From fdd85fb7355d43cf185d79d1f35de9d7d647e0c5 Mon Sep 17 00:00:00 2001 From: Elizabeth Hunt Date: Thu, 4 Jan 2024 01:40:27 -0500 Subject: [PATCH] add sso login --- .env.sample | 2 + README.md | 7 ++ deploy-authelia.yml | 4 + deploy-vpn-tags.yml | 23 +++++ group_vars/vpn.yml | 4 +- inventory | 3 + roles/authelia/files/authelia/.gitignore | 2 + roles/authelia/tasks/main.yml | 30 +++++++ .../authelia/templates/docker-compose.yml.j2 | 17 ++++ roles/common/tasks/main.yml | 6 ++ roles/nameservers/tasks/main.yml | 3 +- .../nameservers/templates/db.simponic.xyz.j2 | 4 +- roles/vpn/tasks/main.yml | 14 ++-- .../config.yml => templates/config.yml.j2} | 84 +++++++++---------- roles/webservers/files/nginx.conf | 2 + .../nijika/http.authelia.simponic.xyz.conf | 13 +++ .../nijika/http.headscale.simponic.xyz.conf | 4 +- .../nijika/https.authelia.simponic.xyz.conf | 57 +++++++++++++ roles/webservers/tasks/main.yml | 3 + 19 files changed, 223 insertions(+), 59 deletions(-) create mode 100644 .env.sample create mode 100644 README.md create mode 100644 deploy-authelia.yml create mode 100644 deploy-vpn-tags.yml create mode 100644 roles/authelia/files/authelia/.gitignore create mode 100644 roles/authelia/tasks/main.yml create mode 100644 roles/authelia/templates/docker-compose.yml.j2 rename roles/vpn/{files/config/config.yml => templates/config.yml.j2} (80%) create mode 100644 roles/webservers/files/nijika/http.authelia.simponic.xyz.conf create mode 100644 roles/webservers/files/nijika/https.authelia.simponic.xyz.conf diff --git a/.env.sample b/.env.sample new file mode 100644 index 0000000..c3e0e81 --- /dev/null +++ b/.env.sample @@ -0,0 +1,2 @@ +HEADSCALE_PREAUTH_KEY= +HEADSCALE_OIDC_SECRET= diff --git a/README.md b/README.md new file mode 100644 index 0000000..c91b725 --- /dev/null +++ b/README.md @@ -0,0 +1,7 @@ +order: + - common.yml + - deploy-nameservers.yml + - deploy-webservers.yml + - deploy-authelia.yml + - deploy-vpn.yml + - deploy-vpn-tags.yml diff --git a/deploy-authelia.yml b/deploy-authelia.yml new file mode 100644 index 0000000..4942330 --- /dev/null +++ b/deploy-authelia.yml @@ -0,0 +1,4 @@ +- name: authelia setup + hosts: authelia + roles: + - authelia diff --git a/deploy-vpn-tags.yml b/deploy-vpn-tags.yml new file mode 100644 index 0000000..9e281ab --- /dev/null +++ b/deploy-vpn-tags.yml @@ -0,0 +1,23 @@ +- name: prod headscale tags + hosts: prod + tasks: + - name: add prod tags to prod servers + include_role: + name: artis3n.tailscale + vars: + tailscale_args: "--login-server='https://headscale.simponic.xyz'" + tailscale_authkey: "{{ lookup('env', 'HEADSCALE_PREAUTH_KEY') }}" + tailscale_tags: + - "prod" + +- name: private headscale tags + hosts: private + tasks: + - name: add private tags to private servers + include_role: + name: artis3n.tailscale + vars: + tailscale_args: "--login-server='https://headscale.simponic.xyz'" + tailscale_authkey: "{{ lookup('env', 'HEADSCALE_PREAUTH_KEY') }}" + tailscale_tags: + - "private" diff --git a/group_vars/vpn.yml b/group_vars/vpn.yml index eb264d0..ddf8081 100644 --- a/group_vars/vpn.yml +++ b/group_vars/vpn.yml @@ -1,2 +1,4 @@ --- -headscale_users: ['simponic'] +headscale_oidc_secret: "{{ lookup('env', 'HEADSCALE_OIDC_SECRET') }}" +headscale_allowed_users: + - "elizabeth.hunt@simponic.xyz" diff --git a/inventory b/inventory index d880d2a..1a1b4a1 100644 --- a/inventory +++ b/inventory @@ -25,6 +25,9 @@ nijika ansible_user=root ansible_connection=ssh [vpn] nijika ansible_user=root ansible_connection=ssh +[authelia] +nijika ansible_user=root ansible_connection=ssh + [dnsinternal] johan ansible_user=root ansible_connection=ssh diff --git a/roles/authelia/files/authelia/.gitignore b/roles/authelia/files/authelia/.gitignore new file mode 100644 index 0000000..53c78ad --- /dev/null +++ b/roles/authelia/files/authelia/.gitignore @@ -0,0 +1,2 @@ +users_database.yml +configuration.yml diff --git a/roles/authelia/tasks/main.yml b/roles/authelia/tasks/main.yml new file mode 100644 index 0000000..c9abe44 --- /dev/null +++ b/roles/authelia/tasks/main.yml @@ -0,0 +1,30 @@ +--- +- name: ensure authelia docker/compose exist + file: + path: /etc/docker/compose/authelia + state: directory + owner: root + group: root + mode: 0700 + +- name: copy authelia config + copy: + src: ../files/authelia + dest: /etc/docker/compose/authelia/ + owner: root + group: root + mode: u=rw,g=r,o=r + +- name: build authelia docker-compose.yml.j2 + template: + src: ../templates/docker-compose.yml.j2 + dest: /etc/docker/compose/authelia/docker-compose.yml + owner: root + group: root + mode: u=rw,g=r,o=r + +- name: daemon-reload and enable authelia + ansible.builtin.systemd_service: + state: restarted + enabled: true + name: docker-compose@authelia diff --git a/roles/authelia/templates/docker-compose.yml.j2 b/roles/authelia/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..b60545f --- /dev/null +++ b/roles/authelia/templates/docker-compose.yml.j2 @@ -0,0 +1,17 @@ +version: '3.3' + +services: + authelia: + image: authelia/authelia + container_name: authelia + volumes: + - ./authelia:/config + ports: + - 9091:9091 + restart: unless-stopped + redis: + image: redis:alpine + container_name: redis + volumes: + - ./redis:/data + restart: unless-stopped diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 80aad48..3e00e6f 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -1,5 +1,11 @@ --- +# set hostname +- name: Set a hostname specifying strategy + ansible.builtin.hostname: + name: "{{ inventory_hostname }}" + use: systemd + # docker - name: install dependencies apt: diff --git a/roles/nameservers/tasks/main.yml b/roles/nameservers/tasks/main.yml index d52a3b0..c781ae7 100644 --- a/roles/nameservers/tasks/main.yml +++ b/roles/nameservers/tasks/main.yml @@ -39,7 +39,8 @@ - name: flush dns cache on replicas file: path={{ item }} state=absent - with_fileglob: /var/cache/bind/db.* + with_fileglob: "/var/cache/bind/db.*" + when: inventory_hostname in groups['dnsreplica'] - name: restart bind9 service: diff --git a/roles/nameservers/templates/db.simponic.xyz.j2 b/roles/nameservers/templates/db.simponic.xyz.j2 index db3b70b..5861870 100644 --- a/roles/nameservers/templates/db.simponic.xyz.j2 +++ b/roles/nameservers/templates/db.simponic.xyz.j2 @@ -1,6 +1,6 @@ $TTL 604800 @ IN SOA {{ dns_primary_hostname }}.simponic.xyz. admin.simponic.xyz. ( - {{ ansible_date_time.epoch }} ; Serial + {{ ansible_date_time.epoch }} ; Serial 86400 ; Refresh 86400 ; Retry 2419200 ; Expire @@ -30,7 +30,7 @@ www.simponic.xyz. 1 IN CNAME simponic.xyz. s1._domainkey.simponic.xyz. 1 IN CNAME s1.domainkey.u25709709.wl210.sendgrid.net. s2._domainkey.simponic.xyz. 1 IN CNAME s2.domainkey.u25709709.wl210.sendgrid.net. headscale.simponic.xyz. 1 IN CNAME nijika.simponic.xyz. -authentik.simponic.xyz. 1 IN CNAME nijika.simponic.xyz. +authelia.simponic.xyz. 1 IN CNAME nijika.simponic.xyz. ;; MX Records simponic.xyz. 1 IN MX 10 mail.simponic.xyz. diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index 6ad0c57..60963f1 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml @@ -23,6 +23,14 @@ group: root mode: u=rw,g=r,o=r +- name: build headscale config template + template: + src: ../templates/config.yml.j2 + dest: /etc/docker/compose/headscale/config.yml + owner: root + group: root + mode: u=rw,g=r,o=r + - name: ensure headscale data volume exist file: path: /etc/docker/compose/headscale/data @@ -31,12 +39,6 @@ group: root mode: 0700 -- name: ensure headscale users - shell: | - docker exec headscale headscale user create "{{ item }}" - with_items: - - "{{ headscale_users }}" - - name: daemon-reload and enable headscale ansible.builtin.systemd_service: state: restarted diff --git a/roles/vpn/files/config/config.yml b/roles/vpn/templates/config.yml.j2 similarity index 80% rename from roles/vpn/files/config/config.yml rename to roles/vpn/templates/config.yml.j2 index 3942feb..926a84f 100644 --- a/roles/vpn/files/config/config.yml +++ b/roles/vpn/templates/config.yml.j2 @@ -234,52 +234,44 @@ unix_socket_permission: "0770" # it is still being tested and might have some bugs, please # help us test it. # OpenID Connect -# oidc: -# only_start_if_oidc_is_available: true -# issuer: "https://your-oidc.issuer.com/path" -# client_id: "your-oidc-client-id" -# client_secret: "your-oidc-client-secret" -# # Alternatively, set `client_secret_path` to read the secret from the file. -# # It resolves environment variables, making integration to systemd's -# # `LoadCredential` straightforward: -# client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret" -# # client_secret and client_secret_path are mutually exclusive. -# -# # The amount of time from a node is authenticated with OpenID until it -# # expires and needs to reauthenticate. -# # Setting the value to "0" will mean no expiry. -# expiry: 180d -# -# # Use the expiry from the token received from OpenID when the user logged -# # in, this will typically lead to frequent need to reauthenticate and should -# # only been enabled if you know what you are doing. -# # Note: enabling this will cause `oidc.expiry` to be ignored. -# use_expiry_from_token: false -# -# # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query -# # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email". -# -# scope: ["openid", "profile", "email", "custom"] -# extra_params: -# domain_hint: example.com -# -# # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the -# # authentication request will be rejected. -# -# allowed_domains: -# - example.com -# # Note: Groups from keycloak have a leading '/' -# allowed_groups: -# - /headscale -# allowed_users: -# - alice@example.com -# -# # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed. -# # This will transform `first-name.last-name@example.com` to the user `first-name.last-name` -# # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following -# user: `first-name.last-name.example.com` -# -# strip_email_domain: true +oidc: + # Block further startup until the OIDC provider is healthy and available + only_start_if_oidc_is_available: true + # Specified by your OIDC provider + issuer: "https://authelia.simponic.xyz" + # Specified/generated by your OIDC provider + client_id: "simponicheadscale" + client_secret: "{{ headscale_oidc_secret }}" + # alternatively, set `client_secret_path` to read the secret from the file. + # It resolves environment variables, making integration to systemd's + # `LoadCredential` straightforward: + #client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret" + + # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query + # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email". + scope: ["openid", "profile", "email"] + # Optional: Passed on to the browser login request – used to tweak behaviour for the OIDC provider + extra_params: + domain_hint: simponic.xyz + + # Optional: List allowed principal domains and/or users. If an authenticated user's domain is not in this list, + # the authentication request will be rejected. + allowed_domains: + - simponic.xyz + # Optional. Note that groups from Keycloak have a leading '/'. + # allowed_groups: + # - /admins + # - admins + # - people + # Optional. + allowed_users: + - "{{ headscale_allowed_users }}" + + # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed. + # This will transform `first-name.last-name@example.com` to