colin/nas-compose
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Set up authelia

Browse Source
This commit is contained in:
Colin Hebert
2023-01-10 14:57:43 +01:00
parent 77aad358f6
commit 4f387906c5
8 changed files with 150 additions and 110 deletions
Download Patch File Download Diff File Expand all files Collapse all files

89
authentication.docker-compose.yml
View File

@@ -1,97 +1,28 @@
name: authentication
services:
postgresql:
image: postgres:12-alpine
authelia:
image: authelia/authelia
environment:
- POSTGRES_USER=authentik
- POSTGRES_DB=authentik
- POSTGRES_PASSWORD_FILE=/run/secrets/postgres_passwd
healthcheck:
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
volumes:
- database:/var/lib/postgresql/data
secrets:
- postgres_passwd
restart: unless-stopped
redis:
image: redis:alpine
command: --save 60 1 --loglevel warning
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
volumes:
- redis:/data
restart: unless-stopped
authentik:
image: ghcr.io/goauthentik/server:2022.12.2
command: server
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: authentik
AUTHENTIK_POSTGRESQL__NAME: authentik
AUTHENTIK_POSTGRESQL__PASSWORD: file:///run/secrets/postgres_passwd
AUTHENTIK_SECRET_KEY: file:///run/secrets/secret_key
expose:
- 9000
NASCOMPOSE_TRAEFIK_DOMAINS: ${NASCOMPOSE_TRAEFIK_DOMAINS?}
AUTHELIA_DEFAULT_REDIRECTION_URL: "" #Heimdall
AUTHELIA_JWT_SECRET_FILE: /run/secret/jwt_secret
networks:
- default
- traefik
- macvlan
restart: unless-stopped
volumes:
- media:/media
- custom-templates:/templates
- config:/config
secrets:
- postgres_passwd
- secret_key
- jwt_secret
labels:
traefik.enable: true
worker:
image: ghcr.io/goauthentik/server:2022.12.2
command: worker
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: authentik
AUTHENTIK_POSTGRESQL__NAME: authentik
AUTHENTIK_POSTGRESQL__PASSWORD: file:///run/secrets/postgres_passwd
AUTHENTIK_SECRET_KEY: file:///run/secrets/secret_key
volumes:
- media:/media
- certs:/certs
- custom-templates:/templates
secrets:
- postgres_passwd
- secret_key
restart: unless-stopped
networks:
macvlan:
external: true
traefik:
external: true
volumes:
database:
redis:
media:
certs:
custom-templates:
config:
secrets:
postgres_passwd:
file: ${NASCOMPOSE_SERVICES?}/secrets/authentik/postgres_passwd
secret_key:
file: ${NASCOMPOSE_SERVICES?}/secrets/authentik/secret_key
jwt_secret:
file: ${NASCOMPOSE_SERVICES?}/secrets/authelia/jwt_secret

12
bootstrap.docker-compose.yml
View File

@@ -17,8 +17,8 @@ services:
traefik:
image: traefik
environment:
- NASCOMPOSE_TRAEFIK_DOMAINS=${NASCOMPOSE_TRAEFIK_DOMAINS?}
- NASCOMPOSE_MACVLAN_HOST_IP=${NASCOMPOSE_MACVLAN_HOST_IP}
NASCOMPOSE_TRAEFIK_DOMAINS: ${NASCOMPOSE_TRAEFIK_DOMAINS?}
NASCOMPOSE_MACVLAN_HOST_IP: ${NASCOMPOSE_MACVLAN_HOST_IP}
ports:
- 8080:80
- 8443:443
@@ -37,8 +37,8 @@ services:
target: /etc/traefik/dynamic/tls.yml
- source: traefik_hsts
target: /etc/traefik/dynamic/hsts.yml
- source: traefik_authentik
target: /etc/traefik/dynamic/authentik.yml
- source: traefik_authelia
target: /etc/traefik/dynamic/authelia.yml
secrets:
- traefik_password # TODO: Replace with SSO
- traefik_tls_cert
@@ -106,8 +106,8 @@ configs:
file: ${NASCOMPOSE_SERVICES?}/configs/traefik/dynamic/tls.yml
traefik_hsts:
file: ${NASCOMPOSE_SERVICES?}/configs/traefik/dynamic/hsts.yml
traefik_authentik:
file: ${NASCOMPOSE_SERVICES?}/configs/traefik/dynamic/authentik.yml
traefik_authelia:
file: ${NASCOMPOSE_SERVICES?}/configs/traefik/dynamic/authelia.yml
secrets:
traefik_password:

30
docker/configs/authelia/access.yml Normal file
View File

@@ -0,0 +1,30 @@
##
## Access Control Configuration
##
## Access control is a list of rules defining the authorizations applied for one resource to users or group of users.
##
## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed
## to anyone. Otherwise restrictions follow the rules defined.
##
## Note: One can use the wildcard * to match any subdomain.
## It must stand at the beginning of the pattern. (example: *.example.com)
##
## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct.
##
## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'.
##
## - 'domain' defines which domain or set of domains the rule applies to.
##
## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not
## provided. If provided, the parameter represents either a user or a group. It should be of the form
## 'user:<username>' or 'group:<groupname>'.
##
## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'.
##
## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter
## is optional and matches any resource if not provided.
##
## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies.
access_control:
default_policy: two_factor

40
docker/configs/authelia/authentication.yaml Normal file
View File

@@ -0,0 +1,40 @@
##
## TOTP Configuration
##
## Parameters used for TOTP generation.
totp:
## The issuer name displayed in the Authenticator application of your choice.
issuer: authelia.com
##
## Authentication Backend Provider Configuration
##
## Used for verifying user passwords and retrieve information such as email address and groups users belong to.
##
## The available providers are: `file`, `ldap`. You must use only one of these providers.
authentication_backend:
##
## File (Authentication Provider)
##
## With this backend, the users database is stored in a file which is updated when users reset their passwords.
## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia
## to be scaled to more than one instance. The options under 'password' have sane defaults, and as it has security
## implications it is highly recommended you leave the default values. Before considering changing these settings
## please read the docs page below:
## https://www.authelia.com/r/passwords#tuning
##
## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
##
file:
path: /data/users_database.yml
watch: true
##
## Password Policy Configuration.
##
password_policy:
## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings.
zxcvbn:
enabled: true
## Configures the minimum score allowed.
min_score: 4

44
docker/configs/authelia/configuration.yml Normal file
View File

@@ -0,0 +1,44 @@
## Note: the container by default expects to find this file at /config/configuration.yml.
## The theme to display: light, dark, grey, auto.
theme: auto
## The secret used to generate JWT tokens when validating user identity by email confirmation. JWT Secret can also be
## set using a secret: https://www.authelia.com/c/secrets
jwt_secret: a_very_important_secret
##
## Storage Provider Configuration
##
## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
storage:
## The encryption key that is used to encrypt sensitive information in the database. Must be a string with a minimum
## length of 20. Please see the docs if you configure this with an undesirable key and need to change it, you MUST use
## the CLI to change this in the database if you want to change it from a previously configured value.
# encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
##
## Local (Storage Provider)
##
## This stores the data in a SQLite3 Database.
## This is only recommended for lightweight non-stateful installations.
##
## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
##
local:
## Path to the SQLite3 Database.
path: /data/db.sqlite3
##
## Notification Provider
##
## Notifications are sent to users when they require a password reset, a Webauthn registration or a TOTP registration.
## The available providers are: filesystem, smtp. You must use only one of these providers.
notifier:
##
## File System (Notification Provider)
##
## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
##
filesystem:
filename: /data/notification.txt

20
docker/configs/traefik/dynamic/authelia.yml Normal file
View File

@@ -0,0 +1,20 @@
http:
middlewares:
authelia:
forwardAuth:
address: 'http://authelia:9091/api/verify?rd=https%3A%2F%2Fauthelia.{{ ( env "NASCOMPOSE_TRAEFIK_DOMAINS" | split "," )._0 }}%2F'
trustForwardHeader: true
authResponseHeaders:
- Remote-User
- Remote-Groups
- Remote-Name
- Remote-Email
authelia-basic:
forwardAuth:
address: http://authelia:9091/api/verify?auth=basic
trustForwardHeader: true
authResponseHeaders:
- Remote-User
- Remote-Groups
- Remote-Name
- Remote-Email

25
docker/configs/traefik/dynamic/authentik.yml
View File

@@ -1,25 +0,0 @@
http:
middlewares:
authentik:
forwardAuth:
address: http://authentik:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
- Authorization
routers:
general-auth:
rule: PathPrefix(`/outpost.goauthentik.io/`)
service: authentik-authentication@docker
priority: 10000

0
docker/secrets/authentik/README.md → docker/secrets/authelia/README.md
View File