iamthefij/authelia-cloudron
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Running, but untested

Browse Source
This commit is contained in:
IamTheFij 2019-03-07 02:27:34 +00:00
parent 2f660829fb
commit adb005b9e6
5 changed files with 148 additions and 138 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
CloudronManifest.json
View File

@ -9,8 +9,11 @@
"healthCheckPath": "/", "healthCheckPath": "/",
"httpPort": 3000, "httpPort": 3000,
"addons": { "addons": {
"ldap": {},
"localstorage": {}, "localstorage": {},
"ldap": {} "mongodb": {},
"redis": {},
"sendmail": {}
}, },
"manifestVersion": 1, "manifestVersion": 1,
"website": "https://www.authelia.com/", "website": "https://www.authelia.com/",

94
config.custom_template.yml Normal file
View File

@ -0,0 +1,94 @@
############################################
# Cloudron users
#
# Add additional customizations in this file.
# Certain features, such as Access Control *must* be done in this file.
############################################
# Access Control
#
# Access control is a list of rules defining the authorizations applied for one
# resource to users or group of users.
#
# If 'access_control' is not defined, ACL rules are disabled and the `bypass`
# rule is applied, i.e., access is allowed to anyone. Otherwise restrictions follow
# the rules defined.
#
# Note: One can use the wildcard * to match any subdomain.
# It must stand at the beginning of the pattern. (example: *.mydomain.com)
#
# Note: You must put patterns containing wildcards between simple quotes for the YAML
# to be syntaxically correct.
#
# Definition: A `rule` is an object with the following keys: `domain`, `subject`,
# `policy` and `resources`.
#
# - `domain` defines which domain or set of domains the rule applies to.
#
# - `subject` defines the subject to apply authorizations to. This parameter is
# optional and matching any user if not provided. If provided, the parameter
# represents either a user or a group. It should be of the form 'user:<username>'
# or 'group:<groupname>'.
#
# - `policy` is the policy to apply to resources. It must be either `bypass`,
# `one_factor`, `two_factor` or `deny`.
#
# - `resources` is a list of regular expressions that matches a set of resources to
#  apply the policy to. This parameter is optional and matches any resource if not
# provided.
#
# Note: the order of the rules is important. The first policy matching
# (domain, resource, subject) applies.
access_control:
# Default policy can either be `bypass`, `one_factor`, `two_factor` or `deny`.
# It is the policy applied to any resource if there is no policy to be applied
# to the user.
default_policy: deny
rules:
# Rules applied to everyone
- domain: public.example.com
policy: two_factor
- domain: single_factor.example.com
policy: one_factor
# Rules applied to 'admin' group
- domain: 'mx2.mail.example.com'
subject: 'group:admin'
policy: deny
- domain: '*.example.com'
subject: 'group:admin'
policy: two_factor
# Rules applied to 'dev' group
- domain: dev.example.com
resources:
- '^/groups/dev/.*$'
subject: 'group:dev'
policy: two_factor
# Rules applied to user 'john'
- domain: dev.example.com
resources:
- '^/users/john/.*$'
subject: 'user:john'
policy: two_factor
# Rules applied to user 'harry'
- domain: dev.example.com
resources:
- '^/users/harry/.*$'
subject: 'user:harry'
policy: two_factor
# Rules applied to user 'bob'
- domain: '*.mail.example.com'
subject: 'user:bob'
policy: two_factor
- domain: 'dev.example.com'
resources:
- '^/users/bob/.*$'
subject: 'user:bob'
policy: two_factor

