Merge pull request #41 from moan0s/authentik

Add Authentik
2023-04-22 15:03:40 +03:00 · 2023-04-22 15:03:40 +03:00 · 2dd7eebfcb
commit 2dd7eebfcb
parent 1cc8eadabc a447f82e60
7 changed files with 301 additions and 0 deletions
--- a/docs/services/authentik.md
+++ b/docs/services/authentik.md
@ -0,0 +1,191 @@
 # Authentik
 [authentik](https://goauthentik.io/) is an open-source Identity Provider focused on flexibility and versatility. MASH can install authentik with the [`mother-of-all-self-hosting/ansible-role-authentik`](https://github.com/mother-of-all-self-hosting/ansible-role-authentik) ansible role.
 **Warning:** SSO is pretty complex and while this role will install authentik for you we only tested OIDC and OAUTH integration. There is a high probability that using outposts/LDAP would need further configuration efforts. Make sure you test before using this in production and feel free to provide feedback!
 ## Dependencies
 This service requires the following other services:
 - a [Postgres](postgres.md) database
 - a [Redis](redis.md) data-store, installation details [below](#redis)
 - a [Traefik](traefik.md) reverse-proxy server
 ## Configuration
 To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
 ```yaml
 ########################################################################
 #                                                                      #
 # authentik                                                            #
 #                                                                      #
 ########################################################################
 authentik_enabled: true
 authentik_hostname: authentik.example.com
 authentik_secret_key: 'verysecret'
 ########################################################################
 #                                                                      #
 # /authentik                                                           #
 #                                                                      #
 ########################################################################
 ```
 ### Redis
 As described on the [Redis](redis.md) documentation page, if you're hosting additional services which require Redis on the same server, you'd better go for installing a separate Redis instance for each service. See [Creating a Redis instance dedicated to authentik](#creating-a-redis-instance-dedicated-to-authentik).
 If you're only running authentik on this server and don't need to use Redis for anything else, you can [use a single Redis instance](#using-the-shared-redis-instance-for-authentik).
 #### Using the shared Redis instance for authentik
 To install a single (non-dedicated) Redis instance (`mash-redis`) and hook authentik to it, add the following **additional** configuration:
 ```yaml
 ########################################################################
 #                                                                      #
 # redis                                                                #
 #                                                                      #
 ########################################################################
 redis_enabled: true
 ########################################################################
 #                                                                      #
 # /redis                                                               #
 #                                                                      #
 ########################################################################
 ########################################################################
 #                                                                      #
 # authentik                                                               #
 #                                                                      #
 ########################################################################
 # Base configuration as shown above
 # Point authentik to the shared Redis instance
 authentik_config_redis_hostname: "{{ redis_identifier }}"
 # Make sure the authentik service (mash-authentik.service) starts after the shared Redis service (mash-redis.service)
 authentik_systemd_required_services_list_custom:
  - "{{ redis_identifier }}.service"
 # Make sure the authentik container is connected to the container network of the shared Redis service (mash-redis)
 authentik_container_additional_networks_custom:
  - "{{ redis_identifier }}"
 ########################################################################
 #                                                                      #
 # /authentik                                                              #
 #                                                                      #
 ########################################################################
 ```
 This will create a `mash-redis` Redis instance on this host.
 This is only recommended if you won't be installing other services which require Redis. Alternatively, go for [Creating a Redis instance dedicated to authentik](#creating-a-redis-instance-dedicated-to-authentik).
 #### Creating a Redis instance dedicated to authentik
 The following instructions are based on the [Running multiple instances of the same service on the same host](../running-multiple-instances.md) documentation.
 Adjust your `inventory/hosts` file as described in [Re-do your inventory to add supplementary hosts](../running-multiple-instances.md#re-do-your-inventory-to-add-supplementary-hosts), adding a new supplementary host (e.g. if `authentik.example.com` is your main one, create `authentik.example.com-deps`).
 Then, create a new `vars.yml` file for the
 `inventory/host_vars/authentik.example.com-deps/vars.yml`:
 ```yaml
 ---
 ########################################################################
 #                                                                      #
 # Playbook                                                             #
 #                                                                      #
 ########################################################################
 # Put a strong secret below, generated with `pwgen -s 64 1` or in another way
 # Various other secrets will be derived from this secret automatically.
 mash_playbook_generic_secret_key: ''
 # Override service names and directory path prefixes
 mash_playbook_service_identifier_prefix: 'mash-authentik-'
 mash_playbook_service_base_directory_name_prefix: 'authentik-'
 ########################################################################
 #                                                                      #
 # /Playbook                                                            #
 #                                                                      #
 ########################################################################
 ########################################################################
 #                                                                      #
 # redis                                                                #
 #                                                                      #
 ########################################################################
 redis_enabled: true
 ########################################################################
 #                                                                      #
 # /redis                                                               #
 #                                                                      #
 ########################################################################
 ```
 This will create a `mash-authentik-redis` instance on this host with its data in `/mash/authentik-redis`.
 Then, adjust your main inventory host's variables file (`inventory/host_vars/authentik.example.com/vars.yml`) like this:
 ```yaml
 ########################################################################
 #                                                                      #
 # authentik                                                               #
 #                                                                      #
 ########################################################################
 # Base configuration as shown above
 # Point authentik to its dedicated Redis instance
 authentik_environment_variable_redis_host: mash-authentik-redis
 authentik_environment_variable_redis_cache_host: mash-authentik-redis
 # Make sure the authentik service (mash-authentik.service) starts after its dedicated Redis service (mash-authentik-redis.service)
 authentik_systemd_required_services_list_custom:
  - "mash-authentik-redis.service"
 # Make sure the authentik container is connected to the container network of its dedicated Redis service (mash-authentik-redis)
 authentik_container_additional_networks_custom:
  - "mash-authentik-redis"
 ########################################################################
 #                                                                      #
 # /authentik                                                              #
 #                                                                      #
 ########################################################################
 ```
 ## Installation
 If you've decided to install a dedicated Redis instance for authentik, make sure to first do [installation](../installing.md) for the supplementary inventory host (e.g. `authentik.example.com-deps`), before running installation for the main one (e.g. `authentik.example.com`).
 ## Usage
 After installation, you can set the admin password at `https://<authentik_hostname>/if/flow/initial-setup/`. Set the admin password there and start adding applications and users! Refer to the [official documentation](https://goauthentik.io/docs/) to learn how to integrate services. For this playbook tested examples are described in the respective service documentation. See
 * [Grafana](./grafana.md)
 * [Nextcloud](./nextcloud.md)
--- a/docs/services/grafana.md
+++ b/docs/services/grafana.md
@ -82,6 +82,35 @@ grafana_dashboard_download_urls: |
 ```
 #### Single-Sign-On / Authentik
 Grafana supports Single-Sign-On (SSO) via OAUTH. To make use of this you'll need a Identity Provider like [authentik](./authentik.md) or [Keycloak](./keycloak.md). Using authentik you can connect and Authentik like this:
 * Create a new OAUTH provider in authentik called `grafana`
 * Create an application also named `grafana` in authentik using this provider
 * Add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process (make sure to adjust `authentik.example.com`)
 ```yaml
 grafana_environment_variables_additional_variables: |
  GF_AUTH_GENERIC_OAUTH_ENABLED=true
  GF_AUTH_GENERIC_OAUTH_NAME=authentik
  GF_AUTH_GENERIC_OAUTH_CLIENT_ID=COPIED-CLIENTID
  GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=COPIED-CLIENTSECRET
  GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email
  GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://authentik.example.com/application/o/authorize/
  GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://authentik.example.com/application/o/token/
  GF_AUTH_GENERIC_OAUTH_API_URL=https://authentik.example.com/application/o/userinfo/
  GF_AUTH_SIGNOUT_REDIRECT_URL=https://authentik.example.com/application/o/grafana/end-session/
  # Optionally enable auto-login (bypasses Grafana login screen)
  #GF_AUTH_OAUTH_AUTO_LOGIN="true"
  GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN=true
  # Optionally map user groups to Grafana roles
  GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH="contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
 ```
 Make sure the user you want to login as has an email address in authentik, otherwise there will be an error.
 ## Usage
 After installation, you should be able to access your new Gitea instance at the configured URL (see above).
--- a/docs/services/nextcloud.md
+++ b/docs/services/nextcloud.md
@ -198,6 +198,27 @@ nextcloud_container_additional_networks_custom:
 ########################################################################
 ```
 ###  Single-Sign-On / Authentik
 Nextcloud supports Single-Sign-On (SSO) via LDAP, SAML, and OIDC. To make use of this you'll need a Identity Provider like [authentik](./authentik.md) or [Keycloak](./keycloak.md). The following assumes you use authentik.
 **The official documentation of authentik to connect nextcloud via SAML seems broken**
 MASH can connect Nextcloud with authentik via OIDC. The setup is quite straightforward, refer to [this blogpost by Jack](https://blog.cubieserver.de/2022/complete-guide-to-nextcloud-oidc-authentication-with-authentik/) for a full explanation.
