cbalders/homelab-ansible-lxc-dawarich
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

initial commit: Dawarich LXC role (CT 459 on pve02, .159)

Browse Source 
Self-hosted location history. 4-container compose: Rails 8 app + Sidekiq
+ PostGIS 16-3.4 + Redis 7, plus watchtower. Authentik OIDC end-to-end.
Image pinned at freikin/dawarich:1.7.11 (OIDC support requires >= 1.7.8).

PostGIS DB lives in this LXC, not on the central DB VM (.172) — central
image is postgres:16-alpine without postgis, swapping it carries broader
blast radius than colocating here. Convention exception captured in
homelab-docs project_dawarich memory.

Roles:
  - dawarich: system + Docker + compose + weekly prune timer
  - alloy:    logs+journald → Loki, node metrics → Prometheus

Bring-up sequence proven 2026-06-01. README documents the 5-trap build
chain (image version, entrypoint scripts, solid_cache SQLite bind mount,
APPLICATION_HOSTS+localhost, force_ssl+healthcheck).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Your Name
2026-06-01 21:24:09 -04:00
commit e7b8d4df17
20 changed files with 1126 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
scripts/bootstrap-secrets.sh
Executable
+46
View File
@@ -0,0 +1,46 @@
#!/usr/bin/env bash
# ==============================================================================
# bootstrap-secrets.sh — Generate + push the 5 Dawarich app secrets to Infisical
#
# Run ONCE before the first deploy. Idempotent in the sense that re-running it
# rotates every key — which will invalidate existing Rails sessions + the OTP-
# encrypted columns. Do NOT re-run blindly on an existing install.
# ==============================================================================
set -euo pipefail
INF_PROJECT="50062d7c-06ff-4d5c-8ca3-6c0cdba9f270"
ENV="prod"
PATH_PREFIX="/dawarich"
command -v infisical >/dev/null || { echo "ERROR: infisical CLI not installed"; exit 1; }
command -v openssl >/dev/null || { echo "ERROR: openssl not installed"; exit 1; }
push() {
local name="$1" value="$2"
echo " -> $name"
infisical secrets set "${name}=${value}" \
--projectId "$INF_PROJECT" --env "$ENV" --path "$PATH_PREFIX" \
--type shared >/dev/null
}
echo "==> Generating + pushing 5 Dawarich secrets to ${PATH_PREFIX}/ ..."
push vault_dawarich_db_password "$(openssl rand -hex 32)"
push vault_dawarich_secret_key_base "$(openssl rand -hex 64)"
push vault_dawarich_otp_primary_key "$(openssl rand -hex 32)"
push vault_dawarich_otp_deterministic_key "$(openssl rand -hex 32)"
push vault_dawarich_otp_salt "$(openssl rand -hex 32)"
echo "==> Done."
echo
echo "Next steps:"
echo " 1) Apply terraform (module.dawarich) — provisions CT 459 on pve02 at .159."
echo " 2) Bootstrap cbalders user + SSH keys + NOPASSWD sudo on the new CT (see README)."
echo " 3) Generate + push 2 OIDC credentials (pi-auth uses these to CREATE the Authentik client — they are not fetched back):"
echo " infisical secrets set \"vault_dawarich_oidc_client_id=\$(openssl rand -hex 20)\" --projectId 50062d7c-06ff-4d5c-8ca3-6c0cdba9f270 --env prod --path /oidc --type shared"
echo " infisical secrets set \"vault_dawarich_oidc_client_secret=\$(openssl rand -hex 32)\" --projectId 50062d7c-06ff-4d5c-8ca3-6c0cdba9f270 --env prod --path /oidc --type shared"
echo " 4) Confirm homelab-ansible-pi-auth/site.yml has the dawarich_oidc_client_{id,secret} set_fact mapping."
echo " 5) First ./deploy.sh — picks up dawarich:1.7.11 (OIDC requires >= 1.7.8), runs migrations, comes up healthy."
echo " 6) cd ../homelab-ansible-pi-auth && ./deploy.sh — creates Authentik provider + application."
echo " 7) cd ../homelab-ansible-proxy && ./deploy.sh — adds Caddy vhost + Technitium CNAME."
echo " 8) cd ../homelab-ansible-pve && ./deploy.sh — adds CTID 459 to pbs-prod-daily."
echo " 9) Browser-test https://dawarich.balders.ca/users/sign_in → 'Sign in with Authentik'."