diff --git a/clusters/ipv6/tools/authelia/authelia-config.yml b/clusters/ipv6/tools/authelia/authelia-config.yml new file mode 100644 index 0000000..5592238 --- /dev/null +++ b/clusters/ipv6/tools/authelia/authelia-config.yml @@ -0,0 +1,115 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: authelia-config + namespace: tools +data: + configuration.yaml: | + server: + address: 'tcp4://:9091' + buffers: + read: 16384 + log: + level: info + file_path: '' + keep_stdout: true + + identity_validation: + elevated_session: + require_second_factor: true + reset_password: + jwt_lifespan: '5 minutes' + + theme: dark + + totp: + disable: false + issuer: 'akshun-lab.cc' + period: 30 + skew: 1 + algorithm: 'sha1' + digits: 6 + secret_size: 32 + allowed_algorithms: + - 'SHA1' + allowed_digits: + - 6 + allowed_periods: + - 30 + disable_reuse_security_policy: false + + password_policy: + zxcvbn: + enabled: true + min_score: 4 + + authentication_backend: + file: + path: '/config/users.yml' + password: + algorithm: 'argon2' + argon2: + variant: 'argon2id' + iterations: 3 + memory: 65535 + parallelism: 4 + key_length: 32 + salt_length: 16 + + access_control: + default_policy: 'deny' + rules: + - domain: 'auth.akshun-lab.cc' + policy: bypass + - domain: 'invidious.akshun-lab.cc' + resources: '^/(api/v1|feed|videoplayback|vi/.+\.(jpg|webp)|ggpht|latest_version|sb)' + policy: bypass + - domain: 'immich.akshun-lab.cc' + policy: bypass + - domain: 'jellyfin.akshun-lab.cc' + policy: bypass + - domain: 'gitea.akshun-lab.cc' + policy: bypass + - domain: 'nextcloud.akshun-lab.cc' + policy: bypass + - domain: 'collabora.akshun-lab.cc' + policy: bypass + - domain: 'vw.akshun-lab.cc' + policy: bypass + - domain: '*.akshun-lab.cc' + policy: two_factor + + session: + name: 'authelia_session' + cookies: + - domain: 'akshun-lab.cc' + authelia_url: 'https://auth.akshun-lab.cc' + + regulation: + max_retries: 4 + find_time: 120 + ban_time: 300 + + storage: + local: + path: '/config/db.sqlite3' + + notifier: + disable_startup_check: false + smtp: + address: submissions://smtp.gmail.com:465 + username: aggarwalakshun@gmail.com + sender: aggarwalakshun@gmail.com + identifier: localhost + subject: "[Authelia] {title}" + startup_check_address: aggarwalakshun@gmail.com + disable_require_tls: false + disable_html_emails: false + tls: + skip_verify: false + minimum_version: TLS1.2 + ntp: + address: 'time.google.com:123' + version: 4 + max_desync: '3s' + disable_startup_check: false diff --git a/clusters/ipv6/tools/authelia/authelia-ingress.yml b/clusters/ipv6/tools/authelia/authelia-ingress.yml new file mode 100644 index 0000000..1385610 --- /dev/null +++ b/clusters/ipv6/tools/authelia/authelia-ingress.yml @@ -0,0 +1,25 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: authelia + namespace: tools + annotations: + cert-manager.io/cluster-issuer: letsencrypt-cloudflare +spec: + ingressClassName: traefik + tls: + - hosts: + - auth.akshun-lab.cc + secretName: authelia-tls + rules: + - host: auth.akshun-lab.cc + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: authelia + port: + number: 9091 + diff --git a/clusters/ipv6/tools/authelia/authelia-middleware.yml b/clusters/ipv6/tools/authelia/authelia-middleware.yml new file mode 100644 index 0000000..09a4f09 --- /dev/null +++ b/clusters/ipv6/tools/authelia/authelia-middleware.yml @@ -0,0 +1,15 @@ +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: authelia + namespace: tools +spec: + forwardAuth: + address: http://authelia.tools.svc.cluster.local:9091/api/authz/forward-auth + trustForwardHeader: true + authResponseHeaders: + - Remote-User + - Remote-Groups + - Remote-Name + - Remote-Email + diff --git a/clusters/ipv6/tools/authelia/authelia-pvc.yml b/clusters/ipv6/tools/authelia/authelia-pvc.yml new file mode 100644 index 0000000..e0c8ee6 --- /dev/null +++ b/clusters/ipv6/tools/authelia/authelia-pvc.yml @@ -0,0 +1,14 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: authelia-pvc + namespace: tools +spec: + storageClassName: longhorn + resources: + requests: + storage: 1Gi + volumeMode: Filesystem + accessModes: + - ReadWriteOnce diff --git a/clusters/ipv6/tools/authelia/authelia-release.yml b/clusters/ipv6/tools/authelia/authelia-release.yml new file mode 100644 index 0000000..b3fb79f --- /dev/null +++ b/clusters/ipv6/tools/authelia/authelia-release.yml @@ -0,0 +1,46 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: authelia + namespace: tools +spec: + interval: 6h + chart: + spec: + chart: authelia + version: "0.10.49" + sourceRef: + kind: HelmRepository + name: authelia + namespace: flux-system + interval: 6h + install: + remediation: + retries: 3 + upgrade: + remediation: + retries: 3 + values: + configMap: + notifier: + smtp: + enabled: true + password: + path: password + secret_name: authelia-secrets + username: aggarwalakshun@gmail.com + existingConfigMap: authelia-config + persistence: + enabled: true + existingClaim: authelia-pvc + secret: + existingSecret: authelia-secrets + additionalSecrets: + authelia-secrets: {} + pod: + kind: Deployment + strategy: + type: Recreate + service: + port: 9091 diff --git a/clusters/ipv6/tools/authelia/authelia-repo.yml b/clusters/ipv6/tools/authelia/authelia-repo.yml new file mode 100644 index 0000000..53ade19 --- /dev/null +++ b/clusters/ipv6/tools/authelia/authelia-repo.yml @@ -0,0 +1,9 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: authelia + namespace: flux-system +spec: + interval: 6h + url: https://charts.authelia.com diff --git a/clusters/ipv6/tools/authelia/authelia-secrets-sealed.yml b/clusters/ipv6/tools/authelia/authelia-secrets-sealed.yml new file mode 100644 index 0000000..5670e6b --- /dev/null +++ b/clusters/ipv6/tools/authelia/authelia-secrets-sealed.yml @@ -0,0 +1,20 @@ +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: authelia-secrets + namespace: tools +spec: + encryptedData: + identity_validation.reset_password.jwt.hmac.key: AgCHMesTu3xiWgUOZ8WSUV/qmxmV0QinuFMjC79EeCwL7npAvLmm7oaIl/gErKwmHM0BeJNh8upa/Qi/vz4xi7IAyaCqnmTRiKR2lLTipYtT4r3xQTnD3yX6RPqfESeLS8Oq2Y0s5v4Ypb7GHzqzjcV3Auji8Zi+iWCqXDrgSxWusGRqWOAPNEfThzJntDf5yxcpbARdP+80rac/+kij1Pa4oI+Rrbwi5frQ8GDRaQI1s3FiVmYfESDAIBGIRnMtLbsBVZvt1Vh51cpAb7HA32IxksFu81YdNrmO9QUQsxqrYEUgZCkMbKXbyXK+PPVfYNd9DcYpO7siImtjIk94oqUGEIy8F6G3nNoAwG1v8+qJZHBylooTesCXz0ORhm8Po9sL0bSBAOjVxRMEC7/EZ+WgDaHlAUXeJRQoorgL338TKVpftchFYOw625zuGqKziT7sBwnvpAVOYqIxVNU0nQLe+sbKuq6k3381wR7Cu5C7zAYPWA9Nq2DHv6czfyvUNc0o9YLEBRcZqrlmFoF0mpBRmORAdJJ8sAo/Jxpgnet+rQuaRaLIohg1paWKNGpv0VacXLIYF2FwHMLxDyPJtzV4bF91gAWhD27z8qenKVkZcim7Nvecc2IeRfrNWFD5m9q/Ca6XR8Y6liqKBE1wockR5HarXPxQ4X/Eo8jdorfiyI/3qvTVU5l7kblumSvKlsJUyYB+v5/fOBGXvMBzjwr1iOcZfZwhMkFYBXIaebXS + jwt.secret: AgDEmKfS0uyID0aWco02ktfU3VBqblcOW1XA21e3NA6ckdjFz9BYDT/Oq2Quj4AOyM33zEEamycL+anWfZzKbyFZ6QpDggOOnhG2M/rIe4WaxIUK8si7oZBFE8CJnMImplRjozFSa3z72Wzay1QK84gc6sCyiOpw2gbxY6c1kXZi/AdiJyHaN6o+7oJfEGczAaVGGKzbOZf5ynocvBDBx3n3IUkXiQw/OcL18sklInfrYC67+H/me6ga+Sm9Jfx4uF0Smf2+WFPAw/Ylu8U1QVWXMXHOVBt5KldkzTvtrTJsKWO9MG3xYp9AZtDQCFpHNjotLNcV5kcKoUoZWZgmn8BL6f4fNI3GJLNuhG+kam1T2lTiJrqBe+y15sRisc3M3zZJW9hC/Aa1Uph6Ba25r2ry9Li1L3Iqrd6yFzlq1Ecnhbscv+ImV3UkJ+hOOx/kqDq/SIMcigeemxgtkgmVrZVTQL7keswXs1ylCFd4PM/oi3KHNWG1+Ah23HxmwnYb3zCBaVTq0e3JLz8nRHL/SzaFl/JQKfi2P+j57qcdEN6s901srqh03M6Rg04VtgX+7WNgfVVpTby8Ayt0MJiyQvK0hHTi0e/Hu+oRhdZDR/RflAzxKVOFNkZzG3IpADeKSwR5iMWHYebBmVo/mgi+AA4Oo4Ma4axnTiczcPxMSJhslwWkEtMcXQzC3q2zBDWTbV6/4EQUPrKS8KTiZ+rIJzKwXhpOsosKDSTTCYTJi8+3ht5UsnP/3pK/KDSEIUsw33H92G0C33i2OHezSOgBhB+o + notifier.smtp.username: AgC1lL54rpLTear220XepMHxIiMFqz3sFQDhej+Ev/CFc5+EeC0iuQNRMMmQREinULYA+/Oy7TjFh89F0798SgCmVTYHNxQTgFS2aZn6HvVVNqSSefW7j70Gh3UVW9gmsiSg7hSnrM1dNk9m4BrrN9hf1CrKLLr3hAETQnDyCeWN53gYYByL4D3J2w46pb3AFkjXKU8Y0cz7mE8oB4ZcQhnNf7Cy2jJHaRQ08U+LZ/gD9d/U+orgYYMlzaw9vbSgcwYijjN9VT2DkTAg2Gf0mR7teklNp9OPRPl0uYyDjpyT+NzNLZN26Vljv6vUTtQlYh9O8Z/zTdtzpvQimcesCF+E/LhqJXqWiRQsMIb3Gih+zLIM6iPVkZQv5gEs5Fjc1TvhdHyn0FtWATrVUMKcFwznW0JisqJvTqm7FY9TUEXtqHMxs5BSPyNsUYpqqo8x+gll06ii1aVJRZyBUeShzcKsdLhrJmVPzC1FxOeWk0V/eK7KnG9QtBZNN/LkdMRTkvO+HlKqXP123TWjZUF8AR9kE34+yHrp1wiMdZADkFAX+Zaar/UwAhGfbcwVegSCTEHDpKZ2wCz5xmEczgg9ohWgOca8q69ola2tdP8ehBaMaviMmNBgD5B6LhFziVbhp1E+S7JRuwvdqdOx2YjkCw6rs7l6KceiGsDQ0T0CkvUWmKhNiKsoOmXys8tAS+jktCnoiNnZKleRjtZbWLQocwPGCzXPvoGSgDQ= + password: AgCEZBfAOk8yl0aU8ohD5FkPITTkvKDLNNr/0oMlwskkRDr+xvthPCMntPHXn4CISLDTHWjlr1JlEN/ggJdjYrso7oiI9Ku7RLrEeUJiIOOJDxcOY68ZNecGBKLQu3XmH0MmFCSLke2bG6bCK/NdnNKFQzzd+fMsxL04xjaHKpgyOU6tgbo9Cmlv/b3YcWPjXwdQRkWOTXEhpmbrVfZHtFjob51MHMB1Z6utXr613c7taGOkZZVxvVI3NskMvvWHPbzcceojB7AgeDoabIONDsg5p/rjdkpDq6nJJUNF0m1CjKDiYSfVmR2abUpwgic5X/O037X+/q0Nuk5hQWdhR0mgUiSXa/J3ftd8sAZFUKc4QiqU3/fCvcrwysVJOPpebah9F64MZBdcDvaqOPW3V7svLiIviPPpkZn/a32TTgzZjvn4nIhh6JTUNKj1QaP+jkX6KoUaPpTlWJgD4ksiyjiDl/FjHTHaiJkjchUCzRQIejoGF4JPmHAJk5G6z8elArpwzmHZQ36srjVLDCERbV9frDEx6DLY24WcBMtkGpV7oz8mrU9xipoPt/fR09riApFRslfgs+aK9RGwDP4HmxFQ/Qax4uUTwrcj17atlCQvtMHLHEYvI+8+bB9/aNwGUMr2IVZYQ1stg+dupRs2xQER/zQg+REj7bAbUTDWlkM680uv5Plxp2OfUSgAtiMbpwvX2wxw+eWtJ9lr0XCdZ+wp + session.authentication.key: AgAv7vKswgMSiZdJowR7yjwrU9ARqdGbLD7Cd0mTC9jdcU2yodANPN6gBichhJ14yj+NmI8r3dpOAZvhqCrZcHeB/qzTpZnHS6tcLbLmwmASfUvE8/CZCEuE3plY1SoWVsI3I8UN6+eeI0g6tXh5IcgJLw3qp3bj3aIXY9HJOYjhioEo+gG0RpeQ5VkPKFav2kb7jaXXYg4z3T3JyqE0jituNkGiZ3uTgZ1yPs7iYxqQ1wOtbWBj7SJYIH8SUV8UVbgIOGGs8jgRFiZeF6ABrZ54ZriGUI718qGY3FrbBJad9GiQvHuFXOyny2yeN1j3LTkr7cW0rpLBY1zzLWWny8FS+x69ftfbRTu+wBUaGfWNPNW3szGnSEDxbWs6j9dzHoUA06nKIbMICdlF8uhzb/MGf8YpR8wxFO5sDEcbIjG3MXc76a21ouqnJEi3kZlauwQx30/jqJMDqJ3onPI0/OhIvrqwyMGgCAGivCtDOmrCCwLtvCC+brc7sOPjAJ7O/BAUvEGw2YTbP5IGY+nW71/MQZB/AWz5o2u0Ro7wqE6EY3HDR5SEXGXOqnflrtUMVWNf7BU+Rr3rVkaakx6Mrmk3lhaF2gP1+MJochYGwnZqLlvi5ffmILWexbZjfw8V4fuPt9g+b04SELsmjXxpYddxxIOnQZUkh5c2OFZLDXX9DbncqpHU3q59Bojxq48bAfFv2ops6PogDtGfrQmcv/uWLJH6tV7i/kfi9MXyFr0/IQ== + session.encryption.key: AgAErQQk5jISeJWbwjVvtB4DIK3BeoZnoRyv0RtTbyheHZPNHtPro7bhD6v0wYh88spi51kaeYRDEJxGnHoOdiiFuI5Xo2UK4I4Poj6kCUQFhl2isntzd1dNonc6M5dikcnFYjQIIdMqPhW+jLNsnR7hJD9OksZhr27WPvvwE/h1QTRAKKIeeBeck2TnX8ArgA8lnzFAE3/U3V3PFgucrfYo/Zr/xTt+8267ouEL0x4jvjeOsynNqRvhcqAJtjwhxdobbP2GQ8e1jGyvXUBJ5v0qjwZpeoCvBqzprJaNnRARdMq+e0czrV7EdyDKZRqLpFOjAfs3AhMYHX02pjbvWgXN3AqMHojZDZtqvnDK+FncSS+t3E3sN/N/Bf2ruRVnlkRjdPAMU8jhw5X+cclZk8FH0M+MyGoGS/XXhFaYcaIg/YCIu4XDuGPmhUk4rVhz+ntaAm7+LJlHnt2NcINTdJ4NtU5LkrXovOhwDH6K+KNMdxPmUmj7U5XJSzbMr3Dyf4Y/rfWKofPsjCEyuwDfiSl+lyFH6p1Q8orbLE4flBgWuAn2lyLT4479uQ6jhqzYLfztsTkJiOxxLXC2oAiDQem12k9YuflQY1LsA2B/70K41gIEUynrwpV/sStL4f5oJH18c3HsNYeckULBfuBHRGTlHWJuL0gUNyxSt/wKlOlw4Rd7R6SvCxHXeb/E61ZW2RHVRTgw5/sUNM8KhYWVZdS9MXsWqkb4K6TXT6gXV+krvQ== + storage.encryption.key: AgB+YE9g1LGgUL7AilXufX2Ifqr+MUUfeJGEeVipNdif7Jd6lEZufj18W78OUn5TSvujT8eZIzsWC4s1DGxV8NO8G+1uNMFdL0gAXPtHTNQf06cfGYOxk6rXfgE+2U3qtN0/CHoLBKlaUEjtUzKeLpLntKobL2/vQf3OyDdogHlwGDINQ1L7dIUgoNSShfNVY62pDPPeQUuP8J9mxdEg2D+HFNTYX4mM9bCT31ZLReTKXpW4Cbc2cWsKe66jbtDfdthesV71dVgi8X5kacaW9O0O4bfq5iPZxuAfixeb/9QG1z7OolMpxGW2az1wZV8JfJrUWhgVGIGX67NJw2YYiSgp2dB6AcWmfHA0TAya84viJk35HthHRlYIArgIUYauPhAOzCRzc1oWzD7THVkLC+aGcccZC6n6eWnNNpYqxmJlZhp79oX2jHMtYD4HnmnYkhvf79R4MLU5YAvtdkxe9PGAqztufgSM7cq4cvQqTjddYjCyhrJYAyDmwOm9dDcCDqLcdIwRGmp0ELhr4KRYitBCN6/X9C5cq3CSn2NH0Jv9hmxnHoyvvA3mlLw8BuWF9AIGK89NoyuM50v0extpdZ8bpTd1Dd0Vzvt/iv/4n95+siW3YVr94id/LOIMVJKliXuL47Picu5bPMCylo9ss4odOQYADTfOckeSfFc6cz1SEk3k8pnv8wCfams2rB29En0wKOg70aBjEgDADqCGgOMOwFEjPqXhHbF1by9XwCNbeibML7eyPmdxMyzGwMbTkRVM/SqWhCEulqswCSS9DyEw + template: + metadata: + name: authelia-secrets + namespace: tools + type: Opaque