Initial commit - Migration documentation 2026

2025-12-31 18:44:24 +01:00
commit f00047c7d1
23 changed files with 2372 additions and 0 deletions
--- a/docs/vault/services-v1/authelia.md
+++ b/docs/vault/services-v1/authelia.md
@@ -0,0 +1,141 @@
+# Authelia - SSO
+
+Authelia fournit l authentification unique (SSO) pour tous les services Talloires.
+
+## Acces
+
+| Parametre | Valeur |
+|-----------|--------|
+| URL | [auth.talloires.local](https://auth.talloires.local) |
+| Utilisateur | lionel |
+| Email | dflected@dflected.org |
+| 2FA | TOTP active |
+
+## Matrice de protection des services
+
+| Service | Authelia | Raison |
+|---------|----------|--------|
+| **docs** | ✅ | Documentation interne |
+| **portainer** | ✅ | Admin Docker |
+| **dockge** | ✅ | Admin Docker Compose |
+| **transmission** | ✅ | Client torrent |
+| **netdata** | ✅ | Monitoring systeme |
+| **grafana** | ✅ | Dashboards / Logs |
+| **uptime** | ✅ | Monitoring disponibilite |
+| **cockpit** | ✅ | Admin systeme |
+| **languagetool** | ✅ | API grammaire |
+| **auth** | ❌ | C est Authelia lui-meme |
+| **git** | ❌ | Auth OIDC propre |
+| **jellyfin** | ❌ | Auth propre |
+| **homeassistant** | ❌ | Auth propre |
+| **linkwarden** | ❌ | Auth propre |
+| **vikunja** | ❌ | Auth propre |
+| **outline** | ❌ | Auth OIDC propre |
+
+> **Note** : Cette protection s applique aux domaines `.local` ET `.tailfd281f.ts.net`
+
+## Services avec OAuth/OIDC
+
+Ces services utilisent Authelia comme provider OpenID Connect :
+
+### Gitea
+| Parametre | Valeur |
+|-----------|--------|
+| Client ID | gitea |
+| Redirect URI | https://git.talloires.local/user/oauth2/Authelia/callback |
+| Scopes | openid, email, profile |
+
+### Outline
+| Parametre | Valeur |
+|-----------|--------|
+| Client ID | outline |
+| Redirect URI | https://outline.talloires.local/auth/oidc.callback |
+| Scopes | openid, offline_access, profile, email |
+
+### Grafana (Header Auth)
+Grafana utilise l authentification par header via Authelia (pas OIDC) :
+
+| Header | Valeur |
+|--------|--------|
+| Remote-User | Utilisateur authentifie |
+| Remote-Email | Email de l utilisateur |
+
+## Configuration
+
+### Fichiers
+| Fichier | Usage |
+|---------|-------|
+| ~/docker/authelia/config/configuration.yml | Config principale |
+| ~/docker/authelia/config/users_database.yml | Base utilisateurs |
+| ~/docker/authelia/config/oidc.key | Cle privee OIDC |
+
+### SMTP (Proton Mail)
+| Parametre | Valeur |
+|-----------|--------|
+| Serveur | smtp.protonmail.ch:465 |
+| Protocol | TLS implicite |
+| From | Talloires <dflected@dflected.org> |
+
+## Integration Caddy
+
+### Snippet forward_auth
+```
+(authelia) {
+    forward_auth authelia:9091 {
+        uri /api/authz/forward-auth
+        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+    }
+}
+```
+
+### Usage dans Caddyfile
+```
+monservice.talloires.local, monservice.talloires.tailfd281f.ts.net {
+    import authelia
+    reverse_proxy backend:port
+    tls internal
+}
+```
+
+## Ajouter un client OIDC
+
+1. Generer le hash du secret :
+```bash
+docker exec authelia authelia crypto hash generate pbkdf2 --password "mon-secret"
+```
+
+2. Ajouter dans configuration.yml :
+```yaml
+- client_id: nouveau_client
+  client_name: Mon Service
+  client_secret: "$pbkdf2-sha512$..."
+  public: false
+  authorization_policy: two_factor
+  redirect_uris:
+    - https://service.talloires.local/callback
+  scopes:
+    - openid
+    - email
+    - profile
+```
+
+3. Redemarrer Authelia :
+```bash
+docker restart authelia
+```
+
+## Commandes utiles
+
+```bash
+# Logs
+docker logs authelia -f
+
+# Hash mot de passe utilisateur
+docker exec authelia authelia crypto hash generate argon2 --password "motdepasse"
+
+# Hash OIDC client secret
+docker exec authelia authelia crypto hash generate pbkdf2 --password "secret"
+
+# Valider la configuration
+docker exec authelia authelia validate-config
+```