Adding lldap and authelia.
This commit is contained in:
5
all-apps/authelia/4/Caddyfile
Normal file
5
all-apps/authelia/4/Caddyfile
Normal file
@@ -0,0 +1,5 @@
|
|||||||
|
{$authelia_SUBDOMAIN}.{$ROOT_DOMAIN} {
|
||||||
|
import maintenance_intercept
|
||||||
|
|
||||||
|
reverse_proxy authelia:9091
|
||||||
|
}
|
||||||
15
all-apps/authelia/4/Makefile
Normal file
15
all-apps/authelia/4/Makefile
Normal file
@@ -0,0 +1,15 @@
|
|||||||
|
IMAGE_DEPS := $(IMAGE_DEPS) \
|
||||||
|
app/authelia/postgres_db \
|
||||||
|
app/authelia/postgres_user \
|
||||||
|
app/authelia/postgres_password \
|
||||||
|
app/authelia/authelia-config/configuration.yml
|
||||||
|
|
||||||
|
app/authelia/postgres_db: $(apps_config)
|
||||||
|
bash -c 'source ./$(apps_config); printf "%s\n" "$$AUTHELIA_POSTGRES_DB" > $@'
|
||||||
|
app/authelia/postgres_user: $(apps_config)
|
||||||
|
bash -c 'source ./$(apps_config); printf "%s\n" "$$AUTHELIA_POSTGRES_USER" > $@'
|
||||||
|
app/authelia/postgres_password: $(apps_config)
|
||||||
|
bash -c 'source ./$(apps_config); printf "%s\n" "$$AUTHELIA_POSTGRES_PASSWORD" > $@'
|
||||||
|
app/authelia/authelia-config/configuration.yml: $(apps_config) app/authelia/authelia-config/configuration.yml.tmpl \
|
||||||
|
app/authelia/make-authelia-config.sh
|
||||||
|
./app/authelia/make-authelia-config.sh $(apps_config)
|
||||||
118
all-apps/authelia/4/authelia-config/configuration.yml.tmpl
Normal file
118
all-apps/authelia/4/authelia-config/configuration.yml.tmpl
Normal file
@@ -0,0 +1,118 @@
|
|||||||
|
---
|
||||||
|
###############################################################
|
||||||
|
# Authelia configuration #
|
||||||
|
###############################################################
|
||||||
|
|
||||||
|
server:
|
||||||
|
address: 'tcp://:9091/authelia'
|
||||||
|
endpoints:
|
||||||
|
authz:
|
||||||
|
forward-auth:
|
||||||
|
implementation: 'ForwardAuth'
|
||||||
|
|
||||||
|
log:
|
||||||
|
level: 'debug'
|
||||||
|
|
||||||
|
totp:
|
||||||
|
issuer: 'authelia.com'
|
||||||
|
|
||||||
|
identity_validation:
|
||||||
|
reset_password:
|
||||||
|
jwt_secret: '$AUTHELIA_JWT_SECRET'
|
||||||
|
|
||||||
|
# lldap service account user should instead
|
||||||
|
# use an account with lldap_password_manager group
|
||||||
|
# since that can't be used to change an admin password
|
||||||
|
authentication_backend:
|
||||||
|
ldap:
|
||||||
|
address: 'ldap://lldap:3890'
|
||||||
|
implementation: 'lldap'
|
||||||
|
timeout: '5s'
|
||||||
|
pooling:
|
||||||
|
enable: false
|
||||||
|
count: 5
|
||||||
|
retries: 2
|
||||||
|
timeout: '10 seconds'
|
||||||
|
base_dn: 'DC=nassella,DC=org'
|
||||||
|
# additional_users_dn: 'OU=users'
|
||||||
|
# additional_groups_dn: 'OU=groups'
|
||||||
|
# group_search_mode: 'filter'
|
||||||
|
# permit_referrals: false
|
||||||
|
permit_unauthenticated_bind: false
|
||||||
|
permit_feature_detection_failure: false
|
||||||
|
user: 'uid=admin,ou=people,dc=nassella,dc=org'
|
||||||
|
password: '$LLDAP_ADMIN_PASSWORD'
|
||||||
|
# attributes:
|
||||||
|
# distinguished_name: 'distinguishedName'
|
||||||
|
# username: 'uid'
|
||||||
|
# display_name: 'displayName'
|
||||||
|
# family_name: 'sn'
|
||||||
|
# given_name: 'givenName'
|
||||||
|
# middle_name: 'middleName'
|
||||||
|
# nickname: ''
|
||||||
|
# gender: ''
|
||||||
|
# birthdate: ''
|
||||||
|
# website: 'wWWHomePage'
|
||||||
|
# profile: ''
|
||||||
|
# picture: ''
|
||||||
|
# zoneinfo: ''
|
||||||
|
# locale: ''
|
||||||
|
# phone_number: 'telephoneNumber'
|
||||||
|
# phone_extension: ''
|
||||||
|
# street_address: 'streetAddress'
|
||||||
|
# locality: 'l'
|
||||||
|
# region: 'st'
|
||||||
|
# postal_code: 'postalCode'
|
||||||
|
# country: 'c'
|
||||||
|
# mail: 'mail'
|
||||||
|
# member_of: 'memberOf'
|
||||||
|
# group_name: 'cn'
|
||||||
|
# extra:
|
||||||
|
# extra_example:
|
||||||
|
# name: ''
|
||||||
|
# multi_valued: false
|
||||||
|
# value_type: 'string'
|
||||||
|
|
||||||
|
access_control:
|
||||||
|
default_policy: 'deny'
|
||||||
|
rules:
|
||||||
|
# - domain: 'public.x.localhost'
|
||||||
|
# policy: 'bypass'
|
||||||
|
# - domain: 'app.nassella.org'
|
||||||
|
# policy: 'one_factor'
|
||||||
|
- domain: '$DOZZLE_FULL_DOMAIN'
|
||||||
|
policy: 'two_factor'
|
||||||
|
|
||||||
|
session:
|
||||||
|
secret: '$AUTHELIA_SESSION_SECRET'
|
||||||
|
|
||||||
|
cookies:
|
||||||
|
- name: 'authelia_session'
|
||||||
|
domain: '$ROOT_DOMAIN' # Should match whatever your root protected domain is
|
||||||
|
authelia_url: 'https://$AUTHELIA_FULL_DOMAIN'
|
||||||
|
expiration: '1 hour' # 1 hour
|
||||||
|
inactivity: '5 minutes' # 5 minutes
|
||||||
|
|
||||||
|
regulation:
|
||||||
|
max_retries: 3
|
||||||
|
find_time: '2 minutes'
|
||||||
|
ban_time: '5 minutes'
|
||||||
|
|
||||||
|
storage:
|
||||||
|
encryption_key: '$AUTHELIA_ENCRYPTION_KEY'
|
||||||
|
postgres:
|
||||||
|
address: 'tcp://authelia_db:5432'
|
||||||
|
servers: []
|
||||||
|
database: '$AUTHELIA_POSTGRES_DB'
|
||||||
|
schema: 'public'
|
||||||
|
username: '$AUTHELIA_POSTGRES_USER'
|
||||||
|
password: '$AUTHELIA_POSTGRES_PASSWORD'
|
||||||
|
timeout: '5s'
|
||||||
|
|
||||||
|
notifier:
|
||||||
|
smtp:
|
||||||
|
address: 'submission://$SMTP_HOST:$SMTP_PORT'
|
||||||
|
username: '$SMTP_AUTH_USER'
|
||||||
|
password: '$SMTP_AUTH_PASSWORD'
|
||||||
|
sender: '$SMTP_FROM'
|
||||||
|
...
