Move authentication to new format
This commit is contained in:
Colin Hebert
63
authentication/authentication.docker-compose.yml
Normal file
63
authentication/authentication.docker-compose.yml
Normal file
@@ -0,0 +1,63 @@
|
||||
name: authentication
|
||||
|
||||
services:
|
||||
authelia:
|
||||
image: authelia/authelia
|
||||
command: --config /etc/authelia/configuration.yml,/etc/authelia/access.yml,/etc/authelia/authentication.yml
|
||||
environment:
|
||||
PUID: ${NASCOMPOSE_UID?}
|
||||
PGID: ${NASCOMPOSE_GID?}
|
||||
AUTHELIA_SESSION_DOMAIN: ${NASCOMPOSE_AUTHELIA_DOMAIN?} # Will be deprecated with newer versions of Authelia, which will support multiple domains
|
||||
AUTHELIA_DEFAULT_REDIRECTION_URL: "https://heimdall.${NASCOMPOSE_AUTHELIA_DOMAIN?}"
|
||||
AUTHELIA_JWT_SECRET_FILE: /run/secrets/jwt_secret
|
||||
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/storage_key
|
||||
AUTHELIA_NOTIFIER_SMTP_HOST: ${NASCOMPOSE_AUTHELIA_SMTP_HOST?}
|
||||
AUTHELIA_NOTIFIER_SMTP_PORT: ${NASCOMPOSE_AUTHELIA_SMTP_PORT?}
|
||||
AUTHELIA_NOTIFIER_SMTP_USERNAME: ${NASCOMPOSE_AUTHELIA_SMTP_USERNAME?}
|
||||
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: /run/secrets/smtp_password
|
||||
AUTHELIA_NOTIFIER_SMTP_SENDER: ${NASCOMPOSE_AUTHELIA_SMTP_SENDER?}
|
||||
networks:
|
||||
- traefik
|
||||
volumes:
|
||||
- config:/config
|
||||
configs:
|
||||
- source: authelia_configuration
|
||||
target: /etc/authelia/configuration.yml
|
||||
- source: authelia_access
|
||||
target: /etc/authelia/access.yml
|
||||
- source: authelia_authentication
|
||||
target: /etc/authelia/authentication.yml
|
||||
secrets:
|
||||
- jwt_secret
|
||||
- storage_key
|
||||
- smtp_password
|
||||
restart: unless-stopped
|
||||
labels:
|
||||
traefik.enable: true
|
||||
|
||||
networks:
|
||||
traefik:
|
||||
external: true
|
||||
|
||||
volumes:
|
||||
config:
|
||||
driver_opts:
|
||||
type: none
|
||||
o: bind
|
||||
device: ${NASCOMPOSE_SERVICES?}/authentication/volumes/authelia_config/
|
||||
|
||||
configs:
|
||||
authelia_configuration:
|
||||
file: ${NASCOMPOSE_SERVICES?}/authentication/configs/configuration.yml
|
||||
authelia_access:
|
||||
file: ${NASCOMPOSE_SERVICES?}/authentication/configs/access.yml
|
||||
authelia_authentication:
|
||||
file: ${NASCOMPOSE_SERVICES?}/authentication/configs/authentication.yml
|
||||
|
||||
secrets:
|
||||
jwt_secret:
|
||||
file: ${NASCOMPOSE_SERVICES?}/authentication/secrets/jwt_secret
|
||||
storage_key:
|
||||
file: ${NASCOMPOSE_SERVICES?}/authentication/secrets/storage_key
|
||||
smtp_password:
|
||||
file: ${NASCOMPOSE_SERVICES?}/authentication/secrets/smtp_password
|
||||
47
authentication/configs/access.yml
Normal file
47
authentication/configs/access.yml
Normal file
@@ -0,0 +1,47 @@
|
||||
##
|
||||
## Access Control Configuration
|
||||
##
|
||||
## Access control is a list of rules defining the authorizations applied for one resource to users or group of users.
|
||||
##
|
||||
## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed
|
||||
## to anyone. Otherwise restrictions follow the rules defined.
|
||||
##
|
||||
## Note: One can use the wildcard * to match any subdomain.
|
||||
## It must stand at the beginning of the pattern. (example: *.example.com)
|
||||
##
|
||||
## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct.
