WIP: Lots more authelia

It was working before adding the secrets and db
2022-11-22 10:04:31 -08:00 · 2022-11-22 10:04:31 -08:00 · e8c49ad8d6
commit e8c49ad8d6
parent 3aeac1a0f2
6 changed files with 75 additions and 390 deletions
--- a/.secrets-baseline
+++ b/.secrets-baseline
@ -221,36 +221,12 @@
        "line_number": 18,
        "is_secret": false
      },
      {
        "type": "Secret Keyword",
        "filename": "services/authelia.yml",
        "hashed_secret": "1d8c6259d656cf71d6f60fe5577be56d8546e324",
        "is_verified": false,
        "line_number": 19,
        "is_secret": false
      },
      {
        "type": "Secret Keyword",
        "filename": "services/authelia.yml",
        "hashed_secret": "07d80ed2f78aa8ce991060b176dfb44232c2b755",
        "is_verified": false,
        "line_number": 186,
        "is_secret": false
      },
      {
        "type": "Secret Keyword",
        "filename": "services/authelia.yml",
        "hashed_secret": "7cb6efb98ba5972a9b5090dc2e517fe14d12cb04",
        "is_verified": false,
-        "line_number": 220,
+        "line_number": 134,
        "is_secret": false
      },
      {
        "type": "Secret Keyword",
        "filename": "services/authelia.yml",
        "hashed_secret": "67826082ce8df739f6a99f14c51b590c54e23647",
        "is_verified": false,
        "line_number": 535,
        "is_secret": false
      },
      {
@ -258,31 +234,7 @@
        "filename": "services/authelia.yml",
        "hashed_secret": "a32b08d97b1615dc27f58b6b17f67624c04e2c4f",
        "is_verified": false,
-        "line_number": 569,
+        "line_number": 409,
        "is_secret": false
      },
      {
        "type": "Secret Keyword",
        "filename": "services/authelia.yml",
        "hashed_secret": "be721ee537c54e5514543649a6781308db765290",
        "is_verified": false,
        "line_number": 603,
        "is_secret": false
      },
      {
        "type": "Secret Keyword",
        "filename": "services/authelia.yml",
        "hashed_secret": "91dfd9ddb4198affc5c194cd8ce6d338fde470e2",
        "is_verified": false,
        "line_number": 667,
        "is_secret": false
      },
      {
        "type": "Secret Keyword",
        "filename": "services/authelia.yml",
        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
        "is_verified": false,
        "line_number": 730,
        "is_secret": false
      },
      {
@ -290,7 +242,7 @@
        "filename": "services/authelia.yml",
        "hashed_secret": "7e1f5e63ab2c1f926e5fb81cc004dc24af411376",
        "is_verified": false,
-        "line_number": 778,
+        "line_number": 502,
        "is_secret": false
      },
      {
@ -298,10 +250,10 @@
        "filename": "services/authelia.yml",
        "hashed_secret": "0bb90d739912b79b54b811fec298da9f59008a26",
        "is_verified": false,
-        "line_number": 833,
+        "line_number": 557,
        "is_secret": false
      }
    ]
  },
-  "generated_at": "2022-11-15T19:42:58Z"
+  "generated_at": "2022-11-22T18:04:17Z"
 }
--- a/core/traefik/traefik.nomad
+++ b/core/traefik/traefik.nomad
@ -133,6 +133,15 @@ job "traefik" {
  [entryPoints.metrics]
    address = ":8989"
  [entryPoints.auth]
    # TODO: Narrow this from all interfaces to localhost only
    address = ":8999"
    # TODO: Narrow this from insecure to possibly localhost only
    [entryPoints.auth.forwardedHeaders]
      insecure = true
    [entryPoints.auth.proxyProtocol]
      insecure = true
  [entryPoints.syslogtcp]
    address = ":514"
@ -284,12 +293,6 @@ CF_ZONE_API_TOKEN={{ .Data.data.domain_lego_dns }}
  [http.middlewares.basic-auth.basicAuth]
    usersFile = "/etc/traefik/usersfile"
 {{ end }}
 {{ end }}
 {{ range service "authelia-sidecar-proxy" }}
  [http.middlewares.authelia.forwardAuth]
    address = "https://{{ .Address }}:{{ .Port }}/api/verify?rd=https://authelia.thefij.rocks"
    trustForwardHeader = true
    authResponseHeaders = "Remote-User,Remote-Groups,Remote-Name,Remote-Email"
 {{ end }}
        EOH
        destination = "local/config/conf/middlewares.toml"
--- a/services/authelia.nomad
+++ b/services/authelia.nomad
@ -68,10 +68,11 @@ job "authelia" {
      tags = [
        "traefik.enable=true",
-        "traefik.http.middlewares.authelia.forwardAuth.address=http://authelia.service.consul/api/verify?rd=https%3A%2F%2Fauthelia.thefij.rocks%2F",
+        "traefik.http.routers.authelia.entryPoints=websecure,auth",
        "traefik.http.middlewares.authelia.forwardAuth.address=http://localhost:8999/api/verify?rd=https%3A%2F%2Fauthelia.thefij.rocks%2F",
        "traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true",
        "traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
-        "traefik.http.middlewares.authelia-basic.forwardAuth.address=http://authelia.service.consul/api/verify?auth=basic",
+        "traefik.http.middlewares.authelia-basic.forwardAuth.address=http://http://localhost:8999/api/verify?auth=basic",
        "traefik.http.middlewares.authelia-basic.forwardAuth.trustForwardHeader=true",
        "traefik.http.middlewares.authelia-basic.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
      ]
--- a/services/authelia.tf
+++ b/services/authelia.tf
@ -21,11 +21,12 @@ module "authelia" {
  ]
  service_tags = [
-    # These doamins should ideally not be routed through traefik as well
+    "traefik.http.routers.authelia-internal.entryPoints=auth",
-    "traefik.http.middlewares.authelia.forwardAuth.address=https://authelia.thefij.rocks/api/verify?rd=https%3A%2F%2Fauthelia.thefij.rocks%2F",
+    "traefik.http.routers.authelia-internal.rule=Path(`/api/verify`)",
    "traefik.http.middlewares.authelia.forwardAuth.address=http://localhost:8999/api/verify?rd=https%3A%2F%2Fauthelia.thefij.rocks%2F",
    "traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true",
    "traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
-    "traefik.http.middlewares.authelia-basic.forwardAuth.address=https://authelia.thefij.rocks/api/verify?auth=basic",
+    "traefik.http.middlewares.authelia-basic.forwardAuth.address=http://localhost:8999/api/verify?auth=basic",
    "traefik.http.middlewares.authelia-basic.forwardAuth.trustForwardHeader=true",
    "traefik.http.middlewares.authelia-basic.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
  ]
@ -34,6 +35,10 @@ module "authelia" {
  use_ldap  = true
  use_redis = true
  use_mysql = true
  mysql_bootstrap = {
    vault_key = "kv/data/authelia"
