ldap

docker-compose/traefik/configuration.yml

@@ -1,55 +0,0 @@
----
-server.address: "0.0.0.0:9091"
-
-log:
-  level: debug
-
-identity_validation:
-  reset_password:
-    jwt_secret: c50498e29383564cd50bdeda9b74a3bf
-
-totp:
-  issuer: totp.mgrote.net
-
-authentication_backend:
-  file:
-    path: /config/users_database.yml
-
-access_control:
-  default_policy: deny
-  rules:
-    - domain: wiki.mgrote.net
-      policy: one_factor
-
-session:
-  name: authelia_session
-  secret: unsecure_session_secret
-  expiration: 3600                     # 1 hour
-  inactivity: 300                      # 5 minutes
-  domain: mgrote.net                   # Should match whatever your root protected domain is
-
-  redis:
-    host: authelia-redis
-    port: 6379
-
-regulation:
-  max_retries: 3
-  find_time: 120
-  ban_time: 300
-
-storage:
-  encryption_key: f30ebde68b2c85c1b3fe2d16d9884190
-  local:
-    path: /data/db.sqlite3
-    # db auf mariadb ändern
-
-notifier:
-  smtp:
-    address: postfix:25
-    sender: no-reply-authelia@mgrote.net
-    disable_require_tls: true
-
-#mg@docker10 /docker/wiki
-#> docker run --rm -it authelia/authelia:4 authelia crypto hash generate
-#Digest: $argon2id$v=19$m=65536,t=3,p=4$QFNGrAPRPposUASpU2l4hw$pNthSP2DS1r2QoGT0k3QpU28vbsty6dNemTI+hJhPec
-# == hallowelt

docker-compose/traefik/configuration.yml.j2

@@ -0,0 +1,78 @@
+---
+server.address: "0.0.0.0:9091"
+
+log:
+  level: debug
+
+identity_validation:
+  reset_password:
+    jwt_secret: c50498e29383564cd50bdeda9b74a3bf
+
+totp:
+  issuer: totp.mgrote.net
+
+access_control:
+  default_policy: deny
+  rules:
+    - domain: wiki.mgrote.net
+      policy: one_factor
+
+session:
+  name: authelia_session
+  secret: unsecure_session_secret
+  expiration: 3600                     # 1 hour
+  inactivity: 300                      # 5 minutes
+  domain: mgrote.net                   # Should match whatever your root protected domain is
+
+  redis:
+    host: authelia-redis
+    port: 6379
+
+regulation:
+  max_retries: 3
+  find_time: 120
+  ban_time: 300
+
+storage:
+  encryption_key: f30ebde68b2c85c1b3fe2d16d9884190 # verschlüsseln
+  local:
+    path: /data/db.sqlite3
+    # db auf mariadb ändern
+
+notifier:
+  smtp:
+    address: postfix:25
+    sender: no-reply-authelia@mgrote.net
+    disable_require_tls: true
+
+#mg@docker10 /docker/wiki
+#> docker run --rm -it authelia/authelia:4 authelia crypto hash generate
+#Digest: $argon2id$v=19$m=65536,t=3,p=4$QFNGrAPRPposUASpU2l4hw$pNthSP2DS1r2QoGT0k3QpU28vbsty6dNemTI+hJhPec
+# == hallowelt
+
+# ldap
+# https://github.com/lldap/lldap/blob/main/example_configs/authelia_config.yml
+authentication_backend:
+  password_reset:
+    disable: false
+  refresh_interval: 1m
+  ldap:
+    implementation: custom
+    address: ldap://lldap.mgrote.net:3890
+    timeout: 5s
+    start_tls: false
+    base_dn: dc=mgrote,dc=net
+    additional_users_dn: ou=people
+    users_filter: "(&({username_attribute}={input})(objectClass=person))"
+    additional_groups_dn: ou=groups
+    groups_filter: "(member={dn})"
+    attributes:
+      display_name: displayName
+      username: uid
+      group_name: cn
+      mail: mail
+    # The username and password of the bind user.
+    # "bind_user" should be the username you created for authentication with the "lldap_strict_readonly" permission. It is not recommended to use an actual admin account here.
+    # If you are configuring Authelia to change user passwords, then the account used here needs the "lldap_password_manager" permission instead.
+    user: uid=authelia_bind_user,ou=people,dc=mgrote,dc=net
+    password: '{{ lookup('viczem.keepass.keepass', 'lldap_authelia_bind_user', 'password') }}'

docker-compose/traefik/users_database.yml

@@ -1,8 +0,0 @@
----
-users:
-  authelia:
-    displayname: "mg"
-    password: "$argon2id$v=19$m=65536,t=3,p=4$QFNGrAPRPposUASpU2l4hw$pNthSP2DS1r2QoGT0k3QpU28vbsty6dNemTI+hJhPec"
-    email: michael.grote@posteo.de
-    groups:
-      - admins