From c948a1136e28459070025c0560d277927437af4c Mon Sep 17 00:00:00 2001 From: xeovalyte Date: Sun, 13 Oct 2024 17:05:00 +0200 Subject: [PATCH] Added authelia, caddy and adguard --- homelab/.gitignore | 2 + homelab/README.md | 5 + homelab/adguard/docker-compose.yml | 21 + homelab/authelia/config/.gitignore | 2 + homelab/authelia/config/configuration.yml | 1418 +++++++++++++++++ .../config/notification.txt} | 0 homelab/authelia/docker-compose.yml | 35 + homelab/caddy/Dockerfile | 8 + homelab/caddy/README.md | 2 + homelab/caddy/caddyfiles/Caddyfile | 16 + homelab/caddy/caddyfiles/routes/adguard | 9 + homelab/caddy/caddyfiles/routes/authelia | 9 + homelab/caddy/docker-compose.yml | 18 +- hosts/pm01vm01/default.nix | 6 +- hosts/pm01vm01/hardware-configuration.nix | 39 + modules/system/cli/docker.nix | 11 +- modules/system/hardware/firewall.nix | 4 +- 17 files changed, 1596 insertions(+), 9 deletions(-) create mode 100644 homelab/.gitignore create mode 100644 homelab/README.md create mode 100644 homelab/adguard/docker-compose.yml create mode 100644 homelab/authelia/config/.gitignore create mode 100644 homelab/authelia/config/configuration.yml rename homelab/{caddy/Caddyfile => authelia/config/notification.txt} (100%) create mode 100644 homelab/authelia/docker-compose.yml create mode 100644 homelab/caddy/Dockerfile create mode 100644 homelab/caddy/README.md create mode 100644 homelab/caddy/caddyfiles/routes/adguard create mode 100644 homelab/caddy/caddyfiles/routes/authelia create mode 100644 hosts/pm01vm01/hardware-configuration.nix diff --git a/homelab/.gitignore b/homelab/.gitignore new file mode 100644 index 0000000..c3cb00e --- /dev/null +++ b/homelab/.gitignore @@ -0,0 +1,2 @@ +secrets/ +.env diff --git a/homelab/README.md b/homelab/README.md new file mode 100644 index 0000000..3dc581a --- /dev/null +++ b/homelab/README.md @@ -0,0 +1,5 @@ +# Create proxy network +`docker network create proxy` + +# Configure caddy cloudflare +Find instructions on [caddy-dns cloudflare](https://github.com/caddy-dns/cloudflare) diff --git a/homelab/adguard/docker-compose.yml b/homelab/adguard/docker-compose.yml new file mode 100644 index 0000000..ce730c4 --- /dev/null +++ b/homelab/adguard/docker-compose.yml @@ -0,0 +1,21 @@ +services: + adguardhome: + image: adguard/adguardhome:latest + container_name: adguardhome + restart: unless-stopped + ports: + - 53:53/tcp + - 53:53/udp +# - 80:3000 # Only use during setup + volumes: + - work:/opt/adguardhome/work + - conf:/opt/adguardhome/conf + +volumes: + work: + conf: + +networks: + default: + name: proxy + external: true diff --git a/homelab/authelia/config/.gitignore b/homelab/authelia/config/.gitignore new file mode 100644 index 0000000..8fd2bb2 --- /dev/null +++ b/homelab/authelia/config/.gitignore @@ -0,0 +1,2 @@ +db.sqlite3 +notifications.txt diff --git a/homelab/authelia/config/configuration.yml b/homelab/authelia/config/configuration.yml new file mode 100644 index 0000000..66613e8 --- /dev/null +++ b/homelab/authelia/config/configuration.yml @@ -0,0 +1,1418 @@ +# yamllint disable rule:comments-indentation +--- +############################################################################### +## Authelia Configuration ## +############################################################################### + +## +## Notes: +## +## - the default location of this file is assumed to be configuration.yml unless otherwise noted +## - when using docker the container expects this by default to be at /config/configuration.yml +## - the default location where this file is loaded from can be overridden with the X_AUTHELIA_CONFIG environment var +## - the comments in this configuration file are helpful but users should consult the official documentation on the +## website at https://www.authelia.com/ or https://www.authelia.com/configuration/prologue/introduction/ +## - this configuration file template is not automatically updated +## + +## Certificates directory specifies where Authelia will load trusted certificates (public portion) from in addition to +## the system certificates store. +## They should be in base64 format, and have one of the following extensions: *.cer, *.crt, *.pem. +# certificates_directory: '/config/certificates/' + +## The theme to display: light, dark, grey, auto. +theme: 'dark' + +## Set the default 2FA method for new users and for when a user has a preferred method configured that has been +## disabled. This setting must be a method that is enabled. +## Options are totp, webauthn, mobile_push. +default_2fa_method: 'totp' + +## +## Server Configuration +## +server: + ## The address for the Main server to listen on in the address common syntax. + ## Formats: + ## - [://][:][/] + ## - [://][hostname]:[/] + ## Square brackets indicate optional portions of the format. Scheme must be 'tcp', 'tcp4', 'tcp6', or 'unix'. + ## The default scheme is 'unix' if the address is an absolute path otherwise it's 'tcp'. The default port is '9091'. + ## If the path is specified this configures the router to handle both the `/` path and the configured path. + # address: 'tcp://:9091/' + + ## Set the path on disk to Authelia assets. + ## Useful to allow overriding of specific static assets. + # asset_path: '/config/assets/' + + ## Disables writing the health check vars to /app/.healthcheck.env which makes healthcheck.sh return exit code 0. + ## This is disabled by default if either /app/.healthcheck.env or /app/healthcheck.sh do not exist. + # disable_healthcheck: false + + ## Authelia by default doesn't accept TLS communication on the server port. This section overrides this behaviour. + # tls: + ## The path to the DER base64/PEM format private key. + # key: '' + + ## The path to the DER base64/PEM format public certificate. + # certificate: '' + + ## The list of certificates for client authentication. + # client_certificates: [] + + ## Server headers configuration/customization. + # headers: + + ## The CSP Template. Read the docs. + # csp_template: '' + + ## Server Buffers configuration. + # buffers: + + ## Buffers usually should be configured to be the same value. + ## Explanation at https://www.authelia.com/c/server#buffer-sizes + ## Read buffer size adjusts the server's max incoming request size in bytes. + ## Write buffer size does the same for outgoing responses. + + ## Read buffer. + # read: 4096 + + ## Write buffer. + # write: 4096 + + ## Server Timeouts configuration. + # timeouts: + + ## Read timeout in the duration common syntax. + # read: '6 seconds' + + ## Write timeout in the duration common syntax. + # write: '6 seconds' + + ## Idle timeout in the duration common syntax. + # idle: '30 seconds' + + ## Server Endpoints configuration. + ## This section is considered advanced and it SHOULD NOT be configured unless you've read the relevant documentation. + endpoints: + ## Enables the pprof endpoint. + # enable_pprof: false + + ## Enables the expvars endpoint. + # enable_expvars: false + + ## Configure the authz endpoints. + authz: + forward-auth: + implementation: 'ForwardAuth' + # authn_strategies: [] + # ext-authz: + # implementation: 'ExtAuthz' + # authn_strategies: [] + # auth-request: + # implementation: 'AuthRequest' + # authn_strategies: [] + # legacy: + # implementation: 'Legacy' + # authn_strategies: [] + +## +## Log Configuration +## +# log: + ## Level of verbosity for logs: info, debug, trace. + # level: 