CaZzzer/alpina
1
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: CaZzzer:531febffe2b81c7f5c677c22c991e0b1505c73a1
Branches Tags
CaZzzer:master CaZzzer:feature/bws CaZzzer:feature/obsidian-livesync CaZzzer:feature/auth CaZzzer:feature/monitoring-1 CaZzzer:feature/monitoring CaZzzer:feature/db CaZzzer:feature/docker-volumes-zfs CaZzzer:feature/zfs-backups
..
compare: CaZzzer:feature/auth
Branches Tags
CaZzzer:master CaZzzer:feature/bws CaZzzer:feature/obsidian-livesync CaZzzer:feature/auth CaZzzer:feature/monitoring-1 CaZzzer:feature/monitoring CaZzzer:feature/db CaZzzer:feature/docker-volumes-zfs CaZzzer:feature/zfs-backups

8 Commits
531febffe2 ... feature/au

Author SHA1 Message Date
Yuri Tatishchev
dbdd2cfe11 authentik, minio: initial integration with blueprints for admin policy 2024-12-21 00:42:22 -08:00
Yuri Tatishchev
1be4868f09 authentik: refactor oauth apps blueprints with group policies 2024-12-20 21:51:20 -08:00
Yuri Tatishchev
ee24d69906 authentik: refactor groups and proxied apps blueprints 2024-12-20 21:37:19 -08:00
Yuri Tatishchev
f0a10cc1d2 authentik: refactor oauth2 app blueprints 2024-12-20 19:57:59 -08:00
Yuri Tatishchev
263f7eea17 updates: nextcloud 2024-12-20 15:25:42 -08:00
Yuri Tatishchev
3006e3e424 monitoring: container, node dashboard improvements; separate common.py logic 2024-10-30 18:24:34 -07:00
Yuri Tatishchev
0e43a68754 monitoring: add grafanalib, containers dashboard 2024-10-30 18:24:28 -07:00
Yuri Tatishchev
fc6e485a61 refactor: separate templating for j2 and normal files 2024-10-30 18:11:26 -07:00
13 changed files with 243 additions and 307 deletions
Expand all files Collapse all files

21
.idea/jsonSchemas.xml generated
View File

@@ -31,7 +31,7 @@
<list> <list>
<Item> <Item>
<option name="directory" value="true" /> <option name="directory" value="true" />
<option name="path" value="roles/alpina/collections/services/authentik/templates/blueprints" /> <option name="path" value="roles/alpina/templates/services/authentik/blueprints" />
<option name="mappingKind" value="Directory" /> <option name="mappingKind" value="Directory" />
</Item> </Item>
</list> </list>
@@ -140,25 +140,6 @@
</SchemaInfo> </SchemaInfo>
</value> </value>
</entry> </entry>
<entry key="prometheus.rules.json">
<value>
<SchemaInfo>
<option name="name" value="prometheus.rules.json" />
<option name="relativePathToSchema" value="https://json.schemastore.org/prometheus.rules.json" />
<option name="applicationDefined" value="true" />
<option name="patterns">
<list>
<Item>
<option name="path" value="roles/alpina/templates/services/monitoring/prometheus_config/container-alerts.yml" />
</Item>
<Item>
<option name="path" value="roles/alpina/templates/services/monitoring/prometheus_config/container.alerts.yml" />
</Item>
</list>
</option>
</SchemaInfo>
</value>
</entry>
</map> </map>
</state> </state>
</component> </component>

5
group_vars/alpina/vars.yml
View File

@@ -14,6 +14,9 @@ authentik_secret_key: "{{ vault_authentik_secret_key }}"
authentik_sendgrid_api_key: "{{ vault_authentik_sendgrid_api_key }}" authentik_sendgrid_api_key: "{{ vault_authentik_sendgrid_api_key }}"
auth_grafana_client_secret: "{{ vault_auth_grafana_client_secret }}" auth_grafana_client_secret: "{{ vault_auth_grafana_client_secret }}"
auth_gitea_client_secret: "{{ vault_auth_gitea_client_secret }}"
auth_nextcloud_client_secret: "{{ vault_auth_nextcloud_client_secret }}"
auth_minio_client_secret: "{{ vault_auth_minio_client_secret }}"
arrstack_password: "{{ vault_arrstack_password }}" arrstack_password: "{{ vault_arrstack_password }}"
# Minio # Minio
@@ -24,8 +27,6 @@ minio_password: "{{ vault_minio_password }}"
influxdb_admin_password: "{{ vault_influxdb_admin_password }}" influxdb_admin_password: "{{ vault_influxdb_admin_password }}"
influxdb_admin_token: "{{ vault_influxdb_admin_token }}" influxdb_admin_token: "{{ vault_influxdb_admin_token }}"
alertmanager_discord_webhook: "{{ vault_alertmanager_discord_webhook }}"
# Traefik # Traefik
acme_email: "{{ vault_acme_email }}" acme_email: "{{ vault_acme_email }}"
cloudflare_api_token: "{{ vault_cloudflare_api_token }}" cloudflare_api_token: "{{ vault_cloudflare_api_token }}"

207
group_vars/alpina/vault.yml
View File

@@ -1,96 +1,113 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
32653863663065353431636364373163613536643238613961666561653663633530646165643766 62376365353162306161343336623464386634383663663165393632366666633530373636633032
3833323937353331313136633965393061616135366534660a333037383066303431623830313464 6536633438613664316163613236663334663635363665630a666135396430306536646534616535
65346431633238666534373033663138353438313762326361666233353866663534363536643034 65383432356339643063373232393861333366393038666134346363646130626130633861646536
3636323439316261630a623262336331663431633266336235653034323234383566323963623365 3134613738333465300a363031626561376533343730353361646462306434663564336538666565
32626363626164373536663464643632393761346137623866633237643038306265636362626561 38643166326439356138653163323030626539393265613833303661313036336562373938323663
61313634353634373530383061393364613461303132326335316566326436633635633131643433 39336533383636626464343461653836313734393430306238336561323038306238646236393835
31376539396639326464333233643933373737313064363262323639363964643862633035396161 62643638636137646162616239636561666432376561393338336663366438346530346666396662
35643037636535623966626131393538643432396536643365383736636262356135373434376433 63626432326263383561633532613039643862303135643262383636666161663539643465616566
32316361343330303431376234323632323932376635343964383733633761326639393966383039 66303364333133393932643666656263613063373162373265353433616337636337363363353938
35646131343034663962363335373661323065663764396631343461383661663738386163323633 31613638633462383031356433393765353439373434356366336234316361393862343763643333
36303464646532633235663662666663343238633465663334326463383133643239666634653739 61623233633664396564376462336131353061303831316466306632663261666161323137333633
35396130393961303230396236303766336666643930626161333338326137663235323066663032 39623938633861356136636532373139356339636334373137303034646431363438613936636438
33376564373563323635356233616264313663373534333636643236393866613062656338353864 38363463386664643439313564313364613962346631343663633837326532613933336462636265
66386132663362363832366661646462316139353132626662663934336530386534376538633235 32616161663065316661313335373234353161653732303965613731633665646532386139383732
62653131653835323261373435373631396466353738306362616266616532313435323633613933 32363834636532363262646433616563363232643864653365643736353434346130383963393564
61646132346536323632643865326234356535346566346532383162393265613931343962303463 34333861326633393763653639663666333061613161393864323165303638353962333531333661
31636334343736666434353835633734396465653862613234386431306463326134613931646232 36316534303365626562643366393836356337303533313237613534313565643832373438373530
32353535663133623434643866336165616232613662336533383432633338373763643337616637 32393065653538393762333232636235316439653935663437616236326162313464323037336630
38323237646461376433316164646366383438316639633162303739383263656265633364303565 39323262333530363230353334356461343866346438626533633339386162336337623137393366
36643339356136653332666230633939636264306431636562323864373037623138363739616561 32373361393231343134626237323062663634323939613461633866353561636334613234336532
37613364653737353638646564323439646138646536636564303866636233616264383466656439 61306235363037306466656463653836396434313830333031366630373364343637376662346663
33646232653061616437656162353036313834616162313936353533393833313432656534343363 65663132346239343937636261643238623364633062356163323364363466666661346364356239
35636638326236646163323463356634326534623165306461316530353936646162323435633862 32653266303837663237333136316464626161626136336333363964636461616138323962313166
64396464303363323837316162353734626663643962303534336637336632333463393734383532 64643930333964303639393439666432366435386464326561323165353333623765653132383636
66616534666466393333386337363238383432643764373864613461363766333932333862363332 34326633663331376563613766383734613762653834356561616461303361373662653337623863
61313364613031376334326635636432346532613462613265643462636436663963323862353733 37633135393861366137613137633265306137326536363632373962353233373735663065653534
38396261613332396633666130653262313234633132353264363266336231373535306532383661 37333038363330633931353233623236313332336234393333616238353137656363643230633966
65323530653531646339626537653433303332656535346639393466353133363833326236656231 32636336663762636130343933373834386465396536316439386465623130396266393438396262
33336265373463396135653730616266346331376461346433343464326238323034653330393732 63636561623533366166393831383035373935643037326265636634646339336264383937366334
36643432316662333633333036633761653031393433333338663633386264656535623534653463 37373961663330326131343531356238363632663861376362643561643966636364653235303032
36363565303333356361616539376532353066336137336134656465383364636361656664356439 33363861396336666332356130353638373135376336373236383730373665623336373830643137
65326334643631663665376530646433323439653864623964323363396561313663636538356536 35613234343966383264643834353162353533373939346561363438376339656239323364353036
63626336303862333364363166353437353163656238303765636662636137383337623563666264 63623630643930363739326236653435613538393438326331383366666332383763356631356533
66326633343230386638616438393436633431343264343231386563613935626430306337343533 39393363366261393231386239363161313939396431323630323062393962313933633462303439
66656366333332326131343661356236396430303832303834653530623639353036663436373862 35623831356638333431313430343832616438343134613538343064323535613539663431643830
61336437386338343965653563646664643438353232306231316564616462643236646239333062 32623363343733623837366236393136393864353332316538306463346337363264613763326463
38643461346639623964626438396631396139383332666130316635656530653136333662353566 65366536326463303062663262636563306565323861666661376338633334383138626364333039
36313261646330373963663032316662383137366436636534383366636362366435393036373264 34333734656331346334316465333339333535333632383963663633383361383661643235383866
34646537666462363531343335336638343038333633663862666163306662643634326533316561 32326634643633366566306137383066653334323935363066316366313934373663383234316438
61613235366233636530663462353066646530386265623534663336376364323237343936646134 35346139633239323431386536656464666161656434316238356333323665333661623364653865
31616563653864383565306439613932396562613835613562326264326535636630646666366335 33636139333866356630323031323162323834303062363637313430313164326636383436383465
36653631353961353933386236636534393636356334633336313333383238353838336335646630 35333434613632353265633935343164613266383463633631323763633565353039306134656431
63633365666530623562323634303935326362643762616532303531303139333565643835396163 37616430633736326139366438613666346434646363313032366231616436616535393334613264
36353130656365326435343130613234336637346461313639653133623933376163393935366266 34646132303061383034363139613362626235383938393535626339353438626635396561346166
66653337353732363038663164363663623266356366663637343466393836353965343730666362 36666530613634336666653638353734323336366639626465346135323838343565383335313233
38663636336265383331666666616535366334616431306164303738306436333364653765356662 62356631666135666434363061666234396337323838303866343839383164643939323862616632
37316433323563323431623164386337343563663538333435616333343433396236356363333262 34646433333031653939313434613435623036346631643265643663613537323061343733326534
61396664326234343136666331356465333233663135613839616334623033316362336162613731 64626663306338623533333132613333386562306162343438653266356666663535623036616666
38646530326538643337323838326563303130643934623939346635343331356531373235663937 64613866663261386233343236353931353766323833623631373438353664393137613032366461
62396530383365666439373632613633633233376139616138323033613135383330333132643839 63623164353435336564613739353863383037326465363462376536663934626362393132313465
65363833616337656662653462323436303531653635663739633366616532333761323238353764 66353965643763656564366630353131313465656265613434363538343331313666613564313036
39373836303735393165393435323139346661346135636138613731373165386533386333393364 35396436633233623261323432666237303335333339393363636362376536343837346264383935
32336265386334386338653734353565343733393931373436336233333031356531313739636666 30346163353338336661646536643536623262343762303766393438343666623063326463346566
61376234393631343236643137616631373564376132623534333939346162353662306661393438 34663538656133353639333830316562376137643666323832363666623766366131303830626531
32326566373934653463653737383131386431363664333535626361646637613632383132623533 62313832316533663261353365343733636236643333396561333636303065653732646665386136
32343465366562363765353366333330633631353936613930376631336538306230626632303966 31386535663732386165623037373763333731343461393431306339393634346130646462646661
31343936386535663165663066663862656439306363326337313561396132316338363930323632 61646539613964666437623631643333333435353039633531313364366338316365396131346331
33313061623534373338623931663934396339633564353533626639373837323832366132343538 30363963633236653364643061316237326362653462656563656165346134656338383738613932
63373862663137306665383732303863343564343830636233613139666631626532373938386663 65333432393534643331396563643865656435373563613939616234636533383731336561623037
35646331646462356639383964373732393866653963643832633661323430323430613330633364 61373839343132376465343332343165316361383831333538313531333063633632643832633536
35343262366362646165383032333236623863656264353964623136643631326135623538306261 33313464643239323963346338386566313031306233336562616638353365666237346262666134
37393839343331653665356131343063316232303963636462653238333466636334616435666463 33646134393531346637376133393039326638316334626333363162313239393239663865323730
65636662383930353238623130363834616137643830633261646338363435343839633565303562 30343731363031303565643833313135643036666461366666376132663433343662333730373137
37623231396163346464303464333962336261353634396236613132306464643764356265656137 65636236313561613637343262653833666135653832363466613138363332393061653032333933
32373263613964396430646332666235303634373431643939623963633334326135626565656662 66376263663830333937336566333461333431393336333161623233353332396437396664316137
30646166303732643562653166633232666635343665616665653566316632303861613861313333 64363737323036366635613938346261383634353237346337613933303334623434623439616533
38393636663137333231613239353661656338333536656563616237343234623031363535666637 32353465336237396133643039613730646661643039363836333733353033343236373864626634
61343662663965663161666436366630366432363733663537613064386130326466343366383232 37666562653233336464633337353963363361646334373863653032353137363738613561613135
32363662343561666665323565356163383932336361656132373263363239636666613461366339 66356132393630613031316466663837633633383033633064326565303837633062336531373866
31323264393866386239353333386161643330343262366666323533303737373163313262313766 34666537303033323362363163353666383962333536303135363666653930326166323637636266
61303638366263346232353134333431613730386431623235323537323962666133613939353762 34306537343238353833313635306663643737653531313435383064383133366364646331306261
63326361633630323937353163383930626336663365626532613031623532393932316138353335 66363763353534643833316533383364353632343439393032313437633734323031383438633333
32363262393764663135393466616639373965313238323935383531633434633038663437646662 31616362343332373333626135396435366235313465346639326564353265643133313339376639
31633265373937316533373332316132363061386133356231623230393739326464333761336338 63333233653833653333373162633033623035633832333566653536343832373035636664643839
38626234646164616265633061346239363164376532383834356435346232653065326362343363 38393864666430313162366337653836333135333738653763653261343233663666373865383366
39613532356166633133626563643238373661323937353635343464666339323561326136623366 65343038646166343934376633613337306436336130626363396339313236653731653265383661
62633637656462376136633963653263346565366563646533373431613761616231653739613537 34633332343639333533316631643763363664666563353137383639616132313363383137383132
32343332356435393635363837396463613165626337346235303363613764306132343539333836 33343635386139366230363464363731383166393430396533613438366661353439353537346530
63386633626332396339383165303166653334663239313066666632356165643161356262346230 62366461653534333834386637363364346432333964306639376339313531383431323930333530
32636365636364663466343939663538386439343336303537636230306263643534653339313538 37383665373937303732643636383539393039663363623337663938303139663039366536323031
31373165363962373337636138336561336638633762373363646139366339323031313664306534 66613036326263316239646535656163626232626130336465303166336336316435343262373631
30623130663037323839666166323162393065643535663866383062356330633137343239316436 39613536336366366435326230653339356635636432303862306636613935306432323966313234
32303132393739653363376138633430313832383165663366626436653033663637616664346632 65623938316162393931343337326334666235666362313739343564633339653962313062393431
63633439663734393236343265323533633639316133323336373064633138363266316135363335 35373338306332326133333638636137386337343261386663333261333030343635336532373134
31336637666331333139306537333565333064666433653730633430336261656665613263663937 38626136383936393339613534386539663035316335656566656639613837313239626431386362
64313230656333373838346439623061393164393239393934306336373063303934663334353532 62643733326636323635373363333964643132323562633430626666616531656639383231336432
31313637623466313835313566616161376230343532653561343364383133653736646338303631 61653439376663613161396465343638623639653135363863336363343230636336346434326234
36356164303630303433356332343630616465383831623036383833393330663566616333653161 32343962666337646435653035333431333632363239616535333835393761353366386561356366
63393361643266323336393962663263323338633634633033393762656139393665353630633637 37356530333763346137653566643134376136656638386334343038376439643037623338643333
39386462303731396261613961613238616237373332656361303139633763303837653765623464 66626537633931333465383062303766333436346433636434653139333966613865656234346539
64333565666532653864383861333433353731343161613231383836353966353636373762306132 36376239393632653536306363313633636464343366373862343039306235303766623462633932
35333536373939656638356333383135313231306433656536383933623634653263353434393238 32313537306530343032663365626330363838396566356534343766383865653231613538323461
32323037666135316337633465666335376332326633346665643333656139386465353134356636 37303439393733376539613061663937633665663963613236323764653835656563346565636531
36333434303538326135346539313734393939353163316666366438613133333464623732666438 30363239376139343166346664306234363031623031663266643966636265666163353536346132
663934323030303937623038343662646163 65623638323065633361373330386334636332306634636336613365663133373835666135396230
38373939366534663336376135646237633232646261383964383735353533303862623064313333
33633533653537376138623635663465336131383838663237653933623634343761623731366335
64653233366335656365656336303862656663303138643531356661373831633062633734363661
39306633323337356366383863643034656135393432386638353761323337373631353436383664
34623631306663636439376464383831323566666266613536613661633266343732646264306162
36353030343538316330313831626232353165323038363034666161336338316536353832353966
35336365393563643733363535393763613865663436616130343066303638353431653039356661
34393936363764393032646133326432656230353232623339646165663932366130363734663762
34303433376666383639663661356334653939663739643139363237623031666632623239343562
30656438623236616637643132613666343133393436346635316638633664316363323832393862
39643831363633643562323664613666393033656132333964643639333230353763383330343835
64383530373332343838666536303363313033303931646232343037303863343835366139326135
34336330343365663837396134653566633536643832373433393035366531323035616462363639
66336133346139336264346636643735383136343336303133313031653230366166396239303335
64656535326465363563396532376538336434643964336264303061393139656139376635633730
62326664613766393435383464363538393937313236363630656337356264633134353464393835
32653133383732656235

2
roles/alpina/templates/apps/nextcloud/.env.j2
View File

@@ -1 +1 @@
NEXTCLOUD_VERSION=29-apache NEXTCLOUD_VERSION=30-apache

0
roles/alpina/templates/apps/nextcloud/.env.notify_push → roles/alpina/templates/apps/nextcloud/.env.notify_push.j2
View File

60
roles/alpina/templates/services/authentik/blueprints/apps-oauth2.yaml.j2
View File

@@ -5,46 +5,80 @@ metadata:
name: Alpina - OAuth2 Apps name: Alpina - OAuth2 Apps
entries: entries:
{% set apps = { {% set apps = {
"Grafana": {
"redirect_uri": "https://grafana."~ domain ~"/login/generic_oauth",
"icon": "https://grafana."~ domain ~"/public/img/grafana_icon.svg",
"client_secret": auth_grafana_client_secret,
"ui_group": "Services",
"allowed_for_groups": ["admins"],
},
"Minio": {
"redirect_uri": "https://minio."~ domain ~"/oauth_callback",
"icon": "https://minio."~ domain ~"/logo192.png",
"client_secret": auth_minio_client_secret,
"ui_group": "Services",
"allowed_for_groups": ["admins"],
},
"Gitea": { "Gitea": {
"redirect_uris": "https://gitea."~ domain ~"/user/oauth2/Authentik/callback", "redirect_uri": "https://gitea."~ domain ~"/user/oauth2/Authentik/callback",
"icon": "https://gitea."~ domain ~"/assets/img/logo.svg", "icon": "https://gitea."~ domain ~"/assets/img/logo.svg",
"client_secret": auth_gitea_client_secret,
"ui_group": "Apps",
"allowed_for_groups": ["admins", "users"],
}, },
"Nextcloud": { "Nextcloud": {
"redirect_uris": "https://nc."~ domain ~"/apps/sociallogin/custom_oidc/authentik", "redirect_uri": "https://nc."~ domain ~"/apps/sociallogin/custom_oidc/authentik",
"icon": "https://nc."~ domain ~"/apps/theming/favicon", "icon": "https://nc."~ domain ~"/apps/theming/favicon",
"client_secret": auth_nextcloud_client_secret,
"ui_group": "Apps",
"allowed_for_groups": ["admins", "users"],
}, },
} -%} } -%}
{% for app in apps.keys() -%} {% for app in apps.keys() -%}
- identifiers: - identifiers:
name: {{ app }} name: {{ app }}
model: authentik_providers_oauth2.oauth2provider model: authentik_providers_oauth2.oauth2provider
id: {{ app | lower }} id: {{ app }}
attrs: attrs:
access_code_validity: minutes=1
access_token_validity: minutes=5
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_type: confidential client_type: confidential
issuer_mode: per_provider client_id: {{ app | lower }}
sub_mode: hashed_user_id client_secret: {{ apps[app]["client_secret"] }}
property_mappings: property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
redirect_uris: {{ apps[app]["redirect_uris"] }} {% if app == "Minio" -%}
refresh_token_validity: days=30 - !Find [authentik_providers_oauth2.scopemapping, [scope_name, minio]]
{%- endif %}
redirect_uris:
- matching_mode: strict
url: {{ apps[app]["redirect_uri"] }}
# Necessary for JWKS to be generated correctly
signing_key: !Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]] signing_key: !Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]]
- identifiers: - identifiers:
slug: {{ app | lower }} slug: {{ app | lower }}
model: authentik_core.application model: authentik_core.application
id: {{ app | lower }} id: app-{{ app }}
attrs: attrs:
name: {{ app }} name: {{ app }}
group: "Apps" group: "{{ apps[app]["ui_group"] }}"
meta_description: "Hello, I'm {{ app }}!" meta_description: "Hello, I'm {{ app }}!"
meta_publisher: Alpina meta_publisher: Alpina
icon: "{{ apps[app]["icon"] }}" icon: "{{ apps[app]["icon"] }}"
open_in_new_tab: true open_in_new_tab: true
policy_engine_mode: any provider: !KeyOf {{ app }}
provider: !KeyOf {{ app | lower }}
{% for group in apps[app]["allowed_for_groups"] -%}
- identifiers:
group: !Find [authentik_core.group, [name, {{ group }}]]
target: !KeyOf app-{{ app }}
model: authentik_policies.policybinding
attrs:
order: 10
{% endfor %}
{% endfor %} {% endfor %}

