added postgres & made structure changes

2025-11-02 08:39:40 +01:00
parent f272c00ff3
commit 55a12e0fb7
10 changed files with 234 additions and 119 deletions
--- a/homelab/applications/authelia/compose.yaml
+++ b/homelab/applications/authelia/compose.yaml
@ -1,29 +0,0 @@
 secrets:
  STORAGE_ENCRYPTION_KEY:
    file: './secrets/authelia_db_encryption_key'
 services:
  authelia:
    image: authelia/authelia:latest
    container_name: authelia
    volumes:
      # Config files are still mounted as volumes
      - ./config/configuration.yml:/config/configuration.yml:ro
      - ./config/users_database.yml:/config/users_database.yml:ro
      # Persistent SQLite database directory
      - ./db:/config/db
    ports:
      - '9091:9091'
    secrets: ['STORAGE_ENCRYPTION_KEY']
    environment:
      TZ: 'Etc/UTC'
      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE_ENCRYPTION_KEY'
    restart: always
    healthcheck:
      test: ["CMD", "authelia", "healthcheck"]
      interval: 5s
      timeout: 5s
      retries: 5
      start_period: 5s
--- a/homelab/applications/authelia/config/configuration.yml
+++ b/homelab/applications/authelia/config/configuration.yml
@ -1,59 +0,0 @@
 server:
  address: 0.0.0.0:9091
  endpoints:
    authz:
      forward-auth:
        implementation: 'ForwardAuth'
 log:
  level: info
 # --- Storage ---
 storage:
  local:
    path: /config/db/authelia.sqlite.db
 # --- Authentication ---
 authentication_backend:
  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2id
      iterations: 1
      memory: 2097152
      parallelism: 4
      salt_length: 16
      key_length: 32
  password_reset:
    disable: true
  password_change:
    disable: false
 # --- Session ---
 session:
  cookies:
    - domain: 'saljic.me'
      authelia_url: 'https://auth.saljic.me'
      default_redirection_url: 'https://home.saljic.me'
 # --- Notifier (No Mail) ---
 notifier:
  filesystem:
    filename: /config/db/notifications.log
 # --- Access Control ---
 access_control:
  default_policy: deny
  rules:
    - domain: "*.saljic.me"
      policy: one_factor
 # --- Password policies ---
 password_policy:
  standard:
    enabled: true
    min_length: 8
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: true
--- a/homelab/applications/authelia/config/users_database.yml
+++ b/homelab/applications/authelia/config/users_database.yml
@ -1,9 +0,0 @@
 users:
  amar:
    disabled: false
    displayname: 'Amar Šaljić'
    password: '$argon2id$v=19$m=65536,t=3,p=4$5PaYrZOdJzg3SMIAqql/uA$EFH9v2DfJZw6ni8uup4BWMEFvMwIlM5HbH7MLX7F4g0' 
    email: 'amar@saljic.me'
    groups:
      - 'admins'
      - 'dev'
--- a/homelab/applications/caddy/Caddyfile
+++ b/homelab/applications/caddy/Caddyfile
@ -1,34 +1,48 @@
-# --- Authelia Portal ---
+# --- Home Assistant ---
-# This is the login page itself. It does NOT have forward_auth.
+(logging) {
-auth.saljic.me {
+    log {
-  # Proxy to the Authelia Docker container on port 9091
+        output file /var/log/caddy/access.log {
-  reverse_proxy localhost:9091
+            # Roll logs to save space
            roll_size     100mb
            roll_keep     10
            roll_keep_for 720h # 30 days
        }
        format json
        level  INFO  # This ensures all requests (INFO, WARN, ERROR) are logged
    }
 }
-# --- Home Assistant (Protected App) ---
+# --- top domain --- 
-ha.saljic.me {
+saljic.me {
-  # 1. Apply authentication using Caddy's 'forward_auth'
+  import logging
-  forward_auth localhost:9091 {
+  respond "Welcome! In the making..."
-      uri /api/authz/forward-auth
+}
      copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
  }
-  # 2. If auth is successful, proxy to your Home Assistant instance
+ha.saljic.me {
  import logging
  reverse_proxy 10.10.10.6:8123
 }
 # --- FreshRSS --- 
 feed.saljic.me {
  import logging
  reverse_proxy 10.10.10.6:8081
 }
 # --- Immich ---
 tagebuch.saljic.me {
  import logging
  reverse_proxy 10.10.10.6:2283
 }
-# --- default --- 
+# --- Gitea ---
-home.saljic.me {
+git.saljic.me {
-  header Content-Type text/html
+  import logging
-	respond <<HTML
+  reverse_proxy 10.10.10.6:8030
-		<html>
+}
-			<head><title>saljic.me</title></head>
+
-			<body>Hello there</body>
+# --- ntfy ---
-		</html>
+ntfy.saljic.me {
-		HTML 200
+  import logging
  reverse_proxy 10.10.10.6:8500
 }
--- a/homelab/applications/gitea/compose.yml
+++ b/homelab/applications/gitea/compose.yml
@ -0,0 +1,14 @@
  services:
   server:
     image: docker.gitea.com/gitea:latest
     container_name: gitea
     environment:
       - USER_UID=1000
       - USER_GID=1000
       - DISABLE_REGISTRATION=true
     restart: always
     volumes:
       - ./data:/data
     ports:
       - "8030:3000"
       - "222:22"
--- a/homelab/applications/homeassistant/config/configuration.yaml
+++ b/homelab/applications/homeassistant/config/configuration.yaml
@ -0,0 +1,19 @@
 # Loads default set of integrations. Do not remove.
 default_config:
 # Load frontend themes from the themes folder
 frontend:
  themes: !include_dir_merge_named themes
 automation: !include automations.yaml
 script: !include scripts.yaml
 scene: !include scenes.yaml
 http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.100.5
 homeassistant:
  external_url: "https://ha.saljic.me"
  internal_url: "http://10.10.10.6:8123"
 sensor: !include sensor.yaml
--- a/homelab/applications/postgres/README.md
+++ b/homelab/applications/postgres/README.md
@ -0,0 +1,28 @@
 # Postgres
 ## Set up non-root user for container
 We are providing a non-root user to the container to limit the attack surface for privilege escalations. In order for this to work in our setup, please make sure to check if you have a user called `postgres` set up. 
 1. Check if user `postgres` exists and if the UID is 1002
 ```
 cat /etc/passwd | grep postgres
 ```
 In case the `postgres` user exists but the UID is not 1002, please adjust it via 
 ```
 sudo usermod -u 1002 postgres
 ```
 In case the `postgres` user doesn't exist at all, please create the user incl. the right UID by running
 ```
 sudo useradd -u 1002 postgres
 ```
 ## About secrets
 In order to manage secrets centrally in 1Password and due to the need for secrets in Postgres, using `docker compose` directly in the terminal does not work. 
 ## Bring up/tear down container
 Please use the `start.sh` to spin up the container
 ### Prerequisites start.sh
 - User executing the script is part of the `docker` group
 - Env variable `OP_SERVICE_ACCOUNT_TOKEN` is set up \[check out top-level README.md for more information on how to set this up\]
--- a/homelab/applications/postgres/compose.yml
+++ b/homelab/applications/postgres/compose.yml
@ -0,0 +1,18 @@
 secrets:
    postgres_password:
        environment: POSTGRES_PASSWORD
    postgres_user:
        environment: POSTGRES_USER
 services:
    postgres:
        image: postgres:18
        container_name: postgres
        user: "1002"
        restart: always
        shm_size: 1024mb
        environment:
            POSTGRES_USER_FILE: /run/secrets/postgres_user
            POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
        secrets: ['postgres_password', 'postgres_user']
        ports: ['5432:5432']
        volumes: ['./data:/var/lib/postgresql']
