Initial CommitHEAD master

author: Sam Chudnick <sam@chudnick.com> 2023-06-25 09:52:36 -0400
committer: Sam Chudnick <sam@chudnick.com> 2023-06-25 09:52:36 -0400
commit: 95b73daa36b23565a8566f71f9b202d3459b685f (patch)
tree: cb17b021be70e7868d0ec235a761f0ecdc80f3f2 /data/authelia
5 files changed, 457 insertions, 0 deletions
diff --git a/data/authelia/authelia-authrequest.conf b/data/authelia/authelia-authrequest.conf
new file mode 100644
index 0000000..8d629bf
--- /dev/null
+++ b/data/authelia/authelia-authrequest.conf
@@ -0,0 +1,25 @@
+## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
+auth_request /authelia;
+## Set the $target_url variable based on the original request.
+## Comment this line if you're using nginx without the http_set_misc module.
+#set_escape_uri $target_url $scheme://$http_host$request_uri;
+## Uncomment this line if you're using NGINX without the http_set_misc module.
+set $target_url $scheme://$http_host$request_uri;
+## Save the upstream response headers from Authelia to variables.
+auth_request_set $user $upstream_http_remote_user;
+auth_request_set $groups $upstream_http_remote_groups;
+auth_request_set $name $upstream_http_remote_name;
+auth_request_set $email $upstream_http_remote_email;
+## Inject the response headers from the variables into the request made to the backend.
+proxy_set_header Remote-User $user;
+proxy_set_header Remote-Groups $groups;
+proxy_set_header Remote-Name $name;
+proxy_set_header Remote-Email $email;
+## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
+error_page 401 =302 https://auth.chudnick.com/?rd=$target_url;
diff --git a/data/authelia/authelia-location.conf b/data/authelia/authelia-location.conf
new file mode 100644
index 0000000..43504e9
--- /dev/null
+++ b/data/authelia/authelia-location.conf
@@ -0,0 +1,36 @@
+set $upstream_authelia http://127.0.0.1:9091/api/verify;
+## Virtual endpoint created by nginx to forward auth requests.
+location /authelia {
+    ## Essential Proxy Configuration
+    internal;
+    proxy_pass $upstream_authelia;
+    ## Headers
+    ## The headers starting with X-* are required.
+    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+    proxy_set_header X-Original-Method $request_method;
+    proxy_set_header X-Forwarded-Method $request_method;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $http_host;
+    proxy_set_header X-Forwarded-Uri $request_uri;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Content-Length "";
+    proxy_set_header Connection "";
+    ## Basic Proxy Configuration
+    proxy_pass_request_body off;
+    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
+    proxy_redirect http:// $scheme://;
+    proxy_http_version 1.1;
+    proxy_cache_bypass $cookie_session;
+    proxy_no_cache $cookie_session;
+    proxy_buffers 4 32k;
+    client_body_buffer_size 128k;
+    ## Advanced Proxy Configuration
+    send_timeout 5m;
+    proxy_read_timeout 240;
+    proxy_send_timeout 240;
+    proxy_connect_timeout 240;
+}
diff --git a/data/authelia/authelia.conf b/data/authelia/authelia.conf
new file mode 100644
index 0000000..5f3a573
--- /dev/null
+++ b/data/authelia/authelia.conf
@@ -0,0 +1,61 @@
+server {
+        listen 443 ssl;
+    ssl_certificate /etc/letsencrypt/live/chudnick.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/chudnick.com/privkey.pem;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+        server_name auth.chudnick.com;
+        location / {
+                ## Headers
+                proxy_set_header Host $host;
+                proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+                proxy_set_header X-Forwarded-Proto $scheme;
+                proxy_set_header X-Forwarded-Host $http_host;
+                proxy_set_header X-Forwarded-Uri $request_uri;
+                proxy_set_header X-Forwarded-Ssl on;
+                proxy_set_header X-Forwarded-For $remote_addr;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header Connection "";
