pez-infra/ansible/services/authelia/README.md
Rasmus Wejlgaard 8bb91032f3 Add Authelia config and SOPS-encrypted secrets
- Add configuration.yml from running helsinki-a deployment
- Replace example secrets with real SOPS-encrypted config.enc.yml
- Add LDAP and SMTP password file env vars to docker-compose
  (all secrets now via file mounts, zero inline passwords)
- Update README with secret mapping and deployment steps

Closes PESO-89
2026-03-28 17:42:07 +00:00


# Authelia
SSO authentication portal with LLDAP directory and MariaDB backend.
- **Host:** helsinki-a (100.67.6.27)
- **URL:** https://auth.pez.sh / https://auth.pez.solutions
- **Components:**
  - **Authelia** — SSO portal (port 9091, localhost only)
  - **LLDAP** — Lightweight LDAP directory (port 3890 LDAP, port 17170 web UI)
  - **MariaDB 11** — Session/config storage
- **Config:** `/root/authelia/config/configuration.yml`
- **Secrets:** `/root/authelia/secrets/` (mounted into containers)
- **LDAP base DN:** `dc=pez,dc=sh`
## Secrets
All secrets are stored in `config.enc.yml` (SOPS-encrypted with age). Decrypting requires the matching age private key, which sops reads from `SOPS_AGE_KEY_FILE` or `~/.config/sops/age/keys.txt`.
To decrypt (prints plaintext to stdout): `sops -d config.enc.yml`
Secret files expected in `/root/authelia/secrets/` on helsinki-a (one file per key, content is the raw secret value, mode `0600`, owned by root):
| File | Source key in config.enc.yml | Used by |
|------|------------------------------|---------|
| `JWT_SECRET` | `jwt_secret` | Authelia (password reset JWT) |
| `SESSION_SECRET` | `session_secret` | Authelia (session encryption) |
| `STORAGE_ENCRYPTION_KEY` | `storage_encryption_key` | Authelia (DB encryption) |
| `MYSQL_PASSWORD` | `mysql_password` | Authelia + MariaDB |
| `MYSQL_ROOT_PASSWORD` | `mysql_root_password` | MariaDB |
| `LLDAP_ADMIN_PASSWORD` | `lldap_admin_password` | LLDAP + Authelia (LDAP bind) |
| `LLDAP_JWT_SECRET` | `lldap_jwt_secret` | LLDAP |
| `SMTP_PASSWORD` | `smtp_password` | Authelia (email notifications) |
## Access Control
Default policy: **deny**. Per-service access via LLDAP groups (e.g. `pez_grafana_users`).
Domains covered: `*.pez.sh` and `*.pez.solutions` (mirrors).
## Deployment
1. Decrypt secrets: `sops -d config.enc.yml > /tmp/secrets.yml` (this is plaintext in a world-readable directory: `chmod 600` it immediately and delete it after step 2, or extract keys directly into the secret files instead)
2. Write each key as a file to `/root/authelia/secrets/<FILENAME>` using the table above (mode `0600`, root-owned, no trailing newline)
3. Copy `configuration.yml` to `/root/authelia/config/`
4. Copy `docker-compose.yml` to `/root/authelia/`
5. `docker compose up -d`
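The following is an added example of steps 1 and 2 done without staging a plaintext `/tmp/secrets.yml`; it is not the project's own deploy script. It uses `sops -d --extract` to pull one key at a time out of `config.enc.yml` and writes each directly to its `0600` secret file, then checks that every file from the table exists, is non-empty and is not group/world readable. It assumes `sops` and the age key are available on the host, and that the file name is simply the upper-cased key name (which matches the table above).

```shell
#!/usr/bin/env sh
# Added example (not the project's deploy script): write Authelia secret files
# straight from config.enc.yml, one sops --extract per key, never via /tmp.
# Assumes: sops on PATH, age private key reachable via SOPS_AGE_KEY_FILE or
# ~/.config/sops/age/keys.txt.

# Keys in config.enc.yml, as listed in the README table. File name = upper-cased key.
SECRET_KEYS="jwt_secret session_secret storage_encryption_key mysql_password \
mysql_root_password lldap_admin_password lldap_jwt_secret smtp_password"

# Decrypt one key from the encrypted file. Kept in its own function so it can
# be swapped out (e.g. stubbed) without touching the file-writing logic.
decrypt_key() {
    # $1 = encrypted YAML file, $2 = top-level key name
    sops -d --extract "[\"$2\"]" "$1"
}

# Write every key from $1 (config.enc.yml) as a 0600 file under $2 (secrets dir).
write_secret_files() {
    enc="$1"; dir="$2"
    umask 077                      # any file created below is owner-only
    mkdir -p "$dir"
    for key in $SECRET_KEYS; do
        name=$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')
        value=$(decrypt_key "$enc" "$key") || return 1
        [ -n "$value" ] || { echo "empty secret: $key" >&2; return 1; }
        # No trailing newline: the file content is exactly the secret value.
        printf '%s' "$value" > "$dir/$name"
        chmod 600 "$dir/$name"
    done
}

# Verify the secrets dir: every expected file present, non-empty, mode 600/400.
check_secret_files() {
    dir="$1"; rc=0
    for key in $SECRET_KEYS; do
        name=$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')
        f="$dir/$name"
        if [ ! -s "$f" ]; then
            echo "missing or empty: $f" >&2; rc=1; continue
        fi
        # GNU stat first, BSD stat as fallback.
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        case "$mode" in
            600|400) ;;
            *) echo "bad mode $mode (expected 600): $f" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Usage on helsinki-a:
#   write_secret_files config.enc.yml /root/authelia/secrets \
#     && check_secret_files /root/authelia/secrets \
#     && docker compose -f /root/authelia/docker-compose.yml up -d
```

Run `check_secret_files` again after any manual edit to the secrets directory; a file that is readable by other users or that was left empty will make it return non-zero before `docker compose up` is attempted.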
> **Note:** The current deployment lives at `/root/authelia/` (not `/opt/docker/authelia/`).
> The Ansible `docker_services` role deploys to `/opt/docker/` — if adding authelia
> to `docker_services` in host_vars, the paths in docker-compose.yml or the deploy
> target would need to be reconciled.