|
||||||
58
all-apps/authelia/4/docker-compose.yaml
Normal file
58
all-apps/authelia/4/docker-compose.yaml
Normal file
@@ -0,0 +1,58 @@
|
|||||||
|
secrets:
|
||||||
|
authelia_postgres_db:
|
||||||
|
file: ./authelia/postgres_db
|
||||||
|
authelia_postgres_password:
|
||||||
|
file: ./authelia/postgres_password
|
||||||
|
authelia_postgres_user:
|
||||||
|
file: ./authelia/postgres_user
|
||||||
|
|
||||||
|
services:
|
||||||
|
authelia_db:
|
||||||
|
image: postgres:18-trixie
|
||||||
|
environment:
|
||||||
|
- POSTGRES_DB_FILE=/run/secrets/authelia_postgres_db
|
||||||
|
- POSTGRES_USER_FILE=/run/secrets/authelia_postgres_user
|
||||||
|
- POSTGRES_PASSWORD_FILE=/run/secrets/authelia_postgres_password
|
||||||
|
shm_size: 128mb
|
||||||
|
restart: always
|
||||||
|
volumes:
|
||||||
|
- /nassella/authelia/var-lib-postgresql:/var/lib/postgresql
|
||||||
|
networks:
|
||||||
|
- authelia_internal_db
|
||||||
|
healthcheck:
|
||||||
|
test: ["CMD-SHELL", "pg_isready -d `cat $$POSTGRES_DB_FILE` -U `cat $$POSTGRES_USER_FILE`"]
|
||||||
|
start_period: 15s
|
||||||
|
interval: 30s
|
||||||
|
retries: 3
|
||||||
|
timeout: 5s
|
||||||
|
secrets:
|
||||||
|
- authelia_postgres_db
|
||||||
|
- authelia_postgres_password
|
||||||
|
- authelia_postgres_user
|
||||||
|
|
||||||
|
authelia:
|
||||||
|
image: 'authelia/authelia'
|
||||||
|
volumes:
|
||||||
|
- ./authelia/authelia-config/configuration.yml:/config/configuration.yml:ro
|
||||||
|
networks:
|
||||||
|
- lb
|
||||||
|
- authelia_internal_db
|
||||||
|
- lldap_internal
|
||||||
|
depends_on:
|
||||||
|
lldap:
|
||||||
|
condition: service_healthy
|
||||||
|
authelia_db:
|
||||||
|
condition: service_healthy
|
||||||
|
restart: 'unless-stopped'
|
||||||
|
healthcheck:
|
||||||
|
## In production the healthcheck section should be commented.
|
||||||
|
disable: true
|
||||||
|
|
||||||
|
networks:
|
||||||
|
lb:
|
||||||
|
lldap_internal:
|
||||||
|
driver: bridge
|
||||||
|
internal: true
|
||||||
|
authelia_internal_db:
|
||||||
|
driver: bridge
|
||||||
|
internal: true
|
||||||
31
all-apps/authelia/4/make-authelia-config.sh
Executable file
31
all-apps/authelia/4/make-authelia-config.sh
Executable file
@@ -0,0 +1,31 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
set -e
|
||||||
|
set -a # export everything in the config for later use by envsubst
|
||||||
|
|
||||||
|
. $1 # source the apps.config file with then env vars
|
||||||
|
|
||||||
|
read -r -a APP_CONFIGS <<< "$APP_CONFIGS"
|
||||||
|
|
||||||
|
authelia_subdomain=
|
||||||
|
dozzle_subdomain=
|
||||||
|
|
||||||
|
for config_string in ${APP_CONFIGS[@]}; do
|
||||||
|
IFS=','
|
||||||
|
read -r -a config <<< "$config_string"
|
||||||
|
|
||||||
|
app=${config[0]}
|
||||||
|
subdomain=${config[1]}
|
||||||
|
|
||||||
|
if [ "$app" = "authelia" ]; then
|
||||||
|
authelia_subdomain="$subdomain"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$app" = "dozzle" ]; then
|
||||||
|
dozzle_subdomain="$subdomain"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
export AUTHELIA_FULL_DOMAIN="$authelia_subdomain.$ROOT_DOMAIN"
|
||||||
|
export DOZZLE_FULL_DOMAIN="$dozzle_subdomain.$ROOT_DOMAIN"
|
||||||
|
envsubst < app/authelia/authelia-config/configuration.yml.tmpl > app/authelia/authelia-config/configuration.yml
|
||||||
7
all-apps/dozzle/20/Caddyfile
Normal file
7
all-apps/dozzle/20/Caddyfile
Normal file
@@ -0,0 +1,7 @@
|
|||||||
|
{$dozzle_SUBDOMAIN}.{$ROOT_DOMAIN} {
|
||||||
|
forward_auth authelia:9091 {
|
||||||
|
uri /api/authz/forward-auth
|
||||||
|
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
|
||||||
|
}
|
||||||
|
reverse_proxy http://dozzle:8080
|
||||||
|
}
|
||||||
@@ -1,5 +0,0 @@
