✨ new talos cluster

2025-09-17 18:24:14 +02:00 · 2022-11-19 04:47:32 +01:00
parent 42346bd99b
commit 4ac38f95e9
548 changed files with 1642 additions and 2331 deletions
--- a/kubernetes/cluster-0/apps/authentication/authelia/config/configuration.yml
+++ b/kubernetes/cluster-0/apps/authentication/authelia/config/configuration.yml
@@ -0,0 +1,88 @@
+---
+session:
+  redis:
+    high_availability:
+      sentinel_name: redis-master
+      nodes:
+        - host: redis-node-0.redis-headless.default.svc.cluster.local.
+          port: 26379
+        - host: redis-node-1.redis-headless.default.svc.cluster.local.
+          port: 26379
+        - host: redis-node-2.redis-headless.default.svc.cluster.local.
+          port: 26379
+
+access_control:
+  ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
+  ## resource if there is no policy to be applied to the user.
+  default_policy: deny
+  networks:
+    - name: private
+      networks: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+    - name: vpn
+      networks: ["10.10.0.0/16"]
+  rules:
+    # bypass Authelia WAN + LAN
+    - domain:
+        - auth.${SECRET_CLUSTER_DOMAIN}
+      policy: bypass
+    # One factor auth for LAN
+    - domain:
+        - "*.${SECRET_CLUSTER_DOMAIN}"
+      policy: one_factor
+      subject: ["group:admins", "group:users"]
+      networks:
+        - private
+    # Deny public resources
+    - domain: ["navidrome.${SECRET_CLUSTER_DOMAIN}"]
+      resources: ["^/metrics.*$"]
+      policy: deny
+    # Two factors auth for WAN
+    - domain:
+        - "*.${SECRET_CLUSTER_DOMAIN}"
+      subject: ["group:admins", "group:users"]
+      policy: two_factor
+identity_providers:
+  oidc:
+    cors:
+      endpoints: ["authorization", "token", "revocation", "introspection"]
+      allowed_origins_from_client_redirect_uris: true
+    clients:
+      - id: gitea
+        secret: "${SECRET_GITEA_OAUTH_CLIENT_SECRET}"
+        public: false
+        authorization_policy: two_factor
+        scopes: ["openid", "profile", "groups", "email"]
+        redirect_uris:
+          [
+            "https://gitea.${SECRET_CLUSTER_DOMAIN}/user/oauth2/authelia/callback",
+          ]
+        userinfo_signing_algorithm: none
+      - id: grafana
+        description: Grafana
+        secret: "${SECRET_GRAFANA_OAUTH_CLIENT_SECRET}"
+        public: false
+        authorization_policy: two_factor
+        pre_configured_consent_duration: 1y
+        scopes: ["openid", "profile", "groups", "email"]
+        redirect_uris:
+          ["https://grafana.${SECRET_CLUSTER_DOMAIN}/login/generic_oauth"]
+        userinfo_signing_algorithm: none
+      - id: outline
+        description: Outline
+        secret: "${SECRET_OUTLINE_OAUTH_CLIENT_SECRET}"
+        public: false
+        authorization_policy: two_factor
+        pre_configured_consent_duration: 1y
+        scopes: ["openid", "profile", "email", "offline_access"]
+        redirect_uris:
+          ["https://docs.${SECRET_CLUSTER_DOMAIN}/auth/oidc.callback"]
+        userinfo_signing_algorithm: none
+      # - id: minio
+      #   description: Minio
+      #   secret: "${SECRET_MINIO_OAUTH_CLIENT_SECRET}"
+      #   public: false
+      #   authorization_policy: two_factor
+      #   pre_configured_consent_duration: 1y
+      #   scopes: ["openid", "profile", "groups", "email"]
+      #   redirect_uris: ["https://minio.${SECRET_CLUSTER_DOMAIN}/oauth_callback"]
+      #   userinfo_signing_algorithm: none