From e82c1c7ab7c63d584a4ba1a89f86732717aec4f3 Mon Sep 17 00:00:00 2001
From: RATDAD
Date: Sun, 15 Feb 2026 17:02:20 -0500
Subject: Updated Authelia container template; added helper scripts
---
 stacks/iam/util/gen-oidc-client.sh | 7 +++++++
 stacks/iam/util/gen-oidc-jwk.sh | 5 +++++
 stacks/iam/util/gen-secrets.sh | 21 +++++++++++++++++++++
 stacks/iam/util/gen-user-passwd.sh | 8 ++++++++
 4 files changed, 41 insertions(+)
 create mode 100755 stacks/iam/util/gen-oidc-client.sh
 create mode 100755 stacks/iam/util/gen-oidc-jwk.sh
 create mode 100755 stacks/iam/util/gen-secrets.sh
 create mode 100755 stacks/iam/util/gen-user-passwd.sh
(limited to 'stacks/iam/util')
diff --git a/stacks/iam/util/gen-oidc-client.sh b/stacks/iam/util/gen-oidc-client.sh
new file mode 100755
index 0000000..ee6d79a
--- /dev/null
+++ b/stacks/iam/util/gen-oidc-client.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+
+docker run --rm authelia/authelia:latest authelia crypto rand --length 72 --charset rfc3986
+docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
+
+printf "\n"
diff --git a/stacks/iam/util/gen-oidc-jwk.sh b/stacks/iam/util/gen-oidc-jwk.sh
new file mode 100755
index 0000000..48747fb
--- /dev/null
+++ b/stacks/iam/util/gen-oidc-jwk.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+set -euo pipefail
+
+openssl genrsa -out oidc-jwk.pem 2048
+openssl genrsa -in oidc-jwk.pem -outform PEM -pubout -out oidc-jwk-pub.pem
diff --git a/stacks/iam/util/gen-secrets.sh b/stacks/iam/util/gen-secrets.sh
new file mode 100755
index 0000000..832f5d8
--- /dev/null
+++ b/stacks/iam/util/gen-secrets.sh
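Review bot: The two `docker run` lines in gen-oidc-client.sh produce unrelated values: `authelia crypto rand` prints one random string, and `hash generate pbkdf2 --random` draws its own fresh password and (as far as I recall the CLI) prints that password next to the digest. An operator who pairs the first line's string as the client_secret with the second line's digest gets an OIDC client that can never authenticate, and nothing in the script warns about this. Drop the first `docker run` line so the only secret on screen is the one the digest was computed from, or add a comment stating that the second command's "Random Password" output is the value to give the client. Separately, `authelia/authelia:latest` is unpinned; pinning a version tag (or digest) keeps secret generation reproducible and avoids silently pulling a different image into a credential-generation path.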
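Review bot: The second line of gen-oidc-jwk.sh cannot work: `openssl genrsa` has no `-in` or `-pubout` option, so under `set -euo pipefail` the script aborts after writing the private key and never produces the public key. Public-key extraction is the `rsa` subcommand: `openssl rsa -in oidc-jwk.pem -pubout -out oidc-jwk-pub.pem`. Not every OpenSSL build creates the private key with mode 0600, so a `umask 077` before `genrsa` is cheap insurance against leaving the OIDC signing key world-readable in the current directory.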
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+USERS=(RATDAD)
+SECRETS=(SESSION_SECRET STORAGE_ENCRYPTION JWT_SECRET OIDC_HMAC_SECRET)
+SECRET_DIR=$PWD/secrets
+
+[ ! -d "$SECRET_DIR" ] && mkdir -p "$SECRET_DIR"
+
+# Generate secrets
+for filename in "${SECRETS[@]}"; do
+ if [ ! -f "$SECRET_DIR"/"$filename" ]; then
+ openssl rand -hex 64 > "$SECRET_DIR"/"$filename"
+ fi
+done
+
+# Generate admin passwords
+for filename in "${USERS[@]}"; do
+ if [ ! -f "$SECRET_DIR"/"$filename" ]; then
+ openssl rand -hex 12 > "$SECRET_DIR"/"$filename"
+ fi
+done
diff --git a/stacks/iam/util/gen-user-passwd.sh b/stacks/iam/util/gen-user-passwd.sh
new file mode 100755
index 0000000..d8202ee
--- /dev/null
+++ b/stacks/iam/util/gen-user-passwd.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -euo pipefail
+
+read -rp "Enter a password for the new user: " PASSWORD
+HASHED=$(docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password "${PASSWORD}")
+
+printf "Password: %s\n" "${PASSWORD}"
+printf "Hash: %s\n" "${HASHED}"
-- 
cgit v1.2.3-70-g09d2
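Review bot: `openssl rand -hex 64 > "$SECRET_DIR"/"$filename"` creates each secret file with the caller's umask, which on most hosts is 022, so the session, storage-encryption, JWT and OIDC HMAC secrets land world-readable under `$PWD/secrets`. Set `umask 077` before the first write (and `chmod 700 "$SECRET_DIR"` after `mkdir -p`) so both the directory and the files are owner-only from creation rather than fixed up afterwards. This is also the only script in the commit without `set -euo pipefail`; without `-e` a failing `openssl rand` still leaves an empty file behind via the redirection, and the `! -f` guard then skips it forever on reruns, so add `set -euo pipefail` and consider testing with `-s` (non-empty) instead of `-f`. Two lines near the top cover the first two points: `set -euo pipefail` and `umask 077`.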
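Review bot: In gen-user-passwd.sh the plaintext password is handed to `docker run ... --password "${PASSWORD}"` on the command line, so it is visible in `ps` on the host and in `docker inspect` for as long as the container exists, and with `set -x` or shell tracing it lands in logs. It is also echoed to the terminal twice: `read -rp` does not suppress echo, and `printf "Password: %s\n"` prints it again afterwards, leaving it in scrollback. Use `read -rsp "Enter a password for the new user: " PASSWORD; printf '\n'` and drop the `Password:` printf; for the argv exposure, I believe the authelia CLI prompts interactively when `--password` is omitted, so running the container with `-i` and letting it prompt avoids putting the secret in the process list (worth confirming against the installed version). As with the other scripts, `authelia/authelia:latest` should be pinned to a known tag or digest.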