+                ## Basic Proxy Configuration
+                client_body_buffer_size 128k;
+                proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+                proxy_redirect  http://  $scheme://;
+                proxy_http_version 1.1;
+                proxy_cache_bypass $cookie_session;
+                proxy_no_cache $cookie_session;
+                proxy_buffers 64 256k;
+                ## Trusted Proxies Configuration
+                real_ip_header X-Forwarded-For;
+                real_ip_recursive on;
+                ## Advanced Proxy Configuration
+                send_timeout 5m;
+                proxy_read_timeout 360;
+                proxy_send_timeout 360;
+                proxy_connect_timeout 360;
+                proxy_set_header Host $host;
+                proxy_pass http://127.0.0.1:9091;
+        }
+        location /metrics {
+                proxy_set_header Host $host;
+                proxy_pass http://127.0.0.1:9959;
+        }
+        location /api/verify {
+                proxy_pass http://127.0.0.1:9091;
+    }
+        
+}
+server {
+    listen 80;
+    listen [::]:80;
+    server_name auth.chudnick.com;
+        return 301 https://$host$request_uri;
+}
diff --git a/data/authelia/configuration.yml b/data/authelia/configuration.yml
new file mode 100644
index 0000000..c4fc923
--- /dev/null
+++ b/data/authelia/configuration.yml
@@ -0,0 +1,300 @@
+theme: dark
+default_redirection_url: https://auth.chudnick.com
+server:
+  host: 0.0.0.0
+  port: 9091
+  read_buffer_size: 10485760
+log:
+  level: info
+  keep_stdout: true
+authentication_backend:
+  password_reset:
+    disable: true
+  ldap:
+    implementation: freeipa
+    url: ldap://192.168.20.20
+    timeout: 5s
+    start_tls: false
+    base_dn: DC=home,DC=local
+    user: UID=authelia,CN=users,CN=accounts,DC=home,DC=local
+access_control:
+  default_policy: deny
+  rules:
+    - domain: auth.chudnick.com
+      policy: bypass
+    # bypass subsonic api endpoint
+    - domain: "music.chudnick.com"
+      resources: "^/rest/.*$"
+      policy: bypass
+    # bypass metrics endpoint for monitoring server
+    - domain: "music.chudnick.com"
+      resources: "^/metrics$"
+      networks:
+        - '192.168.20.32'
+      policy: bypass
+    - domain: "music.chudnick.com"
+      policy: one_factor
+    # bypass mobile client api
+    - domain: "rss.chudnick.com"
+      resources: "/api/.*$"
+      policy: bypass
+    - domain: "rss.chudnick.com"
+      resources: 
+        - "/" 
+        - "/i/.*$"
+      policy: one_factor
+    - domain: "invidious.chudnick.com"
+      policy: one_factor
+    # bypass grafana connection to prometheus
+    - domain: "monitoring.chudnick.com"
+      resources: "^/prometheus/api.*"
+      networks:
+        - '127.0.0.1'
+        - '192.168.20.32'
+      policy: bypass
+    - domain: "monitoring.chudnick.com"
+      resources: "^/prometheus.*"
+      policy: one_factor
+    # bypass metrics endpoint for monitoring server
+    - domain: "cadvisor.chudnick.com"
+      resources: "/metrics"
+      networks:
+        - '192.168.20.32'
+      policy: bypass
+    - domain: "cadvisor.chudnick.com"
+      policy: one_factor
+    - domain: "drawio.chudnick.com"
+      policy: one_factor
+    # bypass grafana connection to loki
+    - domain: "logs.chudnick.com"
+      networks:
+        - '127.0.0.1'
+        - '192.168.20.32'
+      policy: bypass
+    # bypass loki log push
+    - domain: "logs.chudnick.com"
+      resources: "/loki/api/v1/push"
+      policy: bypass
+    - domain: "logs.chudnick.com"
+      policy: one_factor
+    - domain: "dashboard.chudnick.com"
+      policy: one_factor
+    - domain: "photos.chudnick.com"
+      policy: one_factor
+    - domain: "qbittorrent.chudnick.com"
+      policy: one_factor
+    - domain: "sonarr.chudnick.com"
+      policy: one_factor
+    - domain: "radarr.chudnick.com"
