Merge pull request #6 from ahembree/add-authentik

Add authentik

README.md

@@ -1,6 +1,6 @@
 # ansible-hms-docker
 
-Ansible Playbook to setup an automated Home Media Server stack running on Docker across a variety of platforms with support for GPUs, SSL, DDNS, and more.
+Ansible Playbook to setup an automated Home Media Server stack running on Docker across a variety of platforms with support for GPUs, SSL, SSO, DDNS, and more.
 
 ## Getting Started
 
@@ -9,6 +9,7 @@ Ansible Playbook to setup an automated Home Media Server stack running on Docker
 - [Configuration](#configuration)
 - [Connecting the containers](#connecting-the-containers)
 - [Only generate config files](#only-generate-config-files)
+- [Using Authentik](#using-authentik)
 
 ## Container List
 
@@ -26,6 +27,7 @@ Ansible Playbook to setup an automated Home Media Server stack running on Docker
 - Requestrr: chat client for requests
 - Watchtower: automatic container updates (if enabled)
 - Cloudflare-ddns: dynamic dns (if enabled)
+- Authentik: SSO
 
 ## Other Features
 
@@ -36,6 +38,7 @@ Ansible Playbook to setup an automated Home Media Server stack running on Docker
 - Dynamic DNS updates
 - Wildcard SSL certificate generation
 - Support for multiple network shares
+- Single Sign-On with Authentik
 
 ## Supported Platforms
 
@@ -54,7 +57,7 @@ Ansible Playbook to setup an automated Home Media Server stack running on Docker
 - `root` or `sudo` access
 - Supported Platform
 - 4 CPU Cores
-- Minimum 4GB RAM
+- Minimum 4GB RAM (2GB additional if using Authentik)
 - Minimum 8GB free disk space
 - Nvidia GPU drivers already installed (if using Nvidia GPU acceleration)
 - Python 3.8 (Recommended, minimum Python 3.6)
@@ -145,9 +148,11 @@ It is recommended to read and follow this guide entirely as there is a lot of co
 
 ## Configuration of the `vars/default.yml` file
 
+This is personal preference, but you may want to copy this `vars/default.yml` file to a `vars/custom.yml` file and then update the `vars_files` line in the `hms-docker.yml` file to point to your new custom file.
+
 - Settings to configure:
 
-  - `plex_claim_token` : (optional) your Plex claim code from https://plex.tv/claim
+  - `plex_claim_token` : (optional) your Plex claim code from [Plex's website](https://plex.tv/claim)
   - `hms_docker_domain` : the local domain name of the server to be used for proxy rules and SSL certificates (e.g. `home.local`)
   - `transmission_vpn_user` : the username of the VPN user
   - `transmission_vpn_pass` : the password of the VPN user
@@ -186,8 +191,9 @@ It is recommended to read and follow this guide entirely as there is a lot of co
   - `cloudflare_ddns_subdomain` : the subdomain record (e.g. `overseerr` would be created as `overseerr.example.com`) (default: `overseerr`)
   - `cloudflare_ddns_proxied` : `'true'` or `'false'` to enable/disable proxying the traffic through Cloudflare (default: `'true'`)
 
-- Optional settings to configure:
-  - If you with to use a more advanced configuration, you can run this command to replace the standard config with the default advanced config:
+### Optional settings to configure
+
+- If you with to use a more advanced configuration, you can run this command to replace the standard config with the default advanced config:
 
