Adding lldap and authelia.
This commit is contained in:
5
all-apps/authelia/4/Caddyfile
Normal file
5
all-apps/authelia/4/Caddyfile
Normal file
@@ -0,0 +1,5 @@
|
||||
{$authelia_SUBDOMAIN}.{$ROOT_DOMAIN} {
|
||||
import maintenance_intercept
|
||||
|
||||
reverse_proxy authelia:9091
|
||||
}
|
||||
15
all-apps/authelia/4/Makefile
Normal file
15
all-apps/authelia/4/Makefile
Normal file
@@ -0,0 +1,15 @@
|
||||
IMAGE_DEPS := $(IMAGE_DEPS) \
|
||||
app/authelia/postgres_db \
|
||||
app/authelia/postgres_user \
|
||||
app/authelia/postgres_password \
|
||||
app/authelia/authelia-config/configuration.yml
|
||||
|
||||
app/authelia/postgres_db: $(apps_config)
|
||||
bash -c 'source ./$(apps_config); printf "%s\n" "$$AUTHELIA_POSTGRES_DB" > $@'
|
||||
app/authelia/postgres_user: $(apps_config)
|
||||
bash -c 'source ./$(apps_config); printf "%s\n" "$$AUTHELIA_POSTGRES_USER" > $@'
|
||||
app/authelia/postgres_password: $(apps_config)
|
||||
bash -c 'source ./$(apps_config); printf "%s\n" "$$AUTHELIA_POSTGRES_PASSWORD" > $@'
|
||||
app/authelia/authelia-config/configuration.yml: $(apps_config) app/authelia/authelia-config/configuration.yml.tmpl \
|
||||
app/authelia/make-authelia-config.sh
|
||||
./app/authelia/make-authelia-config.sh $(apps_config)
|
||||
118
all-apps/authelia/4/authelia-config/configuration.yml.tmpl
Normal file
118
all-apps/authelia/4/authelia-config/configuration.yml.tmpl
Normal file
@@ -0,0 +1,118 @@
|
||||
---
|
||||
###############################################################
|
||||
# Authelia configuration #
|
||||
###############################################################
|
||||
|
||||
server:
|
||||
address: 'tcp://:9091/authelia'
|
||||
endpoints:
|
||||
authz:
|
||||
forward-auth:
|
||||
implementation: 'ForwardAuth'
|
||||
|
||||
log:
|
||||
level: 'debug'
|
||||
|
||||
totp:
|
||||
issuer: 'authelia.com'
|
||||
|
||||
identity_validation:
|
||||
reset_password:
|
||||
jwt_secret: '$AUTHELIA_JWT_SECRET'
|
||||
|
||||
# lldap service account user should instead
|
||||
# use an account with lldap_password_manager group
|
||||
# since that can't be used to change an admin password
|
||||
authentication_backend:
|
||||
ldap:
|
||||
address: 'ldap://lldap:3890'
|
||||
implementation: 'lldap'
|
||||
timeout: '5s'
|
||||
pooling:
|
||||
enable: false
|
||||
count: 5
|
||||
retries: 2
|
||||
timeout: '10 seconds'
|
||||
base_dn: 'DC=nassella,DC=org'
|
||||
# additional_users_dn: 'OU=users'
|
||||
# additional_groups_dn: 'OU=groups'
|
||||
# group_search_mode: 'filter'
|
||||
# permit_referrals: false
|
||||
permit_unauthenticated_bind: false
|
||||
permit_feature_detection_failure: false
|
||||
user: 'uid=admin,ou=people,dc=nassella,dc=org'
|
||||
password: '$LLDAP_ADMIN_PASSWORD'
|
||||
# attributes:
|
||||
# distinguished_name: 'distinguishedName'
|
||||
# username: 'uid'
|
||||
# display_name: 'displayName'
|
||||
# family_name: 'sn'
|
||||
# given_name: 'givenName'
|
||||
# middle_name: 'middleName'
|
||||
# nickname: ''
|
||||
# gender: ''
|
||||
# birthdate: ''
|
||||
# website: 'wWWHomePage'
|
||||
# profile: ''
|
||||
# picture: ''
|
||||
# zoneinfo: ''
|
||||
# locale: ''
|
||||
# phone_number: 'telephoneNumber'
|
