m/natelandau_ansible-homelab-config
1
0
Fork 0
mirror of https://github.com/natelandau/ansible-homelab-config.git synced 2025-11-17 09:23:40 -05:00
Code Issues Packages Projects Releases Wiki Activity

Fix indentation in authelia config

Browse Source
This commit is contained in:
Nathaniel Landau
2022-02-08 10:49:03 -05:00
parent e63cee00bc
commit fbbfd5c082
1 changed files with 373 additions and 372 deletions
Download Patch File Download Diff File Expand all files Collapse all files

745
templates/nomad_jobs/reverse-proxy.hcl
View File

@@ -4,327 +4,327 @@ job "reverse-proxy" {
type = "service" type = "service"
constraint { constraint {
attribute = "${node.unique.name}" attribute = "${node.unique.name}"
value = "rpi1" value = "rpi1"
} }
update { update {
max_parallel = 1 max_parallel = 1
health_check = "checks" health_check = "checks"
min_healthy_time = "10s" min_healthy_time = "10s"
healthy_deadline = "5m" healthy_deadline = "5m"
progress_deadline = "10m" progress_deadline = "10m"
auto_revert = true auto_revert = true
canary = 0 canary = 0
stagger = "30s" stagger = "30s"
} }
group "reverse-proxy-group" { group "reverse-proxy-group" {
restart { restart {
attempts = 0 attempts = 0
delay = "30s" delay = "30s"
}
network {
port "authelia-port" {
static = {{ authelia_port }}
to = 9091
}
port "whoami" {
to = 80
}
port "dashboard" {
static = 8080
to = 8080
}
port "web" {
static = 80
to = 80
}
port "websecure" {
static = 443
to = 443
}
port "externalwebsecure" {
static = 4430
to = 4430
}
}
task "authelia" {
env {
TZ = "America/New_York"
PUID = "${meta.PUID}"
PGID = "${meta.PGID}"
} }
driver = "docker" network {
config { port "authelia-port" {
image = "authelia/authelia" static = {{ authelia_port }}
hostname = "authelia" to = 9091
ports = ["authelia-port"] }
volumes = [ port "whoami" {
"${meta.nfsStorageRoot}/pi-cluster/authelia:/config" to = 80
] }
args = [ port "dashboard" {
"--config", static = 8080
"/local/authelia/config.yaml" to = 8080
] }
} // docker config port "web" {
static = 80
template { to = 80
destination = "local/authelia/config.yaml" }
env = false port "websecure" {
change_mode = "noop" static = 443
perms = "644" to = 443
data = <<-EOH }
--- port "externalwebsecure" {
## The theme to display: light, dark, grey, auto. static = 4430
theme: auto to = 4430
}
jwt_secret: {{ authelia_jwt_secret}}
default_redirection_url: https://authelia.{{ homelab_domain_name}}
server:
host: 0.0.0.0
port: 9091
path: ""
read_buffer_size: 4096
write_buffer_size: 4096
enable_pprof: false
enable_expvars: false
disable_healthcheck: false
log:
level: info
format: text
# file_path: "/config/log.txt"
keep_stdout: false
totp:
issuer: authelia.com
authentication_backend:
disable_reset_password: false
file:
path: /config/users.yml
password:
algorithm: argon2id
iterations: 1
salt_length: 16
parallelism: 8
memory: 64
access_control:
default_policy: deny
networks:
- name: internal
networks:
- 10.0.0.0/16
#- 172.16.0.0/12
#- 192.168.0.0/18
rules:
# Rules applied to everyone
- domain: "*.{{ homelab_domain_name }}"
policy: two_factor
networks:
- internal
session:
name: authelia_session
domain: {{ homelab_domain_name }}
same_site: lax
secret: {{ authelia_session_secret }}
expiration: 1h
inactivity: 15m
