il/ilnmors-homelab
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

inventory, roles, config, docs: update all files to refactor the ansible variables structure

Browse Source
This commit is contained in:
Il Lee
2026-04-01 21:30:56 +09:00
parent d1e0eb30c0
commit 84d961c7e3
62 changed files with 321 additions and 254 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
config/services/containers/app/actual-budget/actual-budget.container.j2
View File

@@ -9,14 +9,14 @@ Image=ghcr.io/actualbudget/actual-server:{{ version['containers']['actualbudget'
ContainerName=actual-budget
HostName=actual-budget
PublishPort=5006:5006
PublishPort={{ services['actualbudget']['ports']['http'] }}:5006
Volume=%h/data/containers/actual-budget:/data:rw
Environment="TZ=Asia/Seoul"
Environment="ACTUAL_OPENID_DISCOVERY_URL=https://authelia.ilnmors.com/.well-known/openid-configuration"
Environment="ACTUAL_OPENID_DISCOVERY_URL=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}/.well-known/openid-configuration"
Environment="ACTUAL_OPENID_CLIENT_ID=actual-budget"
Environment="ACTUAL_OPENID_SERVER_HOSTNAME=https://budget.ilnmors.com"
Environment="ACTUAL_OPENID_SERVER_HOSTNAME=https://{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}"
Environment="ACTUAL_OPENID_AUTH_METHOD=oauth2"
Secret=ACTUAL_OPENID_CLIENT_SECRET,type=env

8
config/services/containers/app/gitea/gitea.container.j2
View File

@@ -23,18 +23,18 @@ Environment="TZ=Asia/Seoul"
Environment="GITEA__server__DISABLE_SSH=true"
# Database
Environment="GITEA__database__DB_TYPE=postgres"
Environment="GITEA__database__HOST={{ infra_uri['postgresql']['domain'] }}:{{ infra_uri['postgresql']['ports']['tcp'] }}"
Environment="GITEA__database__HOST={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}:{{ services['postgresql']['ports']['tcp'] }}"
Environment="GITEA__database__NAME=gitea_db"
Environment="GITEA__database__USER=gitea"
Secret=GITEA__database__PASSWD,type=env
Environment="GITEA__database__SSL_MODE=verify-full"
Environment="PGSSLROOTCERT=/etc/ssl/gitea/ilnmors_root_ca.crt"
Environment="PGSSLROOTCERT=/etc/ssl/gitea/{{ root_cert_filename }}"
# OAuth2 client
Environment="GITEA__oauth2_client__ACCOUNT_LINKING=auto"
# OIDC configuration
Environment="GITEA__openid__ENABLE_OPENID_SIGNIN=false"
Environment="GITEA__openid__ENABLE_OPENID_SIGNUP=true"
Environment="GITEA__openid__WHITELISTED_URIS=authelia.ilnmors.com"
Environment="GITEA__openid__WHITELISTED_URIS={{ services['authelia']['domain'] }}.{{ domain['public'] }}"
# automatic create user via authelia
Environment="GITEA__service__DISABLE_REGISTRATION=false"
Environment="GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=true"
@@ -42,7 +42,7 @@ Environment="GITEA__service__SHOW_REGISTRATION_BUTTON=false"
[Service]
ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
Restart=always
RestartSec=10s
TimeoutStopSec=120

2
config/services/containers/app/immich/immich-ml.container.j2
View File

@@ -13,7 +13,7 @@ Image=ghcr.io/immich-app/immich-machine-learning:{{ version['containers']['immic
ContainerName=immich-ml
HostName=immich-ml
PublishPort=3003:3003
PublishPort={{ services['immich-ml']['ports']['http'] }}:3003
# iGPU access for OpenVINO
AddDevice=/dev/dri:/dev/dri

12
config/services/containers/app/immich/immich.container.j2
View File

@@ -13,7 +13,7 @@ Image=ghcr.io/immich-app/immich-server:{{ version['containers']['immich'] }}
ContainerName=immich
HostName=immich
PublishPort=2283:2283
PublishPort={{ services['immich']['ports']['http'] }}:2283
# iGPU access
AddDevice=/dev/dri:/dev/dri
@@ -26,21 +26,21 @@ Volume=%h/containers/immich/ssl:/etc/ssl/immich:ro
# Environment
Environment="TZ=Asia/Seoul"
Environment="REDIS_HOSTNAME=host.containers.internal"
Environment="REDIS_PORT={{ hostvars['app']['redis']['immich'] }}"
Environment="REDIS_PORT={{ services['immich']['ports']['redis'] }}"
Environment="REDIS_DBINDEX=0"
# Database
Environment="DB_HOSTNAME={{ infra_uri['postgresql']['domain'] }}"
Environment="DB_PORT={{ infra_uri['postgresql']['ports']['tcp'] }}"
Environment="DB_HOSTNAME={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}"
Environment="DB_PORT={{ services['postgresql']['ports']['tcp'] }}"
Environment="DB_USERNAME=immich"
Environment="DB_DATABASE_NAME=immich_db"
Environment="DB_PASSWORD_FILE=/run/secrets/DB_PASSWORD"
Environment="DB_SSL_MODE=verify-full"
Environment="NODE_EXTRA_CA_CERTS=/etc/ssl/immich/ilnmors_root_ca.crt"
Environment="NODE_EXTRA_CA_CERTS=/etc/ssl/immich/{{ root_cert_filename }}"
Secret=IMMICH_DB_PASSWORD,target=/run/secrets/DB_PASSWORD
[Service]
ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
Restart=always
RestartSec=10s
TimeoutStopSec=120

14
config/services/containers/app/paperless/paperless.container.j2
View File

@@ -11,7 +11,7 @@ Wants=redis_paperless.service
Image=ghcr.io/paperless-ngx/paperless-ngx:{{ version['containers']['paperless'] }}
ContainerName=paperless
HostName=paperless
PublishPort=8001:8000/tcp
PublishPort={{ services['paperless']['ports']['http'] }}:8000/tcp
# Volumes
Volume=%h/data/containers/paperless/data:/usr/src/paperless/data:rw
@@ -22,7 +22,7 @@ Volume=%h/containers/paperless/ssl:/etc/ssl/paperless:ro
# General
Environment="TZ=Asia/Seoul"
Environment="PAPERLESS_TIME_ZONE=Asia/Seoul"
Environment="PAPERLESS_URL=https://paperless.ilnmors.com"
Environment="PAPERLESS_URL=https://{{ services['paperless']['domain']['public'] }}.{{ domain['public'] }}"
Environment="PAPERLESS_OCR_LANGUAGE=kor+eng"
Environment="PAPERLESS_OCR_LANGUAGES=kor"
# Environment="PAPERLESS_OCR_MODE=force"
@@ -32,15 +32,15 @@ Environment="PAPERLESS_WORKER_TIMEOUT=7200"
Secret=PAPERLESS_SECRET_KEY,type=env
# Redis
Environment="PAPERLESS_REDIS=redis://host.containers.internal:{{ hostvars['app']['redis']['paperless'] }}"
Environment="PAPERLESS_REDIS=redis://host.containers.internal:{{ services['paperless']['ports']['redis'] }}"
# Database
Environment="PAPERLESS_DBHOST={{ infra_uri['postgresql']['domain'] }}"
Environment="PAPERLESS_DBPORT={{ infra_uri['postgresql']['ports']['tcp'] }}"
Environment="PAPERLESS_DBHOST={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}"
Environment="PAPERLESS_DBPORT={{ services['postgresql']['ports']['tcp'] }}"
Environment="PAPERLESS_DBNAME=paperless_db"
Environment="PAPERLESS_DBUSER=paperless"
Environment="PAPERLESS_DBSSLMODE=verify-full"
Environment="PAPERLESS_DBSSLROOTCERT=/etc/ssl/paperless/ilnmors_root_ca.crt"
Environment="PAPERLESS_DBSSLROOTCERT=/etc/ssl/paperless/{{ root_cert_filename }}"
Secret=PAPERLESS_DBPASS,type=env
# OIDC
@@ -50,7 +50,7 @@ Environment="PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS=true"
Secret=PAPERLESS_SOCIALACCOUNT_PROVIDERS,type=env
[Service]
ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
Restart=always
RestartSec=10s
TimeoutStopSec=120

2
config/services/containers/app/redis/redis.conf.j2
View File

@@ -1,4 +1,4 @@
databases 16
bind 0.0.0.0
port {{ hostvars['app']['redis'][redis_service] }}
port 6379
protected-mode no

2
config/services/containers/app/redis/redis.container.j2
View File

@@ -13,7 +13,7 @@ Image=docker.io/library/redis:{{ version['containers']['redis'] }}
ContainerName=redis_{{ redis_service }}
HostName=redis_{{ redis_service }}
PublishPort={{ hostvars['app']['redis'][redis_service] }}:{{ hostvars['app']['redis'][redis_service] }}
PublishPort={{ services[redis_service]['ports']['redis'] }}:6379
Volume=%h/containers/redis/{{ redis_service }}/data:/data:rw
Volume=%h/containers/redis/{{ redis_service }}/redis.conf:/usr/local/etc/redis/redis.conf:ro

6
config/services/containers/app/vaultwarden/vaultwarden.container.j2
View File

@@ -13,19 +13,19 @@ Image=docker.io/vaultwarden/server:{{ version['containers']['vaultwarden'] }}
ContainerName=vaultwarden
HostName=vaultwarden
PublishPort=8000:80/tcp
PublishPort={{ services['vaultwarden']['ports']['http'] }}:80/tcp
Volume=%h/data/containers/vaultwarden:/data:rw
Volume=%h/containers/vaultwarden/ssl:/etc/ssl/vaultwarden:ro
Environment="TZ=Asia/Seoul"
Environment="DOMAIN=https://vault.ilnmors.com"
Environment="DOMAIN=https://{{ services['vaultwarden']['domain']['public'] }}.{{ domain['public'] }}"
Environment="SIGNUPS_ALLOWED=false"
Secret=VW_ADMIN_TOKEN,type=env,target=ADMIN_TOKEN
Secret=VW_DATABASE_URL,type=env,target=DATABASE_URL
[Service]
ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
Restart=always
RestartSec=10s
TimeoutStopSec=120

12
config/services/containers/app/vikunja/vikunja.container.j2
View File

@@ -11,7 +11,7 @@ Wants=network-online.target
Image=docker.io/vikunja/vikunja:{{ version['containers']['vikunja'] }}
ContainerName=vikunja
HostName=vikunja
PublishPort=3456:3456/tcp
PublishPort={{ services['vikunja']['ports']['http'] }}:3456/tcp
# Volumes
Volume=%h/data/containers/vikunja:/app/vikunja/files:rw
@@ -21,25 +21,25 @@ Volume=%h/containers/vikunja/ssl:/etc/ssl/vikunja:ro
Environment="TZ=Asia/Seoul"
Environment="VIKUNJA_DEFAULTSETTINGS_TIMEZONE=Asia/Seoul"
Environment="VIKUNJA_SERVICE_TIMEZONE=Asia/Seoul"
Environment="VIKUNJA_SERVICE_PUBLICURL=https://vikunja.ilnmors.com"
Environment="VIKUNJA_SERVICE_PUBLICURL=https://{{ services['vikunja']['domain']['public'] }}.{{ domain['public'] }}"
Environment="VIKUNJA_SERVICE_ENABLEREGISTRATION=false"
Secret=VIKUNJA_SERVICE_JWTSECRET,type=env
# Database
Environment="VIKUNJA_DATABASE_TYPE=postgres"
Environment="VIKUNJA_DATABASE_HOST={{ infra_uri['postgresql']['domain'] }}"
Environment="VIKUNJA_DATABASE_HOST={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}"
Environment="VIKUNJA_DATABASE_USER=vikunja"
Environment="VIKUNJA_DATABASE_DATABASE=vikunja_db"
Environment="VIKUNJA_DATABASE_SSLMODE=verify-full"
Environment="VIKUNJA_DATABASE_SSLROOTCERT=/etc/ssl/vikunja/ilnmors_root_ca.crt"
Environment="VIKUNJA_DATABASE_SSLROOTCERT=/etc/ssl/vikunja/{{ root_cert_filename }}"
Secret=VIKUNJA_DATABASE_PASSWORD,type=env
# OIDC
Environment="VIKUNJA_AUTH_OPENID_ENABLED=true"
Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_NAME=Authelia"
Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_AUTHURL=https://authelia.ilnmors.com"
Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_AUTHURL=https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}"
Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_CLIENTID=vikunja"
# Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_SCOPE=" default value = openid email profile
# Vikunja doesn't support OIDC and local dual login.
@@ -48,7 +48,7 @@ Environment="VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_CLIENTID=vikunja"
Secret=VIKUNJA_AUTH_OPENID_PROVIDERS_authelia_CLIENTSECRET,type=env
[Service]
ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
Restart=always
RestartSec=10s
TimeoutStopSec=120

