make absent

docker-compose/authelia/config/configuration.yml.j2

@@ -0,0 +1,69 @@
+---
+default_redirection_url: https://mgrote.net
+jwt_secret: "{{ lookup('keepass', 'AUTHELIA_JWT_SECRET', 'password') }}"
+
+server:
+  host: 0.0.0.0
+  port: 9091
+
+log:
+  level: debug
+
+totp:
+  issuer: authelia.com
+
+access_control:
+  default_policy: deny
+  rules:
+    - domain: audio.mgrote.net
+      policy: bypass
+    - domain: munin.grote.lan
+      policy: one_factor
+
+session:
+  domain: mgrote.net
+  secret: "{{ lookup('keepass', 'AUTHELIA_SESSION_SECRET', 'password') }}"
+  redis:
+    host: authelia-redis
+    port: 6379
+
+regulation:
+  max_retries: 3
+  find_time: 120
+  ban_time: 300
+
+notifier:
+  smtp:
+    username: info@mgrote.net
+    password: "{{ lookup('keepass', 'postfix_absender_passwort', 'password') }}"
+    host: smtp.strato.de
+    port: 587
+    sender: info@mgrote.net
+
+authentication_backend:
+  password_reset:
+    disable: false
+  refresh_interval: 1m
+  ldap:
+    implementation: custom
+    url: ldap://lldap-app:3890
+    timeout: 5s
+    start_tls: false
+    base_dn: dc=grote,dc=lan
+    username_attribute: uid
+    additional_users_dn: ou=people
+    users_filter: (&({username_attribute}={input})(objectClass=person))
+    additional_groups_dn: ou=groups
+    groups_filter: (member={dn})
+    group_name_attribute: cn
+    mail_attribute: mail
+    display_name_attribute: displayName
+    user: uid=admin,ou=people,dc=grote,dc=lan
+    password: "{{ lookup('keepass', 'LLDAP_LDAP_USER_PASS', 'password') }}"
+
+storage:
+  postgres:
+    host: authelia-postgres
+    database: authelia
+    username: authelia
+    password: "{{ lookup('keepass', 'AUTHELIA_STORAGE_POSTGRES_PASSWORD', 'password') }}"

docker-compose/authelia/docker-compose.yaml.j2

@@ -0,0 +1,80 @@
+---
+version: "3.8"
+services:
+######## App ########
+  authelia:
+    container_name: authelia-app
+    image: docker.io/authelia/authelia:4
+    restart: always
+    networks:
+      - nw_aaa
+      - intern
+      - traefik
+    expose:
+      - 9091
+    ports:
+      - "9091:9091"
+    environment:
+      TZ: Europe/Berlin
+      AUTHELIA_STORAGE_ENCRYPTION_KEY: {{ lookup('keepass', 'AUTHELIA_STORAGE_ENCRYPTION_KEY', 'password') }}
+    volumes:
+      - ./config:/config
+    labels:
+      - com.centurylinklabs.watchtower.enable=true
+      - com.centurylinklabs.watchtower.depends-on=authelia-postgres,authelia-redis
+
+      - traefik.http.middlewares.authelia.forwardauth.address=http://authelia-app:9091/api/authz/forward-auth?authelia-url=http://auth.mgrote.net
+      - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
+      - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
+
+      - traefik.enable=true
+      - traefik.http.routers.authelia.rule=Host(`auth.mgrote.net`)
+      - traefik.http.routers.authelia.tls=true
+      - traefik.http.routers.authelia.tls.certresolver=resolver_letsencrypt
+      - traefik.http.routers.authelia.entrypoints=entry_https
+      - traefik.http.services.authelia.loadbalancer.server.port=9091
+
+
+######## PostGreSQL ########
+  db:
+    container_name: "authelia-postgres"
+    image: postgres:13
+    restart: always
+    environment:
+      - POSTGRES_USER=authelia
+      - POSTGRES_PASSWORD={{ lookup('keepass', 'AUTHELIA_STORAGE_POSTGRES_PASSWORD', 'password') }}
+      - TZ=Europe/Berlin
+    volumes:
+      - postgres:/var/lib/postgresql/data
+    networks:
+      - intern
+    labels:
+      - com.centurylinklabs.watchtower.enable=false
+      - com.centurylinklabs.watchtower.monitor-only=true
+######## Redis ########
+  redis:
+    image: redis:alpine
+    container_name: authelia-redis
+    volumes:
+      - redis:/data
+    networks:
+      - intern
+    expose:
+      - 6379
+    restart: always
+    environment:
+      - TZ=Europe/Berlin
+    labels:
+      - com.centurylinklabs.watchtower.enable=true
+
+
+networks:
+  nw_aaa:
+    external: true
+  intern:
+  traefik:
+    external: true
+
+volumes:
+  postgres:
+  redis:

