Finish Komodo setup

Add OIDC snippet to Caddyfile Add komodo to Caddyfile
2025-02-18 01:12:53 -08:00
parent 0dcd0c9823
commit 8a2240a43e
3 changed files with 93 additions and 59 deletions
--- a/caddy/config/Caddyfile
+++ b/caddy/config/Caddyfile
@@ -92,6 +92,24 @@
 		}
 	}
 }
 (oidc) {
 	{args[0]}.tremendousturtle.tools {
 		import ttt-log {args[0]}
 		import tls
 		@not_cf header !CF-Connecting-IP
 		@cf header CF-Connecting-IP *
 		reverse_proxy @not_cf {args[0]}-app-1:{args[1]} {
 			header_up X-Real-IP {remote_host}
 			header_up X-Forwarded-Port {server_port}
 		}
 		reverse_proxy @cf {args[0]}-app-1:{args[1]} {
 			header_up X-Real-IP {http.request.header.CF-Connecting-IP}
 			header_up X-Forwarded-Port {server_port}
 		}
 	}
 }
 (redirect) {
 	{args[0]}.tremendousturtle.tools {
 		import tls
@@ -174,6 +192,9 @@ import authentik dozzle
 import authentik tautulli
 #import authentik-test stash
 # Authentik OIDC Configs
 import oidc komodo 9120
 stash.tremendousturtle.tools {
 	import ttt-log stash
 	import tls
--- a/komodo/.env
+++ b/komodo/.env
@@ -12,14 +12,14 @@ COMPOSE_KOMODO_IMAGE_TAG=latest
 ## Note: 🚨 Podman does NOT support local logging driver 🚨. See Podman options here:
 ## `https://docs.podman.io/en/v4.6.1/markdown/podman-run.1.html#log-driver-driver`
-COMPOSE_LOGGING_DRIVER=local # Enable log rotation with the local driver.
+COMPOSE_LOGGING_DRIVER=journald # Enable log rotation with the local driver.
 ## DB credentials - Ignored for Sqlite
-DB_USERNAME=admin
+KOMODO_DB_USERNAME=admin
-DB_PASSWORD=admin
+KOMODO_DB_PASSWORD_FILE=/run/secrets/KOMODO_DB_PASSWORD
 ## Configure a secure passkey to authenticate between Core / Periphery.
-PASSKEY=a_random_passkey
+KOMODO_PASSKEY_FILE=/run/secrets/KOMODO_PASSKEY
 #=-------------------------=#
 #= Komodo Core Environment =#
@@ -32,7 +32,7 @@ PASSKEY=a_random_passkey
 ## Docs: https://docs.docker.com/compose/how-tos/use-secrets/#examples
 ## Used for Oauth / Webhook url suggestion / Caddy reverse proxy.
-KOMODO_HOST=https://demo.komo.do
+KOMODO_HOST=https://komodo.tremendousturtle.tools
 ## Displayed in the browser tab.
 KOMODO_TITLE=Komodo
 ## Create a server matching this address as the "first server".
@@ -45,22 +45,20 @@ KOMODO_DISABLE_CONFIRM_DIALOG=false
 ## status / container status / system stats / alerting.
 ## Options: 1-sec, 5-sec, 15-sec, 1-min, 5-min.
 ## Default: 15-sec
-KOMODO_MONITORING_INTERVAL="15-sec"
+KOMODO_MONITORING_INTERVAL="5-sec"
 ## Rate Komodo polls Resources for updates,
 ## like outdated commit hash.
 ## Options: 1-min, 5-min, 15-min, 30-min, 1-hr.
 ## Default: 5-min
-KOMODO_RESOURCE_POLL_INTERVAL="5-min"
+KOMODO_RESOURCE_POLL_INTERVAL="1-min"