||||
# phone_extension: ''
|
||||
# street_address: 'streetAddress'
|
||||
# locality: 'l'
|
||||
# region: 'st'
|
||||
# postal_code: 'postalCode'
|
||||
# country: 'c'
|
||||
# mail: 'mail'
|
||||
# member_of: 'memberOf'
|
||||
# group_name: 'cn'
|
||||
# extra:
|
||||
# extra_example:
|
||||
# name: ''
|
||||
# multi_valued: false
|
||||
# value_type: 'string'
|
||||
|
||||
access_control:
|
||||
default_policy: 'deny'
|
||||
rules:
|
||||
# - domain: 'public.x.localhost'
|
||||
# policy: 'bypass'
|
||||
# - domain: 'app.nassella.org'
|
||||
# policy: 'one_factor'
|
||||
- domain: '$DOZZLE_FULL_DOMAIN'
|
||||
policy: 'two_factor'
|
||||
|
||||
session:
|
||||
secret: '$AUTHELIA_SESSION_SECRET'
|
||||
|
||||
cookies:
|
||||
- name: 'authelia_session'
|
||||
domain: '$ROOT_DOMAIN' # Should match whatever your root protected domain is
|
||||
authelia_url: 'https://$AUTHELIA_FULL_DOMAIN'
|
||||
expiration: '1 hour' # 1 hour
|
||||
inactivity: '5 minutes' # 5 minutes
|
||||
|
||||
regulation:
|
||||
max_retries: 3
|
||||
find_time: '2 minutes'
|
||||
ban_time: '5 minutes'
|
||||
|
||||
storage:
|
||||
encryption_key: '$AUTHELIA_ENCRYPTION_KEY'
|
||||
postgres:
|
||||
address: 'tcp://authelia_db:5432'
|
||||
servers: []
|
||||
database: '$AUTHELIA_POSTGRES_DB'
|
||||
schema: 'public'
|
||||
username: '$AUTHELIA_POSTGRES_USER'
|
||||
password: '$AUTHELIA_POSTGRES_PASSWORD'
|
||||
timeout: '5s'
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
address: 'submission://$SMTP_HOST:$SMTP_PORT'
|
||||
username: '$SMTP_AUTH_USER'
|
||||
password: '$SMTP_AUTH_PASSWORD'
|
||||
sender: '$SMTP_FROM'
|
||||
...
|
||||
58
all-apps/authelia/4/docker-compose.yaml
Normal file
58
all-apps/authelia/4/docker-compose.yaml
Normal file
@@ -0,0 +1,58 @@
|
||||
secrets:
|
||||
authelia_postgres_db:
|
||||
file: ./authelia/postgres_db
|
||||
authelia_postgres_password:
|
||||
file: ./authelia/postgres_password
|
||||
authelia_postgres_user:
|
||||
file: ./authelia/postgres_user
|
||||
|
||||
services:
|
||||
authelia_db:
|
||||
image: postgres:18-trixie
|
||||
environment:
|
||||
- POSTGRES_DB_FILE=/run/secrets/authelia_postgres_db
|
||||
- POSTGRES_USER_FILE=/run/secrets/authelia_postgres_user
|
||||
- POSTGRES_PASSWORD_FILE=/run/secrets/authelia_postgres_password
|
||||
shm_size: 128mb
|
||||
restart: always
|
||||
volumes:
|
||||
- /nassella/authelia/var-lib-postgresql:/var/lib/postgresql
|
||||
networks:
|
||||
- authelia_internal_db
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready -d `cat $$POSTGRES_DB_FILE` -U `cat $$POSTGRES_USER_FILE`"]
|
||||
start_period: 15s
|
||||
interval: 30s
|
||||
retries: 3
|
||||
timeout: 5s
|
||||
secrets:
|
||||
- authelia_postgres_db
|
||||
- authelia_postgres_password
|
||||
- authelia_postgres_user
|
||||
|
||||
authelia:
|
||||
image: 'authelia/authelia'
|
||||
volumes:
|
||||
- ./authelia/authelia-config/configuration.yml:/config/configuration.yml:ro
|
||||
networks:
|
||||
- lb
|
||||
- authelia_internal_db
|
||||
- lldap_internal
|
||||
depends_on:
|
||||
lldap:
|
||||
condition: service_healthy
|
||||
authelia_db:
|
||||
condition: service_healthy
|
||||
restart: 'unless-stopped'
|
||||
healthcheck:
|
||||
## In production the healthcheck section should be commented.
|
||||
disable: true
|
||||
|
||||
networks:
|
||||
lb:
|
||||
lldap_internal:
|
||||
driver: bridge
|
||||
internal: true
|
||||
authelia_internal_db:
|
||||
driver: bridge
|
||||
internal: true
|
||||
31
all-apps/authelia/4/make-authelia-config.sh
Executable file
31
all-apps/authelia/4/make-authelia-config.sh
Executable file
@@ -0,0 +1,31 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
set -a # export everything in the config for later use by envsubst
|
||||
|
||||
. $1 # source the apps.config file with then env vars
|
||||
|
||||
read -r -a APP_CONFIGS <<< "$APP_CONFIGS"
|
||||
|
||||
authelia_subdomain=
|
||||
dozzle_subdomain=
|
||||
|
||||
for config_string in ${APP_CONFIGS[@]}; do
|
||||
IFS=','
|
||||
read -r -a config <<< "$config_string"
|
||||
|
||||
app=${config[0]}
|
||||
subdomain=${config[1]}
|
||||
|
||||
if [ "$app" = "authelia" ]; then
|
||||
authelia_subdomain="$subdomain"
|
||||
fi
|
||||
|
||||
if [ "$app" = "dozzle" ]; then
|
||||
dozzle_subdomain="$subdomain"
|
||||
fi
|
||||
done
|
||||
|
||||
export AUTHELIA_FULL_DOMAIN="$authelia_subdomain.$ROOT_DOMAIN"
|
||||
export DOZZLE_FULL_DOMAIN="$dozzle_subdomain.$ROOT_DOMAIN"
|
||||
envsubst < app/authelia/authelia-config/configuration.yml.tmpl > app/authelia/authelia-config/configuration.yml
|
||||
7
all-apps/dozzle/20/Caddyfile
Normal file
7
all-apps/dozzle/20/Caddyfile
Normal file
@@ -0,0 +1,7 @@
|
||||
{$dozzle_SUBDOMAIN}.{$ROOT_DOMAIN} {
|
||||
forward_auth authelia:9091 {
|
||||
uri /api/authz/forward-auth
|
||||
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
|
||||
}
|
||||
reverse_proxy http://dozzle:8080
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
IMAGE_DEPS := $(IMAGE_DEPS) \
|
||||
app/dozzle/Caddyfile
|
||||
|
||||
app/dozzle/Caddyfile: $(apps_config) app/dozzle/make-caddyfile.sh
|
||||
./app/dozzle/make-caddyfile.sh $(apps_config) > $@
|
||||
@@ -1,15 +0,0 @@
|
||||
#/bin/bash
|
||||
|
||||
set -e
|
||||
|
||||
. $1 # source the apps.config file with then env vars
|
||||
|
||||
host_admin_password_encoded=`echo "$HOST_ADMIN_PASSWORD" | docker run --rm -i caddy:2 caddy hash-password`
|
||||
|
||||
echo '{$dozzle_SUBDOMAIN}.{$ROOT_DOMAIN} {'
|
||||
echo " basic_auth {"
|
||||
echo " $HOST_ADMIN_USER $host_admin_password_encoded"
|
||||
echo " }"
|
||||
echo " reverse_proxy http://dozzle:8080"
|
||||
echo "}"
|
||||
echo ""
|
||||
@@ -57,6 +57,14 @@ services:
|
||||
retries: 120
|
||||
networks:
|
||||
- ghost_network
|
||||
command:
|
||||
- --performance-schema=OFF
|
||||
- --innodb-buffer-pool-size=64M
|
||||
- --max-connections=10
|
||||
- --table-open-cache=128
|
||||
- --table-definition-cache=128
|
||||
- --thread-cache-size=2
|
||||
- --innodb-log-buffer-size=8M
|
||||
|
||||
ghost_traffic-analytics:
|
||||
image: ghost/traffic-analytics:1.0
|
||||
|
||||
4
all-apps/lldap/0.6.3/Caddyfile
Normal file
4
all-apps/lldap/0.6.3/Caddyfile
Normal file
@@ -0,0 +1,4 @@
|
||||
{$lldap_SUBDOMAIN}.{$ROOT_DOMAIN} {
|
||||
import maintenance_intercept
|
||||
reverse_proxy http://lldap:17170
|
||||
}
|
||||
21
all-apps/lldap/0.6.3/Makefile
Normal file
21
all-apps/lldap/0.6.3/Makefile
Normal file
@@ -0,0 +1,21 @@
|
||||
IMAGE_DEPS := $(IMAGE_DEPS) \
|
||||
app/lldap/postgres_db \
|
||||
app/lldap/postgres_user \
|
||||
app/lldap/postgres_password \
|
||||
app/lldap/admin_password \
|
||||
app/lldap/jwt_secret \
|
||||
app/lldap/lldap-config/lldap_config.toml
|
||||
|
||||
app/lldap/postgres_db: $(apps_config)
|
||||
bash -c 'source ./$(apps_config); printf "%s\n" "$$LLDAP_POSTGRES_DB" > $@'
|
||||
app/lldap/postgres_user: $(apps_config)
|
||||
bash -c 'source ./$(apps_config); printf "%s\n" "$$LLDAP_POSTGRES_USER" > $@'
|
||||
app/lldap/postgres_password: $(apps_config)
|
||||
bash -c 'source ./$(apps_config); printf "%s\n" "$$LLDAP_POSTGRES_PASSWORD" > $@'
|
||||
app/lldap/admin_password: $(apps_config)
|
||||
bash -c 'source ./$(apps_config); printf "%s\n" "$$LLDAP_ADMIN_PASSWORD" > $@'
|
||||
app/lldap/jwt_secret: $(apps_config)
|
||||
bash -c 'source ./$(apps_config); printf "%s\n" "$$LLDAP_JWT_SECRET" > $@'
|
||||
