add sso login

.env.sample

@@ -0,0 +1,2 @@
+HEADSCALE_PREAUTH_KEY=
+HEADSCALE_OIDC_SECRET=

README.md

@@ -0,0 +1,7 @@
+order:
+  - common.yml
+  - deploy-nameservers.yml
+  - deploy-webservers.yml
+  - deploy-authelia.yml
+  - deploy-vpn.yml
+  - deploy-vpn-tags.yml

deploy-authelia.yml

@@ -0,0 +1,4 @@
+- name: authelia setup
+  hosts: authelia
+  roles:
+    - authelia

deploy-vpn-tags.yml

@@ -0,0 +1,23 @@
+- name: prod headscale tags
+  hosts: prod
+  tasks:
+    - name: add prod tags to prod servers
+      include_role:
+        name: artis3n.tailscale
+      vars:
+        tailscale_args: "--login-server='https://headscale.simponic.xyz'"
+        tailscale_authkey: "{{ lookup('env', 'HEADSCALE_PREAUTH_KEY') }}"
+        tailscale_tags: 
+          - "prod"
+
+- name: private headscale tags
+  hosts: private
+  tasks:
+    - name: add private tags to private servers
+      include_role:
+        name: artis3n.tailscale
+      vars:
+        tailscale_args: "--login-server='https://headscale.simponic.xyz'"
+        tailscale_authkey: "{{ lookup('env', 'HEADSCALE_PREAUTH_KEY') }}"
+        tailscale_tags: 
+          - "private"

group_vars/vpn.yml

@@ -1,2 +1,4 @@
 ---
-headscale_users: ['simponic']
+headscale_oidc_secret: "{{ lookup('env', 'HEADSCALE_OIDC_SECRET') }}"
+headscale_allowed_users:
+  - "elizabeth.hunt@simponic.xyz"

inventory

@@ -25,6 +25,9 @@ nijika  ansible_user=root ansible_connection=ssh
 [vpn]
 nijika ansible_user=root ansible_connection=ssh
 
+[authelia]
+nijika  ansible_user=root ansible_connection=ssh
+
 [dnsinternal]
 johan ansible_user=root ansible_connection=ssh
 

roles/authelia/files/authelia/.gitignore

@@ -0,0 +1,2 @@
+users_database.yml
+configuration.yml

roles/authelia/tasks/main.yml

@@ -0,0 +1,30 @@
+---
+- name: ensure authelia docker/compose exist
+  file:
+    path: /etc/docker/compose/authelia
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
+
+- name: copy authelia config
+  copy:
+    src: ../files/authelia
+    dest: /etc/docker/compose/authelia/
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+
+- name: build authelia docker-compose.yml.j2
+  template:
+    src: ../templates/docker-compose.yml.j2
+    dest: /etc/docker/compose/authelia/docker-compose.yml
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+
+- name: daemon-reload and enable authelia
+  ansible.builtin.systemd_service:
+    state: restarted
+    enabled: true
+    name: docker-compose@authelia

roles/authelia/templates/docker-compose.yml.j2

@@ -0,0 +1,17 @@
+version: '3.3'
+
+services:
+  authelia:
+    image: authelia/authelia
+    container_name: authelia
+    volumes:
+      - ./authelia:/config
+    ports:
+      - 9091:9091
+    restart: unless-stopped
+  redis:
+    image: redis:alpine
+    container_name: redis
+    volumes:
+      - ./redis:/data
+    restart: unless-stopped

roles/common/tasks/main.yml

@@ -1,5 +1,11 @@
 ---
 
+# set hostname
+- name: Set a hostname specifying strategy
+  ansible.builtin.hostname:
+    name: "{{ inventory_hostname }}"
+    use: systemd
+
 # docker
 - name: install dependencies
   apt:

roles/nameservers/tasks/main.yml

@@ -39,7 +39,8 @@
 
 - name: flush dns cache on replicas
   file: path={{ item }} state=absent
-  with_fileglob: /var/cache/bind/db.*
+  with_fileglob: "/var/cache/bind/db.*"
+  when: inventory_hostname in groups['dnsreplica']
 
