docker-compose/authentik
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

transition to seperate templates for prod and test; update script to add ssh-key deployment

Browse source
This commit is contained in:
test 2025-01-31 21:33:45 +01:00
parent fe3da3dc3a
commit 259cb76cc1
3 changed files with 105 additions and 29 deletions
Download patch file Download diff file Expand all files Collapse all files

11
env.template → env.prod.template
View file

@ -1,10 +1,10 @@
# SETTINGS from env.template # SETTINGS from env.template
# Misc configuration # Misc configuration
PUBLIC_DOMAIN=replace-me PUBLIC_DOMAIN=sso.base23.de
COMPOSE_PROJECT_NAME=sso-base23-de COMPOSE_PROJECT_NAME=sso-base23-de
# Auhtentik version # Auhtentik version
AUTHENTIK_TAG=2024.10.4 AUTHENTIK_TAG=2024.12.3
# Error reporting & Logging # Error reporting & Logging
AUTHENTIK_ERROR_REPORTING__ENABLED=true AUTHENTIK_ERROR_REPORTING__ENABLED=true
@ -48,14 +48,15 @@ NGINX_SERVERNAME=sso.base23.de
# NGINX SSL Config for nginx 1.27.2, intermediate config, OpenSSL 3.0.14 # NGINX SSL Config for nginx 1.27.2, intermediate config, OpenSSL 3.0.14
NGINX_SSL_SESSION_TIMEOUT=1d NGINX_SSL_SESSION_TIMEOUT=1d
NGINX_SSL_SESSION_CACHE=shared:MozSSL:10m # about 40000 sessions NGINX_SSL_SESSION_CACHE='shared:MozSSL:10m' # about 40000 sessions
NGINX_SSL_PROTOCOLS=TLSv1.2 TLSv1.3 NGINX_SSL_PROTOCOLS='TLSv1.2 TLSv1.3'
NGINX_SSL_CIPHERS=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 NGINX_SSL_CIPHERS='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305'
NGINX_SSL_PREFER_SERVER_CIPHERS=off NGINX_SSL_PREFER_SERVER_CIPHERS=off
NGINX_HEADER_STRICT_TRANSPORT_SECURITY='"max-age=63072000" always' NGINX_HEADER_STRICT_TRANSPORT_SECURITY='"max-age=63072000" always'
NGINX_SSL_STAPLING=on NGINX_SSL_STAPLING=on
NGINX_SSL_STAPLING_VERIFY=on NGINX_SSL_STAPLING_VERIFY=on
# Restic configuration # Restic configuration
RESTIC_REPO_USER=u291924-sub4 RESTIC_REPO_USER=u291924-sub4
RESTIC_REPO_ADDRESS=cloud.backup.base23.de RESTIC_REPO_ADDRESS=cloud.backup.base23.de

48
env.test.template Normal file
View file

@ -0,0 +1,48 @@
# SETTINGS from env.template
# Misc configuration
PUBLIC_DOMAIN=sso.test.base23.de
COMPOSE_PROJECT_NAME=sso-base23-de
# Auhtentik version
AUTHENTIK_TAG=2024.12.3
# Error reporting & Logging
AUTHENTIK_ERROR_REPORTING__ENABLED=true
AUTHENTIK_LOG_LEVEL=warning
# Email configuration
# SMTP Host Emails are sent to
AUTHENTIK_EMAIL__HOST=mail.base23.de
AUTHENTIK_EMAIL__PORT=25
AUTHENTIK_EMAIL__USERNAME=sso@base23.de
# Use StartTLS
AUTHENTIK_EMAIL__USE_TLS=true
# Use SSL
AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__TIMEOUT=10
# Email address authentik will send from, should have a correct @domain
AUTHENTIK_EMAIL__FROM=sso@base23.de
# Exposed ports for Authentik -- Ports are note exposed due to traefik setup
# COMPOSE_PORT_HTTP=80
# COMPOSE_PORT_HTTPS=443
# Liste settings
AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS="172.18.0.0/16"
# MaxMind GeoIP
GEOIPUPDATE_ACCOUNT_ID=1093308
# PostgreSQL configuration
PG_USER=authentik
PG_DB=authentik
# Restic configuration
RESTIC_REPO_USER=u291924-sub5
RESTIC_REPO_ADDRESS=cloud.backup.base23.de
RESTIC_REPO_PORT=22
RESTIC_TAG=sso.test.base23.de

75
scripts/init.sh
View file

@ -1,6 +1,33 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -euf -o pipefail set -euf -o pipefail
# Ask if initialized for production or test
while true; do
read -p "Do you want to init a [P]roduction or [T]est environment? (P/T): " DEPLOYMENT_ENVIRONMENT
case "$DEPLOYMENT_ENVIRONMENT" in
[Pp]* )
DEPLOYMENT_ENVIRONMENT="PRODUCTION"
ENV_TEMPLATE="env.prod.template"
break
;;
[Tt]* )
DEPLOYMENT_ENVIRONMENT="TEST"
ENV_TEMPLATE="env.test.template"
break
;;
* )
echo "Please answer with P or T."
;;
esac
done
source $(dirname "$(readlink -f "$0")")/../${ENV_TEMPLATE}
SERVICE_DOMAIN="${RESTIC_TAG:?Restic backup tag is missing -- RESTIC_TAG}"
BACKUP_TARGET_DOMAIN="${RESTIC_REPO_ADDRESS:?Restic backup target domain is missing -- RESTIC_REPO_ADDRESS}"
BACKUP_TARGET_USER="${RESTIC_REPO_USER:?Restic backup target user is missing -- RESTIC_REPO_USER}"
HOSTNAME=$(hostname -f)
# Function to securely query user for a password, verify it, and return it for further use # Function to securely query user for a password, verify it, and return it for further use
prompt_password() { prompt_password() {
local purpose="$1" local purpose="$1"
@ -30,26 +57,6 @@ trap 'printf "\nOperation aborted by user.\n" >&2; exit 1' SIGINT
cd "$(dirname "$(realpath "$0")")/../" cd "$(dirname "$(realpath "$0")")/../"
AUTHENTIK_DOCKER_COMPOSE_PATH="$(realpath "$(pwd)")" AUTHENTIK_DOCKER_COMPOSE_PATH="$(realpath "$(pwd)")"
# Ask if initialized for production or test
while true; do
read -p "Do you want to init a [P]roduction or [T]est environment? (P/T): " DEPLOYMENT_ENVIRONMENT
case "$DEPLOYMENT_ENVIRONMENT" in
[Pp]* )
DEPLOYMENT_ENVIRONMENT="PRODUCTION"
PUBLIC_DOMAIN="sso.base23.de"
break
;;
[Tt]* )
DEPLOYMENT_ENVIRONMENT="TEST"
PUBLIC_DOMAIN="sso.test.base23.de"
break
;;
* )
echo "Please answer with P or T."
;;
esac
done
if [[ ! -f ./docker-compose.yml ]]; then if [[ ! -f ./docker-compose.yml ]]; then
[[ "${DEPLOYMENT_ENVIRONMENT}" == "PRODUCTION" ]] && ln -s ./docker-compose.prod.yml ./docker-compose.yml [[ "${DEPLOYMENT_ENVIRONMENT}" == "PRODUCTION" ]] && ln -s ./docker-compose.prod.yml ./docker-compose.yml
[[ "${DEPLOYMENT_ENVIRONMENT}" == "TEST" ]] && ln -s ./docker-compose.test.yml ./docker-compose.yml [[ "${DEPLOYMENT_ENVIRONMENT}" == "TEST" ]] && ln -s ./docker-compose.test.yml ./docker-compose.yml
@ -57,8 +64,7 @@ fi
# Check if .env exists and exit if it is # Check if .env exists and exit if it is
if [[ ! -f ./.env ]]; then if [[ ! -f ./.env ]]; then
cat ./env.template >> ./.env cat ./${ENV_TEMPLATE} >> ./.env
sed -i "s/\(PUBLIC_DOMAIN=\).*/\1${PUBLIC_DOMAIN}/" ./.env
echo "# SECRETS" >> ./.env echo "# SECRETS" >> ./.env
