Adding lldap and authelia.

This commit is contained in:
2026-07-08 14:48:54 -07:00
parent e62593bf44
commit b8605f02ab
19 changed files with 595 additions and 28 deletions

View File

@@ -0,0 +1,5 @@
{$authelia_SUBDOMAIN}.{$ROOT_DOMAIN} {
import maintenance_intercept
reverse_proxy authelia:9091
}

View File

@@ -0,0 +1,15 @@
IMAGE_DEPS := $(IMAGE_DEPS) \
app/authelia/postgres_db \
app/authelia/postgres_user \
app/authelia/postgres_password \
app/authelia/authelia-config/configuration.yml
app/authelia/postgres_db: $(apps_config)
bash -c 'source ./$(apps_config); printf "%s\n" "$$AUTHELIA_POSTGRES_DB" > $@'
app/authelia/postgres_user: $(apps_config)
bash -c 'source ./$(apps_config); printf "%s\n" "$$AUTHELIA_POSTGRES_USER" > $@'
app/authelia/postgres_password: $(apps_config)
bash -c 'source ./$(apps_config); printf "%s\n" "$$AUTHELIA_POSTGRES_PASSWORD" > $@'
app/authelia/authelia-config/configuration.yml: $(apps_config) app/authelia/authelia-config/configuration.yml.tmpl \
app/authelia/make-authelia-config.sh
./app/authelia/make-authelia-config.sh $(apps_config)

View File

@@ -0,0 +1,118 @@
---
###############################################################
# Authelia configuration #
###############################################################
server:
address: 'tcp://:9091/authelia'
endpoints:
authz:
forward-auth:
implementation: 'ForwardAuth'
log:
level: 'debug'
totp:
issuer: 'authelia.com'
identity_validation:
reset_password:
jwt_secret: '$AUTHELIA_JWT_SECRET'
# lldap service account user should instead
# use an account with lldap_password_manager group
# since that can't be used to change an admin password
authentication_backend:
ldap:
address: 'ldap://lldap:3890'
implementation: 'lldap'
timeout: '5s'
pooling:
enable: false
count: 5
retries: 2
timeout: '10 seconds'
base_dn: 'DC=nassella,DC=org'
# additional_users_dn: 'OU=users'
# additional_groups_dn: 'OU=groups'
# group_search_mode: 'filter'
# permit_referrals: false
permit_unauthenticated_bind: false
permit_feature_detection_failure: false
user: 'uid=admin,ou=people,dc=nassella,dc=org'
password: '$LLDAP_ADMIN_PASSWORD'
# attributes:
# distinguished_name: 'distinguishedName'
# username: 'uid'
# display_name: 'displayName'
# family_name: 'sn'
# given_name: 'givenName'
# middle_name: 'middleName'
# nickname: ''
# gender: ''
# birthdate: ''
# website: 'wWWHomePage'
# profile: ''
# picture: ''
# zoneinfo: ''
# locale: ''
# phone_number: 'telephoneNumber'
# phone_extension: ''
# street_address: 'streetAddress'
# locality: 'l'
# region: 'st'
# postal_code: 'postalCode'
# country: 'c'
# mail: 'mail'
# member_of: 'memberOf'
# group_name: 'cn'
# extra:
# extra_example:
# name: ''
# multi_valued: false
# value_type: 'string'
access_control:
default_policy: 'deny'
rules:
# - domain: 'public.x.localhost'
# policy: 'bypass'
# - domain: 'app.nassella.org'
# policy: 'one_factor'
- domain: '$DOZZLE_FULL_DOMAIN'
policy: 'two_factor'
session:
secret: '$AUTHELIA_SESSION_SECRET'
cookies:
- name: 'authelia_session'
domain: '$ROOT_DOMAIN' # Should match whatever your root protected domain is
authelia_url: 'https://$AUTHELIA_FULL_DOMAIN'
expiration: '1 hour' # 1 hour
inactivity: '5 minutes' # 5 minutes
regulation:
max_retries: 3
find_time: '2 minutes'
ban_time: '5 minutes'
storage:
encryption_key: '$AUTHELIA_ENCRYPTION_KEY'
postgres:
address: 'tcp://authelia_db:5432'
servers: []
database: '$AUTHELIA_POSTGRES_DB'
schema: 'public'
username: '$AUTHELIA_POSTGRES_USER'
password: '$AUTHELIA_POSTGRES_PASSWORD'
timeout: '5s'
notifier:
smtp:
address: 'submission://$SMTP_HOST:$SMTP_PORT'
username: '$SMTP_AUTH_USER'
password: '$SMTP_AUTH_PASSWORD'
sender: '$SMTP_FROM'
...

View File

@@ -0,0 +1,58 @@
secrets:
authelia_postgres_db:
file: ./authelia/postgres_db
authelia_postgres_password:
file: ./authelia/postgres_password
authelia_postgres_user:
file: ./authelia/postgres_user
services:
authelia_db:
image: postgres:18-trixie
environment:
- POSTGRES_DB_FILE=/run/secrets/authelia_postgres_db
- POSTGRES_USER_FILE=/run/secrets/authelia_postgres_user
- POSTGRES_PASSWORD_FILE=/run/secrets/authelia_postgres_password
shm_size: 128mb
restart: always
volumes:
- /nassella/authelia/var-lib-postgresql:/var/lib/postgresql
networks:
- authelia_internal_db
healthcheck:
test: ["CMD-SHELL", "pg_isready -d `cat $$POSTGRES_DB_FILE` -U `cat $$POSTGRES_USER_FILE`"]
start_period: 15s
interval: 30s
retries: 3
timeout: 5s
secrets:
- authelia_postgres_db
- authelia_postgres_password
- authelia_postgres_user
authelia:
image: 'authelia/authelia'
volumes:
- ./authelia/authelia-config/configuration.yml:/config/configuration.yml:ro
networks:
- lb
- authelia_internal_db
- lldap_internal
depends_on:
lldap:
condition: service_healthy
authelia_db:
condition: service_healthy
restart: 'unless-stopped'
healthcheck:
## In production the healthcheck section should be commented.
disable: true
networks:
lb:
lldap_internal:
driver: bridge
internal: true
authelia_internal_db:
driver: bridge
internal: true

View File

@@ -0,0 +1,31 @@
#!/bin/bash
set -e
set -a # export everything in the config for later use by envsubst
. $1 # source the apps.config file with then env vars
read -r -a APP_CONFIGS <<< "$APP_CONFIGS"
authelia_subdomain=
dozzle_subdomain=
for config_string in ${APP_CONFIGS[@]}; do
IFS=','
read -r -a config <<< "$config_string"
app=${config[0]}
subdomain=${config[1]}
if [ "$app" = "authelia" ]; then
authelia_subdomain="$subdomain"
fi
if [ "$app" = "dozzle" ]; then
dozzle_subdomain="$subdomain"
fi
done
export AUTHELIA_FULL_DOMAIN="$authelia_subdomain.$ROOT_DOMAIN"
export DOZZLE_FULL_DOMAIN="$dozzle_subdomain.$ROOT_DOMAIN"
envsubst < app/authelia/authelia-config/configuration.yml.tmpl > app/authelia/authelia-config/configuration.yml