.tf
+++ b/terraform/jakehoward.tech.tf
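Review bot: Neither the `Include vault` task nor the `Install compose file` task sets `no_log`, so the decrypted `vault_authentik_secret_key` can surface in run output: `include_vars` returns the loaded variables in its task result, which verbose runs print, and `template` shows the rendered file, secret key included, when the playbook is run with `--diff`. Adding `no_log: true` to both tasks (or at minimum to the include) keeps the vault contents out of logs, at the cost of hiding those tasks' normal output. The `validate: docker-compose -f %s config` step may likewise echo the resolved compose file into the failure message when validation fails, which is the same consideration. The file and directory modes come from `docker_compose_file_mask` and `docker_compose_directory_mask`, defined outside this hunk, so whether the compose file carrying the key is readable beyond `docker_user` cannot be confirmed from here.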
@@ -147,3 +147,11 @@ resource "cloudflare_record" "jakehowardtech_tandoor" {
 type = "A"
 ttl = 1
 }
+
+resource "cloudflare_record" "jakehowardtech_auth" {
+ zone_id = cloudflare_zone.jakehowardtech.id
+ name = "auth"
+ value = linode_instance.casey.ip_address
+ type = "A"
+ ttl = 1
+}