feat: create authelia job

This commit is contained in:
vincent 2024-04-12 08:59:20 +02:00
parent 452ab3611a
commit 5fe61223c3
7 changed files with 213 additions and 1 deletions

View File

@ -0,0 +1,161 @@
job "authelia" {
datacenters = ["homelab"]
priority = 80
type = "service"
meta {
forcedeploy = "0"
}
constraint {
attribute = "${attr.cpu.arch}"
value = "amd64"
}
group "authelia" {
network {
mode = "host"
port "authelia" {
to = 9091
}
}
volume "authelia-config" {
type = "csi"
source = "authelia-config"
access_mode = "multi-node-multi-writer"
attachment_mode = "file-system"
}
vault {
policies = ["authelia"]
}
task "authelia" {
driver = "docker"
service {
name = "authelia"
port = "authelia"
tags = [
"traefik.enable=true",
"traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`auth.ducamps.eu`)",
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=auth.ducamps.eu",
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
"traefik.http.routers.${NOMAD_JOB_NAME}.entrypoints=web,websecure",
]
}
config {
image = "authelia/authelia"
ports = ["authelia"]
args = [
"--config",
"/local/configuration.yml",
]
}
volume_mount {
volume = "authelia-config"
destination = "/config"
}
env {
AUTHELIA_SESSION_SECRET = uuidv4()
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET = uuidv4()
}
template {
data = <<EOH
---
###############################################################
# Authelia configuration #
###############################################################
server:
address: 'tcp://:9091'
endpoints:
authz:
forward-auth:
implementation: 'ForwardAuth'
legacy:
implementation: 'Legacy'
log:
level: 'debug'
totp:
issuer: 'authelia.com'
{{ with secret "secrets/data/nomad/authelia"}}
authentication_backend:
ldap:
address: 'ldaps://ldap.ducamps.eu'
implementation: 'custom'
timeout: '5s'
start_tls: false
tls:
skip_verify: true
minimum_version: 'TLS1.2'
base_dn: 'DC=ducamps,DC=eu'
additional_users_dn: 'OU=users'
users_filter: '(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))'
additional_groups_dn: 'OU=groups'
groups_filter: '(&(member=UID={input},OU=users,DC=ducamps,DC=eu)(objectClass=groupOfNames))'
user: 'uid=authelia,ou=serviceAccount,ou=users,dc=ducamps,dc=eu'
password: '{{ .Data.data.ldapPassword }}'
attributes:
distinguished_name: 'distinguishedname'
username: 'uid'
mail: 'mail'
member_of: 'memberOf'
group_name: 'cn'
access_control:
default_policy: 'deny'
rules:
# Rules applied to everyone
- domain: '*.ducamps.eu'
policy: 'one_factor'
session:
cookies:
- name: 'authelia_session'
domain: 'ducamps.eu' # Should match whatever your root protected domain is
authelia_url: 'https://auth.ducamps.eu'
expiration: '1 hour'
inactivity: '5 minutes'
regulation:
max_retries: 3
find_time: '2 minutes'
ban_time: '5 minutes'
storage:
encryption_key: '{{.Data.data.encryptionKeys }}'
local:
path: '/config/db.sqlite3'
notifier:
smtp:
username: 'authelia@ducamps.eu'
# # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
password: '{{ .Data.data.mailPassword}}'
host: 'mail.ducamps.eu'
port: 465
disable_require_tls: true
sender: 'authelia@ducamps.eu'
tls:
server_name: 'mail.ducamps.eu'
skip_verify: true
{{end}}
EOH
destination = "local/configuration.yml"
}
resources {
memory = 100
}
}
}
}

