From 5fe61223c346c300ceb0aee3123aa65e07a530d3 Mon Sep 17 00:00:00 2001
From: vincent <vincent@ducamps.win>
Date: Fri, 12 Apr 2024 08:59:20 +0200
Subject: [PATCH] feat: create authelia job

---
 nomad-job/authelia.nomad.hcl         | 161 +++++++++++++++++++++++++++
 nomad-job/openldap/tree.ldif         |  15 +++
 nomad-job/traefik-ingress.nomad      |   6 +
 nomad-job/traefik-local.nomad        |  13 ++-
 nomad-job/volume/authelia-config.hcl |  17 +++
 terraform/dns/variable.tf            |   1 +
 terraform/vault/nomad.tf             |   1 +
 7 files changed, 213 insertions(+), 1 deletion(-)
 create mode 100644 nomad-job/authelia.nomad.hcl
 create mode 100644 nomad-job/volume/authelia-config.hcl

diff --git a/nomad-job/authelia.nomad.hcl b/nomad-job/authelia.nomad.hcl
new file mode 100644
index 0000000..870a0cd
--- /dev/null
+++ b/nomad-job/authelia.nomad.hcl
@@ -0,0 +1,161 @@
+
+job "authelia" {
+  datacenters = ["homelab"]
+  priority    = 80
+  type        = "service"
+  meta {
+    forcedeploy = "0"
+  }
+  constraint {
+    attribute = "${attr.cpu.arch}"
+    value     = "amd64"
+  }
+
+  group "authelia" {
+    network {
+      mode = "host"
+      port "authelia" {
+        to = 9091
+      }
+    }
+    volume "authelia-config" {
+      type            = "csi"
+      source          = "authelia-config"
+      access_mode     = "multi-node-multi-writer"
+      attachment_mode = "file-system"
+    }
+    vault {
+      policies = ["authelia"]
+
+    }
+    task "authelia" {
+      driver = "docker"
+      service {
+        name = "authelia"
+        port = "authelia"
+        tags = [
+          "traefik.enable=true",
+          "traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`auth.ducamps.eu`)",
+          "traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=auth.ducamps.eu",
+          "traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
+          "traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure",
+
+
+        ]
+      }
+      config {
+        image = "authelia/authelia"
+        ports = ["authelia"]
+        args = [
+          "--config",
+          "/local/configuration.yml",
+        ]
+
+
+      }
+      volume_mount {
+          volume      = "authelia-config"
+          destination = "/config"
+      }
+      env {
+        AUTHELIA_SESSION_SECRET = uuidv4()
+        AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET = uuidv4()
+      }
+
+      template {
+        data        = <<EOH
+
+---
+###############################################################
+#                   Authelia configuration                    #
+###############################################################
+
+server:
+  address: 'tcp://:9091'
+  endpoints:
+    authz:
+      forward-auth:
+        implementation: 'ForwardAuth'
+      legacy:
+        implementation: 'Legacy'
+
+log:
+  level: 'debug'
+
+totp:
+  issuer: 'authelia.com'
+
+
+{{ with secret "secrets/data/nomad/authelia"}}
+authentication_backend:
+  ldap:
+    address: 'ldaps://ldap.ducamps.eu'
+    implementation: 'custom'
+    timeout: '5s'
+    start_tls: false
+    tls:
+      skip_verify: true
+      minimum_version: 'TLS1.2'
+    base_dn: 'DC=ducamps,DC=eu'
+    additional_users_dn: 'OU=users'
+    users_filter: '(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))'
+    additional_groups_dn: 'OU=groups'
+    groups_filter: '(&(member=UID={input},OU=users,DC=ducamps,DC=eu)(objectClass=groupOfNames))'
+    user: 'uid=authelia,ou=serviceAccount,ou=users,dc=ducamps,dc=eu'
+    password: '{{ .Data.data.ldapPassword }}'
+    attributes:
+      distinguished_name: 'distinguishedname'
+      username: 'uid'
+      mail: 'mail'
+      member_of: 'memberOf'
+      group_name: 'cn'
+
+access_control:
+  default_policy: 'deny'
+  rules:
+    # Rules applied to everyone
+    - domain: '*.ducamps.eu'
+      policy: 'one_factor'
+
+session:
+  cookies:
+    - name: 'authelia_session'
+      domain: 'ducamps.eu'  # Should match whatever your root protected domain is
+      authelia_url: 'https://auth.ducamps.eu'
+      expiration: '1 hour'
+      inactivity: '5 minutes'
+
+
+regulation:
+  max_retries: 3
+  find_time: '2 minutes'
+  ban_time: '5 minutes'
+
+storage:
+  encryption_key: '{{.Data.data.encryptionKeys }}'
+  local:
+    path: '/config/db.sqlite3'
+
+notifier:
+  smtp:
+    username: 'authelia@ducamps.eu'
+#    # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
+    password: '{{ .Data.data.mailPassword}}'
+    host: 'mail.ducamps.eu'
+    port: 465
+    disable_require_tls: true
+    sender: 'authelia@ducamps.eu'
+    tls:
+      server_name: 'mail.ducamps.eu'
+      skip_verify: true
+{{end}}
+          EOH
+        destination = "local/configuration.yml"
+      }
+      resources {
+        memory = 100
+      }
+    }
+
+  }
+}
diff --git a/nomad-job/openldap/tree.ldif b/nomad-job/openldap/tree.ldif
index 6ac559a..88eae99 100644
--- a/nomad-job/openldap/tree.ldif
+++ b/nomad-job/openldap/tree.ldif
@@ -158,6 +158,21 @@ shadowLastChange: 19437
 shadowMax: 99999
 shadowMin: 100000
 shadowWarning: 7
+
+dn: uid=authelia,ou=serviceAccount,ou=users,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: posixAccount
+objectClass: shadowAccount
+objectClass: top
+cn: authelia
+gidNumber: 1000001
+sn: supysonicServiceAccount
+uid: supysonicServiceAccount
+uidNumber: 1000008
+displayName: authelia
 shadowExpire: -1
 shadowFlag: 0
 shadowInactive: 0
diff --git a/nomad-job/traefik-ingress.nomad b/nomad-job/traefik-ingress.nomad
index 8300efd..a56cc2b 100644
--- a/nomad-job/traefik-ingress.nomad
+++ b/nomad-job/traefik-ingress.nomad
@@ -107,8 +107,14 @@ job "traefik-ingress" {
                 [entryPoints.web.http.redirections.entryPoint]
                   to = "websecure"
                   scheme = "https"
+
           [entryPoints.websecure]
+
             address = ":443"
+            [entryPoints.websecure.forwardedHeaders]
+              trustedIPs = ["127.0.0.1/32", "192.168.0.0/24" ,"10.0.0.0/8","172.16.0.0/12"]
+            [entryPoints.websecure.proxyProtocol] 
+              trustedIPs = ["127.0.0.1/32", "192.168.0.0/24" ,"10.0.0.0/8","172.16.0.0/12"]
           [entryPoints.traefik]
             address = ":9080"
           [entrypoints.smtp]
diff --git a/nomad-job/traefik-local.nomad b/nomad-job/traefik-local.nomad
index bb7d287..67f49a6 100644
--- a/nomad-job/traefik-local.nomad
+++ b/nomad-job/traefik-local.nomad
@@ -29,7 +29,7 @@ job "traefik-local" {
         static= 993
       }
       port "admin" {
-        static = 8080
+        static = 9080
       }
     }
     vault {
@@ -56,6 +56,13 @@ job "traefik-local" {
           "homer.logo=https://upload.wikimedia.org/wikipedia/commons/1/1b/Traefik.logo.png",
           "homer.target=_blank",
           "homer.url=http://${NOMAD_ADDR_admin}",
+          "traefik.enable=true",
+          "traefik.http.middlewares.authelia.forwardauth.address=https://auth.ducamps.eu/api/authz/forward-auth",
+          "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
+          "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true",
+          "traefik.http.middlewares.authelia-basic.forwardauth.address=https://auth.ducamps.eu/api/verify?auth=basic",
+          "traefik.http.middlewares.authelia-basic.forwardauth.trustForwardHeader=true",
+          "traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
 
