Initial Commit

2022-09-09 16:37:09 -07:00
commit dddb37e979
21 changed files with 826 additions and 0 deletions
--- a/authelia/README.md
+++ b/authelia/README.md
@@ -0,0 +1,11 @@
+# Authelia
+
+This job file runs [Authelia](https://www.authelia.com/), which allows users to protect services that prpvide no authentication mechanism with a password and 2fa. It can also be used to log in to other self-hosted services, similar to how "Log in to Google" buttons work.
+
+IMPORTANT NOTE: Some services in this repo are protected by Authelia. You can find out which by doing Ctrl+F in their nomad files and searching for "authelia". If you are not running Authelia, those services will be available WITHOUT A PASSWORD, so do not expose them to the internet without Authelia protecting them.
+
+This job requires one volume for Authelia's config and secrets. This volume should be named `authelia-config`, and be read/write, not readonly. 
+
+There is one thing you will want to change in this file. In the `env` stanza, the timezone, or `TZ`, is set to "CHANGE ME". Set this to your timezone as it is used when generating TOTP codes for 2fa.
+
+Since configuration for Authelia is complex and heavily dependent on your environment and what you want it to do, I will leave my authelia config out and instead direct you to the documentation: https://www.authelia.com/configuration/prologue/introduction/, and this blog post that I used when configuring authelia: https://spad.uk/configure-authelia-to-work-with-traefik/.
--- a/authelia/authelia.nomad
+++ b/authelia/authelia.nomad
@@ -0,0 +1,54 @@
+job "authelia" {
+  region      = "global"
+  datacenters = ["dc1"]
+  type        = "service"
+
+  group "authelia" {
+    count = 1
+
+    volume "authelia-config" {
+      type      = "host"
+      source    = "authelia-config"
+      read_only = false
+    }
+
+    network {
+      port "authelia" {
+        to = 9091
+        static = 9091
+      }
+    }
+
+    task "authelia" {
+      driver = "docker"
+
+      volume_mount {
+        volume      = "authelia-config"
+        destination = "/config"
+        read_only   = false
+      }
+
+      env {
+        TZ                           = "CHANGE ME"
+        AUTHELIA_JWT_SECRET_FILE     = "/config/secrets/jwt"
+        AUTHELIA_SESSION_SECRET_FILE = "/config/secrets/session"
+      }
+
+      config {
+        image = "authelia/authelia:latest"
+        ports = ["authelia"]
+      }
+
+      service {
+        name = "authelia"
+        port = "authelia"
+
+        tags = [
+          "traefik.enable=true",
+          "traefik.http.routers.authelia.rule=Host(`auth.arsenm.dev`)",
+          "traefik.http.routers.authelia.tls.certResolver=letsencrypt",
+        ]
+      }
+    }
+  }
+}