'debug' + + ## Format the logs are written as: json, text. + # format: 'json' + + ## File path where the logs will be written. If not set logs are written to stdout. + # file_path: '/config/authelia.log' + + ## Whether to also log to stdout when a log_file_path is defined. + # keep_stdout: false + +## +## Telemetry Configuration +## +# telemetry: + + ## + ## Metrics Configuration + ## + # metrics: + ## Enable Metrics. + # enabled: false + + ## The address for the Metrics server to listen on in the address common syntax. + ## Formats: + ## - [://][:][/] + ## - [://][hostname]:[/] + ## Square brackets indicate optional portions of the format. Scheme must be 'tcp', 'tcp4', 'tcp6', or 'unix'. + ## The default scheme is 'unix' if the address is an absolute path otherwise it's 'tcp'. The default port is '9959'. + ## If the path is not specified it defaults to `/metrics`. + # address: 'tcp://:9959/metrics' + + ## Metrics Server Buffers configuration. + # buffers: + + ## Read buffer. + # read: 4096 + + ## Write buffer. + # write: 4096 + + ## Metrics Server Timeouts configuration. + # timeouts: + + ## Read timeout in the duration common syntax. + # read: '6 seconds' + + ## Write timeout in the duration common syntax. + # write: '6 seconds' + + ## Idle timeout in the duration common syntax. + # idle: '30 seconds' + +## +## TOTP Configuration +## +## Parameters used for TOTP generation. +# totp: + ## Disable TOTP. + # disable: false + + ## The issuer name displayed in the Authenticator application of your choice. + # issuer: 'authelia.com' + + ## The TOTP algorithm to use. + ## It is CRITICAL you read the documentation before changing this option: + ## https://www.authelia.com/c/totp#algorithm + # algorithm: 'SHA1' + + ## The number of digits a user has to input. Must either be 6 or 8. + ## Changing this option only affects newly generated TOTP configurations. + ## It is CRITICAL you read the documentation before changing this option: + ## https://www.authelia.com/c/totp#digits + # digits: 6 + + ## The period in seconds a Time-based One-Time Password is valid for. + ## Changing this option only affects newly generated TOTP configurations. + # period: 30 + + ## The skew controls number of Time-based One-Time Passwords either side of the current one that are valid. + ## Warning: before changing skew read the docs link below. + # skew: 1 + ## See: https://www.authelia.com/c/totp#input-validation to read + ## the documentation. + + ## The size of the generated shared secrets. Default is 32 and is sufficient in most use cases, minimum is 20. + # secret_size: 32 + + ## The allowed algorithms for a user to pick from. + # allowed_algorithms: + # - 'SHA1' + + ## The allowed digits for a user to pick from. + # allowed_digits: + # - 6 + + ## The allowed periods for a user to pick from. + # allowed_periods: + # - 30 + + ## Disable the reuse security policy which prevents replays of one-time password code values. + # disable_reuse_security_policy: false + +## +## WebAuthn Configuration +## +## Parameters used for WebAuthn. +# webauthn: + ## Disable WebAuthn. + # disable: false + + ## The interaction timeout for WebAuthn dialogues in the duration common syntax. + # timeout: '60 seconds' + + ## The display name the browser should show the user for when using WebAuthn to login/register. + # display_name: 'Authelia' + + ## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device. + ## Options are none, indirect, direct. + # attestation_conveyance_preference: 'indirect' + + ## User verification controls if the user must make a gesture or action to confirm they are present. + ## Options are required, preferred, discouraged. + # user_verification: 'preferred' + +## +## Duo Push API Configuration +## +## Parameters used to contact the Duo API. Those are generated when you protect an application of type +## "Partner Auth API" in the management panel. +# duo_api: + # disable: false + # hostname: 'api-123456789.example.com' + # integration_key: 'ABCDEF' + ## Secret can also be set using a secret: https://www.authelia.com/c/secrets + # secret_key: '1234567890abcdefghifjkl' + # enable_self_enrollment: false + +## +## Identity Validation Configuration +## +## This configuration tunes the identity validation flows. +identity_validation: + + ## Reset Password flow. Adjusts how the reset password flow operates. + reset_password: + ## Maximum allowed time before the JWT is generated and when the user uses it in the duration common syntax. + jwt_lifespan: '5 minutes' + + ## The algorithm used for the Reset Password JWT. + jwt_algorithm: 'HS256' + + ## The secret key used to sign and verify the JWT. + jwt_secret: '{{ env "JWT_SECRET" }}' + + ## Elevated Session flows. Adjusts the flow which require elevated sessions for example managing credentials, adding, + ## removing, etc. + # elevated_session: + ## Maximum allowed lifetime after the One-Time Code is generated that it is considered valid. + # code_lifespan: '5 minutes' + + ## Maximum allowed lifetime after the user uses the One-Time Code and the user must perform the validation again in + ## the duration common syntax. + # elevation_lifespan: '10 minutes' + + ## Number of characters the one-time password contains. + # characters: 8 + + ## In addition to the One-Time Code requires the user performs a second factor authentication. + # require_second_factor: false + + ## Skips the elevation requirement and entry of the One-Time Code if the user has performed second factor + ## authentication. + # skip_second_factor: false + +## +## NTP Configuration +## +## This is used to validate the servers time is accurate enough to validate TOTP. +# ntp: + ## The address of the NTP server to connect to in the address common syntax. + ## Format: [://][:]. + ## Square brackets indicate optional portions of the format. Scheme must be 'udp', 'udp4', or 'udp6'. + ## The default scheme is 'udp'. The default port is '123'. + # address: 'udp://time.cloudflare.com:123' + + ## NTP version. + # version: 4 + + ## Maximum allowed time offset between the host and the NTP server in the duration common syntax. + # max_desync: '3 seconds' + + ## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you + ## set this to true, and can operate in a truly offline mode. + # disable_startup_check: false + + ## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with + ## the NTP server more than the configured max_desync. If you set this to true, an error will be logged but startup + ## will continue regardless of results. + # disable_failure: false + +## +## Authentication Backend Provider Configuration +## +## Used for verifying user passwords and retrieve information such as email address and groups users belong to. +## +## The available providers are: `file`, `ldap`. You must use only one of these providers. +authentication_backend: + + ## Password Reset Options. + password_reset: + ## Disable both the HTML element and the API for reset password functionality. + disable: false + + ## External reset password url that redirects the user to an external reset portal. This disables the internal reset + ## functionality. + # custom_url: '' + + ## The amount of time to wait before we refresh data from the authentication backend in the duration common syntax. + ## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will + ## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP. + ## To