Add Authelia.
This commit is contained in:
parent
3852896273
commit
aca23d6af6
12 changed files with 266 additions and 10 deletions
4
env.yml
4
env.yml
|
@ -39,6 +39,7 @@ cifs_mounts:
|
||||||
|
|
||||||
|
|
||||||
projects:
|
projects:
|
||||||
|
- authelia
|
||||||
- coturn
|
- coturn
|
||||||
- element
|
- element
|
||||||
- etebase
|
- etebase
|
||||||
|
@ -56,6 +57,7 @@ projects:
|
||||||
|
|
||||||
|
|
||||||
projects_to_backup:
|
projects_to_backup:
|
||||||
|
- authelia
|
||||||
- etebase
|
- etebase
|
||||||
- hedgedoc
|
- hedgedoc
|
||||||
- lldap
|
- lldap
|
||||||
|
@ -79,6 +81,7 @@ borg_prune_options: |
|
||||||
|
|
||||||
# Ports exposed to host
|
# Ports exposed to host
|
||||||
ports:
|
ports:
|
||||||
|
authelia: 9091
|
||||||
coturn_listening: 3478
|
coturn_listening: 3478
|
||||||
coturn_tls_listening: 5349
|
coturn_tls_listening: 5349
|
||||||
coturn_relay_min: 49152
|
coturn_relay_min: 49152
|
||||||
|
@ -107,6 +110,7 @@ ports:
|
||||||
|
|
||||||
# UID in containers
|
# UID in containers
|
||||||
users:
|
users:
|
||||||
|
authelia: 1008
|
||||||
coturn: 666
|
coturn: 666
|
||||||
etebase: 373
|
etebase: 373
|
||||||
hedgedoc: 1004
|
hedgedoc: 1004
|
||||||
|
|
24
roles/authelia/tasks/backup.yml
Normal file
24
roles/authelia/tasks/backup.yml
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
- name: "Backup PostgreSQL authelia database"
|
||||||
|
shell: >
|
||||||
|
docker exec postgres
|
||||||
|
pg_dump -c {{ role_name }} |
|
||||||
|
borg create
|
||||||
|
--compression lzma
|
||||||
|
"{{ borg_repodir }}::{{ role_name }}-{now:%Y-%m-%d_%H-%M-%S}"
|
||||||
|
-
|
||||||
|
--stdin-name dump_{{ role_name }}.sql
|
||||||
|
environment:
|
||||||
|
DOCKER_HOST: "{{ docker_host }}"
|
||||||
|
BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}"
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: Prune borg repository
|
||||||
|
command:
|
||||||
|
cmd: |
|
||||||
|
borg prune
|
||||||
|
--glob-archives='{{ role_name }}-*'
|
||||||
|
{{ borg_prune_options }}
|
||||||
|
{{ borg_repodir }}
|
||||||
|
environment:
|
||||||
|
BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}"
|
||||||
|
become: true
|
14
roles/authelia/tasks/main.yml
Normal file
14
roles/authelia/tasks/main.yml
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
- name: Include backup tasks
|
||||||
|
include_tasks:
|
||||||
|
file: backup.yml
|
||||||
|
when: run_backup | default(false) | bool
|
||||||
|
|
||||||
|
- name: Include setup tasks
|
||||||
|
include_tasks:
|
||||||
|
file: setup.yml
|
||||||
|
when: run_setup | default(false) | bool
|
||||||
|
|
||||||
|
- name: Include update tasks
|
||||||
|
include_tasks:
|
||||||
|
file: update.yml
|
||||||
|
when: run_update | default(false) | bool
|
23
roles/authelia/tasks/setup.yml
Normal file
23
roles/authelia/tasks/setup.yml
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
- name: "Create {{ project_dir }} project directory"
|
||||||
|
file:
|
||||||
|
path: "{{ project_dir }}"
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: Template docker-compose.yaml & configuration.yml to project directory
|
||||||
|
template:
|
||||||
|
src: "{{ item }}"
|
||||||
|
dest: "{{ project_dir }}/{{ item }}"
|
||||||
|
owner: "{{ host_uid }}"
|
||||||
|
group: "{{ host_uid }}"
|
||||||
|
mode: '640'
|
||||||
|
loop:
|
||||||
|
- docker-compose.yaml
|
||||||
|
- configuration.yml
|
||||||
|
register: authelia_template_configuration_result
|
||||||
|
|
||||||
|
# Separate task because template module cannot chown/chgrp to a non-existing user/group
|
||||||
|
- name: "Change group of homeserver.yaml to Authelia GID ({{ users['authelia'] + uid_shift }})"
|
||||||
|
file:
|
||||||
|
path: "{{ project_dir }}/configuration.yml"
|
||||||
|
group: "{{ users['authelia'] + uid_shift }}"
|
||||||
|
become: true
|
24
roles/authelia/tasks/update.yml
Normal file
24
roles/authelia/tasks/update.yml
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
- name: Pull project services
|
||||||
|
community.docker.docker_compose:
|
||||||
|
project_src: "{{ project_dir }}"
|
||||||
|
recreate: never
|
||||||
|
pull: true
|
||||||
|
debug: true
|
||||||
|
when: docker_pull_images | bool
|
||||||
|
register: authelia_docker_compose_pull_result
|
||||||
|
|
||||||
|
- name: Display pulled image(s) name
|
||||||
|
set_fact:
|
||||||
|
authelia_pulled_images: "{{ authelia_pulled_images | default([]) + [item.pulled_image.name] }}"
|
||||||
|
loop: "{{ authelia_docker_compose_pull_result['actions'] | default([]) | selectattr('pulled_image', 'defined') }}"
|
||||||
|
|
||||||
|
- name: Include backup tasks
|
||||||
|
include_tasks:
|
||||||
|
file: backup.yml
|
||||||
|
# Make a backup if we didn't already make one and we pulled a new image
|
||||||
|
when: not run_backup and authelia_pulled_images is defined
|
||||||
|
|
||||||
|
- name: Create/Restart project services
|
||||||
|
community.docker.docker_compose:
|
||||||
|
project_src: "{{ project_dir }}"
|
||||||
|
restarted: "{{ authelia_template_configuration_result['changed'] | default(false) | bool }}"
|
72
roles/authelia/templates/configuration.yml
Normal file
72
roles/authelia/templates/configuration.yml
Normal file
|
@ -0,0 +1,72 @@
|
||||||
|
theme: 'auto'
|
||||||
|
|
||||||
|
totp:
|
||||||
|
issuer: '{{ domain }}'
|
||||||
|
|
||||||
|
identity_validation:
|
||||||
|
reset_password:
|
||||||
|
jwt_secret: '{{ authelia_secrets["jwt_secret"] }}'
|
||||||
|
|
||||||
|
authentication_backend:
|
||||||
|
refresh_interval: '1m'
|
||||||
|
ldap:
|
||||||
|
implementation: 'custom'
|
||||||
|
address: 'ldap://lldap:3890'
|
||||||
|
base_dn: '{{ ldap_base_dn }}'
|
||||||
|
users_filter: '(&({username_attribute}={input})(objectClass=person))'
|
||||||
|
groups_filter: '(member={dn})'
|
||||||
|
user: '{{ authelia_secrets["ldap_user"] }}'
|
||||||
|
password: '{{ authelia_secrets["ldap_password"] }}'
|
||||||
|
attributes:
|
||||||
|
distinguished_name: 'distinguishedName'
|
||||||
|
username: 'uid'
|
||||||
|
mail: 'mail'
|
||||||
|
member_of: 'memberOf'
|
||||||
|
group_name: 'cn'
|
||||||
|
|
||||||
|
password_policy:
|
||||||
|
standard:
|
||||||
|
enabled: true
|
||||||
|
min_length: 12
|
||||||
|
max_length: 128
|
||||||
|
require_uppercase: true
|
||||||
|
require_lowercase: true
|
||||||
|
require_number: true
|
||||||
|
require_special: true
|
||||||
|
|
||||||
|
access_control:
|
||||||
|
default_policy: 'deny'
|
||||||
|
rules:
|
||||||
|
- domain: 'auth.{{ domain }}'
|
||||||
|
policy: 'bypass'
|
||||||
|
|
||||||
|
- domain: 'ldap.{{ domain }}'
|
||||||
|
policy: 'two_factor'
|
||||||
|
subject: 'group:lldap_admin'
|
||||||
|
|
||||||
|
- domain: 'syncthing.{{ domain }}'
|
||||||
|
policy: 'two_factor'
|
||||||
|
subject: 'user:viyurz'
|
||||||
|
|
||||||
|
session:
|
||||||
|
cookies:
|
||||||
|
- name: 'authelia_session'
|
||||||
|
domain: '{{ domain }}'
|
||||||
|
authelia_url: 'https://auth.{{ domain }}'
|
||||||
|
|
||||||
|
storage:
|
||||||
|
encryption_key: '{{ authelia_secrets["encryption_key"] }}'
|
||||||
|
postgres:
|
||||||
|
address: postgres.{{ domain }}
|
||||||
|
database: authelia
|
||||||
|
username: '{{ authelia_secrets["postgres_user"] }}'
