From e70fed6ad84fb141d3aa36744802f5532f8f02ab Mon Sep 17 00:00:00 2001 From: Your Name Date: Fri, 6 Jun 2025 10:15:12 -0400 Subject: [PATCH] Enable passkey login and improve WebAuthn configuration --- .gitignore | 4 +- README.md | 74 ++++++- .../config/configuration.oidc.clients.yml | 30 +++ .../authelia/config/configuration.server.yml | 5 + docs/CI_CD_VAULT_SETUP.md | 187 ++++++++++++++++ docs/OAUTH_SETUP.md | 204 +++++++++++++++++ docs/README.md | 89 ++++++++ scripts/generate-oauth-secrets.sh | 205 ++++++++++++++++++ secrets.md.backup | 123 ----------- 9 files changed, 785 insertions(+), 136 deletions(-) create mode 100644 docs/CI_CD_VAULT_SETUP.md create mode 100644 docs/OAUTH_SETUP.md create mode 100644 docs/README.md create mode 100755 scripts/generate-oauth-secrets.sh delete mode 100644 secrets.md.backup diff --git a/.gitignore b/.gitignore index a6d43ac..75964e0 100644 --- a/.gitignore +++ b/.gitignore @@ -26,4 +26,6 @@ logs/ # Temporary files *.tmp -*.temp \ No newline at end of file +*.temp +# OAuth and other secrets - never commit! +secrets/ diff --git a/README.md b/README.md index d0378d5..bc68524 100644 --- a/README.md +++ b/README.md @@ -55,11 +55,16 @@ Generate production secrets (โš ๏ธ **Use with extreme caution**): **CRITICAL**: This script will: - Invalidate all existing sessions and tokens -- Require updating all 10 secrets in Woodpecker CI vault +- Require updating all 12 secrets in Woodpecker CI vault - Potentially require recreating database volumes - Cause service downtime until deployment completes -### Required Secrets (10 total) +### CI/CD Vault Management +For comprehensive CI/CD vault setup and secret management: + +**๐Ÿ“– [CI/CD Vault Setup Guide](docs/CI_CD_VAULT_SETUP.md)** + +### Required Secrets (12 total) #### Core Secrets (5) - `AUTHENTICATION_BACKEND_LDAP_PASSWORD` - LDAP authentication backend password 
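Review bot: The new `secrets/` rule only ignores the secrets directory, so a root-level file such as the `secrets.md.backup` this same commit deletes would still be staged by `git add`; adding `secrets.md*` and `*.backup` beside it would close that gap. Deleting `secrets.md.backup` also removes it only from the tree, not from history — the LDAP password, OIDC private keys and client secrets it held are in the pre-image of this patch, so every value in it should be treated as exposed and rotated (the README's full-rotation path already covers the vault secrets), and history should be rewritten if the repository is shared. A comment such as `# Root-level secret dumps - previously committed, never again` above the extra patterns would explain why they exist.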
@@ -73,9 +78,11 @@ Generate production secrets (โš ๏ธ **Use with extreme caution**): - `IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY` - OIDC token signing private key (RSA) - `IDENTITY_PROVIDERS_OIDC_JWKS_KEY` - OIDC JWKS validation key (RSA) -#### Client Secrets (2) +#### Client Secrets (4) - `CLIENT_SECRET_HEADSCALE` - Headscale VPN OIDC client secret - `CLIENT_SECRET_HEADADMIN` - Headscale admin panel OIDC client secret +- `CLIENT_SECRET_PORTAINER` - Portainer OAuth client secret +- `CLIENT_SECRET_GITEA` - Gitea OAuth client secret ## ๐Ÿงช Testing 
@@ -128,8 +135,49 @@ Key environment variables for customization: - `X_AUTHELIA_EMAIL` - Notification email address - `TRAEFIK_DOMAIN` - Base domain for services +## ๐Ÿ”— OAuth/OIDC Integration + +For advanced OAuth/OIDC setup with services like Portainer and Gitea, see the comprehensive guide: + +**๐Ÿ“– [OAuth Setup Guide](docs/OAUTH_SETUP.md)** + +This includes: +- OAuth client configuration for Portainer and Gitea +- Client secret generation and management +- CI/CD vault setup instructions +- Step-by-step authentication flow setup + +### Quick OAuth Setup +```bash +# Generate OAuth client secrets +./scripts/generate-oauth-secrets.sh + +# Follow the instructions to update your CI/CD vault +# Then configure OAuth in your services +``` + ## ๐Ÿ“ฑ Client Integration Examples +### OAuth Integration (Recommended) +Use OAuth for better user experience and native service integration: +```yaml +# Portainer with OAuth - no Traefik middleware needed +labels: + traefik.enable: "true" + traefik.http.routers.portainer.rule: "Host(`portainer.nixc.us`)" + # OAuth configured in Portainer admin panel +``` + +### Traefik Middleware Protection +Use Authelia middleware for services without OAuth support: +```yaml +labels: + traefik.enable: "true" + traefik.http.routers.myapp.rule: "Host(`myapp.nixc.us`)" + traefik.http.routers.myapp.middlewares: "authelia_authelia@docker" + traefik.http.services.myapp.loadbalancer.server.port: "8080" +``` + ### Headscale VPN Integration ```yaml labels: @@ -140,15 +188,6 @@ labels: traefik.http.services.headscale.loadbalancer.server.port: "8080" ``` -### Protected Web Service -```yaml -labels: - traefik.enable: "true" - traefik.http.routers.myapp.rule: "Host(`myapp.nixc.us`)" - traefik.http.routers.myapp.middlewares: "authelia_authelia@docker" - traefik.http.services.myapp.loadbalancer.server.port: "8080" -``` - ## ๐Ÿ” Monitoring & Troubleshooting ### Health Checks 
@@ -192,6 +231,17 @@ labels: - **Session Security**: Secure session management with Redis - **OIDC Standards**: Industry-standard OpenID Connect implementation +## ๐Ÿ“– Documentation + +For comprehensive guides and setup instructions: + +**๐Ÿ“ [Documentation Directory](docs/README.md)** + +Available guides: +- **OAuth/OIDC Setup**: Complete OAuth integration guide +- **CI/CD Vault Setup**: Secret management and vault configuration +- **Troubleshooting**: Common issues and solutions + ## ๐Ÿ“ž Support & Contributing ### Reporting Issues diff --git a/docker/authelia/config/configuration.oidc.clients.yml b/docker/authelia/config/configuration.oidc.clients.yml index 222f38e..7503702 100644 --- a/docker/authelia/config/configuration.oidc.clients.yml +++ b/docker/authelia/config/configuration.oidc.clients.yml @@ -42,4 +42,34 @@ identity_providers: - profile redirect_uris: - https://headadmin.{{ env "TRAEFIK_DOMAIN" }}/oidc_callback + userinfo_signed_response_alg: none + + - client_id: portainer + client_name: Portainer + client_secret: {{ secret "/run/secrets/CLIENT_SECRET_PORTAINER" }} + public: false + authorization_policy: one_factor + consent_mode: implicit + scopes: + - openid + - email + - profile + - groups + redirect_uris: + - https://portainer.{{ env "TRAEFIK_DOMAIN" }}/ + userinfo_signed_response_alg: none + + - client_id: gitea + client_name: Gitea + client_secret: {{ secret "/run/secrets/CLIENT_SECRET_GITEA" }} + public: false + authorization_policy: one_factor + consent_mode: implicit + scopes: + - openid + - email + - profile + - groups + redirect_uris: + - https://git.{{ env "TRAEFIK_DOMAIN" }}/user/oauth2/authelia/callback userinfo_signed_response_alg: none \ No newline at end of file diff --git a/docker/authelia/config/configuration.server.yml b/docker/authelia/config/configuration.server.yml index 1449e85..14bec97 100644 --- a/docker/authelia/config/configuration.server.yml +++ b/docker/authelia/config/configuration.server.yml 
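Review bot: The new `portainer` client is registered with `authorization_policy: one_factor`, which lets a password alone reach the panel that manages the Docker hosts, while the same commit enables WebAuthn passkeys that could back a stronger policy; `authorization_policy: two_factor` for the Portainer entry (and arguably the Gitea one) looks like the safer default unless one_factor is a deliberate choice worth a comment. Both `client_secret` lines bind the secret verbatim from `/run/secrets/...`; if the deployed Authelia version accepts hashed client secrets, storing a digest there and handing only the plaintext to Portainer and Gitea would shrink what a leaked Authelia config reveals. The Portainer `redirect_uris` entry is the bare site root `https://portainer.{{ env "TRAEFIK_DOMAIN" }}/`, and since the new OAUTH_SETUP.md itself states redirect URIs are matched exactly including the trailing slash, a comment such as `# must match Portainer's redirect exactly, trailing slash included` would prevent the most likely misconfiguration.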
@@ -19,10 +19,15 @@ totp: webauthn: disable: false + enable_passkey_login: true display_name: Authelia attestation_conveyance_preference: indirect user_verification: preferred timeout: 60s + selection_criteria: + attachment: "" + discoverability: preferred + user_verification: preferred identity_validation: reset_password: diff --git a/docs/CI_CD_VAULT_SETUP.md b/docs/CI_CD_VAULT_SETUP.md new file mode 100644 index 0000000..b08dceb --- /dev/null +++ b/docs/CI_CD_VAULT_SETUP.md 
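Review bot: `enable_passkey_login: true` is added while both `user_verification` settings — the existing top-level one and the new `selection_criteria.user_verification` — remain `preferred`, so as far as the visible settings show a passkey registered or asserted without a PIN/biometric check can complete a passwordless login on possession alone. If passkeys are meant to stand in for password plus second factor, `user_verification: required` under `selection_criteria` (kept consistent with the top-level value) is what actually enforces the check at registration and assertion time. `attachment: ""` expresses no authenticator preference, which is reasonable, but a comment such as `# empty = accept both platform and roaming authenticators` would save the next reader a documentation lookup. The hunk header counts ten old lines but only eight are visible here, so blank lines appear to have been collapsed in this view.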
@@ -0,0 +1,187 @@ +# CI/CD Vault Setup & Secret Management + +This guide covers managing secrets in your Woodpecker CI vault for Authelia deployment. + +## ๐Ÿ”‘ Required Vault Secrets + +Your Woodpecker CI vault must contain **12 total secrets** for proper Authelia deployment: + +### Core Secrets (5) +| Variable Name | Description | Generation Method | +|---------------|-------------|-------------------| +| `AUTHENTICATION_BACKEND_LDAP_PASSWORD` | LDAP authentication password | `./generate-secrets.sh` | +| `IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET` | Password reset JWT secret | `./generate-secrets.sh` | +| `STORAGE_ENCRYPTION_KEY` | Database encryption key | `./generate-secrets.sh` | +| `SESSION_SECRET` | Session encryption secret | `./generate-secrets.sh` | +| `NOTIFIER_SMTP_PASSWORD` | SMTP email notifications | Manual configuration | + +### OIDC Secrets (3) +| Variable Name | Description | Generation Method | +|---------------|-------------|-------------------| +| `IDENTITY_PROVIDERS_OIDC_HMAC_SECRET` | OIDC HMAC signing secret | `./generate-secrets.sh` | +| `IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY` | OIDC token signing private key (RSA) | `./generate-secrets.sh` | +| `IDENTITY_PROVIDERS_OIDC_JWKS_KEY` | OIDC JWKS validation key (RSA) | `./generate-secrets.sh` | + +### OAuth Client Secrets (4) +| Variable Name | Description | Generation Method | +|---------------|-------------|-------------------| +| `CLIENT_SECRET_HEADSCALE` | Headscale VPN OIDC client | `./generate-secrets.sh` | +| `CLIENT_SECRET_HEADADMIN` | Headscale admin OIDC client | `./generate-secrets.sh` | +| `CLIENT_SECRET_PORTAINER` | Portainer OAuth client | `./scripts/generate-oauth-secrets.sh` | +| `CLIENT_SECRET_GITEA` | Gitea OAuth client | `./scripts/generate-oauth-secrets.sh` | + +## ๐Ÿš€ Setup Process + +### 1. Generate Core Secrets +```bash +# Generate main Authelia secrets (10 secrets) +./generate-secrets.sh +``` + +### 2. 
Generate OAuth Client Secrets +```bash +# Generate OAuth client secrets (2 additional secrets) +./scripts/generate-oauth-secrets.sh +``` + +### 3. Update CI/CD Vault + +#### Using Woodpecker Web Interface +1. Go to your repository in Woodpecker CI +2. Navigate to **Settings** โ†’ **Secrets** +3. Add each secret with the exact variable name +4. Copy values from generated secret files + +#### Using Woodpecker CLI +```bash +# Install Woodpecker CLI if not already installed +curl -L https://github.com/woodpecker-ci/woodpecker/releases/latest/download/woodpecker-cli_linux_amd64.tar.gz | tar zx +sudo mv woodpecker-cli /usr/local/bin/ + +# Configure CLI +export WOODPECKER_SERVER=https://your-woodpecker-server.com +export WOODPECKER_TOKEN=your-api-token + +# Update all secrets (example commands) +woodpecker secret update --repository your-repo --name CLIENT_SECRET_PORTAINER --value "$(cat secrets/clients/portainer-secret.txt)" +woodpecker secret update --repository your-repo --name CLIENT_SECRET_GITEA --value "$(cat secrets/clients/gitea-secret.txt)" +``` + +## ๐Ÿ”„ Secret Rotation + +### Full Secret Rotation (Rare) +โš ๏ธ **WARNING: This causes service downtime and invalidates all sessions** + +```bash +# Regenerate all secrets +./generate-secrets.sh + +# Update all 10 core secrets in CI vault +# Deploy immediately to avoid extended downtime +``` + +### OAuth Client Secret Rotation (Safe) +```bash +# Regenerate OAuth client secrets only +./scripts/generate-oauth-secrets.sh + +# Update CLIENT_SECRET_PORTAINER and CLIENT_SECRET_GITEA in vault +# Deploy when convenient +``` + +## ๐Ÿ›ก๏ธ Security Best Practices + +### Secret Storage +- **Never commit** secrets to git (automatically gitignored) +- **Use secure transmission** when copying to CI vault +- **Delete local secret files** after updating vault (optional) +- **Rotate secrets periodically** (recommended quarterly) + +### Access Control +- **Limit vault access** to deployment administrators only +- **Use separate 
secrets** for development vs production +- **Monitor secret access** in CI/CD logs +- **Audit secret usage** regularly + +### Backup and Recovery +- **Document secret locations** in secure password manager +- **Test recovery procedures** before emergencies +- **Keep vault backups** according to your backup policy +- **Plan for secret compromise** scenarios + +## ๐Ÿ” Verification + +### Check Secret Access +```bash +# Verify secrets are accessible in deployment +ssh macmini7 'docker service logs authelia_authelia | grep -i "secret\|error"' + +# Check for missing secrets +ssh macmini7 'docker service logs authelia_authelia | grep -i "failed\|missing"' +``` + +### Test OAuth Integration +```bash +# Test OAuth endpoint accessibility +curl -s https://login.nixc.us/.well-known/openid_configuration | jq . + +# Verify client configurations +ssh macmini7 'docker service logs authelia_authelia | grep -i "oidc\|oauth"' +``` + +## ๐Ÿšจ Troubleshooting + +### Common Issues + +#### Secret Not Found +``` +Error: secret not found: CLIENT_SECRET_PORTAINER +``` +**Solution**: Verify secret name exactly matches in CI vault + +#### Invalid Secret Format +``` +Error: failed to parse RSA private key +``` +**Solution**: Regenerate OIDC secrets with proper formatting + +#### Service Won't Start +``` +Error: configuration validation failed +``` +**Solution**: Check all 12 secrets are present in vault + +### Emergency Recovery + +#### Lost Access to Vault +1. **Contact CI/CD administrator** for vault access +2. **Regenerate all secrets** with generation scripts +3. **Update vault immediately** with new values +4. **Redeploy services** to use new secrets + +#### Compromised Secrets +1. **Rotate affected secrets immediately** +2. **Update CI/CD vault** with new values +3. **Deploy new secrets** as soon as possible +4. **Monitor for unauthorized access** in logs +5. 
**Review access logs** for compromise timeline + +## ๐Ÿ“ž Support + +### CI/CD Vault Issues +- Check vault permissions and access rights +- Verify secret names match exactly (case-sensitive) +- Confirm vault backup and recovery procedures +- Test secret retrieval in deployment pipeline + +### Secret Generation Issues +- Ensure OpenSSL is available for key generation +- Check file permissions in secrets directory +- Verify gitignore is properly configured +- Confirm script execution permissions + +### Deployment Issues +- Monitor deployment logs for secret-related errors +- Check Docker Swarm secret creation +- Verify Authelia configuration template processing +- Test service connectivity after deployment \ No newline at end of file diff --git a/docs/OAUTH_SETUP.md b/docs/OAUTH_SETUP.md new file mode 100644 index 0000000..bdb7b50 --- /dev/null +++ b/docs/OAUTH_SETUP.md 
@@ -0,0 +1,204 @@ +# OAuth/OIDC Client Setup Guide + +This guide covers setting up OAuth/OIDC authentication for services like Portainer and Gitea using Authelia as the identity provider. + +## ๐Ÿ”ง Overview + +Authelia provides OpenID Connect (OIDC) support, allowing services to authenticate users through OAuth flows instead of using Traefik middleware. This provides better integration and user experience. + +## ๐Ÿ”‘ Client Secrets Management + +### Generate Client Secrets +```bash +# Generate secrets for new OAuth clients +./scripts/generate-oauth-secrets.sh +``` + +This script creates: +- `secrets/oauth-secrets.env` - Environment variables for local testing +- Individual secret files in `secrets/clients/` directory +- All files are automatically gitignored + +### Required CI/CD Vault Secrets + +Add these to your Woodpecker CI vault: + +#### Portainer OAuth +- **Variable**: `CLIENT_SECRET_PORTAINER` +- **Value**: Generated from `secrets/clients/portainer-secret.txt` + +#### Gitea OAuth +- **Variable**: `CLIENT_SECRET_GITEA` +- **Value**: Generated from `secrets/clients/gitea-secret.txt` + +## ๐Ÿ“ฑ Client Configurations + +### Portainer OAuth Setup + +#### 1. Authelia Configuration +Already configured in `docker/authelia/config/configuration.oidc.clients.yml`: + +```yaml +- client_id: portainer + client_name: Portainer + client_secret: {{ secret "/run/secrets/CLIENT_SECRET_PORTAINER" }} + public: false + authorization_policy: one_factor + consent_mode: implicit + scopes: + - openid + - email + - profile + - groups + redirect_uris: + - https://portainer.{{ env "TRAEFIK_DOMAIN" }}/ + userinfo_signed_response_alg: none +``` + +#### 2. 
Portainer OAuth Settings +Configure in Portainer โ†’ Settings โ†’ Authentication: + +- **OAuth Provider**: Custom +- **Client ID**: `portainer` +- **Client Secret**: `` +- **Authorization URL**: `https://login.nixc.us/api/oidc/authorization` +- **Token URL**: `https://login.nixc.us/api/oidc/token` +- **User Info URL**: `https://login.nixc.us/api/oidc/userinfo` +- **Scopes**: `openid email profile groups` +- **Redirect URL**: `https://portainer.nixc.us/` + +#### 3. Remove Traefik Middleware (Optional) +Once OAuth is working, remove middleware protection: + +```yaml +# Remove this line from Portainer service: +# traefik.http.routers.portainer.middlewares: authelia_authelia +``` + +### Gitea OAuth Setup + +#### 1. Authelia Configuration +Already configured in `docker/authelia/config/configuration.oidc.clients.yml`: + +```yaml +- client_id: gitea + client_name: Gitea + client_secret: {{ secret "/run/secrets/CLIENT_SECRET_GITEA" }} + public: false + authorization_policy: one_factor + consent_mode: implicit + scopes: + - openid + - email + - profile + - groups + redirect_uris: + - https://git.{{ env "TRAEFIK_DOMAIN" }}/user/oauth2/authelia/callback + userinfo_signed_response_alg: none +``` + +#### 2. Gitea OAuth Settings +Configure in Gitea โ†’ Site Administration โ†’ Authentication Sources: + +- **Authentication Type**: OAuth2 +- **Authentication Name**: `Authelia` +- **OAuth2 Provider**: OpenID Connect +- **Client ID**: `gitea` +- **Client Secret**: `` +- **OpenID Connect Auto Discovery URL**: `https://login.nixc.us/.well-known/openid_configuration` +- **Icon URL**: `https://login.nixc.us/static/media/logo.png` (optional) + +## ๐Ÿ”„ Deployment Process + +### 1. Generate Secrets +```bash +./scripts/generate-oauth-secrets.sh +``` + +### 2. Update CI/CD Vault +Add the generated secrets to your Woodpecker CI vault: +- `CLIENT_SECRET_PORTAINER` +- `CLIENT_SECRET_GITEA` + +### 3. Deploy Authelia +Push changes to trigger CI/CD deployment with new OAuth clients. + +### 4. 
Configure Services +Set up OAuth in each service's admin interface using the URLs and client IDs above. + +## ๐Ÿ” Testing OAuth Flow + +### Test Authentication Flow +1. **Visit protected service** (e.g., `https://portainer.nixc.us`) +2. **Click OAuth login** button +3. **Redirect to Authelia** (`https://login.nixc.us`) +4. **Authenticate** with your credentials +5. **Redirect back** to service with authentication +6. **Access granted** with user information + +### Troubleshooting +- **Check redirect URIs** match exactly (including trailing slashes) +- **Verify client secrets** in CI vault match generated values +- **Confirm Authelia** is accessible at `https://login.nixc.us` +- **Check service logs** for OAuth-specific error messages + +## ๐Ÿ›ก๏ธ Security Considerations + +### Client Secrets +- **Never commit** client secrets to git (automatically gitignored) +- **Rotate secrets** periodically using the generation script +- **Use secure transmission** when adding to CI vault + +### Redirect URIs +- **Exact matching** required - include/exclude trailing slashes consistently +- **HTTPS only** in production +- **Specific paths** rather than wildcards + +### Scopes +- **Minimal necessary** scopes for each client +- **Groups scope** enables role-based access control +- **Profile/email** scopes for user information + +## ๐Ÿ“‹ Available Scopes + +- **`openid`**: Required for OIDC, provides user identifier +- **`email`**: User's email address +- **`profile`**: User's display name and profile information +- **`groups`**: User's group memberships for authorization + +## ๐Ÿ”ง Advanced Configuration + +### Custom Authorization Policies +Create service-specific policies in `configuration.oidc.clients.yml`: + +```yaml +authorization_policies: + portainer_admin: + default_policy: deny + rules: + - policy: one_factor + subject: group:portainer-admins +``` + +### Group-Based Access Control +Map LDAP groups to service permissions: +- **`portainer-admins`**: Full Portainer access 
+- **`developers`**: Git repository access +- **`users`**: Basic service access + +## ๐Ÿ“ž Support + +### Common Issues +1. **Redirect URI mismatch**: Check exact URL format +2. **Client secret mismatch**: Regenerate and update vault +3. **Scope errors**: Verify service supports requested scopes +4. **Network issues**: Confirm Authelia accessibility + +### Logs and Debugging +```bash +# Check Authelia OIDC logs +ssh macmini7 'docker service logs authelia_authelia | grep -i oidc' + +# Check service-specific OAuth logs +ssh macmini7 'docker service logs | grep -i oauth' +``` \ No newline at end of file diff --git a/docs/README.md b/docs/README.md new file mode 100644 index 0000000..b2d5393 --- /dev/null +++ b/docs/README.md 
@@ -0,0 +1,89 @@ +# Documentation Index + +This directory contains comprehensive guides for Authelia deployment and configuration. + +## ๐Ÿ“š Available Guides + +### ๐Ÿ”ง Setup & Configuration +- **[OAuth/OIDC Setup Guide](OAUTH_SETUP.md)** - Complete OAuth integration for Portainer, Gitea, and other services +- **[CI/CD Vault Setup](CI_CD_VAULT_SETUP.md)** - Secret management and Woodpecker CI vault configuration + +### ๐Ÿš€ Getting Started + +1. **Initial Deployment** + - Follow the main [README.md](../README.md) for basic setup + - Generate core secrets with `./generate-secrets.sh` + - Set up CI/CD vault using [CI/CD Vault Setup](CI_CD_VAULT_SETUP.md) + +2. **OAuth Integration** + - Generate OAuth client secrets with `./scripts/generate-oauth-secrets.sh` + - Follow [OAuth Setup Guide](OAUTH_SETUP.md) for service configuration + - Configure individual services (Portainer, Gitea) with OAuth + +3. **Production Deployment** + - Commit changes to trigger CI/CD pipeline + - Monitor deployment through Woodpecker CI + - Verify service health and authentication flows + +## ๐Ÿ”‘ Quick Reference + +### Essential Commands +```bash +# Generate core Authelia secrets (10 secrets) +./generate-secrets.sh + +# Generate OAuth client secrets (2 additional secrets) +./scripts/generate-oauth-secrets.sh + +# Run development environment +docker compose -f docker-compose.dev.yml up -d + +# Run tests +./tests/precommit.sh +``` + +### Important URLs +- **Authelia**: https://login.nixc.us +- **Development**: http://localhost:9091 +- **Health Check**: https://login.nixc.us/api/health +- **OIDC Discovery**: https://login.nixc.us/.well-known/openid_configuration + +### Required Secrets (12 Total) +- **Core Secrets (5)**: LDAP, JWT, encryption, session, SMTP +- **OIDC Secrets (3)**: HMAC, private key, JWKS key +- **Client Secrets (4)**: Headscale (2), Portainer, Gitea + +## ๐Ÿ” Troubleshooting + +### Common Issues +- **Service won't start**: Check secrets in CI vault +- **OAuth fails**: 
Verify redirect URIs and client secrets +- **Database errors**: Check MariaDB connectivity and initialization +- **Health check fails**: Verify Authelia startup and port binding + +### Useful Commands +```bash +# Check service logs +ssh macmini7 'docker service logs authelia_authelia --follow' + +# Verify secrets access +ssh macmini7 'docker service logs authelia_authelia | grep -i secret' + +# Test OAuth endpoints +curl -s https://login.nixc.us/.well-known/openid_configuration | jq . +``` + +## ๐Ÿ“ž Support + +For issues not covered in these guides: +1. Check service logs for specific error messages +2. Verify all secrets are present in CI vault +3. Confirm network connectivity between services +4. Review Authelia configuration for syntax errors + +## ๐Ÿ”„ Updates + +Keep documentation synchronized with code changes: +- Update OAuth client configurations when adding new services +- Refresh secret generation procedures when security requirements change +- Document new troubleshooting steps as issues are resolved \ No newline at end of file diff --git a/scripts/generate-oauth-secrets.sh b/scripts/generate-oauth-secrets.sh new file mode 100755 index 0000000..d05bd0d --- /dev/null +++ b/scripts/generate-oauth-secrets.sh 
@@ -0,0 +1,205 @@ +#!/bin/sh + +# OAuth Client Secrets Generation Script +# Generates secure client secrets for OAuth/OIDC integration + +set -e + +# Color codes for output +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +BLUE='\033[0;34m' +NC='\033[0m' # No Color + +# Script directory and workspace root +SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" +WORKSPACE_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)" +SECRETS_DIR="$WORKSPACE_ROOT/secrets" +CLIENTS_DIR="$SECRETS_DIR/clients" + +print_header() { + echo "${BLUE}================================${NC}" + echo "${BLUE} OAuth Client Secrets Generator${NC}" + echo "${BLUE}================================${NC}" + echo +} + +print_warning() { + echo "${YELLOW}โš ๏ธ WARNING: This will generate new OAuth client secrets!${NC}" + echo "${YELLOW} - Any existing client secrets will be replaced${NC}" + echo "${YELLOW} - You must update your CI/CD vault with new secrets${NC}" + echo "${YELLOW} - Services using old secrets will fail authentication${NC}" + echo +} + +ensure_directories() { + echo "${BLUE}Creating directories...${NC}" + mkdir -p "$SECRETS_DIR" + mkdir -p "$CLIENTS_DIR" +} + +ensure_gitignore() { + echo "${BLUE}Ensuring secrets are gitignored...${NC}" + + # Create .gitignore if it doesn't exist + touch "$WORKSPACE_ROOT/.gitignore" + + # Check and add secrets directory to gitignore + if ! grep -q "^secrets/" "$WORKSPACE_ROOT/.gitignore" 2>/dev/null; then + echo "" >> "$WORKSPACE_ROOT/.gitignore" + echo "# OAuth and other secrets - never commit!" 
>> "$WORKSPACE_ROOT/.gitignore" + echo "secrets/" >> "$WORKSPACE_ROOT/.gitignore" + echo "${GREEN}โœ… Added secrets/ to .gitignore${NC}" + else + echo "${GREEN}โœ… secrets/ already in .gitignore${NC}" + fi +} + +generate_secret() { + # Generate a 64-character random string using available tools + if command -v openssl >/dev/null 2>&1; then + openssl rand -base64 48 | tr -d '\n' + elif [ -r /dev/urandom ]; then + dd if=/dev/urandom bs=48 count=1 2>/dev/null | base64 | tr -d '\n' + else + # Fallback for systems without openssl or /dev/urandom + date +%s%N | sha256sum | head -c 64 + fi +} + +generate_client_secret() { + local client_name="$1" + local file_name="$2" + + echo "${BLUE}Generating secret for $client_name...${NC}" + + local secret + secret=$(generate_secret) + + # Write to individual file + echo "$secret" > "$CLIENTS_DIR/$file_name" + + # Add to environment file + local env_var_name + env_var_name=$(echo "CLIENT_SECRET_$(echo "$client_name" | tr '[:lower:]' '[:upper:]')" | tr '-' '_') + echo "${env_var_name}=$secret" >> "$SECRETS_DIR/oauth-secrets.env" + + echo "${GREEN}โœ… Generated secret for $client_name${NC}" + echo " File: secrets/clients/$file_name" + echo " Env: $env_var_name" + echo +} + +create_vault_instructions() { + echo "${BLUE}Creating CI/CD vault instructions...${NC}" + + cat > "$SECRETS_DIR/VAULT_SECRETS.md" << 'EOF' +# CI/CD Vault Secrets + +Add these secrets to your Woodpecker CI vault: + +## OAuth Client Secrets + +### Portainer OAuth +- **Variable Name**: `CLIENT_SECRET_PORTAINER` +- **Secret File**: `secrets/clients/portainer-secret.txt` +- **Value**: (copy content from the file above) + +### Gitea OAuth +- **Variable Name**: `CLIENT_SECRET_GITEA` +- **Secret File**: `secrets/clients/gitea-secret.txt` +- **Value**: (copy content from the file above) + +## Important Notes + +1. **Never commit these files** - they are automatically gitignored +2. **Copy the exact content** from each secret file to the CI vault +3. 
**Update vault immediately** after generating new secrets +4. **Services will fail** until vault is updated with new secrets + +## Vault Update Commands + +If using Woodpecker CLI: +```bash +# Update Portainer secret +woodpecker secret update --repository your-repo --name CLIENT_SECRET_PORTAINER --value "$(cat secrets/clients/portainer-secret.txt)" + +# Update Gitea secret +woodpecker secret update --repository your-repo --name CLIENT_SECRET_GITEA --value "$(cat secrets/clients/gitea-secret.txt)" +``` + +## Verification + +After updating the vault, check that services can access secrets: +```bash +# Check deployment logs for secret access +ssh macmini7 'docker service logs authelia_authelia | grep -i "secret"' +``` +EOF + + echo "${GREEN}โœ… Created vault instructions: secrets/VAULT_SECRETS.md${NC}" +} + +print_summary() { + echo "${GREEN}================================${NC}" + echo "${GREEN} ๐ŸŽ‰ OAuth Secrets Generated! ${NC}" + echo "${GREEN}================================${NC}" + echo + echo "${YELLOW}๐Ÿ“ Generated Files:${NC}" + echo " โ€ข secrets/oauth-secrets.env" + echo " โ€ข secrets/clients/portainer-secret.txt" + echo " โ€ข secrets/clients/gitea-secret.txt" + echo " โ€ข secrets/VAULT_SECRETS.md" + echo + echo "${YELLOW}๐Ÿ”‘ Required CI/CD Vault Updates:${NC}" + echo " โ€ข CLIENT_SECRET_PORTAINER" + echo " โ€ข CLIENT_SECRET_GITEA" + echo + echo "${RED}โš ๏ธ NEXT STEPS:${NC}" + echo " 1. Update your CI/CD vault with new secrets" + echo " 2. Deploy Authelia to use new client configurations" + echo " 3. Configure OAuth in Portainer and Gitea admin panels" + echo " 4. Test authentication flows" + echo + echo "${BLUE}๐Ÿ“– Full setup guide: docs/OAUTH_SETUP.md${NC}" +} + +# Main execution +main() { + print_header + print_warning + + # Prompt for confirmation + printf "${YELLOW}Continue? 
(y/N): ${NC}" + read -r confirm + case "$confirm" in + [yY]|[yY][eE][sS]) + echo "${GREEN}Proceeding with secret generation...${NC}" + echo + ;; + *) + echo "${YELLOW}Cancelled by user.${NC}" + exit 0 + ;; + esac + + ensure_directories + ensure_gitignore + + # Clear previous oauth-secrets.env + > "$SECRETS_DIR/oauth-secrets.env" + echo "# OAuth Client Secrets - Generated $(date)" >> "$SECRETS_DIR/oauth-secrets.env" + echo "# NEVER COMMIT THIS FILE" >> "$SECRETS_DIR/oauth-secrets.env" + echo "" >> "$SECRETS_DIR/oauth-secrets.env" + + # Generate client secrets + generate_client_secret "portainer" "portainer-secret.txt" + generate_client_secret "gitea" "gitea-secret.txt" + + create_vault_instructions + print_summary +} + +# Run main function +main "$@" \ No newline at end of file diff --git a/secrets.md.backup b/secrets.md.backup deleted file mode 100644 index 42bb610..0000000 --- a/secrets.md.backup +++ /dev/null 
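Review bot: The last branch of `generate_secret`, `date +%s%N | sha256sum | head -c 64`, derives the client secret from the current time, so on a host lacking both `openssl` and a readable `/dev/urandom` the script silently emits a guessable value (and `%N` is a GNU `date` extension, so that branch is also the least portable); replacing it with `echo "${RED}No secure random source found (need openssl or /dev/urandom)${NC}" >&2; exit 1` is safer than any fallback. The secret files are created under the caller's umask, so `secrets/clients/*.txt` and `oauth-secrets.env` are typically world-readable; adding `umask 077` as the first statement of `main` (or `chmod 600` after each write in `generate_client_secret`) keeps them owner-only. Minor style: the script is `#!/bin/sh` but uses `local` and relies on `echo` expanding the `\033` colour sequences, neither of which POSIX guarantees — `printf '%b\n' "${BLUE}...${NC}"` would behave the same everywhere.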
@@ -1,123 +0,0 @@ -# Authelia Production Secrets - -**DO NOT COMMIT THIS FILE TO VERSION CONTROL** - -## Core Secrets - -### AUTHENTICATION_BACKEND_LDAP_PASSWORD -LDAP authentication backend password -``` -M3OPMiRaWrL2RKfbf89AkdGPXtvu0HO54JkjgHfS4aKX7uZFunoRRJe6QoizcZdl -``` - -### IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET -JWT secret for password reset tokens -``` -zvVa7SFCU4QsBYyV/ofERdhqX3S072knmWHc+vIYVR0Jf/iWLfogpVnsCO0fe84d -``` - -### STORAGE_ENCRYPTION_KEY -Database encryption key -``` -aghKiwANaIIiDu4hsn34gok273Jn/xLjfFEm2OLoqqnVs1EnriYI7igJXc6LdYZ+ -``` - -### SESSION_SECRET -Session encryption secret -``` -hYtbSIYvh/gH3jLlmk+qrokQehytAeLQrUIwVuyEXstA2FFXDizaZF2vbdlrHCc8 -``` - -### NOTIFIER_SMTP_PASSWORD -SMTP email notifications password -``` -8P7ah6U5ZjbQ2Faaw1fJoehxJrMOslCu -``` - -## OIDC Secrets - -### IDENTITY_PROVIDERS_OIDC_HMAC_SECRET -OIDC HMAC signing secret -``` -zrnMWj61QvLebBFWphAjOMwb8TIStT+FWZaP83Zn8oVP24s1t5UnJD0syL4kREQk -``` - -### IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY -OIDC token signing private key -``` ------BEGIN PRIVATE KEY----- -MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCEhL7zgYaHoO28 -0ZRWcqNrvhQMkN+ikCeo3Gf/XQX1BYsduvMc8EghVcB1uIdMKw7qZ4+uuBzE1kGi -qRYhsOyn5ARuKLO2SA0HuFJE3O4CK+P5jHBTP4XX64NLcGIu8HFW6a57M/R7CyZp -+hMB1TVBH1qkogw0ON188dwGqz7feAdwZLAV4yoB3DCbYNwNOx0VAmwXljpcHGqx -t4OTokHxUFqqzvAFOWAfPQ53pW/H9TV889XYME+/nf4/mfdU7mtrLBAtl1AEcuud -HAcAyggyLGmOeOqeHjPZUs/aMDlngpLG7+KMubsSSh9AyIc3HKec696Gs7J0YyLB -tJjq4vJJAgMBAAECggEADYRw6evTajBLL9B8/hhxfQMFjoaUmUN1GC9rWEwH2Id5 -Ok4gkFoeMXBK0ndBLc7Slax8pojXPmjQhyQSQtuGOFX08burITPWSGxP0ABtMsGB -XqoppwQ6xdybJu3OxhT2qrPpfV2+WXK4t2Sv3ab+6KanG1YAQq9uQFl3ZSLAphC1 -temZektnU5KgcNlTJ9b3gQgyX4YaTsl4rNglN/gCtxleIOWhLyE5qHAedrKJW3lF -cxtpm3+0ObKzZmPR6t8PgDwytYrcLUcVQAdE8RlPvyArES5y5cHHXtsIUEC2I7PH -IY8nglYhJ9HtnW7XWQLJCWsIlZj4qEqrkLpR/Fm0xQKBgQC5XgyJ5UZCeq/hMMiv -Q+pTNJj/k3j5gCa9f9wKCJmumtS+RFbucNQsnpmOhFEC1P4SyyPH/YrBeLtgWWKM 
-gxIK1VpJSPpNSL50FnyfzjJxAy6eHqNNupBPR29dxwaY3lehFVRvb+0FZ753+ATl -vc5BTf4xj//z7Ozd3jXlJ/Yk/wKBgQC3A3lfwDj4Q4IW/XaquzfsEuVKrJygwNsB -eCKMHJU0q01rOEGf5i1WXRJKRLS8EMXaawLYA+DO5ya9QlhWw+JWRcuJenBLEQ3J -x1IgJZm9sPeByGPpsz0f3TLcwMBg1f101xY4RedYCaDGhNTBww6Fs8Fx9zeLeOXA -GxCdrZGAtwKBgCxepbOwLKQnB8hoS/Ef2Yv3EBRE8XUPRrafT0Ubj+Wqa/frFb/X -RAI2KF1jsJxz7SkEdNkfCEKNKpTCcINfsEblkMnv7PHo0qWo6EW8Lni8oUD55m7p -lDdVywNwa1TWC7WkDGTsLpjXn1DKDioLx7379Dda15JEiOIGmXHzochzAoGAQJi9 -UoqqkRZi6HJ2XDTQvEa/H+hlMGhh5Nbees3r7Dc6kEm/AA1im0Umm4g8stTIwRtc -WZqk0uLLzamJPLbPQNxJxzCsShKu5zWvSyF6bnX0Jp7whSB6xrBwr3JpdMSTPZZd -hWdHDM/5K5je77VFfvO/p9Y2iMgXcAMdjkohPWkCgYAl7IOXO8nFpR0Nn9nWtFca -llWXYHT16aFtWWjVNQg0LcsouaLL0/yywjIfda9fYlCcqaTF5XCCDZacn7CYTvZx -ty4l37GfJNcF7RvMpr8tUybnMk23u7jQ9xiWWuDSmKasNjdgNJmV8S4PfPK0NlLI -9bnk3nH2w/bIQdtbh7cApQ== ------END PRIVATE KEY----- -``` - -### IDENTITY_PROVIDERS_OIDC_JWKS_KEY -OIDC JWKS validation key -``` ------BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCyyQ0Rjs59GkJ+ -flL1PoJfdFIeNvLZ8RNees300f5cT2KFmO/K5viuEpCp+JA/cO93EjqEUECblb41 -nXzCG89anwH+ifXqWcZMDZ24A3MCLBNFVgTGJwGw1adRgJ+xDNB1uslOJ/62L8d3 -Op1nm1/OXCrzVj/GJqyJDj6w5FpW6lGB5DzSQNKwUr9ngve7XQhwKI8OVHm8KjW9 -tG2DZEdt4Jjj/sxycNrJFt0+jk443IehIuGstGrPYFL+JRfmDB6cvrRVF3j54L2j -qj6mk7ZMTh1AMN2AmSvIH100YqM1hj75prM/fYT+2hTse5CxzKY+SOSV2ekD5A0n -J8o5maS9AgMBAAECggEAK7gSZArB38G+JOSLMMF6bBEry4uwUy8qh14MYyO+yZ/3 -/adqa/mTMi4EBixsSbc6N6nTeWuOgP1bKA085tKaIBTmDfJ6mjYd0Zc6zDa7tvpE -NB5WyIXdWfrFEZ8cbdUuXLuyYlRRawfABR3mQ+Gwyeur7RlYOwJWCqXbGrKcjMgS -lGnBT7U5BaJwvX+Hd9HaI/zWUBK8ZZ8rkcvTCE/bz/gutwWq1QCKyosgYMr9eaQQ -8FeEaoAz7OikIwviXjIIcZZH8CrAQQDqMhG55+LRkacbdI6p9blpNNm2ORUPhFuN -JEgTv5kDfldy3S3kvullNrxwNBD7I6oyMmO+Kk/XGQKBgQDwQDB3arxhDka3hTgl -yvcBYaC0NUJK/uwHHt/QkTZyqgu7wTfHaEQnwnk4tqoB2zHjEhoc+EVntSdMbvyE -pugPbr5rdDHpP9/crp8fFdmYTYxiXnlDiWWRg/2hI6kIMymuFg9xt0dwcnnbjLpE -Hki1bvAsXOGBAqrbpooB2cuRrwKBgQC+gV6R6aIk2RolV1BU55d73Ixa0UJJ9Apw 
-awU5jaf3dpzxmGd3HZvp9Y6MaUutkuY/qQAxth3z+SW+hXIpNa2FjayObB2PSIFS -pQv0UFcOC6cp179bRvxp1COaODlrk1tcJTmFE1U+gaiA3SOi83QHTJ7c07U7bUhO -mQaQRcRnUwKBgCDuO3Zy2+VVxp2rFfogKuE2l4d78V1EOefz9GurK9Jlunv+zP15 -LjZg8qqyZvUgLWNZfNjRsvm3G+7fG5+3HQHYhSNHZvv4tF+UU9036n50yrRFDMwU -Dib295HZyHaGRMVG4tEMdS9VkZxlWraxi/fKgAMkrAg57F91IV+FkeCjAoGADFD2 -2T4ekn1KuHFNqz+Rxps6o8B1paxWZHA21UK4QkJz4Ra2UbgjVVvfzGoeT2l441K8 -xXn9s8E+1HNyLwHeZw0Cw+5vdsz8N2iePjxXdHwCYa0mHPOY7AqgBp9t7uuG840g -i971GuZtC2/Alw9gR/yHJMW3KNFm5FX2W6t3CCsCgYEAigFe+tPNlzk6cZcLTPB+ -sX6eO2pkPlQgG1SQf4ymYs9FG1ATGtMm9u1oSZ52rgQVo74rGooZWKqtOHpcZ9no -KpEIgjO+GoWjJ8ZA/qy33OzOCkRblGy7pUEoQxaIMG9snJcBQuEiQWU+gn0EvrRx -jQ6d0U5snWDdVPexoihst/M= ------END PRIVATE KEY----- -``` - -## Client Secrets - -### CLIENT_SECRET_HEADSCALE -Headscale VPN OIDC client secret -``` -I7tiomn7akKaKF+xOj2W8JDudQQTd5CAj88nfngQbhgn4wRf9iwEinDSQnghCmCq -``` - -### CLIENT_SECRET_HEADADMIN -Headscale admin panel OIDC client secret -``` -fEXUwuVB7JJL3sg7fasiNoPGA4XGWYUxbyuonX6CK7ABZw5H24HMfYmpAb3VR5J0 -```