156
config.template.yml
View File

@ -27,7 +27,7 @@ default_redirection_url: ##DEFAULT_REDIRECT_URL
# This will be the issuer name displayed in Google Authenticator # This will be the issuer name displayed in Google Authenticator
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names # See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
totp: totp:
issuer: ##TOTP_ISSUER issuer: ##APP_DOMAIN
# The authentication backend to use for verifying user passwords # The authentication backend to use for verifying user passwords
# and retrieve information such as email address and groups # and retrieve information such as email address and groups
@ -45,10 +45,11 @@ authentication_backend:
url: ##LDAP_URL url: ##LDAP_URL
# The base dn for every entries # The base dn for every entries
base_dn: '' base_dn: dc=cloudron
# An additional dn to define the scope to all users # An additional dn to define the scope to all users
additional_users_dn: ##LDAP_USERS_BASE_DN # additional_users_dn: ##LDAP_USERS_BASE_DN
additional_users_dn: ou=users
# The users filter used to find the user DN # The users filter used to find the user DN
# {0} is a matcher replaced by username. # {0} is a matcher replaced by username.
@ -56,13 +57,15 @@ authentication_backend:
users_filter: (&(objectclass=user)(|(username={0})(mail={0}))) users_filter: (&(objectclass=user)(|(username={0})(mail={0})))
# An additional dn to define the scope of groups # An additional dn to define the scope of groups
additional_groups_dn: ##LDAP_GROUPS_BASE_DN # additional_groups_dn: ##LDAP_GROUPS_BASE_DN
additional_groups_dn: ou=groups
# The groups filter used for retrieving groups of a given user. # The groups filter used for retrieving groups of a given user.
# {0} is a matcher replaced by username. # {0} is a matcher replaced by username.
# {dn} is a matcher replaced by user DN. # {dn} is a matcher replaced by user DN.
# {uid} is a matcher replaced by user uid.
# 'member={dn}' by default. # 'member={dn}' by default.
groups_filter: (&(member={dn})(objectclass=groupOfNames)) groups_filter: (&(memberuid={uid})(objectclass=group))
# The attribute holding the name of the group # The attribute holding the name of the group
group_name_attribute: cn group_name_attribute: cn
@ -74,104 +77,9 @@ authentication_backend:
user: ##LDAP_BIND_DN user: ##LDAP_BIND_DN
password: ##LDAP_BIND_PASSWORD password: ##LDAP_BIND_PASSWORD
# File backend configuration.
#
# With this backend, the users database is stored in a file
# which is updated when users reset their passwords.
# Therefore, this backend is meant to be used in a dev environment
# and not in production since it prevents Authelia to be scaled to
# more than one instance.
#
## file:
## path: ./users_database.yml
# Access Control must be customized in /app/data/config.yml
# Access Control # access_control:
#
# Access control is a list of rules defining the authorizations applied for one
# resource to users or group of users.
#
# If 'access_control' is not defined, ACL rules are disabled and the `bypass`
# rule is applied, i.e., access is allowed to anyone. Otherwise restrictions follow
# the rules defined.
#
# Note: One can use the wildcard * to match any subdomain.
# It must stand at the beginning of the pattern. (example: *.mydomain.com)
#
# Note: You must put patterns containing wildcards between simple quotes for the YAML
# to be syntaxically correct.
#
# Definition: A `rule` is an object with the following keys: `domain`, `subject`,
# `policy` and `resources`.
#
# - `domain` defines which domain or set of domains the rule applies to.
#
# - `subject` defines the subject to apply authorizations to. This parameter is
# optional and matching any user if not provided. If provided, the parameter
# represents either a user or a group. It should be of the form 'user:<username>'
# or 'group:<groupname>'.
#
# - `policy` is the policy to apply to resources. It must be either `bypass`,
# `one_factor`, `two_factor` or `deny`.
#
# - `resources` is a list of regular expressions that matches a set of resources to
#  apply the policy to. This parameter is optional and matches any resource if not
# provided.
#
# Note: the order of the rules is important. The first policy matching
# (domain, resource, subject) applies.
access_control:
