Add Authelia.
This commit is contained in:
parent
3852896273
commit
aca23d6af6
12 changed files with 266 additions and 10 deletions
4
env.yml
4
env.yml
|
@ -39,6 +39,7 @@ cifs_mounts:
|
|||
|
||||
|
||||
projects:
|
||||
- authelia
|
||||
- coturn
|
||||
- element
|
||||
- etebase
|
||||
|
@ -56,6 +57,7 @@ projects:
|
|||
|
||||
|
||||
projects_to_backup:
|
||||
- authelia
|
||||
- etebase
|
||||
- hedgedoc
|
||||
- lldap
|
||||
|
@ -79,6 +81,7 @@ borg_prune_options: |
|
|||
|
||||
# Ports exposed to host
|
||||
ports:
|
||||
authelia: 9091
|
||||
coturn_listening: 3478
|
||||
coturn_tls_listening: 5349
|
||||
coturn_relay_min: 49152
|
||||
|
@ -107,6 +110,7 @@ ports:
|
|||
|
||||
# UID in containers
|
||||
users:
|
||||
authelia: 1008
|
||||
coturn: 666
|
||||
etebase: 373
|
||||
hedgedoc: 1004
|
||||
|
|
24
roles/authelia/tasks/backup.yml
Normal file
24
roles/authelia/tasks/backup.yml
Normal file
|
@ -0,0 +1,24 @@
|
|||
- name: "Backup PostgreSQL authelia database"
|
||||
shell: >
|
||||
docker exec postgres
|
||||
pg_dump -c {{ role_name }} |
|
||||
borg create
|
||||
--compression lzma
|
||||
"{{ borg_repodir }}::{{ role_name }}-{now:%Y-%m-%d_%H-%M-%S}"
|
||||
-
|
||||
--stdin-name dump_{{ role_name }}.sql
|
||||
environment:
|
||||
DOCKER_HOST: "{{ docker_host }}"
|
||||
BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}"
|
||||
become: true
|
||||
|
||||
- name: Prune borg repository
|
||||
command:
|
||||
cmd: |
|
||||
borg prune
|
||||
--glob-archives='{{ role_name }}-*'
|
||||
{{ borg_prune_options }}
|
||||
{{ borg_repodir }}
|
||||
environment:
|
||||
BORG_PASSCOMMAND: "cat {{ borg_passphrase_file }}"
|
||||
become: true
|
14
roles/authelia/tasks/main.yml
Normal file
14
roles/authelia/tasks/main.yml
Normal file
|
@ -0,0 +1,14 @@
|
|||
- name: Include backup tasks
|
||||
include_tasks:
|
||||
file: backup.yml
|
||||
when: run_backup | default(false) | bool
|
||||
|
||||
- name: Include setup tasks
|
||||
include_tasks:
|
||||
file: setup.yml
|
||||
when: run_setup | default(false) | bool
|
||||
|
||||
- name: Include update tasks
|
||||
include_tasks:
|
||||
file: update.yml
|
||||
when: run_update | default(false) | bool
|
23
roles/authelia/tasks/setup.yml
Normal file
23
roles/authelia/tasks/setup.yml
Normal file
|
@ -0,0 +1,23 @@
|
|||
- name: "Create {{ project_dir }} project directory"
|
||||
file:
|
||||
path: "{{ project_dir }}"
|
||||
state: directory
|
||||
|
||||
- name: Template docker-compose.yaml & configuration.yml to project directory
|
||||
template:
|
||||
src: "{{ item }}"
|
||||
dest: "{{ project_dir }}/{{ item }}"
|
||||
owner: "{{ host_uid }}"
|
||||
group: "{{ host_uid }}"
|
||||
mode: '640'
|
||||
loop:
|
||||
- docker-compose.yaml
|
||||
- configuration.yml
|
||||
register: authelia_template_configuration_result
|
||||
|
||||
# Separate task because template module cannot chown/chgrp to a non-existing user/group
|
||||
- name: "Change group of homeserver.yaml to Authelia GID ({{ users['authelia'] + uid_shift }})"
|
||||
file:
|
||||
path: "{{ project_dir }}/configuration.yml"
|
||||
group: "{{ users['authelia'] + uid_shift }}"
|
||||
become: true
|
24
roles/authelia/tasks/update.yml
Normal file
24
roles/authelia/tasks/update.yml
Normal file
|
@ -0,0 +1,24 @@
|
|||
- name: Pull project services
|
||||
community.docker.docker_compose:
|
||||
project_src: "{{ project_dir }}"
|
||||
recreate: never
|
||||
pull: true
|
||||
debug: true
|
||||
when: docker_pull_images | bool
|
||||
register: authelia_docker_compose_pull_result
|
||||
|
||||
- name: Display pulled image(s) name
|
||||
set_fact:
|
||||
authelia_pulled_images: "{{ authelia_pulled_images | default([]) + [item.pulled_image.name] }}"
|
||||
loop: "{{ authelia_docker_compose_pull_result['actions'] | default([]) | selectattr('pulled_image', 'defined') }}"
|
||||
|
||||
- name: Include backup tasks
|
||||
include_tasks:
|
||||
file: backup.yml
|
||||
# Make a backup if we didn't already make one and we pulled a new image
|
||||
when: not run_backup and authelia_pulled_images is defined
|
||||
|
||||
- name: Create/Restart project services
|
||||
community.docker.docker_compose:
|
||||
project_src: "{{ project_dir }}"
|
||||
restarted: "{{ authelia_template_configuration_result['changed'] | default(false) | bool }}"
|
72
roles/authelia/templates/configuration.yml
Normal file
72
roles/authelia/templates/configuration.yml
Normal file
|
@ -0,0 +1,72 @@
|
|||
theme: 'auto'
|
||||
|
||||
totp:
|
||||
issuer: '{{ domain }}'
|
||||
|
||||
identity_validation:
|
||||
reset_password:
|
||||
jwt_secret: '{{ authelia_secrets["jwt_secret"] }}'
|
||||
|
||||
authentication_backend:
|
||||
refresh_interval: '1m'
|
||||
ldap:
|
||||
implementation: 'custom'
|
||||
address: 'ldap://lldap:3890'
|
||||
base_dn: '{{ ldap_base_dn }}'
|
||||
users_filter: '(&({username_attribute}={input})(objectClass=person))'
|
||||
groups_filter: '(member={dn})'
|
||||
user: '{{ authelia_secrets["ldap_user"] }}'
|
||||
password: '{{ authelia_secrets["ldap_password"] }}'
|
||||
attributes:
|
||||
distinguished_name: 'distinguishedName'
|
||||
username: 'uid'
|
||||
mail: 'mail'
|
||||
member_of: 'memberOf'
|
||||
group_name: 'cn'
|
||||
|
||||
password_policy:
|
||||
standard:
|
||||
enabled: true
|
||||
min_length: 12
|
||||
max_length: 128
|
||||
require_uppercase: true
|
||||
require_lowercase: true
|
||||
require_number: true
|
||||
require_special: true
|
||||
|
||||
access_control:
|
||||
default_policy: 'deny'
|
||||
rules:
|
||||
- domain: 'auth.{{ domain }}'
|
||||
policy: 'bypass'
|
||||
|
||||
- domain: 'ldap.{{ domain }}'
|
||||
policy: 'two_factor'
|
||||
subject: 'group:lldap_admin'
|
||||
|
||||
- domain: 'syncthing.{{ domain }}'
|
||||
policy: 'two_factor'
|
||||
subject: 'user:viyurz'
|
||||
|
||||
session:
|
||||
cookies:
|
||||
- name: 'authelia_session'
|
||||
domain: '{{ domain }}'
|
||||
authelia_url: 'https://auth.{{ domain }}'
|
||||
|
||||
storage:
|
||||
encryption_key: '{{ authelia_secrets["encryption_key"] }}'
|
||||
postgres:
|
||||
address: postgres.{{ domain }}
|
||||
database: authelia
|
||||
username: '{{ authelia_secrets["postgres_user"] }}'
|
||||
password: '{{ authelia_secrets["postgres_password"] }}'
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
address: 'submissions://mail.{{ domain }}:{{ ports["mailserver_smtps"] }}'
|
||||
username: '{{ authelia_secrets["smtp_user"] }}'
|
||||
password: '{{ authelia_secrets["smtp_password"] }}'
|
||||
sender: 'Authelia <authelia@{{ domain }}>'
|
||||
|
||||
# identity_providers:
|
16
roles/authelia/templates/docker-compose.yaml
Normal file
16
roles/authelia/templates/docker-compose.yaml
Normal file
|
@ -0,0 +1,16 @@
|
|||
services:
|
||||
authelia:
|
||||
container_name: authelia
|
||||
image: docker.io/authelia/authelia:4.38
|
||||
restart: always
|
||||
user: {{ users['authelia'] }}:{{ users['authelia'] }}
|
||||
networks:
|
||||
- authelia
|
||||
ports:
|
||||
- 127.0.0.1:{{ ports['authelia'] }}:9091
|
||||
volumes:
|
||||
- ./configuration.yml:/config/configuration.yml
|
||||
|
||||
networks:
|
||||
authelia:
|
||||
name: authelia
|
|
@ -5,14 +5,17 @@
|
|||
apt:
|
||||
name: nginx
|
||||
|
||||
- name: Template nginx.conf to /etc/nginx/nginx.conf
|
||||
- name: Template configuration files to /etc/nginx/
|
||||
template:
|
||||
src: nginx.conf
|
||||
dest: /etc/nginx/nginx.conf
|
||||
src: "{{ item }}"
|
||||
dest: "/etc/nginx/{{ item }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '644'
|
||||
register: nginx_template_nginx_conf_result
|
||||
loop:
|
||||
- nginx.conf
|
||||
- authelia-location.conf
|
||||
- authelia-authrequest.conf
|
||||
|
||||
- name: Template reverse-proxy.conf to /etc/nginx/sites-available/reverse-proxy.conf
|
||||
template:
|
||||
|
@ -21,7 +24,6 @@
|
|||
owner: root
|
||||
group: root
|
||||
mode: '644'
|
||||
register: nginx_template_reverse_proxy_conf_result
|
||||
|
||||
- name: Copy ssl-headers.conf to /etc/nginx/conf.d/ssl-headers.conf
|
||||
copy:
