Refactor: Add start_authelia.sh wrapper for secure Redis env loading

root
2025-12-24 09:50:25 -08:00
parent 92a43ae5b0
commit bb14b435b3
3 changed files with 58 additions and 135 deletions


@@ -1,96 +0,0 @@
server:
address: tcp://0.0.0.0:9091
log:
level: info
identity_validation:
reset_password:
jwt_secret: "{{JWT_SECRET}}"
authentication_backend:
file:
path: /etc/authelia/users_database.yml
access_control:
default_policy: deny
rules:
- domain: "auth.poppyglen.cc"
policy: bypass
- domain: "*.poppyglen.cc"
policy: two_factor
subject: ["group:admins", "group:users"]
session:
secret: "{{SESSION_SECRET}}"
cookies:
- name: poppy_session
domain: poppyglen.cc
authelia_url: https://auth.poppyglen.cc
redis:
host: 127.0.0.1
port: 6379
storage:
encryption_key: "{{STORAGE_ENC_KEY}}"
local:
path: /etc/authelia/db.sqlite3
notifier:
disable_startup_check: true
smtp:
address: "submission://mail.poppyglen.cc:587"
username: "{{SMTP_USERNAME}}"
password: "{{SMTP_PASSWORD}}"
sender: "Authelia <{{SMTP_USERNAME}}>"
identifier: "authelia.poppyglen.cc"
tls:
skip_verify: true
identity_providers:
oidc:
hmac_secret: "{{HMAC_SECRET}}"
jwks:
- key_file: /etc/authelia/oidc.key
clients:
- client_id: nextcloud
client_name: Nextcloud
client_secret: "{{NEXTCLOUD_SECRET}}"
public: false
authorization_policy: two_factor
redirect_uris:
- https://cloud.poppyglen.cc/apps/user_oidc/code
scopes:
- openid
- profile
- email
- groups
userinfo_signed_response_alg: none
- client_id: jellyfin
client_name: Jellyfin
client_secret: "{{JELLYFIN_SECRET}}"
public: false
authorization_policy: two_factor
redirect_uris:
- https://jellyfin.poppyglen.cc/sso/OID/redirect/authelia
scopes:
- openid
- profile
- email
- groups
userinfo_signed_response_alg: none
- client_id: immich
client_name: Immich
client_secret: "{{IMMICH_SECRET}}"
public: false
authorization_policy: two_factor
redirect_uris:
- https://immich.poppyglen.cc/auth/login
- app.immich:/
scopes:
- openid
- profile
- email
userinfo_signed_response_alg: none


@@ -16,19 +16,45 @@ echo "🛑 Stopping Authelia..."
systemctl stop authelia || true
mkdir -p "$CONFIG_DIR"
# --- 2. LOAD SECRETS ---
# --- 1.5 INSTALL RUNTIME WRAPPER (NEW) ---
echo "🔧 Installing Runtime Wrapper..."
if [[ -f "./start_authelia.sh" ]]; then
cp ./start_authelia.sh /usr/local/bin/start-authelia.sh
chmod +x /usr/local/bin/start-authelia.sh
else
echo "❌ ERROR: start_authelia.sh missing! Run this from your git repo folder."
exit 1
fi
# --- 1.6 CONFIGURE SYSTEMD (NEW) ---
echo "⚙️ Configuring Systemd..."
mkdir -p /etc/systemd/system/authelia.service.d
cat <<EOF > /etc/systemd/system/authelia.service.d/override.conf
[Service]
# Disable Sandbox to allow reading /mnt/secrets
PrivateUsers=no
# Use our wrapper script instead of the binary directly
ExecStart=
ExecStart=/usr/local/bin/start-authelia.sh
EOF
systemctl daemon-reload
# --- 2. LOAD SETUP SECRETS (Updated for Robustness) ---
echo "🔍 Checking environment..."
ADMIN_PASS="${AUTHELIA_ADMIN_PASSWORD:-}"
MAIL_PASS="${MAIL_ADMIN_PASSWORD:-}"
ADMIN_EMAIL="admin@poppyglen.cc"
# Source the setup-time secrets file if it exists
if [[ -f "/mnt/secrets/authelia.env" ]]; then
if [[ -z "$ADMIN_PASS" ]]; then
ADMIN_PASS=$(grep AUTHELIA_ADMIN_PASSWORD /mnt/secrets/authelia.env | cut -d '=' -f2 | tr -d '"' | tr -d "'")
fi
if [[ -z "$MAIL_PASS" ]]; then
MAIL_PASS=$(grep MAIL_ADMIN_PASSWORD /mnt/secrets/authelia.env | cut -d '=' -f2 | tr -d '"' | tr -d "'")
fi
echo " -> Sourcing /mnt/secrets/authelia.env"
set -a
. /mnt/secrets/authelia.env
set +a
# Update variables if they were loaded from file
[[ -n "${AUTHELIA_ADMIN_PASSWORD:-}" ]] && ADMIN_PASS="$AUTHELIA_ADMIN_PASSWORD"
[[ -n "${MAIL_ADMIN_PASSWORD:-}" ]] && MAIL_PASS="$MAIL_ADMIN_PASSWORD"
fi
if [[ -z "$ADMIN_PASS" ]]; then read -sp "Enter Admin Password: " ADMIN_PASS; echo; fi
@@ -38,9 +64,7 @@ if [[ -z "$MAIL_PASS" ]]; then read -sp "Enter Mail Password: " MAIL_PASS; echo;
echo "🔑 Generating Keys..."
openssl genpkey -algorithm RSA -out "$OIDC_KEY" -pkeyopt rsa_keygen_bits:4096
chmod 600 "$OIDC_KEY"
# READ AND INDENT OIDC KEY (The Fix for YAML errors)
# We indent every line by 10 spaces so it fits perfectly into the YAML block
# READ AND INDENT OIDC KEY
OIDC_KEY_CONTENT=$(cat "$OIDC_KEY" | sed 's/^/ /')
echo "🎲 Generating Secrets..."
@@ -53,12 +77,10 @@ echo "🔒 Hashing Client Secrets..."
hash_secret() {
$AUTHELIA_BIN crypto hash generate pbkdf2 --variant sha512 --password "$1" | awk '{print $NF}'
}
# Generate Plaintext
NEXTCLOUD_PLAIN=$(openssl rand -hex 32)
JELLYFIN_PLAIN=$(openssl rand -hex 32)
IMMICH_PLAIN=$(openssl rand -hex 32)
# Generate Hashes
NEXTCLOUD_HASH=$(hash_secret "$NEXTCLOUD_PLAIN")
JELLYFIN_HASH=$(hash_secret "$JELLYFIN_PLAIN")
@@ -66,22 +88,17 @@ IMMICH_HASH=$(hash_secret "$IMMICH_PLAIN")
# --- 4. GENERATE CONFIG ---
echo "📝 Writing Clean Configuration..."
cat <<EOF > "$CONFIG_FILE"
server:
address: tcp://0.0.0.0:9091
log:
level: info
identity_validation:
reset_password:
jwt_secret: "$JWT_SECRET"
authentication_backend:
file:
path: $USERS_FILE
access_control:
default_policy: deny
rules:
@@ -90,7 +107,6 @@ access_control:
- domain: "*.poppyglen.cc"
policy: two_factor
subject: ["group:admins", "group:users"]
session:
secret: "$SESSION_SECRET"
cookies:
@@ -98,16 +114,14 @@ session:
domain: poppyglen.cc
authelia_url: https://auth.poppyglen.cc
redis:
host: 192.168.0.120
host: 192.168.0.120
port: 6379
password: {{ env "REDIS_PASSWORD" }}
# Password line REMOVED. Handled by start_authelia.sh via AUTHELIA_SESSION_REDIS_PASSWORD
database_index: 1
storage:
encryption_key: "$STORAGE_KEY"
local:
path: $CONFIG_DIR/db.sqlite3
notifier:
disable_startup_check: true
smtp:
@@ -118,7 +132,6 @@ notifier:
identifier: "authelia.poppyglen.cc"
tls:
skip_verify: true
identity_providers:
oidc:
hmac_secret: "$HMAC_SECRET"
@@ -212,38 +225,23 @@ fi
# --- 6. PERMISSIONS & VALIDATION ---
echo "🔧 Fixing Permissions..."
# Check if authelia user exists
if ! id "$SERVICE_USER" &>/dev/null; then
echo "⚠️ User '$SERVICE_USER' does not exist. Creating system user..."
useradd -r -s /bin/false "$SERVICE_USER" || echo "Failed to create user."
fi
# Set Ownership
chown -R "$SERVICE_USER":"$SERVICE_GROUP" "$CONFIG_DIR"
# Files must be 600, Directories 700
chmod 600 "$CONFIG_FILE" "$USERS_FILE" "$OIDC_KEY"
chmod 700 "$CONFIG_DIR"
echo "🧪 PRE-FLIGHT CHECK..."
# If this fails, we force world-read just to get it running (debugging step)
if ! su -s /bin/bash "$SERVICE_USER" -c "cat $OIDC_KEY > /dev/null"; then
echo "The '$SERVICE_USER' user STILL cannot read $OIDC_KEY."
echo " Attempting emergency fix (chmod 644)..."
echo "Permission Error: '$SERVICE_USER' cannot read keys."
chmod 644 "$OIDC_KEY" "$CONFIG_FILE" "$USERS_FILE"
else
echo "✅ Permission Check Passed."
fi
echo "🕵️ VALIDATING CONFIGURATION..."
if $AUTHELIA_BIN validate-config --config "$CONFIG_FILE"; then
echo "✅ Validation Passed."
else
echo "❌ Validation FAILED."
cat -n "$CONFIG_FILE"
exit 1
fi
echo "🚀 Starting Authelia..."
systemctl start authelia
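Review bot: The systemd override sets `PrivateUsers=no` for the whole Authelia service only so that the wrapper can read `/mnt/secrets`, which widens the service's sandbox instead of narrowing access to the one secret it needs; if the secrets file can carry the variable under the name Authelia reads (`AUTHELIA_SESSION_REDIS_PASSWORD`), an `EnvironmentFile=/mnt/secrets/redis.env` line in the same override would deliver it without the wrapper or the sandbox relaxation, and at minimum the override comment should state which read fails under the default setting. Further down in the same hunk, the fallback extraction `grep AUTHELIA_ADMIN_PASSWORD /mnt/secrets/authelia.env | cut -d '=' -f2 | ...` matches any line containing that substring (a commented-out one included) and truncates a password that contains `=`; since the very same file is sourced under `set -a` a few lines later and overrides the value anyway, the grep/cut lines can be dropped, or if kept, anchored as `grep -E '^AUTHELIA_ADMIN_PASSWORD=' /mnt/secrets/authelia.env | cut -d '=' -f2-` (and the same for `MAIL_ADMIN_PASSWORD`). Note also that `set -a` exports every variable defined in `authelia.env` into the environment of every command this script runs afterwards (openssl, the `authelia crypto hash` calls), and `set +a` does not undo that. The enclosing script starts before and continues after this hunk.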

21
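--- a/start_authelia.sh
+++ b/start_authelia.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+# start_authelia.sh
+# Wrapper script to load secrets and launch Authelia
+# 1. Source the secret file silently
+set -a
+if [ -f /mnt/secrets/redis.env ]; then
+. /mnt/secrets/redis.env
+else
+echo "ERROR: Redis secret file not found at /mnt/secrets/redis.env"
+exit 1
+fi
+set +a
+# 2. Map the Redis password to the specific variable Authelia expects
+# This allows us to leave the 'password' field out of configuration.yml entirely
+export AUTHELIA_SESSION_REDIS_PASSWORD="$REDIS_PASSWORD"
+# 3. Start Authelia
+# We use 'exec' so this script is replaced by the Authelia process (better for signal handling)
+exec /usr/bin/authelia --config /etc/authelia/configuration.yml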
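Review bot: `export AUTHELIA_SESSION_REDIS_PASSWORD="$REDIS_PASSWORD"` is not guarded, so a `redis.env` that does not define `REDIS_PASSWORD` (or spells it differently) starts Authelia with an empty Redis password rather than failing; a `: "${REDIS_PASSWORD:?REDIS_PASSWORD missing from /mnt/secrets/redis.env}"` placed before the export makes the wrapper fail closed. Because the file is sourced under `set -a`, every variable it defines — not only `REDIS_PASSWORD` — is exported into the Authelia process environment; dropping the `set -a`/`set +a` pair and exporting only the mapped variable (optionally followed by `unset REDIS_PASSWORD`) limits exposure to the one value needed. The diagnostic on the missing-file branch goes to stdout; `echo "ERROR: Redis secret file not found at /mnt/secrets/redis.env" >&2` keeps it on stderr like other error output. Since `.` executes the file as shell code, the header comment should state the ownership and permission the wrapper expects of `/mnt/secrets/redis.env`.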