Adding lldap and authelia.
This commit is contained in:
5
all-apps/authelia/4/Caddyfile
Normal file
5
all-apps/authelia/4/Caddyfile
Normal file
@@ -0,0 +1,5 @@
|
||||
{$authelia_SUBDOMAIN}.{$ROOT_DOMAIN} {
|
||||
import maintenance_intercept
|
||||
|
||||
reverse_proxy authelia:9091
|
||||
}
|
||||
15
all-apps/authelia/4/Makefile
Normal file
15
all-apps/authelia/4/Makefile
Normal file
@@ -0,0 +1,15 @@
|
||||
IMAGE_DEPS := $(IMAGE_DEPS) \
|
||||
app/authelia/postgres_db \
|
||||
app/authelia/postgres_user \
|
||||
app/authelia/postgres_password \
|
||||
app/authelia/authelia-config/configuration.yml
|
||||
|
||||
app/authelia/postgres_db: $(apps_config)
|
||||
bash -c 'source ./$(apps_config); printf "%s\n" "$$AUTHELIA_POSTGRES_DB" > $@'
|
||||
app/authelia/postgres_user: $(apps_config)
|
||||
bash -c 'source ./$(apps_config); printf "%s\n" "$$AUTHELIA_POSTGRES_USER" > $@'
|
||||
app/authelia/postgres_password: $(apps_config)
|
||||
bash -c 'source ./$(apps_config); printf "%s\n" "$$AUTHELIA_POSTGRES_PASSWORD" > $@'
|
||||
app/authelia/authelia-config/configuration.yml: $(apps_config) app/authelia/authelia-config/configuration.yml.tmpl \
|
||||
app/authelia/make-authelia-config.sh
|
||||
./app/authelia/make-authelia-config.sh $(apps_config)
|
||||
118
all-apps/authelia/4/authelia-config/configuration.yml.tmpl
Normal file
118
all-apps/authelia/4/authelia-config/configuration.yml.tmpl
Normal file
@@ -0,0 +1,118 @@
|
||||
---
|
||||
###############################################################
|
||||
# Authelia configuration #
|
||||
###############################################################
|
||||
|
||||
server:
|
||||
address: 'tcp://:9091/authelia'
|
||||
endpoints:
|
||||
authz:
|
||||
forward-auth:
|
||||
implementation: 'ForwardAuth'
|
||||
|
||||
log:
|
||||
level: 'debug'
|
||||
|
||||
totp:
|
||||
issuer: 'authelia.com'
|
||||
|
||||
identity_validation:
|
||||
reset_password:
|
||||
jwt_secret: '$AUTHELIA_JWT_SECRET'
|
||||
|
||||
# lldap service account user should instead
|
||||
# use an account with lldap_password_manager group
|
||||
# since that can't be used to change an admin password
|
||||
authentication_backend:
|
||||
ldap:
|
||||
address: 'ldap://lldap:3890'
|
||||
implementation: 'lldap'
|
||||
timeout: '5s'
|
||||
pooling:
|
||||
enable: false
|
||||
count: 5
|
||||
retries: 2
|
||||
timeout: '10 seconds'
|
||||
base_dn: 'DC=nassella,DC=org'
|
||||
# additional_users_dn: 'OU=users'
|
||||
# additional_groups_dn: 'OU=groups'
|
||||
# group_search_mode: 'filter'
|
||||
# permit_referrals: false
|
||||
permit_unauthenticated_bind: false
|
||||
permit_feature_detection_failure: false
|
||||
user: 'uid=admin,ou=people,dc=nassella,dc=org'
|
||||
password: '$LLDAP_ADMIN_PASSWORD'
|
||||
# attributes:
|
||||
# distinguished_name: 'distinguishedName'
|
||||
# username: 'uid'
|
||||
# display_name: 'displayName'
|
||||
# family_name: 'sn'
|
||||
# given_name: 'givenName'
|
||||
# middle_name: 'middleName'
|
||||
# nickname: ''
|
||||
# gender: ''
|
||||
# birthdate: ''
|
||||
# website: 'wWWHomePage'
|
||||
# profile: ''
|
||||
# picture: ''
|
||||
# zoneinfo: ''
|
||||
# locale: ''
|
||||
# phone_number: 'telephoneNumber'
|
||||
# phone_extension: ''
|
||||
# street_address: 'streetAddress'
|
||||
# locality: 'l'
|
||||
# region: 'st'
|
||||
# postal_code: 'postalCode'
|
||||
# country: 'c'
|
||||
# mail: 'mail'
|
||||
# member_of: 'memberOf'
|
||||
# group_name: 'cn'
|
||||
# extra:
|
||||
# extra_example:
|
||||
# name: ''
|
||||
# multi_valued: false
|
||||
# value_type: 'string'
|
||||
|
||||
access_control:
|
||||
default_policy: 'deny'
|
||||
rules:
|
||||
# - domain: 'public.x.localhost'
|
||||
# policy: 'bypass'
|
||||
# - domain: 'app.nassella.org'
|
||||
# policy: 'one_factor'
|
||||
- domain: '$DOZZLE_FULL_DOMAIN'
|
||||
policy: 'two_factor'
|
||||
|
||||
session:
|
||||
secret: '$AUTHELIA_SESSION_SECRET'
|
||||
|
||||
cookies:
|
||||
- name: 'authelia_session'
|
||||
domain: '$ROOT_DOMAIN' # Should match whatever your root protected domain is
|
||||
authelia_url: 'https://$AUTHELIA_FULL_DOMAIN'
|
||||
expiration: '1 hour' # 1 hour
|
||||
inactivity: '5 minutes' # 5 minutes
|
||||
|
||||
regulation:
|
||||
max_retries: 3
|
||||
find_time: '2 minutes'
|
||||
ban_time: '5 minutes'
|
||||
|
||||
storage:
|
||||
encryption_key: '$AUTHELIA_ENCRYPTION_KEY'
|
||||
postgres:
|
||||
address: 'tcp://authelia_db:5432'
|
||||
servers: []
|
||||
database: '$AUTHELIA_POSTGRES_DB'
|
||||
schema: 'public'
|
||||
username: '$AUTHELIA_POSTGRES_USER'
|
||||
password: '$AUTHELIA_POSTGRES_PASSWORD'
|
||||
timeout: '5s'
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
address: 'submission://$SMTP_HOST:$SMTP_PORT'
|
||||
username: '$SMTP_AUTH_USER'
|
||||
password: '$SMTP_AUTH_PASSWORD'
|
||||
sender: '$SMTP_FROM'
|
||||
...
