feat: add authelia oidc authent

This commit is contained in:
vincent 2024-04-24 21:23:39 +02:00
parent 992937c011
commit ab3c42cf8b
5 changed files with 99 additions and 22 deletions


@ -43,6 +43,19 @@ job "authelia" {
] ]
} }
action "generate-client-secret" {
command = "authelia"
args = ["crypto",
"hash",
"generate",
"pbkdf2",
"--random",
"--random.length",
"72",
"--random.charset",
"rfc3986"
]
}
config { config {
image = "authelia/authelia" image = "authelia/authelia"
ports = ["authelia"] ports = ["authelia"]
@ -79,6 +92,29 @@ server:
legacy: legacy:
implementation: 'Legacy' implementation: 'Legacy'
identity_providers:
oidc:
hmac_secret: {{ with secret "secrets/data/nomad/authelia"}}{{ .Data.data.hmac}}{{end}}
jwks:
- key_id: 'key'
key: |
{{ with secret "secrets/data/nomad/authelia"}}{{ .Data.data.rsakey|indent 8 }}{{end}}
clients:
- client_id: 'ttrss'
client_name: 'ttrss'
# client_secret: $pbkdf2-sha512$310000$5igZ9BADDMeXml91wcIq3w$fNFeVMHDxXx758cYQe0kmgidZMedEgtN.zQd12xE9DzmSk8QRRUYx56zpjzLTO8PcKhDgR3qCdUPnO/XDdEDLg
client_secret: {{ with secret "secrets/data/authelia/ttrss"}} {{ .Data.data.hash }} {{end}}
public: false
scopes:
- openid
- email
- profile
redirect_uris:
- 'https://www.ducamps.eu/tt-rss'
userinfo_signed_response_alg: none
authorization_policy: 'one_factor'
pre_configured_consent_duration: 15d
log: log:
level: 'debug' level: 'debug'
@ -86,7 +122,6 @@ totp:
issuer: 'authelia.com' issuer: 'authelia.com'
{{ with secret "secrets/data/nomad/authelia"}}
authentication_backend: authentication_backend:
ldap: ldap:
address: 'ldaps://ldap.ducamps.eu' address: 'ldaps://ldap.ducamps.eu'
@ -102,7 +137,7 @@ authentication_backend:
additional_groups_dn: 'OU=groups' additional_groups_dn: 'OU=groups'
groups_filter: '(&(member=UID={input},OU=users,DC=ducamps,DC=eu)(objectClass=groupOfNames))' groups_filter: '(&(member=UID={input},OU=users,DC=ducamps,DC=eu)(objectClass=groupOfNames))'
user: 'uid=authelia,ou=serviceAccount,ou=users,dc=ducamps,dc=eu' user: 'uid=authelia,ou=serviceAccount,ou=users,dc=ducamps,dc=eu'
password: '{{ .Data.data.ldapPassword }}' password:{{ with secret "secrets/data/nomad/authelia"}} '{{ .Data.data.ldapPassword }}'{{ end }}
attributes: attributes:
distinguished_name: 'distinguishedname' distinguished_name: 'distinguishedname'
username: 'uid' username: 'uid'
@ -122,7 +157,7 @@ session:
- name: 'authelia_session' - name: 'authelia_session'
domain: 'ducamps.eu' # Should match whatever your root protected domain is domain: 'ducamps.eu' # Should match whatever your root protected domain is
authelia_url: 'https://auth.ducamps.eu' authelia_url: 'https://auth.ducamps.eu'
expiration: '1 hour' expiration: '12 hour'
inactivity: '5 minutes' inactivity: '5 minutes'
@ -132,23 +167,24 @@ regulation:
ban_time: '5 minutes' ban_time: '5 minutes'
storage: storage:
{{ with secret "secrets/data/nomad/authelia"}}
encryption_key: '{{.Data.data.encryptionKeys }}' encryption_key: '{{.Data.data.encryptionKeys }}'
{{end}}
local: local:
path: '/config/db.sqlite3' path: '/config/db.sqlite3'
notifier: notifier:
smtp: smtp:
username: 'authelia@ducamps.eu' username: 'authelia@ducamps.eu'
# # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE {{ with secret "secrets/data/nomad/authelia"}}
password: '{{ .Data.data.mailPassword}}' password: '{{ .Data.data.mailPassword}}'
host: 'mail.ducamps.eu' {{end}}
port: 465 address: submissions://mail.ducamps.eu:465
disable_require_tls: true disable_require_tls: true
sender: 'authelia@ducamps.eu' sender: 'authelia@ducamps.eu'
tls: tls:
server_name: 'mail.ducamps.eu' server_name: 'mail.ducamps.eu'
skip_verify: true skip_verify: true
{{end}}
EOH EOH
destination = "local/configuration.yml" destination = "local/configuration.yml"
} }
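Review bot: The commented-out `# client_secret: $pbkdf2-sha512$310000$...` line should be deleted rather than shipped in the job file; even commented out it is credential material that now lives in git history, and the Vault template on the following line is the source of truth. That template, `client_secret: {{ with secret "secrets/data/authelia/ttrss"}} {{ .Data.data.hash }} {{end}}`, also carries stray spaces around the value and, unlike the LDAP `password:` line further down, no YAML quoting; `client_secret: '{{ with secret "secrets/data/authelia/ttrss"}}{{ .Data.data.hash }}{{end}}'` is the safer form. The `{{ .Data.data.rsakey|indent 8 }}` under `key: |` only yields a valid block scalar if the template line itself sits at column 0 of the heredoc, since `indent` prefixes every line including the first; the rendered page hides the leading whitespace, so please check the rendered `local/configuration.yml`. Separately, `skip_verify: true` and `disable_require_tls: true` on the notifier are left in place while the SMTP address moves to `submissions://`, so the mail credential still goes out without certificate verification. The `data = <<EOH` template begins before these hunks.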


@ -6,9 +6,6 @@ job "torrent" {
meta { meta {
forcedeploy = "0" forcedeploy = "0"
} }
vault {
policies= ["torrent"]
}
group "bittorent" { group "bittorent" {
network { network {
mode = "host" mode = "host"
@ -57,13 +54,13 @@ job "torrent" {
"ecoute" "ecoute"
] ]
volumes = [ volumes = [
"/mnt/hetzner/storagebox/rutorrentConfig:/data", "/opt/rutorrentConfig:/data",
"/mnt/hetzner/storagebox/file:/downloads" "/mnt/hetzner/storagebox/file:/downloads"
] ]
} }
env { env {
PUID = 100001 PUID = 1000001
PGID = 10 PGID = 10
UMASK = 002 UMASK = 002
WEBUI_PORT = "8080" WEBUI_PORT = "8080"
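Review bot: `PUID = 1000001` looks like it may carry an extra digit compared with the previous `100001`; because `/opt/rutorrentConfig` is a new host bind-mount whose ownership has to match this UID, please confirm the value is intentional before the job is redeployed. Dropping the `vault { policies = ["torrent"] }` stanza and relocating the config volume are unrelated to the OIDC work in the commit title, and a separate commit would keep them reviewable. The `bittorent` group starts before and continues past the hunks shown.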


@ -55,7 +55,8 @@ job "tt-rss" {
"appPort" "appPort"
] ]
volumes = [ volumes = [
"${NOMAD_ALLOC_DIR}/data:/var/www/html" "${NOMAD_ALLOC_DIR}/data:/var/www/html",
"/mnt/diskstation/nomad/tt-rss/ttrss-auth-oidc:/var/www/html/tt-rss/plugins.local/auth_oidc"
] ]
} }
env { env {
@ -64,16 +65,18 @@ job "tt-rss" {
TTRSS_DB_NAME = "ttrss" TTRSS_DB_NAME = "ttrss"
TTRSS_DB_USER = "ttrss" TTRSS_DB_USER = "ttrss"
TTRSS_SELF_URL_PATH = "https://www.ducamps.eu/tt-rss" TTRSS_SELF_URL_PATH = "https://www.ducamps.eu/tt-rss"
TTRSS_PLUGINS = "auth_oidc, auth_internal"
TTRSS_AUTH_OIDC_NAME= "Authelia"
TTRSS_AUTH_OIDC_URL = "https://auth.ducamps.eu"
TTRSS_AUTH_OIDC_CLIENT_ID = "ttrss"
} }
template { template {
data = <<EOH data = <<EOH
{{ with secret "secrets/data/database/ttrss"}} {{ with secret "secrets/data/database/ttrss"}}TTRSS_DB_PASS = "{{ .Data.data.password }}"{{end}}
TTRSS_DB_PASS = "{{ .Data.data.password }}" TTRSS_AUTH_OIDC_CLIENT_SECRET = {{ with secret "secrets/data/authelia/ttrss"}}"{{ .Data.data.password }}"{{end}}
{{end}}
EOH EOH
destination = "secrets/tt-rss.env" destination = "secret/tt-rss.env"
env = true env = true
} }
resources { resources {
memory = 150 memory = 150
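Review bot: The template destination changed from `secrets/tt-rss.env` to `secret/tt-rss.env`, which moves the rendered DB password and `TTRSS_AUTH_OIDC_CLIENT_SECRET` out of Nomad's dedicated `secrets/` task directory (tmpfs-backed and hidden from the allocation filesystem API, as far as I recall) into an ordinary task-dir path; it should stay `destination = "secrets/tt-rss.env"`. `TTRSS_PLUGINS = "auth_oidc, auth_internal"` keeps the built-in password login active beside OIDC, so Authelia's `one_factor` policy does not gate tt-rss on its own; if that is intended, say so with `# auth_internal kept for local admin/break-glass login`. The OIDC plugin is executed from the host path `/mnt/diskstation/nomad/tt-rss/ttrss-auth-oidc`, so whoever can write that share can run code inside the tt-rss container; pin it to a reviewed checkout or bake it into the image. The task block continues past this hunk.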


@ -4,6 +4,9 @@ import requests
import secrets import secrets
import json import json
import os import os
import hashlib
import string
from passlib.hash import pbkdf2_sha512
class VaultSecret: class VaultSecret:
def __init__(self,path: str,data: dict) -> None: def __init__(self,path: str,data: dict) -> None:
@ -17,6 +20,17 @@ class VaultSecret:
data[k]=secrets.token_urlsafe(16) data[k]=secrets.token_urlsafe(16)
return data return data
class AutheliaSecret(VaultSecret):
def __init__(self,path: str) -> None:
self.path=path
self.data={
"password":"",
"hash":""
}
self.data["password"]=secrets.token_urlsafe(72)
self.data["hash"]=pbkdf2_sha512.using(rounds=310000, salt_size=16).hash(self.data["password"])
class Vault: class Vault:
@ -54,6 +68,9 @@ def main() -> None:
"secret_key":"" "secret_key":""
} }
} }
listAutheliaSecret=[
"authelia/ttrss"
]
token=os.getenv('VAULT_TOKEN',"") token=os.getenv('VAULT_TOKEN',"")
vault_addr=os.getenv('VAULT_ADDR',"") vault_addr=os.getenv('VAULT_ADDR',"")
@ -61,6 +78,9 @@ def main() -> None:
for k,v in listSecret.items(): for k,v in listSecret.items():
secret=VaultSecret(k,v) secret=VaultSecret(k,v)
vault.create_vault_secret(secret) vault.create_vault_secret(secret)
for v in listAutheliaSecret:
autheliaSecret=AutheliaSecret(v)
print(autheliaSecret.data["hash"])
vault.create_vault_secret(autheliaSecret)
if __name__ == '__main__': if __name__ == '__main__':
main() main()
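Review bot: `hashlib` and `string` are added to the imports but nothing in this hunk uses them (the hash comes from `passlib.hash.pbkdf2_sha512`), so the two lines should be dropped. `print(autheliaSecret.data["hash"])` writes the pbkdf2 hash to stdout on every run, which lands in CI logs; if it is only needed for pasting into a config, gate it behind a flag or print the Vault path instead. `AutheliaSecret.__init__` bypasses `VaultSecret.__init__` and sets `self.path`/`self.data` by hand; `super().__init__(path, {"password": pw, "hash": pbkdf2_sha512.using(rounds=310000, salt_size=16).hash(pw)})` keeps the two classes aligned, and a docstring noting that `password` is the plaintext handed to the OIDC client while `hash` is what Authelia stores would help the next reader. Because both keys live in one Vault entry, any policy that can read this path obtains the plaintext client secret. `main()` begins before this hunk.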


@ -1,9 +1,7 @@
locals { locals {
allowed_policies= concat(local.nomad_policy, [ allowed_policies= concat(local.nomad_policy,local.nomad_custom_policy[*].name)
])
nomad_policy=[ nomad_policy=[
"authelia",
"crowdsec", "crowdsec",
"dump", "dump",
"dentrite", "dentrite",
@ -28,6 +26,19 @@ locals {
"ldap", "ldap",
"borgmatic", "borgmatic",
] ]
nomad_custom_policy = [
{
name = "authelia",
policy=<<EOT
path "secrets/data/nomad/authelia" {
capabilities = ["read"]
}
path "secrets/data/authelia/*" {
capabilities = ["read"]
}
EOT
}
]
} }
resource "vault_token_auth_backend_role" "nomad-cluster" { resource "vault_token_auth_backend_role" "nomad-cluster" {
@ -54,6 +65,11 @@ data "vault_policy_document" "nomad_jobs" {
path = "secrets/data/database/${each.key}" path = "secrets/data/database/${each.key}"
capabilities = ["read"] capabilities = ["read"]
} }
rule {
path = "secrets/data/authelia/${each.key}"
capabilities = ["read"]
}
} }
resource "vault_policy" "nomad_jobs" { resource "vault_policy" "nomad_jobs" {
for_each = toset(local.nomad_policy) for_each = toset(local.nomad_policy)
@ -62,5 +78,10 @@ resource "vault_policy" "nomad_jobs" {
policy = data.vault_policy_document.nomad_jobs[each.key].hcl policy = data.vault_policy_document.nomad_jobs[each.key].hcl
} }
resource "vault_policy" "nomad_jobs_custom" {
for_each = {for policy in local.nomad_custom_policy: policy.name => policy}
name = each.value.name
policy = each.value.policy
}
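Review bot: The `authelia` custom policy grants read on `secrets/data/authelia/*`, and the generator script in this commit writes both `password` (plaintext client secret) and `hash` under that same path, so Authelia, which only needs the hash, can read every client's plaintext secret; keeping the hash at its own path (for example `secrets/data/authelia/<client>/hash`) would narrow the grant to what is used. The new `rule { path = "secrets/data/authelia/${each.key}" }` is added for every job in `nomad_policy` although most of them have no OIDC client; harmless while the secrets do not exist, but a dedicated list of OIDC clients would make the intent explicit. The `nomad_policy` list that feeds both resources starts before the second hunk.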