Compare commits

..

1 commit

Author SHA1 Message Date
c6281461f0 changed Files: docker-compose/authelia/configuration.yml.j2
All checks were successful
ansible-lint / gitleaks (pull_request) Successful in 4s
ansible-lint / Ansible Lint (pull_request) Successful in 35s
docker-compose/traefik/docker-compose.yml.j2
docker-compose/traefik/traefik.yml
group_vars/blocky.yml

Signed-off-by: Michael Grote <michael.grote@posteo.de>
2024-11-21 13:20:38 +00:00
31 changed files with 108 additions and 78 deletions

View file

@ -26,7 +26,7 @@ jobs:
uses: actions/checkout@v4
- name: Run Gitleaks
uses: docker://zricethezav/gitleaks:v8.22.0
uses: docker://zricethezav/gitleaks:v8.21.2
with:
args: detect --no-git --verbose --source ${{ github.workspace }}

View file

@ -21,6 +21,14 @@ access_control:
policy: one_factor
subject:
- 'group:authelia_wiki'
- domain: traefik.mgrote.net
policy: one_factor
subject:
- 'group:authelia_traefik'
- domain: rui.mgrote.net
policy: one_factor
subject:
- 'group:authelia_registry-ui'
session:
name: authelia_session
@ -59,7 +67,7 @@ notifier:
# https://github.com/lldap/lldap/blob/main/example_configs/authelia_config.yml
authentication_backend:
password_reset:
disable: false
disable: true
refresh_interval: 1m
ldap:
implementation: custom
@ -79,4 +87,4 @@ authentication_backend:
user: uid=authelia_bind_user,ou=people,dc=mgrote,dc=net
password: '{{ lookup('viczem.keepass.keepass', 'authelia/lldap_authelia_bind_user', 'password') }}'
# Details/Doku: https://wiki.mgrote.net/pages/_Technik/software/rest/ldap/
# Details/Doku: https://wiki.mgrote.net/pages/_Technik/hardware/rest/fpv/software/rest/ldap/

View file

@ -54,7 +54,7 @@ services:
######## Datenbank ########
authelia-db:
image: "mariadb:11.6.2"
image: "mariadb:11.5.2"
container_name: authelia-db
command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF
restart: unless-stopped

View file

@ -1,7 +0,0 @@
# authelia function matrix
| App | User | Password Reset | Group |
| - | - | - | - |
| ``authelia_*`` | `authelia_bind_user` | yes | `lldap_strict_readonly` + `lldap_password_manager` |
| `forgejo` | `forgejo_bind_user` | no | `lldap_strict_readonly` |
| `nextcloud` | `nextcloud_bind_user` | yes | `lldap_strict_readonly` + `lldap_password_manager` |

View file

@ -2,7 +2,7 @@
services:
grampsweb: &grampsweb
container_name: grampsweb
image: ghcr.io/gramps-project/grampsweb:v24.12.1 # version
image: ghcr.io/gramps-project/grampsweb:v24.11.0 # version
restart: unless-stopped
pull_policy: missing
ports:
@ -36,7 +36,7 @@ services:
grampsweb_celery:
<<: *grampsweb # YAML merge key copying the entire grampsweb service config
ports: []
container_name: grampsweb-celery
container_name: grampsweb_celery
depends_on:
- grampsweb_redis
command: celery -A gramps_webapi.celery worker --loglevel=INFO
@ -44,7 +44,7 @@ services:
grampsweb_redis:
image: redis:7.4.1-alpine
container_name: grampsweb-redis
container_name: grampsweb_redis
restart: unless-stopped
pull_policy: missing
healthcheck:

View file

@ -1,6 +1,6 @@
services:
lldap:
image: lldap/lldap:v0.6.1-debian-rootless
image: lldap/lldap:v0.6.0-debian-rootless
container_name: lldap
restart: unless-stopped
pull_policy: missing
@ -22,7 +22,7 @@ services:
######## Postgres ########
lldap-db17:
container_name: "lldap-db"
image: "postgres:17.2"
image: "postgres:17.1"
restart: unless-stopped
pull_policy: missing
environment:

View file

@ -17,7 +17,6 @@ ldap_user_pass = "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_admin_user',
database_url = "postgres://lldap:{{ lookup('viczem.keepass.keepass', 'lldap/lldap_db_pass', 'password') }}@lldap-db/lldap"
key_seed = "{{ lookup('viczem.keepass.keepass', 'lldap/lldap_key_seed', 'password') }}"
key_file = ""
force_ldap_user_pass_reset = "always"