View File

@ -158,6 +158,21 @@ shadowLastChange: 19437
shadowMax: 99999 shadowMax: 99999
shadowMin: 100000 shadowMin: 100000
shadowWarning: 7 shadowWarning: 7
dn: uid=authelia,ou=serviceAccount,ou=users,dc=ducamps,dc=eu
objectClass: extensibleObject
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
cn: authelia
gidNumber: 1000001
sn: supysonicServiceAccount
uid: supysonicServiceAccount
uidNumber: 1000008
displayName: authelia
shadowExpire: -1 shadowExpire: -1
shadowFlag: 0 shadowFlag: 0
shadowInactive: 0 shadowInactive: 0

View File

@ -107,8 +107,14 @@ job "traefik-ingress" {
[entryPoints.web.http.redirections.entryPoint] [entryPoints.web.http.redirections.entryPoint]
to = "websecure" to = "websecure"
scheme = "https" scheme = "https"
[entryPoints.websecure] [entryPoints.websecure]
address = ":443" address = ":443"
[entryPoints.websecure.forwardedHeaders]
trustedIPs = ["127.0.0.1/32", "192.168.0.0/24" ,"10.0.0.0/8","172.16.0.0/12"]
[entryPoints.websecure.proxyProtocol]
trustedIPs = ["127.0.0.1/32", "192.168.0.0/24" ,"10.0.0.0/8","172.16.0.0/12"]
[entryPoints.traefik] [entryPoints.traefik]
address = ":9080" address = ":9080"
[entrypoints.smtp] [entrypoints.smtp]

View File

@ -29,7 +29,7 @@ job "traefik-local" {
static= 993 static= 993
} }
port "admin" { port "admin" {
static = 8080 static = 9080
} }
} }
vault { vault {
@ -56,6 +56,13 @@ job "traefik-local" {
"homer.logo=https://upload.wikimedia.org/wikipedia/commons/1/1b/Traefik.logo.png", "homer.logo=https://upload.wikimedia.org/wikipedia/commons/1/1b/Traefik.logo.png",
"homer.target=_blank", "homer.target=_blank",
"homer.url=http://${NOMAD_ADDR_admin}", "homer.url=http://${NOMAD_ADDR_admin}",
"traefik.enable=true",
"traefik.http.middlewares.authelia.forwardauth.address=https://auth.ducamps.eu/api/authz/forward-auth",
"traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
"traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true",
"traefik.http.middlewares.authelia-basic.forwardauth.address=https://auth.ducamps.eu/api/verify?auth=basic",
"traefik.http.middlewares.authelia-basic.forwardauth.trustForwardHeader=true",
"traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
] ]
@ -103,6 +110,10 @@ job "traefik-local" {
[entryPoints.websecure] [entryPoints.websecure]
address = ":443" address = ":443"
[entryPoints.websecure.forwardedHeaders]
trustedIPs = ["127.0.0.1/32", "192.168.0.0/24" ,"10.0.0.0/8","172.16.0.0/12"]
[entryPoints.websecure.proxyProtocol]
trustedIPs = ["127.0.0.1/32", "192.168.0.0/24" ,"10.0.0.0/8","172.16.0.0/12"]
[entryPoints.traefik] [entryPoints.traefik]
address = ":9080" address = ":9080"
[entrypoints.ssh] [entrypoints.ssh]

View File

@ -0,0 +1,17 @@
type = "csi"
id = "authelia-config"
name = "authelia-config"
external_id = "authelia-config"
plugin_id = "nfs"
capability {
access_mode = "multi-node-multi-writer"
attachment_mode = "file-system"
}
context {
server = "nfs.service.consul"
share = "/nomad/authelia"
}
mount_options {
fs_type = "nfs"
mount_flags = [ "vers=4" ]
}

View File

@ -17,6 +17,7 @@ variable powerDnsURL {
variable cnameList{ variable cnameList{
type=list type=list
default= [ default= [
"auth",
"arch", "arch",
"dashboard", "dashboard",
"drone", "drone",

View File

@ -3,6 +3,7 @@ locals {
]) ])
nomad_policy=[ nomad_policy=[
"authelia",
"crowdsec", "crowdsec",
"dump", "dump",
"dentrite", "dentrite",