|
|||||||
IMAGE_DEPS := $(IMAGE_DEPS) \
|
|
||||||
app/dozzle/Caddyfile
|
|
||||||
|
|
||||||
app/dozzle/Caddyfile: $(apps_config) app/dozzle/make-caddyfile.sh
|
|
||||||
./app/dozzle/make-caddyfile.sh $(apps_config) > $@
|
|
||||||
@@ -1,15 +0,0 @@
|
|||||||
#/bin/bash
|
|
||||||
|
|
||||||
set -e
|
|
||||||
|
|
||||||
. $1 # source the apps.config file with then env vars
|
|
||||||
|
|
||||||
host_admin_password_encoded=`echo "$HOST_ADMIN_PASSWORD" | docker run --rm -i caddy:2 caddy hash-password`
|
|
||||||
|
|
||||||
echo '{$dozzle_SUBDOMAIN}.{$ROOT_DOMAIN} {'
|
|
||||||
echo " basic_auth {"
|
|
||||||
echo " $HOST_ADMIN_USER $host_admin_password_encoded"
|
|
||||||
echo " }"
|
|
||||||
echo " reverse_proxy http://dozzle:8080"
|
|
||||||
echo "}"
|
|
||||||
echo ""
|
|
||||||
@@ -57,6 +57,14 @@ services:
|
|||||||
retries: 120
|
retries: 120
|
||||||
networks:
|
networks:
|
||||||
- ghost_network
|
- ghost_network
|
||||||
|
command:
|
||||||
|
- --performance-schema=OFF
|
||||||
|
- --innodb-buffer-pool-size=64M
|
||||||
|
- --max-connections=10
|
||||||
|
- --table-open-cache=128
|
||||||
|
- --table-definition-cache=128
|
||||||
|
- --thread-cache-size=2
|
||||||
|
- --innodb-log-buffer-size=8M
|
||||||
|
|
||||||
ghost_traffic-analytics:
|
ghost_traffic-analytics:
|
||||||
image: ghost/traffic-analytics:1.0
|
image: ghost/traffic-analytics:1.0
|
||||||
|
|||||||
4
all-apps/lldap/0.6.3/Caddyfile
Normal file
4
all-apps/lldap/0.6.3/Caddyfile
Normal file
@@ -0,0 +1,4 @@
|
|||||||
|
{$lldap_SUBDOMAIN}.{$ROOT_DOMAIN} {
|
||||||
|
import maintenance_intercept
|
||||||
|
reverse_proxy http://lldap:17170
|
||||||
|
}
|
||||||
21
all-apps/lldap/0.6.3/Makefile
Normal file
21
all-apps/lldap/0.6.3/Makefile
Normal file
@@ -0,0 +1,21 @@
|
|||||||
|
IMAGE_DEPS := $(IMAGE_DEPS) \
|
||||||
|
app/lldap/postgres_db \
|
||||||
|
app/lldap/postgres_user \
|
||||||
|
app/lldap/postgres_password \
|
||||||
|
app/lldap/admin_password \
|
||||||
|
app/lldap/jwt_secret \
|
||||||
|
app/lldap/lldap-config/lldap_config.toml
|
||||||
|
|
||||||
|
app/lldap/postgres_db: $(apps_config)
|
||||||
|
bash -c 'source ./$(apps_config); printf "%s\n" "$$LLDAP_POSTGRES_DB" > $@'
|
||||||
|
app/lldap/postgres_user: $(apps_config)
|
||||||
|
bash -c 'source ./$(apps_config); printf "%s\n" "$$LLDAP_POSTGRES_USER" > $@'
|
||||||
|
app/lldap/postgres_password: $(apps_config)
|
||||||
|
bash -c 'source ./$(apps_config); printf "%s\n" "$$LLDAP_POSTGRES_PASSWORD" > $@'
|
||||||
|
app/lldap/admin_password: $(apps_config)
|
||||||
|
bash -c 'source ./$(apps_config); printf "%s\n" "$$LLDAP_ADMIN_PASSWORD" > $@'
|
||||||
|
app/lldap/jwt_secret: $(apps_config)
|
||||||
|
bash -c 'source ./$(apps_config); printf "%s\n" "$$LLDAP_JWT_SECRET" > $@'
|
||||||
|
app/lldap/lldap-config/lldap_config.toml: $(apps_config) app/lldap/lldap-config/lldap_config.toml.tmpl \
|
||||||
|
app/lldap/make-lldap-config.sh
|
||||||
|
./app/lldap/make-lldap-config.sh $(apps_config)
|
||||||
65
all-apps/lldap/0.6.3/docker-compose.yaml
Normal file
65
all-apps/lldap/0.6.3/docker-compose.yaml
Normal file
@@ -0,0 +1,65 @@
|
|||||||
|
secrets:
|
||||||
|
lldap_postgres_db:
|
||||||
|
file: ./lldap/postgres_db
|
||||||
|
lldap_postgres_password:
|
||||||
|
file: ./lldap/postgres_password
|
||||||
|
lldap_postgres_user:
|
||||||
|
file: ./lldap/postgres_user
|
||||||
|
lldap_admin_password:
|
||||||
|
file: ./lldap/admin_password
|
||||||
|
lldap_jwt_secret:
|
||||||
|
file: ./lldap/jwt_secret
|
||||||
|
|
||||||
|
services:
|
||||||
|
lldap_db:
|
||||||
|
image: postgres:18-trixie
|
||||||
|
environment:
|
||||||
|
- POSTGRES_DB_FILE=/run/secrets/lldap_postgres_db
|
||||||
|
