Deploy authelia

Backed by lldap and mysql and deployed on whoami for now as a forward proxy example Would be good to add oidc for Nomad as well as make policies configurable via Nomad variables.
2022-11-15 11:43:05 -08:00 · 2022-11-15 11:43:05 -08:00 · 88e91e5e5d
commit 88e91e5e5d
parent a90b3bbdbe
10 changed files with 516 additions and 25 deletions
--- a/.secrets-baseline
+++ b/.secrets-baseline
@ -144,6 +144,48 @@
        "is_secret": false
      }
    ],
+    "core/authelia.yml": [
+      {
+        "type": "Secret Keyword",
+        "filename": "core/authelia.yml",
+        "hashed_secret": "7cb6efb98ba5972a9b5090dc2e517fe14d12cb04",
+        "is_verified": false,
+        "line_number": 55,
+        "is_secret": false
+      },
+      {
+        "type": "Secret Keyword",
+        "filename": "core/authelia.yml",
+        "hashed_secret": "a32b08d97b1615dc27f58b6b17f67624c04e2c4f",
+        "is_verified": false,
+        "line_number": 182,
+        "is_secret": false
+      },
+      {
+        "type": "Secret Keyword",
+        "filename": "core/authelia.yml",
+        "hashed_secret": "d16a67474cca598880e37d64557f1264586386bd",
+        "is_verified": false,
+        "line_number": 248,
+        "is_secret": false
+      },
+      {
+        "type": "Secret Keyword",
+        "filename": "core/authelia.yml",
+        "hashed_secret": "7e1f5e63ab2c1f926e5fb81cc004dc24af411376",
+        "is_verified": false,
+        "line_number": 249,
+        "is_secret": false
+      },
+      {
+        "type": "Secret Keyword",
+        "filename": "core/authelia.yml",
+        "hashed_secret": "0bb90d739912b79b54b811fec298da9f59008a26",
+        "is_verified": false,
+        "line_number": 304,
+        "is_secret": false
+      }
+    ],
    "core/metrics/grafana/grafana.ini": [
      {
        "type": "Basic Auth Credentials",
@ -195,5 +237,5 @@
      }
    ]
  },
-  "generated_at": "2023-03-24T18:23:24Z"
+  "generated_at": "2023-07-07T00:58:58Z"
 }
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@ -1,25 +1,6 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.

