Finesse authelia

2023-02-06 13:56:11 -07:00 · 2023-02-06 13:56:11 -07:00 · 067b0e3cef
parent 335849665d
commit 067b0e3cef
3 changed files with 68 additions and 5 deletions
--- a/homelab/TODO.md
+++ b/homelab/TODO.md
@ -0,0 +1,9 @@
+* Single Sign-On
+  * [x] Replace simpleauth with somebody else's project
+  * [ ] Set up Forgejo OIDC to Authelia (there's a guide on Authelia's site)
+  * [x] Persist "remember me" across reboots
+* LDAP restrictions
+  * [x] People can only r/w their own storage
+  * [x] Public storage
+  * [x] Per-Group storage
+* [ ] Media-Sucker secure setup (bind to 0.0.0.0 opens to internet)
--- a/homelab/authelia.yaml
+++ b/homelab/authelia.yaml
@ -1,5 +1,5 @@
 log:
-  level: trace # error, warn, [info], debug, trace
+  level: info # error, warn, [info], debug, trace
 authentication_backend:
  password_reset:
    disable: true
@ -10,11 +10,53 @@ totp:
 session:
  domain: woozle.org
  same_site: strict
+  redis:
+    host: redis
+    port: 6379
+    database_index: 1
 storage:
  local:
    path: /srv/sys/authelia/db.sqlite3
-access_control:
-  default_policy: one_factor
 notifier:
  filesystem:
    filename: /run/emails.txt
+access_control:
+  default_policy: deny
+  rules:
+    - domain: deergrove.woozle.org
+      policy: one_factor
+
+    - domain: drive.woozle.org
+      policy: bypass
+      methods:
+        - HEAD
+        - GET
+        - PROPFIND
+      resources:
+        - '^/storage/public/'
+
+    - domain: drive.woozle.org
+      policy: one_factor
+      subject:
+        - "group:storage"
+      resources: 
+        - '^/incoming/'
+        - '^/media/'
+        - '^/storage/(README.md)?$'
+        - '^/storage/(?P<User>\w+)/'
+        - '^/storage/(?P<Group>\w+)/'
+        - '^/storage/shared/'
+        - '^/storage/public/'
+
+    - domain: drive.woozle.org
+      policy: one_factor
+      methods:
+        - HEAD
+        - GET
+        - PROPFIND
+      resources: 
+        - '^/(README.md)?$'
+        - '^/incoming/'
+        - '^/media/'
+        - '^/storage/shared/'
+
--- a/homelab/docker-compose.yaml
+++ b/homelab/docker-compose.yaml
@ -60,6 +60,18 @@ services:
        source: /srv/sys/authelia
        target: /srv/sys/authelia

+  redis:
+    image: redis:alpine
+    command:
+      - redis-server
+      - --save
+      - "60"
+      - "1"
+    volumes:
+      - type: bind
+        source: /srv/sys/redis
+        target: /data
+
  plex:
    image: ghcr.io/linuxserver/plex:1.29.2
    networks:
@ -308,7 +320,7 @@ configs:
    name: deergrove.png-v1
  authelia.yaml:
    file: authelia.yaml
-    name: authelia.yaml-v6
+    name: authelia.yaml-v16

 secrets:
  passwd:
@ -337,7 +349,7 @@ secrets:
    name: session.secret-v1
  users.yaml:
    file: secrets/users.yaml
-    name: users.yaml-v2
+    name: users.yaml-v6

 networks:
  hostnet: