From 66a793b0813d0bb5900fa4c17e5db13b23855c15 Mon Sep 17 00:00:00 2001 From: spinach Date: Sat, 1 Mar 2025 15:34:02 -0500 Subject: [PATCH] added barebones auth frontend --- authelia/config/configuration.yml | 74 ++++++++++++++++++++++++++++++ authelia/config/users_database.yml | 19 ++++++++ authelia/docker-compose.yml | 26 +++++++++++ caddy/Caddyfile | 8 ++++ caddy/docker-compose.yml | 5 ++ 5 files changed, 132 insertions(+) create mode 100644 authelia/config/configuration.yml create mode 100644 authelia/config/users_database.yml create mode 100644 authelia/docker-compose.yml diff --git a/authelia/config/configuration.yml b/authelia/config/configuration.yml new file mode 100644 index 0000000..972d7d5 --- /dev/null +++ b/authelia/config/configuration.yml 
@@ -0,0 +1,74 @@
+---
+###############################################################
+# Authelia configuration #
+###############################################################
+
+server:
+ address: 'tcp://:9091'
+
+log:
+ level: 'debug'
+
+totp:
+ issuer: 'authelia.com'
+
+identity_validation:
+ reset_password:
+ jwt_secret: 'a_very_important_secret'
+
+# duo_api:
+# hostname: api-123456789.example.com
+# integration_key: ABCDEF
+# # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
+# secret_key: 1234567890abcdefghifjkl
+
+authentication_backend:
+ file:
+ path: '/config/users_database.yml'
+
+access_control:
+ default_policy: 'deny'
+ rules:
+ # Rules applied to everyone
+ - domain: 'public.example.com'
+ policy: 'bypass'
+ - domain: 'traefik.example.com'
+ policy: 'one_factor'
+ - domain: 'secure.example.com'
+ policy: 'two_factor'
+
+session:
+ # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
+ secret: 'insecure_session_secret'
+
+ cookies:
+ - name: 'authelia_session'
+ domain: 'example.com' # Should match whatever your root protected domain is
+ authelia_url: 'https://authelia.example.com'
+ expiration: '1 hour'
+ inactivity: '5 minutes'
+
+ redis:
+ host: 'redis'
+ port: 6379
+ # This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
+ # password: authelia
+
+regulation:
+ max_retries: 3
+ find_time: '2 minutes'
+ ban_time: '5 minutes'
+
+storage:
+ encryption_key: 'you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this'
+ local:
+ path: '/config/db.sqlite3'
+
+notifier:
+ smtp:
+ username: 'test'
+ # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
+ password: 'password'
+ address: 'smtp://mail.example.com:25'
+ sender: 'admin@example.com'
+...
diff --git a/authelia/config/users_database.yml b/authelia/config/users_database.yml
new file mode 100644
index 0000000..91699ed
--- /dev/null
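Review bot: Every secret in this file is the upstream example placeholder committed verbatim — `jwt_secret: 'a_very_important_secret'`, `secret: 'insecure_session_secret'`, the `encryption_key` whose value literally says to generate one, and the SMTP `password: 'password'` — while the file's own comments already name the `AUTHELIA_*_FILE` variables meant to carry them. Generate random values per deployment and supply them through those file-based variables or an untracked override so nothing secret lands in the repository; `storage.encryption_key` in particular is painful to change later because the storage has to be re-encrypted. The host names are also still the example ones: the cookie `domain: 'example.com'`, `authelia_url: 'https://authelia.example.com'` and the three `access_control` rules do not match the `auth.keegandeppe.com` / `seafile.keegandeppe.com` sites wired up in the Caddyfile hunk, so with `default_policy: 'deny'` every forward-auth request for seafile looks like it will be refused. The minimum change is `domain: 'keegandeppe.com'`, `authelia_url: 'https://auth.keegandeppe.com'` and a rule `- domain: 'seafile.keegandeppe.com'` with an explicit policy. `level: 'debug'` is also more verbose than a running deployment needs.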
+++ b/authelia/config/users_database.yml
@@ -0,0 +1,19 @@
+---
+###############################################################
+# Users Database #
+###############################################################
+
+# This file can be used if you do not have an LDAP set up.
+
+# List of users
+users:
+ authelia:
+ disabled: false
+ displayname: 'Authelia User'
+ # Password is authelia
+ password: '$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/' # yamllint disable-line rule:line-length
+ email: 'authelia@authelia.com'
+ groups:
+ - 'admins'
+ - 'dev'
+...
diff --git a/authelia/docker-compose.yml b/authelia/docker-compose.yml
new file mode 100644
index 0000000..071da72
--- /dev/null
+++ b/authelia/docker-compose.yml
@@ -0,0 +1,26 @@
+services:
+ authelia:
+ image: 'authelia/authelia:4.38'
+ container_name: 'authelia'
+ volumes:
+ - './volumes/authelia:/config'
+ networks:
+ - auth
+ restart: 'unless-stopped'
+ environment:
+ TZ: 'America/New_York'
+
+ redis:
+ image: 'redis:alpine'
+ container_name: 'redis'
+ volumes:
+ - './volumes/redis:/data'
+ networks:
+ - auth
+ restart: 'unless-stopped'
+ environment:
+ TZ: 'America/New_York'
+
+networks:
+ auth:
+ driver: 'bridge'
diff --git a/caddy/Caddyfile b/caddy/Caddyfile
index 7ef2f96..a4664d8 100644
--- a/caddy/Caddyfile
+++ b/caddy/Caddyfile
@@ -3,7 +3,15 @@ keegandeppe.com { file_server }
+auth.keegandeppe.com {
+ reverse_proxy authelia:9091
+}
+ seafile.keegandeppe.com {
+ forward_auth authelia:9091 {
+ uri /api/authz/forward-auth
+ copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+ } reverse_proxy seafile }
diff --git a/caddy/docker-compose.yml b/caddy/docker-compose.yml
index 7e905d6..98ec401 100644
--- a/caddy/docker-compose.yml
+++ b/caddy/docker-compose.yml
@@ -9,6 +9,7 @@ services: - "443:443" networks: - caddy
+ - auth volumes: - ./Caddyfile:/etc/caddy/Caddyfile - ./website/public:/srv/keegan
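Review bot: The only account in the file is the upstream example user, with its password spelled out in the comment `# Password is authelia` directly above the hash and membership in `admins` and `dev`, so any group-based rule added later would be satisfiable with a publicly known credential. Replace it with a real account before this is deployed and generate the hash locally (Authelia's `authelia crypto hash generate` produces argon2id, which it recommends over the `$6$` sha512-crypt used here), and keep the example entry out of the committed file. It is also worth deciding whether the live `/config/users_database.yml` should be a tracked file at all, since the user records themselves are sensitive.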
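Review bot: The `authelia` service mounts `./volumes/authelia:/config`, but the configuration and user database this commit adds live in `authelia/config/`, so unless they are copied into `volumes/authelia` out of band the container will not find `/config/configuration.yml` or `/config/users_database.yml`. Either mount the tracked config read-only next to a writable data volume, e.g. `- './config/configuration.yml:/config/configuration.yml:ro'`, or document the copy step. The `redis` service has no password set (the config's `session.redis.password` is still commented out) and `redis:alpine` is a floating tag while authelia is pinned to `4.38`; as far as the two compose files show, every container joining `auth` — including caddy — can reach redis unauthenticated, so pin the tag and set `requirepass` from a file-based secret that matches the Authelia side. A `depends_on` from `authelia` to `redis` would also avoid start-up ordering failures.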
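Review bot: The `forward_auth` block hands `Remote-User`, `Remote-Groups`, `Remote-Email` and `Remote-Name` to seafile, which only provides authentication if seafile is configured to accept header-based identity from this proxy and nothing else can reach it with those headers set; a comment naming that dependency keeps the next reader from assuming enforcement happens on the seafile side, e.g. `# seafile must trust Remote-* headers only from this Caddy instance`. The `auth.keegandeppe.com` site block is intentionally unprotected because it is the portal itself, which is also worth a one-line comment. Both new site blocks are complete within the hunk; the `keegandeppe.com` block it follows starts above it.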
@@ -20,3 +21,7 @@ networks: caddy: external: false driver: bridge
+ auth:
+ external: true
+ driver: bridge
+ name: authelia_auth
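Review bot: `driver: bridge` under `auth` does nothing once `external: true` is set — Compose attaches to the existing `authelia_auth` network as-is and ignores, or in some versions warns about, other attributes on an external network — so drop that line and keep `external: true` with `name: authelia_auth`. Because the network is created by `authelia/docker-compose.yml`, this project now fails to start until that one is up; a comment such as `# created by authelia/docker-compose.yml; start that project first` would make the ordering explicit. Joining it also places caddy on the same segment as the redis service that the authelia compose file leaves without a password; the `- auth` entry on the caddy service in the first hunk of this file is what grants that reach.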