-provider "registry.terraform.io/hashicorp/external" {
-  version = "2.3.1"
-  hashes = [
-    "h1:bROCw6g5D/3fFnWeJ01L4IrdnJl1ILU8DGDgXCtYzaY=",
-    "zh:001e2886dc81fc98cf17cf34c0d53cb2dae1e869464792576e11b0f34ee92f54",
-    "zh:2eeac58dd75b1abdf91945ac4284c9ccb2bfb17fa9bdb5f5d408148ff553b3ee",
-    "zh:2fc39079ba61411a737df2908942e6970cb67ed2f4fb19090cd44ce2082903dd",
-    "zh:472a71c624952cff7aa98a7b967f6c7bb53153dbd2b8f356ceb286e6743bb4e2",
-    "zh:4cff06d31272aac8bc35e9b7faec42cf4554cbcbae1092eaab6ab7f643c215d9",
-    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:7ed16ccd2049fa089616b98c0bd57219f407958f318f3c697843e2397ddf70df",
-    "zh:842696362c92bf2645eb85c739410fd51376be6c488733efae44f4ce688da50e",
-    "zh:8985129f2eccfd7f1841ce06f3bf2bbede6352ec9e9f926fbaa6b1a05313b326",
-    "zh:a5f0602d8ec991a5411ef42f872aa90f6347e93886ce67905c53cfea37278e05",
-    "zh:bf4ab82cbe5256dcef16949973bf6aa1a98c2c73a98d6a44ee7bc40809d002b8",
-    "zh:e70770be62aa70198fa899526d671643ff99eecf265bf1a50e798fc3480bd417",
-  ]
-}
-
 provider "registry.terraform.io/hashicorp/nomad" {
  version = "1.4.19"
  hashes = [
--- a/core/authelia.yml
+++ b/core/authelia.yml
@ -0,0 +1,354 @@
+theme: auto
+
+# jwt_secret: < in file >
+
+{{ with nomadVar "nomad/jobs" }}
+default_redirection_url: https://authelia.{{ .base_hostname }}/
+{{ end }}
+
+## Set the default 2FA method for new users and for when a user has a preferred method configured that has been
+## disabled. This setting must be a method that is enabled.
+## Options are totp, webauthn, mobile_push.
+default_2fa_method: ""
+
+server:
+  host: 0.0.0.0
+  port: 9091
+  disable_healthcheck: false
+
+log:
+  ## Level of verbosity for logs: info, debug, trace.
+  level: debug
+
+  ## Format the logs are written as: json, text.
+  format: json
+
+telemetry:
+  metrics:
+    enabled: false
+    # address: '0.0.0.0:{{ env "NOMAD_PORT_metrics" }}'
+
+totp:
+  disable: false
+  issuer: {{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}
+  digits: 6
+
+  ## The TOTP algorithm to use.
+  ## It is CRITICAL you read the documentation before changing this option:
+  ## https://www.authelia.com/c/totp#algorithm
+  algorithm: sha1
+
+webauthn:
+  disable: false
+  timeout: 60s
+  display_name: {{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}
+  user_verification: preferred
+
+duo_api:
+  disable: true
+  # hostname:
+  # integration_key:
+  # secret_key:
+  # enable_self_enrollment: false
+
+authentication_backend:
+  disable_reset_password: false
+
+  ## Password Reset Options.
+  password_reset:
+
+    ## External reset password url that redirects the user to an external reset portal. This disables the internal reset
+    ## functionality.
+    # TODO: not sure if this is needed, probably not?
+    custom_url: ""
+
+  refresh_interval: 5m
+
+  ldap:
+    implementation: custom
+
+    # stunnel url
+    url: ldap://127.0.0.1:389
+    timeout: 5s
+
+    # TODO: Maybe use stunnel for this
+    start_tls: false
+
+    base_dn: {{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}
+    additional_users_dn: ou=people
+    additional_groups_dn: ou=groups
+
+    username_attribute: uid
+    group_name_attribute: cn
+    mail_attribute: mail
+    display_name_attribute: displayName
+
+    # To allow sign in both with username and email, one can use a filter like
+    # (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
+    users_filter: "(&({username_attribute}={input})(objectClass=person))"
+    # Only supported filter by lldap right now
+    groups_filter: (member={dn})
+
+    ## The username and password of the admin user.
+    {{ with nomadVar "nomad/jobs/authelia" }}
+    user: uid={{ .lldap_admin_user }},ou=people,{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}
+    {{ end }}
+    # password set using secrets file
+    # password: <secret>
+
+password_policy:
+  standard:
+    enabled: false
+    min_length: 8
+    max_length: 0
+    require_uppercase: true
+    require_lowercase: true
+    require_number: true
+    require_special: true
+
+  zxcvbn:
+    enabled: false
+    min_score: 3
+
+##
+## Access Control Configuration
+##
+## Access control is a list of rules defining the authorizations applied for one resource to users or group of users.
+##
+## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed
+## to anyone. Otherwise restrictions follow the rules defined.
+##
+## Note: One can use the wildcard * to match any subdomain.
+## It must stand at the beginning of the pattern. (example: *.mydomain.com)
+##
+## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct.
+##
+## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'.
+##
+## - 'domain' defines which domain or set of domains the rule applies to.
+##
+## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not
+##    provided. If provided, the parameter represents either a user or a group. It should be of the form
+##    'user:<username>' or 'group:<groupname>'.
+##
+## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'.
+##
+## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter
+##   is optional and matches any resource if not provided.
+##
+## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies.
+access_control:
+  ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
+  ## resource if there is no policy to be applied to the user.
+  default_policy: deny
+
+  networks:
+    - name: internal
+      networks:
+        - 192.168.1.0/24
+        - 192.168.2.0/24
+        - 192.168.10.0/24
+    - name: VPN
+      networks: 192.168.5.0/24
+
+  rules:
+    ## Rules applied to everyone
+    - domain: '*.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}'
+      policy: one_factor
+
+    - domain:
+        # TODO: Drive these from Nomad variables
+        - 'secure.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}'
+      policy: two_factor
+
+session:
+  ## The name of the session cookie.
+  name: authelia_session
+  domain: {{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}
+
+  # Stored in a secrets file
+  # secret: <in file>
+
+  expiration: 1h
+  inactivity: 5m
+  remember_me_duration: 1M
+
+  # TODO: use redis when I figure out authentication and database indexes
+  # redis:
+  #   host:
+  #   port:
+  #
+  #   # username: authelia
+  #   # password: authelia
+  #   database_index: 0
