feat: create authelia job
This commit is contained in:
parent
452ab3611a
commit
5fe61223c3
161
nomad-job/authelia.nomad.hcl
Normal file
161
nomad-job/authelia.nomad.hcl
Normal file
@ -0,0 +1,161 @@
|
|||||||
|
|
||||||
|
job "authelia" {
|
||||||
|
datacenters = ["homelab"]
|
||||||
|
priority = 80
|
||||||
|
type = "service"
|
||||||
|
meta {
|
||||||
|
forcedeploy = "0"
|
||||||
|
}
|
||||||
|
constraint {
|
||||||
|
attribute = "${attr.cpu.arch}"
|
||||||
|
value = "amd64"
|
||||||
|
}
|
||||||
|
|
||||||
|
group "authelia" {
|
||||||
|
network {
|
||||||
|
mode = "host"
|
||||||
|
port "authelia" {
|
||||||
|
to = 9091
|
||||||
|
}
|
||||||
|
}
|
||||||
|
volume "authelia-config" {
|
||||||
|
type = "csi"
|
||||||
|
source = "authelia-config"
|
||||||
|
access_mode = "multi-node-multi-writer"
|
||||||
|
attachment_mode = "file-system"
|
||||||
|
}
|
||||||
|
vault {
|
||||||
|
policies = ["authelia"]
|
||||||
|
|
||||||
|
}
|
||||||
|
task "authelia" {
|
||||||
|
driver = "docker"
|
||||||
|
service {
|
||||||
|
name = "authelia"
|
||||||
|
port = "authelia"
|
||||||
|
tags = [
|
||||||
|
"traefik.enable=true",
|
||||||
|
"traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`auth.ducamps.eu`)",
|
||||||
|
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=auth.ducamps.eu",
|
||||||
|
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
|
||||||
|
"traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure",
|
||||||
|
|
||||||
|
|
||||||
|
]
|
||||||
|
}
|
||||||
|
config {
|
||||||
|
image = "authelia/authelia"
|
||||||
|
ports = ["authelia"]
|
||||||
|
args = [
|
||||||
|
"--config",
|
||||||
|
"/local/configuration.yml",
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
}
|
||||||
|
volume_mount {
|
||||||
|
volume = "authelia-config"
|
||||||
|
destination = "/config"
|
||||||
|
}
|
||||||
|
env {
|
||||||
|
AUTHELIA_SESSION_SECRET = uuidv4()
|
||||||
|
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET = uuidv4()
|
||||||
|
}
|
||||||
|
|
||||||
|
template {
|
||||||
|
data = <<EOH
|
||||||
|
|
||||||
|
---
|
||||||
|
###############################################################
|
||||||
|
# Authelia configuration #
|
||||||
|
###############################################################
|
||||||
|
|
||||||
|
server:
|
||||||
|
address: 'tcp://:9091'
|
||||||
|
endpoints:
|
||||||
|
authz:
|
||||||
|
forward-auth:
|
||||||
|
implementation: 'ForwardAuth'
|
||||||
|
legacy:
|
||||||
|
implementation: 'Legacy'
|
||||||
|
|
||||||
|
log:
|
||||||
|
level: 'debug'
|
||||||
|
|
||||||
|
totp:
|
||||||
|
issuer: 'authelia.com'
|
||||||
|
|
||||||
|
|
||||||
|
{{ with secret "secrets/data/nomad/authelia"}}
|
||||||
|
authentication_backend:
|
||||||
|
ldap:
|
||||||
|
address: 'ldaps://ldap.ducamps.eu'
|
||||||
|
implementation: 'custom'
|
||||||
|
timeout: '5s'
|
||||||
|
start_tls: false
|
||||||
|
tls:
|
||||||
|
skip_verify: true
|
||||||
|
minimum_version: 'TLS1.2'
|
||||||
|
base_dn: 'DC=ducamps,DC=eu'
|
||||||
|
additional_users_dn: 'OU=users'
|
||||||
|
users_filter: '(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))'
|
||||||
|
additional_groups_dn: 'OU=groups'
|
||||||
|
groups_filter: '(&(member=UID={input},OU=users,DC=ducamps,DC=eu)(objectClass=groupOfNames))'
