Working nassella deployment.

all-apps/nassella/authelia-config/configuration.yml.tmpl

@@ -0,0 +1,119 @@
+---
+###############################################################
+#                   Authelia configuration                    #
+###############################################################
+
+server:
+  address: 'tcp://:9091/authelia'
+  endpoints:
+    authz:
+      forward-auth:
+        implementation: 'ForwardAuth'
+
+log:
+  level: 'debug'
+
+totp:
+  issuer: 'authelia.com'
+
+identity_validation:
+  reset_password:
+    jwt_secret: '$NASSELLA_AUTHELIA_JWT_SECRET'
+
+# lldap service account user should instead
+# use an account with lldap_password_manager group
+# since that can't be used to change an admin password
+authentication_backend:
+  ldap:
+    address: 'ldap://nassella_lldap:3890'
+    implementation: 'lldap'
+    timeout: '5s'
+    pooling:
+      enable: false
+      count: 5
+      retries: 2
+      timeout: '10 seconds'
+    base_dn: 'DC=nassella,DC=org'
+#    additional_users_dn: 'OU=users'
+#    additional_groups_dn: 'OU=groups'
+#    group_search_mode: 'filter'
+#    permit_referrals: false
+    permit_unauthenticated_bind: false
+    permit_feature_detection_failure: false
+    user: 'uid=admin,ou=people,dc=nassella,dc=org'
+    password: '$NASSELLA_LLDAP_ADMIN_PASSWORD'
+    # attributes:
+    #   distinguished_name: 'distinguishedName'
+    #   username: 'uid'
+    #   display_name: 'displayName'
+    #   family_name: 'sn'
+    #   given_name: 'givenName'
+    #   middle_name: 'middleName'
+    #   nickname: ''
+    #   gender: ''
+    #   birthdate: ''
+    #   website: 'wWWHomePage'
+    #   profile: ''
+    #   picture: ''
+    #   zoneinfo: ''
+    #   locale: ''
+    #   phone_number: 'telephoneNumber'
+    #   phone_extension: ''
+    #   street_address: 'streetAddress'
+    #   locality: 'l'
+    #   region: 'st'
+    #   postal_code: 'postalCode'
+    #   country: 'c'
+    #   mail: 'mail'
+    #   member_of: 'memberOf'
+    #   group_name: 'cn'
+    #   extra:
+    #     extra_example:
+    #       name: ''
+    #       multi_valued: false
+    #       value_type: 'string'
+
+access_control:
+  default_policy: 'deny'
+  rules:
+    # - domain: 'public.x.localhost'
+    #   policy: 'bypass'
+    # - domain: 'app.nassella.org'
+    #   policy: 'one_factor'
+    - domain: '$NASSELLA_FULL_DOMAIN'
+      policy: 'two_factor'
+
+session:
+  secret: 'insecure_session_secret'
+
+  cookies:
+    - name: 'authelia_session'
+      domain: '$NASSELLA_FULL_DOMAIN'  # Should match whatever your root protected domain is
+      authelia_url: 'https://$NASSELLA_FULL_DOMAIN/authelia'
+      expiration: '1 hour'  # 1 hour
+      inactivity: '5 minutes'  # 5 minutes
+      default_redirection_url: 'https://$NASSELLA_FULL_DOMAIN/dashboard'
+
+regulation:
+  max_retries: 3
+  find_time: '2 minutes'
+  ban_time: '5 minutes'
+
+storage:
+  encryption_key: '$NASSELLA_AUTHELIA_KEY_SEED'
+  postgres:
+    address: 'tcp://nassella_authelia_db:5432'
+    servers: []
+    database: 'authelia'
+    schema: 'public'
+    username: 'authelia'
+    password: '$NASSELLA_AUTHELIA_POSTGRES_PASSWORD'
+    timeout: '5s'
+
+notifier:
+  smtp:
+    address: 'submission://$SMTP_HOST:$SMTP_PORT'
+    username: '$SMTP_AUTH_USER'
+    password: '$SMTP_AUTH_PASSWORD'
+    sender: '$SMTP_FROM'
+...

all-apps/nassella/authelia_postgres_db

@@ -0,0 +1 @@
+authelia

all-apps/nassella/authelia_postgres_user

@@ -0,0 +1 @@
+authelia

all-apps/nassella/docker-compose.yaml

@@ -7,8 +7,100 @@ secrets:
     file: ./nassella/postgres_password
   nassella_postgres_user:
     file: ./nassella/postgres_user
+  nassella_lldap_postgres_db:
+    file: ./nassella/lldap_postgres_db
+  nassella_lldap_postgres_password:
+    file: ./nassella/lldap_postgres_password
+  nassella_lldap_postgres_user:
+    file: ./nassella/lldap_postgres_user
+  nassella_authelia_postgres_db:
+    file: ./nassella/authelia_postgres_db
+  nassella_authelia_postgres_password:
+    file: ./nassella/authelia_postgres_password
+  nassella_authelia_postgres_user:
+    file: ./nassella/authelia_postgres_user
+  nassella_lldap_admin_password:
+    file: ./nassella/lldap_admin_password
 
