chore: refactor

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-29 12:04:18 +00:00
parent 1aa2852885
commit 8160c1a7f7
5 changed files with 91 additions and 80 deletions
--- a/support/manifest.yaml
+++ b/support/manifest.yaml
@@ -0,0 +1,221 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: veil
+spec:
+  containers:
+    - name: veil
+      image: registry.karaolidis.com/karaolidis/veil:latest
+      volumeMounts:
+        - name: veil-config
+          mountPath: /etc/veil
+      command:
+        [
+          "veil",
+          "--config",
+          "/etc/veil/default.yml",
+          --log-config,
+          "/etc/veil/log4rs.yml",
+        ]
+      securityContext:
+        capabilities:
+          add:
+            - NET_ADMIN
+            - NET_RAW
+
+    - name: postgresql
+      image: docker.io/library/postgres:latest
+      env:
+        - name: POSTGRES_DB
+          value: veil
+        - name: POSTGRES_USER
+          value: veil
+        - name: POSTGRES_PASSWORD
+          value: veil
+      ports:
+        - containerPort: 5432
+          hostPort: 5432
+
+    - name: authelia
+      image: docker.io/authelia/authelia:latest
+      volumeMounts:
+        - name: authelia-config
+          mountPath: /config
+
+    - name: traefik
+      image: docker.io/library/traefik:latest
+      args:
+        - "--api.insecure=true"
+        - "--providers.file.directory=/etc/traefik/dynamic"
+        - "--providers.file.watch=true"
+        - "--entrypoints.websecure.address=:443"
+      ports:
+        - containerPort: 8080
+          hostPort: 8080
+        - containerPort: 443
+          hostPort: 443
+      volumeMounts:
+        - name: traefik-config
+          mountPath: /etc/traefik/dynamic
+
+  volumes:
+    - name: veil-config
+      configMap:
+        name: veil-config
+    - name: authelia-config
+      configMap:
+        name: authelia-config
+    - name: traefik-config
+      configMap:
+        name: traefik-config
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: veil-config
+data:
+  default.yml: |
+    server:
+      host: https://app.veil.local
+
+    database:
+      host: postgresql
+      port: 5432
+      user: veil
+      password: veil
+      database: veil
+
+    oauth:
+      issuer_url: "https://id.veil.local"
+      client_id: "veil"
+      client_secret: "insecure_secret"
+      admin_group: "admins"
+      insecure: true
+  log4rs.yml: |
+    appenders:
+      stdout:
+        kind: console
+        encoder:
+          pattern: "{d} {h({l})} {M}::{L} - {m}{n}"
+
+    root:
+      level: info
+      appenders:
+        - stdout
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: authelia-config
+data:
+  configuration.yml: |
+    log:
+      level: "debug"
+
+    identity_validation:
+      reset_password:
+        jwt_secret: "jwt_secret"
+
+    authentication_backend:
+      file:
+        path: "/config/users.yml"
+
+    session:
+      secret: "session_secret"
+      cookies:
+        - domain: "veil.local"
+          authelia_url: "https://id.veil.local"
+
+    storage:
+      encryption_key: "very_very_very_long_encryption_key"
+
+      local:
+        path: "/config/db.sqlite3"
+
+    notifier:
+      filesystem:
+        filename: "/config/notification.txt"
+
+    access_control:
+      default_policy: "one_factor"
+
+    identity_providers:
+      oidc:
+        hmac_secret: "this_is_a_secret_abc123abc123abc"
+        jwks:
+          - key: |
+              -----BEGIN PRIVATE KEY-----
+              MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC5T/dW/Sd2xhkM
+              viVbr1SeNHWq2VdioIbWSwn3rX3O3qJ/QhyXF7rRKW1iGkocPgl+IPxhabW7GbUx
+              3J35i9q9m8g+hk0M5Ob5eSHD7LX1VJ2arTSpYyjS70ZrSKbeAmgrMeCVkX1cqdD2
+              qPTXii4/fhQ0MLazh1Donrdi4dq8GUETu6eHTJ3oeWuAxNSxTlQmBrK+/k43oSYY
+              wq2WSQmzHHequVsP6UXKvbkX688FobrKfnwTZ+vzIUF3JvfYNKweaEDYaZebcCbe
+              qpiIAcVBzNuZQZkV+gtlVqPSjWsN05O4NWi7xME/NwJmfyesA2VZ3Nf5VtaYdc8S
+              /TPSC/+3AgMBAAECggEAFhmce1IsoIRxMgJZQo0Z5SuHdEKATUGsuFDHAF6UmD/C
+              lwpY44dlHxMMOadopY6bzjV73oLfX/q/D70U//uhsNGBI5JxDPPIPKypY2F5tSeM
+              C4l9iXf1w0Ddn+d7CGi2vfQFqdYUjSEEIUPhaJ/Q8n8u71HMmtjX7tjC28w+AbGN
+              X1KrYk36cqFpZSQATdbkDYfQJWxBhsgEb1VpzwdmhZC5MERhZ/uK6Xykxt0MTAhx
+              ITSxW4wBKYDEMXkOQUuVqirNDdkYA/Eue7HTFsN9Xxl79p/qaP60BOiFJ8Tmq9cc
+              RzZW0dkBeuOyyQOWOEX7XNivGrN44I4l9AYHsFYMpQKBgQD/36d5Ur/vTwpP+/pZ
+              gU1W+KwQuEnodlF03t4kR75uMHGt+D38m1WxiCRO6kf6VEa4aVtNFwUuTUCbGHIs
+              c2XuuZ5pTQyhKlt3U+YDoQXbEVrjOOZhyZ93AwG1hksYs5n6xXAn5RVCa0UHrgLQ
+              pLJxgc7f9uE9aGx735PGLK/EywKBgQC5Z2RgnVQmtzkSzIlc0DmGpJaqTiOSXs6+
+              V/MTERDySbHEX/59Eu7V1pSDzXgOJtCFG1mRzAM09EmdWWtR3AE1qefw7ejhpEkH
+              cm639mtmTV8pcZ2+Zo8NFaGnsrIH/5R1bUtFUd5DTQfw0QcyzT9luXMp+WOzgpNj
+              bia5Jfo/RQKBgQD6jVkC9kK35R/l/onBB1piJZLntG260dElre68e/w/DfTjM8gP
+              CVQ6SWO0WrksqUWu4oviyv3pvv/aX2+9kypnPx+dYTNSxZVXHbKILy76ut3Szi7Z
+              5oLeGPWdeOkkQQowgxE2H55XsY6g3IYpJH0PpNqceLVKWmyQR/f+AFgFTQKBgQCw
+              AvjnQ9Uk4CK9txHc3A0QxuYGDiJ1Da6GQ6aO/k+xRMcP3/YQtU2qEolxyzljbfPd
+              ucZBxIVy20ubps1crFk1ofSA5MuGk1mFSVzVJop1V5S1Gpifrmu2B0gtlVawgzFk
+              fXrM91jjWZjlRPvpfbLnFrS/L3Q4cgkMhwEaGnTFZQKBgCXvH8sKsGPH0LpCJimL
+              Z6MrWcdbCBBKwYucAYb11FphmoEY7DOUZwtyABOotkg0k7cLdIMCyKlCOz/2PMZX
+              WW298aPi6K4zL1CnDUcIb8tS6j5IeHcCOa1pjBO+DfIqv8vK2YG/887alRnzvf6y
+              zzwIoNbKdEh838UReLyyMT6j
+              -----END PRIVATE KEY-----
+
+        clients:
+          - client_id: "veil"
+            client_secret: "$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng" # The digest of 'insecure_secret'.
+            redirect_uris:
+              - "https://app.veil.local/api/auth/callback"
+            authorization_policy: "one_factor"
+  users.yml: |
+    users:
+      veil:
+        displayname: "veil"
+        password: "$argon2id$v=19$m=65536,t=3,p=4$Ei7nv1Nl5hZ7sVBYQXJHNA$e8DIs8UM2SSNofsaq5gtXULP2bB6xiE9EVFtlcFqmNk" # The digest of 'veil'.
+        groups:
+          - "admins"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: traefik-config
+data:
+  traefik.yml: |
+    http:
+      routers:
+        authelia:
+          rule: "Host(`id.veil.local`)"
+          entryPoints:
+            - websecure
+          service: authelia-service
+          tls: {}
+
+        veil:
+          rule: "Host(`app.veil.local`)"
+          entryPoints:
+            - websecure
+          service: veil-service
+          tls: {}
+
+      services:
+        authelia-service:
+          loadBalancer:
+            servers:
+              - url: "http://authelia:9091"
+
+        veil-service:
+          loadBalancer:
+            servers:
+              - url: "http://veil:51821"