feat: create authelia job

2024-04-12 08:59:20 +02:00 · 2024-04-12 08:59:20 +02:00 · 5fe61223c3
commit 5fe61223c3
parent 452ab3611a
7 changed files with 213 additions and 1 deletions
--- a/nomad-job/authelia.nomad.hcl
+++ b/nomad-job/authelia.nomad.hcl
@ -0,0 +1,161 @@
 job "authelia" {
  datacenters = ["homelab"]
  priority    = 80
  type        = "service"
  meta {
    forcedeploy = "0"
  }
  constraint {
    attribute = "${attr.cpu.arch}"
    value     = "amd64"
  }
  group "authelia" {
    network {
      mode = "host"
      port "authelia" {
        to = 9091
      }
    }
    volume "authelia-config" {
      type            = "csi"
      source          = "authelia-config"
      access_mode     = "multi-node-multi-writer"
      attachment_mode = "file-system"
    }
    vault {
      policies = ["authelia"]
    }
    task "authelia" {
      driver = "docker"
      service {
        name = "authelia"
        port = "authelia"
        tags = [
          "traefik.enable=true",
          "traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`auth.ducamps.eu`)",
          "traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=auth.ducamps.eu",
          "traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
          "traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure",
        ]
      }
      config {
        image = "authelia/authelia"
        ports = ["authelia"]
        args = [
          "--config",
          "/local/configuration.yml",
        ]
      }
      volume_mount {
          volume      = "authelia-config"
          destination = "/config"
      }
      env {
        AUTHELIA_SESSION_SECRET = uuidv4()
        AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET = uuidv4()
      }
      template {
        data        = <<EOH
 ---
 ###############################################################
 #                   Authelia configuration                    #
 ###############################################################
 server:
  address: 'tcp://:9091'
  endpoints:
    authz:
      forward-auth:
        implementation: 'ForwardAuth'
      legacy:
        implementation: 'Legacy'
 log:
  level: 'debug'
 totp:
  issuer: 'authelia.com'
 {{ with secret "secrets/data/nomad/authelia"}}
 authentication_backend:
  ldap:
    address: 'ldaps://ldap.ducamps.eu'
    implementation: 'custom'
    timeout: '5s'
    start_tls: false
    tls:
      skip_verify: true
      minimum_version: 'TLS1.2'
    base_dn: 'DC=ducamps,DC=eu'
    additional_users_dn: 'OU=users'
    users_filter: '(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))'
    additional_groups_dn: 'OU=groups'
    groups_filter: '(&(member=UID={input},OU=users,DC=ducamps,DC=eu)(objectClass=groupOfNames))'
    user: 'uid=authelia,ou=serviceAccount,ou=users,dc=ducamps,dc=eu'
    password: '{{ .Data.data.ldapPassword }}'
    attributes:
      distinguished_name: 'distinguishedname'
      username: 'uid'
      mail: 'mail'
      member_of: 'memberOf'
      group_name: 'cn'
 access_control:
  default_policy: 'deny'
  rules:
    # Rules applied to everyone
    - domain: '*.ducamps.eu'
      policy: 'one_factor'
 session:
  cookies:
    - name: 'authelia_session'
      domain: 'ducamps.eu'  # Should match whatever your root protected domain is
      authelia_url: 'https://auth.ducamps.eu'
      expiration: '1 hour'
      inactivity: '5 minutes'
 regulation:
  max_retries: 3
  find_time: '2 minutes'
  ban_time: '5 minutes'
 storage:
  encryption_key: '{{.Data.data.encryptionKeys }}'
  local:
    path: '/config/db.sqlite3'
 notifier:
  smtp:
    username: 'authelia@ducamps.eu'
 #    # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
    password: '{{ .Data.data.mailPassword}}'
    host: 'mail.ducamps.eu'
    port: 465
    disable_require_tls: true
    sender: 'authelia@ducamps.eu'
