From 067b0e3cefd09378b7db4adb742923accaf84bf4 Mon Sep 17 00:00:00 2001
From: Neale Pickett
Date: Mon, 6 Feb 2023 13:56:11 -0700
Subject: [PATCH] Finesse authelia

---
 homelab/TODO.md | 9 +++++++
 homelab/authelia.yaml | 48 ++++++++++++++++++++++++++++++++++---
 homelab/docker-compose.yaml | 16 +++++++++++--
 3 files changed, 68 insertions(+), 5 deletions(-)
 create mode 100644 homelab/TODO.md

diff --git a/homelab/TODO.md b/homelab/TODO.md
new file mode 100644
index 0000000..ad37edc
--- /dev/null
+++ b/homelab/TODO.md
@@ -0,0 +1,9 @@
+* Single Sign-On
+ * [x] Replace simpleauth with somebody else's project
+ * [ ] Set up Forgejo OIDC to Authelia (there's a guide on Authelia's site)
+ * [x] Persist "remember me" across reboots
+* LDAP restrictions
+ * [x] People can only r/w their own storage
+ * [x] Public storage
+ * [x] Per-Group storage
+* [ ] Media-Sucker secure setup (bind to 0.0.0.0 opens to internet)
diff --git a/homelab/authelia.yaml b/homelab/authelia.yaml
index 5cd0d65..86c39d8 100644
--- a/homelab/authelia.yaml
+++ b/homelab/authelia.yaml
@@ -1,5 +1,5 @@
 log:
- level: trace # error, warn, [info], debug, trace
+ level: info # error, warn, [info], debug, trace
 authentication_backend:
 password_reset:
 disable: true
@@ -10,11 +10,53 @@ totp:
 session:
 domain: woozle.org
 same_site: strict
+ redis:
+ host: redis
+ port: 6379
+ database_index: 1
 storage:
 local:
 path: /srv/sys/authelia/db.sqlite3
-access_control:
- default_policy: one_factor
 notifier:
 filesystem:
 filename: /run/emails.txt
+access_control:
+ default_policy: deny
+ rules:
+ - domain: deergrove.woozle.org
+ policy: one_factor
+
+ - domain: drive.woozle.org
+ policy: bypass
+ methods:
+ - HEAD
+ - GET
+ - PROPFIND
+ resources:
+ - '^/storage/public/'
+
+ - domain: drive.woozle.org
+ policy: one_factor
+ subject:
+ - "group:storage"
+ resources:
+ - '^/incoming/'
+ - '^/media/'
+ - '^/storage/(README.md)?$'
+ - '^/storage/(?P\w+)/'
+ - '^/storage/(?P\w+)/'
+ - '^/storage/shared/'
+ - '^/storage/public/'
+
+ - domain: drive.woozle.org
+ policy: one_factor
+ methods:
+ - HEAD
+ - GET
+ - PROPFIND
+ resources:
+ - '^/(README.md)?$'
+ - '^/incoming/'
+ - '^/media/'
+ - '^/storage/shared/'
+
diff --git a/homelab/docker-compose.yaml b/homelab/docker-compose.yaml
index 5f0b452..530e02b 100644
--- a/homelab/docker-compose.yaml
+++ b/homelab/docker-compose.yaml
@@ -60,6 +60,18 @@ services:
 source: /srv/sys/authelia
 target: /srv/sys/authelia
 
+ redis:
+ image: redis:alpine
+ command:
+ - redis-server
+ - --save
+ - "60"
+ - "1"
+ volumes:
+ - type: bind
+ source: /srv/sys/redis
+ target: /data
+
 plex:
 image: ghcr.io/linuxserver/plex:1.29.2
 networks:
@@ -308,7 +320,7 @@ configs:
 name: deergrove.png-v1
 authelia.yaml:
 file: authelia.yaml
- name: authelia.yaml-v6
+ name: authelia.yaml-v16
 
 secrets:
 passwd:
@@ -337,7 +349,7 @@ secrets:
 name: session.secret-v1
 users.yaml:
 file: secrets/users.yaml
- name: users.yaml-v2
+ name: users.yaml-v6
 
 networks:
 hostnet:
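Review bot: The new `session.redis` block (`host: redis`, `port: 6379`, `database_index: 1`) points the session store at a Redis instance with no credential, and the `redis` service added in the docker-compose.yaml hunk starts `redis-server` without `--requirepass`, so any container that can resolve that hostname can read and rewrite Authelia's session state; adding `password:` under `session.redis` (a secret rather than an inline value) and passing the same value to `redis-server --requirepass` closes this, and the same point applies to the compose hunk. Separately, the third `drive.woozle.org` rule lists `'^/storage/(?P\w+)/'` twice, and as rendered here the named-group header is incomplete (`(?P` with no `<name>`), which suggests the `<User>`/`<Group>` placeholders were stripped by the page; the committed file should be checked, since an invalid pattern should be rejected at configuration validation and an exact duplicate is dead. Moving to `default_policy: deny` with a `bypass` limited to HEAD/GET/PROPFIND on `^/storage/public/` is a sound tightening and fits the TODO items this commit ticks off.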
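Review bot: The added `redis` service uses the floating tag `redis:alpine` while the neighbouring `plex` service pins `ghcr.io/linuxserver/plex:1.29.2`; a floating tag lets the session store's version change on every pull, so pin it, e.g. `image: redis:<pinned-version>-alpine`. The service also declares no `networks:` entry although `plex` does and the file ends with a `networks:` section; if the `authelia` service (its definition begins above the hunk) is attached only to named networks, a `redis` left on the default network is not reachable under the hostname `redis` that authelia.yaml now uses, and if it is on a shared network every other service on it can reach the store — an explicit `networks:` list naming only the network Authelia uses is the safer choice either way. Persistence via `--save 60 1` into `/srv/sys/redis` is what makes remember-me survive reboots, but it also places session state on the host filesystem, so that bind-mounted directory should stay owned by the redis user and not be world-readable.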