- POSTGRES_USER_FILE=/run/secrets/lldap_postgres_user
|
||||||
|
- POSTGRES_PASSWORD_FILE=/run/secrets/lldap_postgres_password
|
||||||
|
shm_size: 128mb
|
||||||
|
restart: always
|
||||||
|
volumes:
|
||||||
|
- /nassella/lldap/var-lib-postgresql:/var/lib/postgresql
|
||||||
|
networks:
|
||||||
|
- lldap_db_internal
|
||||||
|
healthcheck:
|
||||||
|
test: ["CMD-SHELL", "pg_isready -d `cat $$POSTGRES_DB_FILE` -U `cat $$POSTGRES_USER_FILE`"]
|
||||||
|
start_period: 15s
|
||||||
|
interval: 30s
|
||||||
|
retries: 3
|
||||||
|
timeout: 5s
|
||||||
|
secrets:
|
||||||
|
- lldap_postgres_db
|
||||||
|
- lldap_postgres_password
|
||||||
|
- lldap_postgres_user
|
||||||
|
|
||||||
|
lldap:
|
||||||
|
image: lldap/lldap:stable
|
||||||
|
environment:
|
||||||
|
- LLDAP_JWT_SECRET_FILE=/run/secrets/lldap_jwt_secret
|
||||||
|
- LLDAP_LDAP_USER_PASS_FILE=/run/secrets/lldap_admin_password
|
||||||
|
volumes:
|
||||||
|
- ./lldap/lldap-config/:/data
|
||||||
|
networks:
|
||||||
|
- lb
|
||||||
|
- lldap_internal
|
||||||
|
- lldap_db_internal
|
||||||
|
depends_on:
|
||||||
|
lldap_db:
|
||||||
|
condition: service_healthy
|
||||||
|
secrets:
|
||||||
|
- lldap_postgres_db
|
||||||
|
- lldap_postgres_password
|
||||||
|
- lldap_postgres_user
|
||||||
|
- lldap_jwt_secret
|
||||||
|
- lldap_admin_password
|
||||||
|
|
||||||
|
networks:
|
||||||
|
lb:
|
||||||
|
lldap_internal:
|
||||||
|
driver: bridge
|
||||||
|
internal: true
|
||||||
|
lldap_db_internal:
|
||||||
|
driver: bridge
|
||||||
|
internal: true
|
||||||
161
all-apps/lldap/0.6.3/lldap-config/lldap_config.toml.tmpl
Normal file
161
all-apps/lldap/0.6.3/lldap-config/lldap_config.toml.tmpl
Normal file
@@ -0,0 +1,161 @@
|
|||||||
|
## Default configuration for Docker.
|
||||||
|
## All the values can be overridden through environment variables, prefixed
|
||||||
|
## with "LLDAP_". For instance, "ldap_port" can be overridden with the
|
||||||
|
## "LLDAP_LDAP_PORT" variable.
|
||||||
|
|
||||||
|
## Tune the logging to be more verbose by setting this to be true.
|
||||||
|
## You can set it with the LLDAP_VERBOSE environment variable.
|
||||||
|
# verbose=false
|
||||||
|
|
||||||
|
## The host address that the LDAP server will be bound to.
|
||||||
|
## To enable IPv6 support, simply switch "ldap_host" to "::":
|
||||||
|
## To only allow connections from localhost (if you want to restrict to local self-hosted services),
|
||||||
|
## change it to "127.0.0.1" ("::1" in case of IPv6).
|
||||||
|
## If LLDAP server is running in docker, set it to "0.0.0.0" ("::" for IPv6) to allow connections
|
||||||
|
## originating from outside the container.
|
||||||
|
ldap_host = "0.0.0.0"
|
||||||
|
|
||||||
|
## The port on which to have the LDAP server.
|
||||||
|
#ldap_port = 3890
|
||||||
|
|
||||||
|
## The host address that the HTTP server will be bound to.
|
||||||
|
## To enable IPv6 support, simply switch "http_host" to "::".
|
||||||
|
## To only allow connections from localhost (if you want to restrict to local self-hosted services),
|
||||||
|
## change it to "127.0.0.1" ("::1" in case of IPv6).
|
||||||
|
## If LLDAP server is running in docker, set it to "0.0.0.0" ("::" for IPv6) to allow connections
|
||||||
|
## originating from outside the container.
|
||||||
|
http_host = "0.0.0.0"
|
||||||
|
|
||||||
|
## The port on which to have the HTTP server, for user login and
|
||||||
|
## administration.
|
||||||
|
#http_port = 17170
|
||||||
|
|
||||||
|
## The public URL of the server, for password reset links.
|
||||||
|
http_url = "https://$LLDAP_FULL_DOMAIN"
|
||||||
|
|
||||||
|
## The path to the front-end assets (relative to the working directory).
|
||||||
|
#assets_path = "./app"