    tls:
      server_name: 'mail.ducamps.eu'
      skip_verify: true
 {{end}}
          EOH
        destination = "local/configuration.yml"
      }
      resources {
        memory = 100
      }
    }
  }
 }
--- a/nomad-job/openldap/tree.ldif
+++ b/nomad-job/openldap/tree.ldif
@ -158,6 +158,21 @@ shadowLastChange: 19437
 shadowMax: 99999
 shadowMin: 100000
 shadowWarning: 7
 dn: uid=authelia,ou=serviceAccount,ou=users,dc=ducamps,dc=eu
 objectClass: extensibleObject
 objectClass: inetOrgPerson
 objectClass: organizationalPerson
 objectClass: person
 objectClass: posixAccount
 objectClass: shadowAccount
 objectClass: top
 cn: authelia
 gidNumber: 1000001
 sn: supysonicServiceAccount
 uid: supysonicServiceAccount
 uidNumber: 1000008
 displayName: authelia
 shadowExpire: -1
 shadowFlag: 0
 shadowInactive: 0
--- a/nomad-job/traefik-ingress.nomad
+++ b/nomad-job/traefik-ingress.nomad
@ -107,8 +107,14 @@ job "traefik-ingress" {
                [entryPoints.web.http.redirections.entryPoint]
                  to = "websecure"
                  scheme = "https"
          [entryPoints.websecure]
            address = ":443"
            [entryPoints.websecure.forwardedHeaders]
              trustedIPs = ["127.0.0.1/32", "192.168.0.0/24" ,"10.0.0.0/8","172.16.0.0/12"]
            [entryPoints.websecure.proxyProtocol] 
              trustedIPs = ["127.0.0.1/32", "192.168.0.0/24" ,"10.0.0.0/8","172.16.0.0/12"]
          [entryPoints.traefik]
            address = ":9080"
          [entrypoints.smtp]
--- a/nomad-job/traefik-local.nomad
+++ b/nomad-job/traefik-local.nomad
@ -29,7 +29,7 @@ job "traefik-local" {
        static= 993
      }
      port "admin" {
-        static = 8080
+        static = 9080
      }
    }
    vault {
@ -56,6 +56,13 @@ job "traefik-local" {
          "homer.logo=https://upload.wikimedia.org/wikipedia/commons/1/1b/Traefik.logo.png",
          "homer.target=_blank",
          "homer.url=http://${NOMAD_ADDR_admin}",
          "traefik.enable=true",
          "traefik.http.middlewares.authelia.forwardauth.address=https://auth.ducamps.eu/api/authz/forward-auth",
          "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
          "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true",
          "traefik.http.middlewares.authelia-basic.forwardauth.address=https://auth.ducamps.eu/api/verify?auth=basic",
          "traefik.http.middlewares.authelia-basic.forwardauth.trustForwardHeader=true",
          "traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
        ]
@ -103,6 +110,10 @@ job "traefik-local" {
          [entryPoints.websecure]
            address = ":443"
            [entryPoints.websecure.forwardedHeaders]
              trustedIPs = ["127.0.0.1/32", "192.168.0.0/24" ,"10.0.0.0/8","172.16.0.0/12"]
            [entryPoints.websecure.proxyProtocol] 
              trustedIPs = ["127.0.0.1/32", "192.168.0.0/24" ,"10.0.0.0/8","172.16.0.0/12"]
          [entryPoints.traefik]
            address = ":9080"
          [entrypoints.ssh]
--- a/nomad-job/volume/authelia-config.hcl
+++ b/nomad-job/volume/authelia-config.hcl
@ -0,0 +1,17 @@
 type = "csi"
 id = "authelia-config"
 name = "authelia-config"
 external_id = "authelia-config"
 plugin_id = "nfs"
 capability {
 	access_mode = "multi-node-multi-writer"
 	attachment_mode = "file-system"
 }
 context {
  server = "nfs.service.consul"
  share = "/nomad/authelia"
 }
 mount_options {
  fs_type = "nfs"
  mount_flags = [ "vers=4" ]
 }
--- a/terraform/dns/variable.tf
+++ b/terraform/dns/variable.tf
@ -17,6 +17,7 @@ variable powerDnsURL {
 variable cnameList{
  type=list
  default= [
    "auth",
    "arch",
    "dashboard",
    "drone",
--- a/terraform/vault/nomad.tf
+++ b/terraform/vault/nomad.tf
@ -3,6 +3,7 @@ locals {
  ])
  nomad_policy=[
    "authelia",
    "crowdsec",
    "dump",
    "dentrite",