bero/test
1
0
Fork 0
Code Issues 52 Pull Requests 3 Actions Packages Projects Releases Wiki Activity

Added authelia.sh

Browse Source
This commit is contained in:
root 2024-07-23 17:27:31 +00:00
parent 1e1ff52e3c
commit 8bb4f9a686
1 changed files with 248 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

248
lib/authelia.sh Normal file
View File

@ -0,0 +1,248 @@
#!/bin/bash
#
# Authelia Service
PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
get_appvars
config_authelia() {
echo -ne "\n* Configuring /federated/apps/authelia container.."
if [ ! -d "/federated/apps/authelia" ]; then
mkdir -p /federated/apps/authelia/data/config
mkdir -p /federated/apps/authelia/data/secrets
fi
cat > /federated/apps/authelia/docker-compose.yml <<EOF
version: '3.7'
services:
authelia:
image: authelia/authelia:\${IMAGE_VERSION}
container_name: authelia
hostname: authelia.$DOMAIN
domainname: $DOMAIN
restart: always
networks:
federated:
ipv4_address: 172.99.0.90
env_file:
- ./.env
volumes:
- ./data/config:/config
- ./data/secrets:/secrets
labels:
- "traefik.enable=true"
- "traefik.http.routers.authelia.rule=Host(\`authelia.$DOMAIN\`)"
- "traefik.http.routers.authelia.entrypoints=websecure"
- "traefik.http.routers.authelia.tls.certresolver=letsencrypt"
- "traefik.http.middlewares.authelia.forwardAuth.address=http://authelia.$DOMAIN:9091/api/authz/forward-auth"
- "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
- "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
networks:
federated:
external: true
EOF
tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 > /federated/apps/authelia/data/secrets/JWT_SECRET
tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 > /federated/apps/authelia/data/secrets/SESSION_SECRET
tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 > /federated/apps/authelia/data/secrets/STORAGE_ENCRYPTION_KEY
echo "$LDAP_SECRET" > /federated/apps/authelia/data/secrets/AUTHENTICATION_BACKEND_LDAP_PASSWORD
echo "$ADMINPASS" > /federated/apps/authelia/data/secrets/NOTIFIER_SMTP_PASSWORD
openssl genrsa -out /federated/apps/authelia/data/secrets/private.pem 4096
openssl rsa -in /federated/apps/authelia/data/secrets/private.pem -outform PEM -pubout -out /federated/apps/authelia/data/secrets/public.pem
POWERDNS_CLIENT_SECRET=$(create_password);
POWERDNS_CLIENT_SECRET_HASH=$(docker run -it --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --password $POWERDNS_CLIENT_SECRET | awk '{ print $2 }')
NEXTCLOUD_CLIENT_SECRET=$(create_password);
NEXTCLOUD_CLIENT_SECRET_HASH=$(docker run -it --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --password $NEXTCLOUD_CLIENT_SECRET | awk '{ print $2 }')
cat > /federated/apps/authelia/.env <<EOF
IMAGE_VERSION=4.38.8
X_AUTHELIA_CONFIG_FILTERS=template
X_AUTHELIA_CONFIG=/config/configuration.yml,/config/idproviders.yml
AUTHELIA_TOTP_ISSUER=$DOMAIN
AUTHELIA_WEBAUTHN_DISPLAY_NAME=home
AUTHELIA_NOTIFIER_SMTP_ADDRESS=submission://mail.$DOMAIN:587
AUTHELIA_NOTIFIER_SMTP_USERNAME=$SMTPUSER
AUTHELIA_NOTIFIER_SMTP_SENDER="Authelia <authelia@$DOMAIN>"
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDRESS=ldaps://ldap.$DOMAIN
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN=dc=$LDAP_DOMAIN_FIRST,dc=$LDAP_DOMAIN_LAST
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER=cn=admin,dc=$LDAP_DOMAIN_FIRST,dc=$LDAP_DOMAIN_LAST
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE=/secrets/JWT_SECRET
AUTHELIA_SESSION_SECRET_FILE=/secrets/SESSION_SECRET
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/secrets/STORAGE_ENCRYPTION_KEY
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/secrets/NOTIFIER_SMTP_PASSWORD
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/secrets/AUTHENTICATION_BACKEND_LDAP_PASSWORD
EOF
chmod 600 /federated/apps/authelia/.env
cat > /federated/apps/authelia/data/config/configuration.yml <<EOF
---
theme: auto
default_2fa_method: totp
server:
address: tcp://0.0.0.0:9091/
log:
level: info
totp:
disable: false
issuer: 'authelia.$DOMAIN'
algorithm: sha1
digits: 6
period: 45
skew: 1
secret_size: 32
webauthn:
disable: false
timeout: 60s
attestation_conveyance_preference: indirect
user_verification: preferred
authentication_backend:
password_reset:
disable: false
refresh_interval: 5m
ldap:
implementation: custom
timeout: 5s
start_tls: false
attributes:
username: mail
display_name: cn
group_name: gidNumber
mail: mail
additional_users_dn: ou=people
users_filter: "(&({username_attribute}={input})(objectClass=person))"
additional_groups_dn: ou=groups
groups_filter: "(member={dn})"
password_policy:
standard:
enabled: false
min_length: 8
max_length: 0
require_uppercase: true
require_lowercase: true
require_number: true
require_special: false
access_control:
default_policy: one_factor
session:
name: 'authelia_session'
same_site: 'lax'
inactivity: '5m'
expiration: '1h'
