Authelia: introduce to protect system services

2025-05-07 11:23:22 +03:00 · 2025-05-07 11:23:22 +03:00 · a77fefcded
commit a77fefcded
parent 41fac2c4f9
6 changed files with 3718 additions and 16 deletions
--- a/Taskfile.yml
+++ b/Taskfile.yml
@ -30,6 +30,10 @@ tasks:
    cmds:
      - ansible-vault encrypt vars/vars.yml

+  authelia-cli:
+    cmds:
+      - docker run --rm authelia/authelia:latest authelia {{.CLI_ARGS}}
+
  format-py-files:
    cmds:
    - >-
--- a/files/authelia/configuration.yml
+++ b/files/authelia/configuration.yml
--- a/files/authelia/docker-compose.yml.j2
+++ b/files/authelia/docker-compose.yml.j2
@ -0,0 +1,15 @@
+services:
+
+  authelia_app:
+    container_name: 'authelia_app'
+    image: 'docker.io/authelia/authelia:4.39.1'
+    user: '{{  user_create_result.uid }}:{{ user_create_result.group }}'
+    restart: 'unless-stopped'
+    networks:
+      - "{{ web_proxy_network }}"
+    volumes:
+      - "{{ config_dir }}:/config"
+
+networks:
+  {{ web_proxy_network }}:
+    external: true
--- a/files/authelia/users.yml
+++ b/files/authelia/users.yml
@ -0,0 +1,24 @@
+$ANSIBLE_VAULT;1.1;AES256
+66646631323832323465333132316165363434656531343331363563623132333562643164336534
+3362346337613232373461373965623662346661396535330a393061623061313633356161373565
+62346666633339663730346637323738336338653763393462653466646135313632393762376661
+6466343264353132660a393765636438623933613830313166653036313363616133653863613664
+65613765393838626165386366363930663466313931653764306565623234326163636265656238
+34366138386237646133643433333434363837346231306139363034393239626665653965353632
+65383965363936653361303561373763666462366630333834636532346664616538653261386265
+34373961373564646537383031356466306561393731646662326163366564306361323137366530
+63663766366330616130386233623866333230306539663663613937396464343836333633373931
+37343831333331656637326163633636613030653138333139356332623032346537653166333432
+37383938613837383163336138363039373630343737333532376365653834336364626461336232
+63663733663139326235346230613963626537373631653533666230343563346535656334333363
+61623835653130646166353135376633663037636439343533323133313036646661393336346136
+66633666636434373263376237306530393132323930653864343939643535663161316564336266
+62623638363062343362323438623438643230353262653562313830376133353566396130386335
+62343630633866643831613566633132313332333763306461343965656466666336393637386365
+39623534323462633161373332353231316133366464373738366262666334386638313739623961
+38386434616430326238623563356230343438373261663339643732333461333534373634343131
+34393263356332633136353461323833306636396636323964383631663233653936643132316163
+62613236393436326261366632306634653462646562323161343463666561663737613738303565
+36373538643561663364633337383637343233343866396134363639386335333965646639393630
+36393566333864333366386465343735616639623836336566353136616563356464383738316364
+623839366161633366653464656539306230
--- a/files/caddyproxy/Caddyfile.j2
+++ b/files/caddyproxy/Caddyfile.j2
@ -6,22 +6,6 @@
    grace_period 15s
 }

-# -------------------------------------------------------------------
-# Netdata service
-# -------------------------------------------------------------------
-
-status.vakhrushev.me, :29999 {
-    tls anwinged@ya.ru
-
-    reverse_proxy {
-        to netdata:19999
-    }
-
-    basicauth / {
-       {{ netdata.login }} {{ netdata.password_hash }}
-    }
-}
-
 # -------------------------------------------------------------------
 # Applications
 # -------------------------------------------------------------------
@ -34,6 +18,23 @@ vakhrushev.me {
    }
 }

+auth.vakhrushev.me {
+    tls anwinged@ya.ru
+    
+    reverse_proxy authelia_app:9091
+}
+
+status.vakhrushev.me, :29999 {
+    tls anwinged@ya.ru
+
+    forward_auth authelia_app:9091 {
+        uri /api/authz/forward-auth
+        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+    }
+
+    reverse_proxy netdata:19999
+}
+
 git.vakhrushev.me {
    tls anwinged@ya.ru

--- a/playbook-authelia.yml
+++ b/playbook-authelia.yml
@ -0,0 +1,61 @@
+---
+- name: "Configure authelia application"
+  hosts: all
+
+  vars_files:
+    - vars/ports.yml
+    - vars/vars.yml
+
+  vars:
+    app_name: "authelia"
+    app_user: "{{ app_name }}"
+    base_dir: "/home/{{ app_user }}"
+    config_dir: "{{ (base_dir, 'config') | path_join }}"
+
+  tasks:
+    - name: "Create user and environment"
+      ansible.builtin.import_role:
+        name: owner
+      vars:
+        owner_name: "{{ app_user }}"
+        owner_extra_groups: ["docker"]
+
+    - name: "Create internal application directories"
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: "directory"
+        owner: "{{ app_user }}"
+        group: "{{ app_user }}"
+        mode: "0700"
+      loop:
+        - "{{ config_dir }}"
+
+    - name: "Copy configuration files"
+      ansible.builtin.copy:
+        src: "files/{{ app_name }}/{{ item }}"
+        dest: "{{ (config_dir, item) | path_join }}"
+        owner: "{{ app_user }}"
+        group: "{{ app_user }}"
+        mode: "0600"
+      loop:
+        - "configuration.yml"
+        - "users.yml"
+
+    - name: "Copy docker compose file"
+      ansible.builtin.template:
+        src: "./files/{{ app_name }}/docker-compose.yml.j2"
+        dest: "{{ base_dir }}/docker-compose.yml"
+        owner: "{{ app_user }}"
+        group: "{{ app_user }}"
+        mode: "0640"
+
+    - name: "Run application with docker compose"
+      community.docker.docker_compose_v2:
+        project_src: "{{ base_dir }}"
+        state: "present"
+        remove_orphans: true
+
+    - name: "Restart application with docker compose"
+      community.docker.docker_compose_v2:
+        project_src: "{{ base_dir }}"
+        state: "restarted"