docs(authelia): authelia guide updates (#29702)

**Description**
Updates authelia guides with yaml

⚒️ Fixes  # 

**⚙️ Type of change**

- [ ] ⚙️ Feature/App addition
- [ ] 🪛 Bugfix
- [ ] ⚠️ Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] 🔃 Refactor of current code

**🧪 How Has This Been Tested?**

**📃 Notes:**

**✔️ Checklist:**

- [ ] ⚖️ My code follows the style guidelines of this project
- [ ] 👀 I have performed a self-review of my own code
- [ ] #️⃣ I have commented my code, particularly in hard-to-understand
areas
- [ ] 📄 I have made corresponding changes to the documentation
- [ ] ⚠️ My changes generate no new warnings
- [ ] 🧪 I have added tests to this description that prove my fix is
effective or that my feature works
- [ ] ⬆️ I increased versions for any altered app according to semantic
versioning
- [ ] I made sure the title starts with `feat(chart-name):`,
`fix(chart-name):` or `chore(chart-name):`

** App addition**

If this PR is an app addition please make sure you have done the
following.

- [ ] 🖼️ I have added an icon in the Chart's root directory called
`icon.png`

---

_Please don't blindly check all the boxes. Read them and only check
those that apply.
Those checkboxes are there for the reviewer to see what is this all
about and
the status of this PR with a quick glance._
This commit is contained in:
kqmaverick
2024-11-26 07:37:04 -07:00
committed by GitHub
parent afa869fdb6
commit fd338bec5c
4 changed files with 183 additions and 252 deletions
+106 -76
View File
@@ -2,113 +2,143 @@
title: Authelia + LLDAP + Traefik ForwardAuth Setup guide
---
This quick guide should take you through the steps necessary to setup `Authelia` as your `forwardAuth` for `Traefik`. We'll be using `LLDAP` as the backend for `Authelia` since it's lightweight and simple enough for most users. A more complete video is available on our YouTube Channel.
## Prerequisites
- Traefik installed (enable the `premium train`)
- Clusterissuer for certificates
- CloudnativePG operator (enable the `system train`)
This quick guide should take you through the steps necessary to setup `Authelia` as your `forwardAuth` for `Traefik`. We'll be using `LLDAP` as the backend for `Authelia` since it's lightweight and simple enough for most users.
## Setup LLDAP
:::caution
LLDAP is a `Stable` train chart and therefore isn't supported at the same level as the charts in the `premium` train (Authelia and Traefik).
LLDAP is a `stable` train chart and therefore isn't supported at the same level as the charts in the `premium` train (Authelia and Traefik).
:::
- Follow the easy steps included in the [Installation Notes](/charts/stable/lldap/installation-notes) for [LLDAP](/charts/stable/lldap/). Change `dc=example,dc=com` to your domain, i.e. `dc=MYDOMAIN,dc=net` and then change your password. Also, make sure you have the `system` train enabled and `CloudnativePG` operator installed, since you'll need it for `LLDAP` and `Authelia`.
- Follow the easy steps included in the [Installation Notes](/charts/stable/lldap/installation-notes) for [LLDAP](/charts/stable/lldap/). Change `dc=example,dc=com` to your domain, i.e. `dc=MYDOMAIN,dc=net` and then change your password.
![LLDAP Config](./img/LLDAPCatalogConfig.png)
- Once in `LLDAP`, create a user inside the `lldap_password_manager` group and change your default `admin` password. That `lldap_password_manager` user will be used to bind to `Authelia`. Here I've created a user called `manager`, but you can use anything
- Ensure you've set the services to `ClusterIP` since you'll be using ingress
- Once in `LLDAP`, create a user inside the `lldap_password_manager` group and change your default `admin` password. That `lldap_password_manager` user will be used to bind to `Authelia`. Here I've created a user called `Steven`, but you can use anything
