lionel/202512docs
Archived
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
This repository has been archived on 2025-12-31. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
c15da603a6bfc105c3fc4fd3c1b0d99f5a54724c
202512docs/docs/services/authelia.md

142 lines
3.5 KiB
Markdown
Raw Blame History

# Authelia - SSO
Authelia fournit l authentification unique (SSO) pour tous les services Talloires.
## Acces
| Parametre | Valeur |
|-----------|--------|
| URL | [auth.talloires.local](https://auth.talloires.local) |
| Utilisateur | lionel |
| Email | dflected@dflected.org |
| 2FA | TOTP active |
## Matrice de protection des services
| Service | Authelia | Raison |
|---------|----------|--------|
| **docs** | ✅ | Documentation interne |
| **portainer** | ✅ | Admin Docker |
| **dockge** | ✅ | Admin Docker Compose |
| **transmission** | ✅ | Client torrent |
| **netdata** | ✅ | Monitoring systeme |
| **grafana** | ✅ | Dashboards / Logs |
| **uptime** | ✅ | Monitoring disponibilite |
| **cockpit** | ✅ | Admin systeme |
| **languagetool** | ✅ | API grammaire |
| **auth** | ❌ | C est Authelia lui-meme |
| **git** | ❌ | Auth OIDC propre |
| **jellyfin** | ❌ | Auth propre |
| **homeassistant** | ❌ | Auth propre |
| **linkwarden** | ❌ | Auth propre |
| **vikunja** | ❌ | Auth propre |
| **outline** | ❌ | Auth OIDC propre |
> **Note** : Cette protection s applique aux domaines `.local` ET `.1871.zt`
## Services avec OAuth/OIDC
Ces services utilisent Authelia comme provider OpenID Connect :
### Gitea
| Parametre | Valeur |
|-----------|--------|
| Client ID | gitea |
| Redirect URI | https://git.talloires.local/user/oauth2/Authelia/callback |
| Scopes | openid, email, profile |
### Outline
| Parametre | Valeur |
|-----------|--------|
| Client ID | outline |
| Redirect URI | https://outline.talloires.local/auth/oidc.callback |
| Scopes | openid, offline_access, profile, email |
### Grafana (Header Auth)
Grafana utilise l authentification par header via Authelia (pas OIDC) :
| Header | Valeur |
|--------|--------|
| Remote-User | Utilisateur authentifie |
| Remote-Email | Email de l utilisateur |
## Configuration
### Fichiers
| Fichier | Usage |
|---------|-------|
| ~/docker/authelia/config/configuration.yml | Config principale |
| ~/docker/authelia/config/users_database.yml | Base utilisateurs |
| ~/docker/authelia/config/oidc.key | Cle privee OIDC |
### SMTP (Proton Mail)
| Parametre | Valeur |
|-----------|--------|
| Serveur | smtp.protonmail.ch:465 |
| Protocol | TLS implicite |
| From | Talloires <dflected@dflected.org> |
## Integration Caddy
### Snippet forward_auth
```
(authelia) {
forward_auth authelia:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
}
```
### Usage dans Caddyfile
```
monservice.talloires.local, monservice.talloires.1871.zt {
import authelia
reverse_proxy backend:port
tls internal
}
```
## Ajouter un client OIDC
1. Generer le hash du secret :
```bash
docker exec authelia authelia crypto hash generate pbkdf2 --password "mon-secret"
```
2. Ajouter dans configuration.yml :
```yaml
- client_id: nouveau_client
client_name: Mon Service
client_secret: "$pbkdf2-sha512$..."
public: false
authorization_policy: two_factor
redirect_uris:
- https://service.talloires.local/callback
scopes:
- openid
- email
- profile
```
3. Redemarrer Authelia :
```bash
docker restart authelia
```
## Commandes utiles
```bash
# Logs
docker logs authelia -f
# Hash mot de passe utilisateur
docker exec authelia authelia crypto hash generate argon2 --password "motdepasse"
# Hash OIDC client secret
docker exec authelia authelia crypto hash generate pbkdf2 --password "secret"
# Valider la configuration
docker exec authelia authelia validate-config
```
Reference in New Issue View Git Blame Copy Permalink