remember_me_duration: 1w
regulation:
max_retries: 5
find_time: 10m
ban_time: 15m
storage:
encryption_key: {{ authelia_sqlite_encryption_key}}
local:
path: /config/db.sqlite3
notifier:
smtp:
username: {{ email_smtp_account }}
password: {{ authelia_smtp_password }}
host: {{ email_smtp_host }}
port: {{ email_smtp_port }}
sender: "Authelia <{{ my_email_address }}>"
subject: "[Authelia] {title}"
startup_check_address: {{ my_email_address }}
EOH
} }
service { task "authelia" {
port = "authelia-port"
name = "${NOMAD_TASK_NAME}"
tags = [
"traefik.enable=true",
"traefik.http.routers.${NOMAD_TASK_NAME}.rule=Host(`authelia.{{ homelab_domain_name }}`)",
"traefik.http.routers.${NOMAD_TASK_NAME}.entryPoints=web,websecure",
"traefik.http.routers.${NOMAD_TASK_NAME}.service=${NOMAD_TASK_NAME}",
"traefik.http.routers.${NOMAD_TASK_NAME}.tls=true",
"traefik.http.routers.${NOMAD_TASK_NAME}.tls.certresolver=cloudflare",
"traefik.http.middlewares.authelia-headers.headers.customResponseHeaders.Cache-Control=no-store",
"traefik.http.middlewares.authelia-headers.headers.customResponseHeaders.Pragma=no-cache",
"traefik.http.routers.authelia.middlewares=authelia-headers"
]
check { env {
type = "tcp" TZ = "America/New_York"
port = "authelia-port" PUID = "${meta.PUID}"
interval = "30s" PGID = "${meta.PGID}"
timeout = "4s" }
}
check_restart { driver = "docker"
limit = 0 config {
grace = "1m" image = "authelia/authelia"
ignore_warnings = true hostname = "authelia"
} ports = ["authelia-port"]
} // service volumes = [
"${meta.nfsStorageRoot}/pi-cluster/authelia:/config"
]
args = [
"--config",
"/local/authelia/config.yaml"
]
} // docker config
resources { template {
cpu = 200 # MHz destination = "local/authelia/config.yaml"
memory = 110 # MB env = false
} change_mode = "noop"
perms = "644"
data = <<-EOH
---
## The theme to display: light, dark, grey, auto.
theme: auto
} // task authelia jwt_secret: {{ authelia_jwt_secret}}
default_redirection_url: https://authelia.{{ homelab_domain_name}}
task "whoami" { server:
driver = "docker" host: 0.0.0.0
config { port: 9091
image = "containous/whoami:latest" path: ""
hostname = "${NOMAD_TASK_NAME}" read_buffer_size: 4096
ports = ["whoami"] write_buffer_size: 4096
enable_pprof: false
enable_expvars: false
disable_healthcheck: false
} // /docker config log:
level: info
format: text
# file_path: "/config/log.txt"
keep_stdout: false
service { totp:
port = "whoami" issuer: authelia.com
name = "${NOMAD_TASK_NAME}"
tags = [
"traefik.enable=true",
"traefik.http.routers.${NOMAD_TASK_NAME}.rule=Host(`${NOMAD_TASK_NAME}.{{ homelab_domain_name }}`)",
"traefik.http.routers.${NOMAD_TASK_NAME}.entryPoints=web,websecure",
"traefik.http.routers.${NOMAD_TASK_NAME}.service=${NOMAD_TASK_NAME}",
"traefik.http.routers.${NOMAD_TASK_NAME}.tls=true",
"traefik.http.routers.${NOMAD_TASK_NAME}.tls.certresolver=cloudflare",
"traefik.http.routers.${NOMAD_TASK_NAME}.middlewares=authelia@file"
]
check {
type = "http"
path = "/"
interval = "90s"
timeout = "15s"
}
check_restart {
limit = 2
grace = "1m"
ignore_warnings = true
}
}
resources {
cpu = 25 # MHz
memory = 10 # MB
}
} // /task whoami authentication_backend:
disable_reset_password: false
file:
path: /config/users.yml
password:
algorithm: argon2id
iterations: 1
salt_length: 16
parallelism: 8
memory: 64
task "traefik" { access_control:
default_policy: deny
networks:
- name: internal
networks:
- 10.0.0.0/8
#- 172.16.0.0/12
#- 192.168.0.0/18
rules:
# Rules applied to everyone
- domain: "*.{{ homelab_domain_name }}"
policy: two_factor
networks:
- internal
env { session:
PUID = "${meta.PUID}" name: authelia_session
PGID = "${meta.PGID}" domain: {{ homelab_domain_name }}
TZ = "America/New_York" same_site: lax
CF_API_EMAIL = "{{ my_email_address }}" secret: {{ authelia_session_secret }}
CF_DNS_API_TOKEN = "{{ traefik_cf_api_token }}" expiration: 1h
} inactivity: 15m
remember_me_duration: 1w
driver = "docker" regulation:
config { max_retries: 5
image = "traefik:{{ traefik_version }}" find_time: 10m
hostname = "traefik" ban_time: 15m
ports = ["dashboard", "web", "websecure", "externalwebsecure"]
volumes = ["${meta.nfsStorageRoot}/pi-cluster/traefik/acme:/acme"]
args = [
"--global.sendAnonymousUsage=false",
"--global.checkNewVersion=false",
"--entryPoints.web.address=:80",
"--entryPoints.websecure.address=:443",
"--entryPoints.externalwebsecure.address=:4430",
"--entrypoints.web.http.redirections.entryPoint.to=websecure",
"--entrypoints.web.http.redirections.entryPoint.scheme=https",
"--entrypoints.web.http.redirections.entryPoint.permanent=true",
"--providers.file.filename=/local/traefik/siteconfigs.toml",
"--providers.file.watch=true",
"--providers.consulcatalog=true",
"--providers.consulcatalog.endpoint.address=http://consul.service.consul:8500",
"--providers.consulcatalog.prefix=traefik",
"--providers.consulcatalog.exposedbydefault=false",
"--metrics=true",
"--metrics.influxdb=true",
"--metrics.influxdb.address=influxdb.service.consul:{{ influxdb_port }}",
"--metrics.influxdb.protocol=http",
"--metrics.influxdb.pushinterval=10s",
"--metrics.influxdb.database=homelab",
"--metrics.influxdb.retentionpolicy=2day",
"--metrics.influxdb.addentrypointslabels=true",
"--metrics.influxdb.addserviceslabels=true",
"--accesslog=true",
"--log=true",
"--log.level=ERROR",
"--api=true",
"--api.dashboard=true",
"--api.insecure=true",
"--certificatesresolvers.cloudflare.acme.email={{ my_email_address }}",
"--certificatesresolvers.cloudflare.acme.storage=/acme/acme-${node.unique.name}.json",
"--certificatesresolvers.cloudflare.acme.dnschallenge=true",
"--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare",
"--certificatesresolvers.cloudflare.acme.dnschallenge.delaybeforecheck=10",
"--certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
]
} // docker config
template { storage:
destination = "local/traefik/httpasswd" encryption_key: {{ authelia_sqlite_encryption_key}}
env = false local:
change_mode = "noop" path: /config/db.sqlite3
data = <<-EOH
notifier:
smtp:
username: {{ email_smtp_account }}
password: {{ authelia_smtp_password }}
host: {{ email_smtp_host }}
port: {{ email_smtp_port }}
sender: "Authelia <{{ my_email_address }}>"
subject: "[Authelia] {title}"
startup_check_address: {{ my_email_address }}
EOH
}
service {
port = "authelia-port"
name = "${NOMAD_TASK_NAME}"
tags = [
"traefik.enable=true",
"traefik.http.routers.${NOMAD_TASK_NAME}.rule=Host(`authelia.{{ homelab_domain_name }}`)",
"traefik.http.routers.${NOMAD_TASK_NAME}.entryPoints=web,websecure",
"traefik.http.routers.${NOMAD_TASK_NAME}.service=${NOMAD_TASK_NAME}",
"traefik.http.routers.${NOMAD_TASK_NAME}.tls=true",
"traefik.http.routers.${NOMAD_TASK_NAME}.tls.certresolver=cloudflare",
"traefik.http.middlewares.authelia-headers.headers.customResponseHeaders.Cache-Control=no-store",
"traefik.http.middlewares.authelia-headers.headers.customResponseHeaders.Pragma=no-cache",
"traefik.http.routers.authelia.middlewares=authelia-headers"
]
check {
type = "tcp"
port = "authelia-port"
interval = "30s"
timeout = "4s"
}
check_restart {
limit = 0
grace = "1m"
ignore_warnings = true
}
} // service
resources {
cpu = 200 # MHz
memory = 110 # MB
}
} // task authelia
task "whoami" {
driver = "docker"
config {
image = "containous/whoami:latest"
hostname = "${NOMAD_TASK_NAME}"
ports = ["whoami"]
} // /docker config
service {
port = "whoami"
name = "${NOMAD_TASK_NAME}"
tags = [
"traefik.enable=true",
"traefik.http.routers.${NOMAD_TASK_NAME}.rule=Host(`${NOMAD_TASK_NAME}.{{ homelab_domain_name }}`)",
"traefik.http.routers.${NOMAD_TASK_NAME}.entryPoints=web,websecure",
"traefik.http.routers.${NOMAD_TASK_NAME}.service=${NOMAD_TASK_NAME}",
"traefik.http.routers.${NOMAD_TASK_NAME}.tls=true",
"traefik.http.routers.${NOMAD_TASK_NAME}.tls.certresolver=cloudflare",
"traefik.http.routers.${NOMAD_TASK_NAME}.middlewares=authelia@file"
]
check {
type = "http"
path = "/"
interval = "90s"
timeout = "15s"
}
check_restart {
limit = 2
grace = "1m"
ignore_warnings = true
}
}
resources {
cpu = 25 # MHz
memory = 10 # MB
}
} // /task whoami
task "traefik" {
env {
PUID = "${meta.PUID}"
PGID = "${meta.PGID}"
TZ = "America/New_York"
CF_API_EMAIL = "{{ my_email_address }}"
CF_DNS_API_TOKEN = "{{ traefik_cf_api_token }}"
}
driver = "docker"
config {
image = "traefik:{{ traefik_version }}"
hostname = "traefik"
ports = ["dashboard", "web", "websecure","externalwebsecure"]
volumes = [ "${meta.nfsStorageRoot}/pi-cluster/traefik/acme:/acme" ]
args = [
"--global.sendAnonymousUsage=false",
"--global.checkNewVersion=false",
"--entryPoints.web.address=:80",
"--entryPoints.websecure.address=:443",
"--entryPoints.externalwebsecure.address=:4430",
"--entrypoints.web.http.redirections.entryPoint.to=websecure",
"--entrypoints.web.http.redirections.entryPoint.scheme=https",
"--entrypoints.web.http.redirections.entryPoint.permanent=true",
"--providers.file.filename=/local/traefik/siteconfigs.toml",
"--providers.file.watch=true",
"--providers.consulcatalog=true",
"--providers.consulcatalog.endpoint.address=http://consul.service.consul:8500",
"--providers.consulcatalog.prefix=traefik",
"--providers.consulcatalog.exposedbydefault=false",
"--metrics=true",
"--metrics.influxdb=true",
"--metrics.influxdb.address=influxdb.service.consul:{{ influxdb_port }}",
"--metrics.influxdb.protocol=http",
"--metrics.influxdb.pushinterval=10s",
"--metrics.influxdb.database=homelab",
"--metrics.influxdb.retentionpolicy=2day",
"--metrics.influxdb.addentrypointslabels=true",
"--metrics.influxdb.addserviceslabels=true",
"--accesslog=true",
"--log=true",
"--log.level=ERROR",
"--api=true",
"--api.dashboard=true",
"--api.insecure=true",
"--certificatesresolvers.cloudflare.acme.email={{ my_email_address }}",
"--certificatesresolvers.cloudflare.acme.storage=/acme/acme-${node.unique.name}.json",
