-rw-r--r--.gitignore1
-rw-r--r--stacks/.template/.container.env13
-rw-r--r--stacks/.template/compose.template.yml54
-rw-r--r--stacks/auth/compose.cache.yml18
-rw-r--r--stacks/auth/compose.yml33
-rw-r--r--stacks/codex/.codex.env.template6
-rw-r--r--stacks/codex/.env.template13
-rw-r--r--stacks/codex/.gitignore4
-rw-r--r--stacks/codex/compose.yml26
-rw-r--r--stacks/iam/.gitignore (renamed from stacks/auth/.gitignore)4
-rw-r--r--stacks/iam/TODO1
-rw-r--r--stacks/iam/auth.env.example12
-rw-r--r--stacks/iam/compose.yml54
-rw-r--r--stacks/iam/env.example (renamed from stacks/.template/.env)5
-rwxr-xr-xstacks/iam/util/gen-oidc-client.sh7
-rwxr-xr-xstacks/iam/util/gen-oidc-jwk.sh5
-rwxr-xr-xstacks/iam/util/gen-secrets.sh (renamed from stacks/auth/secrets.sh)8
-rwxr-xr-x[-rw-r--r--]stacks/iam/util/gen-user-passwd.sh (renamed from stacks/auth/util/genhash.sh)0
18 files changed, 90 insertions, 174 deletions
diff --git a/.gitignore b/.gitignore
index 7f4b696..ea4ca75 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
.editorconfig
+srv/
diff --git a/stacks/.template/.container.env b/stacks/.template/.container.env
deleted file mode 100644
index 511f12d..0000000
--- a/stacks/.template/.container.env
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-#
-# Stack Runtime Variables
-
-# Auth
-USERNAME=
-PASSWORD=
-
-SECRET=
-
-# Database
-DB_USER=
-ET_CETERA=
diff --git a/stacks/.template/compose.template.yml b/stacks/.template/compose.template.yml
deleted file mode 100644
index 65895df..0000000
--- a/stacks/.template/compose.template.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-## Template compose used for each stack.
-name: ${_STACK_X} # Explicit project name (do not rely on directory name)
-
-networks:
- net:
- name: ${_NET_X}
- external: true # All networks SHOULD be external in production.
- net2:
- name: ${_NET_Y}
- external: true
-
-volumes:
- data:
- name: ${_VOLUME_X} # Naming Convention: _[PURPOSE]_VOLUME
- external: true # All volumes SHOULD be external in production.
- config:
- name: ${_VOLUME_Y}
- external: true
- custom:
- name: ${_VOLUME_Z} # Custom volumes may not be external depending on the stack.
- # External volumes are not required for local stack testing.
-
-services:
- servicename:
- container_name: ${_CONTAINER_X} # Explicitly named containers.
- image: ${_IMAGE_X}
- restart: unless-stopped
- env_file:
- # NOTE: .compose.env WILL override .env if there are overlapping values.
- - .compose.env # Compose wiring defaults go here
- - .env # Service env vars
- # Uncomment if bind mounting should not belong to root
- # UID and GID MUST be set in .env
- # user: '${UID}:${GID}'
- volumes:
- # Directory Bind Mounting
- # - ./conf:/etc/service:ro
-
- # External Docker Volume Mount
- - type: volume
- source: data # Must exist if external; overridden in local dev
- target: /data
- - type: volume
- source: config # Must exist if external; overridden in local dev
- target: /config
- - type: volume
- source: custom # Must exist if external; overridden in local dev
- target: /custom
- networks:
- - net
- expose:
- - 80
- - 9001
- - 67
diff --git a/stacks/auth/compose.cache.yml b/stacks/auth/compose.cache.yml
deleted file mode 100644
index 4c7727a..0000000
--- a/stacks/auth/compose.cache.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-name: ${_STACK_1}
-
-networks:
- net:
- name: ${_NET_0}
- external: true
-
-services:
- servicename:
- container_name: ${_CONTAINER_1}
- image: redis:latest
- restart: unless-stopped
- env_file:
- - .env
- networks:
- - net
- expose:
- - 6379
diff --git a/stacks/auth/compose.yml b/stacks/auth/compose.yml
deleted file mode 100644
index e935946..0000000
--- a/stacks/auth/compose.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-name: ${_STACK_0}
-
-networks:
- net:
- name: ${_NET_0}
- external: true
-
-secrets:
- JWT_SECRET:
- file: './secrets/JWT_SECRET'
- SESSION_SECRET:
- file: './secrets/SESSION_SECRET'
- STORAGE_ENCRYPTION:
- file: './secrets/STORAGE_ENCRYPTION'
- OIDC_HMAC_SECRET:
- file: './secrets/OIDC_HMAC_SECRET'
-
-services:
- auth:
- container_name: ${_CONTAINER_0}
- image: authelia/authelia:latest
- restart: unless-stopped
- user: '${UID}:${GID}'
- secrets: ['JWT_SECRET', 'SESSION_SECRET', 'STORAGE_ENCRYPTION', OIDC_HMAC_SECRET]
- env_file:
- - .auth.env # Runtime Vars
- - .env # Stack Vars
- volumes:
- - ./config/:/config
- networks:
- - net
- expose:
- - 9091
diff --git a/stacks/codex/.codex.env.template b/stacks/codex/.codex.env.template
deleted file mode 100644
index 9f373a5..0000000
--- a/stacks/codex/.codex.env.template
+++ /dev/null
@@ -1,6 +0,0 @@
-#
-#
-# Stack Runtime Variables
-SB_USER=
-SB_NAME=
-SB_DESCRIPTION=
diff --git a/stacks/codex/.env.template b/stacks/codex/.env.template
deleted file mode 100644
index fa0eaba..0000000
--- a/stacks/codex/.env.template
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-#
-# Stack Compose Variables
-
-# Namespace
-_STACK=
-_CONTAINER=
-
-# Network
-_NET=
-
-# Volumes
-_DATA_VOLUME=
diff --git a/stacks/codex/.gitignore b/stacks/codex/.gitignore
deleted file mode 100644
index 8507661..0000000
--- a/stacks/codex/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-*.env
-space/
-space/**
-compose.local.yml
diff --git a/stacks/codex/compose.yml b/stacks/codex/compose.yml
deleted file mode 100644
index d144cb4..0000000
--- a/stacks/codex/compose.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: ${_STACK}
-
-networks:
- net:
- name: ${_NET}
- external: true
-
-volumes:
- data:
- name: ${_DATA_VOLUME}
- external: true
-
-services:
- silverbullet:
- container_name: ${_CONTAINER}
- image: ghcr.io/silverbulletmd/silverbullet
- restart: unless-stopped
- env_file:
- - .env
- - .codex.env
- networks:
- - net
- expose:
- - 3000
- volumes:
- - data:/space
diff --git a/stacks/auth/.gitignore b/stacks/iam/.gitignore
index 52db271..4dfeb35 100644
--- a/stacks/auth/.gitignore
+++ b/stacks/iam/.gitignore
@@ -3,5 +3,5 @@ config/
config/*
secrets/
secrets/*
-compose.local.yml
-compose.cache.local.yml
+compose.test.yml
+compose.cache.test.yml
diff --git a/stacks/iam/TODO b/stacks/iam/TODO
new file mode 100644
index 0000000..dba0e14
--- /dev/null
+++ b/stacks/iam/TODO
@@ -0,0 +1 @@
+1. Make a script to initialize Authelia with an admin user and streamline prod setup.
diff --git a/stacks/iam/auth.env.example b/stacks/iam/auth.env.example
new file mode 100644
index 0000000..b5275ab
--- /dev/null
+++ b/stacks/iam/auth.env.example
@@ -0,0 +1,12 @@
+#
+#
+# Stack Runtime Variables
+
+# Authelia secrets
+AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE=/run/secrets/JWT_SECRET
+AUTHELIA_SESSION_SECRET_FILE=/run/secrets/SESSION_SECRET
+AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/STORAGE_ENCRYPTION
+AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE=/run/secrets/OIDC_HMAC_SECRET
+
+# Use Authelia's file filter in config.
+X_AUTHELIA_CONFIG_FILTERS=template
diff --git a/stacks/iam/compose.yml b/stacks/iam/compose.yml
new file mode 100644
index 0000000..af25bb9
--- /dev/null
+++ b/stacks/iam/compose.yml
@@ -0,0 +1,54 @@
+name: ${_STACK_0}
+
+networks:
+ net_0:
+ name: ${_NET_0}
+ external: true
+ net_1:
+ name: ${_NET_1}
+
+volumes:
+ volume_0:
+ name: ${_VOLUME_0}
+ external: true
+
+secrets:
+ JWT_SECRET:
+ file: '/srv/secrets/auth/JWT_SECRET'
+ SESSION_SECRET:
+ file: '/srv/secrets/auth/SESSION_SECRET'
+ STORAGE_ENCRYPTION:
+ file: '/srv/secrets/auth/STORAGE_ENCRYPTION'
+ OIDC_HMAC_SECRET:
+ file: '/srv/secrets/auth/OIDC_HMAC_SECRET'
+
+services:
+ auth:
+ container_name: ${_CONTAINER_0}
+ image: authelia/authelia:latest
+ restart: unless-stopped
+ secrets: ['JWT_SECRET', 'SESSION_SECRET', 'STORAGE_ENCRYPTION', 'OIDC_HMAC_SECRET']
+ env_file:
+ - .auth.env # Runtime Vars
+ - .env # Stack Vars
+ volumes:
+ - volume_0:/config/db
+ - /srv/secrets/auth/configuration.yml:/config/configuration.yml
+ - /srv/secrets/auth/users.yml:/config/users.yml
+ - /srv/secrets/auth/jwks/oidc-jwk.pem:/config/jwks/oidc-jwk.pem
+ - /srv/secrets/auth/jwks/oidc-jwk-pub.pem:/config/jwks/oidc-jwk-pub.pem
+ networks:
+ - net_0
+ - net_1
+ expose:
+ - 9091
+ auth-cache:
+ container_name: ${_CONTAINER_1}
+ image: redis:latest
+ restart: unless-stopped
+ env_file:
+ - .env
+ networks:
+ - net_1
+ expose:
+ - 6379
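Review bot: Both services run on floating tags (`image: authelia/authelia:latest` and `image: redis:latest`), so a routine `docker compose pull` can move the identity provider to a new major release unreviewed; pin a version tag or digest, e.g. `image: authelia/authelia:<PINNED_VERSION>` and `image: redis:<PINNED_VERSION>` (placeholders). The bind mounts for `configuration.yml` and the two `jwks/*.pem` files are read-write although, as far as I know, Authelia only reads them; appending `:ro` to those three lines limits what a compromised container can alter (leave `users.yml` writable only if the file backend is expected to update it — verify). The deleted `stacks/auth/compose.yml` earlier in this diff ran the container as `user: '${UID}:${GID}'`; that line is gone here, so `auth` now runs as the image's default user unless that drop was intended.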
diff --git a/stacks/.template/.env b/stacks/iam/env.example
index d8fd2d5..913a774 100644
--- a/stacks/.template/.env
+++ b/stacks/iam/env.example
@@ -4,9 +4,9 @@
# Namespace
_STACK_0=
-_CONTAINER_0=
-_STACK_1=
+# Containers
+_CONTAINER_0=
_CONTAINER_1=
# Network
@@ -15,4 +15,3 @@ _NET_1=
# Volumes
_VOLUME_0=
-_VOLUME_1=
diff --git a/stacks/iam/util/gen-oidc-client.sh b/stacks/iam/util/gen-oidc-client.sh
new file mode 100755
index 0000000..ee6d79a
--- /dev/null
+++ b/stacks/iam/util/gen-oidc-client.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+
+docker run --rm authelia/authelia:latest authelia crypto rand --length 72 --charset rfc3986
+docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
+
+printf "\n"
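Review bot: The two `docker run` invocations are independent: the first prints a fresh random value, and the second, invoked with `--random`, generates and hashes a different random value, so the secret printed on the first line is not the preimage of the hash printed on the second (if I read Authelia's `crypto hash generate --random` correctly, it emits its own plaintext next to the digest). Either drop the first command and use the plaintext the second one prints, or capture the first value and pass it to the hash command in place of `--random`, so that one client secret and one digest are produced together. The script also pulls `authelia/authelia:latest`, which can diverge from the version compose.yml runs; pin the same tag in both places.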
diff --git a/stacks/iam/util/gen-oidc-jwk.sh b/stacks/iam/util/gen-oidc-jwk.sh
new file mode 100755
index 0000000..48747fb
--- /dev/null
+++ b/stacks/iam/util/gen-oidc-jwk.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+set -euo pipefail
+
+openssl genrsa -out oidc-jwk.pem 2048
+openssl genrsa -in oidc-jwk.pem -outform PEM -pubout -out oidc-jwk-pub.pem
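Review bot: The last line fails: `openssl genrsa` generates a new key and does not accept `-in` or `-pubout`, so the public key is never written and, under `set -e`, the script exits non-zero after producing only the private key. Extracting the public half uses the `rsa` subcommand: `openssl rsa -in oidc-jwk.pem -pubout -out oidc-jwk-pub.pem`. The private key is also created with the caller's umask; adding `umask 077` before `genrsa` keeps `oidc-jwk.pem` from being group/world-readable, which matters because compose.yml bind-mounts it from `/srv/secrets/auth/jwks/`.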
diff --git a/stacks/auth/secrets.sh b/stacks/iam/util/gen-secrets.sh
index 19031da..832f5d8 100755
--- a/stacks/auth/secrets.sh
+++ b/stacks/iam/util/gen-secrets.sh
@@ -8,10 +8,14 @@ SECRET_DIR=$PWD/secrets
# Generate secrets
for filename in "${SECRETS[@]}"; do
- openssl rand -hex 64 > "$SECRET_DIR"/"$filename"
+ if [ ! -f "$SECRET_DIR"/"$filename" ]; then
+ openssl rand -hex 64 > "$SECRET_DIR"/"$filename"
+ fi
done
# Generate admin passwords
for filename in "${USERS[@]}"; do
- openssl rand -hex 12 > "$SECRET_DIR"/"$filename"
+ if [ ! -f "$SECRET_DIR"/"$filename" ]; then
+ openssl rand -hex 12 > "$SECRET_DIR"/"$filename"
+ fi
done
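Review bot: The guarded redirections `openssl rand -hex 64 > "$SECRET_DIR"/"$filename"` and `openssl rand -hex 12 > "$SECRET_DIR"/"$filename"` still create the files with the caller's umask (commonly 0644), so the generated secrets and admin passwords are readable by every local user; add `umask 077` next to `SECRET_DIR=$PWD/secrets` or write them with `install -m 600`. The new skip-if-exists branches are silent, so a rerun gives no indication that a stale secret was kept; an `echo "keeping existing $filename" >&2` inside each `if` makes that visible. The script head that defines `SECRETS` and `USERS` lies outside the hunk.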
diff --git a/stacks/auth/util/genhash.sh b/stacks/iam/util/gen-user-passwd.sh
index d8202ee..d8202ee 100644..100755
--- a/stacks/auth/util/genhash.sh
+++ b/stacks/iam/util/gen-user-passwd.sh