 - name: restart bind9
   service:

roles/nameservers/templates/db.simponic.xyz.j2

@@ -30,7 +30,7 @@ www.simponic.xyz.	1	IN	CNAME	simponic.xyz.
 s1._domainkey.simponic.xyz.	1	IN	CNAME	s1.domainkey.u25709709.wl210.sendgrid.net.
 s2._domainkey.simponic.xyz.	1	IN	CNAME	s2.domainkey.u25709709.wl210.sendgrid.net.
 headscale.simponic.xyz.	1	IN	CNAME	nijika.simponic.xyz.
-authentik.simponic.xyz.	1	IN	CNAME	nijika.simponic.xyz.
+authelia.simponic.xyz.	1	IN	CNAME	nijika.simponic.xyz.
 
 ;; MX Records
 simponic.xyz.	1	IN	MX	10 mail.simponic.xyz.

roles/vpn/tasks/main.yml

@@ -23,6 +23,14 @@
     group: root
     mode: u=rw,g=r,o=r
 
+- name: build headscale config template
+  template:
+    src: ../templates/config.yml.j2
+    dest: /etc/docker/compose/headscale/config.yml
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+
 - name: ensure headscale data volume exist
   file:
     path: /etc/docker/compose/headscale/data
@@ -31,12 +39,6 @@
     group: root
     mode: 0700
 
-- name: ensure headscale users
-  shell: |
-    docker exec headscale headscale user create "{{ item }}"
-  with_items:
-    - "{{ headscale_users }}"
-
 - name: daemon-reload and enable headscale
   ansible.builtin.systemd_service:
     state: restarted

roles/vpn/templates/config.yml.j2

@@ -234,52 +234,44 @@ unix_socket_permission: "0770"
 # it is still being tested and might have some bugs, please
 # help us test it.
 # OpenID Connect
-# oidc:
+oidc:
-#   only_start_if_oidc_is_available: true
+  # Block further startup until the OIDC provider is healthy and available
-#   issuer: "https://your-oidc.issuer.com/path"
+  only_start_if_oidc_is_available: true
-#   client_id: "your-oidc-client-id"
+  # Specified by your OIDC provider
-#   client_secret: "your-oidc-client-secret"
+  issuer: "https://authelia.simponic.xyz"
-#   # Alternatively, set `client_secret_path` to read the secret from the file.
+  # Specified/generated by your OIDC provider
-#   # It resolves environment variables, making integration to systemd's
+  client_id: "simponicheadscale"
-#   # `LoadCredential` straightforward:
+  client_secret: "{{ headscale_oidc_secret }}"
+  # alternatively, set `client_secret_path` to read the secret from the file.
+  # It resolves environment variables, making integration to systemd's
+  # `LoadCredential` straightforward:
   #client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
-#   # client_secret and client_secret_path are mutually exclusive.
+
-#
+  # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
-#   # The amount of time from a node is authenticated with OpenID until it
+  # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
-#   # expires and needs to reauthenticate.
+  scope: ["openid", "profile", "email"]
-#   # Setting the value to "0" will mean no expiry.
+  # Optional: Passed on to the browser login request – used to tweak behaviour for the OIDC provider
-#   expiry: 180d
+  extra_params:
-#
+    domain_hint: simponic.xyz
-#   # Use the expiry from the token received from OpenID when the user logged
+
-#   # in, this will typically lead to frequent need to reauthenticate and should
+  # Optional: List allowed principal domains and/or users. If an authenticated user's domain is not in this list,
-#   # only been enabled if you know what you are doing.
+  # the authentication request will be rejected.
-#   # Note: enabling this will cause `oidc.expiry` to be ignored.
+  allowed_domains:
-#   use_expiry_from_token: false
+    - simponic.xyz 
-#
+  # Optional. Note that groups from Keycloak have a leading '/'.
-#   # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
-#   # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
-#
-#   scope: ["openid", "profile", "email", "custom"]
-#   extra_params:
-#     domain_hint: example.com
-#
-#   # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
-#   # authentication request will be rejected.
-#
-#   allowed_domains:
-#     - example.com
-#   # Note: Groups from keycloak have a leading '/'
   # allowed_groups:
-#     - /headscale
+  #   - /admins
-#   allowed_users:
+  #   - admins
-#     - alice@example.com
+  #   - people
-#
+  # Optional.
-#   # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
+  allowed_users:
-#   # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
+    - "{{ headscale_allowed_users }}"
-#   # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
+
+  # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
+  # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
+  # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
   # user: `first-name.last-name.example.com`
-#
+  strip_email_domain: true
-#   strip_email_domain: true
 
