update restic image

This commit is contained in:
Philip Henning 2024-11-26 17:51:47 +01:00
parent f6ae23c51a
commit 9cf4d822c3
2 changed files with 81 additions and 8 deletions


@ -9,6 +9,10 @@
- [Prerequisites](#prerequisites) - [Prerequisites](#prerequisites)
- [Server Setup](#server-setup) - [Server Setup](#server-setup)
- [Base23 Docker registry login](#base23-docker-registry-login) - [Base23 Docker registry login](#base23-docker-registry-login)
- [CrowdSec](#crowdsec)
- [Setup CrowdSec Repo](#setup-crowdsec-repo)
- [Install CrowdSec](#install-crowdsec)
- [Configure CrowdSec](#configure-crowdsec)
- [Installation](#installation) - [Installation](#installation)
- [Clone \& configure initially](#clone--configure-initially) - [Clone \& configure initially](#clone--configure-initially)
- [Fist run](#fist-run) - [Fist run](#fist-run)
@ -50,6 +54,75 @@ apt update \
docker login -u gitlab+deploy-token-5 registry.git.base23.de docker login -u gitlab+deploy-token-5 registry.git.base23.de
``` ```
### CrowdSec
#### Setup CrowdSec Repo
```shell
apt update \
&& apt upgrade -y \
&& apt install -y debian-archive-keyring \
&& apt install -y curl gnupg apt-transport-https \
&& mkdir -p /etc/apt/keyrings/ \
&& curl -fsSL https://packagecloud.io/crowdsec/crowdsec/gpgkey | gpg --dearmor > /etc/apt/keyrings/crowdsec_crowdsec-archive-keyring.gpg \
&& cat << EOF > /etc/apt/sources.list.d/crowdsec_crowdsec.list \
&& apt update
deb [signed-by=/etc/apt/keyrings/crowdsec_crowdsec-archive-keyring.gpg] https://packagecloud.io/crowdsec/crowdsec/any any main
deb-src [signed-by=/etc/apt/keyrings/crowdsec_crowdsec-archive-keyring.gpg] https://packagecloud.io/crowdsec/crowdsec/any any main
EOF
```
#### Install CrowdSec
```shell
apt install -y crowdsec crowdsec-firewall-bouncer-iptables \
&& cscli completion bash | tee /etc/bash_completion.d/cscli \
&& source ~/.bashrc
```
#### Configure CrowdSec
Whitelist Tailscale IPs:
```shell
cat << EOF > /etc/crowdsec/parsers/s02-enrich/01-base23-tailscale.yaml \
&& systemctl restart crowdsec; journalctl -xef -u crowdsec.service
name: base23/tailscale ## Must be unqiue
description: "Whitelist Tailscale"
whitelist:
reason: "Tailscale clients"
cidr:
- "100.64.0.0/10"
EOF
```
Add Authentik integration:
```shell
cscli collections install firix/authentik \
&& cat << EOF > /etc/crowdsec/acquis.d/authentik.yaml \
&& crowdsec -t && systemctl restart crowdsec
---
source: docker
container_name_regexp:
- sso-base23-de-server-*
- sso-base23-de-worker-*
labels:
type: authentik
EOF
```
Enable increasing ban time:
```shell
sed -i -e 's/^#duration_expr/duration_expr/g' /etc/crowdsec/profiles.yaml \
&& crowdsec -t && systemctl restart crowdsec
```
Setup notifications:
## Installation ## Installation
### Clone & configure initially ### Clone & configure initially


@ -145,7 +145,7 @@ services:
- frontend - frontend
backup: backup:
image: registry.git.base23.de/base23/backup/resticker:0.11.0 image: registry.git.base23.de/base23/backup/resticker:0.17.0
environment: environment:
PRE_COMMANDS: |- PRE_COMMANDS: |-
docker exec sso-base23-de-postgresql-1 pg_dump -U ${PG_USER:-authentik} -d ${PG_DB:-authentik} -f /var/lib/postgresql/backups/${PG_DB:-authentik}.sql docker exec sso-base23-de-postgresql-1 pg_dump -U ${PG_USER:-authentik} -d ${PG_DB:-authentik} -f /var/lib/postgresql/backups/${PG_DB:-authentik}.sql
@ -153,7 +153,7 @@ services:
BACKUP_CRON: "32 2 * * *" BACKUP_CRON: "32 2 * * *"
RESTIC_REPOSITORY: sftp://${RESTIC_REPO_USER:?Restic repository user is required}@${RESTIC_REPO_ADDRESS:?Restic repository address is requried}:${RESTIC_REPO_PORT:?Restic repository port is required}//backup RESTIC_REPOSITORY: sftp://${RESTIC_REPO_USER:?Restic repository user is required}@${RESTIC_REPO_ADDRESS:?Restic repository address is requried}:${RESTIC_REPO_PORT:?Restic repository port is required}//backup
RESTIC_PASSWORD: ${RESTIC_REPO_PASSWORD:?Restic repository password is required} RESTIC_PASSWORD: ${RESTIC_REPO_PASSWORD:?Restic repository password is required}
RESTIC_BACKUP_SOURCES: /var/lib/backups RESTIC_BACKUP_SOURCES: /var/lib/postgresql/backups /var/lib/authentik/backups /var/lib/lego/backups
RESTIC_BACKUP_ARGS: >- RESTIC_BACKUP_ARGS: >-
--tag ${RESTIC_TAG:?Restic tag is required} --tag ${RESTIC_TAG:?Restic tag is required}
--verbose --verbose
@ -164,14 +164,14 @@ services:
--keep-monthly 12 --keep-monthly 12
TZ: Europe/Berlin TZ: Europe/Berlin
volumes: volumes:
- ./data/restic/ssh/:/tmp/.ssh/:ro - ./data/restic/ssh/:/run/secrets/.ssh:ro
- /var/run/docker.sock:/var/run/docker.sock - /var/run/docker.sock:/var/run/docker.sock
- ./docker-compose.yml:/sso.base23.de/docker-compose.yml:ro - ./docker-compose.yml:/sso.base23.de/docker-compose.yml:ro
- backups_db:/var/lib/backups/postgresql:ro - backups_db:/var/lib/postgresql/backups:ro
- ./data/authentik/certs:/var/lib/backups/authentik/certs:ro - ./data/authentik/certs:/var/lib/authentik/backups/certs:ro
- ./data/authentik/custom-templates:/var/lib/backups/authentik/templates:ro - ./data/authentik/custom-templates:/var/lib/authentik/backups/templates:ro
- ./data/authentik/media:/var/lib/backups/authentik/media:ro - ./data/authentik/media:/var/lib/authentik/backups/media:ro
- ./data/.lego:/var/lib/backups/lego:ro - ./data/.lego:/var/lib/lego/backups:ro
prune-backup: prune-backup:
image: registry.git.base23.de/base23/backup/resticker:0.11.0 image: registry.git.base23.de/base23/backup/resticker:0.11.0