Merge branch 'refactor-docker-compose'

2025-07-26 00:10:37 +02:00 · 2025-07-26 00:10:37 +02:00 · 810d7e0cb9
commit 810d7e0cb9
parent cb16fa06b4 e356e4cf16
11 changed files with 291 additions and 634 deletions
--- a/README.md
+++ b/README.md
@ -1,15 +1,13 @@
-# `sso.base23.de` - Base23 SSO for all services
+# `sso.s1q.dev` - Base23 SSO for all services

 [Authentik](https://goauthentik.io/) based SSO for our sevices.

 ## Table of Contents

- [`sso.base23.de` - Base23 SSO for all services](#ssobase23de---base23-sso-for-all-services)
+- [`sso.s1q.dev` - Base23 SSO for all services](#ssos1qdev---base23-sso-for-all-services)
  - [Table of Contents](#table-of-contents)
  - [Prerequisites](#prerequisites)
-    - [Server Setup](#server-setup)
    - [Tailscale](#tailscale)
-    - [Base23 Docker registry login](#base23-docker-registry-login)
    - [CrowdSec](#crowdsec)
      - [Setup CrowdSec Repo](#setup-crowdsec-repo)
      - [Install CrowdSec](#install-crowdsec)
@ -25,32 +23,7 @@

 ## Prerequisites

-### Server Setup
-
-```shell
-apt update \
-  && apt upgrade -y \
-  && for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do sudo apt remove $pkg; done \
-  && apt install ca-certificates curl \
-  && install -m 0755 -d /etc/apt/keyrings \
-  && curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc \
-  && chmod a+r /etc/apt/keyrings/docker.asc \
-  && echo \
-  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
-  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
-  tee /etc/apt/sources.list.d/docker.list > /dev/null \
-  && apt update \
-  && apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin \
-  && mkdir -p /var/lib/apps \
-  && ln -s /var/lib/apps \
-  && apt install -y git vim \
-  && TEMP_DIR=$(mktemp -d) \
-  && curl -fsSL https://github.com/go-acme/lego/releases/download/v4.20.2/lego_v4.20.2_linux_amd64.tar.gz -o ${TEMP_DIR}/lego_v4.20.2_linux_amd64.tar.gz \
-  && tar xzvf ${TEMP_DIR}/lego_v4.20.2_linux_amd64.tar.gz --directory=${TEMP_DIR} \
-  && install -m 755 -o root -g root "${TEMP_DIR}/lego" "/usr/local/bin" \
-  && rm -rf ${TEMP_DIR} \
-  && unset TEMP_DIR
-```
+- dokploy

 ### Tailscale

@ -61,18 +34,12 @@ printf "Enter preauthkey for Tailscale: " \
  && curl -fsSL https://pkgs.tailscale.com/stable/debian/bookworm.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list \
  && apt-get update \
  && apt-get install tailscale \
-  && tailscale up --login-server https://vpn.base23.de --authkey ${TAILSCALE_PREAUTHKEY} --advertise-tags=tag:prod-servers \
+  && tailscale up --login-server https://vpn.s1q.dev --authkey ${TAILSCALE_PREAUTHKEY} \
  && sleep 2 \
  && tailscale status \
  && unset TAILSCALE_PREAUTHKEY
 ```

-### Base23 Docker registry login
-
-```shell
-docker login -u gitlab+deploy-token-5 registry.git.base23.de
-```
-
 ### CrowdSec

 #### Setup CrowdSec Repo
@ -116,9 +83,9 @@ systemctl restart crowdsec; systemctl status crowdsec.service
 Whitelist Tailscale IPs:

 ```shell
-cat << EOF > /etc/crowdsec/parsers/s02-enrich/01-base23-tailscale.yaml \
+cat << EOF > /etc/crowdsec/parsers/s02-enrich/01-s1q-dev-tailscale.yaml \
  && systemctl restart crowdsec; journalctl -xef -u crowdsec.service
-name: base23/tailscale ## Must be unqiue
+name: s1q-dev/tailscale ## Must be unqiue
 description: "Whitelist events from Tailscale Subnet"
 whitelist:
  reason: "Tailscale clients"
@ -127,18 +94,18 @@ whitelist:
 EOF
 ```

-Whitelist our current Public IPs:
+Whitelist my current Public IPs:

 ```shell
 mkdir -p /etc/crowdsec/postoverflows/s01-whitelist/ \
-  && cat << EOF > /etc/crowdsec/postoverflows/s01-whitelist/01-base23-public-ips.yaml \
+  && cat << EOF > /etc/crowdsec/postoverflows/s01-whitelist/01-s1q-dev-public-ips.yaml \
  && crowdsec -t && systemctl restart crowdsec; systemctl status crowdsec.service
-name: base23/public-ips ## Must be unqiue
-description: "Whitelist events from base23 public IPs"
+name: s1q-dev/public-ips ## Must be unqiue
+description: "Whitelist events from s1q-dev public IPs"
 whitelist:
-  reason: "Base23 Public IPs"
+  reason: "s1q-dev Public IPs"
  expression:
-    - evt.Overflow.Alert.Source.IP in LookupHost("asterix.ddns.base23.de")
+    - evt.Overflow.Alert.Source.IP in LookupHost("r3w.de")
 EOF
 ```

@ -151,8 +118,8 @@ cscli collections install firix/authentik \
 ---
 source: docker
 container_name_regexp:
-  - sso-base23-de-server-*
-  - sso-base23-de-worker-*
+  - sso-s1q-dev-de-server-*
+  - sso-s1q-dev-de-worker-*
 labels:
  type: authentik
 EOF
@ -177,8 +144,8 @@ Setup notifications:

 ```shell
 cd /root/apps \
-  && git clone ssh://git@git.base23.de:222/base23/sso.base23.de.git \
-  && cd sso.base23.de \
+  && git clone ssh://git@git.base23.de:222/base23/sso.s1q.dev.git \
+  && cd sso.s1q.dev \
  && ./scripts/init.sh
 ```

@ -202,10 +169,10 @@ TARGET_IPV6=$(dig +short "${TARGET_DOMAIN}" AAAA | grep -E '^(([0-9a-fA-F]{1,4}:
 ### Fist run

 ```shell
-docker compose build --no-cache \
+./scripts/compose.sh build --no-cache \
    --build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \
    --build-arg SRC_REV=$(git rev-parse --short HEAD) \
-  && docker compose up -d; docker compose logs -f
+  && ./scripts/compose.sh up -d; ./scripts/compose.sh logs -f
 ```

 ## Upgrade
@ -213,31 +180,36 @@ docker compose build --no-cache \
 ### Test
 This is intended for testing the upgrades before rollout on prod. 

-1. Check if the backups are up to date: `docker compose run --rm restore-cli /usr/local/bin/restic snapshots`
-2. Update `AUTHENTIK_TAG` to the desired tag in `env.test.template`.
-3. Check the upstream `docker-compose.yml` file against ours for changes made in the configuration. Check the Postgresql and Redis docker tags. Minor revisions of Postgresql *should be fine*, check the changelogs for any issues and if none are present raise to the latest Minor version (e.g. 16.6 -> 16.9). Redis should be less problematic for upgrades, check nonetheless.
-4. Run `diff --color='auto' env.test.template .env` to display the diff between
-`env.test.template` and `.env`.
-5. Port the changes made to `.env`.
-6. `docker-compose-2.32.4 pull`
-7. `docker-compose-2.32.4 down`
-8. `docker-compose-2.32.4 up -d; docker-compose-2.32.4 logs -f`
+1. Check if the backups are up to date: `./scripts/compose.sh run --rm restore-cli /usr/local/bin/restic snapshots`
+2. Create a new branch `git checkout -b <version>`.
+3. Download the the docker compose for the version you want to update:
+   `curl -fsSL -o docker-compose.yml https://goauthentik.io/version/<version>/docker-compose.yml`
+4. Update `AUTHENTIK_TAG` to the desired tag in `env.test.template`.
+5. Check the upstream `docker-compose.yml` file against ours for changes made in the configuration. Check the Postgresql and Redis docker tags. Minor revisions of Postgresql *should be fine*, check the changelogs for any issues and if none are present raise to the latest Minor version (e.g. 16.6 -> 16.9). Redis should be less problematic for upgrades, check nonetheless.
+6. Run `diff --color='auto' env.test.template .env` to display the diff between
+   `env.test.template` and `.env`.
+7. Port the changes made to `.env`.
+8. `./scripts/compose.sh pull`
+9. `./scripts/compose.sh down`
+10. `./scripts/compose.sh up -d; ./scripts/compose.sh logs -f`
 9. Check the logs for any issues during during startup. Check if https://sso.test.base23.de is available and test the sso login (e.g https://whoami.test.base23.de) 
 10. Apply changes for test to prod files (`docker-compose.<stage>.yml`,  `env.<stage>.template`), commit & push changes to the Repo in a new branch and create a merge request in preparation for the prod upgrade

 ### Prod
 It is expected that the Upgrade has already been performed and tested on https://sso.test.base23.de, and the changes have been merged into main

-0. Perform the Upgrade on test first. 
-1. Check if the backups are up to date: `docker compose run --rm restore-cli /usr/local/bin/restic snapshots`
-2. Perform a git pull
-4. Run `diff --color='auto' env.prod.template .env` to display the diff between `env.prod.template` and `.env`.
-5. Run `diff --color='auto' docker-compose.prod.yml docker-compose.yml` to display the diff between `docker-compose.prod.yml`and  docker-compose.yml`
-6. Port the changes made to `.env` and `docker-compose.yml`
-7. `docker compose pull`
-8. `docker compose down`
-9. `docker compose up -d; docker compose logs -f`
-10.  Check the logs for any issues during during startup. Check if https://sso.base23.de is available and test the sso login (e.g https://vpn.base23.de/admin). 
+1. Check if the backups are up to date: `./scripts/compose.sh run --rm restore-cli /usr/local/bin/restic snapshots`
+2. Create a new branch `git checkout -b <version>`.
+3. Download the the docker compose for the version you want to update:
+   `curl -fsSL -o docker-compose.yml https://goauthentik.io/version/<version>/docker-compose.yml`
+4. Update `AUTHENTIK_TAG` to the desired tag in `env.prod.template`.
+5. Commit & push changes to the Repo.
+6. Run `diff --color='auto' env.prod.template .env` to display the diff between
+   `env.prod.template` and `.env`.
+7. Port the made changes to `.env`.
+8. `./scripts/compose.sh pull`
+9. `./scripts/compose.sh down`
+10. `./scripts/compose.sh up -d; ./scripts/compose.sh logs -f`

 ## Disaster recovery / restore