- Create an `admin` group and add `Steven` to it. We will allow users of this group to access the site with Authelia later in the guide.
- Create an `admin` group and add `User` to it. We will allow users of this group to access the site with Authelia later in the guide.
## Setup Authelia
- The setup for Authelia is very specific and the logs won't tell you where you've messed up, but there's precise steps used to integrate `LLDAP` into `Authelia`. The info comes from the [LLDAP Authelia Docs](/charts/stable/lldap/authelia) and the upstream repo.
- The setup for Authelia is very specific and the logs won't tell you where you've messed up, but there's precise steps used to integrate `LLDAP` into `Authelia`.
### App Configuration
- Domain: `mydomain.com` - Your domain without https://
- Default Redirection URL: `https://auth.mydomain.com` - Can be anything, but we'll stick to auth.mydomain.com. As well, this will be the ingress URL for `Authelia`.
### LDAP Backend Configuration
Click `Enable` then ensure everything is as below or you won't be able to connect to the LLDAP backend:
- Implementation: `Custom` (that's the default)
- URL: `ldap://lldap-ldap.ix-lldap.svc.cluster.local:3890`
- Connection Timeout: 5s
- Start TLS: (Not necessary)
- TLS Settings: (Not necessary)
- Server Name: Leave blank
- Skip Certificate Verification: Leave unchecked
- Minimum TLS version: `TLS1.2`
- Base DN: `DC=mydomain,DC=com`
- Username Attribute: `uid`
- Additional Users DN: `ou=people`
- Users Filter: `(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))`
- Additional Groups DN: `ou=groups`
- Groups Filter: `(member={dn})`
- Group name Attribute:`cn`
- Mail Attribute:`mail`
- Display Name Attribute:`displayName`
- Admin User: `uid=Steven,ou=people,dc=mydomain,dc=com` - Notice the uid=Steven, most of the time people use admin and a generated password
- Password: `RANDOMPASSWORD`
#### SMTP Configuration
Check your mail provider for this, generally Gmail gives you an app specific password for your email account and uses `smtp.gmail.com` and port `587`.
### Access Control Configuration
This section is to set rules to connect to `Authelia` and defines which users can go where. This is a basic general rule where users of the `admin` group (Steven) can access all of the site using a wildcard.
Set the default `deny`. Then click `Add` next to `Rules` to get the screen below.
![AutheliaAccessControl](./img/AutheliaAccessControl.png)
- Add your `Domain` and a `Wildcard` for your subdomains
- Set policy to `one_factor` or `two_factor`, up to you
- Click `Add Subject` and add a subject of `group:admin` since `Steven` is part of that group.
```yaml
// values.yaml
# your domain
domain: example.com
# autehlia ingress url
default_redirection_url: https://auth.example.com
authentication_backend:
# lldap setup
ldap:
enabled: true
implementation: custom
# if name is not lldap update as needed
url: ldap://lldap-ldap.lldap.svc.cluster.local:3890
# replace with your domain
base_dn: DC=example,DC=com
username_attribute: uid
additional_users_dn: ou=people
users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
additional_groups_dn: ou=groups
groups_filter: (member={dn})
group_name_attribute: cn
mail_attribute: mail
display_name_attribute: displayName
# user with lldap_password_manager group
user: uid=manager,ou=people,dc=example,dc=com
# above user password in plain text
plain_password: somepassword
file:
enabled: false
notifier:
# smtp setup (example is gmail)
smtp:
enabled: true
host: smtp.gmail.com
port: 587
# gmail email address (username)
username: email@gmail.com
# use a google app password if using gmail
plain_password: somepassword
# email address to show as sender
sender: no-reply@example.com
filesystem:
enabled: false
access_control:
rules:
# basic rule for one factor (username/password) login for users in the lldap_admin group
- domain:
