From a66a33140e4ce23deb47e71972ad9f8dd56d1304 Mon Sep 17 00:00:00 2001 From: BhasherBEL Date: Wed, 12 Apr 2023 21:57:59 +0200 Subject: [PATCH] Bxl-rpi Identity provider --- .../config/idp/authelia.configuration.yaml | 101 ++++++++++++++++ bxl-rpi/docker-compose.yaml | 111 +++++++++++++++++- 2 files changed, 208 insertions(+), 4 deletions(-) create mode 100644 bxl-rpi/config/idp/authelia.configuration.yaml diff --git a/bxl-rpi/config/idp/authelia.configuration.yaml b/bxl-rpi/config/idp/authelia.configuration.yaml new file mode 100644 index 0000000..1106cfe --- /dev/null +++ b/bxl-rpi/config/idp/authelia.configuration.yaml @@ -0,0 +1,101 @@ +default_redirection_url: https://portal.bhasher.com +theme: dark + +server: + host: 0.0.0.0 + port: 9091 + +log: + level: info + +totp: + disable: false + issuer: idp.bhasher.com + algorithm: sha256 + digits: 6 + period: 30 + skew: 1 + secret_size: 32 + +authentication_backend: + password_reset: + disable: false + refresh_interval: 5m + ldap: + user: cn=readonly,dc=bhasher,dc=com + implementation: custom + url: ldap://openldap + timeout: 5s + start_tls: false + base_dn: DC=bhasher,DC=com + username_attribute: uid + additional_users_dn: ou=users + users_filter: (&({username_attribute}={input})(objectClass=inetOrgPerson)) + additional_groups_dn: ou=groups + groups_filter: (&(uniqueMember={dn})(objectClass=groupOfUniqueNames)) + group_name_attribute: cn + mail_attribute: mail + display_name_attribute: cn + permit_referrals: false + +access_control: + default_policy: deny + rules: + - domain: '*.bhasher.com' + policy: two_factor + subject: + - "group:admin" + - domain: 'radarr.bhasher.com' + policy: two_factor + subject: + - "group:mediaserver" + - domain: 'sonarr.bhasher.com' + policy: two_factor + subject: + - "group:mediaserver" + - domain: 'jellyfin.bhasher.com' + policy: two_factor + subject: + - "group:mediaserver" + +session: + name: auth_session + domain: bhasher.com + same_site: lax + expiration: 1d + inactivity: 3h + remember_me_duration: 1w + redis: + host: redis + port: 6379 + +regulation: + max_retries: 3 + find_time: 1m + ban_time: 5m + +storage: + # local: + # path: /data/db.sqlite3 + postgres: + host: postgres + port: 5432 + database: authelia + schema: public + username: postgres + +notifier: + smtp: + host: bdubois.io + port: 587 + sender: no-reply@bhasher.com + +password_policy: + standard: + enabled: true + min_length: 8 + max_length: 0 + require_uppercase: false + require_lowercase: false + require_number: false + require_special: false diff --git a/bxl-rpi/docker-compose.yaml b/bxl-rpi/docker-compose.yaml index 396cf06..3aac55f 100644 --- a/bxl-rpi/docker-compose.yaml +++ b/bxl-rpi/docker-compose.yaml @@ -216,6 +216,7 @@ services: - "traefik.http.routers.radarr.tls=true" - "traefik.http.routers.radarr.tls.certresolver=http" - "traefik.http.routers.radarr.entrypoints=internalsecure" + - "traefik.http.routers.radarr.middlewares=authelia@docker" sonarr: container_name: sonarr @@ -236,6 +237,7 @@ services: - "traefik.http.routers.sonarr.tls=true" - "traefik.http.routers.sonarr.tls.certresolver=http" - "traefik.http.routers.sonarr.entrypoints=internalsecure" + - "traefik.http.routers.sonarr.middlewares=authelia@docker" lidarr: container_name: lidarr @@ -256,6 +258,7 @@ services: - "traefik.http.routers.lidarr.tls=true" - "traefik.http.routers.lidarr.tls.certresolver=http" - "traefik.http.routers.lidarr.entrypoints=internalsecure" + - "traefik.http.routers.lidarr.middlewares=authelia@docker" transmission: container_name: transmission @@ -279,6 +282,7 @@ services: - "traefik.http.routers.transmission.tls=true" - "traefik.http.routers.transmission.tls.certresolver=http" - "traefik.http.routers.transmission.entrypoints=internalsecure" + - "traefik.http.routers.transmission.middlewares=authelia@docker" jackett: container_name: jackett @@ -299,6 +303,7 @@ services: - "traefik.http.routers.jackett.tls=true" - "traefik.http.routers.jackett.tls.certresolver=http" - "traefik.http.routers.jackett.entrypoints=internalsecure" + - "traefik.http.routers.jackett.middlewares=authelia@docker" flaresolverr: container_name: flaresolverr @@ -329,6 +334,7 @@ services: - "traefik.http.routers.bazarr.tls=true" - "traefik.http.routers.bazarr.tls.certresolver=http" - "traefik.http.routers.bazarr.entrypoints=internalsecure" + - "traefik.http.routers.bazarr.middlewares=authelia@docker" baikal: container_name: baikal @@ -380,19 +386,19 @@ services: - 53:53/udp environment: - TZ=Europe/Paris - - WEBPASSWORD=${PIHOLE_PASSWORD} + - WEBPASSWORD= - WEBTHEME=default-dark - REV_SERVER=false - PIHOLE_DNS_=127.0.0.1#5335 - DNSSEC=true - DNSMASQ_LISTENING=all - - FTLCONF_REPLY_ADDR4=192.168.1.220 + - FTLCONF_LOCAL_IPV4=192.168.1.220 - FTLCONF_RATE_LIMIT=0/0 - FTL_CMD=debug - DNSMASQ_USER=root volumes: - - $HOME/pihole/config:/etc/pihole - - $HOME/pihole/dnsmasq.d:/etc/dnsmasq.d + - $DATA/pihole/config:/etc/pihole + - $DATA/pihole/dnsmasq.d:/etc/dnsmasq.d restart: unless-stopped labels: - "traefik.enable=true" @@ -401,3 +407,100 @@ services: - "traefik.http.services.pihole.loadbalancer.server.port=80" - "traefik.http.routers.pihole.tls=true" - "traefik.http.routers.pihole.tls.certresolver=http" + - "traefik.http.routers.pihole.middlewares=pihole-strip,authelia@docker" + #- "traefik.http.middlewares.pihole-strip.stripprefix.prefixes=/admin" + - "traefik.http.middlewares.pihole-strip.addprefix.prefix=/admin" + + postgres: + container_name: postgres + image: postgres:latest + restart: unless-stopped + environment: + - POSTGRES_USER=postgres + - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} + volumes: + - $DATA/postgres:/var/lib/postgresql/data + + redis: + container_name: redis + image: redis:latest + restart: unless-stopped + + openldap: + container_name: openldap + image: osixia/openldap:latest + restart: unless-stopped + environment: + - LDAP_ADMIN_USERNAME=admin + - LDAP_ADMIN_PASSWORD=${LDAP_ADMIN_PASSWORD} + - LDAP_READONLY_USER=true + - LDAP_READONLY_USER_USERNAME=readonly + - LDAP_READONLY_USER_PASSWORD=${LDAP_READONLY_PASSWORD} + - LDAP_DOMAIN=bhasher.com + - LDAP_ORGANISATION=Bhasher + - LDAP_RFC2307BIS_SCHEMA=true + - LDAP_TLS=false + volumes: + - $DATA/openldap/ldap:/var/lib/ldap + - $DATA/openldap/slapd.d:/etc/ldap/slapd.d + + ldapusermanager: + container_name: ldapusermanager + image: wheelybird/ldap-user-manager:latest + restart: unless-stopped + environment: + - LDAP_URI=ldap://openldap + - LDAP_BASE_DN=dc=bhasher,dc=com + - LDAP_ADMIN_BIND_DN=cn=admin,dc=bhasher,dc=com + - LDAP_ADMINS_GROUP=admin + - SERVER_HOSTNAME=lum.bhasher.com + - NO_HTTPS=true + - ORGANISATION_NAME=Bhasher + - LDAP_REQUIRE_STARTTLS=false + - FORCE_RFC2307BIS=true + - SHOW_POSIX_ATTRIBUTES=false + - LDAP_ADMIN_BIND_PWD=${LDAP_ADMIN_PASSWORD} + - LDAP_USER_OU=users + - LDAP_GROUP_OU=groups + - LDAP_ACCOUNT_ATTRIBUTE=uid + - LDAP_GROUP_ATTRIBUTE=cn + - USERNAME_FORMAT={first_name}.{last_name} + - ENFORCE_SAFE_SYSTEM_NAMES=false + - PASSWORD_HASH=SHA512CRYPT + - ACCEPT_WEAK_PASSWORDS=false + - LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES=jpegPhoto^:Profile picture,sshpubkey^+:SSH public key + - REMOTE_HTTP_HEADERS_LOGIN=true + labels: + - "traefik.enable=true" + - "traefik.http.routers.lum.rule=Host(`lum.bhasher.com`)" + - "traefik.http.routers.lum.entrypoints=internalsecure" + - "traefik.http.services.lum.loadbalancer.server.port=80" + - "traefik.http.routers.lum.tls=true" + - "traefik.http.routers.lum.tls.certresolver=http" + - "traefik.http.routers.lum.middlewares=authelia@docker" + + authelia: + container_name: authelia + image: authelia/authelia:latest + restart: unless-stopped + environment: + - TZ=Europe/Paris + - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD=${LDAP_READONLY_PASSWORD} + - AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET} + - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET} + - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_ENCRYPTION_KEY} + - AUTHELIA_STORAGE_POSTGRES_PASSWORD=${POSTGRES_PASSWORD} + - AUTHELIA_NOTIFIER_SMTP_PASSWORD=${SMTP_PASSWORD} + - AUTHELIA_NOTIFIER_SMTP_USERNAME=${SMTP_USER} + labels: + - "traefik.enable=true" + - "traefik.http.routers.authelia.rule=Host(`idp.bhasher.com`)" + - "traefik.http.routers.authelia.entrypoints=internalsecure,externalsecure" + - "traefik.http.services.authelia.loadbalancer.server.port=9091" + - "traefik.http.routers.authelia.tls=true" + - "traefik.http.routers.authelia.tls.certresolver=http" + - 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https%3A%2F%2Fidp.bhasher.com%2F' + - 'traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true' + - 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' + volumes: + - ./config/idp/authelia.configuration.yaml:/config/configuration.yml:ro