authorRATDAD <lambda@disroot.org>2026-02-15 17:02:20 -0500
committerRATDAD <lambda@disroot.org>2026-02-15 17:02:20 -0500
commite82c1c7ab7c63d584a4ba1a89f86732717aec4f3 (patch)
tree379c607401ce754921e22a7fe7ecc6a1e0f36f4c /stacks/iam
parenta3f074fc780747f0cedfb8184502fc8e8834457a (diff)
Updated Authelia container template; added helper scripts
Diffstat (limited to 'stacks/iam')
-rw-r--r--stacks/iam/.gitignore7
-rw-r--r--stacks/iam/TODO1
-rw-r--r--stacks/iam/auth.env.example12
-rw-r--r--stacks/iam/compose.yml54
-rw-r--r--stacks/iam/env.example17
-rwxr-xr-xstacks/iam/util/gen-oidc-client.sh7
-rwxr-xr-xstacks/iam/util/gen-oidc-jwk.sh5
-rwxr-xr-xstacks/iam/util/gen-secrets.sh21
-rwxr-xr-xstacks/iam/util/gen-user-passwd.sh8
9 files changed, 132 insertions, 0 deletions
diff --git a/stacks/iam/.gitignore b/stacks/iam/.gitignore
new file mode 100644
index 0000000..4dfeb35
--- /dev/null
+++ b/stacks/iam/.gitignore
@@ -0,0 +1,7 @@
+*.env
+config/
+config/*
+secrets/
+secrets/*
+compose.test.yml
+compose.cache.test.yml
diff --git a/stacks/iam/TODO b/stacks/iam/TODO
new file mode 100644
index 0000000..dba0e14
--- /dev/null
+++ b/stacks/iam/TODO
@@ -0,0 +1 @@
+1. Make a script to initialize Authelia with an admin user and streamline prod setup.
diff --git a/stacks/iam/auth.env.example b/stacks/iam/auth.env.example
new file mode 100644
index 0000000..b5275ab
--- /dev/null
+++ b/stacks/iam/auth.env.example
@@ -0,0 +1,12 @@
+#
+#
+# Stack Runtime Variables
+
+# Authelia secrets
+AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE=/run/secrets/JWT_SECRET
+AUTHELIA_SESSION_SECRET_FILE=/run/secrets/SESSION_SECRET
+AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/STORAGE_ENCRYPTION
+AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE=/run/secrets/OIDC_HMAC_SECRET
+
+# Use Authelia's file filter in config.
+X_AUTHELIA_CONFIG_FILTERS=template
diff --git a/stacks/iam/compose.yml b/stacks/iam/compose.yml
new file mode 100644
index 0000000..af25bb9
--- /dev/null
+++ b/stacks/iam/compose.yml
@@ -0,0 +1,54 @@
+name: ${_STACK_0}
+
+networks:
+ net_0:
+ name: ${_NET_0}
+ external: true
+ net_1:
+ name: ${_NET_1}
+
+volumes:
+ volume_0:
+ name: ${_VOLUME_0}
+ external: true
+
+secrets:
+ JWT_SECRET:
+ file: '/srv/secrets/auth/JWT_SECRET'
+ SESSION_SECRET:
+ file: '/srv/secrets/auth/SESSION_SECRET'
+ STORAGE_ENCRYPTION:
+ file: '/srv/secrets/auth/STORAGE_ENCRYPTION'
+ OIDC_HMAC_SECRET:
+ file: '/srv/secrets/auth/OIDC_HMAC_SECRET'
+
+services:
+ auth:
+ container_name: ${_CONTAINER_0}
+ image: authelia/authelia:latest
+ restart: unless-stopped
+ secrets: ['JWT_SECRET', 'SESSION_SECRET', 'STORAGE_ENCRYPTION', 'OIDC_HMAC_SECRET']
+ env_file:
+ - .auth.env # Runtime Vars
+ - .env # Stack Vars
+ volumes:
+ - volume_0:/config/db
+ - /srv/secrets/auth/configuration.yml:/config/configuration.yml
+ - /srv/secrets/auth/users.yml:/config/users.yml
+ - /srv/secrets/auth/jwks/oidc-jwk.pem:/config/jwks/oidc-jwk.pem
+ - /srv/secrets/auth/jwks/oidc-jwk-pub.pem:/config/jwks/oidc-jwk-pub.pem
+ networks:
+ - net_0
+ - net_1
+ expose:
+ - 9091
+ auth-cache:
+ container_name: ${_CONTAINER_1}
+ image: redis:latest
+ restart: unless-stopped
+ env_file:
+ - .env
+ networks:
+ - net_1
+ expose:
+ - 6379
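Review bot: Both services run unpinned images (`image: authelia/authelia:latest` under `auth`, `image: redis:latest` under `auth-cache`), so every pull can silently change the identity provider's version, including Authelia configuration-schema changes that would break the bind-mounted configuration.yml; pin each to a release tag and ideally a digest, e.g. `image: authelia/authelia:<release>@sha256:<digest>`. The bind mounts for configuration.yml and the two JWK files in the `volumes:` list carry no mount option, so a compromised container can rewrite its own config and OIDC signing key; append `:ro` to those three mounts (`- /srv/secrets/auth/jwks/oidc-jwk.pem:/config/jwks/oidc-jwk.pem:ro`), leaving users.yml writable only if the file-backend password-reset flow is actually used. Note also that `auth-cache` is started with no authentication, so anything attached to `net_1` can read or write sessions; whether that is acceptable depends on what else joins that network, which is not visible here.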
diff --git a/stacks/iam/env.example b/stacks/iam/env.example
new file mode 100644
index 0000000..913a774
--- /dev/null
+++ b/stacks/iam/env.example
@@ -0,0 +1,17 @@
+#
+#
+# Stack Compose Variables
+
+# Namespace
+_STACK_0=
+
+# Containers
+_CONTAINER_0=
+_CONTAINER_1=
+
+# Network
+_NET_0=
+_NET_1=
+
+# Volumes
+_VOLUME_0=
diff --git a/stacks/iam/util/gen-oidc-client.sh b/stacks/iam/util/gen-oidc-client.sh
new file mode 100755
index 0000000..ee6d79a
--- /dev/null
+++ b/stacks/iam/util/gen-oidc-client.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+
+docker run --rm authelia/authelia:latest authelia crypto rand --length 72 --charset rfc3986
+docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
+
+printf "\n"
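Review bot: The two `docker run` lines generate independent random values, so the plaintext printed by `authelia crypto rand --length 72 ...` is not the preimage of the digest printed by `authelia crypto hash generate pbkdf2 ... --random`; an operator who pairs the two ends up with an OIDC client whose `client_secret` never matches the configured hash. As far as I recall, `--random` already prints both the random password and its digest, so the `crypto rand` invocation should be dropped (or its value fed to the second command via `--password` instead of `--random`). Like compose.yml, the helper runs `authelia/authelia:latest`; pin it to the same tag as the deployed server so the hash format it emits is one the server accepts.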
diff --git a/stacks/iam/util/gen-oidc-jwk.sh b/stacks/iam/util/gen-oidc-jwk.sh
new file mode 100755
index 0000000..48747fb
--- /dev/null
+++ b/stacks/iam/util/gen-oidc-jwk.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+set -euo pipefail
+
+openssl genrsa -out oidc-jwk.pem 2048
+openssl genrsa -in oidc-jwk.pem -outform PEM -pubout -out oidc-jwk-pub.pem
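Review bot: The second line, `openssl genrsa -in oidc-jwk.pem -outform PEM -pubout -out oidc-jwk-pub.pem`, uses `genrsa` to derive the public key, but `genrsa` accepts neither `-in` nor `-pubout`, so under `set -e` the script aborts right after writing the private key; the public-key step should be `openssl rsa -in oidc-jwk.pem -pubout -out oidc-jwk-pub.pem`. The private key is also written with the caller's default umask, typically yielding a 0644 file, so add `umask 077` before the `genrsa` line so oidc-jwk.pem is created owner-only (and `chmod 644 oidc-jwk-pub.pem` afterwards if the public half needs wider read). Both key files land in the current directory while compose.yml mounts them from /srv/secrets/auth/jwks/, so a comment on the intended copy step would help.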
diff --git a/stacks/iam/util/gen-secrets.sh b/stacks/iam/util/gen-secrets.sh
new file mode 100755
index 0000000..832f5d8
--- /dev/null
+++ b/stacks/iam/util/gen-secrets.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+USERS=(RATDAD)
+SECRETS=(SESSION_SECRET STORAGE_ENCRYPTION JWT_SECRET OIDC_HMAC_SECRET)
+SECRET_DIR=$PWD/secrets
+
+[ ! -d "$SECRET_DIR" ] && mkdir -p "$SECRET_DIR"
+
+# Generate secrets
+for filename in "${SECRETS[@]}"; do
+ if [ ! -f "$SECRET_DIR"/"$filename" ]; then
+ openssl rand -hex 64 > "$SECRET_DIR"/"$filename"
+ fi
+done
+
+# Generate admin passwords
+for filename in "${USERS[@]}"; do
+ if [ ! -f "$SECRET_DIR"/"$filename" ]; then
+ openssl rand -hex 12 > "$SECRET_DIR"/"$filename"
+ fi
+done
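Review bot: The script lacks the `set -euo pipefail` the sibling helpers use and writes every secret with the caller's default umask, so `openssl rand -hex 64 > "$SECRET_DIR"/"$filename"` typically produces world-readable session, storage-encryption and JWT secrets, and `mkdir -p "$SECRET_DIR"` creates a world-listable directory. Add `set -euo pipefail` after the shebang, `umask 077` before the first write, and `mkdir -p -m 700 "$SECRET_DIR"`. `openssl rand -hex` also appends a trailing newline to each file; I believe Authelia trims trailing whitespace when reading `_FILE` secrets, but confirm, and if not write them with `printf '%s'`. The per-user files under "Generate admin passwords" hold plaintext passwords beside the server secrets; since the TODO says a later script will handle admin bootstrap, consider whether these files need to exist at all.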
diff --git a/stacks/iam/util/gen-user-passwd.sh b/stacks/iam/util/gen-user-passwd.sh
new file mode 100755
index 0000000..d8202ee
--- /dev/null
+++ b/stacks/iam/util/gen-user-passwd.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -euo pipefail
+
+read -rp "Enter a password for the new user: " PASSWORD
+HASHED=$(docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password "${PASSWORD}")
+
+printf "Password: %s\n" "${PASSWORD}"
+printf "Hash: %s\n" "${HASHED}"
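Review bot: `read -rp` on the first line of the body echoes the password to the terminal as it is typed, and `--password "${PASSWORD}"` then places it in the `docker run` argument vector, where it is visible in `ps`/`/proc` to every user on the host (and inside the container) for the duration of the hash. Use `read -rsp "Enter a password for the new user: " PASSWORD; printf '\n'` so the input is not echoed, and if the Authelia CLI's interactive prompt (running `crypto hash generate argon2` without `--password` under `docker run -it`) works in this environment, prefer it so the secret never appears in process arguments. Since the operator typed it, the `printf "Password: %s\n"` echo is redundant and leaves the plaintext in scrollback; drop it or make it opt-in.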