|
||||
|
@ -30,7 +32,6 @@
|
|||
owner: root
|
||||
group: root
|
||||
mode: '644'
|
||||
register: nginx_copy_ssl_headers_conf_result
|
||||
|
||||
- name: Remove all enabled NGINX sites
|
||||
file:
|
||||
|
@ -74,6 +75,5 @@
|
|||
- name: Start/Reload NGINX service
|
||||
service:
|
||||
name: nginx
|
||||
# Reload if conf changed, if not make sure it is started
|
||||
state: "{{ (nginx_template_nginx_conf_result['changed'] or nginx_template_reverse_proxy_conf_result['changed'] or nginx_copy_ssl_headers_conf_result['changed']) | ternary('reloaded', 'started') }}"
|
||||
state: reloaded
|
||||
enabled: yes
|
||||
|
|
15
roles/reverse-proxy/templates/authelia-authrequest.conf
Normal file
15
roles/reverse-proxy/templates/authelia-authrequest.conf
Normal file
|
@ -0,0 +1,15 @@
|
|||
auth_request /internal/authelia/authz;
|
||||
|
||||
auth_request_set $user $upstream_http_remote_user;
|
||||
auth_request_set $groups $upstream_http_remote_groups;
|
||||
auth_request_set $name $upstream_http_remote_name;
|
||||
auth_request_set $email $upstream_http_remote_email;
|
||||
|
||||
proxy_set_header Remote-User $user;
|
||||
proxy_set_header Remote-Groups $groups;
|
||||
proxy_set_header Remote-Email $email;
|
||||
proxy_set_header Remote-Name $name;
|
||||
|
||||
auth_request_set $redirection_url $upstream_http_location;
|
||||
|
||||
error_page 401 =302 $redirection_url;
|
18
roles/reverse-proxy/templates/authelia-location.conf
Normal file
18
roles/reverse-proxy/templates/authelia-location.conf
Normal file
|
@ -0,0 +1,18 @@
|
|||
location /internal/authelia/authz {
|
||||
internal;
|
||||
|
||||
proxy_pass http://127.0.0.1:{{ ports['authelia'] }}/api/authz/auth-request;
|
||||
|
||||
proxy_set_header X-Original-Method $request_method;
|
||||
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header Content-Length "";
|
||||
proxy_set_header Connection "";
|
||||
|
||||
proxy_pass_request_body off;
|
||||
proxy_http_version 1.1;
|
||||
proxy_cache_bypass $cookie_session;
|
||||
proxy_no_cache $cookie_session;
|
||||
proxy_buffers 4 32k;
|
||||
client_body_buffer_size 128k;
|
||||
}
|
|
@ -61,6 +61,19 @@ server {
|
|||
}
|
||||
|
||||
|
||||
# Authelia
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name auth.{{ domain }};
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ ports['authelia'] }};
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
# Element
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
|
@ -138,8 +151,11 @@ server {
|
|||
|
||||
server_name ldap.{{ domain }};
|
||||
|
||||
include /etc/nginx/authelia-location.conf;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ ports['lldap'] }};
|
||||
include /etc/nginx/authelia-authrequest.conf;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -177,6 +193,22 @@ server {
|
|||
}
|
||||
|
||||
|
||||
# Syncthihng
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name syncthing.{{ domain }};
|
||||
|
||||
include /etc/nginx/authelia-location.conf;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:{{ ports['syncthing_webui'] }};
|
||||
include /etc/nginx/authelia-authrequest.conf;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
# Syncthing Discovery
|
||||
upstream stdisco.{{ domain }} {
|
||||
# Local IP address:port for discovery server
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
# To generate random secret: openssl rand -base64 <length>
|
||||
|
||||
ansible_become_password:
|
||||
|
||||
borg_passphrase:
|
||||
|
@ -6,7 +8,19 @@ cifs_credentials:
|
|||
username:
|
||||
password:
|
||||
|
||||
# To generate random secret: openssl rand -base64 50
|
||||
|
||||
authelia_secrets:
|
||||
# Encryption key for the database, must be saved
|
||||
encryption_key:
|
||||
jwt_secret:
|
||||
# LDAP bind dn
|
||||
ldap_user:
|
||||
ldap_password:
|
||||
postgres_user:
|
||||
postgres_password:
|
||||
smtp_user:
|
||||
smtp_password:
|
||||
|
||||
coturn_secrets:
|
||||
static_auth_secret:
|
||||
|
||||
|
|
Loading…
Reference in a new issue