ATLAS

Go to file

Your Name ff3d077282 ci/woodpecker/push/woodpecker Pipeline failed Details fixing deploy step		2025-06-05 11:58:43 -04:00
docker	fix: create assets directory in Dockerfile to resolve configuration error - Add mkdir -p /config/assets to satisfy Authelia's expectation - Prevents 'directory does not exist' error without unnecessary config	2025-06-05 08:53:36 -04:00
scripts	fixing deploy step	2025-06-05 11:58:43 -04:00
tests	Reorganize tests into ./tests directory with precommit naming convention	2025-06-04 16:19:55 -04:00
.gitignore	fixup	2025-06-04 16:20:48 -04:00
.woodpecker.yml	fixing deploy step	2025-06-05 09:27:46 -04:00
README.md	fix: create assets directory in Dockerfile to resolve configuration error - Add mkdir -p /config/assets to satisfy Authelia's expectation - Prevents 'directory does not exist' error without unnecessary config	2025-06-05 08:53:36 -04:00
authelia-dev-config.yml	fixup	2025-06-04 16:20:48 -04:00
docker-compose.dev.yml	fixup	2025-06-04 16:20:48 -04:00
docker-compose.production.yml	pullup	2024-04-07 12:27:34 -04:00
docker-compose.staging.yml	pullup	2024-04-07 12:22:58 -04:00
generate-secrets.sh	fix: create assets directory in Dockerfile to resolve configuration error - Add mkdir -p /config/assets to satisfy Authelia's expectation - Prevents 'directory does not exist' error without unnecessary config	2025-06-05 08:53:36 -04:00
pullup.sh	pullup	2024-04-07 10:48:16 -04:00
secrets.md.backup	fix: create assets directory in Dockerfile to resolve configuration error - Add mkdir -p /config/assets to satisfy Authelia's expectation - Prevents 'directory does not exist' error without unnecessary config	2025-06-05 08:53:36 -04:00
stack.production.yml	fixing deploy step	2025-06-05 11:36:59 -04:00
stack.staging.yml	fixup	2025-06-04 16:20:48 -04:00
users_database.yml	fixup	2025-06-04 16:20:48 -04:00

README.md

Authelia with Traefik (ATLAS)

Authentication Traffic LDAP Application Security

A comprehensive, production-ready authentication solution using Authelia with Traefik reverse proxy, featuring automated CI/CD, comprehensive testing, and robust secrets management.

🌟 Features

🔐 Complete Authentication Stack: Authelia + LLDAP + MariaDB + Redis
🚀 Production-Ready Deployment: Docker Swarm with Traefik integration
🧪 Comprehensive Testing: Automated pre-commit tests and CI/CD validation
🔑 Robust Secrets Management: Automated generation and rotation capabilities
⚡ Development Environment: Isolated dev setup with hot-reload capabilities
🔄 OIDC Integration: Full OpenID Connect support for client applications
📊 Health Monitoring: Built-in health checks and monitoring endpoints

🚀 Quick Start

Prerequisites

Docker and Docker Compose
OpenSSL (for secrets generation)
Git with pre-commit hooks support

Development Setup

Clone the repository:
```
git clone <repository-url>
cd authelia
```

Start development environment:

docker compose -f docker-compose.dev.yml up -d

Access services:
- Authelia: http://localhost:9091
- LLDAP Admin: http://localhost:17170
  - Username: admin
  - Password: /ETAToLiZPWo6QK171abAUqsa3WDpd9IgneZnTA4zU0=
Run tests:
```
./tests/precommit.sh
```

🔑 Secrets Management

Initial Setup

Generate production secrets (⚠️ Use with extreme caution):

./generate-secrets.sh

CRITICAL: This script will:

Invalidate all existing sessions and tokens
Require updating all 10 secrets in Woodpecker CI vault
Potentially require recreating database volumes
Cause service downtime until deployment completes

Required Secrets (10 total)

Core Secrets (5)

AUTHENTICATION_BACKEND_LDAP_PASSWORD - LDAP authentication backend password
IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET - JWT secret for password reset tokens
STORAGE_ENCRYPTION_KEY - Database encryption key
SESSION_SECRET - Session encryption secret
NOTIFIER_SMTP_PASSWORD - SMTP email notifications password

OIDC Secrets (3)

IDENTITY_PROVIDERS_OIDC_HMAC_SECRET - OIDC HMAC signing secret
IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY - OIDC token signing private key (RSA)
IDENTITY_PROVIDERS_OIDC_JWKS_KEY - OIDC JWKS validation key (RSA)

Client Secrets (2)

CLIENT_SECRET_HEADSCALE - Headscale VPN OIDC client secret
CLIENT_SECRET_HEADADMIN - Headscale admin panel OIDC client secret

🧪 Testing

Automated Testing

The project includes comprehensive testing:

Pre-commit hooks: ./tests/precommit.sh
Authentication tests: ./tests/precommit-auth.sh
CI/CD pipeline: Automated testing on every push

Test Coverage

✅ Authelia health endpoints
✅ Web interface accessibility
✅ API endpoint validation
✅ Container health status
✅ LLDAP integration
✅ Service interconnectivity

🚀 Deployment

CI/CD Pipeline

Automated deployment through Woodpecker CI:

Build & Test: Comprehensive testing on every commit
Build Images: Multi-stage Docker builds for production
Secret Management: Automatic Docker secrets recreation
Deploy: Zero-downtime deployment to Docker Swarm
Verification: Post-deployment health checks

Manual Deployment

# Push changes to trigger CI/CD
git add .
git commit -m "your changes"
git push

# Monitor deployment
ssh macmini7 'docker service logs authelia_authelia --follow'

🔧 Configuration

Development vs Production

Development: Uses local secrets in docker-compose.dev.yml
Production: Uses Docker Swarm secrets from CI/CD vault

Environment Variables

Key environment variables for customization:

X_AUTHELIA_SITE_NAME - Site display name
X_AUTHELIA_EMAIL - Notification email address
TRAEFIK_DOMAIN - Base domain for services

📱 Client Integration Examples

Headscale VPN Integration

labels:
  traefik.enable: "true"
  traefik.http.routers.headscale.rule: "Host(`headscale.nixc.us`)"
  traefik.http.routers.headscale.entrypoints: "websecure"
  traefik.http.routers.headscale.tls.certresolver: "letsencryptresolver"
  traefik.http.services.headscale.loadbalancer.server.port: "8080"

Protected Web Service

labels:
  traefik.enable: "true"
  traefik.http.routers.myapp.rule: "Host(`myapp.nixc.us`)"
  traefik.http.routers.myapp.middlewares: "authelia_authelia@docker"
  traefik.http.services.myapp.loadbalancer.server.port: "8080"

🔍 Monitoring & Troubleshooting

Health Checks

Authelia: http://localhost:9091/api/health
Service Status: docker service ls
Logs: docker service logs authelia_authelia

Common Issues

Service won't start: Check secrets configuration
Authentication fails: Verify LLDAP connectivity
OIDC issues: Check RSA key format in JWKS configuration

🛠️ Development Workflow

Make changes to configuration or code
Test locally: ./tests/precommit.sh
Commit changes: Git pre-commit hooks run automatically
Push to repository: Triggers CI/CD pipeline
Monitor deployment: Check service health in production

📋 Requirements

Core Infrastructure

Docker & Docker Compose: Container orchestration
Traefik: Reverse proxy and load balancer
Authelia: Authentication and authorization server
LLDAP: Lightweight LDAP server for user management
MariaDB: Database backend
Redis: Session storage and caching

Development Tools

Woodpecker CI: Continuous integration and deployment
Git: Version control with pre-commit hooks
OpenSSL: Cryptographic operations and secrets generation

🔐 Security Considerations

Secrets Rotation: Use ./generate-secrets.sh for periodic rotation
Database Encryption: All sensitive data encrypted at rest
TLS Everywhere: HTTPS/TLS for all client communications
Session Security: Secure session management with Redis
OIDC Standards: Industry-standard OpenID Connect implementation

📞 Support & Contributing

Reporting Issues

Create detailed bug reports with logs and steps to reproduce
Include environment details and configuration (without secrets!)

Contributing

Fork the repository
Create a feature branch
Add tests for new functionality
Ensure all tests pass
Submit a pull request

🙏 Acknowledgments

This project leverages several excellent open-source projects:

Authelia - Authentication and authorization server
Traefik - Cloud-native reverse proxy
LLDAP - Lightweight LDAP implementation
Woodpecker CI - Continuous integration platform

⚠️ Important: Always keep secrets.md secure and never commit it to version control!