 # Logtail configuration
 # Logtail is Tailscales logging and auditing infrastructure, it allows the control panel

roles/webservers/files/nginx.conf

@@ -1,6 +1,8 @@
 user www-data;
 worker_processes 4;
 pid /run/nginx.pid;
+load_module modules/ndk_http_module.so;
+load_module modules/ngx_http_set_misc_module.so;
 
 events {
   worker_connections 768;

roles/webservers/files/nijika/http.authelia.simponic.xyz.conf

@@ -0,0 +1,13 @@
+server {
+  listen 80;
+  server_name authelia.simponic.xyz;
+
+  location /.well-known/acme-challenge {
+    root /var/www/letsencrypt;
+    try_files $uri $uri/ =404;
+  }
+
+  location / {
+    rewrite ^ https://authelia.simponic.xyz$request_uri? permanent;
+  }
+}

roles/webservers/files/nijika/http.headscale.simponic.xyz.conf

@@ -1,7 +1,5 @@
-server_tokens off;
-
 server {
-  listen 80 default_server;
+  listen 80;
   server_name headscale.simponic.xyz;
 
   location /.well-known/acme-challenge {

roles/webservers/files/nijika/https.authelia.simponic.xyz.conf

@@ -0,0 +1,57 @@
+server {
+  listen 443 ssl;
+  server_name authelia.simponic.xyz;
+
+  ssl_certificate         /etc/letsencrypt/live/authelia.simponic.xyz/fullchain.pem;
+  ssl_certificate_key     /etc/letsencrypt/live/authelia.simponic.xyz/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/authelia.simponic.xyz/fullchain.pem;
+
+  ssl_session_cache shared:SSL:50m;
+  ssl_session_timeout 5m;
+  ssl_stapling on;
+  ssl_stapling_verify on;
+
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+  ssl_dhparam /etc/nginx/dhparams.pem;
+  ssl_prefer_server_ciphers on;
+
+  location / {
+    proxy_pass http://127.0.0.1:9091;
+
+    client_body_buffer_size 128k;
+
+    #Timeout if the real server is dead
+    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+
+    # Advanced Proxy Config
+    send_timeout 5m;
+    proxy_read_timeout 360;
+    proxy_send_timeout 360;
+    proxy_connect_timeout 360;
+
+    # Basic Proxy Config
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $http_host;
+    proxy_set_header X-Forwarded-Uri $request_uri;
+    proxy_set_header X-Forwarded-Ssl on;
+    proxy_redirect  http://  $scheme://;
+    proxy_http_version 1.1;
+    proxy_set_header Connection "";
+    proxy_cache_bypass $cookie_session;
+    proxy_no_cache $cookie_session;
+    proxy_buffers 64 256k;
+
+    # If behind reverse proxy, forwards the correct IP
+    set_real_ip_from 10.0.0.0/8;
+    set_real_ip_from 172.0.0.0/8;
+    set_real_ip_from 192.168.0.0/16;
+    set_real_ip_from fc00::/7;
+    real_ip_header X-Forwarded-For;
+    real_ip_recursive on;
+  }
+}

roles/webservers/tasks/main.yml

@@ -17,6 +17,9 @@
 - name: install nginx
   apt: name=nginx state=latest
 
+- name: install libnginx-mod-http-set-misc
+  apt: name=libnginx-mod-http-set-misc state=latest
+
 - name: install letsencrypt
   apt: name=letsencrypt state=latest