Set up authelia

authentication.docker-compose.yml

@@ -1,97 +1,28 @@
 name: authentication
 
 services:
-  postgresql:
+  authelia:
-    image: postgres:12-alpine
+    image: authelia/authelia
     environment:
-      - POSTGRES_USER=authentik
+      NASCOMPOSE_TRAEFIK_DOMAINS: ${NASCOMPOSE_TRAEFIK_DOMAINS?}
-      - POSTGRES_DB=authentik
+      AUTHELIA_DEFAULT_REDIRECTION_URL: "" #Heimdall
-      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_passwd
+      AUTHELIA_JWT_SECRET_FILE: /run/secret/jwt_secret
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
-      start_period: 20s
-      interval: 30s
-      retries: 5
-      timeout: 5s
-    volumes:
-      - database:/var/lib/postgresql/data
-    secrets:
-      - postgres_passwd
-    restart: unless-stopped
-
-  redis:
-    image: redis:alpine
-    command: --save 60 1 --loglevel warning
-    healthcheck:
-      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
-      start_period: 20s
-      interval: 30s
-      retries: 5
-      timeout: 3s
-    volumes:
-      - redis:/data
-    restart: unless-stopped
-
-  authentik:
-    image: ghcr.io/goauthentik/server:2022.12.2
-    command: server
-    environment:
-      AUTHENTIK_REDIS__HOST: redis
-      AUTHENTIK_POSTGRESQL__HOST: postgresql
-      AUTHENTIK_POSTGRESQL__USER: authentik
-      AUTHENTIK_POSTGRESQL__NAME: authentik
-      AUTHENTIK_POSTGRESQL__PASSWORD: file:///run/secrets/postgres_passwd
-      AUTHENTIK_SECRET_KEY: file:///run/secrets/secret_key
-    expose:
-      - 9000
     networks:
-      - default
       - traefik
-      - macvlan
-    restart: unless-stopped
     volumes:
-      - media:/media
+      - config:/config
-      - custom-templates:/templates
     secrets:
-      - postgres_passwd
+      - jwt_secret
-      - secret_key
     labels:
       traefik.enable: true
 
-  worker:
-    image: ghcr.io/goauthentik/server:2022.12.2
-    command: worker
-    environment:
-      AUTHENTIK_REDIS__HOST: redis
-      AUTHENTIK_POSTGRESQL__HOST: postgresql
-      AUTHENTIK_POSTGRESQL__USER: authentik
-      AUTHENTIK_POSTGRESQL__NAME: authentik
-      AUTHENTIK_POSTGRESQL__PASSWORD: file:///run/secrets/postgres_passwd
-      AUTHENTIK_SECRET_KEY: file:///run/secrets/secret_key
-    volumes:
-      - media:/media
-      - certs:/certs
-      - custom-templates:/templates
-    secrets:
-      - postgres_passwd
-      - secret_key
-    restart: unless-stopped
-
 networks:
-  macvlan:
-    external: true
   traefik:
     external: true
 
 volumes:
-  database:
+  config:
-  redis:
-  media:
-  certs:
-  custom-templates:
 
 secrets:
-  postgres_passwd:
+  jwt_secret:
-    file: ${NASCOMPOSE_SERVICES?}/secrets/authentik/postgres_passwd
+    file: ${NASCOMPOSE_SERVICES?}/secrets/authelia/jwt_secret
-  secret_key:
-    file: ${NASCOMPOSE_SERVICES?}/secrets/authentik/secret_key

bootstrap.docker-compose.yml

@@ -17,8 +17,8 @@ services:
   traefik:
     image: traefik
     environment:
-      - NASCOMPOSE_TRAEFIK_DOMAINS=${NASCOMPOSE_TRAEFIK_DOMAINS?}
+      NASCOMPOSE_TRAEFIK_DOMAINS: ${NASCOMPOSE_TRAEFIK_DOMAINS?}
-      - NASCOMPOSE_MACVLAN_HOST_IP=${NASCOMPOSE_MACVLAN_HOST_IP}
+      NASCOMPOSE_MACVLAN_HOST_IP: ${NASCOMPOSE_MACVLAN_HOST_IP}
     ports:
       - 8080:80
       - 8443:443
@@ -37,8 +37,8 @@ services:
         target: /etc/traefik/dynamic/tls.yml
       - source: traefik_hsts
         target: /etc/traefik/dynamic/hsts.yml
-      - source: traefik_authentik
+      - source: traefik_authelia
-        target: /etc/traefik/dynamic/authentik.yml
+        target: /etc/traefik/dynamic/authelia.yml
     secrets:
       - traefik_password # TODO: Replace with SSO
       - traefik_tls_cert
@@ -106,8 +106,8 @@ configs:
     file: ${NASCOMPOSE_SERVICES?}/configs/traefik/dynamic/tls.yml
   traefik_hsts:
     file: ${NASCOMPOSE_SERVICES?}/configs/traefik/dynamic/hsts.yml
-  traefik_authentik:
+  traefik_authelia:
-    file: ${NASCOMPOSE_SERVICES?}/configs/traefik/dynamic/authentik.yml
+    file: ${NASCOMPOSE_SERVICES?}/configs/traefik/dynamic/authelia.yml
 
 secrets:
   traefik_password:

docker/configs/authelia/access.yml

@@ -0,0 +1,30 @@
+
+##
+## Access Control Configuration
+##
+## Access control is a list of rules defining the authorizations applied for one resource to users or group of users.
+##
+## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed
+## to anyone. Otherwise restrictions follow the rules defined.
+##
+## Note: One can use the wildcard * to match any subdomain.
+## It must stand at the beginning of the pattern. (example: *.example.com)
+##
+## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct.
+##
+## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'.
+##
+## - 'domain' defines which domain or set of domains the rule applies to.
+##
+## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not
+##    provided. If provided, the parameter represents either a user or a group. It should be of the form
+##    'user:<username>' or 'group:<groupname>'.
+##
+## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'.
+##
+## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter
+##   is optional and matches any resource if not provided.
+##
+## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies.
+access_control:
+  default_policy: two_factor

docker/configs/authelia/authentication.yaml

@@ -0,0 +1,40 @@
+##
+## TOTP Configuration
+##
+## Parameters used for TOTP generation.
+totp:
+  ## The issuer name displayed in the Authenticator application of your choice.
+  issuer: authelia.com
+
+##
+## Authentication Backend Provider Configuration
+##
+## Used for verifying user passwords and retrieve information such as email address and groups users belong to.
+##
+## The available providers are: `file`, `ldap`. You must use only one of these providers.
+authentication_backend:
+  ##
+  ## File (Authentication Provider)
+  ##
+  ## With this backend, the users database is stored in a file which is updated when users reset their passwords.
+  ## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia
+  ## to be scaled to more than one instance. The options under 'password' have sane defaults, and as it has security
+  ## implications it is highly recommended you leave the default values. Before considering changing these settings
+  ## please read the docs page below:
+  ## https://www.authelia.com/r/passwords#tuning
+  ##
+  ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
+  ##
+  file:
+    path: /data/users_database.yml
+    watch: true
+
+##
+## Password Policy Configuration.
+##
+password_policy:
+  ## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings.
+  zxcvbn:
+    enabled: true
+    ## Configures the minimum score allowed.
+    min_score: 4

docker/configs/authelia/configuration.yml

@@ -0,0 +1,44 @@
+## Note: the container by default expects to find this file at /config/configuration.yml.
+
+## The theme to display: light, dark, grey, auto.
+theme: auto
+
+## The secret used to generate JWT tokens when validating user identity by email confirmation. JWT Secret can also be
+## set using a secret: https://www.authelia.com/c/secrets
+jwt_secret: a_very_important_secret
+
+##
+## Storage Provider Configuration
+##
+## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
+storage:
+  ## The encryption key that is used to encrypt sensitive information in the database. Must be a string with a minimum
+  ## length of 20. Please see the docs if you configure this with an undesirable key and need to change it, you MUST use
+  ## the CLI to change this in the database if you want to change it from a previously configured value.
+  # encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
+
+  ##
+  ## Local (Storage Provider)
+  ##
+  ## This stores the data in a SQLite3 Database.
+  ## This is only recommended for lightweight non-stateful installations.
+  ##
+  ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
+  ##
+  local:
+    ## Path to the SQLite3 Database.
+    path: /data/db.sqlite3
+
+##
+## Notification Provider
+##
+## Notifications are sent to users when they require a password reset, a Webauthn registration or a TOTP registration.
+## The available providers are: filesystem, smtp. You must use only one of these providers.
+notifier:
+  ##
+  ## File System (Notification Provider)
+  ##
+  ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
+  ##
+  filesystem:
+    filename: /data/notification.txt

docker/configs/traefik/dynamic/authelia.yml

@@ -0,0 +1,20 @@
+http:
+  middlewares:
+    authelia:
+      forwardAuth:
+        address: 'http://authelia:9091/api/verify?rd=https%3A%2F%2Fauthelia.{{ ( env "NASCOMPOSE_TRAEFIK_DOMAINS" | split "," )._0 }}%2F'
+        trustForwardHeader: true
+        authResponseHeaders:
+          - Remote-User
+          - Remote-Groups
+          - Remote-Name
+          - Remote-Email
+    authelia-basic:
+      forwardAuth:
+        address: http://authelia:9091/api/verify?auth=basic
+        trustForwardHeader: true
+        authResponseHeaders:
+          - Remote-User
+          - Remote-Groups
+          - Remote-Name
+          - Remote-Email

docker/configs/traefik/dynamic/authentik.yml

@@ -1,25 +0,0 @@
-http:
-  middlewares:
-    authentik:
-      forwardAuth:
-        address: http://authentik:9000/outpost.goauthentik.io/auth/traefik
-        trustForwardHeader: true
-        authResponseHeaders:
-          - X-authentik-username
-          - X-authentik-groups
-          - X-authentik-email
-          - X-authentik-name
-          - X-authentik-uid
-          - X-authentik-jwt
-          - X-authentik-meta-jwks
-          - X-authentik-meta-outpost
-          - X-authentik-meta-provider
-          - X-authentik-meta-app
-          - X-authentik-meta-version
-          - Authorization
-
-  routers:
-    general-auth:
-      rule: PathPrefix(`/outpost.goauthentik.io/`)
-      service: authentik-authentication@docker
-      priority: 10000