homelab/nomad-job/platform/authelia.nomad.hcl

286 lines
7.9 KiB
HCL
Raw Normal View History

2024-04-12 06:59:20 +00:00
job "authelia" {
datacenters = ["homelab"]
priority = 80
type = "service"
meta {
forcedeploy = "0"
}
constraint {
attribute = "${attr.cpu.arch}"
value = "amd64"
}
group "authelia" {
network {
mode = "host"
port "authelia" {
to = 9091
}
}
volume "authelia-config" {
type = "csi"
source = "authelia-config"
access_mode = "multi-node-multi-writer"
attachment_mode = "file-system"
}
vault {
policies = ["authelia"]
}
task "authelia" {
driver = "docker"
service {
name = "authelia"
port = "authelia"
tags = [
"traefik.enable=true",
"traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`auth.ducamps.eu`)",
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=auth.ducamps.eu",
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
"traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure",
]
}
2024-04-24 19:23:39 +00:00
action "generate-client-secret" {
command = "authelia"
args = ["crypto",
"hash",
"generate",
"pbkdf2",
"--random",
"--random.length",
"72",
"--random.charset",
"rfc3986"
]
}
2024-04-12 06:59:20 +00:00
config {
image = "authelia/authelia"
ports = ["authelia"]
args = [
"--config",
"/local/configuration.yml",
]
}
volume_mount {
volume = "authelia-config"
destination = "/config"
}
env {
AUTHELIA_SESSION_SECRET = uuidv4()
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET = uuidv4()
}
template {
data = <<EOH
---
###############################################################
# Authelia configuration #
###############################################################
server:
address: 'tcp://:9091'
endpoints:
authz:
forward-auth:
implementation: 'ForwardAuth'
legacy:
implementation: 'Legacy'
2024-04-24 19:23:39 +00:00
identity_providers:
oidc:
hmac_secret: {{ with secret "secrets/data/nomad/authelia"}}{{ .Data.data.hmac}}{{end}}
jwks:
- key_id: 'key'
key: |
{{ with secret "secrets/data/nomad/authelia"}}{{ .Data.data.rsakey|indent 8 }}{{end}}
2024-04-28 14:10:43 +00:00
cors:
endpoints:
- userinfo
- authorization
- token
- revocation
- introspection
allowed_origins:
- https://mealie.ducamps.eu
allowed_origins_from_client_redirect_uris: true
2024-04-24 19:23:39 +00:00
clients:
- client_id: 'ttrss'
client_name: 'ttrss'
client_secret: {{ with secret "secrets/data/authelia/ttrss"}} {{ .Data.data.hash }} {{end}}
public: false
scopes:
- openid
- email
- profile
redirect_uris:
- 'https://www.ducamps.eu/tt-rss'
userinfo_signed_response_alg: none
authorization_policy: 'one_factor'
pre_configured_consent_duration: 3M
2024-04-28 14:10:43 +00:00
- client_id: 'mealie'
client_name: 'mealie'
client_secret: {{ with secret "secrets/data/authelia/mealie"}} {{ .Data.data.hash }} {{end}}
public: false
2024-04-28 14:10:43 +00:00
require_pkce: true
pkce_challenge_method: 'S256'
scopes:
- openid
- email
- profile
- groups
redirect_uris:
- 'https://mealie.ducamps.eu/login'
userinfo_signed_response_alg: none
authorization_policy: 'one_factor'
pre_configured_consent_duration: 3M
2024-05-10 12:49:50 +00:00
- client_id: 'immich'
client_name: 'immich'
client_secret: {{ with secret "secrets/data/authelia/immich"}} {{ .Data.data.hash }} {{end}}
public: false
authorization_policy: 'one_factor'
redirect_uris:
- 'https://immich.ducamps.eu/auth/login'
- 'https://immich.ducamps.eu/user-settings'
- 'app.immich:/'
scopes:
- 'openid'
- 'profile'
- 'email'
userinfo_signed_response_alg: 'none'
pre_configured_consent_duration: 3M
2024-05-10 13:50:45 +00:00
- client_id: 'grafana'
client_name: 'Grafana'
client_secret:{{ with secret "secrets/data/authelia/grafana"}} {{ .Data.data.hash }} {{end}}
public: false
