add authelia

clusters/ipv6/tools/authelia/authelia-config.yml

@@ -0,0 +1,115 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: authelia-config
+  namespace: tools
+data:
+  configuration.yaml: |
+    server:
+      address: 'tcp4://:9091'
+      buffers:
+        read: 16384
+    log:
+      level: info 
+      file_path: ''
+      keep_stdout: true
+
+    identity_validation:
+      elevated_session:
+        require_second_factor: true
+      reset_password:
+        jwt_lifespan: '5 minutes'
+
+    theme: dark
+
+    totp:
+      disable: false
+      issuer: 'akshun-lab.cc'
+      period: 30
+      skew: 1
+      algorithm: 'sha1'
+      digits: 6
+      secret_size: 32
+      allowed_algorithms:
+        - 'SHA1'
+      allowed_digits:
+        - 6
+      allowed_periods:
+        - 30
+      disable_reuse_security_policy: false
+
+    password_policy:
+      zxcvbn:
+        enabled: true
+        min_score: 4
+
+    authentication_backend:
+      file:
+        path: '/config/users.yml'
+        password:
+          algorithm: 'argon2'
+          argon2:
+            variant: 'argon2id'
+            iterations: 3
+            memory: 65535
+            parallelism: 4
+            key_length: 32
+            salt_length: 16
+
+    access_control:
+      default_policy: 'deny'
+      rules:
+        - domain: 'auth.akshun-lab.cc'
+          policy: bypass
+        - domain: 'invidious.akshun-lab.cc'
+          resources: '^/(api/v1|feed|videoplayback|vi/.+\.(jpg|webp)|ggpht|latest_version|sb)'
+          policy: bypass
+        - domain: 'immich.akshun-lab.cc'
+          policy: bypass
+        - domain: 'jellyfin.akshun-lab.cc'
+          policy: bypass
+        - domain: 'gitea.akshun-lab.cc'
+          policy: bypass
+        - domain: 'nextcloud.akshun-lab.cc'
+          policy: bypass
+        - domain: 'collabora.akshun-lab.cc'
+          policy: bypass
+        - domain: 'vw.akshun-lab.cc'
+          policy: bypass
+        - domain: '*.akshun-lab.cc'
+          policy: two_factor
+    
+    session:
+      name: 'authelia_session'
+      cookies:
+        - domain: 'akshun-lab.cc'
+          authelia_url: 'https://auth.akshun-lab.cc'
+
+    regulation:
+      max_retries: 4
+      find_time: 120
+      ban_time: 300
+
+    storage:
+      local:
+        path: '/config/db.sqlite3'
+
+    notifier:
+      disable_startup_check: false
+      smtp:
+        address: submissions://smtp.gmail.com:465
+        username: aggarwalakshun@gmail.com
+        sender: aggarwalakshun@gmail.com
+        identifier: localhost
+        subject: "[Authelia] {title}"
+        startup_check_address: aggarwalakshun@gmail.com
+        disable_require_tls: false
+        disable_html_emails: false
+        tls:
+          skip_verify: false
+          minimum_version: TLS1.2
+    ntp:
+      address: 'time.google.com:123'
+      version: 4
+      max_desync: '3s'
+      disable_startup_check: false

clusters/ipv6/tools/authelia/authelia-ingress.yml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: authelia
+  namespace: tools
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+spec:
+  ingressClassName: traefik
+  tls:
+    - hosts:
+        - auth.akshun-lab.cc
+      secretName: authelia-tls
+  rules:
+    - host: auth.akshun-lab.cc
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: authelia
+                port:
+                  number: 9091
+

clusters/ipv6/tools/authelia/authelia-middleware.yml

@@ -0,0 +1,15 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: authelia
+  namespace: tools
+spec:
+  forwardAuth:
+    address: http://authelia.tools.svc.cluster.local:9091/api/authz/forward-auth
+    trustForwardHeader: true
+    authResponseHeaders:
+      - Remote-User
+      - Remote-Groups
+      - Remote-Name
+      - Remote-Email
+

clusters/ipv6/tools/authelia/authelia-pvc.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: authelia-pvc
+  namespace: tools
+spec:
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 1Gi
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce

clusters/ipv6/tools/authelia/authelia-release.yml

@@ -0,0 +1,46 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: authelia
+  namespace: tools
+spec:
+  interval: 6h
+  chart:
+    spec:
+      chart: authelia
+      version: "0.10.49"
+      sourceRef:
+        kind: HelmRepository
+        name: authelia
+        namespace: flux-system
+      interval: 6h
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    configMap:
+      notifier:
+        smtp:
+          enabled: true
+          password:
+            path: password
+            secret_name: authelia-secrets
+          username: aggarwalakshun@gmail.com
+      existingConfigMap: authelia-config
+    persistence:
+      enabled: true
+      existingClaim: authelia-pvc
+    secret:
+      existingSecret: authelia-secrets
+      additionalSecrets:
+        authelia-secrets: {}
+    pod:
+      kind: Deployment
+      strategy:
+        type: Recreate
+    service:
+      port: 9091

clusters/ipv6/tools/authelia/authelia-repo.yml

@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: authelia
+  namespace: flux-system
+spec:
+  interval: 6h
+  url: https://charts.authelia.com

clusters/ipv6/tools/authelia/authelia-secrets-sealed.yml

@@ -0,0 +1,20 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: authelia-secrets
+  namespace: tools
+spec:
+  encryptedData:
+    identity_validation.reset_password.jwt.hmac.key: AgCHMesTu3xiWgUOZ8WSUV/qmxmV0QinuFMjC79EeCwL7npAvLmm7oaIl/gErKwmHM0BeJNh8upa/Qi/vz4xi7IAyaCqnmTRiKR2lLTipYtT4r3xQTnD3yX6RPqfESeLS8Oq2Y0s5v4Ypb7GHzqzjcV3Auji8Zi+iWCqXDrgSxWusGRqWOAPNEfThzJntDf5yxcpbARdP+80rac/+kij1Pa4oI+Rrbwi5frQ8GDRaQI1s3FiVmYfESDAIBGIRnMtLbsBVZvt1Vh51cpAb7HA32IxksFu81YdNrmO9QUQsxqrYEUgZCkMbKXbyXK+PPVfYNd9DcYpO7siImtjIk94oqUGEIy8F6G3nNoAwG1v8+qJZHBylooTesCXz0ORhm8Po9sL0bSBAOjVxRMEC7/EZ+WgDaHlAUXeJRQoorgL338TKVpftchFYOw625zuGqKziT7sBwnvpAVOYqIxVNU0nQLe+sbKuq6k3381wR7Cu5C7zAYPWA9Nq2DHv6czfyvUNc0o9YLEBRcZqrlmFoF0mpBRmORAdJJ8sAo/Jxpgnet+rQuaRaLIohg1paWKNGpv0VacXLIYF2FwHMLxDyPJtzV4bF91gAWhD27z8qenKVkZcim7Nvecc2IeRfrNWFD5m9q/Ca6XR8Y6liqKBE1wockR5HarXPxQ4X/Eo8jdorfiyI/3qvTVU5l7kblumSvKlsJUyYB+v5/fOBGXvMBzjwr1iOcZfZwhMkFYBXIaebXS
+    jwt.secret: AgDEmKfS0uyID0aWco02ktfU3VBqblcOW1XA21e3NA6ckdjFz9BYDT/Oq2Quj4AOyM33zEEamycL+anWfZzKbyFZ6QpDggOOnhG2M/rIe4WaxIUK8si7oZBFE8CJnMImplRjozFSa3z72Wzay1QK84gc6sCyiOpw2gbxY6c1kXZi/AdiJyHaN6o+7oJfEGczAaVGGKzbOZf5ynocvBDBx3n3IUkXiQw/OcL18sklInfrYC67+H/me6ga+Sm9Jfx4uF0Smf2+WFPAw/Ylu8U1QVWXMXHOVBt5KldkzTvtrTJsKWO9MG3xYp9AZtDQCFpHNjotLNcV5kcKoUoZWZgmn8BL6f4fNI3GJLNuhG+kam1T2lTiJrqBe+y15sRisc3M3zZJW9hC/Aa1Uph6Ba25r2ry9Li1L3Iqrd6yFzlq1Ecnhbscv+ImV3UkJ+hOOx/kqDq/SIMcigeemxgtkgmVrZVTQL7keswXs1ylCFd4PM/oi3KHNWG1+Ah23HxmwnYb3zCBaVTq0e3JLz8nRHL/SzaFl/JQKfi2P+j57qcdEN6s901srqh03M6Rg04VtgX+7WNgfVVpTby8Ayt0MJiyQvK0hHTi0e/Hu+oRhdZDR/RflAzxKVOFNkZzG3IpADeKSwR5iMWHYebBmVo/mgi+AA4Oo4Ma4axnTiczcPxMSJhslwWkEtMcXQzC3q2zBDWTbV6/4EQUPrKS8KTiZ+rIJzKwXhpOsosKDSTTCYTJi8+3ht5UsnP/3pK/KDSEIUsw33H92G0C33i2OHezSOgBhB+o
+    notifier.smtp.username: AgC1lL54rpLTear220XepMHxIiMFqz3sFQDhej+Ev/CFc5+EeC0iuQNRMMmQREinULYA+/Oy7TjFh89F0798SgCmVTYHNxQTgFS2aZn6HvVVNqSSefW7j70Gh3UVW9gmsiSg7hSnrM1dNk9m4BrrN9hf1CrKLLr3hAETQnDyCeWN53gYYByL4D3J2w46pb3AFkjXKU8Y0cz7mE8oB4ZcQhnNf7Cy2jJHaRQ08U+LZ/gD9d/U+orgYYMlzaw9vbSgcwYijjN9VT2DkTAg2Gf0mR7teklNp9OPRPl0uYyDjpyT+NzNLZN26Vljv6vUTtQlYh9O8Z/zTdtzpvQimcesCF+E/LhqJXqWiRQsMIb3Gih+zLIM6iPVkZQv5gEs5Fjc1TvhdHyn0FtWATrVUMKcFwznW0JisqJvTqm7FY9TUEXtqHMxs5BSPyNsUYpqqo8x+gll06ii1aVJRZyBUeShzcKsdLhrJmVPzC1FxOeWk0V/eK7KnG9QtBZNN/LkdMRTkvO+HlKqXP123TWjZUF8AR9kE34+yHrp1wiMdZADkFAX+Zaar/UwAhGfbcwVegSCTEHDpKZ2wCz5xmEczgg9ohWgOca8q69ola2tdP8ehBaMaviMmNBgD5B6LhFziVbhp1E+S7JRuwvdqdOx2YjkCw6rs7l6KceiGsDQ0T0CkvUWmKhNiKsoOmXys8tAS+jktCnoiNnZKleRjtZbWLQocwPGCzXPvoGSgDQ=
+    password: AgCEZBfAOk8yl0aU8ohD5FkPITTkvKDLNNr/0oMlwskkRDr+xvthPCMntPHXn4CISLDTHWjlr1JlEN/ggJdjYrso7oiI9Ku7RLrEeUJiIOOJDxcOY68ZNecGBKLQu3XmH0MmFCSLke2bG6bCK/NdnNKFQzzd+fMsxL04xjaHKpgyOU6tgbo9Cmlv/b3YcWPjXwdQRkWOTXEhpmbrVfZHtFjob51MHMB1Z6utXr613c7taGOkZZVxvVI3NskMvvWHPbzcceojB7AgeDoabIONDsg5p/rjdkpDq6nJJUNF0m1CjKDiYSfVmR2abUpwgic5X/O037X+/q0Nuk5hQWdhR0mgUiSXa/J3ftd8sAZFUKc4QiqU3/fCvcrwysVJOPpebah9F64MZBdcDvaqOPW3V7svLiIviPPpkZn/a32TTgzZjvn4nIhh6JTUNKj1QaP+jkX6KoUaPpTlWJgD4ksiyjiDl/FjHTHaiJkjchUCzRQIejoGF4JPmHAJk5G6z8elArpwzmHZQ36srjVLDCERbV9frDEx6DLY24WcBMtkGpV7oz8mrU9xipoPt/fR09riApFRslfgs+aK9RGwDP4HmxFQ/Qax4uUTwrcj17atlCQvtMHLHEYvI+8+bB9/aNwGUMr2IVZYQ1stg+dupRs2xQER/zQg+REj7bAbUTDWlkM680uv5Plxp2OfUSgAtiMbpwvX2wxw+eWtJ9lr0XCdZ+wp
