transition to separate templates for prod and test; update script to add ssh-key deployment
This commit is contained in:
		
							parent
							
								
									fe3da3dc3a
								
							
						
					
					
						commit
						259cb76cc1
					
				
					 3 changed files with 105 additions and 29 deletions
				
			
		| 
						 | 
				
			
			@ -1,10 +1,10 @@
 | 
			
		|||
# SETTINGS from env.template
 | 
			
		||||
# Misc configuration
 | 
			
		||||
PUBLIC_DOMAIN=replace-me
 | 
			
		||||
PUBLIC_DOMAIN=sso.base23.de
 | 
			
		||||
COMPOSE_PROJECT_NAME=sso-base23-de
 | 
			
		||||
 | 
			
		||||
# Auhtentik version
 | 
			
		||||
AUTHENTIK_TAG=2024.10.4
 | 
			
		||||
AUTHENTIK_TAG=2024.12.3
 | 
			
		||||
 | 
			
		||||
# Error reporting & Logging
 | 
			
		||||
AUTHENTIK_ERROR_REPORTING__ENABLED=true
 | 
			
		||||
| 
						 | 
				
			
			@ -48,14 +48,15 @@ NGINX_SERVERNAME=sso.base23.de
 | 
			
		|||
 | 
			
		||||
# NGINX SSL Config for nginx 1.27.2, intermediate config, OpenSSL 3.0.14
 | 
			
		||||
NGINX_SSL_SESSION_TIMEOUT=1d
 | 
			
		||||
NGINX_SSL_SESSION_CACHE=shared:MozSSL:10m # about 40000 sessions
 | 
			
		||||
NGINX_SSL_PROTOCOLS=TLSv1.2 TLSv1.3
 | 
			
		||||
NGINX_SSL_CIPHERS=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
 | 
			
		||||
NGINX_SSL_SESSION_CACHE='shared:MozSSL:10m' # about 40000 sessions
 | 
			
		||||
NGINX_SSL_PROTOCOLS='TLSv1.2 TLSv1.3'
 | 
			
		||||
NGINX_SSL_CIPHERS='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305'
 | 
			
		||||
NGINX_SSL_PREFER_SERVER_CIPHERS=off
 | 
			
		||||
NGINX_HEADER_STRICT_TRANSPORT_SECURITY='"max-age=63072000" always'
 | 
			
		||||
NGINX_SSL_STAPLING=on
 | 
			
		||||
NGINX_SSL_STAPLING_VERIFY=on
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
# Restic configuration
 | 
			
		||||
RESTIC_REPO_USER=u291924-sub4
 | 
			
		||||
RESTIC_REPO_ADDRESS=cloud.backup.base23.de
 | 
			
		||||
							
								
								
									
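--- /dev/null
+++ b/env.test.template
@@ -0,0 +1,48 @@
+# SETTINGS from env.template
+# Misc configuration
+PUBLIC_DOMAIN=sso.test.base23.de
+COMPOSE_PROJECT_NAME=sso-base23-de
+
+# Auhtentik version
+AUTHENTIK_TAG=2024.12.3
+
+# Error reporting & Logging
+AUTHENTIK_ERROR_REPORTING__ENABLED=true
+AUTHENTIK_LOG_LEVEL=warning
+
+# Email configuration
+# SMTP Host Emails are sent to
+AUTHENTIK_EMAIL__HOST=mail.base23.de
+AUTHENTIK_EMAIL__PORT=25
+AUTHENTIK_EMAIL__USERNAME=sso@base23.de
+# Use StartTLS
+AUTHENTIK_EMAIL__USE_TLS=true
+# Use SSL
+AUTHENTIK_EMAIL__USE_SSL=false
+AUTHENTIK_EMAIL__TIMEOUT=10
+# Email address authentik will send from, should have a correct @domain
+AUTHENTIK_EMAIL__FROM=sso@base23.de
+
+# Exposed ports for Authentik -- Ports are note exposed due to traefik setup
+# COMPOSE_PORT_HTTP=80
+# COMPOSE_PORT_HTTPS=443
+
+# Liste settings
+AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS="172.18.0.0/16"
+
+
+# MaxMind GeoIP
+GEOIPUPDATE_ACCOUNT_ID=1093308
+
+
+# PostgreSQL configuration
+PG_USER=authentik
+PG_DB=authentik
+
+
+# Restic configuration
+RESTIC_REPO_USER=u291924-sub5
+RESTIC_REPO_ADDRESS=cloud.backup.base23.de
+RESTIC_REPO_PORT=22
+RESTIC_TAG=sso.test.base23.de
+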
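Review bot: `COMPOSE_PROJECT_NAME=sso-base23-de` in the new test template is the same value the production template carries, so if both environments are ever brought up on one Docker host compose would appear to treat them as a single project and share container, network and volume names; a distinct value such as `COMPOSE_PROJECT_NAME=sso-test-base23-de` keeps them apart the way the separate `RESTIC_REPO_USER` and `RESTIC_TAG` already do. The header `# SETTINGS from env.template` is stale for a file that is now itself the template; I would replace it with `# Test environment settings (sourced by the init script and appended to .env)`. The comments also carry three typos worth fixing in a new file: `# Auhtentik version` → `# Authentik version`, `# Liste settings` → `# Listen settings`, and `Ports are note exposed` → `Ports are not exposed`.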
| 
						 | 
				
			
			@ -1,6 +1,33 @@
 | 
			
		|||
#!/usr/bin/env bash
 | 
			
		||||
set -euf -o pipefail
 | 
			
		||||
 | 
			
		||||
# Ask if initialized for production or test
 | 
			
		||||
while true; do
 | 
			
		||||
	read -p "Do you want to init a [P]roduction or [T]est environment? (P/T): " DEPLOYMENT_ENVIRONMENT
 | 
			
		||||
	case "$DEPLOYMENT_ENVIRONMENT" in
 | 
			
		||||
		[Pp]* )
 | 
			
		||||
			DEPLOYMENT_ENVIRONMENT="PRODUCTION"
 | 
			
		||||
			ENV_TEMPLATE="env.prod.template"
 | 
			
		||||
			break
 | 
			
		||||
			;;
 | 
			
		||||
		[Tt]* )
 | 
			
		||||
			DEPLOYMENT_ENVIRONMENT="TEST"
 | 
			
		||||
			ENV_TEMPLATE="env.test.template"
 | 
			
		||||
			break
 | 
			
		||||
			;;
 | 
			
		||||
		* )
 | 
			
		||||
			echo "Please answer with P or T."
 | 
			
		||||
			;;
 | 
			
		||||
	esac
 | 
			
		||||
done
 | 
			
		||||
 | 
			
		||||
source $(dirname "$(readlink -f "$0")")/../${ENV_TEMPLATE}
 | 
			
		||||
 | 
			
		||||
SERVICE_DOMAIN="${RESTIC_TAG:?Restic backup tag is missing -- RESTIC_TAG}"
 | 
			
		||||
BACKUP_TARGET_DOMAIN="${RESTIC_REPO_ADDRESS:?Restic backup target domain is missing -- RESTIC_REPO_ADDRESS}"
 | 
			
		||||
BACKUP_TARGET_USER="${RESTIC_REPO_USER:?Restic backup target user is missing -- RESTIC_REPO_USER}"
 | 
			
		||||
HOSTNAME=$(hostname -f)
 | 
			
		||||
 | 
			
		||||
# Function to securely query user for a password, verify it, and return it for further use
 | 
			
		||||
prompt_password() {
 | 
			
		||||
	local purpose="$1"
 | 
			
		||||
| 
						 | 
				
			
			@ -30,26 +57,6 @@ trap 'printf "\nOperation aborted by user.\n" >&2; exit 1' SIGINT
 | 
			
		|||
cd "$(dirname "$(realpath "$0")")/../"
 | 
			
		||||
AUTHENTIK_DOCKER_COMPOSE_PATH="$(realpath "$(pwd)")"
 | 
			
		||||
 | 
			
		||||
# Ask if initialized for production or test
 | 
			
		||||
while true; do
 | 
			
		||||
	read -p "Do you want to init a [P]roduction or [T]est environment? (P/T): " DEPLOYMENT_ENVIRONMENT
 | 
			
		||||
	case "$DEPLOYMENT_ENVIRONMENT" in
 | 
			
		||||
		[Pp]* )
 | 
			
		||||
			DEPLOYMENT_ENVIRONMENT="PRODUCTION"
 | 
			
		||||
			PUBLIC_DOMAIN="sso.base23.de"
 | 
			
		||||
			break
 | 
			
		||||
			;;
 | 
			
		||||
		[Tt]* )
 | 
			
		||||
			DEPLOYMENT_ENVIRONMENT="TEST"
 | 
			
		||||
			PUBLIC_DOMAIN="sso.test.base23.de"
 | 
			
		||||
			break
 | 
			
		||||
			;;
 | 
			
		||||
		* )
 | 
			
		||||
			echo "Please answer with P or T."
 | 
			
		||||
			;;
 | 
			
		||||
	esac
 | 
			
		||||
done
 | 
			
		||||
 | 
			
		||||
if [[ ! -f ./docker-compose.yml ]]; then
 | 
			
		||||
	[[ "${DEPLOYMENT_ENVIRONMENT}" == "PRODUCTION" ]] && ln -s ./docker-compose.prod.yml ./docker-compose.yml
 | 
			
		||||
	[[ "${DEPLOYMENT_ENVIRONMENT}" == "TEST" ]] && ln -s ./docker-compose.test.yml ./docker-compose.yml
 | 
			
		||||
| 
						 | 
				
			
			@ -57,8 +64,7 @@ fi
 | 
			
		|||
 | 
			
		||||
# Check if .env exists and exit if it is
 | 
			
		||||
if [[ ! -f ./.env ]]; then
 | 
			
		||||
	cat ./env.template >> ./.env
 | 
			
		||||
	sed -i "s/\(PUBLIC_DOMAIN=\).*/\1${PUBLIC_DOMAIN}/" ./.env
 | 
			
		||||
	cat ./${ENV_TEMPLATE} >> ./.env
 | 
			
		||||
	echo "# SECRETS" >> ./.env
 | 
			
		||||
	prompt_password "PG_PASS (leave empty to generate a password)"; echo "PG_PASS=$([[ -n ${RETURNED_PASSWORD} ]] && echo -n "${RETURNED_PASSWORD}" || openssl rand -base64 36 | tr -d '\n')" >> ./.env; unset RETURNED_PASSWORD
 | 
			
		||||
	prompt_password "AUTHENTIK_SECRET_KEY (leave empty to generate a password)"; echo "AUTHENTIK_SECRET_KEY=$([[ -n ${RETURNED_PASSWORD} ]] && echo -n "${RETURNED_PASSWORD}" || openssl rand -base64 60 | tr -d '\n')" >> ./.env; unset RETURNED_PASSWORD
 | 
			
		||||
| 
						 | 
				
			
			@ -75,9 +81,30 @@ if [[ ! -f ./lego.env && "${DEPLOYMENT_ENVIRONMENT}" == "PRODUCTION" ]]; then
 | 
			
		|||
	echo "" >> ./.env
 | 
			
		||||
fi
 | 
			
		||||
 | 
			
		||||
BACKUP_TARGET_KEY_TYPES="ed25519,rsa"
 | 
			
		||||
BACKUP_TARGET_IPV4=$(dig +short "${BACKUP_TARGET_DOMAIN}" A | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$')
 | 
			
		||||
BACKUP_TARGET_IPV6=$(dig +short "${BACKUP_TARGET_DOMAIN}" AAAA | grep -E '^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$')
 | 
			
		||||
 | 
			
		||||
# Check if ssh key already exists, otherwise generate one
 | 
			
		||||
[[ ! -d ./data/restic/ssh/ ]] && mkdir -p ./data/restic/ssh/
 | 
			
		||||
[[ ! -f ./data/restic/ssh/id_ed25519 ]] && ssh-keygen -t ed25519 -C "sso.base23.de" -f ./data/restic/ssh/id_ed25519
 | 
			
		||||
[[ ! -d ./data/restic/ssh/ ]] && mkdir -p ./data/restic/ssh/ && chmod 700 ./data/restic/ssh/
 | 
			
		||||
if [[ ! -f ./data/restic/ssh/id_ed25519 ]]; then
 | 
			
		||||
	ssh-keygen -t ed25519 -C "${SERVICE_DOMAIN}" -f ./data/restic/ssh/id_ed25519 && chmod 600 ./data/restic/ssh/id_ed25519
 | 
			
		||||
 | 
			
		||||
	# Copy SSH key to backup target
 | 
			
		||||
	cat ./data/restic/ssh/id_ed25519.pub | ssh -p23 ${BACKUP_TARGET_USER}@${BACKUP_TARGET_DOMAIN} install-ssh-key
 | 
			
		||||
fi
 | 
			
		||||
 | 
			
		||||
# Setup known_hosts for backup container
 | 
			
		||||
if [[ ! -f ./data/restic/ssh/known_hosts ]]; then
 | 
			
		||||
	ssh-keyscan -p 23 -t ${BACKUP_TARGET_KEY_TYPES} ${BACKUP_TARGET_DOMAIN} > ./data/restic/ssh/known_hosts
 | 
			
		||||
	ssh-keyscan -p 23 -t ${BACKUP_TARGET_KEY_TYPES} ${BACKUP_TARGET_IPV4} >> ./data/restic/ssh/known_hosts
 | 
			
		||||
	ssh-keyscan -p 23 -t ${BACKUP_TARGET_KEY_TYPES} ${BACKUP_TARGET_IPV6} >> ./data/restic/ssh/known_hosts
 | 
			
		||||
	ssh-keyscan -p 22 -t ${BACKUP_TARGET_KEY_TYPES} ${BACKUP_TARGET_DOMAIN} >> ./data/restic/ssh/known_hosts
 | 
			
		||||
	ssh-keyscan -p 22 -t ${BACKUP_TARGET_KEY_TYPES} ${BACKUP_TARGET_IPV4} >> ./data/restic/ssh/known_hosts
 | 
			
		||||
	ssh-keyscan -p 22 -t ${BACKUP_TARGET_KEY_TYPES} ${BACKUP_TARGET_IPV6} >> ./data/restic/ssh/known_hosts
 | 
			
		||||
	chmod 600 ./data/restic/ssh/known_hosts
 | 
			
		||||
fi
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
if [[ "${DEPLOYMENT_ENVIRONMENT}" == "PRODUCTION" ]]; then
 | 
			
		||||
	# Generate dhparam, if not existing
 | 
			
		||||
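Review bot: The address lookups `BACKUP_TARGET_IPV4=$(dig … | grep …)` and the AAAA line below it abort the whole run under `set -e -o pipefail` whenever a record type is absent (grep exits 1 on no match), so on a host without an AAAA record `.env` and the SSH key are already written but `known_hosts` is never created; if a lookup did come back empty, the unquoted `${BACKUP_TARGET_IPV6}` in the keyscan lines would also invoke `ssh-keyscan` with no host argument. I would append `|| true` to both lookups and iterate the keyscan over the non-empty targets, as below. The host keys gathered by `ssh-keyscan` are trust-on-first-use, so printing `ssh-keygen -lf ./data/restic/ssh/known_hosts` at the end lets the operator compare the fingerprints against the backup provider's published ones before the container relies on them. The deployment step `ssh -p23 … install-ssh-key` only runs when the key is first generated, so a failed upload is never retried on a later run; consider keying it on a marker file rather than on the private key's existence. The `if [[ "${DEPLOYMENT_ENVIRONMENT}" == "PRODUCTION" ]]` block at the end of the hunk continues outside it.
```shell
# A missing record type is not an error here; keep the run going with an empty value
BACKUP_TARGET_IPV4=$(dig +short "${BACKUP_TARGET_DOMAIN}" A | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' || true)
BACKUP_TARGET_IPV6=$(dig +short "${BACKUP_TARGET_DOMAIN}" AAAA | grep -E '<IPv6 pattern unchanged>' || true)

# … unchanged: ssh key generation and deployment …

# Setup known_hosts for backup container
if [[ ! -f ./data/restic/ssh/known_hosts ]]; then
	# set -f is active, so the unquoted IP variables only word-split (one address per record);
	# an empty lookup result simply contributes no target
	for backup_target in "${BACKUP_TARGET_DOMAIN}" ${BACKUP_TARGET_IPV4} ${BACKUP_TARGET_IPV6}; do
		for backup_port in 23 22; do
			ssh-keyscan -p "${backup_port}" -t "${BACKUP_TARGET_KEY_TYPES}" "${backup_target}" >> ./data/restic/ssh/known_hosts
		done
	done
	chmod 600 ./data/restic/ssh/known_hosts
	# Keys above were fetched trust-on-first-use; show fingerprints for out-of-band comparison
	ssh-keygen -lf ./data/restic/ssh/known_hosts
fi
```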