mirror of
https://github.com/onemarcfifty/authelia-proxmox-SSO.git
synced 2026-07-17 16:34:56 +00:00
1st commit
Signed-off-by: Marc Ahlgrim <marc@onemarcfifty.com>
This commit is contained in:
parent
73dfbbc4ef
commit
84f15606b7
4 changed files with 358 additions and 0 deletions
45
README.md
Normal file
45
README.md
Normal file
|
|
@ -0,0 +1,45 @@
|
|||
# authelia-proxmox-SSO
|
||||
|
||||
Automated install for Authelia running in a container e.g. on Proxmox
|
||||
|
||||
You can use this repository in order to run an automated installation of Authelia into e.g. a Proxmox Container. If you want to run it in Proxmox, do the following:
|
||||
|
||||
1. Create a _privileged_ container
|
||||
2. Give it 2 GB of RAM, 2 Cores, 8 GB of Disk (might be oversized)
|
||||
|
||||
The container needs to be privileged because it needs the `/dev/random` and/or `/dev/urandom` devices.
|
||||
|
||||
In order to install, open a shell on th container and type (as root)
|
||||
```bash
|
||||
wget https://raw.githubusercontent.com/onemarcfifty/authelia-proxmox-SSO/main/deploy_authelia.sh ; bash ./deploy_authelia.sh
|
||||
```
|
||||
|
||||
## editing the config files
|
||||
|
||||
In order to edit the config files, you could use nano or vi. However, editing yaml Files in those editors is quite a challenge because you need to take care of proper indentation etc. Another possibility is to use WinSCP or FileZilla and connect over ssh or sftp to the container, and then edit with your favorite editor (e.g. Visual Studio).
|
||||
|
||||
To enable root password login over ssh in order to edit the files type
|
||||
```bash
|
||||
sed -i s/^\#PermitRootLogin\ prohibit-password$/PermitRootLogin\ yes/ /etc/ssh/sshd_config
|
||||
systemctl restart ssh
|
||||
```
|
||||
|
||||
You can later change this back by typing
|
||||
```bash
|
||||
sed -i s/^PermitRootLogin\ yes/PermitRootLogin\ prohibit-password/ /etc/ssh/sshd_config
|
||||
systemctl restart ssh
|
||||
```
|
||||
|
||||
## Watch the video on YouTube
|
||||
|
||||
The necessary changes to the config files and how to implement SSO are outlined in [This video](https://youtube.com). In the video we implement SSO for
|
||||
|
||||
- Nextcloud
|
||||
- Proxmox
|
||||
- Portainer
|
||||
- Gitea
|
||||
|
||||
## More resources
|
||||
|
||||
The [Authelia Documentation](https://www.authelia.com/integration/openid-connect/introduction/) shows how to integrate OpenID Connect (OIDC) with various software platforms
|
||||
|
||||
3
Supporting Resources/README.md
Normal file
3
Supporting Resources/README.md
Normal file
|
|
@ -0,0 +1,3 @@
|
|||
# Supporting resources
|
||||
|
||||
If you have followed my video, then you can use the resources in this folder to accelerate the setup. The [authelia_config_sample.yml](authelia_config_sample.yml) file contains the Authelia config file the way it looked at the end of the video, after all changes.
|
||||
182
Supporting Resources/authelia_config_sample.yml
Normal file
182
Supporting Resources/authelia_config_sample.yml
Normal file
|
|
@ -0,0 +1,182 @@
|
|||
# ##############################################
|
||||
# ##############################################
|
||||
# ##############################################
|
||||
# This is the FULL authelia config
|
||||
# from the video with all OpenID providers added
|
||||
# Please use your own secrets!!!!
|
||||
# ##############################################
|
||||
# ##############################################
|
||||
# ##############################################
|
||||
|
||||
|
||||
|
||||
# #######################################
|
||||
# authelia config
|
||||
# source: https://florianmuller.com
|
||||
# #######################################
|
||||
|
||||
theme: dark
|
||||
default_redirection_url: https://sandbox-auth.example.com/
|
||||
|
||||
server:
|
||||
host: 127.0.0.1
|
||||
port: 9091
|
||||
asset_path: /etc/authelia/.assets/
|
||||
tls:
|
||||
key: /etc/authelia/certs/wildcard.key
|
||||
certificate: /etc/authelia/certs/wildcard_fullchain.crt
|
||||
|
||||
log:
|
||||
level: debug
|
||||
file_path: /var/log/authelia.log
|
||||
|
||||
totp:
|
||||
issuer: sandbox-auth.example.com
|
||||
|
||||
webauthn:
|
||||
disable: false
|
||||
display_name: Authelia
|
||||
attestation_conveyance_preference: indirect
|
||||
user_verification: discouraged
|
||||
timeout: 60s
|
||||
|
||||
ntp:
|
||||
address: "0.de.pool.ntp.org:123"
|
||||
version: 4
|
||||
max_desync: 3s
|
||||
disable_startup_check: false
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /etc/authelia/.users/users_database.yml
|
||||
password:
|
||||
algorithm: argon2id
|
||||
iterations: 1
|
||||
key_length: 32
|
||||
salt_length: 16
|
||||
memory: 1024
|
||||
parallelism: 8
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
rules: ### OPTIONAL SETTING
|
||||
# 2fa
|
||||
- domain: example.com
|
||||
policy: one_factor
|
||||
|
||||
session:
|
||||
name: authelia_session
|
||||
expiration: 3600 # 1 hour
|
||||
inactivity: 300 # 5 minutes
|
||||
domain: sandbox-auth.example.com
|
||||
same_site: lax
|
||||
remember_me_duration: 7d
|
||||
|
||||
regulation:
|
||||
max_retries: 3
|
||||
find_time: 120
|
||||
ban_time: 300
|
||||
|
||||
storage:
|
||||
local:
|
||||
path: /etc/authelia/.db/sqlite3.db
|
||||
|
||||
|
||||
notifier:
|
||||
disable_startup_check: false
|
||||
smtp:
|
||||
host: smtp.example.com
|
||||
port: 25
|
||||
timeout: 5s
|
||||
sender: "Authentication Service <noreply@auth.example.com>"
|
||||
subject: "{title}"
|
||||
startup_check_address: debug@example.com
|
||||
disable_require_tls: false
|
||||
disable_starttls: false
|
||||
disable_html_emails: false
|
||||
tls:
|
||||
skip_verify: true
|
||||
minimum_version: TLS1.2
|
||||
|
||||
###############################################################
|
||||
# OpenID endpoints
|
||||
###############################################################
|
||||
|
||||
identity_providers: ### OPTIONAL SETTING
|
||||
oidc:
|
||||
access_token_lifespan: 1h
|
||||
authorize_code_lifespan: 1m
|
||||
id_token_lifespan: 1h
|
||||
refresh_token_lifespan: 90m
|
||||
enable_client_debug_messages: false
|
||||
enforce_pkce: public_clients_only
|
||||
cors:
|
||||
endpoints:
|
||||
- authorization
|
||||
- token
|
||||
- revocation
|
||||
- introspection
|
||||
allowed_origins:
|
||||
- "*"
|
||||
allowed_origins_from_client_redirect_uris: false
|
||||
clients:
|
||||
# ###################
|
||||
- id: nextcloud
|
||||
# ###################
|
||||
description: NextCloud
|
||||
secret: '$plaintext$qUykh83Fw8qGtf5Y8ZJmG4DIJtm0ygQgSypLfsBNTDhLT75gecWjg65moab0B1bV'
|
||||
