2 Commits
b29abbd069
...
98c3877081
Author | SHA1 | Date | |
---|---|---|---|
98c3877081 | |||
884a71ed23 |
@ -8,6 +8,9 @@ concise area of concern.
|
||||
|
||||
## Roles
|
||||
|
||||
- [`roles/authelia`](roles/authelia/README.md): Deploys an [authelia.com](https://www.authelia.com)
|
||||
instance, an authentication provider with beta OIDC provider support.
|
||||
|
||||
- [`roles/gitea`](roles/gitea/README.md): Deploy [gitea.io](https://gitea.io), a
|
||||
lightweight, self-hosted git service.
|
||||
|
||||
|
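--- a/roles/authelia/README.md
+++ b/roles/authelia/README.md
@@ -0,0 +1,74 @@
+# `finallycoffee.services.authelia` ansible role
+
+Deploys [authelia](https://www.authelia.com), an open-source full-featured
+authentication server with OIDC beta support.
+
+## Configuration
+
+Most configurations options are exposed to be overrideable by setting
+`authelia_config_{flat_config_key}`, which means `totp.digits: 8`
+would become `authelia_config_totp_digits: 8`.
+
+If configuration is not exposed in [`defaults/main.yml`](defaults/main.yml),
+it can be overridden in `authelia_extra_config`, which is merged recursively
+to the default config. Entire blocks can currently not be easily overridden,
+it's best to rely on the `authelia_extra_config` here.
+
+Below are some configuration hints towards enabling 2nd factor
+providers like TOTP, WebAuthN etc.
+
+### TOTP
+
+See [the authelia docs on TOTP](https://www.authelia.com/docs/configuration/one-time-password.html#algorithm)
+before adjusting some of the fine-grained configuration, as many
+TOTP clients do not properly support all by-spec supported values.
+
+```yaml
+authelia_config_totp_disable: false
+authelia_config_totp_issuer: "your.authelia.domain"
+# Best to stick to authelias guide here
+authelia_config_totp_algorithm: [...]
+authelia_config_totp_digits: [...]
+authelia_config_totp_period: [...]
+```
+
+### WebAuthN
+
+```yaml
+authelia_config_webauthn_disable: false
+authelia_config_webauthn_timeout: 30s
+# Force user to touch the security key's confirmation button
+authelia_config_webauthn_user_verification: required
+```
+
+For more information about possible WebAuthN configuration, see
+[the authelia docs on WebAuthN](https://www.authelia.com/docs/configuration/webauthn.html).
+
+### Database & Redis
+
+While Authelia can use a sqlite DB with in memory store by setting
+`authelia_sqlite_storage_file_path`, it is recommended to use a proper
+database and a redis instance:
+```yaml
+authelia_database_type: postgres
+authelia_database_host: /var/run/postgres/
+authelia_database_user: authelia
+authelia_database_pass: authelia
+
+# Redis
+authelia_redis_host: /var/run/redis/
+authelia_redis_pass: very_long_static_secret
+
+```
+
+### Notifications
+
+For a test setup, notifications can be written into a config file, this behaviour
+is enabled by setting `authelia_config_notifier_filesystem_filename`. For real-world
+use, an SMTP server is strongly recommended, its config is as follows:
+```
+authelia_smtp_host: mail.domain.com
+authelia_smtp_port: 587 # for StartTLS
+authelia_smtp_user: authelia@domain.com
+authelia_smtp_pass: authelia_user_pass
+```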
@ -15,9 +15,11 @@ authelia_user_storage_file: "{{ authelia_data_dir }}/user_database.yml"
|
||||
authelia_container_name: authelia
|
||||
authelia_container_image_name: docker.io/authelia/authelia
|
||||
authelia_container_image_tag: ~
|
||||
authelia_container_image_ref: "{{ authelia_container_image_name }}:{{ authelia_container_image_tag | default('v' + authelia_version) }}"
|
||||
authelia_container_image_ref: "{{ authelia_container_image_name }}:{{ authelia_container_image_tag | default(authelia_version, true) }}"
|
||||
authelia_container_image_force_pull: "{{ authelia_container_image_tag | default(false, True) }}"
|
||||
authelia_container_env: {}
|
||||
authelia_container_env:
|
||||
PUID: "{{ authelia_run_user }}"
|
||||
PGID: "{{ authelia_run_group }}"
|
||||
authelia_container_labels: >-2
|
||||
{{ authelia_container_base_labels | combine(authelia_container_extra_labels) }}
|
||||
authelia_container_extra_labels: {}
|
||||
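Review bot: The new `authelia_container_image_force_pull: "{{ authelia_container_image_tag | default(false, True) }}"` yields the tag string, not a boolean, whenever a tag is set, because `default(false, True)` only substitutes when the tag is empty; a module option that expects a boolean will receive the tag text instead of `true`. A form that always renders a boolean is `authelia_container_image_force_pull: "{{ (authelia_container_image_tag | default('', true)) | length > 0 }}"`. The intent also deserves a comment above the key, e.g. `# re-pull only when an explicit tag is set; a ref derived from authelia_version is left untouched`. The image ref line dropped the `'v' +` prefix in the same hunk, so the registry's tag naming should be confirmed against the pinned `authelia_version`, which this hunk does not show.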
@ -78,22 +80,14 @@ authelia_config_authentication_backend_disable_reset_password: false
|
||||
authelia_config_authentication_backend_refresh_interval: 5m
|
||||
authelia_config_authentication_backend_password_reset_custom_url: ~
|
||||
authelia_config_authentication_backend_ldap_implementation: custom
|
||||
authelia_config_authentication_backend_ldap_url: ldap://127.0.0.1
|
||||
authelia_config_authentication_backend_ldap_url: ldap://127.0.0.1:389
|
||||
authelia_config_authentication_backend_ldap_timeout: 5s
|
||||
authelia_config_authentication_backend_ldap_start_tls: false
|
||||
authelia_config_authentication_backend_ldap_tls_skip_verify: false
|
||||
authelia_config_authentication_backend_ldap_minimum_version: "{{ authelia_tls_minimum_version }}"
|
||||
authelia_config_authentication_backend_ldap_base_dn: ~
|
||||
authelia_config_authentication_backend_ldap_additional_users_dn: "ou=users"
|
||||
authelia_config_authentication_backend_ldap_users_filter: >-2
|
||||
(&
|
||||
(|
|
||||
({username_attribute}={input})
|
||||
({mail_attribute}={input})
|
||||
)
|
||||
(objectClass=inetOrgPerson)
|
||||
(enabled=TRUE)
|
||||
)
|
||||
authelia_config_authentication_backend_ldap_users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=inetOrgPerson))"
|
||||
authelia_config_authentication_backend_ldap_additional_groups_dn: "ou=groups"
|
||||
authelia_config_authentication_backend_ldap_groups_filter: "(member={dn})"
|
||||
authelia_config_authentication_backend_ldap_group_name_attribute: cn
|
||||
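Review bot: The new single-line `authelia_config_authentication_backend_ldap_users_filter` drops the `(enabled=TRUE)` clause that the removed block scalar carried, so with the default filter any `inetOrgPerson` matching the username or mail attribute can authenticate, including accounts a directory marks disabled through that attribute. If the clause was removed because `enabled` is not part of the standard schema, a comment above the key should say so and steer operators to add their own status clause, e.g. `# no account-status clause by default; append one matching your directory schema (e.g. (enabled=TRUE))`. Separately, the defaults in this hunk still pair the cleartext `ldap://127.0.0.1:389` URL with `ldap_start_tls: false`, which is reasonable for loopback but worth a comment for operators who point it at a remote host.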
@ -153,8 +147,8 @@ authelia_config_notifier_disable_startup_check: false
|
||||
authelia_config_notifier_filesystem_filename: ~
|
||||
authelia_config_notifier_smtp_host: "{{ authelia_smtp_host }}"
|
||||
authelia_config_notifier_smtp_port: "{{ authelia_stmp_port }}"
|
||||
authelia_config_notifier_smtp_user: "{{ authelia_stmp_user }}"
|
||||
authelia_config_notifier_smtp_pass: "{{ authelia_stmp_pass }}"
|
||||
authelia_config_notifier_smtp_username: "{{ authelia_smtp_user }}"
|
||||
authelia_config_notifier_smtp_password: "{{ authelia_smtp_pass }}"
|
||||
authelia_config_notifier_smtp_timeout: 5s
|
||||
authelia_config_notifier_smtp_sender: "Authelia on {{ authelia_domain }} <admin@{{ authelia_domain }}>"
|
||||
authelia_config_notifier_smtp_identifier: "{{ authelia_domain }}"
|
||||
|
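Review bot: `authelia_config_notifier_smtp_port: "{{ authelia_stmp_port }}"` keeps the `stmp` misspelling that this hunk corrects for the username and password lines; by the hunk counts (8 old, 8 new, two lines each way) it is an unchanged context line, so the port default the README documents as `authelia_smtp_port` is never read. Change it to `authelia_config_notifier_smtp_port: "{{ authelia_smtp_port }}"`.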
@ -40,7 +40,7 @@
|
||||
mode: "0640"
|
||||
access_time: preserve
|
||||
modification_time: preserve
|
||||
when: "{{ authelia_config_storage_local_path | default(false, true) }}"
|
||||
when: authelia_config_storage_local_path | default(false, true)
|
||||
|
||||
- name: Ensure user database exists before mounting it
|
||||
file:
|
||||
@ -51,7 +51,7 @@
|
||||
mode: "0640"
|
||||
access_time: preserve
|
||||
modification_time: preserve
|
||||
when: "{{ authelia_config_authentication_backend_file_path | default(false, true) }}"
|
||||
when: authelia_config_authentication_backend_file_path | default(false, true)
|
||||
|
||||
- name: Ensure notification reports file exists before mounting it
|
||||
file:
|
||||
@ -62,10 +62,10 @@
|
||||
mode: "0640"
|
||||
access_time: preserve
|
||||
modification_time: preserve
|
||||
when: "{{ authelia_config_notifier_filesystem_filename | default(false, true) }}"
|
||||
when: authelia_config_notifier_filesystem_filename | default(false, true)
|
||||
|
||||
- name: Ensure authelia container image is present
|
||||
docker_image:
|
||||
community.docker.docker_image:
|
||||
name: "{{ authelia_container_image_ref }}"
|
||||
state: present
|
||||
source: pull
|
||||
@ -82,7 +82,7 @@
|
||||
labels: "{{ authelia_container_labels }}"
|
||||
volumes: "{{ authelia_container_volumes }}"
|
||||
networks: "{{ authelia_container_networks | default(omit, true) }}"
|
||||
purge_networks: "{{ authelia_container_purge_networks }}"
|
||||
purge_networks: "{{ authelia_container_purge_networks | default(omit, true)}}"
|
||||
restart_policy: "{{ authelia_container_restart_policy }}"
|
||||
state: "{{ authelia_container_state }}"
|
||||
register: authelia_container_info
|
||||
|
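Review bot: `purge_networks: "{{ authelia_container_purge_networks | default(omit, true)}}"` is missing the space before the closing `}}` that every other templated value in this task carries; `purge_networks: "{{ authelia_container_purge_networks | default(omit, true) }}"`. Recent `community.docker` releases have deprecated `purge_networks` on `docker_container` in favour of the `comparisons` option with `networks: strict`, so this is worth checking against the collection version the role targets, which is not visible here. The enclosing task starts before this hunk.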
@ -5,8 +5,8 @@ authelia_run_group: "{{ (authelia_user_info.group) if authelia_user_info is defi
|
||||
|
||||
authelia_container_base_volumes: >-2
|
||||
{{ [ authelia_config_file + ":/config/configuration.yml:ro"]
|
||||
+ ([ authelia_sqlite_storage_file + ":" + authelia_config_storage_local_path + ":z" ])
|
||||
if authelia_config_storage_local_path | default(false, true) else []
|
||||
+ ([ authelia_sqlite_storage_file + ":" + authelia_config_storage_local_path + ":z" ]
|
||||
if authelia_config_storage_local_path | default(false, true) else [])
|
||||
+ ([ authelia_notification_storage_file + ":" + authelia_config_notifier_filesystem_filename + ":z" ]
|
||||
if authelia_config_notifier_filesystem_filename | default(false, true) else [])
|
||||
+ ( [authelia_user_storage_file + ":" + authelia_config_authentication_backend_file_path + ":z"]
|
||||
@ -16,7 +16,7 @@ authelia_container_base_volumes: >-2
|
||||
authelia_container_base_labels:
|
||||
version: "{{ authelia_version }}"
|
||||
|
||||
authelia_config: "{{ authelia_base_config | combine(authelia_extra_config) }}"
|
||||
authelia_config: "{{ authelia_base_config | combine(authelia_extra_config, recursive=True) }}"
|
||||
authelia_top_level_config:
|
||||
theme: "{{ authelia_config_theme }}"
|
||||
jwt_secret: "{{ authelia_config_jwt_secret }}"
|
||||
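Review bot: `combine(authelia_extra_config, recursive=True)` merges nested mappings but, with Ansible's default `list_merge='replace'`, still replaces list values wholesale, so an `authelia_extra_config` entry touching a list-valued block (the access-control rules, for instance) discards the base list rather than extending it. A comment on the line should set that expectation: `# recursive merge of mappings only; list values in authelia_extra_config replace the base list`. The `authelia_top_level_config` mapping that follows continues past the hunk.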
@ -26,7 +26,7 @@ authelia_top_level_config:
|
||||
duo_api: "{{ authelia_config_duo_api }}"
|
||||
ntp: "{{ authelia_config_ntp }}"
|
||||
authentication_backend: "{{ authelia_config_authentication_backend }}"
|
||||
password_policy: "{{ authelia_config_password_policy }}"
|
||||
# password_policy: "{{ authelia_config_password_policy }}"
|
||||
access_control: "{{ authelia_config_access_control }}"
|
||||
session: "{{ authelia_config_session }}"
|
||||
regulation: "{{ authelia_config_regulation }}"
|
||||
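Review bot: If the commented-out `# password_policy: "{{ authelia_config_password_policy }}"` is the new side (the 1/1 hunk counts cannot settle which of the two lines was added), `authelia_top_level_config` no longer consumes the `authelia_config_password_policy` expression that this same commit rewrites further down, and the same pattern appears with `secret_size` under `authelia_config_totp` in the hunk at `-79,7 +79,7`. Neither line says why it is disabled; a short comment such as `# disabled: <reason placeholder, e.g. unsupported by the pinned authelia_version>` keeps the intent from being lost, and a key that is meant to stay dead should be removed together with its defaults variable instead. `authelia_top_level_config` starts before this hunk.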
@ -41,7 +41,7 @@ authelia_base_config: >-2
|
||||
| combine(({"server": authelia_config_server })
|
||||
| combine({"tls": authelia_config_server_tls}
|
||||
if authelia_config_server_tls_key | default(false, true) else {}))
|
||||
|
||||
}}
|
||||
|
||||
authelia_config_server: >-2
|
||||
{{
|
||||
@ -79,7 +79,7 @@ authelia_config_totp:
|
||||
digits: "{{ authelia_config_totp_digits }}"
|
||||
period: "{{ authelia_config_totp_period }}"
|
||||
skew: "{{ authelia_config_totp_skew }}"
|
||||
secret_size: "{{ authelia_config_totp_secret_size }}"
|
||||
# secret_size: "{{ authelia_config_totp_secret_size }}"
|
||||
authelia_config_webauthn:
|
||||
disable: "{{ authelia_config_webauthn_disable }}"
|
||||
timeout: "{{ authelia_config_webauthn_timeout }}"
|
||||
@ -107,7 +107,7 @@ authelia_config_authentication_backend: >-2
|
||||
| combine({"password_reset": authelia_config_authentication_backend_password_reset}
|
||||
if authelia_config_authentication_backend_password_reset_custom_url | default(false, true) else {})
|
||||
| combine({"file": authelia_config_authentication_backend_file}
|
||||
if authelia_config_authentication_backend_file | default(false, true)
|
||||
if authelia_config_authentication_backend_file_path | default(false, true)
|
||||
else {"ldap": authelia_config_authentication_backend_ldap})
|
||||
}}
|
||||
authelia_config_authentication_backend_password_reset:
|
||||
@ -123,7 +123,7 @@ authelia_config_authentication_backend_ldap:
|
||||
base_dn: "{{ authelia_config_authentication_backend_ldap_base_dn }}"
|
||||
additional_users_dn: "{{ authelia_config_authentication_backend_ldap_additional_users_dn }}"
|
||||
additional_groups_dn: "{{ authelia_config_authentication_backend_ldap_additional_groups_dn }}"
|
||||
users_filter: "{{ authelia_config_authentication_backend_ldap_groups_filter }}"
|
||||
users_filter: "{{ authelia_config_authentication_backend_ldap_users_filter }}"
|
||||
groups_filter: "{{ authelia_config_authentication_backend_ldap_groups_filter }}"
|
||||
group_name_attribute: "{{ authelia_config_authentication_backend_ldap_group_name_attribute }}"
|
||||
username_attribute: "{{ authelia_config_authentication_backend_ldap_username_attribute }}"
|
||||
@ -140,17 +140,22 @@ authelia_config_authentication_backend_file:
|
||||
salt_lenght: "{{ authelia_config_authentication_backend_file_password_salt_length }}"
|
||||
memory: "{{ authelia_config_authentication_backend_file_password_memory }}"
|
||||
parallelism: "{{ authelia_config_authentication_backend_file_password_parallelism }}"
|
||||
authelia_config_password_policy:
|
||||
standard:
|
||||
enabled: "{{ authelia_config_password_policy_standard_enabled }}"
|
||||
min_length: "{{ authelia_config_password_policy_standard_min_length }}"
|
||||
max_length: "{{ authelia_config_password_policy_standard_max_length }}"
|
||||
require_uppercase: "{{ authelia_config_password_policy_standard_require_uppercase }}"
|
||||
require_lowercase: "{{ authelia_config_password_policy_standard_require_lowercase }}"
|
||||
require_number: "{{ authelia_config_password_policy_standard_require_number }}"
|
||||
require_special: "{{ authelia_config_password_policy_standard_require_special }}"
|
||||
zxcvbn:
|
||||
enabled: "{{ authelia_config_password_policy_zxcvbn_enabled }}"
|
||||
authelia_config_password_policy: >-2
|
||||
{{
|
||||
{"standard": authelia_config_password_policy_standard}
|
||||
if authelia_config_password_policy_standard_enabled
|
||||
else {"zxcvbn": authelia_config_password_policy_zxcvbn}
|
||||
}}
|
||||
authelia_config_password_policy_standard:
|
||||
enabled: "{{ authelia_config_password_policy_standard_enabled }}"
|
||||
min_length: "{{ authelia_config_password_policy_standard_min_length }}"
|
||||
max_length: "{{ authelia_config_password_policy_standard_max_length }}"
|
||||
require_uppercase: "{{ authelia_config_password_policy_standard_require_uppercase }}"
|
||||
require_lowercase: "{{ authelia_config_password_policy_standard_require_lowercase }}"
|
||||
require_number: "{{ authelia_config_password_policy_standard_require_number }}"
|
||||
require_special: "{{ authelia_config_password_policy_standard_require_special }}"
|
||||
authelia_config_password_policy_zxcvbn:
|
||||
enabled: "{{ authelia_config_password_policy_zxcvbn_enabled }}"
|
||||
authelia_config_access_control:
|
||||
default_policy: "{{ authelia_config_access_control_default_policy }}"
|
||||
networks: "{{ authelia_config_access_control_networks }}"
|
||||
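Review bot: The new `authelia_config_password_policy` selects `standard` solely on `authelia_config_password_policy_standard_enabled`, so an operator who also sets `authelia_config_password_policy_zxcvbn_enabled: true` gets the zxcvbn settings silently dropped, and nothing in the hunk documents that precedence; add above the key `# only one policy is rendered: standard wins whenever it is enabled, otherwise zxcvbn`. The unchanged context line `salt_lenght:` at the top of the hunk looks like a misspelling of `salt_length` (the variable it reads, `..._file_password_salt_length`, is spelled correctly) and would presumably be rejected or ignored by Authelia's configuration validation. The `authelia_config_authentication_backend_file` mapping it belongs to starts before this hunk.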
@ -203,7 +208,6 @@ authelia_config_storage: >-2
|
||||
| combine({"postgres": authelia_config_storage_postgres}
|
||||
if authelia_database_type in ['postgres', 'postgresql'] else {})
|
||||
}}
|
||||
|
||||
authelia_config_storage_local:
|
||||
path: "{{ authelia_config_storage_local_path }}"
|
||||
authelia_config_storage_mysql:
|
||||
|