feat: restructure Caddy and Nginx configurations for Authelia integration and remove unused LDAP service

Author: Youssef-Harby

authelia/configuration-lldap.yml

@@ -0,0 +1,119 @@
+---
+###############################################################
+#                   Authelia configuration                    #
+###############################################################
+
+# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
+identity_validation:
+  reset_password:
+    jwt_secret: a_very_important_secret
+
+server:
+  address: tcp://0.0.0.0:9091/
+  endpoints:
+    authz:
+      forward-auth:
+        implementation: "ForwardAuth"
+
+log:
+  level: debug
+
+totp:
+  issuer: authelia.com
+
+# duo_api:
+#  hostname: api-123456789.pygeoapi.local
+#  integration_key: ABCDEF
+#  # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
+#  secret_key: 1234567890abcdefghifjkl
+
+authentication_backend:
+  password_reset:
+    disable: false
+  refresh_interval: 1m
+  ldap:
+    implementation: custom
+    address: ldap://lldap:3890
+    timeout: 5s
+    start_tls: false
+    base_dn: dc=pygeoapi,dc=local
+    additional_users_dn: ou=people
+    users_filter: "(&({username_attribute}={input})(objectClass=person))"
+    additional_groups_dn: ou=groups
+    groups_filter: "(member={dn})"
+    attributes:
+      display_name: displayName
+      username: uid
+      group_name: cn
+      mail: mail
+    user: uid=admin,ou=people,dc=pygeoapi,dc=local
+    password: "super_strong_ldap_password" ## change this
+
+access_control:
+  default_policy: deny
+  rules:
+    - domain: "app.pygeoapi.local"
+      policy: one_factor
+      resources:
+        - "^/api/collections/obs.*"
+      subject:
+        - "group:cartologic"
+
+    - domain: "app.pygeoapi.local"
+      policy: one_factor
+      resources:
+        - "^/api/collections/lakes.*"
+      subject:
+        - "group:geobeyond"
+
+    - domain: "app.pygeoapi.local"
+      policy: one_factor
+      resources:
+        - "^.*\\/api(?:\\/)?(?:\\?.*)?$"
+        - "^/api/static/.*"
+        - "^.*\\/api\\/collections(?:\\?.*)?$"
+        - "^.*\\/api\\/processes(?:\\?.*)?$"
+        - "^.*\\/api\\/jobs(?:\\?.*)?$"
+        - "^.*\\/api\\/openapi(?:\\?.*)?$"
+        - "^.*\\/api\\/conformance(?:\\?.*)?$"
+      subject:
+        - "group:geobeyond"
+        - "group:cartologic"
+
+session:
+  secret: unsecure_session_secret
+  name: authelia_session
+  same_site: "lax"
+  inactivity: 5m
+  expiration: 1h
+  remember_me: 5M
+  # Remove the `cookies` block if keeping `domain`, or vice versa
+  domain: "pygeoapi.local"
+  # cookies:
+  #   - domain: "pygeoapi.local"
+  #     authelia_url: "https://pygeoapi.local"
+  #     default_redirection_url: "https://app.pygeoapi.local/api"
+  #     name: "authelia_session"
+  #     same_site: "lax"
+  #     inactivity: "5m"
+  #     expiration: "1h"
+  #     remember_me: "1d"
+
+  redis:
+    host: redis
+    port: 6379
+
+regulation:
+  max_retries: 3
+  find_time: 120
+  ban_time: 300
+
+storage:
+  encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
+  local:
+    path: /config/db.sqlite3
+
+notifier:
+  disable_startup_check: true
+  filesystem:
+    filename: /config/notification.txt

authelia/configuration.yml

@@ -87,19 +87,6 @@ session:
   inactivity: 5m
   expiration: 1h
   remember_me: 5M
-<<<<<<< HEAD
-  # Remove the `cookies` block if keeping `domain`, or vice versa
-  domain: "pygeoapi.local"
-  # cookies:
-  #   - domain: "pygeoapi.local"
-  #     authelia_url: "https://pygeoapi.local"
-  #     default_redirection_url: "https://app.pygeoapi.local/api"
-  #     name: "authelia_session"
-  #     same_site: "lax"
-  #     inactivity: "5m"
-  #     expiration: "1h"
-  #     remember_me: "1d"
-=======
   cookies:
     - domain: "pygeoapi.local"
       authelia_url: "https://pygeoapi.local"
@@ -109,7 +96,6 @@ session:
       inactivity: "5m"
       expiration: "1h"
       remember_me: "1d"
->>>>>>> main
 
   redis:
     host: redis

caddy/Caddyfile

@@ -13,8 +13,4 @@ app.pygeoapi.local {
                 header_up Proxy-Authorization {http.request.header.Authorization}
         }
         reverse_proxy pygeoapi:80
-}
-
-lldap.pygeoapi.local {
-        reverse_proxy lldap:17170 
 }

caddy/lldap.Caddyfile

@@ -0,0 +1,20 @@
+# Authelia Portal.
+pygeoapi.local {
+        reverse_proxy authelia:9091
+}
+
+# Protected Endpoint.
+app.pygeoapi.local {
+        forward_auth authelia:9091 {
+                uri /api/authz/forward-auth?authelia_url=https://pygeoapi.local/
+                copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+                header_up X-Forwarded-Method {method}
+                header_up X-Forwarded-URI {uri}
+                header_up Proxy-Authorization {http.request.header.Authorization}
+        }
+        reverse_proxy pygeoapi:80
+}
+
+lldap.pygeoapi.local {
+        reverse_proxy lldap:17170 
+}