force update on every request you can set this to '0' or 'always', this will increase processor demand. + ## See the below documentation for more information. + ## Refresh Interval docs: https://www.authelia.com/c/1fa#refresh-interval + # refresh_interval: '5 minutes' + + ## + ## LDAP (Authentication Provider) + ## + ## This is the recommended Authentication Provider in production + ## because it allows Authelia to offload the stateful operations + ## onto the LDAP service. + ldap: + ## The address of the directory server to connect to in the address common syntax. + ## Format: [://][:]. + ## Square brackets indicate optional portions of the format. Scheme must be 'ldap', 'ldaps', or 'ldapi`. + ## The default scheme is 'ldapi' if the address is an absolute path otherwise it's 'ldaps'. + ## The default port is '636', unless the scheme is 'ldap' in which case it's '389'. + address: 'ldap://lldap:3890' + + ## The LDAP implementation, this affects elements like the attribute utilised for resetting a password. + ## Acceptable options are as follows: + ## - 'activedirectory' - for Microsoft Active Directory. + ## - 'freeipa' - for FreeIPA. + ## - 'lldap' - for lldap. + ## - 'custom' - for custom specifications of attributes and filters. + ## This currently defaults to 'custom' to maintain existing behaviour. + ## + ## Depending on the option here certain other values in this section have a default value, notably all of the + ## attribute mappings have a default value that this config overrides, you can read more about these default values + ## at https://www.authelia.com/c/ldap#defaults + implementation: 'custom' + + ## The dial timeout for LDAP in the duration common syntax. + timeout: '5 seconds' + + ## Use StartTLS with the LDAP connection. + start_tls: false + + # tls: + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the address options hostname. + # server_name: 'ldap.example.com' + + ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + # skip_verify: false + + ## Minimum TLS version for the connection. + # minimum_version: 'TLS1.2' + + ## Maximum TLS version for the connection. + # maximum_version: 'TLS1.3' + + ## The certificate chain used with the private_key if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # certificate_chain: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + + ## The private key used with the certificate_chain if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # private_key: | + # -----BEGIN RSA PRIVATE KEY----- + # ... + # -----END RSA PRIVATE KEY----- + + ## The distinguished name of the container searched for objects in the directory information tree. + ## See also: additional_users_dn, additional_groups_dn. + base_dn: 'dc=bmrs,dc=nl' + + ## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users. + ## i.e. with this set to OU=Users and base_dn set to DC=a,DC=com; OU=Users,DC=a,DC=com is searched for users. + additional_users_dn: 'OU=people' + + ## The users filter used in search queries to find the user profile based on input filled in login form. + ## Various placeholders are available in the user filter which you can read about in the documentation which can + ## be found at: https://www.authelia.com/c/ldap#users-filter-replacements + ## + ## Recommended settings are as follows: + ## - Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user)) + ## - OpenLDAP: + ## - (&({username_attribute}={input})(objectClass=person)) + ## - (&({username_attribute}={input})(objectClass=inetOrgPerson)) + ## + ## To allow sign in both with username and email, one can use a filter like + ## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)) + users_filter: '(&({username_attribute}={input})(objectClass=person))' + + ## The additional_groups_dn is prefixed to base_dn and delimited by a comma when searching for groups. + ## i.e. with this set to OU=Groups and base_dn set to DC=a,DC=com; OU=Groups,DC=a,DC=com is searched for groups. + additional_groups_dn: 'OU=groups' + + ## The groups filter used in search queries to find the groups based on relevant authenticated user. + ## Various placeholders are available in the groups filter which you can read about in the documentation which can + ## be found at: https://www.authelia.com/c/ldap#groups-filter-replacements + ## + ## If your groups use the `groupOfUniqueNames` structure use this instead: + ## (&(uniqueMember={dn})(objectClass=groupOfUniqueNames)) + groups_filter: '(member={dn})' + + ## The group search mode to use. Options are 'filter' or 'memberof'. It's essential to read the docs if you wish to + ## use 'memberof'. Also 'filter' is the best choice for most use cases. + # group_search_mode: 'filter' + + ## Follow referrals returned by the server. + ## This is especially useful for environments where read-only servers exist. Only implemented for write operations. + # permit_referrals: false + + ## The username and password of the admin user. + user: 'UID=admin,OU=people,DC=bmrs,DC=nl' + ## Password can also be set using a secret: https://www.authelia.com/c/secrets + # password + + ## The attributes for users and objects from the directory server. + attributes: + + ## The distinguished name attribute if your directory server supports it. Users should read the docs before + ## configuring. Only used for the 'memberof' group search mode. + distinguished_name: 'distinguishedName' + + ## The attribute holding the username of the user. This attribute is used to populate the username in the session + ## information. For your information, Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP + ## usually uses 'uid'. Beware that this attribute holds the unique identifiers for the users binding the user and + ## the configuration stored in database; therefore only single value attributes are allowed and the value must + ## never be changed once attributed to a user otherwise it would break the configuration for that user. + ## Technically non-unique attributes like 'mail' can also be used but we don't recommend using them, we instead + ## advise to use a filter to perform alternative lookups and the attributes mentioned above + ## (sAMAccountName and uid) to follow https://datatracker.ietf.org/doc/html/rfc2307. + username: 'uid' + + ## The attribute holding the display name of the user. This will be used to greet an authenticated user. + # display_name: 'displayName' + + ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only + ## the first one returned by the directory server is used. + mail: 'mail' + + ## The attribute which provides distinguished names of groups an object is a member of. + ## Only used for the 'memberof' group search mode. + member_of: 'memberOf' + + ## The attribute holding the name of the group. + group_name: 'cn' + + ## + ## File (Authentication Provider) + ## + ## With this backend, the users database is stored in a file which is updated when users reset their passwords. + ## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia + ## to be scaled to more than one instance. The options under 'password' have sane defaults, and as it has security + ## implications it is highly recommended you leave the default values. Before considering changing these settings + ## please read the docs page below: + ## https://www.authelia.com/r/passwords#tuning + ## + ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness + ## + # file: + # path: '/config/users_database.yml' + # watch: false + # search: + # email: false + # case_insensitive: false + # password: + # algorithm: 'argon2' + # argon2: + # variant: 'argon2id' + # iterations: 3 + # memory: 65536 + # parallelism: 4 + # key_length: 32 + # salt_length: 16 + # scrypt: + # iterations: 16 + # block_size: 8 + # parallelism: 1 + # key_length: 32 + # salt_length: 16 + # pbkdf2: + # variant: 'sha512' + # iterations: 310000 + # salt_length: 16 + # sha2crypt: + # variant: 'sha512' + # iterations: 50000 + # salt_length: 16 + # bcrypt: + # variant: 'standard' + # cost: 12 + +## +## Password Policy Configuration. +## +# password_policy: + + ## The standard policy allows you to tune individual settings manually. + # standard: + # enabled: false + + ## Require a minimum length for passwords. + # min_length: 8 + + ## Require a maximum length for passwords. + # max_length: 0 + + ## Require uppercase characters. + # require_uppercase: true + + ## Require lowercase characters. + # require_lowercase: true + + ## Require numeric characters. + # require_number: true + + ## Require special characters. + # require_special: true + + ## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings. + # zxcvbn: + # enabled: false + + ## Configures the minimum score allowed. + # min_score: 3 + +## +## Privacy Policy Configuration +## +## Parameters used for displaying the privacy policy link and drawer. +# privacy_policy: + + ## Enables the display of the privacy policy using the policy_url. + # enabled: false + + ## Enables the display of the privacy policy drawer which requires users accept the privacy policy + ## on a per-browser basis. + # require_user_acceptance: false + + ## The URL of the privacy policy document. Must be an absolute URL and must have the 'https://' scheme. + ## If the privacy policy enabled option is true, this MUST be provided. + # policy_url: '' + +## +## Access Control Configuration +## +## Access control is a list of rules defining the authorizations applied for one resource to users or group of users. +## +## If 'access_control' is not defined, ACL rules are disabled and the 'deny' rule is applied, i.e., access is denied +## to everyone. Otherwise restrictions follow the rules defined. +## +## Note: One can use the wildcard * to match any subdomain. +## It must stand at the beginning of the pattern. (example: *.example.com) +## +## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct. +## +## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'. +## +## - 'domain' defines which domain or set of domains the rule applies to. +## +## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not +## provided. If provided, the parameter represents either a user or a group. It should be of the form +## 'user:' or 'group:'. +## +## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'. +## +## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter +## is optional and matches any resource if not provided. +## +## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies. +access_control: + ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any + ## resource if there is no policy to be applied to the user. + default_policy: 'deny' + + # networks: + # - name: 'internal' + # networks: + # - '10.10.0.0/16' + # - '192.168.2.0/24' + # - name: 'VPN' + # networks: '10.9.0.0/16' + + rules: + ## Rules applied to everyone + - domain: '*.timo.bmrs.nl' + policy: 'one_factor' + + ## Domain Regex examples. Generally we recommend just using a standard domain. + # - domain_regex: '^(?P\w+)\.example\.com$' + # policy: 'one_factor' + # - domain_regex: '^(?P\w+)\.example\.com$' + # policy: 'one_factor' + # - domain_regex: + # - '^appgroup-.*\.example\.com$' + # - '^appgroup2-.*\.example\.com$' + # policy: 'one_factor' + # - domain_regex: '^.*\.example\.com$' + # policy: 'two_factor' + + # - domain: 'secure.example.com' + # policy: 'one_factor' + ## Network based rule, if not provided any network matches. + # networks: + # - 'internal' + # - 'VPN' + # - '192.168.1.0/24' + # - '10.0.0.1' + + # - domain: + # - 'secure.example.com' + # - 'private.example.com' + # policy: 'two_factor' + + # - domain: 'singlefactor.example.com' + # policy: 'one_factor' + + ## Rules applied to 'admins' group + # - domain: 'mx2.mail.example.com' + # subject: 'group:admins' + # policy: 'deny' + + # - domain: '*.example.com' + # subject: + # - 'group:admins' + # - 'group:moderators' + # policy: 'two_factor' + + ## Rules applied to 'dev' group + # - domain: 'dev.example.com' + # resources: + # - '^/groups/dev/.*$' + # subject: 'group:dev' + # policy: 'two_factor' + + ## Rules applied to user 'john' + # - domain: 'dev.example.com' + # resources: + # - '^/users/john/.*$' + # subject: 'user:john' + # policy: 'two_factor' + + ## Rules applied to user 'harry' + # - domain: 'dev.example.com' + # resources: + # - '^/users/harry/.*$' + # subject: 'user:harry' + # policy: 'two_factor' + + ## Rules applied to user 'bob' + # - domain: '*.mail.example.com' + # subject: 'user:bob' + # policy: 'two_factor' + # - domain: 'dev.example.com' + # resources: + # - '^/users/bob/.*$' + # subject: 'user:bob' + # policy: 'two_factor' + +## +## Session Provider Configuration +## +## The session cookies identify the user once logged in. +## The available providers are: `memory`, `redis`. Memory is the provider unless redis is defined. +session: + ## The secret to encrypt the session data. This is only used with Redis / Redis Sentinel. + ## Secret can also be set using a secret: https://www.authelia.com/c/secrets + secret: '{{ env "SESSION_SECRET" }}' + + ## Cookies configures the list of allowed cookie domains for sessions to be created on. + ## Undefined values will default to the values below. + cookies: + - + ## The name of the session cookie. + name: 'authelia_session' + + ## The domain to protect. + ## Note: the Authelia portal must also be in that domain. + domain: 'timo.bmrs.nl' + + ## Required. The fully qualified URI of the portal to redirect users to on proxies that support redirections. + ## Rules: + ## - MUST use the secure scheme 'https://' + ## - The above 'domain' option MUST either: + ## - Match the host portion of this URI. + ## - Match the suffix of the host portion when prefixed with '.'. + authelia_url: 'https://auth.timo.bmrs.nl' + + ## Optional. The fully qualified URI used as the redirection location if the portal is accessed directly. Not + ## configuring this option disables the automatic redirection behaviour. + ## + ## Note: this parameter is optional. If not provided, user won't be redirected upon successful authentication + ## unless they were redirected to Authelia by the proxy. + ## + ## Rules: + ## - MUST use the secure scheme 'https://' + ## - MUST not match the 'authelia_url' option. + ## - The above 'domain' option MUST either: + ## - Match the host portion of this URI. + ## - Match the suffix of the host portion when prefixed with '.'