- "*.example.com"
- example.com
policy: one_factor
subject: "group:lldap_admin"
```
Please see [Authelia Rules](./authelia-rules) for more advanced rules.
#### Setup Authelia Ingress
### Setup Authelia Ingress
- Make sure you're using the same domain as the `Default Redirection URL` above, so for me that's `auth.mydomain.com`
![AutheliaIngress](./img/AutheliaIngress.png)
```yaml
// values.yaml
ingress:
main:
enabled: true
integrations:
traefik:
enabled: true
certManager:
enabled: true
certificateIssuer: domain-0-le-prod
hosts:
- host: auth.example.com
```
## Traefik ForwardAuth Setup
- This part is straight forward as long as you have a working `Traefik` install, please see our [How-To](/charts/premium/traefik/how-to) if you need more info on getting that running.
- Scroll down to `forwardAuth` and click `Add`
- The following is added to `Traefik` `values.yaml`,
![TraefikForwardAuth](./img/TraefikForwardAuth.png)
- Name your `forwardauth` something you'll remember, since that's the middleware you'll add to your ingress going forward. Most people use `auth`
- Address: `http://authelia.ix-authelia.svc.cluster.local:9091/api/verify?rd=https://auth.mydomain.com/` and replace the last part based on `mydomain.com`, and if you've changed ports/names you can get that from [`HeavyScript`](/
- Check `trustForwardHeader`
- Add the following `authResponseHeaders` (press `Add` 4 times)
- `Remote-User`
- `Remote-Groups`
- `Remote-Name`
- `Remote-Email`
```yaml
// values.yaml
middlewares:
forwardAuth:
- name: auth
address: http://authelia.authelia.svc.cluster.local:9091/api/verify?rd=https://auth.example.com/
authResponseHeaders:
- Remote-User
- Remote-Group
- Remote-Name
- Remote-Email
trustForwardHeader: true
```
### Adding the forwardauth to your Apps
The last step is adding the `forwardauth` along with the standard `ingress` settings for your app, for more info on setting ingress see the [ClusterIssuer Guide](/charts/premium/clusterissuer/how-to). What changes versus a standard setup is the `Traefik Middlewares` section, where you must add your `forwardauth` to the section.
The last step is adding the `forwardauth` along with the standard `ingress` settings for your app, for more info on setting ingress see the [ClusterIssuer Guide](/charts/premium/clusterissuer/how-to).
- In this example we use the same name as above, or `auth`. Click `Add` to the `Traefik Middlewares` section, and enter your `forwardauth` name.
- In this example we use the same name as above, or `auth`.
![TraefikForwardAuthMiddleware](./img/TraefikForwardAuthMiddleware.png)
```yaml
// values.yaml
ingress:
main:
enabled: true
integrations:
traefik:
enabled: true
middlewares:
- name: auth
namespace: traefik
certManager:
enabled: true
certificateIssuer: domain-0-le-prod
hosts:
- host: radarr.example.com
```
### References
+46 -99
View File
@@ -26,116 +26,63 @@ Members of the `user` group will only have access to a select set of apps you ch
This rule will bypass Authelia for API level access in most apps. This should always be your first rule.
Domain: `*.domain.tld`
Policy: `bypass`
Subject: `Not Used (Do Not Add)`
Networks: `Not Used (Do Not Add)`
Resources:
- `^/api([/?].*)?$`
- `^/identity.*$`
- `^/triggers.*$`
- `^/meshagents.*$`
- `^/meshsettings.*$`
- `^/agent.*$`
- `^/control.*$`
- `^/meshrelay.*$`
- `^/wl.*$`
![authelia-api](./img/authelia-api.png)
```yaml
// values.yaml
- domain: "*.example.com"
policy: bypass
resources:
- "^/api([/?].*)?$"
- "^/api([/?].*)?$"
- "^/identity.*$"
- "^/triggers.*$"
- "^/meshagents.*$"
- "^/meshsettings.*$"
- "^/agent.*$"
- "^/control.*$"
- "^/meshrelay.*$"
- "^/wl.*$"
```
## Vaultwarden
These rules will protect the Vaultwarden admin page with Authelia but bypass when accessing the web vault. The order of these rules is critical or the admin page will not be protected.
