From 46ab4acf42cf7b772b9520b01fb7753f1da80087 Mon Sep 17 00:00:00 2001
From: Bruno BELANYI <bruno@belanyi.fr>
Date: Thu, 16 Jul 2020 14:00:30 +0200
Subject: [PATCH] services: add Authelia

---
 authelia/authelia.env                         |  4 ++
 authelia/configuration.yml                    | 49 +++++++++++++++++++
 authelia/users_database.yml                   |  8 +++
 docker-compose.yml                            | 11 +++++
 .../nginx/proxy-confs/authelia.subdomain.conf | 27 ++++++++++
 5 files changed, 99 insertions(+)
 create mode 100644 authelia/authelia.env
 create mode 100644 authelia/configuration.yml
 create mode 100644 authelia/users_database.yml
 create mode 100644 letsencrypt/nginx/proxy-confs/authelia.subdomain.conf

diff --git a/authelia/authelia.env b/authelia/authelia.env
new file mode 100644
index 0000000..7abf65f
--- /dev/null
+++ b/authelia/authelia.env
@@ -0,0 +1,4 @@
+TZ=Europe/Paris
+AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/config/secrets/smtp
+AUTHELIA_JWT_SECRET_FILE=/config/secrets/jwt
+AUTHELIA_SESSION_SECRET_FILE=/config/secrets/session
diff --git a/authelia/configuration.yml b/authelia/configuration.yml
new file mode 100644
index 0000000..1c1f714
--- /dev/null
+++ b/authelia/configuration.yml
@@ -0,0 +1,49 @@
+host: 0.0.0.0
+port: 9091
+log_level: debug
+# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
+#jwt_secret: a_very_important_secret
+default_redirection_url: https://belanyi.fr
+totp:
+  issuer: authelia.belanyi.fr
+
+authentication_backend:
+  file:
+    path: /config/users_database.yml
+    password:
+      algorithm: argon2id
+      iterations: 1
+      salt_length: 16
+      parallelism: 8
+      memory: 1024
+
+access_control:
+  default_policy: two_factor
+  rules:
+    # Declare domain and policy for an override
+
+session:
+  name: authelia_session
+  # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
+  #secret: unsecure_session_secret
+  expiration: 3600 # 1 hour
+  inactivity: 300 # 5 minutes
+  domain: belanyi.fr # Should match whatever your root protected domain is
+
+regulation:
+  max_retries: 3
+  find_time: 120
+  ban_time: 300
+
+storage:
+  local:
+    path: /config/db.sqlite3
+
+notifier:
+  smtp:
+    username: brunobelanyi@gmail.com
+    # Password can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
+    #password: yourapppassword
+    sender: authelia@belanyi.fr
+    host: smtp.gmail.com
+    port: 587
diff --git a/authelia/users_database.yml b/authelia/users_database.yml
new file mode 100644
index 0000000..3bcad76
--- /dev/null
+++ b/authelia/users_database.yml
@@ -0,0 +1,8 @@
+users:
+  Ambroisie:
+    displayname: "Bruno BELANYI"
+    password: "$argon2id$v=19$m=1048576,p=8$IcNVZ732CMoCSof6$h5zBFhd3t1d9Mx11uW+BahR6kGAaN59RQZwW9i3Nq9Q"
+    email: brunobelanyi@gmail.com
+    groups:
+      - admins
+      - dev
diff --git a/docker-compose.yml b/docker-compose.yml
index d8b26a2..114808f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -15,6 +15,17 @@ services:
       - 80:80
       - 443:443
 
+  authelia:
+    image: authelia/authelia
+    container_name: authelia
+    restart: unless-stopped
+    env_file:
+      - ./authelia/authelia.env
+    volumes:
+      - ./authelia:/config
+    expose:
+      - 9091
+
   freshrss:
     image: linuxserver/freshrss
     container_name: freshrss
diff --git a/letsencrypt/nginx/proxy-confs/authelia.subdomain.conf b/letsencrypt/nginx/proxy-confs/authelia.subdomain.conf
new file mode 100644
index 0000000..211a1c4
--- /dev/null
+++ b/letsencrypt/nginx/proxy-confs/authelia.subdomain.conf
@@ -0,0 +1,27 @@
+# make sure that your dns has a cname set for authelia
+# the default authelia-server and authelia-location confs included with letsencrypt rely on
+# subfolder proxy at "/authelia" and enabling of this proxy conf is not necessary.
+# But if you'd like to use authelia via subdomain, you can enable this proxy and set up your own
+# authelia-server and authelia-location confs as described in authelia docs.
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name auth.*;
+
+    include /config/nginx/ssl.conf;
+
+    client_max_body_size 0;
+
+    location / {
+
+        include /config/nginx/proxy.conf;
+        resolver 127.0.0.11 valid=30s;
+        set $upstream_app authelia;
+        set $upstream_port 9091;
+        set $upstream_proto http;
+        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+    }
+}