 services:
+  nassella_lldap_db:
+    image: postgres:17.6-trixie
+    environment:
+      - POSTGRES_DB_FILE=/run/secrets/nassella_lldap_postgres_db
+      - POSTGRES_USER_FILE=/run/secrets/nassella_lldap_postgres_user
+      - POSTGRES_PASSWORD_FILE=/run/secrets/nassella_lldap_postgres_password
+    shm_size: 128mb
+    restart: always
+    volumes:
+      - /nassella/nassella/lldap-var-lib-postgresql-data:/var/lib/postgresql/data
+    networks:
+      - nassella_internal
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d `cat $$POSTGRES_DB_FILE` -U `cat $$POSTGRES_USER_FILE`"]
+      start_period: 15s
+      interval: 30s
+      retries: 3
+      timeout: 5s
+    secrets:
+      - nassella_lldap_postgres_db
+      - nassella_lldap_postgres_password
+      - nassella_lldap_postgres_user
+
+  nassella_lldap:
+    image: lldap/lldap:stable
+    volumes:
+      - ./nassella/lldap-config/:/data
+    networks:
+      - lb
+      - nassella_internal
+    depends_on:
+      nassella_lldap_db:
+        condition: service_healthy
+    secrets:
+      - nassella_lldap_postgres_db
+      - nassella_lldap_postgres_password
+      - nassella_lldap_postgres_user
+
+  nassella_authelia_db:
+    image: postgres:17.6-trixie
+    environment:
+      - POSTGRES_DB_FILE=/run/secrets/nassella_authelia_postgres_db
+      - POSTGRES_USER_FILE=/run/secrets/nassella_authelia_postgres_user
+      - POSTGRES_PASSWORD_FILE=/run/secrets/nassella_authelia_postgres_password
+    shm_size: 128mb
+    restart: always
+    volumes:
+      - /nassella/nassella/authelia-var-lib-postgresql-data:/var/lib/postgresql/data
+    networks:
+      - nassella_internal
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d `cat $$POSTGRES_DB_FILE` -U `cat $$POSTGRES_USER_FILE`"]
+      start_period: 15s
+      interval: 30s
+      retries: 3
+      timeout: 5s
+    secrets:
+      - nassella_authelia_postgres_db
+      - nassella_authelia_postgres_password
+      - nassella_authelia_postgres_user
+
+  nassella_authelia:
+    image: 'authelia/authelia'
+    volumes:
+      - ./nassella/authelia-config/:/config
+    networks:
+      - lb
+      - nassella_internal
+    depends_on:
+      nassella_lldap:
+        condition: service_healthy
+      nassella_authelia_db:
+        condition: service_healthy
+    restart: 'unless-stopped'
+    healthcheck:
+      ## In production the healthcheck section should be commented.
+      disable: true
+
   nassella_db:
     image: postgres:17.6-trixie
     env_file:
@@ -40,6 +132,7 @@ services:
       - nassella_postgres_db
       - nassella_postgres_password
       - nassella_postgres_user
+      - nassella_lldap_admin_password
     networks:
       - lb
       - nassella_internal