. + # default_redirection_url: 'https://www.example.com' + + ## Sets the Cookie SameSite value. Possible options are none, lax, or strict. + ## Please read https://www.authelia.com/c/session#same_site + # same_site: 'lax' + + ## The value for inactivity, expiration, and remember_me are in seconds or the duration common syntax. + ## All three of these values affect the cookie/session validity period. Longer periods are considered less secure + ## because a stolen cookie will last longer giving attackers more time to spy or attack. + + ## The inactivity time before the session is reset. If expiration is set to 1h, and this is set to 5m, if the user + ## does not select the remember me option their session will get destroyed after 1h, or after 5m since the last + ## time Authelia detected user activity. + # inactivity: '5 minutes' + + ## The time before the session cookie expires and the session is destroyed if remember me IS NOT selected by the + ## user. + # expiration: '1 hour' + + ## The time before the cookie expires and the session is destroyed if remember me IS selected by the user. Setting + ## this value to -1 disables remember me for this session cookie domain. If allowed and the user uses the remember + ## me checkbox this overrides the expiration option and disables the inactivity option. + # remember_me: '1 month' + + ## Cookie Session Domain default 'name' value. + # name: 'authelia_session' + + ## Cookie Session Domain default 'same_site' value. + # same_site: 'lax' + + ## Cookie Session Domain default 'inactivity' value. + # inactivity: '5m' + + ## Cookie Session Domain default 'expiration' value. + # expiration: '1h' + + ## Cookie Session Domain default 'remember_me' value. + # remember_me: '1M' + + ## + ## Redis Provider + ## + ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness + ## + # redis: + # host: '127.0.0.1' + # port: 6379 + ## Use a unix socket instead + # host: '/var/run/redis/redis.sock' + + ## Username used for redis authentication. This is optional and a new feature in redis 6.0. + # username: 'authelia' + + ## Password can also be set using a secret: https://www.authelia.com/c/secrets + # password: 'authelia' + + ## This is the Redis DB Index https://redis.io/commands/select (sometimes referred to as database number, DB, etc). + # database_index: 0 + + ## The maximum number of concurrent active connections to Redis. + # maximum_active_connections: 8 + + ## The target number of idle connections to have open ready for work. Useful when opening connections is slow. + # minimum_idle_connections: 0 + + ## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s). + # tls: + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the host option. + # server_name: 'myredis.example.com' + + ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + # skip_verify: false + + ## Minimum TLS version for the connection. + # minimum_version: 'TLS1.2' + + ## Maximum TLS version for the connection. + # maximum_version: 'TLS1.3' + + ## The certificate chain used with the private_key if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # certificate_chain: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + + ## The private key used with the certificate_chain if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # private_key: | + # -----BEGIN RSA PRIVATE KEY----- + # ... + # -----END RSA PRIVATE KEY----- + + ## The Redis HA configuration options. + ## This provides specific options to Redis Sentinel, sentinel_name must be defined (Master Name). + # high_availability: + ## Sentinel Name / Master Name. + # sentinel_name: 'mysentinel' + + ## Specific username for Redis Sentinel. The node username and password is configured above. + # sentinel_username: 'sentinel_specific_user' + + ## Specific password for Redis Sentinel. The node username and password is configured above. + # sentinel_password: 'sentinel_specific_pass' + + ## The additional nodes to pre-seed the redis provider with (for sentinel). + ## If the host in the above section is defined, it will be combined with this list to connect to sentinel. + ## For high availability to be used you must have either defined; the host above or at least one node below. + # nodes: + # - host: 'sentinel-node1' + # port: 6379 + # - host: 'sentinel-node2' + # port: 6379 + + ## Choose the host with the lowest latency. + # route_by_latency: false + + ## Choose the host randomly. + # route_randomly: false + +## +## Regulation Configuration +## +## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are made +## in a short period of time. +# regulation: + ## The number of failed login attempts before user is banned. Set it to 0 to disable regulation. + # max_retries: 3 + + ## The time range during which the user can attempt login before being banned in the duration common syntax. The user + ## is banned if the authentication failed 'max_retries' times in a 'find_time' seconds window. + # find_time: '2 minutes' + + ## The length of time before a banned user can login again in the duration common syntax. + # ban_time: '5 minutes' + +## +## Storage Provider Configuration +## +## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers. +storage: + ## The encryption key that is used to encrypt sensitive information in the database. Must be a string with a minimum + ## length of 20. Please see the docs if you configure this with an undesirable key and need to change it, you MUST use + ## the CLI to change this in the database if you want to change it from a previously configured value. + encryption_key: '{{ env "STORAGE_ENCRYPTION_KEY" }}' + + ## + ## Local (Storage Provider) + ## + ## This stores the data in a SQLite3 Database. + ## This is only recommended for lightweight non-stateful installations. + ## + ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness + ## + local: + ## Path to the SQLite3 Database. + path: '/config/db.sqlite3' + + ## + ## MySQL / MariaDB (Storage Provider) + ## + # mysql: + ## The address of the MySQL server to connect to in the address common syntax. + ## Format: [://][:]. + ## Square brackets indicate optional portions of the format. Scheme must be 'tcp', 'tcp4', 'tcp6', or 'unix`. + ## The default scheme is 'unix' if the address is an absolute path otherwise it's 'tcp'. The default port is '3306'. + # address: 'tcp://127.0.0.1:3306' + + ## The database name to use. + # database: 'authelia' + + ## The username used for SQL authentication. + # username: 'authelia' + + ## The password used for SQL authentication. + ## Can also be set using a secret: https://www.authelia.com/c/secrets + # password: 'mypassword' + + ## The connection timeout in the duration common syntax. + # timeout: '5 seconds' + + ## MySQL TLS settings. Configuring this requires TLS. + # tls: + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the address options hostname. + # server_name: 'mysql.example.com' + + ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + # skip_verify: false + + ## Minimum TLS version for the connection. + # minimum_version: 'TLS1.2' + + ## Maximum TLS version for the connection. + # maximum_version: 'TLS1.3' + + ## The certificate chain used with the private_key if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # certificate_chain: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + + ## The private key used with the certificate_chain if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # private_key: | + # -----BEGIN RSA PRIVATE KEY----- + # ... + # -----END RSA PRIVATE KEY----- + + ## + ## PostgreSQL (Storage Provider) + ## + # postgres: + ## The address of the PostgreSQL server to connect to in the address common syntax. + ## Format: [://][:]. + ## Square brackets indicate optional portions of the format. Scheme must be 'tcp', 'tcp4', 'tcp6', or 'unix`. + ## The default