feat: add authelia oidc authent
This commit is contained in:
parent
992937c011
commit
ab3c42cf8b
@ -43,6 +43,19 @@ job "authelia" {
|
|||||||
|
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
action "generate-client-secret" {
|
||||||
|
command = "authelia"
|
||||||
|
args = ["crypto",
|
||||||
|
"hash",
|
||||||
|
"generate",
|
||||||
|
"pbkdf2",
|
||||||
|
"--random",
|
||||||
|
"--random.length",
|
||||||
|
"72",
|
||||||
|
"--random.charset",
|
||||||
|
"rfc3986"
|
||||||
|
]
|
||||||
|
}
|
||||||
config {
|
config {
|
||||||
image = "authelia/authelia"
|
image = "authelia/authelia"
|
||||||
ports = ["authelia"]
|
ports = ["authelia"]
|
||||||
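Review bot: The new `action "generate-client-secret"` block carries no comment about its purpose or where its output is meant to go, and with `--random` the command presumably prints the generated plaintext secret together with the digest, so anyone allowed to run `nomad action` on this task sees the plaintext. A one-line comment such as `# operator helper: prints a random client secret plus its pbkdf2 digest; store the digest under secrets/data/authelia/<client>` would make the intended workflow explicit and keep it out of automated pipelines. The `action` stanza requires Nomad 1.7 or later, which is worth recording if older clients are still in the fleet.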
@ -79,6 +92,29 @@ server:
|
|||||||
legacy:
|
legacy:
|
||||||
implementation: 'Legacy'
|
implementation: 'Legacy'
|
||||||
|
|
||||||
|
identity_providers:
|
||||||
|
oidc:
|
||||||
|
hmac_secret: {{ with secret "secrets/data/nomad/authelia"}}{{ .Data.data.hmac}}{{end}}
|
||||||
|
jwks:
|
||||||
|
- key_id: 'key'
|
||||||
|
key: |
|
||||||
|
{{ with secret "secrets/data/nomad/authelia"}}{{ .Data.data.rsakey|indent 8 }}{{end}}
|
||||||
|
clients:
|
||||||
|
- client_id: 'ttrss'
|
||||||
|
client_name: 'ttrss'
|
||||||
|
# client_secret: $pbkdf2-sha512$310000$5igZ9BADDMeXml91wcIq3w$fNFeVMHDxXx758cYQe0kmgidZMedEgtN.zQd12xE9DzmSk8QRRUYx56zpjzLTO8PcKhDgR3qCdUPnO/XDdEDLg
|
||||||
|
client_secret: {{ with secret "secrets/data/authelia/ttrss"}} {{ .Data.data.hash }} {{end}}
|
||||||
|
public: false
|
||||||
|
scopes:
|
||||||
|
- openid
|
||||||
|
- email
|
||||||
|
- profile
|
||||||
|
redirect_uris:
|
||||||
|
- 'https://www.ducamps.eu/tt-rss'
|
||||||
|
userinfo_signed_response_alg: none
|
||||||
|
authorization_policy: 'one_factor'
|
||||||
|
pre_configured_consent_duration: 15d
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: 'debug'
|
level: 'debug'
|
||||||
|
|
||||||
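Review bot: The commented-out `# client_secret: $pbkdf2-sha512$…` line should be dropped rather than left in the committed template, since the live value is already pulled from Vault on the following line. Even as a digest, a credential hash in a config repository invites offline guessing and leaves the next reader unsure which value is authoritative; if it ever protected a real secret, rotate that secret. `userinfo_signed_response_alg: none` and `authorization_policy: 'one_factor'` are deliberate security choices that each deserve a short inline reason, e.g. `authorization_policy: 'one_factor' # LDAP password only; raise to two_factor once TOTP is enrolled`.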
@ -86,7 +122,6 @@ totp:
|
|||||||
issuer: 'authelia.com'
|
issuer: 'authelia.com'
|
||||||
|
|
||||||
|
|
||||||
{{ with secret "secrets/data/nomad/authelia"}}
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
ldap:
|
ldap:
|
||||||
address: 'ldaps://ldap.ducamps.eu'
|
address: 'ldaps://ldap.ducamps.eu'
|
||||||
@ -102,7 +137,7 @@ authentication_backend:
|
|||||||
additional_groups_dn: 'OU=groups'
|
additional_groups_dn: 'OU=groups'
|
||||||
groups_filter: '(&(member=UID={input},OU=users,DC=ducamps,DC=eu)(objectClass=groupOfNames))'
|
groups_filter: '(&(member=UID={input},OU=users,DC=ducamps,DC=eu)(objectClass=groupOfNames))'
|
||||||
user: 'uid=authelia,ou=serviceAccount,ou=users,dc=ducamps,dc=eu'
|
user: 'uid=authelia,ou=serviceAccount,ou=users,dc=ducamps,dc=eu'
|
||||||
password: '{{ .Data.data.ldapPassword }}'
|
password:{{ with secret "secrets/data/nomad/authelia"}} '{{ .Data.data.ldapPassword }}'{{ end }}
|
||||||
attributes:
|
attributes:
|
||||||
distinguished_name: 'distinguishedname'
|
distinguished_name: 'distinguishedname'
|
||||||
username: 'uid'
|
username: 'uid'
|
||||||
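Review bot: The rendered `password: '…'` line breaks the YAML if the LDAP password ever contains a single quote, because the template drops the raw Vault value into a single-quoted scalar with no escaping. Either route it through Authelia's `_FILE` secret mechanism (the SMTP section of this file already mentions it) or document the constraint next to the line, e.g. `# ldapPassword must not contain a single quote (YAML single-quoted scalar)`. The enclosing `authentication_backend.ldap` block starts before this hunk.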
@ -122,7 +157,7 @@ session:
|
|||||||
- name: 'authelia_session'
|
- name: 'authelia_session'
|
||||||
domain: 'ducamps.eu' # Should match whatever your root protected domain is
|
domain: 'ducamps.eu' # Should match whatever your root protected domain is
|
||||||
authelia_url: 'https://auth.ducamps.eu'
|
authelia_url: 'https://auth.ducamps.eu'
|
||||||
expiration: '1 hour'
|
expiration: '12 hour'
|
||||||
inactivity: '5 minutes'
|
inactivity: '5 minutes'
|
||||||
|
|
||||||
|
|
||||||
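Review bot: Raising `expiration` from `'1 hour'` to `'12 hour'` is a security-relevant change that the commit title (OIDC) does not mention, so it deserves an inline reason. `inactivity: '5 minutes'` still bounds idle sessions, which is worth stating beside it: `expiration: '12 hour' # absolute lifetime; idle sessions still end per 'inactivity' below`. The `session.cookies` entry starts before this hunk.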
@ -132,23 +167,24 @@ regulation:
|
|||||||
ban_time: '5 minutes'
|
ban_time: '5 minutes'
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
|
{{ with secret "secrets/data/nomad/authelia"}}
|
||||||
encryption_key: '{{.Data.data.encryptionKeys }}'
|
encryption_key: '{{.Data.data.encryptionKeys }}'
|
||||||
|
{{end}}
|
||||||
local:
|
local:
|
||||||
path: '/config/db.sqlite3'
|
path: '/config/db.sqlite3'
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
smtp:
|
smtp:
|
||||||
username: 'authelia@ducamps.eu'
|
username: 'authelia@ducamps.eu'
|
||||||
# # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
|
{{ with secret "secrets/data/nomad/authelia"}}
|
||||||
password: '{{ .Data.data.mailPassword}}'
|
password: '{{ .Data.data.mailPassword}}'
|
||||||
host: 'mail.ducamps.eu'
|
{{end}}
|
||||||
port: 465
|
address: submissions://mail.ducamps.eu:465
|
||||||
disable_require_tls: true
|
disable_require_tls: true
|
||||||
sender: 'authelia@ducamps.eu'
|
sender: 'authelia@ducamps.eu'
|
||||||
tls:
|
tls:
|
||||||
server_name: 'mail.ducamps.eu'
|
server_name: 'mail.ducamps.eu'
|
||||||
skip_verify: true
|
skip_verify: true
|
||||||
{{end}}
|
|
||||||
EOH
|
EOH
|
||||||
destination = "local/configuration.yml"
|
destination = "local/configuration.yml"
|
||||||
}
|
}
|
||||||
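Review bot: This template now inlines the storage encryption key and the SMTP password (alongside the HMAC secret, JWK private key and LDAP password added earlier in the same file) into `local/configuration.yml`, and Nomad's `local/` directory is served through the allocation filesystem API, whereas `secrets/` is the tmpfs that `nomad alloc fs` does not expose. Unless something outside this diff depends on the path, render to `destination = "secrets/configuration.yml"` and point Authelia's `--config` at that location. The `tls.skip_verify: true` lines for SMTP are pre-existing context, but with the move to `submissions://mail.ducamps.eu:465` and an explicit `server_name` they look unnecessary; hedged, since the mail host's certificate chain is not visible here.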
|
@ -6,9 +6,6 @@ job "torrent" {
|
|||||||
meta {
|
meta {
|
||||||
forcedeploy = "0"
|
forcedeploy = "0"
|
||||||
}
|
}
|
||||||
vault {
|
|
||||||
policies= ["torrent"]
|
|
||||||
}
|
|
||||||
group "bittorent" {
|
group "bittorent" {
|
||||||
network {
|
network {
|
||||||
mode = "host"
|
mode = "host"
|
||||||
@ -57,13 +54,13 @@ job "torrent" {
|
|||||||
"ecoute"
|
"ecoute"
|
||||||
]
|
]
|
||||||
volumes = [
|
volumes = [
|
||||||
"/mnt/hetzner/storagebox/rutorrentConfig:/data",
|
"/opt/rutorrentConfig:/data",
|
||||||
"/mnt/hetzner/storagebox/file:/downloads"
|
"/mnt/hetzner/storagebox/file:/downloads"
|
||||||
]
|
]
|
||||||
|
|
||||||
}
|
}
|
||||||
env {
|
env {
|
||||||
PUID = 100001
|
PUID = 1000001
|
||||||
PGID = 10
|
PGID = 10
|
||||||
UMASK = 002
|
UMASK = 002
|
||||||
WEBUI_PORT = "8080"
|
WEBUI_PORT = "8080"
|
||||||
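Review bot: `PUID` changes from `100001` to `1000001` and the config volume moves from the storagebox path to the host path `/opt/rutorrentConfig`, with nothing in the commit tying either to the OIDC work; confirm the extra digit is intentional and that `/opt/rutorrentConfig` exists on every eligible client with ownership matching that UID, since a mismatch only surfaces at runtime as permission errors. A short comment above the `env` block stating where the UID comes from would stop the next reader from treating it as a typo. The `config` block starts before this hunk.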
|
@ -55,7 +55,8 @@ job "tt-rss" {
|
|||||||
"appPort"
|
"appPort"
|
||||||
]
|
]
|
||||||
volumes = [
|
volumes = [
|
||||||
"${NOMAD_ALLOC_DIR}/data:/var/www/html"
|
"${NOMAD_ALLOC_DIR}/data:/var/www/html",
|
||||||
|
"/mnt/diskstation/nomad/tt-rss/ttrss-auth-oidc:/var/www/html/tt-rss/plugins.local/auth_oidc"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
env {
|
env {
|
||||||
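Review bot: The new bind mount places PHP plugin code from a network share directly into `plugins.local/auth_oidc`, so any principal that can write to `/mnt/diskstation/nomad/tt-rss/ttrss-auth-oidc` can change code that runs inside the tt-rss container. At minimum mount it read-only, `"/mnt/diskstation/nomad/tt-rss/ttrss-auth-oidc:/var/www/html/tt-rss/plugins.local/auth_oidc:ro"`, and consider fetching a pinned plugin release through an `artifact` stanza with a checksum rather than a mutable share. The `config` block starts before this hunk.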
@ -64,16 +65,18 @@ job "tt-rss" {
|
|||||||
TTRSS_DB_NAME = "ttrss"
|
TTRSS_DB_NAME = "ttrss"
|
||||||
TTRSS_DB_USER = "ttrss"
|
TTRSS_DB_USER = "ttrss"
|
||||||
TTRSS_SELF_URL_PATH = "https://www.ducamps.eu/tt-rss"
|
TTRSS_SELF_URL_PATH = "https://www.ducamps.eu/tt-rss"
|
||||||
|
TTRSS_PLUGINS = "auth_oidc, auth_internal"
|
||||||
|
TTRSS_AUTH_OIDC_NAME= "Authelia"
|
||||||
|
TTRSS_AUTH_OIDC_URL = "https://auth.ducamps.eu"
|
||||||
|
TTRSS_AUTH_OIDC_CLIENT_ID = "ttrss"
|
||||||
}
|
}
|
||||||
template {
|
template {
|
||||||
data = <<EOH
|
data = <<EOH
|
||||||
{{ with secret "secrets/data/database/ttrss"}}
|
{{ with secret "secrets/data/database/ttrss"}}TTRSS_DB_PASS = "{{ .Data.data.password }}"{{end}}
|
||||||
TTRSS_DB_PASS = "{{ .Data.data.password }}"
|
TTRSS_AUTH_OIDC_CLIENT_SECRET = {{ with secret "secrets/data/authelia/ttrss"}}"{{ .Data.data.password }}"{{end}}
|
||||||
{{end}}
|
|
||||||
EOH
|
EOH
|
||||||
destination = "secrets/tt-rss.env"
|
destination = "secret/tt-rss.env"
|
||||||
env = true
|
env = true
|
||||||
|
|
||||||
}
|
}
|
||||||
resources {
|
resources {
|
||||||
memory = 150
|
memory = 150
|
||||||
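Review bot: `destination = "secrets/tt-rss.env"` was changed to `"secret/tt-rss.env"`, which is not Nomad's protected secrets directory: `secret/` is an ordinary directory under the task dir and is visible through `nomad alloc fs`, whereas `secrets/` is the tmpfs Nomad keeps out of the filesystem API. Since this file now holds both the DB password and the OIDC client secret, revert to `destination = "secrets/tt-rss.env"`. The per-line `{{ with secret … }}` wrapping is otherwise fine; the `template` block ends before the `resources` block and the surrounding `task` starts outside this hunk.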
|
@ -4,6 +4,9 @@ import requests
|
|||||||
import secrets
|
import secrets
|
||||||
import json
|
import json
|
||||||
import os
|
import os
|
||||||
|
import hashlib
|
||||||
|
import string
|
||||||
|
from passlib.hash import pbkdf2_sha512
|
||||||
|
|
||||||
class VaultSecret:
|
class VaultSecret:
|
||||||
def __init__(self,path: str,data: dict) -> None:
|
def __init__(self,path: str,data: dict) -> None:
|
||||||
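Review bot: `hashlib` and `string` are imported but nothing in the added code uses them (`AutheliaSecret` needs only `secrets` and `pbkdf2_sha512`), so unless they are used elsewhere in the file both lines should be dropped. `passlib` is a new third-party dependency and should be recorded wherever this script's requirements live; the CI status on this page shows the build failing, and a missing module is one plausible cause, though the log is not visible here.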
@ -17,6 +20,17 @@ class VaultSecret:
|
|||||||
data[k]=secrets.token_urlsafe(16)
|
data[k]=secrets.token_urlsafe(16)
|
||||||
return data
|
return data
|
||||||
|
|
||||||
|
class AutheliaSecret(VaultSecret):
|
||||||
|
def __init__(self,path: str) -> None:
|
||||||
|
self.path=path
|
||||||
|
self.data={
|
||||||
|
"password":"",
|
||||||
|
"hash":""
|
||||||
|
}
|
||||||
|
self.data["password"]=secrets.token_urlsafe(72)
|
||||||
|
self.data["hash"]=pbkdf2_sha512.using(rounds=310000, salt_size=16).hash(self.data["password"])
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
class Vault:
|
class Vault:
|
||||||
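Review bot: `AutheliaSecret.__init__` assigns `self.path` and `self.data` by hand instead of delegating to the `VaultSecret.__init__(self, path, data)` signature visible above, so whatever the parent constructor does with its arguments is skipped; compute `password = secrets.token_urlsafe(72)` first and call `super().__init__(path, {"password": password, "hash": pbkdf2_sha512.using(rounds=310000, salt_size=16).hash(password)})`. The class also lacks a docstring; it should state that every instantiation generates a fresh random client secret and stores both the plaintext (for the relying party) and the pbkdf2-sha512 digest (for Authelia) under the same Vault path. The initial `"password": ""` / `"hash": ""` dict is dead, since both keys are overwritten immediately.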
@ -54,6 +68,9 @@ def main() -> None:
|
|||||||
"secret_key":""
|
"secret_key":""
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
listAutheliaSecret=[
|
||||||
|
"authelia/ttrss"
|
||||||
|
]
|
||||||
|
|
||||||
token=os.getenv('VAULT_TOKEN',"")
|
token=os.getenv('VAULT_TOKEN',"")
|
||||||
vault_addr=os.getenv('VAULT_ADDR',"")
|
vault_addr=os.getenv('VAULT_ADDR',"")
|
||||||
@ -61,6 +78,9 @@ def main() -> None:
|
|||||||
for k,v in listSecret.items():
|
for k,v in listSecret.items():
|
||||||
secret=VaultSecret(k,v)
|
secret=VaultSecret(k,v)
|
||||||
vault.create_vault_secret(secret)
|
vault.create_vault_secret(secret)
|
||||||
|
for v in listAutheliaSecret:
|
||||||
|
autheliaSecret=AutheliaSecret(v)
|
||||||
|
print(autheliaSecret.data["hash"])
|
||||||
|
vault.create_vault_secret(autheliaSecret)
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
main()
|
main()
|
||||||
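Review bot: `print(autheliaSecret.data["hash"])` writes the client-secret digest to stdout, which under the Drone CI this repo uses ends up in build logs; drop the print, or log only the Vault path that was written. Because `AutheliaSecret` regenerates the secret on every construction, each run of `main()` rotates `authelia/ttrss` and leaves a running Authelia and tt-rss with stale values until they are redeployed, which deserves a comment or a check that the secret does not already exist, mirroring the fill-only-empty behaviour the `VaultSecret` loop above appears to implement. `main()` starts before this hunk.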
|
@ -1,9 +1,7 @@
|
|||||||
locals {
|
locals {
|
||||||
allowed_policies= concat(local.nomad_policy, [
|
allowed_policies= concat(local.nomad_policy,local.nomad_custom_policy[*].name)
|
||||||
])
|
|
||||||
|
|
||||||
nomad_policy=[
|
nomad_policy=[
|
||||||
"authelia",
|
|
||||||
"crowdsec",
|
"crowdsec",
|
||||||
"dump",
|
"dump",
|
||||||
"dentrite",
|
"dentrite",
|
||||||
@ -28,6 +26,19 @@ locals {
|
|||||||
"ldap",
|
"ldap",
|
||||||
"borgmatic",
|
"borgmatic",
|
||||||
]
|
]
|
||||||
|
nomad_custom_policy = [
|
||||||
|
{
|
||||||
|
name = "authelia",
|
||||||
|
policy=<<EOT
|
||||||
|
path "secrets/data/nomad/authelia" {
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
|
path "secrets/data/authelia/*" {
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
|
EOT
|
||||||
|
}
|
||||||
|
]
|
||||||
|
|
||||||
}
|
}
|
||||||
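Review bot: The `authelia` policy grants `read` on `secrets/data/authelia/*`, and each secret at that path holds the plaintext `password` next to the `hash` (see the `AutheliaSecret` data shape in this commit), so Authelia's token can read every relying party's plaintext client secret although it only needs the digest. Keep only the digest under `secrets/data/authelia/<client>` and store the plaintext under the consuming job's own path, or at least add a comment above the rule stating that both values live there. The heredoc should also use `<<-EOT` so the policy text does not carry the surrounding indentation, though Vault tolerates it.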
resource "vault_token_auth_backend_role" "nomad-cluster" {
|
resource "vault_token_auth_backend_role" "nomad-cluster" {
|
||||||
@ -54,6 +65,11 @@ data "vault_policy_document" "nomad_jobs" {
|
|||||||
path = "secrets/data/database/${each.key}"
|
path = "secrets/data/database/${each.key}"
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
rule {
|
||||||
|
path = "secrets/data/authelia/${each.key}"
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
resource "vault_policy" "nomad_jobs" {
|
resource "vault_policy" "nomad_jobs" {
|
||||||
for_each = toset(local.nomad_policy)
|
for_each = toset(local.nomad_policy)
|
||||||
@ -62,5 +78,10 @@ resource "vault_policy" "nomad_jobs" {
|
|||||||
policy = data.vault_policy_document.nomad_jobs[each.key].hcl
|
policy = data.vault_policy_document.nomad_jobs[each.key].hcl
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "vault_policy" "nomad_jobs_custom" {
|
||||||
|
for_each = {for policy in local.nomad_custom_policy: policy.name => policy}
|
||||||
|
|
||||||
|
name = each.value.name
|
||||||
|
policy = each.value.policy
|
||||||
|
}
|
||||||
|
|
||||||
|