+  #   maximum_active_connections: 8
+  #   minimum_idle_connections: 0
+
+regulation:
+  max_retries: 3
+  find_time: 2m
+  ban_time: 5m
+
+##
+## Storage Provider Configuration
+##
+## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
+storage:
+  # encryption_key: <in file>
+
+  ##
+  ## MySQL / MariaDB (Storage Provider)
+  ##
+  mysql:
+    host: 127.0.0.1
+    port: 3306
+    {{ with nomadVar "nomad/jobs/authelia" }}
+    database: {{ .db_name }}
+    username: {{ .db_user }}
+    # password: <in_file>
+    {{- end }}
+    timeout: 5s
+
+##
+## Notification Provider
+##
+## Notifications are sent to users when they require a password reset, a Webauthn registration or a TOTP registration.
+## The available providers are: filesystem, smtp. You must use only one of these providers.
+notifier:
+  ## You can disable the notifier startup check by setting this to true.
+  disable_startup_check: false
+
+{{ with nomadVar "nomad/jobs" }}
+  smtp:
+    host: {{ .smtp_server }}
+    port: {{ .smtp_port }}
+    username: {{ .smtp_user }}
+    # password: <in file>
+
+{{- end }}
+{{ with nomadVar "nomad/jobs/authelia" }}
+    sender: "{{ .email_sender }}"
+
+    ## Subject configuration of the emails sent. {title} is replaced by the text from the notifier.
+    subject: "[Authelia] {title}"
+
+    ## This address is used during the startup check to verify the email configuration is correct.
+    ## It's not important what it is except if your email server only allows local delivery.
+    startup_check_address: test@iamthefij.com
+{{- end }}
+
+# identity_providers:
+  ##
+  ## OpenID Connect (Identity Provider)
+  ##
+  ## It's recommended you read the documentation before configuration of this section:
+  ## https://www.authelia.com/c/oidc
+  # oidc:
+    ## The hmac_secret is used to sign OAuth2 tokens (authorization code, access tokens and refresh tokens).
+    ## HMAC Secret can also be set using a secret: https://www.authelia.com/c/secrets
+    # hmac_secret: this_is_a_secret_abc123abc123abc
+
+    ## The issuer_private_key is used to sign the JWT forged by OpenID Connect.
+    ## Issuer Private Key can also be set using a secret: https://www.authelia.com/c/secrets
+    # issuer_private_key: |
+    #   --- KEY START
+    #   --- KEY END
+
+    ## The lifespans configure the expiration for these token types.
+    # access_token_lifespan: 1h
+    # authorize_code_lifespan: 1m
+    # id_token_lifespan: 1h
+    # refresh_token_lifespan: 90m
+
+    ## Enables additional debug messages.
+    # enable_client_debug_messages: false
+
+    ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for
+    ## security reasons.
+    # minimum_parameter_entropy: 8
+
+    ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it set to 'never'
+    ## for security reasons.
+    # enforce_pkce: public_clients_only
+
+    ## Cross-Origin Resource Sharing (CORS) settings.
+    # cors:
+      ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
+      # endpoints:
+      #    - authorization
+      #    - token
+      #    - revocation
+      #    - introspection
+      #    - userinfo
+
+      ## List of allowed origins.
+      ## Any origin with https is permitted unless this option is configured or the
+      ## allowed_origins_from_client_redirect_uris option is enabled.
+      # allowed_origins:
+      #   - https://example.com
+
+      ## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins,
+      ## provided they have the scheme http or https and do not have the hostname of localhost.
+      # allowed_origins_from_client_redirect_uris: false
+
+    ## Clients is a list of known clients and their configuration.
+    # clients:
+      # -
+        ## The ID is the OpenID Connect ClientID which is used to link an application to a configuration.
+        # id: myapp
+
+        ## The description to show to users when they end up on the consent screen. Defaults to the ID above.
+        # description: My Application
+
+        ## The client secret is a shared secret between Authelia and the consumer of this client.
+        # secret: this_is_a_secret
+
+        ## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not
+        ## necessary. Read the documentation for more information.
+        ## The subject identifier must be the host component of a URL, which is a domain name with an optional port.
+        # sector_identifier: example.com
+
+        ## Sets the client to public. This should typically not be set, please see the documentation for usage.
+        # public: false
+
+        ## The policy to require for this client; one_factor or two_factor.
+        # authorization_policy: two_factor
+
+        ## By default users cannot remember pre-configured consents. Setting this value to a period of time using a
+        ## duration notation will enable users to remember consent for this client. The time configured is the amount
+        ## of time the pre-configured consent is valid for granting new authorizations to the user.
+        # pre_configured_consent_duration:
+
+        ## Audience this client is allowed to request.
+        # audience: []
+
+        ## Scopes this client is allowed to request.
+        # scopes:
+          # - openid
+          # - groups
+          # - email
+          # - profile
+
+        ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
+        # redirect_uris:
+        # - https://oidc.example.com:8080/oauth2/callback
+
+        ## Grant Types configures which grants this client can obtain.
+        ## It's not recommended to define this unless you know what you're doing.
+        # grant_types:
+          # - refresh_token
+          # - authorization_code
+
+        ## Response Types configures which responses this client can be sent.
+        ## It's not recommended to define this unless you know what you're doing.
+        # response_types:
+          # - code
+
+        ## Response Modes configures which response modes this client supports.
+        # response_modes:
+          # - form_post
+          # - query
+          # - fragment
+
+        ## The algorithm used to sign userinfo endpoint responses for this client, either none or RS256.
+        # userinfo_signing_algorithm: none
--- a/core/lldap.nomad
+++ b/core/lldap.nomad
@ -1,6 +1,7 @@
 job "lldap" {
  datacenters = ["dc1"]
  type = "service"
+  priority = 80

  group "lldap" {

@ -51,6 +52,7 @@ job "lldap" {
      }

      env = {
+        "LLDAP_VERBOSE" = "true"
        "LLDAP_LDAP_PORT" = "${NOMAD_PORT_ldap}"
        "LLDAP_HTTP_PORT" = "${NOMAD_PORT_web}"
      }
--- a/core/main.tf
+++ b/core/main.tf
@ -53,3 +53,83 @@ resource "nomad_job" "ddclient" {
 resource "nomad_job" "lldap" {
  jobspec = file("${path.module}/lldap.nomad")
 }
+
+module "authelia" {
+  source = "../services/service"
+
+  name         = "authelia"
+  priority     = 70
+  image        = "authelia/authelia:latest"
+  args         = ["--config", "$${NOMAD_TASK_DIR}/authelia.yml"]
+  ingress      = true
+  service_port = 9091
+  # metrics_port = 9959
+  env = {
+    AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = "$${NOMAD_SECRETS_DIR}/ldap_password.txt"
+    AUTHELIA_JWT_SECRET_FILE                           = "$${NOMAD_SECRETS_DIR}/jwt_secret.txt"
+    AUTHELIA_SESSION_SECRET_FILE                       = "$${NOMAD_SECRETS_DIR}/session_secret.txt"
+    AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE               = "$${NOMAD_SECRETS_DIR}/storage_encryption_key.txt"
+    AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE               = "$${NOMAD_SECRETS_DIR}/mysql_password.txt"
+    AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE               = "$${NOMAD_SECRETS_DIR}/smtp_password.txt"
+  }
+
+  use_mysql = true
+  use_ldap  = true
+  mysql_bootstrap = {
+    enabled = true
+  }
+
+  service_tags = [
+    # Configure traefik to add this middleware
+    "traefik.http.middlewares.authelia.forwardAuth.address=http://$${NOMAD_IP_main}:$${NOMAD_HOST_PORT_main}/api/verify?rd=https%3A%2F%2Fauthelia.thefij.rocks%2F",
+    "traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true",
+    "traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
+    "traefik.http.middlewares.authelia-basic.forwardAuth.address=http://$${NOMAD_IP_main}:$${NOMAD_HOST_PORT_main}/api/verify?auth=basic",
+    "traefik.http.middlewares.authelia-basic.forwardAuth.trustForwardHeader=true",
+    "traefik.http.middlewares.authelia-basic.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
+  ]
+
+  templates = [
+    {
+      data  = file("${path.module}/authelia.yml")
+      dest  = "authelia.yml"
+      mount = false
+    },
+    {
+      data        = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .lldap_admin_password }}{{ end }}"
+      dest_prefix = "$${NOMAD_SECRETS_DIR}"
+      dest        = "ldap_password.txt"
+      mount       = false
+    },
+    {
+      data        = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .jwt_secret }}{{ end }}"
+      dest_prefix = "$${NOMAD_SECRETS_DIR}"
+      dest        = "jwt_secret.txt"
+      mount       = false
+    },
+    {
+      data        = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .session_secret }}{{ end }}"
+      dest_prefix = "$${NOMAD_SECRETS_DIR}"
+      dest        = "session_secret.txt"
+      mount       = false
+    },
+    {
+      data        = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .storage_encryption_key }}{{ end }}"
+      dest_prefix = "$${NOMAD_SECRETS_DIR}"
+      dest        = "storage_encryption_key.txt"
+      mount       = false
+    },
+    {
+      data        = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .db_pass }}{{ end }}"
+      dest_prefix = "$${NOMAD_SECRETS_DIR}"
+      dest        = "mysql_password.txt"
+      mount       = false
+    },
+    {
+      data        = "{{ with nomadVar \"nomad/jobs\" }}{{ .smtp_password }}{{ end }}"
+      dest_prefix = "$${NOMAD_SECRETS_DIR}"
+      dest        = "smtp_password.txt"
+      mount       = false
+    },
+  ]
+}
--- a/databases/redis.nomad
+++ b/databases/redis.nomad
@ -1,7 +1,7 @@
 job "redis" {
  datacenters = ["dc1"]
  type = "service"
-  priority = 60
+  priority = 80