|
||||||
|
user: 'uid=authelia,ou=serviceAccount,ou=users,dc=ducamps,dc=eu'
|
||||||
|
password: '{{ .Data.data.ldapPassword }}'
|
||||||
|
attributes:
|
||||||
|
distinguished_name: 'distinguishedname'
|
||||||
|
username: 'uid'
|
||||||
|
mail: 'mail'
|
||||||
|
member_of: 'memberOf'
|
||||||
|
group_name: 'cn'
|
||||||
|
|
||||||
|
access_control:
|
||||||
|
default_policy: 'deny'
|
||||||
|
rules:
|
||||||
|
# Rules applied to everyone
|
||||||
|
- domain: '*.ducamps.eu'
|
||||||
|
policy: 'one_factor'
|
||||||
|
|
||||||
|
session:
|
||||||
|
cookies:
|
||||||
|
- name: 'authelia_session'
|
||||||
|
domain: 'ducamps.eu' # Should match whatever your root protected domain is
|
||||||
|
authelia_url: 'https://auth.ducamps.eu'
|
||||||
|
expiration: '1 hour'
|
||||||
|
inactivity: '5 minutes'
|
||||||
|
|
||||||
|
|
||||||
|
regulation:
|
||||||
|
max_retries: 3
|
||||||
|
find_time: '2 minutes'
|
||||||
|
ban_time: '5 minutes'
|
||||||
|
|
||||||
|
storage:
|
||||||
|
encryption_key: '{{.Data.data.encryptionKeys }}'
|
||||||
|
local:
|
||||||
|
path: '/config/db.sqlite3'
|
||||||
|
|
||||||
|
notifier:
|
||||||
|
smtp:
|
||||||
|
username: 'authelia@ducamps.eu'
|
||||||
|
# # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
|
||||||
|
password: '{{ .Data.data.mailPassword}}'
|
||||||
|
host: 'mail.ducamps.eu'
|
||||||
|
port: 465
|
||||||
|
disable_require_tls: true
|
||||||
|
sender: 'authelia@ducamps.eu'
|
||||||
|
tls:
|
||||||
|
server_name: 'mail.ducamps.eu'
|
||||||
|
skip_verify: true
|
||||||
|
{{end}}
|
||||||
|
EOH
|
||||||
|
destination = "local/configuration.yml"
|
||||||
|
}
|
||||||
|
resources {
|
||||||
|
memory = 100
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
@ -158,6 +158,21 @@ shadowLastChange: 19437
|
|||||||
shadowMax: 99999
|
shadowMax: 99999
|
||||||
shadowMin: 100000
|
shadowMin: 100000
|
||||||
shadowWarning: 7
|
shadowWarning: 7
|
||||||
|
|
||||||
|
dn: uid=authelia,ou=serviceAccount,ou=users,dc=ducamps,dc=eu
|
||||||
|
objectClass: extensibleObject
|
||||||
|
objectClass: inetOrgPerson
|
||||||
|
objectClass: organizationalPerson
|
||||||
|
objectClass: person
|
||||||
|
objectClass: posixAccount
|
||||||
|
objectClass: shadowAccount
|
||||||
|
objectClass: top
|
||||||
|
cn: authelia
|
||||||
|
gidNumber: 1000001
|
||||||
|
sn: supysonicServiceAccount
|
||||||
|
uid: supysonicServiceAccount
|
||||||
|
uidNumber: 1000008
|
||||||
|
displayName: authelia
|
||||||
shadowExpire: -1
|
shadowExpire: -1
|
||||||
shadowFlag: 0
|
shadowFlag: 0
|
||||||
shadowInactive: 0
|
shadowInactive: 0
|
||||||
|
@ -107,8 +107,14 @@ job "traefik-ingress" {
|
|||||||
[entryPoints.web.http.redirections.entryPoint]
|
[entryPoints.web.http.redirections.entryPoint]
|
||||||
to = "websecure"
|
to = "websecure"
|
||||||
scheme = "https"
|
scheme = "https"
|
||||||
|
|
||||||
[entryPoints.websecure]
|
[entryPoints.websecure]
|
||||||
|
|
||||||
address = ":443"
|
address = ":443"
|
||||||
|
[entryPoints.websecure.forwardedHeaders]
|
||||||
|
trustedIPs = ["127.0.0.1/32", "192.168.0.0/24" ,"10.0.0.0/8","172.16.0.0/12"]
|
||||||
|
[entryPoints.websecure.proxyProtocol]
|
||||||
|
trustedIPs = ["127.0.0.1/32", "192.168.0.0/24" ,"10.0.0.0/8","172.16.0.0/12"]
|
||||||
[entryPoints.traefik]
|
[entryPoints.traefik]
|
||||||
address = ":9080"
|
address = ":9080"
|
||||||
[entrypoints.smtp]
|
[entrypoints.smtp]
|
||||||
|
@ -29,7 +29,7 @@ job "traefik-local" {
|
|||||||
static= 993
|
static= 993
|
||||||
}
|
}
|
||||||
port "admin" {
|
port "admin" {
|
||||||
static = 8080
|
static = 9080
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
vault {
|
vault {
|
||||||
@ -56,6 +56,13 @@ job "traefik-local" {
|
|||||||
"homer.logo=https://upload.wikimedia.org/wikipedia/commons/1/1b/Traefik.logo.png",
|
"homer.logo=https://upload.wikimedia.org/wikipedia/commons/1/1b/Traefik.logo.png",
|
||||||
"homer.target=_blank",
|
"homer.target=_blank",
|
||||||
"homer.url=http://${NOMAD_ADDR_admin}",
|
"homer.url=http://${NOMAD_ADDR_admin}",
|
||||||
|
"traefik.enable=true",
|
||||||
|
"traefik.http.middlewares.authelia.forwardauth.address=https://auth.ducamps.eu/api/authz/forward-auth",
|
||||||
|
"traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
|
||||||
|
"traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true",
|
||||||
|
"traefik.http.middlewares.authelia-basic.forwardauth.address=https://auth.ducamps.eu/api/verify?auth=basic",
|
||||||
|
"traefik.http.middlewares.authelia-basic.forwardauth.trustForwardHeader=true",
|
||||||
|
"traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
|
||||||
|
|
||||||
|
|
||||||
]
|
]
|
||||||
@ -103,6 +110,10 @@ job "traefik-local" {
|
|||||||
|
|
||||||
[entryPoints.websecure]
|
[entryPoints.websecure]
|
||||||
address = ":443"
|
address = ":443"
|
||||||
|
[entryPoints.websecure.forwardedHeaders]
|
||||||
|
trustedIPs = ["127.0.0.1/32", "192.168.0.0/24" ,"10.0.0.0/8","172.16.0.0/12"]
|
||||||
|
[entryPoints.websecure.proxyProtocol]
|
||||||
|
trustedIPs = ["127.0.0.1/32", "192.168.0.0/24" ,"10.0.0.0/8","172.16.0.0/12"]
|
||||||
[entryPoints.traefik]
|
[entryPoints.traefik]
|
||||||
address = ":9080"
|
address = ":9080"
|
||||||
[entrypoints.ssh]
|
[entrypoints.ssh]
|
||||||
|
17
nomad-job/volume/authelia-config.hcl
Normal file
17
nomad-job/volume/authelia-config.hcl
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
type = "csi"
|
||||||
|
id = "authelia-config"
|
||||||
|
name = "authelia-config"
|
||||||
|
external_id = "authelia-config"
|
||||||
|
plugin_id = "nfs"
|
||||||
|
capability {
|
||||||
|
access_mode = "multi-node-multi-writer"
|
||||||
|
attachment_mode = "file-system"
|
||||||
|
}
|
||||||
|
context {
|
||||||
|
server = "nfs.service.consul"
|
||||||
|
share = "/nomad/authelia"
|
||||||
|
}
|
||||||
|
mount_options {
|
||||||
|
fs_type = "nfs"
|
||||||
|
mount_flags = [ "vers=4" ]
|
||||||
|
}
|
@ -17,6 +17,7 @@ variable powerDnsURL {
|
|||||||
variable cnameList{
|
variable cnameList{
|
||||||
type=list
|
type=list
|
||||||
default= [
|
default= [
|
||||||
|
"auth",
|
||||||
"arch",
|
"arch",
|
||||||
"dashboard",
|
"dashboard",
|
||||||
"drone",
|
"drone",
|
||||||
|
@ -3,6 +3,7 @@ locals {
|
|||||||
])
|
])
|
||||||
|
|
||||||
nomad_policy=[
|
nomad_policy=[
|
||||||
|
"authelia",
|
||||||
"crowdsec",
|
"crowdsec",
|
||||||
"dump",
|
"dump",
|
||||||
"dentrite",
|
"dentrite",
|
||||||
|
Loading…
Reference in New Issue
Block a user