---
title:
description:
date: 2023-04-20
lang: zh-tw
tags:
  - 樹莓派
  - Linux
  - docker
---

# Raspberry Pi notes - Authelia: binding LLDAP and Postgres

LLDAP was set up previously. The next step is to connect Authelia to LLDAP and Postgres, and to add a Redis cache at the same time.

## docker-compose

`docker-compose.yml`

```yml=
version: '3.3'

networks:
  default:
    name: ${DOCKER_MY_NETWORK}
    external: true

services:
  authelia:
    container_name: authelia
    image: authelia/authelia:latest
    restart: unless-stopped
    expose:
      - 9091
    volumes:
      - ${HOME_PATH}/authelia/config:/config
      - ${HOME_PATH}/logs/authelia:/var/log/authelia
    env_file:
      - stack.env

  redis:
    container_name: redis
    image: redis:latest
    restart: unless-stopped
    expose:
      - 6379
    volumes:
      - ${HOME_PATH}/redis/data:/data
```

## .env

`stack.env`

```env=
DOCKER_MY_NETWORK=caddy_net
HOME_PATH=<your path>
TZ=Asia/Taipei
```

## Authelia configuration

`configuration.yml`

```yml=
# Store user information (account, password) in LLDAP
# Ref: https://www.authelia.com/integration/ldap/introduction/
authentication_backend:
  # Password reset through authelia works normally.
  password_reset:
    disable: false
  # How often authelia should check if there is a user update in LDAP
  refresh_interval: 1m
  ldap:
    implementation: custom
    url: ldap://lldap:3890
    timeout: 5s
    start_tls: false
    base_dn: dc=example,dc=com
    username_attribute: uid
    # You need to set this to ou=people, because all users are stored in this ou!
    additional_users_dn: ou=people
    # To allow sign in both with username and email, one can use a filter like
    # (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
    users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
    # Set this to ou=groups, because all groups are stored in this ou
    additional_groups_dn: ou=groups
    groups_filter: (member={dn})
    group_name_attribute: cn
    mail_attribute: mail
    display_name_attribute: displayName
    # The username and password of the admin user.
    # "admin" should be the admin username you set in the LLDAP configuration
    user: uid=admin,ou=people,dc=example,dc=com
    password: "LLDAP_ADMIN_PASSWORD"
```

---

```yml=
access_control:
  default_policy: deny
  rules:
    ## The auth page does not require login
    - domain:
        - "auth.example.com"
      policy: bypass
    # API services do not require login
    - domain:
        - "example.com"
        - "*.example.com"
      resources:
        - "^/api([/?].*)?$"
      policy: bypass
    ## Apply one-factor authentication to all domains
    - domain:
        - "example.com"
        - "*.example.com"
      subject:
        - 'group:Admins'
        - 'group:Users'
      policy: one_factor
```

> Since LLDAP supports group settings,
> you can also restrict which group can see which content.

---

```yml=
# Cookie settings
# Ref: https://www.authelia.com/configuration/session/introduction/
session:
  name: authelia_session
  # used this site to generate the secret: https://www.grc.com/passwords.htm
  secret: <YOUR_KEY_2>
  domain: example.com
  same_site: lax
  expiration: 1h
  inactivity: 5m
  remember_me_duration: 1M
  redis:
    host: redis
    port: 6379
```

> This way you do not need to log in again when Authelia restarts.

---

```yml=
# Postgres database
# Ref: https://www.authelia.com/configuration/storage/sqlite/
storage:
  # used this site to generate the secret: https://www.grc.com/passwords.htm
  encryption_key: <YOUR_KEY_3>
  postgres:
    host: postgres
    port: 5432
    database: authelia
    schema: public
    username: postgres
    password: <postgres_password>
```

> A database named `authelia` was already created beforehand.

---

```yml
notifier:
  disable_startup_check: false
  smtp:
    host: smtp.sendgrid.net
    port: 587
    username: apikey
    password: <YOUR_API_KEY>
    sender: info@example.com
```

> The free plan can send 100 emails per day.
> First verify the sender at https://app.sendgrid.com/settings/sender_auth
> "Domain Authentication" can be used.
> Then create it by following https://app.sendgrid.com/guide/integrate
> After the `@` in `sender`, fill in the DOMAIN it gives you.

## Ref

* https://www.authelia.com/integration/ldap/introduction/
* https://github.com/lldap/lldap/blob/main/example_configs/authelia_config.yml
* https://helgeklein.com/blog/authentication-sso-user-management-password-reset-for-home-networks/
* https://www.authelia.com/configuration/notifications/smtp/
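Before deploying the `access_control` rules above, it helps to check which policy each request ends up with, since the first matching rule wins and everything else falls to `default_policy: deny`. The script below is an added example, not part of the original note or of Authelia; it is a simplified model of that first-match evaluation (the `*.` domain wildcard does not match the bare domain, `resources` is a regex over the path, and an anonymous visitor is treated as matching a subject-bearing rule so the returned policy is the one they must satisfy by logging in), with the rules transcribed from the page.

```python
import re
from typing import Optional

# Rules transcribed from the access_control block above (sample set for this demo).
RULES = [
    {"domain": ["auth.example.com"], "policy": "bypass"},
    {"domain": ["example.com", "*.example.com"],
     "resources": [r"^/api([/?].*)?$"], "policy": "bypass"},
    {"domain": ["example.com", "*.example.com"],
     "subject": ["group:Admins", "group:Users"], "policy": "one_factor"},
]
DEFAULT_POLICY = "deny"


def domain_matches(pattern: str, host: str) -> bool:
    """A leading '*.' matches any subdomain but not the bare domain itself."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] == ".example.com"
    return host == pattern


def subject_matches(subjects: list, user: Optional[str], groups: set) -> bool:
    """Anonymous visitors match so they get challenged (simplified model);
    an authenticated user needs at least one matching user:/group: entry."""
    if user is None:
        return True
    for entry in subjects:
        kind, _, value = entry.partition(":")
        if (kind == "user" and value == user) or (kind == "group" and value in groups):
            return True
    return False


def required_policy(host: str, path: str, user: Optional[str] = None,
                    groups: Optional[set] = None) -> str:
    """Return the policy of the first rule matching the request, else the default."""
    groups = groups or set()
    for rule in RULES:
        if not any(domain_matches(d, host) for d in rule["domain"]):
            continue
        if "resources" in rule and not any(re.search(r, path) for r in rule["resources"]):
            continue
        if "subject" in rule and not subject_matches(rule["subject"], user, groups):
            continue
        return rule["policy"]
    return DEFAULT_POLICY


if __name__ == "__main__":
    for args in [("auth.example.com", "/"), ("app.example.com", "/api/v1/items?x=1"),
                 ("app.example.com", "/apis", "alice", {"Users"}),
                 ("app.example.com", "/", "bob", {"Guests"})]:
        print(args, "->", required_policy(*args))
```

Note that `/apis` is not treated as an API path: the regex only bypasses `/api` itself or `/api` followed by `/` or `?`, so a member of `Users` still needs one factor there, while a user in no listed group is denied.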