From 46ab4acf42cf7b772b9520b01fb7753f1da80087 Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Thu, 16 Jul 2020 14:00:30 +0200
Subject: [PATCH] services: add Authelia
---
 authelia/authelia.env | 4 ++
 authelia/configuration.yml | 49 +++++++++++++++++++
 authelia/users_database.yml | 8 +++
 docker-compose.yml | 11 +++++
 .../nginx/proxy-confs/authelia.subdomain.conf | 27 ++++++++++
 5 files changed, 99 insertions(+)
 create mode 100644 authelia/authelia.env
 create mode 100644 authelia/configuration.yml
 create mode 100644 authelia/users_database.yml
 create mode 100644 letsencrypt/nginx/proxy-confs/authelia.subdomain.conf
diff --git a/authelia/authelia.env b/authelia/authelia.env
new file mode 100644
index 0000000..7abf65f
--- /dev/null
+++ b/authelia/authelia.env
@@ -0,0 +1,4 @@
+TZ=Europe/Paris
+AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/config/secrets/smtp
+AUTHELIA_JWT_SECRET_FILE=/config/secrets/jwt
+AUTHELIA_SESSION_SECRET_FILE=/config/secrets/session
diff --git a/authelia/configuration.yml b/authelia/configuration.yml
new file mode 100644
index 0000000..1c1f714
--- /dev/null
+++ b/authelia/configuration.yml
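Review bot: The three `*_FILE` variables point at `/config/secrets/smtp`, `/config/secrets/jwt` and `/config/secrets/session`, but nothing in this patch creates that directory or excludes it from version control, and the compose hunk bind-mounts the whole `./authelia` directory as `/config`, so those secret files will presumably live inside the checked-in tree. An ignore rule such as `authelia/secrets/`, plus a one-line note that the three files must be created by hand with restrictive permissions, would keep a later `git add .` from committing them. Using the `_FILE` variants instead of inline values is the right call and matches the commented-out `jwt_secret`/`secret` keys in configuration.yml.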
@@ -0,0 +1,49 @@
+host: 0.0.0.0
+port: 9091
+log_level: debug
+# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
+#jwt_secret: a_very_important_secret
+default_redirection_url: https://belanyi.fr
+totp:
+  issuer: authelia.belanyi.fr
+
+authentication_backend:
+  file:
+    path: /config/users_database.yml
+    password:
+      algorithm: argon2id
+      iterations: 1
+      salt_length: 16
+      parallelism: 8
+      memory: 1024
+
+access_control:
+  default_policy: two_factor
+  rules:
+    # Declare domain and policy for an override
+
+session:
+  name: authelia_session
+  # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
+  #secret: unsecure_session_secret
+  expiration: 3600 # 1 hour
+  inactivity: 300 # 5 minutes
+  domain: belanyi.fr # Should match whatever your root protected domain is
+
+regulation:
+  max_retries: 3
+  find_time: 120
+  ban_time: 300
+
+storage:
+  local:
+    path: /config/db.sqlite3
+
+notifier:
+  smtp:
+    username: brunobelanyi@gmail.com
+    # Password can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
+    #password: yourapppassword
+    sender: authelia@belanyi.fr
+    host: smtp.gmail.com
+    port: 587
diff --git a/authelia/users_database.yml b/authelia/users_database.yml
new file mode 100644
index 0000000..3bcad76
--- /dev/null
+++ b/authelia/users_database.yml
@@ -0,0 +1,8 @@
+users:
+  Ambroisie:
+    displayname: "Bruno BELANYI"
+    password: "$argon2id$v=19$m=1048576,p=8$IcNVZ732CMoCSof6$h5zBFhd3t1d9Mx11uW+BahR6kGAaN59RQZwW9i3Nq9Q"
+    email: brunobelanyi@gmail.com
+    groups:
+      - admins
+      - dev
diff --git a/docker-compose.yml b/docker-compose.yml
index d8b26a2..114808f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
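Review bot: `rules:` under `access_control` has only a comment beneath it, so its YAML value is null rather than an empty sequence; if no override is intended yet, write `rules: []` so the intent is explicit and the file does not depend on how the loader treats a nil list. `log_level: debug` is also worth revisiting for a service that handles credentials and TOTP codes — `info` is sufficient once the deployment works, and debug output is noisier to retain and review. The inline comments on `expiration`, `inactivity` and `domain` use a single space before `#`; two spaces is the usual yamllint convention and would match the rest of the file's spacing.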
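Review bot: The argon2id hash for `Ambroisie` is committed alongside the rest of the configuration, in a tree whose jwt/session/smtp secrets are deliberately kept out via `*_FILE`; a hash is not a plaintext secret, but in a repository it becomes an offline guessing target, so consider keeping users_database.yml out of version control too and committing only a template entry. The hash parameters `m=1048576,p=8` appear to correspond to `memory: 1024` and `parallelism: 8` in configuration.yml (1048576 KiB being 1024 MiB, if `memory` is in MiB as it seems); a short comment noting that the two must be kept in step would help, since a mismatch only surfaces at login time.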
@@ -15,6 +15,17 @@ services:
       - 80:80
       - 443:443
 
+  authelia:
+    image: authelia/authelia
+    container_name: authelia
+    restart: unless-stopped
+    env_file:
+      - ./authelia/authelia.env
+    volumes:
+      - ./authelia:/config
+    expose:
+      - 9091
+
   freshrss:
     image: linuxserver/freshrss
     container_name: freshrss
diff --git a/letsencrypt/nginx/proxy-confs/authelia.subdomain.conf b/letsencrypt/nginx/proxy-confs/authelia.subdomain.conf
new file mode 100644
index 0000000..211a1c4
--- /dev/null
+++ b/letsencrypt/nginx/proxy-confs/authelia.subdomain.conf
@@ -0,0 +1,27 @@
+# make sure that your dns has a cname set for authelia
+# the default authelia-server and authelia-location confs included with letsencrypt rely on
+# subfolder proxy at "/authelia" and enabling of this proxy conf is not necessary.
+# But if you'd like to use authelia via subdomain, you can enable this proxy and set up your own
+# authelia-server and authelia-location confs as described in authelia docs.
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name auth.*;
+
+    include /config/nginx/ssl.conf;
+
+    client_max_body_size 0;
+
+    location / {
+
+        include /config/nginx/proxy.conf;
+        resolver 127.0.0.11 valid=30s;
+        set $upstream_app authelia;
+        set $upstream_port 9091;
+        set $upstream_proto http;
+        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+    }
+}
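Review bot: `image: authelia/authelia` carries no tag, so every pull resolves to whatever `latest` is at that moment and a routine redeploy can silently change the identity provider's version and configuration schema; pin it, e.g. `image: authelia/authelia:<pinned-version>`, and consider a digest for a stronger guarantee. The `expose: - 9091` entry keeps the portal reachable only on the compose network, which is consistent with `host: 0.0.0.0` in configuration.yml and `$upstream_port 9091` in the nginx conf.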
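Review bot: `server_name auth.*;` contradicts the header comment asking for a CNAME for `authelia`, and configuration.yml labels the TOTP issuer `authelia.belanyi.fr`, so either the DNS name or the comment and issuer are wrong; align them, e.g. `server_name authelia.*;`, or reword the comment to say `auth`. `client_max_body_size 0;` removes the request-body limit on a vhost that only receives login and TOTP form posts, so a small explicit bound would be safer than unlimited. The `resolver 127.0.0.11 valid=30s;` plus variable `proxy_pass` pattern is fine for letting nginx start before the authelia container is up.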