From 0bdd9c40b2ab221faae96b3eb8b2f06c490fe951 Mon Sep 17 00:00:00 2001 From: Alpha Chen Date: Wed, 13 Sep 2023 20:17:38 -0700 Subject: [PATCH] authelia --- lotus-land-story/authelia.yml | 48 ++++++++++++++ lotus-land-story/caddy.yml | 9 +++ lotus-land-story/grafana.yml | 16 +++++ lotus-land-story/hledger.yml | 32 +++++++++ lotus-land-story/templates/Caddyfile | 37 ++++++++++- .../templates/authelia_configuration.yml | 66 +++++++++++++++++++ .../templates/authelia_users_database.yml | 8 +++ lotus-land-story/templates/prometheus.yml | 4 ++ 8 files changed, 219 insertions(+), 1 deletion(-) create mode 100644 lotus-land-story/authelia.yml create mode 100644 lotus-land-story/hledger.yml create mode 100644 lotus-land-story/templates/authelia_configuration.yml create mode 100644 lotus-land-story/templates/authelia_users_database.yml diff --git a/lotus-land-story/authelia.yml b/lotus-land-story/authelia.yml new file mode 100644 index 0000000..3c8ce2a --- /dev/null +++ b/lotus-land-story/authelia.yml 
@@ -0,0 +1,48 @@ +- name: Set up Authelia + hosts: lotus-land-story + vars_files: + - vars.yml + tasks: + + - name: Create directories for volume mounting + ansible.builtin.file: + path: /mnt/lotus-land-story/authelia/{{ item }} + state: directory + mode: "0700" + loop: + - config + - secrets + + - name: Copy configuration + ansible.builtin.template: + src: templates/authelia_{{ item }}.yml + dest: /mnt/lotus-land-story/authelia/config/{{ item }}.yml + mode: "0644" + loop: + - configuration + - users_database + + - name: Get docker network + community.docker.docker_network: + name: lotus_land_story + register: docker_network + + - name: Run Authelia + community.docker.docker_container: + restart: true + name: authelia + image: docker.io/authelia/authelia:4.37.5 + env: + AUTHENTICATION_GUARD: remote_user_guard + volumes: + - /mnt/lotus-land-story/authelia/config:/config + - /mnt/lotus-land-story/authelia/secrets:/secrets + restart_policy: unless-stopped + networks: + - name: lotus_land_story + + handlers: + - name: Import restarts + ansible.builtin.import_tasks: restarts.yml + +# vim: ft=yaml.ansible diff --git a/lotus-land-story/caddy.yml b/lotus-land-story/caddy.yml index a9c4aac..0bc2576 100644 --- a/lotus-land-story/caddy.yml +++ b/lotus-land-story/caddy.yml @@ -13,11 +13,20 @@ - caddy - caddy/data + - name: Get docker network for trusted proxies + community.docker.docker_network: + name: lotus_land_story + register: docker_network + + # TODO Reload Caddy when this changes: + # docker exec -w /etc/caddy $caddy_container_id caddy reload - name: Set up Caddyfile ansible.builtin.template: src: templates/Caddyfile dest: /mnt/lotus-land-story/caddy/Caddyfile mode: "0644" + vars: + trusted_proxies: "{{ docker_network.network.IPAM.Config[0].Subnet }}" - name: Create Caddy volume community.docker.docker_volume: diff --git a/lotus-land-story/grafana.yml b/lotus-land-story/grafana.yml index 5c5ae42..5c09f36 100644 --- a/lotus-land-story/grafana.yml 
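Review bot: The "Copy configuration" task renders `configuration.yml` — which in this commit carries the JWT secret, session secret, storage encryption key, SMTP password and the OIDC issuer private key — with `mode: "0644"`; the 0700 parent directory limits host access, but the file itself should be `mode: "0600"`, and the `/secrets` volume that the play creates and mounts is never written to by anything in this play, so the file-based secret loading it suggests is unused. `AUTHENTICATION_GUARD: remote_user_guard` looks like a Firefly III setting (as far as I know it is what makes Firefly trust the `Remote-User` header the Caddyfile copies in this same commit) rather than an Authelia option — worth verifying; if so it is a no-op on this container and belongs on the Firefly one. The image is pinned by tag only; `docker.io/authelia/authelia:4.37.5@sha256:…` would make the pull reproducible for a component that sits in front of every other service.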
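Review bot: `trusted_proxies` is set to the entire `lotus_land_story` subnet, so every container on that network — not just a proxy in front of Caddy — is allowed to supply `X-Forwarded-For`/`Proto`/`Host` values that Caddy, as I understand its trusted-proxy handling, passes through rather than overwrites, and those headers are what Authelia's verify endpoint uses to decide which access-control rule applies. If nothing sits in front of Caddy the list is not needed at all; if it is kept, note that connections arriving through docker-proxy or from the host itself may appear to originate from the network gateway, which is inside that subnet. The hunk's own TODO is a live gap: the Caddyfile is rewritten but never reloaded, so on a host already running Caddy the `forward_auth` blocks added by this commit stay inactive until the container restarts — a `notify: Reload Caddy` on this task with a handler running `caddy reload --config /etc/caddy/Caddyfile` via `community.docker.docker_container_exec` would close that (restarts.yml is outside the diff and may already cover it). `docker_network.network.IPAM.Config[0].Subnet` also takes only the first IPAM entry, so an IPv6 range on the same network would be silently omitted.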
+++ b/lotus-land-story/grafana.yml @@ -22,6 +22,22 @@ [server] domain = grafana.{{ domain }} http_addr = 0.0.0.0 + root_url = https://grafana.{{ domain }} + [auth.generic_oauth] + enabled = true + name = Authelia + icon = signin + client_id = grafana + client_secret = {{ grafana.oauth_secret }} + scopes = openid profile email groups + empty_scopes = false + auth_url = https://auth.{{ domain }}/api/oidc/authorization + token_url = https://auth.{{ domain }}/api/oidc/token + api_url = https://auth.{{ domain }}/api/oidc/userinfo + login_attribute_path = preferred_username + groups_attribute_path = groups + name_attribute_path = name + use_pkce = true mode: "0644" - name: Provision Prometheus diff --git a/lotus-land-story/hledger.yml b/lotus-land-story/hledger.yml new file mode 100644 index 0000000..9d81579 --- /dev/null +++ b/lotus-land-story/hledger.yml @@ -0,0 +1,32 @@ +- name: Set up hledger + hosts: lotus-land-story + vars_files: + - vars.yml + tasks: + + - name: Create directory for volume mounting + ansible.builtin.file: + path: /mnt/lotus-land-story/hledger + state: directory + mode: "0755" + + - name: Run hledger + community.docker.docker_container: + restart: true + name: hledger + image: dastapov/hledger:1.31 + env: + HLEDGER_JOURNAL_FILE: /data/all.journal + HLEDGER_BASE_URL: https://{{ hledger.subdomain }}.{{ domain }} + HLEDGER_ARGS: --capabilities=view,add,manage + volumes: + - /mnt/lotus-land-story/hledger:/data + restart_policy: unless-stopped + networks: + - name: lotus_land_story + + handlers: + - name: Import restarts + ansible.builtin.import_tasks: restarts.yml + +# vim: ft=yaml.ansible diff --git a/lotus-land-story/templates/Caddyfile b/lotus-land-story/templates/Caddyfile index 36cd9f1..406354b 100644 --- a/lotus-land-story/templates/Caddyfile +++ b/lotus-land-story/templates/Caddyfile 
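Review bot: The `[auth.generic_oauth]` block requests and maps `groups` via `groups_attribute_path` but sets no `role_attribute_path`, so every Authelia user who can complete the flow lands in Grafana with the default org role, and with Grafana's default `allow_sign_up` an account is created for them — the groups claim is fetched but never used for authorization. If only the `admins` group from `users_database.yml` should administer Grafana, add `role_attribute_path = contains(groups[*], 'admins') && 'Admin' || 'Viewer'` and `role_attribute_strict = true` so a user with no mapped group is rejected rather than defaulted. `client_secret = {{ grafana.oauth_secret }}` is rendered into grafana.ini under the `mode: "0644"` shown in the context line, which leaves the OAuth client secret readable by any local account on the host unless that mode is tightened.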
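Review bot: `HLEDGER_ARGS: --capabilities=view,add,manage` enables hledger-web's journal-editing endpoints, and the container's port 5000 is reachable by every other container on the shared `lotus_land_story` network, so the Authelia `forward_auth` check only covers traffic that enters through Caddy — a compromised or misbehaving sibling container could add or edit transactions directly. Putting hledger on a network shared only with Caddy, or having hledger take its capabilities from a header Caddy sets after forward_auth (`--capabilities-header=…`, if the pinned version supports it), would close that path. The journal directory is also created with `mode: "0755"`, which leaves financial data readable by any local user on the host; `mode: "0700"` matches what the Authelia play in this commit does for its own directories.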
@@ -1,3 +1,8 @@ +# https://www.authelia.com/integration/proxies/caddy/#forwarded-header-trust#trusted-proxies +(trusted_proxy_list) { + trusted_proxies {{ trusted_proxies }} +} + :2019 { metrics } @@ -27,5 +32,35 @@ woodpecker.{{ domain }} { } {{ firefly_iii.subdomain }}.{{ domain }} { - reverse_proxy firefly-iii:8080 + forward_auth authelia:9091 { + uri /api/verify?rd=https://auth.{{ domain }} + copy_headers Remote-User Remote-Groups Remote-Name Remote-Email + + ## This import needs to be included if you're relying on a trusted proxies configuration. + import trusted_proxy_list + } + + reverse_proxy firefly-iii:8080 { + import trusted_proxy_list + } +} + +auth.{{ domain }} { + reverse_proxy authelia:9091 { + import trusted_proxy_list + } +} + +{{ hledger.subdomain }}.{{ domain }} { + forward_auth authelia:9091 { + uri /api/verify?rd=https://auth.{{ domain }} + # copy_headers Remote-User Remote-Groups Remote-Name Remote-Email + + ## This import needs to be included if you're relying on a trusted proxies configuration. + import trusted_proxy_list + } + + reverse_proxy hledger:5000 { + import trusted_proxy_list + } } diff --git a/lotus-land-story/templates/authelia_configuration.yml b/lotus-land-story/templates/authelia_configuration.yml new file mode 100644 index 0000000..b4c4458 --- /dev/null +++ b/lotus-land-story/templates/authelia_configuration.yml 
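Review bot: The `forward_auth` stanza is pasted into both protected site blocks and has already drifted (the hledger copy comments out `copy_headers`), which is how one site ends up with a stale verify URI or a missing `import trusted_proxy_list` the next time the other is edited; factor it into a snippet next to `trusted_proxy_list` and `import` it per site. Copying the Remote-* headers to hledger as well is harmless as far as this hunk shows, since nothing in the hledger block consumes them, and it keeps the two routes identical.
```caddyfile
(authelia) {
    forward_auth authelia:9091 {
        uri /api/verify?rd=https://auth.{{ domain }}
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
        import trusted_proxy_list
    }
}

{{ firefly_iii.subdomain }}.{{ domain }} {
    import authelia
    # … unchanged: reverse_proxy firefly-iii:8080 …
}

{{ hledger.subdomain }}.{{ domain }} {
    import authelia
    # … unchanged: reverse_proxy hledger:5000 …
}
```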
@@ -0,0 +1,66 @@
+theme: auto
+jwt_secret: {{ authelia.jwt_secret }}
+default_redirection_url: https://auth.{{ domain }}/
+
+log:
+ level: debug
+ format: json
+
+telemetry:
+ metrics:
+ enabled: true
+
+authentication_backend:
+ file:
+ path: /config/users_database.yml
+
+access_control:
+ default_policy: deny
+ rules:
+ - domain: "*.{{ domain }}"
+ policy: two_factor
+
+session:
+ secret: {{ authelia.session_secret }}
+ domain: {{ domain }}
+
+storage:
+ encryption_key: {{ authelia.storage_encryption_key }}
+ local:
+ path: /config/db.sqlite3
+
+notifier:
+ smtp:
+ username: apikey
+ password: {{ authelia.smtp_password }}
+ host: smtp.sendgrid.net
+ port: 25
+ sender: authelia@kejadlen.dev
+
+identity_providers:
+ oidc:
+ issuer_private_key: |
+ {{ authelia.oidc_private_key | indent(6) }}
+ clients:
+ - id: grafana
+ description: Grafana
+ secret: $argon2id$v=19$m=65536,t=3,p=4$bHcAAorVdHuZzuz53WfAQA$x+pIDTo6SsGyY9JD4OZ7dT6pkEcPf8Yh6Yb7DXco8aQ
+ public: false
+ authorization_policy: two_factor
+ redirect_uris:
+ - https://grafana.{{ domain }}/login/generic_oauth
+ scopes:
+ - openid
+ - profile
+ - groups
+ - email
+ userinfo_signing_algorithm: none
+ - id: tailscale
+ description: Tailscale
+ secret: $argon2id$v=19$m=65536,t=3,p=4$RivlSdV1WE/NLfd3Pzrubw$ljSvHj9sb0byolv7fk5G3nL415nS7Ze2RMASwPgfBX0
+ redirect_uris:
+ - https://login.tailscale.com/a/oauth_response
+ scopes:
+ - openid
+ - email
+ - profile
diff --git a/lotus-land-story/templates/authelia_users_database.yml b/lotus-land-story/templates/authelia_users_database.yml
new file mode 100644
index 0000000..3c40ec3
--- /dev/null
+++ b/lotus-land-story/templates/authelia_users_database.yml
@@ -0,0 +1,8 @@
+users:
+ alpha:
+ disabled: false
+ displayname: "Alpha"
+ password: "$argon2id$v=19$m=65536,t=3,p=4$JHtyy/vVD+37neJUjy5Shw$6GODmDOXW/v7cfhqwuEp30bVSCWLT5R3OEe/Gi5FGX0" # yamllint disable-line rule:line-length
+ email: alpha@kejadlen.dev
+ groups:
+ - admins
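Review bot: Every long-lived secret — `jwt_secret`, `session.secret`, `storage.encryption_key`, `notifier.smtp.password` and the OIDC `issuer_private_key` — is rendered inline into `configuration.yml`, although the play mounts an empty `/secrets` volume; Authelia can read each of these from a file via `AUTHELIA_JWT_SECRET_FILE`, `AUTHELIA_SESSION_SECRET_FILE`, `AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE`, `AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE` and `AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE`, which keeps them out of the config file and out of any config dump or backup. `log: level: debug` is a production setting here and Authelia's debug output is verbose about requests and sessions; `level: info` is the safer default. As far as I recall, Authelia 4.37 also refuses to start an OIDC provider without `identity_providers.oidc.hmac_secret`, which is absent from this file — confirm it is supplied elsewhere. The SMTP notifier uses `port: 25` to smtp.sendgrid.net; Authelia still requires STARTTLS by default, but the submission port `587` is the one providers document for authenticated clients and avoids ISP port-25 filtering.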
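Review bot: The argon2id hash for `alpha` is committed verbatim in the template rather than pulled from `vars.yml` like every other credential in this commit, so it lives in git history permanently and is available for offline cracking to anyone who obtains the repository; `password: "{{ authelia.users.alpha.password_hash }}"` keeps the template free of credential material. The hash parameters (m=65536, t=3, p=4) appear to match Authelia's argon2id defaults, so rotating the password does not require a config change.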
diff --git a/lotus-land-story/templates/prometheus.yml b/lotus-land-story/templates/prometheus.yml index e2f81af..e190c1b 100644 --- a/lotus-land-story/templates/prometheus.yml +++ b/lotus-land-story/templates/prometheus.yml @@ -42,6 +42,10 @@ scrape_configs: static_configs: - targets: ['woodpecker-server:8000'] + - job_name: authelia + static_configs: + - targets: ['authelia:9959'] + # - job_name: linode # linode_sd_configs: # - authorization: