feat: add authelia oidc authent

nomad-job/authelia.nomad.hcl

@@ -43,6 +43,19 @@ job "authelia" {
 
         ]
       }
+      action "generate-client-secret" {
+        command = "authelia"
+        args = ["crypto",
+                "hash",
+                "generate",
+                "pbkdf2",
+                "--random",
+                "--random.length",
+                "72",
+                "--random.charset",
+                "rfc3986"
+              ]
+      }
       config {
         image = "authelia/authelia"
         ports = ["authelia"]
@@ -79,6 +92,29 @@ server:
       legacy:
         implementation: 'Legacy'
 
+identity_providers:
+  oidc:
+    hmac_secret: {{ with secret "secrets/data/nomad/authelia"}}{{ .Data.data.hmac}}{{end}}
+    jwks:
+     - key_id: 'key'
+       key: |
+{{ with secret "secrets/data/nomad/authelia"}}{{ .Data.data.rsakey|indent 8 }}{{end}}
+    clients:
+      - client_id: 'ttrss'
+        client_name: 'ttrss'
+#        client_secret: $pbkdf2-sha512$310000$5igZ9BADDMeXml91wcIq3w$fNFeVMHDxXx758cYQe0kmgidZMedEgtN.zQd12xE9DzmSk8QRRUYx56zpjzLTO8PcKhDgR3qCdUPnO/XDdEDLg
+        client_secret: {{ with secret "secrets/data/authelia/ttrss"}} {{ .Data.data.hash }} {{end}}
+        public: false
+        scopes:
+          - openid
+          - email
+          - profile
+        redirect_uris:
+          - 'https://www.ducamps.eu/tt-rss'
+        userinfo_signed_response_alg: none
+        authorization_policy: 'one_factor'
+        pre_configured_consent_duration: 15d
+
 log:
   level: 'debug'
 
@@ -86,7 +122,6 @@ totp:
   issuer: 'authelia.com'
 
 
-{{ with secret "secrets/data/nomad/authelia"}}
 authentication_backend:
   ldap:
     address: 'ldaps://ldap.ducamps.eu'
@@ -102,7 +137,7 @@ authentication_backend:
     additional_groups_dn: 'OU=groups'
     groups_filter: '(&(member=UID={input},OU=users,DC=ducamps,DC=eu)(objectClass=groupOfNames))'
     user: 'uid=authelia,ou=serviceAccount,ou=users,dc=ducamps,dc=eu'
-    password: '{{ .Data.data.ldapPassword }}'
+    password:{{ with secret "secrets/data/nomad/authelia"}} '{{ .Data.data.ldapPassword }}'{{ end }}
     attributes:
       distinguished_name: 'distinguishedname'
       username: 'uid'
@@ -122,7 +157,7 @@ session:
     - name: 'authelia_session'
       domain: 'ducamps.eu'  # Should match whatever your root protected domain is
       authelia_url: 'https://auth.ducamps.eu'
-      expiration: '1 hour'
+      expiration: '12 hour'
       inactivity: '5 minutes'
 
 
@@ -132,23 +167,24 @@ regulation:
   ban_time: '5 minutes'
 
 storage:
+{{ with secret "secrets/data/nomad/authelia"}}
   encryption_key: '{{.Data.data.encryptionKeys }}'
+{{end}}
   local:
     path: '/config/db.sqlite3'
 
 notifier:
   smtp:
     username: 'authelia@ducamps.eu'
-#    # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
+{{ with secret "secrets/data/nomad/authelia"}}
     password: '{{ .Data.data.mailPassword}}'
-    host: 'mail.ducamps.eu'
+{{end}}
-    port: 465
+    address: submissions://mail.ducamps.eu:465
     disable_require_tls: true
     sender: 'authelia@ducamps.eu'
     tls:
       server_name: 'mail.ducamps.eu'
       skip_verify: true
-{{end}}
           EOH
         destination = "local/configuration.yml"
       }

nomad-job/rutorrent.nomad

@@ -6,9 +6,6 @@ job "torrent" {
   meta {
     forcedeploy = "0"
   }
-  vault {
-    policies= ["torrent"]
-  }
   group "bittorent" {
     network {
       mode = "host"
@@ -57,13 +54,13 @@ job "torrent" {
           "ecoute"
         ]
         volumes = [
-          "/mnt/hetzner/storagebox/rutorrentConfig:/data",
+          "/opt/rutorrentConfig:/data",
           "/mnt/hetzner/storagebox/file:/downloads"
         ]
 