+      policy: one_factor
+    - domain: "lidarr.chudnick.com"
+      policy: one_factor
+    - domain: "readarr.chudnick.com"
+      policy: one_factor
+    - domain: "prowlarr.chudnick.com"
+      policy: one_factor
+    - domain: "weather.chudnick.com"
+      policy: one_factor
+    - domain: "gpt.chudnick.com"
+      policy: one_factor
+    - domain: "tasks.chudnick.com"
+      policy: one_factor
+    - domain: "finances.chudnick.com"
+      policy: one_factor
+    - domain: "finimporter.chudnick.com"
+      policy: one_factor
+    - domain: "homeassistant.chudnick.com"
+      policy: one_factor
+    - domain: "vaultwarden.chudnick.com"
+      resources: "^/admin.*$"
+      subject: 'group:vaultwarden-admins'
+      policy: two_factor
+totp:
+  issuer: auth.chudnick.com
+  algorithm: sha1
+  digits: 6
+  period: 30
+  skew: 1
+  secret_size: 32
+session:
+  name: authelia_session
+  expiration: 3600
+  inactivity: 300
+  domain: "chudnick.com"
+  redis:
+    host: redis_authelia
+    port: 6379
+regulation:
+  max_retries: 3
+  find_time: 120
+  ban_time: 300
+storage:
+  local:
+    path: /config/db.sqlite3
+telemetry:
+  metrics:
+    enabled: true
+    address: "tcp://0.0.0.0:9959"
+    buffers: 
+      read: 4096
+      write: 4096
+    timeouts:
+      read: 2s
+      write: 2s
+      idle: 30s
+notifier:
+  disable_startup_check: false
+  smtp:
+    host: mail.chudnick.com
+    port: 465
+    timeout: 5s
+    username: authelia
+    sender: "Authelia <authelia@chudnick.com>"
+    identifier: "auth.chudnick.com"
+    subject: "[Authelia] {title}"
+    startup_check_address: "sam@chudnick.com"
+ntp: 
+  address: "netservices.home.local:123"
+identity_providers:
+  oidc:
+    clients:
+      - id: gitea
+        description: gitea
+        secret: '$plaintext${{ gitea_client_secret }}'
+        public: false
+        authorization_policy: one_factor
+        redirect_uris:
+          - https://gitea.chudnick.com/user/oauth2/authelia/callback
+        scopes:
+          - openid
+          - profile
+          - email
+          - groups
+        userinfo_signing_algorithm: none
+        pre_configured_consent_duration: 4w
+        grant_types:
+          - refresh_token
+          - authorization_code
+        response_types:
+          - code
+        response_modes:
+          - form_post
+          - query
+          - fragment
+      - id: grafana
+        description: grafana
+        secret: '$plaintext${{ grafana_client_secret }}'
+        public: false
+        authorization_policy: one_factor
+        pre_configured_consent_duration: 4w
+        redirect_uris:
+          - https://monitoring.chudnick.com/grafana/login/generic_oauth
+        scopes:
+          - openid
+          - profile
+          - groups
+          - email
+        userinfo_signing_algorithm: none
+      - id: nextcloud
+        description: NextCloud
+        secret: '$plaintext${{ nextcloud_client_secret }}'
+        public: false
+        authorization_policy: one_factor
+        pre_configured_consent_duration: 4w
+        redirect_uris:
+          - https://nextcloud.chudnick.com/apps/oidc_login/oidc
+        scopes:
+          - openid
+          - profile
+          - email
+          - groups
+        userinfo_signing_algorithm: none
+      - id: jenkins
+        description: Jenkins
+        secret: '$plaintext${{ jenkins_client_secret }}'
+        public: false
+        authorization_policy: one_factor
+        pre_configured_consent_duration: 4w
+        redirect_uris:
+          - https://jenkins.chudnick.com/securityRealm/finishLogin
+        scopes:
+          - openid
+          - profile
+          - email
+          - groups
+          - offline_access
+        userinfo_signing_algorithm: none
+      - id: jellyfin
+        description: jellyfin
+        secret: '$plaintext${{ jellyfin_client_secret }}'
+        public: false
+        authorization_policy: one_factor
+        pre_configured_consent_duration: 4w
+        redirect_uris:
+          - https://jellyfin.chudnick.com/sso/OID/r/authelia
+        scopes:
+          - openid
+          - groups
+          - profile
+        userinfo_signing_algorithm: none
+          
+      - id: bookstack
+        description: bookstack
+        secret: '$plaintext${{ bookstack_client_secret }}'
+        public: false
+        authorization_policy: one_factor
+        pre_configured_consent_duration: 4w
+        redirect_uris:
+          - https://wiki.chudnick.com/oidc/callback
+        scopes:
+          - openid
+          - groups
+          - profile
+          - email
+        userinfo_signing_algorithm: none
diff --git a/data/authelia/proxy.conf b/data/authelia/proxy.conf
new file mode 100644
index 0000000..4098bb2
--- /dev/null
+++ b/data/authelia/proxy.conf
@@ -0,0 +1,35 @@
+## Headers
+proxy_set_header Host $host;
+proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $http_host;
+proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header Connection "";
+## Basic Proxy Configuration
+client_body_buffer_size 128k;
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
+proxy_redirect  http://  $scheme://;
+proxy_http_version 1.1;
+proxy_cache_bypass $cookie_session;
+proxy_no_cache $cookie_session;
+proxy_buffers 64 256k;
+## Trusted Proxies Configuration
+## Please read the following documentation before configuring this:
+##     https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
+# set_real_ip_from 10.0.0.0/8;
+# set_real_ip_from 172.16.0.0/12;
+# set_real_ip_from 192.168.0.0/16;
+# set_real_ip_from fc00::/7;
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
+## Advanced Proxy Configuration
+send_timeout 5m;
+proxy_read_timeout 360;
+proxy_send_timeout 360;
+proxy_connect_timeout 360;
author	Sam Chudnick <sam@chudnick.com>	2023-06-25 09:52:36 -0400
committer	Sam Chudnick <sam@chudnick.com>	2023-06-25 09:52:36 -0400
commit	95b73daa36b23565a8566f71f9b202d3459b685f (patch)
tree	cb17b021be70e7868d0ec235a761f0ecdc80f3f2 /data/authelia

diff --git a/data/authelia/authelia-authrequest.conf b/data/authelia/authelia-authrequest.conf new file mode 100644 index 0000000..8d629bf --- /dev/null +++ b/data/authelia/authelia-authrequest.conf
@@ -0,0 +1,25 @@
	1	## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
	2	auth_request /authelia;
	3
	4	## Set the $target_url variable based on the original request.
	5
	6	## Comment this line if you're using nginx without the http_set_misc module.
	7	#set_escape_uri $target_url $scheme://$http_host$request_uri;
	8
	9	## Uncomment this line if you're using NGINX without the http_set_misc module.
	10	set $target_url $scheme://$http_host$request_uri;
	11
	12	## Save the upstream response headers from Authelia to variables.
	13	auth_request_set $user $upstream_http_remote_user;
	14	auth_request_set $groups $upstream_http_remote_groups;
	15	auth_request_set $name $upstream_http_remote_name;
	16	auth_request_set $email $upstream_http_remote_email;
	17
	18	## Inject the response headers from the variables into the request made to the backend.
	19	proxy_set_header Remote-User $user;
	20	proxy_set_header Remote-Groups $groups;
	21	proxy_set_header Remote-Name $name;
	22	proxy_set_header Remote-Email $email;
	23
	24	## If the subreqest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
	25	error_page 401 =302 https://auth.chudnick.com/?rd=$target_url;


diff --git a/data/authelia/authelia-location.conf b/data/authelia/authelia-location.conf new file mode 100644 index 0000000..43504e9 --- /dev/null +++ b/data/authelia/authelia-location.conf
@@ -0,0 +1,36 @@
	1	set $upstream_authelia http://127.0.0.1:9091/api/verify;
	2
	3	## Virtual endpoint created by nginx to forward auth requests.
	4	location /authelia {
	5	## Essential Proxy Configuration
	6	internal;
	7	proxy_pass $upstream_authelia;
	8
	9	## Headers
	10	## The headers starting with X-* are required.