# Default policy can either be `bypass`, `one_factor`, `two_factor` or `deny`.
# It is the policy applied to any resource if there is no policy to be applied
# to the user.
default_policy: deny
rules:
# Rules applied to everyone
- domain: public.example.com
policy: two_factor
- domain: single_factor.example.com
policy: one_factor
# Rules applied to 'admin' group
- domain: 'mx2.mail.example.com'
subject: 'group:admin'
policy: deny
- domain: '*.example.com'
subject: 'group:admin'
policy: two_factor
# Rules applied to 'dev' group
- domain: dev.example.com
resources:
- '^/groups/dev/.*$'
subject: 'group:dev'
policy: two_factor
# Rules applied to user 'john'
- domain: dev.example.com
resources:
- '^/users/john/.*$'
subject: 'user:john'
policy: two_factor
# Rules applied to user 'harry'
- domain: dev.example.com
resources:
- '^/users/harry/.*$'
subject: 'user:harry'
policy: two_factor
# Rules applied to user 'bob'
- domain: '*.mail.example.com'
subject: 'user:bob'
policy: two_factor
- domain: 'dev.example.com'
resources:
- '^/users/bob/.*$'
subject: 'user:bob'
policy: two_factor
# Configuration of session cookies # Configuration of session cookies
@ -182,7 +90,7 @@ session:
name: authelia_session name: authelia_session
# The secret to encrypt the session cookie. # The secret to encrypt the session cookie.
secret: unsecure_session_secret secret: ##SESSION_SECRET
# The time in ms before the cookie expires and session is reset. # The time in ms before the cookie expires and session is reset.
expiration: 3600000 # 1 hour expiration: 3600000 # 1 hour
@ -193,13 +101,13 @@ session:
# The domain to protect. # The domain to protect.
# Note: the authenticator must also be in that domain. If empty, the cookie # Note: the authenticator must also be in that domain. If empty, the cookie
# is restricted to the subdomain of the issuer. # is restricted to the subdomain of the issuer.
domain: example.com domain: ##APP_DOMAIN
# The redis connection details # The redis connection details
redis: redis:
host: redis host: ##REDIS_HOST
port: 6379 port: ##REDIS_PORT
password: authelia password: ##REDIS_PASSWORD
# Configuration of the authentication regulation mechanism. # Configuration of the authentication regulation mechanism.
# #
@ -222,17 +130,13 @@ regulation:
# #
# You must use only an available configuration: local, mongo # You must use only an available configuration: local, mongo
storage: storage:
# The directory where the DB files will be saved
## local:
## path: /var/lib/authelia/store
# Settings to connect to mongo server # Settings to connect to mongo server
mongo: mongo:
url: mongodb://mongo url: ##MONGODB_URL
database: authelia database: ##MONGODB_DATABASE
auth: auth:
username: authelia username: ##MONGODB_USERNAME
password: authelia password: ##MONGODB_PASSWORD
# Configuration of the notification system. # Configuration of the notification system.
# #
@ -240,23 +144,11 @@ storage:
# registration or a TOTP registration. # registration or a TOTP registration.
# Use only an available configuration: filesystem, gmail # Use only an available configuration: filesystem, gmail
notifier: notifier:
# For testing purpose, notifications can be sent in a file
## filesystem:
## filename: /tmp/authelia/notification.txt
# Use your email account to send the notifications. You can use an app password.
# List of valid services can be found here: https://nodemailer.com/smtp/well-known/
## email:
## username: user@example.com
## password: yourpassword
## sender: admin@example.com
## service: gmail
# Use a SMTP server for sending notifications # Use a SMTP server for sending notifications
smtp: smtp:
username: test username: ##MAIL_SMTP_USERNAME
password: password password: ##MAIL_SMTP_PASSWORD
secure: false secure: false
host: 'smtp' host: ##MAIL_SMTP_SERVER
port: 1025 port: ##MAIL_SMTP_PORT
sender: admin@example.com sender: ##MAIL_FROM

27
start.sh
View File

@ -4,18 +4,39 @@ set -eu
mkdir -p /run/authelia mkdir -p /run/authelia
# Generate session secret if it doesn't exist
if [[ ! -f /app/data/session_secret ]]; then
pwgen -1 -s > /app/data/session_secret
fi
SESSION_SECRET=$(cat /app/data/session_secret)
# Generate base config from template # Generate base config from template
sed -e "s/##DEFAULT_REDIRECT_URL/${REDIRECT_URL}/" \ sed -e "s|##DEFAULT_REDIRECT_URL|${WEBADMIN_ORIGIN}|" \
-e "s/##TOTP_ISSUER/${}/"\ -e "s|##LDAP_URL|${LDAP_URL}|"\
-e "s/##LDAP_URL/${LDAP_URL}/"\
-e "s/##LDAP_USERS_BASE_DN/${LDAP_USERS_BASE_DN}/"\ -e "s/##LDAP_USERS_BASE_DN/${LDAP_USERS_BASE_DN}/"\
-e "s/##LDAP_GROUPS_BASE_DN/${LDAP_GROUPS_BASE_DN}/"\ -e "s/##LDAP_GROUPS_BASE_DN/${LDAP_GROUPS_BASE_DN}/"\
-e "s/##LDAP_BIND_DN/${LDAP_BIND_DN}/"\ -e "s/##LDAP_BIND_DN/${LDAP_BIND_DN}/"\
-e "s/##LDAP_BIND_PASSWORD/${LDAP_BIND_PASSWORD}/"\ -e "s/##LDAP_BIND_PASSWORD/${LDAP_BIND_PASSWORD}/"\
-e "s/##SESSION_SECRET/${SESSION_SECRET}/"\
-e "s/##APP_DOMAIN/${APP_DOMAIN}/"\
-e "s|##APP_ORIGIN|${APP_ORIGIN}|"\
-e "s/##REDIS_HOST/${REDIS_HOST}/"\
-e "s/##REDIS_PORT/${REDIS_PORT}/"\
-e "s/##REDIS_PASSWORD/${REDIS_PASSWORD}/"\
-e "s|##MONGODB_URL|${MONGODB_URL}|"\
-e "s/##MONGODB_DATABASE/${MONGODB_DATABASE}/"\
-e "s/##MONGODB_USERNAME/${MONGODB_USERNAME}/"\
-e "s/##MONGODB_PASSWORD/${MONGODB_PASSWORD}/"\
-e "s/##MAIL_SMTP_USERNAME/${MAIL_SMTP_USERNAME}/"\
-e "s/##MAIL_SMTP_PASSWORD/${MAIL_SMTP_PASSWORD}/"\
-e "s/##MAIL_SMTP_SERVER/${MAIL_SMTP_SERVER}/"\
-e "s/##MAIL_SMTP_PORT/${MAIL_SMTP_PORT}/"\
-e "s/##MAIL_FROM/${MAIL_FROM}/"\
/app/code/config.template.yml > /run/authelia/config.yml /app/code/config.template.yml > /run/authelia/config.yml
# Create override config.yml file if not exists # Create override config.yml file if not exists
if [[ ! -f /app/data/config.yml ]]; then if [[ ! -f /app/data/config.yml ]]; then
cp /app/code/config.custom_template.yml > /app/data/config.yml
echo "# Add additional customizations in this file" > /app/data/config.yml echo "# Add additional customizations in this file" > /app/data/config.yml
fi fi

4
yaml-override.js
View File

@ -5,7 +5,7 @@
var fs = require('fs'), var fs = require('fs'),
yaml = require('yamljs'); yaml = require('yamljs');
var target = yaml.load(fs.readFileSync(process.argv[2] ,'utf8')); var target = yaml.load(process.argv[2]);
var source = yaml.load(fs.readFileSync(process.argv[3], 'utf8')); var source = yaml.load(process.argv[3]);
target = Object.assign(target, source); target = Object.assign(target, source);
fs.writeFileSync(process.argv[2], yaml.dump(target)); fs.writeFileSync(process.argv[2], yaml.dump(target));