  }
 }
 # locals {
--- a/services/authelia.yml
+++ b/services/authelia.yml
@ -16,7 +16,9 @@ theme: auto
 ## The secret used to generate JWT tokens when validating user identity by email confirmation. JWT Secret can also be
 ## set using a secret: https://www.authelia.com/c/secrets
-jwt_secret: a_very_important_secret
+{{ with secret "kv/data/authelia" -}}
 jwt_secret: {{ .Data.data.jwt_secret }}
 {{- end }}
 ## Default redirection URL
 ##
@ -25,7 +27,7 @@ jwt_secret: a_very_important_secret
 ## in such a case.
 ##
 ## Note: this parameter is optional. If not provided, user won't be redirected upon successful authentication.
-default_redirection_url: https://home.example.com/
+default_redirection_url: https://authelia.thefij.rocks/
 ## Set the default 2FA method for new users and for when a user has a preferred method configured that has been
 ## disabled. This setting must be a method that is enabled.
@ -36,55 +38,13 @@ default_2fa_method: ""
 ## Server Configuration
 ##
 server:
  ## The address to listen on.
  host: 0.0.0.0
  ## The port to listen on.
  port: 9091
  ## Set the single level path Authelia listens on.
  ## Must be alphanumeric chars and should not contain any slashes.
  path: ""
  ## Set the path on disk to Authelia assets.
  ## Useful to allow overriding of specific static assets.
  # asset_path: /config/assets/
  ## Buffers usually should be configured to be the same value.
  ## Explanation at https://www.authelia.com/c/server#buffer-sizes
  ## Read buffer size adjusts the server's max incoming request size in bytes.
  ## Write buffer size does the same for outgoing responses.
  read_buffer_size: 4096
  write_buffer_size: 4096
  ## Enables the pprof endpoint.
  enable_pprof: false
  ## Enables the expvars endpoint.
  enable_expvars: false
  ## Disables writing the health check vars to /app/.healthcheck.env which makes healthcheck.sh return exit code 0.
  ## This is disabled by default if either /app/.healthcheck.env or /app/healthcheck.sh do not exist.
  disable_healthcheck: false
  ## Authelia by default doesn't accept TLS communication on the server port. This section overrides this behaviour.
  tls:
    ## The path to the DER base64/PEM format private key.
    key: ""
    ## The path to the DER base64/PEM format public certificate.
    certificate: ""
    ## The list of certificates for client authentication.
    client_certificates: []
  ## Server headers configuration/customization.
  headers:
    ## The CSP Template. Read the docs.
    csp_template: ""
 ##
 ## Log Configuration
 ##
@ -93,22 +53,12 @@ log:
  level: debug
  ## Format the logs are written as: json, text.
-  # format: json
+  format: json
  ## File path where the logs will be written. If not set logs are written to stdout.
  # file_path: /config/authelia.log
  ## Whether to also log to stdout when a log_file_path is defined.
  # keep_stdout: false
 ##
 ## Telemetry Configuration
 ##
 telemetry:
  ##
  ## Metrics Configuration
  ##
  metrics:
    ## Enable Metrics.
    enabled: true
@ -125,7 +75,7 @@ totp:
  disable: false
  ## The issuer name displayed in the Authenticator application of your choice.
-  issuer: authelia.com
+  issuer: {{ keyOrDefault "global/base_hostname" "Example.com" }}
  ## The TOTP algorithm to use.
  ## It is CRITICAL you read the documentation before changing this option:
@ -138,19 +88,6 @@ totp:
  ## https://www.authelia.com/c/totp#digits
  digits: 6
  ## The period in seconds a one-time password is valid for.
  ## Changing this option only affects newly generated TOTP configurations.
  period: 30
  ## The skew controls number of one-time passwords either side of the current one that are valid.
  ## Warning: before changing skew read the docs link below.
  skew: 1
  ## See: https://www.authelia.com/c/totp#input-validation to read
  ## the documentation.
  ## The size of the generated shared secrets. Default is 32 and is sufficient in most use cases, minimum is 20.
  secret_size: 32
 ##
 ## WebAuthn Configuration
 ##
@ -163,11 +100,7 @@ webauthn:
  timeout: 60s
  ## The display name the browser should show the user for when using Webauthn to login/register.
-  display_name: Authelia
+  display_name: {{ keyOrDefault "global/base_hostname" "Example.com" }}
  ## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device.
  ## Options are none, indirect, direct.
  attestation_conveyance_preference: indirect
  ## User verification controls if the user must make a gesture or action to confirm they are present.
  ## Options are required, preferred, discouraged.
@ -178,36 +111,17 @@ webauthn:
 ##
 ## Parameters used to contact the Duo API. Those are generated when you protect an application of type
 ## "Partner Auth API" in the management panel.
 {{ with secret "kv/data/duo" -}}
 duo_api:
  disable: false
-  hostname: api-123456789.example.com
+  hostname: {{ .Data.data.hostname }}
-  integration_key: ABCDEF
+  integration_key: {{ .Data.data.integration_key }}
-  ## Secret can also be set using a secret: https://www.authelia.com/c/secrets
+  secret_key: {{ .Data.data.secret_key }}
-  secret_key: 1234567890abcdefghifjkl
+  # enable_self_enrollment: false
-  enable_self_enrollment: false
+{{ else }}
-
+duo_api:
-##
+  disable: true
-## NTP Configuration
+{{- end }}
 ##
 ## This is used to validate the servers time is accurate enough to validate TOTP.
 ntp:
  ## NTP server address.
  address: "time.cloudflare.com:123"
  ## NTP version.
  version: 4
  ## Maximum allowed time offset between the host and the NTP server.
  max_desync: 3s
  ## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you
  ## set this to true, and can operate in a truly offline mode.
  disable_startup_check: false
  ## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with
  ## the NTP server more than the configured max_desync. If you set this to true, an error will be logged but startup
  ## will continue regardless of results.
  disable_failure: false
 ##
 ## Authentication Backend Provider Configuration
@ -438,80 +352,14 @@ access_control:
  rules:
    ## Rules applied to everyone
-    - domain: 'public.example.com'
+    - domain: '*.thefij.rocks'
      policy: bypass
    ## Domain Regex examples. Generally we recommend just using a standard domain.
    # - domain_regex: '^(?P<User>\w+)\.example\.com$'
    #   policy: one_factor
    # - domain_regex: '^(?P<Group>\w+)\.example\.com$'
    #   policy: one_factor
    # - domain_regex:
    #    - '^appgroup-.*\.example\.com$'
    #    - '^appgroup2-.*\.example\.com$'
    #   policy: one_factor
    # - domain_regex: '^.*\.example\.com$'
    #   policy: two_factor
    - domain: 'secure.example.com'
      policy: one_factor
      ## Network based rule, if not provided any network matches.
      networks:
        - internal
        - VPN
        - 192.168.1.0/24
        - 10.0.0.1
    - domain:
        - 'secure.example.com'
        - 'private.example.com'
      policy: two_factor
    - domain: 'singlefactor.example.com'
      policy: one_factor
    ## Rules applied to 'admins' group
    - domain: 'mx2.mail.example.com'
      subject: 'group:admins'
      policy: deny
    - domain: '*.example.com'
      subject:
        - 'group:admins'
        - 'group:moderators'
      policy: two_factor
    ## Rules applied to 'dev' group
    - domain: 'dev.example.com'
      resources:
        - '^/groups/dev/.*$'
      subject: 'group:dev'
      policy: two_factor
    ## Rules applied to user 'john'
    - domain: 'dev.example.com'
      resources:
        - '^/users/john/.*$'
      subject: 'user:john'
      policy: two_factor
    ## Rules applied to user 'harry'
    - domain: 'dev.example.com'
      resources:
        - '^/users/harry/.*$'
      subject: 'user:harry'
      policy: two_factor
    ## Rules applied to user 'bob'
    - domain: '*.mail.example.com'
      subject: 'user:bob'
      policy: two_factor
    - domain: 'dev.example.com'
      resources:
        - '^/users/bob/.*$'
      subject: 'user:bob'
      policy: two_factor
 ##
 ## Session Provider Configuration
 ##
@ -520,19 +368,13 @@ access_control:
 session:
  ## The name of the session cookie.
  name: authelia_session
-
+  domain: {{ keyOrDefault "global/base_hostname" "example.com" }}
  ## The domain to protect.
  ## Note: the authenticator must also be in that domain.
  ## If empty, the cookie is restricted to the subdomain of the issuer.
  domain: example.com
  ## Sets the Cookie SameSite value. Possible options are none, lax, or strict.
  ## Please read https://www.authelia.com/c/session#same_site
  same_site: lax
  ## The secret to encrypt the session data. This is only used with Redis / Redis Sentinel.
  ## Secret can also be set using a secret: https://www.authelia.com/c/secrets
-  secret: insecure_session_secret
+  {{ with secret "kv/data/authelia" -}}
  secret: {{ .Data.data.session_secret }}
  {{- end }}
  ## The value for expiration, inactivity, and remember_me_duration are in seconds or the duration notation format.
  ## See: https://www.authelia.com/c/common#duration-notation-format
@ -559,8 +401,6 @@ session:
  redis:
    host: {{ env "NOMAD_UPSTREAM_IP_redis" }}
    port: {{ env "NOMAD_UPSTREAM_PORT_redis" }}
    ## Use a unix socket instead
    # host: /var/run/redis/redis.sock
    ## Username used for redis authentication. This is optional and a new feature in redis 6.0.
    # username: authelia
@ -577,46 +417,6 @@ session:
    ## The target number of idle connections to have open ready for work. Useful when opening connections is slow.
    minimum_idle_connections: 0
    ## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s).
    # tls:
      ## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
      # server_name: myredis.example.com
      ## Skip verifying the server certificate (to allow a self-signed certificate).
      ## In preference to setting this we strongly recommend you add the public portion of the certificate to the
      ## certificates directory which is defined by the `certificates_directory` option at the top of the config.
      # skip_verify: false
      ## Minimum TLS version for the connection.
      # minimum_version: TLS1.2
    ## The Redis HA configuration options.
    ## This provides specific options to Redis Sentinel, sentinel_name must be defined (Master Name).
    # high_availability:
      ## Sentinel Name / Master Name.
      # sentinel_name: mysentinel
      ## Specific username for Redis Sentinel. The node username and password is configured above.
      # sentinel_username: sentinel_specific_user
      ## Specific password for Redis Sentinel. The node username and password is configured above.
      # sentinel_password: sentinel_specific_pass
      ## The additional nodes to pre-seed the redis provider with (for sentinel).
      ## If the host in the above section is defined, it will be combined with this list to connect to sentinel.
      ## For high availability to be used you must have either defined; the host above or at least one node below.
      # nodes:
      #   - host: sentinel-node1
      #     port: 6379
      #   - host: sentinel-node2
      #     port: 6379
      ## Choose the host with the lowest latency.
      # route_by_latency: false
      ## Choose the host randomly.
      # route_randomly: false
 ##
 ## Regulation Configuration
 ##
@ -644,46 +444,18 @@ storage:
  ## length of 20. Please see the docs if you configure this with an undesirable key and need to change it.
  encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
  ##
  ## Local (Storage Provider)
  ##
  ## This stores the data in a SQLite3 Database.
  ## This is only recommended for lightweight non-stateful installations.
  ##
  ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
  ##
  local:
    path: /config/db.sqlite3
  ##
  ## MySQL / MariaDB (Storage Provider)
  ##
-  # mysql:
+  {{ with secret "kv/data/authelia" -}}
-  #   host: 127.0.0.1
+  mysql:
-  #   port: 3306
+    host: {{ env "NOMAD_UPSTREAM_IP_mysql-server" }}
-  #   database: authelia
+    port: {{ env "NOMAD_UPSTREAM_PORT_mysql-server" }}
-  #   username: authelia
+    database: {{ .Data.data.db_name }}
-  #   ## Password can also be set using a secret: https://www.authelia.com/c/secrets
+    username: {{ .Data.data.db_user }}
-  #   password: mypassword
+    password: {{ .Data.data.db_pass }}
-  #   timeout: 5s
+    timeout: 5s
-
+  {{- end }}
  ##
  ## PostgreSQL (Storage Provider)
  ##
  # postgres:
  #   host: 127.0.0.1
  #   port: 5432
  #   database: authelia
  #   schema: public
  #   username: authelia
  #   ## Password can also be set using a secret: https://www.authelia.com/c/secrets
  #   password: mypassword
  #   timeout: 5s
  #   ssl:
  #     mode: disable
  #     root_certificate: disable
  #     certificate: disable
  #     key: disable
 ##
 ## Notification Provider
@ -694,73 +466,25 @@ notifier:
  ## You can disable the notifier startup check by setting this to true.
  disable_startup_check: false
-  ##
+{{ with secret "kv/data/smtp" -}}
-  ## File System (Notification Provider)
+  smtp:
-  ##
+    host: {{ .Data.data.server }}
-  ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
+    port: {{ .Data.data.port}}
-  ##
+    username: {{ .Data.data.user }}
-  filesystem:
+    password: {{ .Data.data.password }}
    filename: /config/notification.txt
-  ##
+    ## The sender is used to is used for the MAIL FROM command and the FROM header.
-  ## SMTP (Notification Provider)
+    ## If this is not defined and the username is an email, we use the username as this value. This can either be just
-  ##
+    ## an email address or the RFC5322 'Name <email address>' format.
-  ## Use a SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate.
+    sender: "Authelia <admin@thefij.rocks>"
-  ## [Security] By default Authelia will:
+
-  ##   - force all SMTP connections over TLS including unauthenticated connections
+    ## Subject configuration of the emails sent. {title} is replaced by the text from the notifier.
-  ##      - use the disable_require_tls boolean value to disable this requirement
+    subject: "[Authelia] {title}"
-  ##        (only works for unauthenticated connections)
+
-  ##   - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates
+    ## This address is used during the startup check to verify the email configuration is correct.
-  ##     (configure in tls section)
+    ## It's not important what it is except if your email server only allows local delivery.
-  # smtp:
+    startup_check_address: test@authelia.com
-  #   ## The SMTP host to connect to.
+{{- end }}
  #   host: 127.0.0.1
  #
  #   ## The port to connect to the SMTP host on.
  #   port: 1025
  #
  #   ## The connection timeout.
  #   timeout: 5s
  #
  #   ## The username used for SMTP authentication.
  #   username: test
  #
  #   ## The password used for SMTP authentication.
  #   ## Can also be set using a secret: https://www.authelia.com/c/secrets
  #   password: password
  #
  #   ## The sender is used to is used for the MAIL FROM command and the FROM header.
  #   ## If this is not defined and the username is an email, we use the username as this value. This can either be just
  #   ## an email address or the RFC5322 'Name <email address>' format.
  #   sender: "Authelia <admin@example.com>"
  #
  #   ## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost.
  #   identifier: localhost
  #
  #   ## Subject configuration of the emails sent. {title} is replaced by the text from the notifier.
  #   subject: "[Authelia] {title}"
  #
  #   ## This address is used during the startup check to verify the email configuration is correct.
  #   ## It's not important what it is except if your email server only allows local delivery.
  #   startup_check_address: test@authelia.com
  #
  #   ## By default we require some form of TLS. This disables this check though is not advised.
  #   disable_require_tls: false
  #
  #   ## Disables sending HTML formatted emails.
  #   disable_html_emails: false
  #
  #   tls:
  #     ## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
  #     # server_name: smtp.example.com
  #
  #     ## Skip verifying the server certificate (to allow a self-signed certificate).
  #     ## In preference to setting this we strongly recommend you add the public portion of the certificate to the
  #     ## certificates directory which is defined by the `certificates_directory` option at the top of the config.
  #     skip_verify: false
  #
  #     ## Minimum TLS version for either StartTLS or SMTPS.
  #     minimum_version: TLS1.2
 ##
 ## Identity Providers
--- a/services/whoami.nomad
+++ b/services/whoami.nomad
@ -51,9 +51,9 @@ job "whoami" {
        "traefik.enable=true",
        "traefik.http.routers.whoami.entryPoints=websecure",
        # "traefik.http.routers.whoami.middlewares=basic-auth@file",
-        # "traefik.http.routers.whoami.middlewares=authelia@consulcatalog",
+        "traefik.http.routers.whoami.middlewares=authelia@consulcatalog",
        "traefik.http.routers.whoami.middlewares=authelia@file",
        # "traefik.http.routers.whoami.middlewares=authelia-basic@consulcatalog",
        # "traefik.http.routers.whoami.middlewares=authelia@file",
      ]
    }