View file

@ -2,7 +2,7 @@ services:
######## Miniflux ########
miniflux:
container_name: "mf-frontend"
image: "ghcr.io/miniflux/miniflux:2.2.4"
image: "ghcr.io/miniflux/miniflux:2.2.3"
restart: unless-stopped
pull_policy: missing
depends_on:
@ -34,7 +34,7 @@ services:
######## Postgres ########
mf-db17:
container_name: "mf-db"
image: "postgres:17.2"
image: "postgres:17.1"
restart: unless-stopped
pull_policy: missing
environment:

View file

@ -9,15 +9,11 @@ axios.com::PGA
axios.com::football
computerbase.de::Adrenalin 2020 Edition
computerbase.de::Adrenalin 2021 Edition
computerbase.de::Adrenalin 2022 Edition
computerbase.de::Adrenalin 2023 Edition
computerbase.de::Adrenalin 2024 Edition
computerbase.de::Adrenalin 2025 Edition
computerbase.de::CB-Funk
computerbase.de::Community-Hilfe
computerbase.de::CB-Funk-Podcast
computerbase.de::Community-Umfrage
computerbase.de::Community-Hilfe
computerbase.de::Community: Fotowettbewerb
computerbase.de::Computer-Hilfe
computerbase.de::Elon Musk
computerbase.de::Fotowettbewerb:
computerbase.de::Fussball
@ -55,8 +51,6 @@ hardwareluxx.de::Der Hardwareluxx-Webwatch:
hardwareluxx.de::Die Artikel unserer Partner
hardwareluxx.de::KW
hardwareluxx.de::Shopping Club
heise.de::Top 10:
heise.de::Top 5:
heise.de::"Passwort"
heise.de::#TGIQF
heise.de::#heiseshow
@ -67,7 +61,6 @@ heise.de::Bit-Rauschen, der Prozessor-Podcast
heise.de::Desinfec
heise.de::Die Bilder der Woche
heise.de::Die Highlights bei
heise.de::Die Produktwerker
heise.de::Dienstag
heise.de::Dienstag:
heise.de::Elon Musk
@ -75,8 +68,8 @@ heise.de::FIFA
heise.de::Ferris Talk
heise.de::Fotografie
heise.de::Fotografie-Wettbewerb
heise.de::Fotonews
heise.de::Fotowettbewerb
heise.de::Fotonews
heise.de::Freitag
heise.de::Fußball-WM
heise.de::Heise spielt
@ -91,6 +84,7 @@ heise.de::Mittwoch
heise.de::Montag
heise.de::Podcast
heise.de::Podcast "Die Hupe"
heise.de::Die Produktwerker
heise.de::SoftwareArchitekTOUR
heise.de::Sonderheft
heise.de::TGIQF
@ -101,7 +95,6 @@ heise.de::Twitter
heise.de::WM 2022
heise.de::Was war. Was wird.
heise.de::Zugriff auf alle Inhalte von heise+
heise.de::bestenlisten
heise.de::c't <webdev>
heise.de::ct-Webinar:
heise.de::die Fotonews der Woche
@ -293,12 +286,14 @@ tagesschau.de::Werders
tagesschau.de::Zukunftspodcast
tagesschau.de::Zweierbob:
taz.de::America's Cup
taz.de::Bahnrad
taz.de::Ski
taz.de::Dart
taz.de::America's Cup
taz.de::America's Cup
taz.de::Bahnrad
taz.de::Fussball
taz.de::Läufer
taz.de::NBA
taz.de::Ski
taz.de::Tischtennis
taz.de::bundesliga
taz.de::cricket

View file

@ -0,0 +1,9 @@
#!/bin/bash
FILTERFILE=./filter.txt
VORHER=$(wc -l < $FILTERFILE)
echo Sortiere und filtere doppelte Zeilen heraus.
sort filter.txt | uniq -u -i | cat > .tmp
NACHHER=$(wc -l < .tmp)
echo Es wurden $((VORHER-NACHHER)) Zeilen entfernt!
mv -f .tmp filter.txt

View file

@ -1,39 +1,32 @@
services:
######## navidrome ########
navidrome:
container_name: "navidrome"
image: "deluan/navidrome:0.54.2"
######## navidrome-mg ########
navidrome-mg:
container_name: "navidrome-mg"
image: "deluan/navidrome:0.53.3"
restart: unless-stopped
pull_policy: missing
environment:
ND_LOGLEVEL: info
ND_SESSIONTIMEOUT: 24h
ND_MUSICFOLDER: /music
ND_DATAFOLDER: /data
ND_SCANSCHEDULE: 0 1 * * *
ND_TRANSCODINGCACHESIZE: 500MB
ND_IMAGECACHESIZE: 100MB
ND_AUTOIMPORTPLAYLISTS: false
ND_BASEURL: /mg
ND_COVERARTPRIORITY: "embedded, cover.*, folder.*, front.*, external"
ND_DATAFOLDER: /data
ND_ENABLESTARRATING: false
ND_ENABLEGRAVATAR: false
ND_LASTFM_ENABLED: false
ND_ENABLETRANSCODINGCONFIG: true
ND_COVERARTPRIORITY: "embedded"
ND_ENABLEARTWORKPRECACHE: true
ND_ENABLECOVERANIMATION: false
ND_ENABLEEXTERNALSERVICES: false
ND_ENABLEFAVOURITES: true
ND_ENABLEGRAVATAR: false
ND_ENABLEINSIGHTSCOLLECTOR: false
ND_ENABLELOGREDACTING: true
ND_ENABLEMEDIAFILECOVERART: true
ND_ENABLEREPLAYGAIN: true
ND_ENABLESHARING: false
ND_ENABLESTARRATING: false
ND_ENABLETRANSCODINGCONFIG: true
ND_IMAGECACHESIZE: 100MB
ND_JUKEBOX_ENABLED: false
ND_LASTFM_ENABLED: false
ND_LISTENBRAINZ_ENABLED: false
ND_LOGLEVEL: info
ND_MUSICFOLDER: /music
ND_PLAYLISTSPATH: "_playlists"
ND_PROMETHEUS_ENABLED: false
ND_RECENTLYADDEDBYMODTIME: true
ND_SCANSCHEDULE: 0 1 * * *
ND_SESSIONTIMEOUT: 24h
ND_TRANSCODINGCACHESIZE: 500MB
PUID: 1000
PGID: 1000
TZ: Europe/Berlin

View file

@ -1,7 +1,7 @@
services:
######## Datenbank ########
nextcloud-db:
image: "mariadb:11.6.2"
image: "mariadb:11.5.2"
container_name: nextcloud-db
command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF
restart: unless-stopped
@ -62,7 +62,7 @@ services:
######## Nextcloud ########
nextcloud-app:
image: "nextcloud:30.0.4"
image: "nextcloud:30.0.2"
container_name: nextcloud-app
restart: unless-stopped
pull_policy: missing

View file

@ -45,6 +45,5 @@ php occ ldap:set-config s01 ldapUuidGroupAttribute auto
php occ ldap:set-config s01 ldapUuidUserAttribute auto
php occ ldap:set-config s01 ldapExpertUsernameAttr user_id
php occ ldap:set-config s01 ldap_mark_remnants_as_disabled 1
php occ ldap:set-config s01 ldap_turn_on_pwd_change 1
# damit der Login über LDAP geht muss das Attribute "DisplayName" gesetzt sein!

View file

@ -66,10 +66,9 @@ services:
oci-registry-ui:
restart: unless-stopped
pull_policy: missing
# url: registry.mgrote.net/ui/index.html
image: "joxit/docker-registry-ui:2.5.7"
container_name: oci-registry-ui
ports:
- 5511:80
environment:
DELETE_IMAGES: true
SINGLE_REGISTRY: true
@ -87,6 +86,14 @@ services:
interval: 30s
timeout: 10s
retries: 3
labels:
traefik.http.routers.registry-ui.rule: Host(`rui.mgrote.net`)
traefik.http.routers.registry-ui.middlewares: allowlist_localnet@file,ratelimit40@file,authelia@docker
traefik.enable: true
traefik.http.routers.registry-ui.tls: true
traefik.http.routers.registry-ui.tls.certresolver: resolver_letsencrypt
traefik.http.routers.registry-ui.entrypoints: entry_https
traefik.http.services.registry-ui.loadbalancer.server.port: 80
######## Networks ########
networks:

View file

@ -1,10 +1,10 @@
# Details/Doku: https://wiki.mgrote.net/pages/_Technik/software/rest/ldap/?h=ldap
# Details/Doku: https:/wiki.mgrote.net/pages/_Technik/software/rest/ldap
services:
######## traefik ########
traefik:
container_name: traefik
image: "traefik:v3.2.3"
image: "traefik:v3.2.1"
restart: unless-stopped
pull_policy: missing
volumes:
@ -16,16 +16,23 @@ services:
- traefik
ports:
- "80:80" # HTTP
- "8081:8080" # Web-GUI
- "8081:8080" # Web-GUI # deaktiveiren, einkomentioeren wenn ldap oder middleware kapuutt !!!
- "443:443" # HTTPS
- "2222:2222" # SSH
environment:
TZ: Europe/Berlin
healthcheck:
test: ["CMD", "traefik", "healthcheck", "--ping"]
interval: 30s
interval: 10s
timeout: 10s
retries: 3
labels:
traefik.http.routers.traefik-dashboard.rule: Host(`traefik.mgrote.net`)
traefik.enable: true
traefik.http.routers.traefik-dashboard.entrypoints: entry_https
traefik.http.services.traefik-dashboard.loadbalancer.server.port: 8080
traefik.http.routers.traefik-dashboard.middlewares: authelia@docker
######## Networks ########
networks:
@ -37,3 +44,5 @@ networks:
######## Volumes ########
volumes:
acme_data:
# inscure mode aus

View file

@ -36,7 +36,7 @@ log:
accessLog: {}
api:
insecure: true
insecure: false
dashboard: true # unter Port 8081 erreichbar
ping: {} # für healthcheck

View file

@ -45,7 +45,7 @@ services:
# 1. mongosh
# 2. db.getSiblingDB("unifidb").createUser({user: "unifiuser", pwd: "GEHEIM", roles: [{role: "dbOwner", db: "unifidb"}, {role: "dbOwner", db: "unifidb_stat"}]});
# https://discourse.linuxserver.io/t/cant-connect-to-mongodb-for-unifi-network-application/8166
image: "docker.io/mongo:8.0.4"
image: "docker.io/mongo:8.0.3"
container_name: unifi-db
volumes:
- db-data:/data/db

View file

@ -88,6 +88,12 @@ blocky_custom_lookups: # optional
ip: 192.168.2.43
- name: munin.mgrote.net
ip: 192.168.2.40
- name: s3.mgrote.net
ip: 192.168.2.43
- name: rui.mgrote.net
ip: 192.168.2.43
- name: traefik.mgrote.net # kein oeffentlicher DNS-Record
ip: 192.168.2.43
### mgrote_munin_node
# kann git.mgrote.net nicht auflösen, deshalb hiermit IP

View file

@ -1,4 +1,17 @@
---
### mgrote_minio_configure
minio_url: https://s3.mgrote.net
minio_root_access_key: "{{ lookup('viczem.keepass.keepass', 'minio/minio_root_access_key', 'password') }}"
minio_root_secret_key: "{{ lookup('viczem.keepass.keepass', 'minio/minio_root_secret_key', 'password') }}"
minio_users:
- name: testuser
secret: "{{ lookup('viczem.keepass.keepass', 'minio/minio_testuser_secret_key', 'password') }}"
state: present
policy: testbucket_rw
minio_buckets:
- name: testbucket
state: present
### mrlesmithjr.manage_lvm
lvm_groups:
- vgname: vg_docker
@ -19,6 +32,7 @@ pvresize_to_max: true
pip_package: python3-pip
pip_install_packages:
- name: docker # für munin-plugin docker_
- name: minio # für ansible-minio_configure-Rolle
### mgrote.apt_manage_packages
apt_packages_extra:

View file

@ -101,7 +101,7 @@ munin_node_plugins:
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/http/http_response
config: |
[http_response]
env.sites https://git.mgrote.net https://docker10.mgrote.net:8443 http://munin.mgrote.net http://192.168.5.1 http://192.168.3.1 http://192.168.3.108:8080 http://192.168.3.204 http://docker10.mgrote.net:6483 https://miniflux.mgrote.net/ https://nextcloud.mgrote.net https://audio.mgrote.net/mg http://wiki.mgrote.net https://auth.mgrote.net http://docker10.mgrote.net:17170
env.sites https://git.mgrote.net https://docker10.mgrote.net:8443 https://rui.mgrote.net/ http://munin.mgrote.net http://192.168.5.1 http://192.168.3.1 http://192.168.3.108:8080 http://192.168.3.204 http://docker10.mgrote.net:6483 https://miniflux.mgrote.net/ https://nextcloud.mgrote.net https://audio.mgrote.net/mg http://wiki.mgrote.net https://s3.mgrote.net https://auth.mgrote.net http://docker10.mgrote.net:17170
env.max_time 20
env.short_label true
env.follow_redirect true

