Initial commit - Talloires documentation
This commit is contained in:
182
docs/services/authelia.md
Normal file
182
docs/services/authelia.md
Normal file
@@ -0,0 +1,182 @@
|
||||
# Authelia - SSO
|
||||
|
||||
Authelia fournit l'authentification unique (SSO) pour tous les services Talloires.
|
||||
|
||||
## Accès
|
||||
|
||||
| Paramètre | Valeur |
|
||||
|-----------|--------|
|
||||
| URL | [auth.talloires.local](https://auth.talloires.local) |
|
||||
| Utilisateur | lionel |
|
||||
| Email | dflected@dflected.org |
|
||||
| 2FA | TOTP activé |
|
||||
|
||||
## Services protégés (forward_auth)
|
||||
|
||||
Ces services requièrent une authentification via Authelia avant d'accéder au backend :
|
||||
|
||||
| Service | URL |
|
||||
|---------|-----|
|
||||
| docs | docs.talloires.local |
|
||||
| portainer | portainer.talloires.local |
|
||||
| dockge | dockge.talloires.local |
|
||||
| transmission | transmission.talloires.local |
|
||||
| netdata | netdata.talloires.local |
|
||||
| homeassistant | homeassistant.talloires.local |
|
||||
| uptime | uptime.talloires.local |
|
||||
| cockpit | cockpit.talloires.local |
|
||||
| vikunja | vikunja.talloires.local |
|
||||
| hoarder | hoarder.talloires.local |
|
||||
| linkwarden | linkwarden.talloires.local |
|
||||
| languagetool | languagetool.talloires.local |
|
||||
| jellyfin | jellyfin.talloires.local |
|
||||
|
||||
## Services avec OAuth/OIDC
|
||||
|
||||
Ces services utilisent Authelia comme provider OpenID Connect :
|
||||
|
||||
### Gitea
|
||||
| Paramètre | Valeur |
|
||||
|-----------|--------|
|
||||
| Client ID | gitea |
|
||||
| Redirect URI | https://git.talloires.local/user/oauth2/Authelia/callback |
|
||||
| Scopes | openid, email, profile |
|
||||
|
||||
### Outline
|
||||
| Paramètre | Valeur |
|
||||
|-----------|--------|
|
||||
| Client ID | outline |
|
||||
| Redirect URI | https://outline.talloires.local/auth/oidc.callback |
|
||||
| Scopes | openid, offline_access, profile, email |
|
||||
|
||||
### Grafana (Header Auth)
|
||||
Grafana utilise l'authentification par header via Authelia (pas OIDC) :
|
||||
|
||||
| Header | Valeur |
|
||||
|--------|--------|
|
||||
| Remote-User | Utilisateur authentifié |
|
||||
| Remote-Email | Email de l'utilisateur |
|
||||
|
||||
## Configuration
|
||||
|
||||
### Fichiers
|
||||
| Fichier | Usage |
|
||||
|---------|-------|
|
||||
| ~/docker/authelia/config/configuration.yml | Config principale |
|
||||
| ~/docker/authelia/config/users_database.yml | Base utilisateurs |
|
||||
| ~/docker/authelia/config/oidc.key | Clé privée OIDC |
|
||||
|
||||
### SMTP (Proton Mail)
|
||||
| Paramètre | Valeur |
|
||||
|-----------|--------|
|
||||
| Serveur | smtp.protonmail.ch:465 |
|
||||
| Protocol | TLS implicite (submissions://) |
|
||||
| From | Talloires <dflected@dflected.org> |
|
||||
|
||||
### Buffers HTTP
|
||||
|
||||
Pour éviter l'erreur 431 (Request Header Fields Too Large), la config inclut :
|
||||
|
||||
```yaml
|
||||
server:
|
||||
buffers:
|
||||
read: 8192
|
||||
write: 8192
|
||||
```
|
||||
|
||||
## Intégration Caddy
|
||||
|
||||
### Snippet forward_auth
|
||||
```
|
||||
(authelia) {
|
||||
forward_auth authelia:9091 {
|
||||
uri /api/authz/forward-auth
|
||||
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### Usage dans Caddyfile
|
||||
```
|
||||
monservice.talloires.local {
|
||||
import authelia
|
||||
reverse_proxy backend:port
|
||||
tls internal
|
||||
}
|
||||
```
|
||||
|
||||
### Bypass Authelia (accès ZeroTier)
|
||||
```
|
||||
monservice.talloires.1871.zt {
|
||||
# Pas de forward_auth = pas d'Authelia
|
||||
reverse_proxy backend:port
|
||||
tls internal
|
||||
}
|
||||
```
|
||||
|
||||
## Ajouter un client OIDC
|
||||
|
||||
1. Générer le hash du secret :
|
||||
```bash
|
||||
docker exec authelia authelia crypto hash generate pbkdf2 --password "mon-secret"
|
||||
```
|
||||
|
||||
2. Ajouter dans configuration.yml (section identity_providers.oidc.clients) :
|
||||
```yaml
|
||||
- client_id: nouveau_client
|
||||
client_name: Mon Service
|
||||
client_secret: "$pbkdf2-sha512$..."
|
||||
public: false
|
||||
authorization_policy: two_factor
|
||||
redirect_uris:
|
||||
- https://service.talloires.local/callback
|
||||
scopes:
|
||||
- openid
|
||||
- email
|
||||
- profile
|
||||
token_endpoint_auth_method: client_secret_post
|
||||
```
|
||||
|
||||
3. Redémarrer Authelia :
|
||||
```bash
|
||||
docker restart authelia
|
||||
```
|
||||
|
||||
## Commandes utiles
|
||||
|
||||
```bash
|
||||
# Logs
|
||||
docker logs authelia -f
|
||||
|
||||
# Générer un hash de mot de passe utilisateur
|
||||
docker exec authelia authelia crypto hash generate argon2 --password "motdepasse"
|
||||
|
||||
# Générer un hash pour OIDC client secret
|
||||
docker exec authelia authelia crypto hash generate pbkdf2 --password "secret"
|
||||
|
||||
# Valider la configuration
|
||||
docker exec authelia authelia validate-config
|
||||
```
|
||||
|
||||
## Dépannage
|
||||
|
||||
### Erreur 431 (Header Fields Too Large)
|
||||
Augmenter les buffers dans configuration.yml :
|
||||
```yaml
|
||||
server:
|
||||
buffers:
|
||||
read: 8192
|
||||
write: 8192
|
||||
```
|
||||
|
||||
### OIDC "invalid_client"
|
||||
Vérifier que le client_secret est hashé avec pbkdf2 (pas argon2).
|
||||
|
||||
### Cookies non persistants
|
||||
Vérifier que le domain est correct dans session :
|
||||
```yaml
|
||||
session:
|
||||
cookies:
|
||||
- domain: talloires.local
|
||||
authelia_url: https://auth.talloires.local
|
||||
```
|
||||
Reference in New Issue
Block a user