app/lldap/lldap-config/lldap_config.toml: $(apps_config) app/lldap/lldap-config/lldap_config.toml.tmpl \
|
||||
app/lldap/make-lldap-config.sh
|
||||
./app/lldap/make-lldap-config.sh $(apps_config)
|
||||
65
all-apps/lldap/0.6.3/docker-compose.yaml
Normal file
65
all-apps/lldap/0.6.3/docker-compose.yaml
Normal file
@@ -0,0 +1,65 @@
|
||||
secrets:
|
||||
lldap_postgres_db:
|
||||
file: ./lldap/postgres_db
|
||||
lldap_postgres_password:
|
||||
file: ./lldap/postgres_password
|
||||
lldap_postgres_user:
|
||||
file: ./lldap/postgres_user
|
||||
lldap_admin_password:
|
||||
file: ./lldap/admin_password
|
||||
lldap_jwt_secret:
|
||||
file: ./lldap/jwt_secret
|
||||
|
||||
services:
|
||||
lldap_db:
|
||||
image: postgres:18-trixie
|
||||
environment:
|
||||
- POSTGRES_DB_FILE=/run/secrets/lldap_postgres_db
|
||||
- POSTGRES_USER_FILE=/run/secrets/lldap_postgres_user
|
||||
- POSTGRES_PASSWORD_FILE=/run/secrets/lldap_postgres_password
|
||||
shm_size: 128mb
|
||||
restart: always
|
||||
volumes:
|
||||
- /nassella/lldap/var-lib-postgresql:/var/lib/postgresql
|
||||
networks:
|
||||
- lldap_db_internal
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready -d `cat $$POSTGRES_DB_FILE` -U `cat $$POSTGRES_USER_FILE`"]
|
||||
start_period: 15s
|
||||
interval: 30s
|
||||
retries: 3
|
||||
timeout: 5s
|
||||
secrets:
|
||||
- lldap_postgres_db
|
||||
- lldap_postgres_password
|
||||
- lldap_postgres_user
|
||||
|
||||
lldap:
|
||||
image: lldap/lldap:stable
|
||||
environment:
|
||||
- LLDAP_JWT_SECRET_FILE=/run/secrets/lldap_jwt_secret
|
||||
- LLDAP_LDAP_USER_PASS_FILE=/run/secrets/lldap_admin_password
|
||||
volumes:
|
||||
- ./lldap/lldap-config/:/data
|
||||
networks:
|
||||
- lb
|
||||
- lldap_internal
|
||||
- lldap_db_internal
|
||||
depends_on:
|
||||
lldap_db:
|
||||
condition: service_healthy
|
||||
secrets:
|
||||
- lldap_postgres_db
|
||||
- lldap_postgres_password
|
||||
- lldap_postgres_user
|
||||
- lldap_jwt_secret
|
||||
- lldap_admin_password
|
||||
|
||||
networks:
|
||||
lb:
|
||||
lldap_internal:
|
||||
driver: bridge
|
||||
internal: true
|
||||
lldap_db_internal:
|
||||
driver: bridge
|
||||
internal: true
|
||||
161
all-apps/lldap/0.6.3/lldap-config/lldap_config.toml.tmpl
Normal file
161
all-apps/lldap/0.6.3/lldap-config/lldap_config.toml.tmpl
Normal file
@@ -0,0 +1,161 @@
|
||||
## Default configuration for Docker.
|
||||
## All the values can be overridden through environment variables, prefixed
|
||||
## with "LLDAP_". For instance, "ldap_port" can be overridden with the
|
||||
## "LLDAP_LDAP_PORT" variable.
|
||||
|
||||
## Tune the logging to be more verbose by setting this to be true.
|
||||
## You can set it with the LLDAP_VERBOSE environment variable.
|
||||
# verbose=false
|
||||
|
||||
## The host address that the LDAP server will be bound to.
|
||||
## To enable IPv6 support, simply switch "ldap_host" to "::":
|
||||
## To only allow connections from localhost (if you want to restrict to local self-hosted services),
|
||||
## change it to "127.0.0.1" ("::1" in case of IPv6).
|
||||
## If LLDAP server is running in docker, set it to "0.0.0.0" ("::" for IPv6) to allow connections
|
||||
## originating from outside the container.
|
||||
ldap_host = "0.0.0.0"
|
||||
|
||||
## The port on which to have the LDAP server.
|
||||
#ldap_port = 3890
|
||||
|
||||
## The host address that the HTTP server will be bound to.
|
||||
## To enable IPv6 support, simply switch "http_host" to "::".
|
||||
## To only allow connections from localhost (if you want to restrict to local self-hosted services),
|
||||
## change it to "127.0.0.1" ("::1" in case of IPv6).
|
||||
## If LLDAP server is running in docker, set it to "0.0.0.0" ("::" for IPv6) to allow connections
|
||||
## originating from outside the container.
|
||||
http_host = "0.0.0.0"
|
||||
|
||||
## The port on which to have the HTTP server, for user login and
|
||||
## administration.
|
||||
#http_port = 17170
|
||||
|
||||
## The public URL of the server, for password reset links.
|
||||
http_url = "https://$LLDAP_FULL_DOMAIN"
|
||||
|
||||
## The path to the front-end assets (relative to the working directory).
|
||||
#assets_path = "./app"
