├── .LICENSE
├── README.md
├── extras
│   ├── caddy-auto-add.sh
│   └── config.txt
├── proxy-setup.sh
└── setup.sh

/.LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2023 LordZeuss

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Auto-Authelia

![GitHub last commit](https://img.shields.io/github/last-commit/lordzeuss/auto-authelia?style=flat-square)
![GitHub Repo stars](https://img.shields.io/github/stars/lordzeuss/auto-authelia?style=social)

A script that configures Authelia automatically. See the future plans below for features still to be added.

## General Info
I created a script that installs Nginx Proxy Manager via docker-compose, as well as Authelia, and gives you prompts to get Authelia up and running as quickly as possible.

I update this repo from time to time, and since it's a personal project, major updates are periodic. Please leave feature requests if you'd like to see any additions.

## Future Plans:

* Adding reverse proxy installation and assisted or fully automated configuration for multiple reverse proxy solutions, mainly NGINX and traefik. I need to learn how these work so I can add them to the script.
* An embedded video on how to run the scripts and use them with NPM & Caddy, for demo purposes as well as a short how-to.
* Add a section to this README regarding email setup (since I have now added the ability to configure email, I want to give an example for guidance).

#### UPDATE 3/26: NPM & Caddy (setup for caddy) script added!
#### UPDATE 7/16: Added the option to install caddy via docker instead of only on bare metal.
#### UPDATE 8/28: BIG UPDATE! I have added the ability to configure email/smtp for sending password resets!
#### UPDATE 12/19: Extras folder added! If you are using a Caddyfile in the root directory, you can run the caddy-auto-add.sh script to add services to your Caddyfile with ease!
---

## Table of Contents
* [General Info](#general-info)
* [Basic Commands](#basic-commands)
* [Pre-Requirements](#pre-requirements)
* [Installation](#installation)
* [Configuring Protected Services](#configuring-protected-services)
* [NGINX Proxy Manager Setup](#nginx-proxy-manager-setup)
* [Caddy Setup](#caddy-setup)
* [Starting Authelia](#starting-authelia)
* [Support](#buy-me-a-beer)
---

## Pre-Requirements

You will need:
- Docker
- Docker-Compose
- Git

***NOTE: Check out my raspi-docker repository to auto install docker & docker compose!***

---

## Installation

To start the installation process, first clone the repo.

```
git clone https://github.com/lordzeuss/auto-authelia
```

Next, navigate to the new folder.

```
cd auto-authelia
```

Now, run `setup.sh` to configure Authelia, or run `proxy-setup.sh` to choose from a list of proxies to pre-configure.
```
./setup.sh
```
```
./proxy-setup.sh
```

---

## Important Notes

The script will initially prompt you to update the system if needed. It will then prompt you to fill in the information that Authelia requires.

Make sure that Docker and docker-compose are already installed: when the script offers to hash the admin password automatically, it runs the Authelia Docker container to produce the hash.

Optionally, you can hash the password yourself.

**Port Forwarding**
I have noticed that in some cases you may need to forward ports 443/80 to the machine running Authelia. If you encounter any errors, such as your router login showing up when you go to the auth domain, give this a try.


---

## Configuring Protected Services

How do I protect my services behind Authelia?

Navigate to the auto-authelia folder, and go into the config folder.

Optionally, run this command:


```
cd /home/$USER/auto-authelia/authelia/config
```

Next, open the configuration file in a text editor of your choice, usually vi/vim/nano.

```
nano configuration.yml

OR

nano /home/$USER/auto-authelia/authelia/config/configuration.yml
```

Scroll down in the document. You will notice that there are some example services such as "service.example.com".


#### One factor vs Two factor authentication
One factor authentication means that once you log in to Authelia with a username and password, you have access to your service.

Two factor authentication additionally prompts you for a one time token, generated by a common app such as Duo, Google Authenticator or similar.

***NOTE: When a service is set up for two factor auth and you access it for the first time, Authelia shows you a QR code so you can enroll it in the two factor app of your choice.***

#### Adding services to protect

Replace the placeholders ("service.example.com") with your services. You can always add a new line if needed. I provided a few examples as defaults; add or remove as many as necessary.

Put each service under one or two factor depending on what you prefer. You can also delete the placeholders if you wish. The generated configuration uses `default_policy: deny`, so any domain you do not list under a rule is refused rather than let through.

#### Configure your reverse proxy

Setting up the service in Authelia is as simple as adding the service to the configuration.yml file. The more challenging part can be configuring it with your reverse proxy.

Authelia has documentation on implementing it for different proxies.
I have provided NPM instructions and Caddy instructions. I just switched from NPM to Caddy myself, as I'd rather add a few lines to the Caddyfile than use NPM and go through all the steps.

---

## NGINX Proxy Manager Setup

First, install NPM. (I have plans to implement a way to install it, or give the option to, in the future.)

Next, add the Proxy Host as normal for a reverse proxy.

#### **Under the Advanced tab:**

You will need to add the following text, but replace a few parts:

```
location /authelia {
    internal;
    set $upstream_authelia http://IPOFAUTHELIASERVER:9091/api/verify; #ADD YOUR IP AND PORT OF AUTHELIA
    proxy_pass_request_body off;
    proxy_pass $upstream_authelia;
    proxy_set_header Content-Length "";

    # Timeout if the real server is dead
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
    client_body_buffer_size 128k;
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect http:// $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 4 32k;

    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;
}

location / {
    set $upstream_SERVICENAME http://IPOFSERVICE:PORT; #ADD IP AND PORT OF SERVICE
    proxy_pass $upstream_SERVICENAME; #change name of the service

    auth_request /authelia;
    auth_request_set $target_url $scheme://$http_host$request_uri;
    auth_request_set $user $upstream_http_remote_user;
    auth_request_set $groups $upstream_http_remote_groups;
    proxy_set_header Remote-User $user;
    proxy_set_header Remote-Groups $groups;
    error_page 401 =302 https://AUTH.EXAMPLE.COM/?rd=$target_url;

    client_body_buffer_size 128k;

    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

    send_timeout 5m;
    proxy_read_timeout 360;
    proxy_send_timeout 360;
    proxy_connect_timeout 360;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect http:// $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 64 256k;

    set_real_ip_from REPLACEIPRANGE/16;
    set_real_ip_from 172.0.0.0/8;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
}
```

There are five things you will need to replace. You will need to do this for each service in NPM.

**Replace:**

- IPOFAUTHELIASERVER with the IP of the system running Authelia. EX: 192.168.1.10
- SERVICENAME appears on two adjacent lines and needs to be replaced with the name of the service. EX: portainer
- IPOFSERVICE:PORT needs to be replaced with the IP address and port of the service. EX: Portainer runs on 192.168.1.10:9000
- AUTH.EXAMPLE.COM needs to be replaced with the default redirection URL that was set up in the script earlier.
It should be https://auth.example.com, but you only need to replace the AUTH.EXAMPLE.COM portion.
- REPLACEIPRANGE will need the range of your network. It is usually something like: 192.168.1.0/16. Together with `real_ip_header`, `set_real_ip_from` decides which addresses nginx trusts to supply the client IP in X-Forwarded-For, so keep the range as narrow as your network allows.

#### Correct configuration example:

```
location /authelia {
    internal;
    set $upstream_authelia http://192.168.1.10:9091/api/verify; #ADD YOUR IP AND PORT OF AUTHELIA
    proxy_pass_request_body off;
    proxy_pass $upstream_authelia;
    proxy_set_header Content-Length "";

    # Timeout if the real server is dead
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
    client_body_buffer_size 128k;
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect http:// $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 4 32k;

    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;
}

location / {
    set $upstream_portainer http://192.168.1.10:9000; #ADD IP AND PORT OF SERVICE
    proxy_pass $upstream_portainer; #change name of the service

    auth_request /authelia;
    auth_request_set $target_url $scheme://$http_host$request_uri;
    auth_request_set $user $upstream_http_remote_user;
    auth_request_set $groups $upstream_http_remote_groups;
    proxy_set_header Remote-User $user;
    proxy_set_header Remote-Groups $groups;
    error_page 401 =302 https://auth.testwebsite.com/?rd=$target_url;

    client_body_buffer_size 128k;

    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

    send_timeout 5m;
    proxy_read_timeout 360;
    proxy_send_timeout 360;
    proxy_connect_timeout 360;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect http:// $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 64 256k;

    set_real_ip_from 192.168.1.0/16;
    set_real_ip_from 172.0.0.0/8;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
}
```

# Caddy Setup

Run the proxy-setup.sh script.

```
./proxy-setup.sh
```
Select number 2 for Caddy.

Once Caddy is selected, it will automatically be installed.

***NOTE: If you already have Caddy installed and it asks whether you want to overwrite the GPG keychain, you can select yes, or use CTRL+C to skip.***

Once Caddy is installed, you will need to provide the auth root domain, the same as you did with Authelia. `EX: auth.yourdomain.com`

The script will create your Caddyfile inside the auto-authelia folder.

---
## Caddy Configuration

To add services to be served by Caddy, edit the Caddyfile that was just created in the auto-authelia folder.

```
nano Caddyfile
```
The Authelia section is already created for you.

You will notice that there is a `service.example.com` section.
Replace `service.example.com` with the URL you are going to use for the service.

```
EX: portainer.mydomain.com
```
Finally, under the `reverse_proxy` portion, replace `SERVICEPORTHERE` with the port of the service you are trying to proxy through Authelia.

It may look something like this:
```
localhost:9000
```
Or, if your service runs on another server rather than on localhost, it will look like this:
```
192.168.1.10:9000
```

If you need to add more services, simply use the same format as `service.example.com` in another block below.

Here is an example of two services (one using localhost and one using an IP):
```
auth.example.com {
    reverse_proxy localhost:9091
}

service.example.com {
    forward_auth localhost:9091 {
        uri /api/verify?rd=https://auth.example.com/
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
    }
    reverse_proxy localhost:8080 {
    }
}

anotherservice.example.com {
    forward_auth localhost:9091 {
        uri /api/verify?rd=https://auth.example.com/
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
    }
    reverse_proxy 192.168.1.10:9000 {
    }
}
```

---

## Start Caddy

Navigate to the auto-authelia folder if you are not there already.

#### *NOTE: Caddy will only start/stop if you are in the directory where the `Caddyfile` is located. Ours is in the auto-authelia directory.*

To start Caddy:
```
caddy start
```
To stop Caddy:
```
caddy stop
```

#### *NOTE: If you edit the Caddyfile, just stop and start Caddy again.*
---

## Starting Authelia
Navigate to the Authelia folder

```
cd /home/$USER/auto-authelia/authelia
```
Run the docker-compose command to start everything up.

```
docker-compose up -d
```

***NOTE: You will find the two factor authentication email inside the `authelia/config` folder. It will be called `notification.txt`. This is because the notifier is set to save to the filesystem, unless you manually update the email settings in the configuration.yml file to send out an email.***

---

# buy-me-a-beer

Liked some of my work? Buy me a beer!
Buy Me A Coffee


--------------------------------------------------------------------------------
/extras/caddy-auto-add.sh:
--------------------------------------------------------------------------------
#!/bin/bash

#Auto add to Caddyfile in root dir.

# Pull data from the config.txt file (authdomain and rootdomain).
# Note: sourcing executes the file as shell, so keep config.txt to plain key=value lines.
source config.txt

read -p "Service: " url
read -p "IP:PORT: " service

echo "$url.$rootdomain {
    forward_auth localhost:9091 {
        uri /api/verify?rd=$authdomain
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
    }
    reverse_proxy $service {
    }
}
" >> "/home/$USER/auto-authelia/Caddyfile"
--------------------------------------------------------------------------------
/extras/config.txt:
--------------------------------------------------------------------------------
authdomain=https://auth.example.com
rootdomain=example.com
--------------------------------------------------------------------------------
/proxy-setup.sh:
--------------------------------------------------------------------------------
#!/bin/bash
clear

echo -e "\e[1;31m
 ___ ____ _  _ ____    _ _  _ ____ ___ ____ _    _    ____ ____
  /  |___ |  | [__     | |\ | [__   |  |__| |    |    |___ |__/
 /__ |___ |__| ___]    | | \| ___]  |  |  | |___ |___ |___ |  \\\\

\e[0m"



echo " "
echo -e "\e[1;33mSelect an option to install & configure: \e[0m"
echo "1. Nginx Proxy Manager"
echo "2. Caddy"
echo "3. Caddy (Docker-Compose)"
echo "4. Exit"
echo " "

read -p "Enter your selection: " chooseproxy

case $chooseproxy in
    1)
        # Create NPM directory & docker-compose file
        mkdir -p /home/$USER/auto-authelia/nginx-proxy-manager
        touch /home/$USER/auto-authelia/nginx-proxy-manager/docker-compose.yml

        # Appending docker-compose code into the file
        echo "version: '3'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt" >> /home/$USER/auto-authelia/nginx-proxy-manager/docker-compose.yml

        echo " "
        echo " "
        echo -e "\e[1;33mMake sure you port forward ports 80 and 443 from your router to the device hosting Nginx Proxy Manager\e[0m"

        echo " "
        echo " "

        # Start NPM [Y/N]
        read -p "Would you like to start Nginx Proxy Manager via docker-compose? [Y/N] " npmstart

        if [ "$npmstart" = y ] || [ "$npmstart" = Y ]; then
            echo " "
            echo -e "\e[1;33mStarting Nginx Proxy Manager. When launched it will be found at http://YOURIP:81\e[0m"
            echo " "
            echo " "
            cd /home/$USER/auto-authelia/nginx-proxy-manager
            docker-compose up -d
            echo " "
            echo -e "\e[1;32mDone.\e[0m"
        elif [ "$npmstart" = n ] || [ "$npmstart" = N ]; then
            echo " "
            echo -e "\e[1;31mNot starting Nginx Proxy Manager.\e[0m"
            echo " "
        else
            echo -e "\e[1;31mInvalid command. Not starting Nginx Proxy Manager by default.\e[0m"
        fi
        ;;
    2)
        #Caddy install
        echo " "
        echo " "
        echo -e "\e[1;33mInstalling Caddy. Please wait...\e[0m"
        echo " "
        sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https

        curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg

        curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list

        sudo apt update
        sudo apt install caddy
        echo " "
        echo -e "\e[1;32mDone.\e[0m"
        echo " "
        echo " "
        echo -e "\e[1;33mCreating Caddyfile for Caddy...\e[0m"

        echo " "
        echo " "
        touch /home/$USER/auto-authelia/Caddyfile

        read -p "Enter the auth root domain [EX: auth.example.com] (SAME AS AUTHELIA SETUP ROOT DOMAIN): " rootauthdomain

        echo "$rootauthdomain {
    reverse_proxy localhost:9091
}

service.example.com {
    forward_auth localhost:9091 {
        uri /api/verify?rd=https://$rootauthdomain/
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
    }
    reverse_proxy localhost:SERVICEPORTHERE {
    }
}" >> /home/$USER/auto-authelia/Caddyfile

        echo " "
        echo -e "\e[1;32mDone.\e[0m"
        echo " "
        echo -e "\e[1;33mYou will need to edit the Caddyfile for your services. There is a service.example.com there to provide an example.\e[0m"
        echo -e "\e[1;33mVisit the auto-authelia github page for more instructions.\e[0m"
        ;;



    3)
        echo " "
        echo " "
        echo -e "\e[1;33mInstalling Caddy. Please wait...\e[0m"
        echo " "

        touch /home/$USER/auto-authelia/Caddyfile
        mkdir -p /home/$USER/auto-authelia/caddy
        touch /home/$USER/auto-authelia/caddy/docker-compose.yml

        # Single-quoted on purpose: $USER and $PWD are left for docker-compose to interpolate
        echo 'version: "3.7"

services:
  caddy:
    image: caddy:latest
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - /home/$USER/auto-authelia/Caddyfile:/etc/caddy/Caddyfile
      - $PWD/site:/srv
      - caddy_data:/data
      - caddy_config:/config

volumes:
  caddy_data:
    external: true
  caddy_config:' >> /home/$USER/auto-authelia/caddy/docker-compose.yml

        read -p "Enter the auth root domain [EX: auth.example.com] (SAME AS AUTHELIA SETUP ROOT DOMAIN): " rootauthdomain

        echo "$rootauthdomain {
    reverse_proxy localhost:9091
}

service.example.com {
    forward_auth localhost:9091 {
        uri /api/verify?rd=https://$rootauthdomain/
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
    }
    reverse_proxy localhost:SERVICEPORTHERE {
    }
}" >> /home/$USER/auto-authelia/Caddyfile

        echo " "
        echo " "
        echo -e "\e[1;33mStart Caddy?\e[0m"
        read -p "Answer: " cadstart

        if [ "$cadstart" = y ] || [ "$cadstart" = Y ]; then
            cd /home/$USER/auto-authelia/caddy
            docker-compose up -d
        elif [ "$cadstart" = n ] || [ "$cadstart" = N ]; then
            echo -e "\e[1;33mSkipping...\e[0m"
        else
            echo -e "\e[1;33mSkipping.\e[0m"
        fi

        echo " "
        echo -e "\e[1;32mDone.\e[0m"
        echo " "
        echo -e "\e[1;33mYou will need to edit the Caddyfile for your services. There is a service.example.com there to provide an example.\e[0m"
        echo -e "\e[1;33mVisit the auto-authelia github page for more instructions.\e[0m"
        ;;
    4)
        echo " "
        echo -e "\e[1;31mExiting...\e[0m"
        exit 0
        ;;
    *)
        echo -e "\e[1;31mInvalid choice. Please select a valid option.\e[0m"
        ;;

esac
--------------------------------------------------------------------------------
/setup.sh:
--------------------------------------------------------------------------------
#!/bin/bash
clear

echo -e "\e[1;31m
 ___ ____ _  _ ____    _ _  _ ____ ___ ____ _    _    ____ ____
  /  |___ |  | [__     | |\ | [__   |  |__| |    |    |___ |__/
 /__ |___ |__| ___]    | | \| ___]  |  |  | |___ |___ |___ |  \\\\

\e[0m"

#v1.0

#Functions List
update() { yes | sudo apt-get update; }
upgrade() { yes | sudo apt-get upgrade; }

# Update the system
echo -e "\e[1;33mWould you like to update the system (Recommended)? (y/n/e)\e[0m"
echo " "
echo -e "\e[1;33my=yes | n=no | e=exit-installer.\e[0m"
echo " "

read -n1 yesorno

if [ "$yesorno" = y ]; then
    update
    upgrade
    echo " "
    echo -e "\e[1;32mUpdate Successful.\e[0m"
    echo " "
elif [ "$yesorno" = n ]; then
    echo " "
    echo -e "\e[1;33mSkipping...\e[0m"
    echo " "
else
    echo " "
    echo -e "\e[1;31mNot a valid answer. Exiting...\e[0m"
    exit 1
fi

clear

######################################################################
#
# Start of configuration
#
######################################################################

echo -e "\e[1;33mDo you want to use the default installation path (Home directory)? [Y/N]\e[0m"
read -n1 yesorno

if [ "$yesorno" = y ] || [ "$yesorno" = Y ]; then
    echo " "
    echo -e "\e[1;33mCreating files and directories for authelia...\e[0m"
    echo " "
    mkdir -p /home/$USER/auto-authelia/authelia
    mkdir -p /home/$USER/auto-authelia/authelia/config
    touch /home/$USER/auto-authelia/authelia/docker-compose.yml
    touch /home/$USER/auto-authelia/authelia/config/configuration.yml
    touch /home/$USER/auto-authelia/authelia/config/users_database.yml
    files=("/home/$USER/auto-authelia/authelia" "/home/$USER/auto-authelia/authelia/config" "/home/$USER/auto-authelia/authelia/docker-compose.yml" "/home/$USER/auto-authelia/authelia/config/configuration.yml" "/home/$USER/auto-authelia/authelia/config/users_database.yml")

    # Loop through the array and check each file or directory
    for file in "${files[@]}"; do
        if [ -e "$file" ]; then
            echo -e "\e[1;32mThe file or directory '$file' was created successfully...\e[0m"
        else
            echo -e "\e[1;31mThe file or directory '$file' was not created.\e[0m"
            echo -e "\e[1;31mPlease verify that the script can write to the /home/$USER/auto-authelia/authelia directory.\e[0m"
        fi
    done
    root=/home/$USER/auto-authelia

elif [ "$yesorno" = n ] || [ "$yesorno" = N ]; then
    echo " "
    echo -e "\e[1;33mEnter install folder location\e[0m"
    read -r root
    echo " "
    echo -e "\e[1;33mCreating files and directories for authelia...\e[0m"
    echo " "
    mkdir -p "$root/authelia"
    mkdir -p "$root/authelia/config"
    touch "$root/authelia/docker-compose.yml"
    touch "$root/authelia/config/configuration.yml"
    touch "$root/authelia/config/users_database.yml"

    # Verifying that files/directories were created
    files=("$root/authelia" "$root/authelia/config" "$root/authelia/docker-compose.yml" "$root/authelia/config/configuration.yml" "$root/authelia/config/users_database.yml")

    # Loop through the array and check each file or directory
91 | for file in "${files[@]}"; do 92 | if [ -e "$file" ]; then 93 | echo -e "\e[1;32mThe file or directory '$file' was created successfully...\e[0m" 94 | else 95 | echo -e "\e[1;31mThe file or directory '$file' was not created.\e[0m" 96 | echo -e "\e[1;31mPlease verify that the script can write to the $root/authelia directory.\e[0m" 97 | fi 98 | done 99 | fi 100 | 101 | echo " " 102 | echo " " 103 | echo " " 104 | echo " " 105 | echo -e "\e[1;33mCreating the docker-compose file...\e[0m" 106 | # Create compose file 107 | echo "version: '3.3' 108 | services: 109 | authelia: 110 | image: authelia/authelia 111 | volumes: 112 | - ./config:/config 113 | ports: 114 | - 9091:9091 115 | restart: unless-stopped 116 | healthcheck: 117 | disable: true 118 | environment: 119 | - TZ=America/Chicago 120 | depends_on: 121 | - redis 122 | redis: 123 | image: redis:alpine 124 | volumes: 125 | - ./redis:/data 126 | expose: 127 | - 6379 128 | restart: unless-stopped 129 | environment: 130 | - TZ=America/Chicago 131 | " >>$root/authelia/docker-compose.yml 132 | echo " " 133 | echo -e "\e[1;33mDone.\e[0m" 134 | echo " " 135 | 136 | ###################################################################### 137 | 138 | # Creating the configuration file 139 | read -p $'\e[1;36mEnter the Redirect URL [INCLUDE https:// HERE][EX: https://auth.example.com]\e[0m: ' redirecturl 140 | read -p $'\e[1;36mEnter the Root Domain to protect [EX: example.com]\e[0m: ' rootdomain 141 | read -p $'\e[1;36mEnter the Auth root domain [EX: auth.example.com]\e[0m: ' rootauth 142 | read -p $'\e[1;36mDo you prefer Light or Dark mode/theme? 
[TYPE light OR dark]\e[0m: ' theme 143 | 144 | echo "############################################################### 145 | # Authelia configuration # 146 | ############################################################### 147 | server: 148 | host: 0.0.0.0 149 | port: 9091 150 | jwt_secret: SECRETREPLACE #Generate a random string 151 | log: 152 | level: debug 153 | default_redirection_url: $redirecturl #Ex:https://auth.example.com 154 | totp: 155 | issuer: $rootdomain #EX: example.com 156 | period: 30 157 | skew: 1 158 | #duo_api: ## You can use this api if you want push notifications of auth attempts 159 | # hostname: api-123456789.example.com 160 | # integration_key: ABCDEF 161 | # secret_key: yet-another-long-string-of-characters-and-numbers-and-symbols 162 | authentication_backend: 163 | password_reset.disable: false 164 | file: 165 | path: /config/users_database.yml 166 | password: 167 | algorithm: argon2id 168 | iterations: 1 169 | salt_length: 16 170 | parallelism: 8 171 | memory: 64 172 | 173 | access_control: 174 | default_policy: deny 175 | rules: 176 | # Rules applied to everyone 177 | - domain: 178 | - AUTHDOMAIN-CHANGEME #Ex: "auth.example.com" 179 | policy: bypass 180 | - domain: 181 | - '"service.example.com"' #Ex: "search.example.com" - Single factor stuff. Only need a Password to authenticate. 182 | - '"service2.example.com"' 183 | policy: one_factor 184 | - domain: 185 | - '"service3.example.com"' #Ex: "tv.example.com" - Two factor auth. Need a password as well as a OTP to authenticate. 
186 | - '"service4.example.com"' 187 | policy: two_factor 188 | 189 | # networks: 190 | # - 192.168.1.0/24 191 | session: 192 | name: authelia_session 193 | # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE 194 | secret: SECRETREPLACE2 #Generate long string numb/letters 195 | expiration: 3600 # 1 hour 196 | inactivity: 7200 # 2 hours 197 | domain: $rootdomain # Should match whatever your root protected domain is EX: example.com 198 | # This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE 199 | # password: authelia 200 | regulation: 201 | max_retries: RETRIES 202 | find_time: FINDTIME 203 | ban_time: BANTIME 204 | 205 | theme: $theme #light or dark 206 | storage: 207 | encryption_key: SECRETREPLACE3 #Generate long string numb/letters 208 | local: 209 | path: /config/db.sqlite3 210 | 211 | notifier: 212 | filesystem: 213 | filename: /config/notification.txt 214 | # smtp: 215 | # username: EMAILUSERNAME 216 | # password: EMAILPASSWORD 217 | # host: EMAILHOST 218 | # port: EMAILPORT 219 | # sender: EMAILSENDER 220 | # subject: "[Authelia] {title}" 221 | # disable_require_tls: false 222 | # disable_html_emails: false 223 | # tls: 224 | # server_name: EMAILSERVERNAME 225 | # skip_verify: false 226 | # minimum_version: TLS1.2" >>$root/authelia/config/configuration.yml 227 | 228 | # Formatting the configuration file 229 | sed -i "s/AUTHDOMAIN-CHANGEME/\"$rootauth\"/g" $root/authelia/config/configuration.yml 230 | secret=$(LC_CTYPE=C tr -dc 'a-zA-Z' >/home/$USER/auto-authelia/authelia/config/users_database.yml 314 | echo " " 315 | echo " " 316 | echo -e "\e[1;33mRunning Authelia docker container to hash password. 
Please wait...\e[0m"
317 | # Run the hash generator in a throwaway container and save the output to a variable (the password is briefly visible in the host process list)
318 | output=$(docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password "$adminpass")
319 | # Extract the hash from the output, which has the form "Digest: $argon2id$v=19$...", and save it to a variable
320 | HASHPASS=${output#Digest: }
321 | sed -i "s|HASHPASS|$HASHPASS|" "$root/authelia/config/users_database.yml" # '|' as delimiter: argon2 digests contain '/' and '$'
322 | echo " "
323 | echo -e "\e[1;32mPassword Updated.\e[0m"
324 | elif [ "$yesorno" = m ]; then
325 | echo "users:
326 |   $user: #username for user 1. change to whatever you'd like
327 |     displayname: \"$userdisplay\" #whatever you want the display name to be
328 |     password: \"HASHPASS\" #replace with the hash from the docker command below (or https://argon2.online/)
329 |     email: $useremail #whatever your email address is
330 |     groups:
331 |       - admins
332 |   #user2: #Use the above details as a template. Uncomment to use. Add as many users as necessary.
333 |     #displayname: \"User2\"
334 |     #password: \"hashedpasswordhere\" #generated at https://argon2.online/ OR docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'TYPEPASSWORDHERE'
335 |     #email: user2@email.com
336 | " >>$root/authelia/config/users_database.yml
337 |
338 | echo " "
339 | echo -e "\e[1;33mGenerate the hash locally with: docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'TYPEPASSWORDHERE' (https://argon2.online/ also works, but it sends your password to a third party)\e[0m"
340 | echo " "
341 | echo -e "\e[1;33mNavigate to $root/authelia/config and edit the users_database.yml file. Replace the HASHPASS string with the hashed password\e[0m"
342 | else
343 | echo " "
344 | echo -e "\e[1;33mSkipping...\e[0m"
345 | fi
346 |
347 | ######################################################################
348 |
349 | # Setting up email password resets
350 |
351 | echo " "
352 | echo " "
353 | echo -e "\e[1;36mWould you like to configure emails for password resets? (Default is no.)
[Y/N] \e[0m"
354 |
355 | read -n1 yesorno
356 |
357 | if [ "$yesorno" = y ] || [ "$yesorno" = Y ]; then
358 |
359 | # Comment out the filesystem notifier and enable smtp. The lines are matched by content rather than by line number, so editing the template above does not silently break this step.
360 | configfileloc="$root/authelia/config/configuration.yml"
361 | sed -i '/^# *smtp:/,/^# *minimum_version:/ s/^#//' "$configfileloc"
362 | sed -i '/^ *filesystem:/ s/^/#/; /^ *filename:/ s/^/#/' "$configfileloc"
363 |
364 | # Escape a value for the replacement side of sed 's|...|...|': backslash, '&' and the '|' delimiter are special there
365 | sedesc() { printf '%s' "$1" | sed 's/[\\&|]/\\&/g'; }
366 |
367 | echo " "
368 | read -rp $'\e[1;36mWhat is the email username? EX: user@gmail.com\e[0m: ' EMAILUSERNAME
369 | read -rsp $'\e[1;36mWhat is the email password? (input is hidden)\e[0m: ' EMAILPASSWORD; echo
370 | read -rp $'\e[1;36mWhat is the email hostname? EX: mail.example.com\e[0m: ' EMAILHOST
371 | read -rp $'\e[1;36mWhat is the smtp port? (Typically 587 for STARTTLS or 465 for SMTPS)\e[0m: ' EMAILPORT
372 | read -rp $'\e[1;36mWhat is the name of the sender? (Typically the same as your email username)\e[0m: ' EMAILSENDER
373 | read -rp $'\e[1;36mWhat is the server name? (Ex: smtp.example.com)\e[0m: ' EMAILSERVERNAME
374 |
375 | # Values are escaped so a '/', '&' or '\' in the password cannot break sed or corrupt the file. The password is stored in plaintext in configuration.yml, so keep that file private (Authelia can also read it from a file via AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE).
376 | sed -i "s|EMAILUSERNAME|$(sedesc "$EMAILUSERNAME")|" "$configfileloc"
377 | sed -i "s|EMAILPASSWORD|$(sedesc "$EMAILPASSWORD")|" "$configfileloc"
378 | sed -i "s|EMAILHOST|$(sedesc "$EMAILHOST")|" "$configfileloc"
379 | sed -i "s|EMAILPORT|$(sedesc "$EMAILPORT")|" "$configfileloc"
380 | sed -i "s|EMAILSENDER|$(sedesc "$EMAILSENDER")|" "$configfileloc"
381 | sed -i "s|EMAILSERVERNAME|$(sedesc "$EMAILSERVERNAME")|" "$configfileloc"
382 |
383 | else
384 | echo " "
385 | echo -e "\e[1;33mUsing default.\e[0m"
386 | echo -e "\e[1;33mSkipping...\e[0m"
387 | echo " "
388 | fi
389 |
--------------------------------------------------------------------------------
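The HASHPASS substitution and the EMAIL* substitutions in setup.sh both feed strings the script does not control into the replacement side of a `sed s///` command, where `/`, `&` and `\` are significant; an argon2 digest always contains `$` and base64 `/`, and an SMTP password can contain anything. The following is an added example, not code from auto-authelia, showing a delimiter-safe version of that substitution together with the `Digest:` prefix stripping the script relies on. It assumes GNU sed (for `-i`) and uses constructed sample values in place of a real hash or password.

```shell
#!/bin/sh
# Added example (not part of auto-authelia): placeholder substitution that is
# safe for values containing sed metacharacters, as needed for HASHPASS and
# the EMAIL* placeholders in the generated Authelia YAML files.
set -eu

# Escape a value for the replacement side of a sed 's|...|...|' command.
# With '|' as the delimiter, only backslash, '&' and '|' are special there.
sed_escape_repl() {
    printf '%s' "$1" | sed 's/[\\&|]/\\&/g'
}

# Replace every occurrence of PLACEHOLDER in FILE with VALUE, in place.
replace_placeholder() {
    file=$1; placeholder=$2; value=$3
    sed -i "s|$placeholder|$(sed_escape_repl "$value")|g" "$file"
}

# `authelia crypto hash generate argon2 --password ...` prints "Digest: <hash>";
# strip the prefix to obtain the bare PHC-format hash.
extract_digest() {
    printf '%s' "${1#Digest: }"
}

# Constructed sample values (not real credentials): a digest containing '/' and
# '$', and an SMTP password containing '/', '&' and '\'.
SAMPLE_DIGEST_OUTPUT='Digest: $argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$abc/def+ghi'
SAMPLE_SMTP_PASSWORD='p4ss/w0rd&more\x'

# Build a small YAML file with both placeholders, substitute, and print it.
demo() {
    f=$(mktemp)
    printf 'users:\n  admin:\n    password: HASHPASS\nnotifier:\n  smtp:\n    password: EMAILPASSWORD\n' > "$f"
    replace_placeholder "$f" HASHPASS "$(extract_digest "$SAMPLE_DIGEST_OUTPUT")"
    replace_placeholder "$f" EMAILPASSWORD "$SAMPLE_SMTP_PASSWORD"
    cat "$f"
    rm -f "$f"
}

demo
```

With the unescaped form used in the script (`s/EMAILPASSWORD/$EMAILPASSWORD/`), the sample password above would make sed fail on the extra `/`, and a value containing `&` would have the placeholder name spliced into the secret.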
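The configuration template above carries three secrets inline (jwt_secret, session.secret and storage.encryption_key, the SECRETREPLACE placeholders) and its comments note that Authelia can read secrets from files through `AUTHELIA_*_FILE` environment variables instead. The following is an added example, not part of auto-authelia, that generates those secrets from `/dev/urandom` into mode-0600 files and prints the docker-compose environment lines that point Authelia at them. The secrets directory and the `/secrets` mount path inside the container are assumptions to be matched against the compose file.

```shell
#!/bin/sh
# Added example (not part of auto-authelia): keep Authelia's secrets out of
# configuration.yml by generating them into 0600 files and handing them to the
# container via AUTHELIA_*_FILE variables.
set -eu

# Random alphanumeric string of N characters from the kernel CSPRNG.
# 'A-Za-z0-9' gives about 5.95 bits per character, so 64 characters is ample.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# Write one secret to DIR/NAME, creating the file with 0600 permissions.
# Prints the path of the file written.
write_secret_file() {
    dir=$1; name=$2; length=$3
    ( umask 077; gen_secret "$length" > "$dir/$name" )
    printf '%s\n' "$dir/$name"
}

# Print docker-compose 'environment:' lines for the three secrets, generating
# any file that does not exist yet. /secrets is the assumed container mount
# point for DIR (e.g. "- ./secrets:/secrets:ro" in the compose volumes).
compose_env_lines() {
    dir=$1
    for pair in AUTHELIA_JWT_SECRET_FILE:jwt_secret \
                AUTHELIA_SESSION_SECRET_FILE:session_secret \
                AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE:storage_encryption_key; do
        var=${pair%%:*}; name=${pair#*:}
        [ -f "$dir/$name" ] || write_secret_file "$dir" "$name" 64 >/dev/null
        printf '      - %s=/secrets/%s\n' "$var" "$name"
    done
}

# Permission string of a file, e.g. "-rw-------" (portable; avoids stat -c).
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Demo run into a temporary directory; point SECRETS_DIR at the real one in use.
SECRETS_DIR=$(mktemp -d)
compose_env_lines "$SECRETS_DIR"
```

When a secret is supplied through a `*_FILE` variable, remove the corresponding key from configuration.yml: Authelia refuses to start if the same secret is defined in both places. The files only need to be readable by the user the container runs as, which is why they are created under `umask 077`.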