7
config/services/containers/auth/authelia/authelia.container.j2
View File

@@ -15,7 +15,7 @@ ContainerName=authelia
HostName=authelia
# Web UI
PublishPort=9091:9091/tcp
PublishPort={{ services['authelia']['ports']['http'] }}:9091/tcp
Volume=%h/containers/authelia/config:/config:rw
@@ -56,8 +56,9 @@ Exec=--config /config/authelia.yaml
# Wait for dependency
# They run as rootless podman container, so their port is not opened until they are normaly running
# Check their ports with nc command
ExecStartPre=/usr/bin/nc -zv {{ infra_uri['postgresql']['domain'] }} {{ infra_uri['postgresql']['ports']['tcp'] }}
ExecStartPre=/usr/bin/nc -zv {{ infra_uri['ldap']['domain'] }} {{ infra_uri['ldap']['ports']['ldaps'] }}
ExecStartPre=/usr/bin/nc -zv {{ services['postgresql']['domain'] }}.{{ domain['internal'] }} {{ services['postgresql']['ports']['tcp'] }}
# services['ldap']['ports']['ldaps'] is 6360, but nftables works on 636 the original port
ExecStartPre=/usr/bin/nc -zv {{ services['ldap']['domain'] }}.{{ domain['internal'] }} 636
ExecStartPre=sleep 5
Restart=always
RestartSec=10s

46
config/services/containers/auth/authelia/config/authelia.yaml.j2
View File

@@ -20,7 +20,7 @@ log:
# TOTP configuration
totp:
# issure option is for 2FA app. It works as identifier. "My homelab' or 'ilnmors.internal', 'Authelia - ilnmors'
issuer: 'ilnmors.internal'
issuer: '{{ domain['internal'] }}'
# Identity validation confituration
identity_validation:
@@ -31,21 +31,21 @@ identity_validation:
authentication_backend:
ldap:
# ldaps uses 636 -> NAT automatically change port 636 in output packet -> 2636 which lldap server uses.
address: 'ldaps://ldap.ilnmors.internal'
address: 'ldaps://{{ services['ldap']['domain'] }}.{{ domain['internal'] }}'
implementation: 'lldap'
# tls configruation, it uses certificates_directory's /etc/ssl/authelia/ilnmors_root_ca.crt
# tls configruation, it uses certificates_directory's /etc/ssl/authelia/{{ root_cert_filename }}
tls:
server_name: 'ldap.ilnmors.internal'
server_name: '{{ services['ldap']['domain'] }}.{{ domain['internal'] }}'
skip_verify: false
# LLDAP base DN
base_dn: 'dc=ilnmors,dc=internal'
base_dn: '{{ domain['dc'] }}'
additional_users_dn: 'ou=people'
additional_groups_dn: 'ou=groups'
# LLDAP filters
users_filter: '(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))'
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
# LLDAP bind account configuration
user: 'uid=authelia,ou=people,dc=ilnmors,dc=internal'
user: 'uid=authelia,ou=people,{{ domain['dc'] }}'
password: '' # $AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE option is designated in container file
# Access control configuration
@@ -53,14 +53,12 @@ access_control:
default_policy: 'deny'
rules:
# authelia portal
- domain: 'authelia.ilnmors.internal'
- domain: '{{ services['authelia']['domain'] }}.{{ domain['public'] }}'
policy: 'bypass'
- domain: 'authelia.ilnmors.com'
policy: 'bypass'
- domain: 'test.ilnmors.com'
policy: 'one_factor'
subject:
- 'group:admins'
# - domain: 'test.ilnmors.com'
# policy: 'one_factor'
# subject:
# - 'group:admins'
# Session provider configuration
session:
secret: '' # $AUTHELIA_SESSION_SECRET_FILE is designated in container file
@@ -68,8 +66,8 @@ session:
inactivity: '24 hours' # Session maintains for 24 hours without actions
cookies:
- name: 'authelia_public_session'
domain: 'ilnmors.com'
authelia_url: 'https://authelia.ilnmors.com'
domain: '{{ domain['public'] }}'
authelia_url: 'https://{{ services['authelia']['domain'] }}.{{ domain['public'] }}'
same_site: 'lax'
# This authelia doesn't use Redis.
@@ -78,12 +76,12 @@ session:
storage:
encryption_key: '' # $AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE is designated in container file
postgres:
address: 'tcp://{{ infra_uri['postgresql']['domain'] }}:{{ infra_uri['postgresql']['ports']['tcp'] }}'
address: 'tcp://{{ services['postgresql']['domain'] }}.{{ domain['internal'] }}:{{ services['postgresql']['ports']['tcp'] }}'
database: 'authelia_db'
username: 'authelia'
password: '' # $AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE is designated in container file
tls:
server_name: '{{ infra_uri['postgresql']['domain'] }}'
server_name: '{{ services['postgresql']['domain'] }}.{{ domain['internal'] }}'
skip_verify: false
# Notification provider
@@ -117,7 +115,7 @@ identity_providers:
require_pkce: false
pkce_challenge_method: ''
redirect_uris:
- 'https://{{ infra_uri['nas']['domain'] }}:{{ infra_uri['nas']['ports']['https'] }}'
- 'https://{{ services['nas']['domain'] }}.{{ domain['internal'] }}:{{ services['nas']['ports']['https'] }}'
scopes:
- 'openid'
- 'profile'
@@ -140,7 +138,7 @@ identity_providers:
require_pkce: false
pkce_challenge_method: ''
redirect_uris:
- 'https://gitea.ilnmors.com/user/oauth2/authelia/callback'
- 'https://{{ services['gitea']['domain']['public'] }}.{{ domain['public'] }}/user/oauth2/authelia/callback'
scopes:
- 'openid'
- 'email'
@@ -161,8 +159,8 @@ identity_providers:
require_pkce: false
pkce_challenge_method: ''
redirect_uris:
- 'https://immich.ilnmors.com/auth/login'
- 'https://immich.ilnmors.com/user-settings'
- 'https://{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}/auth/login'
- 'https://{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}/user-settings'
- 'app.immich:///oauth-callback'
scopes:
- 'openid'
@@ -184,7 +182,7 @@ identity_providers:
require_pkce: false
pkce_challenge_method: ''
redirect_uris:
- 'https://budget.ilnmors.com/openid/callback'
- 'https://{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }}/openid/callback'
scopes:
- 'openid'
- 'profile'
@@ -206,7 +204,7 @@ identity_providers:
require_pkce: true
pkce_challenge_method: 'S256'
redirect_uris:
- 'https://paperless.ilnmors.com/accounts/oidc/authelia/login/callback/'
- 'https://{{ services['paperless']['domain']['public'] }}.{{ domain['public'] }}/accounts/oidc/authelia/login/callback/'
scopes:
- 'openid'
- 'profile'
@@ -228,7 +226,7 @@ identity_providers:
require_pkce: false
pkce_challenge_method: ''
redirect_uris:
- 'https://vikunja.ilnmors.com/auth/openid/authelia'
- 'https://{{ services['vikunja']['domain']['public'] }}.{{ domain['public'] }}/auth/openid/authelia'
scopes:
- 'openid'
- 'profile'