|
||||
|
||||
## Random secret for JWT signature.
|
||||
## This secret should be random, and should be shared with application
|
||||
## servers that need to consume the JWTs.
|
||||
## Changing this secret will invalidate all user sessions and require
|
||||
## them to re-login.
|
||||
## You should probably set it through the LLDAP_JWT_SECRET environment
|
||||
## variable from a secret ".env" file.
|
||||
## This can also be set from a file's contents by specifying the file path
|
||||
## in the LLDAP_JWT_SECRET_FILE environment variable
|
||||
## You can generate it with (on linux):
|
||||
## LC_ALL=C tr -dc 'A-Za-z0-9!#%&'\''()*+,-./:;<=>?@[\]^_{|}~' </dev/urandom | head -c 32; echo ''
|
||||
# jwt_secret = "$NASSELLA_LLDAP_JWT_SECRET"
|
||||
|
||||
## Base DN for LDAP.
|
||||
## This is usually your domain name, and is used as a
|
||||
## namespace for your users. The choice is arbitrary, but will be needed
|
||||
## to configure the LDAP integration with other services.
|
||||
## The sample value is for "example.com", but you can extend it with as
|
||||
## many "dc" as you want, and you don't actually need to own the domain
|
||||
## name.
|
||||
ldap_base_dn = "dc=nassella,dc=org"
|
||||
|
||||
## Admin username.
|
||||
## For the LDAP interface, a value of "admin" here will create the LDAP
|
||||
## user "cn=admin,ou=people,dc=example,dc=com" (with the base DN above).
|
||||
## For the administration interface, this is the username.
|
||||
#ldap_user_dn = "admin"
|
||||
|
||||
## Admin email.
|
||||
## Email for the admin account. It is only used when initially creating
|
||||
## the admin user, and can safely be omitted.
|
||||
ldap_user_email = "$LLDAP_USER_EMAIL"
|
||||
|
||||
## Admin password.
|
||||
## Password for the admin account, both for the LDAP bind and for the
|
||||
## administration interface. It is only used when initially creating
|
||||
## the admin user.
|
||||
## It should be minimum 8 characters long.
|
||||
## You can set it with the LLDAP_LDAP_USER_PASS environment variable.
|
||||
## This can also be set from a file's contents by specifying the file path
|
||||
## in the LLDAP_LDAP_USER_PASS_FILE environment variable
|
||||
## Note: you can create another admin user for user administration, this
|
||||
## is just the default one.
|
||||
# ldap_user_pass = ""
|
||||
|
||||
## Force reset of the admin password.
|
||||
## Break glass in case of emergency: if you lost the admin password, you
|
||||
## can set this to true to force a reset of the admin password to the value
|
||||
## of ldap_user_pass above.
|
||||
## Alternatively, you can set it to "always" to reset every time the server starts.
|
||||
# force_ldap_user_pass_reset = false
|
||||
|
||||
## Database URL.
|
||||
## This encodes the type of database (SQlite, MySQL, or PostgreSQL)
|
||||
## , the path, the user, password, and sometimes the mode (when
|
||||
## relevant).
|
||||
## Note: SQlite should come with "?mode=rwc" to create the DB
|
||||
## if not present.
|
||||
## Example URLs:
|
||||
## - "postgres://postgres-user:password@postgres-server/my-database"
|
||||
## - "mysql://mysql-user:password@mysql-server/my-database"
|
||||
##
|
||||
## This can be overridden with the LLDAP_DATABASE_URL env variable.
|
||||
database_url = "postgres://lldap:$LLDAP_POSTGRES_PASSWORD@lldap_db/lldap"
|
||||
|
||||
## Private key file.
|
||||
## Not recommended, use key_seed instead.
|
||||
## Contains the secret private key used to store the passwords safely.
|
||||
## Note that even with a database dump and the private key, an attacker
|
||||
## would still have to perform an (expensive) brute force attack to find
|
||||
## each password.
|
||||
## Randomly generated on first run if it doesn't exist.
|
||||
## Env variable: LLDAP_KEY_FILE
|
||||
#key_file = "/data/private_key"
|
||||
|
||||
## Seed to generate the server private key, see key_file above.
|
||||
## This can be any random string, the recommendation is that it's at least 12
|
||||
## characters long.
|
||||
## Env variable: LLDAP_KEY_SEED
|
||||
key_seed = "$LLDAP_KEY_SEED"
|
||||
|
||||
## Ignored attributes.
|
||||
## Some services will request attributes that are not present in LLDAP. When it
|
||||
## is the case, LLDAP will warn about the attribute being unknown. If you want
|
||||
## to ignore the attribute and the service works without, you can add it to this
|
||||
## list to silence the warning.
|
||||
#ignored_user_attributes = [ "sAMAccountName" ]
|
||||
#ignored_group_attributes = [ "mail", "userPrincipalName" ]
|
||||
|
||||
## Options to configure SMTP parameters, to send password reset emails.
|
||||
## To set these options from environment variables, use the following format
|
||||
## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD
|
||||
[smtp_options]
|
||||
## Whether to enabled password reset via email, from LLDAP.
|
||||
enable_password_reset=true
|
||||
## The SMTP server.
|
||||
server="$SMTP_HOST"
|
||||
## The SMTP port.
|
||||
port=$SMTP_PORT
|
||||
## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS".