authorization_policy: 'one_factor'
require_pkce: true
pkce_challenge_method: 'S256'
redirect_uris:
- 'https://grafana.ducamps.eu/login/generic_oauth'
scopes:
- 'openid'
- 'profile'
- 'groups'
- 'email'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_basic'
pre_configured_consent_duration: 3M
2024-05-20 10:14:40 +00:00
- client_id: 'vikunja'
client_name: 'vikunja'
client_secret:{{ with secret "secrets/data/authelia/vikunja"}} {{ .Data.data.hash }} {{end}}
public: false
authorization_policy: 'one_factor'
redirect_uris:
- 'https://vikunja.ducamps.eu/auth/openid/authelia'
scopes:
- 'openid'
- 'profile'
- 'email'
userinfo_signed_response_alg: 'none'
2024-10-19 14:28:25 +00:00
token_endpoint_auth_method: 'client_secret_basic'
pre_configured_consent_duration: 3M
2024-10-19 14:28:25 +00:00
- client_id: 'gitea'
client_name: 'gitea'
client_secret:{{ with secret "secrets/data/authelia/gitea"}} {{ .Data.data.hash }} {{end}}
public: false
authorization_policy: 'one_factor'
redirect_uris:
- 'https://git.ducamps.eu/user/oauth2/authelia/callback'
scopes:
- 'openid'
- 'profile'
- 'email'
userinfo_signed_response_alg: 'none'
2024-05-20 10:14:40 +00:00
token_endpoint_auth_method: 'client_secret_basic'
pre_configured_consent_duration: 3M
2024-04-24 19:23:39 +00:00
2024-04-12 06:59:20 +00:00
log:
2024-04-28 14:10:43 +00:00
level: 'trace'
2024-04-12 06:59:20 +00:00
totp:
issuer: 'authelia.com'
authentication_backend:
ldap:
2024-04-28 14:10:43 +00:00
address: 'ldaps://ldap.service.consul'
2024-04-12 06:59:20 +00:00
implementation: 'custom'
timeout: '5s'
start_tls: false
tls:
skip_verify: true
minimum_version: 'TLS1.2'
base_dn: 'DC=ducamps,DC=eu'
additional_users_dn: 'OU=users'
users_filter: '(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))'
additional_groups_dn: 'OU=groups'
2024-04-28 14:10:43 +00:00
#groups_filter: '(&(member=UID={input},OU=users,DC=ducamps,DC=eu)(objectClass=groupOfNames))'
groups_filter: '(&(|{memberof:rdn})(objectClass=groupOfNames))'
group_search_mode: 'memberof'
2024-04-12 06:59:20 +00:00
user: 'uid=authelia,ou=serviceAccount,ou=users,dc=ducamps,dc=eu'
2024-04-24 19:23:39 +00:00
password:{{ with secret "secrets/data/nomad/authelia"}} '{{ .Data.data.ldapPassword }}'{{ end }}
2024-04-12 06:59:20 +00:00
attributes:
2024-04-28 14:10:43 +00:00
distinguished_name: ''
2024-04-12 06:59:20 +00:00
username: 'uid'
mail: 'mail'
member_of: 'memberOf'
group_name: 'cn'
access_control:
default_policy: 'deny'
rules:
# Rules applied to everyone
- domain: '*.ducamps.eu'
policy: 'one_factor'
session:
cookies:
- name: 'authelia_session'
domain: 'ducamps.eu' # Should match whatever your root protected domain is
authelia_url: 'https://auth.ducamps.eu'
2024-04-24 19:23:39 +00:00
expiration: '12 hour'
2024-04-12 06:59:20 +00:00
inactivity: '5 minutes'
regulation:
max_retries: 3
find_time: '2 minutes'
ban_time: '5 minutes'
storage:
2024-04-24 19:23:39 +00:00
{{ with secret "secrets/data/nomad/authelia"}}
2024-04-12 06:59:20 +00:00
encryption_key: '{{.Data.data.encryptionKeys }}'
2024-04-24 19:23:39 +00:00
{{end}}
2024-04-12 06:59:20 +00:00
local:
path: '/config/db.sqlite3'
notifier:
2024-05-16 17:18:18 +00:00
disable_startup_check: true
2024-04-12 06:59:20 +00:00
smtp:
username: 'authelia@ducamps.eu'
2024-04-24 19:23:39 +00:00
{{ with secret "secrets/data/nomad/authelia"}}
2024-04-12 06:59:20 +00:00
password: '{{ .Data.data.mailPassword}}'
2024-04-24 19:23:39 +00:00
{{end}}
address: submissions://mail.ducamps.eu:465
2024-04-12 06:59:20 +00:00
disable_require_tls: true
sender: 'authelia@ducamps.eu'
tls:
server_name: 'mail.ducamps.eu'
skip_verify: true
EOH
destination = "local/configuration.yml"
}
resources {
memory = 100
}
}
}
}