diff --git a/authelia-config.tar.gz b/authelia-config.tar.gz
new file mode 100644
index 0000000..b047e4e
Binary files /dev/null and b/authelia-config.tar.gz differ
diff --git a/docker/authelia/config/configuration.identity.providers.yml b/docker/authelia/config/configuration.identity.providers.yml
index 659924a..5e84e93 100644
--- a/docker/authelia/config/configuration.identity.providers.yml
+++ b/docker/authelia/config/configuration.identity.providers.yml
@@ -1,19 +1,20 @@
-identity_providers:
- oidc:
- lifespans:
- access_token: 1h
- authorize_code: 1m
- id_token: 1h
- refresh_token: 90m
- enable_client_debug_messages: false
- enforce_pkce: public_clients_only
- cors:
- endpoints:
- - authorization
- - token
- - revocation
- - introspection
- - userinfo
- allowed_origins:
- - "*"
- allowed_origins_from_client_redirect_uris: false
\ No newline at end of file
+# TEMPORARILY DISABLED - OIDC provider causing startup issues
+# identity_providers:
+# oidc:
+# lifespans:
+# access_token: 1h
+# authorize_code: 1m
+# id_token: 1h
+# refresh_token: 90m
+# enable_client_debug_messages: false
+# enforce_pkce: public_clients_only
+# cors:
+# endpoints:
+# - authorization
+# - token
+# - revocation
+# - introspection
+# - userinfo
+# allowed_origins:
+# - "*"
+# allowed_origins_from_client_redirect_uris: false
\ No newline at end of file
diff --git a/docker/authelia/config/configuration.oidc.clients.yml b/docker/authelia/config/configuration.oidc.clients.yml
index 131d60e..650e7b8 100644
--- a/docker/authelia/config/configuration.oidc.clients.yml
+++ b/docker/authelia/config/configuration.oidc.clients.yml
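Review bot: The new header comment `# TEMPORARILY DISABLED - OIDC provider causing startup issues` records neither the actual error nor a date or tracking reference, and commenting out the whole `identity_providers` key leaves this file with no configuration at all, so the relying parties configured against this provider in the clients file (headscale, headadmin, portainer) can no longer complete an OIDC login. The commit should state what those services fall back to while SSO is off, because disabling the provider must not silently leave a weaker local-login path open; I would rewrite the comment as `# TEMPORARILY DISABLED (<DATE>, see <ISSUE-REF>) - OIDC provider: <exact startup error>` with the placeholders filled in. The binary `authelia-config.tar.gz` added at the top of this diff is not reviewable here; if it is a snapshot of the config directory, confirm it holds no rendered secret values before versioning an archive next to the source files.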
@@ -1,60 +1,61 @@
-identity_providers:
- oidc:
- hmac_secret: {{ secret "/run/secrets/IDENTITY_PROVIDERS_OIDC_HMAC_SECRET" }}
- jwks:
- - key: {{ secret "/run/secrets/IDENTITY_PROVIDERS_OIDC_JWKS_KEY" | mindent 10 "|" | msquote }}
-
- authorization_policies:
-
- headscale:
- default_policy: deny
- rules:
- - policy: one_factor
- subject: group:headscale
-# To generate secrets:
-# docker exec -it authelia authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
- clients:
-
- - client_id: headscale
- client_name: Headscale
- client_secret: {{ secret "/run/secrets/CLIENT_SECRET_HEADSCALE" }}
- public: false
- authorization_policy: headscale
- consent_mode: implicit
- scopes:
- - openid
- - email
- - profile
- redirect_uris:
- - https://headscale.{{ env "TRAEFIK_DOMAIN" }}/oidc/callback
- - https://headscale.{{ env "TRAEFIK_DOMAIN" }}/admin/oidc/callback # headplane on same domain as headscale
- # - https://headplane.{{ env "TRAEFIK_DOMAIN" }}/admin/oidc/callback # headplane on it's own domain
- userinfo_signed_response_alg: none
- - client_id: headadmin
- client_name: headadmin
- client_secret: {{ secret "/run/secrets/CLIENT_SECRET_HEADADMIN" }}
- public: false
- authorization_policy: one_factor
- consent_mode: implicit
- scopes:
- - openid
- - email
- - profile
- redirect_uris:
- - https://headadmin.{{ env "TRAEFIK_DOMAIN" }}/oidc_callback
- userinfo_signed_response_alg: none
-
- - client_id: portainer
- client_name: Portainer
- client_secret: {{ secret "/run/secrets/CLIENT_SECRET_PORTAINER" }}
- public: false
- authorization_policy: one_factor
- consent_mode: implicit
- scopes:
- - openid
- - email
- - profile
- - groups
- redirect_uris:
- - https://portainer.{{ env "TRAEFIK_DOMAIN" }}/
- userinfo_signed_response_alg: none
\ No newline at end of file
+# TEMPORARILY DISABLED - OIDC clients causing template processing issues
+# identity_providers:
+# oidc:
+# hmac_secret: {{ secret 
"/run/secrets/IDENTITY_PROVIDERS_OIDC_HMAC_SECRET" }}
+# jwks:
+# - key: {{ secret "/run/secrets/IDENTITY_PROVIDERS_OIDC_JWKS_KEY" | mindent 10 "|" | msquote }}
+#
+# authorization_policies:
+#
+# headscale:
+# default_policy: deny
+# rules:
+# - policy: one_factor
+# subject: group:headscale
+# # To generate secrets:
+# # docker exec -it authelia authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
+# clients:
+#
+# - client_id: headscale
+# client_name: Headscale
+# client_secret: {{ secret "/run/secrets/CLIENT_SECRET_HEADSCALE" }}
+# public: false
+# authorization_policy: headscale
+# consent_mode: implicit
+# scopes:
+# - openid
+# - email
+# - profile
+# redirect_uris:
+# - https://headscale.{{ env "TRAEFIK_DOMAIN" }}/oidc/callback
+# - https://headscale.{{ env "TRAEFIK_DOMAIN" }}/admin/oidc/callback # headplane on same domain as headscale
+# # - https://headplane.{{ env "TRAEFIK_DOMAIN" }}/admin/oidc/callback # headplane on it's own domain
+# userinfo_signed_response_alg: none
+# - client_id: headadmin
+# client_name: headadmin
+# client_secret: {{ secret "/run/secrets/CLIENT_SECRET_HEADADMIN" }}
+# public: false
+# authorization_policy: one_factor
+# consent_mode: implicit
+# scopes:
+# - openid
+# - email
+# - profile
+# redirect_uris:
+# - https://headadmin.{{ env "TRAEFIK_DOMAIN" }}/oidc_callback
+# userinfo_signed_response_alg: none
+#
+# - client_id: portainer
+# client_name: Portainer
+# client_secret: {{ secret "/run/secrets/CLIENT_SECRET_PORTAINER" }}
+# public: false
+# authorization_policy: one_factor
+# consent_mode: implicit
+# scopes:
+# - openid
+# - email
+# - profile
+# - groups
+# redirect_uris:
+# - https://portainer.{{ env "TRAEFIK_DOMAIN" }}/
+# userinfo_signed_response_alg: none
\ No newline at end of file
diff --git a/stack.production.yml b/stack.production.yml
index 4c0c26f..3bcb43e 100644
--- a/stack.production.yml
+++ b/stack.production.yml
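Review bot: Prefixing the `{{ secret "/run/secrets/..." }}` and `{{ env "TRAEFIK_DOMAIN" }}` lines with `#` does not neutralise them for Authelia's template configuration filter, which runs over the raw file text before YAML parsing and has no notion of YAML comments, so the directives are still evaluated; at the same time the stack.production.yml hunks in this commit remove the `IDENTITY_PROVIDERS_OIDC_*` and `CLIENT_SECRET_*` secrets from the service, so if that filter is enabled the file will still fail on the now-missing `/run/secrets` paths, which would reproduce the "template processing issues" the comment describes rather than fix them. Whether the filter is enabled is not visible here (the service environment comes from the `*authelia-env` anchor), so treat this as something to confirm. To take the block out of evaluation entirely, either move the file out of the loaded config directory (for example rename it to `configuration.oidc.clients.yml.disabled`) or wrap the whole body in a Go template comment, `{{/*` on the line after the header comment and `*/}}` on the last line, so the directives and the secret paths are never touched.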
@@ -10,24 +10,26 @@ secrets:
 external: true
 IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET:
 external: true
- IDENTITY_PROVIDERS_OIDC_HMAC_SECRET:
- external: true
- IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY:
- external: true
- IDENTITY_PROVIDERS_OIDC_JWKS_KEY:
- external: true
+ # TEMPORARILY DISABLED - OIDC provider disabled
+ # IDENTITY_PROVIDERS_OIDC_HMAC_SECRET:
+ # external: true
+ # IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY:
+ # external: true
+ # IDENTITY_PROVIDERS_OIDC_JWKS_KEY:
+ # external: true
 NOTIFIER_SMTP_PASSWORD:
 external: true
 SESSION_SECRET:
 external: true
 STORAGE_ENCRYPTION_KEY:
 external: true
- CLIENT_SECRET_HEADSCALE:
- external: true
- CLIENT_SECRET_HEADADMIN:
- external: true
- CLIENT_SECRET_PORTAINER:
- external: true
+ # TEMPORARILY DISABLED - OAuth clients disabled
+ # CLIENT_SECRET_HEADSCALE:
+ # external: true
+ # CLIENT_SECRET_HEADADMIN:
+ # external: true
+ # CLIENT_SECRET_PORTAINER:
+ # external: true
 # TEMPORARILY DISABLED - Gitea OAuth (not ready yet)
 # CLIENT_SECRET_GITEA:
 # external: true
@@ -63,15 +65,15 @@ services:
 secrets:
 - AUTHENTICATION_BACKEND_LDAP_PASSWORD
 - IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET
- - IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
- - IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY
- - IDENTITY_PROVIDERS_OIDC_JWKS_KEY
+ # - IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
+ # - IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY
+ # - IDENTITY_PROVIDERS_OIDC_JWKS_KEY
 - NOTIFIER_SMTP_PASSWORD
 - SESSION_SECRET
 - STORAGE_ENCRYPTION_KEY
- - CLIENT_SECRET_HEADSCALE
- - CLIENT_SECRET_HEADADMIN
- - CLIENT_SECRET_PORTAINER
+ # - CLIENT_SECRET_HEADSCALE
+ # - CLIENT_SECRET_HEADADMIN
+ # - CLIENT_SECRET_PORTAINER
 environment: *authelia-env
 dns:
 - 1.1.1.1 # Cloudflare
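Review bot: The two new markers `# TEMPORARILY DISABLED - OIDC provider disabled` and `# TEMPORARILY DISABLED - OAuth clients disabled` join the existing Gitea one, so this stack now carries three open-ended "temporarily disabled" blocks with no date or tracking reference, and the service-side list in the second hunk (`# - IDENTITY_PROVIDERS_OIDC_HMAC_SECRET` and the `# - CLIENT_SECRET_*` entries) repeats the state without any marker at all. Since the external secrets themselves are left in place and must be re-attached in both hunks together when OIDC returns, I would replace the first marker with `# TEMPORARILY DISABLED (<DATE>, see <ISSUE-REF>) - OIDC provider and clients; re-enable together with the service secrets list below` and drop the second, so there is one place that says when and why the secret mounts come back.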