docker-compose/homer/assets/mgmt.yml

@@ -33,7 +33,7 @@ services:
         target: "_blank"
         subtitle: "Modem"
 
-  - name: "Infra"
+  - name: "Infra - Apps"
     icon: "fas fa-cloud"
     items:
       - name: "Apt-Cacher-NG"
@@ -67,7 +67,7 @@ services:
         target: "_blank"
         subtitle: "Package-Registry"
 
-  - name: "Infra"
+  - name: "Infra - OS"
     icon: "fas fa-cloud"
     items:
       - name: "ProxMox Virtual Environment - Production"
@@ -95,6 +95,15 @@ services:
         target: "_blank"
         subtitle: "network device configuration backup tool"
 
+  - name: "AAA"
+    icon: "fas fa-cloud"
+    items:
+      - name: "lldap"
+        logo: "assets/icons/lldap.png"
+        url: "http://docker10.grote.lan:17170"
+        target: "_blank"
+        subtitle: "LDAP"
+
   - name: "Internet-MGMT"
     icon: "fas fa-cloud"
     items:

docker-compose/lldap/docker-compose.yml.j2

@@ -0,0 +1,77 @@
+version: "3"
+services:
+######## App ########
+  lldap:
+    image: nitnelave/lldap:stable
+    container_name: lldap-app
+    restart: always
+    ports:
+      # For LDAP
+      - "3890:3890"
+      # For the web front-end
+      - "17170:17170"
+    networks:
+      - intern
+      - nw_aaa
+      - traefik
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /etc/timezone:/etc/timezone:ro
+      - "lldap:/data"
+    environment:
+      - UID=1000
+      - GID=1000
+      - LLDAP_JWT_SECRET={{ lookup('keepass', 'LLDAP_JWT_SECRET', 'password') }}
+      - LLDAP_LDAP_USER_PASS={{ lookup('keepass', 'LLDAP_LDAP_USER_PASS', 'password') }}
+      #- LLDAP_USER_DN="LLDAP-ADMIN"
+      - LLDAP_LDAP_BASE_DN=dc=grote,dc=lan
+      - LLDAP_DATABASE_URL=mysql://lldap-db-user:{{ lookup('keepass', 'LLDAP_MYSQL_PASSWORD', 'password') }}@lldap-db/lldap
+      - LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_reset=true
+      - LLDAP_SMTP_OPTIONS__SERVER=smtp.strato.de
+      - LLDAP_SMTP_OPTIONS__PORT=587
+      - LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION=STARTTLS
+      - LLDAP_SMTP_OPTIONS__USER=info@mgrote.net
+      - LLDAP_SMTP_OPTIONS__PASSWORD={{ lookup('keepass', 'postfix_absender_passwort', 'password') }}
+      - LLDAP_SMTP_OPTIONS__FROM="LLDAP Admin <info@mgrote.net>"
+      - LLDAP_SMTP_OPTIONS__REPLY_TO="Do not reply <info@mgrote.net>"
+      #- LLDAP_KEY_FILE={{ lookup('keepass', 'LLDAP_KEY_FILE', 'password') }}
+      #- LLDAP_VERBOSE=true
+      - LLDAP_HTTP_URL="http://docker10.grote.lan:17170" # The public URL of the server, for password reset links.
+    labels:
+      - com.centurylinklabs.watchtower.enable=true
+      - com.centurylinklabs.watchtower.depends-on=lldap-db
+######## DB ########
+  nextcloud-db:
+    image: mariadb:10
+    container_name: lldap-db
+    restart: always
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /etc/timezone:/etc/timezone:ro
+      - db:/var/lib/mysql
+    environment:
+      - MYSQL_ROOT_PASSWORD={{ lookup('keepass', 'LLDAP_MYSQL_ROOT_PASSWORD', 'password') }}
+      - MYSQL_PASSWORD={{ lookup('keepass', 'LLDAP_MYSQL_PASSWORD', 'password') }}
+      - MYSQL_DATABASE=lldap
+      - MYSQL_USER=lldap-db-user
+      - MYSQL_INITDB_SKIP_TZINFO=1
+    networks:
+      - intern
+    labels:
+      - com.centurylinklabs.watchtower.enable=true
+
+######## Volumes ########
+volumes:
+  lldap:
+  db:
+######## Networks ########
+networks:
+  nw_aaa:
+    external: true
+  intern:
+  traefik:
+    external: true
+
+
+## (example with "password"): - LLDAP_SMTP_OPTIONS__PASSWORD
+## Whether to enabled password reset via email, from LLDAP.

docker-compose/munin/docker-compose.yml.j2

@@ -36,6 +36,18 @@ services:
     labels:
       - com.centurylinklabs.watchtower.enable=true
 
+      - traefik.http.middlewares.authelia.forwardauth.address=http://authelia-app:9091/api/authz/forward-auth?authelia-url=http://auth.mgrote.net
+      - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
+      - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
+
+      - traefik.enable=true
+      - traefik.http.routers.authelia.rule=Host(`auth.mgrote.net`)
+      - traefik.http.routers.authelia.tls=true
+      - traefik.http.routers.authelia.tls.certresolver=resolver_letsencrypt
+      - traefik.http.routers.authelia.entrypoints=entry_https
+      - traefik.http.services.authelia.loadbalancer.server.port=9091
+
+
 volumes:
   db:
   logs:

docker-compose/watchtower/docker-compose.yml.j2

@@ -1,4 +1,3 @@
-version: "3"
 services:
   watchtower:
     restart: always
@@ -6,13 +5,12 @@ services:
     image: containrrr/watchtower
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
+      - /etc/localtime:/etc/localtime:ro
     environment:
-      - TZ=Europe/Berlin
       - WATCHTOWER_CLEANUP=true
       - WATCHTOWER_INCLUDE_RESTARTING=true
       - WATCHTOWER_INCLUDE_STOPPED=true
       - WATCHTOWER_REVIVE_STOPPED=false
-      - WATCHTOWER_POLL_INTERVAL=86400 # (24 hours)
       - WATCHTOWER_LABEL_ENABLE=true
       - WATCHTOWER_NOTIFICATIONS=email
       - WATCHTOWER_NOTIFICATION_EMAIL_FROM=info@mgrote.net
@@ -23,6 +21,7 @@ services:
       - WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD={{ lookup('keepass', 'postfix_absender_passwort', 'password') }}
       - WATCHTOWER_NOTIFICATION_EMAIL_DELAY=2
       - WATCHTOWER_NO_STARTUP_MESSAGE=true
+      - WATCHTOWER_SCHEDULE=0 20 3 * * * # jeden Tag um 03:20
     labels:
       - com.centurylinklabs.watchtower.enable=true
 

host_vars/docker10.grote.lan.yml

@@ -77,7 +77,12 @@
       state: present
     - name: blocky
       state: present
-
+    - name: lldap
+      state: absent
+      network: traefik
+    - name: authelia
+      state: absent
+      network: nw_aaa
   #### mgrote.set_permissions
   dir_permissions:
     - path: /mnt/httpd