From 11ba9fba9a783aba28212bb0b6deb50975d10031 Mon Sep 17 00:00:00 2001
From: Gabriel Carneiro
Date: Thu, 27 Feb 2025 08:48:32 -0300
Subject: [PATCH] initial commit
---
 .env.example | 24 +++++++++++++
 config/configuration.yml | 73 ++++++++++++++++++++++++++++++++++++++++
 docker-compose.yml | 35 +++++++++++++++++++
 3 files changed, 132 insertions(+)
 create mode 100644 .env.example
 create mode 100644 config/configuration.yml
 create mode 100644 docker-compose.yml
diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..b3e5c40
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,24 @@
+AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDRESS='ldaps://ldap.example.edu.br'
+AUTHELIA_AUTHENTICATION_BACKEND_LDAP_IMPLEMENTATION='custom'
+AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TIMEOUT='5s'
+AUTHELIA_AUTHENTICATION_BACKEND_LDAP_START_TLS=false
+AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TLS_MINIMUM_VERSION='TLS1.2'
+# AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TLS_MAXIMUM_VERSION=''
+AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TLS_SKIP_VERIFY=false
+AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TLS_SERVER_NAME='ldap.example.edu.br'
+AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN='DC=ldap,DC=example'
+AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_USERS_DN='OU=users'
+AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERS_FILTER='(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=posixAccount))'
+AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_GROUPS_DN='OU=groups'
+AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUPS_FILTER='(&(member=CN={input},OU=users,DC=ldap,DC=example)(objectClass=groupOfEntries))'
+# AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUP_SEARCH_MODE=''
+AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_DISTINGUISHED_NAME='dn'
+AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_USERNAME='cn'
+AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_DISPLAY_NAME=''
+AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_MAIL='mail'
+AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_MEMBER_OF='memberOf'
+AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_GROUP_NAME='cn'
+# AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PERMIT_REFERRALS=''
+# AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PERMIT_UNAUTHENTICATED_BIND=''
+# AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PERMIT_FEATURE_DETECTION_FAILURE=''
+AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER='cn=binduser,DC=ldap,DC=example'
diff --git a/config/configuration.yml b/config/configuration.yml
new file mode 100644
index 0000000..5c30c22
--- /dev/null
+++ b/config/configuration.yml
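Review bot: The groups filter builds the member DN from the raw login string, `member=CN={input},OU=users,DC=ldap,DC=example`, so group resolution depends on what the user typed rather than on the entry the users filter actually matched; because that filter also accepts `{mail_attribute}={input}`, a login by e-mail address yields no groups at all, and the filter silently breaks if users ever live outside `OU=users`. Authelia documents a `{dn}` placeholder for the groups filter that is substituted with the DN returned by the user search, which fixes both problems: `AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUPS_FILTER='(&(member={dn})(objectClass=groupOfEntries))'`. The rest of the TLS settings (`ldaps://`, `TLS_SKIP_VERIFY=false`, explicit `TLS_SERVER_NAME`) look right and are worth keeping as-is in the example.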
@@ -0,0 +1,73 @@
+---
+###############################################################
+# Authelia configuration #
+###############################################################
+
+server:
+ address: 'tcp://:9091'
+
+theme: "dark"
+
+log:
+ level: 'debug'
+
+totp:
+ issuer: 'authelia.com'
+
+access_control:
+ default_policy: 'deny'
+ rules:
+ # Rules applied to everyone
+ # - domain: '*.alice.ufsj.edu.br'
+ # policy: 'one_factor'
+ - domain: 'ldap.alice.ufsj.edu.br'
+ policy: 'bypass'
+ - domain: 'authelia.alice.ufsj.edu.br'
+ policy: 'bypass'
+ - domain: 'traefik.alice.ufsj.edu.br'
+ policy: 'one_factor'
+ - domain: 'docker.alice.ufsj.edu.br'
+ policy: 'one_factor'
+ - domain: 'dash.alice.ufsj.edu.br'
+ policy: 'one_factor'
+ # - domain: 'secure.example.com'
+ # policy: 'two_factor'
+
+session:
+ # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
+ # secret: 'insecure_session_secret'
+
+ cookies:
+ - name: 'authelia_session'
+ domain: 'alice.ufsj.edu.br' # Should match whatever your root protected domain is
+ authelia_url: 'https://authelia.alice.ufsj.edu.br'
+ expiration: '1 hour'
+ inactivity: '5 minutes'
+
+ # redis:
+ # host: 'redis'
+ # port: 6379
+ # This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
+ # password: authelia
+
+regulation:
+ max_retries: 3
+ find_time: '2 minutes'
+ ban_time: '5 minutes'
+
+storage:
+# encryption_key: 'you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this'
+ local:
+ path: '/config/db.sqlite3'
+notifier:
+ disable_startup_check: true
+ template_path: ''
+ # filesystem: {}
+ # smtp: {}
+# filesystem:
+ smtp:
+ username: 'test'
+ # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
+ # password: 'password'
+ address: 'smtp://mail.alice.ufsj.edu.br:25'
+ sender: 'admin@alice.ufsj.edu.br'
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..25015db
--- /dev/null
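Review bot: The `ldap.alice.ufsj.edu.br` rule is `bypass`, which lets every request to that host through without any Authelia check, while the Traefik and Docker hosts sit at `one_factor`; the hunk does not show what those hosts serve, but if they are the LDAP admin UI and the Traefik/Docker dashboards (as the names suggest) they are high-privilege management surfaces that warrant `policy: 'two_factor'`, and any bypass should be narrowed with a `resources:` list to the paths that genuinely need anonymous access. `log.level: 'debug'` is a production risk on an auth gateway, since debug output carries request detail that does not belong in persistent logs; `'info'` is the usual deployed value. `notifier.disable_startup_check: true` combined with `username: 'test'` and a commented-out password hides a mis-configured mailer, so password-reset and 2FA-enrolment mails would fail silently — re-enable the check once real SMTP credentials are supplied, and note that `smtp://...:25` is plaintext unless the server offers STARTTLS. `totp.issuer: 'authelia.com'` is the upstream placeholder and should be the site's own domain so authenticator apps label the entry correctly.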
+++ b/docker-compose.yml
@@ -0,0 +1,35 @@
+services:
+ authelia:
+ container_name: 'authelia'
+ image: 'docker.io/authelia/authelia:latest'
+ restart: 'unless-stopped'
+ secrets: ['JWT_SECRET', 'SESSION_SECRET', 'STORAGE_ENCRYPTION_KEY']
+ environment:
+ AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: '/run/secrets/JWT_SECRET'
+ AUTHELIA_SESSION_SECRET_FILE: '/run/secrets/SESSION_SECRET'
+ AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE_ENCRYPTION_KEY'
+ AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE: '/run/secrets/LDAP_BINDDN_PASSWORD'
+ volumes:
+ - ./config:/config
+ networks:
+ traefik-public:
+ aliases: []
+ labels:
+ traefik.enable: 'true'
+ traefik.http.routers.authelia.rule: 'Host(`authelia.alice.ufsj.edu.br`)'
+ traefik.http.routers.authelia.entrypoints: 'websecure'
+ traefik.http.routers.authelia.middlewares: 'authelia@docker'
+
+networks:
+ traefik-public:
+ external: true
+
+secrets:
+ JWT_SECRET:
+ file: './secrets/JWT_SECRET'
+ SESSION_SECRET:
+ file: './secrets/SESSION_SECRET'
+ STORAGE_ENCRYPTION_KEY:
+ file: './secrets/STORAGE_ENCRYPTION_KEY'
+ LDAP_BINDDN_PASSWORD:
+ file: './secrets/LDAP_BINDDN_PASSWORD'
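Review bot: The service's `secrets:` list omits `LDAP_BINDDN_PASSWORD`, yet `AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE` points at `/run/secrets/LDAP_BINDDN_PASSWORD` and the top-level `secrets:` block defines it; Compose only mounts secrets named on the service, so that file will not exist in the container and Authelia cannot bind to LDAP: `secrets: ['JWT_SECRET', 'SESSION_SECRET', 'STORAGE_ENCRYPTION_KEY', 'LDAP_BINDDN_PASSWORD']`. The LDAP settings in `.env.example` also never reach the container as written, because Compose reads `.env` only to interpolate the compose file itself, not as container environment — an `env_file: '.env'` entry on the service (or moving those keys into `configuration.yml`) is needed unless they are injected some other way. `image: 'docker.io/authelia/authelia:latest'` leaves the identity gateway on a floating tag, so upgrades happen on any restart; pin a release tag (ideally with an `@sha256:` digest) so changes to the auth layer are deliberate. The `authelia@docker` middleware the router references is not defined in this file and presumably lives in another provider's labels; a comment saying where would save the next operator a hunt.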