mg/homeserver
1
0
Fork 0
Code Issues 1 Pull requests 3 Activity Actions

replace nforwardauth with authelia (#231)
All checks were successful
ansible-lint / gitleaks (push) Successful in 4s
Details
ansible-lint / Ansible Lint (push) Successful in 38s
Details

Browse source 
Reviewed-on: #231
Co-authored-by: Michael Grote <michael.grote@posteo.de>
Co-committed-by: Michael Grote <michael.grote@posteo.de>
This commit is contained in:
Michael Grote 2024-11-10 12:53:45 +01:00 committed by Michael Grote
parent eeadb455cb
commit 866952eb51
7 changed files with 154 additions and 32 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

80
docker-compose/traefik/configuration.yml.j2 Normal file
View file

@ -0,0 +1,80 @@
---
# geklaut von: https://ruanbekker.hashnode.dev/sso-with-authelia-using-traefik-on-docker + https://www.reddit.com/r/selfhosted/comments/158quyz/authelia_ldap_groups/
server.address: "0.0.0.0:9091"
log:
level: debug
identity_validation:
reset_password:
jwt_secret: {{ lookup('viczem.keepass.keepass', 'authelia_jwt_secret', 'password') }}
totp:
issuer: totp.mgrote.net
access_control:
default_policy: deny
rules:
- domain: wiki.mgrote.net
policy: one_factor
subject:
- 'group:authelia_wiki'
session:
name: authelia_session
secret: {{ lookup('viczem.keepass.keepass', 'authelia_session_secret', 'password') }}
expiration: 3600
inactivity: 300
cookies:
- name: mgrote.net
domain: mgrote.net
authelia_url: https://auth.mgrote.net
redis:
host: authelia-redis
port: 6379
regulation:
max_retries: 3
find_time: 120
ban_time: 300
storage:
encryption_key: {{ lookup('viczem.keepass.keepass', 'authelia_storage_encryption_key', 'password') }}
mysql:
database: authelia
address: 'tcp://authelia-db:3306'
username: authelia
password: {{ lookup('viczem.keepass.keepass', 'authelia_mysql_password', 'password') }}
notifier:
smtp:
address: postfix:25
sender: no-reply-authelia@mgrote.net
disable_require_tls: true
# ldap
# https://github.com/lldap/lldap/blob/main/example_configs/authelia_config.yml
authentication_backend:
password_reset:
disable: true
refresh_interval: 1m
ldap:
implementation: custom
address: ldap://ldap.mgrote.net:3890
timeout: 5s
start_tls: false
base_dn: dc=mgrote,dc=net
additional_users_dn: ou=people
users_filter: "(&({username_attribute}={input})(objectClass=person))"
additional_groups_dn: ou=groups
groups_filter: "(&(member={dn})(objectclass=groupOfUniqueNames))"
attributes:
display_name: displayName
username: uid
group_name: cn
mail: mail
user: uid=authelia_bind_user,ou=people,dc=mgrote,dc=net
password: '{{ lookup('viczem.keepass.keepass', 'lldap_authelia_bind_user', 'password') }}'
# Details/Doku: https://wiki.mgrote.net/pages/_Technik/hardware/rest/fpv/software/rest/ldap/

95
docker-compose/traefik/docker-compose.yml.j2
View file

@ -1,3 +1,5 @@
# Details/Doku: https://wiki.mgrote.net/pages/_Technik/hardware/rest/fpv/software/rest/ldap/
services:
######## traefik ########
traefik:
@ -25,43 +27,90 @@ services:
timeout: 10s
retries: 3
######## nforwardauth ########
nforwardauth:
######## authelia ########
authelia:
image: authelia/authelia:4.38.17
container_name: authelia
restart: unless-stopped
pull_policy: missing
image: "nosduco/nforwardauth:v1.4.0"
container_name: traefik-nforwardauth
environment:
TOKEN_SECRET: "{{ lookup('viczem.keepass.keepass', 'nforwardauth_token_secret', 'password') }}"
AUTH_HOST: auth.mgrote.net
TZ: Europe/Berlin
volumes:
- ./configuration.yml:/config/configuration.yml
- ./users_database.yml:/config/users_database.yml
- authelia_data:/data
labels:
traefik.enable: true
traefik.http.routers.nforwardauth.rule: Host(`auth.mgrote.net`)
traefik.http.middlewares.nforwardauth.forwardauth.address: http://nforwardauth:3000
traefik.http.services.nforwardauth.loadbalancer.server.port: 3000
traefik.http.routers.nforwardauth.tls: true
traefik.http.routers.nforwardauth.tls.certresolver: resolver_letsencrypt
traefik.http.routers.nforwardauth.entrypoints: entry_https
volumes:
- "./passwd:/passwd:ro" # Mount local passwd file at /passwd as read only
traefik.http.routers.authelia.rule: Host(`auth.mgrote.net`)
traefik.http.services.authelia.loadbalancer.server.port: 9091
traefik.http.routers.authelia.tls: true
traefik.http.routers.authelia.tls.certresolver: resolver_letsencrypt
traefik.http.routers.authelia.entrypoints: entry_https
traefik.http.middlewares.authelia.forwardauth.address: http://authelia:9091/api/verify?rd=https://auth.mgrote.net
traefik.http.middlewares.authelia.forwardauth.trustForwardHeader: true
traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: Remote-User,Remote-Groups,Remote-Name,Remote-Email
depends_on:
- authelia-redis
networks:
- traefik
- postfix
- authelia
healthcheck:
test: ["CMD", "wget", "--quiet", "--spider", "--tries=1", "http://127.0.0.1:3000/login"]
interval: 10s
timeout: 5s
test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://authelia:9091"]
interval: 30s
timeout: 10s
retries: 3
authelia-redis:
image: "redis:7.4.1"
container_name: authelia-redis
restart: unless-stopped
pull_policy: missing
environment:
TZ: Europe/Berlin
networks:
- authelia
healthcheck:
test: ["CMD", "redis-cli", "--no-auth-warning", "ping"]
interval: 5s
timeout: 2s
retries: 3
######## Datenbank ########
authelia-db:
image: "mariadb:11.5.2"
container_name: authelia-db
command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF
restart: unless-stopped
pull_policy: missing
volumes:
- /etc/localtime:/etc/localtime:ro
- /etc/timezone:/etc/timezone:ro
- db:/var/lib/mysql
environment:
MYSQL_ROOT_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'authelia_mysql_root_password', 'password') }}"
MYSQL_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'authelia_mysql_password', 'password') }}"
MYSQL_DATABASE: authelia
MYSQL_USER: authelia
MYSQL_INITDB_SKIP_TZINFO: 1
networks:
- authelia
healthcheck:
test: ["CMD", "mariadb-show", "authelia", "-h", "localhost", "-u", "authelia", "-p{{ lookup('viczem.keepass.keepass', 'authelia_mysql_password', 'password') }}"]
interval: 30s
timeout: 10s
retries: 3
######## Networks ########
networks:
authelia:
traefik:
external: true
postfix:
external: true
######## Volumes ########
volumes:
acme_data:
# passwd
# echo "<user>:$(mkpasswd -m sha-512 <password>)"
authelia_data:
db:

1
docker-compose/traefik/passwd.j2
View file

@ -1 +0,0 @@
{{ lookup('viczem.keepass.keepass', 'nforwardauth-mg-hash', 'password') }}

6
docker-compose/traefik/traefik.yml
View file

@ -40,9 +40,3 @@ api:
dashboard: true # unter Port 8081 erreichbar
ping: {} # für healthcheck
#experimental:
# plugins:
# ldapAuth:
# moduleName: "github.com/wiltonsr/ldapAuth"
# version: "v0.1.4"

2
docker-compose/wiki/docker-compose.yml.j2
View file

@ -26,7 +26,7 @@ services:
traefik.http.routers.wiki.entrypoints: entry_https
traefik.http.services.wiki.loadbalancer.server.port: 80
traefik.http.routers.wiki.middlewares: nforwardauth
traefik.http.routers.wiki.middlewares: authelia
######## Networks ########
networks:

2
group_vars/munin.yml
View file

@ -104,7 +104,7 @@ munin_node_plugins:
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/http/http_response
config: |
[http_response]
env.sites https://git.mgrote.net http://ldap.mgrote.net:17170 https://docker10.mgrote.net:8443 https://registry.mgrote.net/ui/ http://munin.mgrote.net http://192.168.5.1 http://192.168.3.1 http://192.168.3.108:8080 http://192.168.3.204 http://docker10.mgrote.net:6483 https://miniflux.mgrote.net/ https://nextcloud.mgrote.net https://audio.mgrote.net/mg http://wiki.mgrote.net https://s3.mgrote.net
env.sites https://git.mgrote.net http://ldap.mgrote.net:17170 https://docker10.mgrote.net:8443 https://registry.mgrote.net/ui/ http://munin.mgrote.net http://192.168.5.1 http://192.168.3.1 http://192.168.3.108:8080 http://192.168.3.204 http://docker10.mgrote.net:6483 https://miniflux.mgrote.net/ https://nextcloud.mgrote.net https://audio.mgrote.net/mg http://wiki.mgrote.net https://s3.mgrote.net https://auth.mgrote.net
env.max_time 20
env.short_label true
env.follow_redirect true

BIN
keepass_db.kdbx
View file

Binary file not shown.