scheme is 'unix' if the address is an absolute path otherwise it's 'tcp'. The default port is '5432'. + # address: 'tcp://127.0.0.1:5432' + + ## The database name to use. + # database: 'authelia' + + ## The schema name to use. + # schema: 'public' + + ## The username used for SQL authentication. + # username: 'authelia' + + ## The password used for SQL authentication. + ## Can also be set using a secret: https://www.authelia.com/c/secrets + # password: 'mypassword' + + ## The connection timeout in the duration common syntax. + # timeout: '5 seconds' + + ## PostgreSQL TLS settings. Configuring this requires TLS. + # tls: + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the address options hostname. + # server_name: 'postgres.example.com' + + ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + # skip_verify: false + + ## Minimum TLS version for the connection. + # minimum_version: 'TLS1.2' + + ## Maximum TLS version for the connection. + # maximum_version: 'TLS1.3' + + ## The certificate chain used with the private_key if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # certificate_chain: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + + ## The private key used with the certificate_chain if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # private_key: | + # -----BEGIN RSA PRIVATE KEY----- + # ... + # -----END RSA PRIVATE KEY----- + +## +## Notification Provider +## +## Notifications are sent to users when they require a password reset, a WebAuthn registration or a TOTP registration. +## The available providers are: filesystem, smtp. You must use only one of these providers. +notifier: + ## You can disable the notifier startup check by setting this to true. + # disable_startup_check: false + + ## + ## File System (Notification Provider) + ## + ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness + ## + filesystem: + filename: '/config/notification.txt' + + ## + ## SMTP (Notification Provider) + ## + ## Use a SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate. + ## [Security] By default Authelia will: + ## - force all SMTP connections over TLS including unauthenticated connections + ## - use the disable_require_tls boolean value to disable this requirement + ## (only works for unauthenticated connections) + ## - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates + ## (configure in tls section) + # smtp: + ## The address of the SMTP server to connect to in the address common syntax. + # address: 'smtp://127.0.0.1:25' + + ## The connection timeout in the duration common syntax. + # timeout: '5 seconds' + + ## The username used for SMTP authentication. + # username: 'test' + + ## The password used for SMTP authentication. + ## Can also be set using a secret: https://www.authelia.com/c/secrets + # password: 'password' + + ## The sender is used to is used for the MAIL FROM command and the FROM header. + ## If this is not defined and the username is an email, we use the username as this value. This can either be just + ## an email address or the RFC5322 'Name ' format. + # sender: 'Authelia ' + + ## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost. + # identifier: 'localhost' + + ## Subject configuration of the emails sent. {title} is replaced by the text from the notifier. + # subject: '[Authelia] {title}' + + ## This address is used during the startup check to verify the email configuration is correct. + ## It's not important what it is except if your email server only allows local delivery. + # startup_check_address: 'test@authelia.com' + + ## By default we require some form of TLS. This disables this check though is not advised. + # disable_require_tls: false + + ## Disables sending HTML formatted emails. + # disable_html_emails: false + + # tls: + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the address options hostname. + # server_name: 'smtp.example.com' + + ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + # skip_verify: false + + ## Minimum TLS version for the connection. + # minimum_version: 'TLS1.2' + + ## Maximum TLS version for the connection. + # maximum_version: 'TLS1.3' + + ## The certificate chain used with the private_key if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # certificate_chain: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + + ## The private key used with the certificate_chain if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # private_key: | + # -----BEGIN RSA PRIVATE KEY----- + # ... + # -----END RSA PRIVATE KEY----- + +## +## Identity Providers +## +# identity_providers: + + ## + ## OpenID Connect (Identity Provider) + ## + ## It's recommended you read the documentation before configuration of this section: + ## https://www.authelia.com/c/oidc + # oidc: + ## The hmac_secret is used to sign OAuth2 tokens (authorization code, access tokens and refresh tokens). + ## HMAC Secret can also be set using a secret: https://www.authelia.com/c/secrets + # hmac_secret: 'this_is_a_secret_abc123abc123abc' + + ## The JWK's issuer option configures multiple JSON Web Keys. It's required that at least one of the JWK's + ## configured has the RS256 algorithm. For RSA keys (RS or PS) the minimum is a 2048 bit key. + # jwks: + # - + ## Key ID embedded into the JWT header for key matching. Must be an alphanumeric string with 7 or less characters. + ## This value is automatically generated if not provided. It's recommended to not configure this. + # key_id: 'example' + + ## The key algorithm used with this key. + # algorithm: 'RS256' + + ## The key use expected with this key. Currently only 'sig' is supported. + # use: 'sig' + + ## Required Private Key in PEM DER form. + # key: | + # -----BEGIN RSA PRIVATE KEY----- + # ... + # -----END RSA PRIVATE KEY----- + + + ## Optional matching certificate chain in PEM DER form that matches the key. All certificates within the chain + ## must be valid and current, and from top to bottom each certificate must be signed by the subsequent one. + # certificate_chain: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + + ## Enables additional debug messages. + # enable_client_debug_messages: false + + ## SECURITY NOTICE: It's not recommended changing this option and values below 8 are strongly discouraged. + # minimum_parameter_entropy: 8 + + ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it set to 'never' + ## for security reasons. + # enforce_pkce: 'public_clients_only' + + ## SECURITY NOTICE: It's not recommended changing this option. We encourage you to read the documentation and fully + ## understanding it before enabling this option. + # enable_jwt_access_token_stateless_introspection: false + + ## The signing algorithm used for signing the discovery and metadata responses. An issuer JWK with a matching + ## algorithm must be available when configured. Most clients completely ignore this and it has a performance cost. + # discovery_signed_response_alg: 'none' + + ## The signing key id used for signing the discovery and metadata responses. An issuer JWK with a matching key id + ## must be available when configured. Most clients completely ignore this and it has a performance cost. + # discovery_signed_response_key_id: '' + + ## Authorization Policies which can be utilized by clients. The 'policy_name' is an arbitrary value that you pick + ## which is utilized as the value for the 'authorization_policy' on the