Finesse authelia

This commit is contained in:
Neale Pickett 2023-02-06 13:56:11 -07:00
parent 335849665d
commit 067b0e3cef
3 changed files with 68 additions and 5 deletions

9
homelab/TODO.md Normal file
View File

@ -0,0 +1,9 @@
* Single Sign-On
* [x] Replace simpleauth with somebody else's project
* [ ] Set up Forgejo OIDC to Authelia (there's a guide on Authelia's site)
* [x] Persist "remember me" across reboots
* LDAP restrictions
* [x] People can only r/w their own storage
* [x] Public storage
* [x] Per-Group storage
* [ ] Media-Sucker secure setup (bind to 0.0.0.0 opens to internet)

View File

@ -1,5 +1,5 @@
log: log:
level: trace # error, warn, [info], debug, trace level: info # error, warn, [info], debug, trace
authentication_backend: authentication_backend:
password_reset: password_reset:
disable: true disable: true
@ -10,11 +10,53 @@ totp:
session: session:
domain: woozle.org domain: woozle.org
same_site: strict same_site: strict
redis:
host: redis
port: 6379
database_index: 1
storage: storage:
local: local:
path: /srv/sys/authelia/db.sqlite3 path: /srv/sys/authelia/db.sqlite3
access_control:
default_policy: one_factor
notifier: notifier:
filesystem: filesystem:
filename: /run/emails.txt filename: /run/emails.txt
access_control:
default_policy: deny
rules:
- domain: deergrove.woozle.org
policy: one_factor
- domain: drive.woozle.org
policy: bypass
methods:
- HEAD
- GET
- PROPFIND
resources:
- '^/storage/public/'
- domain: drive.woozle.org
policy: one_factor
subject:
- "group:storage"
resources:
- '^/incoming/'
- '^/media/'
- '^/storage/(README.md)?$'
- '^/storage/(?P<User>\w+)/'
- '^/storage/(?P<Group>\w+)/'
- '^/storage/shared/'
- '^/storage/public/'
- domain: drive.woozle.org
policy: one_factor
methods:
- HEAD
- GET
- PROPFIND
resources:
- '^/(README.md)?$'
- '^/incoming/'
- '^/media/'
- '^/storage/shared/'

View File

@ -60,6 +60,18 @@ services:
source: /srv/sys/authelia source: /srv/sys/authelia
target: /srv/sys/authelia target: /srv/sys/authelia
redis:
image: redis:alpine
command:
- redis-server
- --save
- "60"
- "1"
volumes:
- type: bind
source: /srv/sys/redis
target: /data
plex: plex:
image: ghcr.io/linuxserver/plex:1.29.2 image: ghcr.io/linuxserver/plex:1.29.2
networks: networks:
@ -308,7 +320,7 @@ configs:
name: deergrove.png-v1 name: deergrove.png-v1
authelia.yaml: authelia.yaml:
file: authelia.yaml file: authelia.yaml
name: authelia.yaml-v6 name: authelia.yaml-v16
secrets: secrets:
passwd: passwd:
@ -337,7 +349,7 @@ secrets:
name: session.secret-v1 name: session.secret-v1
users.yaml: users.yaml:
file: secrets/users.yaml file: secrets/users.yaml
name: users.yaml-v2 name: users.yaml-v6
networks: networks:
hostnet: hostnet: