From e8c49ad8d68730405d44b0c90a716748c34472f9 Mon Sep 17 00:00:00 2001
From: Ian Fijolek
Date: Tue, 22 Nov 2022 10:04:31 -0800
Subject: [PATCH] WIP: Lots more authelia

It was working before adding the secrets and db
---
 .secrets-baseline | 58 +-----
 core/traefik/traefik.nomad | 15 +-
 services/authelia.nomad | 5 +-
 services/authelia.tf | 11 +-
 services/authelia.yml | 372 +++++--------------------------
 services/whoami.nomad | 4 +-
 6 files changed, 75 insertions(+), 390 deletions(-)

diff --git a/.secrets-baseline b/.secrets-baseline
index 67a2bc6..93cff5d 100644
--- a/.secrets-baseline
+++ b/.secrets-baseline
@@ -221,36 +221,12 @@
 "line_number": 18,
 "is_secret": false
 },
- {
- "type": "Secret Keyword",
- "filename": "services/authelia.yml",
- "hashed_secret": "1d8c6259d656cf71d6f60fe5577be56d8546e324",
- "is_verified": false,
- "line_number": 19,
- "is_secret": false
- },
- {
- "type": "Secret Keyword",
- "filename": "services/authelia.yml",
- "hashed_secret": "07d80ed2f78aa8ce991060b176dfb44232c2b755",
- "is_verified": false,
- "line_number": 186,
- "is_secret": false
- },
 {
 "type": "Secret Keyword",
 "filename": "services/authelia.yml",
 "hashed_secret": "7cb6efb98ba5972a9b5090dc2e517fe14d12cb04",
 "is_verified": false,
- "line_number": 220,
- "is_secret": false
- },
- {
- "type": "Secret Keyword",
- "filename": "services/authelia.yml",
- "hashed_secret": "67826082ce8df739f6a99f14c51b590c54e23647",
- "is_verified": false,
- "line_number": 535,
+ "line_number": 134,
 "is_secret": false
 },
 {
@@ -258,31 +234,7 @@
 "filename": "services/authelia.yml",
 "hashed_secret": "a32b08d97b1615dc27f58b6b17f67624c04e2c4f",
 "is_verified": false,
- "line_number": 569,
- "is_secret": false
- },
- {
- "type": "Secret Keyword",
- "filename": "services/authelia.yml",
- "hashed_secret": "be721ee537c54e5514543649a6781308db765290",
- "is_verified": false,
- "line_number": 603,
- "is_secret": false
- },
- {
- "type": "Secret Keyword",
- "filename": "services/authelia.yml",
- "hashed_secret": "91dfd9ddb4198affc5c194cd8ce6d338fde470e2",
- "is_verified": false,
- "line_number": 667,
- "is_secret": false
- },
- {
- "type": "Secret Keyword",
- "filename": "services/authelia.yml",
- "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
- "is_verified": false,
- "line_number": 730,
+ "line_number": 409,
 "is_secret": false
 },
 {
@@ -290,7 +242,7 @@
 "filename": "services/authelia.yml",
 "hashed_secret": "7e1f5e63ab2c1f926e5fb81cc004dc24af411376",
 "is_verified": false,
- "line_number": 778,
+ "line_number": 502,
 "is_secret": false
 },
 {
@@ -298,10 +250,10 @@
 "filename": "services/authelia.yml",
 "hashed_secret": "0bb90d739912b79b54b811fec298da9f59008a26",
 "is_verified": false,
- "line_number": 833,
+ "line_number": 557,
 "is_secret": false
 }
 ]
 },
- "generated_at": "2022-11-15T19:42:58Z"
+ "generated_at": "2022-11-22T18:04:17Z"
 }
diff --git a/core/traefik/traefik.nomad b/core/traefik/traefik.nomad
index 636c229..573c854 100644
--- a/core/traefik/traefik.nomad
+++ b/core/traefik/traefik.nomad
@@ -133,6 +133,15 @@ job "traefik" {
 [entryPoints.metrics]
 address = ":8989"
 
+ [entryPoints.auth]
+ # TODO: Narrow this from all interfaces to localhost only
+ address = ":8999"
+ # TODO: Narrow this from insecure to possibly localhost only
+ [entryPoints.auth.forwardedHeaders]
+ insecure = true
+ [entryPoints.auth.proxyProtocol]
+ insecure = true
+
 [entryPoints.syslogtcp]
 address = ":514"
 
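Review bot: The new `auth` entrypoint listens on `:8999` on every interface while `forwardedHeaders.insecure = true` and `proxyProtocol.insecure = true`, so any host that can reach that port gets its `X-Forwarded-*` headers and any PROXY protocol header taken at face value, and those headers are what the verify call at `http://localhost:8999/api/verify` in services/authelia.nomad and services/authelia.tf passes on to Authelia as the client identity. The only intended caller is Traefik's own forwardAuth client over loopback, so both TODOs can be closed in this change: `address = "127.0.0.1:8999"`, and `trustedIPs = ["127.0.0.1/32"]` in place of each `insecure = true`. Nothing in the patch sends PROXY protocol to this port, so the `[entryPoints.auth.proxyProtocol]` table can most likely be dropped rather than narrowed. If the task's network namespace makes Traefik's dial to localhost arrive from another address, that address is the one to list.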
@@ -284,12 +293,6 @@ CF_ZONE_API_TOKEN={{ .Data.data.domain_lego_dns }}
 [http.middlewares.basic-auth.basicAuth]
 usersFile = "/etc/traefik/usersfile"
 {{ end }}
-{{ end }}
-{{ range service "authelia-sidecar-proxy" }}
- [http.middlewares.authelia.forwardAuth]
- address = "https://{{ .Address }}:{{ .Port }}/api/verify?rd=https://authelia.thefij.rocks"
- trustForwardHeader = true
- authResponseHeaders = "Remote-User,Remote-Groups,Remote-Name,Remote-Email"
 {{ end }}
 EOH
 destination = "local/config/conf/middlewares.toml"
diff --git a/services/authelia.nomad b/services/authelia.nomad
index 6a6ab4f..bd3fd0f 100644
--- a/services/authelia.nomad
+++ b/services/authelia.nomad
@@ -68,10 +68,11 @@ job "authelia" {
 
 tags = [
 "traefik.enable=true",
- "traefik.http.middlewares.authelia.forwardAuth.address=http://authelia.service.consul/api/verify?rd=https%3A%2F%2Fauthelia.thefij.rocks%2F",
+ "traefik.http.routers.authelia.entryPoints=websecure,auth",
+ "traefik.http.middlewares.authelia.forwardAuth.address=http://localhost:8999/api/verify?rd=https%3A%2F%2Fauthelia.thefij.rocks%2F",
 "traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true",
 "traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
- "traefik.http.middlewares.authelia-basic.forwardAuth.address=http://authelia.service.consul/api/verify?auth=basic",
+ "traefik.http.middlewares.authelia-basic.forwardAuth.address=http://http://localhost:8999/api/verify?auth=basic",
 "traefik.http.middlewares.authelia-basic.forwardAuth.trustForwardHeader=true",
 "traefik.http.middlewares.authelia-basic.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
 ]
diff --git a/services/authelia.tf b/services/authelia.tf
index ab32931..f999310 100644
--- a/services/authelia.tf
+++ b/services/authelia.tf
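Review bot: The `authelia-basic` forwardAuth address on the new side reads `http://http://localhost:8999/api/verify?auth=basic`, a doubled scheme that is not a valid URL, so that middleware cannot reach Authelia until it is corrected to `http://localhost:8999/api/verify?auth=basic`. The same tag list also adds `traefik.http.routers.authelia.entryPoints=websecure,auth`, which puts the whole Authelia router, portal included, on the trusted-header `auth` entrypoint, whereas services/authelia.tf in this patch defines a separate `authelia-internal` router on `auth` limited by a `Path` rule to `/api/verify`. Both files also register middlewares under the same `traefik.http.middlewares.authelia` and `authelia-basic` names with differing addresses, which the Consul catalog provider can treat as a conflict if both services are live, so one of the two definitions should go and the remaining one should use the narrow router. The enclosing `service` stanza starts before this hunk.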
@@ -21,11 +21,12 @@ module "authelia" {
 ]
 
 service_tags = [
- # These doamins should ideally not be routed through traefik as well
- "traefik.http.middlewares.authelia.forwardAuth.address=https://authelia.thefij.rocks/api/verify?rd=https%3A%2F%2Fauthelia.thefij.rocks%2F",
+ "traefik.http.routers.authelia-internal.entryPoints=auth",
+ "traefik.http.routers.authelia-internal.rule=Path(`/api/verify`)",
+ "traefik.http.middlewares.authelia.forwardAuth.address=http://localhost:8999/api/verify?rd=https%3A%2F%2Fauthelia.thefij.rocks%2F",
 "traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true",
 "traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
- "traefik.http.middlewares.authelia-basic.forwardAuth.address=https://authelia.thefij.rocks/api/verify?auth=basic",
+ "traefik.http.middlewares.authelia-basic.forwardAuth.address=http://localhost:8999/api/verify?auth=basic",
 "traefik.http.middlewares.authelia-basic.forwardAuth.trustForwardHeader=true",
 "traefik.http.middlewares.authelia-basic.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
 ]
@@ -34,6 +35,10 @@ module "authelia" {
 use_ldap = true
 use_redis = true
 use_mysql = true
+
+ mysql_bootstrap = {
+ vault_key = "kv/data/authelia"
+ }
 }
 
 # locals {
diff --git a/services/authelia.yml b/services/authelia.yml
index 3a5e65f..1b6c7d9 100644
--- a/services/authelia.yml
+++ b/services/authelia.yml
@@ -16,7 +16,9 @@ theme: auto
 
 ## The secret used to generate JWT tokens when validating user identity by email confirmation. JWT Secret can also be
 ## set using a secret: https://www.authelia.com/c/secrets
-jwt_secret: a_very_important_secret
+{{ with secret "kv/data/authelia" -}}
+jwt_secret: {{ .Data.data.jwt_secret }}
+{{- end }}
 
 ## Default redirection URL
 ##
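Review bot: `jwt_secret: {{ .Data.data.jwt_secret }}` emits the Vault value into YAML unquoted, so a secret containing `#`, `: `, or a leading `*`, `&`, `!`, `[` or `{` changes how the line parses or breaks the file outright; piping it through consul-template's `toJSON` (`jwt_secret: {{ .Data.data.jwt_secret | toJSON }}`) yields a correctly quoted scalar for any value. The same unquoted rendering is used for the duo `secret_key`, `session.secret`, the mysql `password` and the smtp `username`/`password` added later in this file, and the fix is the same for each. Wrapping the key in `{{ with secret ... }}` with no `else` also means a missing `kv/data/authelia` silently drops `jwt_secret` from the rendered file and the cause only surfaces later as an Authelia startup error; an `{{ else }}` branch that renders a visible marker comment would make the rendered config explain itself.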
@@ -25,7 +27,7 @@ jwt_secret: a_very_important_secret
 ## in such a case.
 ##
 ## Note: this parameter is optional. If not provided, user won't be redirected upon successful authentication.
-default_redirection_url: https://home.example.com/
+default_redirection_url: https://authelia.thefij.rocks/
 
 ## Set the default 2FA method for new users and for when a user has a preferred method configured that has been
 ## disabled. This setting must be a method that is enabled.
@@ -36,55 +38,13 @@ default_2fa_method: ""
 ## Server Configuration
 ##
 server:
-
- ## The address to listen on.
 host: 0.0.0.0
-
- ## The port to listen on.
 port: 9091
 
- ## Set the single level path Authelia listens on.
- ## Must be alphanumeric chars and should not contain any slashes.
- path: ""
-
- ## Set the path on disk to Authelia assets.
- ## Useful to allow overriding of specific static assets.
- # asset_path: /config/assets/
-
- ## Buffers usually should be configured to be the same value.
- ## Explanation at https://www.authelia.com/c/server#buffer-sizes
- ## Read buffer size adjusts the server's max incoming request size in bytes.
- ## Write buffer size does the same for outgoing responses.
- read_buffer_size: 4096
- write_buffer_size: 4096
-
- ## Enables the pprof endpoint.
- enable_pprof: false
-
- ## Enables the expvars endpoint.
- enable_expvars: false
-
 ## Disables writing the health check vars to /app/.healthcheck.env which makes healthcheck.sh return exit code 0.
 ## This is disabled by default if either /app/.healthcheck.env or /app/healthcheck.sh do not exist.
 disable_healthcheck: false
 
- ## Authelia by default doesn't accept TLS communication on the server port. This section overrides this behaviour.
- tls:
- ## The path to the DER base64/PEM format private key.
- key: ""
-
- ## The path to the DER base64/PEM format public certificate.
- certificate: ""
-
- ## The list of certificates for client authentication.
- client_certificates: []
-
- ## Server headers configuration/customization.
- headers:
-
- ## The CSP Template. Read the docs.
- csp_template: ""
-
 ##
 ## Log Configuration
 ##
@@ -93,22 +53,12 @@ log:
 level: debug
 
 ## Format the logs are written as: json, text.
- # format: json
-
- ## File path where the logs will be written. If not set logs are written to stdout.
- # file_path: /config/authelia.log
-
- ## Whether to also log to stdout when a log_file_path is defined.
- # keep_stdout: false
+ format: json
 
 ##
 ## Telemetry Configuration
 ##
 telemetry:
-
- ##
- ## Metrics Configuration
- ##
 metrics:
 ## Enable Metrics.
 enabled: true
@@ -125,7 +75,7 @@ totp:
 disable: false
 
 ## The issuer name displayed in the Authenticator application of your choice.
- issuer: authelia.com
+ issuer: {{ keyOrDefault "global/base_hostname" "Example.com" }}
 
 ## The TOTP algorithm to use.
 ## It is CRITICAL you read the documentation before changing this option:
@@ -138,19 +88,6 @@ totp:
 ## https://www.authelia.com/c/totp#digits
 digits: 6
 
- ## The period in seconds a one-time password is valid for.
- ## Changing this option only affects newly generated TOTP configurations.
- period: 30
-
- ## The skew controls number of one-time passwords either side of the current one that are valid.
- ## Warning: before changing skew read the docs link below.
- skew: 1
- ## See: https://www.authelia.com/c/totp#input-validation to read
- ## the documentation.
-
- ## The size of the generated shared secrets. Default is 32 and is sufficient in most use cases, minimum is 20.
- secret_size: 32
-
 ##
 ## WebAuthn Configuration
 ##
@@ -163,11 +100,7 @@ webauthn:
 timeout: 60s
 
 ## The display name the browser should show the user for when using Webauthn to login/register.
- display_name: Authelia
-
- ## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device.
- ## Options are none, indirect, direct.
- attestation_conveyance_preference: indirect
+ display_name: {{ keyOrDefault "global/base_hostname" "Example.com" }}
 
 ## User verification controls if the user must make a gesture or action to confirm they are present.
 ## Options are required, preferred, discouraged.
@@ -178,36 +111,17 @@ webauthn:
 ##
 ## Parameters used to contact the Duo API. Those are generated when you protect an application of type
 ## "Partner Auth API" in the management panel.
+{{ with secret "kv/data/duo" -}}
 duo_api:
 disable: false
- hostname: api-123456789.example.com
- integration_key: ABCDEF
- ## Secret can also be set using a secret: https://www.authelia.com/c/secrets
- secret_key: 1234567890abcdefghifjkl
- enable_self_enrollment: false
-
-##
-## NTP Configuration
-##
-## This is used to validate the servers time is accurate enough to validate TOTP.
-ntp:
- ## NTP server address.
- address: "time.cloudflare.com:123"
-
- ## NTP version.
- version: 4
-
- ## Maximum allowed time offset between the host and the NTP server.
- max_desync: 3s
-
- ## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you
- ## set this to true, and can operate in a truly offline mode.
- disable_startup_check: false
-
- ## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with
- ## the NTP server more than the configured max_desync. If you set this to true, an error will be logged but startup
- ## will continue regardless of results.
- disable_failure: false
+ hostname: {{ .Data.data.hostname }}
+ integration_key: {{ .Data.data.integration_key }}
+ secret_key: {{ .Data.data.secret_key }}
+ # enable_self_enrollment: false
+{{ else }}
+duo_api:
+ disable: true
+{{- end }}
 
 ##
 ## Authentication Backend Provider Configuration
@@ -438,80 +352,14 @@ access_control: rules: ## Rules applied to everyone - - domain: 'public.example.com' - policy: bypass - - ## Domain Regex examples. Generally we recommend just using a standard domain. - # - domain_regex: '^(?P\w+)\.example\.com$' - # policy: one_factor - # - domain_regex: '^(?P\w+)\.example\.com$' - # policy: one_factor - # - domain_regex: - # - '^appgroup-.*\.example\.com$' - # - '^appgroup2-.*\.example\.com$' - # policy: one_factor - # - domain_regex: '^.*\.example\.com$' - # policy: two_factor - - - domain: 'secure.example.com' + - domain: '*.thefij.rocks' policy: one_factor - ## Network based rule, if not provided any network matches. - networks: - - internal - - VPN - - 192.168.1.0/24 - - 10.0.0.1 - domain: - 'secure.example.com' - 'private.example.com' policy: two_factor - - domain: 'singlefactor.example.com' - policy: one_factor - - ## Rules applied to 'admins' group - - domain: 'mx2.mail.example.com' - subject: 'group:admins' - policy: deny - - - domain: '*.example.com' - subject: - - 'group:admins' - - 'group:moderators' - policy: two_factor - - ## Rules applied to 'dev' group - - domain: 'dev.example.com' - resources: - - '^/groups/dev/.*$' - subject: 'group:dev' - policy: two_factor - - ## Rules applied to user 'john' - - domain: 'dev.example.com' - resources: - - '^/users/john/.*$' - subject: 'user:john' - policy: two_factor - - ## Rules applied to user 'harry' - - domain: 'dev.example.com' - resources: - - '^/users/harry/.*$' - subject: 'user:harry' - policy: two_factor - - ## Rules applied to user 'bob' - - domain: '*.mail.example.com' - subject: 'user:bob' - policy: two_factor - - domain: 'dev.example.com' - resources: - - '^/users/bob/.*$' - subject: 'user:bob' - policy: two_factor - ## ## Session Provider Configuration ## 
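Review bot: Under the new `*.thefij.rocks` one_factor rule, the retained `secure.example.com` / `private.example.com` two_factor rule is leftover sample data that can never match this deployment's hosts, yet it reads like a live policy; delete it or replace the domains with the hosts that should actually require two_factor. Authelia applies rules first-match, so the wildcard is also the deciding rule for every subdomain that passes through the forwardAuth middleware, while the apex `thefij.rocks` is not matched by `*.thefij.rocks` and falls back to `default_policy`, which is outside this hunk. The `access_control` block starts before the hunk.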
@@ -520,19 +368,13 @@ access_control:
 session:
 ## The name of the session cookie.
 name: authelia_session
-
- ## The domain to protect.
- ## Note: the authenticator must also be in that domain.
- ## If empty, the cookie is restricted to the subdomain of the issuer.
- domain: example.com
-
- ## Sets the Cookie SameSite value. Possible options are none, lax, or strict.
- ## Please read https://www.authelia.com/c/session#same_site
- same_site: lax
+ domain: {{ keyOrDefault "global/base_hostname" "example.com" }}
 
 ## The secret to encrypt the session data. This is only used with Redis / Redis Sentinel.
 ## Secret can also be set using a secret: https://www.authelia.com/c/secrets
- secret: insecure_session_secret
+ {{ with secret "kv/data/authelia" -}}
+ secret: {{ .Data.data.session_secret }}
+ {{- end }}
 
 ## The value for expiration, inactivity, and remember_me_duration are in seconds or the duration notation format.
 ## See: https://www.authelia.com/c/common#duration-notation-format
@@ -559,8 +401,6 @@ session:
 redis:
 host: {{ env "NOMAD_UPSTREAM_IP_redis" }}
 port: {{ env "NOMAD_UPSTREAM_PORT_redis" }}
- ## Use a unix socket instead
- # host: /var/run/redis/redis.sock
 
 ## Username used for redis authentication. This is optional and a new feature in redis 6.0.
 # username: authelia
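Review bot: `domain: {{ keyOrDefault "global/base_hostname" "example.com" }}` substitutes `example.com` when the Consul key is absent, producing a config that renders and starts fine but scopes the session cookie to the wrong domain, so the failure shows up as a login loop instead of at render time; `domain: {{ key "global/base_hostname" }}` makes a missing key stop the render, which is the better failure mode for this value. The same fallback in the totp `issuer` and webauthn `display_name` hunks is only cosmetic and can stay. The removed `same_site: lax` matches Authelia's documented default, so that part changes nothing. The `session` block continues past this hunk.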
@@ -577,46 +417,6 @@ session:
 ## The target number of idle connections to have open ready for work. Useful when opening connections is slow.
 minimum_idle_connections: 0
 
- ## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s).
- # tls:
- ## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
- # server_name: myredis.example.com
-
- ## Skip verifying the server certificate (to allow a self-signed certificate).
- ## In preference to setting this we strongly recommend you add the public portion of the certificate to the
- ## certificates directory which is defined by the `certificates_directory` option at the top of the config.
- # skip_verify: false
-
- ## Minimum TLS version for the connection.
- # minimum_version: TLS1.2
-
- ## The Redis HA configuration options.
- ## This provides specific options to Redis Sentinel, sentinel_name must be defined (Master Name).
- # high_availability:
- ## Sentinel Name / Master Name.
- # sentinel_name: mysentinel
-
- ## Specific username for Redis Sentinel. The node username and password is configured above.
- # sentinel_username: sentinel_specific_user
-
- ## Specific password for Redis Sentinel. The node username and password is configured above.
- # sentinel_password: sentinel_specific_pass
-
- ## The additional nodes to pre-seed the redis provider with (for sentinel).
- ## If the host in the above section is defined, it will be combined with this list to connect to sentinel.
- ## For high availability to be used you must have either defined; the host above or at least one node below.
- # nodes:
- # - host: sentinel-node1
- # port: 6379
- # - host: sentinel-node2
- # port: 6379
-
- ## Choose the host with the lowest latency.
- # route_by_latency: false
-
- ## Choose the host randomly.
- # route_randomly: false
-
 ##
 ## Regulation Configuration
 ##
@@ -644,46 +444,18 @@ storage:
 ## length of 20. Please see the docs if you configure this with an undesirable key and need to change it.
 encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
 
- ##
- ## Local (Storage Provider)
- ##
- ## This stores the data in a SQLite3 Database.
- ## This is only recommended for lightweight non-stateful installations.
- ##
- ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
- ##
- local:
- path: /config/db.sqlite3
-
 ##
 ## MySQL / MariaDB (Storage Provider)
 ##
- # mysql:
- # host: 127.0.0.1
- # port: 3306
- # database: authelia
- # username: authelia
- # ## Password can also be set using a secret: https://www.authelia.com/c/secrets
- # password: mypassword
- # timeout: 5s
-
- ##
- ## PostgreSQL (Storage Provider)
- ##
- # postgres:
- # host: 127.0.0.1
- # port: 5432
- # database: authelia
- # schema: public
- # username: authelia
- # ## Password can also be set using a secret: https://www.authelia.com/c/secrets
- # password: mypassword
- # timeout: 5s
- # ssl:
- # mode: disable
- # root_certificate: disable
- # certificate: disable
- # key: disable
+ {{ with secret "kv/data/authelia" -}}
+ mysql:
+ host: {{ env "NOMAD_UPSTREAM_IP_mysql-server" }}
+ port: {{ env "NOMAD_UPSTREAM_PORT_mysql-server" }}
+ database: {{ .Data.data.db_name }}
+ username: {{ .Data.data.db_user }}
+ password: {{ .Data.data.db_pass }}
+ timeout: 5s
+ {{- end }}
 
 ##
 ## Notification Provider
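Review bot: `encryption_key` on the context line just above the new mysql block is still the Authelia sample placeholder `you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this`, and this hunk is where the database it protects stops being a throwaway SQLite file and becomes a shared MySQL instance. That key encrypts TOTP secrets and other sensitive rows at rest, so it should come from the same Vault secret as the credentials, e.g. `encryption_key: {{ .Data.data.<key-field> | toJSON }}` inside the `with` block (with `<key-field>` being whatever name it is stored under), and it must be generated once before first use because rows written under one key are unreadable under another. Separately, `{{ env "NOMAD_UPSTREAM_IP_mysql-server" }}` and the matching `PORT` line use the service name verbatim; if Nomad exports upstream variables with hyphens rewritten to underscores, as its Connect examples do, both resolve to empty strings, so confirm the exact variable names the task sees (the existing `NOMAD_UPSTREAM_IP_redis` line never exercises this case). The `storage` block starts before this hunk.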
@@ -694,73 +466,25 @@ notifier:
 ## You can disable the notifier startup check by setting this to true.
 disable_startup_check: false
 
- ##
- ## File System (Notification Provider)
- ##
- ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
- ##
- filesystem:
- filename: /config/notification.txt
+{{ with secret "kv/data/smtp" -}}
+ smtp:
+ host: {{ .Data.data.server }}
+ port: {{ .Data.data.port}}
+ username: {{ .Data.data.user }}
+ password: {{ .Data.data.password }}
 
- ##
- ## SMTP (Notification Provider)
- ##
- ## Use a SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate.
- ## [Security] By default Authelia will:
- ## - force all SMTP connections over TLS including unauthenticated connections
- ## - use the disable_require_tls boolean value to disable this requirement
- ## (only works for unauthenticated connections)
- ## - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates
- ## (configure in tls section)
- # smtp:
- # ## The SMTP host to connect to.
- # host: 127.0.0.1
- #
- # ## The port to connect to the SMTP host on.
- # port: 1025
- #
- # ## The connection timeout.
- # timeout: 5s
- #
- # ## The username used for SMTP authentication.
- # username: test
- #
- # ## The password used for SMTP authentication.
- # ## Can also be set using a secret: https://www.authelia.com/c/secrets
- # password: password
- #
- # ## The sender is used to is used for the MAIL FROM command and the FROM header.
- # ## If this is not defined and the username is an email, we use the username as this value. This can either be just
- # ## an email address or the RFC5322 'Name ' format.
- # sender: "Authelia "
- #
- # ## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost.
- # identifier: localhost
- #
- # ## Subject configuration of the emails sent. {title} is replaced by the text from the notifier.
- # subject: "[Authelia] {title}"
- #
- # ## This address is used during the startup check to verify the email configuration is correct.
- # ## It's not important what it is except if your email server only allows local delivery.
- # startup_check_address: test@authelia.com
- #
- # ## By default we require some form of TLS. This disables this check though is not advised.
- # disable_require_tls: false
- #
- # ## Disables sending HTML formatted emails.
- # disable_html_emails: false
- #
- # tls:
- # ## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
- # # server_name: smtp.example.com
- #
- # ## Skip verifying the server certificate (to allow a self-signed certificate).
- # ## In preference to setting this we strongly recommend you add the public portion of the certificate to the
- # ## certificates directory which is defined by the `certificates_directory` option at the top of the config.
- # skip_verify: false
- #
- # ## Minimum TLS version for either StartTLS or SMTPS.
- # minimum_version: TLS1.2
+ ## The sender is used to is used for the MAIL FROM command and the FROM header.
+ ## If this is not defined and the username is an email, we use the username as this value. This can either be just
+ ## an email address or the RFC5322 'Name ' format.
+ sender: "Authelia "
+
+ ## Subject configuration of the emails sent. {title} is replaced by the text from the notifier.
+ subject: "[Authelia] {title}"
+
+ ## This address is used during the startup check to verify the email configuration is correct.
+ ## It's not important what it is except if your email server only allows local delivery.
+ startup_check_address: test@authelia.com
+{{- end }}
 
 ##
 ## Identity Providers
diff --git a/services/whoami.nomad b/services/whoami.nomad
index 7910f07..e8171ae 100644
--- a/services/whoami.nomad
+++ b/services/whoami.nomad
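Review bot: `{{ with secret "kv/data/smtp" -}}` sits at column 0 and its `-}}` trims every whitespace character that follows, including the two-space indent before `smtp:`, so the rendered `smtp:` key lands at the top level instead of under `notifier:`; with the `filesystem` provider removed in the same hunk, Authelia is left with a `notifier` that has no provider plus an unknown top-level `smtp` key. The mysql and session blocks in this patch indent the `{{ with ... -}}` line itself, which keeps the trimmed output in place, so the fix here is the same: `  {{ with secret "kv/data/smtp" -}}` with a two-space indent (the closing `{{- end }}` trims backwards and is fine as is). `sender` and `startup_check_address: test@authelia.com` still carry the sample values from the commented template, and the startup check hands that address to the configured relay, so at least `sender` should be an address the relay accepts for this domain. The `notifier:` block starts before this hunk.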
@@ -51,9 +51,9 @@ job "whoami" {
 "traefik.enable=true",
 "traefik.http.routers.whoami.entryPoints=websecure",
 # "traefik.http.routers.whoami.middlewares=basic-auth@file",
- # "traefik.http.routers.whoami.middlewares=authelia@consulcatalog",
- "traefik.http.routers.whoami.middlewares=authelia@file",
+ "traefik.http.routers.whoami.middlewares=authelia@consulcatalog",
 # "traefik.http.routers.whoami.middlewares=authelia-basic@consulcatalog",
+ # "traefik.http.routers.whoami.middlewares=authelia@file",
 ]
 }
 