|
||||||
|
|
||||||
|
## Random secret for JWT signature.
|
||||||
|
## This secret should be random, and should be shared with application
|
||||||
|
## servers that need to consume the JWTs.
|
||||||
|
## Changing this secret will invalidate all user sessions and require
|
||||||
|
## them to re-login.
|
||||||
|
## You should probably set it through the LLDAP_JWT_SECRET environment
|
||||||
|
## variable from a secret ".env" file.
|
||||||
|
## This can also be set from a file's contents by specifying the file path
|
||||||
|
## in the LLDAP_JWT_SECRET_FILE environment variable
|
||||||
|
## You can generate it with (on linux):
|
||||||
|
## LC_ALL=C tr -dc 'A-Za-z0-9!#%&'\''()*+,-./:;<=>?@[\]^_{|}~' </dev/urandom | head -c 32; echo ''
|
||||||
|
# jwt_secret = "$NASSELLA_LLDAP_JWT_SECRET"
|
||||||
|
|
||||||
|
## Base DN for LDAP.
|
||||||
|
## This is usually your domain name, and is used as a
|
||||||
|
## namespace for your users. The choice is arbitrary, but will be needed
|
||||||
|
## to configure the LDAP integration with other services.
|
||||||
|
## The sample value is for "example.com", but you can extend it with as
|
||||||
|
## many "dc" as you want, and you don't actually need to own the domain
|
||||||
|
## name.
|
||||||
|
ldap_base_dn = "dc=nassella,dc=org"
|
||||||
|
|
||||||
|
## Admin username.
|
||||||
|
## For the LDAP interface, a value of "admin" here will create the LDAP
|
||||||
|
## user "cn=admin,ou=people,dc=example,dc=com" (with the base DN above).
|
||||||
|
## For the administration interface, this is the username.
|
||||||
|
#ldap_user_dn = "admin"
|
||||||
|
|
||||||
|
## Admin email.
|
||||||
|
## Email for the admin account. It is only used when initially creating
|
||||||
|
## the admin user, and can safely be omitted.
|
||||||
|
ldap_user_email = "$LLDAP_USER_EMAIL"
|
||||||
|
|
||||||
|
## Admin password.
|
||||||
|
## Password for the admin account, both for the LDAP bind and for the
|
||||||
|
## administration interface. It is only used when initially creating
|
||||||
|
## the admin user.
|
||||||
|
## It should be minimum 8 characters long.
|
||||||
|
## You can set it with the LLDAP_LDAP_USER_PASS environment variable.
|
||||||
|
## This can also be set from a file's contents by specifying the file path
|
||||||
|
## in the LLDAP_LDAP_USER_PASS_FILE environment variable
|
||||||
|
## Note: you can create another admin user for user administration, this
|
||||||
|
## is just the default one.
|
||||||
|
# ldap_user_pass = ""
|
||||||
|
|
||||||
|
## Force reset of the admin password.
|
||||||
|
## Break glass in case of emergency: if you lost the admin password, you
|
||||||
|
## can set this to true to force a reset of the admin password to the value
|
||||||
|
## of ldap_user_pass above.
|
||||||
|
## Alternatively, you can set it to "always" to reset every time the server starts.
|
||||||
|
# force_ldap_user_pass_reset = false
|
||||||
|
|
||||||
|
## Database URL.
|
||||||
|
## This encodes the type of database (SQlite, MySQL, or PostgreSQL)
|
||||||
|
## , the path, the user, password, and sometimes the mode (when
|
||||||
|
## relevant).
|
||||||
|
## Note: SQlite should come with "?mode=rwc" to create the DB
|
||||||
|
## if not present.
|
||||||
|
## Example URLs:
|
||||||
|
## - "postgres://postgres-user:password@postgres-server/my-database"
|
||||||
|
## - "mysql://mysql-user:password@mysql-server/my-database"
|
||||||
|
##
|
||||||
|
## This can be overridden with the LLDAP_DATABASE_URL env variable.
|
||||||
|
database_url = "postgres://lldap:$LLDAP_POSTGRES_PASSWORD@lldap_db/lldap"
|
||||||
|
|
||||||
|
## Private key file.
|
||||||
|
## Not recommended, use key_seed instead.
|
||||||
|
## Contains the secret private key used to store the passwords safely.
|
||||||
|
## Note that even with a database dump and the private key, an attacker
|
||||||
|
## would still have to perform an (expensive) brute force attack to find
|
||||||
|
## each password.
|
||||||
|
## Randomly generated on first run if it doesn't exist.
|
||||||
|
## Env variable: LLDAP_KEY_FILE
|
||||||
|
#key_file = "/data/private_key"
|
||||||
|
|
||||||
|
## Seed to generate the server private key, see key_file above.
|
||||||
|
## This can be any random string, the recommendation is that it's at least 12
|
||||||
|
## characters long.
|
||||||
|
## Env variable: LLDAP_KEY_SEED
|
||||||
|
key_seed = "$LLDAP_KEY_SEED"
|
||||||
|
|
||||||
|
## Ignored attributes.
|
||||||
|
## Some services will request attributes that are not present in LLDAP. When it
|
||||||
|
## is the case, LLDAP will warn about the attribute being unknown. If you want
|
||||||
|
## to ignore the attribute and the service works without, you can add it to this
|
||||||
|
## list to silence the warning.
|
||||||
|
#ignored_user_attributes = [ "sAMAccountName" ]
|
||||||
|
#ignored_group_attributes = [ "mail", "userPrincipalName" ]
|
||||||
|
|
||||||
|
## Options to configure SMTP parameters, to send password reset emails.
|
||||||
|
## To set these options from environment variables, use the following format
|
||||||
|
## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD
|
||||||
|
[smtp_options]
|
||||||
|
## Whether to enabled password reset via email, from LLDAP.
|
||||||
|
enable_password_reset=true
|
||||||
|
## The SMTP server.
|
||||||
|
server="$SMTP_HOST"
|
||||||
|
## The SMTP port.
|
||||||
|
port=$SMTP_PORT
|
||||||
|
## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS".
|
||||||
|
smtp_encryption = "TLS"
|
||||||
|
## The SMTP user, usually your email address.
|
||||||
|
user="$SMTP_AUTH_USER"
|
||||||
|
## The SMTP password.
|
||||||
|
password="$SMTP_AUTH_PASSSWORD"
|
||||||
|
## The header field, optional: how the sender appears in the email. The first
|
||||||
|
## is a free-form name, followed by an email between <>.
|
||||||
|
from="$SMTP_FROM"
|
||||||
|
## Same for reply-to, optional.
|
||||||
|
#reply_to="Do not reply <noreply@localhost>"
|
||||||
|
|
||||||
|
## Options to configure LDAPS.
|
||||||
|
## To set these options from environment variables, use the following format
|
||||||
|
## (example with "port"): LLDAP_LDAPS_OPTIONS__PORT
|
||||||
|
[ldaps_options]
|
||||||
|
## Whether to enable LDAPS.
|
||||||
|
#enabled=true
|
||||||
|
## Port on which to listen.
|
||||||
|
#port=6360
|
||||||
|
## Certificate file.
|
||||||
|
#cert_file="/data/cert.pem"