"--certificatesresolvers.cloudflare.acme.dnschallenge=true",
"--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare",
"--certificatesresolvers.cloudflare.acme.dnschallenge.delaybeforecheck=10",
"--certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
]
} // docker config
template {
destination = "local/traefik/httpasswd"
env = false
change_mode = "noop"
data = <<-EOH
{{ my_username }}:{{ traefik_http_pass_me }} {{ my_username }}:{{ traefik_http_pass_me }}
family:{{ traefik_http_pass_family }} family:{{ traefik_http_pass_family }}
EOH EOH
} }
template { template {
destination = "local/traefik/httpasswdFamily" destination = "local/traefik/httpasswdFamily"
env = false env = false
change_mode = "noop" change_mode = "noop"
data = <<-EOH data = <<-EOH
{{ my_username }}:{{ traefik_http_pass_me }} {{ my_username }}:{{ traefik_http_pass_me }}
family:{{ traefik_http_pass_family }} family:{{ traefik_http_pass_family }}
EOH EOH
} }
template { template {
destination = "local/traefik/siteconfigs.toml" destination = "local/traefik/siteconfigs.toml"
env = false env = false
change_mode = "noop" change_mode = "noop"
data = <<-EOH data = <<-EOH
[http] [http]
[http.middlewares] [http.middlewares]
[http.middlewares.compress.compress] [http.middlewares.compress.compress]
[http.middlewares.localIPOnly.ipWhiteList] [http.middlewares.localIPOnly.ipWhiteList]
sourceRange = ["10.0.0.0/16"] sourceRange = ["10.0.0.0/8"]
[http.middlewares.redirectScheme.redirectScheme] [http.middlewares.redirectScheme.redirectScheme]
scheme = "https" scheme = "https"
@@ -362,107 +362,108 @@ job "reverse-proxy" {
passHostHeader = true passHostHeader = true
[[http.services.consul.loadBalancer.servers]] [[http.services.consul.loadBalancer.servers]]
url = "http://consul.service.consul:8500" url = "http://consul.service.consul:8500"
EOH EOH
}
service {
port = "dashboard"
name = "${NOMAD_TASK_NAME}"
tags = [
"traefik.enable=true",
"traefik.http.routers.${NOMAD_TASK_NAME}.rule=Host(`${NOMAD_TASK_NAME}.{{ homelab_domain_name }}`)",
"traefik.http.routers.${NOMAD_TASK_NAME}.entryPoints=web,websecure",
"traefik.http.routers.${NOMAD_TASK_NAME}.service=${NOMAD_TASK_NAME}",
"traefik.http.routers.${NOMAD_TASK_NAME}.tls=true",
"traefik.http.routers.${NOMAD_TASK_NAME}.tls.certresolver=cloudflare",
"traefik.http.routers.${NOMAD_TASK_NAME}.middlewares=authelia@file,redirectScheme@file"
]
check {
type = "tcp"
port = "dashboard"
interval = "30s"
timeout = "4s"
} }
check_restart { service {
limit = 0 port = "dashboard"
grace = "1m" name = "${NOMAD_TASK_NAME}"
ignore_warnings = true tags = [
} "traefik.enable=true",
} // service "traefik.http.routers.${NOMAD_TASK_NAME}.rule=Host(`${NOMAD_TASK_NAME}.{{ homelab_domain_name }}`)",
"traefik.http.routers.${NOMAD_TASK_NAME}.entryPoints=web,websecure",
"traefik.http.routers.${NOMAD_TASK_NAME}.service=${NOMAD_TASK_NAME}",
"traefik.http.routers.${NOMAD_TASK_NAME}.tls=true",
"traefik.http.routers.${NOMAD_TASK_NAME}.tls.certresolver=cloudflare",
"traefik.http.routers.${NOMAD_TASK_NAME}.middlewares=authelia@file,redirectScheme@file"
]
resources { check {
//cpu = 40 # MHz type = "tcp"
memory = 64 # MB port = "dashboard"
} // resources interval = "30s"
timeout = "4s"
