From b07ddc8596a7f1dcb519c7c3bcc6e1d88a4e6423 Mon Sep 17 00:00:00 2001 From: "Lockszmith (@avital)" Date: Fri, 17 Jan 2025 13:18:06 -0800 Subject: [PATCH] Ready for TrueNAS+runtipi hosting - adapt secretes via tipi-compose - add ix-dockge to runtipi-reverse-proxy as an example - added rt.dockge.yml(.bobo) as an example - bobo auth is now working --- .env.local.tmpl | 20 ++++++++--- _bin/rtpctl.d | 16 +++++++-- .../_templates/mw.fwd-auth-sysmgr.yml.bobo | 19 ++++++++++ .../dynamic/_templates/rt.dockge.yml.bobo | 23 ++++++++++++ szetup.sh | 36 ++++++++++++++++++- tipi-compose.yml | 21 ++++++++++- 6 files changed, 125 insertions(+), 10 deletions(-) create mode 100644 _traefik/dynamic/_templates/mw.fwd-auth-sysmgr.yml.bobo create mode 100644 _traefik/dynamic/_templates/rt.dockge.yml.bobo diff --git a/.env.local.tmpl b/.env.local.tmpl index 595b5b5..0533830 100644 --- a/.env.local.tmpl +++ b/.env.local.tmpl @@ -1,10 +1,20 @@ -ACME_EMAIL= -CF_DNS_API_TOKEN= +# user-config/.env..local.yml +ACME_EMAIL="" -SZ_USER_UID= -SZ_USER_GID= +HOST_UID="" +HOST_GID="" +INTERNAL_IP="192.168.1.11" + +# RUNTIPI's root on the docker host +# TIPI_VERSION="v3.8.0" +RUNTIPI_ROOT_FOL DER_HOST="/mnt/bobo/data/apps/runtipi" + +# ALT_ROOT_DOMAIN= # optional, alternative public domain ROOT_DOMAIN= -LEGACY_ROOT_DOMAIN= +DOMAIN= +LOCAL_DOMAIN=tipi.local + +TZ="America/New_York" # vi: ft=sh diff --git a/_bin/rtpctl.d b/_bin/rtpctl.d index 3cde351..7c0ffc7 100755 --- a/_bin/rtpctl.d +++ b/_bin/rtpctl.d @@ -15,7 +15,7 @@ BASE_NAME="$(basename -- "$0")" BASE_BASE_NAME="${BASE_NAME%.*}" RUNTIPI_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)" -RUNTIPI_CLI="${RUNTIPI_ROOT}/runtipi_cli" +RUNTIPI_CLI="${RUNTIPI_ROOT}/runtipi-cli" set -e cd "${RUNTIPI_ROOT}" > /dev/null 
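Review bot: The new header comment `# user-config/.env..local.yml` names a `.yml` file with a doubled dot, while this template is edited as shell (`# vi: ft=sh`) and `_bin/rtpctl.d` consumes it as `--env-file user-config/.env.local`; suggest `# user-config/.env.local`. `INTERNAL_IP="192.168.1.11"` and `RUNTIPI_ROOT_FOLDER_HOST="/mnt/bobo/data/apps/runtipi"` are site-specific values in a template whose other entries are deliberately blank, so a fresh install silently inherits another host's address and path; leaving them empty like `ACME_EMAIL=""` keeps the template neutral. The variable name is rendered here as `RUNTIPI_ROOT_FOL DER_HOST`; if that space is really in the file rather than a display artefact, tipi-compose.yml's `${RUNTIPI_ROOT_FOLDER_HOST}` will never resolve.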
@@ -46,6 +46,9 @@ runtipi-app-docker-compose() { echo --file apps/${APP}/docker-compose.yml append_file_param --file repos/29ca930bfdaffa1dfabf5726336380ede7066bc53297e3c0c868b27c97282903/apps/docker-compose.common.yml append_file_param --file "user-config/${APP}/docker-compose.yml" + else + append_file_param --file "docker-compose.yml" + append_file_param --file "user-config/tipi-compose.yml" fi) \ ${@:2} } @@ -68,7 +71,11 @@ case "${1}" in runtipi-cli start --env-file user-config/.env.local --no-permissions ;; update) - runtipi-cli update --env-file user-config/.env.local --no-permissions "${2:?Must supply version}" "${@:3}" + if [ -z "${2}" ]; then + ${SCRIPT_DIR}/checkver.sh + else + runtipi-cli update --env-file user-config/.env.local --no-permissions "${2:?Must supply version}" "${@:3}" + fi ;; docker) docker "${@:2}" @@ -83,6 +90,9 @@ case "${1}" in cd "${RUNTIPI_ROOT}/../dockge/stacks/${2:?Must supply stack name}" > /dev/null docker compose "${@:3}" ;; + shell) + runtipi-app-docker-compose "${2:?}" exec ${5:+"${@:5}"} -it "${4:-${2}}" "${3:-bash}" + ;; setup) ln -s $2 "$(cd -- "${SCRIPT_DIR}" && pwd)/${BASE_NAME}" "${3:-$HOME/.local/bin/}" ;; @@ -108,10 +118,10 @@ case "${1}" in "" "dls" "stylized docker ls" \ "" "docker" "docker" \ "" "dockge" "docker compose for dockge stacks" \ + "" "shell" "enter an insteractive shell" \ "" "" "" \ "misc." "" ""\ "" "exec" "execute within the shell, START_DIR env applies" \ - "" "shell" "enter an insteractive shell" \ "" "" "" \ "" "setup" "setup runtipictl in user's .local/bin dir" \ "" "" "${BASE_NAME} setup" \ diff --git a/_traefik/dynamic/_templates/mw.fwd-auth-sysmgr.yml.bobo b/_traefik/dynamic/_templates/mw.fwd-auth-sysmgr.yml.bobo new file mode 100644 index 0000000..2dd85be --- /dev/null +++ b/_traefik/dynamic/_templates/mw.fwd-auth-sysmgr.yml.bobo 
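Review bot: In the new `update)` branch the `[ -z "${2}" ]` guard makes the `:?Must supply version` expansion on the `runtipi-cli update` line unreachable, and `${SCRIPT_DIR}/checkver.sh` is invoked unquoted, so a path containing spaces is split into several words. Suggest `"${SCRIPT_DIR}/checkver.sh"` and plain `"${2}"` in the else branch, plus a comment such as `# no version given: run checkver.sh instead of updating` since what checkver.sh does is not visible in this patch. The enclosing case statement starts and ends outside the hunk.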
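Review bot: The new `shell)` branch uses a bare `"${2:?}"`, while the sibling `dockge)` branch in the same hunk spells out `"${2:?Must supply stack name}"`; write `"${2:?Must supply app name}"` so the failure names what is missing. The positional contract is non-obvious — `$3` is the command (default `bash`), `$4` the compose service (default `$2`) and `$5...` are extra `exec` options inserted before `-it` — and deserves a comment above the line, e.g. `# shell APP [CMD] [SERVICE] [EXEC_OPTS...]`. The case statement continues outside the hunk.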
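Review bot: The relocated help entry `"" "shell" "enter an insteractive shell"` carries a typo; since the line is being moved anyway, write `"enter an interactive shell"`. Because `shell` takes optional positional arguments, a usage line in the style of the `setup` entry below it, e.g. `"" "" "${BASE_NAME} shell APP [CMD] [SERVICE]"`, would document them where users look (the table format is inferred from the visible entries).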
@@ -0,0 +1,19 @@
+http:
+ middlewares:
+ authentik_sysmgr:
+ forwardAuth:
+ address: https://auth.avital14.com/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeadersRegex: "^[Xx]-[Aa]uthentik"
+ # authResponseHeaders:
+ # - X-authentik-username
+ # - X-authentik-groups
+ # - X-authentik-email
+ # - X-authentik-name
+ # - X-authentik-uid
+ # - X-authentik-jwt
+ # - X-authentik-meta-jwks
+ # - X-authentik-meta-outpost
+ # - X-authentik-meta-provider
+ # - X-authentik-meta-app
+ # - X-authentik-meta-version
diff --git a/_traefik/dynamic/_templates/rt.dockge.yml.bobo b/_traefik/dynamic/_templates/rt.dockge.yml.bobo
new file mode 100644
index 0000000..7a9eaba
--- /dev/null
+++ b/_traefik/dynamic/_templates/rt.dockge.yml.bobo
@@ -0,0 +1,23 @@
+# http routing section
+http:
+ routers:
+ # Define a connection between requests and services
+ home-assistant:
+ rule: "Host(`dockge.toronto.avital14.com`)"
+ entrypoints:
+ - websecure
+ # # If the rule matches, applies the middleware
+ # middlewares:
+ # - test-user
+ # If the rule matches, forward to the whoami service (declared below)
+ service: home-assistant
+ tls:
+ certresolver: myresolver
+
+ services:
+ # Define how to reach an existing service on our infrastructure
+ home-assistant:
+ loadBalancer:
+ servers:
+ - url: "http://dockge:31014"
+ #- address: "ha.lan:8123"
diff --git a/szetup.sh b/szetup.sh
index bbc4988..0789ee1 100755
--- a/szetup.sh
+++ b/szetup.sh
@@ -24,7 +24,6 @@ else echo "No matching symbolic links found to delete." fi - find "$TOP_DIR/_templates" -maxdepth 1 -mindepth 1 -type f -name "*.${SYS_NAME}" -print0 \ | while IFS= read -r -d '' file; do base=$(basename "$file" ".${SYS_NAME}")
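Review bot: `trustForwardHeader: true` makes Traefik copy the incoming request's `X-Forwarded-*` headers into the request sent to the Authentik outpost, so if the `websecure` entrypoint accepts those headers from arbitrary clients (no `forwardedHeaders.trustedIPs` setting is visible in this patch), a client can influence the host, scheme and client address that Authentik evaluates. Keep it `true` only when Traefik sits behind a trusted upstream proxy; otherwise set `trustForwardHeader: false` or restrict trusted IPs on the entrypoint, and record the decision in a comment such as `# trustForwardHeader: only safe when X-Forwarded-* is set by a trusted upstream proxy`. The commented-out `authResponseHeaders` list is superseded by `authResponseHeadersRegex`; a one-line comment saying so would stop the next reader from enabling both.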
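Review bot: The router for `dockge.toronto.avital14.com` has its `middlewares` stanza commented out (`# - test-user`), so Dockge — which this repo uses to manage compose stacks, see `_bin/rtpctl.d` — is published over TLS with no forward-auth in front of it, even though this same commit adds the `authentik_sysmgr` middleware in `mw.fwd-auth-sysmgr.yml.bobo`. Suggest enabling it on the router: `middlewares:` / `  - authentik_sysmgr@file`. The router and service are both still named `home-assistant` and the comments refer to whoami and `#- address: "ha.lan:8123"`, which look like copy-paste leftovers from another template; renaming both to `dockge` and dropping the stale comments would make the file self-describing. If Dockge's own login is considered sufficient, a comment stating that decision would help the next reader.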
@@ -33,3 +32,38 @@ find "$TOP_DIR/_templates" -maxdepth 1 -mindepth 1 -type f -name "*.${SYS_NAME}"
 ln -vrs "${file}" "${TOP_DIR}/${base%${ext}}local.$ext"
 done
+SECRET_BASE="${SCRIPT_DIR}/_secrets"
+SECRETS=(
+ "tipi_jwt_secret"
+ "tipi_postgres_password"
+ "tipi_redis_password"
+)
+for file in "${SECRETS[@]}"; do
+ secret="${SECRET_BASE}/${file}.txt"
+ printf '%s secret ' "${file}"
+ if [ -s "${secret}" ]; then
+ printf 'exists.'
+ else
+ printf 'generating... '
+ curl -s "https://makemeapassword.ligos.net/api/v1/passphrase/plain?pc=1&wc=6&sp=y&maxCh=64" \
+ | sed -Ee 's/ /-/g;' > "${secret}"
+ printf 'ready.'
+ fi
+ printf '\n'
+done
+
+SECRETS=(
+ "traefik_cf_dns_api_token"
+)
+for file in "${SECRETS[@]}"; do
+ secret="${SECRET_BASE}/${file}.txt"
+ printf '%s secret ' "${file}"
+ if [ -s "${secret}" ]; then
+ printf 'exists.'
+ else
+ printf 'missing!'
+ fi
+ printf '\n'
+done
+
+# vim: set ft=sh expandtab tabstop=4 shiftwidth=4:
diff --git a/tipi-compose.yml b/tipi-compose.yml
index 71e87d0..d6a20ed 100644
--- a/tipi-compose.yml
+++ b/tipi-compose.yml
@@ -1,5 +1,19 @@
+secrets:
+# tipi_jwt_secret:
+# file: ${RUNTIPI_ROOT_FOLDER_HOST}/user-config/_secrets/tipi_jwt_secret.txt
+# # JWT_SECRET: /run/secrets/tipi_jwt_secret
+# tipi_postgres_password:
+# file: ${RUNTIPI_ROOT_FOLDER_HOST}/user-config/_secrets/tipi_postgres_password.txt
+# # POSTGRES_PASSWORD: /run/secrets/tipi_postgres_password
+# tipi_redis_password:
+# file: ${RUNTIPI_ROOT_FOLDER_HOST}/user-config/_secrets/tipi_redis_password.txt
+# # REDIS_PASSWORD: /run/secrets/tipi_redis_password
+ traefik_cf_dns_api_token:
+ file: ${RUNTIPI_ROOT_FOLDER_HOST}/user-config/_secrets/traefik_cf_dns_api_token.txt
 services:
 runtipi-reverse-proxy:
+ secrets:
+ - traefik_cf_dns_api_token
 volumes: - type: bind source: ./traefik/shared
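Review bot: The three `tipi_*` secrets are generated by downloading a passphrase from a third-party web service, and `curl -s` runs without `--fail`, so a 4xx/5xx error body or an empty reply is written into the secret file and the `-s` check on the next run then accepts it as a valid secret, while a credential for this host has transited a remote service. Generating locally removes both problems — `openssl rand -hex 32` (hex stays safe inside connection URLs), or `head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'` where openssl is unavailable. Nothing creates `${SECRET_BASE}` or restricts permissions, so the redirect fails when `_secrets/` is absent and the files otherwise inherit the default umask; the rewrite below adds `mkdir -p` and scopes `umask 077` to the write. `SECRET_BASE` is built from `SCRIPT_DIR`, but only `TOP_DIR` is visible elsewhere in this hunk, so confirm `SCRIPT_DIR` is set earlier in szetup.sh, otherwise the files land in `/_secrets`.
```shell
SECRET_BASE="${SCRIPT_DIR}/_secrets"
# … unchanged: SECRETS array …
mkdir -p "${SECRET_BASE}"
for file in "${SECRETS[@]}"; do
    secret="${SECRET_BASE}/${file}.txt"
    printf '%s secret ' "${file}"
    if [ -s "${secret}" ]; then
        printf 'exists.'
    else
        printf 'generating... '
        # generated locally: no network dependency, value never leaves the host;
        # umask is scoped to the subshell so the file is created 0600
        (umask 077; openssl rand -hex 32 > "${secret}")
        printf 'ready.'
    fi
    printf '\n'
done
# … unchanged: traefik_cf_dns_api_token presence check …
```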
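Review bot: `file: ${RUNTIPI_ROOT_FOLDER_HOST}/user-config/_secrets/traefik_cf_dns_api_token.txt` has no `:?` guard, unlike `${ACME_EMAIL:?}` further down this file, so an unset variable quietly resolves to `/user-config/_secrets/...` and compose fails with a mount error instead of naming the missing setting; write `${RUNTIPI_ROOT_FOLDER_HOST:?}`. Three of the four secret files that szetup.sh now generates (`tipi_jwt_secret`, `tipi_postgres_password`, `tipi_redis_password`) appear here only as commented-out entries, so they are produced but never consumed; a comment stating why they are disabled (presumably runtipi does not read file-based variants of these settings — confirm) would keep the two files from drifting apart. The hunk also assumes `${RUNTIPI_ROOT_FOLDER_HOST}/user-config` is the directory szetup.sh writes to as `${SCRIPT_DIR}/_secrets`; that coupling deserves a comment on the `secrets:` block.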
@@ -30,15 +44,20 @@ services: - '--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}' environment: CF_API_EMAIL: "${ACME_EMAIL:?}" - CF_DNS_API_TOKEN: "${CF_DNS_API_TOKEN:?}" + CF_DNS_API_TOKEN_FILE: /run/secrets/traefik_cf_dns_api_token TRAEFIK_API_DISABLEDASHBOARDAD: "true" networks: - tipi_main_network - tipi_internal_network + - ix-dockge networks: tipi_internal_network: internal: true attachable: true name: runtipi_internal_network + ix-dockge: + external: true + name: ix-dockge_default +# vim: set ft=yaml expandtab tabstop=2 shiftwidth=2:
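Review bot: Joining `runtipi-reverse-proxy` to the external `ix-dockge_default` network is what lets the router in `rt.dockge.yml.bobo` reach `http://dockge:31014` by name, but nothing in the file says so, and an `external: true` network must already exist (presumably created when the Dockge app is installed on TrueNAS — confirm) or `compose up` aborts with an unhelpful error. Suggest a comment above the entry: `# external: created by the Dockge app; lets the dockge router in _traefik/dynamic reach the container by name`. Every container on `ix-dockge_default` becomes reachable from Traefik once it joins, so routers for that network should keep being declared explicitly, as this commit does, rather than via broad provider discovery.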