|
||||||
|
## Certificate key file.
|
||||||
|
#key_file="/data/key.pem"
|
||||||
25
all-apps/lldap/0.6.3/make-lldap-config.sh
Executable file
25
all-apps/lldap/0.6.3/make-lldap-config.sh
Executable file
@@ -0,0 +1,25 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
set -e
|
||||||
|
set -a # export everything in the config for later use by envsubst
|
||||||
|
|
||||||
|
. $1 # source the apps.config file with then env vars
|
||||||
|
|
||||||
|
read -r -a APP_CONFIGS <<< "$APP_CONFIGS"
|
||||||
|
|
||||||
|
lldap_subdomain=
|
||||||
|
|
||||||
|
for config_string in ${APP_CONFIGS[@]}; do
|
||||||
|
IFS=','
|
||||||
|
read -r -a config <<< "$config_string"
|
||||||
|
|
||||||
|
app=${config[0]}
|
||||||
|
subdomain=${config[1]}
|
||||||
|
|
||||||
|
if [ "$app" = "lldap" ]; then
|
||||||
|
lldap_subdomain="$subdomain"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
export LLDAP_FULL_DOMAIN="$lldap_subdomain.$ROOT_DOMAIN"
|
||||||
|
envsubst < app/lldap/lldap-config/lldap_config.toml.tmpl > app/lldap/lldap-config/lldap_config.toml
|
||||||
@@ -65,6 +65,14 @@ services:
|
|||||||
secrets:
|
secrets:
|
||||||
- wordpress_db_password
|
- wordpress_db_password
|
||||||
- wordpress_db_root_password
|
- wordpress_db_root_password
|
||||||
|
command:
|
||||||
|
- --performance-schema=OFF
|
||||||
|
- --innodb-buffer-pool-size=64M
|
||||||
|
- --max-connections=10
|
||||||
|
- --table-open-cache=128
|
||||||
|
- --table-definition-cache=128
|
||||||
|
- --thread-cache-size=2
|
||||||
|
- --innodb-log-buffer-size=8M
|
||||||
|
|
||||||
# wordpress_init:
|
# wordpress_init:
|
||||||
# image: wordpress:cli-php8.4
|
# image: wordpress:cli-php8.4
|
||||||
|
|||||||
@@ -626,7 +626,9 @@ where user_id=$1;"
|
|||||||
(2 . "adding-deployments-instance-backup")
|
(2 . "adding-deployments-instance-backup")
|
||||||
(3 . "normalizing-apps")
|
(3 . "normalizing-apps")
|
||||||
(4 . "fixing-app-normalization")
|
(4 . "fixing-app-normalization")
|
||||||
(5 . "adding-wordpress-app")))
|
(5 . "adding-wordpress-app")
|
||||||
|
(6 . "adding-lldap-app")
|
||||||
|
(7 . "adding-authelia-app")))
|
||||||
|
|
||||||
(define (run-pending-migrations conn)
|
(define (run-pending-migrations conn)
|
||||||
(let* ((migration-ids (sort (map car *migrations*) <))
|
(let* ((migration-ids (sort (map car *migrations*) <))
|
||||||
|
|||||||
1
src/migrations/6-adding-lldap-app-up.sql
Normal file
1
src/migrations/6-adding-lldap-app-up.sql
Normal file
@@ -0,0 +1 @@
|
|||||||
|
insert into apps(app_name) values('lldap');
|
||||||
1
src/migrations/7-adding-authelia-app-up.sql
Normal file
1
src/migrations/7-adding-authelia-app-up.sql
Normal file
@@ -0,0 +1 @@
|
|||||||
|
insert into apps(app_name) values('authelia');
|
||||||
@@ -947,6 +947,7 @@ chmod -R 777 /opt/keys")))
|
|||||||
(input (@ (type "hidden") (name "sid") (value ,(alist-ref 'sid (current-params) equal?))))
|
(input (@ (type "hidden") (name "sid") (value ,(alist-ref 'sid (current-params) equal?))))
|
||||||
(Button (@ (type "submit")) "Create Account"))))))
|
(Button (@ (type "submit")) "Create Account"))))))
|
||||||
|
|
||||||
|
;; https://app.nassella.org/unsecured/account/create?sid={CHECKOUT_SESSION_ID}
|
||||||
(post "/unsecured/account/create-submit"
|
(post "/unsecured/account/create-submit"
|
||||||
(let ((email (stripe-session-email (alist-ref 'sid (current-params))))
|
(let ((email (stripe-session-email (alist-ref 'sid (current-params))))
|
||||||
(username (alist-ref 'username (current-params))))
|
(username (alist-ref 'username (current-params))))
|
||||||
@@ -1112,6 +1113,8 @@ chmod -R 777 /opt/keys")))
|
|||||||
(else
|
(else
|
||||||
'()))
|
'()))
|
||||||
(Field (@ (name "wordpress") (type "checkbox") (label ("wordpress")) (checked ,(member 'wordpress (alist-ref 'selected-apps results)))))
|
(Field (@ (name "wordpress") (type "checkbox") (label ("wordpress")) (checked ,(member 'wordpress (alist-ref 'selected-apps results)))))
|
||||||
|
(Field (@ (name "lldap") (type "checkbox") (label ("lldap")) (checked ,(member 'lldap (alist-ref 'selected-apps results)))))
|
||||||
|
(Field (@ (name "authelia") (type "checkbox") (label ("authelia")) (checked ,(member 'authelia (alist-ref 'selected-apps results)))))
|
||||||
(Field (@ (name "log-viewer") (type "checkbox") (label ("Log Viewer")) (checked #t) (disabled "disabled"))))
|
(Field (@ (name "log-viewer") (type "checkbox") (label ("Log Viewer")) (checked #t) (disabled "disabled"))))
|
||||||
;; TODO add config for when automatic upgrades are scheduled for?
|
;; TODO add config for when automatic upgrades are scheduled for?
|
||||||
;; TODO add config for server timezone?
|
;; TODO add config for server timezone?