}
} // task traefik check_restart {
limit = 0
grace = "1m"
ignore_warnings = true
}
} // service
// task "promtail-traefik" { resources {
//cpu = 40 # MHz
memory = 64 # MB
} // resources
// driver = "docker" } // task traefik
// config {
// image = "grafana/promtail"
// hostname = "promtail-traefik"
// volumes = [
// "/mnt/pi-cluster/logs:/traefik"
// ]
// args = [
// "-config.file",
// "/local/promtail-config.yaml",
// "-print-config-stderr",
// ]
// } // docker config
// template { // task "promtail-traefik" {
// destination = "local/promtail-config.yaml"
// env = false
// data = <<-EOH
// server:
// http_listen_port: 9080
// grpc_listen_port: 0
// positions: // driver = "docker"
// filename: /alloc/positions.yaml // config {
// image = "grafana/promtail"
// hostname = "promtail-traefik"
// volumes = [
// "/mnt/pi-cluster/logs:/traefik"
// ]
// args = [
// "-config.file",
// "/local/promtail-config.yaml",
// "-print-config-stderr",
// ]
// } // docker config
// {% raw -%} // template {
// clients: // destination = "local/promtail-config.yaml"
// - url: http://{{ range service "loki" }}{{ .Address }}:{{ .Port }}{{ end }}/loki/api/v1/push // env = false
// {% endraw %} // data = <<-EOH
// server:
// http_listen_port: 9080
// grpc_listen_port: 0
// scrape_configs: // positions:
// - job_name: traefik // filename: /alloc/positions.yaml
// static_configs:
// - targets:
// - localhost
// labels:
// job: traefik_access
// {% raw %}host: {{ env "node.unique.name" }}{% endraw +%}
// __path__: "/alloc/logs/traefik.std*.0"
// pipeline_stages:
// - regex:
// expression: '^(?P<remote_addr>[\w\.]+) - (?P<remote_user>[^ ]*) \[(?P<time_local>.*)\] "(?P<method>[^ ]*) (?P<request>[^ ]*) (?P<protocol>[^ ]*)" (?P<status>[\d]+) (?P<body_bytes_sent>[\d]+) "(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" (?P<request_number>[^ ]+) "(?P<router>[^ ]+)" "(?P<server_URL>[^ ]+)" (?P<response_time_ms>[^ ]+)ms$'
// - labels:
// method:
// status:
// router:
// response_time_ms:
// EOH // {% raw -%}
// } // template // clients:
// - url: http://{{ range service "loki" }}{{ .Address }}:{{ .Port }}{{ end }}/loki/api/v1/push
// {% endraw %}
// lifecycle { // scrape_configs:
// hook = "poststart" // - job_name: traefik
// sidecar = true // static_configs:
// } // - targets:
// - localhost
// labels:
// job: traefik_access
// {% raw %}host: {{ env "node.unique.name" }}{% endraw +%}
// __path__: "/alloc/logs/traefik.std*.0"
// pipeline_stages:
// - regex:
// expression: '^(?P<remote_addr>[\w\.]+) - (?P<remote_user>[^ ]*) \[(?P<time_local>.*)\] "(?P<method>[^ ]*) (?P<request>[^ ]*) (?P<protocol>[^ ]*)" (?P<status>[\d]+) (?P<body_bytes_sent>[\d]+) "(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" (?P<request_number>[^ ]+) "(?P<router>[^ ]+)" "(?P<server_URL>[^ ]+)" (?P<response_time_ms>[^ ]+)ms$'
// - labels:
// method:
// status:
// router:
// response_time_ms:
// resources { // EOH
// cpu = 30 # MHz // } // template
// memory = 30 # MB
// } // resources
// } // promtail sidecar task // lifecycle {
// hook = "poststart"
// sidecar = true
// }
// resources {
// cpu = 30 # MHz
// memory = 30 # MB
// } // resources
// } // promtail sidecar task
} // reverse-proxy-group } // reverse-proxy-group
} }