public: false
|
||||
authorization_policy: two_factor
|
||||
redirect_uris:
|
||||
- https://sandbox-nextcloud.example.com/apps/oidc_login/oidc
|
||||
- https://sandbox-nextcloud.example.com/index.php/apps/oidc_login/oidc
|
||||
|
||||
scopes:
|
||||
- openid
|
||||
- profile
|
||||
- email
|
||||
- groups
|
||||
userinfo_signing_algorithm: none
|
||||
# ###################
|
||||
- id: proxmox
|
||||
# ###################
|
||||
description: Proxmox
|
||||
secret: '$plaintext$urydGen3fhWDB5SX2hZNpXYtH7k7f8NDzdQ7lKUJ4hMOT6j4TDETq1r42Kwy6rDH'
|
||||
public: false
|
||||
authorization_policy: two_factor
|
||||
redirect_uris:
|
||||
- https://sandbox-proxmox.example.com:8006
|
||||
scopes:
|
||||
- openid
|
||||
- profile
|
||||
- email
|
||||
userinfo_signing_algorithm: none
|
||||
# ###################
|
||||
- id: portainer
|
||||
# ###################
|
||||
description: Portainer
|
||||
secret: '$plaintext$useNgEpSkm7Z59MOl1Fo97axf5HVAEfyDhV4NRJkDw9lYKMRIu3YBCtO3vsQaePZ'
|
||||
public: false
|
||||
authorization_policy: one_factor
|
||||
redirect_uris:
|
||||
- https://sandbox-docker.example.com:9443
|
||||
scopes:
|
||||
- openid
|
||||
- profile
|
||||
- groups
|
||||
- email
|
||||
userinfo_signing_algorithm: none
|
||||
# ###################
|
||||
- id: gitea
|
||||
# ###################
|
||||
description: Gitea
|
||||
secret: '$plaintext$frwhgwrthwrthwrthwethwgfhwrhtwrthwrthwrhgwdfgjzrwthrth'
|
||||
public: false
|
||||
authorization_policy: one_factor
|
||||
redirect_uris:
|
||||
- https://sandbox-gitea.example.com:3000/user/oauth2/authelia/callback
|
||||
scopes:
|
||||
- openid
|
||||
- email
|
||||
- profile
|
||||
userinfo_signing_algorithm: none
|
||||
128
deploy_authelia.sh
Normal file
128
deploy_authelia.sh
Normal file
|
|
@ -0,0 +1,128 @@
|
|||
#!/bin/bash
|
||||
|
||||
# ##########################################################
|
||||
#
|
||||
# This script installs Authelia with
|
||||
# a template configuration like it is
|
||||
# outlined in this video:
|
||||
#
|
||||
# a detailed description is also available
|
||||
# on https://www.onemarcfifty.com/blog/Authelia_Proxmox/
|
||||
#
|
||||
# ##########################################################
|
||||
|
||||
# The script needs to be run as root!
|
||||
|
||||
if [ "$EUID" -ne 0 ]
|
||||
then echo "Please run as root"
|
||||
exit
|
||||
fi
|
||||
|
||||
# ####################################
|
||||
# ##### first we update apt
|
||||
# ##### and apt sources,
|
||||
# ##### then we install authelia
|
||||
# ####################################
|
||||
|
||||
apt update
|
||||
apt install -y curl gnupg apt-transport-https sudo
|
||||
curl -s https://apt.authelia.com/organization/signing.asc | sudo apt-key add -
|
||||
echo "deb https://apt.authelia.com/stable/debian/debian/ all main" >>/etc/apt/sources.list.d/authelia.list
|
||||
apt-key export C8E4D80D | sudo gpg --dearmour -o /usr/share/keyrings/authelia.gpg
|
||||
apt update
|
||||
apt install -y authelia
|
||||
|
||||
# ####################################
|
||||
# ##### Now we create the secrets
|
||||
# ##### and the systemd unit file
|
||||
# ####################################
|
||||
|
||||
for i in .secrets .users .assets .db ; do mkdir /etc/authelia/$i ; done
|
||||
for i in jwtsecret session storage smtp oidcsecret redis ; do tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 | tr -d '\n' > /etc/authelia/.secrets/$i ; done
|
||||
openssl genrsa -out /etc/authelia/.secrets/oicd.pem 4096
|
||||
openssl rsa -in /etc/authelia/.secrets/oicd.pem -outform PEM -pubout -out /etc/authelia/.secrets/oicd.pub.pem
|
||||
(cat >/etc/authelia/secrets) <<EOF
|
||||
AUTHELIA_JWT_SECRET_FILE=/etc/authelia/.secrets/jwtsecret
|
||||