|
||||
58
all-apps/authelia/4/docker-compose.yaml
Normal file
58
all-apps/authelia/4/docker-compose.yaml
Normal file
@@ -0,0 +1,58 @@
|
||||
secrets:
|
||||
authelia_postgres_db:
|
||||
file: ./authelia/postgres_db
|
||||
authelia_postgres_password:
|
||||
file: ./authelia/postgres_password
|
||||
authelia_postgres_user:
|
||||
file: ./authelia/postgres_user
|
||||
|
||||
services:
|
||||
authelia_db:
|
||||
image: postgres:18-trixie
|
||||
environment:
|
||||
- POSTGRES_DB_FILE=/run/secrets/authelia_postgres_db
|
||||
- POSTGRES_USER_FILE=/run/secrets/authelia_postgres_user
|
||||
- POSTGRES_PASSWORD_FILE=/run/secrets/authelia_postgres_password
|
||||
shm_size: 128mb
|
||||
restart: always
|
||||
volumes:
|
||||
- /nassella/authelia/var-lib-postgresql:/var/lib/postgresql
|
||||
networks:
|
||||
- authelia_internal_db
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready -d `cat $$POSTGRES_DB_FILE` -U `cat $$POSTGRES_USER_FILE`"]
|
||||
start_period: 15s
|
||||
interval: 30s
|
||||
retries: 3
|
||||
timeout: 5s
|
||||
secrets:
|
||||
- authelia_postgres_db
|
||||
- authelia_postgres_password
|
||||
- authelia_postgres_user
|
||||
|
||||
authelia:
|
||||
image: 'authelia/authelia'
|
||||
volumes:
|
||||
- ./authelia/authelia-config/configuration.yml:/config/configuration.yml:ro
|
||||
networks:
|
||||
- lb
|
||||
- authelia_internal_db
|
||||
- lldap_internal
|
||||
depends_on:
|
||||
lldap:
|
||||
condition: service_healthy
|
||||
authelia_db:
|
||||
condition: service_healthy
|
||||
restart: 'unless-stopped'
|
||||
healthcheck:
|
||||
## In production the healthcheck section should be commented.
|
||||
disable: true
|
||||
|
||||
networks:
|
||||
lb:
|
||||
lldap_internal:
|
||||
driver: bridge
|
||||
internal: true
|
||||
authelia_internal_db:
|
||||
driver: bridge
|
||||
internal: true
|
||||
31
all-apps/authelia/4/make-authelia-config.sh
Executable file
31
all-apps/authelia/4/make-authelia-config.sh
Executable file
@@ -0,0 +1,31 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
set -a # export everything in the config for later use by envsubst
|
||||
|
||||
. $1 # source the apps.config file with then env vars
|
||||
|
||||
read -r -a APP_CONFIGS <<< "$APP_CONFIGS"
|
||||
|
||||
authelia_subdomain=
|
||||
dozzle_subdomain=
|
||||
|
||||
for config_string in ${APP_CONFIGS[@]}; do
|
||||
IFS=','
|
||||
read -r -a config <<< "$config_string"
|
||||
|
||||
app=${config[0]}
|
||||
subdomain=${config[1]}
|
||||
|
||||
if [ "$app" = "authelia" ]; then
|
||||
authelia_subdomain="$subdomain"
|
||||
fi
|
||||
|
||||
if [ "$app" = "dozzle" ]; then
|
||||
dozzle_subdomain="$subdomain"
|
||||
fi
|
||||
done
|
||||
|
||||
export AUTHELIA_FULL_DOMAIN="$authelia_subdomain.$ROOT_DOMAIN"
|
||||
export DOZZLE_FULL_DOMAIN="$dozzle_subdomain.$ROOT_DOMAIN"
|
||||
envsubst < app/authelia/authelia-config/configuration.yml.tmpl > app/authelia/authelia-config/configuration.yml
|
||||
Reference in New Issue
Block a user