--- a/homelab/applications/postgres/start.sh
+++ b/homelab/applications/postgres/start.sh
@ -0,0 +1,13 @@
 #!/bin/zsh
 # Exit immediately if a command exits with a non-zero status.
 set -e
 echo "--- Starting Docker Secret Management ---"
 # Mount secrets
 export POSTGRES_USER="$(op read 'op://NAxS Homelab/Postgres Homelab/username')"
 export POSTGRES_PASSWORD="$(op read 'op://NAxS Homelab/Postgres Homelab/password')"
 # Bring up container
 docker compose up -d
 echo "--- Docker Secret Management Complete ---"
--- a/homelab/ubuntu-server-setup.sh
+++ b/homelab/ubuntu-server-setup.sh
@ -0,0 +1,106 @@
 #!/usr/bin/env bash
 set -euo pipefail
 # Simple installer for Ubuntu server:
 # - unattended-upgrades (security updates + automatic reboot)
 # - Docker (engine + compose plugin) per Docker docs steps 1-3
 # - zsh (set as default shell for original user)
 # - 1Password CLI for access to secrets
 # - secret-tools for storing tokens needed (i.e. for 1Password CLI)
 # Must be run as root
 if [ "$EUID" -ne 0 ]; then
  echo "Please run as root: sudo bash $0"
  exit 1
 fi
 # Detect target user to set default shell for
 TARGET_USER="${SUDO_USER:-$(whoami)}"
 apt-get update
 # 1) Enable automatic security updates and automatic reboot
 apt-get install -y unattended-upgrades
 # Enable periodic updates/unattended-upgrades
 cat > /etc/apt/apt.conf.d/20auto-upgrades <<'EOF'
 APT::Periodic::Update-Package-Lists "1";
 APT::Periodic::Unattended-Upgrade "1";
 APT::Periodic::AutocleanInterval "7";
 EOF
 # Ensure automatic reboot after unattended-upgrades (time adjustable)
 cat > /etc/apt/apt.conf.d/99auto-reboot <<'EOF'
 Unattended-Upgrade::Automatic-Reboot "true";
 Unattended-Upgrade::Automatic-Reboot-Time "04:00";
 EOF
 # Start/enable unattended-upgrades (if system uses service/timer)
 if systemctl list-unit-files | grep -q unattended-upgrades; then
  systemctl enable --now unattended-upgrades || true
 fi
 # 2) Install Docker (steps 1-3 from Docker docs)
 # Install prerequisites
 apt-get install -y ca-certificates curl gnupg lsb-release
 # Create keyrings dir and add Docker GPG key
 install -m 0755 -d /etc/apt/keyrings
 curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
 chmod a+r /etc/apt/keyrings/docker.asc
 # Add Docker apt repository
 ARCH=$(dpkg --print-architecture)
 . /etc/os-release
 UBU_CODENAME="${UBUNTU_CODENAME:-$VERSION_CODENAME}"
 echo "deb [arch=${ARCH} signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu ${UBU_CODENAME} stable" \
  > /etc/apt/sources.list.d/docker.list
 apt-get update
 # Install Docker Engine + plugins including compose plugin
 apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
 # Verify Docker works by running hello-world (this will pull an image)
 if command -v docker >/dev/null 2>&1; then
  docker run --rm hello-world || true
 fi
 # 3) Install zsh and make it the default shell for the target user
 apt-get install -y zsh
 ZSH_PATH="$(which zsh)"
 if ! grep -q "^${ZSH_PATH}$" /etc/shells; then
  echo "${ZSH_PATH}" >> /etc/shells
 fi
 # Change shell for target user (if possible)
 if id "${TARGET_USER}" >/dev/null 2>&1; then
  chsh -s "${ZSH_PATH}" "${TARGET_USER}" || echo "chsh failed for ${TARGET_USER}; you may need to run 'chsh -s ${ZSH_PATH} ${TARGET_USER}' manually"
 else
  echo "User ${TARGET_USER} not found; skipping chsh"
 fi
 # 4) Install 1Password CLI for access to secrets
 curl -sS https://downloads.1password.com/linux/keys/1password.asc | \
 gpg --dearmor --output /usr/share/keyrings/1password-archive-keyring.gpg && \
 echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/1password-archive-keyring.gpg] https://downloads.1password.com/linux/debian/$(dpkg --print-architecture) stable main" | \
 tee /etc/apt/sources.list.d/1password.list && \
 mkdir -p /etc/debsig/policies/AC2D62742012EA22/ && \
 curl -sS https://downloads.1password.com/linux/debian/debsig/1password.pol | \
 tee /etc/debsig/policies/AC2D62742012EA22/1password.pol && \
 mkdir -p /usr/share/debsig/keyrings/AC2D62742012EA22 && \
 curl -sS https://downloads.1password.com/linux/keys/1password.asc | \
 gpg --dearmor --output /usr/share/debsig/keyrings/AC2D62742012EA22/debsig.gpg && \
 apt update && apt install 1password-cli
 # Check successful install
 op --version
 # 5) Install gnome-keyring secret-tool for securely storing tokens
 apt install pass gnupg2
 echo "Done. Recommended: log out and back in (or reboot) to start using zsh and ensure all services are active."