 ## Used to auth against periphery. Alt: KOMODO_PASSKEY_FILE
 KOMODO_PASSKEY=${PASSKEY}
 ## Used to auth incoming webhooks. Alt: KOMODO_WEBHOOK_SECRET_FILE
-KOMODO_WEBHOOK_SECRET=a_random_secret
+KOMODO_WEBHOOK_SECRET_FILE=/run/secrets/KOMODO_WEBHOOK_SECRET
 ## Used to generate jwt. Alt: KOMODO_JWT_SECRET_FILE
-KOMODO_JWT_SECRET=a_random_jwt_secret
+KOMODO_JWT_SECRET_FILE=/run/secrets/KOMODO_JWT_SECRET
 ## Enable login with username + password.
-KOMODO_LOCAL_AUTH=true
+KOMODO_LOCAL_AUTH=false
 ## Disable new user signups.
 KOMODO_DISABLE_USER_REGISTRATION=false
 ## All new logins are auto enabled
@@ -72,18 +70,18 @@ KOMODO_TRANSPARENT_MODE=false
 ## Time to live for jwt tokens.
 ## Options: 1-hr, 12-hr, 1-day, 3-day, 1-wk, 2-wk
-KOMODO_JWT_TTL="1-day"
+KOMODO_JWT_TTL="1-wk"
 ## OIDC Login
-KOMODO_OIDC_ENABLED=false
+KOMODO_OIDC_ENABLED=true
 ## Must reachable from Komodo Core container
-# KOMODO_OIDC_PROVIDER=https://oidc.provider.internal/application/o/komodo
+KOMODO_OIDC_PROVIDER=https://authentik.tremendousturtle.tools/application/o/komodo/
 ## Change the host to one reachable be reachable by users (optional if it is the same as above).
 ## DO NOT include the `path` part of the URL.
-# KOMODO_OIDC_REDIRECT_HOST=https://oidc.provider.external
+KOMODO_OIDC_REDIRECT_HOST=https://authentik.tremendousturtle.tools
 ## Your client credentials
-# KOMODO_OIDC_CLIENT_ID= # Alt: KOMODO_OIDC_CLIENT_ID_FILE
+KOMODO_OIDC_CLIENT_ID_FILE=/run/secrets/KOMODO_OIDC_CLIENT_ID # Alt: KOMODO_OIDC_CLIENT_ID_FILE
-# KOMODO_OIDC_CLIENT_SECRET= # Alt: KOMODO_OIDC_CLIENT_SECRET_FILE
+KOMODO_OIDC_CLIENT_SECRET_FILE=/run/secrets/KOMODO_OIDC_CLIENT_SECRET # Alt: KOMODO_OIDC_CLIENT_SECRET_FILE
 ## Make usernames the full email.
 # KOMODO_OIDC_USE_FULL_EMAIL=true
 ## Add additional trusted audiences for token claims verification.
@@ -115,8 +113,11 @@ KOMODO_HETZNER_TOKEN= # Alt: KOMODO_HETZNER_TOKEN_FILE
 ## Full variable list + descriptions are available here:
 ## 🦎 https://github.com/mbecker20/komodo/blob/main/config/periphery.config.toml 🦎
-## Periphery passkeys must include KOMODO_PASSKEY to authenticate
+## Periphery passkeys must include KOMODO_PASSKEY to authenticate.