|
||||||
|
password: '{{ authelia_secrets["postgres_password"] }}'
|
||||||
|
|
||||||
|
notifier:
|
||||||
|
smtp:
|
||||||
|
address: 'submissions://mail.{{ domain }}:{{ ports["mailserver_smtps"] }}'
|
||||||
|
username: '{{ authelia_secrets["smtp_user"] }}'
|
||||||
|
password: '{{ authelia_secrets["smtp_password"] }}'
|
||||||
|
sender: 'Authelia <authelia@{{ domain }}>'
|
||||||
|
|
||||||
|
# identity_providers:
|
16
roles/authelia/templates/docker-compose.yaml
Normal file
16
roles/authelia/templates/docker-compose.yaml
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
services:
|
||||||
|
authelia:
|
||||||
|
container_name: authelia
|
||||||
|
image: docker.io/authelia/authelia:4.38
|
||||||
|
restart: always
|
||||||
|
user: {{ users['authelia'] }}:{{ users['authelia'] }}
|
||||||
|
networks:
|
||||||
|
- authelia
|
||||||
|
ports:
|
||||||
|
- 127.0.0.1:{{ ports['authelia'] }}:9091
|
||||||
|
volumes:
|
||||||
|
- ./configuration.yml:/config/configuration.yml
|
||||||
|
|
||||||
|
networks:
|
||||||
|
authelia:
|
||||||
|
name: authelia
|
|
@ -5,14 +5,17 @@
|
||||||
apt:
|
apt:
|
||||||
name: nginx
|
name: nginx
|
||||||
|
|
||||||
- name: Template nginx.conf to /etc/nginx/nginx.conf
|
- name: Template configuration files to /etc/nginx/
|
||||||
template:
|
template:
|
||||||
src: nginx.conf
|
src: "{{ item }}"
|
||||||
dest: /etc/nginx/nginx.conf
|
dest: "/etc/nginx/{{ item }}"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: '644'
|
mode: '644'
|
||||||
register: nginx_template_nginx_conf_result
|
loop:
|
||||||
|
- nginx.conf
|
||||||
|
- authelia-location.conf
|
||||||
|
- authelia-authrequest.conf
|
||||||
|
|
||||||
- name: Template reverse-proxy.conf to /etc/nginx/sites-available/reverse-proxy.conf
|
- name: Template reverse-proxy.conf to /etc/nginx/sites-available/reverse-proxy.conf
|
||||||
template:
|
template:
|
||||||
|
@ -21,7 +24,6 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: '644'
|
mode: '644'
|
||||||
register: nginx_template_reverse_proxy_conf_result
|
|
||||||
|
|
||||||
- name: Copy ssl-headers.conf to /etc/nginx/conf.d/ssl-headers.conf
|
- name: Copy ssl-headers.conf to /etc/nginx/conf.d/ssl-headers.conf
|
||||||
copy:
|
copy:
|
||||||
|
@ -30,7 +32,6 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: '644'
|
mode: '644'
|
||||||
register: nginx_copy_ssl_headers_conf_result
|
|
||||||
|
|
||||||
- name: Remove all enabled NGINX sites
|
- name: Remove all enabled NGINX sites
|
||||||
file:
|
file:
|
||||||
|
@ -74,6 +75,5 @@
|
||||||
- name: Start/Reload NGINX service
|
- name: Start/Reload NGINX service
|
||||||
service:
|
service:
|
||||||
name: nginx
|
name: nginx
|
||||||
# Reload if conf changed, if not make sure it is started
|
state: reloaded
|
||||||
state: "{{ (nginx_template_nginx_conf_result['changed'] or nginx_template_reverse_proxy_conf_result['changed'] or nginx_copy_ssl_headers_conf_result['changed']) | ternary('reloaded', 'started') }}"
|
|
||||||
enabled: yes
|
enabled: yes
|
||||||
|
|
15
roles/reverse-proxy/templates/authelia-authrequest.conf
Normal file
15
roles/reverse-proxy/templates/authelia-authrequest.conf
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
auth_request /internal/authelia/authz;
|
||||||
|
|
||||||
|
auth_request_set $user $upstream_http_remote_user;
|
||||||
|
auth_request_set $groups $upstream_http_remote_groups;
|
||||||
|
auth_request_set $name $upstream_http_remote_name;
|
||||||
|
auth_request_set $email $upstream_http_remote_email;
|
||||||
|
|
||||||
|
proxy_set_header Remote-User $user;
|