|
||||||
@@ -1131,6 +1134,8 @@ chmod -R 777 /opt/keys")))
|
|||||||
(ghost . ,(or (and (alist-ref 'ghost (current-params)) "6") #f))
|
(ghost . ,(or (and (alist-ref 'ghost (current-params)) "6") #f))
|
||||||
(nassella . ,(or (and (alist-ref 'nassella (current-params)) "b0.0.1") #f))
|
(nassella . ,(or (and (alist-ref 'nassella (current-params)) "b0.0.1") #f))
|
||||||
(wordpress . ,(or (and (alist-ref 'wordpress (current-params)) "8.4") #f))
|
(wordpress . ,(or (and (alist-ref 'wordpress (current-params)) "8.4") #f))
|
||||||
|
(lldap . ,(or (and (alist-ref 'lldap (current-params)) "0.6.3") #f))
|
||||||
|
(authelia . ,(or (and (alist-ref 'authelia (current-params)) "4") #f))
|
||||||
(instance-control . "b0.0.1")
|
(instance-control . "b0.0.1")
|
||||||
(log-viewer . "20"))))
|
(log-viewer . "20"))))
|
||||||
(update-root-domain db
|
(update-root-domain db
|
||||||
@@ -1194,6 +1199,20 @@ chmod -R 777 /opt/keys")))
|
|||||||
(@ (title "Wordpress"))
|
(@ (title "Wordpress"))
|
||||||
(Field (@ (name "wordpress-subdomain") (label ("Subdomain")) (value ,(alist-ref 'subdomain (alist-ref 'wordpress app-config eq? '()) eq? "wordpress"))))))
|
(Field (@ (name "wordpress-subdomain") (label ("Subdomain")) (value ,(alist-ref 'subdomain (alist-ref 'wordpress app-config eq? '()) eq? "wordpress"))))))
|
||||||
'())
|
'())
|
||||||
|
,@(if (member 'lldap selected-apps)
|
||||||
|
`((Fieldset
|
||||||
|
(@ (title "LLDAP"))
|
||||||
|
(Field (@ (name "lldap-subdomain") (label ("Subdomain")) (value ,(alist-ref 'subdomain (alist-ref 'lldap app-config eq? '()) eq? "lldap"))))
|
||||||
|
(Field (@ (name "lldap-user-email") (label ("Admin Email Address")) (type "email")
|
||||||
|
(value ,(alist-ref 'user-email (alist-ref 'lldap app-config eq? '()) eq? ""))))
|
||||||
|
(Field (@ (name "lldap-admin-password") (label ("Admin Password")) (type "password")
|
||||||
|
(value ,(alist-ref 'admin-password (alist-ref 'lldap app-config eq? '()) eq? ""))))))
|
||||||
|
'())
|
||||||
|
,@(if (member 'authelia selected-apps)
|
||||||
|
`((Fieldset
|
||||||
|
(@ (title "Authelia"))
|
||||||
|
(Field (@ (name "authelia-subdomain") (label ("Subdomain")) (value ,(alist-ref 'subdomain (alist-ref 'authelia app-config eq? '()) eq? "authelia"))))))
|
||||||
|
'())
|
||||||
(Fieldset
|
(Fieldset
|
||||||
(@ (title "Log Viewer"))
|
(@ (title "Log Viewer"))
|
||||||
(Field (@ (name "log-viewer-subdomain") (label ("Subdomain"))
|
(Field (@ (name "log-viewer-subdomain") (label ("Subdomain"))
|
||||||
@@ -1202,7 +1221,7 @@ chmod -R 777 /opt/keys")))
|
|||||||
(value ,(alist-ref 'user (alist-ref 'log-viewer app-config eq? '()) eq? ""))))
|
(value ,(alist-ref 'user (alist-ref 'log-viewer app-config eq? '()) eq? ""))))
|
||||||
(Field (@ (name "log-viewer-password") (label ("Password")) (type "password")
|
(Field (@ (name "log-viewer-password") (label ("Password")) (type "password")
|
||||||
(value ,(alist-ref 'password (alist-ref 'log-viewer app-config eq? '()) eq? "")))))
|
(value ,(alist-ref 'password (alist-ref 'log-viewer app-config eq? '()) eq? "")))))
|
||||||
,@(if (or (member 'nextcloud selected-apps) (member 'ghost selected-apps) (member 'nassella selected-apps))
|
,@(if (or (member 'nextcloud selected-apps) (member 'ghost selected-apps) (member 'nassella selected-apps) (member 'authelia selected-apps))
|
||||||
`((Fieldset
|
`((Fieldset
|
||||||
(@ (title "All Apps - Email - SMTP"))
|
(@ (title "All Apps - Email - SMTP"))
|
||||||
(Field (@ (name "smtp-host") (label ("Host"))
|
(Field (@ (name "smtp-host") (label ("Host"))
|
||||||
@@ -1276,6 +1295,31 @@ chmod -R 777 /opt/keys")))
|
|||||||
(db-root-password . ,(or (alist-ref 'db-root-password
|
(db-root-password . ,(or (alist-ref 'db-root-password
|
||||||
(alist-ref 'wordpress config eq? '()))
|
(alist-ref 'wordpress config eq? '()))
|
||||||
(generate-postgres-password)))))
|
(generate-postgres-password)))))
|
||||||
|
(lldap . ((subdomain . ,(alist-ref 'lldap-subdomain (current-params)))
|
||||||
|
(db-password . ,(or (alist-ref 'db-password
|
||||||
|
(alist-ref 'lldap config eq? '()))
|
||||||
|
(generate-postgres-password)))
|
||||||
|
(jwt-secret . ,(or (alist-ref 'jwt-secret
|
||||||
|
(alist-ref 'lldap config eq? '()))
|
||||||
|
(generate-jwt-secret)))
|
||||||
|
(key-seed . ,(or (alist-ref 'key-seed
|
||||||
|
(alist-ref 'lldap config eq? '()))
|
||||||
|
(generate-key-seed)))
|
||||||
|
(admin-password . ,(alist-ref 'lldap-admin-password (current-params)))
|
||||||
|
(user-email . ,(alist-ref 'lldap-user-email (current-params)))))
|
||||||
|
(authelia . ((subdomain . ,(alist-ref 'authelia-subdomain (current-params)))
|
||||||
|
(db-password . ,(or (alist-ref 'db-password
|
||||||
|
(alist-ref 'authelia config eq? '()))
|
||||||
|
(generate-postgres-password)))
|
||||||
|
(jwt-secret . ,(or (alist-ref 'jwt-secret
|
||||||
|
(alist-ref 'authelia config eq? '()))
|
||||||
|
(generate-jwt-secret)))
|
||||||
|
(session-secret . ,(or (alist-ref 'session-secret
|
||||||
|
(alist-ref 'authelia config eq? '()))
|
||||||
|
(generate-authelia-key-seed)))
|
||||||
|
(encryption-key . ,(or (alist-ref 'encryption-key
|
||||||
|
(alist-ref 'authelia config eq? '()))
|
||||||
|
(generate-authelia-key-seed)))))
|
||||||
(log-viewer . ((subdomain . ,(alist-ref 'log-viewer-subdomain (current-params)))
|
(log-viewer . ((subdomain . ,(alist-ref 'log-viewer-subdomain (current-params)))
|
||||||
(user . ,(alist-ref 'log-viewer-user (current-params)))
|
(user . ,(alist-ref 'log-viewer-user (current-params)))
|
||||||
(password . ,(alist-ref 'log-viewer-password (current-params)))))
|
(password . ,(alist-ref 'log-viewer-password (current-params)))))
|
||||||
@@ -1406,7 +1450,6 @@ chmod -R 777 /opt/keys")))
|
|||||||
(VStack
|
(VStack
|
||||||
(Form-Nav (@ (back-to ,(conc "/config/wizard/machine2/" instance-id)) (submit-button "Launch")))))))))
|
(Form-Nav (@ (back-to ,(conc "/config/wizard/machine2/" instance-id)) (submit-button "Launch")))))))))
|
||||||
|
|
||||||
;; TODO should this perform a backup and then run the systemctl stop app command first?
|
|
||||||
(post "/config/wizard/review-submit/:id"
|
(post "/config/wizard/review-submit/:id"
|
||||||
(let* ((instance-id (alist-ref "id" (current-params) equal?))
|
(let* ((instance-id (alist-ref "id" (current-params) equal?))
|
||||||
(status (string->symbol
|
(status (string->symbol
|
||||||
@@ -1479,6 +1522,19 @@ chmod -R 777 /opt/keys")))
|
|||||||
("NASSELLA_AUTHELIA_KEY_SEED" . ,(alist-ref 'authelia-key-seed (alist-ref 'nassella config)))
|
("NASSELLA_AUTHELIA_KEY_SEED" . ,(alist-ref 'authelia-key-seed (alist-ref 'nassella config)))
|
||||||
("WORDPRESS_DB_PASSWORD" . ,(alist-ref 'db-password (alist-ref 'wordpress config)))
|
("WORDPRESS_DB_PASSWORD" . ,(alist-ref 'db-password (alist-ref 'wordpress config)))
|
||||||
("WORDPRESS_DB_ROOT_PASSWORD" . ,(alist-ref 'db-root-password (alist-ref 'wordpress config)))
|
("WORDPRESS_DB_ROOT_PASSWORD" . ,(alist-ref 'db-root-password (alist-ref 'wordpress config)))
|
||||||
|
("LLDAP_POSTGRES_DB" . "lldap")
|
||||||
|
("LLDAP_POSTGRES_USER" . "lldap")
|
||||||
|
("LLDAP_POSTGRES_PASSWORD" . ,(alist-ref 'db-password (alist-ref 'lldap config)))
|
||||||
|
("LLDAP_JWT_SECRET" . ,(alist-ref 'jwt-secret (alist-ref 'lldap config)))
|
||||||
|
("LLDAP_KEY_SEED" . ,(alist-ref 'key-seed (alist-ref 'lldap config)))
|
||||||
|
("LLDAP_ADMIN_PASSWORD" . ,(alist-ref 'admin-password (alist-ref 'lldap config)))
|
||||||
|
("LLDAP_USER_EMAIL" . ,(alist-ref 'user-email (alist-ref 'lldap config)))
|
||||||
|
("AUTHELIA_POSTGRES_DB" . "authelia")
|
||||||
|
("AUTHELIA_POSTGRES_USER" . "authelia")
|
||||||
|
("AUTHELIA_POSTGRES_PASSWORD" . ,(alist-ref 'db-password (alist-ref 'authelia config)))
|
||||||
|
("AUTHELIA_JWT_SECRET" . ,(alist-ref 'jwt-secret (alist-ref 'authelia config)))
|
||||||
|
("AUTHELIA_SESSION_SECRET" . ,(alist-ref 'session-secret (alist-ref 'authelia config)))
|
||||||
|
("AUTHELIA_ENCRYPTION_KEY" . ,(alist-ref 'encryption-key (alist-ref 'authelia config)))
|
||||||
("SMTP_HOST" . ,(alist-ref 'smtp-host (alist-ref 'all-apps config)))
|
("SMTP_HOST" . ,(alist-ref 'smtp-host (alist-ref 'all-apps config)))
|
||||||
("SMTP_PORT" . ,(alist-ref 'smtp-port (alist-ref 'all-apps config)))
|
("SMTP_PORT" . ,(alist-ref 'smtp-port (alist-ref 'all-apps config)))
|
||||||
("SMTP_AUTH_USER" . ,(alist-ref 'smtp-auth-user (alist-ref 'all-apps config)))
|
("SMTP_AUTH_USER" . ,(alist-ref 'smtp-auth-user (alist-ref 'all-apps config)))
|
||||||
@@ -1518,6 +1574,7 @@ chmod -R 777 /opt/keys")))
|
|||||||
(with-db/transaction
|
(with-db/transaction
|
||||||
(lambda (db)
|
(lambda (db)
|
||||||
(update-deployment-progress db deployment-id '((instance-backup . in-progress)))))
|
(update-deployment-progress db deployment-id '((instance-backup . in-progress)))))
|
||||||
|
;; ;; TODO does this handle new deployments? We should not do a back up if this is new!
|
||||||
;; (handle-exceptions
|
;; (handle-exceptions
|
||||||
;; exn
|
;; exn
|
||||||
;; (with-db/transaction
|
;; (with-db/transaction
|
||||||
|
|||||||
Reference in New Issue
Block a user