remember_me: '1M'
cookies:
- domain: '$DOMAIN'
authelia_url: 'https://authelia.$DOMAIN'
regulation:
max_retries: 3
find_time: 2m
ban_time: 5m
storage:
local:
path: /config/db.sqlite3
notifier:
disable_startup_check: false
EOF
cat > /federated/apps/authelia/data/config/idproviders.yml <<EOF
identity_providers:
oidc:
jwks:
- key: {{ secret "/secrets/private.pem" | mindent 10 "|" | msquote }}
## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
## See: https://www.authelia.com/c/oidc
clients:
### PowerDNS
- client_id: 'powerdns'
client_name: 'PowerDNS Admin'
client_secret: $POWERDNS_CLIENT_SECRET_HASH
public: false
authorization_policy: 'one_factor'
redirect_uris:
- 'https://powerdns.$DOMAIN/oidc/authorized'
scopes:
- 'openid'
- 'profile'
- 'groups'
- 'email'
response_types:
- 'code'
grant_types:
- 'authorization_code'
userinfo_signed_response_alg: 'none'
### Nextcloud
- client_id: 'nextcloud'
client_name: 'NextCloud'
client_secret: $NEXTCLOUD_CLIENT_SECRET_HASH
public: false
authorization_policy: 'one_factor'
require_pkce: true
pkce_challenge_method: 'S256'
redirect_uris:
- 'https://nextcloud.$DOMAIN/apps/user_oidc/code'
scopes:
- 'openid'
- 'profile'
- 'email'
- 'groups'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_post'
EOF
# Insert PowerDNS configuration because we need an initial
# config for Authelia to run
PDNS_MYSQL_COMMAND1="insert into setting (name, value) values (\"oidc_oauth_enabled\", \"True\");insert into setting (name, value) values (\"oidc_oauth_key\", \"powerdns\");"
PDNS_MYSQL_COMMAND2="insert into setting (name, value) values (\"oidc_oauth_scope\", \"openid profile groups email\");insert into setting (name, value) values (\"oidc_oauth_api_url\", \"https://authelia.$DOMAIN/api/oidc/userinfo\");"
PDNS_MYSQL_COMMAND3="insert into setting (name, value) values (\"oidc_oauth_auto_configure\", \"True\");insert into setting (name, value) values (\"oidc_oauth_metadata_url\", \"https://authelia.$DOMAIN/.well-known/openid-configuration\");"
PDNS_MYSQL_COMMAND4="insert into setting (name, value) values (\"oidc_oauth_token_url\", \"\");insert into setting (name, value) values (\"oidc_oauth_authorize_url\", \"\");"
PDNS_MYSQL_COMMAND5="insert into setting (name, value) values (\"oidc_oauth_logout_url\", \"https://authelia.$DOMAIN/logout\");insert into setting (name, value) values (\"oidc_oauth_username\", \"preferred_username\");"
PDNS_MYSQL_COMMAND6="insert into setting (name, value) values (\"oidc_oauth_email\", \"email\");insert into setting (name, value) values (\"oidc_oauth_firstname\", \"preferred_username\");"
PDNS_MYSQL_COMMAND7="insert into setting (name, value) values (\"oidc_oauth_last_name\", \"name\");insert into setting (name, value) values (\"oidc_oauth_account_name_property\", \"preferred_username\");"
PDNS_MYSQL_COMMAND8="insert into setting (name, value) values (\"oidc_oauth_account_description_property\", \"name\");insert into setting (name, value) values (\"oidc_oauth_secret\", \"$POWERDNS_CLIENT_SECRET\");"
docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD pdnsadmin -e '$PDNS_MYSQL_COMMAND;'"
docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD pdnsadmin -e '$PDNS_MYSQL_COMMAND1;'"
docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD pdnsadmin -e '$PDNS_MYSQL_COMMAND2;'"
docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD pdnsadmin -e '$PDNS_MYSQL_COMMAND3;'"
docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD pdnsadmin -e '$PDNS_MYSQL_COMMAND4;'"
docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD pdnsadmin -e '$PDNS_MYSQL_COMMAND5;'"
docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD pdnsadmin -e '$PDNS_MYSQL_COMMAND6;'"
docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD pdnsadmin -e '$PDNS_MYSQL_COMMAND7;'"
docker exec pdnsmysql bash -c "mysql -uroot -p$MYSQL_ROOTPASSWORD pdnsadmin -e '$PDNS_MYSQL_COMMAND8;'"
echo -ne "done."
}
start_authelia() {
# Start service with command to make sure it's up before proceeding
start_service "authelia" "nc -z 172.99.0.90 9091 &> /dev/null" "7"
docker exec pdns pdnsutil add-record $DOMAIN authelia A 86400 $EXTERNALIP &> /dev/null
[ $? -ne 0 ] && fail "Couldn't add dns record for authelia"
# Stop and start pdnsadmin for internal dns externalhosts to work
/federated/bin/stop pdnsadmin
/federated/bin/start pdnsadmin
echo -ne "done."
}
uninstall_authelia() {
echo -ne "* Uninstalling authelia container.."
spin &
SPINPID=$!
# First stop the service
cd /federated/apps/authelia && docker-compose -f docker-compose.yml -p authelia down &> /dev/null
# Delete the app directory
rm -rf /federated/apps/authelia
# Delete the image
docker image rm authelia/authelia:$IMAGE_VERSION &> /dev/null
# Delete the DNS record
docker exec pdns pdnsutil delete-rrset $DOMAIN authelia A
kill -9 $SPINPID &> /dev/null
echo -ne "done.\n"
}