From 8bb4f9a6860e9a764405e7d8894a0eebe5ac3159 Mon Sep 17 00:00:00 2001
From: root <root@f11391a1.federatedcomputer.cloud>
Date: Tue, 23 Jul 2024 17:27:31 +0000
Subject: [PATCH] Added authelia.sh

---
 lib/authelia.sh | 248 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 248 insertions(+)
 create mode 100644 lib/authelia.sh

diff --git a/lib/authelia.sh b/lib/authelia.sh
new file mode 100644
index 0000000..09c1f92
--- /dev/null
+++ b/lib/authelia.sh
@@ -0,0 +1,248 @@
+#!/bin/bash
+#
+# Authelia Service
+
+PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+get_appvars
+
+config_authelia() {
+  echo -ne "\n* Configuring /federated/apps/authelia container.."
+
+  if [ ! -d "/federated/apps/authelia" ]; then
+    mkdir -p /federated/apps/authelia/data/config
+    mkdir -p /federated/apps/authelia/data/secrets
+  fi
+
+cat > /federated/apps/authelia/docker-compose.yml <<EOF
+version: '3.7'
+
+services:
+  authelia:
+    image: authelia/authelia:\${IMAGE_VERSION}
+    container_name: authelia
+    hostname: authelia.$DOMAIN
+    domainname: $DOMAIN
+    restart: always
+    networks:
+      federated:
+        ipv4_address: 172.99.0.90
+    env_file:
+      - ./.env
+    volumes:
+      - ./data/config:/config
+      - ./data/secrets:/secrets
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.authelia.rule=Host(\`authelia.$DOMAIN\`)"
+      - "traefik.http.routers.authelia.entrypoints=websecure"
+      - "traefik.http.routers.authelia.tls.certresolver=letsencrypt"
+      - "traefik.http.middlewares.authelia.forwardAuth.address=http://authelia.$DOMAIN:9091/api/authz/forward-auth"
+      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
+      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
+
+networks:
+  federated:
+    external: true
+EOF
+
+tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 > /federated/apps/authelia/data/secrets/JWT_SECRET 
+tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 > /federated/apps/authelia/data/secrets/SESSION_SECRET 
+tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 > /federated/apps/authelia/data/secrets/STORAGE_ENCRYPTION_KEY
+echo "$LDAP_SECRET" > /federated/apps/authelia/data/secrets/AUTHENTICATION_BACKEND_LDAP_PASSWORD
+echo "$ADMINPASS" > /federated/apps/authelia/data/secrets/NOTIFIER_SMTP_PASSWORD
+openssl genrsa -out /federated/apps/authelia/data/secrets/private.pem 4096
+openssl rsa -in /federated/apps/authelia/data/secrets/private.pem -outform PEM -pubout -out /federated/apps/authelia/data/secrets/public.pem
+POWERDNS_CLIENT_SECRET=$(create_password);
+POWERDNS_CLIENT_SECRET_HASH=$(docker run -it --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --password $POWERDNS_CLIENT_SECRET | awk '{ print $2 }')
+NEXTCLOUD_CLIENT_SECRET=$(create_password);
+NEXTCLOUD_CLIENT_SECRET_HASH=$(docker run -it --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --password $NEXTCLOUD_CLIENT_SECRET | awk '{ print $2 }')
+
+cat > /federated/apps/authelia/.env <<EOF
+IMAGE_VERSION=4.38.8
+X_AUTHELIA_CONFIG_FILTERS=template
+X_AUTHELIA_CONFIG=/config/configuration.yml,/config/idproviders.yml
+AUTHELIA_TOTP_ISSUER=$DOMAIN
+AUTHELIA_WEBAUTHN_DISPLAY_NAME=home
+AUTHELIA_NOTIFIER_SMTP_ADDRESS=submission://mail.$DOMAIN:587
+AUTHELIA_NOTIFIER_SMTP_USERNAME=$SMTPUSER
+AUTHELIA_NOTIFIER_SMTP_SENDER="Authelia <authelia@$DOMAIN>"
+AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDRESS=ldaps://ldap.$DOMAIN
+AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN=dc=$LDAP_DOMAIN_FIRST,dc=$LDAP_DOMAIN_LAST
+AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER=cn=admin,dc=$LDAP_DOMAIN_FIRST,dc=$LDAP_DOMAIN_LAST
+AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE=/secrets/JWT_SECRET
+AUTHELIA_SESSION_SECRET_FILE=/secrets/SESSION_SECRET
+AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/secrets/STORAGE_ENCRYPTION_KEY
+AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/secrets/NOTIFIER_SMTP_PASSWORD
+AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/secrets/AUTHENTICATION_BACKEND_LDAP_PASSWORD
+EOF
+chmod 600 /federated/apps/authelia/.env
+
+cat > /federated/apps/authelia/data/config/configuration.yml <<EOF
+---
+theme: auto
+default_2fa_method: totp
+server:
+  address: tcp://0.0.0.0:9091/
+log:
+  level: info
+totp:
+  disable: false
+  issuer: 'authelia.$DOMAIN'
+  algorithm: sha1
+  digits: 6
+  period: 45
+  skew: 1
+  secret_size: 32
+webauthn:
+  disable: false
+  timeout: 60s
+  attestation_conveyance_preference: indirect
+  user_verification: preferred
+authentication_backend:
+  password_reset:
+    disable: false
+  refresh_interval: 5m
+  ldap:
+    implementation: custom
+    timeout: 5s
+    start_tls: false
+    attributes:
+      username: mail
+      display_name: cn
+      group_name: gidNumber
+      mail: mail
+    additional_users_dn: ou=people
+    users_filter: "(&({username_attribute}={input})(objectClass=person))"
+    additional_groups_dn: ou=groups
+    groups_filter: "(member={dn})"
+password_policy:
+  standard:
+    enabled: false
+    min_length: 8
+    max_length: 0
+    require_uppercase: true
+    require_lowercase: true
+    require_number: true
+    require_special: false
+access_control:
+  default_policy: one_factor
+session:
+  name: 'authelia_session'
+  same_site: 'lax'
+  inactivity: '5m'
+  expiration: '1h'
+  remember_me: '1M'
+  cookies:
+    - domain: '$DOMAIN'
+      authelia_url: 'https://authelia.$DOMAIN'
+regulation:
+  max_retries: 3
+  find_time: 2m
+  ban_time: 5m
+storage:
+  local:
+    path: /config/db.sqlite3
+notifier:
+  disable_startup_check: false
+EOF
+
+cat > /federated/apps/authelia/data/config/idproviders.yml <<EOF
+identity_providers:
+  oidc:
+    jwks:
+      - key: {{ secret "/secrets/private.pem" | mindent 10 "|" | msquote }}
+    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
+    ## See: https://www.authelia.com/c/oidc
+    clients:
+      ### PowerDNS
+      - client_id: 'powerdns'
+        client_name: 'PowerDNS Admin'
+        client_secret: $POWERDNS_CLIENT_SECRET_HASH
+        public: false
+        authorization_policy: 'one_factor'
+        redirect_uris:
+          - 'https://powerdns.$DOMAIN/oidc/authorized'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'groups'
+          - 'email'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        userinfo_signed_response_alg: 'none'
+      ### Nextcloud
+      - client_id: 'nextcloud'
+        client_name: 'NextCloud'
+        client_secret: $NEXTCLOUD_CLIENT_SECRET_HASH
+        public: false
+        authorization_policy: 'one_factor'
+        require_pkce: true
+        pkce_challenge_method: 'S256'
+        redirect_uris:
+          - 'https://nextcloud.$DOMAIN/apps/user_oidc/code'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+          - 'groups'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_post'
+EOF
+
+# Insert PowerDNS configuration because we need an initial
+# config for Authelia to run
