small upadte

ansible/auth.yaml

@@ -0,0 +1,8 @@
+---
+# file: auth.yaml
+- hosts: auth
+  roles:
+    - common
+    - ldap_client
+    - docker
+    - pocketid

ansible/dns.yaml

@@ -4,3 +4,4 @@
   roles:
     - common
     - unbound
+    - netbird_peer

ansible/gitea.yaml

@@ -6,4 +6,5 @@
     - lego
     - nginx
     - gitea
+    - netbird_peer
     - ldap_client

ansible/inventories/production/host_vars/auth.home.jthan.io/vars.yaml

@@ -0,0 +1,3 @@
+pocket_id_encryption_key: "{{ lookup('bitwarden.secrets.lookup', '6a5549a9-0f64-4791-94d1-b43b00254c42') }}"
+pocket_id_version: 2.6.2
+pocket_id_sha256: "348c2cfb6457d31078327c203896c29509d0417982c78bfac185d07859dc5b86"

ansible/inventories/production/host_vars/git.jthan.io/vars.yaml

@@ -14,3 +14,8 @@ olm_secret: "{{ lookup('bitwarden.secrets.lookup', 'a9499a7f-4b3e-4c1b-97a0-b3de
 olm_loglevel: "INFO"
 olm_override_dns: "false"
 olm_tunnel_dns: "true"
+
+netbird_version: "0.68.3"
+netbird_arch: "amd64"
+netbird_sha256: "596adb7b74c6d9d2104bb517a4fa0353bcb1e889bd89aaf2b52a21ef58285ae9"
+netbird_setup_key: "{{ lookup('bitwarden.secrets.lookup', '4ba58bbe-e459-4978-894b-b43000561a2f') }}"

ansible/inventories/production/host_vars/netbird.jthan.io/vars.yaml

@@ -1 +1,6 @@
 root_pw: "{{ lookup('bitwarden.secrets.lookup', 'a3402c94-7082-4d70-8436-b42e002c8e18') }}"
+
+netbird_version: "0.68.3"
+netbird_arch: "amd64"
+netbird_sha256: "596adb7b74c6d9d2104bb517a4fa0353bcb1e889bd89aaf2b52a21ef58285ae9"
+netbird_setup_key: "{{ lookup('bitwarden.secrets.lookup', '88be4f9e-2558-455f-a34a-b436003684af') }}"

ansible/inventories/production/host_vars/rpi0.home.jthan.io/vars.yaml

@@ -1,3 +1,8 @@
+netbird_version: "0.68.3"
+netbird_arch: "arm64"
+netbird_sha256: "a3ba352f2b2bfbcd1bf157257b3b1fbe4c9d21dee2a7cb15e9c36b2a092563d9 "
+netbird_setup_key: "{{ lookup('bitwarden.secrets.lookup', 'ceda19a5-3efb-4bcf-ac84-b43000086ea4') }}"
+
 private_domains:
   - name: jthan.io
     records:
@@ -24,6 +29,9 @@ private_domains:
       - type: A
         name: "storage0.home.jthan.io"
         value: 192.168.1.3
+      - type: A
+        name: "auth.home.jthan.io"
+        value: 192.168.1.7
       - type: A
         name: "proxy0.home.jthan.io"
         value: 192.168.1.7
@@ -69,6 +77,9 @@ private_domains:
       - type: AAAA
         name: "docker.home.jthan.io"
         value: "2602:fb57:c20:b00:be24:11ff:fef4:1b8d"
+      - type: AAAA
+        name: "auth.home.jthan.io"
+        value: "2602:fb57:c20:b00:be24:11ff:fee6:8593"
       - type: CNAME
         name: "ha.home.jthan.io"
         value: "proxy0.home.jthan.io"

ansible/inventories/production/hosts.ini

@@ -4,9 +4,6 @@ git.jthan.io
 [dns]
 rpi0.home.jthan.io
 
-[pangolin_server]
-pangolin.jthan.io
-
 [authentik]
 authentik.home.jthan.io ansible_host=192.168.1.8
 
@@ -31,3 +28,6 @@ netbird.jthan.io
 
 [dockhand]
 docker.home.jthan.io
+
+[auth]
+auth.home.jthan.io ansible_host=192.168.1.5

ansible/netbird_server.yaml

@@ -4,3 +4,6 @@
   roles:
     - common
     - docker
+    - netbird_peer # can be server and peer to access internal resources
+    - ldap_client # which allows us to talk to ldap, authentik, etc.
+

ansible/roles/netbird_peer/handlers/main.yaml

@@ -0,0 +1,9 @@
+- name: restart netbird
+  service:
+    name: netbird
+    state: restarted
+
+- name: restart firewalld
+  service:
+    name: firewalld
+    state: restarted

