3.5 KiB
3.5 KiB
Authelia - SSO
Authelia fournit l authentification unique (SSO) pour tous les services Talloires.
Acces
| Parametre | Valeur |
|---|---|
| URL | auth.talloires.local |
| Utilisateur | lionel |
| dflected@dflected.org | |
| 2FA | TOTP active |
Matrice de protection des services
| Service | Authelia | Raison |
|---|---|---|
| docs | ✅ | Documentation interne |
| portainer | ✅ | Admin Docker |
| dockge | ✅ | Admin Docker Compose |
| transmission | ✅ | Client torrent |
| netdata | ✅ | Monitoring systeme |
| grafana | ✅ | Dashboards / Logs |
| uptime | ✅ | Monitoring disponibilite |
| cockpit | ✅ | Admin systeme |
| languagetool | ✅ | API grammaire |
| auth | ❌ | C est Authelia lui-meme |
| git | ❌ | Auth OIDC propre |
| jellyfin | ❌ | Auth propre |
| homeassistant | ❌ | Auth propre |
| linkwarden | ❌ | Auth propre |
| vikunja | ❌ | Auth propre |
| outline | ❌ | Auth OIDC propre |
Note
: Cette protection s applique aux domaines
.localET.tailfd281f.ts.net
Services avec OAuth/OIDC
Ces services utilisent Authelia comme provider OpenID Connect :
Gitea
| Parametre | Valeur |
|---|---|
| Client ID | gitea |
| Redirect URI | https://git.talloires.local/user/oauth2/Authelia/callback |
| Scopes | openid, email, profile |
Outline
| Parametre | Valeur |
|---|---|
| Client ID | outline |
| Redirect URI | https://outline.talloires.local/auth/oidc.callback |
| Scopes | openid, offline_access, profile, email |
Grafana (Header Auth)
Grafana utilise l authentification par header via Authelia (pas OIDC) :
| Header | Valeur |
|---|---|
| Remote-User | Utilisateur authentifie |
| Remote-Email | Email de l utilisateur |
Configuration
Fichiers
| Fichier | Usage |
|---|---|
| ~/docker/authelia/config/configuration.yml | Config principale |
| ~/docker/authelia/config/users_database.yml | Base utilisateurs |
| ~/docker/authelia/config/oidc.key | Cle privee OIDC |
SMTP (Proton Mail)
| Parametre | Valeur |
|---|---|
| Serveur | smtp.protonmail.ch:465 |
| Protocol | TLS implicite |
| From | Talloires dflected@dflected.org |
Integration Caddy
Snippet forward_auth
(authelia) {
forward_auth authelia:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
}
Usage dans Caddyfile
monservice.talloires.local, monservice.talloires.tailfd281f.ts.net {
import authelia
reverse_proxy backend:port
tls internal
}
Ajouter un client OIDC
- Generer le hash du secret :
docker exec authelia authelia crypto hash generate pbkdf2 --password "mon-secret"
- Ajouter dans configuration.yml :
- client_id: nouveau_client
client_name: Mon Service
client_secret: "$pbkdf2-sha512$..."
public: false
authorization_policy: two_factor
redirect_uris:
- https://service.talloires.local/callback
scopes:
- openid
- email
- profile
- Redemarrer Authelia :
docker restart authelia
Commandes utiles
# Logs
docker logs authelia -f
# Hash mot de passe utilisateur
docker exec authelia authelia crypto hash generate argon2 --password "motdepasse"
# Hash OIDC client secret
docker exec authelia authelia crypto hash generate pbkdf2 --password "secret"
# Valider la configuration
docker exec authelia authelia validate-config