|
||||
##
|
||||
## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'.
|
||||
##
|
||||
## - 'domain' defines which domain or set of domains the rule applies to.
|
||||
##
|
||||
## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not
|
||||
## provided. If provided, the parameter represents either a user or a group. It should be of the form
|
||||
## 'user:<username>' or 'group:<groupname>'.
|
||||
##
|
||||
## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'.
|
||||
##
|
||||
## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter
|
||||
## is optional and matches any resource if not provided.
|
||||
##
|
||||
## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies.
|
||||
access_control:
|
||||
default_policy: deny
|
||||
rules:
|
||||
# Support for one factor for transmission API
|
||||
# Only users in "transmission-basic" should be allowed to do so
|
||||
- domain_regex: '^transmission-api\..*'
|
||||
policy: one_factor
|
||||
subject:
|
||||
- 'group:transmission-basic'
|
||||
# Disable authentication on API protected by API keys
|
||||
- domain_regex: '^(bazarr|prowlarr|radarr|sonarr)\..*'
|
||||
policy: bypass
|
||||
resources:
|
||||
- '^/api$'
|
||||
- '^/api/'
|
||||
# Effective default policy, only allow admins with two-factor
|
||||
- domain_regex: '.*'
|
||||
policy: two_factor
|
||||
subject:
|
||||
- 'group:admins'
|
||||
32
authentication/configs/authentication.yml
Normal file
32
authentication/configs/authentication.yml
Normal file
@@ -0,0 +1,32 @@
|
||||
##
|
||||
## Authentication Backend Provider Configuration
|
||||
##
|
||||
## Used for verifying user passwords and retrieve information such as email address and groups users belong to.
|
||||
##
|
||||
## The available providers are: `file`, `ldap`. You must use only one of these providers.
|
||||
authentication_backend:
|
||||
##
|
||||
## File (Authentication Provider)
|
||||
##
|
||||
## With this backend, the users database is stored in a file which is updated when users reset their passwords.
|
||||
## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia
|
||||
## to be scaled to more than one instance. The options under 'password' have sane defaults, and as it has security
|
||||
## implications it is highly recommended you leave the default values. Before considering changing these settings
|
||||
## please read the docs page below:
|
||||
## https://www.authelia.com/r/passwords#tuning
|
||||
##
|
||||
## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
|
||||
##
|
||||
file:
|
||||
path: /config/users_database.yml
|
||||
watch: true
|
||||
|
||||
##
|
||||
## Password Policy Configuration.
|
||||
##
|
||||
password_policy:
|
||||
## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings.
|
||||
zxcvbn:
|
||||
enabled: true
|
||||
## Configures the minimum score allowed.
|
||||
min_score: 4
|
||||
21
authentication/configs/configuration.yml
Normal file
21
authentication/configs/configuration.yml
Normal file
@@ -0,0 +1,21 @@
|
||||
## Note: the container by default expects to find this file at /config/configuration.yml.
|
||||
|
||||
## The theme to display: light, dark, grey, auto.
|
||||
theme: auto
|
||||
|
||||
##
|
||||
## Storage Provider Configuration
|
||||
##
|
||||
## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
|
||||
storage:
|
||||
##
|
||||
## Local (Storage Provider)
|
||||
##
|
||||
## This stores the data in a SQLite3 Database.
|
||||
## This is only recommended for lightweight non-stateful installations.
|
||||
##
|
||||
## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
|
||||
##
|
||||
local:
|
||||
## Path to the SQLite3 Database.
|
||||
path: /config/db.sqlite3
|
||||
0
authentication/secrets/.gitkeep
Normal file
0
authentication/secrets/.gitkeep
Normal file
Reference in New Issue
Block a user