# Authelia SSO portal, deployed through the shared service module.
#
# Every secret is delivered as a file under NOMAD_SECRETS_DIR and referenced via
# Authelia's *_FILE environment variables, so no secret value is placed in the
# job's env block itself. The values are read at render time from Nomad
# variables (`nomad/jobs/authelia`, and `nomad/jobs` for the SMTP password).
#
# `$${...}` is the HCL escape for a literal `${...}`: the string reaches Nomad
# untouched and Nomad performs the NOMAD_* interpolation at run time.
module "authelia" {
  source         = "../services/service"
  name           = "authelia"
  instance_count = 2
  priority       = 70
  # NOTE(review): a minor-version tag is mutable. For an auth boundary service,
  # consider pinning by digest (image@sha256:...) so the deployed binary cannot
  # change underneath the job without a reviewed diff here.
  image               = "authelia/authelia:4.37"
  args                = ["--config", "$${NOMAD_TASK_DIR}/authelia.yml"]
  ingress             = true
  service_port        = 9999
  service_port_static = true
  # metrics_port = 9959

  env = {
    AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE        = "$${NOMAD_SECRETS_DIR}/ldap_password.txt"
    AUTHELIA_JWT_SECRET_FILE                                  = "$${NOMAD_SECRETS_DIR}/jwt_secret.txt"
    AUTHELIA_SESSION_SECRET_FILE                              = "$${NOMAD_SECRETS_DIR}/session_secret.txt"
    AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE                      = "$${NOMAD_SECRETS_DIR}/storage_encryption_key.txt"
    AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE                      = "$${NOMAD_SECRETS_DIR}/mysql_password.txt"
    AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE                      = "$${NOMAD_SECRETS_DIR}/smtp_password.txt"
    AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE         = "$${NOMAD_SECRETS_DIR}/oidc_hmac_secret.txt"
    AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE  = "$${NOMAD_SECRETS_DIR}/oidc_issuer_private_key.txt"
    # The certificate chain file is still rendered by the templates list below,
    # but with this line commented out Authelia is not told about it.
    # AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE = "$${NOMAD_SECRETS_DIR}/oidc_issuer_certificate_chain.txt"
  }

  use_mysql = true
  use_ldap  = true
  use_redis = true

  mysql_bootstrap = {
    enabled = true
  }

  # Traefik forwardAuth middlewares, registered via service tags.
  #
  # Security notes:
  # - `trustForwardHeader=true` makes Traefik pass the X-Forwarded-* headers it
  #   holds on to Authelia, which uses them to decide which host/URI is being
  #   accessed. This is only safe if Traefik itself sets those headers rather
  #   than accepting them from arbitrary clients.
  #   NOTE(review): confirm the Traefik entrypoint's forwardedHeaders is not set
  #   to `insecure` and only trusts known upstream proxy IPs, if any.
  # - `authResponseHeaders` lists the identity headers (Remote-User, ...) that
  #   Traefik copies from Authelia's verify response onto the upstream request.
  #   Backends behind these middlewares trust those headers as the caller's
  #   identity, so they must only be reachable through Traefik with the
  #   middleware applied; a backend reachable directly would accept a
  #   client-supplied Remote-User.
  # - The `authelia-basic` variant calls the same verify endpoint with
  #   `auth=basic` and no `rd` redirect parameter.
  service_tags = [
    # Configure traefik to add this middleware
    "traefik.http.middlewares.authelia.forwardAuth.address=http://authelia.nomad:$${NOMAD_PORT_main}/api/verify?rd=https%3A%2F%2Fauthelia.thefij.rocks%2F",
    "traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true",
    "traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
    "traefik.http.middlewares.authelia-basic.forwardAuth.address=http://authelia.nomad:$${NOMAD_PORT_main}/api/verify?auth=basic",
    "traefik.http.middlewares.authelia-basic.forwardAuth.trustForwardHeader=true",
    "traefik.http.middlewares.authelia-basic.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email",
  ]

  # Rendered files. The first is the static Authelia config from this module
  # directory; the rest are one-secret-per-file templates written into
  # NOMAD_SECRETS_DIR (matching the *_FILE paths in `env` above).
  templates = [
    {
      data  = file("${path.module}/authelia.yml")
      dest  = "authelia.yml"
      mount = false
    },
    {
      data        = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .lldap_admin_password }}{{ end }}"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"
      dest        = "ldap_password.txt"
      mount       = false
    },
    {
      data        = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .jwt_secret }}{{ end }}"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"
      dest        = "jwt_secret.txt"
      mount       = false
    },
    {
      data        = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .session_secret }}{{ end }}"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"
      dest        = "session_secret.txt"
      mount       = false
    },
    {
      data        = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .storage_encryption_key }}{{ end }}"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"
      dest        = "storage_encryption_key.txt"
      mount       = false
    },
    {
      data        = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .db_pass }}{{ end }}"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"
      dest        = "mysql_password.txt"
      mount       = false
    },
    {
      data        = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_hmac_secret }}{{ end }}"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"
      dest        = "oidc_hmac_secret.txt"
      mount       = false
    },
    {
      data        = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_issuer_private_key }}{{ end }}"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"
      dest        = "oidc_issuer_private_key.txt"
      mount       = false
    },
    {
      data        = "{{ with nomadVar \"nomad/jobs/authelia\" }}{{ .oidc_issuer_certificate_chain }}{{ end }}"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"
      dest        = "oidc_issuer_certificate_chain.txt"
      mount       = false
    },
    {
      # Shared across jobs: read from `nomad/jobs`, not `nomad/jobs/authelia`.
      data        = "{{ with nomadVar \"nomad/jobs\" }}{{ .smtp_password }}{{ end }}"
      dest_prefix = "$${NOMAD_SECRETS_DIR}"
      dest        = "smtp_password.txt"
      mount       = false
    },
  ]
}

# Nomad OIDC login against the Authelia portal above. `default = true` makes
# this the auth method used when none is named explicitly; tokens are global
# and capped at one hour.
resource "nomad_acl_auth_method" "nomad_authelia" {
  name           = "authelia"
  type           = "OIDC"
  token_locality = "global"
  max_token_ttl  = "1h0m0s"
  default        = true

  config {
    oidc_discovery_url = "https://authelia.thefij.rocks"
    oidc_client_id     = "nomad"
    # The client secret is read from a YAML file in the Ansible vars directory
    # at plan time. Two consequences worth knowing:
    # - the value is stored in Terraform state in plaintext, so state must be
    #   access-restricted / encrypted at rest;
    # - NOTE(review): presumably that vars file is vault-encrypted or kept out
    #   of version control — verify, since `file()` needs it in cleartext on
    #   the machine running Terraform.
    oidc_client_secret = yamldecode(file("${path.module}/../ansible_playbooks/vars/nomad_vars.yml"))["nomad/oidc"]["secret"]
    # Only accept ID tokens issued for the `nomad` client.
    bound_audiences = ["nomad"]
    oidc_scopes = [
      "groups",
      "openid",
    ]
    allowed_redirect_uris = [
      "https://nomad.thefij.rocks/oidc/callback",
      "https://nomad.thefij.rocks/ui/settings/tokens",
    ]
    # Expose the `groups` claim as `list.roles` for the binding-rule selectors.
    list_claim_mappings = {
      "groups" : "roles"
    }
  }
}

# NOTE(review): this rule and `nomad_authelia_deploy` below use the identical
# selector (`"nomad-deploy" in list.roles`), so every member of the
# nomad-deploy group is bound to the `admin` role, and the separate `deploy`
# binding never grants anything the user does not already have. If admin is
# meant to be a narrower set of users, this selector should match a distinct
# admin group; if not, the deploy rule is redundant. Confirm which is intended.
# Both descriptions also read "engineering rule", which does not distinguish
# them in `nomad acl binding-rule list`.
resource "nomad_acl_binding_rule" "nomad_authelia_admin" {
  description = "engineering rule"
  auth_method = nomad_acl_auth_method.nomad_authelia.name
  selector    = "\"nomad-deploy\" in list.roles"
  bind_type   = "role"
  bind_name   = "admin" # acls.nomad_acl_role.admin.name
}

# Binds nomad-deploy group members to the `deploy` role (see the note on the
# admin rule above about the overlapping selector).
resource "nomad_acl_binding_rule" "nomad_authelia_deploy" {
  description = "engineering rule"
  auth_method = nomad_acl_auth_method.nomad_authelia.name
  selector    = "\"nomad-deploy\" in list.roles"
  bind_type   = "role"
  bind_name   = "deploy" # acls.nomad_acl_role.deploy.name
}