lionel/202512docs
Archived
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
This repository has been archived on 2025-12-31. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
41bd0988537d51f02722f274278132149534dbd8
202512docs/docs/services/authelia.md

183 lines
4.2 KiB
Markdown
Raw Blame History

# Authelia - SSO
Authelia fournit l'authentification unique (SSO) pour tous les services Talloires.
## Accès
| Paramètre | Valeur |
|-----------|--------|
| URL | [auth.talloires.local](https://auth.talloires.local) |
| Utilisateur | lionel |
| Email | dflected@dflected.org |
| 2FA | TOTP activé |
## Services protégés (forward_auth)
Ces services requièrent une authentification via Authelia avant d'accéder au backend :
| Service | URL |
|---------|-----|
| docs | docs.talloires.local |
| portainer | portainer.talloires.local |
| dockge | dockge.talloires.local |
| transmission | transmission.talloires.local |
| netdata | netdata.talloires.local |
| homeassistant | homeassistant.talloires.local |
| uptime | uptime.talloires.local |
| cockpit | cockpit.talloires.local |
| vikunja | vikunja.talloires.local |
| hoarder | hoarder.talloires.local |
| linkwarden | linkwarden.talloires.local |
| languagetool | languagetool.talloires.local |
| jellyfin | jellyfin.talloires.local |
## Services avec OAuth/OIDC
Ces services utilisent Authelia comme provider OpenID Connect :
### Gitea
| Paramètre | Valeur |
|-----------|--------|
| Client ID | gitea |
| Redirect URI | https://git.talloires.local/user/oauth2/Authelia/callback |
| Scopes | openid, email, profile |
### Outline
| Paramètre | Valeur |
|-----------|--------|
| Client ID | outline |
| Redirect URI | https://outline.talloires.local/auth/oidc.callback |
| Scopes | openid, offline_access, profile, email |
### Grafana (Header Auth)
Grafana utilise l'authentification par header via Authelia (pas OIDC) :
| Header | Valeur |
|--------|--------|
| Remote-User | Utilisateur authentifié |
| Remote-Email | Email de l'utilisateur |
## Configuration
### Fichiers
| Fichier | Usage |
|---------|-------|
| ~/docker/authelia/config/configuration.yml | Config principale |
| ~/docker/authelia/config/users_database.yml | Base utilisateurs |
| ~/docker/authelia/config/oidc.key | Clé privée OIDC |
### SMTP (Proton Mail)
| Paramètre | Valeur |
|-----------|--------|
| Serveur | smtp.protonmail.ch:465 |
| Protocol | TLS implicite (submissions://) |
| From | Talloires <dflected@dflected.org> |
### Buffers HTTP
Pour éviter l'erreur 431 (Request Header Fields Too Large), la config inclut :
```yaml
server:
buffers:
read: 8192
write: 8192
```
## Intégration Caddy
### Snippet forward_auth
```
(authelia) {
forward_auth authelia:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
}
```
### Usage dans Caddyfile
```
monservice.talloires.local {
import authelia
reverse_proxy backend:port
tls internal
}
```
### Bypass Authelia (accès ZeroTier)
```
monservice.talloires.1871.zt {
# Pas de forward_auth = pas d'Authelia
reverse_proxy backend:port
tls internal
}
```
## Ajouter un client OIDC
1. Générer le hash du secret :
```bash
docker exec authelia authelia crypto hash generate pbkdf2 --password "mon-secret"
```
2. Ajouter dans configuration.yml (section identity_providers.oidc.clients) :
```yaml
- client_id: nouveau_client
client_name: Mon Service
client_secret: "$pbkdf2-sha512$..."
public: false
authorization_policy: two_factor
redirect_uris:
- https://service.talloires.local/callback
scopes:
- openid
- email
- profile
token_endpoint_auth_method: client_secret_post
```
3. Redémarrer Authelia :
```bash
docker restart authelia
```
## Commandes utiles
```bash
# Logs
docker logs authelia -f
# Générer un hash de mot de passe utilisateur
docker exec authelia authelia crypto hash generate argon2 --password "motdepasse"
# Générer un hash pour OIDC client secret
docker exec authelia authelia crypto hash generate pbkdf2 --password "secret"
# Valider la configuration
docker exec authelia authelia validate-config
```
## Dépannage
### Erreur 431 (Header Fields Too Large)
Augmenter les buffers dans configuration.yml :
```yaml
server:
buffers:
read: 8192
write: 8192
```
### OIDC "invalid_client"
Vérifier que le client_secret est hashé avec pbkdf2 (pas argon2).
### Cookies non persistants
Vérifier que le domain est correct dans session :
```yaml
session:
cookies:
- domain: talloires.local
authelia_url: https://auth.talloires.local
```
Reference in New Issue View Git Blame Copy Permalink