the user `first-name.last-name` + # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following + # user: `first-name.last-name.example.com` + strip_email_domain: true # Logtail configuration # Logtail is Tailscales logging and auditing infrastructure, it allows the control panel diff --git a/roles/webservers/files/nginx.conf b/roles/webservers/files/nginx.conf index 6ddd8ab..4d8402d 100644 --- a/roles/webservers/files/nginx.conf +++ b/roles/webservers/files/nginx.conf @@ -1,6 +1,8 @@ user www-data; worker_processes 4; pid /run/nginx.pid; +load_module modules/ndk_http_module.so; +load_module modules/ngx_http_set_misc_module.so; events { worker_connections 768; diff --git a/roles/webservers/files/nijika/http.authelia.simponic.xyz.conf b/roles/webservers/files/nijika/http.authelia.simponic.xyz.conf new file mode 100644 index 0000000..e57fbc6 --- /dev/null +++ b/roles/webservers/files/nijika/http.authelia.simponic.xyz.conf @@ -0,0 +1,13 @@ +server { + listen 80; + server_name authelia.simponic.xyz; + + location /.well-known/acme-challenge { + root /var/www/letsencrypt; + try_files $uri $uri/ =404; + } + + location / { + rewrite ^ https://authelia.simponic.xyz$request_uri? permanent; + } +} diff --git a/roles/webservers/files/nijika/http.headscale.simponic.xyz.conf b/roles/webservers/files/nijika/http.headscale.simponic.xyz.conf index 7bfaf44..32b80b0 100644 --- a/roles/webservers/files/nijika/http.headscale.simponic.xyz.conf +++ b/roles/webservers/files/nijika/http.headscale.simponic.xyz.conf @@ -1,7 +1,5 @@ -server_tokens off; - server { - listen 80 default_server; + listen 80; server_name headscale.simponic.xyz; location /.well-known/acme-challenge { diff --git a/roles/webservers/files/nijika/https.authelia.simponic.xyz.conf b/roles/webservers/files/nijika/https.authelia.simponic.xyz.conf new file mode 100644 index 0000000..7034b0b --- /dev/null +++ b/roles/webservers/files/nijika/https.authelia.simponic.xyz.conf @@ -0,0 +1,57 @@ +server { + listen 443 ssl; + server_name authelia.simponic.xyz; + + ssl_certificate /etc/letsencrypt/live/authelia.simponic.xyz/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/authelia.simponic.xyz/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/authelia.simponic.xyz/fullchain.pem; + + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 5m; + ssl_stapling on; + ssl_stapling_verify on; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; + + ssl_dhparam /etc/nginx/dhparams.pem; + ssl_prefer_server_ciphers on; + + location / { + proxy_pass http://127.0.0.1:9091; + + client_body_buffer_size 128k; + + #Timeout if the real server is dead + proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; + + # Advanced Proxy Config + send_timeout 5m; + proxy_read_timeout 360; + proxy_send_timeout 360; + proxy_connect_timeout 360; + + # Basic Proxy Config + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Uri $request_uri; + proxy_set_header X-Forwarded-Ssl on; + proxy_redirect http:// $scheme://; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_cache_bypass $cookie_session; + proxy_no_cache $cookie_session; + proxy_buffers 64 256k; + + # If behind reverse proxy, forwards the correct IP + set_real_ip_from 10.0.0.0/8; + set_real_ip_from 172.0.0.0/8; + set_real_ip_from 192.168.0.0/16; + set_real_ip_from fc00::/7; + real_ip_header X-Forwarded-For; + real_ip_recursive on; + } +} diff --git a/roles/webservers/tasks/main.yml b/roles/webservers/tasks/main.yml index 03fba22..fccd34e 100644 --- a/roles/webservers/tasks/main.yml +++ b/roles/webservers/tasks/main.yml @@ -17,6 +17,9 @@ - name: install nginx apt: name=nginx state=latest +- name: install libnginx-mod-http-set-misc + apt: name=libnginx-mod-http-set-misc state=latest + - name: install letsencrypt apt: name=letsencrypt state=latest