feat: add authelia oidc authent

2024-04-24 21:23:39 +02:00 · 2024-04-24 21:23:39 +02:00 · ab3c42cf8b
commit ab3c42cf8b
parent 992937c011
5 changed files with 99 additions and 22 deletions
--- a/nomad-job/authelia.nomad.hcl
+++ b/nomad-job/authelia.nomad.hcl
@ -43,6 +43,19 @@ job "authelia" {

        ]
      }
+      action "generate-client-secret" {
+        command = "authelia"
+        args = ["crypto",
+                "hash",
+                "generate",
+                "pbkdf2",
+                "--random",
+                "--random.length",
+                "72",
+                "--random.charset",
+                "rfc3986"
+              ]
+      }
      config {
        image = "authelia/authelia"
        ports = ["authelia"]
@ -79,6 +92,29 @@ server:
      legacy:
        implementation: 'Legacy'

+identity_providers:
+  oidc:
+    hmac_secret: {{ with secret "secrets/data/nomad/authelia"}}{{ .Data.data.hmac}}{{end}}
+    jwks:
+     - key_id: 'key'
+       key: |
+{{ with secret "secrets/data/nomad/authelia"}}{{ .Data.data.rsakey|indent 8 }}{{end}}
+    clients:
+      - client_id: 'ttrss'
+        client_name: 'ttrss'
+#        client_secret: $pbkdf2-sha512$310000$5igZ9BADDMeXml91wcIq3w$fNFeVMHDxXx758cYQe0kmgidZMedEgtN.zQd12xE9DzmSk8QRRUYx56zpjzLTO8PcKhDgR3qCdUPnO/XDdEDLg
+        client_secret: {{ with secret "secrets/data/authelia/ttrss"}} {{ .Data.data.hash }} {{end}}
+        public: false
+        scopes:
+          - openid
+          - email
+          - profile
+        redirect_uris:
+          - 'https://www.ducamps.eu/tt-rss'
+        userinfo_signed_response_alg: none
+        authorization_policy: 'one_factor'
+        pre_configured_consent_duration: 15d
+
 log:
  level: 'debug'

@ -86,7 +122,6 @@ totp:
  issuer: 'authelia.com'


-{{ with secret "secrets/data/nomad/authelia"}}
 authentication_backend:
  ldap:
    address: 'ldaps://ldap.ducamps.eu'
@ -102,7 +137,7 @@ authentication_backend:
    additional_groups_dn: 'OU=groups'
    groups_filter: '(&(member=UID={input},OU=users,DC=ducamps,DC=eu)(objectClass=groupOfNames))'
    user: 'uid=authelia,ou=serviceAccount,ou=users,dc=ducamps,dc=eu'
-    password: '{{ .Data.data.ldapPassword }}'
+    password:{{ with secret "secrets/data/nomad/authelia"}} '{{ .Data.data.ldapPassword }}'{{ end }}
    attributes:
      distinguished_name: 'distinguishedname'
      username: 'uid'
@ -122,7 +157,7 @@ session:
    - name: 'authelia_session'
      domain: 'ducamps.eu'  # Should match whatever your root protected domain is
      authelia_url: 'https://auth.ducamps.eu'
-      expiration: '1 hour'
+      expiration: '12 hour'
      inactivity: '5 minutes'


@ -132,23 +167,24 @@ regulation:
  ban_time: '5 minutes'

 storage:
+{{ with secret "secrets/data/nomad/authelia"}}
  encryption_key: '{{.Data.data.encryptionKeys }}'
+{{end}}
  local:
    path: '/config/db.sqlite3'

 notifier:
  smtp:
    username: 'authelia@ducamps.eu'
-#    # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
+{{ with secret "secrets/data/nomad/authelia"}}
    password: '{{ .Data.data.mailPassword}}'
-    host: 'mail.ducamps.eu'
-    port: 465
+{{end}}
+    address: submissions://mail.ducamps.eu:465
    disable_require_tls: true
    sender: 'authelia@ducamps.eu'
    tls:
      server_name: 'mail.ducamps.eu'
      skip_verify: true
-{{end}}
          EOH
        destination = "local/configuration.yml"
      }
--- a/nomad-job/rutorrent.nomad
+++ b/nomad-job/rutorrent.nomad
@ -6,9 +6,6 @@ job "torrent" {
  meta {
    forcedeploy = "0"
  }
-  vault {
-    policies= ["torrent"]
-  }
  group "bittorent" {
    network {
      mode = "host"
@ -57,13 +54,13 @@ job "torrent" {
          "ecoute"
        ]
        volumes = [
-          "/mnt/hetzner/storagebox/rutorrentConfig:/data",
+          "/opt/rutorrentConfig:/data",
          "/mnt/hetzner/storagebox/file:/downloads"
        ]

