Diffstat (limited to 'stacks/iam')
-rw-r--r--stacks/iam/.gitignore4
-rw-r--r--stacks/iam/compose.yml65
-rw-r--r--stacks/iam/env.template17
-rw-r--r--stacks/iam/iam.env.template12
-rwxr-xr-xstacks/iam/util/gen-oidc-client.sh7
-rwxr-xr-xstacks/iam/util/gen-oidc-jwk.sh5
-rwxr-xr-xstacks/iam/util/gen-secrets.sh21
-rwxr-xr-xstacks/iam/util/gen-user-passwd.sh8
8 files changed, 29 insertions, 110 deletions
diff --git a/stacks/iam/.gitignore b/stacks/iam/.gitignore
deleted file mode 100644
index 6b67a59..0000000
--- a/stacks/iam/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-*.env
-config
-secrets
-compose.test.yml
diff --git a/stacks/iam/compose.yml b/stacks/iam/compose.yml
index 3e516ca..398302d 100644
--- a/stacks/iam/compose.yml
+++ b/stacks/iam/compose.yml
@@ -1,62 +1,55 @@
-name: ${STACK}
-
networks:
- edge-net:
+ edge_net:
name: ${EDGE_NET}
external: true
- db-net:
+ db_net:
name: ${DB_NET}
external: true
cache-net:
volumes:
- config:
- name: ${IAM_CONFIG_VOLUME}
- external: true
+ name: ${IAM_DATA}
+ external: true
secrets:
- JWT_SECRET:
- file: './srv/secrets/auth/JWT_SECRET'
- SESSION_SECRET:
- file: './srv/secrets/auth/SESSION_SECRET'
- STORAGE_ENCRYPTION:
- file: './srv/secrets/auth/STORAGE_ENCRYPTION'
- OIDC_HMAC_SECRET:
- file: './srv/secrets/auth/OIDC_HMAC_SECRET'
- POSTGRES_PASSWORD:
- file: './srv/secrets/auth/POSTGRES_PASSWORD'
+ JWT:
+ file: '${ROOT}/secrets/iam/JWT'
+ SESSION:
+ file: '${ROOT}/secrets/iam/SESSION'
+ STORAGE:
+ file: '${ROOT}/secrets/iam/STORAGE'
+ OIDC_HMAC:
+ file: '${ROOT}/secrets/iam/OIDC_HMAC'
+ DB:
+ file: '${ROOT}/secrets/iam/DB'
services:
- auth-test:
- container_name: ${IAM_CONTAINER}
+ iam:
image: authelia/authelia:latest
restart: unless-stopped
- secrets: ['JWT_SECRET', 'SESSION_SECRET', 'STORAGE_ENCRYPTION', 'OIDC_HMAC_SECRET', 'POSTGRES_PASSWORD']
+ secrets: ['JWT', 'SESSION', 'STORAGE', 'OIDC_HMAC', 'POSTGRES']
environment:
- AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: '/run/secrets/JWT_SECRET'
- AUTHELIA_SESSION_SECRET_FILE: '/run/secrets/SESSION_SECRET'
- AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE_ENCRYPTION'
- AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE: '/run/secrets/OIDC_HMAC_SECRET'
- AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: '/run/secrets/POSTGRES_PASSWORD'
+ AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: '/run/secrets/JWT'
+ AUTHELIA_SESSION_SECRET_FILE: '/run/secrets/SESSION'
+ AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE'
+ AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE: '/run/secrets/OIDC_HMAC'
+ AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: '/run/secrets/DB'
X_AUTHELIA_CONFIG_FILTERS: 'template'
env_file:
- - .run.env # Runtime Vars
- .env # Stack Vars
user: "${UID}:${GID}"
volumes:
- - config:/config
- - ${CONFIG_FILE}:/config/configuration.yml
- - ${USERS_FILE}:/config/users.yml
- - ${JWK_PRIV_KEY}:/config/jwks/oidc-jwk.pem
- - ${JWK_PUBL_KEY}:/config/jwks/oidc-jwk-pub.pem
+ - ${CONFIG}/iam/configuration.yml:/config/configuration.yml
+ - ${CONFIG}/iam/users.yml:/config/users.yml
+ - ${SECRET}/iam/jwk/oidc-jwk.pem:/config/jwks/oidc-jwk.pem
+ - ${SECRET}/iam/jwk/oidc-jwk-pub.pem:/config/jwks/oidc-jwk-pub.pem
networks:
- - edge-net
- - db-net
- - cache-net
+ - edge_net
+ - db_net
+ - cache_net
expose:
- 9091
- auth-cache-test:
- container_name: ${IAM_CACHE_CONTAINER}
+ iam-cache:
image: redis:latest
restart: unless-stopped
env_file:
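Review bot: The service-level `secrets:` list on the new side names `'POSTGRES'`, but the top-level `secrets:` block defines `DB` and the environment points the password at `/run/secrets/DB`, so compose will reject the stack with an undefined-secret error (or, on a lax loader, the Postgres password file is simply never mounted); the entry should read `'DB'`. The same name drift applies to the cache network: the service now joins `cache_net` while the declaration is still the unchanged `cache-net:` line, so one side has to be renamed (`cache_net:` in the `networks:` block, or `- cache-net` in the service list). Under `volumes:` the added `name: ${IAM_DATA}` and `external: true` lines no longer sit beneath a volume key — the old `config:` entry was removed and nothing replaced it — which makes `volumes.name` a plain string and fails validation, and with the `config:/config` mount also gone the volume looks unused; unless a line was lost in rendering, either reinstate a key such as `data:` above those two lines or drop the block. Since this commit also deletes the stack's `.gitignore` that covered `secrets` and `*.env`, the new `${ROOT}/secrets/iam` and `${SECRET}/iam/jwk` trees need an ignore rule elsewhere, and the two spellings of the secret root (`${ROOT}/secrets` for the secrets block, `${SECRET}` for the JWK mounts) read as one variable that should be unified. The `iam-cache` service definition continues past the end of the hunk.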
diff --git a/stacks/iam/env.template b/stacks/iam/env.template
deleted file mode 100644
index b6a023e..0000000
--- a/stacks/iam/env.template
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-#
-# Stack Compose Variables
-
-# Namespace
-STACK=
-
-# Containers
-IAM_CONTAINER=
-IAM_CACHE_CONTAINER=
-
-# Network
-EDGE_NET=
-DB_NET=
-
-# Volumes
-IAM_CONFIG_VOLUME=
diff --git a/stacks/iam/iam.env.template b/stacks/iam/iam.env.template
deleted file mode 100644
index b5275ab..0000000
--- a/stacks/iam/iam.env.template
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-#
-# Stack Runtime Variables
-
-# Authelia secrets
-AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE=/run/secrets/JWT_SECRET
-AUTHELIA_SESSION_SECRET_FILE=/run/secrets/SESSION_SECRET
-AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/STORAGE_ENCRYPTION
-AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE=/run/secrets/OIDC_HMAC_SECRET
-
-# Use Authelia's file filter in config.
-X_AUTHELIA_CONFIG_FILTERS=template
diff --git a/stacks/iam/util/gen-oidc-client.sh b/stacks/iam/util/gen-oidc-client.sh
deleted file mode 100755
index ee6d79a..0000000
--- a/stacks/iam/util/gen-oidc-client.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-docker run --rm authelia/authelia:latest authelia crypto rand --length 72 --charset rfc3986
-docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
-
-printf "\n"
diff --git a/stacks/iam/util/gen-oidc-jwk.sh b/stacks/iam/util/gen-oidc-jwk.sh
deleted file mode 100755
index 48747fb..0000000
--- a/stacks/iam/util/gen-oidc-jwk.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-openssl genrsa -out oidc-jwk.pem 2048
-openssl genrsa -in oidc-jwk.pem -outform PEM -pubout -out oidc-jwk-pub.pem
diff --git a/stacks/iam/util/gen-secrets.sh b/stacks/iam/util/gen-secrets.sh
deleted file mode 100755
index 8ebec55..0000000
--- a/stacks/iam/util/gen-secrets.sh
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-
-USERS=(ADMIN)
-SECRETS=(SESSION_SECRET STORAGE_ENCRYPTION JWT_SECRET OIDC_HMAC_SECRET)
-SECRET_DIR=$PWD/secrets
-
-[ ! -d "$SECRET_DIR" ] && mkdir -p "$SECRET_DIR"
-
-# Generate secrets
-for filename in "${SECRETS[@]}"; do
- if [ ! -f "$SECRET_DIR"/"$filename" ]; then
- openssl rand -hex 64 > "$SECRET_DIR"/"$filename"
- fi
-done
-
-# Generate admin password
-for filename in "${USERS[@]}"; do
- if [ ! -f "$SECRET_DIR"/"$filename" ]; then
- openssl rand -hex 12 > "$SECRET_DIR"/"$filename"
- fi
-done
diff --git a/stacks/iam/util/gen-user-passwd.sh b/stacks/iam/util/gen-user-passwd.sh
deleted file mode 100755
index d8202ee..0000000
--- a/stacks/iam/util/gen-user-passwd.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-read -rp "Enter a password for the new user: " PASSWORD
-HASHED=$(docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password "${PASSWORD}")
-
-printf "Password: %s\n" "${PASSWORD}"
-printf "Hash: %s\n" "${HASHED}"