From 56be9eec50b1e3ef455931cabc52692e0c309785 Mon Sep 17 00:00:00 2001 
From: auricom <27022259+auricom@users.noreply.github.com> Date: Tue, 13 Sep 2022 23:18:06 +0200 Subject: [PATCH] =?UTF-8?q?=F0=9F=9A=80=20new=20authentication=20module?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .gitattributes | 5 +- .sops.yaml | 4 + .../authelia/config/configuration.yml | 85 ++++++++ .../authentication/authelia/helm-release.yaml | 96 +++++++++ .../authelia/kustomization.yaml | 17 ++ .../authentication/authelia/patches/env.yaml | 40 ++++ .../authelia/patches/postgres.yaml | 31 +++ .../authentication/authelia/secret.sops.yaml | 36 ++++ .../authelia/service-monitor.yaml | 19 ++ .../glauth/config/groups.sops.toml | 20 ++ .../glauth/config/server.sops.toml | 20 ++ .../glauth/config/users.sops.toml | 20 ++ .../authentication/glauth/helm-release.yaml | 64 ++++++ .../authentication/glauth/kustomization.yaml | 14 ++ .../kustomization.yaml | 6 +- cluster/apps/authentication/readme.md | 90 ++++++++ .../documentation/outline/patches/env.yaml | 6 +- .../home-automation/frigate/helm-release.yaml | 4 +- .../home-assistant/helm-release.yaml | 4 +- .../zigbee2mqtt/helm-release.yaml | 4 +- .../zwavejs2mqtt/helm-release.yaml | 4 +- cluster/apps/kustomization.yaml | 1 + cluster/apps/media/bazarr/helm-release.yaml | 4 +- cluster/apps/media/calibre/helm-release.yaml | 4 +- cluster/apps/media/flood/helm-release.yaml | 4 +- cluster/apps/media/lidarr/helm-release.yaml | 4 +- cluster/apps/media/prowlarr/helm-release.yaml | 4 +- cluster/apps/media/pyload/helm-release.yaml | 4 +- .../apps/media/qbittorrent/helm-release.yaml | 4 +- cluster/apps/media/radarr/helm-release.yaml | 4 +- cluster/apps/media/readarr/helm-release.yaml | 4 +- cluster/apps/media/sabnzbd/helm-release.yaml | 4 +- cluster/apps/media/sonarr/helm-release.yaml | 4 +- cluster/apps/media/tdarr/helm-release.yaml | 4 +- .../apps/media/travelstories/deployment.yaml | 4 +- .../blackbox-exporter/helm-release.yaml | 4 +- .../apps/monitoring/grafana/helm-release.yaml 
| 8 +- .../kube-prometheus-stack/helm-release.yaml | 8 +- .../apps/monitoring/thanos/helm-release.yaml | 4 +- .../apps/networking/authelia/configmap.yaml | 27 --- .../networking/authelia/helm-release.yaml | 203 ------------------ cluster/apps/networking/kustomization.yaml | 1 - cluster/charts/authelia-charts.yaml | 10 - cluster/charts/authentik-charts.yaml | 10 - cluster/charts/kustomization.yaml | 2 - .../configuration/cluster-secrets.sops.yaml | 14 +- 46 files changed, 615 insertions(+), 318 deletions(-) create mode 100644 cluster/apps/authentication/authelia/config/configuration.yml create mode 100644 cluster/apps/authentication/authelia/helm-release.yaml create mode 100644 cluster/apps/authentication/authelia/kustomization.yaml create mode 100644 cluster/apps/authentication/authelia/patches/env.yaml create mode 100644 cluster/apps/authentication/authelia/patches/postgres.yaml create mode 100644 cluster/apps/authentication/authelia/secret.sops.yaml create mode 100644 cluster/apps/authentication/authelia/service-monitor.yaml create mode 100644 cluster/apps/authentication/glauth/config/groups.sops.toml create mode 100644 cluster/apps/authentication/glauth/config/server.sops.toml create mode 100644 cluster/apps/authentication/glauth/config/users.sops.toml create mode 100644 cluster/apps/authentication/glauth/helm-release.yaml create mode 100644 cluster/apps/authentication/glauth/kustomization.yaml rename cluster/apps/{networking/authelia => authentication}/kustomization.yaml (61%) create mode 100644 cluster/apps/authentication/readme.md delete mode 100644 cluster/apps/networking/authelia/configmap.yaml delete mode 100644 cluster/apps/networking/authelia/helm-release.yaml delete mode 100644 cluster/charts/authelia-charts.yaml delete mode 100644 cluster/charts/authentik-charts.yaml diff --git a/.gitattributes b/.gitattributes index 11eb61a05..163155fe4 100644 --- a/.gitattributes +++ b/.gitattributes 
@@ -1,2 +1,3 @@
-secret.enc.yaml diff=sopsdiffer
-cluster-secrets.yaml diff=sopsdiffer
\ No newline at end of file
+*.sops.yaml diff=sopsdiffer
+cluster-secrets.yaml diff=sopsdiffer
+*.sops.toml linguist-language=JSON
diff --git a/.sops.yaml b/.sops.yaml
index 58bcf0450..9ce925ea6 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -9,3 +9,7 @@ creation_rules:
 key_groups:
 - age:
 - age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+ - path_regex: cluster/.*\.sops\.toml
+ key_groups:
+ - age:
+ - age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
diff --git a/cluster/apps/authentication/authelia/config/configuration.yml b/cluster/apps/authentication/authelia/config/configuration.yml
new file mode 100644
index 000000000..e49920a5f
--- /dev/null
+++ b/cluster/apps/authentication/authelia/config/configuration.yml
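Review bot: The new `.gitattributes` line gives `*.sops.toml` only `linguist-language=JSON`, while the `*.sops.yaml` line right above it also carries `diff=sopsdiffer`, so diffs of the encrypted GLAuth config will show ciphertext churn instead of a decrypted view. If the `sopsdiffer` textconv can handle the JSON-wrapped files, `*.sops.toml diff=sopsdiffer linguist-language=JSON` keeps the two rules parallel; if it cannot, a trailing comment saying so would stop the next reader from adding it.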
@@ -0,0 +1,85 @@ +--- +session: + redis: + high_availability: + sentinel_name: redis-master + nodes: + - host: redis-node-0.redis-headless.default.svc.cluster.local + port: 26379 + - host: redis-node-1.redis-headless.default.svc.cluster.local + port: 26379 + - host: redis-node-2.redis-headless.default.svc.cluster.local + port: 26379 + +access_control: + ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any + ## resource if there is no policy to be applied to the user. + default_policy: deny + networks: + - name: private + networks: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] + - name: vpn + networks: ["10.10.0.0/16"] + rules: + # bypass Authelia WAN + LAN + - domain: + - auth.${SECRET_CLUSTER_DOMAIN} + policy: bypass + # One factor auth for LAN + - domain: + - "*.${SECRET_CLUSTER_DOMAIN}" + policy: one_factor + subject: ["group:admins", "group:users"] + networks: + - private + # Two factors auth for WAN + - domain: + - "*.${SECRET_CLUSTER_DOMAIN}" + subject: ["group:admins", "group:users"] + policy: two_factor + +identity_providers: + oidc: + cors: + endpoints: ["authorization", "token", "revocation", "introspection"] + allowed_origins_from_client_redirect_uris: true + clients: + - id: gitea + secret: "${SECRET_GITEA_OAUTH_CLIENT_SECRET}" + public: false + authorization_policy: two_factor + scopes: ["openid", "profile", "groups", "email"] + redirect_uris: + [ + "https://gitea.${SECRET_CLUSTER_DOMAIN}/user/oauth2/authelia/callback", + ] + userinfo_signing_algorithm: none + - id: grafana + description: Grafana + secret: "${SECRET_GRAFANA_OAUTH_CLIENT_SECRET}" + public: false + authorization_policy: two_factor + pre_configured_consent_duration: 1y + scopes: ["openid", "profile", "groups", "email"] + redirect_uris: + ["https://grafana.${SECRET_CLUSTER_DOMAIN}/login/generic_oauth"] + userinfo_signing_algorithm: none + - id: outline + description: Outline + secret: "${SECRET_OUTLINE_OAUTH_CLIENT_SECRET}" + 
public: false + authorization_policy: two_factor + pre_configured_consent_duration: 1y + scopes: ["openid", "profile", "email", "offline_access"] + redirect_uris: + ["https://docs.${SECRET_CLUSTER_DOMAIN}/auth/oidc.callback"] + userinfo_signing_algorithm: none + # - id: minio + # description: Minio + # secret: "${SECRET_MINIO_OAUTH_CLIENT_SECRET}" + # public: false + # authorization_policy: two_factor + # pre_configured_consent_duration: 1y + # scopes: ["openid", "profile", "groups", "email"] + # redirect_uris: ["https://minio.${SECRET_PUBLIC_DOMAIN}/oauth_callback"] + # userinfo_signing_algorithm: none diff --git a/cluster/apps/authentication/authelia/helm-release.yaml b/cluster/apps/authentication/authelia/helm-release.yaml new file mode 100644 index 000000000..37b312779 --- /dev/null +++ b/cluster/apps/authentication/authelia/helm-release.yaml 
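Review bot: The `identity_providers.oidc.clients[].secret` values (`${SECRET_GITEA_OAUTH_CLIENT_SECRET}`, `${SECRET_GRAFANA_OAUTH_CLIENT_SECRET}`, `${SECRET_OUTLINE_OAUTH_CLIENT_SECRET}`) end up in a ConfigMap, because the authelia kustomization hunk feeds this file through `configMapGenerator`; once Flux substitutes the variables (as the `${...}` convention in the rest of the repo suggests), the client secrets are readable by anything with ConfigMap read access in `default`. The glauth release in this same commit mounts its config with `type: secret`; doing the same here (`secretGenerator` in the kustomization, `type: secret` on the `config` persistence entry) keeps them in a Secret. Two smaller points in `access_control`: the `vpn` network (`10.10.0.0/16`) is referenced by no rule and already lies inside `private`'s `10.0.0.0/8`, so it either needs its own rule or should go; and the `one_factor` downgrade for `private` trusts the client address Authelia sees, so a comment such as `# relies on the ingress forwarding the real client IP; without it every request looks private` is worth adding, since the ingress side is not in this hunk.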
@@ -0,0 +1,96 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: &app authelia + namespace: default +spec: + interval: 15m + chart: + spec: + chart: app-template + version: 0.1.1 + sourceRef: + kind: HelmRepository + name: bjw-s-charts + namespace: flux-system + install: + createNamespace: true + remediation: + retries: 5 + upgrade: + remediation: + retries: 5 + dependsOn: + - name: glauth + namespace: default + - name: redis + namespace: default + values: + controller: + replicas: 1 + strategy: RollingUpdate + image: + repository: ghcr.io/authelia/authelia + tag: 4.36.7 + envFrom: + - secretRef: + name: *app + enableServiceLinks: false + service: + main: + ports: + http: + port: 80 + metrics: + enabled: true + port: 8080 + ingress: + main: + enabled: true + ingressClassName: "nginx" + annotations: + external-dns.alpha.kubernetes.io/target: "services.${SECRET_DOMAIN}." + external-dns/is-public: "true" + nginx.ingress.kubernetes.io/configuration-snippet: | + add_header Cache-Control "no-store"; + add_header Pragma "no-cache"; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + hosts: + - host: &host "auth.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - *host + podSecurityContext: + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + fsGroupChangePolicy: "OnRootMismatch" + persistence: + config: + enabled: true + type: configMap + name: *app + subPath: configuration.yml + mountPath: /config/configuration.yml + readOnly: false + podAnnotations: + configmap.reloader.stakater.com/reload: *app + secret.reloader.stakater.com/reload: *app + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/name: *app + resources: + requests: + cpu: 5m + memory: 10Mi + limits: + memory: 100Mi 
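Review bot: `readOnly: false` on the `config` mount is misleading — the kubelet mounts ConfigMap volumes read-only regardless, and Authelia has no reason to write its own configuration — so `readOnly: true` states the intent and keeps holding if the source ever becomes a Secret. The `tls` entry lists `*host` with no `secretName`, which presumably relies on the ingress controller's default certificate; a one-line comment saying so would save the next reader from hunting for a missing cert. The `X-XSS-Protection "1; mode=block"` header in the `configuration-snippet` is a legacy header that current browsers ignore; harmless, but worth marking as legacy rather than letting it read as a meaningful control.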
diff --git a/cluster/apps/authentication/authelia/kustomization.yaml b/cluster/apps/authentication/authelia/kustomization.yaml new file mode 100644 index 000000000..7acebf563 --- /dev/null +++ b/cluster/apps/authentication/authelia/kustomization.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: default +resources: + - secret.sops.yaml + - helm-release.yaml + - service-monitor.yaml +patchesStrategicMerge: + - patches/env.yaml + #- patches/postgres.yaml +configMapGenerator: + - name: authelia + files: + - config/configuration.yml +generatorOptions: + disableNameSuffixHash: true diff --git a/cluster/apps/authentication/authelia/patches/env.yaml b/cluster/apps/authentication/authelia/patches/env.yaml new file mode 100644 index 000000000..ff6fcfd1c --- /dev/null +++ b/cluster/apps/authentication/authelia/patches/env.yaml 
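Review bot: `#- patches/postgres.yaml` is commented out with no explanation, and the patch it points at runs an init container that receives the `postgres-superuser` password, so the next reader needs to know this is a deliberate one-off rather than a forgotten line. A comment above it such as `# one-shot DB bootstrap (runs postgres-initdb with the superuser credential); enable, reconcile, then comment out again` would document the intent — adjust if that is not how it is meant to be used. `patchesStrategicMerge` still works, but newer kustomize steers toward the `patches:` form, and a brand-new file is the cheapest place to adopt it.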
@@ -0,0 +1,40 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: authelia + namespace: default +spec: + values: + env: + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_USERS_DN: ou=users + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN: dc=home,dc=arpa + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_DISPLAY_NAME_ATTRIBUTE: givenName + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUPS_FILTER: "(&(memberUid={username})(objectClass=posixGroup))" + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUP_NAME_ATTRIBUTE: cn + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_MAIL_ATTRIBUTE: mail + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_URL: "ldap://glauth.default.svc.cluster.local:389" + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER: cn=search,ou=svcaccts,dc=home,dc=arpa + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERNAME_ATTRIBUTE: uid + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERS_FILTER: "(&({username_attribute}={input})(objectClass=posixAccount))" + AUTHELIA_AUTHENTICATION_BACKEND_PASSWORD_RESET_DISABLE: "true" + AUTHELIA_DEFAULT_REDIRECTION_URL: "https://auth.${SECRET_CLUSTER_DOMAIN}" + AUTHELIA_DUO_API_DISABLE: "true" + AUTHELIA_LOG_LEVEL: trace + AUTHELIA_NOTIFIER_SMTP_DISABLE_REQUIRE_TLS: "true" + AUTHELIA_NOTIFIER_SMTP_HOST: smtp-relay.default.svc.cluster.local + AUTHELIA_NOTIFIER_SMTP_PORT: 2525 + AUTHELIA_NOTIFIER_SMTP_SENDER: "Authelia " + AUTHELIA_SERVER_DISABLE_HEALTHCHECK: "true" + AUTHELIA_SERVER_PORT: 80 + AUTHELIA_SESSION_DOMAIN: "${SECRET_CLUSTER_DOMAIN}" + AUTHELIA_SESSION_REDIS_DATABASE_INDEX: 14 + AUTHELIA_SESSION_REDIS_HOST: redis.default.svc.cluster.local + AUTHELIA_STORAGE_POSTGRES_DATABASE: authelia + AUTHELIA_STORAGE_POSTGRES_HOST: postgres.${SECRET_DOMAIN} + AUTHELIA_STORAGE_POSTGRES_SSL_MODE: verify-full + AUTHELIA_TELEMETRY_METRICS_ADDRESS: "tcp://0.0.0.0:8080" + AUTHELIA_TELEMETRY_METRICS_ENABLED: "true" + AUTHELIA_THEME: grey + AUTHELIA_TOTP_ISSUER: authelia.com + AUTHELIA_WEBAUTHN_DISABLE: "true" 
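Review bot: `AUTHELIA_LOG_LEVEL: trace` is the most verbose level and, on an identity provider, risks writing request details that do not belong in long-term logs; `info` is the sensible steady state, with `debug`/`trace` switched on only while diagnosing. Quoting is inconsistent within the block — booleans are written as `"true"` but `AUTHELIA_NOTIFIER_SMTP_PORT: 2525`, `AUTHELIA_SERVER_PORT: 80` and `AUTHELIA_SESSION_REDIS_DATABASE_INDEX: 14` are bare integers; presumably the chart stringifies them, but quoting them like the `"true"` values keeps every entry an explicit string. `AUTHELIA_SESSION_REDIS_HOST` is set here while configuration.yml in this commit also configures the sentinel `high_availability` block, so a comment on which one is authoritative would help — I could not tell from these files. `AUTHELIA_TOTP_ISSUER: authelia.com` is the label users see in their authenticator app; the cluster domain would identify this deployment better.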
diff --git a/cluster/apps/authentication/authelia/patches/postgres.yaml b/cluster/apps/authentication/authelia/patches/postgres.yaml new file mode 100644 index 000000000..f8b4c8725 --- /dev/null +++ b/cluster/apps/authentication/authelia/patches/postgres.yaml @@ -0,0 +1,31 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: authelia + namespace: default +spec: + values: + initContainers: + init-db: + image: ghcr.io/onedr0p/postgres-initdb:14.5 + env: + - name: POSTGRES_HOST + value: postgres.${SECRET_DOMAIN} + - name: POSTGRES_DB + value: authelia + - name: POSTGRES_SUPER_PASS + valueFrom: + secretKeyRef: + name: postgres-superuser + key: password + - name: POSTGRES_USER + valueFrom: + secretKeyRef: + name: authelia + key: AUTHELIA_STORAGE_POSTGRES_USERNAME + - name: POSTGRES_PASS + valueFrom: + secretKeyRef: + name: authelia + key: AUTHELIA_STORAGE_POSTGRES_PASSWORD diff --git a/cluster/apps/authentication/authelia/secret.sops.yaml b/cluster/apps/authentication/authelia/secret.sops.yaml new file mode 100644 index 000000000..7384707b8 --- /dev/null +++ b/cluster/apps/authentication/authelia/secret.sops.yaml 
@@ -0,0 +1,36 @@ +# yamllint disable +apiVersion: v1 +kind: Secret +metadata: + name: authelia + namespace: default +type: Opaque +stringData: + AUTHELIA_STORAGE_POSTGRES_USERNAME: ENC[AES256_GCM,data:popD58odXyQ=,iv:gw+Y2n/ZRRAudSZy6T6aYdLq504xEH6Ntk+nWY39zjE=,tag:okpCZIGgCzeooa+eSWhAbA==,type:str] + AUTHELIA_STORAGE_POSTGRES_PASSWORD: ENC[AES256_GCM,data:j/VlSpeqwTVKCDN+Law=,iv:k+PKPq1iF/bl0acff1DrbQzRKOb3cy37Sq5R+wuKOQc=,tag:ouhjcJuZJQ0Gc/T396WDrg==,type:str] + AUTHELIA_JWT_SECRET: ENC[AES256_GCM,data:/FH8Yi4olsLQgbAbTGh23wvZ+0bY5XZMxyXUcQ==,iv:BB18NV8++Uqh3TS9KeDAOV3WH8gvBa/vKRAoV48ddMU=,tag:jbNMXobzUIIEd/fQKrD17Q==,type:str] + AUTHELIA_SESSION_SECRET: ENC[AES256_GCM,data:oKlY7wYdJWyVyS9L0kEyE/FBaX8QguU7ZwN4wg==,iv:qn3DBkozHECvEvjfJaGwogGdNcEYfL9Mr4sZhkmRvUs=,tag:tmvKCTehK5APrJG/xRzdtg==,type:str] + AUTHELIA_STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:dhPWtO+l7X+9chnJczfL1qE0ckO58kRAvzjTiA==,iv:ac8mMxYENkUv7llxkHHdTiCxMaqP0/joJeAxDkc7vNE=,tag:HUZudNImGCxzlGXeYJZGtA==,type:str] + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: ENC[AES256_GCM,data:iF/190/mZpbDwCd5Q+VOTQVyRbs=,iv:xKhvy4ufkiPqmiWUPKQjxRqUA3VH1Y/PTc8BVnLIaDA=,tag:KB3Bs71cARnYo3noOZs+Fw==,type:str] + AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: ENC[AES256_GCM,data:GQ5FI3GP+dNfWapUXbkWRoUi4N8oHLn6Kotmmfaqxd0=,iv:iZMUl9vBZUdWElVV1iqPNhdTy0aQKw3H318UT/rTpWs=,tag:iuKMZal34P0zFy6v+Dvj7g==,type:str] + AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: ENC[AES256_GCM,data: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,iv:+H0Qz07NHU6fs7mJk9VnLZlYSoxTCnW59oPSHOmGr+s=,tag:w7NtwB7ks/Tb3eky5e/P/A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TWU5YTlFY3FPQWhnZ2I2 + akxnZ2xIRVNFZTdOWmg0dFhxTUNoZEFIM1cwCit5WnduNlQ1MkF2aytCVldMeVlC + Yk5QNWRQRllOT3ZTL3VGcjJNK1VqeUkKLS0tIFMyWHNFd29nc2tMektxclJkK0pT + 
Ny9OQ0l4ZXMrdW40NmRsbzgvZ0w5V3cKqTGvN5zk2TPgtxoVfwI7Wsz4N+lC9+Kq + DCXTgTU/QXm9dvo4ErPPzeWFqdk4JchExhvSJV2JfM32O+3z+EGhNg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-09-13T21:14:03Z" + mac: ENC[AES256_GCM,data:ujW5w84/5GmwWvH8RdAoMdEXDNQptKhK0Whbd3Byg0o02NDA3SkQsMJsaSNG9Sp5CZnYxSBHdL1AT/1pldFsrxU7TcIpU1mh9zs4nf9B8x/9CEH/3fKSOZuHRKF56LHkqXLFbcC1o+GQHfg1zWlNFWBQ4ToPnqFlLneKFcHT/Sc=,iv:15KsYWcwbuCnsNOvjh7iMuv9gOsLnbvldUlUOl1l2eI=,tag:spHas6eWDLhcaK4cFStnww==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 diff --git a/cluster/apps/authentication/authelia/service-monitor.yaml b/cluster/apps/authentication/authelia/service-monitor.yaml new file mode 100644 index 000000000..174542950 --- /dev/null +++ b/cluster/apps/authentication/authelia/service-monitor.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: &app authelia + namespace: default + labels: &labels + app.kubernetes.io/instance: *app + app.kubernetes.io/name: *app +spec: + selector: + matchLabels: + <<: *labels + endpoints: + - port: metrics + scheme: http + path: /metrics + interval: 1m + scrapeTimeout: 10s diff --git a/cluster/apps/authentication/glauth/config/groups.sops.toml b/cluster/apps/authentication/glauth/config/groups.sops.toml new file mode 100644 index 000000000..a02e0e4b4 --- /dev/null +++ b/cluster/apps/authentication/glauth/config/groups.sops.toml 
@@ -0,0 +1,20 @@ +{ + "data": "ENC[AES256_GCM,data:sjxgm11rLpMMX0WY45XoNmqEvTJdHgZwD2LBYxVOYEYEK9yVU4ibmimoDHn0eZKRjAG+zWXWPItmMoOFiBHCgYGueYPPjcFgHDy8y8hfFxh+SmIZdd4elQ2+BswuwIMLgK3B+T2dX9uihuqXQggDpWAcbb47ErEM3XNlvwWwfy2onNbJJBT1hdEatvB/baRrI1lxss5Y0c9+yBhpjqw=,iv:i2R7PBKXaRsLlyvvv7nRrt0B3/DKlMFPGPUBzdDrKMk=,tag:qI48NEaaZS8E/Oj/gI0e+Q==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuK0t1cGxMclcrN1VkblJm\nazY5ME9nMXNVVG8vTTJpV0kvVk1HaWNBaGtRCkVYaElLY09VRm5LRmhmand1SWl6\nSnJXR0VWZ3NCMWlJTjY2K2ZhaE01TmMKLS0tIHUxUEtzbTV2T2w4eHhNSTJsZGdK\nalBYbVVmdWpSZVJyUXZ6S2c2Zm1qd0kK03R6jpoZSyzEbubjGidgPdLj4ur7voyX\ntCnbIuHE1XyAzUNHXRmh2neVpJZizEcvePgyBx008tUg2Bm0h7ywUQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2022-09-13T21:09:48Z", + "mac": "ENC[AES256_GCM,data:lhhx8KwISfglzFwxyt4DHnwwoVWkI+FZsQvHKPvHgVqdAI67gUO2cZUQVv2gRq5WRYyfehBkJO0aJKtzrTG/ocmwDomIcTsuHy9ibNrFqjTxGCBwRLmJ+Mk8yutjkRhERolscdg42w/0/kf46h09+wpRcXfGU+0CY7WTXXNrYo8=,iv:rKYJyp86NRlcTL3nDaYeFDMPFRSJ70eyfTON5tuO2z8=,tag:bhfA4BgIWvhmEUenNREkQQ==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} diff --git a/cluster/apps/authentication/glauth/config/server.sops.toml b/cluster/apps/authentication/glauth/config/server.sops.toml new file mode 100644 index 000000000..26e66885c --- /dev/null +++ b/cluster/apps/authentication/glauth/config/server.sops.toml 
@@ -0,0 +1,20 @@ +{ + "data": "ENC[AES256_GCM,data:78oUuR7O9j8wqKKiTrCbg1QNVB2a+i3CWgNDNM38zQNDO/LZ3juQkda5rRZsvvH9ovGwsIVo+nk2omMLY5FUceFxQFssXYH5EGgPOA9cXYtbql8jdbp0Lh/41RAC3+WrEe3Pj/5/Qyl+1rMgQPg2JJf7KudJRt4whA6Lkehd3147Au12fMxTpxZpnSczk1MroZwsE+DdQStkVDdzwMA/QvWhnXCDCMcawFrHxrQvmRGOHAyYGomOrPm8WMKSdBpNDMZQFg1pjORK/QQ3LzeQpnoJ25iu/fA9OfpyYsbhryk2asOCyA==,iv:SZ1DXCoib5E9PurrC622tAcELIxxWGiensfZTVKFzXw=,tag:lDDsTO/Y5mXfEqyAJ0z0jQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3Mk9heFBGdDdueGFkT3Va\nS1pyMC8wOGJDSTJ3d3JPSjNnTVkzYVJ0eTJJCjVoUy8wMXdPc3Myc2JaalZ2ZG9Q\nc3J4QldvZlJqMFN4WnhvYnJmZXVuNjAKLS0tIDR5K08rWmJvR1VSSjVHUFdWNjRK\nWHd4Ny9ubjVIZ0V1SXhTMnJFN3hCK00KvH0z/ys31lAX2pYNt2JdWqPSDhp4PKEn\nbQ1Z99aG5DedV/4KqOH3L9bvHl3M5am0MiKW/CngOfN9M49bWwQ6VQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2022-09-13T21:10:04Z", + "mac": "ENC[AES256_GCM,data:rKjnXHgG5ws0WdcGmTXpZ7PPGm2UIhVASqQ8K6Vtadws2g4M5OOk2JYI9sKjpnGd/Ht0pssBBpLWbqcwV2M2Ug96tkiDMRHHT7vgw4X5Y9NmnYt+5/An7ynsudraAr9AvjRS7Xux03OIPc7LjzOtCv4BIDyFR7vPj5+7opdedC0=,iv:3VPRTkVPL640URtVG5SxLKXE0/Pe3RORttfmnU0AYY0=,tag:Fcl2j31dKdCUwvfozWpRTw==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} diff --git a/cluster/apps/authentication/glauth/config/users.sops.toml b/cluster/apps/authentication/glauth/config/users.sops.toml new file mode 100644 index 000000000..4809eec11 --- /dev/null +++ b/cluster/apps/authentication/glauth/config/users.sops.toml 
@@ -0,0 +1,20 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:0S6oUJiSwAEkf5CIxA/y9Oga9vYU415gvJgnq91nXo8=,tag:RF3h6nOtjYRCOYmUYbDbZg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmaHV4Z0l3TjdRTTNZZ3Bi\nd1NlVW5LRjNNRWcvV3ZEdndGK3FvaHJIUzNvClBKMk9ramhuNEZaK0l2OGhQS1Rl\nUWJKM1Q2ajNXc3BWSjRvVEdhMmRHRVEKLS0tIG9jWktVeWhJZnFDYXpEcStGbFBG\nUHFZazNMYlRGRjZ3eWcvWGNRc2tDa2sKWWPURYhrSLSFllErtv4kqlbwVwFm6C4H\nWEBjUkuR4IrV4iN21St1mGvJt7BNzksPOIanHiyV/X8UzM+2MtZ33g==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2022-09-13T21:59:06Z", + "mac": "ENC[AES256_GCM,data:KxDoqYhcWY5VsmMSLiOlfTyVwta/7nKS4rGwyyoa/Kzwl1hNp0R+oQhhqPesple1zbtIPDVJJYY+dtQT74X6uBlCLxzFrB1zRu9nOPK3LIutMkcXAab3AdD7ZP8OjdCcXsyVj+xO+DtK0EvnZxFi6wMEQK54FEWCMIGmuLLBpLg=,iv:y8wkX6/itIeLniKjxtHIhgMe/zB27ieu/HFOtt6Nlwg=,tag:JJCGe3ycl6Omg2zWl6b72A==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} diff --git a/cluster/apps/authentication/glauth/helm-release.yaml b/cluster/apps/authentication/glauth/helm-release.yaml new file mode 100644 index 000000000..0f5e3e189 --- /dev/null +++ b/cluster/apps/authentication/glauth/helm-release.yaml 
@@ -0,0 +1,64 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: &app glauth + namespace: default +spec: + interval: 15m + chart: + spec: + chart: app-template + version: 0.1.1 + sourceRef: + kind: HelmRepository + name: bjw-s-charts + namespace: flux-system + install: + createNamespace: true + remediation: + retries: 5 + upgrade: + remediation: + retries: 5 + values: + controller: + replicas: 1 + strategy: RollingUpdate + image: + repository: docker.io/glauth/glauth + tag: v2.1.0 + command: ["/app/glauth", "-c", "/config"] + service: + main: + ports: + http: + port: 5555 + ldap: + enabled: true + port: 389 + podSecurityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + fsGroupChangePolicy: "OnRootMismatch" + persistence: + config: + enabled: true + type: secret + name: *app + items: + - key: server.toml + path: server.toml + - key: groups.toml + path: groups.toml + - key: users.toml + path: users.toml + podAnnotations: + secret.reloader.stakater.com/reload: *app + resources: + requests: + cpu: 5m + memory: 10Mi + limits: + memory: 50Mi diff --git a/cluster/apps/authentication/glauth/kustomization.yaml b/cluster/apps/authentication/glauth/kustomization.yaml new file mode 100644 index 000000000..f97aa7b1a --- /dev/null +++ b/cluster/apps/authentication/glauth/kustomization.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: default +resources: + - helm-release.yaml +secretGenerator: + - name: glauth + files: + - server.toml=config/server.sops.toml + - groups.toml=config/groups.sops.toml + - users.toml=config/users.sops.toml +generatorOptions: + disableNameSuffixHash: true diff --git a/cluster/apps/networking/authelia/kustomization.yaml b/cluster/apps/authentication/kustomization.yaml similarity index 61% rename from cluster/apps/networking/authelia/kustomization.yaml rename to cluster/apps/authentication/kustomization.yaml index efed43cbc..9be20faa0 100644 
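Review bot: The `http` port (5555) publishes GLAuth's API listener through the Service — the readme in this commit shows it as `[api] enabled = true` with `tls = false` — and I do not believe that listener authenticates callers, so unless something in the cluster consumes it, drop the port (or disable `[api]` in server.toml) rather than leave it reachable from every namespace; confirm against the GLAuth docs. LDAP is served on 389 with `[ldaps] enabled = false`, so Authelia's bind credential and user passwords cross the pod network in clear; in-cluster only, but LDAPS or a NetworkPolicy limiting 389 to the authelia pods would close that. Listening on 389 as `runAsUser: 1000` needs `CAP_NET_BIND_SERVICE` unless the image already grants it — worth confirming, or adding it under `securityContext.capabilities.add`. The `config` persistence entry gives no `mountPath`, so `-c /config` in `command` presumably relies on the chart's default mount location; a short comment saying so would help.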
--- a/cluster/apps/networking/authelia/kustomization.yaml +++ b/cluster/apps/authentication/kustomization.yaml @@ -1,5 +1,7 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: default resources: - - configmap.yaml - - helm-release.yaml + - authelia + - glauth diff --git a/cluster/apps/authentication/readme.md b/cluster/apps/authentication/readme.md new file mode 100644 index 000000000..f4dcb546a --- /dev/null +++ b/cluster/apps/authentication/readme.md @@ -0,0 +1,90 @@ +# Authentication + +## GLAuth + +### Repo configuration + +1. Add/Update `.vscode/extensions.json` + + ```json + { + "files.associations": { + "**/cluster/**/*.sops.toml": "plaintext" + } + } + ``` + +2. Add/Update `.gitattributes` + + ```text + *.sops.toml linguist-language=JSON + ``` + +3. Add/Update `.sops.yaml` + + ```yaml + - path_regex: cluster/.*\.sops\.toml + key_groups: + - age: + - age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg + ``` + +## App Configuration + +Below are the decrypted versions of the sops encrypted toml files. + +> `passbcrypt` can be generated [on CyberChef](https://gchq.github.io/CyberChef/#recipe=Bcrypt(12)To_Hex(%27None%27,0)) + +1. `server.sops.toml` + + ```toml + debug = true + [ldap] + enabled = true + listen = "0.0.0.0:389" + [ldaps] + enabled = false + [api] + enabled = true + tls = false + listen = "0.0.0.0:5555" + [backend] + datastore = "config" + baseDN = "dc=home,dc=arpa" + ``` + +2. `groups.sops.toml` + + ```toml + [[groups]] + name = "svcaccts" + gidnumber = 6500 + [[groups]] + name = "admins" + gidnumber = 6501 + [[groups]] + name = "people" + gidnumber = 6502 + ``` + +3. `users.sops.toml` + + ```toml + [[users]] + name = "search" + uidnumber = 5000 + primarygroup = 6500 + passbcrypt = "" + [[users.capabilities]] + action = "search" + object = "*" + [[users]] + name = "" + mail = "" + givenname = "" + sn = "" + uidnumber = + primarygroup = + othergroups = [ ] + passbcrypt = "" + ``` 
diff --git a/cluster/apps/documentation/outline/patches/env.yaml b/cluster/apps/documentation/outline/patches/env.yaml
index 38b0b0bc9..1b63883c0 100644
--- a/cluster/apps/documentation/outline/patches/env.yaml
+++ b/cluster/apps/documentation/outline/patches/env.yaml
@@ -14,13 +14,13 @@ spec:
 AWS_S3_UPLOAD_BUCKET_URL: "https://minio.${SECRET_DOMAIN}"
 AWS_S3_UPLOAD_MAX_SIZE: "26214400"
 ENABLE_UPDATES: "false"
- OIDC_AUTH_URI: "https://login.${SECRET_CLUSTER_DOMAIN}/api/oidc/authorization"
+ OIDC_AUTH_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/authorization"
 OIDC_CLIENT_ID: outline
 OIDC_CLIENT_SECRET: "${SECRET_OUTLINE_OAUTH_CLIENT_SECRET}"
 OIDC_DISPLAY_NAME: Authelia
 OIDC_SCOPES: "openid profile email offline_access"
- OIDC_TOKEN_URI: "https://login.${SECRET_CLUSTER_DOMAIN}/api/oidc/token"
- OIDC_USERINFO_URI: "https://login.${SECRET_CLUSTER_DOMAIN}/api/oidc/userinfo"
+ OIDC_TOKEN_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/token"
+ OIDC_USERINFO_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/userinfo"
 OIDC_USERNAME_CLAIM: email
 PGSSLMODE: require
 PORT: 80
diff --git a/cluster/apps/home-automation/frigate/helm-release.yaml b/cluster/apps/home-automation/frigate/helm-release.yaml
index 93ece22a8..6003c453c 100644
--- a/cluster/apps/home-automation/frigate/helm-release.yaml
+++ b/cluster/apps/home-automation/frigate/helm-release.yaml
@@ -68,8 +68,8 @@ spec:
 enabled: true
 ingressClassName: "nginx"
 annotations:
- nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
- nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+ nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+ nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
 hosts:
 - host: &host "frigate.${SECRET_CLUSTER_DOMAIN}"
 paths:
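Review bot: The same `auth-url`/`auth-signin` pair is hand-edited in this frigate hunk and again in home-assistant, zigbee2mqtt, zwavejs2mqtt, bazarr, calibre, flood, lidarr, prowlarr, pyload, qbittorrent and the media hunks beyond this chunk, which is exactly why moving the portal cost this commit fifteen files. Since these files already consume Flux substitution variables (`${SECRET_CLUSTER_DOMAIN}`), hoisting the two values into variables of their own would make the next relocation a one-line change and remove the chance of one ingress silently pointing at a Service that no longer exists. An ingress left on the old `authelia.networking` address should fail closed (ingress-nginx answers 500 when `auth-url` is unreachable), so a miss shows up as an outage rather than an auth bypass — still worth a sweep for any protected ingress not in the diffstat.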
diff --git a/cluster/apps/home-automation/home-assistant/helm-release.yaml b/cluster/apps/home-automation/home-assistant/helm-release.yaml
index 410f812ee..89e62746d 100644
--- a/cluster/apps/home-automation/home-assistant/helm-release.yaml
+++ b/cluster/apps/home-automation/home-assistant/helm-release.yaml
@@ -109,8 +109,8 @@ spec:
 enabled: true
 ingressClassName: "nginx"
 annotations:
- nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
- nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+ nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+ nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
 hosts:
 - host: "hass-config.${SECRET_CLUSTER_DOMAIN}"
 paths:
diff --git a/cluster/apps/home-automation/zigbee2mqtt/helm-release.yaml b/cluster/apps/home-automation/zigbee2mqtt/helm-release.yaml
index 1ac166190..8730ed061 100644
--- a/cluster/apps/home-automation/zigbee2mqtt/helm-release.yaml
+++ b/cluster/apps/home-automation/zigbee2mqtt/helm-release.yaml
@@ -75,8 +75,8 @@ spec:
 enabled: true
 ingressClassName: "nginx"
 annotations:
- nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
- nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+ nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+ nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
 hosts:
 - host: "zigbee.${SECRET_CLUSTER_DOMAIN}"
 paths:
diff --git a/cluster/apps/home-automation/zwavejs2mqtt/helm-release.yaml b/cluster/apps/home-automation/zwavejs2mqtt/helm-release.yaml
index 04d66c6ef..c9597c0c1 100644
--- a/cluster/apps/home-automation/zwavejs2mqtt/helm-release.yaml
+++ b/cluster/apps/home-automation/zwavejs2mqtt/helm-release.yaml
@@ -39,8 +39,8 @@ spec:
 enabled: true
 ingressClassName: "nginx"
 annotations:
- nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
- nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+ nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+ nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
 hosts:
 - host: zwave.${SECRET_CLUSTER_DOMAIN}
 paths:
diff --git a/cluster/apps/kustomization.yaml b/cluster/apps/kustomization.yaml
index c5f69aff5..b07294c27 100644
--- a/cluster/apps/kustomization.yaml
+++ b/cluster/apps/kustomization.yaml
@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - authentication
 - data
 - databases
 - development
diff --git a/cluster/apps/media/bazarr/helm-release.yaml b/cluster/apps/media/bazarr/helm-release.yaml
index c40e56110..3f7110eeb 100644
--- a/cluster/apps/media/bazarr/helm-release.yaml
+++ b/cluster/apps/media/bazarr/helm-release.yaml
@@ -60,8 +60,8 @@ spec:
 enabled: true
 ingressClassName: "nginx"
 annotations:
- nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
- nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+ nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+ nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
 # nginx.ingress.kubernetes.io/configuration-snippet: |
 # proxy_set_header Accept-Encoding "";
 # sub_filter '' '';
diff --git a/cluster/apps/media/calibre/helm-release.yaml b/cluster/apps/media/calibre/helm-release.yaml
index e4e4e64b1..5dee2b9c4 100644
--- a/cluster/apps/media/calibre/helm-release.yaml
+++ b/cluster/apps/media/calibre/helm-release.yaml
@@ -45,8 +45,8 @@ spec:
 enabled: true
 ingressClassName: "nginx"
 annotations:
- nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
- nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+ nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+ nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
 hosts:
 - host: &host "calibre.${SECRET_CLUSTER_DOMAIN}"
 paths:
diff --git a/cluster/apps/media/flood/helm-release.yaml b/cluster/apps/media/flood/helm-release.yaml
index f8011ce71..8f87e8a3b 100644
--- a/cluster/apps/media/flood/helm-release.yaml
+++ b/cluster/apps/media/flood/helm-release.yaml
@@ -58,8 +58,8 @@ spec:
 enabled: true
 ingressClassName: "nginx"
 annotations:
- nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
- nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+ nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+ nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
 hosts:
 - host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
 paths:
diff --git a/cluster/apps/media/lidarr/helm-release.yaml b/cluster/apps/media/lidarr/helm-release.yaml
index 0076cc2f9..1ca447db5 100644
--- a/cluster/apps/media/lidarr/helm-release.yaml
+++ b/cluster/apps/media/lidarr/helm-release.yaml
@@ -68,8 +68,8 @@ spec:
 ingressClassName: "nginx"
 annotations:
 nginx.ingress.kubernetes.io/proxy-body-size: "0"
- nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
- nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+ nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+ nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
 nginx.ingress.kubernetes.io/configuration-snippet: |
 proxy_set_header Accept-Encoding "";
 sub_filter '' '';
diff --git a/cluster/apps/media/prowlarr/helm-release.yaml b/cluster/apps/media/prowlarr/helm-release.yaml
index bb0248f9a..b667d9759 100644
--- a/cluster/apps/media/prowlarr/helm-release.yaml
+++ b/cluster/apps/media/prowlarr/helm-release.yaml
@@ -51,8 +51,8 @@ spec:
 enabled: true
 ingressClassName: "nginx"
 annotations:
- nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
- nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+ nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+ nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
 nginx.ingress.kubernetes.io/configuration-snippet: |
 proxy_set_header Accept-Encoding "";
 sub_filter '' '';
diff --git a/cluster/apps/media/pyload/helm-release.yaml b/cluster/apps/media/pyload/helm-release.yaml
index 8699031e9..570e6e21b 100644
--- a/cluster/apps/media/pyload/helm-release.yaml
+++ b/cluster/apps/media/pyload/helm-release.yaml
@@ -56,8 +56,8 @@ spec:
 enabled: true
 ingressClassName: "nginx"
 annotations:
- nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
- nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+ nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+ nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
 hosts:
 - host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
diff --git a/cluster/apps/media/qbittorrent/helm-release.yaml b/cluster/apps/media/qbittorrent/helm-release.yaml
index 583f18e6d..e80517cc0 100644
--- a/cluster/apps/media/qbittorrent/helm-release.yaml
+++ b/cluster/apps/media/qbittorrent/helm-release.yaml
@@ -75,8 +75,8 @@ spec:
 enabled: true
 ingressClassName: "nginx"
 annotations:
- nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
- nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+ nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+ nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
 hosts:
 - host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
diff --git a/cluster/apps/media/radarr/helm-release.yaml b/cluster/apps/media/radarr/helm-release.yaml
index efa8d60aa..3ab530fed 100644
--- a/cluster/apps/media/radarr/helm-release.yaml
+++ b/cluster/apps/media/radarr/helm-release.yaml
@@ -68,8 +68,8 @@ spec:
 ingressClassName: "nginx"
 annotations:
 nginx.ingress.kubernetes.io/proxy-body-size: "0"
- nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
- nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+ nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+ nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
 nginx.ingress.kubernetes.io/configuration-snippet: |
 proxy_set_header Accept-Encoding "";
 sub_filter '' '';
diff --git a/cluster/apps/media/readarr/helm-release.yaml b/cluster/apps/media/readarr/helm-release.yaml
index ab4a91fdd..d8ddcb6e9 100644
--- a/cluster/apps/media/readarr/helm-release.yaml
+++ b/cluster/apps/media/readarr/helm-release.yaml
@@ -62,8 +62,8 @@ spec:
 enabled: true
 ingressClassName: "nginx"
 annotations:
- nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
- nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+ nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+ nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
 nginx.ingress.kubernetes.io/configuration-snippet: |
 proxy_set_header Accept-Encoding "";
 sub_filter '' '';
diff --git a/cluster/apps/media/sabnzbd/helm-release.yaml b/cluster/apps/media/sabnzbd/helm-release.yaml
index 1b264af70..a38ddc9c8 100644
--- a/cluster/apps/media/sabnzbd/helm-release.yaml
+++ b/cluster/apps/media/sabnzbd/helm-release.yaml
@@ -70,8 +70,8 @@ spec:
 enabled: true
 ingressClassName: "nginx"
 annotations:
- nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
- nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+ nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+ nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
 nginx.ingress.kubernetes.io/configuration-snippet: |
 proxy_set_header Accept-Encoding "";
 sub_filter '' '';
diff --git a/cluster/apps/media/sonarr/helm-release.yaml b/cluster/apps/media/sonarr/helm-release.yaml
index 5fa8de143..fc43289d8 100644
--- a/cluster/apps/media/sonarr/helm-release.yaml
+++ b/cluster/apps/media/sonarr/helm-release.yaml
@@ -68,8 +68,8 @@ spec:
 ingressClassName: "nginx"
 annotations:
 nginx.ingress.kubernetes.io/proxy-body-size: "0"
- nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
- nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+ nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+ nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
 nginx.ingress.kubernetes.io/configuration-snippet: |
 proxy_set_header Accept-Encoding "";
 sub_filter '' '';
diff --git a/cluster/apps/media/tdarr/helm-release.yaml b/cluster/apps/media/tdarr/helm-release.yaml
index 6436fe966..2ff1c1339 100644
--- a/cluster/apps/media/tdarr/helm-release.yaml
+++ b/cluster/apps/media/tdarr/helm-release.yaml
@@ -72,8 +72,8 @@ spec:
 enabled: true
 ingressClassName: "nginx"
 annotations:
- nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
- nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+ nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+ nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
 # traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
 # traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd
 hosts:
diff --git a/cluster/apps/media/travelstories/deployment.yaml b/cluster/apps/media/travelstories/deployment.yaml
index 8ddd03cb5..120f9c898 100644
--- a/cluster/apps/media/travelstories/deployment.yaml
+++ b/cluster/apps/media/travelstories/deployment.yaml
@@ -75,8 +75,8 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 annotations:
- nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
- nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+ nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+ nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
 labels:
 app.kubernetes.io/instance: travelstories
 app.kubernetes.io/name: travelstories
diff --git a/cluster/apps/monitoring/blackbox-exporter/helm-release.yaml b/cluster/apps/monitoring/blackbox-exporter/helm-release.yaml
index b781cef45..3b46c9e02 100644
--- a/cluster/apps/monitoring/blackbox-exporter/helm-release.yaml
+++ b/cluster/apps/monitoring/blackbox-exporter/helm-release.yaml
@@ -94,8 +94,8 @@ spec:
 enabled: true
 className: nginx
 annotations:
- nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
- nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+ nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+ nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
 hosts:
 - host: "blackbox.${SECRET_CLUSTER_DOMAIN}"
 paths:
diff --git a/cluster/apps/monitoring/grafana/helm-release.yaml b/cluster/apps/monitoring/grafana/helm-release.yaml
index 68ad965a8..480f8705e 100644
--- a/cluster/apps/monitoring/grafana/helm-release.yaml
+++ b/cluster/apps/monitoring/grafana/helm-release.yaml
@@ -34,7 +34,7 @@ spec:
 existingSecret: grafana-admin-creds
 grafana.ini:
 auth:
- signout_redirect_url: "https://login.${SECRET_CLUSTER_DOMAIN}/logout"
+ signout_redirect_url: "https://auth.${SECRET_CLUSTER_DOMAIN}/logout"
 oauth_auto_login: false
 auth.generic_oauth:
 enabled: true
@@ -43,9 +43,9 @@ spec:
 client_secret: "${SECRET_GRAFANA_OAUTH_CLIENT_SECRET}"
 scopes: "openid profile email groups"
 empty_scopes: false
- auth_url: "https://login.${SECRET_CLUSTER_DOMAIN}/api/oidc/authorization"
- token_url: "https://login.${SECRET_CLUSTER_DOMAIN}/api/oidc/token"
- api_url: "https://login.${SECRET_CLUSTER_DOMAIN}/api/oidc/userinfo"
+ auth_url: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/authorization"
+ token_url: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/token"
+ api_url: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/userinfo"
 login_attribute_path: preferred_username
 groups_attribute_path: groups
 name_attribute_path: name
diff --git a/cluster/apps/monitoring/kube-prometheus-stack/helm-release.yaml b/cluster/apps/monitoring/kube-prometheus-stack/helm-release.yaml
index a7f8ed2da..f125d526a 100644
--- a/cluster/apps/monitoring/kube-prometheus-stack/helm-release.yaml
+++ b/cluster/apps/monitoring/kube-prometheus-stack/helm-release.yaml
@@ -118,8 +118,8 @@ spec:
 pathType: Prefix
 ingressClassName: "nginx"
 annotations:
- nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
- nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+ nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+ nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
 hosts: ["prometheus.${SECRET_CLUSTER_DOMAIN}"]
 tls:
 - hosts:
@@ -363,8 +363,8 @@ spec:
 pathType: Prefix
 ingressClassName: "nginx"
 annotations:
- nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
- nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+ nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+ nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
 hosts: ["alert-manager.${SECRET_CLUSTER_DOMAIN}"]
 tls:
 - hosts:
diff --git a/cluster/apps/monitoring/thanos/helm-release.yaml b/cluster/apps/monitoring/thanos/helm-release.yaml
index 4c50813eb..52183da83 100644
--- a/cluster/apps/monitoring/thanos/helm-release.yaml
+++ b/cluster/apps/monitoring/thanos/helm-release.yaml
@@ -38,8 +38,8 @@ spec:
 enabled: true
 hostname: &host "thanos-query.${SECRET_CLUSTER_DOMAIN}"
 annotations:
- nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
- nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+ nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+ nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
 ingressClassName: "nginx"
 tls: true
 extraTls:
diff --git a/cluster/apps/networking/authelia/configmap.yaml b/cluster/apps/networking/authelia/configmap.yaml
deleted file mode 100644
index 205ebbaf5..000000000
--- a/cluster/apps/networking/authelia/configmap.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: authelia-config-custom
- namespace: networking
-data:
- users_database.yml: |
- users:
- Claude:
- displayname: "Claude"
- password: "${SECRET_AUTHELIA_USER_CLAUDE_PASSWORD}"
- email: ${SECRET_AUTHELIA_USER_CLAUDE_EMAIL}
- groups:
- - admins
- Helene:
- displayname: "Helene"
- password: "${SECRET_AUTHELIA_USER_HELENE_PASSWORD}"
- email: ${SECRET_AUTHELIA_USER_HELENE_EMAIL}
- groups:
- - users
- visitor:
- displayname: "visitor"
- password: "${SECRET_AUTHELIA_USER_VISITOR_PASSWORD}"
- email: ${SECRET_AUTHELIA_USER_VISITOR_EMAIL}
- groups:
- - users
diff --git a/cluster/apps/networking/authelia/helm-release.yaml b/cluster/apps/networking/authelia/helm-release.yaml
deleted file mode 100644
index 859db1817..000000000
--- a/cluster/apps/networking/authelia/helm-release.yaml
+++ /dev/null
@@ -1,203 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
- name: authelia
- namespace: networking
-spec:
- interval: 5m
- chart:
- spec:
- chart: authelia
- version: 0.8.38
- sourceRef:
- kind: HelmRepository
- name: authelia-charts
- namespace: flux-system
- interval: 5m
-
- values:
- domain: ${SECRET_CLUSTER_DOMAIN}
-
- service:
- annotations:
- prometheus.io/probe: "true"
- prometheus.io/protocol: "http"
-
- ingress:
- enabled: true
- className: nginx
- annotations:
- external-dns.alpha.kubernetes.io/target: "services.${SECRET_DOMAIN}."
- external-dns/is-public: "true"
- subdomain: login
-
- tls:
- enabled: true
- secret: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
-
- pod:
- # Must be Deployment, DaemonSet, or StatefulSet.
- kind: Deployment
-
- env:
- - name: TZ
- value: ${TIMEZONE}
-
- extraVolumeMounts:
- - name: config-custom
- mountPath: /config
- extraVolumes:
- - name: config-custom
- configMap:
- name: authelia-config-custom
- items:
- - key: users_database.yml
- path: users_database.yml
-
- resources:
- requests:
- cpu: 500m
- memory: 1500Mi
- limits: {}
-
- ##
- ## Authelia Config Map Generator
- ##
- configMap:
- enabled: true
- server:
- read_buffer_size: 8192
- write_buffer_size: 8192
- theme: light
- authentication_backend:
- disable_reset_password: true
- ldap:
- enabled: false
- file:
- enabled: true
- password:
- algorithm: argon2id
-
- access_control:
- ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
- ## resource if there is no policy to be applied to the user.
- default_policy: deny
-
- networks:
- - name: private
- networks:
- - 10.0.0.0/8
- - 172.16.0.0/12
- - 192.168.0.0/16
- - name: vpn
- networks:
- - 10.10.0.0/16
-
- rules:
- # bypass Authelia WAN + LAN
- - domain:
- - login.${SECRET_CLUSTER_DOMAIN}
- policy: bypass
-
- # Deny admin services to users
- - domain:
- - alert-manager.${SECRET_CLUSTER_DOMAIN}
- - prometheus.${SECRET_CLUSTER_DOMAIN}
- - thanos.${SECRET_CLUSTER_DOMAIN}
- subject: ["group:users"]
- policy: deny
-
- # One factor auth for LAN
- - domain:
- - "*.${SECRET_CLUSTER_DOMAIN}"
- policy: one_factor
- subject: ["group:admins", "group:users"]
- networks:
- - private
-
- # Two factors auth for WAN
- - domain:
- - "*.${SECRET_CLUSTER_DOMAIN}"
- subject: ["group:admins", "group:users"]
- policy: two_factor
-
- session:
- redis:
- enabled: false
- high_availability:
- enabled: true
- sentinel_name: redis-master
- nodes:
- - host: redis-node-0.redis-headless.default.svc.cluster.local
- port: 26379
- - host: redis-node-1.redis-headless.default.svc.cluster.local
- port: 26379
- - host: redis-node-2.redis-headless.default.svc.cluster.local
- port: 26379
- storage:
- postgres:
- enabled: true
- host: postgres.${SECRET_DOMAIN}
- ssl:
- mode: verify-full
-
- notifier:
- smtp:
- enabled: true
- host: smtp-relay.default.svc.cluster.local
- port: 2525
- sender: authelia@${SECRET_DOMAIN}
- identifier: ${SECRET_DOMAIN}
-
- identity_providers:
- oidc:
- enabled: true
- cors:
- endpoints: ["authorization", "token", "revocation", "introspection"]
- allowed_origins_from_client_redirect_uris: true
- clients:
- - id: gitea
- secret: "${SECRET_GITEA_OAUTH_CLIENT_SECRET}"
- public: false
- authorization_policy: one_factor
- scopes: ["openid", "profile", "groups", "email"]
- redirect_uris:
- [
- "https://gitea.${SECRET_CLUSTER_DOMAIN}/user/oauth2/authelia/callback",
- ]
- userinfo_signing_algorithm: none
- - id: grafana
- description: Grafana
- secret: "${SECRET_GRAFANA_OAUTH_CLIENT_SECRET}"
- public: false
- authorization_policy: one_factor
- pre_configured_consent_duration: 1y
- scopes: ["openid", "profile", "groups", "email"]
- redirect_uris:
- ["https://grafana.${SECRET_CLUSTER_DOMAIN}/login/generic_oauth"]
- userinfo_signing_algorithm: none
- - id: outline
- description: Outline
- secret: "${SECRET_OUTLINE_OAUTH_CLIENT_SECRET}"
- public: false
- authorization_policy: one_factor
- pre_configured_consent_duration: 1y
- scopes: ["openid", "profile", "email", "offline_access"]
- redirect_uris:
- ["https://docs.${SECRET_CLUSTER_DOMAIN}/auth/oidc.callback"]
- userinfo_signing_algorithm: none
-
- secret:
- storage:
- key: STORAGE_PASSWORD
- value: "${SECRET_AUTHELIA_POSTGRES_PASSWORD}"
- filename: STORAGE_PASSWORD
- jwt:
- key: JWT_TOKEN
- value: "${SECRET_AUTHELIA_JWT_SECRET}"
- filename: JWT_TOKEN
- storageEncryptionKey:
- key: STORAGE_ENCRYPTION_KEY
- value: "${SECRET_AUTHELIA_STORAGE_ENCRYPTION_KEY}"
- filename: STORAGE_ENCRYPTION_KEY
diff --git a/cluster/apps/networking/kustomization.yaml b/cluster/apps/networking/kustomization.yaml
index 49400b499..807fd0410 100644
--- a/cluster/apps/networking/kustomization.yaml
+++ b/cluster/apps/networking/kustomization.yaml
@@ -3,7 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - namespace.yaml
- - authelia
 - certificate
 - external-dns
 - ingress-nginx
diff --git a/cluster/charts/authelia-charts.yaml b/cluster/charts/authelia-charts.yaml
deleted file mode 100644
index b6bf9501f..000000000
--- a/cluster/charts/authelia-charts.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-apiVersion: source.toolkit.fluxcd.io/v1beta1
-kind: HelmRepository
-metadata:
- name: authelia-charts
- namespace: flux-system
-spec:
- interval: 1h
- url: https://charts.authelia.com
- timeout: 3m
diff --git a/cluster/charts/authentik-charts.yaml b/cluster/charts/authentik-charts.yaml
deleted file mode 100644
index 860700578..000000000
--- a/cluster/charts/authentik-charts.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-apiVersion: source.toolkit.fluxcd.io/v1beta1
-kind: HelmRepository
-metadata:
- name: authentik-charts
- namespace: flux-system
-spec:
- interval: 1h
- url: https://charts.goauthentik.io
- timeout: 3m
diff --git a/cluster/charts/kustomization.yaml b/cluster/charts/kustomization.yaml
index bb0dfe6ed..6f834f4cc 100644
--- a/cluster/charts/kustomization.yaml
+++ b/cluster/charts/kustomization.yaml
@@ -2,8 +2,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - authelia-charts.yaml
- - authentik-charts.yaml
 - bitnami-charts.yaml
 - bjw-s-charts.yaml
 - cert-manager-webhook-ovh.yaml
diff --git a/cluster/configuration/cluster-secrets.sops.yaml b/cluster/configuration/cluster-secrets.sops.yaml
index 5aa45ee4c..01057e66f 100644
--- a/cluster/configuration/cluster-secrets.sops.yaml
+++ b/cluster/configuration/cluster-secrets.sops.yaml
@@ -5,16 +5,6 @@ metadata:
 name: cluster-secrets
 namespace: flux-system
 stringData:
- SECRET_AUTHELIA_JWT_SECRET: ENC[AES256_GCM,data:B3+umypR5/b1Emnk5C4iPOKV0guv6kHPm24SOA==,iv:cGSElgFacEEfrYXNYMbfLnJzeILcrfA/hehyJc2pwiM=,tag:Z0VOJic0pnzEicU1tOwDxg==,type:str]
- SECRET_AUTHELIA_SESSION_SECRET: ENC[AES256_GCM,data:Mtm1pKD/EKy0iCp+MZu13FsNWRm1A87831gp5g==,iv:Rgz11SVbvgNEmG2DDEvD7OFtUjr9uc2s6Ba7eAw2VWU=,tag:3DvjMDhZR/Id0+lvaNuQQg==,type:str]
- SECRET_AUTHELIA_POSTGRES_PASSWORD: ENC[AES256_GCM,data:s7FKzSB4j/loBw+kGio=,iv:AaDnVGqR/AnkTtwaWc2MdZMTEzS9oqD69Yx7ERCMLw4=,tag:oxqPv3/ScxDmau5D1jRHgg==,type:str]
- SECRET_AUTHELIA_STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:YBU5F2QjInHEVg6zg6QFVqTLCsztq9VDfvAWeg==,iv:SAD1P95b5SUxPsq9+KGEaJr5+/NcC7nFkIZ23SuMe6g=,tag:HTdrjhqmAzoa8Me7YF+9rg==,type:str]
- SECRET_AUTHELIA_USER_CLAUDE_EMAIL: ENC[AES256_GCM,data:zFcLu4r4WFMVU1T1EPgiJKi8CxAyvuE=,iv:pv6ea/TcPEI9jIntJrjo14iBqj9GjgVhWHWrPn6mnQs=,tag:yMbeHtwIkjXt7aNGJU/UWA==,type:str]
- SECRET_AUTHELIA_USER_CLAUDE_PASSWORD: ENC[AES256_GCM,data:LMO3QfNvpse/BEjyOG6cfsllHcJ28OE8LLqlPGZdVOHkqG9C/naZ2Ri4k1x/1fyzL6YUOODZYExj6g3Zdl3zTsbjdVEryTrZ810183Zcb7RjBrXSZB81tk1CW+EARFq5Jc2N,iv:OGlGQQAPrrF9YP+tux39MeZWnrr+F7IsLfklv5xKfkE=,tag:sPewO2VQNR+8aq7S4JiXLg==,type:str]
- SECRET_AUTHELIA_USER_HELENE_EMAIL: ENC[AES256_GCM,data:OHljFRDSlX7MG0qOhPodseC1Xqa815tl,iv:NmuPZt3KkJPV28i26eU84Z+aPE55DHkkAz+llmSnloU=,tag:aUMYpZp+ObeYZ9GmrAbJ4g==,type:str]
- SECRET_AUTHELIA_USER_HELENE_PASSWORD: ENC[AES256_GCM,data:DyRpTyVyey4lhjDijfB/2Cf4Weg8virytgtsirtIUuBesq9QAuUffgLScA6TF4FYY79vbZNupfICuUwaHvZM1eyhzfwilWhlNp6dIxPTuEqC6TWP7dHEIGKF8yFB659veOis,iv:NJ7ENJU5Gr1VGdivBS4JCAbvsig1g92cx62kC6EKPu0=,tag:bjr90OBDYyE6c1kwXam1wg==,type:str]
- SECRET_AUTHELIA_USER_VISITOR_EMAIL: ENC[AES256_GCM,data:9k/iAk6pG/nNpn2wedTz20s+IsZ3ww==,iv:ZgNGCEeLkdymzq+xVfur9T/24+v2mzrjwwsr7VKdNe4=,tag:H2o6blNKxgMRFhE/QtVSNg==,type:str]
- SECRET_AUTHELIA_USER_VISITOR_PASSWORD: ENC[AES256_GCM,data:VlKk9ZOpKCHy1AW4usy9o0G5f5iSLRlSM0Lo265UC4EP6XO6HLR0415Ro2FFdHm8NkJZqjguFgqd0bC7G4HDjVqS4Y+kwd1wO5TzVQGtI3aE9npJdo+zlISM0aX6eID8Vp+s,iv:Bz7Bow0Gb4VRFRLB8eNXq2kyPveX+t6H0BEdLxh2Igk=,tag:JGkgQIWoCZGM3Fcj+l6i4g==,type:str]
 SECRET_BOOKSTACK_DB_PASSWORD: ENC[AES256_GCM,data:cq8X8QDvbi3IO/g2bEj1tQ==,iv:6YtfNCxqeq7iifIeSrA26DrEBKTjUNB4nrtM72hKpbY=,tag:DxX88KMJXYWM3FsYbK58+Q==,type:str]
 SECRET_BOOKSTACK_TOKEN_ID: ENC[AES256_GCM,data:wR2K8DEdDiDBL1Q1QFLHPbbtPwCucXns3r0pt38kNmQ=,iv:yVWYuPMrxImLJQyw7yvqCESBLcMIMxUMbY9RVYH54JQ=,tag:mL1TDd2A+EsN0p5SPH6jKw==,type:str]
 SECRET_BOOKSTACK_TOKEN_SECRET: ENC[AES256_GCM,data:zRNzXpum9u/6VEIIhoYdIyh9zrLq5gxYXTX5WHrb+fQ=,iv:oIU2pm6PO7tGHbuvVe1XC7VcmeAeewSV+PbU3Pj9b7s=,tag:Lcej5PL+aNgY3GLHrs6VwQ==,type:str]
@@ -92,8 +82,8 @@ sops:
 WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm
 pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2022-09-13T20:27:31Z"
- mac: ENC[AES256_GCM,data:ybA9+ZtgN6rhindjNIZfm0iCWSWuwACt1vOFxLfnNH71AAS6AMl+AYiLpOKq9+jwAoi4T9B+kvdtL8Kmhzc6Q30oqhwKO8SpeLkpkPOE2woqapiZvjk467VVYpUCKEKarXE3bZY+9w0gvms02Jrg421+vnDTEF/HZKamLf4pizo=,iv:iZfsRxkYg//LshAFX2063BT4wcrVe5lErO16DcEgGN0=,tag:s0J1+0Cr6DaFMMN1q645YA==,type:str]
+ lastmodified: "2022-09-13T21:06:40Z"
+ mac: ENC[AES256_GCM,data:fi8v5TVbw/Ki4z2l53CJJ1h+XNtX6YczzHD71UKJEWgHIyp6R9mY5UHTCdGJYNurcOA6IzP24XRjx2Z3s43jArIy0ojyVYYudyVLzrUYTf712CvgBF1YVeWu9sluM+7xutEvpG7byJ7gEml+B6FlN2duf902KFiiZIMhh4fvVmI=,iv:KnVclXvl3qgLlrQXG6FtXjmW5TFyvWoJMoJk3O9kwVs=,tag:moe3SNsZF+a5cPpW0XfMvg==,type:str]
 pgp: []
 encrypted_regex: ^(data|stringData)$
 version: 3.7.3