   ```bash
   cp roles/hmsdocker/defaults/main.yml vars/default.yml
@@ -211,7 +217,9 @@ If you do not already have a "wildcard" DNS record setup for the domain you used
 
 You can also create individual A records for each container listed in the table below.
 
-If the above DNS requirements are met, you can then access the containers by using the following URLs (substituting `{{ domain }}` for the domain you used):
+If the above DNS requirements are met, you can then access the containers by using the following URLs (substituting `{{ domain }}` for the domain you used).
+
+You can also change the subdomain of each application within the advanced `hms_docker_container_map` setting.
 
 Plex: `https://plex.{{ domain }}`
 
@@ -235,27 +243,30 @@ Traefik: `https://traefik.{{ domain }}`
 
 NZBGet: `https://nzbget.{{ domain }}`
 
+Authentik: `https://authentik.{{ domain }}`
+
 ## Connecting the Containers
 
 When connecting Prowlarr to Sonarr and Radarr and etc, you can use the name of the container (e.g. `prowlarr` or `radarr`) and then defining the container port to connect to (e.g. `prowlarr:9696` or `radarr:7878`).
 
 If you choose to expose the container ports on the host (by setting `container_expose_ports: yes` in the `vars/default.yml` file), see below for which ports are mapped to which container on the host.
 
-| Service Name       | Container Name       | Host Port (if enabled) | Container Port | Accessible via Traefik |
-| ------------------ | -------------------- | ---------------------- | -------------- | ---------------------- |
-| Plex               | `plex`               | `32400`                | `32400`        | ☑                |
-| Sonarr             | `sonarr`             | `8989`                 | `8989`         | ☑                |
-| Radarr             | `radarr`             | `7878`                 | `7878`         | ☑                |
-| Prowlarr           | `prowlarr`           | `9696`                 | `9696`         | ☑                |
-| Overseerr          | `Overseerr`          | `5055`                 | `5055`         | ☑                |
-| Requestrr          | `Requestrr`          | `4545`                 | `4545`         | ☑                |
-| Transmission       | `transmission`       | `9091`                 | `9091`         | ☑                |
-| Transmission Proxy | `transmission-proxy` | `8081`                 | `8080`         | ☐                |
-| Portainer          | `portainer`          | `9000`                 | `9000`         | ☑                |
-| Bazarr             | `bazarr`             | `6767`                 | `6767`         | ☑                |
-| Tautulli           | `tautulli`           | `8181`                 | `8181`         | ☑                |
-| Traefik            | `traefik`            | `8080`                 | `8080`         | ☑                |
-| NZBGet             | `nzbget`             | `6789`                 | `6789`         | ☑                |
+| Service Name       | Container Name       | Host Port (if enabled) | Container Port    | Accessible via Traefik |
+| ------------------ | -------------------- | ---------------------- | ----------------- | ---------------------- |
+| Plex               | `plex`               | `32400`                | `32400`           | ☑                |
+| Sonarr             | `sonarr`             | `8989`                 | `8989`            | ☑                |
+| Radarr             | `radarr`             | `7878`                 | `7878`            | ☑                |
+| Prowlarr           | `prowlarr`           | `9696`                 | `9696`            | ☑                |
+| Overseerr          | `Overseerr`          | `5055`                 | `5055`            | ☑                |
+| Requestrr          | `Requestrr`          | `4545`                 | `4545`            | ☑                |
+| Transmission       | `transmission`       | `9091`                 | `9091`            | ☑                |
+| Transmission Proxy | `transmission-proxy` | `8081`                 | `8080`            | ☐                |
+| Portainer          | `portainer`          | `9000`                 | `9000`            | ☑                |
+| Bazarr             | `bazarr`             | `6767`                 | `6767`            | ☑                |
+| Tautulli           | `tautulli`           | `8181`                 | `8181`            | ☑                |
+| Traefik            | `traefik`            | `8080`                 | `8080`            | ☑                |
+| NZBGet             | `nzbget`             | `6789`                 | `6789`            | ☑                |
+| Authentik          | `authentic-server`   | `9000` and `9443`      | `9000` and `9443` | ☑                |
 
 ## Only generate config files
 
@@ -266,3 +277,77 @@ ansible-playbook -i inventory --connection local generate-configs.yml
 ```
 