|
||||
smtp_encryption = "TLS"
|
||||
## The SMTP user, usually your email address.
|
||||
user="$SMTP_AUTH_USER"
|
||||
## The SMTP password.
|
||||
password="$SMTP_AUTH_PASSSWORD"
|
||||
## The header field, optional: how the sender appears in the email. The first
|
||||
## is a free-form name, followed by an email between <>.
|
||||
from="$SMTP_FROM"
|
||||
## Same for reply-to, optional.
|
||||
#reply_to="Do not reply <noreply@localhost>"
|
||||
|
||||
## Options to configure LDAPS.
|
||||
## To set these options from environment variables, use the following format
|
||||
## (example with "port"): LLDAP_LDAPS_OPTIONS__PORT
|
||||
[ldaps_options]
|
||||
## Whether to enable LDAPS.
|
||||
#enabled=true
|
||||
## Port on which to listen.
|
||||
#port=6360
|
||||
## Certificate file.
|
||||
#cert_file="/data/cert.pem"
|
||||
## Certificate key file.
|
||||
#key_file="/data/key.pem"
|
||||
25
all-apps/lldap/0.6.3/make-lldap-config.sh
Executable file
25
all-apps/lldap/0.6.3/make-lldap-config.sh
Executable file
@@ -0,0 +1,25 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
set -a # export everything in the config for later use by envsubst
|
||||
|
||||
. $1 # source the apps.config file with then env vars
|
||||
|
||||
read -r -a APP_CONFIGS <<< "$APP_CONFIGS"
|
||||
|
||||
lldap_subdomain=
|
||||
|
||||
for config_string in ${APP_CONFIGS[@]}; do
|
||||
IFS=','
|
||||
read -r -a config <<< "$config_string"
|
||||
|
||||
app=${config[0]}
|
||||
subdomain=${config[1]}
|
||||
|
||||
if [ "$app" = "lldap" ]; then
|
||||
lldap_subdomain="$subdomain"
|
||||
fi
|
||||
done
|
||||
|
||||
export LLDAP_FULL_DOMAIN="$lldap_subdomain.$ROOT_DOMAIN"
|
||||
envsubst < app/lldap/lldap-config/lldap_config.toml.tmpl > app/lldap/lldap-config/lldap_config.toml
|
||||
@@ -65,6 +65,14 @@ services:
|
||||
secrets:
|
||||
- wordpress_db_password
|
||||
- wordpress_db_root_password
|
||||
command:
|
||||
- --performance-schema=OFF
|
||||
- --innodb-buffer-pool-size=64M
|
||||
- --max-connections=10
|
||||
- --table-open-cache=128
|
||||
- --table-definition-cache=128
|
||||
- --thread-cache-size=2
|
||||
- --innodb-log-buffer-size=8M
|
||||
|
||||
# wordpress_init:
|
||||
# image: wordpress:cli-php8.4
|
||||
|
||||
@@ -626,7 +626,9 @@ where user_id=$1;"
|
||||
(2 . "adding-deployments-instance-backup")
|
||||
(3 . "normalizing-apps")
|
||||
(4 . "fixing-app-normalization")
|
||||
(5 . "adding-wordpress-app")))
|
||||
(5 . "adding-wordpress-app")
|
||||
(6 . "adding-lldap-app")
|
||||
(7 . "adding-authelia-app")))
|
||||
|
||||
(define (run-pending-migrations conn)
|
||||
(let* ((migration-ids (sort (map car *migrations*) <))
|
||||
|
||||
1
src/migrations/6-adding-lldap-app-up.sql
Normal file
1
src/migrations/6-adding-lldap-app-up.sql
Normal file
@@ -0,0 +1 @@
|
||||
insert into apps(app_name) values('lldap');
|
||||
1
src/migrations/7-adding-authelia-app-up.sql
Normal file
1
src/migrations/7-adding-authelia-app-up.sql
Normal file
@@ -0,0 +1 @@
|
||||
insert into apps(app_name) values('authelia');
|
||||
@@ -947,12 +947,13 @@ chmod -R 777 /opt/keys")))
|
||||
(input (@ (type "hidden") (name "sid") (value ,(alist-ref 'sid (current-params) equal?))))
