Bxl-rpi Identity provider

This commit is contained in:
Brieuc Dubois 2023-04-12 21:57:59 +02:00 committed by Bhasher
parent f3c67e3223
commit a66a33140e
2 changed files with 208 additions and 4 deletions


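--- /dev/null
+++ b/config/idp/authelia.configuration.yaml
@@ -0,0 +1,101 @@
+default_redirection_url: https://portal.bhasher.com
+theme: dark
+server:
+host: 0.0.0.0
+port: 9091
+log:
+level: info
+totp:
+disable: false
+issuer: idp.bhasher.com
+algorithm: sha256
+digits: 6
+period: 30
+skew: 1
+secret_size: 32
+authentication_backend:
+password_reset:
+disable: false
+refresh_interval: 5m
+ldap:
+user: cn=readonly,dc=bhasher,dc=com
+implementation: custom
+url: ldap://openldap
+timeout: 5s
+start_tls: false
+base_dn: DC=bhasher,DC=com
+username_attribute: uid
+additional_users_dn: ou=users
+users_filter: (&({username_attribute}={input})(objectClass=inetOrgPerson))
+additional_groups_dn: ou=groups
+groups_filter: (&(uniqueMember={dn})(objectClass=groupOfUniqueNames))
+group_name_attribute: cn
+mail_attribute: mail
+display_name_attribute: cn
+permit_referrals: false
+access_control:
+default_policy: deny
+rules:
+- domain: '*.bhasher.com'
+policy: two_factor
+subject:
+- "group:admin"
+- domain: 'radarr.bhasher.com'
+policy: two_factor
+subject:
+- "group:mediaserver"
+- domain: 'sonarr.bhasher.com'
+policy: two_factor
+subject:
+- "group:mediaserver"
+- domain: 'jellyfin.bhasher.com'
+policy: two_factor
+subject:
+- "group:mediaserver"
+session:
+name: auth_session
+domain: bhasher.com
+same_site: lax
+expiration: 1d
+inactivity: 3h
+remember_me_duration: 1w
+redis:
+host: redis
+port: 6379
+regulation:
+max_retries: 3
+find_time: 1m
+ban_time: 5m
+storage:
+# local:
+# path: /data/db.sqlite3
+postgres:
+host: postgres
+port: 5432
+database: authelia
+schema: public
+username: postgres
+notifier:
+smtp:
+host: bdubois.io
+port: 587
+sender: no-reply@bhasher.com
+password_policy:
+standard:
+enabled: true
+min_length: 8
+max_length: 0
+require_uppercase: false
+require_lowercase: false
+require_number: false
+require_special: false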
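Review bot: `storage.postgres.username: postgres` binds Authelia to the database superuser, and the compose change hands it the same `${POSTGRES_PASSWORD}` the server itself is initialised with, so a compromise of the Authelia container or its environment is full control of every database on that instance; create a dedicated role that owns only the `authelia` database and point `username:` (and `AUTHELIA_STORAGE_POSTGRES_PASSWORD`) at it. The LDAP backend is reached over plain `ldap://openldap` with `start_tls: false`, so the read-only bind password and, presumably, every user password Authelia checks by binding cross the container network unencrypted — tolerable only if that network is private to these services, which a comment above `url:` should state (e.g. `# plaintext LDAP: openldap must only be reachable on the internal compose network`). `password_policy.standard` with `min_length: 8` and every `require_*` disabled is weak for an IdP whose `password_reset` flow is enabled; Authelia's `zxcvbn` policy or a higher minimum would be more in line with the `two_factor` posture of the access rules. The rendering has lost this file's indentation, so nesting (e.g. which keys sit under `ldap:` versus `authentication_backend:`) should be re-checked against the actual file.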


@ -216,6 +216,7 @@ services:
- "traefik.http.routers.radarr.tls=true" - "traefik.http.routers.radarr.tls=true"
- "traefik.http.routers.radarr.tls.certresolver=http" - "traefik.http.routers.radarr.tls.certresolver=http"
- "traefik.http.routers.radarr.entrypoints=internalsecure" - "traefik.http.routers.radarr.entrypoints=internalsecure"
- "traefik.http.routers.radarr.middlewares=authelia@docker"
sonarr: sonarr:
container_name: sonarr container_name: sonarr
@ -236,6 +237,7 @@ services:
- "traefik.http.routers.sonarr.tls=true" - "traefik.http.routers.sonarr.tls=true"
- "traefik.http.routers.sonarr.tls.certresolver=http" - "traefik.http.routers.sonarr.tls.certresolver=http"
- "traefik.http.routers.sonarr.entrypoints=internalsecure" - "traefik.http.routers.sonarr.entrypoints=internalsecure"
- "traefik.http.routers.sonarr.middlewares=authelia@docker"
lidarr: lidarr:
container_name: lidarr container_name: lidarr
@ -256,6 +258,7 @@ services:
- "traefik.http.routers.lidarr.tls=true" - "traefik.http.routers.lidarr.tls=true"
- "traefik.http.routers.lidarr.tls.certresolver=http" - "traefik.http.routers.lidarr.tls.certresolver=http"
- "traefik.http.routers.lidarr.entrypoints=internalsecure" - "traefik.http.routers.lidarr.entrypoints=internalsecure"
- "traefik.http.routers.lidarr.middlewares=authelia@docker"
transmission: transmission:
container_name: transmission container_name: transmission
@ -279,6 +282,7 @@ services:
- "traefik.http.routers.transmission.tls=true" - "traefik.http.routers.transmission.tls=true"
- "traefik.http.routers.transmission.tls.certresolver=http" - "traefik.http.routers.transmission.tls.certresolver=http"
- "traefik.http.routers.transmission.entrypoints=internalsecure" - "traefik.http.routers.transmission.entrypoints=internalsecure"
- "traefik.http.routers.transmission.middlewares=authelia@docker"
jackett: jackett:
container_name: jackett container_name: jackett
@ -299,6 +303,7 @@ services:
- "traefik.http.routers.jackett.tls=true" - "traefik.http.routers.jackett.tls=true"
- "traefik.http.routers.jackett.tls.certresolver=http" - "traefik.http.routers.jackett.tls.certresolver=http"
- "traefik.http.routers.jackett.entrypoints=internalsecure" - "traefik.http.routers.jackett.entrypoints=internalsecure"
- "traefik.http.routers.jackett.middlewares=authelia@docker"
flaresolverr: flaresolverr:
container_name: flaresolverr container_name: flaresolverr
@ -329,6 +334,7 @@ services:
- "traefik.http.routers.bazarr.tls=true" - "traefik.http.routers.bazarr.tls=true"
- "traefik.http.routers.bazarr.tls.certresolver=http" - "traefik.http.routers.bazarr.tls.certresolver=http"
- "traefik.http.routers.bazarr.entrypoints=internalsecure" - "traefik.http.routers.bazarr.entrypoints=internalsecure"
- "traefik.http.routers.bazarr.middlewares=authelia@docker"
baikal: baikal:
container_name: baikal container_name: baikal
@ -380,19 +386,19 @@ services:
- 53:53/udp - 53:53/udp
environment: environment:
- TZ=Europe/Paris - TZ=Europe/Paris
- WEBPASSWORD=${PIHOLE_PASSWORD} - WEBPASSWORD=
- WEBTHEME=default-dark - WEBTHEME=default-dark
- REV_SERVER=false - REV_SERVER=false
- PIHOLE_DNS_=127.0.0.1#5335 - PIHOLE_DNS_=127.0.0.1#5335
- DNSSEC=true - DNSSEC=true
- DNSMASQ_LISTENING=all - DNSMASQ_LISTENING=all
- FTLCONF_REPLY_ADDR4=192.168.1.220 - FTLCONF_LOCAL_IPV4=192.168.1.220
- FTLCONF_RATE_LIMIT=0/0 - FTLCONF_RATE_LIMIT=0/0
- FTL_CMD=debug - FTL_CMD=debug
- DNSMASQ_USER=root - DNSMASQ_USER=root
volumes: volumes:
- $HOME/pihole/config:/etc/pihole - $DATA/pihole/config:/etc/pihole
- $HOME/pihole/dnsmasq.d:/etc/dnsmasq.d - $DATA/pihole/dnsmasq.d:/etc/dnsmasq.d
restart: unless-stopped restart: unless-stopped
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
@ -401,3 +407,100 @@ services:
- "traefik.http.services.pihole.loadbalancer.server.port=80" - "traefik.http.services.pihole.loadbalancer.server.port=80"
- "traefik.http.routers.pihole.tls=true" - "traefik.http.routers.pihole.tls=true"
- "traefik.http.routers.pihole.tls.certresolver=http" - "traefik.http.routers.pihole.tls.certresolver=http"
- "traefik.http.routers.pihole.middlewares=pihole-strip,authelia@docker"
#- "traefik.http.middlewares.pihole-strip.stripprefix.prefixes=/admin"
- "traefik.http.middlewares.pihole-strip.addprefix.prefix=/admin"
postgres:
container_name: postgres
image: postgres:latest
restart: unless-stopped
environment:
- POSTGRES_USER=postgres
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
volumes:
- $DATA/postgres:/var/lib/postgresql/data
redis:
container_name: redis
image: redis:latest
restart: unless-stopped
openldap:
container_name: openldap
image: osixia/openldap:latest
restart: unless-stopped
environment:
- LDAP_ADMIN_USERNAME=admin
- LDAP_ADMIN_PASSWORD=${LDAP_ADMIN_PASSWORD}
- LDAP_READONLY_USER=true
- LDAP_READONLY_USER_USERNAME=readonly
- LDAP_READONLY_USER_PASSWORD=${LDAP_READONLY_PASSWORD}
- LDAP_DOMAIN=bhasher.com
- LDAP_ORGANISATION=Bhasher
- LDAP_RFC2307BIS_SCHEMA=true
- LDAP_TLS=false
volumes:
- $DATA/openldap/ldap:/var/lib/ldap
- $DATA/openldap/slapd.d:/etc/ldap/slapd.d
ldapusermanager:
container_name: ldapusermanager
image: wheelybird/ldap-user-manager:latest
restart: unless-stopped
environment:
- LDAP_URI=ldap://openldap
- LDAP_BASE_DN=dc=bhasher,dc=com
- LDAP_ADMIN_BIND_DN=cn=admin,dc=bhasher,dc=com
- LDAP_ADMINS_GROUP=admin
- SERVER_HOSTNAME=lum.bhasher.com
- NO_HTTPS=true
- ORGANISATION_NAME=Bhasher
- LDAP_REQUIRE_STARTTLS=false
- FORCE_RFC2307BIS=true
- SHOW_POSIX_ATTRIBUTES=false
- LDAP_ADMIN_BIND_PWD=${LDAP_ADMIN_PASSWORD}
- LDAP_USER_OU=users
- LDAP_GROUP_OU=groups
- LDAP_ACCOUNT_ATTRIBUTE=uid
- LDAP_GROUP_ATTRIBUTE=cn
- USERNAME_FORMAT={first_name}.{last_name}
- ENFORCE_SAFE_SYSTEM_NAMES=false
- PASSWORD_HASH=SHA512CRYPT
- ACCEPT_WEAK_PASSWORDS=false
- LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES=jpegPhoto^:Profile picture,sshpubkey^+:SSH public key
- REMOTE_HTTP_HEADERS_LOGIN=true
labels:
- "traefik.enable=true"
- "traefik.http.routers.lum.rule=Host(`lum.bhasher.com`)"
- "traefik.http.routers.lum.entrypoints=internalsecure"
- "traefik.http.services.lum.loadbalancer.server.port=80"
- "traefik.http.routers.lum.tls=true"
- "traefik.http.routers.lum.tls.certresolver=http"
- "traefik.http.routers.lum.middlewares=authelia@docker"
authelia:
container_name: authelia
image: authelia/authelia:latest
restart: unless-stopped
environment:
- TZ=Europe/Paris
- AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD=${LDAP_READONLY_PASSWORD}
- AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
- AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
- AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_ENCRYPTION_KEY}
- AUTHELIA_STORAGE_POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
- AUTHELIA_NOTIFIER_SMTP_PASSWORD=${SMTP_PASSWORD}
- AUTHELIA_NOTIFIER_SMTP_USERNAME=${SMTP_USER}
labels:
- "traefik.enable=true"
- "traefik.http.routers.authelia.rule=Host(`idp.bhasher.com`)"
- "traefik.http.routers.authelia.entrypoints=internalsecure,externalsecure"
- "traefik.http.services.authelia.loadbalancer.server.port=9091"
- "traefik.http.routers.authelia.tls=true"
- "traefik.http.routers.authelia.tls.certresolver=http"
- 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https%3A%2F%2Fidp.bhasher.com%2F'
- 'traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true'
- 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
volumes:
- ./config/idp/authelia.configuration.yaml:/config/configuration.yml:ro
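Review bot: `REMOTE_HTTP_HEADERS_LOGIN=true` on `ldapusermanager` makes it treat whatever `Remote-User` header arrives as an authenticated identity, and the only thing keeping that header honest is that requests reach it through the `authelia@docker` forwardAuth middleware on the `lum` router; if the container is reachable by any other path — a published port, a router without the middleware, or any other container on the shared default compose network (nothing added here declares a dedicated `networks:` section) — a request carrying `Remote-User: <member of admin>` logs straight in with `LDAP_ADMIN_BIND_DN` privileges. The same header-trust caveat applies to every service that gained `middlewares=authelia@docker` in this change and consumes the `Remote-*` headers listed in `authResponseHeaders`, so keep Authelia, OpenLDAP, Redis, Postgres and ldapusermanager on an internal network reachable only from Traefik, and note that `redis` runs with no password while holding every Authelia session. The old/new side of the `WEBPASSWORD=${PIHOLE_PASSWORD}` / `WEBPASSWORD=` pair cannot be told from this rendering; if the Pi-hole password was removed in favour of the new `pihole-strip,authelia@docker` middlewares, the admin UI has no protection of its own and must likewise be unreachable except via Traefik. Pinning `postgres`, `redis`, `osixia/openldap`, `wheelybird/ldap-user-manager` and `authelia/authelia` to a version or digest instead of `:latest` would also keep the authentication stack from silently changing on the next pull.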