feat!: Add Authelia for authentication and Redis for session storage
Some checks failed
/ validate-docker-compose (push) Has been cancelled
Some checks failed
/ validate-docker-compose (push) Has been cancelled
- Introduced Redis service for session management with health checks. - Added Authelia service for user authentication with necessary environment variables. - Configured Traefik to use Authelia as middleware for various services. - Created Authelia configuration file with session, storage, and access control settings. - Added user database for Authelia with an example admin user.
This commit is contained in:
83
authelia/configuration.yml
Normal file
83
authelia/configuration.yml
Normal file
@@ -0,0 +1,83 @@
|
||||
# Authelia Configuration File
|
||||
# Documentation: https://www.authelia.com/configuration/
|
||||
|
||||
# Default configuration options affecting multiple sections.
|
||||
default_redirection_url: ${AUTHELIA_DEFAULT_REDIRECT_URL}
|
||||
|
||||
# Server settings (listening address, paths, etc.)
|
||||
server:
|
||||
host: 0.0.0.0
|
||||
port: 9091
|
||||
|
||||
# Logging configuration
|
||||
log:
|
||||
level: info
|
||||
format: text # or json
|
||||
|
||||
# Session configuration
|
||||
session:
|
||||
name: authelia_session
|
||||
secret: ${AUTHELIA_SESSION_SECRET}
|
||||
expiration: 1h # Adjust as needed
|
||||
inactivity: 5m # Adjust as needed
|
||||
domain: ${AUTHELIA_SESSION_DOMAIN} # Set from .env
|
||||
redis:
|
||||
host: redis
|
||||
port: 6379
|
||||
password: ${AUTHELIA_REDIS_PASSWORD}
|
||||
database_index: 0
|
||||
|
||||
# Regulation (brute force protection)
|
||||
regulation:
|
||||
max_retries: 3
|
||||
find_time: 2m
|
||||
ban_time: 5m
|
||||
|
||||
# Storage (for user preferences, etc. - encrypted using storage key)
|
||||
storage:
|
||||
encryption_key: ${AUTHELIA_STORAGE_ENCRYPTION_KEY}
|
||||
local:
|
||||
path: /config/db.sqlite3 # Example using SQLite for simple storage needs
|
||||
|
||||
# Authentication backend (using file-based user database)
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users_database.yml
|
||||
password:
|
||||
algorithm: argon2id # Recommended hashing algorithm
|
||||
iterations: 1
|
||||
memory: 1024 # MiB
|
||||
parallelism: 8
|
||||
salt_length: 16
|
||||
key_length: 32
|
||||
|
||||
# Access control rules
|
||||
access_control:
|
||||
default_policy: deny # Deny access by default
|
||||
rules:
|
||||
# Rule to allow authenticated users access to the domain
|
||||
- domain: ${AUTHELIA_SESSION_DOMAIN}
|
||||
policy: one_factor # Requires username/password
|
||||
|
||||
# Notifier (Optional, for password resets, etc. - configure if needed)
|
||||
# notifier:
|
||||
# smtp:
|
||||
# address: smtp.example.com:587
|
||||
# username: user@example.com
|
||||
# password: password
|
||||
# sender: Authelia <authelia@example.com>
|
||||
# subject: "[Authelia] {title}"
|
||||
# startup_check_address: test@authelia.com
|
||||
|
||||
# JWT configuration (used for forwardAuth)
|
||||
jwt_secret: ${AUTHELIA_JWT_SECRET}
|
||||
|
||||
# Identity Providers (None configured for this setup)
|
||||
identity_providers:
|
||||
oidc: null # Explicitly disable OIDC
|
||||
|
||||
# Enable registration (requires manual approval by editing users_database.yml)
|
||||
# Set 'enable: true' to allow users to register.
|
||||
# They will be added to users_database.yml commented out or with disabled: true.
|
||||
# registration:
|
||||
# enable: false # Set to true to enable registration form
|
||||
39
authelia/users_database.yml
Normal file
39
authelia/users_database.yml
Normal file
@@ -0,0 +1,39 @@
|
||||
# Authelia User Database
|
||||
# Documentation: https://www.authelia.com/configuration/security/authentication/file/
|
||||
|
||||
# To add users:
|
||||
# 1. Generate a password hash:
|
||||
# docker run authelia/authelia:latest authelia hash-password 'your_strong_password'
|
||||
# 2. Add the user entry below.
|
||||
#
|
||||
# To approve registered users (if registration is enabled in configuration.yml):
|
||||
# 1. New users will appear here, possibly commented out or with 'disabled: true'.
|
||||
# 2. Uncomment the user or set 'disabled: false' to grant access.
|
||||
|
||||
users:
|
||||
# First user is typically considered the admin in access rules
|
||||
admin:
|
||||
displayname: "Admin User"
|
||||
# Replace this hash with one generated for your desired password!
|
||||
password: "$argon2id$v=19$m=102400,t=1,p=8$PBf/L9l3s7LwN6jX/B3tVg$9+q3kL8VAbpWj9Gv9Z6uA5bA4zT1fB2fH3aD5c6b7e8" # Example hash for 'password'
|
||||
email: admin@example.com
|
||||
groups:
|
||||
- admins
|
||||
- users
|
||||
|
||||
# Example of a regular user
|
||||
# user1:
|
||||
# displayname: "Regular User"
|
||||
# password: "..." # Generate hash
|
||||
# email: user1@example.com
|
||||
# groups:
|
||||
# - users
|
||||
|
||||
# Example of a registered user waiting for approval (if registration enabled)
|
||||
# newuser:
|
||||
# disabled: true
|
||||
# displayname: "New User"
|
||||
# password: "..." # Hash generated during registration
|
||||
# email: newuser@example.com
|
||||
# groups:
|
||||
# - users
|
||||
Reference in New Issue
Block a user