6 Commits

18 changed files with 375 additions and 265 deletions

2
.idea/jsonSchemas.xml generated

@@ -31,7 +31,7 @@
<list> <list>
<Item> <Item>
<option name="directory" value="true" /> <option name="directory" value="true" />
<option name="path" value="roles/alpina/collections/services/authentik/templates/blueprints" /> <option name="path" value="roles/alpina/templates/services/authentik/blueprints" />
<option name="mappingKind" value="Directory" /> <option name="mappingKind" value="Directory" />
</Item> </Item>
</list> </list>


@@ -14,13 +14,17 @@ authentik_secret_key: "{{ vault_authentik_secret_key }}"
authentik_sendgrid_api_key: "{{ vault_authentik_sendgrid_api_key }}" authentik_sendgrid_api_key: "{{ vault_authentik_sendgrid_api_key }}"
auth_grafana_client_secret: "{{ vault_auth_grafana_client_secret }}" auth_grafana_client_secret: "{{ vault_auth_grafana_client_secret }}"
auth_minio_client_secret: "{{ vault_auth_minio_client_secret }}"
auth_gitea_client_secret: "{{ vault_auth_gitea_client_secret }}"
auth_nextcloud_client_secret: "{{ vault_auth_nextcloud_client_secret }}"
arrstack_password: "{{ vault_arrstack_password }}" arrstack_password: "{{ vault_arrstack_password }}"
auth_vpgen_client_id: "vpgen"
auth_vpgen_client_secret: "{{ vault_auth_vpgen_client_secret }}"
# Minio # Minio
minio_password: "{{ vault_minio_password }}" minio_password: "{{ vault_minio_password }}"
# Monitoring # Monitoring
## auth_grafana_client_secret:
influxdb_admin_password: "{{ vault_influxdb_admin_password }}" influxdb_admin_password: "{{ vault_influxdb_admin_password }}"
influxdb_admin_token: "{{ vault_influxdb_admin_token }}" influxdb_admin_token: "{{ vault_influxdb_admin_token }}"
@@ -46,3 +50,15 @@ jwt_secret: "{{ vault_jwt_secret }}"
nextcloud_db_password: "{{ vault_nextcloud_db_password }}" nextcloud_db_password: "{{ vault_nextcloud_db_password }}"
redis_password: "{{ vault_redis_password }}" redis_password: "{{ vault_redis_password }}"
nextcloud_sendgrid_api_key: "{{ vault_nextcloud_sendgrid_api_key }}" nextcloud_sendgrid_api_key: "{{ vault_nextcloud_sendgrid_api_key }}"
# VPGen
vpgen_opnsense_api_url: https://opnsense.cazzzer.com
vpgen_opnsense_api_key: "{{ vault_vpgen_opnsense_api_key }}"
vpgen_opnsense_api_secret: "{{ vault_vpgen_opnsense_api_secret }}"
vpgen_opnsense_wg_ifname: wg2
vpgen_ipv6_client_prefix_size: 112
vpgen_ip_max_index: 100
vpgen_vpn_endpoint: "{{ vault_vpgen_vpn_endpoint }}"
vpgen_vpn_dns: "{{ vault_vpgen_vpn_dns }}"
vpgen_max_clients_per_user: 20


@@ -1,88 +1,138 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
36636236366435333738633465323539336231393239656538643863643233346563333836623335 38376439643766303237356563616337663731366435613930393135383962666435313530663632
3136393936656261396434316232356338313838373666660a653464613833306133343232623864 3432326162343632613565393737363335306263653032300a643539393562376162333761376631
61666561336462376664363463313533353238623031613664353063396236343663643936303730 62343731316430316638363338343966326635383930623339383339653936343765316439393233
6235646336306636360a653238633038306532613436633132363231613862383636313838623461 6562323634383363300a323233346338393764623363346139313661386433656337363332656230
32633366326136346435613232396632396365656138643361643139353430663637353565383664 31306233643735333033316139363165373062363334363933396563366234316330646230353261
36623961663030653639316131376535363138343965636437653139646233613765323439393030 62326539663337323036346533303031333730373061656563613535376162633138306634626462
31666137346339663162393836636638636431326232323461353661613062623032306130393965 37313038356466336138643834643863393333373939616362636365366231383762633030313831
38313931313935666633343835303232333961633232623538383138366262663335323764323939 33393139313336623437396161623437323163633362363137626262653462633737373062643735
32373333663834626633363265373632356439633862316562323565646530383534653338353165 63353561313639393166306466346134623933323532636438656263663338376337376434356163
38396434353332623164346137383238343536303130616666643065306431656137303263323135 64343239616632313566656664393136363337386464613932383961343134363233653039336137
34316662353031653932396239623733313037383935383762623136346636323434363231623161 65656566306463313264646163646130323533666464323464643433313030346535346535323264
30393864353466643637316566663366363231373335663331323932663837626239663633663965 34356433343739343166383034313935666139663239653662663734343139343035616134303730
66333531323861663130353531323339386566303630366236636135393439356634393732623033 39643136623735666333646234346239303337333961343261383834393963386633633030633962
31336231363935633436363962316666666336303338313636386163313666636336343464336133 61376132313532643730633865326130666565303631386262396366306565613665363934383335
33313730303961663632323435323963663530623265663664343735643061323332343265343431 37376139616165396436663135373932653064656136356662363137653036383537613665393634
61363039333730623562363233373537633138663239313132336666313237373137353663326538 38313063656637353630373634316564383362663335356364626161663163323362333937316461
32366130326635366433393434653735616132366264386461363063393265623765666461626366 64336636386234623438613766316430353261346339313863306462393335636131363966363038
38636239376534653230663932393930343162333262643130633835343363613061623932363761 66393561323335393063663838393466656331323433376461653838313638303564666662636438
64643164323335376565646137643763316562343565366462376162333633313737303465373362 38663735616261656338626437336433613730353236636266316536656165303534353538316232
63343734633536353661353165346632666230616138396461336332623365366432313734343837 62363063376464323932383261663537393263333266633461326536656533653661303335646431
30613736313961663334326335333834336634373338326631313739363765303036303132346166 36616436396137343634373563386439653833306537373735353764346430616231313538636362
37313030373264383564383936396339623061616134356663333733653838393537306336313135 30363430613839373761363032316137636432643339383561313637376339323836353161343639
32336261356437653863653839373130323035346538343938646265653239376236373932646433 36316665656164396236383538346561306432333637393431393566333566633434393961663330
35373932326535643763396563373138626239393661373231393066323335336264373835336635 32383833396238633966393837336564626135653733383863346161663364353062303931303931
38393732643630336364363834303534663334396363623261383339313939663461303236646237 39653662373734643037393832643439653437353935666430373337643532346161376661633738
36393330373534383836373065373239353836653137306338336638396662363434303839363466 61643431633431666535333463636461613166363238373138306565643533623039353031646634
37303332343464663733653632363239366337656364333532313237633935616637333361383763 62383662663435346635373865633731393362623761313834393964623930646364366534333236
62363063323362323565363837333264346161353032643039323839336666656333336433376231 35393138346433366435313066633436393561643263343534393034373161343834633261363933
36363335626137366135373230613436653232663138343862623562306331336330356630316166 65376636393263663566653436633762643331336139653565663334373561353130653065653935
30613264353165343634663461373630653632366333313837373237613339336638396338376465 31616337313764313532303934376236623833363433336335303262643135643339613839623231
64633638373263376330343561303664666139663237326637663964386133623164626339346635 37343730616166323239653537313137373136626337333665633134363830626131353030393662
66636365366562343636653362656133306164353761346661343430356633613063656466316262 31643366386365353336326133636434303636343637643539653131316133306132643133643364
31633932313532663930303837353863333664393563646566396164666236633832633235653362 64636464373564383938663838613031626563613362626435383832346661306562343165643539
63663931353436623034653733313766393465363466363831643130643939356335643166356436 66353431393032313262393566353833343632366139656234306561366139633431653133356165
38386530333264313263636438376134666235646636316233653330613735323234313036356639 32363332636433626132666462626137653337646234646565303831646330333133353964626461
61316164376434616239646235326661323363333835393430646462323234356138653163616530 37333265623865376562663365336339353036346135363062663534643537353331623630356264
65623233636435396462343437626130353735643530376538633762346332653162353563386366 66386665333633383534313062623533383239383231333163663565633531666236306465633135
32656633633935626238323431643631633434633032303435383037353834653964326336616530 36363164636165343863363866343437636630353863316633623761373232643262623762316162
30363765663133313239373664383830393238303439653531316664636532363135636563356666 32613665306535626139366564616362393536336364666663333761383362393631316134373138
34376636373033353665373261363536393562653638306661663832326139383565613862333831 32616665363164363639303538373539346239663261373731613464333734326436666433666539
38616238616332326532656430393331383161376237393365666639363732363164306332343336 31656264326535626134323231646535656563363231633434636337323538343038303233363765
37366638326464373261386431623731306663616262633837313965633530616265326536323136 61393164316237323533313336316530316431653731343261636265393361616464323536333130
62366365666461383535663637633332626464643062653139623333663038316536353930653266 65346538306664663566666435393738323832396365363764333637613331356661306535376332
37343830613062346533613762663738343138383537396435643765323237623130363564396462 62313533306365373737643835396364363737306631346161353031633531383364636563383237
61663063643135303539313062396338353061346336303938626361343238366366393533363638 64633432386565356137333730313736393737303665326531356265376333663636393430386233
31313437623631626437393761366537636664393863306164373431653133316639623630353336 33666532616632373061633063656136646533363034363330366231653936396166663134396139
65313037636533393362363266366231393334613264343331623531393666336336626265366163 66393131653963386365656364666263666362316136333561326566626562616138383739346139
34663161396633666162326564313735373137303337386538633866653331646635633532336465 62343035646435393136656434646138376331346164663562306166646132363230333538323536
34386166373436386566656135313438363733353139663630613430363332656239356139393532 38643934613633373734653337666261356639353235326539356264633232343834633062336539
35626337666639376664346631323938316538333066353363646562323266353165366632656137 31616536663730656163626437653932313564633938643163313765393731386533323465303831
66366162376165626564363230353062666364646363366637666433636333316536623435623836 34353663363862363761643565633635373834623665653131613531373637386361636661376532
62346566363362363939353038396566653238666138666531396338323262323965383031336362 64386435643966343034643763393461373961626134346539653865636161333962333463393734
34613332363334653531383231363539343133333531666564386133346562323338366139663438 62343838363432396133326235323636613239326139376365353930373835313531326433326234
31613466366438643566333632326239653662636464373337326537313234393038306132343730 66396537636162363865663433626230316362343334653735646637613130636436633132663538
36633136366162643966396362643165313336383862653435343630646431306366656636353230 64623230303266373965616533346464373661363233613837613765343463306136623063313139
64326633346561613662383863356531306563623439363566643733336535303335303164633535 31383039343462363536646636653736316362356565326538636331646235373162663332313961
36356463616162313039386434323637383937613133623131373033373462363365643730666166 64623061636638666234623336656365383165626461323561343930316432313632316332306334
65383166346638313533326366346433656461346439343838306564393336383536633732343965 61376430303835383934396266303564363230313735366464386134393265326334663633663632
39306231386130303433616361366363366163646534316138623362393063663438313165643762 38643034393737303963643733656333316137646435653666353239373738373632383561646333
39393332653564333762663762366633386135353865366338396138666265653662373535666366 65363865353362383832643238363332613931343038366563316163303764323936316466666364
35613937613366323064316561643435353830316239396464393737613835373964626437316464 31373439383661656336653431666164393833643266656133383137376133636134643137663532
39643664656565633966393832643033323130636562383233323636363361353430353062323439 33353531663336346562653339616430333133363232336461353937303435346337363932306133
39396464633336623963633963326461316562333162333766613064336462613235336531623437 37623164343462363830323263323664303334633563313439376232303031633633316636383164
30383063653666633839646533386239366637346230363033306161386537303039376465303535 66306238333432333635653435383138383339343837346134613630353335656335663062326132
34643162323065326264343662303138313063303834353832393663616239383739313133393532 65323638343963623062663638366538363162343230323262616138373239653163623832313366
62393766343037666564326132386139346661383564366366646530346434373366326531356138 65323834383631646164316363383636643437346435313030656362653332653635343066666232
31323531653338653130303733363764636430336563336439666132626434363463306631363334 39346235383265326262306434383861653138393835663863383032363664323565316165646566
39623332376334383338633132653262653735346563626365613336623435396539383630366332 61646238393062373131346536343533663839313831383335316363343465663130633133393436
31316638393562376131363166633163333332633332393062393962613132366538653865663264 66333465633636353639663836376561353839613533346164366238353833636534633338313262
38313237393436353333323431336361653938343034346164353335366535396265633961333138 30656433376362346333303630643639353262323532666238633764363132303161326638643761
65386137356161643732636531613166633464326163303336303439383435376331373935333563 36616131636538613539383935613337643930333334613566393031646630383330656164363361
64633961623761393131333234656530653737346563643963643833383262383434653266343362 37306536356164633831626362653364313164356235653464333633313263383032333439626434
35623832643032346133346363646136646438663761363330666231316434306232623339656535 65376531396661636661303831393062666362623966353739303330393631323963373564353265
34393337666237656262313439386336336466373466663663616139353463316265396135626366 61343862323737336238356231626561396333386264666563356235333339653538626130623936
62313562306334343831616364633933343463386233323637313832316635346235623830333461 63326431316538346534313764356333396565666431633833613337323136643137306166623238
33663530343966383739643261653736363865323438363430653661653964643339633833386438 66393561333137373964353935323930636237366433613038383761643665363330323865386133
36333331366334366461346636636462343335313234663864613864366134356161396662383632 37623339613733353366656637383030623663313639363334656361623035643232626633313864
36663538373761353937313666363262626435623537646665646364353934373638366261333234 36346564653766646333613763616163363462613937656534363461376235613064373039326165
36353439303663656531666637376364313838386130343966316138356338643135316139363630 32666265383065636232613632333830633439653066653666663261646536663434393535613131
30386635376565363931333331336431303562346431323534643238333337386264616161356163 30373062313765663038313534623165653833623330383032363063393239373234636630646561
35663766306635626235373663643064393233346364666663393236353561653362373361666164 38633962363530666638666630316434613462656335613236363831313863613030636539356133
65653566666234626464356338613834323332383939643935323337376162316163333034643062 66386133383433663964306661636131633236633935633236623530373864646363383534383735
63646237646234636561313038383636373936656164333735323461626233633337623764383830 63633165626464333332303331333338313838393832626637626137316338643136336333633930
66383161346336633962643032376662656566396666343662656337306333313836613335643961 61346436336635656639616261383666336330333862303139633137373362303033653432613039
64323961663032373239636430306430383639306333363938303837386139643230353061623937 35623663353538323761623839623438646363313164356631386364356533346133333334326565
36373733636337616264313432643230303935626666633533666135666538626266626266643864 32303837663261386463313535373765356166376165386535623838326431616564346632363732
376430653461346366626432636336653437 62373231356530346632373134343865303532326136653731633038353066623435336462303138
37363039343433613939363663623135396636396433653362666164323237393664623564393532
61376463336564396537366365373936333666373432376566323864343735636264643139643063
66396230303336633438666234336434353866323637316334313162363734623763666338336234
39303330343035333864396631323231363134646238323065356138633131323135613133356237
34373562633430613062313261363939373632313838333934303165336562663839663833383763
39316632656561653033613933373861366361353761346539306234366538373461373930306535
66623430343336333033306135303639646566393336663538313430616364653933663536386535
64323962353734356134656361663131376564626461386233643731393664353038626464313763
64396265373737313134613962376334373965353338303363303935353538643561336461393032
37356434343837376534663938366434343063643966643965346465636166363235643635333466
38323664366366663363616664336165653264633437393636363866316262303432356461386330
63326539626363333331366162363230626462656633653866383331333164663734633630353265
63303832376230646136346261383965626633613739616330666232376366613332663839336531
32343031336363663865643165666435623462376130326433316562363530343662366432313031
63626538656633346563663735323030363231643933326337613634376531636235333339373633
66353362333265343964353966383363613336636536393734363363623363316532653533633434
39333162303834353362323362656630343733653336613065333462626637303264653361393462
32336238326535383662636465383832346438333230666662633430303964343236626331623536
65383666316431646538396661386332323037383666336138666135613763363633343934663836
32656362323631303732613235663135633939643165626231373162643963613637626235613365
32326266323431636434633234333730373836373039666137663232323539396364373061393232
30646432666365333336333836313333363537363163383034656136383164663331373632313564
34353731363338323438366464663938393632626530323537306233613866356234323364373766
34326662656263383864613538326536626133386532303932326362376632363631356535393937
33346462336636656165316166363364343330383337636361656438383661333366633532616131
37313033623430663039626131303933316561666233613666636433363537373264653331323136
66663532653233373735326333333738663931343735306262353831303330633136623966316431
39316462313066336536623438626163383139343532313932316435356431323865373035343465
30346237393531353833616136323431376530333635633632666431313938643539363831313539
38396338336136363165323135663836336139623865666631663237616664636233653663383965
39623665656563316334323738323730306631636565393662313536353565383033653365663461
38326432353166376438356238386161396638666131636536356333393563613461373263346538
36656138353762323662363061613764633466303566353338626666646533616137393336333333
30393733316636353266653039346237363830333831383535646531616130353534633062643135
64373533646462313035383236333866313866366130663863363162613234393762646662666233
30653666353333366365343036643462346361303536363935396133343166303339623461376563
39333163636466646534356337656431376663623833303235303534633634386665636162346634
34646665633639663763316339663539663261333436363935316334656330313835616138626237
35623363393532633937653132303635396536646635633062393661616538303631663136363038
35623539303963383063343338653130643233636537356264323238633839303337383665393333
36303330393638643464646535653833626531343634626531396261363139326336623765623039
32613237636366376463343766303964336661363432646436373963626537373137396661633766
63633830663035663764303634643662333464353234646232343066306131336533396435313239
66366630643564313665306130656463633065646430373334336664633264353336376439666137
65366537366462623136353539373961333238373733663837373430663865643334393565333861
35363035343561633164613631633532623164376339633630393633396437333034376339656538
32653030626434326632386635383739663932393331333062656565303939373566653031613839
31363162666330393232646562333833633266643165316464623533623539356339333365623966
65323638396531346261303835373138333262323466656263643737343734303237303638353036
3733


@@ -12,3 +12,7 @@ fw_vpn_input_ports: "{{ vault_fw_vpn_input_ports }}"
# Authentik GitHub OAuth # Authentik GitHub OAuth
github_consumer_key: 32d5cae58d744c56fcc9 github_consumer_key: 32d5cae58d744c56fcc9
github_consumer_secret: "{{ vault_github_consumer_secret }}" github_consumer_secret: "{{ vault_github_consumer_secret }}"
# VPGen
vpgen_ipv4_starting_addr: 10.18.11.100
vpgen_ipv6_starting_addr: "{{ vault_vpgen_ipv6_starting_addr }}"


@@ -1,21 +1,24 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
61656162363565633436373135333536623561663136303736393865623830633539376362363363 63353634643462306366336162646431616335613961343464626166303837363565393136373433
3938333137343336626634346262363964316563643261310a366538363037343965363766646535 3663373337303837353564383531393462343064353534370a666333363166636137396634613139
61636239326464373039333462653562373933396665393039633266326234663335363337666439 62313762373332303334666530333731653231663263663930633265333665383661643037303737
6137323332303533640a383062383135633762323561313666636566306531306636633466316536 3239666139623937390a373066376363663865373266623831653964366565623138643138353866
66623731626266333731303336323733343336626366343833633365616330343565363035323039 35343633323032326331393263316434396335643732363337643262373663646339663836623235
35313961383131616133386663376331336639633137383137346164353632653939363266613562 61356534393435303336313636646665366238303539343835343761633230383261333864396465
36316631366661353632386230306532633862393963663465383862653964646462666334396666 34336166346261613061616336633166383338623561626662333665323462623064666531633833
66626636353539316266343937623662613336616331626439306538363764636366656635356639 34333735343934356365306135386430646539366561666334393065363532393636653031393237
30663535393366383261333832356237373230663037373638303161303534636230616464636265 38633437383961376162366430393761366231636437316139373334623964396236643761306363
37623938303638646233346338616239393838396433313063343065386666323264646461373032 33653761356632643334333932346664353037366638363835663435363162396333616535363730
63376661646139316430303533643063336634333364643231336130613638626431623732646434 61623539363130633330303462613861393965643066303338353531346433363962373761623235
63643833353164313465633333646232653761356333323933396666323837656334343866363762 36313838323830333966326331656435653837363530353837636465333434666266373639626534
39646263653137356632323534356631366531636530613736343438393136363835373435636230 37663633353962336237316433653763616333333165343630346637346137613338333363653231
30313163386335353935663432323033326235653963653930396235373863373232666334326661 36326163343839363936613334373430326531646464626230616634663530343265356166346165
34336632666365666563326366376461386130343965363832343430396537323734363533353065 61306263613937626565626165616336626131636234643062306530326235646532313962626438
64313837623366356261383437306465633730353332636561333462356363326132313933653234 61363333373034313563373831633339653365663831376463663839333233616635656137333561
66363634333664333433613466396639306436353035346134373430663532373934343861323262 36396639393835316133393737313164353939336134623666396265396535353861643263366235
30666664336336393835346234316238613839326436363162626439376530306133343530303365 62323137306235633061386630636235613636393033333631633231316337393430383438643462
65393030633237333166336637363435646435323736353461333932366638333264333239373733 63343630353134363633383331373437623631333532663536643937616636666433623861643639
30623062643336643431 63653532626337333136313932396164393733333038396235313133326338356234363363633962
34336562396138333535363165343764363336316238323364326539343738633831636536306139
38653766656430353035396166616133343666303231363039386635363536306531343932656261
623162633233343566376630303538636664


@@ -12,3 +12,7 @@ fw_vpn_input_ports: "{{ vault_fw_vpn_input_ports }}"
# Authentik GitHub OAuth # Authentik GitHub OAuth
github_consumer_key: dbacb8621c37320eb745 github_consumer_key: dbacb8621c37320eb745
github_consumer_secret: "{{ vault_github_consumer_secret }}" github_consumer_secret: "{{ vault_github_consumer_secret }}"
# VPGen
vpgen_ipv4_starting_addr: 10.18.11.50
vpgen_ipv6_starting_addr: "{{ vault_vpgen_ipv6_starting_addr }}"


@@ -1,21 +1,24 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
63633535633462326534626562373461373363643166383961303861623531663263323534366537 63633035373836396362626539323363363132366230343762366437326339343535663361633430
3263633238646439306430356365623233313838326639350a386633363434623737313565316535 3039646662343464303663313631313361306136613461340a313836363237376238343232613463
33393734633937333637373432366132323366343836393538366339626235613937323066613666 36633962613233386261366536333664346132396266383064353065353936653038346534343433
3737393262646333390a623331333461373563313166323232343234616538623433376166313532 3734333932666436660a346539643637316432343761393635333265656165313464656631653236
32323834346336336164343938303062336438643566343866316164643535663039326331646465 37303637333564383036623664616237313466643836663632363461353462386638326361396535
36666162393365323633646635333666613030386265306238633434303234336439646663356363 34353639303734323633306266356134393832366132633132383361336138643961663362616132
63323638373035326465633934326363316364616539613462653232393465633233366666373664 65356338353837623531383566363666633565646537353937656463343832613031633630306462
66616361646564303530356331323864343966633736643434653237316236363063613634646438 62313335353065323939366536356161653339316265373362376138396636626361643435386234
35303238646632616465643264316164363139393834626362326538613033656464323435396638 61633732383963653935363137346466623163396231303430346338323761643237383461303932
31346631653764303332386331663361623766333332366537313634636333346538653537346631 36663263633730346362386366663135653735303161383166633631333862303261356132303461
62363438303036386530633236376633326162336434343861346261373835653735323161323965 34633432633663623136303337613335643636356530626336366361373736333336366230346265
62353965373164616537346134303232363033323134323130316439386339613966646330666533 31396463363639303431386439303163643037376262616437643438323162653134643837363430
65346239383230646565346133663530613462363532663562326136376233303638323332326630 66336331636466383063656632306566346531336161653136623938616564333333326566616364
35656432363563653663616236393932663637323139666664636237336136366438656666633865 62383935616637656132373664343730653239396634313530633665633736653365366136656265
66353162656364356638313236643131613830393838636264663833343461373963613431656364 39343833333836323133376465376164323530643438353234353938663733323433373531636335
32303331623033303433333631313038316336653638656638373031653234356164333363336532 64366232613637636537626139656130303663353266363064666464373665336238383763616436
37316334353463376562643138346633613633353536653939376564333166323931353634333736 30303032393830333730353837656237666564346430613531653466646534613536353433613634
63616133663266383339323562343265613461623865623263623139396163343065623264366230 62653538366638366565633261346431396639663435356531366537353737363761356530643635
32633362336335396562366563363830636133376238646433386236666461333731353337386333 61653438346434363834653131646661366338633431303862333732326262626366633034323137
61323931643766326338 30323636616333356430346365643630366162323133376135366663343265346234346161306431
35383736336664636561623262643162636130366162326536656231653165386230333562383466
66323863656566396639316263376233613162396265373235306662663665613663626565623761
663938383964623436306662666663303330


@@ -31,4 +31,5 @@
- nextcloud - nextcloud
- jellyfin - jellyfin
- arrstack - arrstack
- vpgen
import_tasks: deploy_collection.yml import_tasks: deploy_collection.yml


@@ -0,0 +1,21 @@
DATABASE_URL=file:/data/vpgen.db
AUTH_DOMAIN=auth.{{ domain }}
AUTH_CLIENT_ID={{ auth_vpgen_client_id }}
AUTH_CLIENT_SECRET={{ auth_vpgen_client_secret }}
AUTH_REDIRECT_URL=https://vpgen.{{ domain }}/auth/authentik/callback
OPNSENSE_API_URL={{ vpgen_opnsense_api_url }}
OPNSENSE_API_KEY={{ vpgen_opnsense_api_key }}
OPNSENSE_API_SECRET={{ vpgen_opnsense_api_secret }}
OPNSENSE_WG_IFNAME={{ vpgen_opnsense_wg_ifname }}
IPV4_STARTING_ADDR={{ vpgen_ipv4_starting_addr }}
IPV6_STARTING_ADDR={{ vpgen_ipv6_starting_addr }}
IPV6_CLIENT_PREFIX_SIZE={{ vpgen_ipv6_client_prefix_size }}
IP_MAX_INDEX={{ vpgen_ip_max_index }}
VPN_ENDPOINT={{ vpgen_vpn_endpoint }}
VPN_DNS={{ vpgen_vpn_dns }}
MAX_CLIENTS_PER_USER={{ vpgen_max_clients_per_user }}
ORIGIN=https://vpgen.{{ domain }}
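Review bot: The secrets rendered in this new file (`AUTH_CLIENT_SECRET`, `OPNSENSE_API_KEY`, `OPNSENSE_API_SECRET`) are emitted as bare, unquoted values, so a vault value containing whitespace, `#` or a quote character may be truncated or altered when Compose parses the `env_file`. Quoting them, e.g. `AUTH_CLIENT_SECRET='{{ auth_vpgen_client_secret }}'`, avoids that as long as the value itself holds no single quote. The rendered file carries firewall API credentials in plaintext and the task that templates it is not visible in this diff, so it is worth confirming that it sets a restrictive mode such as `mode: "0600"`. A one-line header comment saying the file is generated from vault-backed variables would also help the next reader.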


@@ -0,0 +1,16 @@
{% import 'contrib/compose_helpers.j2' as helpers with context %}
networks:
{{ helpers.default_network(196) | indent(2) }}
services:
vpgen:
image: gitea.cazzzer.com/cazzzer/vpgen:develop
container_name: vpgen
labels:
- {{ helpers.traefik_labels('vpgen', port='3000') | indent(6) }}
restart: unless-stopped
env_file:
- .env.vpgen
volumes:
- {{ base_volume_path }}/vpgen:/data
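Review bot: `image: gitea.cazzzer.com/cazzzer/vpgen:develop` looks like a moving tag, so whatever is pushed under `develop` next would run with the OPNsense API key and OIDC client secret from `.env.vpgen` on the next pull or recreate. Pinning to a release tag plus digest, `image: gitea.cazzzer.com/cazzzer/vpgen:<release-tag>@sha256:<digest>` (placeholders), keeps the deployed artifact reviewable and reproducible. The service also declares no runtime restrictions; if the image tolerates it, `security_opt: ["no-new-privileges:true"]` and `cap_drop: ["ALL"]` would limit what a compromised container can do. Whether `helpers.traefik_labels` attaches any access-control middleware cannot be seen from this hunk, so how port 3000 is exposed should be checked against that helper.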


@@ -5,46 +5,80 @@ metadata:
name: Alpina - OAuth2 Apps name: Alpina - OAuth2 Apps
entries: entries:
{% set apps = { {% set apps = {
"Grafana": {
"redirect_uri": "https://grafana."~ domain ~"/login/generic_oauth",
"icon": "https://grafana."~ domain ~"/public/img/grafana_icon.svg",
"client_secret": auth_grafana_client_secret,
"ui_group": "Services",
"allowed_for_groups": ["admins"],
},
"Minio": {
"redirect_uri": "https://minio."~ domain ~"/oauth_callback",
"icon": "https://minio."~ domain ~"/logo192.png",
"client_secret": auth_minio_client_secret,
"ui_group": "Services",
"allowed_for_groups": ["admins"],
},
"Gitea": { "Gitea": {
"redirect_uris": "https://gitea."~ domain ~"/user/oauth2/Authentik/callback", "redirect_uri": "https://gitea."~ domain ~"/user/oauth2/Authentik/callback",
"icon": "https://gitea."~ domain ~"/assets/img/logo.svg", "icon": "https://gitea."~ domain ~"/assets/img/logo.svg",
"client_secret": auth_gitea_client_secret,
"ui_group": "Apps",
"allowed_for_groups": ["admins", "users"],
}, },
"Nextcloud": { "Nextcloud": {
"redirect_uris": "https://nc."~ domain ~"/apps/sociallogin/custom_oidc/authentik", "redirect_uri": "https://nc."~ domain ~"/apps/sociallogin/custom_oidc/authentik",
"icon": "https://nc."~ domain ~"/apps/theming/favicon", "icon": "https://nc."~ domain ~"/apps/theming/favicon",
"client_secret": auth_nextcloud_client_secret,
"ui_group": "Apps",
"allowed_for_groups": ["admins", "users"],
}, },
} -%} } -%}
{% for app in apps.keys() -%} {% for app in apps.keys() -%}
- identifiers: - identifiers:
name: {{ app }} name: {{ app }}
model: authentik_providers_oauth2.oauth2provider model: authentik_providers_oauth2.oauth2provider
id: {{ app | lower }} id: {{ app }}
attrs: attrs:
access_code_validity: minutes=1
access_token_validity: minutes=5
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]] authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
client_type: confidential client_type: confidential
issuer_mode: per_provider client_id: {{ app | lower }}
sub_mode: hashed_user_id client_secret: {{ apps[app]["client_secret"] }}
property_mappings: property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]] - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
redirect_uris: {{ apps[app]["redirect_uris"] }} {% if app == "Minio" -%}
refresh_token_validity: days=30 - !Find [authentik_providers_oauth2.scopemapping, [scope_name, minio]]
{%- endif %}
redirect_uris:
- matching_mode: strict
url: {{ apps[app]["redirect_uri"] }}
# Necessary for JWKS to be generated correctly
signing_key: !Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]] signing_key: !Find [authentik_crypto.certificatekeypair, [name, "authentik Self-signed Certificate"]]
- identifiers: - identifiers:
slug: {{ app | lower }} slug: {{ app | lower }}
model: authentik_core.application model: authentik_core.application
id: {{ app | lower }} id: app-{{ app }}
attrs: attrs:
name: {{ app }} name: {{ app }}
group: "Apps" group: "{{ apps[app]["ui_group"] }}"
meta_description: "Hello, I'm {{ app }}!" meta_description: "Hello, I'm {{ app }}!"
meta_publisher: Alpina meta_publisher: Alpina
icon: "{{ apps[app]["icon"] }}" icon: "{{ apps[app]["icon"] }}"
open_in_new_tab: true open_in_new_tab: true
policy_engine_mode: any provider: !KeyOf {{ app }}
provider: !KeyOf {{ app | lower }}
{% for group in apps[app]["allowed_for_groups"] -%}
- identifiers:
group: !Find [authentik_core.group, [name, {{ group }}]]
target: !KeyOf app-{{ app }}
model: authentik_policies.policybinding
attrs:
order: 10
{% endfor %}
{% endfor %} {% endfor %}
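Review bot: `client_secret: {{ apps[app]["client_secret"] }}` renders the vault value as a plain YAML scalar, so a secret that starts with an indicator character, contains `: ` or ` #`, or consists only of digits would be rejected, truncated or retyped when the blueprint is loaded, and the provider's secret would then differ from the one the client application holds. Quote it the way `group` and `icon` already are in this file, `client_secret: "{{ apps[app]["client_secret"] }}"`, or use `{{ apps[app]["client_secret"] | to_json }}` if the values may contain `"` or `\`. The same applies to `url: {{ apps[app]["redirect_uri"] }}`, although that value is built inside the template and is lower risk. Since the rendered blueprint now carries the client secrets in plaintext, it is worth confirming that the task writing it (not visible in this diff) restricts the file mode.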


@@ -4,61 +4,47 @@ metadata:
blueprints.goauthentik.io/instantiate: "true" blueprints.goauthentik.io/instantiate: "true"
name: Alpina - Proxied Apps name: Alpina - Proxied Apps
entries: entries:
- identifiers: # TODO: Possibly refactor this into a jinja macro (?)
name: arrstack
model: authentik_core.group
id: arrstack
attrs:
arrstack_username: "arr"
arrstack_password: "{{ arrstack_password }}"
# TODO: Probably refactor this into a jinja macro
{% set apps = { {% set apps = {
"uptime-kuma": { "Uptime Kuma": {
"host": "uptime", "host": "uptime",
"name": "Uptime Kuma",
"icon": "https://uptime."~ domain ~"/icon.svg", "icon": "https://uptime."~ domain ~"/icon.svg",
"unauthenticated_paths": "^/icon.svg$", "unauthenticated_paths": "^/icon.svg$",
"group": "Services", "ui_group": "Services",
"create_admin_group": true, "allowed_for_groups": ["admins"],
}, },
"qbit": { "qBit": {
"host": "qbit", "host": "qbit",
"name": "qBit",
"icon": "https://qbit."~ domain ~"/images/qbittorrent-tray.svg", "icon": "https://qbit."~ domain ~"/images/qbittorrent-tray.svg",
"unauthenticated_paths": "^/images/qbittorrent-tray.svg$", "unauthenticated_paths": "^/images/qbittorrent-tray.svg$",
"group": "Arrstack", "ui_group": "Arrstack",
"create_admin_group": false, "allowed_for_groups": ["arrstack"],
}, },
"prowlarr": { "Prowlarr": {
"host": "prowlarr", "host": "prowlarr",
"name": "Prowlarr",
"icon": "https://prowlarr."~ domain ~"/Content/Images/logo.svg", "icon": "https://prowlarr."~ domain ~"/Content/Images/logo.svg",
"unauthenticated_paths": "^/Content/Images/logo.svg$", "unauthenticated_paths": "^/Content/Images/logo.svg$",
"group": "Arrstack", "ui_group": "Arrstack",
"create_admin_group": false, "allowed_for_groups": ["arrstack"],
}, },
"sonarr": { "Sonarr": {
"host": "sonarr", "host": "sonarr",
"name": "Sonarr",
"icon": "https://sonarr."~ domain ~"/Content/Images/logo.svg", "icon": "https://sonarr."~ domain ~"/Content/Images/logo.svg",
"unauthenticated_paths": "^/Content/Images/logo.svg$", "unauthenticated_paths": "^/Content/Images/logo.svg$",
"group": "Arrstack", "ui_group": "Arrstack",
"create_admin_group": false, "allowed_for_groups": ["arrstack"],
}, },
"radarr": { "Radarr": {
"host": "radarr", "host": "radarr",
"name": "Radarr",
"icon": "https://radarr."~ domain ~"/Content/Images/logo.svg", "icon": "https://radarr."~ domain ~"/Content/Images/logo.svg",
"unauthenticated_paths": "^/Content/Images/logo.svg$", "unauthenticated_paths": "^/Content/Images/logo.svg$",
"group": "Arrstack", "ui_group": "Arrstack",
"create_admin_group": false, "allowed_for_groups": ["arrstack"],
}, },
} -%} } -%}
{% for app in apps.keys() -%} {% for app in apps.keys() -%}
- identifiers: - identifiers:
name: {{ apps[app]["name"] }} name: {{ app }}
model: authentik_providers_proxy.proxyprovider model: authentik_providers_proxy.proxyprovider
id: {{ app }} id: {{ app }}
attrs: attrs:
@@ -68,39 +54,26 @@ entries:
skip_path_regex: "{{ apps[app]["unauthenticated_paths"] }}" skip_path_regex: "{{ apps[app]["unauthenticated_paths"] }}"
- identifiers: - identifiers:
slug: {{ app }} slug: {{ app | lower | replace(" ", "-") }}
model: authentik_core.application model: authentik_core.application
id: app-{{ app }}
attrs: attrs:
name: {{ apps[app]["name"] }} name: {{ app }}
group: {{ apps[app]["group"] }} group: {{ apps[app]["ui_group"] }}
meta_description: "Hello, I'm {{ apps[app]["name"] }}!" meta_description: "Hello, I'm {{ app }}!"
meta_publisher: Alpina meta_publisher: Alpina
icon: "{{ apps[app]["icon"] }}" icon: "{{ apps[app]["icon"] }}"
open_in_new_tab: true open_in_new_tab: true
provider: !KeyOf {{ app }} provider: !KeyOf {{ app }}
{% if apps[app]["create_admin_group"] -%} {% for group in apps[app]["allowed_for_groups"] -%}
- identifiers: - identifiers:
name: "{{ apps[app]["name"] }} Admins" group: !Find [authentik_core.group, [name, {{ group }}]]
model: authentik_core.group target: !KeyOf app-{{ app }}
id: "{{ app }} Admins"
- identifiers:
group: !KeyOf "{{ app }} Admins"
target: !Find [authentik_core.application, [ slug, {{ app }}] ]
model: authentik_policies.policybinding model: authentik_policies.policybinding
attrs: attrs:
order: 0 order: 10
{% endif %} {% endfor %}
{% if apps[app]["group"] == "Arrstack" -%}
- identifiers:
group: !KeyOf arrstack
target: !Find [authentik_core.application, [slug, {{ app }}]]
model: authentik_policies.policybinding
attrs:
order: 0
{% endif %}
{% endfor %} {% endfor %}
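Review bot: The policy bindings in the `allowed_for_groups` loop resolve their group with `!Find [authentik_core.group, [name, {{ group }}]]`, but the groups are now created in a separate blueprint ("Alpina - Default Groups") and nothing here makes that blueprint apply first. As far as I know `!Find` resolves to null when no object matches, so on a fresh instance the binding can fail or be skipped, and an authentik application with no binding is open to every authenticated user; an empty `allowed_for_groups` list has the same effect. I would declare the dependency as the first entry under `entries:` with an `authentik_blueprints.metaapplyblueprint` entry, as below, and quote the templated name (`[name, "{{ group }}"]`). The same loop is used in the OAuth2 blueprint earlier on this page.

```yaml
entries:
# Apply the groups blueprint first so the !Find lookups below can resolve
- model: authentik_blueprints.metaapplyblueprint
  attrs:
    identifiers:
      name: Alpina - Default Groups
    required: true
# … unchanged: apps definition and per-app entries …
```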


@@ -0,0 +1,40 @@
version: 1
metadata:
labels:
blueprints.goauthentik.io/instantiate: "true"
name: Alpina - Default Groups
entries:
- identifiers:
name: "admins"
model: authentik_core.group
id: "admins"
attrs:
is_superuser: true
- identifiers:
name: "users"
model: authentik_core.group
id: "users"
- identifiers:
name: "arrstack"
model: authentik_core.group
id: "arrstack"
attrs:
arrstack_username: "arr"
arrstack_password: "{{ arrstack_password }}"
- identifiers:
scope_name: "minio"
model: authentik_providers_oauth2.scopemapping
id: "scope-minio"
attrs:
name: "Minio Policy"
expression: |
policy = "default"
if ak_is_group_member(request.user, name="admins"):
policy = "consoleAdmin"
return {
"policy": policy,
}
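Review bot: The `admins` group is created with `is_superuser: true`, and the same group is what the rest of this commit uses for application access: the MinIO scope mapping in this file grants `consoleAdmin` to it, the proxied apps list it in `allowed_for_groups`, and `role_attribute_path` in the Grafana config maps it to `GrafanaAdmin`. Anyone who needs admin rights in one application therefore also becomes a superuser of the identity provider itself, where the previous per-app "… Admins" groups kept those apart. I would keep `is_superuser: true` on a dedicated group for authentik administration and use a separate, non-superuser group for application access. Separately, `arrstack_password` is stored as a plain group attribute, so it is presumably readable by anyone who can view the group; a comment above that entry saying so would help the next reader.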


@@ -1,56 +0,0 @@
version: 1
metadata:
labels:
blueprints.goauthentik.io/instantiate: "true"
name: Alpina - OAuth2 Services
entries:
{% set apps = {
"Grafana": {
"redirect_uris": "https://grafana."~ domain ~"/login/generic_oauth",
"icon": "https://grafana."~ domain ~"/public/img/grafana_icon.svg",
"client_secret": auth_grafana_client_secret,
},
} -%}
# TODO: Add Minio
{% for app in apps.keys() -%}
- identifiers:
name: {{ app }}
model: authentik_providers_oauth2.oauth2provider
id: {{ app | lower }}
attrs:
authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
client_type: confidential
client_id: {{ app | lower }}
client_secret: {{ apps[app]["client_secret"] }}
property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
redirect_uris: {{ apps[app]["redirect_uris"] }}
- identifiers:
slug: {{ app | lower }}
model: authentik_core.application
attrs:
name: {{ app }}
group: "Services"
meta_description: "Hello, I'm {{ app }}!"
meta_publisher: Alpina
icon: "{{ apps[app]["icon"] }}"
open_in_new_tab: true
provider: !KeyOf {{ app | lower }}
- identifiers:
name: "{{ app }} Admins"
model: authentik_core.group
id: "{{ app }} Admins"
- identifiers:
group: !KeyOf "{{ app }} Admins"
target: !Find [authentik_core.application, [slug, {{ app | lower }}]]
model: authentik_policies.policybinding
attrs:
order: 0
{% endfor %}


@@ -5,11 +5,16 @@ MINIO_DOMAIN=s3.{{ domain }}
MINIO_SERVER_URL=https://s3.{{ domain }} MINIO_SERVER_URL=https://s3.{{ domain }}
MINIO_BROWSER_REDIRECT_URL=https://minio.{{ domain }} MINIO_BROWSER_REDIRECT_URL=https://minio.{{ domain }}
#MINIO_IDENTITY_OPENID_CONFIG_URL=https://auth.{{ domain }}/application/o/minio/.well-known/openid-configuration # https://min.io/docs/minio/linux/reference/minio-server/settings/iam/openid.html
#MINIO_IDENTITY_OPENID_CLIENT_ID= MINIO_IDENTITY_OPENID_CONFIG_URL=https://auth.{{ domain }}/application/o/minio/.well-known/openid-configuration
#MINIO_IDENTITY_OPENID_CLIENT_SECRET= MINIO_IDENTITY_OPENID_CLIENT_ID=minio
#MINIO_IDENTITY_OPENID_CLAIM_NAME= MINIO_IDENTITY_OPENID_CLIENT_SECRET={{ auth_minio_client_secret }}
#MINIO_IDENTITY_OPENID_CLAIM_PREFIX= # defaults to "policy"
#MINIO_IDENTITY_OPENID_SCOPES= #MINIO_IDENTITY_OPENID_CLAIM_NAME=policy
#MINIO_IDENTITY_OPENID_REDIRECT_URI= MINIO_IDENTITY_OPENID_DISPLAY_NAME=Authentik
# no need to specify scopes,
# as it defaults to the ones advertised at the discovery url
#MINIO_IDENTITY_OPENID_SCOPES=openid,profile,email,minio
#MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC=off
#MINIO_IDENTITY_OPENID_CLAIM_USERINFO=on
#MINIO_IDENTITY_OPENID_COMMENT= #MINIO_IDENTITY_OPENID_COMMENT=
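Review bot: The authorization claim is left implicit: `MINIO_IDENTITY_OPENID_CLAIM_NAME` stays commented out, so the policy a user receives depends on MinIO's default matching the `policy` key returned by the `minio` scope mapping in the groups blueprint. I would set it explicitly, `MINIO_IDENTITY_OPENID_CLAIM_NAME=policy`, so that a rename on either side fails visibly instead of silently changing who gets which policy. The mapping also returns `"default"` for every non-admin user; it is worth confirming that a policy with that name exists on the MinIO side, since that is not visible in this commit. `MINIO_IDENTITY_OPENID_CLIENT_SECRET` is rendered in plain text, so the file mode set by the templating task (outside this hunk) should be owner-only.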


@@ -31,4 +31,4 @@ name_attribute_path = name
# Optionally map user groups to Grafana roles # Optionally map user groups to Grafana roles
allow_assign_grafana_admin = true allow_assign_grafana_admin = true
role_attribute_path = contains(groups[*], 'Grafana Admins') && 'GrafanaAdmin' || 'Viewer' role_attribute_path = contains(groups[*], 'admins') && 'GrafanaAdmin' || 'Viewer'


@@ -12,7 +12,7 @@ networks:
services: services:
traefik: traefik:
image: traefik:v3.0 image: traefik:v3.2
container_name: traefik container_name: traefik
restart: unless-stopped restart: unless-stopped
env_file: env_file:
@@ -23,7 +23,6 @@ services:
- ./rules:/rules:ro - ./rules:/rules:ro
- /var/run/docker.sock:/var/run/docker.sock:ro - /var/run/docker.sock:/var/run/docker.sock:ro
- {{ base_volume_path }}/traefik/rules:/rules/extra:ro - {{ base_volume_path }}/traefik/rules:/rules/extra:ro
- {{ base_volume_path }}/traefik/logs:/logs
- {{ base_volume_path }}/traefik/acme:/acme - {{ base_volume_path }}/traefik/acme:/acme
# This is mostly just so that the traefik network gets created # This is mostly just so that the traefik network gets created


@@ -2,11 +2,8 @@ api:
insecure: true insecure: true
log: log:
filePath: /logs/traefik.log
level: INFO level: INFO
accessLog: accessLog:
filePath: /logs/access.log
bufferingSize: 100
entryPoints: entryPoints:
web: web: