1st commit

Signed-off-by: Marc Ahlgrim <marc@onemarcfifty.com>
This commit is contained in:
Marc Ahlgrim 2023-03-24 11:09:44 +01:00
parent 73dfbbc4ef
commit 84f15606b7
4 changed files with 358 additions and 0 deletions

45
README.md Normal file
View file

@ -0,0 +1,45 @@
# authelia-proxmox-SSO
Automated install for Authelia running in a container e.g. on Proxmox
You can use this repository in order to run an automated installation of Authelia into e.g. a Proxmox Container. If you want to run it in Proxmox, do the following:
1. Create a _privileged_ container
2. Give it 2 GB of RAM, 2 Cores, 8 GB of Disk (might be oversized)
The container needs to be privileged because it needs the `/dev/random` and/or `/dev/urandom` devices.
In order to install, open a shell on th container and type (as root)
```bash
wget https://raw.githubusercontent.com/onemarcfifty/authelia-proxmox-SSO/main/deploy_authelia.sh ; bash ./deploy_authelia.sh
```
## editing the config files
In order to edit the config files, you could use nano or vi. However, editing yaml Files in those editors is quite a challenge because you need to take care of proper indentation etc. Another possibility is to use WinSCP or FileZilla and connect over ssh or sftp to the container, and then edit with your favorite editor (e.g. Visual Studio).
To enable root password login over ssh in order to edit the files type
```bash
sed -i s/^\#PermitRootLogin\ prohibit-password$/PermitRootLogin\ yes/ /etc/ssh/sshd_config
systemctl restart ssh
```
You can later change this back by typing
```bash
sed -i s/^PermitRootLogin\ yes/PermitRootLogin\ prohibit-password/ /etc/ssh/sshd_config
systemctl restart ssh
```
## Watch the video on YouTube
The necessary changes to the config files and how to implement SSO are outlined in [This video](https://youtube.com). In the video we implement SSO for
- Nextcloud
- Proxmox
- Portainer
- Gitea
## More resources
The [Authelia Documentation](https://www.authelia.com/integration/openid-connect/introduction/) shows how to integrate OpenID Connect (OIDC) with various software platforms

View file

@ -0,0 +1,3 @@
# Supporting resources
If you have followed my video, then you can use the resources in this folder to accelerate the setup. The [authelia_config_sample.yml](authelia_config_sample.yml) file contains the Authelia config file the way it looked at the end of the video, after all changes.

View file

@ -0,0 +1,182 @@
# ##############################################
# ##############################################
# ##############################################
# This is the FULL authelia config
# from the video with all OpenID providers added
# Please use your own secrets!!!!
# ##############################################
# ##############################################
# ##############################################
# #######################################
# authelia config
# source: https://florianmuller.com
# #######################################
theme: dark
default_redirection_url: https://sandbox-auth.example.com/
server:
host: 127.0.0.1
port: 9091
asset_path: /etc/authelia/.assets/
tls:
key: /etc/authelia/certs/wildcard.key
certificate: /etc/authelia/certs/wildcard_fullchain.crt
log:
level: debug
file_path: /var/log/authelia.log
totp:
issuer: sandbox-auth.example.com
webauthn:
disable: false
display_name: Authelia
attestation_conveyance_preference: indirect
user_verification: discouraged
timeout: 60s
ntp:
address: "0.de.pool.ntp.org:123"
version: 4
max_desync: 3s
disable_startup_check: false
authentication_backend:
file:
path: /etc/authelia/.users/users_database.yml
password:
algorithm: argon2id
iterations: 1
key_length: 32
salt_length: 16
memory: 1024
parallelism: 8
access_control:
default_policy: deny
rules: ### OPTIONAL SETTING
# 2fa
- domain: example.com
policy: one_factor
session:
name: authelia_session
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
domain: sandbox-auth.example.com
same_site: lax
remember_me_duration: 7d
regulation:
max_retries: 3
find_time: 120
ban_time: 300
storage:
local:
path: /etc/authelia/.db/sqlite3.db
notifier:
disable_startup_check: false
smtp:
host: smtp.example.com
port: 25
timeout: 5s
sender: "Authentication Service <noreply@auth.example.com>"
subject: "{title}"
startup_check_address: debug@example.com
disable_require_tls: false
disable_starttls: false
disable_html_emails: false
tls:
skip_verify: true
minimum_version: TLS1.2
###############################################################
# OpenID endpoints
###############################################################
identity_providers: ### OPTIONAL SETTING
oidc:
access_token_lifespan: 1h
authorize_code_lifespan: 1m
id_token_lifespan: 1h
refresh_token_lifespan: 90m
enable_client_debug_messages: false
enforce_pkce: public_clients_only
cors:
endpoints:
- authorization
- token
- revocation
- introspection
allowed_origins:
- "*"
allowed_origins_from_client_redirect_uris: false
clients:
# ###################
- id: nextcloud
# ###################
description: NextCloud
secret: '$plaintext$qUykh83Fw8qGtf5Y8ZJmG4DIJtm0ygQgSypLfsBNTDhLT75gecWjg65moab0B1bV'
public: false
authorization_policy: two_factor
redirect_uris:
- https://sandbox-nextcloud.example.com/apps/oidc_login/oidc
- https://sandbox-nextcloud.example.com/index.php/apps/oidc_login/oidc
scopes:
- openid
- profile
- email
- groups
userinfo_signing_algorithm: none
# ###################
- id: proxmox
# ###################
description: Proxmox
secret: '$plaintext$urydGen3fhWDB5SX2hZNpXYtH7k7f8NDzdQ7lKUJ4hMOT6j4TDETq1r42Kwy6rDH'
public: false
authorization_policy: two_factor
redirect_uris:
- https://sandbox-proxmox.example.com:8006
scopes:
- openid
- profile
- email
userinfo_signing_algorithm: none
# ###################
- id: portainer
# ###################
description: Portainer
secret: '$plaintext$useNgEpSkm7Z59MOl1Fo97axf5HVAEfyDhV4NRJkDw9lYKMRIu3YBCtO3vsQaePZ'
public: false
authorization_policy: one_factor
redirect_uris:
- https://sandbox-docker.example.com:9443
scopes:
- openid
- profile
- groups
- email
userinfo_signing_algorithm: none
# ###################
- id: gitea
# ###################
description: Gitea
secret: '$plaintext$frwhgwrthwrthwrthwethwgfhwrhtwrthwrthwrhgwdfgjzrwthrth'
public: false
authorization_policy: one_factor
redirect_uris:
- https://sandbox-gitea.example.com:3000/user/oauth2/authelia/callback
scopes:
- openid
- email
- profile
userinfo_signing_algorithm: none

