From e82c1c7ab7c63d584a4ba1a89f86732717aec4f3 Mon Sep 17 00:00:00 2001 
From: RATDAD Date: Sun, 15 Feb 2026 17:02:20 -0500 Subject: Updated Authelia container template; added helper scripts --- .gitignore | 1 + stacks/.template/.container.env | 13 --------- stacks/.template/.env | 18 ------------ stacks/.template/compose.template.yml | 54 ----------------------------------- stacks/auth/.gitignore | 7 ----- stacks/auth/compose.cache.yml | 18 ------------ stacks/auth/compose.yml | 33 --------------------- stacks/auth/secrets.sh | 17 ----------- stacks/auth/util/genhash.sh | 8 ------ stacks/codex/.codex.env.template | 6 ---- stacks/codex/.env.template | 13 --------- stacks/codex/.gitignore | 4 --- stacks/codex/compose.yml | 26 ----------------- stacks/iam/.gitignore | 7 +++++ stacks/iam/TODO | 1 + stacks/iam/auth.env.example | 12 ++++++++ stacks/iam/compose.yml | 54 +++++++++++++++++++++++++++++++++++ stacks/iam/env.example | 17 +++++++++++ stacks/iam/util/gen-oidc-client.sh | 7 +++++ stacks/iam/util/gen-oidc-jwk.sh | 5 ++++ stacks/iam/util/gen-secrets.sh | 21 ++++++++++++++ stacks/iam/util/gen-user-passwd.sh | 8 ++++++ 22 files changed, 133 insertions(+), 217 deletions(-) delete mode 100644 stacks/.template/.container.env delete mode 100644 stacks/.template/.env delete mode 100644 stacks/.template/compose.template.yml delete mode 100644 stacks/auth/.gitignore delete mode 100644 stacks/auth/compose.cache.yml delete mode 100644 stacks/auth/compose.yml delete mode 100755 stacks/auth/secrets.sh delete mode 100644 stacks/auth/util/genhash.sh delete mode 100644 stacks/codex/.codex.env.template delete mode 100644 stacks/codex/.env.template delete mode 100644 stacks/codex/.gitignore delete mode 100644 stacks/codex/compose.yml create mode 100644 stacks/iam/.gitignore create mode 100644 stacks/iam/TODO create mode 100644 stacks/iam/auth.env.example create mode 100644 stacks/iam/compose.yml create mode 100644 stacks/iam/env.example create mode 100755 stacks/iam/util/gen-oidc-client.sh create mode 100755 stacks/iam/util/gen-oidc-jwk.sh create mode 
100755 stacks/iam/util/gen-secrets.sh create mode 100755 stacks/iam/util/gen-user-passwd.sh
diff --git a/.gitignore b/.gitignore
index 7f4b696..ea4ca75 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 .editorconfig
+srv/
diff --git a/stacks/.template/.container.env b/stacks/.template/.container.env
deleted file mode 100644
index 511f12d..0000000
--- a/stacks/.template/.container.env
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-#
-# Stack Runtime Variables
-
-# Auth
-USERNAME=
-PASSWORD=
-
-SECRET=
-
-# Database
-DB_USER=
-ET_CETERA=
diff --git a/stacks/.template/.env b/stacks/.template/.env
deleted file mode 100644
index d8fd2d5..0000000
--- a/stacks/.template/.env
+++ /dev/null
@@ -1,18 +0,0 @@
-#
-#
-# Stack Compose Variables
-
-# Namespace
-_STACK_0=
-_CONTAINER_0=
-
-_STACK_1=
-_CONTAINER_1=
-
-# Network
-_NET_0=
-_NET_1=
-
-# Volumes
-_VOLUME_0=
-_VOLUME_1=
diff --git a/stacks/.template/compose.template.yml b/stacks/.template/compose.template.yml
deleted file mode 100644
index 65895df..0000000
--- a/stacks/.template/compose.template.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-## Template compose used for each stack.
-name: ${_STACK_X} # Explicit project name (do not rely on directory name)
-
-networks:
- net:
- name: ${_NET_X}
- external: true # All networks SHOULD be external in production.
- net2:
- name: ${_NET_Y}
- external: true
-
-volumes:
- data:
- name: ${_VOLUME_X} # Naming Convention: _[PURPOSE]_VOLUME
- external: true # All volumes SHOULD be external in production.
- config:
- name: ${_VOLUME_Y}
- external: true
- custom:
- name: ${_VOLUME_Z} # Custom volumes may not be external depending on the stack.
- # External volumes are not required for local stack testing.
-
-services:
- servicename:
- container_name: ${_CONTAINER_X} # Explicitly named containers.
- image: ${_IMAGE_X}
- restart: unless-stopped
- env_file:
- # NOTE: .compose.env WILL override .env if there are overlapping values.
- - .compose.env # Compose wiring defaults go here
- - .env # Service env vars
- # Uncomment if bind mounting should not belong to root
- # UID and GID MUST be set in .env
- # user: '${UID}:${GID}'
- volumes:
- # Directory Bind Mounting
- # - ./conf:/etc/service:ro
-
- # External Docker Volume Mount
- - type: volume
- source: data # Must exist if external; overridden in local dev
- target: /data
- - type: volume
- source: config # Must exist if external; overridden in local dev
- target: /config
- - type: volume
- source: custom # Must exist if external; overridden in local dev
- target: /custom
- networks:
- - net
- expose:
- - 80
- - 9001
- - 67
diff --git a/stacks/auth/.gitignore b/stacks/auth/.gitignore
deleted file mode 100644
index 52db271..0000000
--- a/stacks/auth/.gitignore
+++ /dev/null
@@ -1,7 +0,0 @@
-*.env
-config/
-config/*
-secrets/
-secrets/*
-compose.local.yml
-compose.cache.local.yml
diff --git a/stacks/auth/compose.cache.yml b/stacks/auth/compose.cache.yml
deleted file mode 100644
index 4c7727a..0000000
--- a/stacks/auth/compose.cache.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-name: ${_STACK_1}
-
-networks:
- net:
- name: ${_NET_0}
- external: true
-
-services:
- servicename:
- container_name: ${_CONTAINER_1}
- image: redis:latest
- restart: unless-stopped
- env_file:
- .env
- networks:
- net
- expose:
- 6379
diff --git a/stacks/auth/compose.yml b/stacks/auth/compose.yml
deleted file mode 100644
index e935946..0000000
--- a/stacks/auth/compose.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-name: ${_STACK_0}
-
-networks:
- net:
- name: ${_NET_0}
- external: true
-
-secrets:
- JWT_SECRET:
- file: './secrets/JWT_SECRET'
- SESSION_SECRET:
- file: './secrets/SESSION_SECRET'
- STORAGE_ENCRYPTION:
- file: './secrets/STORAGE_ENCRYPTION'
- OIDC_HMAC_SECRET:
- file: './secrets/OIDC_HMAC_SECRET'
-
-services:
- auth:
- container_name: ${_CONTAINER_0}
- image: authelia/authelia:latest
- restart: unless-stopped
- user: '${UID}:${GID}'
- secrets: ['JWT_SECRET', 'SESSION_SECRET', 'STORAGE_ENCRYPTION', OIDC_HMAC_SECRET]
- env_file:
- .auth.env # Runtime Vars
- .env # Stack Vars
- volumes:
- ./config/:/config
- networks:
- net
- expose:
- 9091
diff --git a/stacks/auth/secrets.sh b/stacks/auth/secrets.sh
deleted file mode 100755
index 19031da..0000000
--- a/stacks/auth/secrets.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/bash
-
-USERS=(RATDAD)
-SECRETS=(SESSION_SECRET STORAGE_ENCRYPTION JWT_SECRET OIDC_HMAC_SECRET)
-SECRET_DIR=$PWD/secrets
-
-[ ! -d "$SECRET_DIR" ] && mkdir -p "$SECRET_DIR"
-
-# Generate secrets
-for filename in "${SECRETS[@]}"; do
- openssl rand -hex 64 > "$SECRET_DIR"/"$filename"
-done
-
-# Generate admin passwords
-for filename in "${USERS[@]}"; do
- openssl rand -hex 12 > "$SECRET_DIR"/"$filename"
-done
diff --git a/stacks/auth/util/genhash.sh b/stacks/auth/util/genhash.sh
deleted file mode 100644
index d8202ee..0000000
--- a/stacks/auth/util/genhash.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-read -rp "Enter a password for the new user: " PASSWORD
-HASHED=$(docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password "${PASSWORD}")
-
-printf "Password: %s\n" "${PASSWORD}"
-printf "Hash: %s\n" "${HASHED}"
diff --git a/stacks/codex/.codex.env.template b/stacks/codex/.codex.env.template
deleted file mode 100644
index 9f373a5..0000000
--- a/stacks/codex/.codex.env.template
+++ /dev/null
@@ -1,6 +0,0 @@
-#
-#
-# Stack Runtime Variables
-SB_USER=
-SB_NAME=
-SB_DESCRIPTION=
diff --git a/stacks/codex/.env.template b/stacks/codex/.env.template
deleted file mode 100644
index fa0eaba..0000000
--- a/stacks/codex/.env.template
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-#
-# Stack Compose Variables
-
-# Namespace
-_STACK=
-_CONTAINER=
-
-# Network
-_NET=
-
-# Volumes
-_DATA_VOLUME=
diff --git a/stacks/codex/.gitignore b/stacks/codex/.gitignore
deleted file mode 100644
index 8507661..0000000
--- a/stacks/codex/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-*.env
-space/
-space/**
-compose.local.yml
diff --git a/stacks/codex/compose.yml b/stacks/codex/compose.yml
deleted file mode 100644
index d144cb4..0000000
--- a/stacks/codex/compose.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: ${_STACK}
-
-networks:
- net:
- name: ${_NET}
- external: true
-
-volumes:
- data:
- name: ${_DATA_VOLUME}
- external: true
-
-services:
- silverbullet:
- container_name: ${_CONTAINER}
- image: ghcr.io/silverbulletmd/silverbullet
- restart: unless-stopped
- env_file:
- .env
- .codex.env
- networks:
- net
- expose:
- 3000
- volumes:
- data:/space
diff --git a/stacks/iam/.gitignore b/stacks/iam/.gitignore
new file mode 100644
index 0000000..4dfeb35
--- /dev/null
+++ b/stacks/iam/.gitignore
@@ -0,0 +1,7 @@
+*.env
+config/
+config/*
+secrets/
+secrets/*
+compose.test.yml
+compose.cache.test.yml
diff --git a/stacks/iam/TODO b/stacks/iam/TODO
new file mode 100644
index 0000000..dba0e14
--- /dev/null
+++ b/stacks/iam/TODO
@@ -0,0 +1 @@
+1. Make a script to initialize Authelia with an admin user and streamline prod setup.
diff --git a/stacks/iam/auth.env.example b/stacks/iam/auth.env.example
new file mode 100644
index 0000000..b5275ab
--- /dev/null
+++ b/stacks/iam/auth.env.example
@@ -0,0 +1,12 @@
+#
+#
+# Stack Runtime Variables
+
+# Authelia secrets
+AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE=/run/secrets/JWT_SECRET
+AUTHELIA_SESSION_SECRET_FILE=/run/secrets/SESSION_SECRET
+AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/STORAGE_ENCRYPTION
+AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE=/run/secrets/OIDC_HMAC_SECRET
+
+# Use Authelia's file filter in config.
+X_AUTHELIA_CONFIG_FILTERS=template
diff --git a/stacks/iam/compose.yml b/stacks/iam/compose.yml
new file mode 100644
index 0000000..af25bb9
--- /dev/null
+++ b/stacks/iam/compose.yml
@@ -0,0 +1,54 @@
+name: ${_STACK_0}
+
+networks:
+ net_0:
+ name: ${_NET_0}
+ external: true
+ net_1:
+ name: ${_NET_1}
+
+volumes:
+ volume_0:
+ name: ${_VOLUME_0}
+ external: true
+
+secrets:
+ JWT_SECRET:
+ file: '/srv/secrets/auth/JWT_SECRET'
+ SESSION_SECRET:
+ file: '/srv/secrets/auth/SESSION_SECRET'
+ STORAGE_ENCRYPTION:
+ file: '/srv/secrets/auth/STORAGE_ENCRYPTION'
+ OIDC_HMAC_SECRET:
+ file: '/srv/secrets/auth/OIDC_HMAC_SECRET'
+
+services:
+ auth:
+ container_name: ${_CONTAINER_0}
+ image: authelia/authelia:latest
+ restart: unless-stopped
+ secrets: ['JWT_SECRET', 'SESSION_SECRET', 'STORAGE_ENCRYPTION', 'OIDC_HMAC_SECRET']
+ env_file:
+ - .auth.env # Runtime Vars
+ - .env # Stack Vars
+ volumes:
+ - volume_0:/config/db
+ - /srv/secrets/auth/configuration.yml:/config/configuration.yml
+ - /srv/secrets/auth/users.yml:/config/users.yml
+ - /srv/secrets/auth/jwks/oidc-jwk.pem:/config/jwks/oidc-jwk.pem
+ - /srv/secrets/auth/jwks/oidc-jwk-pub.pem:/config/jwks/oidc-jwk-pub.pem
+ networks:
+ - net_0
+ - net_1
+ expose:
+ - 9091
+ auth-cache:
+ container_name: ${_CONTAINER_1}
+ image: redis:latest
+ restart: unless-stopped
+ env_file:
+ - .env
+ networks:
+ - net_1
+ expose:
+ - 6379
diff --git a/stacks/iam/env.example b/stacks/iam/env.example
new file mode 100644
index 0000000..913a774
--- /dev/null
+++ b/stacks/iam/env.example
@@ -0,0 +1,17 @@
+#
+#
+# Stack Compose Variables
+
+# Namespace
+_STACK_0=
+
+# Containers
+_CONTAINER_0=
+_CONTAINER_1=
+
+# Network
+_NET_0=
+_NET_1=
+
+# Volumes
+_VOLUME_0=
diff --git a/stacks/iam/util/gen-oidc-client.sh b/stacks/iam/util/gen-oidc-client.sh
new file mode 100755
index 0000000..ee6d79a
--- /dev/null
+++ b/stacks/iam/util/gen-oidc-client.sh
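Review bot: Both services float on unpinned tags at `image: authelia/authelia:latest` and `image: redis:latest`, so any pull can change the identity provider's version (and the config schema it expects) underneath a running stack; pin a release tag or digest, e.g. `image: authelia/authelia:<PINNED_VERSION>`. The auth compose this replaces ran the container with `user: '${UID}:${GID}'` and the new `auth` service sets no `user:`, so the process now runs as the image's default account — if the bind-mounted files under `/srv/secrets/auth/` are meant to be owned by an unprivileged host user, confirm that was intended rather than lost in the move. Nothing visible in this hunk or in `env.example` configures authentication for `auth-cache`, and it is reachable by anything joined to `net_1`, so the session store is only as private as that network; a comment on `net_1` saying it must carry no other services would make that assumption explicit.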
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+
+docker run --rm authelia/authelia:latest authelia crypto rand --length 72 --charset rfc3986
+docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
+
+printf "\n"
diff --git a/stacks/iam/util/gen-oidc-jwk.sh b/stacks/iam/util/gen-oidc-jwk.sh
new file mode 100755
index 0000000..48747fb
--- /dev/null
+++ b/stacks/iam/util/gen-oidc-jwk.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+set -euo pipefail
+
+openssl genrsa -out oidc-jwk.pem 2048
+openssl genrsa -in oidc-jwk.pem -outform PEM -pubout -out oidc-jwk-pub.pem
diff --git a/stacks/iam/util/gen-secrets.sh b/stacks/iam/util/gen-secrets.sh
new file mode 100755
index 0000000..832f5d8
--- /dev/null
+++ b/stacks/iam/util/gen-secrets.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+USERS=(RATDAD)
+SECRETS=(SESSION_SECRET STORAGE_ENCRYPTION JWT_SECRET OIDC_HMAC_SECRET)
+SECRET_DIR=$PWD/secrets
+
+[ ! -d "$SECRET_DIR" ] && mkdir -p "$SECRET_DIR"
+
+# Generate secrets
+for filename in "${SECRETS[@]}"; do
+ if [ ! -f "$SECRET_DIR"/"$filename" ]; then
+ openssl rand -hex 64 > "$SECRET_DIR"/"$filename"
+ fi
+done
+
+# Generate admin passwords
+for filename in "${USERS[@]}"; do
+ if [ ! -f "$SECRET_DIR"/"$filename" ]; then
+ openssl rand -hex 12 > "$SECRET_DIR"/"$filename"
+ fi
+done
diff --git a/stacks/iam/util/gen-user-passwd.sh b/stacks/iam/util/gen-user-passwd.sh
new file mode 100755
index 0000000..d8202ee
--- /dev/null
+++ b/stacks/iam/util/gen-user-passwd.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -euo pipefail
+
+read -rp "Enter a password for the new user: " PASSWORD
+HASHED=$(docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password "${PASSWORD}")
+
+printf "Password: %s\n" "${PASSWORD}"
+printf "Hash: %s\n" "${HASHED}"
-- 
cgit v1.2.3-70-g09d2
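Review bot: The two `docker run` invocations in `gen-oidc-client.sh` are independent, so the value printed by `authelia crypto rand` on line 4 is not the value digested on line 5 — `hash generate ... --random` draws its own random input — and an operator who pairs the first output as the client secret with the second as its digest gets a pair that never validates. As far as I recall the `--random` mode already prints the generated secret alongside the digest, in which case line 4 is redundant and can be dropped; if the intent is to hash a value the script controls, pass it explicitly the way `gen-user-passwd.sh` does, `--password "$SECRET"`, instead of `--random`. Either way a header comment stating which output goes into the relying party and which into Authelia's client entry would prevent the mismatch from recurring.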
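Review bot: Line 5 of `gen-oidc-jwk.sh`, `openssl genrsa -in oidc-jwk.pem -outform PEM -pubout -out oidc-jwk-pub.pem`, uses the wrong subcommand: `genrsa` only generates keys and accepts neither `-in` nor `-pubout`, so under `set -euo pipefail` the script exits after writing the private key and never produces the public half. Extracting the public key is `openssl rsa -in oidc-jwk.pem -pubout -out oidc-jwk-pub.pem`. The private key is also created with the caller's default umask and silently overwrites an existing `oidc-jwk.pem`; a `umask 077` before `genrsa` and the same `[ ! -f ... ]` guard that `gen-secrets.sh` applies would keep the key owner-only and stop an accidental rotation of the OIDC signing key. The compose file mounts these from `/srv/secrets/auth/jwks/`, while the script writes to the current directory, so a comment naming the expected destination would help too.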
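Review bot: `gen-secrets.sh` writes to `SECRET_DIR=$PWD/secrets` (line 5) while `compose.yml` in the same commit reads the same secret names from `/srv/secrets/auth/`, so running the script from the stack directory produces files the stack never mounts; either point `SECRET_DIR` at that path or document the copy step in a header comment. The secret files inherit the caller's umask, so `openssl rand -hex 64 > "$SECRET_DIR"/"$filename"` will usually leave a file readable by every local account; add `umask 077` directly after the shebang. Unlike the sibling scripts this one has no `set -euo pipefail`, so a failing `openssl` leaves an empty file behind that the `[ ! -f ... ]` guard then treats as already generated on every later run. The `USERS` loop stores a plaintext password under `secrets/RATDAD` beside the signing secrets; if it is only a seed value to feed `gen-user-passwd.sh`, say so in the comment above the loop.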