2
config/services/containers/common/caddy/build/caddy.containerfile.j2
View File

@@ -12,6 +12,6 @@ RUN xcaddy build \
FROM docker.io/library/caddy:{{ version['containers']['caddy'] }}
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
COPY ./ilnmors_root_ca.crt /usr/local/share/ca-certificates/ilnmors_root_ca.crt
COPY ./{{ root_cert_filename }} /usr/local/share/ca-certificates/{{ root_cert_filename }}
RUN update-ca-certificates

12
config/services/containers/common/caddy/caddy.container.j2
View File

@@ -14,18 +14,18 @@ Wants=network-online.target
[Container]
Image=ilnmors.internal/{{ node['name'] }}/caddy:{{ version['containers']['caddy'] }}
Image={{ domain['internal'] }}/{{ node['name'] }}/caddy:{{ version['containers']['caddy'] }}
ContainerName=caddy_{{ node['name'] }}
HostName=caddy_{{ node['name'] }}
{% if node['name'] == 'infra' %}
AddHost={{ infra_uri['ca']['domain'] }}:host-gateway
AddHost={{ infra_uri['prometheus']['domain'] }}:host-gateway
AddHost={{ infra_uri['loki']['domain'] }}:host-gateway
AddHost={{ services['ca']['domain'] }}.{{ domain['internal'] }}:host-gateway
AddHost={{ services['prometheus']['domain'] }}.{{ domain['internal'] }}:host-gateway
AddHost={{ services['loki']['domain'] }}.{{ domain['internal'] }}:host-gateway
{% endif %}
PublishPort=2080:80/tcp
PublishPort=2443:443/tcp
PublishPort={{ services['caddy']['ports']['http'] }}:80/tcp
PublishPort={{ services['caddy']['ports']['https'] }}:443/tcp
Volume=%h/containers/caddy/etc:/etc/caddy:ro
Volume=%h/containers/caddy/data:/data:rw

