Ready for TrueNAS+runtipi hosting

- adapt secretes via tipi-compose - add ix-dockge to runtipi-reverse-proxy as an example - added rt.dockge.yml(.bobo) as an example - bobo auth is now working
2025-01-17 13:18:06 -08:00 · 2025-01-17 13:18:06 -08:00 · b07ddc8596
parent a5e497b257
commit b07ddc8596
6 changed files with 125 additions and 10 deletions
--- a/.env.local.tmpl
+++ b/.env.local.tmpl
@ -1,10 +1,20 @@
-ACME_EMAIL=<acme admin mail>
-CF_DNS_API_TOKEN=<Cloudflare DNS API Token>
+# user-config/.env.<system name>.local.yml
+ACME_EMAIL="<acme admin mail>"

-SZ_USER_UID=<USER's UID>
-SZ_USER_GID=<USER's GID>
+HOST_UID="<USER's UID>"
+HOST_GID="<USER's GID>"

+INTERNAL_IP="192.168.1.11"
+
+# RUNTIPI's root on the docker host
+# TIPI_VERSION="v3.8.0"
+RUNTIPI_ROOT_FOL    DER_HOST="/mnt/bobo/data/apps/runtipi"
+
+# ALT_ROOT_DOMAIN=<alt domain> # optional, alternative public domain
 ROOT_DOMAIN=<root.fqdn>
-LEGACY_ROOT_DOMAIN=<legacy domain>
+DOMAIN=<root.fqdn>
+LOCAL_DOMAIN=tipi.local
+
+TZ="America/New_York"

 # vi: ft=sh
--- a/_bin/rtpctl.d
+++ b/_bin/rtpctl.d
@ -15,7 +15,7 @@ BASE_NAME="$(basename -- "$0")"
 BASE_BASE_NAME="${BASE_NAME%.*}"

 RUNTIPI_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
-RUNTIPI_CLI="${RUNTIPI_ROOT}/runtipi_cli"
+RUNTIPI_CLI="${RUNTIPI_ROOT}/runtipi-cli"
 set -e

 cd "${RUNTIPI_ROOT}" > /dev/null
@ -46,6 +46,9 @@ runtipi-app-docker-compose() {
          echo --file apps/${APP}/docker-compose.yml
          append_file_param --file repos/29ca930bfdaffa1dfabf5726336380ede7066bc53297e3c0c868b27c97282903/apps/docker-compose.common.yml
          append_file_param --file "user-config/${APP}/docker-compose.yml"
+        else
+          append_file_param --file "docker-compose.yml"
+          append_file_param --file "user-config/tipi-compose.yml"
        fi) \
        ${@:2}
 }
@ -68,7 +71,11 @@ case "${1}" in
        runtipi-cli start --env-file user-config/.env.local --no-permissions
        ;;
    update)
-        runtipi-cli update --env-file user-config/.env.local --no-permissions "${2:?Must supply version}" "${@:3}"
+        if [ -z "${2}" ]; then
+            ${SCRIPT_DIR}/checkver.sh
+        else
+            runtipi-cli update --env-file user-config/.env.local --no-permissions "${2:?Must supply version}" "${@:3}"
+        fi
        ;;
    docker)
        docker "${@:2}"
@ -83,6 +90,9 @@ case "${1}" in
        cd "${RUNTIPI_ROOT}/../dockge/stacks/${2:?Must supply stack name}" > /dev/null
        docker compose "${@:3}"
        ;;
+    shell)
+        runtipi-app-docker-compose "${2:?}" exec ${5:+"${@:5}"} -it "${4:-${2}}" "${3:-bash}"
+        ;;
    setup)
        ln -s $2 "$(cd -- "${SCRIPT_DIR}" && pwd)/${BASE_NAME}" "${3:-$HOME/.local/bin/}"
        ;;
@ -108,10 +118,10 @@ case "${1}" in
            "" "dls"        "stylized docker ls" \
            "" "docker"     "docker" \
            "" "dockge"     "docker compose for dockge stacks" \
+            "" "shell"      "enter an insteractive shell" \
            "" "" "" \
            "misc." "" ""\
            "" "exec"       "execute within the shell, START_DIR env applies" \
-            "" "shell"      "enter an insteractive shell" \
            "" "" "" \
            "" "setup"      "setup runtipictl in user's .local/bin dir" \
            "" "" "${BASE_NAME} setup" \
--- a/_traefik/dynamic/_templates/mw.fwd-auth-sysmgr.yml.bobo
+++ b/_traefik/dynamic/_templates/mw.fwd-auth-sysmgr.yml.bobo
@ -0,0 +1,19 @@
+http:
+  middlewares:
+    authentik_sysmgr:
+      forwardAuth:
+        address: https://auth.avital14.com/outpost.goauthentik.io/auth/traefik
+        trustForwardHeader: true
+        authResponseHeadersRegex: "^[Xx]-[Aa]uthentik"
+        # authResponseHeaders:
+        #   - X-authentik-username
+        #   - X-authentik-groups
+        #   - X-authentik-email
+        #   - X-authentik-name
+        #   - X-authentik-uid
+        #   - X-authentik-jwt
+        #   - X-authentik-meta-jwks
+        #   - X-authentik-meta-outpost
+        #   - X-authentik-meta-provider
+        #   - X-authentik-meta-app
+        #   - X-authentik-meta-version
--- a/_traefik/dynamic/_templates/rt.dockge.yml.bobo
+++ b/_traefik/dynamic/_templates/rt.dockge.yml.bobo
@ -0,0 +1,23 @@
+# http routing section
+http:
+  routers:
+    # Define a connection between requests and services
+    home-assistant:
+      rule: "Host(`dockge.toronto.avital14.com`)" 
+      entrypoints:
+      - websecure
+    # # If the rule matches, applies the middleware
+    # middlewares:
+    # - test-user
+      # If the rule matches, forward to the whoami service (declared below)
+      service: home-assistant
+      tls:
+        certresolver: myresolver
+
+  services:
+    # Define how to reach an existing service on our infrastructure
+    home-assistant:
+      loadBalancer:      
+        servers:
+        - url: "http://dockge:31014"
+        #- address: "ha.lan:8123"
--- a/szetup.sh
+++ b/szetup.sh
@ -24,7 +24,6 @@ else
    echo "No matching symbolic links found to delete."
 fi

-
 find "$TOP_DIR/_templates" -maxdepth 1 -mindepth 1 -type f -name "*.${SYS_NAME}" -print0 \
 | while IFS= read -r -d '' file; do
    base=$(basename "$file" ".${SYS_NAME}")
@ -33,3 +32,38 @@ find "$TOP_DIR/_templates" -maxdepth 1 -mindepth 1 -type f -name "*.${SYS_NAME}"
    ln -vrs "${file}" "${TOP_DIR}/${base%${ext}}local.$ext"
 done

+SECRET_BASE="${SCRIPT_DIR}/_secrets"
+SECRETS=(
+	"tipi_jwt_secret"
+	"tipi_postgres_password"
+	"tipi_redis_password"
+)
+for file in "${SECRETS[@]}"; do
+    secret="${SECRET_BASE}/${file}.txt"
+	printf '%s secret ' "${file}"
+    if [ -s "${secret}" ]; then
+		printf 'exists.'
+	else
+		printf 'generating... '
+		curl -s "https://makemeapassword.ligos.net/api/v1/passphrase/plain?pc=1&wc=6&sp=y&maxCh=64" \
+		| sed -Ee 's/ /-/g;' > "${secret}"
+		printf 'ready.'
+	fi
+	printf '\n'
+done
+
+SECRETS=(
+	"traefik_cf_dns_api_token"
+)
+for file in "${SECRETS[@]}"; do
+    secret="${SECRET_BASE}/${file}.txt"
+	printf '%s secret ' "${file}"
+    if [ -s "${secret}" ]; then
+		printf 'exists.'
+	else
+		printf 'missing!'
+	fi
+	printf '\n'
+done
+
+# vim: set ft=sh expandtab tabstop=4 shiftwidth=4:
--- a/tipi-compose.yml
+++ b/tipi-compose.yml
@ -1,5 +1,19 @@
+secrets:
+# tipi_jwt_secret:
+#   file: ${RUNTIPI_ROOT_FOLDER_HOST}/user-config/_secrets/tipi_jwt_secret.txt
+#   # JWT_SECRET: /run/secrets/tipi_jwt_secret
+# tipi_postgres_password:
+#   file: ${RUNTIPI_ROOT_FOLDER_HOST}/user-config/_secrets/tipi_postgres_password.txt
+#   # POSTGRES_PASSWORD: /run/secrets/tipi_postgres_password
+# tipi_redis_password:
+#   file: ${RUNTIPI_ROOT_FOLDER_HOST}/user-config/_secrets/tipi_redis_password.txt
+#   # REDIS_PASSWORD: /run/secrets/tipi_redis_password
+  traefik_cf_dns_api_token:
+    file: ${RUNTIPI_ROOT_FOLDER_HOST}/user-config/_secrets/traefik_cf_dns_api_token.txt
 services:
  runtipi-reverse-proxy:
+    secrets:
+      - traefik_cf_dns_api_token
    volumes:
    - type: bind
      source: ./traefik/shared
@ -30,15 +44,20 @@ services:
      - '--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}'
    environment:
      CF_API_EMAIL: "${ACME_EMAIL:?}"
-      CF_DNS_API_TOKEN: "${CF_DNS_API_TOKEN:?}"
+      CF_DNS_API_TOKEN_FILE: /run/secrets/traefik_cf_dns_api_token
      TRAEFIK_API_DISABLEDASHBOARDAD: "true"
    networks:
    - tipi_main_network
    - tipi_internal_network
+    - ix-dockge

 networks:
  tipi_internal_network:
    internal: true
    attachable: true
    name: runtipi_internal_network
+  ix-dockge:
+    external: true
+    name: ix-dockge_default

+# vim: set ft=yaml expandtab tabstop=2 shiftwidth=2: