6.9 KiB
6.9 KiB
sso.base23.de - Base23 SSO for all services
Authentik based SSO for our sevices.
Table of Contents
Prerequisites
Server Setup
apt update \
&& apt upgrade -y \
&& for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do sudo apt remove $pkg; done \
&& apt install ca-certificates curl \
&& install -m 0755 -d /etc/apt/keyrings \
&& curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc \
&& chmod a+r /etc/apt/keyrings/docker.asc \
&& echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
tee /etc/apt/sources.list.d/docker.list > /dev/null \
&& apt update \
&& apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin \
&& mkdir -p /var/lib/apps \
&& ln -s /var/lib/apps \
&& apt install -y git vim \
&& TEMP_DIR=$(mktemp -d) \
&& curl -fsSL https://github.com/go-acme/lego/releases/download/v4.20.2/lego_v4.20.2_linux_amd64.tar.gz -o ${TEMP_DIR}/lego_v4.20.2_linux_amd64.tar.gz \
&& tar xzvf ${TEMP_DIR}/lego_v4.20.2_linux_amd64.tar.gz --directory=${TEMP_DIR} \
&& install -m 755 -o root -g root "${TEMP_DIR}/lego" "/usr/local/bin" \
&& rm -rf ${TEMP_DIR} \
&& unset TEMP_DIR
Base23 Docker registry login
docker login -u gitlab+deploy-token-5 registry.git.base23.de
CrowdSec
Setup CrowdSec Repo
apt update \
&& apt upgrade -y \
&& apt install -y debian-archive-keyring \
&& apt install -y curl gnupg apt-transport-https \
&& mkdir -p /etc/apt/keyrings/ \
&& curl -fsSL https://packagecloud.io/crowdsec/crowdsec/gpgkey | gpg --dearmor > /etc/apt/keyrings/crowdsec_crowdsec-archive-keyring.gpg \
&& cat << EOF > /etc/apt/sources.list.d/crowdsec_crowdsec.list \
&& apt update
deb [signed-by=/etc/apt/keyrings/crowdsec_crowdsec-archive-keyring.gpg] https://packagecloud.io/crowdsec/crowdsec/any any main
deb-src [signed-by=/etc/apt/keyrings/crowdsec_crowdsec-archive-keyring.gpg] https://packagecloud.io/crowdsec/crowdsec/any any main
EOF
Install CrowdSec
apt install -y crowdsec crowdsec-firewall-bouncer-iptables \
&& cscli completion bash | tee /etc/bash_completion.d/cscli \
&& source ~/.bashrc
Configure CrowdSec
Whitelist Tailscale IPs:
cat << EOF > /etc/crowdsec/parsers/s02-enrich/01-base23-tailscale.yaml \
&& systemctl restart crowdsec; journalctl -xef -u crowdsec.service
name: base23/tailscale ## Must be unqiue
description: "Whitelist Tailscale"
whitelist:
reason: "Tailscale clients"
cidr:
- "100.64.0.0/10"
EOF
Add Authentik integration:
cscli collections install firix/authentik \
&& cat << EOF > /etc/crowdsec/acquis.d/authentik.yaml \
&& crowdsec -t && systemctl restart crowdsec
---
source: docker
container_name_regexp:
- sso-base23-de-server-*
- sso-base23-de-worker-*
labels:
type: authentik
EOF
Enable increasing ban time:
sed -i -e 's/^#duration_expr/duration_expr/g' /etc/crowdsec/profiles.yaml \
&& crowdsec -t && systemctl restart crowdsec
Setup notifications:
Installation
Clone & configure initially
- Create a Storage Box sub account.
- Enter the username to
env.template. - Run the initial configuration script:
cd /root/apps \
&& git clone ssh://git@git.base23.de:222/base23/sso.base23.de.git \
&& cd sso.base23.de \
&& ./scripts/init.sh
- Use the generated SSH key and copy it to the Hetzner Storage box for backups:
STORAGE_BOX_DOMAIN=cloud.backup.base23.de \
STORAGE_BOX_IPV4=$(dig +short "${STORAGE_BOX_DOMAIN}" A | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$') \
STORAGE_BOX_IPV6=$(dig +short "${STORAGE_BOX_DOMAIN}" AAAA | grep -E '^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$') \
&& cat ./data/restic/ssh/id_ed25519.pub | ssh -p23 u291924-sub4@${STORAGE_BOX_DOMAIN} install-ssh-key \
&& ssh-keyscan -p 23 -t ecdsa-sha2-nistp521,ed25519,ed25519-sk,rsa,dsa,ecdsa,ecdsa-sk ${STORAGE_BOX_DOMAIN} > ./data/restic/ssh/known_hosts \
&& ssh-keyscan -p 23 -t ecdsa-sha2-nistp521,ed25519,ed25519-sk,rsa,dsa,ecdsa,ecdsa-sk ${STORAGE_BOX_IPV4} >> ./data/restic/ssh/known_hosts \
&& ssh-keyscan -p 23 -t ecdsa-sha2-nistp521,ed25519,ed25519-sk,rsa,dsa,ecdsa,ecdsa-sk ${STORAGE_BOX_IPV6} >> ./data/restic/ssh/known_hosts \
&& ssh-keyscan -p 22 -t ecdsa-sha2-nistp521,ed25519,ed25519-sk,rsa,dsa,ecdsa,ecdsa-sk ${STORAGE_BOX_DOMAIN} >> ./data/restic/ssh/known_hosts \
&& ssh-keyscan -p 22 -t ecdsa-sha2-nistp521,ed25519,ed25519-sk,rsa,dsa,ecdsa,ecdsa-sk ${STORAGE_BOX_IPV4} >> ./data/restic/ssh/known_hosts \
&& ssh-keyscan -p 22 -t ecdsa-sha2-nistp521,ed25519,ed25519-sk,rsa,dsa,ecdsa,ecdsa-sk ${STORAGE_BOX_IPV6} >> ./data/restic/ssh/known_hosts
Fist run
docker compose build --no-cache \
--build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \
--build-arg SRC_REV=$(git rev-parse --short HEAD) \
&& docker compose up -d; docker compose logs -f
Upgrade
- Update
AUTHENTIK_TAGto the desired tag inenv.template. - Commit & push changes to the Repo.
- Run
diff --color='auto' env.template .envto display the diff betweenenv.templateand.env. - Port the made changes to
.env. docker compose downdocker compose up -d; docker compose logs -f
Rebuild containers locally
docker compose build --no-cache \
--build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \
--build-arg SRC_REV=$(git rev-parse --short HEAD)