 By default, it will output these configs into `/opt/hms-docker/`
+
+## Using Authentik
+
+In order to use Authentik, you must be using the [advanced configuration outlined above](#optional-settings-to-configure).
+
+This Authentik installation is based on the [single application](https://goauthentik.io/docs/providers/proxy/forward_auth#single-application) proxy provider configuration.
+
+There are no authentik proxy containers defined in the `docker-compose.yml` file. This is because authentik will auto-detect the Docker socket and be able to start/stop its own proxy containers by using the configurations below.
+
+Authentik is able to be controlled on a per-container basis, but requires a bit of configuration as outlined below:
+
+1. Within the advanced variable settings (as outlined in the [optional settings setup](#optional-settings-to-configure)), enable the authentik container and enable authentik for the containers you want using the `hms_docker_container_map` variable
+
+2. Run the playbook as normal
+
+3. Once all containers are started, go to `https://authentik.{{ domain }}/if/flow/initial-setup/` to create the initial user and password to continue Authentik setup
+
+4. **Configure an Application Provider within Authentik**
+
+    a. Login
+
+    b. Go to the Admin panel
+
+    c. Expand `Applications` on the left
+
+    d. Click `Providers`
+
+    e. Create a new `Proxy Provider`
+
+    f. Give it the same name as the application (such as Sonarr)
+
+    g. Select `Forward auth (single application)`
+
+    h. Set the `External host` to the URL of the application (such as `sonarr.{{ domain }}`)
+
+    i. Click finish
+
+5. **Configure an Application**
+
+    a. Do a-c again
+
+    b. Click `Applications`
+
+    c. Create a new Application with its name, slug (lowercase name for it), and select the provider created for the application
+
+    d. Click `Create` and now you should have Authentik in front of the application!
+
+6. **Configure an Application Outpost**
+
+    a. Do a-c above
+
+    b. Click `Outposts`
+
+    c. Give it a name, the `type` is `Proxy` and integration should be the `Local Docker connection`
+
+    d. Select the application to associate it to
+
+    e. IMPORTANT: copy the correct configuration generated in: `{{ hms_docker_apps_path }}/authentik/outposts/authentik-{{ container_name }}-output.yml` (so by default: `/opt/hms-docker/authentik/...`)
+
+    * If a configuration does not exist for the container you want, ensure you've enabled authentik and have enabled authentik for that specific container
+
+    f. Replace the configuration in the authentik webpage with this generated configuration, otherwise stuff will not work correctly.
+
+    g. Once you click create, it will automatically create a new authentik-proxy container that will handle authentication.
+
+    h. Note: it will take some time to setup the proxy, be patient
+
+7. **Troubleshooting**
+
+    a. Using the Traefik and Portainer dashboards help a LOT during the troubleshooting process
+
+    b. If you're getting a `404 not found` error, this is likely due to the `authentik-proxy` containers not working, running, or not being configured correctly. If you just configured a new application output, wait a couple more minutes.
+
+    c. If you're getting a `500` server error, this is possibly due to having duplicate Traefik routes for the same host rules

hms-docker.yml

@@ -8,6 +8,7 @@
 
   vars_files:
     - vars/default.yml
+    - vars/._computed.yml
 
   roles:
     - docker

roles/hmsdocker/defaults/main.yml

@@ -345,62 +345,92 @@ hms_docker_compose_container_state: present
 hms_docker_container_map:
   traefik:
     enabled: yes
+    proxy_host_rule: traefik
     directory: yes
     traefik: yes
+    authentik: no
   sonarr:
     enabled: yes
+    proxy_host_rule: sonarr
     directory: yes
     traefik: yes
+    authentik: no
     expose_to_public: no
   radarr:
     enabled: yes
+    proxy_host_rule: radarr
     directory: yes
     traefik: yes
+    authentik: no
     expose_to_public: no
   bazarr:
     enabled: yes
+    proxy_host_rule: bazarr
     directory: yes
     traefik: yes
+    authentik: no
     expose_to_public: no
   transmission:
     enabled: yes
+    proxy_host_rule: transmission
     directory: yes
     traefik: yes
+    authentik: no
     expose_to_public: no
   portainer:
     enabled: yes
+    proxy_host_rule: portainer
     directory: yes
     traefik: yes
+    authentik: no
     expose_to_public: no
   overseerr:
     enabled: yes
+    proxy_host_rule: overseerr
     directory: yes
     traefik: yes
+    authentik: no
     expose_to_public: no
   prowlarr:
     enabled: yes
+    proxy_host_rule: prowlarr
     directory: yes
     traefik: yes
+    authentik: no
     expose_to_public: no
   requestrr:
     enabled: yes
+    proxy_host_rule: requestrr
     directory: yes
     traefik: yes
+    authentik: no
     expose_to_public: no
   plex:
     enabled: yes
+    proxy_host_rule: plex
     directory: yes
     traefik: yes
+    authentik: no
     expose_to_public: no
   tautulli:
     enabled: yes
+    proxy_host_rule: tautulli
     directory: yes
     traefik: yes
+    authentik: no
     expose_to_public: no
   nzbget:
     enabled: yes
+    proxy_host_rule: nzbget
     directory: yes
     traefik: yes
+    authentik: no
+  authentik:
+    enabled: no
+    proxy_host_rule: authentik
+    directory: yes
+    traefik: yes
+    authentik: no
     expose_to_public: no
 
 plex_transcode_folder: "{{ hms_docker_apps_path }}/plex/transcode_temp" # default: "{{ hms_docker_apps_path }}/plex/transcode_temp"
@@ -410,6 +440,17 @@ plex_transcode_folder: "{{ hms_docker_apps_path }}/plex/transcode_temp" # defaul
 
 
 
+#######################################################################
+### Authentik settings
+# This OR the option in the container map will enable or disable the Authentik container
+authentik_enabled: no
+authentik_host: "http://authentik-server:9000" # leave this as default if you're using the default hms-docker configuration (really only used if you have a separate authentik server) default: "http://authentik-server:9000"
+authentik_external_host: 'https://{{ hms_docker_container_map["authentik"]["proxy_host_rule"] }}.{{ hms_docker_domain }}' # This needs to match the host rule that routes traffic to the Authentik container
+### End of authentik settings
+#######################################################################
+
+
+
 #######################################################################
 ### Advanced Ansible settings
 # Overrides the family to 'redhat' if running Alma Linux

roles/hmsdocker/tasks/authelia.yml

@@ -0,0 +1,10 @@
+---
+- name: Ensure Authelia config
+  template:
+    src: authelia.j2
+    dest: "{{ hms_docker_apps_path }}/authelia/configuration.yml"
+    mode: 0600
+    owner: root
+    group: root
+    backup: yes
+    force: no

roles/hmsdocker/tasks/authentik.yml

@@ -0,0 +1,26 @@
+---
+- name: Ensure authentik env
+  template:
+    src: authentik_env.j2
+    dest: "{{ hms_docker_data_path }}/.authentik.env"
+    mode: 0600
+    owner: root
+    group: root
+    backup: yes
+    force: no
+
+- name: Ensure Outposts directory
+  file:
+    path: "{{ hms_docker_apps_path }}/authentik/outposts"
+    state: directory
+    mode: 0755
+    owner: root
+    group: root
+
+- name: Ensure authentik Outpost configs
+  template:
+    src: authentik_outpost.j2
+    dest: "{{ hms_docker_apps_path }}/authentik/outposts/authentik-{{ item.key }}.outpost.yml"
+    mode: 0644
+  with_dict: "{{ hms_docker_container_map }}"
+  when: item.value.enabled and (item.value.authentik is defined and item.value.authentik)

roles/hmsdocker/tasks/main.yml

@@ -43,6 +43,12 @@
   import_tasks: "traefik.yml"
   when: hms_docker_container_map.traefik.enabled is defined and hms_docker_container_map.traefik.enabled
 
+- name: Ensure Authentik
+  import_tasks: "authentik.yml"
+  when: ((hms_docker_container_map.authentik.enabled is defined and hms_docker_container_map.authentik.enabled) or 
+        (authentik_enabled)) and 
+        (traefik_ssl_enabled)
+
 - name: Ensure docker-compose.yml file.
   template:
     src: docker-compose.yml.j2