AUTHELIA_SESSION_SECRET_FILE=/etc/authelia/.secrets/session
|
||||
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/etc/authelia/.secrets/storage
|
||||
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/etc/authelia/.secrets/smtp
|
||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE=/etc/authelia/.secrets/oidcsecret
|
||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE=/etc/authelia/.secrets/oicd.pem
|
||||
EOF
|
||||
chmod 600 -R /etc/authelia/.secrets/
|
||||
chmod 600 /etc/authelia/secrets
|
||||
(cat >/etc/systemd/system/authelia.service) <<EOF
|
||||
[Unit]
|
||||
Description=Authelia authentication and authorization server
|
||||
After=multi-user.target
|
||||
|
||||
[Service]
|
||||
Environment=AUTHELIA_SERVER_DISABLE_HEALTHCHECK=true
|
||||
EnvironmentFile=/etc/authelia/secrets
|
||||
ExecStart=/usr/bin/authelia --config /etc/authelia/configuration.yml
|
||||
SyslogIdentifier=authelia
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
EOF
|
||||
systemctl daemon-reload
|
||||
|
||||
# ####################################
|
||||
# ##### Now we create a user yaml
|
||||
# ##### file with 4 demo users
|
||||
# ##### bob, alice, dave and frank
|
||||
# ####################################
|
||||
|
||||
echo "users:" > /etc/authelia/.users/users_database.yml
|
||||
for user in bob alice dave frank ; do
|
||||
randompassword=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 | tr -d '\n')
|
||||
encryptedpwd=$(authelia hash-password --no-confirm -- $randompassword | cut -d " " -f 2)
|
||||
(
|
||||
echo " ${user}:"
|
||||
echo ' displayname: "First Last"'
|
||||
echo " password: $encryptedpwd"
|
||||
echo " email: ${user}@example.com"
|
||||
) >> /etc/authelia/.users/users_database.yml
|
||||
done
|
||||
chmod 600 -R /etc/authelia/.users/
|
||||
|
||||
# ####################################
|
||||
# ##### Next, we pull the skeleton of
|
||||
# ##### the authelia config file from
|
||||
# ##### Marc's Github Repo
|
||||
# ####################################
|
||||
|
||||
cd /etc/authelia
|
||||
# save the old version of the file
|
||||
if [ -e configuration.yml ] ; then
|
||||
mv configuration.yml configuration.yml.old
|
||||
fi
|
||||
# Now let's use Marc's version of Florian's Template File for the new config:
|
||||
wget https://raw.githubusercontent.com/onemarcfifty/cheat-sheets/main/templates/authelia/configuration.yml
|
||||
chmod 600 configuration.yml
|
||||
|
||||
# ##### Now let's try and start Authelia
|
||||
|
||||
systemctl enable authelia
|
||||
systemctl start authelia
|
||||
|
||||
# ####################################
|
||||
# ##### Next we install NGINX
|
||||
# ##### It will probably not start
|
||||
# ##### without valid certificates
|
||||
# ##### we'll handle this later
|
||||
# ####################################
|
||||
|
||||
# install nginx
|
||||
apt install -y nginx
|
||||
# stop NGINX
|
||||
systemctl stop nginx
|
||||
# remove the default site
|
||||
rm /etc/nginx/sites-enabled/*
|
||||
# download the templates from Marc's cheat sheets
|
||||
wget https://raw.githubusercontent.com/onemarcfifty/cheat-sheets/main/templates/nginx/authelia/siteconf -O /etc/nginx/sites-available/authelia.conf
|
||||
wget https://raw.githubusercontent.com/onemarcfifty/cheat-sheets/main/templates/nginx/authelia/proxy-snippet -O /etc/nginx/snippets/proxy.conf
|
||||
wget https://raw.githubusercontent.com/onemarcfifty/cheat-sheets/main/templates/nginx/authelia/ssl-snippet -O /etc/nginx/snippets/ssl.conf
|
||||
# link back the authelia site as enabled to NGINX
|
||||
ln -s /etc/nginx/sites-available/authelia.conf /etc/nginx/sites-enabled/authelia.conf
|
||||
|
||||
Loading…
Add table
Add a link
Reference in a new issue