This rule will allow users of the `admin` group to access the Vaultwarden admin page and bypass Authelia when accessing the webportal as auth is already provided by vaultwarden.
### Rule 1
This rule will allow users of the `admin` group to access the Vaultwarden admin page.
Domain: `vaultwarden.domain.tld`
Policy: `two_factor`
Subject: `group:admin`
Networks: `Not Used (Do Not Add)`
Resources: `^*/admin.*$`
![authelia-vw1](./img/authelia-vw1.png)
### Rule 2
This rule will prevent users not in the `admin` group to access the Vaultwarden admin page.
This is necessary even if the your default policy is set to `deny` because of the `bypass` rule below.
Domain: `vaultwarden.domain.tld`
Policy: `deny`
Subject: `Not Used (Do Not Add)`
Networks: `Not Used (Do Not Add)`
Resources: `^*/admin.*$`
![authelia-vw1](./img/authelia-vw2.png)
### Rule 3
This rule will bypass Authelia when accessing the webportal as auth is already provided by vaultwarden.
Domain: `vaultwarden.domain.tld`
Policy: `bypass`
Subject: `Not Used (Do Not Add)`
Networks: `Not Used (Do Not Add)`
Resources: `Not Used (Do Not Add)`
![authelia-vw2](./img/authelia-vw3.png)
```yaml
// values.yaml
- domain: "vaultwarden.example.com"
policy: two_factor
subject: group:admin
resources: "^*/admin.*$"
- domain: "vaultwarden.example.com"
policy: deny
resources: "^*/admin.*$"
- domain: "vaultwarden.example.com"
policy: bypass
```
## User Rule
This rule will allow users in the `user` group access to only the specified applications.
Domain:
- `jellyfin.domain.tld`
- `nextcloud.domain.tld`
- `whateveryouwant.domain.tld`
Policy: `two_factor`
Subject: `group:user`
Networks: `Not Used (Do Not Add)`
Resources: `Not Used (Do Not Add)`
![authelia-user](./img/authelia-user.png)
```yaml
// values.yaml
- domain:
- "jellyfin.example.com"
- "nextcloud.example.com"
- "whateveryouwant.example.com"
policy: two_factor
subject: group:user
```
## Catch All Rule
This rule will give access to everything to users of the `admin` group.
Domain:
- `domain.tld`
- `*.domain.tld`
Policy: `two_factor`
Subject: `group:admin`
Networks: `Not Used (Do Not Add)`
Resources: `Not Used (Do Not Add)`
![authelia-catch](./img/authelia-catch.png)
```yaml
// values.yaml
- domain:
- "example.com"
- "*.example.com"
policy: two_factor
subject: group:admin
```
-58
View File
@@ -1,58 +0,0 @@
---
title: Authelia Setup
---
Authelia which is available in the premium train can act as the authentication provider for your apps and services either through OAuth or forward authentication. LLDAP can be used to manage your Authelia users and groups. To enable this as an option follow the steps outlined below. References to the specific questions as they appear in the TrueNAS SCALE UI are included in the guide and highlighted along with the answers you should use. Authelia is the recommended authentication provider for TrueCharts however you can use any other provider you wish for Authentik is available in the Stable train.
This guide has been written as LLDAP has specific requirements for the LDAP setup of Authelia. If you are using another LDAP provider you will need to follow the setup instructions for that provider.
> **Disclaimer:** This guide only covers the LDAP setup of Authelia. Refer to other guides for the remaining setup of Authelia.
## Setup instructions
1. Tick the box for `LDAP backend configuration` a further set of questions will then appear.
2. The dropdown `Implementation` should be set as `custom`
3. URL should be set to internally link back to your LLDAP instance for the default configuration it should look something like this, `ldap://lldap-ldap.ix-lldap.svc.cluster.local:3890`. This will need to be adapted if you have named LLDAP differently or used a different port for LDAP.
4. Next, set the `Base DN`. This is one of the configurable options you set when installing LLDAP, which by default is `dc=example,dc=com` and should be adapted to your domain if set.
5. The `Username Attribute` should be set to `uid`.
6. The `Additional Users DN` should be set to `ou=people`, as this is where all your users are stored.
7. The users filter can be set to one of two options depending on whether you want to allow sign-in with a username or both username and email. Both options are outlined below.
**Username only**
```shell
(&({username_attribute}={input})(objectClass=person))
```
**Username and email**
```shell
(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
```
8. The next option that needs setting is `Additional Groups DN`. It must be set to `ou=groups`, as this is where all your groups are stored.
9. LLDAP only supports only one filter, which should be set in `Groups Filter` and set to `(member={dn})`.
10. The `Group name Attribute` should be set to `cn`.
11. The `Mail Attribute` should simply be set to `mail`.
12. The `Display Name Attribute` should be set to `displayName`. This is the attribute that Authelia will use to greet users when they log in.
13. `Admin user` is the default admin user used when setting up LLDAP initially and is auto-generated for you. The entry you input into this box should look something like the one below. Change `dc=example,dc=com` to match the `Base DN` you set earlier.
**Admin user**
```shell
uid=admin,ou=people,dc=example,dc=com
```
14. Enter the admin user password into the `Password` field. As stated earlier, **DO NOT** use the default password.
## References
The origin material for this guide is available on the [LLDAP Github](https://github.com/lldap/lldap). While further information on Authelia can be found on their [Github](https://github.com/authelia/authelia) and [website](https://www.authelia.com/).
## Support
If you have any issues with following this guide, we can be reached using [Discord](https://discord.gg/tVsPTHWTtr) for real-time feedback and support.
---
All Rights Reserved - The TrueCharts Project
+31 -19
View File
@@ -6,25 +6,37 @@ title: Installation notes
LLDAP is configured using the default options generated by the application on first run. The exception to this is the 'Base DN for LDAP' option which has been exposed to the user.
By default, LLDAP will use the following options:
- Base DN for LDAP: `dc=example,dc=org`
- Ldap User DN: `admin`
- Ldap User Email: `admin@admin.com`
- Ldap User Password: `password`
- Public URL:`<https://lldap.example.com>`
- LDAP port: `3890`
- JWT secret: random (generated on first run)
- Show SMTP Settings
- Enable Password Reset: false
- SMTP Server Url: smtp.gmail.com
- SMTP Server Port: 587
- SMTP Encryption: STARTTLS
- SMTP User: email
- SMTP Password: password | app password
- SMTP From: LLDAP Admin `<sender@gmail.com>`
- SMTP Reply To: Do not reply `<noreply@localhost>`
```yaml
// values.yaml
workload:
main:
podSpec:
containers:
main:
env:
# replace with your domain
LLDAP_LDAP_BASE_DN: "dc=example,dc=com"
# initial lldap admin account
LLDAP_LDAP_USER_DN: admin
# initial lldap admin email
LLDAP_LDAP_USER_EMAIL: email@gmail.com
# above user password in plain text
LLDAP_LDAP_USER_PASS: somepassword
# allow password reset using email
LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_RESET: true
# smtp setup (example is gmail)
LLDAP_SMTP_OPTIONS__SERVER: smtp.gmail.com
LLDAP_SMTP_OPTIONS__PORT: 587
LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION: "STARTTLS"
# gmail email address (username)
LLDAP_SMTP_OPTIONS__USER: email@gmail.com
# use a google app password if using gmail
LLDAP_SMTP_OPTIONS__PASSWORD: somepassword
# email address to show as sender
LLDAP_SMTP_OPTIONS__FROM: "LLDAP Admin <no-reply@example.com>"
# email address to show as reply address
LLDAP_SMTP_OPTIONS__REPLY_TO: "Do not reply <no-reply@example.com>"
```
## Usage