-rw-r--r--.gitignore12
-rw-r--r--stacks/.template/.env15
-rw-r--r--stacks/.template/compose.template.yml31
-rw-r--r--stacks/auth/.gitignore7
-rw-r--r--stacks/auth/compose.cache.yml18
-rw-r--r--stacks/auth/compose.yml33
-rwxr-xr-xstacks/auth/secrets.sh17
-rw-r--r--stacks/auth/util/genhash.sh8
8 files changed, 114 insertions, 27 deletions
diff --git a/.gitignore b/.gitignore
index 037df8f..7f4b696 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,11 +1 @@
-# Ignore everything.
-*
-.*
-
-# Permissable files.
-!.gitignore
-!.bashrc
-!stacks/
-!stacks/**
-!ops/
-!ops/**
+.editorconfig
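Review bot: The root `.gitignore` drops its deny-everything allowlist and keeps only `.editorconfig`, so from this commit on every untracked file outside `stacks/auth/` is offered for commit by default. The per-stack ignore added in this same commit covers `stacks/auth/` only; a filled-in copy of `stacks/.template/.env` or a `secrets/` directory in any other stack would no longer be excluded. If the allowlist was intentionally retired, a root-level fallback such as `**/secrets/` and `*.env` keeps the secret-bearing paths this repository already uses out of history regardless of which stack they land in (already-tracked files, like the template `.env`, are unaffected by ignore rules).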
diff --git a/stacks/.template/.env b/stacks/.template/.env
index 4c7f7d8..d8fd2d5 100644
--- a/stacks/.template/.env
+++ b/stacks/.template/.env
@@ -3,13 +3,16 @@
# Stack Compose Variables
# Namespace
-_STACK=
-_CONTAINER=
+_STACK_0=
+_CONTAINER_0=
+
+_STACK_1=
+_CONTAINER_1=
# Network
-_NET=
+_NET_0=
+_NET_1=
# Volumes
-_DATA_VOLUME=
-_CONFIG_VOLUME=
-_CUSTOM_VOLUME=
+_VOLUME_0=
+_VOLUME_1=
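Review bot: The template `.env` is missing the `_IMAGE_*` keys that the rewritten `stacks/.template/compose.template.yml` in this commit now reads (`image: ${_IMAGE_X}`); it defines only `_STACK_*`, `_CONTAINER_*`, `_NET_*` and `_VOLUME_*`. With Compose an unset variable substitutes to an empty string, so a stack copied from the template fails at `up` time with an empty `image:` rather than at configuration time. Adding `_IMAGE_0=` and `_IMAGE_1=` under a `# Images` heading keeps the two template files in step; the template compose file could additionally use `${_IMAGE_X:?_IMAGE_X not set in .env}` so the omission is reported by name.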
diff --git a/stacks/.template/compose.template.yml b/stacks/.template/compose.template.yml
index 593c968..65895df 100644
--- a/stacks/.template/compose.template.yml
+++ b/stacks/.template/compose.template.yml
@@ -1,40 +1,51 @@
## Template compose used for each stack.
-name: ${_STACK} # Explicit project name (do not rely on directory name)
+name: ${_STACK_X} # Explicit project name (do not rely on directory name)
networks:
net:
- name: ${_NET}
+ name: ${_NET_X}
external: true # All networks SHOULD be external in production.
+ net2:
+ name: ${_NET_Y}
+ external: true
volumes:
data:
- name: ${_DATA_VOLUME}
+ name: ${_VOLUME_X} # Naming Convention: _[PURPOSE]_VOLUME
external: true # All volumes SHOULD be external in production.
config:
- name: ${_CONFIG_VOLUME}
+ name: ${_VOLUME_Y}
external: true
custom:
- name: ${_CUSTOM_VOLUME} # Custom volumes may not be external depending on the stack.
+ name: ${_VOLUME_Z} # Custom volumes may not be external depending on the stack.
# External volumes are not required for local stack testing.
services:
servicename:
- container_name: ${_CONTAINER} # Remove if a swarm is needed.
- image: somewhere/someone/container:latest
+ container_name: ${_CONTAINER_X} # Explicitly named containers.
+ image: ${_IMAGE_X}
restart: unless-stopped
env_file:
# NOTE: .compose.env WILL override .env if there are overlapping values.
- .compose.env # Compose wiring defaults go here
- .env # Service env vars
+ # Uncomment if bind mounting should not belong to root
+ # UID and GID MUST be set in .env
+ # user: '${UID}:${GID}'
volumes:
- # Example bind mount (read-only)
+ # Directory Bind Mounting
# - ./conf:/etc/service:ro
+
+ # External Docker Volume Mount
- type: volume
- source: ${_DATA_VOLUME:-data} # Must exist if external; overridden in local dev
+ source: data # Must exist if external; overridden in local dev
target: /data
- type: volume
- source: ${_CONFIG_VOLUME:-config} # Must exist if external; overridden in local dev
+ source: config # Must exist if external; overridden in local dev
target: /config
+ - type: volume
+ source: custom # Must exist if external; overridden in local dev
+ target: /custom
networks:
- net
expose:
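Review bot: The commented `user: '${UID}:${GID}'` example (and the live copy in `stacks/auth/compose.yml` in this commit) silently degrades to `user: ':'` when the variables are absent, because bash's `UID` is a shell variable that is not exported to child processes and `GID` is not set by bash at all; Compose only sees what is exported or in `.env`. The comment already says they MUST be set in `.env`; enforcing it with Compose's required-variable form, `# user: '${UID:?UID not set in .env}:${GID:?GID not set in .env}'`, turns a wrong-owner or root container into a configuration error. The `expose:` list at the end of this hunk continues outside the view.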
diff --git a/stacks/auth/.gitignore b/stacks/auth/.gitignore
new file mode 100644
index 0000000..52db271
--- /dev/null
+++ b/stacks/auth/.gitignore
@@ -0,0 +1,7 @@
+*.env
+config/
+config/*
+secrets/
+secrets/*
+compose.local.yml
+compose.cache.local.yml
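Review bot: `config/*` and `secrets/*` are redundant with the `config/` and `secrets/` entries directly above them — a pattern with a trailing slash already ignores the directory and everything beneath it, and once the directory is ignored a later `!config/somefile` negation cannot re-include anything anyway. Dropping the two `/*` lines leaves the behaviour unchanged and makes the intent (whole directories excluded) easier to read.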
diff --git a/stacks/auth/compose.cache.yml b/stacks/auth/compose.cache.yml
new file mode 100644
index 0000000..4c7727a
--- /dev/null
+++ b/stacks/auth/compose.cache.yml
@@ -0,0 +1,18 @@
+name: ${_STACK_1}
+
+networks:
+ net:
+ name: ${_NET_0}
+ external: true
+
+services:
+ servicename:
+ container_name: ${_CONTAINER_1}
+ image: redis:latest
+ restart: unless-stopped
+ env_file:
+ - .env
+ networks:
+ - net
+ expose:
+ - 6379
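Review bot: The service key `servicename` looks like the placeholder carried over from `compose.template.yml` rather than a name for this Redis instance (`cache` or `redis` would match the file name), and `image: redis:latest` is unpinned, so the session store can change major version on any pull. More importantly the container joins the shared external network `${_NET_0}` with no authentication configured on the Redis side — `expose: 6379` is documentation only and does not restrict access — so any container on that network can read or flush whatever the auth service stores here, unless a password is supplied through `.env` by some path not visible in this commit. Pinning the tag and loading a `requirepass`/ACL setting from a mounted config file or secret would close that gap; the `.env` file referenced by `env_file` is outside the hunk.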
diff --git a/stacks/auth/compose.yml b/stacks/auth/compose.yml
new file mode 100644
index 0000000..e935946
--- /dev/null
+++ b/stacks/auth/compose.yml
@@ -0,0 +1,33 @@
+name: ${_STACK_0}
+
+networks:
+ net:
+ name: ${_NET_0}
+ external: true
+
+secrets:
+ JWT_SECRET:
+ file: './secrets/JWT_SECRET'
+ SESSION_SECRET:
+ file: './secrets/SESSION_SECRET'
+ STORAGE_ENCRYPTION:
+ file: './secrets/STORAGE_ENCRYPTION'
+ OIDC_HMAC_SECRET:
+ file: './secrets/OIDC_HMAC_SECRET'
+
+services:
+ auth:
+ container_name: ${_CONTAINER_0}
+ image: authelia/authelia:latest
+ restart: unless-stopped
+ user: '${UID}:${GID}'
+ secrets: ['JWT_SECRET', 'SESSION_SECRET', 'STORAGE_ENCRYPTION', OIDC_HMAC_SECRET]
+ env_file:
+ - .auth.env # Runtime Vars
+ - .env # Stack Vars
+ volumes:
+ - ./config/:/config
+ networks:
+ - net
+ expose:
+ - 9091
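Review bot: The flow-style `secrets:` list mixes single-quoted scalars with a bare `OIDC_HMAC_SECRET`; quote all four or none, or better write it as a block sequence like the `env_file:`, `volumes:` and `networks:` lists below it so the file is consistent with itself. `image: authelia/authelia:latest` is the identity provider for every stack on `${_NET_0}`, and an unpinned tag means a routine `pull` can move it to a release with different config semantics; a fixed version tag (e.g. `authelia/authelia:<PINNED_VERSION>`, placeholder) is the usual expectation for this role. The four file-backed secrets are declared but nothing in this hunk maps them to the `AUTHELIA_*_FILE` variables the image would need — presumably that is in `.auth.env`, which is ignored and not visible here, so worth confirming.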
diff --git a/stacks/auth/secrets.sh b/stacks/auth/secrets.sh
new file mode 100755
index 0000000..19031da
--- /dev/null
+++ b/stacks/auth/secrets.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+USERS=(RATDAD)
+SECRETS=(SESSION_SECRET STORAGE_ENCRYPTION JWT_SECRET OIDC_HMAC_SECRET)
+SECRET_DIR=$PWD/secrets
+
+[ ! -d "$SECRET_DIR" ] && mkdir -p "$SECRET_DIR"
+
+# Generate secrets
+for filename in "${SECRETS[@]}"; do
+ openssl rand -hex 64 > "$SECRET_DIR"/"$filename"
+done
+
+# Generate admin passwords
+for filename in "${USERS[@]}"; do
+ openssl rand -hex 12 > "$SECRET_DIR"/"$filename"
+done
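Review bot: The secret files are written through plain `>` redirection under the caller's default umask, so on most hosts they land as mode 0644 — readable by every local account — and the script also unconditionally overwrites any existing secret on a second run, which (if `STORAGE_ENCRYPTION` is the key protecting already-written storage) silently makes that data unreadable and invalidates every live session. Setting `umask 077` before the `mkdir`, adding `set -euo pipefail` as `util/genhash.sh` in this commit already does, and skipping files that already exist makes the script safe to re-run; rotation can then be an explicit delete-and-regenerate. `SECRET_DIR=$PWD/secrets` is also relative to the caller's working directory rather than the script's, which is easy to get wrong from a parent directory.

```shell
#!/bin/bash
set -euo pipefail
umask 077  # secret files must be owner-readable only

# … unchanged: USERS, SECRETS, SECRET_DIR, mkdir …

# Generate secrets (never overwrite: an existing key may protect live data)
for filename in "${SECRETS[@]}"; do
  if [ -e "$SECRET_DIR/$filename" ]; then continue; fi
  openssl rand -hex 64 > "$SECRET_DIR/$filename"
done

# … unchanged: admin password loop, with the same existence guard …
```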
diff --git a/stacks/auth/util/genhash.sh b/stacks/auth/util/genhash.sh
new file mode 100644
index 0000000..d8202ee
--- /dev/null
+++ b/stacks/auth/util/genhash.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -euo pipefail
+
+read -rp "Enter a password for the new user: " PASSWORD
+HASHED=$(docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password "${PASSWORD}")
+
+printf "Password: %s\n" "${PASSWORD}"
+printf "Hash: %s\n" "${HASHED}"
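Review bot: `read -rp` echoes the password to the terminal as it is typed and the script then prints it again in clear with `printf "Password: %s\n"`, so the plaintext ends up on screen (and in any terminal log) twice; `read -rsp "Enter a password for the new user: " PASSWORD; echo` and dropping the `Password:` line leaves only the hash, which is all the user needs to paste into the Authelia users file. Passing the value via `--password "${PASSWORD}"` also places it in the `docker run` argument list, where it is visible to other local users through the process table for the duration of the run; if the `authelia crypto hash generate` subcommand supports prompting for the password itself (worth checking against the pinned image version), running it with `-i` and no `--password` avoids that. Like the compose files in this commit, `authelia/authelia:latest` is unpinned here, so the hash parameters may change between runs.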