81
roles/alpina/templates/services/authentik/blueprints/apps-proxy.yaml.j2
View File

@@ -4,61 +4,47 @@ metadata:
blueprints.goauthentik.io/instantiate: "true" blueprints.goauthentik.io/instantiate: "true"
name: Alpina - Proxied Apps name: Alpina - Proxied Apps
entries: entries:
- identifiers: # TODO: Possibly refactor this into a jinja macro (?)
name: arrstack
model: authentik_core.group
id: arrstack
attrs:
arrstack_username: "arr"
arrstack_password: "{{ arrstack_password }}"
# TODO: Probably refactor this into a jinja macro
{% set apps = { {% set apps = {
"uptime-kuma": { "Uptime Kuma": {
"host": "uptime", "host": "uptime",
"name": "Uptime Kuma",
"icon": "https://uptime."~ domain ~"/icon.svg", "icon": "https://uptime."~ domain ~"/icon.svg",
"unauthenticated_paths": "^/icon.svg$", "unauthenticated_paths": "^/icon.svg$",
"group": "Services", "ui_group": "Services",
"create_admin_group": true, "allowed_for_groups": ["admins"],
}, },
"qbit": { "qBit": {
"host": "qbit", "host": "qbit",
"name": "qBit",
"icon": "https://qbit."~ domain ~"/images/qbittorrent-tray.svg", "icon": "https://qbit."~ domain ~"/images/qbittorrent-tray.svg",
"unauthenticated_paths": "^/images/qbittorrent-tray.svg$", "unauthenticated_paths": "^/images/qbittorrent-tray.svg$",
"group": "Arrstack", "ui_group": "Arrstack",
"create_admin_group": false, "allowed_for_groups": ["arrstack"],
}, },
"prowlarr": { "Prowlarr": {
"host": "prowlarr", "host": "prowlarr",
"name": "Prowlarr",
"icon": "https://prowlarr."~ domain ~"/Content/Images/logo.svg", "icon": "https://prowlarr."~ domain ~"/Content/Images/logo.svg",
"unauthenticated_paths": "^/Content/Images/logo.svg$", "unauthenticated_paths": "^/Content/Images/logo.svg$",
"group": "Arrstack", "ui_group": "Arrstack",
"create_admin_group": false, "allowed_for_groups": ["arrstack"],
}, },
"sonarr": { "Sonarr": {
"host": "sonarr", "host": "sonarr",
"name": "Sonarr",
"icon": "https://sonarr."~ domain ~"/Content/Images/logo.svg", "icon": "https://sonarr."~ domain ~"/Content/Images/logo.svg",
"unauthenticated_paths": "^/Content/Images/logo.svg$", "unauthenticated_paths": "^/Content/Images/logo.svg$",
"group": "Arrstack", "ui_group": "Arrstack",
"create_admin_group": false, "allowed_for_groups": ["arrstack"],
}, },
"radarr": { "Radarr": {
"host": "radarr", "host": "radarr",
"name": "Radarr",
"icon": "https://radarr."~ domain ~"/Content/Images/logo.svg", "icon": "https://radarr."~ domain ~"/Content/Images/logo.svg",
"unauthenticated_paths": "^/Content/Images/logo.svg$", "unauthenticated_paths": "^/Content/Images/logo.svg$",
"group": "Arrstack", "ui_group": "Arrstack",
"create_admin_group": false, "allowed_for_groups": ["arrstack"],
}, },
} -%} } -%}
{% for app in apps.keys() -%} {% for app in apps.keys() -%}
- identifiers: - identifiers:
name: {{ apps[app]["name"] }} name: {{ app }}
model: authentik_providers_proxy.proxyprovider model: authentik_providers_proxy.proxyprovider
id: {{ app }} id: {{ app }}
attrs: attrs:
@@ -68,39 +54,26 @@ entries:
skip_path_regex: "{{ apps[app]["unauthenticated_paths"] }}" skip_path_regex: "{{ apps[app]["unauthenticated_paths"] }}"
- identifiers: - identifiers:
slug: {{ app }} slug: {{ app | lower | replace(" ", "-") }}
model: authentik_core.application model: authentik_core.application
id: app-{{ app }}
attrs: attrs:
name: {{ apps[app]["name"] }} name: {{ app }}
group: {{ apps[app]["group"] }} group: {{ apps[app]["ui_group"] }}
meta_description: "Hello, I'm {{ apps[app]["name"] }}!" meta_description: "Hello, I'm {{ app }}!"
meta_publisher: Alpina meta_publisher: Alpina
icon: "{{ apps[app]["icon"] }}" icon: "{{ apps[app]["icon"] }}"
open_in_new_tab: true open_in_new_tab: true
provider: !KeyOf {{ app }} provider: !KeyOf {{ app }}
{% if apps[app]["create_admin_group"] -%} {% for group in apps[app]["allowed_for_groups"] -%}
- identifiers: - identifiers:
name: "{{ apps[app]["name"] }} Admins" group: !Find [authentik_core.group, [name, {{ group }}]]
model: authentik_core.group target: !KeyOf app-{{ app }}
id: "{{ app }} Admins"
- identifiers:
group: !KeyOf "{{ app }} Admins"
target: !Find [authentik_core.application, [ slug, {{ app }}] ]
model: authentik_policies.policybinding model: authentik_policies.policybinding
attrs: attrs:
order: 0 order: 10
{% endif %} {% endfor %}
{% if apps[app]["group"] == "Arrstack" -%}
- identifiers:
group: !KeyOf arrstack
target: !Find [authentik_core.application, [slug, {{ app }}]]
model: authentik_policies.policybinding
attrs:
order: 0
{% endif %}
{% endfor %} {% endfor %}

40
roles/alpina/templates/services/authentik/blueprints/default-groups.yaml.j2 Normal file
View File

@@ -0,0 +1,40 @@
version: 1
metadata:
labels:
blueprints.goauthentik.io/instantiate: "true"
name: Alpina - Default Groups
entries:
- identifiers:
name: "admins"
model: authentik_core.group
id: "admins"
attrs:
is_superuser: true
- identifiers:
name: "users"
model: authentik_core.group
id: "users"
- identifiers:
name: "arrstack"
model: authentik_core.group
id: "arrstack"
attrs:
arrstack_username: "arr"
arrstack_password: "{{ arrstack_password }}"
- identifiers:
scope_name: "minio"
model: authentik_providers_oauth2.scopemapping
id: "scope-minio"
attrs:
name: "Minio Policy"
expression: |
policy = "default"
if ak_is_group_member(request.user, name="admins"):
policy = "consoleAdmin"
return {
"policy": policy,
}

56
roles/alpina/templates/services/authentik/blueprints/services-oauth2.yaml.j2
View File

@@ -1,56 +0,0 @@
version: 1
metadata:
labels:
blueprints.goauthentik.io/instantiate: "true"
name: Alpina - OAuth2 Services
entries:
{% set apps = {
"Grafana": {
"redirect_uris": "https://grafana."~ domain ~"/login/generic_oauth",
"icon": "https://grafana."~ domain ~"/public/img/grafana_icon.svg",
"client_secret": auth_grafana_client_secret,
},
} -%}
# TODO: Add Minio
{% for app in apps.keys() -%}
- identifiers:
name: {{ app }}
model: authentik_providers_oauth2.oauth2provider
id: {{ app | lower }}
attrs:
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
client_type: confidential
client_id: {{ app | lower }}
client_secret: {{ apps[app]["client_secret"] }}
property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
redirect_uris: {{ apps[app]["redirect_uris"] }}
- identifiers:
slug: {{ app | lower }}
model: authentik_core.application
attrs:
name: {{ app }}
group: "Services"
meta_description: "Hello, I'm {{ app }}!"
meta_publisher: Alpina
icon: "{{ apps[app]["icon"] }}"
open_in_new_tab: true
provider: !KeyOf {{ app | lower }}
- identifiers:
name: "{{ app }} Admins"
model: authentik_core.group
id: "{{ app }} Admins"
- identifiers:
group: !KeyOf "{{ app }} Admins"
target: !Find [authentik_core.application, [slug, {{ app | lower }}]]
model: authentik_policies.policybinding
attrs:
order: 0
{% endfor %}

