feat: Move authentik to stingray

2025-02-05 20:59:09 -08:00 · 2025-02-05 20:59:09 -08:00 · e9a79e27ab
commit e9a79e27ab
parent 29aa7f3d27
9 changed files with 105 additions and 102 deletions
--- a/ansible/roles/swarm-bootstrap/templates/docker-stack.yml.j2
+++ b/ansible/roles/swarm-bootstrap/templates/docker-stack.yml.j2
@ -60,6 +60,8 @@ services:
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.address=:{{traefik_secure_listen_port}}"
      # TLS
+      - "--entrypoints.websecure.http.tls.domains[0].main=stingray.mnke.org"
+      - "--entrypoints.websecure.http.tls.domains[0].sans=*.stingray.mnke.org"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.letsencrypt.acme.caserver={{'https://acme-v02.api.letsencrypt.org/directory' if traefik_tls_mode == 'production' else 'https://acme-staging-v02.api.letsencrypt.org/directory'}}"
@ -83,10 +85,10 @@ services:
      labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`traefik.{{app_domain_name}}`)"
+      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.middlewares=auth"
-      # TODO: Store this in a secret
-      # It's not thaaat big of a deal cuz it's hashed anyway though.
+      - "traefik.http.routers.api.tls.certresolver=letsencrypt"
      - "traefik.http.middlewares.auth.basicauth.users={{traefik_htpasswd}}"
      # Dummy service for Swarm port detection. The port can be any valid integer value.
      - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
--- a/docker/stacks/authentik/docker-stack.yml
+++ b/docker/stacks/authentik/docker-stack.yml
@ -0,0 +1,100 @@
+---
+version: '3.0'
+
+networks:
+  traefik:
+    external: true
+  authentik:
+
+volumes:
+  authentik_media:
+    driver: local
+    driver_opts:
+      o: bind
+      type: none
+      device: ${AUTHENTIK_MEDIA_DIRECTORY:-/mnt/gfs/authentik/media}
+  authentik_certs:
+    driver: local
+    driver_opts:
+      o: bind
+      type: none
+      device: ${AUTHENTIK_CERTS_DIRECTORY:-/mnt/gfs/authentik/certs}
+  authentik_templates:
+    driver: local
+    driver_opts:
+      o: bind
+      type: none
+      device: ${AUTHENTIK_TEMPLATES_DIRECTORY:-/mnt/gfs/authentik/custom-templates}
+  redis_data:
+    driver: local
+    driver_opts:
+      o: bind
+      type: none
+      device: ${REDIS_DATA:-/mnt/gfs/authentik/redis/data}
+
+services:
+  redis:
+    image: docker.io/library/redis:alpine
+    command: --save 60 1 --loglevel warning
+    networks:
+      - authentik
+    volumes:
+      - redis_data:/data
+
+  server:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.3}
+    restart: unless-stopped
+    command: server
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: ${PG_HOST:-db.home.mnke.org}
+      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:-password}
+      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:-supersecretkey}
+    volumes:
+      - authentik_media:/media
+      - authentik_certs:/templates
+    networks:
+      - authentik
+      - traefik
+    depends_on:
+      - redis
+    deploy:
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.routers.authentik.rule=Host(`${AUTHENTIK_HOST:-authentik.mnke.org}`) || Host(`${AUTHENTIK_SECONDARY_HOST:-authentik.stingray.mnke.org}`)"
+        - "traefik.http.routers.authentik.entrypoints=websecure"
+        - "traefik.http.routers.authentik.tls.certresolver=letsencrypt"
+        - "traefik.http.services.authentik.loadbalancer.server.port=9000"
+        - "traefik.swarm.network=traefik"
+      mode: replicated
+      replicas: 1
+
+  worker:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.3}
+    restart: unless-stopped
+    command: worker
+    environment:
+      AUTHENTIK_REDIS__HOST: redis
+      AUTHENTIK_POSTGRESQL__HOST: ${PG_HOST:-db.home.mnke.org}
+      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
+      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS:-password}
+      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:-supersecretkey}
+    # `user: root` and the docker socket volume are optional.
+    # See more for the docker socket integration here:
+    # https://goauthentik.io/docs/outposts/integrations/docker
+    # Removing `user: root` also prevents the worker from fixing the permissions
+    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
+    # (1000:1000 by default)
+    user: root
+    networks:
+      - authentik
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - authentik_media:/media
+      - authentik_certs:/certs
+      - authentik_templates:/templates
+    depends_on:
+      - redis
--- a/k8s/apps/authentik/kustomization.yaml
+++ b/k8s/apps/authentik/kustomization.yaml
@ -1,9 +0,0 @@
---
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - namespace.yaml
-  - repository.yaml
-  - secret.yaml
-  - release.yaml
-
--- a/k8s/apps/authentik/namespace.yaml
+++ b/k8s/apps/authentik/namespace.yaml
@ -1,6 +0,0 @@
---
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: authentik
-
--- a/k8s/apps/authentik/release.yaml
+++ b/k8s/apps/authentik/release.yaml
@ -1,58 +0,0 @@
---
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: authentik
-  namespace: authentik
-spec:
-  interval: 10m0s
-  chart:
-    spec:
-      chart: authentik
-      reconcileStrategy: ChartVersion
-      sourceRef:
-        kind: HelmRepository
-        name: authentik
-        namespace: authentik
-  valuesFrom:
-    - kind: Secret
-      name: authentik-creds
-      valuesKey: ak-pg-username
-      targetPath: authentik.postgresql.user
-      optional: false
-    - kind: Secret
-      name: authentik-creds
-      valuesKey: ak-pg-password
-      targetPath: authentik.postgresql.password
-      optional: false
-    - kind: Secret
-      name: authentik-creds
-      valuesKey: ak-secret-key
-      targetPath: authentik.secret_key
-      optional: false
-  values:
-    authentik:
-      postgresql:
-        host: db.home.mnke.org
-        name: authentik
-        # user: ""
-        # password: ""
-        port: 5432
-      # secret_key: ""
-
-    server:
-      ingress:
-        enabled: true
-        annotations:
-          cert-manager.io/cluster-issuer: le-cf-issuer
-          kubernetes.io/ingress.class: traefik
-        hosts:
-          - authentik.mnke.org
-          - authentik.dolo.mnke.org
-        ingressClassName: traefik
-
-    postgresql:
-      enabled: false
-
-    redis:
-      enabled: true
--- a/k8s/apps/authentik/repository.yaml
+++ b/k8s/apps/authentik/repository.yaml
@ -1,9 +0,0 @@
---
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-  name: authentik
-  namespace: authentik
-spec:
-  interval: 10m0s
-  url: https://charts.goauthentik.io
--- a/k8s/apps/authentik/secret.yaml
+++ b/k8s/apps/authentik/secret.yaml
@ -1,17 +0,0 @@
---
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: authentik-creds
-  namespace: authentik
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: infisical
-
-  target:
-    name: authentik-creds
-
-  dataFrom:
-    - find:
-        path: ak-
--- a/k8s/apps/kustomization.yaml
+++ b/k8s/apps/kustomization.yaml
@ -4,4 +4,3 @@ resources:
  - kube-prometheus-stack
  - uptime-kuma
  - rancher
-  # - authentik
--- a/k8s/infrastructure/traefik/traefik.yaml
+++ b/k8s/infrastructure/traefik/traefik.yaml
@ -75,6 +75,7 @@ spec:
        enabled: true
        ingressClass: traefik
        allowExternalNameServices: true
+        allowCrossNamespace: true
      kubernetesIngress:
        enabled: true
        ingressClass: traefik