  group "cache" {
    count = 1
--- a/services/service/main.tf
+++ b/services/service/main.tf
@ -12,8 +12,10 @@ resource "nomad_job" "service" {
    docker_devices     = var.docker_devices

    service_port = var.service_port
+    ports        = var.ports
    sticky_disk  = var.sticky_disk
    resources    = var.resources
+    service_tags = var.service_tags

    ingress             = var.ingress
    ingress_rule        = var.ingress_rule
--- a/services/service/service_template.nomad
+++ b/services/service/service_template.nomad
@ -13,7 +13,14 @@ job "${name}" {
        host_network = "wesher"
        to = ${service_port}
      }
-      %{ endif }
+      %{ endif ~}
+      %{ for port in ports ~}
+      port "${port.name}" {
+        %{ if port.host_network != null }host_network = "${port.host_network}"%{ endif ~}
+        %{ if port.to != null }to = ${port.to}%{ endif ~}
+        %{ if port.static != null }static = ${port.static}%{ endif ~}
+      }
+      %{ endfor }
    }

    %{ for constraint in constraints ~}
@ -62,8 +69,11 @@ job "${name}" {
        %{ endif ~}
        %{ for middleware in ingress_middlewares ~}
        "traefik.http.routers.${name}.middlewares=${middleware}",
-        %{~ endfor }
-        %{~ endif }
+        %{ endfor ~}
+        %{ endif ~}
+        %{ for tag in service_tags ~}
+        "${tag}",
+        %{ endfor ~}
      ]
    }

--- a/services/service/vars.tf
+++ b/services/service/vars.tf
@ -95,6 +95,23 @@ variable "ingress_middlewares" {
  description = "Traefik middlewares that should be used"
 }

+variable "service_tags" {
+  type        = list(string)
+  default     = []
+  description = "Additional tags to be added to the service."
+}
+
+variable "ports" {
+  type = list(object({
+    name         = string
+    host_network = optional(string)
+    to           = optional(number)
+    static       = optional(number)
+  }))
+  default     = []
+  description = "Additional ports (not service_port) to be bound."
+}
+
 variable "templates" {
  type = list(object({
    data            = string
--- a/services/whoami.nomad
+++ b/services/whoami.nomad
@ -28,7 +28,10 @@ job "whoami" {
      tags = [
        "traefik.enable=true",
        "traefik.http.routers.whoami.entryPoints=websecure",
-        "traefik.http.routers.whoami.middlewares=basic-auth@file",
+        # "traefik.http.routers.whoami.middlewares=basic-auth@file",
+        "traefik.http.routers.whoami.middlewares=authelia@nomad",
+        # "traefik.http.routers.whoami.middlewares=authelia-basic@consulcatalog",
+        # "traefik.http.routers.whoami.middlewares=authelia@file",
      ]
    }