|
||||
(Button (@ (type "submit")) "Create Account"))))))
|
||||
|
||||
;; https://app.nassella.org/unsecured/account/create?sid={CHECKOUT_SESSION_ID}
|
||||
(post "/unsecured/account/create-submit"
|
||||
(let ((email (stripe-session-email (alist-ref 'sid (current-params))))
|
||||
(username (alist-ref 'username (current-params))))
|
||||
(create-lldap-user username email)
|
||||
(with-db/transaction (lambda (db) (create-user db email username))))
|
||||
(redirect "/authelia/reset-password"))
|
||||
(let ((email (stripe-session-email (alist-ref 'sid (current-params))))
|
||||
(username (alist-ref 'username (current-params))))
|
||||
(create-lldap-user username email)
|
||||
(with-db/transaction (lambda (db) (create-user db email username))))
|
||||
(redirect "/authelia/reset-password"))
|
||||
|
||||
;;; REQUIRES AUTHED USER
|
||||
(post "/config/wizard/create-instance"
|
||||
@@ -1112,6 +1113,8 @@ chmod -R 777 /opt/keys")))
|
||||
(else
|
||||
'()))
|
||||
(Field (@ (name "wordpress") (type "checkbox") (label ("wordpress")) (checked ,(member 'wordpress (alist-ref 'selected-apps results)))))
|
||||
(Field (@ (name "lldap") (type "checkbox") (label ("lldap")) (checked ,(member 'lldap (alist-ref 'selected-apps results)))))
|
||||
(Field (@ (name "authelia") (type "checkbox") (label ("authelia")) (checked ,(member 'authelia (alist-ref 'selected-apps results)))))
|
||||
(Field (@ (name "log-viewer") (type "checkbox") (label ("Log Viewer")) (checked #t) (disabled "disabled"))))
|
||||
;; TODO add config for when automatic upgrades are scheduled for?
|
||||
;; TODO add config for server timezone?
|
||||
@@ -1131,6 +1134,8 @@ chmod -R 777 /opt/keys")))
|
||||
(ghost . ,(or (and (alist-ref 'ghost (current-params)) "6") #f))
|
||||
(nassella . ,(or (and (alist-ref 'nassella (current-params)) "b0.0.1") #f))
|
||||
(wordpress . ,(or (and (alist-ref 'wordpress (current-params)) "8.4") #f))
|
||||
(lldap . ,(or (and (alist-ref 'lldap (current-params)) "0.6.3") #f))
|
||||
(authelia . ,(or (and (alist-ref 'authelia (current-params)) "4") #f))
|
||||
(instance-control . "b0.0.1")
|
||||
(log-viewer . "20"))))
|
||||
(update-root-domain db
|
||||
@@ -1194,6 +1199,20 @@ chmod -R 777 /opt/keys")))
|
||||
(@ (title "Wordpress"))
|
||||
(Field (@ (name "wordpress-subdomain") (label ("Subdomain")) (value ,(alist-ref 'subdomain (alist-ref 'wordpress app-config eq? '()) eq? "wordpress"))))))
|
||||
'())
|
||||
,@(if (member 'lldap selected-apps)
|
||||
`((Fieldset
|
||||
(@ (title "LLDAP"))
|
||||
(Field (@ (name "lldap-subdomain") (label ("Subdomain")) (value ,(alist-ref 'subdomain (alist-ref 'lldap app-config eq? '()) eq? "lldap"))))
|
||||
(Field (@ (name "lldap-user-email") (label ("Admin Email Address")) (type "email")
|
||||
(value ,(alist-ref 'user-email (alist-ref 'lldap app-config eq? '()) eq? ""))))
|
||||
(Field (@ (name "lldap-admin-password") (label ("Admin Password")) (type "password")
|
||||
(value ,(alist-ref 'admin-password (alist-ref 'lldap app-config eq? '()) eq? ""))))))
|
||||
'())
|
||||
,@(if (member 'authelia selected-apps)
|
||||
`((Fieldset
|
||||
(@ (title "Authelia"))
|
||||
(Field (@ (name "authelia-subdomain") (label ("Subdomain")) (value ,(alist-ref 'subdomain (alist-ref 'authelia app-config eq? '()) eq? "authelia"))))))
|
||||
'())
|
||||
(Fieldset
|
||||
(@ (title "Log Viewer"))
|
||||
(Field (@ (name "log-viewer-subdomain") (label ("Subdomain"))
|
||||
@@ -1202,7 +1221,7 @@ chmod -R 777 /opt/keys")))
|
||||
(value ,(alist-ref 'user (alist-ref 'log-viewer app-config eq? '()) eq? ""))))
|
||||
(Field (@ (name "log-viewer-password") (label ("Password")) (type "password")
|
||||
(value ,(alist-ref 'password (alist-ref 'log-viewer app-config eq? '()) eq? "")))))
|
||||
,@(if (or (member 'nextcloud selected-apps) (member 'ghost selected-apps) (member 'nassella selected-apps))
|
||||
,@(if (or (member 'nextcloud selected-apps) (member 'ghost selected-apps) (member 'nassella selected-apps) (member 'authelia selected-apps))
|
||||
`((Fieldset
|
||||
(@ (title "All Apps - Email - SMTP"))
|
||||