+PDNS_MYSQL_COMMAND1="insert into setting (name, value) values (\"oidc_oauth_enabled\", \"True\");insert into setting (name, value) values (\"oidc_oauth_key\", \"powerdns\");"
+PDNS_MYSQL_COMMAND2="insert into setting (name, value) values (\"oidc_oauth_scope\", \"openid profile groups email\");insert into setting (name, value) values (\"oidc_oauth_api_url\", \"https://authelia.$DOMAIN/api/oidc/userinfo\");"
+PDNS_MYSQL_COMMAND3="insert into setting (name, value) values (\"oidc_oauth_auto_configure\", \"True\");insert into setting (name, value) values (\"oidc_oauth_metadata_url\", \"https://authelia.$DOMAIN/.well-known/openid-configuration\");"
+PDNS_MYSQL_COMMAND4="insert into setting (name, value) values (\"oidc_oauth_token_url\", \"\");insert into setting (name, value) values (\"oidc_oauth_authorize_url\", \"\");"
+PDNS_MYSQL_COMMAND5="insert into setting (name, value) values (\"oidc_oauth_logout_url\", \"https://authelia.$DOMAIN/logout\");insert into setting (name, value) values (\"oidc_oauth_username\", \"preferred_username\");"
+PDNS_MYSQL_COMMAND6="insert into setting (name, value) values (\"oidc_oauth_email\", \"email\");insert into setting (name, value) values (\"oidc_oauth_firstname\", \"preferred_username\");"
+PDNS_MYSQL_COMMAND7="insert into setting (name, value) values (\"oidc_oauth_last_name\", \"name\");insert into setting (name, value) values (\"oidc_oauth_account_name_property\", \"preferred_username\");"
+PDNS_MYSQL_COMMAND8="insert into setting (name, value) values (\"oidc_oauth_account_description_property\", \"name\");insert into setting (name, value) values (\"oidc_oauth_secret\", \"$POWERDNS_CLIENT_SECRET\");"
+docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD pdnsadmin -e '$PDNS_MYSQL_COMMAND;'"
+docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD pdnsadmin -e '$PDNS_MYSQL_COMMAND1;'"
+docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD pdnsadmin -e '$PDNS_MYSQL_COMMAND2;'"
+docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD pdnsadmin -e '$PDNS_MYSQL_COMMAND3;'"
+docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD pdnsadmin -e '$PDNS_MYSQL_COMMAND4;'"
+docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD pdnsadmin -e '$PDNS_MYSQL_COMMAND5;'"
+docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD pdnsadmin -e '$PDNS_MYSQL_COMMAND6;'"
+docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD pdnsadmin -e '$PDNS_MYSQL_COMMAND7;'"
+docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD pdnsadmin -e '$PDNS_MYSQL_COMMAND8;'"
+ 
+echo -ne "done."
+}
+start_authelia() {
+  # Start service with command to make sure it's up before proceeding
+  start_service "authelia" "nc -z 172.99.0.90 9091 &> /dev/null" "7"
+
+  docker exec pdns pdnsutil add-record $DOMAIN authelia A 86400 $EXTERNALIP &> /dev/null
+  [ $? -ne 0 ] && fail "Couldn't add dns record for authelia"
+
+  # Stop and start pdnsadmin for internal dns externalhosts to work
+  /federated/bin/stop pdnsadmin
+  /federated/bin/start pdnsadmin
+
+  echo -ne "done."
+}
+uninstall_authelia() {
+  echo -ne "* Uninstalling authelia container.."
+  spin &
+  SPINPID=$!
+
+  # First stop the service
+  cd /federated/apps/authelia && docker-compose -f docker-compose.yml -p authelia down &> /dev/null
+
+  # Delete the app directory
+  rm -rf /federated/apps/authelia
+
+  # Delete the image
+  docker image rm authelia/authelia:$IMAGE_VERSION &> /dev/null
+
+  # Delete the DNS record
+  docker exec pdns pdnsutil delete-rrset $DOMAIN authelia A
+
+  kill -9 $SPINPID &> /dev/null
+  echo -ne "done.\n"
+}