Merge pull request #2 from Pandaura/dev-authelia

Starting Authelia integration

menu/shield/authelia.sh

@@ -0,0 +1,177 @@
+#!/bin/bash
+#
+# Title:      Traefikv2 with Authelia over Cloudflare
+# OS Branch:  ubuntu,debian,rasbian
+# Author(s):  mrdoob
+# Editor:     Hawks
+# GNU:        General Public License v3.0
+################################################################################
+# shellcheck disable=SC2003
+# shellcheck disable=SC2006
+# shellcheck disable=SC2207
+# shellcheck disable=SC2012
+# shellcheck disable=SC2086
+# shellcheck disable=SC2196
+# shellcheck disable=SC2046
+#FUNCTIONS
+
+########## FUNCTIONS START
+
+displayname() {
+basefolder="/opt/appdata"
+tee <<-EOF
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+🚀 Authelia Username
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+EOF
+   read -erp "Enter your username for Authelia (eg. John Doe): " DISPLAYNAME
+
+if [[ $DISPLAYNAME != "" ]];then
+   if [[ $(uname) == "Darwin" ]];then
+      sed -i '' "s/<DISPLAYNAME>/$DISPLAYNAME/g" $basefolder/authelia/users_database.yml
+      sed -i '' "s/<USERNAME>/$DISPLAYNAME/g" $basefolder/authelia/users_database.yml
+   else
+      sed -i "s/<DISPLAYNAME>/$DISPLAYNAME/g" $basefolder/authelia/users_database.yml
+      sed -i "s/<USERNAME>/$DISPLAYNAME/g" $basefolder/authelia/users_database.yml
+   fi
+else
+  echo "Display name cannot be empty"
+  displayname
+fi
+interface
+}
+
+password() {
+basefolder="/opt/appdata"
+tee <<-EOF
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+🚀 Authelia Password
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+EOF
+   read -erp "Enter a password for $USERNAME: " PASSWORD
+
+if [[ $PASSWORD != "" ]];then
+   $(command -v docker) pull authelia/authelia -q > /dev/null
+   PASSWORD=$($(command -v docker) run authelia/authelia authelia hash-password $PASSWORD -i 2 -k 32 -m 128 -p 8 -l 32 | sed 's/Password hash: //g')
+   JWTTOKEN=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+   SECTOKEN=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+   if [[ $(uname) == "Darwin" ]];then
+      sed -i '' "s/<PASSWORD>/$(echo $PASSWORD | sed -e 's/[\/&]/\\&/g')/g" $basefolder/authelia/users_database.yml
+      sed -i '' "s/JWTTOKENID/$(echo $JWTTOKEN | sed -e 's/[\/&]/\\&/g')/g" $basefolder/authelia/configuration.yml
+      sed -i '' "s/unsecure_session_secret/$(echo $SECTOKEN | sed -e 's/[\/&]/\\&/g')/g" $basefolder/authelia/configuration.yml
+   else
+      sed -i "s/<PASSWORD>/$(echo $PASSWORD | sed -e 's/[\/&]/\\&/g')/g" $basefolder/authelia/users_database.yml
+      sed -i "s/JWTTOKENID/$(echo $JWTTOKEN | sed -e 's/[\/&]/\\&/g')/g" $basefolder/authelia/configuration.yml
+      sed -i "s/unsecure_session_secret/$(echo $SECTOKEN | sed -e 's/[\/&]/\\&/g')/g" $basefolder/authelia/configuration.yml
+   fi
+else
+   echo "Password cannot be empty"
+   password
+fi
+interface
+}
+
+deploynow() {
+basefolder="/opt/appdata"
+compose="compose/docker-compose.yml"
+envcreate
+
+#cd $basefolder/compose && $(command -v docker-compose) up -d --force-recreate 1>/dev/null 2>&1 && sleep 5
+$(command -v cd) $basefolder/compose/
+if [[ -f $basefolder/$compose ]];then
+   $(command -v docker-compose) config 1>/dev/null 2>&1
+   code=$?
+   if [[ $code -ne 0 ]];then
+tee <<-EOF
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+    ❌ ERROR
+    compose check has failed || Return code is ${code}
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+EOF
+   read -erp "Confirm Info | PRESS [ENTER]" typed </dev/tty
+   clear && interface
+   fi
+fi
+if [[ -f $basefolder/$compose ]];then
+   $(command -v docker-compose) pull 1>/dev/null 2>&1
+   code=$?
+   if [[ $code -ne 0 ]];then
+tee <<-EOF
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+    ❌ ERROR
+    compose pull has failed || Return code is ${code}
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+EOF
+   read -erp "Confirm Info | PRESS [ENTER]" typed </dev/tty
+   clear && interface
+   fi
+fi
+if [[ -f $basefolder/$compose ]];then
+   $(command -v docker-compose) up -d --force-recreate 1>/dev/null 2>&1
+   source $basefolder/compose/.env
+   tee <<-EOF
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+   🚀 Authelia
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+	    Authelia is deployed
+        Please wait for Authelia to start-up 
+	    it needs some time to start all the services
+
+        Authelia:   https://authelia.${DOMAIN}
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+EOF
+clear && interface
+fi
+}
+######################################################
+interface() {
+tee <<-EOF
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+🚀 Shield - Protect your domain
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+[1] Shield Status                   [ $SHIELDSTATUS ]
+[2] Admin Username                  [ $DISPLAYNAME ]
+[3] Admin Password                  [ $PASSWORD ]
+
+[4] Add user
+[5] Remove user
+
+[L] List users
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+[E] Enable Shield
+[D] Disable Shield
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+[Z] - Exit
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+EOF
+  read -erp '↘️  Type Number | Press [ENTER]: ' typed </dev/tty
+
+  case $typed in
+
+     1) domain && clear && interface ;;
+     2) displayname && clear && interface ;;
+     3) password && clear && interface ;;
+     4) cfemail && clear && interface ;;
+     5) cfkey && clear && interface ;;
+     6) cfzoneid && clear && interface ;;
+     d) deploynow && clear && interface ;;
+     D) deploynow && clear && interface ;;
+     z) exit 0 ;;
+     Z) exit 0 ;;
+     *) clear && interface ;;
+
+  esac
+}
+# FUNCTIONS END ##############################################################
+updatesystem

menu/shield/authelia/configuration.yml

@@ -0,0 +1,78 @@
+###############################################################
+#                   Authelia configuration                    #
+###############################################################
+
+host: 0.0.0.0
+port: 9091
+theme: dark
+log_level: debug
+log_format: text
+log_file_path: /config/authelia.log
+jwt_secret: JWTTOKENID
+default_redirection_url: https://authelia.example.com
+
+totp:
+  issuer: authelia.com
+
+server:
+  read_buffer_size: 4096
+  write_buffer_size: 4096
+
+authentication_backend:
+  disable_reset_password: true
+  file:
+    path: /config/users_database.yml
+    password:
+      algorithm: argon2id
+      iterations: 4
+      salt_length: 32
+      parallelism: 8
+      memory: 1024
+
+# Rules applied to everyone
+access_control:
+  default_policy: deny
+  rules:
+    ## bypass rule for login
+    - domain: authelia.example.com
+      policy: bypass
+    ## bypass rule for apps
+    ## bypass rules for api / trigges
+    - domain: "*.example.com"
+      policy: bypass
+      resources:
+        - "^/api.*$"
+        - "^/identity.*$"
+        - "^/triggers/*$"
+    ## one factor login
+    - domain: "*.example.com"
+      policy: one_factor
+    ## deny rule
+    - domain: "example.com"
+      policy: deny
+    - domain: SERVERIP_ID
+      policy: deny
+
+session:
+  name: authelia_session
+  secret: unsecure_session_secret
+  expiration: 1h
+  inactivity: 10m
+  remember_me_duration: 1M
+  domain: example.com
+
+regulation:
+  max_retries: 3
+  find_time: 120
+  ban_time: 300
+
+storage:
+  local:
+    path: /config/db.sqlite3
+
+notifier:
+  filesystem:
+    filename: /config/notification.txt
+###############################################################
+#                   Authelia configuration                    #
+###############################################################

menu/shield/authelia/users_database.yml

@@ -0,0 +1,11 @@
+###############################################################
+#                         Users Database                      #
+###############################################################
+users:
+  <USERNAME>:
+    displayname: "<DISPLAYNAME>"
+    password: "<PASSWORD>"
+    email: example-CF-EMAIL
+    groups:
+      - admins
+      - dev

menu/shield/compose/authelia.yml

@@ -0,0 +1,66 @@
+#!/bin/bash
+# Title: authelia
+################################################################################
+---
+- hosts: localhost
+  gather_facts: false
+  tasks:
+    # FACTS #######################################################################
+    - name: "Set Known Facts"
+      set_fact:
+        pgrole: "authelia"
+        intport: "9091"
+        extport: "9091"
+        image: "authelia/authelia:latest"
+
+    # CORE (MANDATORY) ############################################################
+    - name: "Including cron job"
+      include_tasks: "/opt/communityapps/apps/_core.yml"
+
+    # LABELS ######################################################################
+    - name: "Adding Traefik"
+      set_fact:
+        pg_labels:
+          traefik.enable: "true"
+          traefik.port: "{{intport}}"
+          traefik.frontend.auth.forward.address: "http://authelia:9091/api/verify?rd=https://authelia.{{domain.stdout}}/"
+          traefik.frontend.rule: "Host:{{pgrole}}.{{domain.stdout}}{{tldset}}{{cname}}"
+          traefik.frontend.headers.SSLHost: "{{domain.stdout}}"
+          traefik.frontend.headers.SSLRedirect: "true"
+          traefik.frontend.headers.STSIncludeSubdomains: "true"
+          traefik.frontend.headers.STSPreload: "true"
+          traefik.frontend.headers.STSSeconds: "315360000"
+          traefik.frontend.headers.browserXSSFilter: "true"
+          traefik.frontend.headers.contentTypeNosniff: "true"
+          traefik.frontend.headers.customResponseHeaders: "X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
+          traefik.frontend.headers.forceSTSHeader: "true"
+
+    - name: "Setting {{pgrole}} Volumes"
+      set_fact:
+        pg_volumes:
+          - "/etc/localtime:/etc/localtime:ro"
+          - "/opt/appdata/{{pgrole}}:/config"
+
+    - name: "Setting {{pgrole}} ENV"
+      set_fact:
+        pg_env:
+          PUID: "1000"
+          PGID: "1000"
+
+    # MAIN DEPLOYMENT #############################################################
+    - name: "Deploying {{pgrole}}"
+      docker_container:
+        name: "{{pgrole}}"
+        image: "{{image}}"
+        pull: yes
+        published_ports:
+          - "{{ports.stdout}}{{extport}}:{{intport}}"
+        volumes: "{{pg_volumes}}"
+        env: "{{pg_env}}"
+        restart_policy: unless-stopped
+        networks:
+          - name: plexguide
+            aliases:
+              - "{{pgrole}}"
+        state: started
+        labels: "{{pg_labels}}"