docker-compose-caddy-lldap.yml

@@ -0,0 +1,75 @@
+services:
+  caddy:
+    container_name: caddy
+    image: caddy:2.8.4
+    restart: unless-stopped
+    networks:
+      - caddy
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - ./caddy/lldap.Caddyfile:/etc/caddy/Caddyfile
+
+  authelia:
+    container_name: authelia
+    image: authelia/authelia:4.38.17
+    restart: unless-stopped
+    networks:
+      - caddy
+    expose:
+      - 9091
+    ports:
+      - 9091
+    volumes:
+      - ./authelia:/config
+      - ./authelia/configuration-lldap.yml:/config/configuration.yml
+    depends_on:
+      - redis
+    environment:
+      - AUTHELIA_SESSION_DOMAIN=pygeoapi.local
+      - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD=super_strong_ldap_password
+      - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN=dc=pygeoapi,dc=local
+
+  redis:
+    container_name: redis
+    image: redis:7.0
+    restart: unless-stopped
+    networks:
+      - caddy
+
+  pygeoapi:
+    container_name: pygeoapi
+    image: geopython/pygeoapi:latest
+    volumes:
+      - ./pygeoapi-config.yml:/pygeoapi/local.config.yml
+    ports:
+      - 80
+    environment:
+      - SCRIPT_NAME=/api
+    depends_on:
+      - redis
+      - caddy
+      - authelia
+    networks:
+      - caddy
+
+  lldap:
+    container_name: lldap
+    image: lldap/lldap:stable
+    restart: unless-stopped
+    networks:
+      - caddy
+    expose:
+      - 3890 # LDAP service
+      - 17170 # Web service
+    volumes:
+      - ./lldap/config:/data:rw
+    environment:
+      - LLDAP_JWT_SECRET=REPLACE_WITH_RANDOM
+      - LLDAP_KEY_SEED=REPLACE_WITH_RANDOM
+      - LLDAP_LDAP_BASE_DN=dc=pygeoapi,dc=local
+      - LLDAP_LDAP_USER_PASS="super_strong_ldap_password"
+networks:
+  caddy:
+    name: caddy

docker-compose-nginx-lldap.yml

@@ -0,0 +1,73 @@
+
+services:
+  nginx:
+    container_name: nginx
+    image: lscr.io/linuxserver/nginx
+    restart: unless-stopped
+    networks:
+      - nginx
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - ./nginx/site-confs:/config/nginx/site-confs
+      - ./nginx/snippets:/config/nginx/snippets
+      - ./nginx/certs:/config/ssl # see nginx/README.md to generate self signed certs in this directory
+    environment:
+      TZ: 'UTC'
+      DOCKER_MODS: 'linuxserver/mods:nginx-proxy-confs'
+
+  authelia:
+    container_name: authelia
+    image: authelia/authelia:4.38.9
+    restart: unless-stopped
+    networks:
+      - nginx
+    ports:
+      - 9091:9091
+    volumes:
+      - ./authelia:/config
+      - ./authelia/configuration-lldap.yml:/config/configuration.yml
+    depends_on:
+      - redis
+
+  redis:
+    container_name: redis
+    image: redis:7.0
+    restart: unless-stopped
+    networks:
+      - nginx
+
+  pygeoapi:
+    container_name: pygeoapi
+    image: geopython/pygeoapi:latest
+    volumes:
+      - ./pygeoapi-config.yml:/pygeoapi/local.config.yml
+    environment:
+      - SCRIPT_NAME=/api
+    depends_on:
+      - redis
+      - nginx
+      - authelia
+    networks:
+      - nginx
+
+  lldap:
+    container_name: lldap
+    image: lldap/lldap:stable
+    restart: unless-stopped
+    networks:
+      - nginx
+    expose:
+      - 3890 # LDAP service
+      - 17170 # Web service
+    volumes:
+      - ./lldap/config:/data:rw
+    environment:
+      - LLDAP_JWT_SECRET=REPLACE_WITH_RANDOM
+      - LLDAP_KEY_SEED=REPLACE_WITH_RANDOM
+      - LLDAP_LDAP_BASE_DN=dc=pygeoapi,dc=local
+      - LLDAP_LDAP_USER_PASS="super_strong_ldap_password"
+networks:
+  nginx:
+    name: nginx

docker-compose.yml

@@ -25,10 +25,6 @@ services:
       - ./authelia:/config
     depends_on:
       - redis
-    environment:
-      - AUTHELIA_SESSION_DOMAIN=pygeoapi.local
-      - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD=super_strong_ldap_password
-      - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN=dc=pygeoapi,dc=local
 
   redis:
     container_name: redis
@@ -53,22 +49,6 @@ services:
     networks:
       - caddy
 
-  lldap:
-    container_name: lldap
-    image: lldap/lldap:stable
-    restart: unless-stopped
-    networks:
-      - caddy
-    expose:
-      - 3890 # LDAP service
-      - 17170 # Web service
-    volumes:
-      - ./lldap/config:/data:rw
-    environment:
-      - LLDAP_JWT_SECRET=REPLACE_WITH_RANDOM
-      - LLDAP_KEY_SEED=REPLACE_WITH_RANDOM
-      - LLDAP_LDAP_BASE_DN=dc=pygeoapi,dc=local
-      - LLDAP_LDAP_USER_PASS="super_strong_ldap_password"
 networks:
   caddy:
-    name: caddy
+    name: caddy