 In short you should:
 * Create a new provider in authentik and trim the client secret to <64 characters
 * Create an application in authentik using this provider
 * Install the app `user_oidc` in Nextcloud
 * Fill in the details from authentik in the app settings
 **Troubleshooting**
 If you encounter problems during login check (error message containes `SHA1 mismatch`) that
 * Nextcloud users and authentik users do not have the same name -> if they do check `Use unique user ID` in the OIDC App settings
 ## Installation
 If you've decided to install a dedicated Redis instance for Nextcloud, make sure to first do [installation](../installing.md) for the supplementary inventory host (e.g. `nextcloud.example.com-deps`), before running installation for the main one (e.g. `nextcloud.example.com`).
--- a/docs/supported-services.md
+++ b/docs/supported-services.md
@ -5,6 +5,7 @@
 | [AUX](https://github.com/mother-of-all-self-hosting/ansible-role-aux) | Auxiliary file/directory management on your server via Ansible | [Link](services/auxiliary.md) |
 | [AdGuard Home](https://adguard.com/en/adguard-home/overview.html/) | A network-wide DNS software for blocking ads & tracking | [Link](services/adguard-home.md) |
 | [Appsmith](https://www.appsmith.com/) | Platform for building and deploying custom internal tools and applications without writing code | [Link](services/appsmith.md) |
 | [authentik](https://goauthentik.io/) |  An open-source Identity Provider focused on flexibility and versatility. | [Link](services/authentik.md) |
 | [Collabora Online](https://www.collaboraoffice.com/) | Your Private Office Suite In The Cloud | [Link](services/collabora-online.md) |
 | [Docker](https://www.docker.com/) | Open-source software for deploying containerized applications | [Link](services/docker.md) |
 | [Docker Registry](https://docs.docker.com/registry/) | A container image distribution registry | [Link](services/docker-registry.md) |
--- a/group_vars/mash_servers
+++ b/group_vars/mash_servers
@ -67,6 +67,10 @@ devture_systemd_service_manager_services_list_auto: |
    +
    ([{'name': (appsmith_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'appsmith']}] if appsmith_enabled else [])
    +
    ([{'name': (authentik_server_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'authentik']}] if authentik_enabled else [])
    +
    ([{'name': (authentik_worker_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'authentik']}] if authentik_enabled else [])
    +
    ([{'name': (collabora_online_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'collabora-online']}] if collabora_online_enabled else [])
    +
    ([{'name': (devture_postgres_identifier + '.service'), 'priority': 500, 'groups': ['mash', 'postgres']}] if devture_postgres_enabled else [])
@ -211,6 +215,11 @@ devture_postgres_systemd_services_to_stop_for_maintenance_list: |
 devture_postgres_managed_databases_auto: |
  {{
    ([{
      'name': authentik_database_name,
      'username': authentik_database_username,
      'password': authentik_database_password,
    }] if authentik_enabled and authentik_database_hostname == devture_postgres_identifier else [])
    +([{
      'name': focalboard_database_name,
      'username': focalboard_database_username,
      'password': focalboard_database_password,
@ -538,6 +547,51 @@ appsmith_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certReso
 ########################################################################
 #                                                                      #
 # authentik                                                            #
 #                                                                      #
 ########################################################################
 authentik_enabled: false
 authentik_identifier: "{{ mash_playbook_service_identifier_prefix }}authentik"
 authentik_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}authentik"
 authentik_uid: "{{ mash_playbook_uid }}"
 authentik_gid: "{{ mash_playbook_gid }}"
 authentik_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}"
 authentik_database_port: "{{ '5432' if devture_postgres_enabled else '' }}"
 authentik_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'db.authentik', rounds=655555) | to_uuid }}"
 authentik_database_username: "{{ authentik_identifier }}"
 authentik_server_systemd_required_services_list_auto: |
  {{
    ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and authentik_database_hostname == devture_postgres_identifier else [])
  }}
 authentik_server_container_additional_networks_auto: |
  {{
    ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
    +
    ([devture_postgres_container_network] if devture_postgres_enabled and authentik_database_hostname == devture_postgres_identifier and authentik_server_container_network != devture_postgres_container_network else [])
  }}
 authentik_server_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
 authentik_server_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
 authentik_server_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 authentik_server_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 ########################################################################
 #                                                                      #
 # /authentik                                                           #
 #                                                                      #
 ########################################################################
 ########################################################################
 #                                                                      #
 # collabora-online                                                     #
--- a/requirements.yml
+++ b/requirements.yml
@ -6,6 +6,9 @@
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-appsmith.git
  version: v1.9.16-0
  name: appsmith
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-authentik.git
  version: v2023.4.1-2
  name: authentik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git
  version: v1.0.0-0
  name: aux
--- a/setup.yml
+++ b/setup.yml
@ -58,6 +58,8 @@
    - role: galaxy/appsmith
    - role: galaxy/authentik
    - role: galaxy/collabora_online
    - role: galaxy/docker_registry