Commit dea46c65 authored by jabertwo
parents ad2ca7e7 09a1fb00
......@@ -48,11 +48,20 @@
api_port: 5665,
mysql_port: 33306
}
- {
role: testserver/docker_gitlab, tags: [ test_gitlab, docker_services ],
servicename: "gitlab",
basedir: "/srv/{{ servicename }}",
domain: "gitlab.test-warpzone.de",
domain_registry: "gitlab-registry.test-warpzone.de",
git_ssh_port: 444
}
- {
role: testserver/docker_gitea, tags: [ test_gitea, docker_services ],
servicename: "gitea",
basedir: "/srv/{{ servicename }}",
domain: "verwaltung-git.test-warpzone.de"
domain: "verwaltung-git.test-warpzone.de",
git_ssh_port: 555
}
- {
role: testserver/docker_grafana, tags: [ test_grafana, docker_services ],
......
......@@ -6,14 +6,14 @@ services:
depends_on:
- db
ports:
- 444:444
- "{{ git_ssh_port }}:{{ git_ssh_port}}"
volumes:
- "{{ basedir }}/data:/data"
environment:
APP_NAME: "Warpzone Verwaltung"
RUN_MODE: "prod"
SSH_DOMAIN: "{{ domain }}"
SSH_PORT: "444"
SSH_PORT: "{{ git_ssh_port}}"
ROOT_URL: "https://{{ domain }}"
HTTP_PORT: "42001"
USER_UID: "1000"
......@@ -67,4 +67,4 @@ networks:
driver: default
config:
# must be a ULA range
- subnet: fd00:dead:beef:444::/64
- subnet: fd00:dead:beef:{{ git_ssh_port }}::/64
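Review bot: Deriving the IPv6 subnet from `git_ssh_port` re-reads a decimal port number as a hexadecimal hextet, which only yields a valid address while the port has at most four digits; the inventory already contains five-digit ports such as `mysql_port: 33306`, and a `git_ssh_port` in that range would render an invalid subnet and fail when compose parses the file. The intent appears to be only that each service gets a distinct ULA subnet, so a dedicated per-service variable would make that explicit and keep the two values independent. At minimum extend the existing comment: `# must be a ULA range; hextet is the (decimal) git_ssh_port re-read as hex, so it must stay <= 9999`. The `{{ git_ssh_port}}` expansions on the `ports` entry and on `SSH_PORT` in the first hunk are also missing the closing space; `{{ git_ssh_port }}` keeps them consistent with the rest of the file.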
---
- include_tasks: ../functions/get_secret.yml
with_items:
- { path: /srv/shared/noreply_email_pass, length: -1 }
- { path: /srv/gitlab/oidc_client_secret, length: 32 }
- { path: /srv/gitlab/runner_registration_token, length: -1 }
# Benötigte Verzeichnisstrukturen erstellen
- name: create folder structur for gitlab
file:
path: "{{ item }}"
state: directory
owner: root
group: root
with_items:
- "/srv/gitlab/"
- "/srv/gitlab/conf/"
- "/srv/gitlab/data/"
- "/srv/gitlab/log"
- "/srv/gitlab/runner"
# Konfigurationsdateien erstellen
- name: Konfig-Datei Gitlab
template:
src: "{{ item }}"
dest: "/srv/gitlab/{{ item }}"
with_items:
- "conf/gitlab.rb"
- "docker-compose.yml"
register: configs
- name: stop gitlab docker
community.docker.docker_compose_v2:
project_src: /srv/gitlab/
state: absent
when: configs.changed
- name: start gitlab docker
community.docker.docker_compose_v2:
project_src: /srv/gitlab/
state: present
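Review bot: The template task that writes `conf/gitlab.rb` and `docker-compose.yml` sets no `mode`, so both files are created with the default umask, which is typically world-readable; `get_secret.yml` loads `oidc_client_secret` and `runner_registration_token` for this role, and if those are rendered into `gitlab.rb` — likely, though the template itself is not visible here — the secrets end up in a world-readable file. Adding `mode: "0600"` to the template task confines them to root, which is what the omnibus container runs as for `/etc/gitlab`. The tasks also hard-code `/srv/gitlab/` although the inventory entry for this role defines `basedir: "/srv/{{ servicename }}"`, while the gitea role uses `{{ basedir }}`; using the variable here keeps the two roles consistent.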
services:
app:
image: gitlab/gitlab-ce:latest
restart: always
ports:
- "{{ git_ssh_port }}:22"
volumes:
- /srv/gitlab/conf:/etc/gitlab
- /srv/gitlab/log:/var/log/gitlab
- /srv/gitlab/data:/var/opt/gitlab
labels:
- traefik.enable=true
- traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
- traefik.http.routers.{{ servicename }}.entrypoints=websecure
- traefik.http.routers.{{ servicename }}.service={{ servicename }}
- traefik.http.services.{{ servicename }}.loadbalancer.server.port=80
- traefik.http.routers.{{ servicename }}.middlewares={{ servicename }}-cors-headers
- traefik.http.middlewares.{{ servicename }}-cors-headers.headers.accesscontrolalloworiginlist=*
- traefik.http.routers.{{ servicename }}_registry.rule=Host(`{{ domain_registry }}`)
- traefik.http.routers.{{ servicename }}_registry.entrypoints=websecure
- traefik.http.routers.{{ servicename }}_registry.service={{ servicename }}_registry
- traefik.http.services.{{ servicename }}_registry.loadbalancer.server.port=5005
networks:
- default
- web
# Docker in Docker for Gitlab-Runner execution
# see https://forum.gitlab.com/t/example-gitlab-runner-docker-compose-configuration/67344
dind:
image: docker:25-dind
restart: always
privileged: true
environment:
DOCKER_TLS_CERTDIR: ""
command:
- --storage-driver=overlay2
networks:
- default
runner:
restart: always
image: registry.gitlab.com/gitlab-org/gitlab-runner:alpine
depends_on:
- dind
- app
environment:
- DOCKER_HOST=tcp://dind:2375
volumes:
- "/srv/gitlab/runner:/etc/gitlab-runner:z"
networks:
- default
# Runner Registration
# Excecute once when Gitlab is running
# register-runner:
# restart: 'no'
# image: registry.gitlab.com/gitlab-org/gitlab-runner:alpine
# depends_on:
# - dind
# - app
# environment:
# - CI_SERVER_URL=https://{{ domain }}
# - REGISTRATION_TOKEN={{ runner_registration_token }}
# command:
# - register
# - --non-interactive
# - --locked=false
# - --name=warpzone-webserver
# - --executor=docker
# - --docker-image=docker:20-dind
# - --docker-volumes=/var/run/docker.sock:/var/run/docker.sock
# volumes:
# - "/srv/gitlab/runner:/etc/gitlab-runner:z"
# networks:
# - default
networks:
web:
external: true
default:
driver: bridge
enable_ipv6: true
ipam:
driver: default
config:
# must be a ULA range
- subnet: fd00:dead:beef:444::/64
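Review bot: The `dind` daemon — `privileged: true`, TLS disabled via `DOCKER_TLS_CERTDIR: ""`, and reached unauthenticated at `tcp://dind:2375` by the runner — is attached to the same `default` network as the internet-facing `app` service, so code execution inside the GitLab container would also give unauthenticated control of a privileged Docker daemon, which is equivalent to root on the host. Putting `dind` on a separate bridge network that `app` does not join limits that reach; `runner` keeps `default` because it still has to reach `app`, and the new network must not be `internal` since `dind` has to pull images. Separately, `gitlab/gitlab-ce:latest` and `docker:25-dind` are floating tags; pinning at least the GitLab image makes upgrades deliberate and reproducible. The `register-runner` block that is commented out carries the registration token and the host `docker.sock` in plain text; if it is not going to be used it is better removed than left as a template to uncomment.
```yaml
  dind:
    # … unchanged: image, restart, privileged, environment, command …
    networks:
      - runner   # app does not join this network, so the 2375 API is only reachable from runner

  runner:
    # … unchanged: restart, image, depends_on, environment, volumes …
    networks:
      - default
      - runner

networks:
  # … unchanged: web, default …
  runner:
    driver: bridge
```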
# Overview
* Anonymous Access is possible with Viewer permissions
* Authentication to Grafana is only possible with an account in uffd, regular authentication is disabled
* All users with group 'grafana_access' can access the Application and get Editor permissions
* Users with group 'grafana_admin' get administrative privileges in Grafana
# Setup OIDC Authentication via uffd
Uffd Reference: https://git.cccv.de/uffd
## Setup in Grafana
All setup is done in the grafana.ini
References:
* https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/
* https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/
## Setup in uffd
Create Groups:
- grafana_access: General Access to Grafana
- grafana_admin: Admin Access to Grafana
Create a Service / OAuth Client:
Only Users with goup grafana_access can access Wordpress
Client-ID: grafana
Client-Secret: from file oauth_client_secret on the server
Redirect-URIs:
* https://grafana.test-warpzone.de/login/generic_oauth
......@@ -3,6 +3,7 @@
- include_tasks: ../functions/get_secret.yml
with_items:
- { path: "{{ basedir }}/secrets/grafana_admin_pass", length: 12 }
- { path: "{{ basedir }}/secrets/oauth_client_secret", length: 32 }
# - { path: "/srv/mqtt/influxdb_token", length: -1 }
- name: create folder struct for grafana
......
......@@ -2,7 +2,7 @@ services:
app:
image: grafana/grafana:latest
image: grafana/grafana-oss:latest
restart: always
volumes:
- "{{ basedir }}/grafana.ini:/etc/grafana/grafana.ini"
......@@ -10,6 +10,8 @@ services:
environment:
GF_SERVER_ROOT_URL: "https://{{ domain }}"
GF_SECURITY_ADMIN_PASSWORD: "{{ grafana_admin_pass }}"
GF_AUTH_OAUTH_ALLOW_INSECURE_EMAIL_LOOKUP: "true"
GF_LOG_LEVEL: "debug"
labels:
- traefik.enable=true
- traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
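Review bot: `GF_AUTH_OAUTH_ALLOW_INSECURE_EMAIL_LOOKUP: "true"` lets an OAuth login be attached to an existing Grafana user purely by e-mail match; Grafana labels it insecure because, if the identity provider lets users set their own e-mail address, a user can claim the address of an existing account — here the only local account is the admin created via `GF_SECURITY_ADMIN_PASSWORD` — and take it over on login. Whether uffd verifies e-mail addresses is not visible here; if it does not, the setting should go, and if it does, the reasoning belongs in a comment above the line, e.g. `# OAuth logins are matched to local users by e-mail; acceptable only because uffd verifies addresses`. `GF_LOG_LEVEL: "debug"` looks like a leftover from debugging the OAuth setup; debug output may include request details from the login flow, so `GF_LOG_LEVEL: "info"` is the better default once the flow works.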
......
......@@ -108,7 +108,7 @@ allow_org_create = false
auto_assign_org = true
# Default role new users will be automatically assigned (if disabled above is set to true)
auto_assign_org_role = Viewer
# auto_assign_org_role = Viewer
# Background text for the user field on the login page
login_hint = Fallback account
......@@ -119,7 +119,7 @@ default_theme = dark
[auth]
# Set to true to disable (hide) the login form, useful if you use OAuth, defaults to false
;disable_login_form = false
disable_login_form = false
disable_login_form = true
# Auto Login via OAuth
oauth_auto_login = true
......@@ -127,6 +127,7 @@ oauth_auto_login = true
# Set to true to disable the signout link in the side menu. useful if you use auth.proxy, defaults to false
;disable_signout_menu = false
#################################### Anonymous Auth ##########################
[auth.anonymous]
# enable anonymous access
......@@ -135,6 +136,38 @@ enabled = true
# specify organization name that should be used for unauthenticated users
org_name = Main Org.
# Role for unauthenticated users, other valid values are `Editor` and `Admin`
org_role = Viewer
#################################### Generic OAuth ##########################
[auth.generic_oauth]
# Enable OAuth Authentication
enabled = true
name = OAuth
# Users cann be created by OAuth login
allow_sign_up = true
# OAuth Client Settings
client_id = grafana
client_secret = {{ oauth_client_secret}}
scopes = profile
auth_url = {{ oauth_global.authorize_url }}
token_url = {{ oauth_global.token_url }}
api_url = {{ oauth_global.userinfo_url }}
# Attribute Mappings
#login_attribute_path = nickname
#name_attribute_path = nickname
# Role Mapping
skip_org_role_sync = false
allow_assign_grafana_admin = true
role_attribute_path = contains(groups[*], 'grafana_admin') && 'GrafanaAdmin' || 'Editor'
#################################### Alerting ############################
[alerting]
# Disable alerting engine & UI features
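Review bot: The mapping `role_attribute_path = contains(groups[*], 'grafana_admin') && 'GrafanaAdmin' || 'Editor'` grants Editor to every account that completes the OAuth flow, and without `role_attribute_strict` Grafana never rejects a login on the basis of the mapping, so the restriction to `grafana_access` described in the README rests entirely on uffd limiting the client to that group. Mapping the group explicitly makes Grafana enforce it as well: `role_attribute_path = contains(groups[*], 'grafana_admin') && 'GrafanaAdmin' || contains(groups[*], 'grafana_access') && 'Editor'` together with `role_attribute_strict = true`, so a user in neither group is denied instead of becoming an Editor. Whether a `groups` claim is actually returned by uffd's userinfo endpoint under the `profile` scope is not visible here and should be confirmed against the IdP. With `disable_login_form = true` there is no password login left, so the `login_hint = Fallback account` text in the first hunk is dead and a break-glass path for when uffd is unavailable (for example re-enabling the form through the environment) is worth documenting next to it.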
......
......@@ -24,7 +24,7 @@ services:
CMD_OAUTH2_AUTHORIZATION_URL: "{{ oauth_global.authorize_url }}"
CMD_OAUTH2_CLIENT_ID: "hackmd"
CMD_OAUTH2_CLIENT_SECRET: "{{ oauth_client_secret }}"
CMD_OAUTH2_PROVIDERNAME: "Keycloak"
CMD_OAUTH2_PROVIDERNAME: "Login with uffd"
CMD_OAUTH2_SCOPE: "openid email profile"
labels:
- traefik.enable=true
......