128
deploy_authelia.sh Normal file
View file

@ -0,0 +1,128 @@
#!/bin/bash
# ##########################################################
#
# This script installs Authelia with
# a template configuration like it is
# outlined in this video:
#
# a detailed description is also available
# on https://www.onemarcfifty.com/blog/Authelia_Proxmox/
#
# ##########################################################
# The script needs to be run as root!
if [ "$EUID" -ne 0 ]
then echo "Please run as root"
exit
fi
# ####################################
# ##### first we update apt
# ##### and apt sources,
# ##### then we install authelia
# ####################################
apt update
apt install -y curl gnupg apt-transport-https sudo
curl -s https://apt.authelia.com/organization/signing.asc | sudo apt-key add -
echo "deb https://apt.authelia.com/stable/debian/debian/ all main" >>/etc/apt/sources.list.d/authelia.list
apt-key export C8E4D80D | sudo gpg --dearmour -o /usr/share/keyrings/authelia.gpg
apt update
apt install -y authelia
# ####################################
# ##### Now we create the secrets
# ##### and the systemd unit file
# ####################################
for i in .secrets .users .assets .db ; do mkdir /etc/authelia/$i ; done
for i in jwtsecret session storage smtp oidcsecret redis ; do tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 | tr -d '\n' > /etc/authelia/.secrets/$i ; done
openssl genrsa -out /etc/authelia/.secrets/oicd.pem 4096
openssl rsa -in /etc/authelia/.secrets/oicd.pem -outform PEM -pubout -out /etc/authelia/.secrets/oicd.pub.pem
(cat >/etc/authelia/secrets) <<EOF
AUTHELIA_JWT_SECRET_FILE=/etc/authelia/.secrets/jwtsecret
AUTHELIA_SESSION_SECRET_FILE=/etc/authelia/.secrets/session
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/etc/authelia/.secrets/storage
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/etc/authelia/.secrets/smtp
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE=/etc/authelia/.secrets/oidcsecret
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE=/etc/authelia/.secrets/oicd.pem
EOF
chmod 600 -R /etc/authelia/.secrets/
chmod 600 /etc/authelia/secrets
(cat >/etc/systemd/system/authelia.service) <<EOF
[Unit]
Description=Authelia authentication and authorization server
After=multi-user.target
[Service]
Environment=AUTHELIA_SERVER_DISABLE_HEALTHCHECK=true
EnvironmentFile=/etc/authelia/secrets
ExecStart=/usr/bin/authelia --config /etc/authelia/configuration.yml
SyslogIdentifier=authelia
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
# ####################################
# ##### Now we create a user yaml
# ##### file with 4 demo users
# ##### bob, alice, dave and frank
# ####################################
echo "users:" > /etc/authelia/.users/users_database.yml
for user in bob alice dave frank ; do
randompassword=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 | tr -d '\n')
encryptedpwd=$(authelia hash-password --no-confirm -- $randompassword | cut -d " " -f 2)
(
echo " ${user}:"
echo ' displayname: "First Last"'
echo " password: $encryptedpwd"
echo " email: ${user}@example.com"
) >> /etc/authelia/.users/users_database.yml
done
chmod 600 -R /etc/authelia/.users/
# ####################################
# ##### Next, we pull the skeleton of
# ##### the authelia config file from
# ##### Marc's Github Repo
# ####################################
cd /etc/authelia
# save the old version of the file
if [ -e configuration.yml ] ; then
mv configuration.yml configuration.yml.old
fi
# Now let's use Marc's version of Florian's Template File for the new config:
wget https://raw.githubusercontent.com/onemarcfifty/cheat-sheets/main/templates/authelia/configuration.yml
chmod 600 configuration.yml
# ##### Now let's try and start Authelia
systemctl enable authelia
systemctl start authelia
# ####################################
# ##### Next we install NGINX
# ##### It will probably not start
# ##### without valid certificates
# ##### we'll handle this later
# ####################################
# install nginx
apt install -y nginx
# stop NGINX
systemctl stop nginx
# remove the default site
rm /etc/nginx/sites-enabled/*
# download the templates from Marc's cheat sheets
wget https://raw.githubusercontent.com/onemarcfifty/cheat-sheets/main/templates/nginx/authelia/siteconf -O /etc/nginx/sites-available/authelia.conf
wget https://raw.githubusercontent.com/onemarcfifty/cheat-sheets/main/templates/nginx/authelia/proxy-snippet -O /etc/nginx/snippets/proxy.conf
wget https://raw.githubusercontent.com/onemarcfifty/cheat-sheets/main/templates/nginx/authelia/ssl-snippet -O /etc/nginx/snippets/ssl.conf
# link back the authelia site as enabled to NGINX
ln -s /etc/nginx/sites-available/authelia.conf /etc/nginx/sites-enabled/authelia.conf