From 8cd14ac9e64d198444dc8b6efd983e51b14bb6fe Mon Sep 17 00:00:00 2001 
From: Viyurz Date: Sat, 6 Jul 2024 10:29:57 +0200 Subject: [PATCH] Replace Authelia & LLDAP by Keycloak --- env.yml | 16 +--- roles/authelia/tasks/setup.yml | 25 ----- roles/authelia/templates/configuration.yml | 96 ------------------- roles/authelia/templates/docker-compose.yaml | 16 ---- roles/hedgedoc/templates/.env | 14 +-- roles/{authelia => keycloak}/tasks/backup.yml | 2 +- roles/{authelia => keycloak}/tasks/main.yml | 0 roles/keycloak/tasks/setup.yml | 19 ++++ roles/{authelia => keycloak}/tasks/update.yml | 8 +- roles/keycloak/templates/.env | 12 +++ roles/keycloak/templates/Dockerfile | 15 +++ roles/keycloak/templates/docker-compose.yaml | 9 ++ roles/lldap/tasks/backup.yml | 25 ----- roles/lldap/tasks/main.yml | 14 --- roles/lldap/tasks/setup.yml | 27 ------ roles/lldap/tasks/update.yml | 24 ----- roles/lldap/templates/.env | 7 -- roles/lldap/templates/docker-compose.yaml | 17 ---- .../templates/sites-enabled/authelia.conf | 10 -- .../templates/sites-enabled/keycloak.conf | 13 +++ .../nginx/templates/sites-enabled/lldap.conf | 14 --- .../templates/sites-enabled/syncthing.conf | 14 --- .../snippets/authelia-authrequest.conf | 15 --- .../templates/snippets/authelia-location.conf | 18 ---- roles/synapse/templates/homeserver.yaml | 19 ++-- secrets.yml.example | 35 +------ 26 files changed, 97 insertions(+), 387 deletions(-) delete mode 100644 roles/authelia/tasks/setup.yml delete mode 100644 roles/authelia/templates/configuration.yml delete mode 100644 roles/authelia/templates/docker-compose.yaml rename roles/{authelia => keycloak}/tasks/backup.yml (92%) rename roles/{authelia => keycloak}/tasks/main.yml (100%) create mode 100644 roles/keycloak/tasks/setup.yml rename roles/{authelia => keycloak}/tasks/update.yml (73%) create mode 100644 roles/keycloak/templates/.env create mode 100644 roles/keycloak/templates/Dockerfile create mode 100644 roles/keycloak/templates/docker-compose.yaml delete mode 100644 roles/lldap/tasks/backup.yml delete mode 100644 
roles/lldap/tasks/main.yml delete mode 100644 roles/lldap/tasks/setup.yml delete mode 100644 roles/lldap/tasks/update.yml delete mode 100644 roles/lldap/templates/.env delete mode 100644 roles/lldap/templates/docker-compose.yaml delete mode 100644 roles/nginx/templates/sites-enabled/authelia.conf create mode 100644 roles/nginx/templates/sites-enabled/keycloak.conf delete mode 100644 roles/nginx/templates/sites-enabled/lldap.conf delete mode 100644 roles/nginx/templates/sites-enabled/syncthing.conf delete mode 100644 roles/nginx/templates/snippets/authelia-authrequest.conf delete mode 100644 roles/nginx/templates/snippets/authelia-location.conf diff --git a/env.yml b/env.yml index 0d5e57c..f3a3313 100644 --- a/env.yml +++ b/env.yml @@ -1,5 +1,4 @@ domain: viyurz.fr -ldap_base_dn: dc=viyurz,dc=fr timezone: "Europe/Paris" host_uid: 1000 project_dir: "{{ ansible_env['HOME'] }}/docker-projects/{{ role_name }}" @@ -39,13 +38,12 @@ cifs_mounts: projects: - - authelia - coturn - element - etebase - hedgedoc - homepage - - lldap + - keycloak - mailserver - postgres - searxng @@ -57,10 +55,9 @@ projects: projects_to_backup: - - authelia - etebase - hedgedoc - - lldap + - keycloak - mailserver - postgres - stump @@ -81,7 +78,6 @@ borg_prune_options: | # Ports exposed to host ports: - authelia: 9091 coturn_listening: 3478 coturn_tls_listening: 5349 coturn_relay_min: 49152 @@ -90,7 +86,7 @@ ports: etebase: 3735 hedgedoc: 8086 homepage: 8686 - lldap: 17170 + keycloak: 8444 mailserver_smtp: 1025 mailserver_smtps: 1465 mailserver_imaps: 1993 @@ -112,12 +108,11 @@ ports: # UID in containers users: - authelia: 1008 coturn: 666 etebase: 373 hedgedoc: 1004 homepage: 8686 - lldap: 1007 + keycloak: 1000 mailserver: 8 postgres: 70 searxng: 977 @@ -128,7 +123,7 @@ users: syncthing_discosrv: 1002 syncthing_relaysrv: 1003 uptime_kuma: 1006 - vaultwarden: 1000 + vaultwarden: 1010 wireguard: 1009 
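Review bot: The `- vaultwarden: 1000` → `+ vaultwarden: 1010` change in the `users:` map is unrelated to the Authelia/LLDAP replacement and changes the UID an already-deployed container runs as; if that service's data directory was created under the old UID (plus `uid_shift`, as the other roles do), it will lose write access until the files are re-owned, and nothing in this commit does that. Either leave Vaultwarden at `1000` and give Keycloak a fresh UID, or add the chown to the Vaultwarden role's setup and mention the migration in the commit message. A short comment above `keycloak: 1000`, e.g. `# 1000 is the UID the upstream Keycloak image runs as`, would also explain why it is the only entry that collides with `host_uid` — presumably harmless inside the remapped user namespace, but it looks like a mistake without the note.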
@@ -137,7 +132,6 @@ volumes: coturn_tls_certificate_key_file: "/etc/letsencrypt/live/turn.{{ domain }}/privkey.pem" etebase_datadir: /mnt/etebasedata hedgedoc_uploadsdir: /mnt/hedgedocuploads - lldap_datadir: /mnt/lldapdata mailserver_datadir: /mnt/mailserver mailserver_tls_certificate_file: "/etc/letsencrypt/live/mail.{{ domain }}/fullchain.pem" mailserver_tls_certificate_key_file: "/etc/letsencrypt/live/mail.{{ domain }}/privkey.pem" diff --git a/roles/authelia/tasks/setup.yml b/roles/authelia/tasks/setup.yml deleted file mode 100644 index 4f94937..0000000 --- a/roles/authelia/tasks/setup.yml +++ /dev/null @@ -1,25 +0,0 @@ -- name: "(Re)Create {{ project_dir }} project directory" - file: - path: "{{ project_dir }}" - state: "{{ item }}" - loop: - - absent - - directory - -- name: Template docker-compose.yaml & configuration.yml to project directory - template: - src: "{{ item }}" - dest: "{{ project_dir }}/{{ item }}" - owner: "{{ host_uid }}" - group: "{{ host_uid }}" - mode: '640' - loop: - - docker-compose.yaml - - configuration.yml - -# Separate task because template module cannot chown/chgrp to a non-existing user/group -- name: "Change group of homeserver.yaml to Authelia GID ({{ users['authelia'] + uid_shift }})" - file: - path: "{{ project_dir }}/configuration.yml" - group: "{{ users['authelia'] + uid_shift }}" - become: true diff --git a/roles/authelia/templates/configuration.yml b/roles/authelia/templates/configuration.yml deleted file mode 100644 index 7f95011..0000000 --- a/roles/authelia/templates/configuration.yml +++ /dev/null 
@@ -1,96 +0,0 @@ -theme: 'auto' - -totp: - issuer: '{{ domain }}' - -identity_validation: - reset_password: - jwt_secret: '{{ authelia_secrets["jwt_secret"] }}' - -authentication_backend: - refresh_interval: '1m' - ldap: - implementation: 'custom' - address: 'ldap://lldap:3890' - base_dn: '{{ ldap_base_dn }}' - users_filter: '(&({username_attribute}={input})(objectClass=person))' - groups_filter: '(member={dn})' - user: '{{ authelia_secrets["ldap_user"] }}' - password: '{{ authelia_secrets["ldap_password"] }}' - attributes: - distinguished_name: 'distinguishedName' - username: 'uid' - mail: 'mail' - member_of: 'memberOf' - group_name: 'cn' - -password_policy: - standard: - enabled: true - min_length: 12 - max_length: 128 - require_uppercase: true - require_lowercase: true - require_number: true - require_special: true - -access_control: - default_policy: 'deny' - rules: - - domain: 'auth.{{ domain }}' - policy: 'bypass' - - - domain: 'ldap.{{ domain }}' - policy: 'two_factor' - subject: 'group:lldap_admin' - - - domain: 'syncthing.{{ domain }}' - policy: 'two_factor' - subject: 'user:viyurz' - -session: - cookies: - - name: 'authelia_session' - domain: '{{ domain }}' - authelia_url: 'https://auth.{{ domain }}' - -storage: - encryption_key: '{{ authelia_secrets["encryption_key"] }}' - postgres: - address: postgres.{{ domain }} - database: authelia - username: '{{ authelia_secrets["postgres_user"] }}' - password: '{{ authelia_secrets["postgres_password"] }}' - -notifier: - smtp: - address: 'submissions://mail.{{ domain }}:{{ ports["mailserver_smtps"] }}' - username: '{{ authelia_secrets["smtp_user"] }}' - password: '{{ authelia_secrets["smtp_password"] }}' - sender: 'Authelia ' - -identity_providers: - oidc: - hmac_secret: '{{ authelia_secrets["hmac_secret"] }}' - jwks: - - key: | - {{ authelia_secrets["jwks_key"] | indent(width=10) }} - clients: - - client_id: '{{ authelia_secrets["hedgedoc_client_id"] }}' - client_name: HedgeDoc - client_secret: '{{ 
authelia_secrets["hedgedoc_client_secret_hash"] }}' - redirect_uris: 'https://hedgedoc.{{ domain }}/auth/oauth2/callback' - scopes: - - 'openid' - - 'profile' - - 'email' - token_endpoint_auth_method: client_secret_post - - - client_id: '{{ authelia_secrets["synapse_client_id"] }}' - client_name: Synapse - client_secret: '{{ authelia_secrets["synapse_client_secret_hash"] }}' - redirect_uris: 'https://matrix.{{ domain }}/_synapse/client/oidc/callback' - scopes: - - 'openid' - - 'profile' - - 'email' diff --git a/roles/authelia/templates/docker-compose.yaml b/roles/authelia/templates/docker-compose.yaml deleted file mode 100644 index 47ab3df..0000000 --- a/roles/authelia/templates/docker-compose.yaml +++ /dev/null @@ -1,16 +0,0 @@ -services: - authelia: - container_name: authelia - image: docker.io/authelia/authelia:4 - restart: always - user: {{ users['authelia'] }}:{{ users['authelia'] }} - networks: - - authelia - ports: - - 127.0.0.1:{{ ports['authelia'] }}:9091 - volumes: - - ./configuration.yml:/config/configuration.yml - -networks: - authelia: - name: authelia diff --git a/roles/hedgedoc/templates/.env b/roles/hedgedoc/templates/.env index 4806509..c840db7 100644 --- a/roles/hedgedoc/templates/.env +++ b/roles/hedgedoc/templates/.env 
@@ -6,14 +6,14 @@ CMD_DB_PASSWORD='{{ hedgedoc_secrets["postgres_password"] }}' CMD_DOMAIN='hedgedoc.{{ domain }}' CMD_PROTOCOL_USESSL=true CMD_SESSION_SECRET='{{ hedgedoc_secrets["session_secret"] }}' -CMD_ALLOW_EMAIL_REGISTER=false +CMD_EMAIL=false -CMD_OAUTH2_PROVIDERNAME=Authelia -CMD_OAUTH2_CLIENT_ID='{{ authelia_secrets["hedgedoc_client_id"] }}' -CMD_OAUTH2_CLIENT_SECRET='{{ authelia_secrets["hedgedoc_client_secret"] }}' -CMD_OAUTH2_AUTHORIZATION_URL=https://auth.{{ domain }}/api/oidc/authorization -CMD_OAUTH2_TOKEN_URL=https://auth.{{ domain }}/api/oidc/token -CMD_OAUTH2_USER_PROFILE_URL=https://auth.{{ domain }}/api/oidc/userinfo +CMD_OAUTH2_PROVIDERNAME=Keycloak +CMD_OAUTH2_CLIENT_ID='{{ hedgedoc_secrets["client_id"] }}' +CMD_OAUTH2_CLIENT_SECRET='{{ hedgedoc_secrets["client_secret"] }}' +CMD_OAUTH2_AUTHORIZATION_URL=https://kc.{{ domain }}/realms/master/protocol/openid-connect/auth +CMD_OAUTH2_TOKEN_URL=https://kc.{{ domain }}/realms/master/protocol/openid-connect/token +CMD_OAUTH2_USER_PROFILE_URL=https://kc.{{ domain }}/realms/master/protocol/openid-connect/userinfo CMD_OAUTH2_SCOPE=openid email profile CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name diff --git a/roles/authelia/tasks/backup.yml b/roles/keycloak/tasks/backup.yml similarity index 92% rename from roles/authelia/tasks/backup.yml rename to roles/keycloak/tasks/backup.yml index 69f1c50..02fe380 100644 --- a/roles/authelia/tasks/backup.yml +++ b/roles/keycloak/tasks/backup.yml @@ -1,4 +1,4 @@ -- name: "Backup PostgreSQL authelia database" +- name: "Backup PostgreSQL keycloak database" shell: > docker exec postgres pg_dump -c {{ role_name }} | diff --git a/roles/authelia/tasks/main.yml b/roles/keycloak/tasks/main.yml similarity index 100% rename from roles/authelia/tasks/main.yml rename to roles/keycloak/tasks/main.yml diff --git a/roles/keycloak/tasks/setup.yml b/roles/keycloak/tasks/setup.yml new file mode 100644 index 0000000..3d3eea0 
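Review bot: All three new `CMD_OAUTH2_*_URL` values point at `/realms/master/`; Keycloak's master realm exists to administer other realms and its users can be granted console/admin roles, so application clients and users should live in a dedicated realm — `CMD_OAUTH2_AUTHORIZATION_URL=https://kc.{{ domain }}/realms/<app-realm>/protocol/openid-connect/auth`, and likewise for the token and userinfo URLs. Separately, swapping `CMD_ALLOW_EMAIL_REGISTER=false` for `CMD_EMAIL=false` disables e-mail/password login entirely rather than only registration; that is the stronger setting, but any existing local HedgeDoc accounts become unreachable unless HedgeDoc links them to the OAuth identity, which deserves a sentence in the commit message. A comment above the block, `# Login is OAuth2-only via Keycloak; local e-mail accounts are disabled`, would record the intent.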
--- /dev/null +++ b/roles/keycloak/tasks/setup.yml @@ -0,0 +1,19 @@ +- name: "(Re)Create {{ project_dir }} project directory" + file: + path: "{{ project_dir }}" + state: "{{ item }}" + loop: + - absent + - directory + +- name: Template Dockerfile, docker-compose.yaml & .env to project directory + template: + src: "{{ item }}" + dest: "{{ project_dir }}/{{ item }}" + owner: "{{ host_uid }}" + group: "{{ host_uid }}" + mode: '640' + loop: + - Dockerfile + - docker-compose.yaml + - .env diff --git a/roles/authelia/tasks/update.yml b/roles/keycloak/tasks/update.yml similarity index 73% rename from roles/authelia/tasks/update.yml rename to roles/keycloak/tasks/update.yml index f721456..57d2cc8 100644 --- a/roles/authelia/tasks/update.yml +++ b/roles/keycloak/tasks/update.yml @@ -5,18 +5,18 @@ pull: true debug: true when: docker_pull_images | bool - register: authelia_docker_compose_pull_result + register: keycloak_docker_compose_pull_result - name: Display pulled image(s) name set_fact: - authelia_pulled_images: "{{ authelia_pulled_images | default([]) + [item.pulled_image.name] }}" - loop: "{{ authelia_docker_compose_pull_result['actions'] | default([]) | selectattr('pulled_image', 'defined') }}" + keycloak_pulled_images: "{{ keycloak_pulled_images | default([]) + [item.pulled_image.name] }}" + loop: "{{ keycloak_docker_compose_pull_result['actions'] | default([]) | selectattr('pulled_image', 'defined') }}" - name: Include backup tasks include_tasks: file: backup.yml # Make a backup if we didn't already make one and we pulled a new image - when: not run_backup | default(false) and authelia_pulled_images is defined + when: not run_backup | default(false) and keycloak_pulled_images is defined - name: Create/Restart project services community.docker.docker_compose: diff --git a/roles/keycloak/templates/.env b/roles/keycloak/templates/.env new file mode 100644 index 0000000..22c8339 --- /dev/null +++ b/roles/keycloak/templates/.env 
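Review bot: The templated `.env` carries `KC_DB_PASSWORD`, yet the task writes all three files with `mode: '640'`, whereas the LLDAP role this replaces wrote its `.env` with `'600'`; the file is read by Compose on the host as `host_uid`, so group readability is not needed for anything. Keep `'640'` for `Dockerfile` and `docker-compose.yaml` if you like, but write `.env` owner-only — either a second `template` task or a loop of dicts with a per-item `mode`, e.g. `- { src: .env, mode: '600' }`. A one-line comment above the task, `# .env holds the DB password – keep it owner-only`, would document why it is treated differently.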
@@ -0,0 +1,12 @@
+QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY=true
+
+#KEYCLOAK_ADMIN=
+#KEYCLOAK_ADMIN_PASSWORD=
+
+KC_DB_URL_HOST=postgres.{{ domain }}
+KC_DB_URL_DATABASE=keycloak
+KC_DB_USERNAME={{ keycloak_secrets['postgres_user'] }}
+KC_DB_PASSWORD='{{ keycloak_secrets["postgres_password"] }}'
+
+KC_PROXY_HEADERS=xforwarded
+KC_HOSTNAME=https://kc.{{ domain }}
diff --git a/roles/keycloak/templates/Dockerfile b/roles/keycloak/templates/Dockerfile
new file mode 100644
index 0000000..a0f415d
--- /dev/null
+++ b/roles/keycloak/templates/Dockerfile
@@ -0,0 +1,15 @@
+FROM quay.io/keycloak/keycloak:25.0 as builder
+
+ENV KC_DB=postgres
+
+WORKDIR /opt/keycloak
+
+RUN keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 -dname "CN=server" -alias server -ext "SAN:c=IP:127.0.0.1" -keystore conf/server.keystore
+RUN /opt/keycloak/bin/kc.sh build
+
+
+FROM quay.io/keycloak/keycloak:25.0
+COPY --from=builder /opt/keycloak/ /opt/keycloak/
+
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
+CMD ["start", "--optimized"]
diff --git a/roles/keycloak/templates/docker-compose.yaml b/roles/keycloak/templates/docker-compose.yaml
new file mode 100644
index 0000000..e4d12a9
--- /dev/null
+++ b/roles/keycloak/templates/docker-compose.yaml
@@ -0,0 +1,9 @@
+services:
+ keycloak:
+ container_name: keycloak
+ build: .
+ restart: always
+ user: {{ users['keycloak'] }}:{{ users['keycloak'] }}
+ env_file: .env
+ ports:
+ - 127.0.0.1:{{ ports['keycloak'] }}:8443
diff --git a/roles/lldap/tasks/backup.yml b/roles/lldap/tasks/backup.yml
deleted file mode 100644
index d1ef4e3..0000000
--- a/roles/lldap/tasks/backup.yml
+++ /dev/null
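Review bot: `#KEYCLOAK_ADMIN=` / `#KEYCLOAK_ADMIN_PASSWORD=` are left commented out with no explanation; presumably they were set for the first start to create the bootstrap admin and then removed, but a reader cannot tell whether that step is done or still pending. A comment such as `# Set both only for the very first start to create the bootstrap admin, then create a permanent admin user, delete this account and comment these out again` would make the procedure reproducible. Also `KC_DB_USERNAME` is unquoted while `KC_DB_PASSWORD` is single-quoted; quoting both the same way avoids surprises if the username ever contains `#` or whitespace.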
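Review bot: The `RUN keytool -genkeypair -storepass password ...` line bakes a self-signed private key into an image layer with the well-known keystore password `password` (presumably relied on because it matches Keycloak's default for `KC_HTTPS_KEY_STORE_PASSWORD`, since no password is configured anywhere else), and every container started from the image shares that key. Its only client is nginx on 127.0.0.1, which with `proxy_ssl_verify` at its default does not validate the certificate anyway, so the TLS hop buys little: either drop the keystore, set `ENV KC_HTTP_ENABLED=true` in the final stage and proxy to port 8080 over loopback, or keep TLS and mount a keystore at runtime with its password supplied through `KC_HTTPS_KEY_STORE_PASSWORD` from `keycloak_secrets`. Independently, `quay.io/keycloak/keycloak:25.0` is a floating tag written twice — declare it once as `ARG KC_IMAGE=quay.io/keycloak/keycloak:25.0.<patch>` (or an `@sha256:` digest) so the builder and runtime stages cannot diverge and upgrades are deliberate. BuildKit also warns about the lowercase keyword in `FROM ... as builder`; write `AS`.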
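Review bot: `build: .` means this service's image is built locally, so the renamed `update.yml` (which only records `pulled_image` entries from a `pull: true` run) will, as far as I can tell, never see a pulled image for Keycloak: base-image updates go undetected, the pre-update backup that hinges on `keycloak_pulled_images is defined` never fires, and the final `docker_compose` task will not rebuild the image unless told to. Either add `build: true` (and a base-image pull) to the create/restart task in `update.yml`, or switch to `image:` with the keystore generated at start-up so the standard pull path applies. A comment above `build: .`, `# local build: update.yml must rebuild explicitly, compose pull does not cover this service`, would at least flag the gap.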
@@ -1,25 +0,0 @@ -- name: "Backup PostgreSQL lldap database & {{ volumes['lldap_datadir'] }} directory" - shell: > - docker exec postgres - pg_dump -c {{ role_name }} | - borg create - --compression lzma - "{{ borg_repodir }}::{{ role_name }}-{now:%Y-%m-%d_%H-%M-%S}" - "{{ volumes['lldap_datadir'] }}" - - - --stdin-name dump_{{ role_name }}.sql - environment: - DOCKER_HOST: "{{ docker_host }}" - BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}" - become: true - -- name: Prune borg repository - command: - cmd: | - borg prune - --glob-archives='{{ role_name }}-*' - {{ borg_prune_options }} - {{ borg_repodir }} - environment: - BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}" - become: true diff --git a/roles/lldap/tasks/main.yml b/roles/lldap/tasks/main.yml deleted file mode 100644 index 89bf793..0000000 --- a/roles/lldap/tasks/main.yml +++ /dev/null @@ -1,14 +0,0 @@ -- name: Include backup tasks - include_tasks: - file: backup.yml - when: run_backup | default(false) | bool - -- name: Include setup tasks - include_tasks: - file: setup.yml - when: run_setup | default(false) | bool - -- name: Include update tasks - include_tasks: - file: update.yml - when: run_update | default(false) | bool diff --git a/roles/lldap/tasks/setup.yml b/roles/lldap/tasks/setup.yml deleted file mode 100644 index aa456e1..0000000 --- a/roles/lldap/tasks/setup.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -- name: "(Re)Create {{ project_dir }} project directory" - file: - path: "{{ project_dir }}" - state: "{{ item }}" - loop: - - absent - - directory - -- name: Template docker-compose.yaml & .env to project directory - template: - src: "{{ item }}" - dest: "{{ project_dir }}/{{ item }}" - owner: "{{ host_uid }}" - group: "{{ host_uid }}" - mode: '600' - loop: - - docker-compose.yaml - - .env - -- name: "Create (if not exists) directory {{ volumes['lldap_datadir'] }} & set permissions" - file: - path: "{{ volumes['lldap_datadir'] }}" - state: directory - owner: "{{ users['lldap'] + uid_shift }}" - group: "{{ users['lldap'] + uid_shift }}" - mode: '700' - become: true diff --git a/roles/lldap/tasks/update.yml b/roles/lldap/tasks/update.yml deleted file mode 100644 index 9768820..0000000 --- a/roles/lldap/tasks/update.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: Pull project services - community.docker.docker_compose: - project_src: "{{ project_dir }}" - recreate: never - pull: true - debug: true - when: docker_pull_images | bool - register: lldap_docker_compose_pull_result - -- name: Display pulled image(s) name - set_fact: - lldap_pulled_images: "{{ lldap_pulled_images | default([]) + [item.pulled_image.name] }}" - loop: "{{ lldap_docker_compose_pull_result['actions'] | default([]) | selectattr('pulled_image', 'defined') }}" - -- name: Include backup tasks - include_tasks: - file: backup.yml - # Make a backup if we didn't already make one and we pulled a new image - when: not run_backup | default(false) and lldap_pulled_images is defined - -- name: Create/Restart project services - community.docker.docker_compose: - project_src: "{{ project_dir }}" - restarted: "{{ run_setup | default(false) | bool }}" diff --git a/roles/lldap/templates/.env b/roles/lldap/templates/.env deleted file mode 100644 index 68ac836..0000000 --- a/roles/lldap/templates/.env +++ /dev/null 
@@ -1,7 +0,0 @@ -UID={{ users['lldap'] }} -GID={{ users['lldap'] }} -TZ={{ timezone }} -LLDAP_LDAP_BASE_DN={{ ldap_base_dn }} -LLDAP_JWT_SECRET='{{ lldap_secrets["jwt_secret"] }}' -LLDAP_KEY_SEED='{{ lldap_secrets["key_seed"] }}' -LLDAP_DATABASE_URL='postgres://{{ lldap_secrets["postgres_user"] }}:{{ lldap_secrets["postgres_password"] }}@postgres.{{ domain }}/lldap' diff --git a/roles/lldap/templates/docker-compose.yaml b/roles/lldap/templates/docker-compose.yaml deleted file mode 100644 index ca22f95..0000000 --- a/roles/lldap/templates/docker-compose.yaml +++ /dev/null @@ -1,17 +0,0 @@ -services: - lldap: - container_name: lldap - image: docker.io/lldap/lldap:2024-06-13-alpine-rootless - restart: always - user: {{ users['lldap'] }}:{{ users['lldap'] }} - env_file: .env - networks: - - authelia - ports: - - {{ ports['lldap'] }}:17170 - volumes: - - {{ volumes['lldap_datadir'] }}:/data - -networks: - authelia: - name: authelia diff --git a/roles/nginx/templates/sites-enabled/authelia.conf b/roles/nginx/templates/sites-enabled/authelia.conf deleted file mode 100644 index fcc3dff..0000000 --- a/roles/nginx/templates/sites-enabled/authelia.conf +++ /dev/null @@ -1,10 +0,0 @@ -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name auth.{{ domain }}; - - location / { - proxy_pass http://127.0.0.1:{{ ports['authelia'] }}; - } -} diff --git a/roles/nginx/templates/sites-enabled/keycloak.conf b/roles/nginx/templates/sites-enabled/keycloak.conf new file mode 100644 index 0000000..764444c --- /dev/null +++ b/roles/nginx/templates/sites-enabled/keycloak.conf @@ -0,0 +1,13 @@ +server { + listen 443 ssl; + listen [::]:443 ssl; + + server_name kc.{{ domain }}; + + location / { + proxy_pass https://127.0.0.1:{{ ports['keycloak'] }}; + + #include /etc/nginx/snippets/websocket.conf; + #include /etc/nginx/snippets/proxy.conf; + } +} 
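Review bot: The new `location /` proxies to Keycloak without setting any `X-Forwarded-*` headers (the `proxy.conf` include is commented out), while the role's `.env` sets `KC_PROXY_HEADERS=xforwarded`, i.e. Keycloak trusts those headers from the proxy; nginx forwards client-supplied request headers untouched, so a client can send its own `X-Forwarded-For`/`X-Forwarded-Proto` and Keycloak will believe them, which sidesteps the per-IP brute-force lockout and falsifies login/admin event logs. Set the headers explicitly in this location (or un-comment the include, if `proxy.conf` does exactly that) so nginx always overwrites what the client sent. Since the previous Authelia policy defaulted to `deny` and this block exposes the admin console to the internet with only Keycloak's own login in front, consider a separate `location /admin/ { allow <trusted-ip>; deny all; proxy_pass ...; }`. Note also that `proxy_pass https://127.0.0.1:...` does not verify the self-signed upstream certificate by default — acceptable on loopback, but worth a comment.
```nginx
    location / {
        proxy_pass https://127.0.0.1:{{ ports['keycloak'] }};

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
    }
```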
diff --git a/roles/nginx/templates/sites-enabled/lldap.conf b/roles/nginx/templates/sites-enabled/lldap.conf deleted file mode 100644 index 9a97e1b..0000000 --- a/roles/nginx/templates/sites-enabled/lldap.conf +++ /dev/null @@ -1,14 +0,0 @@ -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name ldap.{{ domain }}; - - include /etc/nginx/snippets/authelia-location.conf; - - location / { - proxy_pass http://127.0.0.1:{{ ports['lldap'] }}; - - include /etc/nginx/snippets/authelia-authrequest.conf; - } -} diff --git a/roles/nginx/templates/sites-enabled/syncthing.conf b/roles/nginx/templates/sites-enabled/syncthing.conf deleted file mode 100644 index d78f19b..0000000 --- a/roles/nginx/templates/sites-enabled/syncthing.conf +++ /dev/null @@ -1,14 +0,0 @@ -server { - listen 443 ssl; - listen [::]:443 ssl; - - server_name syncthing.{{ domain }}; - - include /etc/nginx/snippets/authelia-location.conf; - - location / { - proxy_pass http://127.0.0.1:{{ ports['syncthing_webui'] }}; - - include /etc/nginx/snippets/authelia-authrequest.conf; - } -} diff --git a/roles/nginx/templates/snippets/authelia-authrequest.conf b/roles/nginx/templates/snippets/authelia-authrequest.conf deleted file mode 100644 index 7d2f293..0000000 --- a/roles/nginx/templates/snippets/authelia-authrequest.conf +++ /dev/null @@ -1,15 +0,0 @@ -auth_request /internal/authelia/authz; - -auth_request_set $user $upstream_http_remote_user; -auth_request_set $groups $upstream_http_remote_groups; -auth_request_set $name $upstream_http_remote_name; -auth_request_set $email $upstream_http_remote_email; - -proxy_set_header Remote-User $user; -proxy_set_header Remote-Groups $groups; -proxy_set_header Remote-Email $email; -proxy_set_header Remote-Name $name; - -auth_request_set $redirection_url $upstream_http_location; - -error_page 401 =302 $redirection_url; 
diff --git a/roles/nginx/templates/snippets/authelia-location.conf b/roles/nginx/templates/snippets/authelia-location.conf deleted file mode 100644 index 57d149c..0000000 --- a/roles/nginx/templates/snippets/authelia-location.conf +++ /dev/null @@ -1,18 +0,0 @@ -location /internal/authelia/authz { - internal; - - proxy_pass http://127.0.0.1:{{ ports['authelia'] }}/api/authz/auth-request; - - proxy_set_header X-Original-Method $request_method; - proxy_set_header X-Original-URL $scheme://$http_host$request_uri; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header Content-Length ""; - proxy_set_header Connection ""; - - proxy_pass_request_body off; - proxy_http_version 1.1; - proxy_cache_bypass $cookie_session; - proxy_no_cache $cookie_session; - proxy_buffers 4 32k; - client_body_buffer_size 128k; -} diff --git a/roles/synapse/templates/homeserver.yaml b/roles/synapse/templates/homeserver.yaml index 7cb0cc8..bb880e9 100644 --- a/roles/synapse/templates/homeserver.yaml +++ b/roles/synapse/templates/homeserver.yaml @@ -108,17 +108,12 @@ suppress_key_server_warning: true # Single sign-on integration oidc_providers: - - idp_id: authelia - idp_name: "Authelia" - idp_icon: "mxc://authelia.com/cKlrTPsGvlpKxAYeHWJsdVHI" - discover: false - issuer: "https://auth.{{ domain }}" - client_id: '{{ authelia_secrets["synapse_client_id"] }}' - client_secret: '{{ authelia_secrets["synapse_client_secret"] }}' + - idp_id: keycloak + idp_name: "Keycloak" + issuer: "https://kc.{{ domain }}/realms/master" + client_id: '{{ synapse_secrets["client_id"] }}' + client_secret: '{{ synapse_secrets["client_secret"] }}' scopes: ["openid", "profile", "email"] - authorization_endpoint: 'https://auth.{{ domain }}/api/oidc/authorization' - token_endpoint: 'https://auth.{{ domain }}/api/oidc/token' - jwks_uri: 'https://auth.{{ domain }}/jwks.json' allow_existing_users: true user_mapping_provider: config: 
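Review bot: `issuer: "https://kc.{{ domain }}/realms/master"` makes the Keycloak master realm the identity source for Matrix, and together with the unchanged `allow_existing_users: true` and `localpart_template: {{ user.preferred_username }}` below, anyone who can create or rename a user in that realm can sign in as any existing Synapse account with the same localpart — the master realm is precisely the one whose members may also hold Keycloak admin roles, so it is the worst place for application users. Use a dedicated realm (`issuer: "https://kc.{{ domain }}/realms/<app-realm>"`) with username editing and self-registration disabled, and state that expectation in a comment above the provider entry. Also, `client_id`/`client_secret` now come from `synapse_secrets`, but the `secrets.yml.example` hunk in this commit adds no `synapse_secrets` block; if the example does not already have one further down, add `client_id:` and `client_secret:` there.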
@@ -126,3 +121,7 @@ oidc_providers: localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}" display_name_template: "{% raw %}{{ user.name }}{% endraw %}" email_template: "{% raw %}{{ user.email }}{% endraw %}" + backchannel_logout_enabled: true + +password_config: + enabled: false diff --git a/secrets.yml.example b/secrets.yml.example index 334663b..1168e04 100644 --- a/secrets.yml.example +++ b/secrets.yml.example @@ -8,46 +8,17 @@ cifs_credentials: username: password: - -authelia_secrets: - # Encryption key for the database, must be saved - encryption_key: - - # Generate random client id : docker run --rm authelia/authelia:4 authelia crypto rand --length 72 --charset rfc3986 - # Generate random secret + hash : docker run --rm authelia/authelia:4 authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 - hedgedoc_client_id: - hedgedoc_client_secret: - hedgedoc_client_secret_hash: - synapse_client_id: - synapse_client_secret: - synapse_client_secret_hash: - - hmac_secret: - jwks_key: | # openssl genrsa 4096 - jwt_secret: - - # LDAP bind dn - ldap_user: - ldap_password: - - postgres_user: - postgres_password: - - smtp_user: - smtp_password: - - coturn_secrets: static_auth_secret: hedgedoc_secrets: + client_id: + client_secret: postgres_user: postgres_password: session_secret: -lldap_secrets: - jwt_secret: - key_seed: +keycloak_secerts: postgres_user: postgres_password:
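Review bot: `backchannel_logout_enabled: true` is inert unless the Keycloak client is configured with Synapse's back-channel logout URL (`https://matrix.{{ domain }}/_synapse/client/oidc/backchannel_logout`), and nothing in this commit shows that step; a comment above the key recording it would keep the two configurations in sync. `password_config: enabled: false` disables password login for every local account, including any pre-existing admin, which makes Keycloak the single login path — a Keycloak outage locks everyone out of Matrix. Add a comment such as `# All logins go through Keycloak; local password auth is intentionally off` and document the emergency admin-access path you intend to rely on.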
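Review bot: The new top-level key is misspelled `keycloak_secerts:`, while the role's `.env` template reads `keycloak_secrets['postgres_user']` and `keycloak_secrets["postgres_password"]`; anyone who copies the example as-is gets an undefined-variable failure from the template task. Rename it to `keycloak_secrets:`. The example also loses the generation hints that went away with `authelia_secrets` without replacing them — a comment above `hedgedoc_secrets.client_id` such as `# client_id / client_secret: create a confidential OIDC client in Keycloak and copy the generated secret` would tell the next person where these values come from.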