#!/bin/bash
#
# Authelia Service
PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
get_appvars
config_authelia() {
echo -ne "* Configuring authelia container.."
if [ ! -d "/federated/apps/authelia" ]; then
mkdir -p /federated/apps/authelia/data/config
mkdir -p /federated/apps/authelia/data/secrets
fi
cat > /federated/apps/authelia/docker-compose.yml <<EOF
services:
authelia:
image: authelia/authelia:\${IMAGE_VERSION}
container_name: authelia
hostname: authelia.$DOMAIN
restart: always
networks:
core:
ipv4_address: 192.168.0.42
env_file:
- ./.env
volumes:
- ./data/config:/config
- ./data/secrets:/secrets
labels:
- "traefik.enable=true"
- "traefik.http.routers.authelia.rule=Host(\`authelia.$DOMAIN\`)"
- "traefik.http.routers.authelia.entrypoints=websecure"
- "traefik.http.routers.authelia.tls.certresolver=letsencrypt"
- "traefik.http.middlewares.authelia.forwardAuth.address=http://authelia.$DOMAIN:9091/api/authz/forward-auth"
- "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
- "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
networks:
core:
external: true
EOF
tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 > /federated/apps/authelia/data/secrets/JWT_SECRET
tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 > /federated/apps/authelia/data/secrets/SESSION_SECRET
tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 > /federated/apps/authelia/data/secrets/STORAGE_ENCRYPTION_KEY
echo "$LDAP_SECRET" > /federated/apps/authelia/data/secrets/AUTHENTICATION_BACKEND_LDAP_PASSWORD
echo "$ADMINPASS" > /federated/apps/authelia/data/secrets/NOTIFIER_SMTP_PASSWORD
openssl genrsa -out /federated/apps/authelia/data/secrets/private.pem 4096 2>/dev/null
openssl rsa -in /federated/apps/authelia/data/secrets/private.pem -outform PEM -pubout -out /federated/apps/authelia/data/secrets/public.pem 2>/dev/null
POWERDNS_CLIENT_SECRET=$(create_password);
POWERDNS_CLIENT_SECRET_HASH=$(docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --password $POWERDNS_CLIENT_SECRET 2>/dev/null | awk '{ print $2 }')
[[ -d "/federated/apps/pdnsmysql/data/var/lib/mysql/pdnsadmin" ]] && POWERDNS_DB="pdnsadmin" || POWERDNS_DB="pdns"
cat > /federated/apps/authelia/.env <<EOF
IMAGE_VERSION=$(current_version authelia)
X_AUTHELIA_CONFIG_FILTERS=template
X_AUTHELIA_CONFIG=/config/configuration.yml,/config/idproviders.yml
AUTHELIA_TOTP_ISSUER=$DOMAIN
AUTHELIA_WEBAUTHN_DISPLAY_NAME=home
AUTHELIA_NOTIFIER_SMTP_ADDRESS=submission://mail.$DOMAIN:587
AUTHELIA_NOTIFIER_SMTP_USERNAME=$SMTPUSER
AUTHELIA_NOTIFIER_SMTP_SENDER="Authelia <authelia@$DOMAIN>"
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDRESS=ldaps://ldap.$DOMAIN
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN=dc=$LDAP_DOMAIN_FIRST,dc=$LDAP_DOMAIN_LAST
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER=cn=admin,dc=$LDAP_DOMAIN_FIRST,dc=$LDAP_DOMAIN_LAST
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE=/secrets/JWT_SECRET
AUTHELIA_SESSION_SECRET_FILE=/secrets/SESSION_SECRET
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/secrets/STORAGE_ENCRYPTION_KEY
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/secrets/NOTIFIER_SMTP_PASSWORD
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/secrets/AUTHENTICATION_BACKEND_LDAP_PASSWORD
EOF
chmod 600 /federated/apps/authelia/.env
# Set the ldap configuration up for subdomain if we need to
if [ "${#LDAP_DOMAIN_ARRAY[@]}" -eq "3" ]; then
sed -i "s#dc=$LDAP_DOMAIN_FIRST,dc=$LDAP_DOMAIN_LAST#dc=$LDAP_DOMAIN_FIRST,dc=$LDAP_DOMAIN_MIDDLE,dc=$LDAP_DOMAIN_LAST#g" /federated/apps/authelia/.env
fi
cat > /federated/apps/authelia/data/config/configuration.yml <<EOF
---
theme: auto
default_2fa_method: totp
server:
address: tcp://0.0.0.0:9091/
log:
level: info
totp:
disable: false
issuer: 'authelia.$DOMAIN'
algorithm: sha1
digits: 6
period: 45
skew: 1
secret_size: 32
webauthn:
disable: false
timeout: 60s
attestation_conveyance_preference: indirect
user_verification: preferred
authentication_backend:
password_reset:
disable: false
refresh_interval: 5m
ldap:
implementation: custom
timeout: 5s
start_tls: false
attributes:
username: mail
display_name: uid
group_name: gidNumber
mail: mail
additional_users_dn: ou=people
users_filter: "(&({username_attribute}={input})(objectClass=person))"
additional_groups_dn: ou=groups
groups_filter: "(member={dn})"
password_policy:
standard:
enabled: false
min_length: 8
max_length: 0
require_uppercase: true
require_lowercase: true
require_number: true
require_special: false
access_control:
default_policy: one_factor
session:
name: 'authelia_session'
same_site: 'lax'
inactivity: '5m'
expiration: '1h'
remember_me: '1M'
cookies:
- domain: '$DOMAIN'
authelia_url: 'https://authelia.$DOMAIN'
regulation:
max_retries: 3
find_time: 2m
ban_time: 5m
storage:
local:
path: /config/db.sqlite3
notifier:
disable_startup_check: false
EOF
cat > /federated/apps/authelia/data/config/idproviders.yml <<EOF
identity_providers:
oidc:
jwks:
- key: {{ secret "/secrets/private.pem" | mindent 10 "|" | msquote }}
## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
## See: https://www.authelia.com/c/oidc
clients:
### PowerDNS
- client_id: 'powerdns'
client_name: 'PowerDNS Admin'
client_secret: $POWERDNS_CLIENT_SECRET_HASH
consent_mode: 'implicit'
public: false
authorization_policy: 'one_factor'
redirect_uris:
- 'https://powerdns.$DOMAIN/oidc/authorized'
scopes:
- 'openid'
- 'profile'
- 'groups'
- 'email'
response_types:
- 'code'
grant_types:
- 'authorization_code'
userinfo_signed_response_alg: 'none'
EOF
# Insert PowerDNS configuration because we need an initial
# config for Authelia to run
PDNS_MYSQL_COMMAND1="insert into setting (name, value) values (\"oidc_oauth_enabled\", \"True\");insert into setting (name, value) values (\"oidc_oauth_key\", \"powerdns\");"
PDNS_MYSQL_COMMAND2="insert into setting (name, value) values (\"oidc_oauth_scope\", \"openid profile groups email\");insert into setting (name, value) values (\"oidc_oauth_api_url\", \"https://authelia.$DOMAIN/api/oidc/userinfo\");"
PDNS_MYSQL_COMMAND3="insert into setting (name, value) values (\"oidc_oauth_auto_configure\", \"True\");insert into setting (name, value) values (\"oidc_oauth_metadata_url\", \"https://authelia.$DOMAIN/.well-known/openid-configuration\");"
PDNS_MYSQL_COMMAND4="insert into setting (name, value) values (\"oidc_oauth_token_url\", \"\");insert into setting (name, value) values (\"oidc_oauth_authorize_url\", \"\");"
PDNS_MYSQL_COMMAND5="insert into setting (name, value) values (\"oidc_oauth_logout_url\", \"https://authelia.$DOMAIN/logout?rd=https://dashboard.$DOMAIN\");insert into setting (name, value) values (\"oidc_oauth_username\", \"preferred_username\");"
PDNS_MYSQL_COMMAND6="insert into setting (name, value) values (\"oidc_oauth_email\", \"email\");insert into setting (name, value) values (\"oidc_oauth_firstname\", \"preferred_username\");"
PDNS_MYSQL_COMMAND7="insert into setting (name, value) values (\"oidc_oauth_last_name\", \"name\");insert into setting (name, value) values (\"oidc_oauth_account_name_property\", \"preferred_username\");"
PDNS_MYSQL_COMMAND8="insert into setting (name, value) values (\"oidc_oauth_account_description_property\", \"name\");insert into setting (name, value) values (\"oidc_oauth_secret\", \"$POWERDNS_CLIENT_SECRET\");"
docker exec pdnsmysql bash -c "mariadb -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND;'"
docker exec pdnsmysql bash -c "mariadb -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND1;'"
docker exec pdnsmysql bash -c "mariadb -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND2;'"
docker exec pdnsmysql bash -c "mariadb -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND3;'"
docker exec pdnsmysql bash -c "mariadb -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND4;'"
docker exec pdnsmysql bash -c "mariadb -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND5;'"