19
roles/alpina/templates/services/minio/.env.minio.j2
View File

@@ -5,11 +5,16 @@ MINIO_DOMAIN=s3.{{ domain }}
MINIO_SERVER_URL=https://s3.{{ domain }} MINIO_SERVER_URL=https://s3.{{ domain }}
MINIO_BROWSER_REDIRECT_URL=https://minio.{{ domain }} MINIO_BROWSER_REDIRECT_URL=https://minio.{{ domain }}
#MINIO_IDENTITY_OPENID_CONFIG_URL=https://auth.{{ domain }}/application/o/minio/.well-known/openid-configuration # https://min.io/docs/minio/linux/reference/minio-server/settings/iam/openid.html
#MINIO_IDENTITY_OPENID_CLIENT_ID= MINIO_IDENTITY_OPENID_CONFIG_URL=https://auth.{{ domain }}/application/o/minio/.well-known/openid-configuration
#MINIO_IDENTITY_OPENID_CLIENT_SECRET= MINIO_IDENTITY_OPENID_CLIENT_ID=minio
#MINIO_IDENTITY_OPENID_CLAIM_NAME= MINIO_IDENTITY_OPENID_CLIENT_SECRET={{ auth_minio_client_secret }}
#MINIO_IDENTITY_OPENID_CLAIM_PREFIX= # defaults to "policy"
#MINIO_IDENTITY_OPENID_SCOPES= #MINIO_IDENTITY_OPENID_CLAIM_NAME=policy
#MINIO_IDENTITY_OPENID_REDIRECT_URI= MINIO_IDENTITY_OPENID_DISPLAY_NAME=Authentik
# no need to specify scopes,
# as it defaults to the ones advertised at the discovery url
#MINIO_IDENTITY_OPENID_SCOPES=openid,profile,email,minio
#MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC=off
#MINIO_IDENTITY_OPENID_CLAIM_USERINFO=on
#MINIO_IDENTITY_OPENID_COMMENT= #MINIO_IDENTITY_OPENID_COMMENT=

1
roles/alpina/templates/services/monitoring/docker-compose.yml.j2
View File

@@ -66,7 +66,6 @@ services:
command: command:
- --config.file=/etc/prometheus/prometheus.yml - --config.file=/etc/prometheus/prometheus.yml
- --storage.tsdb.retention.time=30d - --storage.tsdb.retention.time=30d
- --web.external-url=https://prom.{{ domain }}/
volumes: volumes:
- ./prometheus_config:/etc/prometheus:ro - ./prometheus_config:/etc/prometheus:ro
- {{ base_volume_path }}/monitoring/prometheus_configs:/etc/prometheus/extra:ro - {{ base_volume_path }}/monitoring/prometheus_configs:/etc/prometheus/extra:ro

51
roles/alpina/templates/services/monitoring/grafana_config/dashboards/example.dashboard.py
View File

@@ -1,51 +0,0 @@
from grafanalib.core import (
Dashboard, TimeSeries, GaugePanel,
Target, GridPos,
OPS_FORMAT
)
dashboard = Dashboard(
title="Python generated example dashboard",
description="Example dashboard using the Random Walk and default Prometheus datasource",
tags=[
'example'
],
timezone="browser",
panels=[
TimeSeries(
title="Random Walk",
dataSource='default',
targets=[
Target(
datasource='grafana',
expr='example',
),
],
gridPos=GridPos(h=8, w=16, x=0, y=0),
),
GaugePanel(
title="Random Walk",
dataSource='default',
targets=[
Target(
datasource='grafana',
expr='example',
),
],
gridPos=GridPos(h=4, w=4, x=17, y=0),
),
TimeSeries(
title="Prometheus http requests",
dataSource='prometheus',
targets=[
Target(
expr='rate(prometheus_http_requests_total[5m])',
legendFormat="{{ handler }}",
refId='A',
),
],
unit=OPS_FORMAT,
gridPos=GridPos(h=8, w=16, x=0, y=10),
),
],
).auto_panel_ids()

7
roles/alpina/templates/services/monitoring/prometheus_config/prometheus.yml.j2
View File

@@ -30,13 +30,6 @@ scrape_configs:
static_configs: static_configs:
- targets: ["promtail:9080"] - targets: ["promtail:9080"]
- job_name: 'demo'
static_configs:
- targets:
- 'demo.promlabs.com:10000'
- 'demo.promlabs.com:10001'
- 'demo.promlabs.com:10002'
rule_files: rule_files:
- "/etc/prometheus/extra/rules/*.yml" - "/etc/prometheus/extra/rules/*.yml"
- "/etc/prometheus/extra/rules/*.json" - "/etc/prometheus/extra/rules/*.json"