diff --git a/ansible/inventory/group_vars/all.yaml b/ansible/inventory/group_vars/all.yaml index 6145f29..bcb06e0 100644 --- a/ansible/inventory/group_vars/all.yaml +++ b/ansible/inventory/group_vars/all.yaml 
@@ -2,50 +2,122 @@ # Global vars ansible_ssh_private_key_file: "/etc/secrets/{{ hostvars['console']['node']['uid'] }}/id_console" -# URL infromation, you can use {{ infra_uri['services'] | split(':') | first|last }} to seperate domain and ports -infra_uri: +# CA +root_cert_filename: "ilnmors_root_ca.crt" +intermediate_cert_filename: "ilnmors_intermediate_ca.crt" +intermediate_key_filename: "ilnmors_intermediate_ca.key" + + +# local SAN and SSH SAN should be updated manually on host_vars +domain: + public: "ilnmors.com" + internal: "ilnmors.internal" + dc: "dc=ilnmors,dc=internal" + org: "ilnmors" + +# DNS configuration including bind and blocky should be set manually. +# named.conf.j2 is also set manually. +# Check the hosts.j2 when cname records are fixed + +services: crowdsec: - domain: "crowdsec.ilnmors.internal" + domain: "crowdsec" ports: https: "8080" bind: - domain: "bind.ilnmors.internal" + domain: "bind" ports: dns: "53" blocky: - domain: "blocky.ilnmors.internal" + domain: "blocky" ports: https: "443" dns: "53" postgresql: - domain: "postgresql.ilnmors.internal" + domain: "postgresql" ports: tcp: "5432" # postgresql db connection port ldap: - domain: "ldap.ilnmors.internal" + domain: "ldap" ports: http: "17170" - ldaps: "636" + ldaps: "6360" ca: - domain: "ca.ilnmors.internal" + domain: "ca" ports: https: "9000" + x509-exporter: + ports: + http: "9793" prometheus: - domain: "prometheus.ilnmors.internal" + domain: "prometheus" ports: https: "9090" loki: - domain: "loki.ilnmors.internal" + domain: "loki" ports: https: "3100" + grafana: + domain: "grafana" + ports: + http: "3000" + caddy: + ports: + http: "2080" + https: "2443" nas: - domain: "nas.ilnmors.internal" + domain: "nas" ports: https: "5001" kopia: - domain: "nas.ilnmors.internal" + domain: "nas" ports: https: "51515" + authelia: + domain: "authelia" + ports: + http: "9091" + vaultwarden: + domain: + public: "vault" + internal: "vault.app" + ports: + http: "8000" + gitea: + domain: + public: 
"gitea" + internal: "gitea.app" + ports: + http: "3000" + immich: + domain: + public: "immich" + internal: "immich.app" + ports: + http: "2283" + redis: "6379" + immich-ml: + ports: + http: "3003" + actualbudget: + domain: + public: "budget" + internal: "budget.app" + ports: + http: "5006" + paperless: + domain: + public: "paperless" + internal: "paperless.app" + ports: + http: "8001" + redis: "6380" + vikunja: + domain: + public: "vikunja" + internal: "vikunja.app" + ports: + http: "3456" version: packages: @@ -54,7 +126,6 @@ version: kopia: "0.22.3" blocky: "0.28.2" alloy: "1.13.0" - # telegraf: "1.37.1" containers: # common caddy: "2.10.2" diff --git a/ansible/inventory/host_vars/app.yaml b/ansible/inventory/host_vars/app.yaml index 2f3662e..13e4f51 100644 --- a/ansible/inventory/host_vars/app.yaml +++ b/ansible/inventory/host_vars/app.yaml @@ -39,7 +39,3 @@ storage: label: "APP_DATA" level: "raid10" mount_point: "/home/app/data" - -redis: - immich: "6379" - paperless: "6380" diff --git a/ansible/roles/app/tasks/services/set_gitea.yaml b/ansible/roles/app/tasks/services/set_gitea.yaml index 5cd1890..1bc7a7e 100644 --- a/ansible/roles/app/tasks/services/set_gitea.yaml +++ b/ansible/roles/app/tasks/services/set_gitea.yaml @@ -20,7 +20,7 @@ ansible.builtin.copy: content: | {{ hostvars['console']['ca']['root']['crt'] }} - dest: "{{ node['home_path'] }}/containers/gitea/ssl/ilnmors_root_ca.crt" + dest: "{{ node['home_path'] }}/containers/gitea/ssl/{{ root_cert_filename }}" owner: "{{ gitea_subuid }}" group: "svadmins" mode: "0440" diff --git a/ansible/roles/app/tasks/services/set_immich.yaml b/ansible/roles/app/tasks/services/set_immich.yaml index 85f6340..7c4e881 100644 --- a/ansible/roles/app/tasks/services/set_immich.yaml +++ b/ansible/roles/app/tasks/services/set_immich.yaml 
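Review bot: `ldaps: "6360"` replaces "636" in the ldap entry of this hunk, but the authelia.container.j2 hunk in the same commit has to hard-code `636` with a comment that nftables still forwards the original port, so the `services` map no longer states the port a client actually dials. If 6360 is the container-side port and 636 the host/firewall-facing one, keep both in the map, e.g. `ldaps: "636"` alongside a separately named container-port key, and let the authelia ExecStartPre line read the map instead of a literal. The shape of `domain` is also mixed here — a plain string for crowdsec, authelia and kopia, a `public`/`internal` mapping for vaultwarden, gitea, immich, actualbudget, paperless and vikunja, and absent for x509-exporter, caddy and immich-ml — so a comment above `services:` spelling out the two shapes would save every template author from re-deriving it; kopia reusing `domain: "nas"` deserves a one-line note for the same reason.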
@@ -70,7 +70,7 @@ ansible.builtin.copy: content: | {{ hostvars['console']['ca']['root']['crt'] }} - dest: "{{ node['home_path'] }}/containers/immich/ssl/ilnmors_root_ca.crt" + dest: "{{ node['home_path'] }}/containers/immich/ssl/{{ root_cert_filename }}" owner: "{{ ansible_user }}" group: "svadmins" mode: "0440" diff --git a/ansible/roles/app/tasks/services/set_paperless.yaml b/ansible/roles/app/tasks/services/set_paperless.yaml index a55984f..d9f1c6e 100644 --- a/ansible/roles/app/tasks/services/set_paperless.yaml +++ b/ansible/roles/app/tasks/services/set_paperless.yaml @@ -69,7 +69,7 @@ ansible.builtin.copy: content: | {{ hostvars['console']['ca']['root']['crt'] }} - dest: "{{ node['home_path'] }}/containers/paperless/ssl/ilnmors_root_ca.crt" + dest: "{{ node['home_path'] }}/containers/paperless/ssl/{{ root_cert_filename }}" owner: "{{ paperless_subuid }}" group: "svadmins" mode: "0440" @@ -101,7 +101,7 @@ "client_id": "paperless", "secret": "{{ hostvars['console']['paperless']['oidc']['secret'] }}", "settings": { - "server_url": "https://authelia.ilnmors.com/.well-known/openid-configuration", + "server_url": "https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}/.well-known/openid-configuration", "token_auth_method": "client_secret_post" } } diff --git a/ansible/roles/app/tasks/services/set_vaultwarden.yaml b/ansible/roles/app/tasks/services/set_vaultwarden.yaml index b0054ab..392bb9c 100644 --- a/ansible/roles/app/tasks/services/set_vaultwarden.yaml +++ b/ansible/roles/app/tasks/services/set_vaultwarden.yaml @@ -15,7 +15,7 @@ ansible.builtin.copy: content: | {{ hostvars['console']['ca']['root']['crt'] }} - dest: "{{ node['home_path'] }}/containers/vaultwarden/ssl/ilnmors_root_ca.crt" + dest: "{{ node['home_path'] }}/containers/vaultwarden/ssl/{{ root_cert_filename }}" owner: "{{ ansible_user }}" group: "svadmins" mode: "0440" 
@@ -34,7 +34,8 @@ value: "{{ hostvars['console']['vaultwarden']['admin']['hash'] }}" - name: "VW_DATABASE_URL" value: "postgresql://vaultwarden:{{ hostvars['console']['postgresql']['password']['vaultwarden'] | urlencode | replace('/', '%2F') }}\ - @{{ infra_uri['postgresql']['domain'] }}/vaultwarden_db?sslmode=verify-full&sslrootcert=/etc/ssl/vaultwarden/ilnmors_root_ca.crt" + @{{ services['postgresql']['domain'] }}.{{ domain['internal'] }}/vaultwarden_db?sslmode=verify-full&\ + sslrootcert=/etc/ssl/vaultwarden/{{ root_cert_filename }}" notify: "notification_restart_vaultwarden" no_log: true diff --git a/ansible/roles/app/tasks/services/set_vikunja.yaml b/ansible/roles/app/tasks/services/set_vikunja.yaml index aaa9497..45d9ca7 100644 --- a/ansible/roles/app/tasks/services/set_vikunja.yaml +++ b/ansible/roles/app/tasks/services/set_vikunja.yaml @@ -20,7 +20,7 @@ ansible.builtin.copy: content: | {{ hostvars['console']['ca']['root']['crt'] }} - dest: "{{ node['home_path'] }}/containers/vikunja/ssl/ilnmors_root_ca.crt" + dest: "{{ node['home_path'] }}/containers/vikunja/ssl/{{ root_cert_filename }}" owner: "{{ vikunja_subuid }}" group: "svadmins" mode: "0440" diff --git a/ansible/roles/auth/tasks/services/set_authelia.yaml b/ansible/roles/auth/tasks/services/set_authelia.yaml index adbdcf6..43b428f 100644 --- a/ansible/roles/auth/tasks/services/set_authelia.yaml +++ b/ansible/roles/auth/tasks/services/set_authelia.yaml @@ -27,7 +27,7 @@ ansible.builtin.copy: content: | {{ hostvars['console']['ca']['root']['crt'] }} - dest: "{{ node['home_path'] }}/containers/authelia/certs/ilnmors_root_ca.crt" + dest: "{{ node['home_path'] }}/containers/authelia/certs/{{ root_cert_filename }}" owner: "{{ ansible_user }}" group: "svadmins" mode: "0440" diff --git a/ansible/roles/common/tasks/node/deploy_root_ca.yaml b/ansible/roles/common/tasks/node/deploy_root_ca.yaml index 87e793d..46af3ba 100644 --- a/ansible/roles/common/tasks/node/deploy_root_ca.yaml 
+++ b/ansible/roles/common/tasks/node/deploy_root_ca.yaml @@ -2,7 +2,7 @@ - name: Deploy root_ca.crt ansible.builtin.copy: content: "{{ hostvars['console']['ca']['root']['crt'] }}" - dest: "/usr/local/share/ca-certificates/ilnmors_root_ca.crt" + dest: "/usr/local/share/ca-certificates/{{ root_cert_filename }}" owner: "root" group: "root" mode: "0644" diff --git a/ansible/roles/common/tasks/services/set_caddy.yaml b/ansible/roles/common/tasks/services/set_caddy.yaml index 75b8c44..e182af0 100644 --- a/ansible/roles/common/tasks/services/set_caddy.yaml +++ b/ansible/roles/common/tasks/services/set_caddy.yaml @@ -54,7 +54,7 @@ - name: Deploy root crt for build ansible.builtin.copy: content: "{{ hostvars['console']['ca']['root']['crt'] }}" - dest: "{{ node['home_path'] }}/containers/caddy/build/ilnmors_root_ca.crt" + dest: "{{ node['home_path'] }}/containers/caddy/build/{{ root_cert_filename }}" owner: "{{ ansible_user }}" group: "svadmins" mode: "0640" @@ -62,7 +62,7 @@ - name: Build caddy container image containers.podman.podman_image: - name: "ilnmors.internal/{{ node['name'] }}/caddy" + name: "{{ domain['internal'] }}/{{ node['name'] }}/caddy" # check tags from container file tag: "{{ version['containers']['caddy'] }}" state: "build" diff --git a/ansible/roles/common/tasks/services/set_kopia.yaml b/ansible/roles/common/tasks/services/set_kopia.yaml index 643d3fc..d17c81e 100644 --- a/ansible/roles/common/tasks/services/set_kopia.yaml +++ b/ansible/roles/common/tasks/services/set_kopia.yaml 
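Review bot: The copy destination `/usr/local/share/ca-certificates/{{ root_cert_filename }}` is now variable-driven, and update-ca-certificates only picks up files in that directory whose name ends in `.crt`; the old literal guaranteed the suffix, while a later edit to `root_cert_filename` in group_vars would silently leave the root CA untrusted on every node. An assert ahead of the copy, `- ansible.builtin.assert:` / `that: root_cert_filename is match('.*\.crt$')` / `fail_msg: "root_cert_filename must end in .crt for update-ca-certificates"`, makes the constraint explicit. The task that runs update-ca-certificates is not in this hunk, so this assumes the Debian/Ubuntu trust-store flow that the `/usr/local/share/ca-certificates` path suggests.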
@@ -37,9 +37,9 @@ KOPIA_PASSWORD: "{{ hostvars['console']['kopia']['user']['console'] }}" ansible.builtin.shell: | /usr/bin/kopia repository connect server \ - --url=https://{{ infra_uri['kopia']['domain'] }}:{{ infra_uri['kopia']['ports']['https'] }} \ + --url=https://{{ services['kopia']['domain'] }}.{{ domain['internal'] }}:{{ services['kopia']['ports']['https'] }} \ --override-username=console \ - --override-hostname=console.ilnmors.internal + --override-hostname=console.{{ domain['internal'] }} changed_when: false failed_when: is_kopia_connected.rc != 0 register: "is_kopia_connected" diff --git a/ansible/roles/console/tasks/node/set_ssh_client.yaml b/ansible/roles/console/tasks/node/set_ssh_client.yaml index 87312f3..d63095a 100644 --- a/ansible/roles/console/tasks/node/set_ssh_client.yaml +++ b/ansible/roles/console/tasks/node/set_ssh_client.yaml @@ -23,7 +23,7 @@ become: true ansible.builtin.copy: content: | - @cert-authority *.ilnmors.internal {{ hostvars['console']['ssh']['ca']['pub'] }} + @cert-authority *.{{ domain['internal'] }} {{ hostvars['console']['ssh']['ca']['pub'] }} dest: "/etc/ssh/ssh_known_hosts" owner: "root" group: "root" diff --git a/ansible/roles/fw/tasks/services/set_ddns.yaml b/ansible/roles/fw/tasks/services/set_ddns.yaml index 83ca96e..a8b07d0 100644 --- a/ansible/roles/fw/tasks/services/set_ddns.yaml +++ b/ansible/roles/fw/tasks/services/set_ddns.yaml @@ -21,8 +21,8 @@ become: true - name: Deploy ddns service files - ansible.builtin.copy: - src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/ddns/{{ item }}" + ansible.builtin.template: + src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/fw/ddns/{{ item }}.j2" dest: "{{ node['home_path'] }}/.config/systemd/user/{{ item }}" owner: "{{ ansible_user }}" group: "svadmins" diff --git a/ansible/roles/infra/tasks/services/set_ca_server.yaml b/ansible/roles/infra/tasks/services/set_ca_server.yaml index 22435bd..5e3df71 100644 
--- a/ansible/roles/infra/tasks/services/set_ca_server.yaml +++ b/ansible/roles/infra/tasks/services/set_ca_server.yaml @@ -50,15 +50,15 @@ group: "svadmins" mode: "{{ item.mode }}" loop: - - name: "ilnmors_root_ca.crt" + - name: "{{ root_cert_filename }}" value: "{{ hostvars['console']['ca']['root']['crt'] }}" path: "{{ node['home_path'] }}/containers/ca/certs" mode: "0440" - - name: "ilnmors_intermediate_ca.crt" + - name: "{{ intermediate_cert_filename }}" value: "{{ hostvars['console']['ca']['intermediate']['crt'] }}" path: "{{ node['home_path'] }}/containers/ca/certs" mode: "0440" - - name: "ilnmors_intermediate_ca.key" + - name: "{{ intermediate_key_filename }}" value: "{{ hostvars['console']['ca']['intermediate']['key'] }}" path: "{{ node['home_path'] }}/containers/ca/secrets" mode: "0400" diff --git a/ansible/roles/infra/tasks/services/set_grafana.yaml b/ansible/roles/infra/tasks/services/set_grafana.yaml index 4bfd735..a2ca8be 100644 --- a/ansible/roles/infra/tasks/services/set_grafana.yaml +++ b/ansible/roles/infra/tasks/services/set_grafana.yaml @@ -23,7 +23,7 @@ ansible.builtin.copy: content: | {{ hostvars['console']['ca']['root']['crt'] }} - dest: "{{ node['home_path'] }}/containers/grafana/ssl/ilnmors_root_ca.crt" + dest: "{{ node['home_path'] }}/containers/grafana/ssl/{{ root_cert_filename }}" owner: "{{ grafana_subuid }}" group: "svadmins" mode: "0400" 
@@ -61,10 +61,10 @@ notify: "notification_restart_grafana" no_log: true -- name: Deploy provisioing and dashboard files - ansible.builtin.copy: - src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/infra/grafana/etc/provisioning/" - dest: "{{ node['home_path'] }}/containers/grafana/etc/provisioning/" +- name: Deploy provisioing file + ansible.builtin.template: + src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/infra/grafana/etc/provisioning/datasources/datasources.yaml.j2" + dest: "{{ node['home_path'] }}/containers/grafana/etc/provisioning/datasources/datasources.yaml" owner: "{{ grafana_subuid }}" group: "svadmins" mode: "0400" diff --git a/ansible/roles/infra/tasks/services/set_ldap.yaml b/ansible/roles/infra/tasks/services/set_ldap.yaml index 16a1002..52b9929 100644 --- a/ansible/roles/infra/tasks/services/set_ldap.yaml +++ b/ansible/roles/infra/tasks/services/set_ldap.yaml @@ -25,7 +25,7 @@ group: "svadmins" mode: "{{ item.mode }}" loop: - - name: "ilnmors_root_ca.crt" + - name: "{{ root_cert_filename }}" value: "{{ hostvars['console']['ca']['root']['crt'] }}" mode: "0440" - name: "ldap.crt" @@ -50,7 +50,7 @@ # urlencode doesn't fix `/` as `%2F`. It needs replace - name: "LLDAP_DATABASE_URL" value: "postgres://ldap:{{ hostvars['console']['postgresql']['password']['ldap'] | urlencode | replace('/', '%2F') }}\ - @{{ infra_uri['postgresql']['domain'] }}/ldap_db?sslmode=verify-full&sslrootcert=/etc/ssl/ldap/ilnmors_root_ca.crt" + @{{ services['postgresql']['domain'] }}.{{ domain['internal'] }}/ldap_db?sslmode=verify-full&sslrootcert=/etc/ssl/ldap/{{ root_cert_filename }}" - name: "LLDAP_KEY_SEED" value: "{{ hostvars['console']['ldap']['seed_key'] }}" - name: "LLDAP_JWT_SECRET" @@ -78,7 +78,7 @@ detach: false env: TZ: "Asia/Seoul" - LLDAP_LDAP_BASE_DN: "dc=ilnmors,dc=internal" + LLDAP_LDAP_BASE_DN: "{{ domain['dc'] }}" secrets: - "LLDAP_DATABASE_URL,type=env" - "LLDAP_KEY_SEED,type=env" 
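Review bot: The replaced task synced the whole `provisioning/` directory while the new one templates only `datasources/datasources.yaml`, so any dashboard provider or other file that lived under `provisioning/` is no longer deployed unless another task outside this hunk now covers it — worth confirming before merge. Grafana datasource provisioning commonly carries credentials (basic auth, `secureJsonData`); if `datasources.yaml.j2` pulls those from `hostvars['console']`, add `no_log: true` as the preceding task in this hunk already does, because `ansible.builtin.template` otherwise prints the rendered content in `--diff`/verbose runs. The task name also misspells provisioning: `- name: Deploy datasource provisioning file`.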
diff --git a/ansible/roles/infra/tasks/services/set_loki.yaml b/ansible/roles/infra/tasks/services/set_loki.yaml index 2d0f29e..48a597c 100644 --- a/ansible/roles/infra/tasks/services/set_loki.yaml +++ b/ansible/roles/infra/tasks/services/set_loki.yaml @@ -18,8 +18,8 @@ become: true - name: Deploy loki configuration file - ansible.builtin.copy: - src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/infra/loki/etc/loki.yaml" + ansible.builtin.template: + src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/infra/loki/etc/loki.yaml.j2" dest: "{{ node['home_path'] }}/containers/loki/etc/loki.yaml" owner: "{{ loki_subuid }}" group: "svadmins" @@ -37,7 +37,7 @@ group: "svadmins" mode: "{{ item.mode }}" loop: - - name: "ilnmors_root_ca.crt" + - name: "{{ root_cert_filename }}" value: "{{ hostvars['console']['ca']['root']['crt'] }}" mode: "0440" - name: "loki.crt" diff --git a/ansible/roles/infra/tasks/services/set_postgresql.yaml b/ansible/roles/infra/tasks/services/set_postgresql.yaml index bdf7702..8e3593d 100644 --- a/ansible/roles/infra/tasks/services/set_postgresql.yaml +++ b/ansible/roles/infra/tasks/services/set_postgresql.yaml @@ -42,7 +42,7 @@ - name: Build postgresql container image containers.podman.podman_image: - name: "ilnmors.internal/{{ node['name'] }}/postgres" + name: "{{ domain['internal'] }}/{{ node['name'] }}/postgres" # check tags from container file tag: "pg{{ version['containers']['postgresql'] }}-vectorchord{{ version['containers']['vectorchord'] }}" state: "build" @@ -75,7 +75,7 @@ group: "svadmins" mode: "{{ item.mode }}" loop: - - name: "ilnmors_root_ca.crt" + - name: "{{ root_cert_filename }}" value: "{{ hostvars['console']['ca']['root']['crt'] }}" mode: "0440" - name: "postgresql.crt" diff --git a/ansible/roles/infra/tasks/services/set_prometheus.yaml b/ansible/roles/infra/tasks/services/set_prometheus.yaml index 0edf970..74cbc11 100644 --- a/ansible/roles/infra/tasks/services/set_prometheus.yaml 
+++ b/ansible/roles/infra/tasks/services/set_prometheus.yaml @@ -41,7 +41,7 @@ group: "svadmins" mode: "{{ item.mode }}" loop: - - name: "ilnmors_root_ca.crt" + - name: "{{ root_cert_filename }}" value: "{{ hostvars['console']['ca']['root']['crt'] }}" mode: "0440" - name: "prometheus.crt" diff --git a/config/node/common/hosts.j2 b/config/node/common/hosts.j2 index 00f79e0..b38ccb8 100644 --- a/config/node/common/hosts.j2 +++ b/config/node/common/hosts.j2 
@@ -3,32 +3,32 @@
 ::1 {{ node['local_san'] }}
 {% if node['name'] == 'console' %}
 # Hosts IPv4
-{{ hostvars['fw']['network4']['firewall']['server'] }} fw.ilnmors.internal
-{{ hostvars['fw']['network4']['vmm']['client'] }} init.vmm.ilnmors.internal
-{{ hostvars['fw']['network4']['vmm']['server'] }} vmm.ilnmors.internal
-{{ hostvars['fw']['network4']['infra']['server'] }} infra.ilnmors.internal
-{{ hostvars['fw']['network4']['auth']['server'] }} auth.ilnmors.internal
-{{ hostvars['fw']['network4']['app']['server'] }} app.ilnmors.internal
+{{ hostvars['fw']['network4']['firewall']['server'] }} fw.{{ domain['internal'] }}
+{{ hostvars['fw']['network4']['vmm']['client'] }} init.vmm.{{ domain['internal'] }}
+{{ hostvars['fw']['network4']['vmm']['server'] }} vmm.{{ domain['internal'] }}
+{{ hostvars['fw']['network4']['infra']['server'] }} infra.{{ domain['internal'] }}
+{{ hostvars['fw']['network4']['auth']['server'] }} auth.{{ domain['internal'] }}
+{{ hostvars['fw']['network4']['app']['server'] }} app.{{ domain['internal'] }}
 # Hosts IPv6
-{{ hostvars['fw']['network6']['firewall']['server'] }} fw.ilnmors.internal
-{{ hostvars['fw']['network6']['vmm']['client'] }} init.vmm.ilnmors.internal
-{{ hostvars['fw']['network6']['vmm']['server'] }} vmm.ilnmors.internal
-{{ hostvars['fw']['network6']['infra']['server'] }} infra.ilnmors.internal
-{{ hostvars['fw']['network6']['auth']['server'] }} auth.ilnmors.internal
-{{ hostvars['fw']['network6']['app']['server'] }} app.ilnmors.internal
+{{ hostvars['fw']['network6']['firewall']['server'] }} fw.{{ domain['internal'] }}
+{{ hostvars['fw']['network6']['vmm']['client'] }} init.vmm.{{ domain['internal'] }}
+{{ hostvars['fw']['network6']['vmm']['server'] }} vmm.{{ domain['internal'] }}
+{{ hostvars['fw']['network6']['infra']['server'] }} infra.{{ domain['internal'] }}
+{{ hostvars['fw']['network6']['auth']['server'] }} auth.{{ domain['internal'] }}
+{{ hostvars['fw']['network6']['app']['server'] }} app.{{ domain['internal'] }}
 {% else %}
 # IPv4
 # Crowdsec, blocky, bind(fw)
-{{ hostvars['fw']['network4']['firewall']['server'] }} ntp.ilnmors.internal crowdsec.ilnmors.internal
-{{ hostvars['fw']['network4']['blocky']['server'] }} blocky.ilnmors.internal
-{{ hostvars['fw']['network4']['bind']['server'] }} bind.ilnmors.internal
+{{ hostvars['fw']['network4']['firewall']['server'] }} ntp.{{ domain['internal'] }} crowdsec.{{ domain['internal'] }}
+{{ hostvars['fw']['network4']['blocky']['server'] }} blocky.{{ domain['internal'] }}
+{{ hostvars['fw']['network4']['bind']['server'] }} bind.{{ domain['internal'] }}
 # DB, LDAP, CA, Prometheus, Loki, mail (infra)
-{{ hostvars['fw']['network4']['infra']['server'] }} postgresql.ilnmors.internal ldap.ilnmors.internal prometheus.ilnmors.internal loki.ilnmors.internal mail.ilnmors.internal ca.ilnmors.internal
+{{ hostvars['fw']['network4']['infra']['server'] }} postgresql.{{ domain['internal'] }} ldap.{{ domain['internal'] }} prometheus.{{ domain['internal'] }} loki.{{ domain['internal'] }} mail.{{ domain['internal'] }} ca.{{ domain['internal'] }}
 # IPv6
 # Crowdsec, blocky, bind(fw)
-{{ hostvars['fw']['network6']['firewall']['server'] }} ntp.ilnmors.internal crowdsec.ilnmors.internal
-{{ hostvars['fw']['network6']['blocky']['server'] }} blocky.ilnmors.internal
-{{ hostvars['fw']['network6']['bind']['server'] }} bind.ilnmors.internal
+{{ hostvars['fw']['network6']['firewall']['server'] }} ntp.{{ domain['internal'] }} crowdsec.{{ domain['internal'] }}
+{{ hostvars['fw']['network6']['blocky']['server'] }} blocky.{{ domain['internal'] }}
+{{ hostvars['fw']['network6']['bind']['server'] }} bind.{{ domain['internal'] }}
 # DB, LDAP, CA, Prometheus, Loki, mail (infra)
-{{ hostvars['fw']['network6']['infra']['server'] }} postgresql.ilnmors.internal ldap.ilnmors.internal prometheus.ilnmors.internal loki.ilnmors.internal mail.ilnmors.internal ca.ilnmors.internal
+{{ hostvars['fw']['network6']['infra']['server'] }} postgresql.{{ domain['internal'] }} ldap.{{ domain['internal'] }} prometheus.{{ domain['internal'] }} loki.{{ domain['internal'] }} mail.{{ domain['internal'] }} ca.{{ domain['internal'] }}
 {% endif %}
diff --git a/config/node/common/timesyncd/local-ntp.conf b/config/node/common/timesyncd/local-ntp.conf
index 8aae667..f9cfcc2 100644
--- a/config/node/common/timesyncd/local-ntp.conf
+++ b/config/node/common/timesyncd/local-ntp.conf
@@ -1,3 +1,3 @@
 [Time]
-NTP=ntp.ilnmors.internal
+NTP=ntp.{{ domain['internal'] }}
 FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org
diff --git a/config/services/containers/app/actual-budget/actual-budget.container.j2 b/config/services/containers/app/actual-budget/actual-budget.container.j2
index b52ca8e..a9995fb 100644
--- a/config/services/containers/app/actual-budget/actual-budget.container.j2
+++ b/config/services/containers/app/actual-budget/actual-budget.container.j2
@@ -9,14 +9,14 @@ Image=ghcr.io/actualbudget/actual-server:{{ version['containers']['actualbudget'
 ContainerName=actual-budget
 HostName=actual-budget
-PublishPort=5006:5006
+PublishPort={{ services['actualbudget']['ports']['http'] }}:5006
 Volume=%h/data/containers/actual-budget:/data:rw
 Environment="TZ=Asia/Seoul"
-Environment="ACTUAL_OPENID_DISCOVERY_URL=https://authelia.ilnmors.com/.well-known/openid-configuration"
+Environment="ACTUAL_OPENID_DISCOVERY_URL=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}/.well-known/openid-configuration"
 Environment="ACTUAL_OPENID_CLIENT_ID=actual-budget"
-Environment="ACTUAL_OPENID_SERVER_HOSTNAME=https://budget.ilnmors.com"
+Environment="ACTUAL_OPENID_SERVER_HOSTNAME=https://{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}"
 Environment="ACTUAL_OPENID_AUTH_METHOD=oauth2"
 Secret=ACTUAL_OPENID_CLIENT_SECRET,type=env
diff --git a/config/services/containers/app/gitea/gitea.container.j2 b/config/services/containers/app/gitea/gitea.container.j2
index ed369ea..483aa66 100644
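Review bot: `NTP=ntp.{{ domain['internal'] }}` puts a Jinja expression into a file that keeps its plain `local-ntp.conf` name, whereas the other files this commit converts (`loki.yaml.j2`, the ddns units) are renamed and switched to `ansible.builtin.template`. If the task that deploys this file — not in this diff — still uses `ansible.builtin.copy`, the literal braces reach the node and timesyncd silently drops to the public FallbackNTP pool, losing the local, firewalled time source. Rename it to `local-ntp.conf.j2` and template it, or keep the literal hostname.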
--- a/config/services/containers/app/gitea/gitea.container.j2
+++ b/config/services/containers/app/gitea/gitea.container.j2
@@ -23,18 +23,18 @@ Environment="TZ=Asia/Seoul"
 Environment="GITEA__server__DISABLE_SSH=true"
 # Database
 Environment="GITEA__database__DB_TYPE=postgres"
-Environment="GITEA__database__HOST={{ infra_uri['postgresql']['domain'] }}:{{ infra_uri['postgresql']['ports']['tcp'] }}"
+Environment="GITEA__database__HOST={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}:{{ services['postgresql']['ports']['tcp'] }}"
 Environment="GITEA__database__NAME=gitea_db"
 Environment="GITEA__database__USER=gitea"
 Secret=GITEA__database__PASSWD,type=env
 Environment="GITEA__database__SSL_MODE=verify-full"
-Environment="PGSSLROOTCERT=/etc/ssl/gitea/ilnmors_root_ca.crt"
+Environment="PGSSLROOTCERT=/etc/ssl/gitea/{{ root_cert_filename }}"
 # OAuth2 client
 Environment="GITEA__oauth2_client__ACCOUNT_LINKING=auto"
 # OIDC configuration
 Environment="GITEA__openid__ENABLE_OPENID_SIGNIN=false"
 Environment="GITEA__openid__ENABLE_OPENID_SIGNUP=true"
-Environment="GITEA__openid__WHITELISTED_URIS=authelia.ilnmors.com"
+Environment="GITEA__openid__WHITELISTED_URIS={{ services['authelia']['domain'] }}.{{ domain['public'] }}"
 # automatic create user via authelia
 Environment="GITEA__service__DISABLE_REGISTRATION=false"
 Environment="GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=true"
@@ -42,7 +42,7 @@ Environment="GITEA__service__SHOW_REGISTRATION_BUTTON=false"
 [Service]
-ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
+ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120
diff --git a/config/services/containers/app/immich/immich-ml.container.j2 b/config/services/containers/app/immich/immich-ml.container.j2
index f41c09b..5afd142 100644
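Review bot: The PostgreSQL FQDN is spelled out as `{{ services['postgresql']['domain'] }}.{{ domain['internal'] }}` twice in this file (GITEA__database__HOST and ExecStartPre) and again in the immich, paperless, vaultwarden, vikunja and authelia container files and the set_ldap/set_vaultwarden tasks. A single derived variable in group_vars, e.g. `postgresql_fqdn: "{{ services['postgresql']['domain'] }}.{{ domain['internal'] }}"`, would keep those copies from drifting and give one place to adjust if postgresql ever gets the `public`/`internal` domain mapping the app services use, which would turn `['domain']` into a mapping and break this concatenation.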
--- a/config/services/containers/app/immich/immich-ml.container.j2
+++ b/config/services/containers/app/immich/immich-ml.container.j2
@@ -13,7 +13,7 @@ Image=ghcr.io/immich-app/immich-machine-learning:{{ version['containers']['immic
 ContainerName=immich-ml
 HostName=immich-ml
-PublishPort=3003:3003
+PublishPort={{ services['immich-ml']['ports']['http'] }}:3003
 # iGPU access for OpenVINO
 AddDevice=/dev/dri:/dev/dri
diff --git a/config/services/containers/app/immich/immich.container.j2 b/config/services/containers/app/immich/immich.container.j2
index 5a228c3..a37d863 100644
--- a/config/services/containers/app/immich/immich.container.j2
+++ b/config/services/containers/app/immich/immich.container.j2
@@ -13,7 +13,7 @@ Image=ghcr.io/immich-app/immich-server:{{ version['containers']['immich'] }}
 ContainerName=immich
 HostName=immich
-PublishPort=2283:2283
+PublishPort={{ services['immich']['ports']['http'] }}:2283
 # iGPU access
 AddDevice=/dev/dri:/dev/dri
@@ -26,21 +26,21 @@ Volume=%h/containers/immich/ssl:/etc/ssl/immich:ro
 # Environment
 Environment="TZ=Asia/Seoul"
 Environment="REDIS_HOSTNAME=host.containers.internal"
-Environment="REDIS_PORT={{ hostvars['app']['redis']['immich'] }}"
+Environment="REDIS_PORT={{ services['immich']['ports']['redis'] }}"
 Environment="REDIS_DBINDEX=0"
 # Database
-Environment="DB_HOSTNAME={{ infra_uri['postgresql']['domain'] }}"
-Environment="DB_PORT={{ infra_uri['postgresql']['ports']['tcp'] }}"
+Environment="DB_HOSTNAME={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}"
+Environment="DB_PORT={{ services['postgresql']['ports']['tcp'] }}"
 Environment="DB_USERNAME=immich"
 Environment="DB_DATABASE_NAME=immich_db"
 Environment="DB_PASSWORD_FILE=/run/secrets/DB_PASSWORD"
 Environment="DB_SSL_MODE=verify-full"
-Environment="NODE_EXTRA_CA_CERTS=/etc/ssl/immich/ilnmors_root_ca.crt"
+Environment="NODE_EXTRA_CA_CERTS=/etc/ssl/immich/{{ root_cert_filename }}"
 Secret=IMMICH_DB_PASSWORD,target=/run/secrets/DB_PASSWORD
 [Service]
-ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
+ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120
diff --git a/config/services/containers/app/paperless/paperless.container.j2 b/config/services/containers/app/paperless/paperless.container.j2
index caab4ec..d4ae7fd 100644
--- a/config/services/containers/app/paperless/paperless.container.j2
+++ b/config/services/containers/app/paperless/paperless.container.j2
@@ -11,7 +11,7 @@ Wants=redis_paperless.service
 Image=ghcr.io/paperless-ngx/paperless-ngx:{{ version['containers']['paperless'] }}
 ContainerName=paperless
 HostName=paperless
-PublishPort=8001:8000/tcp
+PublishPort={{ services['paperless']['ports']['http'] }}:8000/tcp
 # Volumes
 Volume=%h/data/containers/paperless/data:/usr/src/paperless/data:rw
@@ -22,7 +22,7 @@ Volume=%h/containers/paperless/ssl:/etc/ssl/paperless:ro
 # General
 Environment="TZ=Asia/Seoul"
 Environment="PAPERLESS_TIME_ZONE=Asia/Seoul"
-Environment="PAPERLESS_URL=https://paperless.ilnmors.com"
+Environment="PAPERLESS_URL=https://{{ services['paperless']['domain']['public'] }}.{{ domain['public'] }}"
 Environment="PAPERLESS_OCR_LANGUAGE=kor+eng"
 Environment="PAPERLESS_OCR_LANGUAGES=kor"
 # Environment="PAPERLESS_OCR_MODE=force"
@@ -32,15 +32,15 @@ Environment="PAPERLESS_WORKER_TIMEOUT=7200"
 Secret=PAPERLESS_SECRET_KEY,type=env
 # Redis
-Environment="PAPERLESS_REDIS=redis://host.containers.internal:{{ hostvars['app']['redis']['paperless'] }}"
+Environment="PAPERLESS_REDIS=redis://host.containers.internal:{{ services['paperless']['ports']['redis'] }}"
 # Database
-Environment="PAPERLESS_DBHOST={{ infra_uri['postgresql']['domain'] }}"
-Environment="PAPERLESS_DBPORT={{ infra_uri['postgresql']['ports']['tcp'] }}"
+Environment="PAPERLESS_DBHOST={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}"
+Environment="PAPERLESS_DBPORT={{ services['postgresql']['ports']['tcp'] }}"
 Environment="PAPERLESS_DBNAME=paperless_db"
 Environment="PAPERLESS_DBUSER=paperless"
 Environment="PAPERLESS_DBSSLMODE=verify-full"
-Environment="PAPERLESS_DBSSLROOTCERT=/etc/ssl/paperless/ilnmors_root_ca.crt"
+Environment="PAPERLESS_DBSSLROOTCERT=/etc/ssl/paperless/{{ root_cert_filename }}"
 Secret=PAPERLESS_DBPASS,type=env
 # OIDC
@@ -50,7 +50,7 @@ Environment="PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS=true"
 Secret=PAPERLESS_SOCIALACCOUNT_PROVIDERS,type=env
 [Service]
-ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
+ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120
diff --git a/config/services/containers/app/redis/redis.conf.j2 b/config/services/containers/app/redis/redis.conf.j2
index 2895939..bad9c06 100644
--- a/config/services/containers/app/redis/redis.conf.j2
+++ b/config/services/containers/app/redis/redis.conf.j2
@@ -1,4 +1,4 @@
 databases 16
 bind 0.0.0.0
-port {{ hostvars['app']['redis'][redis_service] }}
+port 6379
 protected-mode no
diff --git a/config/services/containers/app/redis/redis.container.j2 b/config/services/containers/app/redis/redis.container.j2
index 77edd00..eff53ae 100644
--- a/config/services/containers/app/redis/redis.container.j2
+++ b/config/services/containers/app/redis/redis.container.j2
@@ -13,7 +13,7 @@ Image=docker.io/library/redis:{{ version['containers']['redis'] }}
 ContainerName=redis_{{ redis_service }}
 HostName=redis_{{ redis_service }}
-PublishPort={{ hostvars['app']['redis'][redis_service] }}:{{ hostvars['app']['redis'][redis_service] }}
+PublishPort={{ services[redis_service]['ports']['redis'] }}:6379
 Volume=%h/containers/redis/{{ redis_service }}/data:/data:rw
 Volume=%h/containers/redis/{{ redis_service }}/redis.conf:/usr/local/etc/redis/redis.conf:ro
diff --git a/config/services/containers/app/vaultwarden/vaultwarden.container.j2 b/config/services/containers/app/vaultwarden/vaultwarden.container.j2
index ea68470..a5ac7da 100644
--- a/config/services/containers/app/vaultwarden/vaultwarden.container.j2
+++ b/config/services/containers/app/vaultwarden/vaultwarden.container.j2
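Review bot: `PublishPort={{ services[redis_service]['ports']['redis'] }}:6379` publishes each Redis on all host interfaces, and the redis.conf.j2 hunk just above keeps `bind 0.0.0.0` with `protected-mode no` and no authentication in the lines shown, so only the host firewall — not visible in this diff — stands between the LAN and a writable Redis. immich and paperless reach it through `host.containers.internal`, so if no off-host client needs it, bind the publish to a host address, `PublishPort=127.0.0.1:{{ services[redis_service]['ports']['redis'] }}:6379`, after verifying that `host.containers.internal` resolves to loopback under the network mode in use (with rootless podman it often maps to a routable host address instead). Otherwise a comment in the unit naming the nftables rule that restricts this port would document the reliance.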
@@ -13,19 +13,19 @@ Image=docker.io/vaultwarden/server:{{ version['containers']['vaultwarden'] }}
 ContainerName=vaultwarden
 HostName=vaultwarden
-PublishPort=8000:80/tcp
+PublishPort={{ services['vaultwarden']['ports']['http'] }}:80/tcp
 Volume=%h/data/containers/vaultwarden:/data:rw
 Volume=%h/containers/vaultwarden/ssl:/etc/ssl/vaultwarden:ro
 Environment="TZ=Asia/Seoul"
-Environment="DOMAIN=https://vault.ilnmors.com"
+Environment="DOMAIN=https://{{ services['vaultwarden']['domain']['public'] }}.{{ domain['public'] }}"
 Environment="SIGNUPS_ALLOWED=false"
 Secret=VW_ADMIN_TOKEN,type=env,target=ADMIN_TOKEN
 Secret=VW_DATABASE_URL,type=env,target=DATABASE_URL
 [Service]
-ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
+ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
 Restart=always
 RestartSec=10s
 TimeoutStopSec=120
diff --git a/config/services/containers/app/vikunja/vikunja.container.j2 b/config/services/containers/app/vikunja/vikunja.container.j2
index bdb9d44..07ecc8c 100644
--- a/config/services/containers/app/vikunja/vikunja.container.j2
+++ b/config/services/containers/app/vikunja/vikunja.container.j2
@@ -11,7 +11,7 @@ Wants=network-online.target
 Image=docker.io/vikunja/vikunja:{{ version['containers']['vikunja'] }}
 ContainerName=vikunja
 HostName=vikunja
-PublishPort=3456:3456/tcp
+PublishPort={{ services['vikunja']['ports']['http'] }}:3456/tcp
 # Volumes
 Volume=%h/data/containers/vikunja:/app/vikunja/files:rw
@@ -21,25 +21,25 @@ Volume=%h/containers/vikunja/ssl:/etc/ssl/vikunja:ro Environment="TZ=Asia/Seoul" Environment="VIKUNJA_DEFAULTSETTINGS_TIMEZONE=Asia/Seoul" Environment="VIKUNJA_SERVICE_TIMEZONE=Asia/Seoul" -Environment="VIKUNJA_SERVICE_PUBLICURL=https://vikunja.ilnmors.com" +Environment="VIKUNJA_SERVICE_PUBLICURL=https://{{ services['vikunja']['domain']['public'] }}.{{ domain['public'] }}" Environment="VIKUNJA_SERVICE_ENABLEREGISTRATION=false" Secret=VIKUNJA_SERVICE_JWTSECRET,type=env # Database Environment="VIKUNJA_DATABASE_TYPE=postgres" -Environment="VIKUNJA_DATABASE_HOST={{ infra_uri['postgresql']['domain'] }}" +Environment="VIKUNJA_DATABASE_HOST={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}" Environment="VIKUNJA_DATABASE_USER=vikunja" Environment="VIKUNJA_DATABASE_DATABASE=vikunja_db" Environment="VIKUNJA_DATABASE_SSLMODE=verify-full" -Environment="VIKUNJA_DATABASE_SSLROOTCERT=/etc/ssl/vikunja/ilnmors_root_ca.crt" +Environment="VIKUNJA_DATABASE_SSLROOTCERT=/etc/ssl/vikunja/{{ root_cert_filename }}" Secret=VIKUNJA_DATABASE_PASSWORD,type=env # OIDC Environment="VIKUNJA_AUTH_OPENID_ENABLED=true" Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_NAME=Authelia" -Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_AUTHURL=https://authelia.ilnmors.com" +Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_AUTHURL=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}" Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_CLIENTID=vikunja" # Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_SCOPE=" default value = openid email profile # Vikunja doesn't support OIDC and local dual login. 
@@ -48,7 +48,7 @@ Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_CLIENTID=vikunja" Secret=VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_CLIENTSECRET,type=env [Service] -ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }} +ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }} Restart=always RestartSec=10s TimeoutStopSec=120 diff --git a/config/services/containers/auth/authelia/authelia.container.j2 b/config/services/containers/auth/authelia/authelia.container.j2 index 03d0f8a..b47cadb 100644 --- a/config/services/containers/auth/authelia/authelia.container.j2 +++ b/config/services/containers/auth/authelia/authelia.container.j2 @@ -15,7 +15,7 @@ ContainerName=authelia HostName=authelia # Web UI -PublishPort=9091:9091/tcp +PublishPort={{ services['authelia']['ports']['http'] }}:9091/tcp Volume=%h/containers/authelia/config:/config:rw @@ -56,8 +56,9 @@ Exec=--config /config/authelia.yaml # Wait for dependency # They run as rootless podman container, so their port is not opened until they are normaly running # Check their ports with nc command -ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }} -ExecStartPre=/usr/bin/nc -zv {{ infra_uri['ldap']['domain'] }} {{ infra_uri['ldap']['ports']['ldaps'] }} +ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }} +# services['ldap']['ports']['ldaps'] is 6360, but nftables works on 636 the original port +ExecStartPre=/usr/bin/nc -zv {{ services['ldap']['domain'] }}.{{ domain['internal'] }} 636 ExecStartPre=sleep 5 Restart=always RestartSec=10s diff --git a/config/services/containers/auth/authelia/config/authelia.yaml.j2 b/config/services/containers/auth/authelia/config/authelia.yaml.j2 index 84b6acd..c0ac5e6 100644 
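Review bot: `services['ldap']['ports']['ldaps']` now carries the published port 6360, so its two consumers disagree on what it means: the nc check here deliberately keeps the literal `636` (the nftables redirect path), while ldap.toml.j2 later in this diff renders `port = {{ services['ldap']['ports']['ldaps'] }}` and thereby moves Grafana from 636 to 6360, bypassing the redirect. If that switch is intentional, say so in ldap.toml.j2; if not, either keep `port = 636` there or add a second key that separates the client-facing port from the published one so neither file needs a literal. The comment on the changed line would also read more precisely as `# ldaps is reached through the nftables 636 -> 6360 redirect, so probe the client-facing port`.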
--- a/config/services/containers/auth/authelia/config/authelia.yaml.j2 +++ b/config/services/containers/auth/authelia/config/authelia.yaml.j2 @@ -20,7 +20,7 @@ log: # TOTP configuration totp: # issure option is for 2FA app. It works as identifier. "My homelab' or 'ilnmors.internal', 'Authelia - ilnmors' - issuer: 'ilnmors.internal' + issuer: '{{ domain['internal'] }}' # Identity validation confituration identity_validation: @@ -31,21 +31,21 @@ identity_validation: authentication_backend: ldap: # ldaps uses 636 -> NAT automatically change port 636 in output packet -> 2636 which lldap server uses. - address: 'ldaps://ldap.ilnmors.internal' + address: 'ldaps://{{ services['ldap']['domain'] }}.{{ domain['internal'] }}' implementation: 'lldap' - # tls configruation, it uses certificates_directory's /etc/ssl/authelia/ilnmors_root_ca.crt + # tls configruation, it uses certificates_directory's /etc/ssl/authelia/{{ root_cert_filename }} tls: - server_name: 'ldap.ilnmors.internal' + server_name: '{{ services['ldap']['domain'] }}.{{ domain['internal'] }}' skip_verify: false # LLDAP base DN - base_dn: 'dc=ilnmors,dc=internal' + base_dn: '{{ domain['dc'] }}' additional_users_dn: 'ou=people' additional_groups_dn: 'ou=groups' # LLDAP filters users_filter: '(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))' groups_filter: '(&(member={dn})(objectClass=groupOfNames))' # LLDAP bind account configuration - user: 'uid=authelia,ou=people,dc=ilnmors,dc=internal' + user: 'uid=authelia,ou=people,{{ domain['dc'] }}' password: '' # $AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE option is designated in container file # Access control configuration 
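Review bot: The comment directly above the changed `address:` line still says the NAT redirect ends at port 2636, while ldap.container.j2 in this same diff documents `636 > 6360` and publishes `6360:6360`; since the commit touches the line that comment annotates, align it, e.g. `# ldaps uses 636 -> nftables redirects 636 to 6360, where the lldap container listens.` The port-less `ldaps://…` address depends on that redirect staying in place, and a short note saying so would spare the next reader a search through the container units.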
@@ -53,14 +53,12 @@ access_control: default_policy: 'deny' rules: # authelia portal - - domain: 'authelia.ilnmors.internal' + - domain: '{{ services['authelia']['domain'] }}.{{ domain['public'] }}' policy: 'bypass' - - domain: 'authelia.ilnmors.com' - policy: 'bypass' - - domain: 'test.ilnmors.com' - policy: 'one_factor' - subject: - - 'group:admins' +# - domain: 'test.ilnmors.com' +# policy: 'one_factor' +# subject: +# - 'group:admins' # Session provider configuration session: secret: '' # $AUTHELIA_SESSION_SECRET_FILE is designated in container file @@ -68,8 +66,8 @@ session: inactivity: '24 hours' # Session maintains for 24 hours without actions cookies: - name: 'authelia_public_session' - domain: 'ilnmors.com' - authelia_url: 'https://authelia.ilnmors.com' + domain: '{{ domain['public'] }}' + authelia_url: 'https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}' same_site: 'lax' # This authelia doesn't use Redis. @@ -78,12 +76,12 @@ session: storage: encryption_key: '' # $AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE is designated in container file postgres: - address: 'tcp://{{ infra_uri['postgresql']['domain'] }}:{{ infra_uri['postgresql']['ports']['tcp'] }}' + address: 'tcp://{{ services['postgresql']['domain'] }}.{{ domain['internal'] }}:{{ services['postgresql']['ports']['tcp'] }}' database: 'authelia_db' username: 'authelia' password: '' # $AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE is designated in container file tls: - server_name: '{{ infra_uri['postgresql']['domain'] }}' + server_name: '{{ services['postgresql']['domain'] }}.{{ domain['internal'] }}' skip_verify: false # Notification provider @@ -117,7 +115,7 @@ identity_providers: require_pkce: false pkce_challenge_method: '' redirect_uris: - - 'https://{{ infra_uri['nas']['domain'] }}:{{ infra_uri['nas']['ports']['https'] }}' + - 'https://{{ services['nas']['domain'] }}.{{ domain['internal'] }}:{{ services['nas']['ports']['https'] }}' scopes: - 'openid' - 'profile' 
@@ -140,7 +138,7 @@ identity_providers: require_pkce: false pkce_challenge_method: '' redirect_uris: - - 'https://gitea.ilnmors.com/user/oauth2/authelia/callback' + - 'https://{{ services['gitea']['domain']['public'] }}.{{ domain['public'] }}/user/oauth2/authelia/callback' scopes: - 'openid' - 'email' @@ -161,8 +159,8 @@ identity_providers: require_pkce: false pkce_challenge_method: '' redirect_uris: - - 'https://immich.ilnmors.com/auth/login' - - 'https://immich.ilnmors.com/user-settings' + - 'https://{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}/auth/login' + - 'https://{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}/user-settings' - 'app.immich:///oauth-callback' scopes: - 'openid' @@ -184,7 +182,7 @@ identity_providers: require_pkce: false pkce_challenge_method: '' redirect_uris: - - 'https://budget.ilnmors.com/openid/callback' + - 'https://{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}/openid/callback' scopes: - 'openid' - 'profile' @@ -206,7 +204,7 @@ identity_providers: require_pkce: true pkce_challenge_method: 'S256' redirect_uris: - - 'https://paperless.ilnmors.com/accounts/oidc/authelia/login/callback/' + - 'https://{{ services['paperless']['domain']['public'] }}.{{ domain['public'] }}/accounts/oidc/authelia/login/callback/' scopes: - 'openid' - 'profile' @@ -228,7 +226,7 @@ identity_providers: require_pkce: false pkce_challenge_method: '' redirect_uris: - - 'https://vikunja.ilnmors.com/auth/openid/authelia' + - 'https://{{ services['vikunja']['domain']['public'] }}.{{ domain['public'] }}/auth/openid/authelia' scopes: - 'openid' - 'profile' diff --git a/config/services/containers/common/caddy/build/caddy.containerfile.j2 b/config/services/containers/common/caddy/build/caddy.containerfile.j2 index b6eb133..79afe97 100644 --- a/config/services/containers/common/caddy/build/caddy.containerfile.j2 +++ b/config/services/containers/common/caddy/build/caddy.containerfile.j2 
@@ -12,6 +12,6 @@ RUN xcaddy build \ FROM docker.io/library/caddy:{{ version['containers']['caddy'] }} COPY --from=builder /usr/bin/caddy /usr/bin/caddy -COPY ./ilnmors_root_ca.crt /usr/local/share/ca-certificates/ilnmors_root_ca.crt +COPY ./{{ root_cert_filename }} /usr/local/share/ca-certificates/{{ root_cert_filename }} RUN update-ca-certificates diff --git a/config/services/containers/common/caddy/caddy.container.j2 b/config/services/containers/common/caddy/caddy.container.j2 index 9cf0132..2e5cb38 100644 --- a/config/services/containers/common/caddy/caddy.container.j2 +++ b/config/services/containers/common/caddy/caddy.container.j2 @@ -14,18 +14,18 @@ Wants=network-online.target [Container] -Image=ilnmors.internal/{{ node['name'] }}/caddy:{{ version['containers']['caddy'] }} +Image={{ domain['internal'] }}/{{ node['name'] }}/caddy:{{ version['containers']['caddy'] }} ContainerName=caddy_{{ node['name'] }} HostName=caddy_{{ node['name'] }} {% if node['name'] == 'infra' %} -AddHost={{ infra_uri['ca']['domain'] }}:host-gateway -AddHost={{ infra_uri['prometheus']['domain'] }}:host-gateway -AddHost={{ infra_uri['loki']['domain'] }}:host-gateway +AddHost={{ services['ca']['domain'] }}.{{ domain['internal'] }}:host-gateway +AddHost={{ services['prometheus']['domain'] }}.{{ domain['internal'] }}:host-gateway +AddHost={{ services['loki']['domain'] }}.{{ domain['internal'] }}:host-gateway {% endif %} -PublishPort=2080:80/tcp -PublishPort=2443:443/tcp +PublishPort={{ services['caddy']['ports']['http'] }}:80/tcp +PublishPort={{ services['caddy']['ports']['https'] }}:443/tcp Volume=%h/containers/caddy/etc:/etc/caddy:ro Volume=%h/containers/caddy/data:/data:rw diff --git a/config/services/containers/common/caddy/etc/app/Caddyfile.j2 b/config/services/containers/common/caddy/etc/app/Caddyfile.j2 index 2217feb..ef524c5 100644 --- a/config/services/containers/common/caddy/etc/app/Caddyfile.j2 +++ b/config/services/containers/common/caddy/etc/app/Caddyfile.j2 
@@ -8,19 +8,19 @@ (private_tls) { tls { issuer acme { - dir https://{{ infra_uri['ca']['domain'] }}:{{ infra_uri['ca']['ports']['https'] }}/acme/acme@ilnmors.internal/directory + dir https://{{ services['ca']['domain'] }}.{{ domain['internal'] }}:{{ services['ca']['ports']['https'] }}/acme/acme@{{ domain['internal'] }}/directory dns rfc2136 { - server {{ infra_uri['bind']['domain'] }}:{{ infra_uri['bind']['ports']['dns'] }} + server {{ services['bind']['domain'] }}.{{ domain['internal'] }}:{{ services['bind']['ports']['dns'] }} key_name acme-key key_alg hmac-sha256 key "{file./run/secrets/CADDY_ACME_KEY}" } - resolvers {{ infra_uri['bind']['domain'] }} + resolvers {{ services['bind']['domain'] }}.{{ domain['internal'] }} } } } -app.ilnmors.internal { +{{ node['name'] }}.{{ domain['internal'] }} { import private_tls metrics } 
@@ -29,39 +29,39 @@ app.ilnmors.internal { # root * /usr/share/caddy # file_server # } -vault.app.ilnmors.internal { +{{ services['vaultwarden']['domain']['internal'] }}.{{ domain['internal'] }} { import private_tls - reverse_proxy host.containers.internal:8000 { + reverse_proxy host.containers.internal:{{ services['vaultwarden']['ports']['http'] }} { header_up Host {http.request.header.X-Forwarded-Host} } } -gitea.app.ilnmors.internal { +{{ services['gitea']['domain']['internal'] }}.{{ domain['internal'] }} { import private_tls - reverse_proxy host.containers.internal:3000 { + reverse_proxy host.containers.internal:{{ services['gitea']['ports']['http'] }} { header_up Host {http.request.header.X-Forwarded-Host} } } -immich.app.ilnmors.internal { +{{ services['immich']['domain']['internal'] }}.{{ domain['internal'] }} { import private_tls - reverse_proxy host.containers.internal:2283 { + reverse_proxy host.containers.internal:{{ services['immich']['ports']['http'] }} { header_up Host {http.request.header.X-Forwarded-Host} } } -budget.app.ilnmors.internal { +{{ services['actualbudget']['domain']['internal'] }}.{{ domain['internal'] }} { import private_tls - reverse_proxy host.containers.internal:5006 { + reverse_proxy host.containers.internal:{{ services['actualbudget']['ports']['http'] }} { header_up Host {http.request.header.X-Forwarded-Host} } } -paperless.app.ilnmors.internal { +{{ services['paperless']['domain']['internal'] }}.{{ domain['internal'] }} { import private_tls - reverse_proxy host.containers.internal:8001 { + reverse_proxy host.containers.internal:{{ services['paperless']['ports']['http'] }} { header_up Host {http.request.header.X-Forwarded-Host} } } -vikunja.app.ilnmors.internal { +{{ services['vikunja']['domain']['internal'] }}.{{ domain['internal'] }} { import private_tls - reverse_proxy host.containers.internal:3456 { + reverse_proxy host.containers.internal:{{ services['vikunja']['ports']['http'] }} { header_up Host 
{http.request.header.X-Forwarded-Host} } } diff --git a/config/services/containers/common/caddy/etc/auth/Caddyfile.j2 b/config/services/containers/common/caddy/etc/auth/Caddyfile.j2 index cea2ef1..2100ba7 100644 --- a/config/services/containers/common/caddy/etc/auth/Caddyfile.j2 +++ b/config/services/containers/common/caddy/etc/auth/Caddyfile.j2 @@ -1,7 +1,7 @@ { # CrowdSec LAPI connection crowdsec { - api_url https://{{ infra_uri['crowdsec']['domain'] }}:{{ infra_uri['crowdsec']['ports']['https'] }} + api_url https://{{ services['crowdsec']['domain'] }}.{{ domain['internal'] }}:{{ services['crowdsec']['ports']['https'] }} api_key "{file./run/secrets/CADDY_CROWDSEC_KEY}" } } @@ -15,27 +15,27 @@ roll_size 100MiB roll_keep 1 } - format json + format json } } # Private TLS ACME with DNS-01-challenge (private_tls) { tls { issuer acme { - dir https://{{ infra_uri['ca']['domain'] }}:{{ infra_uri['ca']['ports']['https'] }}/acme/acme@ilnmors.internal/directory + dir https://{{ services['ca']['domain'] }}.{{ domain['internal'] }}:{{ services['ca']['ports']['https'] }}/acme/acme@{{ domain['internal'] }}/directory dns rfc2136 { - server {{ infra_uri['bind']['domain'] }}:{{ infra_uri['bind']['ports']['dns'] }} + server {{ services['bind']['domain'] }}.{{ domain['internal'] }}:{{ services['bind']['ports']['dns'] }} key_name acme-key key_alg hmac-sha256 key "{file./run/secrets/CADDY_ACME_KEY}" } - resolvers {{ infra_uri['bind']['domain'] }} + resolvers {{ services['bind']['domain'] }}.{{ domain['internal'] }} } } } # Public domain -authelia.ilnmors.com { +{{ services['authelia']['domain'] }}.{{ domain['public'] }} { import crowdsec_log route { crowdsec 
@@ -64,63 +64,63 @@ authelia.ilnmors.com { # } # } # } -vault.ilnmors.com { +{{ services['vaultwarden']['domain']['public'] }}.{{ domain['public'] }} { import crowdsec_log route { crowdsec - reverse_proxy https://vault.app.ilnmors.internal { + reverse_proxy https://{{ services['vaultwarden']['domain']['internal'] }}.{{ domain['internal'] }} { header_up Host {http.reverse_proxy.upstream.host} } } } -gitea.ilnmors.com { +{{ services['gitea']['domain']['public'] }}.{{ domain['public'] }} { import crowdsec_log route { crowdsec - reverse_proxy https://gitea.app.ilnmors.internal { + reverse_proxy https://{{ services['gitea']['domain']['internal'] }}.{{ domain['internal'] }} { header_up Host {http.reverse_proxy.upstream.host} } } } -immich.ilnmors.com { +{{ services['immich']['domain']['public'] }}.{{ domain['public'] }} { import crowdsec_log route { crowdsec - reverse_proxy https://immich.app.ilnmors.internal { + reverse_proxy https://{{ services['immich']['domain']['internal'] }}.{{ domain['internal'] }} { header_up Host {http.reverse_proxy.upstream.host} } } } -budget.ilnmors.com { +{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }} { import crowdsec_log route { crowdsec - reverse_proxy https://budget.app.ilnmors.internal { + reverse_proxy https://{{ services['actualbudget']['domain']['internal'] }}.{{ domain['internal'] }} { header_up Host {http.reverse_proxy.upstream.host} } } } -paperless.ilnmors.com { +{{ services['paperless']['domain']['public'] }}.{{ domain['public'] }} { import crowdsec_log route { crowdsec - reverse_proxy https://paperless.app.ilnmors.internal { + reverse_proxy https://{{ services['paperless']['domain']['internal'] }}.{{ domain['internal'] }} { header_up Host {http.reverse_proxy.upstream.host} } } } -vikunja.ilnmors.com { +{{ services['vikunja']['domain']['public'] }}.{{ domain['public'] }} { import crowdsec_log route { crowdsec - reverse_proxy https://vikunja.app.ilnmors.internal { - header_up HOST 
{http.reverse_proxy.upstream.host} + reverse_proxy https://{{ services['vikunja']['domain']['internal'] }}.{{ domain['internal'] }} { + header_up Host {http.reverse_proxy.upstream.host} } } } # Internal domain -auth.ilnmors.internal { +{{ node['name'] }}.{{ domain['internal'] }} { import private_tls metrics } diff --git a/config/services/containers/common/caddy/etc/infra/Caddyfile.j2 b/config/services/containers/common/caddy/etc/infra/Caddyfile.j2 index f6c37a7..6420833 100644 --- a/config/services/containers/common/caddy/etc/infra/Caddyfile.j2 +++ b/config/services/containers/common/caddy/etc/infra/Caddyfile.j2 
@@ -2,40 +2,40 @@ (private_tls) { tls { issuer acme { - dir https://{{ infra_uri['ca']['domain'] }}:{{ infra_uri['ca']['ports']['https'] }}/acme/acme@ilnmors.internal/directory + dir https://{{ services['ca']['domain'] }}.{{ domain['internal'] }}:{{ services['ca']['ports']['https'] }}/acme/acme@{{ domain['internal'] }}/directory dns rfc2136 { - server {{ infra_uri['bind']['domain'] }}:{{ infra_uri['bind']['ports']['dns'] }} + server {{ services['bind']['domain'] }}.{{ domain['internal'] }}:{{ services['bind']['ports']['dns'] }} key_name acme-key key_alg hmac-sha256 key "{file./run/secrets/CADDY_ACME_KEY}" } - resolvers {{ infra_uri['bind']['domain'] }} + resolvers {{ services['bind']['domain'] }}.{{ domain['internal'] }} } } } -infra.ilnmors.internal { +{{ node['name'] }}.{{ domain['internal'] }} { import private_tls metrics } -{{ infra_uri['ldap']['domain'] }} { +{{ services['ldap']['domain'] }}.{{ domain['internal'] }} { import private_tls route { - reverse_proxy host.containers.internal:{{ infra_uri['ldap']['ports']['http'] }} + reverse_proxy host.containers.internal:{{ services['ldap']['ports']['http'] }} } } -{{ infra_uri['prometheus']['domain'] }} { +{{ services['prometheus']['domain'] }}.{{ domain['internal'] }} { import private_tls route { - reverse_proxy https://{{ infra_uri['prometheus']['domain'] }}:{{ infra_uri['prometheus']['ports']['https'] }} + reverse_proxy https://{{ services['prometheus']['domain'] }}.{{ domain['internal'] }}:{{ services['prometheus']['ports']['https'] }} } } -grafana.ilnmors.internal { +{{ services['grafana']['domain'] }}.{{ domain['internal'] }} { import private_tls route { - reverse_proxy host.containers.internal:3000 + reverse_proxy host.containers.internal:{{ services['grafana']['ports']['http'] }} } } diff --git a/config/services/containers/infra/ca/ca.container.j2 b/config/services/containers/infra/ca/ca.container.j2 index 95fb817..584886b 100644 --- a/config/services/containers/infra/ca/ca.container.j2 
+++ b/config/services/containers/infra/ca/ca.container.j2 @@ -13,7 +13,7 @@ Image=docker.io/smallstep/step-ca:{{ version['containers']['step'] }} ContainerName=ca HostName=ca -PublishPort=9000:9000/tcp +PublishPort={{ services['ca']['ports']['https'] }}:9000/tcp Volume=%h/containers/ca/certs:/home/step/certs:ro Volume=%h/containers/ca/secrets:/home/step/secrets:ro diff --git a/config/services/containers/infra/ca/config/ca.json.j2 b/config/services/containers/infra/ca/config/ca.json.j2 index 47b839f..1241cb7 100644 --- a/config/services/containers/infra/ca/config/ca.json.j2 +++ b/config/services/containers/infra/ca/config/ca.json.j2 @@ -1,12 +1,12 @@ { - "root": "/home/step/certs/ilnmors_root_ca.crt", + "root": "/home/step/certs/{{ root_cert_filename }}", "federatedRoots": null, - "crt": "/home/step/certs/ilnmors_intermediate_ca.crt", - "key": "/home/step/secrets/ilnmors_intermediate_ca.key", + "crt": "/home/step/certs/{{ intermediate_cert_filename }}", + "key": "/home/step/secrets/{{ intermediate_key_filename }}", "address": ":9000", "insecureAddress": "", "dnsNames": [ - "{{ infra_uri['ca']['domain'] }}" + "{{ services['ca']['domain'] }}.{{ domain['internal'] }}" ], "logger": { "format": "text" @@ -21,9 +21,9 @@ "x509": { "allow": { "dns": [ - "ilnmors.internal", - "*.ilnmors.internal", - "*.app.ilnmors.internal" + "{{ domain['internal'] }}", + "*.{{ domain['internal'] }}", + "*.app.{{ domain['internal'] }}" ] }, "allowWildcardNames": true @@ -32,7 +32,7 @@ "provisioners": [ { "type": "ACME", - "name": "acme@ilnmors.internal", + "name": "acme@{{ domain['internal'] }}", "claims": { "defaultTLSCertDuration": "2160h0m0s", "enableSSHCA": true, @@ -58,5 +58,5 @@ "maxVersion": 1.3, "renegotiation": false }, - "commonName": "ilnmors Online CA" + "commonName": "{{ domain['internal'] }} Online CA" } diff --git a/config/services/containers/infra/ca/config/defaults.json.j2 b/config/services/containers/infra/ca/config/defaults.json.j2 index b53c767..5525b2e 100644 
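Review bot: `"commonName": "{{ domain['internal'] }} Online CA"` changes the rendered value from `ilnmors Online CA` to `ilnmors.internal Online CA`, whereas `domain['org']` (`"ilnmors"` in the group_vars hunk) would preserve the existing name: `"commonName": "{{ domain['org'] }} Online CA"`. I believe step-ca uses this field as the CN of its own server certificate, so the change is most likely cosmetic, but an unannounced CN change in a CA config deserves either the `org` variant or a one-line comment saying the rename is intended. In the `allow.dns` hunk above, `"*.app.{{ domain['internal'] }}"` still hard-codes the `app` node name while the Caddyfiles use `{{ node['name'] }}`; if further nodes gain app-style subdomains this allow list needs extending by hand.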
--- a/config/services/containers/infra/ca/config/defaults.json.j2 +++ b/config/services/containers/infra/ca/config/defaults.json.j2 @@ -1,6 +1,6 @@ { - "ca-url": "https://{{ infra_uri['ca']['domain'] }}:{{ infra_uri['ca']['ports']['https'] }}", + "ca-url": "https://{{ services['ca']['domain'] }}.{{ domain['internal'] }}:{{ services['ca']['ports']['https'] }}", "ca-config": "/home/step/config/ca.json", "fingerprint": "215c851d2d0d2dbf90fc3507425207c29696ffd587c640c94a68dddb1d84d8e8", - "root": "/home/step/certs/ilnmors_root_ca.crt" + "root": "/home/step/certs/{{ root_cert_filename }}" } diff --git a/config/services/containers/infra/grafana/etc/grafana.ini.j2 b/config/services/containers/infra/grafana/etc/grafana.ini.j2 index fed1a52..c1c3f7f 100644 --- a/config/services/containers/infra/grafana/etc/grafana.ini.j2 +++ b/config/services/containers/infra/grafana/etc/grafana.ini.j2 @@ -7,19 +7,19 @@ provisioning = /etc/grafana/provisioning [server] protocol = http -http_port = 3000 -domain = grafana.ilnmors.internal -root_url = http://grafana.ilnmors.internal/ +http_port = {{ services['grafana']['ports']['http'] }} +domain = {{ services['grafana']['domain'] }}.{{ domain['internal'] }} +root_url = http://{{ services['grafana']['domain'] }}.{{ domain['internal'] }}/ router_logging = false [database] type = postgres -host = {{ infra_uri['postgresql']['domain'] }}:{{ infra_uri['postgresql']['ports']['tcp'] }} +host = {{ services['postgresql']['domain'] }}.{{ domain['internal'] }}:{{ services['postgresql']['ports']['tcp'] }} name = grafana_db user = grafana password = $__file{/run/secrets/GF_DB_PASSWORD} ssl_mode = verify-full -ca_cert_path = /etc/ssl/grafana/ilnmors_root_ca.crt +ca_cert_path = /etc/ssl/grafana/{{ root_cert_filename }} [auth.ldap] enabled = true diff --git a/config/services/containers/infra/grafana/etc/ldap.toml.j2 b/config/services/containers/infra/grafana/etc/ldap.toml.j2 index 8834493..e9a14ea 100644 
--- a/config/services/containers/infra/grafana/etc/ldap.toml.j2 +++ b/config/services/containers/infra/grafana/etc/ldap.toml.j2 @@ -1,7 +1,7 @@ # https://github.com/lldap/lldap/blob/main/example_configs/grafana_ldap_config.toml [[servers]] -host = "{{ infra_uri['ldap']['domain'] }}" -port = {{ infra_uri['ldap']['ports']['ldaps'] }} +host = "{{ services['ldap']['domain'] }}.{{ domain['internal'] }}" +port = {{ services['ldap']['ports']['ldaps'] }} # Activate STARTTLS or LDAPS use_ssl = true # true = STARTTLS, false = LDAPS @@ -9,16 +9,16 @@ start_tls = false tls_ciphers = [] min_tls_version = "" ssl_skip_verify = false -root_ca_cert = "/etc/ssl/grafana/ilnmors_root_ca.crt" +root_ca_cert = "/etc/ssl/grafana/{{ root_cert_filename }}" # mTLS option, it is not needed # client_cert = "/path/to/client.crt" # client_key = "/path/to/client.key" -bind_dn = "uid=grafana,ou=people,dc=ilnmors,dc=internal" +bind_dn = "uid=grafana,ou=people,{{ domain['dc'] }}" bind_password = "$__file{/run/secrets/LDAP_BIND_PASSWORD}" search_filter = "(|(uid=%s)(mail=%s))" -search_base_dns = ["dc=ilnmors,dc=internal"] +search_base_dns = ["{{ domain['dc'] }}"] [servers.attributes] member_of = "memberOf" 
@@ -28,20 +28,20 @@ surname = "sn" username = "uid" group_search_filter = "(&(objectClass=groupOfUniqueNames)(uniqueMember=%s))" -group_search_base_dns = ["ou=groups,dc=ilnmors,dc=internal"] +group_search_base_dns = ["ou=groups,{{ domain['dc'] }}"] group_search_filter_user_attribute = "uid" [[servers.group_mappings]] -group_dn = "cn=lldap_admin,ou=groups,dc=ilnmors,dc=internal" +group_dn = "cn=lldap_admin,ou=groups,{{ domain['dc'] }}" org_role = "Admin" grafana_admin = true [[servers.group_mappings]] -group_dn = "cn=admins,ou=groups,dc=ilnmors,dc=internal" +group_dn = "cn=admins,ou=groups,{{ domain['dc'] }}" org_role = "Editor" grafana_admin = false [[servers.group_mappings]] -group_dn = "cn=users,ou=groups,dc=ilnmors,dc=internal" +group_dn = "cn=users,ou=groups,{{ domain['dc'] }}" org_role = "Viewer" grafana_admin = false diff --git a/config/services/containers/infra/grafana/etc/provisioning/datasources/datasources.yaml b/config/services/containers/infra/grafana/etc/provisioning/datasources/datasources.yaml.j2 similarity index 55% rename from config/services/containers/infra/grafana/etc/provisioning/datasources/datasources.yaml rename to config/services/containers/infra/grafana/etc/provisioning/datasources/datasources.yaml.j2 index cd10a56..44630a3 100644 --- a/config/services/containers/infra/grafana/etc/provisioning/datasources/datasources.yaml +++ b/config/services/containers/infra/grafana/etc/provisioning/datasources/datasources.yaml.j2 @@ -4,7 +4,7 @@ apiVersion: 1 datasources: - name: Prometheus type: prometheus - url: https://prometheus.ilnmors.internal:9090 + url: https://{{ services['prometheus']['domain'] }}.{{ domain['internal'] }}:{{ services['prometheus']['ports']['https'] }} access: proxy isDefault: true jsonData: 
@@ -12,11 +12,11 @@ datasources: tlsAuthWithCACert: true httpMethod: POST secureJsonData: - tlsCACert: "$__file{/etc/ssl/grafana/ilnmors_root_ca.crt}" + tlsCACert: "$__file{/etc/ssl/grafana/{{ root_cert_filename }}}" - name: Loki type: loki - url: https://loki.ilnmors.internal:3100 + url: https://{{ services['loki']['domain'] }}.{{ domain['internal'] }}:{{ services['loki']['ports']['https'] }} access: proxy jsonData: tlsAuth: false @@ -25,5 +25,5 @@ datasources: httpHeaderName1: "X-Scope-OrgID" maxLines: 1000 secureJsonData: - tlsCACert: "$__file{/etc/ssl/grafana/ilnmors_root_ca.crt}" - httpHeaderValue1: "ilnmors.internal" + tlsCACert: "$__file{/etc/ssl/grafana/{{ root_cert_filename }}}" + httpHeaderValue1: "{{ domain['internal'] }} " diff --git a/config/services/containers/infra/grafana/grafana.container.j2 b/config/services/containers/infra/grafana/grafana.container.j2 index e71f224..440567b 100644 --- a/config/services/containers/infra/grafana/grafana.container.j2 +++ b/config/services/containers/infra/grafana/grafana.container.j2 @@ -13,12 +13,12 @@ Image=docker.io/grafana/grafana:{{ version['containers']['grafana'] }} ContainerName=grafana HostName=grafana -AddHost={{ infra_uri['postgresql']['domain'] }}:host-gateway -AddHost={{ infra_uri['ldap']['domain'] }}:host-gateway -AddHost={{ infra_uri['prometheus']['domain'] }}:host-gateway -AddHost={{ infra_uri['loki']['domain'] }}:host-gateway +AddHost={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}:host-gateway +AddHost={{ services['ldap']['domain'] }}.{{ domain['internal'] }}:host-gateway +AddHost={{ services['prometheus']['domain'] }}.{{ domain['internal'] }}:host-gateway +AddHost={{ services['loki']['domain'] }}.{{ domain['internal'] }}:host-gateway -PublishPort=3000:3000/tcp +PublishPort={{ services['grafana']['ports']['http'] }}:3000/tcp Volume=%h/containers/grafana/data:/var/lib/grafana:rw Volume=%h/containers/grafana/etc:/etc/grafana:ro 
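Review bot: `httpHeaderValue1: "{{ domain['internal'] }} "` has a trailing space inside the quotes, so the X-Scope-OrgID header Grafana sends to Loki renders as `ilnmors.internal ` while alloy's `tenant_id = "{{ domain['internal'] }}"` later in this diff has none; whether the two still match depends on the receiver trimming header whitespace, and a tenant mismatch would silently return no logs. Drop the space: `httpHeaderValue1: "{{ domain['internal'] }}"`. The removed value `"ilnmors.internal"` had no trailing space, so this is a regression introduced by the templating.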
diff --git a/config/services/containers/infra/ldap/ldap.container.j2 b/config/services/containers/infra/ldap/ldap.container.j2 index 56414a7..23b49a6 100644 --- a/config/services/containers/infra/ldap/ldap.container.j2 +++ b/config/services/containers/infra/ldap/ldap.container.j2 @@ -13,11 +13,11 @@ Image=docker.io/lldap/lldap:{{ version['containers']['ldap'] }} ContainerName=ldap HostName=ldap # They are at the same host (for Pasta, it is needed) -AddHost={{ infra_uri['postgresql']['domain'] }}:host-gateway +AddHost={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}:host-gateway # For LDAPS - 636 > 6360 nftables -PublishPort=6360:6360/tcp +PublishPort={{ services['ldap']['ports']['ldaps'] }}:6360/tcp # Web UI -PublishPort=17170:17170/tcp +PublishPort={{ services['ldap']['ports']['http'] }}:17170/tcp Volume=%h/containers/ldap/data:/data:rw @@ -27,7 +27,7 @@ Volume=%h/containers/ldap/ssl:/etc/ssl/ldap:ro Environment="TZ=Asia/Seoul" # Domain -Environment="LLDAP_LDAP_BASE_DN=dc=ilnmors,dc=internal" +Environment="LLDAP_LDAP_BASE_DN={{ domain['dc'] }}" # LDAPS Environment="LLDAP_LDAPS_OPTIONS__ENABLED=true" diff --git a/config/services/containers/infra/loki/etc/loki.yaml b/config/services/containers/infra/loki/etc/loki.yaml.j2 similarity index 93% rename from config/services/containers/infra/loki/etc/loki.yaml rename to config/services/containers/infra/loki/etc/loki.yaml.j2 index 95f93ab..5c00d0e 100644 --- a/config/services/containers/infra/loki/etc/loki.yaml +++ b/config/services/containers/infra/loki/etc/loki.yaml.j2 @@ -1,7 +1,7 @@ --- server: http_listen_address: "::" - http_listen_port: 3100 + http_listen_port: {{ services['loki']['ports']['https'] }} http_tls_config: cert_file: /etc/ssl/loki/loki.crt key_file: /etc/ssl/loki/loki.key diff --git a/config/services/containers/infra/loki/loki.container.j2 b/config/services/containers/infra/loki/loki.container.j2 index 456bb2c..3387a0c 100644 --- a/config/services/containers/infra/loki/loki.container.j2 
+++ b/config/services/containers/infra/loki/loki.container.j2 @@ -13,7 +13,7 @@ Image=docker.io/grafana/loki:{{ version['containers']['loki'] }} ContainerName=loki HostName=loki -PublishPort=3100:3100/tcp +PublishPort={{ services['loki']['ports']['https'] }}:3100/tcp Volume=%h/containers/loki/data:/loki:rw Volume=%h/containers/loki/etc:/etc/loki:ro diff --git a/config/services/containers/infra/postgresql/config/postgresql.conf.j2 b/config/services/containers/infra/postgresql/config/postgresql.conf.j2 index eb87ce6..4f16475 100644 --- a/config/services/containers/infra/postgresql/config/postgresql.conf.j2 +++ b/config/services/containers/infra/postgresql/config/postgresql.conf.j2 @@ -12,7 +12,7 @@ port = 5432 # SSL ssl = on -ssl_ca_file = '/etc/ssl/postgresql/ilnmors_root_ca.crt' +ssl_ca_file = '/etc/ssl/postgresql/{{ root_cert_filename }}' ssl_cert_file = '/etc/ssl/postgresql/postgresql.crt' ssl_key_file = '/etc/ssl/postgresql/postgresql.key' ssl_ciphers = 'HIGH:!aNULL:!MD5' diff --git a/config/services/containers/infra/postgresql/postgresql.container.j2 b/config/services/containers/infra/postgresql/postgresql.container.j2 index 6c9bacd..abbee37 100644 --- a/config/services/containers/infra/postgresql/postgresql.container.j2 +++ b/config/services/containers/infra/postgresql/postgresql.container.j2 @@ -8,12 +8,12 @@ After=network-online.target Wants=network-online.target [Container] -Image=ilnmors.internal/{{ node['name'] }}/postgres:pg{{ version['containers']['postgresql'] }}-vectorchord{{ version['containers']['vectorchord'] }} +Image={{ domain['internal'] }}/{{ node['name'] }}/postgres:pg{{ version['containers']['postgresql'] }}-vectorchord{{ version['containers']['vectorchord'] }} ContainerName=postgresql HostName=postgresql -PublishPort=5432:5432/tcp +PublishPort={{ services['postgresql']['ports']['tcp'] }}:5432/tcp Volume=%h/containers/postgresql/data:/var/lib/postgresql:rw Volume=%h/containers/postgresql/config:/config:ro 
diff --git a/config/services/containers/infra/prometheus/etc/prometheus.yaml.j2 b/config/services/containers/infra/prometheus/etc/prometheus.yaml.j2 index d8ac2bc..f6cd455 100644 --- a/config/services/containers/infra/prometheus/etc/prometheus.yaml.j2 +++ b/config/services/containers/infra/prometheus/etc/prometheus.yaml.j2 @@ -23,8 +23,8 @@ scrape_configs: # metrics_path defaults to '/metrics' scheme: "https" tls_config: - ca_file: "/etc/ssl/prometheus/ilnmors_root_ca.crt" - server_name: "{{ infra_uri['prometheus']['domain'] }}" + ca_file: "/etc/ssl/prometheus/{{ root_cert_filename }}" + server_name: "{{ services['prometheus']['domain'] }}.{{ domain['internal'] }}" static_configs: - targets: ["localhost:9090"] # The label name is added as a label `label_name=` to any timeseries scraped from this config. diff --git a/config/services/containers/infra/prometheus/prometheus.container.j2 b/config/services/containers/infra/prometheus/prometheus.container.j2 index cc6821b..39fe4db 100644 --- a/config/services/containers/infra/prometheus/prometheus.container.j2 +++ b/config/services/containers/infra/prometheus/prometheus.container.j2 @@ -13,7 +13,7 @@ Image=docker.io/prom/prometheus:{{ version['containers']['prometheus'] }} ContainerName=prometheus HostName=prometheus -PublishPort=9090:9090/tcp +PublishPort={{ services['prometheus']['ports']['https'] }}:9090/tcp Volume=%h/containers/prometheus/data:/prometheus:rw Volume=%h/containers/prometheus/etc:/etc/prometheus:ro diff --git a/config/services/containers/infra/x509-exporter/x509-exporter.container.j2 b/config/services/containers/infra/x509-exporter/x509-exporter.container.j2 index 38f92c5..7b19a12 100644 --- a/config/services/containers/infra/x509-exporter/x509-exporter.container.j2 +++ b/config/services/containers/infra/x509-exporter/x509-exporter.container.j2 
@@ -13,7 +13,7 @@
 HostName=X509-exporter
 Volume=%h/containers/x509-exporter/certs:/certs:ro
-PublishPort=9793:9793
+PublishPort={{ services['x509-exporter']['ports']['http'] }}:9793
 Exec=--listen-address :9793 --watch-dir=/certs
diff --git a/config/services/systemd/common/alloy/config.alloy.j2 b/config/services/systemd/common/alloy/config.alloy.j2
index 23db6dd..3f9edf8 100644
--- a/config/services/systemd/common/alloy/config.alloy.j2
+++ b/config/services/systemd/common/alloy/config.alloy.j2
@@ -6,7 +6,7 @@
 //// Metric ouput
 prometheus.remote_write "prometheus" {
 endpoint {
- url = "https://{{ infra_uri['prometheus']['domain'] }}:{{ infra_uri['prometheus']['ports']['https'] }}/api/v1/write"
+ url = "https://{{ services['prometheus']['domain'] }}.{{ domain['internal'] }}:{{ services['prometheus']['ports']['https'] }}/api/v1/write"
 }
 }
@@ -71,8 +71,8 @@ prometheus.scrape "system" {
 ////// For Crowdsec metrics
 prometheus.scrape "crowdsec" {
 targets = [
- { "__address__" = "{{ infra_uri['crowdsec']['domain'] }}:6060", "job" = "crowdsec" },
- { "__address__" = "{{ infra_uri['crowdsec']['domain'] }}:60601", "job" = "crowdsec-bouncer" },
+ { "__address__" = "{{ services['crowdsec']['domain'] }}.{{ domain['internal'] }}:6060", "job" = "crowdsec" },
+ { "__address__" = "{{ services['crowdsec']['domain'] }}.{{ domain['internal'] }}:60601", "job" = "crowdsec-bouncer" },
 ]
 honor_labels = true
 forward_to = [prometheus.relabel.default_label.receiver]
@@ -83,7 +83,7 @@ prometheus.scrape "crowdsec" {
 ////// For postgresql metrics
 prometheus.exporter.postgres "postgresql" {
 data_source_names = [
- "postgres://alloy@{{ infra_uri['postgresql']['domain'] }}:{{ infra_uri['postgresql']['ports']['tcp'] }}/postgres?sslmode=verify-full",
+ "postgres://alloy@{{ services['postgresql']['domain'] }}.{{ domain['internal'] }}:{{ services['postgresql']['ports']['tcp'] }}/postgres?sslmode=verify-full",
 ]
 }
 prometheus.scrape "postgresql" {
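Review bot: The crowdsec scrape targets template the hostname but keep `:6060` and `:60601` as literals, and the caddy scrape hunk does the same with `:443`, so after this change the `services` map still describes only some of the ports each host exposes. Adding port keys for these endpoints to the inventory and referencing them here — e.g. `"{{ services['crowdsec']['domain'] }}.{{ domain['internal'] }}:{{ services['crowdsec']['ports']['metrics'] }}"` with a matching `metrics` entry added under the crowdsec ports (proposed key) — keeps one source of truth for anything a firewall rule or hosts file is later derived from. The enclosing `prometheus.scrape "crowdsec"` block continues past the hunk; only `]`, `honor_labels` and `forward_to` are visible after the targets.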
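Review bot: The DSN `postgres://alloy@{{ services['postgresql']['domain'] }}.{{ domain['internal'] }}:{{ services['postgresql']['ports']['tcp'] }}/postgres?sslmode=verify-full` now verifies the templated server name but still does not say which CA to trust; without an `sslrootcert` parameter the libpq-style driver falls back to `~/.postgresql/root.crt` of the account alloy runs as (or `PGSSLROOTCERT`), a dependency that is easy to lose under a systemd unit with a non-login user. Since the CA filename is now a variable, making it explicit, e.g. appending `&sslrootcert=<path-where-alloy-reads-the-ca>/{{ root_cert_filename }}` (placeholder path), removes the hidden lookup and makes a missing CA fail at render time rather than at connect time. The `prometheus.exporter.postgres "postgresql"` block is complete within the hunk.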
@@ -93,7 +93,7 @@ prometheus.scrape "postgresql" {
 ///// For certificates metrics
 prometheus.scrape "x509" {
 targets = [
- { "__address__" = "{{ node['name'] }}.ilnmors.internal:9793" },
+ { "__address__" = "{{ node['name'] }}.{{ domain['internal'] }}:{{ services['x509-exporter']['ports']['http'] }}" },
 ]
 forward_to = [prometheus.relabel.default_label.receiver]
 }
@@ -103,7 +103,7 @@ prometheus.scrape "x509" {
 ////// For Input Caddy metrics
 prometheus.scrape "caddy" {
 targets = [
- { "__address__" = "{{ node['name'] }}.ilnmors.internal:443" },
+ { "__address__" = "{{ node['name'] }}.{{ domain['internal'] }}:443" },
 ]
 scheme = "https"
 forward_to = [prometheus.relabel.default_label.receiver]
@@ -114,8 +114,8 @@ prometheus.scrape "caddy" {
 //// Logs output
 loki.write "loki" {
 endpoint {
- url = "https://{{ infra_uri['loki']['domain'] }}:{{ infra_uri['loki']['ports']['https'] }}/loki/api/v1/push"
- tenant_id = "ilnmors.internal"
+ url = "https://{{ services['loki']['domain'] }}.{{ domain['internal'] }}:{{ services['loki']['ports']['https'] }}/loki/api/v1/push"
+ tenant_id = "{{ domain['internal'] }}"
 }
 }
 //// Logs relabel
diff --git a/config/services/systemd/common/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml.j2 b/config/services/systemd/common/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml.j2
index 1d4994c..f2201b6 100644
--- a/config/services/systemd/common/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml.j2
+++ b/config/services/systemd/common/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml.j2
@@ -8,7 +8,7 @@ log_compression: true
 log_max_size: 100
 log_max_backups: 3
 log_max_age: 30
-api_url: "https://{{ infra_uri['crowdsec']['domain'] }}:{{ infra_uri['crowdsec']['ports']['https'] }}"
+api_url: "https://{{ services['crowdsec']['domain'] }}.{{ domain['internal'] }}:{{ services['crowdsec']['ports']['https'] }}"
 api_key: "{{ hostvars['console']['crowdsec']['bouncer']['fw'] }}"
 insecure_skip_verify: false
 disable_ipv6: false
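Review bot: `tenant_id = "{{ domain['internal'] }}"` ties the Loki tenant identifier to the DNS domain variable; the rendered value is the same string as before, but the two concepts are unrelated, and a later change of `domain['internal']` would silently start writing to a new tenant and leave the existing logs under the old one. A dedicated variable (e.g. `loki_tenant_id`, defaulting to the current value) or at least a comment `// tenant id is deliberately the internal domain; renaming the domain creates a new tenant` turns the coupling into a recorded decision. The `loki.write "loki"` block is complete within the hunk.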
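Review bot: `api_url` is now built as `https://{{ services['crowdsec']['domain'] }}.{{ domain['internal'] }}:{{ services['crowdsec']['ports']['https'] }}` with `insecure_skip_verify: false` kept, which is the right default; it does mean the LAPI certificate must carry exactly that assembled name as a SAN and the issuing CA must be trusted on the bouncer host, otherwise the bouncer cannot fetch decisions at all. Neither the SAN nor where the root CA is installed on bouncer hosts is visible in this diff, so a comment above `api_url` such as `# must match a SAN on the LAPI certificate; CA trusted via the host trust store` records the dependency for whoever next renames a service. The `local_api_credentials.yaml.j2` hunk has the same dependency on the agent side.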
diff --git a/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2 b/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
index 56e2557..9c05374 100644
--- a/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
+++ b/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
@@ -13,7 +13,7 @@ whitelist:
 {% if node['name'] == 'auth' %}
 expression:
 # budget local-first sql scrap rule
- "evt.Meta.target_fqdn == 'budget.ilnmors.com' && evt.Meta.http_path contains '/data/migrations/'"
+ "evt.Meta.target_fqdn == '{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/data/migrations/'"
 # immich thumbnail request 404 error false positive
- "evt.Meta.target_fqdn == 'immich.ilnmors.com' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'"
+ "evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'"
 {% endif %}
diff --git a/config/services/systemd/common/crowdsec/etc/local_api_credentials.yaml.j2 b/config/services/systemd/common/crowdsec/etc/local_api_credentials.yaml.j2
index 834dc95..752ba69 100644
--- a/config/services/systemd/common/crowdsec/etc/local_api_credentials.yaml.j2
+++ b/config/services/systemd/common/crowdsec/etc/local_api_credentials.yaml.j2
@@ -1,3 +1,3 @@
-url: https://{{ infra_uri['crowdsec']['domain'] }}:{{ infra_uri['crowdsec']['ports']['https'] }}
+url: https://{{ services['crowdsec']['domain'] }}.{{ domain['internal'] }}:{{ services['crowdsec']['ports']['https'] }}
 login: {{ node['name'] }}
 password: {{ hostvars['console']['crowdsec']['machine'][node['name']] }}
diff --git a/config/services/systemd/common/kopia/kopia-backup.service.j2 b/config/services/systemd/common/kopia/kopia-backup.service.j2
index 70cca85..19abeac 100644
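Review bot: `url: https://{{ services['crowdsec']['domain'] }}.{{ domain['internal'] }}:{{ services['crowdsec']['ports']['https'] }}` is an unquoted plain scalar; it parses as intended today, but a rendered value containing ` #` or `: ` would be truncated or mis-parsed without an error, so `url: "https://{{ services['crowdsec']['domain'] }}.{{ domain['internal'] }}:{{ services['crowdsec']['ports']['https'] }}"` is the safer form. The unchanged `password: {{ hostvars['console']['crowdsec']['machine'][node['name']] }}` line below has the same exposure with a value the template does not control; rendering it as `password: {{ hostvars['console']['crowdsec']['machine'][node['name']] | to_json }}` yields a correctly quoted YAML string whatever characters the secret contains.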
--- a/config/services/systemd/common/kopia/kopia-backup.service.j2
+++ b/config/services/systemd/common/kopia/kopia-backup.service.j2
@@ -32,9 +32,9 @@
 BindPaths=/var/cache/kopia
 EnvironmentFile=/etc/secrets/{{ kopia_uid }}/kopia.env
 ExecStartPre=/usr/bin/kopia repository connect server \
- --url=https://{{ infra_uri['kopia']['domain'] }}:{{ infra_uri['kopia']['ports']['https'] }} \
+ --url=https://{{ services['kopia']['domain'] }}.{{ domain['internal'] }}:{{ services['kopia']['ports']['https'] }} \
 --override-username={{ node['name'] }} \
- --override-hostname={{ node['name'] }}.ilnmors.internal
+ --override-hostname={{ node['name'] }}.{{ domain['internal'] }}
 {% if node['name'] == 'infra' %}
 ExecStart=/usr/bin/kopia snapshot create \
diff --git a/config/services/systemd/fw/ddns/ddns.service b/config/services/systemd/fw/ddns/ddns.service.j2
similarity index 78%
rename from config/services/systemd/fw/ddns/ddns.service
rename to config/services/systemd/fw/ddns/ddns.service.j2
index 8508db1..f2dcc12 100644
--- a/config/services/systemd/fw/ddns/ddns.service
+++ b/config/services/systemd/fw/ddns/ddns.service.j2
@@ -12,4 +12,4 @@
 StandardError=journal
 EnvironmentFile=/etc/secrets/%U/ddns.env
 # Run the script
-ExecStart=/usr/local/bin/ddns.sh -d "ilnmors.com"
+ExecStart=/usr/local/bin/ddns.sh -d "{{ domain['public'] }}"
diff --git a/config/services/systemd/fw/ddns/ddns.timer b/config/services/systemd/fw/ddns/ddns.timer.j2
similarity index 100%
rename from config/services/systemd/fw/ddns/ddns.timer
rename to config/services/systemd/fw/ddns/ddns.timer.j2
diff --git a/config/services/systemd/fw/kea/kea-dhcp4.conf.j2 b/config/services/systemd/fw/kea/kea-dhcp4.conf.j2
index ada0f65..65e2952 100644
--- a/config/services/systemd/fw/kea/kea-dhcp4.conf.j2
+++ b/config/services/systemd/fw/kea/kea-dhcp4.conf.j2
@@ -19,7 +19,7 @@
 },
 {
 "name": "domain-name",
- "data": "ilnmors.internal."
+ "data": "{{ domain['internal'] }}."
 }
 ],
 "reservations": [
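Review bot: Renaming `ddns.service` to `ddns.service.j2` and putting `{{ domain['public'] }}` into `ExecStart` only works if the task that installs the unit switches from a plain copy to a template render; that task is not in this diff, so it is worth confirming, because an untemplated copy would run `ddns.sh -d "{{ domain['public'] }}"` with the literal braces and update nothing. `ddns.timer` was renamed to `.j2` at 100% similarity and contains no template expression, which is harmless but suggests the rename was mechanical. A comment on the line, `# domain comes from group_vars domain.public`, would tell the next editor where the value is set.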
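Review bot: The `domain-name` option is set per subnet with the identical value `"data": "{{ domain['internal'] }}."`, here and again in the `-65` hunk on the following line; Kea also accepts `option-data` at the global level, where one entry would cover both subnets unless a subnet overrides it, which removes the duplicated template expression. This is a style point only, and the enclosing subnet objects start outside both hunks, so the move is not something this diff can show.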
@@ -65,7 +65,7 @@
 },
 {
 "name": "domain-name",
- "data": "ilnmors.internal."
+ "data": "{{ domain['internal'] }}."
 }
 ],
 "id": 2,
diff --git a/docs/runbook/05-hardwares.md b/docs/runbook/05-hardwares.md
index 1ac82d8..0d09752 100644
--- a/docs/runbook/05-hardwares.md
+++ b/docs/runbook/05-hardwares.md
@@ -90,7 +90,7 @@ Kea in fw already reserved DSM's IP. However it is necessary to set IP address s
 ## Authelia OIDC
 - **!CAUTION!** It can be set after authelia is implemented
-- Following [here](../../../config/containers/auth/authelia/config/authelia.yaml.j2) for Authelia configuration
+- Following [here](../../config/services/containers/auth/authelia/config/authelia.yaml.j2) for Authelia configuration
 - Control Panel:Domain/LDAP:SSO Client
 - Login Settings: \[x\] Select SSO by default on the login page
 - Services
@@ -192,9 +192,9 @@
 BindPaths=/var/cache/kopia
 EnvironmentFile=/etc/secrets/{{ kopia_uid }}/kopia.env
 ExecStartPre=/usr/bin/kopia repository connect server \
- --url=https://{{ infra_uri['kopia']['domain'] }}:{{ infra_uri['kopia']['ports']['https'] }} \
+ --url=https://{{ services['kopia']['domain'] }}.{{ domain['internal'] }}:{{ services['kopia']['ports']['https'] }} \
 --override-username={{ node['name'] }} \
- --override-hostname={{ node['name'] }}.ilnmors.internal
+ --override-hostname={{ node['name'] }}.{{ domain['internal'] }}
 ExecStart=/usr/bin/kopia snapshot create \
 /path/to/backup
diff --git a/docs/services/app/igpu_firmware.md b/docs/services/app/igpu_firmware.md
index 7d09dcb..8c9c80f 100644
--- a/docs/services/app/igpu_firmware.md
+++ b/docs/services/app/igpu_firmware.md
@@ -9,4 +9,4 @@ After reboot, check the render device.
 ```bash
 ls -l /dev/dri
 # crw-rw---- 1 root video 226, 0 ... card0
-# crw-rw---- 1 root render 226, 128 ... renderD128
\ No newline at end of file
+# crw-rw---- 1 root render 226, 128 ... renderD128