32
config/services/containers/common/caddy/etc/app/Caddyfile.j2
View File

@@ -8,19 +8,19 @@
(private_tls) {
tls {
issuer acme {
dir https://{{ infra_uri['ca']['domain'] }}:{{ infra_uri['ca']['ports']['https'] }}/acme/acme@ilnmors.internal/directory
dir https://{{ services['ca']['domain'] }}.{{ domain['internal'] }}:{{ services['ca']['ports']['https'] }}/acme/acme@{{ domain['internal'] }}/directory
dns rfc2136 {
server {{ infra_uri['bind']['domain'] }}:{{ infra_uri['bind']['ports']['dns'] }}
server {{ services['bind']['domain'] }}.{{ domain['internal'] }}:{{ services['bind']['ports']['dns'] }}
key_name acme-key
key_alg hmac-sha256
key "{file./run/secrets/CADDY_ACME_KEY}"
}
resolvers {{ infra_uri['bind']['domain'] }}
resolvers {{ services['bind']['domain'] }}.{{ domain['internal'] }}
}
}
}
app.ilnmors.internal {
{{ node['name'] }}.{{ domain['internal'] }} {
import private_tls
metrics
}
@@ -29,39 +29,39 @@ app.ilnmors.internal {
# root * /usr/share/caddy
# file_server
# }
vault.app.ilnmors.internal {
{{ services['vaultwarden']['domain']['internal'] }}.{{ domain['internal'] }} {
import private_tls
reverse_proxy host.containers.internal:8000 {
reverse_proxy host.containers.internal:{{ services['vaultwarden']['ports']['http'] }} {
header_up Host {http.request.header.X-Forwarded-Host}
}
}
gitea.app.ilnmors.internal {
{{ services['gitea']['domain']['internal'] }}.{{ domain['internal'] }} {
import private_tls
reverse_proxy host.containers.internal:3000 {
reverse_proxy host.containers.internal:{{ services['gitea']['ports']['http'] }} {
header_up Host {http.request.header.X-Forwarded-Host}
}
}
immich.app.ilnmors.internal {
{{ services['immich']['domain']['internal'] }}.{{ domain['internal'] }} {
import private_tls
reverse_proxy host.containers.internal:2283 {
reverse_proxy host.containers.internal:{{ services['immich']['ports']['http'] }} {
header_up Host {http.request.header.X-Forwarded-Host}
}
}
budget.app.ilnmors.internal {
{{ services['actualbudget']['domain']['internal'] }}.{{ domain['internal'] }} {
import private_tls
reverse_proxy host.containers.internal:5006 {
reverse_proxy host.containers.internal:{{ services['actualbudget']['ports']['http'] }} {
header_up Host {http.request.header.X-Forwarded-Host}
}
}
paperless.app.ilnmors.internal {
{{ services['paperless']['domain']['internal'] }}.{{ domain['internal'] }} {
import private_tls
reverse_proxy host.containers.internal:8001 {
reverse_proxy host.containers.internal:{{ services['paperless']['ports']['http'] }} {
header_up Host {http.request.header.X-Forwarded-Host}
}
}
vikunja.app.ilnmors.internal {
{{ services['vikunja']['domain']['internal'] }}.{{ domain['internal'] }} {
import private_tls
reverse_proxy host.containers.internal:3456 {
reverse_proxy host.containers.internal:{{ services['vikunja']['ports']['http'] }} {
header_up Host {http.request.header.X-Forwarded-Host}
}
}

40
config/services/containers/common/caddy/etc/auth/Caddyfile.j2
View File

@@ -1,7 +1,7 @@
{
# CrowdSec LAPI connection
crowdsec {
api_url https://{{ infra_uri['crowdsec']['domain'] }}:{{ infra_uri['crowdsec']['ports']['https'] }}
api_url https://{{ services['crowdsec']['domain'] }}.{{ domain['internal'] }}:{{ services['crowdsec']['ports']['https'] }}
api_key "{file./run/secrets/CADDY_CROWDSEC_KEY}"
}
}
@@ -15,27 +15,27 @@
roll_size 100MiB
roll_keep 1
}
format json
format json
}
}
# Private TLS ACME with DNS-01-challenge
(private_tls) {
tls {
issuer acme {
dir https://{{ infra_uri['ca']['domain'] }}:{{ infra_uri['ca']['ports']['https'] }}/acme/acme@ilnmors.internal/directory
dir https://{{ services['ca']['domain'] }}.{{ domain['internal'] }}:{{ services['ca']['ports']['https'] }}/acme/acme@{{ domain['internal'] }}/directory
dns rfc2136 {
server {{ infra_uri['bind']['domain'] }}:{{ infra_uri['bind']['ports']['dns'] }}
server {{ services['bind']['domain'] }}.{{ domain['internal'] }}:{{ services['bind']['ports']['dns'] }}
key_name acme-key
key_alg hmac-sha256
key "{file./run/secrets/CADDY_ACME_KEY}"
}
resolvers {{ infra_uri['bind']['domain'] }}
resolvers {{ services['bind']['domain'] }}.{{ domain['internal'] }}
}
}
}
# Public domain
authelia.ilnmors.com {
{{ services['authelia']['domain'] }}.{{ domain['public'] }} {
import crowdsec_log
route {
crowdsec
@@ -64,63 +64,63 @@ authelia.ilnmors.com {
# }
# }
# }
vault.ilnmors.com {
{{ services['vaultwarden']['domain']['public'] }}.{{ domain['public'] }} {
import crowdsec_log
route {
crowdsec
reverse_proxy https://vault.app.ilnmors.internal {
reverse_proxy https://{{ services['vaultwarden']['domain']['internal'] }}.{{ domain['internal'] }} {
header_up Host {http.reverse_proxy.upstream.host}
}
}
}
gitea.ilnmors.com {
{{ services['gitea']['domain']['public'] }}.{{ domain['public'] }} {
import crowdsec_log
route {
crowdsec
reverse_proxy https://gitea.app.ilnmors.internal {
reverse_proxy https://{{ services['gitea']['domain']['internal'] }}.{{ domain['internal'] }} {
header_up Host {http.reverse_proxy.upstream.host}
}
}
}
immich.ilnmors.com {
{{ services['immich']['domain']['public'] }}.{{ domain['public'] }} {
import crowdsec_log
route {
crowdsec
reverse_proxy https://immich.app.ilnmors.internal {
reverse_proxy https://{{ services['immich']['domain']['internal'] }}.{{ domain['internal'] }} {
header_up Host {http.reverse_proxy.upstream.host}
}
}
}
budget.ilnmors.com {
{{ services['actualbudget']['domain']['public'] }}.{{ domain['public'] }} {
import crowdsec_log
route {
crowdsec
reverse_proxy https://budget.app.ilnmors.internal {
reverse_proxy https://{{ services['actualbudget']['domain']['internal'] }}.{{ domain['internal'] }} {
header_up Host {http.reverse_proxy.upstream.host}
}
}
}
paperless.ilnmors.com {
{{ services['paperless']['domain']['public'] }}.{{ domain['public'] }} {
import crowdsec_log
route {
crowdsec
reverse_proxy https://paperless.app.ilnmors.internal {
reverse_proxy https://{{ services['paperless']['domain']['internal'] }}.{{ domain['internal'] }} {
header_up Host {http.reverse_proxy.upstream.host}
}
}
}
vikunja.ilnmors.com {
{{ services['vikunja']['domain']['public'] }}.{{ domain['public'] }} {
import crowdsec_log
route {
crowdsec
reverse_proxy https://vikunja.app.ilnmors.internal {
header_up HOST {http.reverse_proxy.upstream.host}
reverse_proxy https://{{ services['vikunja']['domain']['internal'] }}.{{ domain['internal'] }} {
header_up Host {http.reverse_proxy.upstream.host}
}
}
}
# Internal domain
auth.ilnmors.internal {
{{ node['name'] }}.{{ domain['internal'] }} {
import private_tls
metrics
}

