Finish Komodo setup

Add OIDC snippet to Caddyfile Add komodo to Caddyfile
2025-02-18 01:12:53 -08:00
parent 0dcd0c9823
commit 8a2240a43e
3 changed files with 93 additions and 59 deletions
--- a/caddy/config/Caddyfile
+++ b/caddy/config/Caddyfile
@@ -92,6 +92,24 @@
 		}
 	}
 }
+(oidc) {
+	{args[0]}.tremendousturtle.tools {
+		import ttt-log {args[0]}
+		import tls
+		@not_cf header !CF-Connecting-IP
+		@cf header CF-Connecting-IP *
+
+		reverse_proxy @not_cf {args[0]}-app-1:{args[1]} {
+			header_up X-Real-IP {remote_host}
+			header_up X-Forwarded-Port {server_port}
+		}
+
+		reverse_proxy @cf {args[0]}-app-1:{args[1]} {
+			header_up X-Real-IP {http.request.header.CF-Connecting-IP}
+			header_up X-Forwarded-Port {server_port}
+		}
+	}
+}
 (redirect) {
 	{args[0]}.tremendousturtle.tools {
 		import tls
@@ -174,6 +192,9 @@ import authentik dozzle
 import authentik tautulli
 #import authentik-test stash

+# Authentik OIDC Configs
+import oidc komodo 9120
+
 stash.tremendousturtle.tools {
 	import ttt-log stash
 	import tls
--- a/komodo/.env
+++ b/komodo/.env
@@ -12,14 +12,14 @@ COMPOSE_KOMODO_IMAGE_TAG=latest

 ## Note: 🚨 Podman does NOT support local logging driver 🚨. See Podman options here:
 ## `https://docs.podman.io/en/v4.6.1/markdown/podman-run.1.html#log-driver-driver`
-COMPOSE_LOGGING_DRIVER=local # Enable log rotation with the local driver.
+COMPOSE_LOGGING_DRIVER=journald # Enable log rotation with the local driver.

 ## DB credentials - Ignored for Sqlite
-DB_USERNAME=admin
-DB_PASSWORD=admin
+KOMODO_DB_USERNAME=admin
+KOMODO_DB_PASSWORD_FILE=/run/secrets/KOMODO_DB_PASSWORD

 ## Configure a secure passkey to authenticate between Core / Periphery.
-PASSKEY=a_random_passkey
+KOMODO_PASSKEY_FILE=/run/secrets/KOMODO_PASSKEY

 #=-------------------------=#
 #= Komodo Core Environment =#
@@ -32,7 +32,7 @@ PASSKEY=a_random_passkey
 ## Docs: https://docs.docker.com/compose/how-tos/use-secrets/#examples

 ## Used for Oauth / Webhook url suggestion / Caddy reverse proxy.
-KOMODO_HOST=https://demo.komo.do
+KOMODO_HOST=https://komodo.tremendousturtle.tools
 ## Displayed in the browser tab.
 KOMODO_TITLE=Komodo
 ## Create a server matching this address as the "first server".
@@ -45,22 +45,20 @@ KOMODO_DISABLE_CONFIRM_DIALOG=false
 ## status / container status / system stats / alerting.
 ## Options: 1-sec, 5-sec, 15-sec, 1-min, 5-min.
 ## Default: 15-sec
-KOMODO_MONITORING_INTERVAL="15-sec"
+KOMODO_MONITORING_INTERVAL="5-sec"
 ## Rate Komodo polls Resources for updates,
 ## like outdated commit hash.
 ## Options: 1-min, 5-min, 15-min, 30-min, 1-hr.
 ## Default: 5-min
-KOMODO_RESOURCE_POLL_INTERVAL="5-min"
+KOMODO_RESOURCE_POLL_INTERVAL="1-min"

-## Used to auth against periphery. Alt: KOMODO_PASSKEY_FILE
-KOMODO_PASSKEY=${PASSKEY}
 ## Used to auth incoming webhooks. Alt: KOMODO_WEBHOOK_SECRET_FILE
-KOMODO_WEBHOOK_SECRET=a_random_secret
+KOMODO_WEBHOOK_SECRET_FILE=/run/secrets/KOMODO_WEBHOOK_SECRET
 ## Used to generate jwt. Alt: KOMODO_JWT_SECRET_FILE
-KOMODO_JWT_SECRET=a_random_jwt_secret
+KOMODO_JWT_SECRET_FILE=/run/secrets/KOMODO_JWT_SECRET