docker exec pdnsmysql bash -c "mariadb -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND6;'"
docker exec pdnsmysql bash -c "mariadb -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND7;'"
docker exec pdnsmysql bash -c "mariadb -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e '$PDNS_MYSQL_COMMAND8;'"
echo -ne "done.\n"
}
start_authelia() {
# Start service with command to make sure it's up before proceeding
start_service "authelia" "nc -z 192.168.0.42 9091 &> /dev/null" "7"
docker exec pdns pdnsutil add-record $DOMAIN authelia A 86400 $EXTERNALIP &> /dev/null
[ $? -ne 0 ] && fail "Couldn't add dns record for authelia"
# If extra_hosts doesn't exist then insert extra_host configuration in pdnsadmin docker compose
add_authelia_config_to_dockercompose "pdnsadmin" "$EXTERNALIP"
# Stop and start pdnsadmin for internal dns externalhosts to work
/federated/bin/stop pdnsadmin &> /dev/null
[ $? -ne 0 ] && fail "Couldn't stop pdnsadmin"
/federated/bin/start pdnsadmin &> /dev/null
[ $? -ne 0 ] && fail "Couldn't start pdnsadmin"
echo -ne "done.\n"
}
email_authelia() {
echo -ne "* Sending email to customer.."
cat > /federated/apps/mail/data/root/certs/mailfile <<EOF
<html>
<img src="https://www.federated.computer/wp-content/uploads/2023/11/logo.png" alt="" /><br>
<p>
<h4>Authelia (SSO) is now installed on $DOMAIN, Your Federated Computer Single Sign On</h4>
<p>
Dear Customer,<br>
We’re excited to introduce your new Single Sign-On (SSO) for Federated Core.
<br>
<br>
Your Single Sign On is called Authelia. With Authelia, a single login grants you seamless access to multiple Federated applications.<br>
Authelia provides single sign-on (SSO) access to the following Federated applications:<br>
Nextcloud, Element/Matrix, Bookstack, Jitsi, Gitea, RoundCube (Web Mail), EspoCRM, PowerDNS, and WordPress<br>
<br>
How to use Authelia<br>
• Click on any application in your Federated Dashboard and login by clicking, “Login with Authelia”<br>
• Look for a pop up that will be labeled “https://authelia.YOUR.DOMAIN”<br>
• Enter your panel user@domain.com and password, then click, “Sign In”<br>
• That’s It! You can now access all of the Applications listed above.<br>
<br>
IMPORTANT: When logging into Nextcloud through traditional login (Not Authelia) use only your 'user' and not 'user@domain.com'.<br>
<br>
Using EspoCRM or Gitea?<br>
These applications need extra configuration to work with SSO.<br>
Reply to support@federated.computer, and we’ll send you step-by-step instructions to set up SSO for them.<br>
<br>
As always, We are here to make the process simple and straightforward. Reply now if you have any questions about Authelia and we will respond promptly.
<br>
Thank you for choosing Federated Computer. We’re committed to improving your experience every step of the way.
<br>
<br>
Best regards,<br>
Federated Computer Support Team
<br>
EOF
# Send out e-mail from mail container with details
docker exec mail bash -c "mail -r admin@$DOMAIN -a \"Content-type: text/html\" -s \"Authelia (SSO) is now installed on $DOMAIN\" $EMAIL < /root/certs/mailfile"
rm /federated/apps/mail/data/root/certs/mailfile
echo -ne "done.\n"
}
uninstall_authelia() {
echo -ne "* Uninstalling authelia container.."
# First stop the service
cd /federated/apps/authelia && docker compose -f docker-compose.yml -p authelia down &> /dev/null
# Delete the entries in the settings table
[[ -d "/federated/apps/pdnsmysql/data/var/lib/mysql/pdnsadmin" ]] && POWERDNS_DB="pdnsadmin" || POWERDNS_DB="pdns"
docker exec pdnsmysql mariadb -uroot -p$MYSQL_ROOTPASSWORD $POWERDNS_DB -e "delete from setting where name like '%oidc_oauth%';"
# Delete the app directory
rm -rf /federated/apps/authelia
# Delete the image
docker image rm authelia/authelia:$IMAGE_VERSION &> /dev/null
# Delete the DNS record
docker exec pdns pdnsutil delete-rrset $DOMAIN authelia A
echo -ne "done.\n"
}