	11	proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
	12	proxy_set_header X-Original-Method $request_method;
	13	proxy_set_header X-Forwarded-Method $request_method;
	14	proxy_set_header X-Forwarded-Proto $scheme;
	15	proxy_set_header X-Forwarded-Host $http_host;
	16	proxy_set_header X-Forwarded-Uri $request_uri;
	17	proxy_set_header X-Forwarded-For $remote_addr;
	18	proxy_set_header Content-Length "";
	19	proxy_set_header Connection "";
	20
	21	## Basic Proxy Configuration
	22	proxy_pass_request_body off;
	23	proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
	24	proxy_redirect http:// $scheme://;
	25	proxy_http_version 1.1;
	26	proxy_cache_bypass $cookie_session;
	27	proxy_no_cache $cookie_session;
	28	proxy_buffers 4 32k;
	29	client_body_buffer_size 128k;
	30
	31	## Advanced Proxy Configuration
	32	send_timeout 5m;
	33	proxy_read_timeout 240;
	34	proxy_send_timeout 240;
	35	proxy_connect_timeout 240;
	36	}


diff --git a/data/authelia/authelia.conf b/data/authelia/authelia.conf new file mode 100644 index 0000000..5f3a573 --- /dev/null +++ b/data/authelia/authelia.conf
@@ -0,0 +1,61 @@
	1	server {
	2	listen 443 ssl;
	3	ssl_certificate /etc/letsencrypt/live/chudnick.com/fullchain.pem;
	4	ssl_certificate_key /etc/letsencrypt/live/chudnick.com/privkey.pem;
	5	ssl_stapling on;
	6	ssl_stapling_verify on;
	7
	8	server_name auth.chudnick.com;
	9
	10	location / {
	11	## Headers
	12	proxy_set_header Host $host;
	13	proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
	14	proxy_set_header X-Forwarded-Proto $scheme;
	15	proxy_set_header X-Forwarded-Host $http_host;
	16	proxy_set_header X-Forwarded-Uri $request_uri;
	17	proxy_set_header X-Forwarded-Ssl on;
	18	proxy_set_header X-Forwarded-For $remote_addr;
	19	proxy_set_header X-Real-IP $remote_addr;
	20	proxy_set_header Connection "";
	21
	22	## Basic Proxy Configuration
	23	client_body_buffer_size 128k;
	24	proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
	25	proxy_redirect http:// $scheme://;
	26	proxy_http_version 1.1;
	27	proxy_cache_bypass $cookie_session;
	28	proxy_no_cache $cookie_session;
	29	proxy_buffers 64 256k;
	30
	31	## Trusted Proxies Configuration
	32	real_ip_header X-Forwarded-For;
	33	real_ip_recursive on;
	34
	35	## Advanced Proxy Configuration
	36	send_timeout 5m;
	37	proxy_read_timeout 360;
	38	proxy_send_timeout 360;
	39	proxy_connect_timeout 360;
	40	proxy_set_header Host $host;
	41	proxy_pass http://127.0.0.1:9091;
	42	}
	43
	44	location /metrics {
	45	proxy_set_header Host $host;
	46	proxy_pass http://127.0.0.1:9959;
	47	}
	48
	49	location /api/verify {
	50	proxy_pass http://127.0.0.1:9091;
	51	}
	52
	53	}
	54
	55	server {
	56	listen 80;
	57	listen [::]:80;
	58	server_name auth.chudnick.com;
	59	return 301 https://$host$request_uri;
	60	}
	61


diff --git a/data/authelia/configuration.yml b/data/authelia/configuration.yml new file mode 100644 index 0000000..c4fc923 --- /dev/null +++ b/data/authelia/configuration.yml
@@ -0,0 +1,300 @@
	1	theme: dark
	2	default_redirection_url: https://auth.chudnick.com
	3
	4	server:
	5	host: 0.0.0.0
	6	port: 9091
	7	read_buffer_size: 10485760
	8
	9	log:
	10	level: info
	11	keep_stdout: true
	12
	13	authentication_backend:
	14	password_reset:
	15	disable: true
	16	ldap:
	17	implementation: freeipa
	18	url: ldap://192.168.20.20
	19	timeout: 5s
	20	start_tls: false
	21	base_dn: DC=home,DC=local
	22	user: UID=authelia,CN=users,CN=accounts,DC=home,DC=local
	23
	24	access_control:
	25	default_policy: deny
	26	rules:
	27	- domain: auth.chudnick.com
	28	policy: bypass
	29
	30	# bypass subsonic api endpoint
	31	- domain: "music.chudnick.com"
	32	resources: "^/rest/.*$"
	33	policy: bypass
	34
	35	# bypass metrics endpoint for monitoring server