client. + # authorization_policies: + # policy_name: + # default_policy: 'two_factor' + # rules: + # - policy: 'one_factor' + # subject: 'group:services' + + ## The lifespans configure the expiration for these token types in the duration common syntax. In addition to this + ## syntax the lifespans can be customized per-client. + # lifespans: + ## Configures the default/fallback lifespan for given token types. This behaviour applies to all clients and all + ## grant types but you can override this behaviour using the custom lifespans. + # access_token: '1 hour' + # authorize_code: '1 minute' + # id_token: '1 hour' + # refresh_token: '90 minutes' + + ## Cross-Origin Resource Sharing (CORS) settings. + # cors: + ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on. + # endpoints: + # - 'authorization' + # - 'pushed-authorization-request' + # - 'token' + # - 'revocation' + # - 'introspection' + # - 'userinfo' + + ## List of allowed origins. + ## Any origin with https is permitted unless this option is configured or the + ## allowed_origins_from_client_redirect_uris option is enabled. + # allowed_origins: + # - 'https://example.com' + + ## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins, + ## provided they have the scheme http or https and do not have the hostname of localhost. + # allowed_origins_from_client_redirect_uris: false + + ## Clients is a list of known clients and their configuration. + # clients: + # - + ## The Client ID is the OAuth 2.0 and OpenID Connect 1.0 Client ID which is used to link an application to a + ## configuration. + # client_id: 'myapp' + + ## The description to show to users when they end up on the consent screen. Defaults to the ID above. + # client_name: 'My Application' + + ## The client secret is a shared secret between Authelia and the consumer of this client. + # yamllint disable-line rule:line-length + # client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'. + + ## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not + ## necessary. It is critical to read the documentation for more information. + # sector_identifier_uri: 'https://example.com/sector.json' + + ## Sets the client to public. This should typically not be set, please see the documentation for usage. + # public: false + + ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client. + # redirect_uris: + # - 'https://oidc.example.com:8080/oauth2/callback' + + ## Request URI's specifies a list of valid case-sensitive TLS-secured URIs for this client for use as + ## URIs to fetch Request Objects. + # request_uris: + # - 'https://oidc.example.com:8080/oidc/request-object.jwk' + + ## Audience this client is allowed to request. + # audience: [] + + ## Scopes this client is allowed to request. + # scopes: + # - 'openid' + # - 'groups' + # - 'email' + # - 'profile' + + ## Grant Types configures which grants this client can obtain. + ## It's not recommended to define this unless you know what you're doing. + # grant_types: + # - 'authorization_code' + + ## Response Types configures which responses this client can be sent. + ## It's not recommended to define this unless you know what you're doing. + # response_types: + # - 'code' + + ## Response Modes configures which response modes this client supports. + # response_modes: + # - 'form_post' + # - 'query' + + ## The policy to require for this client; one_factor or two_factor. Can also be the key names for the + ## authorization policies section. + # authorization_policy: 'two_factor' + + ## The custom lifespan name to use for this client. This must be configured independent of the client before + ## utilization. Custom lifespans are reusable similar to authorization policies. + # lifespan: '' + + ## The consent mode controls how consent is obtained. + # consent_mode: 'auto' + + ## This value controls the duration a consent on this client remains remembered when the consent mode is + ## configured as 'auto' or 'pre-configured' in the duration common syntax. + # pre_configured_consent_duration: '1 week' + + ## Requires the use of Pushed Authorization Requests for this client when set to true. + # require_pushed_authorization_requests: false + + ## Enforces the use of PKCE for this client when set to true. + # require_pkce: false + + ## Enforces the use of PKCE for this client when configured, and enforces the specified challenge method. + ## Options are 'plain' and 'S256'. + # pkce_challenge_method: 'S256' + + ## The permitted client authentication method for the Token Endpoint for this client. + ## For confidential client types this value defaults to 'client_secret_basic' and for the public client types it + ## defaults to 'none' per the specifications. + # token_endpoint_auth_method: 'client_secret_basic' + + ## The permitted client authentication signing algorithm for the Token Endpoint for this client when using + ## the 'client_secret_jwt' or 'private_key_jwt' token_endpoint_auth_method. + # token_endpoint_auth_signing_alg: 'RS256' + + ## The signing algorithm which must be used for request objects. A client JWK with a matching algorithm must be + ## available if configured. + # request_object_signing_alg: 'RS256' + + ## The signing algorithm used for signing the authorization response. An issuer JWK with a matching algorithm + ## must be available when configured. Configuring this value enables the JWT Secured Authorization Response + ## Mode (JARM) for this client. JARM is not understood by a majority of clients so you should only configure + ## this when you know it's supported. + ## Has no effect if authorization_signed_response_key_id is configured. + # authorization_signed_response_alg: 'none' + + ## The signing key id used for signing the authorization response. An issuer JWK with a matching key id must be + ## available when configured. Configuring this value enables the JWT Secured Authorization Response Mode (JARM) + ## for this client. JARM is not understood by a majority of clients so you should only configure this when you + ## know it's supported. + # authorization_signed_response_key_id: '' + + ## The signing algorithm used for ID Tokens. An issuer JWK with a matching algorithm must be available when + ## configured. Has no effect if id_token_signed_response_key_id is configured. + # id_token_signed_response_alg: 'RS256' + + ## The signing key id used for ID Tokens. An issuer JWK with a matching key id must be available when + ## configured. + # id_token_signed_response_key_id: '' + + ## The signing algorithm used for Access Tokens. An issuer JWK with a matching algorithm must be available. + ## Has no effect if access_token_signed_response_key_id is configured. Values other than 'none' enable RFC9068 + ## for this client. + # access_token_signed_response_alg: 'none' + + ## The signing key id used for Access Tokens. An issuer JWK with a matching key id must be available when + ## configured. Values other than a blank value enable RFC9068 for this client. + # access_token_signed_response_key_id: '' + + ## The signing algorithm used for User Info responses. An issuer JWK with a matching algorithm must be + ## available. Has no effect if userinfo_signing_key_id is configured. + # userinfo_signed_response_alg: 'none' + + ## The signing key id used for User Info responses. An issuer JWK with a matching key id must be available when + ## configured. + # userinfo_signed_response_key_id: '' + + ## The signing algorithm used for Introspection responses. An issuer JWK with a matching algorithm must be + ## available when configured. Has no effect if introspection_signed_response_key_id is configured. + # introspection_signed_response_alg: 'none' + + ## The signing key id used for Introspection responses. An issuer JWK with a matching key id must be available + ## when configured. + # introspection_signed_response_key_id: '' + + ## Trusted public keys configuration for request object signing for things such as 'private_key_jwt'. + ## URL of the HTTPS endpoint which serves the keys. Please note the 'jwks_uri' and the 'jwks' option below + ## are mutually exclusive. + # jwks_uri: 'https://app.example.com/jwks.json' + + ## Trusted public keys configuration for request object signing for things such as 'private_key_jwt'. + ## List of JWKs known and registered with this client. It's recommended to use the 'jwks_uri' option if + ## available due to key rotation. Please note the 'jwks' and the 'jwks_uri' option above are mutually exclusive. + # jwks: + # - + ## Key ID used to match the JWT's to an individual identifier. This option is required if configured. + # key_id: 'example' + + ## The key algorithm expected with this key. + # algorithm: 'RS256' + + ## The key use expected with this key. Currently only 'sig' is supported. + # use: 'sig' + + ## Required Public Key in PEM DER form. + # key: | + # -----BEGIN RSA PUBLIC KEY----- + # ... + # -----END RSA PUBLIC KEY----- + + ## The matching certificate chain in PEM DER form that matches the key if available. + # certificate_chain: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- +... diff --git a/homelab/caddy/Caddyfile b/homelab/authelia/config/notification.txt similarity index 100% rename from homelab/caddy/Caddyfile rename to homelab/authelia/config/notification.txt diff --git a/homelab/authelia/docker-compose.yml b/homelab/authelia/docker-compose.yml new file mode 100644 index 0000000..7f3fb65 --- /dev/null +++ b/homelab/authelia/docker-compose.yml @@ -0,0 +1,35 @@ +services: + authelia: + image: authelia/authelia:latest + container_name: authelia + restart: unless-stopped + volumes: + - ./config:/config + depends_on: + - lldap + environment: + JWT_SECRET: ${AUTHELIA_JWT_SECRET} + SESSION_SECRET: ${AUTHELIA_SESSION_SECRET} + STORAGE_ENCRYPTION_KEY: ${AUTHELIA_STORAGE_ENCRYPTION_KEY} + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: ${LLDAP_ADMIN_PASSWORD} + + lldap: + image: lldap/lldap:latest + container_name: lldap + restart: unless-stopped + volumes: + - data_lldap:/data + environment: + LLDAP_JWT_SECRET: ${LLDAP_JWT_SECRET} + LLDAP_KEY_SEED: ${LLDAP_KEY_SEED} + LLDAP_LDAP_BASE_DN: dc=bmrs,dc=nl + LLDAP_LDAP_USER_PASS: ${LLDAP_ADMIN_PASSWORD} + +volumes: + data_lldap: + +networks: + default: + name: proxy + external: true + diff --git a/homelab/caddy/Dockerfile b/homelab/caddy/Dockerfile new file mode 100644 index 0000000..64a4dc3 --- /dev/null +++ b/homelab/caddy/Dockerfile @@ -0,0 +1,8 @@ +FROM caddy:2.8-builder AS builder + +RUN xcaddy build \ + --with github.com/caddy-dns/cloudflare + +FROM caddy:2.8 + +COPY --from=builder /usr/bin/caddy /usr/bin/caddy diff --git a/homelab/caddy/README.md b/homelab/caddy/README.md new file mode 100644 index 0000000..b5bf719 --- /dev/null +++ b/homelab/caddy/README.md @@ -0,0 +1,2 @@ +# Caddy reverse proxy +Follow [this](https://github.com/caddy-dns/cloudflare) to obtain secrets diff --git a/homelab/caddy/caddyfiles/Caddyfile b/homelab/caddy/caddyfiles/Caddyfile index e69de29..ea4f651 100644 --- a/homelab/caddy/caddyfiles/Caddyfile +++ b/homelab/caddy/caddyfiles/Caddyfile @@ -0,0 +1,16 @@ +localhost { + respond "Hello world!" +} + + +*.timo.bmrs.nl timo.bmrs.nl { + tls { + dns cloudflare { + zone_token {env.CF_ZONE_TOKEN} + api_token {env.CF_API_TOKEN} + } + resolvers 1.1.1.1 + } + + import routes/* +} diff --git a/homelab/caddy/caddyfiles/routes/adguard b/homelab/caddy/caddyfiles/routes/adguard new file mode 100644 index 0000000..9db15fd --- /dev/null +++ b/homelab/caddy/caddyfiles/routes/adguard @@ -0,0 +1,9 @@ +@adguard host adguard.timo.bmrs.nl +handle @adguard { + forward_auth authelia:9091 { + uri /api/authz/forward-auth + copy_headers Remote-User Remote-Groups Remote-Email Remote-Name + } + + reverse_proxy adguardhome:3000 +} diff --git a/homelab/caddy/caddyfiles/routes/authelia b/homelab/caddy/caddyfiles/routes/authelia new file mode 100644 index 0000000..3110a0d --- /dev/null +++ b/homelab/caddy/caddyfiles/routes/authelia @@ -0,0 +1,9 @@ +@ldap host ldap.timo.bmrs.nl +handle @ldap { + reverse_proxy lldap:17170 +} + +@authelia host auth.timo.bmrs.nl +handle @authelia { + reverse_proxy authelia:9091 +} diff --git a/homelab/caddy/docker-compose.yml b/homelab/caddy/docker-compose.yml index 4ca5248..3c82eea 100644 --- a/homelab/caddy/docker-compose.yml +++ b/homelab/caddy/docker-compose.yml @@ -1,6 +1,6 @@ services: caddy: - image: caddy:2.8 + build: . container_name: caddy restart: unless-stopped cap_add: @@ -10,10 +10,18 @@ services: - 443:443 - 443:443/udp volumes: - - caddy_data:/data - - caddy_config:/config + - data:/data + - config:/config - ./caddyfiles:/etc/caddy/ + environment: + CF_ZONE_TOKEN: ${CF_ZONE_TOKEN} + CF_API_TOKEN: ${CF_API_TOKEN} volumes: - caddy_data: - caddy_config: + data: + config: + +networks: + default: + name: proxy + external: true diff --git a/hosts/pm01vm01/default.nix b/hosts/pm01vm01/default.nix index 4e0c30c..54210c5 100644 --- a/hosts/pm01vm01/default.nix +++ b/hosts/pm01vm01/default.nix @@ -37,7 +37,11 @@ # Enable ssh services.openssh.enable = true; - boot.kernelPackages = pkgs.linuxPackages_latest; + # Forward ports + networking.firewall = { + allowedTCPPorts = [ 80 443 53 ]; + allowedUDPPorts = [ 53 ]; + }; system.stateVersion = "24.05"; diff --git a/hosts/pm01vm01/hardware-configuration.nix b/hosts/pm01vm01/hardware-configuration.nix new file mode 100644 index 0000000..466f457 --- /dev/null +++ b/hosts/pm01vm01/hardware-configuration.nix @@ -0,0 +1,39 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ohci_pci" "ehci_pci" "virtio_pci" "ahci" "usbhid" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/649666ff-db85-4666-86d0-c088732505d6"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/A157-F96E"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/f8c0a59c-7e1a-4eb7-960e-20ba65fec156"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp0s8.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/modules/system/cli/docker.nix b/modules/system/cli/docker.nix index 80d4841..6f9a138 100644 --- a/modules/system/cli/docker.nix +++ b/modules/system/cli/docker.nix @@ -1,4 +1,4 @@ -{ ... }: +{ pkgs, ... }: { virtualisation.docker = { @@ -10,4 +10,13 @@ }; users.users.xeovalyte.extraGroups = [ "docker" ]; + + security.wrappers = { + docker-rootlesskit = { + owner = "root"; + group = "root"; + capabilities = "cap_net_bind_service+ep"; + source = "${pkgs.rootlesskit}/bin/rootlesskit"; + }; + }; } diff --git a/modules/system/hardware/firewall.nix b/modules/system/hardware/firewall.nix index 361d97b..7b9bb93 100644 --- a/modules/system/hardware/firewall.nix +++ b/modules/system/hardware/firewall.nix @@ -3,7 +3,7 @@ { networking.firewall = { enable = true; - allowedTCPPorts = [ 53317 3000 24800 ]; - allowedUDPPorts = [ 53317 24800 ]; + allowedTCPPorts = [ ]; + allowedUDPPorts = [ ]; }; }