From 73e9856e613f969de262faab1d0f9f0857003d46 Mon Sep 17 00:00:00 2001
From: Your Name
Date: Wed, 4 Jun 2025 16:20:48 -0400
Subject: [PATCH] fixup
---
 .gitignore | 29 +++++++
 authelia-dev-config.yml | 49 ++++++++++++
 docker-compose.dev.yml | 163 ++++++++++++++++++++++++++++++++++++++
 docker-compose.simple.yml | 93 ++++++++++++++++++++++
 docker/redis/Dockerfile | 8 +-
 stack.production.yml | 14 +++-
 stack.staging.yml | 16 ++--
 users_database.yml | 19 +++++
 8 files changed, 382 insertions(+), 9 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 authelia-dev-config.yml
 create mode 100644 docker-compose.dev.yml
 create mode 100644 docker-compose.simple.yml
 create mode 100644 users_database.yml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a6d43ac
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,29 @@
+# Secrets and sensitive files
+secrets.md
+*.secret
+*.key
+*.pem
+
+# OS generated files
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+ehthumbs.db
+Thumbs.db
+
+# IDE files
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# Logs
+*.log
+logs/
+
+# Temporary files
+*.tmp
+*.temp
\ No newline at end of file
diff --git a/authelia-dev-config.yml b/authelia-dev-config.yml
new file mode 100644
index 0000000..03b97f1
--- /dev/null
+++ b/authelia-dev-config.yml
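Review bot: The ignore list covers `*.key`, `*.pem` and `secrets.md`, but not the files this same commit adds with credentials written inline — `authelia-dev-config.yml`, `docker-compose.dev.yml` and `users_database.yml` — nor a `.env` file, which is the usual place to move such values so the committed Compose files can reference them instead of embedding them. Consider adding `.env` here and keeping the committed YAML free of real values. The file also ends without a trailing newline (`\ No newline at end of file`), as do the other new files in this commit.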
@@ -0,0 +1,49 @@
+---
+# Authelia Development Configuration
+# Minimal config for local development
+
+server:
+ address: tcp://0.0.0.0:9091
+
+log:
+ level: debug
+
+identity_validation:
+ reset_password:
+ jwt_secret: DoXL9Z1aCrXQ3Ylc2J9MWLO8QeseI8W6F91R0lS0SIE=
+
+authentication_backend:
+ file:
+ path: /config/users_database.yml
+
+access_control:
+ default_policy: one_factor
+ rules:
+ - domain: ["dev.local.com"]
+ policy: one_factor
+
+session:
+ cookies:
+ - name: authelia_session
+ domain: dev.local.com
+ authelia_url: http://dev.local.com:9091
+ secret: DoXL9Z1aCrXQ3Ylc2J9MWLO8QeseI8W6F91R0lS0SIE=
+ expiration: 1h
+ inactivity: 5m
+
+regulation:
+ max_retries: 3
+ find_time: 120
+ ban_time: 300
+
+storage:
+ local:
+ path: /data/db.sqlite3
+ encryption_key: DvbtMjsNDIC3eqtNaPtdHm/f07dtlHREgieDStTu9NA=
+
+notifier:
+ filesystem:
+ filename: /data/notification.txt
+
+totp:
+ issuer: authelia.com
\ No newline at end of file
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
new file mode 100644
index 0000000..cad29e0
--- /dev/null
+++ b/docker-compose.dev.yml
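Review bot: `identity_validation.reset_password.jwt_secret` and the `session` `secret` carry the same literal value, and all three secrets in this file (including `storage.encryption_key`) are committed in plain text; the identical values reappear under `environment:` in `docker-compose.dev.yml`, so rotating them means editing two files and keeping them in sync by hand. Even for a dev profile these should be distinct values supplied at runtime rather than kept in git history, since the same secret signing both reset tokens and session cookies means one leak compromises both. A header comment such as `# Dev-only placeholder values — generate fresh, distinct secrets before reusing this file; see docker-compose.dev.yml` would at least record the intent. Note also that the single `access_control.rules` entry restates `default_policy: one_factor` for `dev.local.com`, so the rule is a no-op as written.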
@@ -0,0 +1,163 @@
+services:
+ mariadb:
+ image: mariadb:latest
+ container_name: authelia_mariadb
+ environment:
+ MYSQL_ROOT_PASSWORD: dev_authelia_root
+ MYSQL_DATABASE: authelia
+ MYSQL_USER: authelia
+ MYSQL_PASSWORD: authelia
+ volumes:
+ - mariadb_data:/var/lib/mysql
+ # No ports exposed - internal only
+ networks:
+ - authelia_dev
+ healthcheck:
+ test: ["CMD", "/usr/local/bin/healthcheck.sh", "--su-mysql", "--connect", "--innodb_initialized"]
+ start_period: 30s
+ interval: 30s
+ timeout: 10s
+ retries: 5
+
+ redis:
+ image: redis:latest
+ container_name: authelia_redis
+ command: redis-server --appendonly yes
+ volumes:
+ - redis_data:/data
+ # No ports exposed - internal only
+ networks:
+ - authelia_dev
+ healthcheck:
+ test: ["CMD", "redis-cli", "ping"]
+ start_period: 10s
+ interval: 30s
+ timeout: 5s
+ retries: 3
+
+ lldap:
+ image: nitnelave/lldap:latest
+ container_name: lldap_lldap
+ volumes:
+ - lldap_data:/data
+ environment:
+ - LLDAP_JWT_SECRET=I2sNvGvhzZlTJWPfNL9MBPFGhyG/gWU5wHz6wFsIC3I=
+ - LLDAP_LDAP_USER_PASS=/ETAToLiZPWo6QK171abAUqsa3WDpd9IgneZnTA4zU0=
+ - LLDAP_LDAP_BASE_DN=dc=nixc,dc=us
+ - PUID=33
+ - PGID=33
+ ports:
+ # Only expose web UI for manual testing
+ - "17170:17170" # Web interface port
+ networks:
+ - authelia_dev
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:17170/health"]
+ start_period: 10s
+ interval: 30s
+ timeout: 5s
+ retries: 3
+
+ authelia:
+ build:
+ context: ./docker/authelia/
+ dockerfile: Dockerfile
+ image: git.nixc.us/nixius/authelia:dev-authelia
+ container_name: authelia_dev_main
+ command:
+ - sh
+ - -c
+ - |
+ # Create the secrets directory and populate with environment variables
+ mkdir -p /run/secrets
+ echo "$${IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET}" > /run/secrets/IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET
+ echo "$${STORAGE_ENCRYPTION_KEY}" > /run/secrets/STORAGE_ENCRYPTION_KEY
+ echo "$${SESSION_SECRET}" > /run/secrets/SESSION_SECRET
+ echo "$${NOTIFIER_SMTP_PASSWORD}" >
/run/secrets/NOTIFIER_SMTP_PASSWORD
+ echo "$${AUTHENTICATION_BACKEND_LDAP_PASSWORD}" > /run/secrets/AUTHENTICATION_BACKEND_LDAP_PASSWORD
+ echo "$${IDENTITY_PROVIDERS_OIDC_HMAC_SECRET}" > /run/secrets/IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
+ echo "$${IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY}" > /run/secrets/IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY
+ echo "$${IDENTITY_PROVIDERS_OIDC_JWKS_KEY}" > /run/secrets/IDENTITY_PROVIDERS_OIDC_JWKS_KEY
+ echo "$${CLIENT_SECRET_HEADSCALE}" > /run/secrets/CLIENT_SECRET_HEADSCALE
+ echo "$${CLIENT_SECRET_HEADADMIN}" > /run/secrets/CLIENT_SECRET_HEADADMIN
+ # Start Authelia with original command
+ exec authelia --config=/config/configuration.server.yml --config=/config/configuration.ldap.yml --config=/config/configuration.acl.yml
+ environment:
+ # Template environment variables
+ X_AUTHELIA_EMAIL: authelia@nixc.us
+ X_AUTHELIA_SITE_NAME: ATLAS-DEV
+ X_AUTHELIA_CONFIG_FILTERS: template
+ X_AUTHELIA_LDAP_DOMAIN: dc=nixc,dc=us
+ TRAEFIK_DOMAIN: dev.local.com
+ # Development secrets for templates
+ IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET: DoXL9Z1aCrXQ3Ylc2J9MWLO8QeseI8W6F91R0lS0SIE=
+ STORAGE_ENCRYPTION_KEY: DvbtMjsNDIC3eqtNaPtdHm/f07dtlHREgieDStTu9NA=
+ SESSION_SECRET: DoXL9Z1aCrXQ3Ylc2J9MWLO8QeseI8W6F91R0lS0SIE=
+ NOTIFIER_SMTP_PASSWORD: 8P7ah6U5ZjbQ2Faaw1fJoehxJrMOslCu
+ AUTHENTICATION_BACKEND_LDAP_PASSWORD: /ETAToLiZPWo6QK171abAUqsa3WDpd9IgneZnTA4zU0=
+ IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: Pq5+dkrmh04daeSEPEXGq6JniiPsgJ6nHBi/ettUGLSKcuZtnaw3em8/BCXn2iFhUqTRdLSeCiWMbo+oEl/ZYA==
+ IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: |
+ -----BEGIN PRIVATE KEY-----
+ MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC0JC4jaDhdqk3U
+ 0yDwAh5JVQR84htkPY0Trf5VQYNnBhglo2CqRm6jwjzfOJLBruCUokbG5wJL+OU8
+ zDm3aQAhF0xWPEr1ad1U+fIezdF4pZ0fDHVAG9MYTwZYD8iYQclVhoKA8M6/gT15
+ QHq0Fzfgf4U5dmsNH2CWiFi+TAWQ85bxLiXchTnRkoyZ445xBqCuthJyvvUtrZrl
+ dCAcnNJ6kdGypXwqAuOGrRDz1g9cv52aoJC0k747EnMcmm1HEuR2zGXyw2RM+Sbu
+
GrUhLk2vCE448zKXuJGEckalMn2yBfaf5RsZYC9j7SwB0ehyNk5Bn4tKuPt38C7T
+ wWkIoI/DAgMBAAECggEAAIQB/2cmK8GrC14dwAVUu0NoPRTgnMulHCNPxERPV5Va
+ 4fCy/CNlE0iHdODsLdKN7gVkGOAPnGwP+LnIIh0Sbp9q2bkk3C/IMTZ6wCY5E64i
+ e85E7HQOVjytRfjb/on7RSianKF6PG4Z4PKTgPFE30c+K5XwZIJse/UHKM3kgWLp
+ exKVvYyKDrERunDJqZbYsxSnixk8TavOWFHkpk0wHYvxso6a7jQfEjDWh3N7lduj
+ RlaesSO+NJrZDq44zbyJNsFjh4DsNITdBwYXERPUS33Dp+IlrD2SeQMtMBtz+7Ha
+ Pd8jMpx8Fw/S3CnjSYRRzDj5Z21EfspfoO6v1ULA0QKBgQDyQejBS7QNwNRIcnhO
+ b6TVOPmqcOL9gR/mkC4VmWFvf4pTA69OOuU/gHeF6+J40Z4tuFggHMoPmZuPi9AL
+ GSp2UZQHYa7BxTk7XxESflF/8HzgbtFtK/0dUp1l2JN26qha+djQADFFPNWs8abX
+ wpbKfjPqLzwR8K5kCtbd3WWDrwKBgQC+XDajJ6I4k9hwfYDxb35UkNFjboK4NfTY
+ u5Eiz1NhbqqkNV8idZhadJfnbgIAymqr9Yf9M9ncAbuUhCDI2r/VL1CLMx/y/DGH
+ RxlXWq4sArG1xpR1Muc9W8tTT9cf9XDMmuL81wYccXGqv3RpYQM/VtYIRSWvC0HE
+ FxZCGPa2LQKBgHlg1IGksH4Dk1kJIYYLIgdDGLRxAwoI3DblHnHr+4ml2WRmgDst
+ /xamAzyyRzJJtHsr1duhEQxn5i0x2/bzkPbfQM/B/ZFQg7BfnWoqqCL2F1tLqtqM
+ I7HBZuNUc+4s/FU4wYzVy9no9RZFrVaFRJAIU3KOYAaNFJNDawyWlPo5AoGARe6C
+ c/W/dqF5xfmVQR0Af/ijs6+Jfjr0NBrT+sHHk+ef8Ktaw8IHslNa6r5TJg82mO2e
+ g7pksppAWxMfKCqUhrDXGgwyFIXpfBT2jkzV530l4+2L5HJK2RO74mNWWHtGcSQF
+ d3VW3WQfqeaj0YK+Oqqf/nHIokG0a2E/4BBjshECgYAnlU2Fl7uI1lQBbWsckaQ9
+ EVeSDtrRvNuER0Eh3WFni9affOqB9qAZXNfCZ+goFJoNgk4fww0OqmewX9Y18/3a
+ vsrm7L7OKFFlM6vmIG1nPX/s5l++mkMe+qRd4B7C4NSF0bzJlweTozQFDp+prp1y
+ SHERk3EUdAZn7yyIISd/Qg==
+ -----END PRIVATE KEY-----
+ IDENTITY_PROVIDERS_OIDC_JWKS_KEY: mbfKKlpQ5QEzrmBCCcOg7yubDBKZtKCAiL7rGtVdMq/hpCorO+Qiei2fKbB/xieDS3BIg5BMza5fZm5w0hMiNA==
+ CLIENT_SECRET_HEADSCALE: t4Hvp6DnpA0T+0ePbdx8lPIAujFMrkjEnx5aMQkMFiA=
+ CLIENT_SECRET_HEADADMIN: RAxwkJxwMBSYkaA0r+D5qZdEFIrVEZJbigOPtkCBED8=
+ volumes:
+ - authelia_data:/data
+ ports:
+ - "9091:9091"
+ networks:
+ - authelia_dev
+ depends_on:
+ redis:
+ condition: service_healthy
+ mariadb:
+ condition: service_healthy
+ lldap:
+ condition: service_healthy
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:9091/api/health"]
+ start_period: 15s
+ interval: 30s
+
timeout: 10s
+ retries: 3
+
+networks:
+ authelia_dev:
+ driver: bridge
+
+volumes:
+ mariadb_data:
+ driver: local
+ redis_data:
+ driver: local
+ authelia_data:
+ driver: local
+ lldap_data:
+ driver: local
\ No newline at end of file
diff --git a/docker-compose.simple.yml b/docker-compose.simple.yml
new file mode 100644
index 0000000..2693728
--- /dev/null
+++ b/docker-compose.simple.yml
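Review bot: The `sh -c` wrapper in the `authelia` service writes every secret to `/run/secrets/*` with `echo` under the container's default umask, so the files are typically world-readable inside the container; add `umask 077` before `mkdir -p /run/secrets`, or replace the wrapper with Compose's `secrets:` with `file:` sources, which avoids shelling the values through at all. The values themselves — an RSA private key under `IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY`, the HMAC and JWKS keys, the LDAP/SMTP passwords and both client secrets — are committed verbatim under `environment:`, and once in history they have to be treated as burned regardless of the `dev` label; an `.env` file (not covered by the `.gitignore` hunk either) would keep them out of the tracked file. Every image is pulled by `:latest` (`mariadb`, `redis`, `nitnelave/lldap`), which makes the stack non-reproducible and lets an upstream change alter behaviour with no diff to review; pin a tag or digest. The `lldap` healthcheck shells out to `curl`, which I cannot confirm that image ships — if it does not, the service never becomes healthy and `authelia`, which `depends_on` it with `condition: service_healthy`, never starts.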
@@ -0,0 +1,93 @@
+services:
+ mariadb:
+ image: mariadb:latest
+ container_name: authelia_simple_mariadb
+ environment:
+ MYSQL_ROOT_PASSWORD: dev_authelia_root
+ MYSQL_DATABASE: authelia
+ MYSQL_USER: authelia
+ MYSQL_PASSWORD: dev_authelia_db
+ volumes:
+ - mariadb_data:/var/lib/mysql
+ networks:
+ - authelia_dev
+ healthcheck:
+ test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u", "authelia", "-pdev_authelia_db"]
+ start_period: 15s
+ interval: 30s
+ timeout: 10s
+ retries: 3
+
+ redis:
+ image: redis:latest
+ container_name: authelia_simple_redis
+ command: redis-server --appendonly yes
+ volumes:
+ - redis_data:/data
+ networks:
+ - authelia_dev
+ healthcheck:
+ test: ["CMD", "redis-cli", "ping"]
+ start_period: 10s
+ interval: 30s
+ timeout: 5s
+ retries: 3
+
+ lldap:
+ image: nitnelave/lldap:latest
+ container_name: authelia_simple_lldap
+ volumes:
+ - lldap_data:/data
+ environment:
+ - LLDAP_JWT_SECRET=I2sNvGvhzZlTJWPfNL9MBPFGhyG/gWU5wHz6wFsIC3I=
+ - LLDAP_LDAP_USER_PASS=/ETAToLiZPWo6QK171abAUqsa3WDpd9IgneZnTA4zU0=
+ - LLDAP_LDAP_BASE_DN=dc=nixc,dc=us
+ - PUID=33
+ - PGID=33
+ ports:
+ - "17170:17170"
+ networks:
+ - authelia_dev
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:17170/health"]
+ start_period: 10s
+ interval: 30s
+ timeout: 5s
+ retries: 3
+
+ authelia:
+ image: authelia/authelia:latest
+ container_name: authelia_simple_main
+ environment:
+ AUTHELIA_SERVER_HOST: 0.0.0.0
+ AUTHELIA_SERVER_PORT: 9091
+ AUTHELIA_LOG_LEVEL: debug
+ ports:
+ - "9091:9091"
+ networks:
+ - authelia_dev
+ depends_on:
+ mariadb:
+ condition: service_healthy
+ redis:
+ condition: service_healthy
+ lldap:
+ condition: service_healthy
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:9091/api/health"]
+ start_period: 15s
+ interval: 30s
+ timeout: 10s
+ retries: 3
+
+networks:
+ authelia_dev:
+ driver: bridge
+
+volumes:
+ mariadb_data:
+ driver: local
+ redis_data:
+ driver: local
+ lldap_data:
+ driver: local
\ No newline at end of
file diff --git a/docker/redis/Dockerfile b/docker/redis/Dockerfile index 94c1dec..c0d95b8 100644 --- a/docker/redis/Dockerfile +++ b/docker/redis/Dockerfile @@ -1 +1,7 @@ -FROM ghcr.io/microsoft/garnet \ No newline at end of file +FROM redis:latest + +# Copy any custom configuration if needed +# COPY redis.conf /usr/local/etc/redis/redis.conf + +# Use the default Redis configuration with persistence enabled +CMD ["redis-server", "--appendonly", "yes"] \ No newline at end of file diff --git a/stack.production.yml b/stack.production.yml index 6e4c321..7f8161f 100644 --- a/stack.production.yml +++ b/stack.production.yml @@ -29,6 +29,14 @@ networks: ad: external: true +volumes: + authelia_config: + driver: local + authelia_redis_data: + driver: local + authelia_mariadb_data: + driver: local + services: authelia: image: git.nixc.us/nixius/authelia:production-authelia @@ -52,7 +60,7 @@ services: - 1.1.1.1 # Cloudflare - 9.9.9.9 # Quad9 volumes: - - /mnt/tank/persist/nixc.us/authelia/production/config:/config:rw + - authelia_config:/config:rw networks: - traefik - default @@ -104,7 +112,7 @@ services: image: git.nixc.us/nixius/authelia:production-redis command: redis-server --appendonly yes volumes: - - /mnt/tank/persist/nixc.us/authelia/production/redis:/data:rw + - authelia_redis_data:/data:rw networks: - default deploy: @@ -141,7 +149,7 @@ services: MYSQL_USER: authelia MYSQL_PASSWORD: authelia volumes: - - /mnt/tank/persist/nixc.us/authelia/production/db:/var/lib/mysql:rw + - authelia_mariadb_data:/var/lib/mysql:rw networks: - default deploy: diff --git a/stack.staging.yml b/stack.staging.yml index e0004bb..6b0aefe 100644 --- a/stack.staging.yml +++ b/stack.staging.yml @@ -13,6 +13,14 @@ networks: ad: external: true +volumes: + authelia_staging_config: + driver: local + authelia_staging_redis_data: + driver: local + authelia_staging_mariadb_data: + driver: local + services: authelia: image: git.nixc.us/nixius/authelia:staging-authelia 
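Review bot: The `mariadb` healthcheck in `docker-compose.simple.yml` passes the database password on the command line (`"-pdev_authelia_db"`), where it is visible through `docker inspect` and in the container's process list; the `docker-compose.dev.yml` sibling already uses the image's `/usr/local/bin/healthcheck.sh --su-mysql --connect --innodb_initialized`, so this file should do the same, or at minimum supply the password through the `MYSQL_PWD` environment variable rather than an argument. The `authelia` service here mounts no configuration and no users database, so the `authelia-dev-config.yml` and `users_database.yml` added by this commit are not reachable by it as far as this diff shows; unless the image carries a configuration of its own, the container will exit at startup. As in the dev file, every image is `:latest` and should be pinned.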
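Review bot: `FROM redis:latest` in `docker/redis/Dockerfile` keeps the base image on a floating tag, so the `production-redis` and `staging-redis` images the stack files reference change contents on every rebuild with no diff to review; pin a version tag and ideally a digest, e.g. `FROM redis:<version>@sha256:<digest>` with both values filled in from the registry. The new `CMD` also duplicates the `command: redis-server --appendonly yes` that both stack files already set on the service, so one of the two is redundant and they can drift apart.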
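Review bot: The four `stack.production.yml` hunks (and the matching hunks in `stack.staging.yml`) move `/config`, `/data` and `/var/lib/mysql` from bind mounts under `/mnt/tank/persist/...` to named volumes with `driver: local`, which in a Swarm stack are created per node: a task rescheduled to another node starts with an empty volume, and nothing here migrates the existing data from the old paths into the new volumes, so on first deploy Authelia would come up with an empty `/config` and MariaDB with a fresh data directory. Unless each of these services is pinned by a placement constraint (the staging file's last hunk shows a `node.hostname == ingress.nixc.us` constraint, but for which service is not visible), either keep the bind mounts or back the volumes with a driver shared across nodes, and copy the current data across before switching. A comment above each new `volumes:` block such as `# driver: local — data lives on whichever node the task lands on; requires a placement constraint` would record the assumption.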
@@ -25,7 +33,7 @@ services: - --config=/config/configuration.oidc.clients.yml environment: *authelia-env volumes: - - /mnt/tank/persist/nixc.us/authelia/staging/config:/config:rw + - authelia_staging_config:/config:rw networks: - traefik - default @@ -67,7 +75,7 @@ services: image: git.nixc.us/nixius/authelia:staging-redis command: redis-server --appendonly yes volumes: - - /mnt/tank/persist/nixc.us/authelia/staging/redis:/data:rw + - authelia_staging_redis_data:/data:rw networks: - default deploy: @@ -98,7 +106,7 @@ services: MYSQL_USER: authelia MYSQL_PASSWORD: authelia volumes: - - /mnt/tank/persist/nixc.us/authelia/staging/db:/var/lib/mysql:rw + - authelia_staging_mariadb_data:/var/lib/mysql:rw networks: - default deploy: @@ -112,8 +120,6 @@ services: placement: constraints: - node.hostname == ingress.nixc.us - - labels: us.nixc.autodeploy: "true" traefik.enable: "false" diff --git a/users_database.yml b/users_database.yml new file mode 100644 index 0000000..02a39a5 --- /dev/null +++ b/users_database.yml @@ -0,0 +1,19 @@ +--- +# Authelia Development Users Database +# Password: password (bcrypt hashed) + +users: + authelia: + displayname: "Authelia User" + password: "$2a$10$3EtQKrGrfQJDdUZ4W3zWcuKU9KN7k/XC4EQFOKZvIrQJXQFQy1H6K" # password + email: authelia@dev.local + groups: + - admins + - dev + + testuser: + displayname: "Test User" + password: "$2a$10$3EtQKrGrfQJDdUZ4W3zWcuKU9KN7k/XC4EQFOKZvIrQJXQFQy1H6K" # password + email: testuser@dev.local + groups: + - dev \ No newline at end of file
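Review bot: The last `stack.staging.yml` hunk (`@@ -112,8 +120,6 @@`) removes two lines between `- node.hostname == ingress.nixc.us` and `us.nixc.autodeploy: "true"`, and as rendered here it is not possible to tell whether the `labels:` key itself is one of them; if it is, the two label entries left behind are no longer under `labels:` and the file either fails to parse or attaches them to the wrong parent. Please confirm the rendered result with `docker stack config -c stack.staging.yml` before deploying. The enclosing service definition begins outside the hunk.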
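Review bot: Both accounts in `users_database.yml` share one bcrypt hash whose plaintext is documented inline (`# password`), and `authelia` is placed in the `admins` group; the dev config's `authentication_backend.file.path` points at `/config/users_database.yml`, but neither Compose file in this commit mounts this file there, so as it stands nothing uses it. If it is meant to be mounted, add the volume entry and a header comment such as `# DEV ONLY — shared, well-known password; do not mount into staging or production`; if not, drop the file rather than leave a ready-made admin credential in the repository. The file also ends without a trailing newline.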