ansible/roles/netbird_peer/tasks/main.yaml

@@ -0,0 +1,88 @@
+- name: Create temporary netbird unarchive directory
+  file: 
+    path: "/tmp/netbird_{{ netbird_version }}"
+    state: directory
+    mode: '0700'
+    owner: root
+    group: root
+
+- name: Download and verify the netbird archive
+  get_url:
+    url: "https://github.com/netbirdio/netbird/releases/download/v{{ netbird_version }}/netbird_{{ netbird_version }}_linux_{{ netbird_arch }}.tar.gz"
+    dest: "/tmp/netbird-{{ netbird_version }}.linux-{{ netbird_arch }}.tar.gz"
+    checksum: "sha256:{{ netbird_sha256 }}"
+  register: download_result
+
+- name: Unarchive netbird binary
+  unarchive:
+    src: "{{ download_result.dest }}"
+    dest: "/tmp/netbird_{{ netbird_version }}"
+    remote_src: true # Indicates the source file is on the remote host
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Copy netbird binary to /usr/local/bin
+  copy:
+    src: "/tmp/netbird_{{ netbird_version }}/netbird"
+    dest: "/usr/local/bin/netbird-{{ netbird_version }}"
+    owner: root
+    group: root
+    mode: '0755'
+    remote_src: yes
+
+- name: Create netbird binary symlink
+  file:
+    src: "/usr/local/bin/netbird-{{ netbird_version }}"
+    dest: "/usr/local/bin/netbird"
+    state: link
+    owner: root
+    group: root
+    mode: '0755' # Permissions for the target file
+    force: yes 
+
+- name: Run command to generate netbird systemd unit file
+  command: 
+    cmd: /usr/local/bin/netbird service install
+    creates: /etc/systemd/system/netbird.service
+  register: netbird_service
+
+- name: systemctl daemon-reload to pickup netbird service changes
+  systemd_service:
+    daemon_reload: true
+  when: netbird_service.changed
+  notify: restart netbird
+
+- name: Start and enable netbird service
+  service:
+    name: netbird
+    state: started
+    enabled: true
+    daemon_reload: true
+
+- name: Run netbird up with setup key
+  command:
+    cmd: /usr/local/bin/netbird up --setup-key {{ netbird_setup_key }} --management-url https://netbird.jthan.io:443
+
+- name: Create netbird firewalld zone
+  ansible.posix.firewalld:
+    zone: netbird
+    state: present
+    permanent: true
+  notify: restart firewalld
+
+- name: Set netbird zone target to ACCEPT
+  ansible.posix.firewalld:
+    zone: netbird
+    state: present
+    permanent: true
+    target: ACCEPT
+  notify: restart firewalld
+
+- name: Add netbird interface to netbird zone 
+  ansible.posix.firewalld:
+    zone: netbird
+    interface: wt0
+    permanent: true
+    state: enabled
+  notify: restart firewalld

ansible/roles/pocketid/tasks/main.yaml

@@ -0,0 +1,55 @@
+- name: Create a pocketid group
+  group:
+    name: pocketid
+    state: present
+    gid: 1050 
+
+- name: Create a pocketid user
+  user:
+    name: pocketid
+    uid: 1050
+    group: 1050
+    comment: "pocketid user"
+    shell: /bin/bash
+    state: present
+    create_home: yes
+
+- name: Create pocketid directory
+  file:
+    path: /home/pocketid/pocketid
+    state: directory
+    mode: '0755'
+    owner: pocketid
+    group: pocketid
+
+- name: Create encryption key file
+  template:
+    src: pocket_id_encryption_key.j2
+    dest: /home/pocketid/pocketid/pocket_id_encryption_key
+    owner: pocketid
+    group: pocketid
+    mode: '0600'  
+  no_log: true    # Prevents secret from appearing in logs
+
+- name: Create env file
+  template:
+    src: templates/pocketid.env.j2
+    dest: /home/pocketid/pocketid/.env
+    owner: pocketid
+    group: pocketid
+    mode: '0600'  
+  no_log: true    # Prevents secret from appearing in logs
+
+- name: Create or update docker-compose
+  template:
+    src: templates/docker-compose.yaml.j2
+    dest: /home/pocketid/pocketid/docker-compose.yaml
+    owner: pocketid
+    group: pocketid
+    mode: 0600
+
+- name: Create and start pocketid
+  community.docker.docker_compose_v2:
+    project_src: /home/pocketid/pocketid/
+    build: always
+  register: output

ansible/roles/pocketid/tasks/templates/docker-compose.yaml.j2

@@ -0,0 +1,21 @@
+secrets:
+  pocket_id_encryption_key:
+    file: ./pocket_id_encryption_key
+services:
+  pocket-id:
+    image: ghcr.io/pocket-id/pocket-id:v{{ pocket_id_version }}
+    restart: unless-stopped
+    env_file: .env
+    ports:
+      - 1411:1411
+    volumes:
+      - "./data:/app/data"
+    # Optional healthcheck
+    healthcheck:
+      test: [ "CMD", "/app/pocket-id", "healthcheck" ]
+      interval: 1m30s
+      timeout: 5s
+      retries: 2
+      start_period: 10s
+    secrets:
+      - pocket_id_encryption_key

ansible/roles/pocketid/tasks/templates/pocket_id_encryption_key.j2

@@ -0,0 +1 @@
+{{ pocket_id_encryption_key }}

ansible/roles/pocketid/tasks/templates/pocketid.env.j2

@@ -0,0 +1,18 @@
+# See the documentation for more information: https://pocket-id.org/docs/configuration/environment-variables
+
+# These variables must be configured for your deployment:
+APP_URL=https://{{ inventory_hostname }}
+
+# Encryption key (choose one method):
+# Method 1: Direct key (simple but less secure)
+# Generate with: openssl rand -base64 32
+# ENCRYPTION_KEY=
+# Method 2: File-based key (recommended)
+# Put the base64 key in a file and point to it here.
+ENCRYPTION_KEY_FILE=/run/secrets/pocket_id_encryption_key
+
+# These variables are optional but recommended to review:
+TRUST_PROXY=true
+MAXMIND_LICENSE_KEY=
+PUID=1050
+PGID=1050

ansible/site.yaml

@@ -10,5 +10,5 @@
 - import_playbook: irc.yaml
 - import_playbook: syncthing.yaml
 - import_playbook: dockhand.yaml
-#- import_playbook: authentik.yaml
+- import_playbook: auth.yaml