authorElizabeth Hunt <me@liz.coffee>2025-03-22 11:13:20 -0700
committerElizabeth Hunt <me@liz.coffee>2025-03-22 11:13:20 -0700
commite5eba51991a0640c6e5d1da0bd78cdbc9d4513f2 (patch)
tree544e8f8537bcf6198206f62e10c1234eea589200
parent9b3532e762465b7f4f81459cfc96ed42cd5134d0 (diff)
downloadinfra-e5eba51991a0640c6e5d1da0bd78cdbc9d4513f2.tar.gz
infra-e5eba51991a0640c6e5d1da0bd78cdbc9d4513f2.zip
deploy kanidm
-rw-r--r--deploy.yml6
-rw-r--r--group_vars/all.yml4
-rw-r--r--group_vars/kanidm.yml5
-rw-r--r--group_vars/traextor.yml3
-rw-r--r--inventory6
-rw-r--r--playbooks/kanidm.yml7
-rw-r--r--playbooks/roles/kanidm/tasks/main.yml19
-rw-r--r--playbooks/roles/kanidm/templates/stacks/docker-compose.yml34
-rw-r--r--playbooks/roles/kanidm/templates/volumes/data/.gitkeep0
-rw-r--r--playbooks/roles/kanidm/templates/volumes/data/server.toml10
-rw-r--r--playbooks/roles/traextor/tasks/main.yml19
-rw-r--r--playbooks/roles/traextor/templates/stacks/docker-compose.yml12
-rw-r--r--playbooks/roles/traextor/templates/volumes/certs/.gitkeep0
-rw-r--r--playbooks/roles/traextor/templates/volumes/shared/.gitkeep0
-rw-r--r--playbooks/roles/traextor/templates/volumes/traextor/.gitkeep0
-rw-r--r--playbooks/traextor.yml7
16 files changed, 131 insertions, 1 deletions
diff --git a/deploy.yml b/deploy.yml
index b91f9b7..fff39f3 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -29,3 +29,9 @@
- name: Pihole
ansible.builtin.import_playbook: playbooks/pihole.yml
+
+- name: Traextor
+ ansible.builtin.import_playbook: playbooks/traextor.yml
+
+- name: Kanidm
+ ansible.builtin.import_playbook: playbooks/kanidm.yml
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 197662f..40d888c 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -8,4 +8,6 @@ rfc1918_cgnat_networks:
- 100.64.0.0/10
timezone: "America/Los_Angeles"
-traefik_domain: "sips.liz.coffee"
+
+# first deployment
+homelab_build: true
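Review bot: `# first deployment` does not say what `homelab_build` changes or when it must be flipped back, yet the kanidm compose template in this commit keys both its `sleep 60` wait and `healthcheck: disable: true` on it, so leaving the flag at `true` after bootstrap leaves the service running with no healthcheck indefinitely. Suggest `# first deployment only: while true, kanidm waits for its cert and runs with its healthcheck disabled; set to false once certs exist`. The removal of `traefik_domain` is not mentioned in the commit message; if any template outside this diff still references it, rendering now fails on an undefined variable — worth a grep before merging.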
diff --git a/group_vars/kanidm.yml b/group_vars/kanidm.yml
new file mode 100644
index 0000000..0e871a9
--- /dev/null
+++ b/group_vars/kanidm.yml
@@ -0,0 +1,5 @@
+---
+
+kanidm_base: "{{ swarm_base }}/kanidm"
+kanidm_host: "idm.liz.coffee"
+
diff --git a/group_vars/traextor.yml b/group_vars/traextor.yml
new file mode 100644
index 0000000..0f463f7
--- /dev/null
+++ b/group_vars/traextor.yml
@@ -0,0 +1,3 @@
+---
+
+traextor_base: "{{ swarm_base }}/traextor"
diff --git a/inventory b/inventory
index d1abb62..b2fbd18 100644
--- a/inventory
+++ b/inventory
@@ -37,3 +37,9 @@ swarm-one ansible_host=10.128.0.201 ansible_user=serve ansible_connection=ssh a
[pihole]
swarm-one ansible_host=10.128.0.201 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
+
+[traextor]
+swarm-one ansible_host=10.128.0.201 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
+
+[kanidm]
+swarm-one ansible_host=10.128.0.201 ansible_user=serve ansible_connection=ssh ansible_become_password='{{ swarm_become_password }}'
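Review bot: The full connection line for `swarm-one` (ansible_host, ansible_user, ansible_connection, ansible_become_password) is pasted again for `[traextor]` and `[kanidm]`, as it already is for `[pihole]`. In an INI inventory those variables attach to the host rather than the group, so one definition is enough and the new groups can list the bare hostname: `[traextor]` / `swarm-one` and `[kanidm]` / `swarm-one`. That keeps the become-password reference and the host address in a single place when either changes.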
diff --git a/playbooks/kanidm.yml b/playbooks/kanidm.yml
new file mode 100644
index 0000000..0e1c35f
--- /dev/null
+++ b/playbooks/kanidm.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Kanidm setup
+ hosts: kanidm
+ become: true
+ roles:
+ - kanidm
diff --git a/playbooks/roles/kanidm/tasks/main.yml b/playbooks/roles/kanidm/tasks/main.yml
new file mode 100644
index 0000000..a004910
--- /dev/null
+++ b/playbooks/roles/kanidm/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+
+- name: Build kanidm compose dirs
+ ansible.builtin.file:
+ state: directory
+ dest: '{{ kanidm_base }}/{{ item.path }}'
+ with_filetree: '../templates'
+ when: item.state == 'directory'
+
+- name: Build kanidm compose files
+ ansible.builtin.template:
+ src: '{{ item.src }}'
+ dest: '{{ kanidm_base }}/{{ item.path }}'
+ with_filetree: '../templates'
+ when: item.state == 'file'
+
+- name: Deploy Kanidm stack
+ ansible.builtin.command:
+ cmd: "docker stack deploy -c {{ kanidm_base }}/stacks/docker-compose.yml kanidm"
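Review bot: `Deploy Kanidm stack` runs `docker stack deploy` through `ansible.builtin.command` with no `changed_when`, so the task reports changed on every run and `--check` mode gives no information; at minimum `register` the result and derive `changed_when` from its output, or set `changed_when: false` if only the end state matters. The `with_filetree` template task also renders `server.toml` (and the `.gitkeep` files) under `volumes/data` with whatever mode the controller's umask produces, and the directory task sets none either; set `mode:` explicitly on both tasks so the permissions of the data directory that will hold `kanidm.db` are deliberate rather than incidental. Both points apply verbatim to `playbooks/roles/traextor/tasks/main.yml` in this commit.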
diff --git a/playbooks/roles/kanidm/templates/stacks/docker-compose.yml b/playbooks/roles/kanidm/templates/stacks/docker-compose.yml
new file mode 100644
index 0000000..4ce98d2
--- /dev/null
+++ b/playbooks/roles/kanidm/templates/stacks/docker-compose.yml
@@ -0,0 +1,34 @@
+services:
+ kanidm:
+ image: kanidm/server
+ volumes:
+ - {{ kanidm_base }}/volumes/data:/data
+ - {{ traextor_base }}/volumes/certs/letsencrypt:/certs:ro
+ networks:
+ - proxy
+{% if homelab_build %}
+ command:
+ - /bin/sh
+ - -c
+ - |
+ [ ! -f "/certs/{{ kanidm_host }}.pem" ] && sleep 60
+ /sbin/kanidmd server -c /data/server.toml
+ healthcheck:
+ disable: true
+{% endif %}
+ deploy:
+ mode: replicated
+ replicas: 1
+ labels:
+ - traefik.enable=true
+ - traefik.swarm.network=proxy
+ - traefik.http.routers.kanidm.tls=true
+ - traefik.http.routers.kanidm.tls.certResolver=letsencrypt
+ - traefik.http.routers.kanidm.rule=Host(`{{ kanidm_host }}`)
+ - traefik.http.routers.kanidm.entrypoints=websecure
+ - traefik.http.services.kanidm.loadbalancer.server.port=8443
+ - traefik.http.services.kanidm.loadbalancer.server.scheme=https
+
+networks:
+ proxy:
+ external: true
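Review bot: The bootstrap path under `{% if homelab_build %}` waits exactly once (`sleep 60`) and then starts `kanidmd` whether or not `/certs/{{ kanidm_host }}.pem` has appeared, while the healthcheck is disabled for as long as the flag is true, so a certificate that takes longer than a minute yields a server launched without its TLS files and nothing in the stack reports it. Replace the one-shot sleep with a poll, `until [ -f "/certs/{{ kanidm_host }}.pem" ]; do sleep 5; done`, ahead of the `/sbin/kanidmd` line, and reconsider whether the healthcheck needs disabling at all once the wait is reliable. `image: kanidm/server` carries no tag, so each redeploy pulls whatever is current; pin a version or digest so a server upgrade (and any schema migration it brings) is a reviewed change rather than a side effect of re-running the playbook. The `{{ traextor_base }}/volumes/certs/letsencrypt` mount source is not created by anything in this diff (only `volumes/certs/.gitkeep` is); presumably traextor creates it per resolver — confirm, since Docker creates an absent bind-mount source as an empty root-owned directory and the container would then wait on a cert that never lands there.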
diff --git a/playbooks/roles/kanidm/templates/volumes/data/.gitkeep b/playbooks/roles/kanidm/templates/volumes/data/.gitkeep
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/playbooks/roles/kanidm/templates/volumes/data/.gitkeep
diff --git a/playbooks/roles/kanidm/templates/volumes/data/server.toml b/playbooks/roles/kanidm/templates/volumes/data/server.toml
new file mode 100644
index 0000000..5e42bc8
--- /dev/null
+++ b/playbooks/roles/kanidm/templates/volumes/data/server.toml
@@ -0,0 +1,10 @@
+bindaddress = "0.0.0.0:8443"
+ldapbindaddress = "0.0.0.0:3636"
+trust_x_forward_for = true
+db_path = "/data/kanidm.db"
+tls_chain = "/certs/{{ kanidm_host }}.pem"
+tls_key = "/certs/{{ kanidm_host }}.key"
+log_level = "info"
+
+domain = "{{ kanidm_host }}"
+origin = "https://{{ kanidm_host }}"
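Review bot: `trust_x_forward_for = true` makes kanidmd take the client address from `X-Forwarded-For` on 8443, which is only safe when nothing but Traefik can reach that port; the service publishes no ports but sits on the shared `proxy` overlay, so any other container attached to `proxy` could present a spoofed header and show up in audit logs under a forged source address. Worth a comment above the line, `# only Traefik may reach 8443: X-Forwarded-For is trusted from any peer on the proxy network`, and a habit of checking what else joins `proxy`. `ldapbindaddress = "0.0.0.0:3636"` also enables the LDAP listener although nothing in this commit uses it; if it is not needed, dropping the line removes an unused listener that is unpublished but still reachable from the overlay.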
diff --git a/playbooks/roles/traextor/tasks/main.yml b/playbooks/roles/traextor/tasks/main.yml
new file mode 100644
index 0000000..19074fe
--- /dev/null
+++ b/playbooks/roles/traextor/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+
+- name: Build traextor compose dirs
+ ansible.builtin.file:
+ state: directory
+ dest: '{{ traextor_base }}/{{ item.path }}'
+ with_filetree: '../templates'
+ when: item.state == 'directory'
+
+- name: Build traextor compose files
+ ansible.builtin.template:
+ src: '{{ item.src }}'
+ dest: '{{ traextor_base }}/{{ item.path }}'
+ with_filetree: '../templates'
+ when: item.state == 'file'
+
+- name: Deploy Traextor stack
+ ansible.builtin.command:
+ cmd: "docker stack deploy -c {{ traextor_base }}/stacks/docker-compose.yml traextor"
diff --git a/playbooks/roles/traextor/templates/stacks/docker-compose.yml b/playbooks/roles/traextor/templates/stacks/docker-compose.yml
new file mode 100644
index 0000000..9012365
--- /dev/null
+++ b/playbooks/roles/traextor/templates/stacks/docker-compose.yml
@@ -0,0 +1,12 @@
+services:
+ traextor:
+ image: djarbz/traextor
+ volumes:
+ - {{ traextor_base }}/volumes/shared:/shared
+ - {{ traefik_base }}/volumes/certs/acme.json:/acme.json
+ - {{ traextor_base }}/volumes/certs:/certs
+ - /var/run/docker.sock:/var/run/docker.sock
+ command: -H unix:///var/run/docker.sock
+ environment:
+ TZ: {{ timezone }}
+ OUTPUT_DIR: /certs
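Review bot: `{{ traefik_base }}/volumes/certs/acme.json` is bind-mounted read-write although traextor only needs to read it to extract certificates; acme.json holds the ACME account key and every leaf private key, so mount it `- {{ traefik_base }}/volumes/certs/acme.json:/acme.json:ro` so a bug or compromise in this container cannot rewrite Traefik's key store. The Docker socket mount below it hands the container full control of the host daemon (root-equivalent on the node); presumably it is needed to watch for certificate changes, but if the tool only needs events and container listing, a read-only socket proxy in front of the daemon narrows that considerably — verify which API calls it actually makes. `image: djarbz/traextor` is untagged, the same pinning point as for the kanidm image. `TZ: {{ timezone }}` relies on the variable never rendering empty or YAML-special; quoting it as `TZ: "{{ timezone }}"` costs nothing.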
diff --git a/playbooks/roles/traextor/templates/volumes/certs/.gitkeep b/playbooks/roles/traextor/templates/volumes/certs/.gitkeep
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/playbooks/roles/traextor/templates/volumes/certs/.gitkeep
diff --git a/playbooks/roles/traextor/templates/volumes/shared/.gitkeep b/playbooks/roles/traextor/templates/volumes/shared/.gitkeep
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/playbooks/roles/traextor/templates/volumes/shared/.gitkeep
diff --git a/playbooks/roles/traextor/templates/volumes/traextor/.gitkeep b/playbooks/roles/traextor/templates/volumes/traextor/.gitkeep
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/playbooks/roles/traextor/templates/volumes/traextor/.gitkeep
diff --git a/playbooks/traextor.yml b/playbooks/traextor.yml
new file mode 100644
index 0000000..b9a11ea
--- /dev/null
+++ b/playbooks/traextor.yml
@@ -0,0 +1,7 @@
+---
+
+- name: traextor setup
+ hosts: traextor
+ become: true
+ roles:
+ - traextor
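Review bot: The play name `traextor setup` is lowercase while the sibling play added in this commit is `Kanidm setup` and `deploy.yml` imports it as `Traextor`; play names appear in run output, so `- name: Traextor setup` keeps the log lines consistent. Otherwise nothing to raise on this file.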