       }
       env {
-        PUID       = 100001
+        PUID       = 1000001
         PGID       = 10
         UMASK      = 002
         WEBUI_PORT = "8080"

nomad-job/tt-rss.nomad

@@ -55,7 +55,8 @@ job "tt-rss" {
           "appPort"
         ]
         volumes = [
-          "${NOMAD_ALLOC_DIR}/data:/var/www/html"
+          "${NOMAD_ALLOC_DIR}/data:/var/www/html",
+          "/mnt/diskstation/nomad/tt-rss/ttrss-auth-oidc:/var/www/html/tt-rss/plugins.local/auth_oidc"
         ]
       }
       env {
@@ -64,16 +65,18 @@ job "tt-rss" {
         TTRSS_DB_NAME       = "ttrss"
         TTRSS_DB_USER       = "ttrss"
         TTRSS_SELF_URL_PATH = "https://www.ducamps.eu/tt-rss"
+        TTRSS_PLUGINS       = "auth_oidc, auth_internal"
+        TTRSS_AUTH_OIDC_NAME= "Authelia"
+        TTRSS_AUTH_OIDC_URL = "https://auth.ducamps.eu"
+        TTRSS_AUTH_OIDC_CLIENT_ID = "ttrss"
       }
       template {
         data        = <<EOH
-            {{ with secret "secrets/data/database/ttrss"}}
+            {{ with secret "secrets/data/database/ttrss"}}TTRSS_DB_PASS = "{{ .Data.data.password }}"{{end}} 
-            TTRSS_DB_PASS = "{{ .Data.data.password }}"
+            TTRSS_AUTH_OIDC_CLIENT_SECRET = {{ with secret "secrets/data/authelia/ttrss"}}"{{ .Data.data.password }}"{{end}}
-            {{end}}
           EOH
-        destination = "secrets/tt-rss.env"
+        destination = "secret/tt-rss.env"
         env         = true
-
       }
       resources {
         memory = 150

script/generate-vault-secret

@@ -4,6 +4,9 @@ import requests
 import secrets
 import json
 import os
+import hashlib
+import string
+from passlib.hash import pbkdf2_sha512
 
 class VaultSecret:
     def __init__(self,path: str,data: dict) -> None:
@@ -17,6 +20,17 @@ class VaultSecret:
                 data[k]=secrets.token_urlsafe(16)
         return data
 
+class AutheliaSecret(VaultSecret):
+    def __init__(self,path: str) -> None:
+        self.path=path
+        self.data={
+            "password":"",
+            "hash":""
+        }
+        self.data["password"]=secrets.token_urlsafe(72)
+        self.data["hash"]=pbkdf2_sha512.using(rounds=310000, salt_size=16).hash(self.data["password"])
+
+
 
 
 class Vault:
@@ -54,6 +68,9 @@ def main() -> None:
             "secret_key":""
         }
     }
+    listAutheliaSecret=[
+        "authelia/ttrss"
+    ]
 
     token=os.getenv('VAULT_TOKEN',"")
     vault_addr=os.getenv('VAULT_ADDR',"")
@@ -61,6 +78,9 @@ def main() -> None:
     for k,v in listSecret.items():
         secret=VaultSecret(k,v)
         vault.create_vault_secret(secret)
-
+    for v in listAutheliaSecret:
+        autheliaSecret=AutheliaSecret(v)
+        print(autheliaSecret.data["hash"])
+        vault.create_vault_secret(autheliaSecret)
 if __name__ == '__main__':
     main()

terraform/vault/nomad.tf

@@ -1,9 +1,7 @@
 locals {
-  allowed_policies= concat(local.nomad_policy, [
+  allowed_policies= concat(local.nomad_policy,local.nomad_custom_policy[*].name)
-  ])
  
   nomad_policy=[
-    "authelia",
     "crowdsec",
     "dump",
     "dentrite",
@@ -28,6 +26,19 @@ locals {
     "ldap",
     "borgmatic",
   ]
+nomad_custom_policy = [
+    {
+      name = "authelia",
+      policy=<<EOT
+path "secrets/data/nomad/authelia" {
+      capabilities = ["read"]
+      }
+path "secrets/data/authelia/*" {
+      capabilities = ["read"]
+      }
+      EOT
+    }
+  ]
 
 }
 resource "vault_token_auth_backend_role" "nomad-cluster" {
@@ -54,6 +65,11 @@ data "vault_policy_document" "nomad_jobs" {
     path = "secrets/data/database/${each.key}"
     capabilities = ["read"]
   }
+  rule {
+    path = "secrets/data/authelia/${each.key}"
+    capabilities = ["read"]
+  }
+
 }
 resource "vault_policy" "nomad_jobs" {
     for_each = toset(local.nomad_policy)
@@ -62,5 +78,10 @@ resource "vault_policy" "nomad_jobs" {
     policy = data.vault_policy_document.nomad_jobs[each.key].hcl
 }
 
+resource "vault_policy" "nomad_jobs_custom" {
+    for_each = {for policy in local.nomad_custom_policy: policy.name => policy}
 
+    name   = each.value.name
+    policy = each.value.policy
+}