 ## Enable login with username + password.
-KOMODO_LOCAL_AUTH=true
+KOMODO_LOCAL_AUTH=false
 ## Disable new user signups.
 KOMODO_DISABLE_USER_REGISTRATION=false
 ## All new logins are auto enabled
@@ -72,18 +70,18 @@ KOMODO_TRANSPARENT_MODE=false

 ## Time to live for jwt tokens.
 ## Options: 1-hr, 12-hr, 1-day, 3-day, 1-wk, 2-wk
-KOMODO_JWT_TTL="1-day"
+KOMODO_JWT_TTL="1-wk"

 ## OIDC Login
-KOMODO_OIDC_ENABLED=false
+KOMODO_OIDC_ENABLED=true
 ## Must reachable from Komodo Core container
-# KOMODO_OIDC_PROVIDER=https://oidc.provider.internal/application/o/komodo
+KOMODO_OIDC_PROVIDER=https://authentik.tremendousturtle.tools/application/o/komodo/
 ## Change the host to one reachable be reachable by users (optional if it is the same as above).
 ## DO NOT include the `path` part of the URL.
-# KOMODO_OIDC_REDIRECT_HOST=https://oidc.provider.external
+KOMODO_OIDC_REDIRECT_HOST=https://authentik.tremendousturtle.tools
 ## Your client credentials
-# KOMODO_OIDC_CLIENT_ID= # Alt: KOMODO_OIDC_CLIENT_ID_FILE
-# KOMODO_OIDC_CLIENT_SECRET= # Alt: KOMODO_OIDC_CLIENT_SECRET_FILE
+KOMODO_OIDC_CLIENT_ID_FILE=/run/secrets/KOMODO_OIDC_CLIENT_ID # Alt: KOMODO_OIDC_CLIENT_ID_FILE
+KOMODO_OIDC_CLIENT_SECRET_FILE=/run/secrets/KOMODO_OIDC_CLIENT_SECRET # Alt: KOMODO_OIDC_CLIENT_SECRET_FILE
 ## Make usernames the full email.
 # KOMODO_OIDC_USE_FULL_EMAIL=true
 ## Add additional trusted audiences for token claims verification.
@@ -115,8 +113,11 @@ KOMODO_HETZNER_TOKEN= # Alt: KOMODO_HETZNER_TOKEN_FILE
 ## Full variable list + descriptions are available here:
 ## 🦎 https://github.com/mbecker20/komodo/blob/main/config/periphery.config.toml 🦎

-## Periphery passkeys must include KOMODO_PASSKEY to authenticate
-PERIPHERY_PASSKEYS=${PASSKEY}
+## Periphery passkeys must include KOMODO_PASSKEY to authenticate.
+PERIPHERY_PASSKEYS_FILE=${KOMODO_PASSKEY_FILE}
+
+## Specify the root directory used by Periphery agent.
+PERIPHERY_ROOT_DIRECTORY=/etc/komodo

 ## Enable SSL using self signed certificates.
 ## Connect to Periphery at https://address:8120.
--- a/komodo/docker-compose.yml
+++ b/komodo/docker-compose.yml
@@ -6,7 +6,6 @@
 ##   1. MongoDB
 ##   2. Komodo Core
 ##   3. Komodo Periphery
-
 name: komodo
 services:
  db:
@@ -22,13 +21,15 @@ services:
    # ports:
    #   - 27017:27017
    volumes:
-      - mongo-data:/data/db
-      - mongo-config:/data/configdb
+      - ./data/mongo-data:/data/db
+      - ./config/mongo-config:/data/configdb
    environment:
-      MONGO_INITDB_ROOT_USERNAME: ${DB_USERNAME}
-      MONGO_INITDB_ROOT_PASSWORD: ${DB_PASSWORD}
+      MONGO_INITDB_ROOT_USERNAME: ${KOMODO_DB_USERNAME}
+      MONGO_INITDB_ROOT_PASSWORD_FILE: ${KOMODO_DB_PASSWORD_FILE}
+    secrets:
+      - KOMODO_DB_PASSWORD
  