(Field (@ (name "smtp-host") (label ("Host"))
|
||||
@@ -1276,6 +1295,31 @@ chmod -R 777 /opt/keys")))
|
||||
(db-root-password . ,(or (alist-ref 'db-root-password
|
||||
(alist-ref 'wordpress config eq? '()))
|
||||
(generate-postgres-password)))))
|
||||
(lldap . ((subdomain . ,(alist-ref 'lldap-subdomain (current-params)))
|
||||
(db-password . ,(or (alist-ref 'db-password
|
||||
(alist-ref 'lldap config eq? '()))
|
||||
(generate-postgres-password)))
|
||||
(jwt-secret . ,(or (alist-ref 'jwt-secret
|
||||
(alist-ref 'lldap config eq? '()))
|
||||
(generate-jwt-secret)))
|
||||
(key-seed . ,(or (alist-ref 'key-seed
|
||||
(alist-ref 'lldap config eq? '()))
|
||||
(generate-key-seed)))
|
||||
(admin-password . ,(alist-ref 'lldap-admin-password (current-params)))
|
||||
(user-email . ,(alist-ref 'lldap-user-email (current-params)))))
|
||||
(authelia . ((subdomain . ,(alist-ref 'authelia-subdomain (current-params)))
|
||||
(db-password . ,(or (alist-ref 'db-password
|
||||
(alist-ref 'authelia config eq? '()))
|
||||
(generate-postgres-password)))
|
||||
(jwt-secret . ,(or (alist-ref 'jwt-secret
|
||||
(alist-ref 'authelia config eq? '()))
|
||||
(generate-jwt-secret)))
|
||||
(session-secret . ,(or (alist-ref 'session-secret
|
||||
(alist-ref 'authelia config eq? '()))
|
||||
(generate-authelia-key-seed)))
|
||||
(encryption-key . ,(or (alist-ref 'encryption-key
|
||||
(alist-ref 'authelia config eq? '()))
|
||||
(generate-authelia-key-seed)))))
|
||||
(log-viewer . ((subdomain . ,(alist-ref 'log-viewer-subdomain (current-params)))
|
||||
(user . ,(alist-ref 'log-viewer-user (current-params)))
|
||||
(password . ,(alist-ref 'log-viewer-password (current-params)))))
|
||||
@@ -1406,7 +1450,6 @@ chmod -R 777 /opt/keys")))
|
||||
(VStack
|
||||
(Form-Nav (@ (back-to ,(conc "/config/wizard/machine2/" instance-id)) (submit-button "Launch")))))))))
|
||||
|
||||
;; TODO should this perform a backup and then run the systemctl stop app command first?
|
||||
(post "/config/wizard/review-submit/:id"
|
||||
(let* ((instance-id (alist-ref "id" (current-params) equal?))
|
||||
(status (string->symbol
|
||||
@@ -1479,6 +1522,19 @@ chmod -R 777 /opt/keys")))
|
||||
("NASSELLA_AUTHELIA_KEY_SEED" . ,(alist-ref 'authelia-key-seed (alist-ref 'nassella config)))
|
||||
("WORDPRESS_DB_PASSWORD" . ,(alist-ref 'db-password (alist-ref 'wordpress config)))
|
||||
("WORDPRESS_DB_ROOT_PASSWORD" . ,(alist-ref 'db-root-password (alist-ref 'wordpress config)))
|
||||
("LLDAP_POSTGRES_DB" . "lldap")
|
||||
("LLDAP_POSTGRES_USER" . "lldap")
|
||||
("LLDAP_POSTGRES_PASSWORD" . ,(alist-ref 'db-password (alist-ref 'lldap config)))
|
||||
("LLDAP_JWT_SECRET" . ,(alist-ref 'jwt-secret (alist-ref 'lldap config)))
|
||||
("LLDAP_KEY_SEED" . ,(alist-ref 'key-seed (alist-ref 'lldap config)))
|
||||
("LLDAP_ADMIN_PASSWORD" . ,(alist-ref 'admin-password (alist-ref 'lldap config)))
|
||||
("LLDAP_USER_EMAIL" . ,(alist-ref 'user-email (alist-ref 'lldap config)))
|
||||
("AUTHELIA_POSTGRES_DB" . "authelia")
|
||||
("AUTHELIA_POSTGRES_USER" . "authelia")
|
||||
("AUTHELIA_POSTGRES_PASSWORD" . ,(alist-ref 'db-password (alist-ref 'authelia config)))
|
||||
("AUTHELIA_JWT_SECRET" . ,(alist-ref 'jwt-secret (alist-ref 'authelia config)))
|
||||
("AUTHELIA_SESSION_SECRET" . ,(alist-ref 'session-secret (alist-ref 'authelia config)))
|
||||
("AUTHELIA_ENCRYPTION_KEY" . ,(alist-ref 'encryption-key (alist-ref 'authelia config)))
|
||||
("SMTP_HOST" . ,(alist-ref 'smtp-host (alist-ref 'all-apps config)))
|
||||
("SMTP_PORT" . ,(alist-ref 'smtp-port (alist-ref 'all-apps config)))
|
||||
("SMTP_AUTH_USER" . ,(alist-ref 'smtp-auth-user (alist-ref 'all-apps config)))
|
||||
@@ -1518,6 +1574,7 @@ chmod -R 777 /opt/keys")))
|
||||
(with-db/transaction
|
||||
(lambda (db)
|
||||
(update-deployment-progress db deployment-id '((instance-backup . in-progress)))))
|
||||
;; ;; TODO does this handle new deployments? We should not do a back up if this is new!
|
||||
;; (handle-exceptions
|
||||
;; exn
|
||||
;; (with-db/transaction
|
||||
|
||||
Reference in New Issue
Block a user