20
config/services/containers/common/caddy/etc/infra/Caddyfile.j2
View File

@@ -2,40 +2,40 @@
(private_tls) {
tls {
issuer acme {
dir https://{{ infra_uri['ca']['domain'] }}:{{ infra_uri['ca']['ports']['https'] }}/acme/acme@ilnmors.internal/directory
dir https://{{ services['ca']['domain'] }}.{{ domain['internal'] }}:{{ services['ca']['ports']['https'] }}/acme/acme@{{ domain['internal'] }}/directory
dns rfc2136 {
server {{ infra_uri['bind']['domain'] }}:{{ infra_uri['bind']['ports']['dns'] }}
server {{ services['bind']['domain'] }}.{{ domain['internal'] }}:{{ services['bind']['ports']['dns'] }}
key_name acme-key
key_alg hmac-sha256
key "{file./run/secrets/CADDY_ACME_KEY}"
}
resolvers {{ infra_uri['bind']['domain'] }}
resolvers {{ services['bind']['domain'] }}.{{ domain['internal'] }}
}
}
}
infra.ilnmors.internal {
{{ node['name'] }}.{{ domain['internal'] }} {
import private_tls
metrics
}
{{ infra_uri['ldap']['domain'] }} {
{{ services['ldap']['domain'] }}.{{ domain['internal'] }} {
import private_tls
route {
reverse_proxy host.containers.internal:{{ infra_uri['ldap']['ports']['http'] }}
reverse_proxy host.containers.internal:{{ services['ldap']['ports']['http'] }}
}
}
{{ infra_uri['prometheus']['domain'] }} {
{{ services['prometheus']['domain'] }}.{{ domain['internal'] }} {
import private_tls
route {
reverse_proxy https://{{ infra_uri['prometheus']['domain'] }}:{{ infra_uri['prometheus']['ports']['https'] }}
reverse_proxy https://{{ services['prometheus']['domain'] }}.{{ domain['internal'] }}:{{ services['prometheus']['ports']['https'] }}
}
}
grafana.ilnmors.internal {
{{ services['grafana']['domain'] }}.{{ domain['internal'] }} {
import private_tls
route {
reverse_proxy host.containers.internal:3000
reverse_proxy host.containers.internal:{{ services['grafana']['ports']['http'] }}
}
}

2
config/services/containers/infra/ca/ca.container.j2
View File

@@ -13,7 +13,7 @@ Image=docker.io/smallstep/step-ca:{{ version['containers']['step'] }}
ContainerName=ca
HostName=ca
PublishPort=9000:9000/tcp
PublishPort={{ services['ca']['ports']['https'] }}:9000/tcp
Volume=%h/containers/ca/certs:/home/step/certs:ro
Volume=%h/containers/ca/secrets:/home/step/secrets:ro

18
config/services/containers/infra/ca/config/ca.json.j2
View File

@@ -1,12 +1,12 @@
{
"root": "/home/step/certs/ilnmors_root_ca.crt",
"root": "/home/step/certs/{{ root_cert_filename }}",
"federatedRoots": null,
"crt": "/home/step/certs/ilnmors_intermediate_ca.crt",
"key": "/home/step/secrets/ilnmors_intermediate_ca.key",
"crt": "/home/step/certs/{{ intermediate_cert_filename }}",
"key": "/home/step/secrets/{{ intermediate_key_filename }}",
"address": ":9000",
"insecureAddress": "",
"dnsNames": [
"{{ infra_uri['ca']['domain'] }}"
"{{ services['ca']['domain'] }}.{{ domain['internal'] }}"
],
"logger": {
"format": "text"
@@ -21,9 +21,9 @@
"x509": {
"allow": {
"dns": [
"ilnmors.internal",
"*.ilnmors.internal",
"*.app.ilnmors.internal"
"{{ domain['internal'] }}",
"*.{{ domain['internal'] }}",
"*.app.{{ domain['internal'] }}"
]
},
"allowWildcardNames": true
@@ -32,7 +32,7 @@
"provisioners": [
{
"type": "ACME",
"name": "acme@ilnmors.internal",
"name": "acme@{{ domain['internal'] }}",
"claims": {
"defaultTLSCertDuration": "2160h0m0s",
"enableSSHCA": true,
@@ -58,5 +58,5 @@
"maxVersion": 1.3,
"renegotiation": false
},
"commonName": "ilnmors Online CA"
"commonName": "{{ domain['internal'] }} Online CA"
}

4
config/services/containers/infra/ca/config/defaults.json.j2
View File

@@ -1,6 +1,6 @@
{
"ca-url": "https://{{ infra_uri['ca']['domain'] }}:{{ infra_uri['ca']['ports']['https'] }}",
"ca-url": "https://{{ services['ca']['domain'] }}.{{ domain['internal'] }}:{{ services['ca']['ports']['https'] }}",
"ca-config": "/home/step/config/ca.json",
"fingerprint": "215c851d2d0d2dbf90fc3507425207c29696ffd587c640c94a68dddb1d84d8e8",
"root": "/home/step/certs/ilnmors_root_ca.crt"
"root": "/home/step/certs/{{ root_cert_filename }}"
}