 
         ]
@@ -103,6 +110,10 @@ job "traefik-local" {
 
           [entryPoints.websecure]
             address = ":443"
+            [entryPoints.websecure.forwardedHeaders]
+              trustedIPs = ["127.0.0.1/32", "192.168.0.0/24" ,"10.0.0.0/8","172.16.0.0/12"]
+            [entryPoints.websecure.proxyProtocol] 
+              trustedIPs = ["127.0.0.1/32", "192.168.0.0/24" ,"10.0.0.0/8","172.16.0.0/12"]
           [entryPoints.traefik]
             address = ":9080"
           [entrypoints.ssh]
diff --git a/nomad-job/volume/authelia-config.hcl b/nomad-job/volume/authelia-config.hcl
new file mode 100644
index 0000000..18e7069
--- /dev/null
+++ b/nomad-job/volume/authelia-config.hcl
@@ -0,0 +1,17 @@
+type = "csi"
+id = "authelia-config"
+name = "authelia-config"
+external_id = "authelia-config"
+plugin_id = "nfs"
+capability {
+	access_mode = "multi-node-multi-writer"
+	attachment_mode = "file-system"
+}
+context {
+  server = "nfs.service.consul"
+  share = "/nomad/authelia"
+}
+mount_options {
+  fs_type = "nfs"
+  mount_flags = [ "vers=4" ]
+}
diff --git a/terraform/dns/variable.tf b/terraform/dns/variable.tf
index e534f4b..8436870 100644
--- a/terraform/dns/variable.tf
+++ b/terraform/dns/variable.tf
@@ -17,6 +17,7 @@ variable powerDnsURL {
 variable cnameList{
   type=list
   default= [
+    "auth",
     "arch",
     "dashboard",
     "drone",
diff --git a/terraform/vault/nomad.tf b/terraform/vault/nomad.tf
index a708f24..cb90b51 100644
--- a/terraform/vault/nomad.tf
+++ b/terraform/vault/nomad.tf
@@ -3,6 +3,7 @@ locals {
   ])
  
   nomad_policy=[
+    "authelia",
     "crowdsec",
     "dump",
     "dentrite",