From c9a1def59e3e7f758a93b57edca1dec5e203e3c4 Mon Sep 17 00:00:00 2001 From: Ada Date: Sun, 24 Mar 2024 22:12:56 +0100 Subject: [PATCH 1/4] Add knot roles --- ansible/deploy.yml | 2 +- ansible/hosts.yml | 9 +++++++ ansible/roles/authentik/handlers/main.yml | 19 ++++++++++++++ ansible/roles/authentik/tasks/main.yml | 21 +++++++++++++++ .../roles/authentik/templates/kresd.conf.j2 | 26 +++++++++++++++++++ 5 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 ansible/roles/authentik/handlers/main.yml create mode 100644 ansible/roles/authentik/tasks/main.yml create mode 100644 ansible/roles/authentik/templates/kresd.conf.j2 diff --git a/ansible/deploy.yml b/ansible/deploy.yml index cc09b0b..c728576 100644 --- a/ansible/deploy.yml +++ b/ansible/deploy.yml @@ -12,7 +12,7 @@ - role: timesyncd when: ansible_facts['os_family'] == "Debian" - role: ufw - when: ansible_facts['os_family'] == "Debian" + when: ansible_facts['os_family'] == "Ubuntu" - name: Resolver hosts: resolver diff --git a/ansible/hosts.yml b/ansible/hosts.yml index ca71b3a..bdab6a3 100644 --- a/ansible/hosts.yml +++ b/ansible/hosts.yml @@ -1,19 +1,28 @@ +<<<<<<< HEAD --- +======= +>>>>>>> 2410885 (Add knot roles) all: hosts: resolver-1: ansible_host: 10.20.0.42 +<<<<<<< HEAD dhcp-1: ansible_host: 10.20.0.43 authoritative-1: ansible_host: 10.20.0.44 +======= +>>>>>>> 2410885 (Add knot roles) children: resolver: hosts: resolver-1: +<<<<<<< HEAD kea-dhcp: hosts: dhcp-1: dns-authoritative: hosts: authoritative-1: +======= +>>>>>>> 2410885 (Add knot roles) diff --git a/ansible/roles/authentik/handlers/main.yml b/ansible/roles/authentik/handlers/main.yml new file mode 100644 index 0000000..e40da42 --- /dev/null +++ b/ansible/roles/authentik/handlers/main.yml 
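Review bot: The new `when: ansible_facts['os_family'] == "Ubuntu"` on the ufw role can never be true, because Ansible reports Ubuntu hosts with `os_family` "Debian", so the firewall role is now silently skipped on exactly the hosts it was narrowed to. If the intent is to restrict ufw to Ubuntu, use the distribution fact: `when: ansible_facts['distribution'] == "Ubuntu"`. If the intent was to keep ufw on every Debian-family host, the removed condition was already correct and this line should be reverted.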
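Review bot: This hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 2410885 (Add knot roles)`) into `ansible/hosts.yml`, so the inventory no longer parses and every play in `deploy.yml`, including the firewall role, fails before it reaches a host. Resolve the conflict by keeping the HEAD side (the `---` document start, the `dhcp-1`/`authoritative-1` hosts and their `kea-dhcp`/`dns-authoritative` groups) and deleting the marker lines and the empty incoming side. A yamllint run or `ansible-inventory --list` in CI would catch an unparsable inventory before it is merged.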
@@ -0,0 +1,19 @@ +--- +- name: Package cache update + become: true + ansible.builtin.package: + update_cache: true + +- name: Restart knot resolver + become: true + ansible.builtin.service: + state: restarted + name: kresd@{{ item }}.service + with_sequence: count={{ ansible_processor_vcpus }} + +- name: Enable knot resolver + become: true + ansible.builtin.service: + enabled: true + name: kresd@{{ item }}.service + with_sequence: count={{ ansible_processor_vcpus }} diff --git a/ansible/roles/authentik/tasks/main.yml b/ansible/roles/authentik/tasks/main.yml new file mode 100644 index 0000000..e798b06 --- /dev/null +++ b/ansible/roles/authentik/tasks/main.yml @@ -0,0 +1,21 @@ +--- +- name: Install knot repository + ansible.builtin.apt: + deb: https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb + notify: + - Package cache update + +- name: Install knot resolver + ansible.builtin.apt: + name: knot-resolver + notify: + - Enable knot resolver + - Restart knot resolver + +- name: Configure + ansible.builtin.template: + src: kresd.conf.j2 + dest: /etc/knot-resolver/kresd.conf + mode: "0644" + notify: + - Restart knot resolver diff --git a/ansible/roles/authentik/templates/kresd.conf.j2 b/ansible/roles/authentik/templates/kresd.conf.j2 new file mode 100644 index 0000000..8754040 --- /dev/null +++ b/ansible/roles/authentik/templates/kresd.conf.j2 
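Review bot: `Install knot resolver` runs before the `Package cache update` handler it depends on, because handlers notified by `Install knot repository` only fire at the end of the play, so the apt install of `knot-resolver` fails on a host that does not already have the new repository's index. Either set `update_cache: true` on the install task or insert `- ansible.builtin.meta: flush_handlers` between the two tasks. The release package is fetched with `deb: https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb` and installed with no checksum, so the repository signing key it carries is trusted purely on the strength of that one TLS connection; download it with `ansible.builtin.get_url` and a pinned `checksum:` first, as the later `Download node GPG key` task in this series does. These knot tasks also live under `roles/authentik/`, which the following commits repurpose for authentik without removing the knot handlers and template.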
@@ -0,0 +1,26 @@ +net.listen('{{resolver_ip}}', 53, { kind = 'dns'}) +cache.size = 128 * MB +modules = { + 'hints > iterate', -- Allow loading /etc/hosts or custom root hints + 'predict', -- Prefetch expiring/frequent records +} + +modules.load('prefill') +prefill.config({ + ['.'] = { + url = 'https://www.internic.net/domain/root.zone', + interval = 86400, -- seconds + } +}) + +modules.load('view') +view:addr('127.0.0.0/8', policy.all(policy.PASS)) +view:addr('::1/128', policy.all(policy.PASS)) +{% for prefix in kresd_allow %} +view:addr('{{ prefix }}', policy.all(policy.PASS)) +{% endfor %} +view:addr('0.0.0.0/0', policy.all(policy.DROP)) +view:addr('::/0', policy.all(policy.DROP)) + +log_target('stdout') +log_level('debug') \ No newline at end of file -- 2.45.2 From c20f8e5df0cc0c174ee70dbcbcf06f7d4909273f Mon Sep 17 00:00:00 2001 From: Ada Date: Mon, 25 Mar 2024 00:32:09 +0100 Subject: [PATCH 2/4] WIP --- ansible/roles/authentik/tasks/build.yml | 32 ++++++++++ .../roles/authentik/tasks/dependencies.yml | 60 +++++++++++++++++++ ansible/roles/authentik/tasks/main.yml | 30 ++++------ 3 files changed, 103 insertions(+), 19 deletions(-) create mode 100644 ansible/roles/authentik/tasks/build.yml create mode 100644 ansible/roles/authentik/tasks/dependencies.yml diff --git a/ansible/roles/authentik/tasks/build.yml b/ansible/roles/authentik/tasks/build.yml new file mode 100644 index 0000000..a2b3bba --- /dev/null +++ b/ansible/roles/authentik/tasks/build.yml 
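Review bot: `log_level('debug')` on the last line leaves the resolver logging every client query at debug verbosity in production, which is both a journal-volume problem and a privacy one, since the log records which names each client resolves. Use `log_level('notice')` (kresd's default) in the template and raise it per host only while debugging. The `view:addr` allow rules followed by the `0.0.0.0/0` / `::/0` DROP rules are the right shape for a closed resolver, presumably relying on first-match ordering of view rules, so the `kresd_allow` prefixes must stay above the catch-all lines; a comment such as `-- order matters: allow rules must precede the catch-all DROP` protects that invariant. The template also lacks a trailing newline.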
@@ -0,0 +1,32 @@ +--- +- name: Get authentik source + ansible.builtin.git: + repo: 'https://github.com/goauthentik/authentik.git' + dest: /opt/authentik/src + version: version/2024.2.2 + force: true + +- name: Build front + ansible.builtin.shell: | + cd /opt/authentik/src/website + npm i + npm run build-docs-only + cd /opt/authentik/src/web + npm i + npm run build + +- name: Create virtualenv + ansible.builtin.command: "python3.12 -m venv /opt/authentik/src/venv" + +- name: Installl poetry and dependencies + ansible.builtin.shell: | + cd /opt/authentik/src/ + venv/bin/pip install poetry + venv/bin/poetry install --only=main --no-ansi --no-interaction --no-root + + +- name: Build go proxy + ansible.builtin.shell: | + cd /opt/authentik/src/ + sed -i "s/c.Setup(\".\/authentik\/lib\/default.yml\", \".\/local.env.yml\")/c.Setup(\"\/etc\/authentik\/config.yml\", \".\/authentik\/lib\/default.yml\", \".\/local.env.yml\")/" /opt/authentik/src/internal/config/config.go + go build -o /opt/authentik/src/authentik-server ./cmd/server/ \ No newline at end of file diff --git a/ansible/roles/authentik/tasks/dependencies.yml b/ansible/roles/authentik/tasks/dependencies.yml new file mode 100644 index 0000000..1477107 --- /dev/null +++ b/ansible/roles/authentik/tasks/dependencies.yml 
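Review bot: Each multi-line `ansible.builtin.shell` script here reports only the exit status of its last command, so a failed `npm i`, `npm run build-docs-only` or `pip install poetry` is masked when the following command succeeds and the play continues with a half-built tree; the rewritten scripts in the last commit's build.yml hunk have the same gap. Start each script with `set -euo pipefail` and keep `executable: /bin/bash` on the task. Checking out `version: version/2024.2.2` with `force: true` tracks a movable ref rather than a specific commit, so two runs of this role can build different code; pinning a commit hash (and recording the expected tag in a comment) makes the build reproducible and tamper-evident. The `sed -i` rewrite of `internal/config/config.go` silently does nothing if the upstream line changes, so a `grep` assertion on the patched text after it would at least make a missed patch visible.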
@@ -0,0 +1,60 @@ +--- +- name: Install roles dependencies + ansible.builtin.apt: + name: "{{ item }}" + with_items: + - git + - libpq-dev + - libxmlsec1-dev + +- name: Add deadsnake ppa for python3.12 + ansible.builtin.apt_repository: + repo: 'ppa:deadsnakes/ppa' + +- name: Install python3.12 + ansible.builtin.apt: + name: "{{ item }}" + with_items: + - python3.12 + - python3.12-distutils + - python3.12-venv + - python3.12-dev + +- name: Add longsleep ppa for go 1.22 + ansible.builtin.apt_repository: + repo: 'ppa:longsleep/golang-backports' + +- name: Install go 1.22 + ansible.builtin.apt: + name: "golang-go" + +- name: Download node GPG key + ansible.builtin.get_url: + url: 'https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key' + dest: "/usr/share/keyrings/node-archive-keyring.asc" + mode: "0644" + validate_certs: true + checksum: sha512:36c77b2bddaea0523ab90962a38ebd3ee90c3d5cf17e525f02898aa8e7b14fd1026f6d659b99d931fe907e9142a98ff08075ebfc56f0f1e2001c6ba4791d3daa + changed_when: false + no_log: false + +- name: Add nodesource repo for node + ansible.builtin.apt_repository: + repo: 'deb [arch=amd64 signed-by=/usr/share/keyrings/node-archive-keyring.asc] https://deb.nodesource.com/node_21.x nodistro main' + +- name: Install nodejs + ansible.builtin.apt: + name: nodejs + +- name: Add authentik user + ansible.builtin.user: + name: "authentik" + system: true + +- name: Create /opt/authentik + ansible.builtin.file: + path: /opt/authentik + state: directory + mode: '0755' + owner: authentik + diff --git a/ansible/roles/authentik/tasks/main.yml b/ansible/roles/authentik/tasks/main.yml index e798b06..d809de1 100644 --- a/ansible/roles/authentik/tasks/main.yml +++ b/ansible/roles/authentik/tasks/main.yml 
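Review bot: `changed_when: false` on `Download node GPG key` hides the one event that task exists to surface: a changed keyring file means a different key now authorizes packages from `deb.nodesource.com`, and since the pinned `sha512:` checksum already fails the task on mismatch, the override only suppresses a legitimate change report. Drop `changed_when: false` (and the redundant `no_log: false`). The repo line `https://deb.nodesource.com/node_21.x nodistro main` tracks an odd-numbered Node.js line, which receives no long-term support, so an even-numbered LTS line is the safer choice for a service host. The two `ansible.builtin.apt` tasks using `name: "{{ item }}"` with `with_items` run one apt transaction per package; passing the list directly, `name: [git, libpq-dev, libxmlsec1-dev]`, is the documented form and resolves dependencies in a single step.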
@@ -1,21 +1,13 @@ --- -- name: Install knot repository - ansible.builtin.apt: - deb: https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb - notify: - - Package cache update +- name: Install dependencies + ansible.builtin.import_tasks: dependencies.yml + become: true + tags: + - install_dependencies -- name: Install knot resolver - ansible.builtin.apt: - name: knot-resolver - notify: - - Enable knot resolver - - Restart knot resolver - -- name: Configure - ansible.builtin.template: - src: kresd.conf.j2 - dest: /etc/knot-resolver/kresd.conf - mode: "0644" - notify: - - Restart knot resolver +- name: Build authentik + ansible.builtin.import_tasks: build.yml + become: true + tags: + - build + become_user: authentik -- 2.45.2 From 440ab26df6a245607a67bc0398f792becdad770f Mon Sep 17 00:00:00 2001 From: Ada Date: Mon, 25 Mar 2024 00:51:16 +0100 Subject: [PATCH 3/4] WIP --- ansible/roles/authentik/tasks/build.yml | 8 ++++---- .../roles/authentik/tasks/dependencies.yml | 19 +++++++++---------- ansible/roles/authentik/tasks/main.yml | 2 +- 3 files changed, 14 insertions(+), 15 deletions(-) diff --git a/ansible/roles/authentik/tasks/build.yml b/ansible/roles/authentik/tasks/build.yml index a2b3bba..128ba15 100644 --- a/ansible/roles/authentik/tasks/build.yml +++ b/ansible/roles/authentik/tasks/build.yml @@ -1,7 +1,7 @@ --- - name: Get authentik source ansible.builtin.git: - repo: 'https://github.com/goauthentik/authentik.git' + repo: https://github.com/goauthentik/authentik.git dest: /opt/authentik/src version: version/2024.2.2 force: true @@ -16,7 +16,7 @@ npm run build - name: Create virtualenv - ansible.builtin.command: "python3.12 -m venv /opt/authentik/src/venv" + ansible.builtin.command: python3.12 -m venv /opt/authentik/src/venv - name: Installl poetry and dependencies ansible.builtin.shell: | 
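Review bot: Replacing the knot tasks with `import_tasks: dependencies.yml` / `build.yml` leaves the role's `handlers/main.yml` (`Package cache update`, `Restart knot resolver`, `Enable knot resolver`) and `templates/kresd.conf.j2` from the previous commit in place with nothing notifying them, and the diffstat confirms this commit touches only the three task files. Either move the knot pieces into their own role or delete them here so `roles/authentik` contains only authentik. `become_user: authentik` on the build import is the right split between the privileged dependency step and the unprivileged build; a comment such as `# build runs unprivileged as the service user; only dependencies.yml needs root` would make that intent explicit to the next maintainer.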
@@ -26,7 +26,7 @@ - name: Build go proxy - ansible.builtin.shell: | + ansible.builtin.shell: |- cd /opt/authentik/src/ sed -i "s/c.Setup(\".\/authentik\/lib\/default.yml\", \".\/local.env.yml\")/c.Setup(\"\/etc\/authentik\/config.yml\", \".\/authentik\/lib\/default.yml\", \".\/local.env.yml\")/" /opt/authentik/src/internal/config/config.go - go build -o /opt/authentik/src/authentik-server ./cmd/server/ \ No newline at end of file + go build -o /opt/authentik/src/authentik-server ./cmd/server/ diff --git a/ansible/roles/authentik/tasks/dependencies.yml b/ansible/roles/authentik/tasks/dependencies.yml index 1477107..b277a2d 100644 --- a/ansible/roles/authentik/tasks/dependencies.yml +++ b/ansible/roles/authentik/tasks/dependencies.yml @@ -9,7 +9,7 @@ - name: Add deadsnake ppa for python3.12 ansible.builtin.apt_repository: - repo: 'ppa:deadsnakes/ppa' + repo: ppa:deadsnakes/ppa - name: Install python3.12 ansible.builtin.apt: @@ -22,16 +22,16 @@ - name: Add longsleep ppa for go 1.22 ansible.builtin.apt_repository: - repo: 'ppa:longsleep/golang-backports' + repo: ppa:longsleep/golang-backports - name: Install go 1.22 ansible.builtin.apt: - name: "golang-go" + name: golang-go - name: Download node GPG key ansible.builtin.get_url: - url: 'https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key' - dest: "/usr/share/keyrings/node-archive-keyring.asc" + url: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key + dest: /usr/share/keyrings/node-archive-keyring.asc mode: "0644" validate_certs: true checksum: sha512:36c77b2bddaea0523ab90962a38ebd3ee90c3d5cf17e525f02898aa8e7b14fd1026f6d659b99d931fe907e9142a98ff08075ebfc56f0f1e2001c6ba4791d3daa 
@@ -40,7 +40,7 @@ - name: Add nodesource repo for node ansible.builtin.apt_repository: - repo: 'deb [arch=amd64 signed-by=/usr/share/keyrings/node-archive-keyring.asc] https://deb.nodesource.com/node_21.x nodistro main' + repo: deb [arch=amd64 signed-by=/usr/share/keyrings/node-archive-keyring.asc] https://deb.nodesource.com/node_21.x nodistro main - name: Install nodejs ansible.builtin.apt: @@ -48,13 +48,12 @@ - name: Add authentik user ansible.builtin.user: - name: "authentik" + name: authentik system: true - + - name: Create /opt/authentik ansible.builtin.file: path: /opt/authentik state: directory - mode: '0755' + mode: "0755" owner: authentik - diff --git a/ansible/roles/authentik/tasks/main.yml b/ansible/roles/authentik/tasks/main.yml index d809de1..1020310 100644 --- a/ansible/roles/authentik/tasks/main.yml +++ b/ansible/roles/authentik/tasks/main.yml @@ -3,7 +3,7 @@ ansible.builtin.import_tasks: dependencies.yml become: true tags: - - install_dependencies + - install_dependencies - name: Build authentik ansible.builtin.import_tasks: build.yml -- 2.45.2 From f4109954e175f74e57eec68b8325230912a49654 Mon Sep 17 00:00:00 2001 From: Ada Date: Wed, 17 Apr 2024 10:45:26 +0200 Subject: [PATCH 4/4] wip --- ansible/roles/authentik/tasks/build.yml | 47 ++++++++++++------- .../roles/authentik/tasks/dependencies.yml | 4 ++ ansible/roles/authentik/tasks/main.yml | 19 ++++++++ 3 files changed, 52 insertions(+), 18 deletions(-) diff --git a/ansible/roles/authentik/tasks/build.yml b/ansible/roles/authentik/tasks/build.yml index 128ba15..78f9780 100644 --- a/ansible/roles/authentik/tasks/build.yml +++ b/ansible/roles/authentik/tasks/build.yml 
@@ -7,26 +7,37 @@ force: true - name: Build front - ansible.builtin.shell: | - cd /opt/authentik/src/website - npm i - npm run build-docs-only - cd /opt/authentik/src/web - npm i - npm run build + ansible.builtin.shell: + executable: /bin/bash + cmd: | + export NODE_ENV=production + cd /opt/authentik/src/website + npm ci --include=dev + npm run build-docs-only + cd /opt/authentik/src/web + npm ci --include=dev + npm run build + +- name: Build go proxy + ansible.builtin.shell: + executable: /bin/bash + cmd: | + cd /opt/authentik/src/ + go mod download + CGO_ENABLED=0 go build -o /opt/authentik/server ./cmd/server - name: Create virtualenv ansible.builtin.command: python3.12 -m venv /opt/authentik/src/venv - name: Installl poetry and dependencies - ansible.builtin.shell: | - cd /opt/authentik/src/ - venv/bin/pip install poetry - venv/bin/poetry install --only=main --no-ansi --no-interaction --no-root - - -- name: Build go proxy - ansible.builtin.shell: |- - cd /opt/authentik/src/ - sed -i "s/c.Setup(\".\/authentik\/lib\/default.yml\", \".\/local.env.yml\")/c.Setup(\"\/etc\/authentik\/config.yml\", \".\/authentik\/lib\/default.yml\", \".\/local.env.yml\")/" /opt/authentik/src/internal/config/config.go - go build -o /opt/authentik/src/authentik-server ./cmd/server/ + ansible.builtin.shell: + executable: /bin/bash + cmd: | + cd /opt/authentik/src + source /opt/authentik/src/venv/bin/activate + export VENV_PATH=/opt/authentik/src/venv + export POETRY_VIRTUALENVS_CREATE=false + venv/bin/pip3 install --upgrade pip + venv/bin/pip3 install poetry + venv/bin/poetry venv use venv/python3.12 + venv/bin/poetry install --only=main --no-ansi --no-interaction --no-root diff --git a/ansible/roles/authentik/tasks/dependencies.yml b/ansible/roles/authentik/tasks/dependencies.yml index b277a2d..2e449ea 100644 --- a/ansible/roles/authentik/tasks/dependencies.yml +++ b/ansible/roles/authentik/tasks/dependencies.yml 
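Review bot: `venv/bin/poetry venv use venv/python3.12` in the poetry step does not look like a valid invocation: Poetry's subcommand is `poetry env use`, and the interpreter inside the venv is at `venv/bin/python3.12`, not `venv/python3.12`. Because the script has no `set -e`, that command's failure is swallowed and only the final `poetry install` decides the task result, so the mistake goes unnoticed. With `source venv/bin/activate` and `POETRY_VIRTUALENVS_CREATE=false` already selecting the venv, the line can simply be removed. `pip3 install poetry` installs whatever Poetry is latest at run time; pinning it, `venv/bin/pip3 install 'poetry==<pinned-version>'`, keeps the build reproducible.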
@@ -1,9 +1,13 @@ --- - name: Install roles dependencies ansible.builtin.apt: + install_recommends: false name: "{{ item }}" with_items: - git + - build-essential + - pkg-config + - zlib1g-dev - libpq-dev - libxmlsec1-dev diff --git a/ansible/roles/authentik/tasks/main.yml b/ansible/roles/authentik/tasks/main.yml index 1020310..1447498 100644 --- a/ansible/roles/authentik/tasks/main.yml +++ b/ansible/roles/authentik/tasks/main.yml @@ -11,3 +11,22 @@ tags: - build become_user: authentik + +- name: Create useful directory + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: "0755" + owner: authentik + with_items: + - /opt/authentik/certs + - /opt/authentik/media + - /etc/authentik + +- name: Test + ansible.builtin.copy: + remote_src: true + src: /opt/authentik/src/blueprints + dest: /opt/authentik/blueprints + owner: authentik + become: true -- 2.45.2
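Review bot: The task named `Test` is a permanent step that copies the blueprints tree, so it needs a descriptive name such as `Copy authentik blueprints`, and unlike `Create useful directory` it sets `become: true`; creating `/etc/authentik` and the `/opt/authentik` subdirectories needs the same escalation unless the play already runs with become, which the hunk does not show. `/etc/authentik` is created `0755` and owned by the service user, yet the build commit points the server at `/etc/authentik/config.yml`, which typically holds the database password and secret key; a config directory should be root-owned and not world-listable, e.g. `owner: root`, `group: authentik`, `mode: "0750"`, in its own task rather than sharing the loop with `certs` and `media`. The `copy` with `remote_src: true` sets no `mode`, so the copied files keep whatever permissions the checkout gave them.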