10
config/services/containers/infra/grafana/etc/grafana.ini.j2
View File

@@ -7,19 +7,19 @@ provisioning = /etc/grafana/provisioning
[server]
protocol = http
http_port = 3000
domain = grafana.ilnmors.internal
root_url = http://grafana.ilnmors.internal/
http_port = {{ services['grafana']['ports']['http'] }}
domain = {{ services['grafana']['domain'] }}.{{ domain['internal'] }}
root_url = http://{{ services['grafana']['domain'] }}.{{ domain['internal'] }}/
router_logging = false
[database]
type = postgres
host = {{ infra_uri['postgresql']['domain'] }}:{{ infra_uri['postgresql']['ports']['tcp'] }}
host = {{ services['postgresql']['domain'] }}.{{ domain['internal'] }}:{{ services['postgresql']['ports']['tcp'] }}
name = grafana_db
user = grafana
password = $__file{/run/secrets/GF_DB_PASSWORD}
ssl_mode = verify-full
ca_cert_path = /etc/ssl/grafana/ilnmors_root_ca.crt
ca_cert_path = /etc/ssl/grafana/{{ root_cert_filename }}
[auth.ldap]
enabled = true

18
config/services/containers/infra/grafana/etc/ldap.toml.j2
View File

@@ -1,7 +1,7 @@
# https://github.com/lldap/lldap/blob/main/example_configs/grafana_ldap_config.toml
[[servers]]
host = "{{ infra_uri['ldap']['domain'] }}"
port = {{ infra_uri['ldap']['ports']['ldaps'] }}
host = "{{ services['ldap']['domain'] }}.{{ domain['internal'] }}"
port = {{ services['ldap']['ports']['ldaps'] }}
# Activate STARTTLS or LDAPS
use_ssl = true
# true = STARTTLS, false = LDAPS
@@ -9,16 +9,16 @@ start_tls = false
tls_ciphers = []
min_tls_version = ""
ssl_skip_verify = false
root_ca_cert = "/etc/ssl/grafana/ilnmors_root_ca.crt"
root_ca_cert = "/etc/ssl/grafana/{{ root_cert_filename }}"
# mTLS option, it is not needed
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"
bind_dn = "uid=grafana,ou=people,dc=ilnmors,dc=internal"
bind_dn = "uid=grafana,ou=people,{{ domain['dc'] }}"
bind_password = "$__file{/run/secrets/LDAP_BIND_PASSWORD}"
search_filter = "(|(uid=%s)(mail=%s))"
search_base_dns = ["dc=ilnmors,dc=internal"]
search_base_dns = ["{{ domain['dc'] }}"]
[servers.attributes]
member_of = "memberOf"
@@ -28,20 +28,20 @@ surname = "sn"
username = "uid"
group_search_filter = "(&(objectClass=groupOfUniqueNames)(uniqueMember=%s))"
group_search_base_dns = ["ou=groups,dc=ilnmors,dc=internal"]
group_search_base_dns = ["ou=groups,{{ domain['dc'] }}"]
group_search_filter_user_attribute = "uid"
[[servers.group_mappings]]
group_dn = "cn=lldap_admin,ou=groups,dc=ilnmors,dc=internal"
group_dn = "cn=lldap_admin,ou=groups,{{ domain['dc'] }}"
org_role = "Admin"
grafana_admin = true
[[servers.group_mappings]]
group_dn = "cn=admins,ou=groups,dc=ilnmors,dc=internal"
group_dn = "cn=admins,ou=groups,{{ domain['dc'] }}"
org_role = "Editor"
grafana_admin = false
[[servers.group_mappings]]
group_dn = "cn=users,ou=groups,dc=ilnmors,dc=internal"
group_dn = "cn=users,ou=groups,{{ domain['dc'] }}"
org_role = "Viewer"
grafana_admin = false

10
config/services/containers/infra/grafana/etc/provisioning/datasources/datasources.yaml → config/services/containers/infra/grafana/etc/provisioning/datasources/datasources.yaml.j2
View File

@@ -4,7 +4,7 @@ apiVersion: 1
datasources:
- name: Prometheus
type: prometheus
url: https://prometheus.ilnmors.internal:9090
url: https://{{ services['prometheus']['domain'] }}.{{ domain['internal'] }}:{{ services['prometheus']['ports']['https'] }}
access: proxy
isDefault: true
jsonData:
@@ -12,11 +12,11 @@ datasources:
tlsAuthWithCACert: true
httpMethod: POST
secureJsonData:
tlsCACert: "$__file{/etc/ssl/grafana/ilnmors_root_ca.crt}"
tlsCACert: "$__file{/etc/ssl/grafana/{{ root_cert_filename }}}"
- name: Loki
type: loki
url: https://loki.ilnmors.internal:3100
url: https://{{ services['loki']['domain'] }}.{{ domain['internal'] }}:{{ services['loki']['ports']['https'] }}
access: proxy
jsonData:
tlsAuth: false
@@ -25,5 +25,5 @@ datasources:
httpHeaderName1: "X-Scope-OrgID"
maxLines: 1000
secureJsonData:
tlsCACert: "$__file{/etc/ssl/grafana/ilnmors_root_ca.crt}"
httpHeaderValue1: "ilnmors.internal"
tlsCACert: "$__file{/etc/ssl/grafana/{{ root_cert_filename }}}"
httpHeaderValue1: "{{ domain['internal'] }} "

10
config/services/containers/infra/grafana/grafana.container.j2
View File

@@ -13,12 +13,12 @@ Image=docker.io/grafana/grafana:{{ version['containers']['grafana'] }}
ContainerName=grafana
HostName=grafana
AddHost={{ infra_uri['postgresql']['domain'] }}:host-gateway
AddHost={{ infra_uri['ldap']['domain'] }}:host-gateway
AddHost={{ infra_uri['prometheus']['domain'] }}:host-gateway
AddHost={{ infra_uri['loki']['domain'] }}:host-gateway
AddHost={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}:host-gateway
AddHost={{ services['ldap']['domain'] }}.{{ domain['internal'] }}:host-gateway
AddHost={{ services['prometheus']['domain'] }}.{{ domain['internal'] }}:host-gateway
AddHost={{ services['loki']['domain'] }}.{{ domain['internal'] }}:host-gateway
PublishPort=3000:3000/tcp
PublishPort={{ services['grafana']['ports']['http'] }}:3000/tcp
Volume=%h/containers/grafana/data:/var/lib/grafana:rw
Volume=%h/containers/grafana/etc:/etc/grafana:ro

8
config/services/containers/infra/ldap/ldap.container.j2
View File

@@ -13,11 +13,11 @@ Image=docker.io/lldap/lldap:{{ version['containers']['ldap'] }}
ContainerName=ldap
HostName=ldap
# They are at the same host (for Pasta, it is needed)
AddHost={{ infra_uri['postgresql']['domain'] }}:host-gateway
AddHost={{ services['postgresql']['domain'] }}.{{ domain['internal'] }}:host-gateway
# For LDAPS - 636 > 6360 nftables
PublishPort=6360:6360/tcp
PublishPort={{ services['ldap']['ports']['ldaps'] }}:6360/tcp
# Web UI
PublishPort=17170:17170/tcp
PublishPort={{ services['ldap']['ports']['http'] }}:17170/tcp
Volume=%h/containers/ldap/data:/data:rw
@@ -27,7 +27,7 @@ Volume=%h/containers/ldap/ssl:/etc/ssl/ldap:ro
Environment="TZ=Asia/Seoul"
# Domain
Environment="LLDAP_LDAP_BASE_DN=dc=ilnmors,dc=internal"
Environment="LLDAP_LDAP_BASE_DN={{ domain['dc'] }}"
# LDAPS
Environment="LLDAP_LDAPS_OPTIONS__ENABLED=true"

2
config/services/containers/infra/loki/etc/loki.yaml → config/services/containers/infra/loki/etc/loki.yaml.j2
View File

@@ -1,7 +1,7 @@
---
server:
http_listen_address: "::"
http_listen_port: 3100
http_listen_port: {{ services['loki']['ports']['https'] }}
http_tls_config:
cert_file: /etc/ssl/loki/loki.crt
key_file: /etc/ssl/loki/loki.key

2
config/services/containers/infra/loki/loki.container.j2
View File

@@ -13,7 +13,7 @@ Image=docker.io/grafana/loki:{{ version['containers']['loki'] }}
ContainerName=loki
HostName=loki
PublishPort=3100:3100/tcp
PublishPort={{ services['loki']['ports']['https'] }}:3100/tcp
Volume=%h/containers/loki/data:/loki:rw
Volume=%h/containers/loki/etc:/etc/loki:ro

2
config/services/containers/infra/postgresql/config/postgresql.conf.j2
View File

@@ -12,7 +12,7 @@ port = 5432
# SSL
ssl = on
ssl_ca_file = '/etc/ssl/postgresql/ilnmors_root_ca.crt'
ssl_ca_file = '/etc/ssl/postgresql/{{ root_cert_filename }}'
ssl_cert_file = '/etc/ssl/postgresql/postgresql.crt'
ssl_key_file = '/etc/ssl/postgresql/postgresql.key'
ssl_ciphers = 'HIGH:!aNULL:!MD5'

4
config/services/containers/infra/postgresql/postgresql.container.j2
View File

@@ -8,12 +8,12 @@ After=network-online.target
Wants=network-online.target
[Container]
Image=ilnmors.internal/{{ node['name'] }}/postgres:pg{{ version['containers']['postgresql'] }}-vectorchord{{ version['containers']['vectorchord'] }}
Image={{ domain['internal'] }}/{{ node['name'] }}/postgres:pg{{ version['containers']['postgresql'] }}-vectorchord{{ version['containers']['vectorchord'] }}
ContainerName=postgresql
HostName=postgresql
PublishPort=5432:5432/tcp
PublishPort={{ services['postgresql']['ports']['tcp'] }}:5432/tcp
Volume=%h/containers/postgresql/data:/var/lib/postgresql:rw
Volume=%h/containers/postgresql/config:/config:ro

4
config/services/containers/infra/prometheus/etc/prometheus.yaml.j2
View File

@@ -23,8 +23,8 @@ scrape_configs:
# metrics_path defaults to '/metrics'
scheme: "https"
tls_config:
ca_file: "/etc/ssl/prometheus/ilnmors_root_ca.crt"
server_name: "{{ infra_uri['prometheus']['domain'] }}"
ca_file: "/etc/ssl/prometheus/{{ root_cert_filename }}"
server_name: "{{ services['prometheus']['domain'] }}.{{ domain['internal'] }}"
static_configs:
- targets: ["localhost:9090"]
# The label name is added as a label `label_name=<label_value>` to any timeseries scraped from this config.

2
config/services/containers/infra/prometheus/prometheus.container.j2
View File

@@ -13,7 +13,7 @@ Image=docker.io/prom/prometheus:{{ version['containers']['prometheus'] }}
ContainerName=prometheus
HostName=prometheus
PublishPort=9090:9090/tcp
PublishPort={{ services['prometheus']['ports']['https'] }}:9090/tcp
Volume=%h/containers/prometheus/data:/prometheus:rw
Volume=%h/containers/prometheus/etc:/etc/prometheus:ro

2
config/services/containers/infra/x509-exporter/x509-exporter.container.j2
View File

@@ -13,7 +13,7 @@ HostName=X509-exporter
Volume=%h/containers/x509-exporter/certs:/certs:ro
PublishPort=9793:9793
PublishPort={{ services['x509-exporter']['ports']['http'] }}:9793
Exec=--listen-address :9793 --watch-dir=/certs