-  core:
+  app:
    image: ghcr.io/mbecker20/komodo:${COMPOSE_KOMODO_IMAGE_TAG:-latest}
    labels:
      komodo.skip: # Prevent Komodo from stopping with StopAllContainers
@@ -39,24 +40,29 @@ services:
      driver: ${COMPOSE_LOGGING_DRIVER:-local}
    networks:
      - default
+      - proxy-net
    ports:
      - 9120:9120
-    env_file: ./compose.env
+    env_file: ./.env
    environment:
      KOMODO_DATABASE_ADDRESS: db:27017
-      KOMODO_DATABASE_USERNAME: ${DB_USERNAME}
-      KOMODO_DATABASE_PASSWORD: ${DB_PASSWORD}
+      KOMODO_DATABASE_USERNAME: ${KOMODO_DB_USERNAME}
+      KOMODO_DATABASE_PASSWORD_FILE: ${KOMODO_DB_PASSWORD_FILE}
+      KOMODO_LOGGING_LEVEL: info
    volumes:
      ## Core cache for repos for latest commit hash / contents
-      - repo-cache:/repo-cache
+      - ./data/repo-cache:/repo-cache
      ## Store sync files on server
-      # - /path/to/syncs:/syncs
+      - ./data/syncs:/syncs
      ## Optionally mount a custom core.config.toml
      # - /path/to/core.config.toml:/config/config.toml
-    ## Allows for systemd Periphery connection at 
-    ## "http://host.docker.internal:8120"
-    # extra_hosts:
-    #   - host.docker.internal:host-gateway
+    secrets:
+      - KOMODO_DB_PASSWORD
+      - KOMODO_PASSKEY
+      - KOMODO_WEBHOOK_SECRET
+      - KOMODO_JWT_SECRET
+      - KOMODO_OIDC_CLIENT_SECRET
+      - KOMODO_OIDC_CLIENT_ID

  ## Deploy Periphery container using this block,
  ## or deploy the Periphery binary with systemd using 
@@ -70,34 +76,40 @@ services:
      driver: ${COMPOSE_LOGGING_DRIVER:-local}
    networks:
      - default
-    env_file: ./compose.env
+    env_file: ./.env
+    environment:
+      PERIPHERY_REPO_DIR: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/repos
+      PERIPHERY_STACK_DIR: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/stacks
+      PERIPHERY_SSL_KEY_FILE: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/ssl/key.pem
+      PERIPHERY_SSL_CERT_FILE: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/ssl/cert.pem
    volumes:
      ## Mount external docker socket
      - /var/run/docker.sock:/var/run/docker.sock
      ## Allow Periphery to see processes outside of container
      - /proc:/proc
-      ## use self signed certs in docker volume, 
-      ## or mount your own signed certs.
-      - ssl-certs:/etc/komodo/ssl
-      ## manage repos in a docker volume, 
-      ## or change it to an accessible host directory.
-      - repos:/etc/komodo/repos
-      ## manage stack files in a docker volume, 
-      ## or change it to an accessible host directory.
-      - stacks:/etc/komodo/stacks
-      ## Optionally mount a path to store compose files
-      # - /path/to/compose:/host/compose
-
-volumes:
-  # Mongo
-  mongo-data:
-  mongo-config:
-  # Core
-  repo-cache:
-  # Periphery
-  ssl-certs:
-  repos:
-  stacks:
+      ## Specify the Periphery agent root directory.
+      ## Must be the same inside and outside the container,
+      ## or docker will get confused. See https://github.com/mbecker20/komodo/discussions/180.
+      ## Default: /etc/komodo.
+      - ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}:${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}
+    secrets:
+      - KOMODO_PASSKEY

 networks:
  default: {}
+  proxy-net:
+    external: true
+
+secrets:
+  KOMODO_DB_PASSWORD:
+    file: ./secrets/KOMODO_DB_PASSWORD
+  KOMODO_PASSKEY:
+    file: ./secrets/KOMODO_PASSKEY
+  KOMODO_WEBHOOK_SECRET:
+    file: ./secrets/KOMODO_WEBHOOK_SECRET
+  KOMODO_JWT_SECRET:
+    file: ./secrets/KOMODO_JWT_SECRET
+  KOMODO_OIDC_CLIENT_SECRET:
+    file: ./secrets/KOMODO_OIDC_CLIENT_SECRET
+  KOMODO_OIDC_CLIENT_ID:
+    file: ./secrets/KOMODO_OIDC_CLIENT_ID