      }
      env {
-        PUID       = 100001
+        PUID       = 1000001
        PGID       = 10
        UMASK      = 002
        WEBUI_PORT = "8080"
--- a/nomad-job/tt-rss.nomad
+++ b/nomad-job/tt-rss.nomad
@ -55,7 +55,8 @@ job "tt-rss" {
          "appPort"
        ]
        volumes = [
-          "${NOMAD_ALLOC_DIR}/data:/var/www/html"
+          "${NOMAD_ALLOC_DIR}/data:/var/www/html",
+          "/mnt/diskstation/nomad/tt-rss/ttrss-auth-oidc:/var/www/html/tt-rss/plugins.local/auth_oidc"
        ]
      }
      env {
@ -64,16 +65,18 @@ job "tt-rss" {
        TTRSS_DB_NAME       = "ttrss"
        TTRSS_DB_USER       = "ttrss"
        TTRSS_SELF_URL_PATH = "https://www.ducamps.eu/tt-rss"
+        TTRSS_PLUGINS       = "auth_oidc, auth_internal"
+        TTRSS_AUTH_OIDC_NAME= "Authelia"
+        TTRSS_AUTH_OIDC_URL = "https://auth.ducamps.eu"
+        TTRSS_AUTH_OIDC_CLIENT_ID = "ttrss"
      }
      template {
        data        = <<EOH
-            {{ with secret "secrets/data/database/ttrss"}}
-            TTRSS_DB_PASS = "{{ .Data.data.password }}"
-            {{end}}
+            {{ with secret "secrets/data/database/ttrss"}}TTRSS_DB_PASS = "{{ .Data.data.password }}"{{end}} 
+            TTRSS_AUTH_OIDC_CLIENT_SECRET = {{ with secret "secrets/data/authelia/ttrss"}}"{{ .Data.data.password }}"{{end}}
          EOH
-        destination = "secrets/tt-rss.env"
+        destination = "secret/tt-rss.env"
        env         = true
-
      }
      resources {
        memory = 150
--- a/script/generate-vault-secret
+++ b/script/generate-vault-secret
@ -4,6 +4,9 @@ import requests
 import secrets
 import json
 import os
+import hashlib
+import string
+from passlib.hash import pbkdf2_sha512

 class VaultSecret:
    def __init__(self,path: str,data: dict) -> None:
@ -17,6 +20,17 @@ class VaultSecret:
                data[k]=secrets.token_urlsafe(16)
        return data

+class AutheliaSecret(VaultSecret):
+    def __init__(self,path: str) -> None:
+        self.path=path
+        self.data={
+            "password":"",
+            "hash":""
+        }
+        self.data["password"]=secrets.token_urlsafe(72)
+        self.data["hash"]=pbkdf2_sha512.using(rounds=310000, salt_size=16).hash(self.data["password"])
+
+


 class Vault:
@ -54,6 +68,9 @@ def main() -> None:
            "secret_key":""
        }
    }
+    listAutheliaSecret=[
+        "authelia/ttrss"
+    ]

    token=os.getenv('VAULT_TOKEN',"")
    vault_addr=os.getenv('VAULT_ADDR',"")
@ -61,6 +78,9 @@ def main() -> None:
    for k,v in listSecret.items():
        secret=VaultSecret(k,v)
        vault.create_vault_secret(secret)
-
+    for v in listAutheliaSecret:
+        autheliaSecret=AutheliaSecret(v)
+        print(autheliaSecret.data["hash"])
+        vault.create_vault_secret(autheliaSecret)
 if __name__ == '__main__':
    main()
--- a/terraform/vault/nomad.tf
+++ b/terraform/vault/nomad.tf
@ -1,9 +1,7 @@
 locals {
-  allowed_policies= concat(local.nomad_policy, [
-  ])
+  allowed_policies= concat(local.nomad_policy,local.nomad_custom_policy[*].name)
 
  nomad_policy=[
-    "authelia",
    "crowdsec",
    "dump",
    "dentrite",
@ -28,6 +26,19 @@ locals {
    "ldap",
    "borgmatic",
  ]
+nomad_custom_policy = [
+    {
+      name = "authelia",
+      policy=<<EOT
+path "secrets/data/nomad/authelia" {
+      capabilities = ["read"]
+      }
+path "secrets/data/authelia/*" {
+      capabilities = ["read"]
+      }
+      EOT
+    }
+  ]

 }
 resource "vault_token_auth_backend_role" "nomad-cluster" {
@ -54,6 +65,11 @@ data "vault_policy_document" "nomad_jobs" {
    path = "secrets/data/database/${each.key}"
    capabilities = ["read"]
  }
+  rule {
+    path = "secrets/data/authelia/${each.key}"
+    capabilities = ["read"]
+  }
+
 }
 resource "vault_policy" "nomad_jobs" {
    for_each = toset(local.nomad_policy)
@ -62,5 +78,10 @@ resource "vault_policy" "nomad_jobs" {
    policy = data.vault_policy_document.nomad_jobs[each.key].hcl
 }

+resource "vault_policy" "nomad_jobs_custom" {
+    for_each = {for policy in local.nomad_custom_policy: policy.name => policy}

+    name   = each.value.name
+    policy = each.value.policy
+}