replace nforwardauth with authelia (#231)

Reviewed-on: #231
Co-authored-by: Michael Grote <michael.grote@posteo.de>
Co-committed-by: Michael Grote <michael.grote@posteo.de>

docker-compose/traefik/configuration.yml.j2

@@ -0,0 +1,80 @@
+---
+# geklaut von: https://ruanbekker.hashnode.dev/sso-with-authelia-using-traefik-on-docker + https://www.reddit.com/r/selfhosted/comments/158quyz/authelia_ldap_groups/
+
+server.address: "0.0.0.0:9091"
+
+log:
+  level: debug
+
+identity_validation:
+  reset_password:
+    jwt_secret: {{ lookup('viczem.keepass.keepass', 'authelia_jwt_secret', 'password') }}
+totp:
+  issuer: totp.mgrote.net
+
+access_control:
+  default_policy: deny
+  rules:
+    - domain: wiki.mgrote.net
+      policy: one_factor
+      subject:
+        - 'group:authelia_wiki'
+
+session:
+  name: authelia_session
+  secret: {{ lookup('viczem.keepass.keepass', 'authelia_session_secret', 'password') }}
+  expiration: 3600
+  inactivity: 300
+  cookies:
+    - name: mgrote.net
+      domain: mgrote.net
+      authelia_url: https://auth.mgrote.net
+
+  redis:
+    host: authelia-redis
+    port: 6379
+
+regulation:
+  max_retries: 3
+  find_time: 120
+  ban_time: 300
+
+storage:
+  encryption_key: {{ lookup('viczem.keepass.keepass', 'authelia_storage_encryption_key', 'password') }}
+  mysql:
+    database: authelia
+    address: 'tcp://authelia-db:3306'
+    username: authelia
+    password: {{ lookup('viczem.keepass.keepass', 'authelia_mysql_password', 'password') }}
+
+notifier:
+  smtp:
+    address: postfix:25
+    sender: no-reply-authelia@mgrote.net
+    disable_require_tls: true
+
+# ldap
+# https://github.com/lldap/lldap/blob/main/example_configs/authelia_config.yml
+authentication_backend:
+  password_reset:
+    disable: true
+  refresh_interval: 1m
+  ldap:
+    implementation: custom
+    address: ldap://ldap.mgrote.net:3890
+    timeout: 5s
+    start_tls: false
+    base_dn: dc=mgrote,dc=net
+    additional_users_dn: ou=people
+    users_filter: "(&({username_attribute}={input})(objectClass=person))"
+    additional_groups_dn: ou=groups
+    groups_filter: "(&(member={dn})(objectclass=groupOfUniqueNames))"
+    attributes:
+      display_name: displayName
+      username: uid
+      group_name: cn
+      mail: mail
+    user: uid=authelia_bind_user,ou=people,dc=mgrote,dc=net
+    password: '{{ lookup('viczem.keepass.keepass', 'lldap_authelia_bind_user', 'password') }}'
+
+# Details/Doku: https://wiki.mgrote.net/pages/_Technik/hardware/rest/fpv/software/rest/ldap/

docker-compose/traefik/docker-compose.yml.j2

@@ -1,3 +1,5 @@
+# Details/Doku: https://wiki.mgrote.net/pages/_Technik/hardware/rest/fpv/software/rest/ldap/
+
 services:
 ######## traefik ########
   traefik:
@@ -25,43 +27,90 @@ services:
       timeout: 10s
       retries: 3
 
-######## nforwardauth ########
+######## authelia ########
-  nforwardauth:
+  authelia:
+    image: authelia/authelia:4.38.17
+    container_name: authelia
     restart: unless-stopped
     pull_policy: missing
-    image: "nosduco/nforwardauth:v1.4.0"
-    container_name: traefik-nforwardauth
     environment:
-      TOKEN_SECRET: "{{ lookup('viczem.keepass.keepass', 'nforwardauth_token_secret', 'password') }}"
+      TZ: Europe/Berlin
-      AUTH_HOST: auth.mgrote.net
+    volumes:
+      - ./configuration.yml:/config/configuration.yml
+      - ./users_database.yml:/config/users_database.yml
+      - authelia_data:/data
     labels:
       traefik.enable: true
-      traefik.http.routers.nforwardauth.rule: Host(`auth.mgrote.net`)
+      traefik.http.routers.authelia.rule: Host(`auth.mgrote.net`)
-
+      traefik.http.services.authelia.loadbalancer.server.port: 9091
-      traefik.http.middlewares.nforwardauth.forwardauth.address: http://nforwardauth:3000
+      traefik.http.routers.authelia.tls: true
-
+      traefik.http.routers.authelia.tls.certresolver: resolver_letsencrypt
-      traefik.http.services.nforwardauth.loadbalancer.server.port: 3000
+      traefik.http.routers.authelia.entrypoints: entry_https
-      traefik.http.routers.nforwardauth.tls: true
+      traefik.http.middlewares.authelia.forwardauth.address: http://authelia:9091/api/verify?rd=https://auth.mgrote.net
-      traefik.http.routers.nforwardauth.tls.certresolver: resolver_letsencrypt
+      traefik.http.middlewares.authelia.forwardauth.trustForwardHeader: true
-      traefik.http.routers.nforwardauth.entrypoints: entry_https
+      traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: Remote-User,Remote-Groups,Remote-Name,Remote-Email
-    volumes:
+    depends_on:
-      - "./passwd:/passwd:ro" # Mount local passwd file at /passwd as read only
+      - authelia-redis
     networks:
       - traefik
+      - postfix
+      - authelia
     healthcheck:
-      test: ["CMD", "wget", "--quiet", "--spider", "--tries=1", "http://127.0.0.1:3000/login"]
+      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://authelia:9091"]
-      interval: 10s
+      interval: 30s
-      timeout: 5s
+      timeout: 10s
       retries: 3
 
+  authelia-redis:
+    image: "redis:7.4.1"
+    container_name: authelia-redis
+    restart: unless-stopped
+    pull_policy: missing
+    environment:
+      TZ: Europe/Berlin
+    networks:
+      - authelia
+    healthcheck:
+      test: ["CMD", "redis-cli", "--no-auth-warning", "ping"]
+      interval: 5s
+      timeout: 2s
+      retries: 3
+
+######## Datenbank ########
+  authelia-db:
+    image: "mariadb:11.5.2"
+    container_name: authelia-db
+    command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF
+    restart: unless-stopped
+    pull_policy: missing
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /etc/timezone:/etc/timezone:ro
+      - db:/var/lib/mysql
+    environment:
+      MYSQL_ROOT_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'authelia_mysql_root_password', 'password') }}"
+      MYSQL_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'authelia_mysql_password', 'password') }}"
+      MYSQL_DATABASE: authelia
+      MYSQL_USER: authelia
+      MYSQL_INITDB_SKIP_TZINFO: 1
+    networks:
+      - authelia
+    healthcheck:
+      test: ["CMD", "mariadb-show", "authelia", "-h", "localhost", "-u", "authelia", "-p{{ lookup('viczem.keepass.keepass', 'authelia_mysql_password', 'password') }}"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+
 ######## Networks ########
 networks:
+  authelia:
   traefik:
     external: true
+  postfix:
+    external: true
 ######## Volumes ########
 volumes:
   acme_data:
-
+  authelia_data:
-
+  db:
-# passwd
-# echo "<user>:$(mkpasswd -m sha-512 <password>)"

docker-compose/traefik/passwd.j2

@@ -1 +0,0 @@
-{{ lookup('viczem.keepass.keepass', 'nforwardauth-mg-hash', 'password') }}

docker-compose/traefik/traefik.yml

@@ -40,9 +40,3 @@ api:
   dashboard: true # unter Port 8081 erreichbar
 
 ping: {} # für healthcheck
-
-#experimental:
-#  plugins:
-#    ldapAuth:
-#      moduleName: "github.com/wiltonsr/ldapAuth"
-#      version: "v0.1.4"

docker-compose/wiki/docker-compose.yml.j2

@@ -26,7 +26,7 @@ services:
       traefik.http.routers.wiki.entrypoints: entry_https
       traefik.http.services.wiki.loadbalancer.server.port: 80
 
-      traefik.http.routers.wiki.middlewares: nforwardauth
+      traefik.http.routers.wiki.middlewares: authelia
 
 ######## Networks ########
 networks:

group_vars/munin.yml

@@ -104,7 +104,7 @@ munin_node_plugins:
     src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/http/http_response
     config: |
       [http_response]
-      env.sites https://git.mgrote.net http://ldap.mgrote.net:17170 https://docker10.mgrote.net:8443 https://registry.mgrote.net/ui/ http://munin.mgrote.net http://192.168.5.1 http://192.168.3.1 http://192.168.3.108:8080 http://192.168.3.204 http://docker10.mgrote.net:6483 https://miniflux.mgrote.net/ https://nextcloud.mgrote.net https://audio.mgrote.net/mg http://wiki.mgrote.net https://s3.mgrote.net
+      env.sites https://git.mgrote.net http://ldap.mgrote.net:17170 https://docker10.mgrote.net:8443 https://registry.mgrote.net/ui/ http://munin.mgrote.net http://192.168.5.1 http://192.168.3.1 http://192.168.3.108:8080 http://192.168.3.204 http://docker10.mgrote.net:6483 https://miniflux.mgrote.net/ https://nextcloud.mgrote.net https://audio.mgrote.net/mg http://wiki.mgrote.net https://s3.mgrote.net https://auth.mgrote.net
       env.max_time 20
       env.short_label true
       env.follow_redirect true