prompt_password "PG_PASS (leave empty to generate a password)"; echo "PG_PASS=$([[ -n ${RETURNED_PASSWORD} ]] && echo -n "${RETURNED_PASSWORD}" || openssl rand -base64 36 | tr -d '\n')" >> ./.env; unset RETURNED_PASSWORD prompt_password "PG_PASS (leave empty to generate a password)"; echo "PG_PASS=$([[ -n ${RETURNED_PASSWORD} ]] && echo -n "${RETURNED_PASSWORD}" || openssl rand -base64 36 | tr -d '\n')" >> ./.env; unset RETURNED_PASSWORD
prompt_password "AUTHENTIK_SECRET_KEY (leave empty to generate a password)"; echo "AUTHENTIK_SECRET_KEY=$([[ -n ${RETURNED_PASSWORD} ]] && echo -n "${RETURNED_PASSWORD}" || openssl rand -base64 60 | tr -d '\n')" >> ./.env; unset RETURNED_PASSWORD prompt_password "AUTHENTIK_SECRET_KEY (leave empty to generate a password)"; echo "AUTHENTIK_SECRET_KEY=$([[ -n ${RETURNED_PASSWORD} ]] && echo -n "${RETURNED_PASSWORD}" || openssl rand -base64 60 | tr -d '\n')" >> ./.env; unset RETURNED_PASSWORD
@ -75,9 +81,30 @@ if [[ ! -f ./lego.env && "${DEPLOYMENT_ENVIRONMENT}" == "PRODUCTION" ]]; then
echo "" >> ./.env echo "" >> ./.env
fi fi
BACKUP_TARGET_KEY_TYPES="ed25519,rsa"
BACKUP_TARGET_IPV4=$(dig +short "${BACKUP_TARGET_DOMAIN}" A | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$')
BACKUP_TARGET_IPV6=$(dig +short "${BACKUP_TARGET_DOMAIN}" AAAA | grep -E '^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$')
# Check if ssh key already exists, otherwise generate one # Check if ssh key already exists, otherwise generate one
[[ ! -d ./data/restic/ssh/ ]] && mkdir -p ./data/restic/ssh/ [[ ! -d ./data/restic/ssh/ ]] && mkdir -p ./data/restic/ssh/ && chmod 700 ./data/restic/ssh/
[[ ! -f ./data/restic/ssh/id_ed25519 ]] && ssh-keygen -t ed25519 -C "sso.base23.de" -f ./data/restic/ssh/id_ed25519 if [[ ! -f ./data/restic/ssh/id_ed25519 ]]; then
ssh-keygen -t ed25519 -C "${SERVICE_DOMAIN}" -f ./data/restic/ssh/id_ed25519 && chmod 600 ./data/restic/ssh/id_ed25519
# Copy SSH key to backup target
cat ./data/restic/ssh/id_ed25519.pub | ssh -p23 ${BACKUP_TARGET_USER}@${BACKUP_TARGET_DOMAIN} install-ssh-key
fi
# Setup known_hosts for backup container
if [[ ! -f ./data/restic/ssh/known_hosts ]]; then
ssh-keyscan -p 23 -t ${BACKUP_TARGET_KEY_TYPES} ${BACKUP_TARGET_DOMAIN} > ./data/restic/ssh/known_hosts
ssh-keyscan -p 23 -t ${BACKUP_TARGET_KEY_TYPES} ${BACKUP_TARGET_IPV4} >> ./data/restic/ssh/known_hosts
ssh-keyscan -p 23 -t ${BACKUP_TARGET_KEY_TYPES} ${BACKUP_TARGET_IPV6} >> ./data/restic/ssh/known_hosts
ssh-keyscan -p 22 -t ${BACKUP_TARGET_KEY_TYPES} ${BACKUP_TARGET_DOMAIN} >> ./data/restic/ssh/known_hosts
ssh-keyscan -p 22 -t ${BACKUP_TARGET_KEY_TYPES} ${BACKUP_TARGET_IPV4} >> ./data/restic/ssh/known_hosts
ssh-keyscan -p 22 -t ${BACKUP_TARGET_KEY_TYPES} ${BACKUP_TARGET_IPV6} >> ./data/restic/ssh/known_hosts
chmod 600 ./data/restic/ssh/known_hosts
fi
if [[ "${DEPLOYMENT_ENVIRONMENT}" == "PRODUCTION" ]]; then if [[ "${DEPLOYMENT_ENVIRONMENT}" == "PRODUCTION" ]]; then
# Generate dhparam, if not existing # Generate dhparam, if not existing