+    session.authentication.key: AgAv7vKswgMSiZdJowR7yjwrU9ARqdGbLD7Cd0mTC9jdcU2yodANPN6gBichhJ14yj+NmI8r3dpOAZvhqCrZcHeB/qzTpZnHS6tcLbLmwmASfUvE8/CZCEuE3plY1SoWVsI3I8UN6+eeI0g6tXh5IcgJLw3qp3bj3aIXY9HJOYjhioEo+gG0RpeQ5VkPKFav2kb7jaXXYg4z3T3JyqE0jituNkGiZ3uTgZ1yPs7iYxqQ1wOtbWBj7SJYIH8SUV8UVbgIOGGs8jgRFiZeF6ABrZ54ZriGUI718qGY3FrbBJad9GiQvHuFXOyny2yeN1j3LTkr7cW0rpLBY1zzLWWny8FS+x69ftfbRTu+wBUaGfWNPNW3szGnSEDxbWs6j9dzHoUA06nKIbMICdlF8uhzb/MGf8YpR8wxFO5sDEcbIjG3MXc76a21ouqnJEi3kZlauwQx30/jqJMDqJ3onPI0/OhIvrqwyMGgCAGivCtDOmrCCwLtvCC+brc7sOPjAJ7O/BAUvEGw2YTbP5IGY+nW71/MQZB/AWz5o2u0Ro7wqE6EY3HDR5SEXGXOqnflrtUMVWNf7BU+Rr3rVkaakx6Mrmk3lhaF2gP1+MJochYGwnZqLlvi5ffmILWexbZjfw8V4fuPt9g+b04SELsmjXxpYddxxIOnQZUkh5c2OFZLDXX9DbncqpHU3q59Bojxq48bAfFv2ops6PogDtGfrQmcv/uWLJH6tV7i/kfi9MXyFr0/IQ==
+    session.encryption.key: AgAErQQk5jISeJWbwjVvtB4DIK3BeoZnoRyv0RtTbyheHZPNHtPro7bhD6v0wYh88spi51kaeYRDEJxGnHoOdiiFuI5Xo2UK4I4Poj6kCUQFhl2isntzd1dNonc6M5dikcnFYjQIIdMqPhW+jLNsnR7hJD9OksZhr27WPvvwE/h1QTRAKKIeeBeck2TnX8ArgA8lnzFAE3/U3V3PFgucrfYo/Zr/xTt+8267ouEL0x4jvjeOsynNqRvhcqAJtjwhxdobbP2GQ8e1jGyvXUBJ5v0qjwZpeoCvBqzprJaNnRARdMq+e0czrV7EdyDKZRqLpFOjAfs3AhMYHX02pjbvWgXN3AqMHojZDZtqvnDK+FncSS+t3E3sN/N/Bf2ruRVnlkRjdPAMU8jhw5X+cclZk8FH0M+MyGoGS/XXhFaYcaIg/YCIu4XDuGPmhUk4rVhz+ntaAm7+LJlHnt2NcINTdJ4NtU5LkrXovOhwDH6K+KNMdxPmUmj7U5XJSzbMr3Dyf4Y/rfWKofPsjCEyuwDfiSl+lyFH6p1Q8orbLE4flBgWuAn2lyLT4479uQ6jhqzYLfztsTkJiOxxLXC2oAiDQem12k9YuflQY1LsA2B/70K41gIEUynrwpV/sStL4f5oJH18c3HsNYeckULBfuBHRGTlHWJuL0gUNyxSt/wKlOlw4Rd7R6SvCxHXeb/E61ZW2RHVRTgw5/sUNM8KhYWVZdS9MXsWqkb4K6TXT6gXV+krvQ==
+    storage.encryption.key: AgB+YE9g1LGgUL7AilXufX2Ifqr+MUUfeJGEeVipNdif7Jd6lEZufj18W78OUn5TSvujT8eZIzsWC4s1DGxV8NO8G+1uNMFdL0gAXPtHTNQf06cfGYOxk6rXfgE+2U3qtN0/CHoLBKlaUEjtUzKeLpLntKobL2/vQf3OyDdogHlwGDINQ1L7dIUgoNSShfNVY62pDPPeQUuP8J9mxdEg2D+HFNTYX4mM9bCT31ZLReTKXpW4Cbc2cWsKe66jbtDfdthesV71dVgi8X5kacaW9O0O4bfq5iPZxuAfixeb/9QG1z7OolMpxGW2az1wZV8JfJrUWhgVGIGX67NJw2YYiSgp2dB6AcWmfHA0TAya84viJk35HthHRlYIArgIUYauPhAOzCRzc1oWzD7THVkLC+aGcccZC6n6eWnNNpYqxmJlZhp79oX2jHMtYD4HnmnYkhvf79R4MLU5YAvtdkxe9PGAqztufgSM7cq4cvQqTjddYjCyhrJYAyDmwOm9dDcCDqLcdIwRGmp0ELhr4KRYitBCN6/X9C5cq3CSn2NH0Jv9hmxnHoyvvA3mlLw8BuWF9AIGK89NoyuM50v0extpdZ8bpTd1Dd0Vzvt/iv/4n95+siW3YVr94id/LOIMVJKliXuL47Picu5bPMCylo9ss4odOQYADTfOckeSfFc6cz1SEk3k8pnv8wCfams2rB29En0wKOg70aBjEgDADqCGgOMOwFEjPqXhHbF1by9XwCNbeibML7eyPmdxMyzGwMbTkRVM/SqWhCEulqswCSS9DyEw
+  template:
+    metadata:
+      name: authelia-secrets
+      namespace: tools
+    type: Opaque