From e82c1c7ab7c63d584a4ba1a89f86732717aec4f3 Mon Sep 17 00:00:00 2001
From: RATDAD
Date: Sun, 15 Feb 2026 17:02:20 -0500
Subject: Updated Authelia container template; added helper scripts

---
stacks/iam/.gitignore | 7 +++++
stacks/iam/TODO | 1 +
stacks/iam/auth.env.example | 12 +++++++++
stacks/iam/compose.yml | 54 ++++++++++++++++++++++++++++++++++++++
stacks/iam/env.example | 17 ++++++++++++
stacks/iam/util/gen-oidc-client.sh | 7 +++++
stacks/iam/util/gen-oidc-jwk.sh | 5 ++++
stacks/iam/util/gen-secrets.sh | 21 +++++++++++++++
stacks/iam/util/gen-user-passwd.sh | 8 ++++++
9 files changed, 132 insertions(+)
create mode 100644 stacks/iam/.gitignore
create mode 100644 stacks/iam/TODO
create mode 100644 stacks/iam/auth.env.example
create mode 100644 stacks/iam/compose.yml
create mode 100644 stacks/iam/env.example
create mode 100755 stacks/iam/util/gen-oidc-client.sh
create mode 100755 stacks/iam/util/gen-oidc-jwk.sh
create mode 100755 stacks/iam/util/gen-secrets.sh
create mode 100755 stacks/iam/util/gen-user-passwd.sh
(limited to 'stacks/iam')
diff --git a/stacks/iam/.gitignore b/stacks/iam/.gitignore
new file mode 100644
index 0000000..4dfeb35
--- /dev/null
+++ b/stacks/iam/.gitignore
@@ -0,0 +1,7 @@
+*.env
+config/
+config/*
+secrets/
+secrets/*
+compose.test.yml
+compose.cache.test.yml
diff --git a/stacks/iam/TODO b/stacks/iam/TODO
new file mode 100644
index 0000000..dba0e14
--- /dev/null
+++ b/stacks/iam/TODO
@@ -0,0 +1 @@
+1. Make a script to initialize Authelia with an admin user and streamline prod setup.
diff --git a/stacks/iam/auth.env.example b/stacks/iam/auth.env.example
new file mode 100644
index 0000000..b5275ab
--- /dev/null
+++ b/stacks/iam/auth.env.example
@@ -0,0 +1,12 @@
+#
+#
+# Stack Runtime Variables
+
+# Authelia secrets
+AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE=/run/secrets/JWT_SECRET
+AUTHELIA_SESSION_SECRET_FILE=/run/secrets/SESSION_SECRET
+AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/STORAGE_ENCRYPTION
+AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE=/run/secrets/OIDC_HMAC_SECRET
+
+# Use Authelia's file filter in config.
+X_AUTHELIA_CONFIG_FILTERS=template
diff --git a/stacks/iam/compose.yml b/stacks/iam/compose.yml
new file mode 100644
index 0000000..af25bb9
--- /dev/null
+++ b/stacks/iam/compose.yml
@@ -0,0 +1,54 @@
+name: ${_STACK_0}
+
+networks:
+ net_0:
+ name: ${_NET_0}
+ external: true
+ net_1:
+ name: ${_NET_1}
+
+volumes:
+ volume_0:
+ name: ${_VOLUME_0}
+ external: true
+
+secrets:
+ JWT_SECRET:
+ file: '/srv/secrets/auth/JWT_SECRET'
+ SESSION_SECRET:
+ file: '/srv/secrets/auth/SESSION_SECRET'
+ STORAGE_ENCRYPTION:
+ file: '/srv/secrets/auth/STORAGE_ENCRYPTION'
+ OIDC_HMAC_SECRET:
+ file: '/srv/secrets/auth/OIDC_HMAC_SECRET'
+
+services:
+ auth:
+ container_name: ${_CONTAINER_0}
+ image: authelia/authelia:latest
+ restart: unless-stopped
+ secrets: ['JWT_SECRET', 'SESSION_SECRET', 'STORAGE_ENCRYPTION', 'OIDC_HMAC_SECRET']
+ env_file:
+ - .auth.env # Runtime Vars
+ - .env # Stack Vars
+ volumes:
+ - volume_0:/config/db
+ - /srv/secrets/auth/configuration.yml:/config/configuration.yml
+ - /srv/secrets/auth/users.yml:/config/users.yml
+ - /srv/secrets/auth/jwks/oidc-jwk.pem:/config/jwks/oidc-jwk.pem
+ - /srv/secrets/auth/jwks/oidc-jwk-pub.pem:/config/jwks/oidc-jwk-pub.pem
+ networks:
+ - net_0
+ - net_1
+ expose:
+ - 9091
+ auth-cache:
+ container_name: ${_CONTAINER_1}
+ image: redis:latest
+ restart: unless-stopped
+ env_file:
+ - .env
+ networks:
+ - net_1
+ expose:
+ - 6379
diff --git a/stacks/iam/env.example b/stacks/iam/env.example
new file mode 100644
index 0000000..913a774
--- /dev/null
+++ b/stacks/iam/env.example
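Review bot: Both services in the new compose.yml run mutable tags (`image: authelia/authelia:latest` and `image: redis:latest`), so each pull can silently swap out the identity provider and its backing store; pin both to a release tag and, ideally, a digest, e.g. `image: authelia/authelia:<version>@sha256:<digest>` with the values filled in from the chosen release. The `auth-cache` Redis service has no authentication configured, so every container attached to `${_NET_1}` can read and rewrite whatever Authelia keeps there (presumably sessions, given `AUTHELIA_SESSION_SECRET_FILE`, though the configuration.yml that decides this is not in the diff); supplying a `requirepass` through a secret and the matching password in Authelia's session Redis settings closes that. The helper scripts write to `./secrets` and the working directory while the `secrets:` and `volumes:` entries read from `/srv/secrets/auth`, which deserves a comment near the `secrets:` block so operators know the generated files must be moved there.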
@@ -0,0 +1,17 @@
+#
+#
+# Stack Compose Variables
+
+# Namespace
+_STACK_0=
+
+# Containers
+_CONTAINER_0=
+_CONTAINER_1=
+
+# Network
+_NET_0=
+_NET_1=
+
+# Volumes
+_VOLUME_0=
diff --git a/stacks/iam/util/gen-oidc-client.sh b/stacks/iam/util/gen-oidc-client.sh
new file mode 100755
index 0000000..ee6d79a
--- /dev/null
+++ b/stacks/iam/util/gen-oidc-client.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+
+docker run --rm authelia/authelia:latest authelia crypto rand --length 72 --charset rfc3986
+docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
+
+printf "\n"
diff --git a/stacks/iam/util/gen-oidc-jwk.sh b/stacks/iam/util/gen-oidc-jwk.sh
new file mode 100755
index 0000000..48747fb
--- /dev/null
+++ b/stacks/iam/util/gen-oidc-jwk.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+set -euo pipefail
+
+openssl genrsa -out oidc-jwk.pem 2048
+openssl genrsa -in oidc-jwk.pem -outform PEM -pubout -out oidc-jwk-pub.pem
diff --git a/stacks/iam/util/gen-secrets.sh b/stacks/iam/util/gen-secrets.sh
new file mode 100755
index 0000000..832f5d8
--- /dev/null
+++ b/stacks/iam/util/gen-secrets.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+USERS=(RATDAD)
+SECRETS=(SESSION_SECRET STORAGE_ENCRYPTION JWT_SECRET OIDC_HMAC_SECRET)
+SECRET_DIR=$PWD/secrets
+
+[ ! -d "$SECRET_DIR" ] && mkdir -p "$SECRET_DIR"
+
+# Generate secrets
+for filename in "${SECRETS[@]}"; do
+ if [ ! -f "$SECRET_DIR"/"$filename" ]; then
+ openssl rand -hex 64 > "$SECRET_DIR"/"$filename"
+ fi
+done
+
+# Generate admin passwords
+for filename in "${USERS[@]}"; do
+ if [ ! -f "$SECRET_DIR"/"$filename" ]; then
+ openssl rand -hex 12 > "$SECRET_DIR"/"$filename"
+ fi
+done
diff --git a/stacks/iam/util/gen-user-passwd.sh b/stacks/iam/util/gen-user-passwd.sh
new file mode 100755
index 0000000..d8202ee
--- /dev/null
+++ b/stacks/iam/util/gen-user-passwd.sh
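Review bot: The two `docker run` lines in gen-oidc-client.sh produce unrelated values: `crypto rand` prints one random string, while `crypto hash generate pbkdf2 --random` generates and hashes a second random password of its own, so the first string does not correspond to the printed digest. If the intent is to emit a client secret together with its hash, drop the first command and use the password that the `--random` invocation itself prints next to the digest (that is how I read the CLI's `--random` option; verify against the installed version), otherwise an operator can register a secret that will never match. The image is also run as `authelia/authelia:latest`; pinning it to the same tag as compose.yml keeps the hash parameters consistent with the server that verifies them.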
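Review bot: The second command in gen-oidc-jwk.sh, `openssl genrsa -in oidc-jwk.pem -outform PEM -pubout -out oidc-jwk-pub.pem`, cannot work: `genrsa` only generates keys and does not accept `-in` or `-pubout`, so under `set -e` the script stops after writing the private key and never produces the public file that compose.yml mounts. Deriving the public key is the `rsa` subcommand: `openssl rsa -in oidc-jwk.pem -pubout -out oidc-jwk-pub.pem`. Since oidc-jwk.pem is the OIDC signing key, it is worth setting `umask 077` at the top of the script (or confirming the mode OpenSSL assigns on the target version) so the file is not group- or world-readable while it sits in the working directory.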
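Review bot: gen-secrets.sh is the only script in this set without `set -euo pipefail`, and its `openssl rand ... > "$SECRET_DIR"/"$filename"` redirections create the secret and admin-password files with the caller's umask, typically 0644, so they are readable by every local user until something else fixes the mode. Add `set -euo pipefail` and `umask 077` directly under the shebang and create the directory with `mkdir -p -m 700 "$SECRET_DIR"` so both the directory and the files start out private. A comment above `USERS=(RATDAD)` noting that each entry produces a plaintext initial password file named after the user would also help the next person reading it.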
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -euo pipefail
+
+read -rp "Enter a password for the new user: " PASSWORD
+HASHED=$(docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password "${PASSWORD}")
+
+printf "Password: %s\n" "${PASSWORD}"
+printf "Hash: %s\n" "${HASHED}"
--
cgit v1.2.3-70-g09d2
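Review bot: `read -rp` in gen-user-passwd.sh echoes the password to the terminal as it is typed, and `--password "${PASSWORD}"` puts the secret on the `docker run` argv where it is visible to `ps` on the host for the lifetime of the command. Use `read -rsp "Enter a password for the new user: " PASSWORD; printf '\n'` so the input is not displayed, and prefer omitting `--password` so the Authelia CLI prompts for it itself (or feed it on stdin if the installed version supports that) instead of passing it as an argument. The final `printf "Password: %s\n" "${PASSWORD}"` re-prints the plaintext next to the hash; dropping it, or making it opt-in, keeps the password out of terminal scrollback and logs.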