View file

@ -40,7 +40,7 @@ cv4pve_api_user: root@pam!cv4pve-autosnap
cv4pve_api_token: "{{ lookup('viczem.keepass.keepass', 'cv4pve_api_token', 'password') }}"
cv4pve_vmid: all,-107
cv4pve_keep_snapshots: 5
cv4pve_version: v1.15.0
cv4pve_version: v1.14.11
### mgrote_apt_manage_packages
apt_packages_extra:

View file

@ -53,6 +53,9 @@ compose_files:
- name: lldap
state: present
network: traefik
- name: minio
state: present
network: traefik
### oefenweb.ufw
ufw_rules:

View file

@ -230,6 +230,8 @@ pve_pbs_datastore:
### mgrote_sync
rsync_host_role: source
rsync_mirror_dirs: # bei Src+Dest KEIN "/" am Ende
- src: /hdd_data/tmp
dest: "{{ rsync_mirror_user }}@pbs.mgrote.net:/backup/pve5/tmp"
- src: /hdd_data/archiv
dest: "{{ rsync_mirror_user }}@pbs.mgrote.net:/backup/pve5/archiv"
- src: /hdd_data/backup

View file

@ -25,3 +25,6 @@
- role: mgrote_docker_housekeeping
tags: "housekeeping"
become: true
- role: mgrote_minio_configure
tags: "minio"
become: true

View file

@ -8,11 +8,9 @@
url: "{{ minio_url }}"
state: "{{ item.state | default('present') }}"
loop: "{{ minio_buckets }}"
delegate_to: localhost
- name: Deletion Info
ansible.builtin.debug:
msg: "Deletion only possible with empty bucket ({{ item.name }})"
when: '"absent" in item.state'
loop: "{{ minio_buckets }}"
delegate_to: localhost

View file

@ -12,7 +12,6 @@
access_key: "{{ minio_root_access_key }}"
secret_key: "{{ minio_root_secret_key }}"
state: present
delegate_to: localhost
- name: include policy tasks
ansible.builtin.include_tasks: policy.yml
@ -32,7 +31,6 @@
state: "{{ item.state | default('present') }}"
loop: "{{ minio_users }}"
no_log: "{{ no_debug | default('true') }}"
delegate_to: localhost
# Bug: delegate_to: localhost
# in ansible-devspace wird das Python Paket "minio" nicht gefunden

View file

@ -7,7 +7,6 @@
owner: root
group: root
mode: '0644'
delegate_to: localhost
- name: "prep: template policy files (ro)"
ansible.builtin.template:
@ -17,7 +16,6 @@
group: root
mode: '0644'
loop: "{{ minio_buckets }}"
delegate_to: localhost
- name: "prep: template policy files (rw)"
ansible.builtin.template:
@ -27,19 +25,16 @@
group: root
mode: '0644'
loop: "{{ minio_buckets }}"
delegate_to: localhost
- name: "setup policies (ro)"
ansible.builtin.command: "{{ minio_client_bin }} --disable-pager admin policy create {{ minio_root_alias }} {{ item.name }}_ro {{ minio_config_dir }}/{{ item.name }}_ro"
loop: "{{ minio_buckets }}"
changed_when: false # Befehl gibt immer "Created policy `testbucket3_ro` successfully." aus, unabhängig ob sie schon existiert oder nicht.
delegate_to: localhost
- name: "setup policies (rw)"
ansible.builtin.command: "{{ minio_client_bin }} --disable-pager admin policy create {{ minio_root_alias }} {{ item.name }}_rw {{ minio_config_dir }}/{{ item.name }}_rw"
loop: "{{ minio_buckets }}"
changed_when: false # Befehl gibt immer "Created policy `testbucket3_ro` successfully." aus, unabhängig ob sie schon existiert oder nicht.
delegate_to: localhost
- name: "remove old policy files"
ansible.builtin.file:
@ -47,4 +42,3 @@
state: absent
loop: "{{ minio_buckets }}"
when: '"absent" in item.state'
delegate_to: localhost