
Authelia: introduce to protect system services

This commit is contained in:
Anton Vakhrushev 2025-05-07 11:23:22 +03:00
parent 41fac2c4f9
commit a77fefcded
Signed by: av
GPG Key ID: F5BF52FC352E255A
6 changed files with 3718 additions and 16 deletions


@ -30,6 +30,10 @@ tasks:
cmds: cmds:
- ansible-vault encrypt vars/vars.yml - ansible-vault encrypt vars/vars.yml
authelia-cli:
cmds:
- docker run --rm authelia/authelia:latest authelia {{.CLI_ARGS}}
format-py-files: format-py-files:
cmds: cmds:
- >- - >-
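Review bot: The new `authelia-cli` task pulls `authelia/authelia:latest` while the compose template in this same commit pins `4.39.1`, so password hashes, `crypto` output or `validate-config` results produced through this task can come from a different Authelia release than the one actually deployed, and `:latest` silently moves on every pull. Use the deployed tag, `- docker run --rm authelia/authelia:4.39.1 authelia {{.CLI_ARGS}}`, ideally through one variable shared with the compose template so the two cannot drift apart. The enclosing `tasks:` map begins before this hunk and the file name is not shown on this page; the `{{.CLI_ARGS}}` syntax suggests a Taskfile.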

File diff suppressed because it is too large


@ -0,0 +1,15 @@
services:
authelia_app:
container_name: 'authelia_app'
image: 'docker.io/authelia/authelia:4.39.1'
user: '{{ user_create_result.uid }}:{{ user_create_result.group }}'
restart: 'unless-stopped'
networks:
- "{{ web_proxy_network }}"
volumes:
- "{{ config_dir }}:/config"
networks:
{{ web_proxy_network }}:
external: true
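Review bot: `authelia_app` drops root via `user:` but keeps the default capability set and can still acquire privileges, which matters for the one container that decides who reaches every other service; add `security_opt: ['no-new-privileges:true']` and `cap_drop: ['ALL']` to the service block (Authelia only binds 9091 inside the container, so no capability is needed). `user: '{{ user_create_result.uid }}:{{ user_create_result.group }}'` depends on a fact that nothing in this file sets, presumably registered by the `owner` role, so a comment above it, `# uid/gid registered by the owner role; /config is owned by the same user`, would save the next reader a search. The file header is missing on this page; from the playbook in this commit it appears to be `files/authelia/docker-compose.yml.j2`.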

24
files/authelia/users.yml Normal file

@ -0,0 +1,24 @@
$ANSIBLE_VAULT;1.1;AES256
66646631323832323465333132316165363434656531343331363563623132333562643164336534
3362346337613232373461373965623662346661396535330a393061623061313633356161373565
62346666633339663730346637323738336338653763393462653466646135313632393762376661
6466343264353132660a393765636438623933613830313166653036313363616133653863613664
65613765393838626165386366363930663466313931653764306565623234326163636265656238
34366138386237646133643433333434363837346231306139363034393239626665653965353632
65383965363936653361303561373763666462366630333834636532346664616538653261386265
34373961373564646537383031356466306561393731646662326163366564306361323137366530
63663766366330616130386233623866333230306539663663613937396464343836333633373931
37343831333331656637326163633636613030653138333139356332623032346537653166333432
37383938613837383163336138363039373630343737333532376365653834336364626461336232
63663733663139326235346230613963626537373631653533666230343563346535656334333363
61623835653130646166353135376633663037636439343533323133313036646661393336346136
66633666636434373263376237306530393132323930653864343939643535663161316564336266
62623638363062343362323438623438643230353262653562313830376133353566396130386335
62343630633866643831613566633132313332333763306461343965656466666336393637386365
39623534323462633161373332353231316133366464373738366262666334386638313739623961
38386434616430326238623563356230343438373261663339643732333461333534373634343131
34393263356332633136353461323833306636396636323964383631663233653936643132316163
62613236393436326261366632306634653462646562323161343463666561663737613738303565
36373538643561663364633337383637343233343866396134363639386335333965646639393630
36393566333864333366386465343735616639623836336566353136616563356464383738316364
623839366161633366653464656539306230


@ -6,22 +6,6 @@
grace_period 15s grace_period 15s
} }
# -------------------------------------------------------------------
# Netdata service
# -------------------------------------------------------------------
status.vakhrushev.me, :29999 {
tls anwinged@ya.ru
reverse_proxy {
to netdata:19999
}
basicauth / {
{{ netdata.login }} {{ netdata.password_hash }}
}
}
# ------------------------------------------------------------------- # -------------------------------------------------------------------
# Applications # Applications
# ------------------------------------------------------------------- # -------------------------------------------------------------------
@ -34,6 +18,23 @@ vakhrushev.me {
} }
} }
auth.vakhrushev.me {
tls anwinged@ya.ru
reverse_proxy authelia_app:9091
}
status.vakhrushev.me, :29999 {
tls anwinged@ya.ru
forward_auth authelia_app:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
reverse_proxy netdata:19999
}
git.vakhrushev.me { git.vakhrushev.me {
tls anwinged@ya.ru tls anwinged@ya.ru
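Review bot: The new `status.vakhrushev.me` block is gated by `forward_auth authelia_app:9091`, but nothing in the Caddyfile records that the allow/deny decision and the copied `Remote-*` headers depend on the `access_control` rules and session cookie domain in `files/authelia/configuration.yml`, whose diff is suppressed on this page; add a comment above `auth.vakhrushev.me {` such as `# Authelia portal; status.* below is protected by forward_auth, access rules live in files/authelia/configuration.yml`. The removed `basicauth` block was the only visible consumer of `netdata.login` and `netdata.password_hash`, so those vault variables look dead now and can be dropped from `vars/vars.yml` if nothing else reads them. If `authelia_app` is unreachable, Caddy's `forward_auth` should answer with an error rather than pass the request upstream, which is the safe failure mode, but it is worth confirming once with the container stopped. The trailing `git.vakhrushev.me` block continues outside the hunk.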

61
playbook-authelia.yml Normal file

@ -0,0 +1,61 @@
---
- name: "Configure authelia application"
hosts: all
vars_files:
- vars/ports.yml
- vars/vars.yml
vars:
app_name: "authelia"
app_user: "{{ app_name }}"
base_dir: "/home/{{ app_user }}"
config_dir: "{{ (base_dir, 'config') | path_join }}"
tasks:
- name: "Create user and environment"
ansible.builtin.import_role:
name: owner
vars:
owner_name: "{{ app_user }}"
owner_extra_groups: ["docker"]
- name: "Create internal application directories"
ansible.builtin.file:
path: "{{ item }}"
state: "directory"
owner: "{{ app_user }}"
group: "{{ app_user }}"
mode: "0700"
loop:
- "{{ config_dir }}"
- name: "Copy configuration files"
ansible.builtin.copy:
src: "files/{{ app_name }}/{{ item }}"
dest: "{{ (config_dir, item) | path_join }}"
owner: "{{ app_user }}"
group: "{{ app_user }}"
mode: "0600"
loop:
- "configuration.yml"
- "users.yml"
- name: "Copy docker compose file"
ansible.builtin.template:
src: "./files/{{ app_name }}/docker-compose.yml.j2"
dest: "{{ base_dir }}/docker-compose.yml"
owner: "{{ app_user }}"
group: "{{ app_user }}"
mode: "0640"
- name: "Run application with docker compose"
community.docker.docker_compose_v2:
project_src: "{{ base_dir }}"
state: "present"
remove_orphans: true
- name: "Restart application with docker compose"
community.docker.docker_compose_v2:
project_src: "{{ base_dir }}"
state: "restarted"
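Review bot: The final `Restart application with docker compose` task runs unconditionally, so every play run restarts Authelia, which drops all live sessions if the session store is in-memory, even when no configuration changed. Register the results of the copy and template tasks (`register: authelia_config` on the copy task, `register: authelia_compose` on the template task) and guard the restart with `when: authelia_config is changed or authelia_compose is changed`, or move the restart into a handler those tasks notify. Separately, `files/authelia/configuration.yml` is copied verbatim while the compose template passes no environment or secret files, which implies the session secret, storage encryption key and JWT secret live inside that file; if it is not vault-encrypted they are committed in plaintext (its diff is suppressed here, so this cannot be confirmed), and Authelia's `*_FILE` secret environment variables or a vaulted template would keep them out of VCS.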