-PERIPHERY_PASSKEYS=${PASSKEY}
+PERIPHERY_PASSKEYS_FILE=${KOMODO_PASSKEY_FILE}
 ## Specify the root directory used by Periphery agent.
 PERIPHERY_ROOT_DIRECTORY=/etc/komodo
 ## Enable SSL using self signed certificates.
 ## Connect to Periphery at https://address:8120.
--- a/komodo/docker-compose.yml
+++ b/komodo/docker-compose.yml
@@ -6,7 +6,6 @@
 ##   1. MongoDB
 ##   2. Komodo Core
 ##   3. Komodo Periphery
 name: komodo
 services:
  db:
@@ -22,13 +21,15 @@ services:
    # ports:
    #   - 27017:27017
    volumes:
-      - mongo-data:/data/db
+      - ./data/mongo-data:/data/db
-      - mongo-config:/data/configdb
+      - ./config/mongo-config:/data/configdb
    environment:
-      MONGO_INITDB_ROOT_USERNAME: ${DB_USERNAME}
+      MONGO_INITDB_ROOT_USERNAME: ${KOMODO_DB_USERNAME}
-      MONGO_INITDB_ROOT_PASSWORD: ${DB_PASSWORD}
+      MONGO_INITDB_ROOT_PASSWORD_FILE: ${KOMODO_DB_PASSWORD_FILE}
    secrets:
      - KOMODO_DB_PASSWORD
-  core:
+  app:
    image: ghcr.io/mbecker20/komodo:${COMPOSE_KOMODO_IMAGE_TAG:-latest}
    labels:
      komodo.skip: # Prevent Komodo from stopping with StopAllContainers
@@ -39,24 +40,29 @@ services:
      driver: ${COMPOSE_LOGGING_DRIVER:-local}
    networks:
      - default
      - proxy-net
    ports:
      - 9120:9120
-    env_file: ./compose.env
+    env_file: ./.env
    environment:
      KOMODO_DATABASE_ADDRESS: db:27017
-      KOMODO_DATABASE_USERNAME: ${DB_USERNAME}
+      KOMODO_DATABASE_USERNAME: ${KOMODO_DB_USERNAME}
-      KOMODO_DATABASE_PASSWORD: ${DB_PASSWORD}
+      KOMODO_DATABASE_PASSWORD_FILE: ${KOMODO_DB_PASSWORD_FILE}
      KOMODO_LOGGING_LEVEL: info
    volumes:
      ## Core cache for repos for latest commit hash / contents
-      - repo-cache:/repo-cache
+      - ./data/repo-cache:/repo-cache
      ## Store sync files on server
-      # - /path/to/syncs:/syncs
+      - ./data/syncs:/syncs
      ## Optionally mount a custom core.config.toml
      # - /path/to/core.config.toml:/config/config.toml
-    ## Allows for systemd Periphery connection at 
+    secrets:
-    ## "http://host.docker.internal:8120"
+      - KOMODO_DB_PASSWORD
-    # extra_hosts:
+      - KOMODO_PASSKEY
-    #   - host.docker.internal:host-gateway
+      - KOMODO_WEBHOOK_SECRET
      - KOMODO_JWT_SECRET
      - KOMODO_OIDC_CLIENT_SECRET
      - KOMODO_OIDC_CLIENT_ID
  ## Deploy Periphery container using this block,
  ## or deploy the Periphery binary with systemd using 
@@ -70,34 +76,40 @@ services:
      driver: ${COMPOSE_LOGGING_DRIVER:-local}
    networks:
      - default
-    env_file: ./compose.env
+    env_file: ./.env
    environment:
      PERIPHERY_REPO_DIR: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/repos
      PERIPHERY_STACK_DIR: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/stacks
      PERIPHERY_SSL_KEY_FILE: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/ssl/key.pem
      PERIPHERY_SSL_CERT_FILE: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/ssl/cert.pem
    volumes:
      ## Mount external docker socket
      - /var/run/docker.sock:/var/run/docker.sock
      ## Allow Periphery to see processes outside of container
      - /proc:/proc
-      ## use self signed certs in docker volume, 
+      ## Specify the Periphery agent root directory.
-      ## or mount your own signed certs.
+      ## Must be the same inside and outside the container,
-      - ssl-certs:/etc/komodo/ssl
+      ## or docker will get confused. See https://github.com/mbecker20/komodo/discussions/180.
-      ## manage repos in a docker volume, 
+      ## Default: /etc/komodo.
-      ## or change it to an accessible host directory.
+      - ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}:${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}
-      - repos:/etc/komodo/repos
+    secrets:
-      ## manage stack files in a docker volume, 
+      - KOMODO_PASSKEY
      ## or change it to an accessible host directory.
      - stacks:/etc/komodo/stacks
      ## Optionally mount a path to store compose files
      # - /path/to/compose:/host/compose
 volumes:
  # Mongo
  mongo-data:
  mongo-config:
  # Core
  repo-cache:
  # Periphery
  ssl-certs:
  repos:
  stacks:
 networks:
  default: {}
  proxy-net:
    external: true
 secrets:
  KOMODO_DB_PASSWORD:
    file: ./secrets/KOMODO_DB_PASSWORD
  KOMODO_PASSKEY:
    file: ./secrets/KOMODO_PASSKEY
  KOMODO_WEBHOOK_SECRET:
    file: ./secrets/KOMODO_WEBHOOK_SECRET
  KOMODO_JWT_SECRET:
    file: ./secrets/KOMODO_JWT_SECRET
  KOMODO_OIDC_CLIENT_SECRET:
    file: ./secrets/KOMODO_OIDC_CLIENT_SECRET
  KOMODO_OIDC_CLIENT_ID:
    file: ./secrets/KOMODO_OIDC_CLIENT_ID