From 259cb76cc1415d97f5ab16d7b2ba2a455a855f8a Mon Sep 17 00:00:00 2001 From: test Date: Fri, 31 Jan 2025 21:33:45 +0100 Subject: [PATCH] transition to seperate templates for prod and test; update script to add ssh-key deployment --- env.template => env.prod.template | 11 ++--- env.test.template | 48 ++++++++++++++++++++ scripts/init.sh | 75 +++++++++++++++++++++---------- 3 files changed, 105 insertions(+), 29 deletions(-) rename env.template => env.prod.template (76%) create mode 100644 env.test.template diff --git a/env.template b/env.prod.template similarity index 76% rename from env.template rename to env.prod.template index ebcbf2c..033427d 100644 --- a/env.template +++ b/env.prod.template @@ -1,10 +1,10 @@ # SETTINGS from env.template # Misc configuration -PUBLIC_DOMAIN=replace-me +PUBLIC_DOMAIN=sso.base23.de COMPOSE_PROJECT_NAME=sso-base23-de # Auhtentik version -AUTHENTIK_TAG=2024.10.4 +AUTHENTIK_TAG=2024.12.3 # Error reporting & Logging AUTHENTIK_ERROR_REPORTING__ENABLED=true 
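Review bot: The first context line `# SETTINGS from env.template` still names the file before this rename, and the same header is reused in the new env.test.template (hunk at `@@ -0,0 +1,48 @@`); change it to `# SETTINGS from env.prod.template` here and `# SETTINGS from env.test.template` there so the origin of a generated .env is traceable. Replacing the `replace-me` placeholder with `sso.base23.de` turns the template from a generic sample into a site-specific file, which is consistent with the split but worth stating in the same header comment.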
@@ -48,14 +48,15 @@ NGINX_SERVERNAME=sso.base23.de # NGINX SSL Config for nginx 1.27.2, intermediate config, OpenSSL 3.0.14 NGINX_SSL_SESSION_TIMEOUT=1d -NGINX_SSL_SESSION_CACHE=shared:MozSSL:10m # about 40000 sessions -NGINX_SSL_PROTOCOLS=TLSv1.2 TLSv1.3 -NGINX_SSL_CIPHERS=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 +NGINX_SSL_SESSION_CACHE='shared:MozSSL:10m' # about 40000 sessions +NGINX_SSL_PROTOCOLS='TLSv1.2 TLSv1.3' +NGINX_SSL_CIPHERS='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305' NGINX_SSL_PREFER_SERVER_CIPHERS=off NGINX_HEADER_STRICT_TRANSPORT_SECURITY='"max-age=63072000" always' NGINX_SSL_STAPLING=on NGINX_SSL_STAPLING_VERIFY=on + # Restic configuration RESTIC_REPO_USER=u291924-sub4 RESTIC_REPO_ADDRESS=cloud.backup.base23.de diff --git a/env.test.template b/env.test.template new file mode 100644 index 0000000..66e2396 --- /dev/null +++ b/env.test.template 
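Review bot: The single quotes added around `NGINX_SSL_PROTOCOLS='TLSv1.2 TLSv1.3'` are required now that scripts/init.sh sources this file as bash (unquoted, the second word would be executed as a command and abort the script under `set -e`), but the same file is also appended verbatim into .env for docker compose, whose .env parser handles quotes on its own terms; a header comment such as `# This file is sourced by scripts/init.sh as bash AND copied into .env for compose -- keep every value valid for both` would record that dual constraint for the next editor. The inline `# about 40000 sessions` after the closing quote of `NGINX_SSL_SESSION_CACHE` is fine for bash; confirm that the compose .env parser in use treats it as a comment rather than part of the value.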
@@ -0,0 +1,48 @@ +# SETTINGS from env.template +# Misc configuration +PUBLIC_DOMAIN=sso.test.base23.de +COMPOSE_PROJECT_NAME=sso-base23-de + +# Auhtentik version +AUTHENTIK_TAG=2024.12.3 + +# Error reporting & Logging +AUTHENTIK_ERROR_REPORTING__ENABLED=true +AUTHENTIK_LOG_LEVEL=warning + +# Email configuration +# SMTP Host Emails are sent to +AUTHENTIK_EMAIL__HOST=mail.base23.de +AUTHENTIK_EMAIL__PORT=25 +AUTHENTIK_EMAIL__USERNAME=sso@base23.de +# Use StartTLS +AUTHENTIK_EMAIL__USE_TLS=true +# Use SSL +AUTHENTIK_EMAIL__USE_SSL=false +AUTHENTIK_EMAIL__TIMEOUT=10 +# Email address authentik will send from, should have a correct @domain +AUTHENTIK_EMAIL__FROM=sso@base23.de + +# Exposed ports for Authentik -- Ports are note exposed due to traefik setup +# COMPOSE_PORT_HTTP=80 +# COMPOSE_PORT_HTTPS=443 + +# Liste settings +AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS="172.18.0.0/16" + + +# MaxMind GeoIP +GEOIPUPDATE_ACCOUNT_ID=1093308 + + +# PostgreSQL configuration +PG_USER=authentik +PG_DB=authentik + + +# Restic configuration +RESTIC_REPO_USER=u291924-sub5 +RESTIC_REPO_ADDRESS=cloud.backup.base23.de +RESTIC_REPO_PORT=22 +RESTIC_TAG=sso.test.base23.de + diff --git a/scripts/init.sh b/scripts/init.sh index a7e4656..43be8ef 100755 --- a/scripts/init.sh +++ b/scripts/init.sh 
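Review bot: `AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS="172.18.0.0/16"` trusts an entire /16, which on a default compose network covers every container attached to it and not only the traefik proxy the comment above refers to; any container in that range can then send X-Forwarded-For values that authentik accepts as the client address, so narrow it to the proxy container's address or a dedicated proxy network if the compose file (not visible here) permits. `COMPOSE_PROJECT_NAME=sso-base23-de` is identical to the production template, which is only safe as long as the two environments never share a Docker host; a comment stating that assumption would help. The comments `# Liste settings` and `-- Ports are note exposed` read as `# Listen settings` and `-- Ports are not exposed`.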
@@ -1,6 +1,33 @@ #!/usr/bin/env bash set -euf -o pipefail +# Ask if initialized for production or test +while true; do + read -p "Do you want to init a [P]roduction or [T]est environment? (P/T): " DEPLOYMENT_ENVIRONMENT + case "$DEPLOYMENT_ENVIRONMENT" in + [Pp]* ) + DEPLOYMENT_ENVIRONMENT="PRODUCTION" + ENV_TEMPLATE="env.prod.template" + break + ;; + [Tt]* ) + DEPLOYMENT_ENVIRONMENT="TEST" + ENV_TEMPLATE="env.test.template" + break + ;; + * ) + echo "Please answer with P or T." + ;; + esac +done + +source $(dirname "$(readlink -f "$0")")/../${ENV_TEMPLATE} + +SERVICE_DOMAIN="${RESTIC_TAG:?Restic backup tag is missing -- RESTIC_TAG}" +BACKUP_TARGET_DOMAIN="${RESTIC_REPO_ADDRESS:?Restic backup target domain is missing -- RESTIC_REPO_ADDRESS}" +BACKUP_TARGET_USER="${RESTIC_REPO_USER:?Restic backup target user is missing -- RESTIC_REPO_USER}" +HOSTNAME=$(hostname -f) + # Function to securely query user for a password, verify it, and return it for further use prompt_password() { local purpose="$1" @@ -30,26 +57,6 @@ trap 'printf "\nOperation aborted by user.\n" >&2; exit 1' SIGINT cd "$(dirname "$(realpath "$0")")/../" AUTHENTIK_DOCKER_COMPOSE_PATH="$(realpath "$(pwd)")" -# Ask if initialized for production or test -while true; do - read -p "Do you want to init a [P]roduction or [T]est environment? (P/T): " DEPLOYMENT_ENVIRONMENT - case "$DEPLOYMENT_ENVIRONMENT" in - [Pp]* ) - DEPLOYMENT_ENVIRONMENT="PRODUCTION" - PUBLIC_DOMAIN="sso.base23.de" - break - ;; - [Tt]* ) - DEPLOYMENT_ENVIRONMENT="TEST" - PUBLIC_DOMAIN="sso.test.base23.de" - break - ;; - * ) - echo "Please answer with P or T." - ;; - esac -done - if [[ ! -f ./docker-compose.yml ]]; then [[ "${DEPLOYMENT_ENVIRONMENT}" == "PRODUCTION" ]] && ln -s ./docker-compose.prod.yml ./docker-compose.yml [[ "${DEPLOYMENT_ENVIRONMENT}" == "TEST" ]] && ln -s ./docker-compose.test.yml ./docker-compose.yml 
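Review bot: `source $(dirname "$(readlink -f "$0")")/../${ENV_TEMPLATE}` leaves the outer command substitution unquoted, so a checkout path containing whitespace is split into several arguments before `source` sees it (the script's `set -f` only suppresses globbing, not word splitting); quote it as `source "$(dirname "$(readlink -f "$0")")/../${ENV_TEMPLATE}"`, matching the already quoted `cd "$(dirname "$(realpath "$0")")/../"` later in the file. Sourcing also means the template is now executed as shell rather than merely read, which deserves a comment on that line, e.g. `# The template is executed as bash here; it is also copied into .env for compose below`. Minor: `read -p` should be `read -rp` so a backslash in the answer is not interpreted, and `HOSTNAME=$(hostname -f)` overwrites bash's own HOSTNAME variable without a visible consumer in this hunk, so its intended use is unclear.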
@@ -57,8 +64,7 @@ fi # Check if .env exists and exit if it is if [[ ! -f ./.env ]]; then - cat ./env.template >> ./.env - sed -i "s/\(PUBLIC_DOMAIN=\).*/\1${PUBLIC_DOMAIN}/" ./.env + cat ./${ENV_TEMPLATE} >> ./.env echo "# SECRETS" >> ./.env prompt_password "PG_PASS (leave empty to generate a password)"; echo "PG_PASS=$([[ -n ${RETURNED_PASSWORD} ]] && echo -n "${RETURNED_PASSWORD}" || openssl rand -base64 36 | tr -d '\n')" >> ./.env; unset RETURNED_PASSWORD prompt_password "AUTHENTIK_SECRET_KEY (leave empty to generate a password)"; echo "AUTHENTIK_SECRET_KEY=$([[ -n ${RETURNED_PASSWORD} ]] && echo -n "${RETURNED_PASSWORD}" || openssl rand -base64 60 | tr -d '\n')" >> ./.env; unset RETURNED_PASSWORD 
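Review bot: `cat ./${ENV_TEMPLATE} >> ./.env` creates .env with the caller's umask (commonly 0644), and the `PG_PASS` and `AUTHENTIK_SECRET_KEY` values appended on the following lines inherit that mode; create the file with restricted permissions before the first append, `install -m 600 /dev/null ./.env`, or run the block under `umask 077`. Since the branch is guarded by `[[ ! -f ./.env ]]`, `>` would also state the intent more plainly than `>>`. The enclosing if-block continues beyond the hunk.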
@@ -75,9 +81,30 @@ if [[ ! -f ./lego.env && "${DEPLOYMENT_ENVIRONMENT}" == "PRODUCTION" ]]; then echo "" >> ./.env fi +BACKUP_TARGET_KEY_TYPES="ed25519,rsa" +BACKUP_TARGET_IPV4=$(dig +short "${BACKUP_TARGET_DOMAIN}" A | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$') +BACKUP_TARGET_IPV6=$(dig +short "${BACKUP_TARGET_DOMAIN}" AAAA | grep -E '^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$') + # Check if ssh key already exists, otherwise generate one -[[ ! -d ./data/restic/ssh/ ]] && mkdir -p ./data/restic/ssh/ -[[ ! -f ./data/restic/ssh/id_ed25519 ]] && ssh-keygen -t ed25519 -C "sso.base23.de" -f ./data/restic/ssh/id_ed25519 +[[ ! -d ./data/restic/ssh/ ]] && mkdir -p ./data/restic/ssh/ && chmod 700 ./data/restic/ssh/ +if [[ ! -f ./data/restic/ssh/id_ed25519 ]]; then + ssh-keygen -t ed25519 -C "${SERVICE_DOMAIN}" -f ./data/restic/ssh/id_ed25519 && chmod 600 ./data/restic/ssh/id_ed25519 + + # Copy SSH key to backup target + cat ./data/restic/ssh/id_ed25519.pub | ssh -p23 ${BACKUP_TARGET_USER}@${BACKUP_TARGET_DOMAIN} install-ssh-key +fi + +# Setup known_hosts for backup container +if [[ ! 
-f ./data/restic/ssh/known_hosts ]]; then + ssh-keyscan -p 23 -t ${BACKUP_TARGET_KEY_TYPES} ${BACKUP_TARGET_DOMAIN} > ./data/restic/ssh/known_hosts + ssh-keyscan -p 23 -t ${BACKUP_TARGET_KEY_TYPES} ${BACKUP_TARGET_IPV4} >> ./data/restic/ssh/known_hosts + ssh-keyscan -p 23 -t ${BACKUP_TARGET_KEY_TYPES} ${BACKUP_TARGET_IPV6} >> ./data/restic/ssh/known_hosts + ssh-keyscan -p 22 -t ${BACKUP_TARGET_KEY_TYPES} ${BACKUP_TARGET_DOMAIN} >> ./data/restic/ssh/known_hosts + ssh-keyscan -p 22 -t ${BACKUP_TARGET_KEY_TYPES} ${BACKUP_TARGET_IPV4} >> ./data/restic/ssh/known_hosts + ssh-keyscan -p 22 -t ${BACKUP_TARGET_KEY_TYPES} ${BACKUP_TARGET_IPV6} >> ./data/restic/ssh/known_hosts + chmod 600 ./data/restic/ssh/known_hosts +fi + if [[ "${DEPLOYMENT_ENVIRONMENT}" == "PRODUCTION" ]]; then # Generate dhparam, if not existing
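Review bot: The key upload `cat ./data/restic/ssh/id_ed25519.pub | ssh -p23 ${BACKUP_TARGET_USER}@${BACKUP_TARGET_DOMAIN} install-ssh-key` runs before the container's known_hosts exists, so the host key it accepts comes from the invoking user's ~/.ssh on a first-use basis, while the ssh-keyscan block afterwards pins whatever the network answers at that moment with no comparison against a fingerprint published by the backup provider; populate known_hosts first, point the upload at it with `-o UserKnownHostsFile=./data/restic/ssh/known_hosts -o StrictHostKeyChecking=yes`, and print `ssh-keygen -lf` of the file so the operator can verify it. Separately, `BACKUP_TARGET_IPV6=$(dig +short ... | grep -E ...)` aborts the whole script under `set -e` when the target has no AAAA record, because grep's exit status 1 becomes the status of the assignment; append `|| true` to both dig lines and guard the IPv6 ssh-keyscan calls with `[[ -n "${BACKUP_TARGET_IPV6}" ]]`, since an unquoted empty expansion passes no host to ssh-keyscan at all. The hard-coded `-p23`/`-p 23` also disagrees with `RESTIC_REPO_PORT=22` in env.test.template; if 23 is the real SSH port, read `${RESTIC_REPO_PORT}` in both places and drop the duplicate port-22 scans.
```shell
BACKUP_TARGET_KEY_TYPES="ed25519,rsa"
BACKUP_TARGET_IPV4=$(dig +short "${BACKUP_TARGET_DOMAIN}" A | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' || true)
# … unchanged: BACKUP_TARGET_IPV6 lookup, with the same `|| true` appended …

# Pin the backup target's host keys before anything connects to it, so the
# upload below is checked against this file rather than the caller's ~/.ssh.
if [[ ! -f ./data/restic/ssh/known_hosts ]]; then
  ssh-keyscan -p 23 -t "${BACKUP_TARGET_KEY_TYPES}" "${BACKUP_TARGET_DOMAIN}" > ./data/restic/ssh/known_hosts
  [[ -n "${BACKUP_TARGET_IPV4}" ]] && ssh-keyscan -p 23 -t "${BACKUP_TARGET_KEY_TYPES}" ${BACKUP_TARGET_IPV4} >> ./data/restic/ssh/known_hosts
  [[ -n "${BACKUP_TARGET_IPV6}" ]] && ssh-keyscan -p 23 -t "${BACKUP_TARGET_KEY_TYPES}" ${BACKUP_TARGET_IPV6} >> ./data/restic/ssh/known_hosts
  chmod 600 ./data/restic/ssh/known_hosts
  # Operator compares these against the fingerprint published by the backup
  # provider (<EXPECTED-HOST-KEY-FINGERPRINT placeholder>) before continuing.
  ssh-keygen -lf ./data/restic/ssh/known_hosts
fi

# … unchanged: ssh directory creation and chmod 700 …
if [[ ! -f ./data/restic/ssh/id_ed25519 ]]; then
  ssh-keygen -t ed25519 -C "${SERVICE_DOMAIN}" -f ./data/restic/ssh/id_ed25519 && chmod 600 ./data/restic/ssh/id_ed25519

  # Copy SSH key to backup target, trusting only the host keys pinned above
  ssh -p23 \
    -o UserKnownHostsFile=./data/restic/ssh/known_hosts \
    -o StrictHostKeyChecking=yes \
    "${BACKUP_TARGET_USER}@${BACKUP_TARGET_DOMAIN}" install-ssh-key < ./data/restic/ssh/id_ed25519.pub
fi
```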