Enable passkey login and improve WebAuthn configuration
ci/woodpecker/push/woodpecker Pipeline was successful Details

This commit is contained in:
Your Name 2025-06-06 10:15:12 -04:00
parent 78cea66d39
commit e70fed6ad8
9 changed files with 785 additions and 136 deletions

.gitignore vendored

@ -27,3 +27,5 @@ logs/
# Temporary files
*.tmp
*.temp
# OAuth and other secrets - never commit!
secrets/
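Review bot: `secrets/` keeps future generator output out of the index, but it does nothing for the production secrets file that this same commit deletes further down; that file was already tracked, so the ignore rule is prevention, not remediation, and the rotation and history purge still have to happen. Also consider anchoring the pattern as `/secrets/` if only the repository-root directory is meant, since an unanchored `secrets/` ignores a directory of that name at any depth.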


@ -55,11 +55,16 @@ Generate production secrets (⚠️ **Use with extreme caution**):
**CRITICAL**: This script will:
- Invalidate all existing sessions and tokens
- Require updating all 10 secrets in Woodpecker CI vault
- Require updating all 12 secrets in Woodpecker CI vault
- Potentially require recreating database volumes
- Cause service downtime until deployment completes
### Required Secrets (10 total)
### CI/CD Vault Management
For comprehensive CI/CD vault setup and secret management:
**📖 [CI/CD Vault Setup Guide](docs/CI_CD_VAULT_SETUP.md)**
### Required Secrets (12 total)
#### Core Secrets (5)
- `AUTHENTICATION_BACKEND_LDAP_PASSWORD` - LDAP authentication backend password
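Review bot: the CRITICAL bullet now claims running `./generate-secrets.sh` requires updating all 12 vault secrets, but `CLIENT_SECRET_PORTAINER` and `CLIENT_SECRET_GITEA` come from `./scripts/generate-oauth-secrets.sh` (see the Client Secrets list below) and are not touched by this script. Say "the 10 secrets this script generates" instead; otherwise an operator doing a core rotation will also rotate the Portainer and Gitea client secrets and have to reconfigure both services for no reason.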
@ -73,9 +78,11 @@ Generate production secrets (⚠️ **Use with extreme caution**):
- `IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY` - OIDC token signing private key (RSA)
- `IDENTITY_PROVIDERS_OIDC_JWKS_KEY` - OIDC JWKS validation key (RSA)
#### Client Secrets (2)
#### Client Secrets (4)
- `CLIENT_SECRET_HEADSCALE` - Headscale VPN OIDC client secret
- `CLIENT_SECRET_HEADADMIN` - Headscale admin panel OIDC client secret
- `CLIENT_SECRET_PORTAINER` - Portainer OAuth client secret
- `CLIENT_SECRET_GITEA` - Gitea OAuth client secret
## 🧪 Testing
@ -128,8 +135,49 @@ Key environment variables for customization:
- `X_AUTHELIA_EMAIL` - Notification email address
- `TRAEFIK_DOMAIN` - Base domain for services
## 🔗 OAuth/OIDC Integration
For advanced OAuth/OIDC setup with services like Portainer and Gitea, see the comprehensive guide:
**📖 [OAuth Setup Guide](docs/OAUTH_SETUP.md)**
This includes:
- OAuth client configuration for Portainer and Gitea
- Client secret generation and management
- CI/CD vault setup instructions
- Step-by-step authentication flow setup
### Quick OAuth Setup
```bash
# Generate OAuth client secrets
./scripts/generate-oauth-secrets.sh
# Follow the instructions to update your CI/CD vault
# Then configure OAuth in your services
```
## 📱 Client Integration Examples
### OAuth Integration (Recommended)
Use OAuth for better user experience and native service integration:
```yaml
# Portainer with OAuth - no Traefik middleware needed
labels:
traefik.enable: "true"
traefik.http.routers.portainer.rule: "Host(`portainer.nixc.us`)"
# OAuth configured in Portainer admin panel
```
### Traefik Middleware Protection
Use Authelia middleware for services without OAuth support:
```yaml
labels:
traefik.enable: "true"
traefik.http.routers.myapp.rule: "Host(`myapp.nixc.us`)"
traefik.http.routers.myapp.middlewares: "authelia_authelia@docker"
traefik.http.services.myapp.loadbalancer.server.port: "8080"
```
### Headscale VPN Integration
```yaml
labels:
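Review bot: the Portainer example's "no Traefik middleware needed" / `# OAuth configured in Portainer admin panel` needs a caveat: once `authelia_authelia@docker` is gone from the router, Authelia's access_control rules no longer cover `portainer.nixc.us`, Portainer's own login page and API are reachable directly, and the only Authelia decision left is the OIDC client's `authorization_policy` (`one_factor` in this commit), evaluated only for users who pick the OAuth button. State that trade-off next to the example and, for a container-management UI, recommend either keeping the middleware or a `two_factor` policy on the client.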
@ -140,15 +188,6 @@ labels:
traefik.http.services.headscale.loadbalancer.server.port: "8080"
```
### Protected Web Service
```yaml
labels:
traefik.enable: "true"
traefik.http.routers.myapp.rule: "Host(`myapp.nixc.us`)"
traefik.http.routers.myapp.middlewares: "authelia_authelia@docker"
traefik.http.services.myapp.loadbalancer.server.port: "8080"
```
## 🔍 Monitoring & Troubleshooting
### Health Checks
@ -192,6 +231,17 @@ labels:
- **Session Security**: Secure session management with Redis
- **OIDC Standards**: Industry-standard OpenID Connect implementation
## 📖 Documentation
For comprehensive guides and setup instructions:
**📁 [Documentation Directory](docs/README.md)**
Available guides:
- **OAuth/OIDC Setup**: Complete OAuth integration guide
- **CI/CD Vault Setup**: Secret management and vault configuration
- **Troubleshooting**: Common issues and solutions
## 📞 Support & Contributing
### Reporting Issues
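Review bot: the "Available guides" list advertises a Troubleshooting guide, but the `docs/README.md` index added in this commit lists only OAUTH_SETUP.md and CI_CD_VAULT_SETUP.md, with troubleshooting as a section inside the index itself. Either link that section or drop the bullet so the README does not point at a file that does not exist.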


@ -43,3 +43,33 @@ identity_providers:
redirect_uris:
- https://headadmin.{{ env "TRAEFIK_DOMAIN" }}/oidc_callback
userinfo_signed_response_alg: none
- client_id: portainer
client_name: Portainer
client_secret: {{ secret "/run/secrets/CLIENT_SECRET_PORTAINER" }}
public: false
authorization_policy: one_factor
consent_mode: implicit
scopes:
- openid
- email
- profile
- groups
redirect_uris:
- https://portainer.{{ env "TRAEFIK_DOMAIN" }}/
userinfo_signed_response_alg: none
- client_id: gitea
client_name: Gitea
client_secret: {{ secret "/run/secrets/CLIENT_SECRET_GITEA" }}
public: false
authorization_policy: one_factor
consent_mode: implicit
scopes:
- openid
- email
- profile
- groups
redirect_uris:
- https://git.{{ env "TRAEFIK_DOMAIN" }}/user/oauth2/authelia/callback
userinfo_signed_response_alg: none
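Review bot: both new clients inject the raw vault value into `client_secret` via `{{ secret "/run/secrets/..." }}`. Authelia supports a hashed client secret (its config validation warns when a plaintext one is used for anything other than `client_secret_jwt`), e.g. the `$pbkdf2-sha512$...` output of `authelia crypto hash generate pbkdf2 --random`, so the plaintext only has to live on the Portainer/Gitea side and a dump of Authelia's config or the CI vault does not yield usable client credentials; consider having the generator emit the hash for the vault and the plaintext for the service. Separately, `consent_mode: implicit` plus `authorization_policy: one_factor` means any directory user who can authenticate once gets a Portainer token carrying `groups` without a consent screen. That is fine for a first-party client but deserves a comment, and for Portainer a `two_factor` policy would be the more defensible default.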


@ -19,10 +19,15 @@ totp:
webauthn:
disable: false
enable_passkey_login: true
display_name: Authelia
attestation_conveyance_preference: indirect
user_verification: preferred
timeout: 60s
selection_criteria:
attachment: ""
discoverability: preferred
user_verification: preferred
identity_validation:
reset_password:
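Review bot: with `enable_passkey_login: true`, `selection_criteria.user_verification: preferred` lets an authenticator return an assertion without a PIN or biometric, so possession of a security key alone can complete a passkey login; set `user_verification: required` when passkey login is on. Also, Authelia treats a passkey login as a single factor by default (the separate `experimental_enable_passkey_uv_two_factor` option is what upgrades a UV-backed passkey to 2FA), and every OIDC client in this commit is `one_factor`, so one passkey assertion now grants Portainer and Gitea sessions; that should be called out in the commit or the docs. `discoverability: preferred` is acceptable, but credentials registered on authenticators without resident-key support will not show up in the passkey flow, which is worth a line in the user-facing docs.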

docs/CI_CD_VAULT_SETUP.md Normal file

@ -0,0 +1,187 @@
# CI/CD Vault Setup & Secret Management
This guide covers managing secrets in your Woodpecker CI vault for Authelia deployment.
## 🔑 Required Vault Secrets
Your Woodpecker CI vault must contain **12 total secrets** for proper Authelia deployment:
### Core Secrets (5)
| Variable Name | Description | Generation Method |
|---------------|-------------|-------------------|
| `AUTHENTICATION_BACKEND_LDAP_PASSWORD` | LDAP authentication password | `./generate-secrets.sh` |
| `IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET` | Password reset JWT secret | `./generate-secrets.sh` |
| `STORAGE_ENCRYPTION_KEY` | Database encryption key | `./generate-secrets.sh` |
| `SESSION_SECRET` | Session encryption secret | `./generate-secrets.sh` |
| `NOTIFIER_SMTP_PASSWORD` | SMTP email notifications | Manual configuration |
### OIDC Secrets (3)
| Variable Name | Description | Generation Method |
|---------------|-------------|-------------------|
| `IDENTITY_PROVIDERS_OIDC_HMAC_SECRET` | OIDC HMAC signing secret | `./generate-secrets.sh` |
| `IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY` | OIDC token signing private key (RSA) | `./generate-secrets.sh` |
| `IDENTITY_PROVIDERS_OIDC_JWKS_KEY` | OIDC JWKS validation key (RSA) | `./generate-secrets.sh` |
### OAuth Client Secrets (4)
| Variable Name | Description | Generation Method |
|---------------|-------------|-------------------|
| `CLIENT_SECRET_HEADSCALE` | Headscale VPN OIDC client | `./generate-secrets.sh` |
| `CLIENT_SECRET_HEADADMIN` | Headscale admin OIDC client | `./generate-secrets.sh` |
| `CLIENT_SECRET_PORTAINER` | Portainer OAuth client | `./scripts/generate-oauth-secrets.sh` |
| `CLIENT_SECRET_GITEA` | Gitea OAuth client | `./scripts/generate-oauth-secrets.sh` |
## 🚀 Setup Process
### 1. Generate Core Secrets
```bash
# Generate main Authelia secrets (10 secrets)
./generate-secrets.sh
```
### 2. Generate OAuth Client Secrets
```bash
# Generate OAuth client secrets (2 additional secrets)
./scripts/generate-oauth-secrets.sh
```
### 3. Update CI/CD Vault
#### Using Woodpecker Web Interface
1. Go to your repository in Woodpecker CI
2. Navigate to **Settings** → **Secrets**
3. Add each secret with the exact variable name
4. Copy values from generated secret files
#### Using Woodpecker CLI
```bash
# Install Woodpecker CLI if not already installed
curl -L https://github.com/woodpecker-ci/woodpecker/releases/latest/download/woodpecker-cli_linux_amd64.tar.gz | tar zx
sudo mv woodpecker-cli /usr/local/bin/
# Configure CLI
export WOODPECKER_SERVER=https://your-woodpecker-server.com
export WOODPECKER_TOKEN=your-api-token
# Update all secrets (example commands)
woodpecker secret update --repository your-repo --name CLIENT_SECRET_PORTAINER --value "$(cat secrets/clients/portainer-secret.txt)"
woodpecker secret update --repository your-repo --name CLIENT_SECRET_GITEA --value "$(cat secrets/clients/gitea-secret.txt)"
```
## 🔄 Secret Rotation
### Full Secret Rotation (Rare)
⚠️ **WARNING: This causes service downtime and invalidates all sessions**
```bash
# Regenerate all secrets
./generate-secrets.sh
# Update all 10 core secrets in CI vault
# Deploy immediately to avoid extended downtime
```
### OAuth Client Secret Rotation (Safe)
```bash
# Regenerate OAuth client secrets only
./scripts/generate-oauth-secrets.sh
# Update CLIENT_SECRET_PORTAINER and CLIENT_SECRET_GITEA in vault
# Deploy when convenient
```
## 🛡️ Security Best Practices
### Secret Storage
- **Never commit** secrets to git (automatically gitignored)
- **Use secure transmission** when copying to CI vault
- **Delete local secret files** after updating vault (optional)
- **Rotate secrets periodically** (recommended quarterly)
### Access Control
- **Limit vault access** to deployment administrators only
- **Use separate secrets** for development vs production
- **Monitor secret access** in CI/CD logs
- **Audit secret usage** regularly
### Backup and Recovery
- **Document secret locations** in secure password manager
- **Test recovery procedures** before emergencies
- **Keep vault backups** according to your backup policy
- **Plan for secret compromise** scenarios
## 🔍 Verification
### Check Secret Access
```bash
# Verify secrets are accessible in deployment
ssh macmini7 'docker service logs authelia_authelia | grep -i "secret\|error"'
# Check for missing secrets
ssh macmini7 'docker service logs authelia_authelia | grep -i "failed\|missing"'
```
### Test OAuth Integration
```bash
# Test OAuth endpoint accessibility
curl -s https://login.nixc.us/.well-known/openid_configuration | jq .
# Verify client configurations
ssh macmini7 'docker service logs authelia_authelia | grep -i "oidc\|oauth"'
```
## 🚨 Troubleshooting
### Common Issues
#### Secret Not Found
```
Error: secret not found: CLIENT_SECRET_PORTAINER
```
**Solution**: Verify secret name exactly matches in CI vault
#### Invalid Secret Format
```
Error: failed to parse RSA private key
```
**Solution**: Regenerate OIDC secrets with proper formatting
#### Service Won't Start
```
Error: configuration validation failed
```
**Solution**: Check all 12 secrets are present in vault
### Emergency Recovery
#### Lost Access to Vault
1. **Contact CI/CD administrator** for vault access
2. **Regenerate all secrets** with generation scripts
3. **Update vault immediately** with new values
4. **Redeploy services** to use new secrets
#### Compromised Secrets
1. **Rotate affected secrets immediately**
2. **Update CI/CD vault** with new values
3. **Deploy new secrets** as soon as possible
4. **Monitor for unauthorized access** in logs
5. **Review access logs** for compromise timeline
## 📞 Support
### CI/CD Vault Issues
- Check vault permissions and access rights
- Verify secret names match exactly (case-sensitive)
- Confirm vault backup and recovery procedures
- Test secret retrieval in deployment pipeline
### Secret Generation Issues
- Ensure OpenSSL is available for key generation
- Check file permissions in secrets directory
- Verify gitignore is properly configured
- Confirm script execution permissions
### Deployment Issues
- Monitor deployment logs for secret-related errors
- Check Docker Swarm secret creation
- Verify Authelia configuration template processing
- Test service connectivity after deployment
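Review bot: the CLI section installs the binary as `woodpecker-cli` (`sudo mv woodpecker-cli /usr/local/bin/`) but every command below, and the copy in `scripts/generate-oauth-secrets.sh`, invokes `woodpecker secret update ...`; one of the two names is wrong and the commands will not run as copied. While there: `curl -L .../releases/latest/download/... | tar zx` pins nothing and verifies nothing for a tool that will handle every production secret, so pin a release and check its checksum; `--value "$(cat secrets/clients/...)"` places each secret in the process argument list and shell history (read the value from a file if the CLI supports that form, or at least run it with history disabled); and `https://login.nixc.us/.well-known/openid_configuration` should be `openid-configuration` (hyphen) per OpenID Connect Discovery, which is the path Authelia serves. Finally, "Delete local secret files after updating vault (optional)" should not be optional: `secrets/oauth-secrets.env` and `secrets/VAULT_SECRETS.md` both hold the plaintext values.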

docs/OAUTH_SETUP.md Normal file

@ -0,0 +1,204 @@
# OAuth/OIDC Client Setup Guide
This guide covers setting up OAuth/OIDC authentication for services like Portainer and Gitea using Authelia as the identity provider.
## 🔧 Overview
Authelia provides OpenID Connect (OIDC) support, allowing services to authenticate users through OAuth flows instead of using Traefik middleware. This provides better integration and user experience.
## 🔑 Client Secrets Management
### Generate Client Secrets
```bash
# Generate secrets for new OAuth clients
./scripts/generate-oauth-secrets.sh
```
This script creates:
- `secrets/oauth-secrets.env` - Environment variables for local testing
- Individual secret files in `secrets/clients/` directory
- All files are automatically gitignored
### Required CI/CD Vault Secrets
Add these to your Woodpecker CI vault:
#### Portainer OAuth
- **Variable**: `CLIENT_SECRET_PORTAINER`
- **Value**: Generated from `secrets/clients/portainer-secret.txt`
#### Gitea OAuth
- **Variable**: `CLIENT_SECRET_GITEA`
- **Value**: Generated from `secrets/clients/gitea-secret.txt`
## 📱 Client Configurations
### Portainer OAuth Setup
#### 1. Authelia Configuration
Already configured in `docker/authelia/config/configuration.oidc.clients.yml`:
```yaml
- client_id: portainer
client_name: Portainer
client_secret: {{ secret "/run/secrets/CLIENT_SECRET_PORTAINER" }}
public: false
authorization_policy: one_factor
consent_mode: implicit
scopes:
- openid
- email
- profile
- groups
redirect_uris:
- https://portainer.{{ env "TRAEFIK_DOMAIN" }}/
userinfo_signed_response_alg: none
```
#### 2. Portainer OAuth Settings
Configure in Portainer → Settings → Authentication:
- **OAuth Provider**: Custom
- **Client ID**: `portainer`
- **Client Secret**: `<from CI vault>`
- **Authorization URL**: `https://login.nixc.us/api/oidc/authorization`
- **Token URL**: `https://login.nixc.us/api/oidc/token`
- **User Info URL**: `https://login.nixc.us/api/oidc/userinfo`
- **Scopes**: `openid email profile groups`
- **Redirect URL**: `https://portainer.nixc.us/`
#### 3. Remove Traefik Middleware (Optional)
Once OAuth is working, remove middleware protection:
```yaml
# Remove this line from Portainer service:
# traefik.http.routers.portainer.middlewares: authelia_authelia
```
### Gitea OAuth Setup
#### 1. Authelia Configuration
Already configured in `docker/authelia/config/configuration.oidc.clients.yml`:
```yaml
- client_id: gitea
client_name: Gitea
client_secret: {{ secret "/run/secrets/CLIENT_SECRET_GITEA" }}
public: false
authorization_policy: one_factor
consent_mode: implicit
scopes:
- openid
- email
- profile
- groups
redirect_uris:
- https://git.{{ env "TRAEFIK_DOMAIN" }}/user/oauth2/authelia/callback
userinfo_signed_response_alg: none
```
#### 2. Gitea OAuth Settings
Configure in Gitea → Site Administration → Authentication Sources:
- **Authentication Type**: OAuth2
- **Authentication Name**: `Authelia`
- **OAuth2 Provider**: OpenID Connect
- **Client ID**: `gitea`
- **Client Secret**: `<from CI vault>`
- **OpenID Connect Auto Discovery URL**: `https://login.nixc.us/.well-known/openid_configuration`
- **Icon URL**: `https://login.nixc.us/static/media/logo.png` (optional)
## 🔄 Deployment Process
### 1. Generate Secrets
```bash
./scripts/generate-oauth-secrets.sh
```
### 2. Update CI/CD Vault
Add the generated secrets to your Woodpecker CI vault:
- `CLIENT_SECRET_PORTAINER`
- `CLIENT_SECRET_GITEA`
### 3. Deploy Authelia
Push changes to trigger CI/CD deployment with new OAuth clients.
### 4. Configure Services
Set up OAuth in each service's admin interface using the URLs and client IDs above.
## 🔍 Testing OAuth Flow
### Test Authentication Flow
1. **Visit protected service** (e.g., `https://portainer.nixc.us`)
2. **Click OAuth login** button
3. **Redirect to Authelia** (`https://login.nixc.us`)
4. **Authenticate** with your credentials
5. **Redirect back** to service with authentication
6. **Access granted** with user information
### Troubleshooting
- **Check redirect URIs** match exactly (including trailing slashes)
- **Verify client secrets** in CI vault match generated values
- **Confirm Authelia** is accessible at `https://login.nixc.us`
- **Check service logs** for OAuth-specific error messages
## 🛡️ Security Considerations
### Client Secrets
- **Never commit** client secrets to git (automatically gitignored)
- **Rotate secrets** periodically using the generation script
- **Use secure transmission** when adding to CI vault
### Redirect URIs
- **Exact matching** required - include/exclude trailing slashes consistently
- **HTTPS only** in production
- **Specific paths** rather than wildcards
### Scopes
- **Minimal necessary** scopes for each client
- **Groups scope** enables role-based access control
- **Profile/email** scopes for user information
## 📋 Available Scopes
- **`openid`**: Required for OIDC, provides user identifier
- **`email`**: User's email address
- **`profile`**: User's display name and profile information
- **`groups`**: User's group memberships for authorization
## 🔧 Advanced Configuration
### Custom Authorization Policies
Create service-specific policies in `configuration.oidc.clients.yml`:
```yaml
authorization_policies:
portainer_admin:
default_policy: deny
rules:
- policy: one_factor
subject: group:portainer-admins
```
### Group-Based Access Control
Map LDAP groups to service permissions:
- **`portainer-admins`**: Full Portainer access
- **`developers`**: Git repository access
- **`users`**: Basic service access
## 📞 Support
### Common Issues
1. **Redirect URI mismatch**: Check exact URL format
2. **Client secret mismatch**: Regenerate and update vault
3. **Scope errors**: Verify service supports requested scopes
4. **Network issues**: Confirm Authelia accessibility
### Logs and Debugging
```bash
# Check Authelia OIDC logs
ssh macmini7 'docker service logs authelia_authelia | grep -i oidc'
# Check service-specific OAuth logs
ssh macmini7 'docker service logs <service_name> | grep -i oauth'
```
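Review bot: the Gitea "OpenID Connect Auto Discovery URL" uses `/.well-known/openid_configuration`; the discovery document lives at `/.well-known/openid-configuration` (hyphen), so auto-discovery will fail against Authelia as written. Two more: the "Custom Authorization Policies" snippet shows `authorization_policies:` as if it were a top-level key in `configuration.oidc.clients.yml`, but in Authelia that map is `identity_providers.oidc.authorization_policies`, and nothing in the snippet references it; add `authorization_policy: portainer_admin` on the portainer client so the policy takes effect, and note that `default_policy: deny` means users outside `portainer-admins` get an OIDC error rather than one-factor access. And "Remove Traefik Middleware (Optional)" should say what is given up: with `authelia_authelia` removed, Authelia's access_control rules stop applying to the Portainer host and Portainer's local authentication is exposed alongside the OAuth button.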

docs/README.md Normal file

@ -0,0 +1,89 @@
# Documentation Index
This directory contains comprehensive guides for Authelia deployment and configuration.
## 📚 Available Guides
### 🔧 Setup & Configuration
- **[OAuth/OIDC Setup Guide](OAUTH_SETUP.md)** - Complete OAuth integration for Portainer, Gitea, and other services
- **[CI/CD Vault Setup](CI_CD_VAULT_SETUP.md)** - Secret management and Woodpecker CI vault configuration
### 🚀 Getting Started
1. **Initial Deployment**
- Follow the main [README.md](../README.md) for basic setup
- Generate core secrets with `./generate-secrets.sh`
- Set up CI/CD vault using [CI/CD Vault Setup](CI_CD_VAULT_SETUP.md)
2. **OAuth Integration**
- Generate OAuth client secrets with `./scripts/generate-oauth-secrets.sh`
- Follow [OAuth Setup Guide](OAUTH_SETUP.md) for service configuration
- Configure individual services (Portainer, Gitea) with OAuth
3. **Production Deployment**
- Commit changes to trigger CI/CD pipeline
- Monitor deployment through Woodpecker CI
- Verify service health and authentication flows
## 🔑 Quick Reference
### Essential Commands
```bash
# Generate core Authelia secrets (10 secrets)
./generate-secrets.sh
# Generate OAuth client secrets (2 additional secrets)
./scripts/generate-oauth-secrets.sh
# Run development environment
docker compose -f docker-compose.dev.yml up -d
# Run tests
./tests/precommit.sh
```
### Important URLs
- **Authelia**: https://login.nixc.us
- **Development**: http://localhost:9091
- **Health Check**: https://login.nixc.us/api/health
- **OIDC Discovery**: https://login.nixc.us/.well-known/openid_configuration
### Required Secrets (12 Total)
- **Core Secrets (5)**: LDAP, JWT, encryption, session, SMTP
- **OIDC Secrets (3)**: HMAC, private key, JWKS key
- **Client Secrets (4)**: Headscale (2), Portainer, Gitea
## 🔍 Troubleshooting
### Common Issues
- **Service won't start**: Check secrets in CI vault
- **OAuth fails**: Verify redirect URIs and client secrets
- **Database errors**: Check MariaDB connectivity and initialization
- **Health check fails**: Verify Authelia startup and port binding
### Useful Commands
```bash
# Check service logs
ssh macmini7 'docker service logs authelia_authelia --follow'
# Verify secrets access
ssh macmini7 'docker service logs authelia_authelia | grep -i secret'
# Test OAuth endpoints
curl -s https://login.nixc.us/.well-known/openid_configuration | jq .
```
## 📞 Support
For issues not covered in these guides:
1. Check service logs for specific error messages
2. Verify all secrets are present in CI vault
3. Confirm network connectivity between services
4. Review Authelia configuration for syntax errors
## 🔄 Updates
Keep documentation synchronized with code changes:
- Update OAuth client configurations when adding new services
- Refresh secret generation procedures when security requirements change
- Document new troubleshooting steps as issues are resolved
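Review bot: "OIDC Discovery" under Important URLs and the `curl` under Useful Commands both use `/.well-known/openid_configuration`; the standard path, and the one Authelia serves, is `/.well-known/openid-configuration`, so the quick-reference URL and the smoke test will both return 404. The same underscore appears in CI_CD_VAULT_SETUP.md and OAUTH_SETUP.md; fix all four together.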

scripts/generate-oauth-secrets.sh Executable file

@ -0,0 +1,205 @@
#!/bin/sh
# OAuth Client Secrets Generation Script
# Generates secure client secrets for OAuth/OIDC integration
set -e
# Color codes for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
# Script directory and workspace root
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
WORKSPACE_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
SECRETS_DIR="$WORKSPACE_ROOT/secrets"
CLIENTS_DIR="$SECRETS_DIR/clients"
print_header() {
echo "${BLUE}================================${NC}"
echo "${BLUE} OAuth Client Secrets Generator${NC}"
echo "${BLUE}================================${NC}"
echo
}
print_warning() {
echo "${YELLOW}⚠️ WARNING: This will generate new OAuth client secrets!${NC}"
echo "${YELLOW} - Any existing client secrets will be replaced${NC}"
echo "${YELLOW} - You must update your CI/CD vault with new secrets${NC}"
echo "${YELLOW} - Services using old secrets will fail authentication${NC}"
echo
}
ensure_directories() {
echo "${BLUE}Creating directories...${NC}"
mkdir -p "$SECRETS_DIR"
mkdir -p "$CLIENTS_DIR"
}
ensure_gitignore() {
echo "${BLUE}Ensuring secrets are gitignored...${NC}"
# Create .gitignore if it doesn't exist
touch "$WORKSPACE_ROOT/.gitignore"
# Check and add secrets directory to gitignore
if ! grep -q "^secrets/" "$WORKSPACE_ROOT/.gitignore" 2>/dev/null; then
echo "" >> "$WORKSPACE_ROOT/.gitignore"
echo "# OAuth and other secrets - never commit!" >> "$WORKSPACE_ROOT/.gitignore"
echo "secrets/" >> "$WORKSPACE_ROOT/.gitignore"
echo "${GREEN}✅ Added secrets/ to .gitignore${NC}"
else
echo "${GREEN}✅ secrets/ already in .gitignore${NC}"
fi
}
generate_secret() {
# Generate a 64-character random string using available tools
if command -v openssl >/dev/null 2>&1; then
openssl rand -base64 48 | tr -d '\n'
elif [ -r /dev/urandom ]; then
dd if=/dev/urandom bs=48 count=1 2>/dev/null | base64 | tr -d '\n'
else
# Fallback for systems without openssl or /dev/urandom
date +%s%N | sha256sum | head -c 64
fi
}
generate_client_secret() {
local client_name="$1"
local file_name="$2"
echo "${BLUE}Generating secret for $client_name...${NC}"
local secret
secret=$(generate_secret)
# Write to individual file
echo "$secret" > "$CLIENTS_DIR/$file_name"
# Add to environment file
local env_var_name
env_var_name=$(echo "CLIENT_SECRET_$(echo "$client_name" | tr '[:lower:]' '[:upper:]')" | tr '-' '_')
echo "${env_var_name}=$secret" >> "$SECRETS_DIR/oauth-secrets.env"
echo "${GREEN}✅ Generated secret for $client_name${NC}"
echo " File: secrets/clients/$file_name"
echo " Env: $env_var_name"
echo
}
create_vault_instructions() {
echo "${BLUE}Creating CI/CD vault instructions...${NC}"
cat > "$SECRETS_DIR/VAULT_SECRETS.md" << 'EOF'
# CI/CD Vault Secrets
Add these secrets to your Woodpecker CI vault:
## OAuth Client Secrets
### Portainer OAuth
- **Variable Name**: `CLIENT_SECRET_PORTAINER`
- **Secret File**: `secrets/clients/portainer-secret.txt`
- **Value**: (copy content from the file above)
### Gitea OAuth
- **Variable Name**: `CLIENT_SECRET_GITEA`
- **Secret File**: `secrets/clients/gitea-secret.txt`
- **Value**: (copy content from the file above)
## Important Notes
1. **Never commit these files** - they are automatically gitignored
2. **Copy the exact content** from each secret file to the CI vault
3. **Update vault immediately** after generating new secrets
4. **Services will fail** until vault is updated with new secrets
## Vault Update Commands
If using Woodpecker CLI:
```bash
# Update Portainer secret
woodpecker secret update --repository your-repo --name CLIENT_SECRET_PORTAINER --value "$(cat secrets/clients/portainer-secret.txt)"
# Update Gitea secret
woodpecker secret update --repository your-repo --name CLIENT_SECRET_GITEA --value "$(cat secrets/clients/gitea-secret.txt)"
```
## Verification
After updating the vault, check that services can access secrets:
```bash
# Check deployment logs for secret access
ssh macmini7 'docker service logs authelia_authelia | grep -i "secret"'
```
EOF
echo "${GREEN}✅ Created vault instructions: secrets/VAULT_SECRETS.md${NC}"
}
print_summary() {
echo "${GREEN}================================${NC}"
echo "${GREEN} 🎉 OAuth Secrets Generated! ${NC}"
echo "${GREEN}================================${NC}"
echo
echo "${YELLOW}📁 Generated Files:${NC}"
echo " • secrets/oauth-secrets.env"
echo " • secrets/clients/portainer-secret.txt"
echo " • secrets/clients/gitea-secret.txt"
echo " • secrets/VAULT_SECRETS.md"
echo
echo "${YELLOW}🔑 Required CI/CD Vault Updates:${NC}"
echo " • CLIENT_SECRET_PORTAINER"
echo " • CLIENT_SECRET_GITEA"
echo
echo "${RED}⚠️ NEXT STEPS:${NC}"
echo " 1. Update your CI/CD vault with new secrets"
echo " 2. Deploy Authelia to use new client configurations"
echo " 3. Configure OAuth in Portainer and Gitea admin panels"
echo " 4. Test authentication flows"
echo
echo "${BLUE}📖 Full setup guide: docs/OAUTH_SETUP.md${NC}"
}
# Main execution
main() {
print_header
print_warning
# Prompt for confirmation
printf "${YELLOW}Continue? (y/N): ${NC}"
read -r confirm
case "$confirm" in
[yY]|[yY][eE][sS])
echo "${GREEN}Proceeding with secret generation...${NC}"
echo
;;
*)
echo "${YELLOW}Cancelled by user.${NC}"
exit 0
;;
esac
ensure_directories
ensure_gitignore
# Clear previous oauth-secrets.env
> "$SECRETS_DIR/oauth-secrets.env"
echo "# OAuth Client Secrets - Generated $(date)" >> "$SECRETS_DIR/oauth-secrets.env"
echo "# NEVER COMMIT THIS FILE" >> "$SECRETS_DIR/oauth-secrets.env"
echo "" >> "$SECRETS_DIR/oauth-secrets.env"
# Generate client secrets
generate_client_secret "portainer" "portainer-secret.txt"
generate_client_secret "gitea" "gitea-secret.txt"
create_vault_instructions
print_summary
}
# Run main function
main "$@"
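Review bot: `generate_secret` falls back to `date +%s%N | sha256sum | head -c 64` when neither openssl nor /dev/urandom is available; that is a hashed timestamp, not a secret, and the script will write it into `secrets/clients/*.txt` and report a green checkmark. Fail with `exit 1` instead. Two more: the secret files and `oauth-secrets.env` are created under the caller's default umask (typically 0644), so set `umask 077` at the start of `main` before `ensure_directories`; and under `#!/bin/sh` the `${BLUE}`-style escapes are passed to `echo`, which does not interpret `\033` in every sh (bash run as sh prints them literally), so use `printf` as the confirmation prompt already does. `local` is likewise not POSIX and matters for the same reason.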


@ -1,123 +0,0 @@
# Authelia Production Secrets
**DO NOT COMMIT THIS FILE TO VERSION CONTROL**
## Core Secrets
### AUTHENTICATION_BACKEND_LDAP_PASSWORD
LDAP authentication backend password
```
M3OPMiRaWrL2RKfbf89AkdGPXtvu0HO54JkjgHfS4aKX7uZFunoRRJe6QoizcZdl
```
### IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET
JWT secret for password reset tokens
```
zvVa7SFCU4QsBYyV/ofERdhqX3S072knmWHc+vIYVR0Jf/iWLfogpVnsCO0fe84d
```
### STORAGE_ENCRYPTION_KEY
Database encryption key
```
aghKiwANaIIiDu4hsn34gok273Jn/xLjfFEm2OLoqqnVs1EnriYI7igJXc6LdYZ+
```
### SESSION_SECRET
Session encryption secret
```
hYtbSIYvh/gH3jLlmk+qrokQehytAeLQrUIwVuyEXstA2FFXDizaZF2vbdlrHCc8
```
### NOTIFIER_SMTP_PASSWORD
SMTP email notifications password
```
8P7ah6U5ZjbQ2Faaw1fJoehxJrMOslCu
```
## OIDC Secrets
### IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
OIDC HMAC signing secret
```
zrnMWj61QvLebBFWphAjOMwb8TIStT+FWZaP83Zn8oVP24s1t5UnJD0syL4kREQk
```
### IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY
OIDC token signing private key
```
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
```
### IDENTITY_PROVIDERS_OIDC_JWKS_KEY
OIDC JWKS validation key
```
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
```
## Client Secrets
### CLIENT_SECRET_HEADSCALE
Headscale VPN OIDC client secret
```
I7tiomn7akKaKF+xOj2W8JDudQQTd5CAj88nfngQbhgn4wRf9iwEinDSQnghCmCq
```
### CLIENT_SECRET_HEADADMIN
Headscale admin panel OIDC client secret
```
fEXUwuVB7JJL3sg7fasiNoPGA4XGWYUxbyuonX6CK7ABZw5H24HMfYmpAb3VR5J0
```
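Review bot: this file, with the live LDAP password, JWT secret, storage encryption key, session secret, SMTP password, OIDC HMAC secret, both OIDC private keys and both Headscale client secrets, was tracked in the repository before this commit; deleting it does not remove it from history, and every value above remains readable at the parent commit `78cea66d39`. Treat all ten as compromised: rotate them with `./generate-secrets.sh` and update the vault as the README warns (for `STORAGE_ENCRYPTION_KEY` use `authelia storage encryption change-key` so existing rows are re-encrypted rather than recreating the database volume), regenerate the OIDC issuer key so tokens signed with the old one stop validating, update the Headscale clients, and purge the blob from history (for example with `git filter-repo`) before the next push, bearing in mind that anyone who already holds a clone has these values regardless.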