all-apps/nassella/lldap-config/lldap_config.toml.tmpl

@@ -0,0 +1,161 @@
+## Default configuration for Docker.
+## All the values can be overridden through environment variables, prefixed
+## with "LLDAP_". For instance, "ldap_port" can be overridden with the
+## "LLDAP_LDAP_PORT" variable.
+
+## Tune the logging to be more verbose by setting this to be true.
+## You can set it with the LLDAP_VERBOSE environment variable.
+# verbose=false
+
+## The host address that the LDAP server will be bound to.
+## To enable IPv6 support, simply switch "ldap_host" to "::":
+## To only allow connections from localhost (if you want to restrict to local self-hosted services),
+## change it to "127.0.0.1" ("::1" in case of IPv6).
+## If LLDAP server is running in docker, set it to "0.0.0.0" ("::" for IPv6) to allow connections
+## originating from outside the container.
+ldap_host = "0.0.0.0"
+
+## The port on which to have the LDAP server.
+#ldap_port = 3890
+
+## The host address that the HTTP server will be bound to.
+## To enable IPv6 support, simply switch "http_host" to "::".
+## To only allow connections from localhost (if you want to restrict to local self-hosted services),
+## change it to "127.0.0.1" ("::1" in case of IPv6).
+## If LLDAP server is running in docker, set it to "0.0.0.0" ("::" for IPv6) to allow connections
+## originating from outside the container.
+http_host = "0.0.0.0"
+
+## The port on which to have the HTTP server, for user login and
+## administration.
+#http_port = 17170
+
+## The public URL of the server, for password reset links.
+http_url = "https://$NASSELLA_FULL_LLDAP_DOMAIN"
+
+## The path to the front-end assets (relative to the working directory).
+#assets_path = "./app"
+
+## Random secret for JWT signature.
+## This secret should be random, and should be shared with application
+## servers that need to consume the JWTs.
+## Changing this secret will invalidate all user sessions and require
+## them to re-login.
+## You should probably set it through the LLDAP_JWT_SECRET environment
+## variable from a secret ".env" file.
+## This can also be set from a file's contents by specifying the file path
+## in the LLDAP_JWT_SECRET_FILE environment variable
+## You can generate it with (on linux):
+## LC_ALL=C tr -dc 'A-Za-z0-9!#%&'\''()*+,-./:;<=>?@[\]^_{|}~' </dev/urandom | head -c 32; echo ''
+jwt_secret = "$NASSELLA_LLDAP_JWT_SECRET"
+
+## Base DN for LDAP.
+## This is usually your domain name, and is used as a
+## namespace for your users. The choice is arbitrary, but will be needed
+## to configure the LDAP integration with other services.
+## The sample value is for "example.com", but you can extend it with as
+## many "dc" as you want, and you don't actually need to own the domain
+## name.
+ldap_base_dn = "dc=nassella,dc=org"
+
+## Admin username.
+## For the LDAP interface, a value of "admin" here will create the LDAP
+## user "cn=admin,ou=people,dc=example,dc=com" (with the base DN above).
+## For the administration interface, this is the username.
+#ldap_user_dn = "admin"
+
+## Admin email.
+## Email for the admin account. It is only used when initially creating
+## the admin user, and can safely be omitted.
+#ldap_user_email = "admin@example.com"
+
+## Admin password.
+## Password for the admin account, both for the LDAP bind and for the
+## administration interface. It is only used when initially creating
+## the admin user.
+## It should be minimum 8 characters long.
+## You can set it with the LLDAP_LDAP_USER_PASS environment variable.
+## This can also be set from a file's contents by specifying the file path
+## in the LLDAP_LDAP_USER_PASS_FILE environment variable
+## Note: you can create another admin user for user administration, this
+## is just the default one.
+ldap_user_pass = "$NASSELLA_LLDAP_ADMIN_PASSWORD"
+
+## Force reset of the admin password.
+## Break glass in case of emergency: if you lost the admin password, you
+## can set this to true to force a reset of the admin password to the value
+## of ldap_user_pass above.
+## Alternatively, you can set it to "always" to reset every time the server starts.
+# force_ldap_user_pass_reset = false
+
+## Database URL.
+## This encodes the type of database (SQlite, MySQL, or PostgreSQL)
+## , the path, the user, password, and sometimes the mode (when
+## relevant).
+## Note: SQlite should come with "?mode=rwc" to create the DB
+## if not present.
+## Example URLs:
+##  - "postgres://postgres-user:password@postgres-server/my-database"
+##  - "mysql://mysql-user:password@mysql-server/my-database"
+##
+## This can be overridden with the LLDAP_DATABASE_URL env variable.
+database_url = "postgres://lldap:$NASSELLA_LLDAP_POSTGRES_PASSWORD@nassella_lldap_db/lldap"
+
+## Private key file.
+## Not recommended, use key_seed instead.
+## Contains the secret private key used to store the passwords safely.
+## Note that even with a database dump and the private key, an attacker
+## would still have to perform an (expensive) brute force attack to find
+## each password.
+## Randomly generated on first run if it doesn't exist.
+## Env variable: LLDAP_KEY_FILE
+#key_file = "/data/private_key"
+
+## Seed to generate the server private key, see key_file above.
+## This can be any random string, the recommendation is that it's at least 12
+## characters long.
+## Env variable: LLDAP_KEY_SEED
+key_seed = "$NASSELLA_LLDAP_KEY_SEED"
+
+## Ignored attributes.
+## Some services will request attributes that are not present in LLDAP. When it
+## is the case, LLDAP will warn about the attribute being unknown. If you want
+## to ignore the attribute and the service works without, you can add it to this
+## list to silence the warning.
+#ignored_user_attributes = [ "sAMAccountName" ]
+#ignored_group_attributes = [ "mail", "userPrincipalName" ]
+
+## Options to configure SMTP parameters, to send password reset emails.
+## To set these options from environment variables, use the following format
+## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD
+[smtp_options]
+## Whether to enabled password reset via email, from LLDAP.
+enable_password_reset=true
+## The SMTP server.
+server="$SMTP_HOST"
+## The SMTP port.
+port=$SMTP_PORT
+## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS".
+smtp_encryption = "TLS"
+## The SMTP user, usually your email address.
+user="$SMTP_AUTH_USER"
+## The SMTP password.
+password="$SMTP_AUTH_PASSSWORD"
+## The header field, optional: how the sender appears in the email. The first
+## is a free-form name, followed by an email between <>.
+from="$SMTP_FROM"
+## Same for reply-to, optional.
+#reply_to="Do not reply <noreply@localhost>"
+
+## Options to configure LDAPS.
+## To set these options from environment variables, use the following format
+## (example with "port"): LLDAP_LDAPS_OPTIONS__PORT
+[ldaps_options]
+## Whether to enable LDAPS.
+#enabled=true
+## Port on which to listen.
+#port=6360
+## Certificate file.
+#cert_file="/data/cert.pem"
+## Certificate key file.
+#key_file="/data/key.pem"

all-apps/nassella/lldap_postgres_db

@@ -0,0 +1 @@
+lldap

all-apps/nassella/lldap_postgres_user

@@ -0,0 +1 @@
+lldap