||||||
|
proxy_set_header Remote-Groups $groups;
|
||||||
|
proxy_set_header Remote-Email $email;
|
||||||
|
proxy_set_header Remote-Name $name;
|
||||||
|
|
||||||
|
auth_request_set $redirection_url $upstream_http_location;
|
||||||
|
|
||||||
|
error_page 401 =302 $redirection_url;
|
18
roles/reverse-proxy/templates/authelia-location.conf
Normal file
18
roles/reverse-proxy/templates/authelia-location.conf
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
location /internal/authelia/authz {
|
||||||
|
internal;
|
||||||
|
|
||||||
|
proxy_pass http://127.0.0.1:{{ ports['authelia'] }}/api/authz/auth-request;
|
||||||
|
|
||||||
|
proxy_set_header X-Original-Method $request_method;
|
||||||
|
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
||||||
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
|
proxy_set_header Content-Length "";
|
||||||
|
proxy_set_header Connection "";
|
||||||
|
|
||||||
|
proxy_pass_request_body off;
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_cache_bypass $cookie_session;
|
||||||
|
proxy_no_cache $cookie_session;
|
||||||
|
proxy_buffers 4 32k;
|
||||||
|
client_body_buffer_size 128k;
|
||||||
|
}
|
|
@ -61,6 +61,19 @@ server {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Authelia
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
|
server_name auth.{{ domain }};
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://127.0.0.1:{{ ports['authelia'] }};
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
# Element
|
# Element
|
||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
|
@ -138,8 +151,11 @@ server {
|
||||||
|
|
||||||
server_name ldap.{{ domain }};
|
server_name ldap.{{ domain }};
|
||||||
|
|
||||||
|
include /etc/nginx/authelia-location.conf;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
proxy_pass http://127.0.0.1:{{ ports['lldap'] }};
|
proxy_pass http://127.0.0.1:{{ ports['lldap'] }};
|
||||||
|
include /etc/nginx/authelia-authrequest.conf;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -177,6 +193,22 @@ server {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Syncthihng
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
|
server_name syncthing.{{ domain }};
|
||||||
|
|
||||||
|
include /etc/nginx/authelia-location.conf;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://127.0.0.1:{{ ports['syncthing_webui'] }};
|
||||||
|
include /etc/nginx/authelia-authrequest.conf;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
# Syncthing Discovery
|
# Syncthing Discovery
|
||||||
upstream stdisco.{{ domain }} {
|
upstream stdisco.{{ domain }} {
|
||||||
# Local IP address:port for discovery server
|
# Local IP address:port for discovery server
|
||||||
|
|
|
@ -1,3 +1,5 @@
|
||||||
|
# To generate random secret: openssl rand -base64 <length>
|
||||||
|
|
||||||
ansible_become_password:
|
ansible_become_password:
|
||||||
|
|
||||||
borg_passphrase:
|
borg_passphrase:
|
||||||
|
@ -6,7 +8,19 @@ cifs_credentials:
|
||||||
username:
|
username:
|
||||||
password:
|
password:
|
||||||
|
|
||||||
# To generate random secret: openssl rand -base64 50
|
|
||||||
|
authelia_secrets:
|
||||||
|
# Encryption key for the database, must be saved
|
||||||
|
encryption_key:
|
||||||
|
jwt_secret:
|
||||||
|
# LDAP bind dn
|
||||||
|
ldap_user:
|
||||||
|
ldap_password:
|
||||||
|
postgres_user:
|
||||||
|
postgres_password:
|
||||||
|
smtp_user:
|
||||||
|
smtp_password:
|
||||||
|
|
||||||
coturn_secrets:
|
coturn_secrets:
|
||||||
static_auth_secret:
|
static_auth_secret:
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue