# Authelia - SSO

Authelia provides single sign-on (SSO) for all Talloires services.

## Access

| Parameter | Value |
|-----------|-------|
| URL | [auth.talloires.local](https://auth.talloires.local) |
| User | lionel |
| Email | dflected@dflected.org |
| 2FA | TOTP enabled |

## Service protection matrix

| Service | Authelia | Reason |
|---------|----------|--------|
| **docs** | ✅ | Internal documentation |
| **portainer** | ✅ | Docker admin |
| **dockge** | ✅ | Docker Compose admin |
| **transmission** | ✅ | Torrent client |
| **netdata** | ✅ | System monitoring |
| **grafana** | ✅ | Dashboards / logs |
| **uptime** | ✅ | Availability monitoring |
| **cockpit** | ✅ | System admin |
| **languagetool** | ✅ | Grammar API |
| **auth** | ❌ | This is Authelia itself |
| **git** | ❌ | Own OIDC auth |
| **jellyfin** | ❌ | Own auth |
| **homeassistant** | ❌ | Own auth |
| **linkwarden** | ❌ | Own auth |
| **vikunja** | ❌ | Own auth |
| **outline** | ❌ | Own OIDC auth |

> **Note**: this protection applies to both the `.local` AND the `.tailfd281f.ts.net` domains.

## Services using OAuth/OIDC

These services use Authelia as their OpenID Connect provider:

### Gitea

| Parameter | Value |
|-----------|-------|
| Client ID | gitea |
| Redirect URI | https://git.talloires.local/user/oauth2/Authelia/callback |
| Scopes | openid, email, profile |

### Outline

| Parameter | Value |
|-----------|-------|
| Client ID | outline |
| Redirect URI | https://outline.talloires.local/auth/oidc.callback |
| Scopes | openid, offline_access, profile, email |

### Grafana (header auth)

Grafana uses header-based authentication through Authelia (not OIDC):

| Header | Value |
|--------|-------|
| Remote-User | Authenticated user |
| Remote-Email | User's email address |

## Configuration

### Files

| File | Purpose |
|------|---------|
| ~/docker/authelia/config/configuration.yml | Main configuration |
| ~/docker/authelia/config/users_database.yml | User database |
| ~/docker/authelia/config/oidc.key | OIDC private key |

### SMTP (Proton Mail)

| Parameter | Value |
|-----------|-------|
| Server | smtp.protonmail.ch:465 |
| Protocol | Implicit TLS |
| From | Talloires |

## Caddy integration

### forward_auth snippet

```
(authelia) {
    forward_auth authelia:9091 {
        uri /api/authz/forward-auth
        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
    }
}
```

### Usage in the Caddyfile

```
monservice.talloires.local, monservice.talloires.tailfd281f.ts.net {
    import authelia
    reverse_proxy backend:port
    tls internal
}
```

## Adding an OIDC client

1. Generate the hash of the client secret:

```bash
docker exec authelia authelia crypto hash generate pbkdf2 --password "mon-secret"
```

2. Add the client to configuration.yml:

```yaml
- client_id: nouveau_client
  client_name: Mon Service
  client_secret: "$pbkdf2-sha512$..."
  public: false
  authorization_policy: two_factor
  redirect_uris:
    - https://service.talloires.local/callback
  scopes:
    - openid
    - email
    - profile
```

3. Restart Authelia:

```bash
docker restart authelia
```

## Useful commands

```bash
# Follow the logs
docker logs authelia -f

# Hash a user password (users_database.yml)
docker exec authelia authelia crypto hash generate argon2 --password "motdepasse"

# Hash an OIDC client secret (configuration.yml)
docker exec authelia authelia crypto hash generate pbkdf2 --password "secret"

# Validate the configuration
docker exec authelia authelia validate-config
```
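The protection matrix and the Caddy `import authelia` snippet above are easy to let drift apart when a site block is added or renamed. As an added example (not part of these docs or of the Authelia project), the following script parses a Caddyfile, records which hostnames import the snippet, and reports every service that contradicts the matrix on either the `.local` or the `.tailfd281f.ts.net` name; the embedded Caddyfile is a constructed sample, and the backend names and ports in it are assumptions.

```python
# Constructed example, not the Talloires docs' or Authelia's own code: parse a
# Caddyfile and check it against the matrix (✅ rows import authelia, ❌ do not).
PROTECTED = set("docs portainer dockge transmission netdata grafana uptime cockpit languagetool".split())
SELF_AUTH = set("auth git jellyfin homeassistant linkwarden vikunja outline".split())
DOMAINS = ("talloires.local", "talloires.tailfd281f.ts.net")

# Constructed Caddyfile: docs is right, netdata lacks the import, git is wrongly protected, grafana is absent.
SAMPLE_CADDYFILE = """
(authelia) {
    forward_auth authelia:9091 {
        uri /api/authz/forward-auth
    }
}
docs.talloires.local, docs.talloires.tailfd281f.ts.net {
    import authelia
    reverse_proxy docs:3000
}
netdata.talloires.local, netdata.talloires.tailfd281f.ts.net {
    reverse_proxy netdata:19999
}
git.talloires.local, git.talloires.tailfd281f.ts.net {
    import authelia
    reverse_proxy gitea:3000
}
"""

def parse_sites(caddyfile):
    """Map each hostname of a top-level site block to whether that block imports the authelia snippet."""
    sites, hosts, depth = {}, [], 0
    for raw in caddyfile.splitlines():
        line = raw.strip()
        if depth == 0 and line.endswith("{"):  # new top-level block; snippet definitions like (authelia) get no hosts
            hosts = [] if line.startswith("(") else [h.strip() for h in line[:-1].split(",")]
            sites.update(dict.fromkeys(hosts, False))
        elif depth >= 1 and line.split() == ["import", "authelia"]:
            sites.update(dict.fromkeys(hosts, True))  # the import covers every name of the block
        depth += line.count("{") - line.count("}")
    return sites

def audit(sites, protected=PROTECTED, self_auth=SELF_AUTH):
    """Return one finding per hostname that contradicts the matrix, checked on both domains."""
    findings = []
    for svc in sorted(protected | self_auth):
        for host in (f"{svc}.{dom}" for dom in DOMAINS):
            behind = sites.get(host)  # None: no site block at all
            if svc in protected and not behind:
                findings.append(f"{host}: " + ("no site block" if behind is None else "missing 'import authelia'"))
            elif svc in self_auth and behind:
                findings.append(f"{host}: behind Authelia but has its own auth")
    return findings
```

Run `audit(parse_sites(open("Caddyfile").read()))` against the real file; an empty list means the Caddyfile matches the matrix on both domains.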