	36	- domain: "music.chudnick.com"
	37	resources: "^/metrics$"
	38	networks:
	39	- '192.168.20.32'
	40	policy: bypass
	41
	42	- domain: "music.chudnick.com"
	43	policy: one_factor
	44
	45	# bypass mobile client api
	46	- domain: "rss.chudnick.com"
	47	resources: "/api/.*$"
	48	policy: bypass
	49
	50	- domain: "rss.chudnick.com"
	51	resources:
	52	- "/"
	53	- "/i/.*$"
	54	policy: one_factor
	55
	56	- domain: "invidious.chudnick.com"
	57	policy: one_factor
	58
	59	# bypass grafana connection to prometheus
	60	- domain: "monitoring.chudnick.com"
	61	resources: "^/prometheus/api.*"
	62	networks:
	63	- '127.0.0.1'
	64	- '192.168.20.32'
	65	policy: bypass
	66
	67	- domain: "monitoring.chudnick.com"
	68	resources: "^/prometheus.*"
	69	policy: one_factor
	70
	71	# bypass metrics endpoint for monitoring server
	72	- domain: "cadvisor.chudnick.com"
	73	resources: "/metrics"
	74	networks:
	75	- '192.168.20.32'
	76	policy: bypass
	77
	78	- domain: "cadvisor.chudnick.com"
	79	policy: one_factor
	80
	81	- domain: "drawio.chudnick.com"
	82	policy: one_factor
	83
	84	# bypass grafana connection to loki
	85	- domain: "logs.chudnick.com"
	86	networks:
	87	- '127.0.0.1'
	88	- '192.168.20.32'
	89	policy: bypass
	90
	91	# bypass loki log push
	92	- domain: "logs.chudnick.com"
	93	resources: "/loki/api/v1/push"
	94	policy: bypass
	95
	96	- domain: "logs.chudnick.com"
	97	policy: one_factor
	98
	99	- domain: "dashboard.chudnick.com"
	100	policy: one_factor
	101
	102	- domain: "photos.chudnick.com"
	103	policy: one_factor
	104
	105	- domain: "qbittorrent.chudnick.com"
	106	policy: one_factor
	107
	108	- domain: "sonarr.chudnick.com"
	109	policy: one_factor
	110
	111	- domain: "radarr.chudnick.com"
	112	policy: one_factor
	113
	114	- domain: "lidarr.chudnick.com"
	115	policy: one_factor
	116
	117	- domain: "readarr.chudnick.com"
	118	policy: one_factor
	119
	120	- domain: "prowlarr.chudnick.com"
	121	policy: one_factor
	122
	123	- domain: "weather.chudnick.com"
	124	policy: one_factor
	125
	126	- domain: "gpt.chudnick.com"
	127	policy: one_factor
	128
	129	- domain: "tasks.chudnick.com"
	130	policy: one_factor
	131
	132	- domain: "finances.chudnick.com"
	133	policy: one_factor
	134
	135	- domain: "finimporter.chudnick.com"
	136	policy: one_factor
	137
	138	- domain: "homeassistant.chudnick.com"
	139	policy: one_factor
	140
	141	- domain: "vaultwarden.chudnick.com"
	142	resources: "^/admin.*$"
	143	subject: 'group:vaultwarden-admins'
	144	policy: two_factor
	145
	146	totp:
	147	issuer: auth.chudnick.com
	148	algorithm: sha1
	149	digits: 6
	150	period: 30
	151	skew: 1
	152	secret_size: 32
	153
	154	session:
	155	name: authelia_session
	156	expiration: 3600
	157	inactivity: 300
	158	domain: "chudnick.com"
	159
	160	redis:
	161	host: redis_authelia
	162	port: 6379
	163
	164	regulation:
	165	max_retries: 3
	166	find_time: 120
	167	ban_time: 300
	168
	169	storage:
	170	local:
	171	path: /config/db.sqlite3
	172
	173	telemetry:
	174	metrics:
	175	enabled: true
	176	address: "tcp://0.0.0.0:9959"
	177	buffers:
	178	read: 4096
	179	write: 4096
	180	timeouts:
	181	read: 2s
	182	write: 2s
	183	idle: 30s
	184
	185	notifier:
	186	disable_startup_check: false
	187	smtp:
	188	host: mail.chudnick.com
	189	port: 465
	190	timeout: 5s
	191	username: authelia
	192	sender: "Authelia <authelia@chudnick.com>"
	193	identifier: "auth.chudnick.com"
	194	subject: "[Authelia] {title}"
	195	startup_check_address: "sam@chudnick.com"
	196
	197	ntp:
	198	address: "netservices.home.local:123"
	199
	200	identity_providers:
	201	oidc:
	202	clients:
	203	- id: gitea
	204	description: gitea
	205	secret: '$plaintext${{ gitea_client_secret }}'
	206	public: false
	207	authorization_policy: one_factor
	208	redirect_uris:
	209	- https://gitea.chudnick.com/user/oauth2/authelia/callback
	210	scopes:
	211	- openid
	212	- profile
	213	- email
	214	- groups
	215	userinfo_signing_algorithm: none
	216	pre_configured_consent_duration: 4w
	217	grant_types:
	218	- refresh_token
	219	- authorization_code
	220	response_types:
	221	- code
	222	response_modes:
	223	- form_post
	224	- query
	225	- fragment
	226
	227	- id: grafana
	228	description: grafana
	229	secret: '$plaintext${{ grafana_client_secret }}'
	230	public: false
	231	authorization_policy: one_factor
	232	pre_configured_consent_duration: 4w
	233	redirect_uris:
	234	- https://monitoring.chudnick.com/grafana/login/generic_oauth
	235	scopes:
	236	- openid
	237	- profile
	238	- groups
	239	- email
	240	userinfo_signing_algorithm: none
	241
	242	- id: nextcloud
	243	description: NextCloud
	244	secret: '$plaintext${{ nextcloud_client_secret }}'
	245	public: false
	246	authorization_policy: one_factor
	247	pre_configured_consent_duration: 4w
	248	redirect_uris:
	249	- https://nextcloud.chudnick.com/apps/oidc_login/oidc
	250	scopes:
	251	- openid
	252	- profile
	253	- email
	254	- groups
	255	userinfo_signing_algorithm: none
	256
	257	- id: jenkins
	258	description: Jenkins
	259	secret: '$plaintext${{ jenkins_client_secret }}'
	260	public: false
	261	authorization_policy: one_factor
	262	pre_configured_consent_duration: 4w
	263	redirect_uris:
	264	- https://jenkins.chudnick.com/securityRealm/finishLogin
	265	scopes:
	266	- openid
	267	- profile
	268	- email
	269	- groups
	270	- offline_access
	271	userinfo_signing_algorithm: none
	272
	273	- id: jellyfin
	274	description: jellyfin
	275	secret: '$plaintext${{ jellyfin_client_secret }}'
	276	public: false
	277	authorization_policy: one_factor
	278	pre_configured_consent_duration: 4w
	279	redirect_uris:
	280	- https://jellyfin.chudnick.com/sso/OID/r/authelia
	281	scopes:
	282	- openid
	283	- groups
	284	- profile
	285	userinfo_signing_algorithm: none
	286
	287	- id: bookstack
	288	description: bookstack
	289	secret: '$plaintext${{ bookstack_client_secret }}'
	290	public: false
	291	authorization_policy: one_factor
	292	pre_configured_consent_duration: 4w
	293	redirect_uris:
	294	- https://wiki.chudnick.com/oidc/callback
	295	scopes:
	296	- openid
	297	- groups
	298	- profile
	299	- email
	300	userinfo_signing_algorithm: none


diff --git a/data/authelia/proxy.conf b/data/authelia/proxy.conf new file mode 100644 index 0000000..4098bb2 --- /dev/null +++ b/data/authelia/proxy.conf
@@ -0,0 +1,35 @@
	1	## Headers
	2	proxy_set_header Host $host;
	3	proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
	4	proxy_set_header X-Forwarded-Proto $scheme;
	5	proxy_set_header X-Forwarded-Host $http_host;
	6	proxy_set_header X-Forwarded-Uri $request_uri;
	7	proxy_set_header X-Forwarded-Ssl on;
	8	proxy_set_header X-Forwarded-For $remote_addr;
	9	proxy_set_header X-Real-IP $remote_addr;
	10	proxy_set_header Connection "";
	11
	12	## Basic Proxy Configuration
	13	client_body_buffer_size 128k;
	14	proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
	15	proxy_redirect http:// $scheme://;
	16	proxy_http_version 1.1;
	17	proxy_cache_bypass $cookie_session;
	18	proxy_no_cache $cookie_session;
	19	proxy_buffers 64 256k;
	20
	21	## Trusted Proxies Configuration
	22	## Please read the following documentation before configuring this:
	23	## https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
	24	# set_real_ip_from 10.0.0.0/8;
	25	# set_real_ip_from 172.16.0.0/12;
	26	# set_real_ip_from 192.168.0.0/16;
	27	# set_real_ip_from fc00::/7;
	28	real_ip_header X-Forwarded-For;
	29	real_ip_recursive on;
	30
	31	## Advanced Proxy Configuration
	32	send_timeout 5m;
	33	proxy_read_timeout 360;
	34	proxy_send_timeout 360;
	35	proxy_connect_timeout 360;