Enable redis for authelia

This also splits redis instances by service
2023-07-07 15:50:23 -07:00 · 2023-07-07 15:50:23 -07:00 · 0a7ad7a9dc
commit 0a7ad7a9dc
parent b0c1aca497
7 changed files with 30 additions and 24 deletions
--- a/.secrets-baseline
+++ b/.secrets-baseline
@ -158,7 +158,7 @@
        "filename": "core/authelia.yml",
        "hashed_secret": "a32b08d97b1615dc27f58b6b17f67624c04e2c4f",
        "is_verified": false,
-        "line_number": 187,
+        "line_number": 186,
        "is_secret": false
      }
    ],
@ -213,5 +213,5 @@
      }
    ]
  },
-  "generated_at": "2023-07-07T07:39:31Z"
+  "generated_at": "2023-07-07T22:48:34Z"
 }
--- a/core/authelia.yml
+++ b/core/authelia.yml
@ -178,16 +178,15 @@ session:
  inactivity: 5m
  remember_me_duration: 1M

-  # TODO: use redis when I figure out authentication and database indexes
-  # redis:
-  #   host:
-  #   port:
-  #
-  #   # username: authelia
-  #   # password: authelia
-  #   database_index: 0
-  #   maximum_active_connections: 8
-  #   minimum_idle_connections: 0
+  redis:
+    host: 127.0.0.1
+    port: 6379
+
+    # username: authelia
+    # password: authelia
+    # database_index: 0
+    maximum_active_connections: 8
+    minimum_idle_connections: 0

 regulation:
  max_retries: 3
--- a/core/blocky/blocky.nomad
+++ b/core/blocky/blocky.nomad
@ -150,7 +150,7 @@ PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/mysql_stunnel_psk.txt
 [redis_client]
 client = yes
 accept = 127.0.0.1:6379
-{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "redis-tls" -}}
+{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "redis-blocky" -}}
 connect = {{ .Address }}:{{ .Port }}
 {{- end }}
 PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt
--- a/core/main.tf
+++ b/core/main.tf
@ -78,6 +78,7 @@ module "authelia" {

  use_mysql = true
  use_ldap  = true
+  use_redis = true
  mysql_bootstrap = {
    enabled = true
  }
--- a/databases/main.tf
+++ b/databases/main.tf
@ -21,11 +21,17 @@ resource "nomad_job" "postgres-server" {
 }

 resource "nomad_job" "redis" {
+  for_each = toset(["blocky", "authelia"])
+
  hcl2 {
    enabled = true
  }

-  jobspec = file("${path.module}/redis.nomad")
+  jobspec = templatefile("${path.module}/redis.nomad",
+    {
+      name = each.key,
+    }
+  )

  # Block until deployed as there are servics dependent on this one
  detach = false
--- a/databases/redis.nomad
+++ b/databases/redis.nomad
@ -1,4 +1,4 @@
-job "redis" {
+job "redis-${name}" {
  datacenters = ["dc1"]
  type = "service"
  priority = 80
@ -19,7 +19,7 @@ job "redis" {
    }

    service {
-      name = "redis-tls"
+      name = "redis-${name}"
      provider = "nomad"
      port = "tls"
    }
@ -29,7 +29,7 @@ job "redis" {

      config {
        image = "redis:6"
-        args = ["redis-server", "--save", "60", "1", "--loglevel", "warning", "--dir", "${NOMAD_ALLOC_DIR}/data"]
+        args = ["redis-server", "--save", "60", "1", "--loglevel", "warning", "--dir", "$${NOMAD_ALLOC_DIR}/data"]
        ports = ["main"]
      }

@ -46,7 +46,7 @@ job "redis" {
      config {
        image = "alpine:3.17"
        ports = ["tls"]
-        args = ["/bin/sh", "${NOMAD_TASK_DIR}/start.sh"]
+        args = ["/bin/sh", "$${NOMAD_TASK_DIR}/start.sh"]
      }

      resources {
@ -58,9 +58,9 @@ job "redis" {
        data = <<EOF
 set -e
 apk add stunnel
-exec stunnel ${NOMAD_TASK_DIR}/stunnel.conf
+exec stunnel $${NOMAD_TASK_DIR}/stunnel.conf
        EOF
-        destination = "${NOMAD_TASK_DIR}/start.sh"
+        destination = "$${NOMAD_TASK_DIR}/start.sh"
      }

      template {
@ -76,16 +76,16 @@ connect = 127.0.0.1:6379
 ciphers = PSK
 PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt
        EOF
-        destination = "${NOMAD_TASK_DIR}/stunnel.conf"
+        destination = "$${NOMAD_TASK_DIR}/stunnel.conf"
      }

      template {
        data = <<EOF
-{{ with nomadVar "nomad/jobs/redis" -}}
+{{ with nomadVar "nomad/jobs/redis-${name}" -}}
 {{ .allowed_psks }}
 {{- end }}
        EOF
-        destination = "${NOMAD_SECRETS_DIR}/stunnel_psk.txt"
+        destination = "$${NOMAD_SECRETS_DIR}/stunnel_psk.txt"
      }
    }
  }
--- a/services/service/service_template.nomad
+++ b/services/service/service_template.nomad
@ -274,7 +274,7 @@ PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/mysql_stunnel_psk.txt
 [redis_client]
 client = yes
 accept = 127.0.0.1:6379
-{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "redis-tls" -}}
+{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "redis-${name}" -}}
 connect = {{ .Address }}:{{ .Port }}
 {{- end }}
 PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/redis_stunnel_psk.txt