From ff7f9a50ab39b6e7932f216732001562a567dece Mon Sep 17 00:00:00 2001 
From: Amir Zarrinkafsh Date: Wed, 17 Jun 2020 16:25:35 +1000 Subject: [PATCH] [FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml --- .buildkite/hooks/pre-artifact | 2 +- BREAKING.md | 14 +++++ Dockerfile | 15 +++--- Dockerfile.arm32v7 | 15 +++--- Dockerfile.arm64v8 | 15 +++--- Dockerfile.coverage | 15 +++--- cmd/authelia-scripts/cmd_build.go | 9 ++++ compose/lite/{ => authelia}/configuration.yml | 4 +- .../lite/{ => authelia}/users_database.yml | 0 compose/lite/docker-compose.yml | 4 +- compose/local/configuration.yml | 45 ---------------- compose/local/docker-compose.yml | 4 +- compose/local/users_database.yml | 14 ----- config.template.yml | 12 ++--- 
docs/configuration/authentication/file.md | 2 +- docs/configuration/miscellaneous.md | 6 +-- docs/configuration/notifier/filesystem.md | 2 +- docs/configuration/notifier/smtp.md | 2 +- docs/configuration/secrets.md | 39 +++++++------- docs/configuration/storage/sqlite.md | 2 +- docs/deployment/deployment-ha.md | 2 +- .../supported-proxies/traefik1.x.md | 3 +- .../supported-proxies/traefik2.x.md | 3 +- go.sum | 29 ++--------- internal/authentication/configuration.gen.go | 5 ++ internal/authentication/file_user_provider.go | 51 +++++++++++++++++++ .../authentication/file_user_provider_test.go | 37 ++++++++++++++ internal/configuration/configuration.gen.go | 5 ++ internal/configuration/reader.go | 34 ++++++++++++- internal/configuration/reader_test.go | 32 +++++++++++- .../test_resources/config_bad_keys.yml | 2 +- .../test_resources/config_bad_quoting.yml | 2 +- internal/suites/BypassAll/configuration.yml | 8 +-- internal/suites/BypassAll/docker-compose.yml | 6 +-- internal/suites/Docker/configuration.yml | 8 +-- internal/suites/Docker/docker-compose.yml | 6 +-- internal/suites/DuoPush/configuration.yml | 8 +-- internal/suites/DuoPush/docker-compose.yml | 6 +-- internal/suites/HAProxy/configuration.yml | 8 +-- internal/suites/HAProxy/docker-compose.yml | 6 +-- .../suites/HighAvailability/configuration.yml | 4 +- .../HighAvailability/docker-compose.yml | 4 +- internal/suites/LDAP/configuration.yml | 6 +-- internal/suites/LDAP/docker-compose.yml | 4 +- internal/suites/Mariadb/configuration.yml | 6 +-- internal/suites/Mariadb/docker-compose.yml | 6 +-- internal/suites/MySQL/configuration.yml | 6 +-- internal/suites/MySQL/docker-compose.yml | 6 +-- internal/suites/NetworkACL/configuration.yml | 8 +-- internal/suites/NetworkACL/docker-compose.yml | 6 +-- .../suites/OneFactorOnly/configuration.yml | 8 +-- .../suites/OneFactorOnly/docker-compose.yml | 6 +-- internal/suites/PathPrefix/configuration.yml | 8 +-- internal/suites/PathPrefix/docker-compose.yml | 6 +-- 
internal/suites/Postgres/configuration.yml | 6 +-- internal/suites/Postgres/docker-compose.yml | 6 +-- .../suites/ShortTimeouts/configuration.yml | 8 +-- .../suites/ShortTimeouts/docker-compose.yml | 6 +-- internal/suites/Standalone/configuration.yml | 6 +-- internal/suites/Standalone/docker-compose.yml | 6 +-- internal/suites/Traefik/configuration.yml | 8 +-- internal/suites/Traefik/docker-compose.yml | 6 +-- internal/suites/Traefik2/configuration.yml | 8 +-- internal/suites/Traefik2/docker-compose.yml | 6 +-- .../compose/authelia/Dockerfile.backend | 6 +-- .../authelia/docker-compose.backend.dist.yml | 2 +- .../authelia/resources/run-backend-dev.sh | 2 +- .../kube/authelia/configs/configuration.yml | 4 +- .../example/kube/authelia/deployment.yml | 14 ++--- .../suites/example/swarm/docker-compose.yml | 4 +- 70 files changed, 380 insertions(+), 284 deletions(-) rename compose/lite/{ => authelia}/configuration.yml (95%) rename compose/lite/{ => authelia}/users_database.yml (100%) delete mode 100644 compose/local/configuration.yml delete mode 100644 compose/local/users_database.yml create mode 100644 internal/authentication/configuration.gen.go create mode 100644 internal/configuration/configuration.gen.go diff --git a/.buildkite/hooks/pre-artifact b/.buildkite/hooks/pre-artifact index fc2a6719..a9f62a4d 100755 --- a/.buildkite/hooks/pre-artifact +++ b/.buildkite/hooks/pre-artifact @@ -14,7 +14,7 @@ if [[ $BUILDKITE_LABEL =~ ":docker: Build Image" ]]; then # Save binary for buildkite and github artifacts if [[ "${ARCH}" != "coverage" ]]; then docker create --name authelia-binary ${DOCKER_IMAGE}:latest - docker cp authelia-binary:/usr/app/authelia ./authelia-"${OS}"-"${ARCH}" + docker cp authelia-binary:/app/authelia ./authelia-"${OS}"-"${ARCH}" docker rm -f authelia-binary tar -czf authelia-"${OS}"-"${ARCH}".tar.gz authelia-"${OS}"-"${ARCH}" authelia.service config.template.yml sha256sum authelia-"${OS}"-"${ARCH}".tar.gz > authelia-"${OS}"-"${ARCH}".tar.gz.sha256 
diff --git a/BREAKING.md b/BREAKING.md index 9e0bd5f5..920deb55 100644 --- a/BREAKING.md +++ b/BREAKING.md @@ -6,6 +6,20 @@ recommended not to use the 'latest' Docker image tag blindly but pick a version and read this documentation before upgrading. This is where you will get information about breaking changes and about what you should do to overcome those changes. +## Breaking in v4.20.0 +* Authelia's Docker volumes have been refactored. All data should reside within a single volume of `/config`. +All examples have been updated to reflect this change. The entrypoint for the container changed from +`authelia --config /etc/authelia/configuration.yml` to `authelia --config /config/configuration.yml`. + +Users migrating to v4.20.0 have two options: +1. Change your container mappings to point to `/config` also change any associated paths in your `configuration.yml` to +represent the new `/config` mappings. +2. Change your container entry point back to `authelia --config /etc/authelia/configuration.yml` + * **Docker Compose:** `command: authelia --config /etc/authelia/configuration.yml` + * **Docker Run:** `docker run -d -v /path/on/host:/etc/authelia authelia/authelia:latest authelia --config /etc/authelia/configuration.yml` + +The team recommends option 1 to unify/simplify troubleshooting for support related issues. + ## Breaking in v4.18.0 * Secrets stored directly in ENV are now removed from Authelia. They have been replaced with file secrets. If you still have not moved feel free to contact the team for assistance, otherwise the diff --git a/Dockerfile b/Dockerfile index 557136b7..3dd5b73e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -22,7 +22,7 @@ RUN apk --no-cache add gcc musl-dev WORKDIR /go/src/app -COPY go.mod go.sum ./ +COPY go.mod go.sum config.template.yml ./ COPY --from=builder-frontend /node/src/app/build public_html RUN go mod download 
@@ -32,7 +32,9 @@ COPY internal internal # Prepare static files to be embedded in Go binary RUN go get -u aletheia.icu/broccoli && \ -cd internal/server && \ +cd internal/configuration && \ +go generate . && \ +cd ../server && \ go generate . # Set the build version and time @@ -51,15 +53,14 @@ FROM alpine:3.12.0 RUN apk --no-cache add ca-certificates tzdata -WORKDIR /usr/app +WORKDIR /app COPY --from=builder-backend /go/src/app/cmd/authelia/authelia ./ EXPOSE 9091 -VOLUME /etc/authelia -VOLUME /var/lib/authelia +VOLUME /config -ENV PATH="/usr/app:${PATH}" +ENV PATH="/app:${PATH}" -CMD ["./authelia", "--config", "/etc/authelia/configuration.yml"] +CMD ["authelia", "--config", "/config/configuration.yml"] diff --git a/Dockerfile.arm32v7 b/Dockerfile.arm32v7 index 2a4673e0..25c2ddea 100644 --- a/Dockerfile.arm32v7 +++ b/Dockerfile.arm32v7 @@ -25,7 +25,7 @@ RUN apk --no-cache add curl && \ WORKDIR /go/src/app -COPY go.mod go.sum ./ +COPY go.mod go.sum config.template.yml ./ COPY --from=builder-frontend /node/src/app/build public_html RUN go mod download @@ -35,7 +35,9 @@ COPY internal internal # Prepare static files to be embedded in Go binary RUN go get -u aletheia.icu/broccoli && \ -cd internal/server && \ +cd internal/configuration && \ +go generate . && \ +cd ../server && \ go generate . # Set the build version and time @@ -57,15 +59,14 @@ COPY ./qemu-arm-static /usr/bin/qemu-arm-static RUN apk --no-cache add ca-certificates tzdata && \ rm /usr/bin/qemu-arm-static -WORKDIR /usr/app +WORKDIR /app COPY --from=builder-backend /go/src/app/cmd/authelia/authelia ./ EXPOSE 9091 -VOLUME /etc/authelia -VOLUME /var/lib/authelia +VOLUME /config -ENV PATH="/usr/app:${PATH}" +ENV PATH="/app:${PATH}" -CMD ["./authelia", "--config", "/etc/authelia/configuration.yml"] +CMD ["authelia", "--config", "/config/configuration.yml"] diff --git a/Dockerfile.arm64v8 b/Dockerfile.arm64v8 index 396b59ff..a42a95be 100644 --- a/Dockerfile.arm64v8 +++ b/Dockerfile.arm64v8 
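Review bot: The added generate step covers only `internal/configuration` and `internal/server`, while the diffstat shows a second committed embed, `internal/authentication/configuration.gen.go` (the `users_database.template.yml` asset), that nothing in this patch regenerates during the image build, so a later edit to that template ships stale unless someone remembers to commit a regenerated blob — unless the directive in `internal/configuration` also covers it, which this diff does not show. The same three lines recur in Dockerfile.arm32v7, Dockerfile.arm64v8 and Dockerfile.coverage, and the Go equivalent in cmd/authelia-scripts/cmd_build.go has the same gap; either add `cd ../authentication && go generate . && \` to each, or stop committing the `.gen.go` files so the build is the only source. Separately, the context line `go get -u aletheia.icu/broccoli` fetches whatever broccoli version is newest at build time with no pin or checksum, so the bytes embedded into the binary depend on an unpinned third-party tool; pinning it in go.mod (a tools import) and running it from there would make the generated assets reproducible.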
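Review bot: `VOLUME /config` now collects the configuration (with `jwt_secret` and the session secret), the file user database, the SQLite store, the notifier file and the log into one writable mount, and no `USER` directive is visible in the hunk, so the process presumably runs as root with write access to its own configuration and credential store, whereas the old layout let `configuration.yml` be mounted `:ro` on its own. Consider a non-root `USER` here — the commit message says generated files are created 0600, so ownership is already controlled — and a line in BREAKING.md telling operators they can still overlay `configuration.yml:ro` on top of the volume. Because a missing config is now generated from the template (per the description; reader.go is outside this hunk), a container started with its volume still at the old `/etc/authelia` path gets a fresh default `/config/configuration.yml` instead of a startup error; confirm the generator exits after writing rather than booting with the generated defaults. The same runtime block recurs in Dockerfile.arm32v7, Dockerfile.arm64v8 and Dockerfile.coverage, where the CMD's `-test.coverprofile=/authelia/coverage.txt` points outside both `/app` and `/config` — presumably a suite bind mount, worth confirming.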
@@ -25,7 +25,7 @@ RUN apk --no-cache add curl && \ WORKDIR /go/src/app -COPY go.mod go.sum ./ +COPY go.mod go.sum config.template.yml ./ COPY --from=builder-frontend /node/src/app/build public_html RUN go mod download @@ -35,7 +35,9 @@ COPY internal internal # Prepare static files to be embedded in Go binary RUN go get -u aletheia.icu/broccoli && \ -cd internal/server && \ +cd internal/configuration && \ +go generate . && \ +cd ../server && \ go generate . # Set the build version and time @@ -57,15 +59,14 @@ COPY ./qemu-aarch64-static /usr/bin/qemu-aarch64-static RUN apk --no-cache add ca-certificates tzdata && \ rm /usr/bin/qemu-aarch64-static -WORKDIR /usr/app +WORKDIR /app COPY --from=builder-backend /go/src/app/cmd/authelia/authelia ./ EXPOSE 9091 -VOLUME /etc/authelia -VOLUME /var/lib/authelia +VOLUME /config -ENV PATH="/usr/app:${PATH}" +ENV PATH="/app:${PATH}" -CMD ["./authelia", "--config", "/etc/authelia/configuration.yml"] +CMD ["authelia", "--config", "/config/configuration.yml"] diff --git a/Dockerfile.coverage b/Dockerfile.coverage index 96558929..98aec871 100644 --- a/Dockerfile.coverage +++ b/Dockerfile.coverage @@ -22,7 +22,7 @@ RUN apk --no-cache add gcc musl-dev WORKDIR /go/src/app -COPY go.mod go.sum ./ +COPY go.mod go.sum config.template.yml ./ COPY --from=builder-frontend /node/src/app/build public_html RUN go mod download @@ -32,7 +32,9 @@ COPY internal internal # Prepare static files to be embedded in Go binary RUN go get -u aletheia.icu/broccoli && \ -cd internal/server && \ +cd internal/configuration && \ +go generate . && \ +cd ../server && \ go generate . # Set the build version and time 
@@ -51,15 +53,14 @@ FROM alpine:3.12.0
 RUN apk --no-cache add ca-certificates tzdata
-WORKDIR /usr/app
+WORKDIR /app
 COPY --from=builder-backend /go/src/app/cmd/authelia/authelia ./
 EXPOSE 9091
-VOLUME /etc/authelia
-VOLUME /var/lib/authelia
+VOLUME /config
-ENV PATH="/usr/app:${PATH}"
+ENV PATH="/app:${PATH}"
-CMD ["./authelia", "-test.coverprofile=/app/coverage.txt", "COVERAGE", "--config", "/etc/authelia/configuration.yml"]
+CMD ["authelia", "-test.coverprofile=/authelia/coverage.txt", "COVERAGE", "--config", "/config/configuration.yml"]
diff --git a/cmd/authelia-scripts/cmd_build.go b/cmd/authelia-scripts/cmd_build.go
index 9c955d6e..21aa9669 100644
--- a/cmd/authelia-scripts/cmd_build.go
+++ b/cmd/authelia-scripts/cmd_build.go
@@ -56,6 +56,15 @@ func generateEmbeddedAssets() {
 panic(err)
 }
+ cmd = utils.CommandWithStdout("go", "generate", ".")
+ cmd.Dir = "internal/configuration"
+
+ err = cmd.Run()
+
+ if err != nil {
+ panic(err)
+ }
+
 cmd = utils.CommandWithStdout("go", "generate", ".")
 cmd.Dir = "internal/server"
diff --git a/compose/lite/configuration.yml b/compose/lite/authelia/configuration.yml
similarity index 95%
rename from compose/lite/configuration.yml
rename to compose/lite/authelia/configuration.yml
index dc88a91c..e7e56357 100644
--- a/compose/lite/configuration.yml
+++ b/compose/lite/authelia/configuration.yml
@@ -19,7 +19,7 @@ totp:
 authentication_backend:
 file:
- path: /etc/authelia/users_database.yml
+ path: /config/users_database.yml
 access_control:
 default_policy: deny
@@ -53,7 +53,7 @@ regulation:
 storage:
 local:
- path: /var/lib/authelia/db.sqlite3
+ path: /config/db.sqlite3
 notifier:
 smtp:
diff --git a/compose/lite/users_database.yml b/compose/lite/authelia/users_database.yml
similarity index 100%
rename from compose/lite/users_database.yml
rename to compose/lite/authelia/users_database.yml
diff --git a/compose/lite/docker-compose.yml b/compose/lite/docker-compose.yml
index 884f4e24..d0e9f761 100644
--- a/compose/lite/docker-compose.yml
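Review bot: The added block is a verbatim copy of the `internal/server` one that follows it, so each further embed package means another copy of the command/run/panic triple and a second place where a package can be forgotten; `generateEmbeddedAssets` begins outside the hunk, so the earlier steps are not visible here. A loop over the package directories keeps the list in one place and makes an omission obvious.
```go
// … unchanged: earlier steps of generateEmbeddedAssets …
for _, dir := range []string{"internal/configuration", "internal/server"} {
	cmd = utils.CommandWithStdout("go", "generate", ".")
	cmd.Dir = dir

	if err = cmd.Run(); err != nil {
		panic(err)
	}
}
```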
+++ b/compose/lite/docker-compose.yml
@@ -9,9 +9,7 @@ services:
 image: authelia/authelia
 container_name: authelia
 volumes:
- - ./authelia:/var/lib/authelia
- - ./configuration.yml:/etc/authelia/configuration.yml:ro
- - ./users_database.yml:/etc/authelia/users_database.yml
+ - ./authelia:/config
 networks:
 - net
 labels:
diff --git a/compose/local/configuration.yml b/compose/local/configuration.yml
deleted file mode 100644
index 4c56917f..00000000
--- a/compose/local/configuration.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-###############################################################
-# Authelia configuration #
-###############################################################
-
-host: 0.0.0.0
-port: 9091
-log_level: debug
-jwt_secret: a_very_important_secret
-default_redirection_url: https://public.example.com
-totp:
- issuer: authelia.com
-
-authentication_backend:
- file:
- path: /etc/authelia/users_database.yml
-
-access_control:
- default_policy: deny
- rules:
- - domain: public.example.com
- policy: bypass
- - domain: traefik.example.com
- policy: one_factor
- - domain: secure.example.com
- policy: two_factor
-
-session:
- name: authelia_session
- secret: unsecure_session_secret
- expiration: 3600 # 1 hour
- inactivity: 300 # 5 minutes
- domain: example.com # Should match whatever your root protected domain is
-
-regulation:
- max_retries: 3
- find_time: 120
- ban_time: 300
-
-storage:
- local:
- path: /var/lib/authelia/db.sqlite3
-
-notifier:
- filesystem:
- filename: /var/lib/authelia/notification.txt
\ No newline at end of file
diff --git a/compose/local/docker-compose.yml b/compose/local/docker-compose.yml
index 83b4eb56..4c3908e6 100644
--- a/compose/local/docker-compose.yml
+++ b/compose/local/docker-compose.yml
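Review bot: The single `- ./authelia:/config` mount drops the `:ro` that the removed `./configuration.yml:/etc/authelia/configuration.yml:ro` line carried, so the example now lets the Authelia process — and anything that compromises it — rewrite its own `configuration.yml`, including `access_control` rules and `jwt_secret`, alongside the writable `db.sqlite3` and `users_database.yml` it legitimately needs. Keep the directory mount for state and overlay the config read-only: `- ./authelia:/config` followed by `- ./authelia/configuration.yml:/config/configuration.yml:ro`. The overlay requires the host file to exist first (Docker otherwise creates a directory at that path), which fits the new generate-on-missing behaviour only after an initial run without it, so the example should say so. The `compose/local/docker-compose.yml` hunk and the examples in docs/configuration/secrets.md and the Traefik proxy docs make the same change.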
@@ -9,9 +9,7 @@ services:
 image: authelia/authelia
 container_name: authelia
 volumes:
- - ./authelia:/var/lib/authelia
- - ./configuration.yml:/etc/authelia/configuration.yml:ro
- - ./users_database.yml:/etc/authelia/users_database.yml
+ - ./authelia:/config
 networks:
 - net
 labels:
diff --git a/compose/local/users_database.yml b/compose/local/users_database.yml
deleted file mode 100644
index 3feabf73..00000000
--- a/compose/local/users_database.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-###############################################################
-# Users Database #
-###############################################################
-
-# This file can be used if you do not have an LDAP set up.
-
-# List of users
-users:
- :
- password: ""
- email: @example.com
- groups:
- - admins
- - dev
\ No newline at end of file
diff --git a/config.template.yml b/config.template.yml
index b327433c..6025f066 100644
--- a/config.template.yml
+++ b/config.template.yml
@@ -5,8 +5,8 @@
 # The host and port to listen on
 host: 0.0.0.0
 port: 9091
-# tls_key: /var/lib/authelia/ssl/key.pem
-# tls_cert: /var/lib/authelia/ssl/cert.pem
+# tls_key: /config/ssl/key.pem
+# tls_cert: /config/ssl/cert.pem
 # Configuration options specific to the internal http server
 server:
@@ -22,7 +22,7 @@ server:
 # Level of verbosity for logs: info, debug, trace
 log_level: debug
 ## File path where the logs will be written. If not set logs are written to stdout.
-# log_file_path: /var/log/authelia
+# log_file_path: /config/authelia.log
 # The secret used to generate JWT tokens when validating user identity by
 # email confirmation.
@@ -169,7 +169,7 @@ authentication_backend:
 # https://docs.authelia.com/configuration/authentication/file.html#password-hash-algorithm-tuning
 #
 ## file:
- ## path: ./users_database.yml
+ ## path: /config/users_database.yml
 ## password:
 ## algorithm: argon2id
 ## iterations: 1
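Review bot: With this template now also serving as the bootstrap configuration written when `--config` points at a missing file (per the commit description; the generator itself is outside this hunk), the uncommented `log_level: debug` on the context line above becomes the effective default of every auto-generated deployment, and the example `log_file_path` now directs that debug log into the same `/config` volume that holds the secrets and user database. If the generated file is the template verbatim, consider shipping `log_level: info` with the comment explaining when to raise it, and noting next to `log_file_path` that the log shares the volume with credential material so its permissions matter; the hunk itself only moves the path.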
@@ -345,7 +345,7 @@ regulation: storage: # The directory where the DB files will be saved ## local: - ## path: /var/lib/authelia/db.sqlite3 + ## path: /config/db.sqlite3 # Settings to connect to MySQL server mysql: @@ -377,7 +377,7 @@ notifier: # For testing purpose, notifications can be sent in a file ## filesystem: - ## filename: /tmp/authelia/notification.txt + ## filename: /config/notification.txt # Use a SMTP server for sending notifications. Authelia uses PLAIN or LOGIN method to authenticate. # [Security] By default Authelia will: diff --git a/docs/configuration/authentication/file.md b/docs/configuration/authentication/file.md index be2ccfff..72e8718c 100644 --- a/docs/configuration/authentication/file.md +++ b/docs/configuration/authentication/file.md @@ -33,7 +33,7 @@ authentication_backend: # https://docs.authelia.com/configuration/authentication/file.html#password-hash-algorithm-tuning file: - path: /var/lib/authelia/users.yml + path: /config/users.yml password: algorithm: argon2id iterations: 1 diff --git a/docs/configuration/miscellaneous.md b/docs/configuration/miscellaneous.md index 8796a0a7..a248a2ba 100644 --- a/docs/configuration/miscellaneous.md +++ b/docs/configuration/miscellaneous.md @@ -28,8 +28,8 @@ Authelia can use TLS. Provide the certificate and the key with the following configuration options: ```yaml -tls_key: /var/lib/authelia/ssl/key.pem -tls_cert: /var/lib/authelia/ssl/cert.pem +tls_key: /config/ssl/key.pem +tls_cert: /config/ssl/cert.pem ``` ## Log @@ -55,7 +55,7 @@ Logs can be stored in a file when file path is provided. Otherwise logs are written to standard output. ```yaml -log_file_path: /var/log/authelia.log +log_file_path: /config/authelia.log ``` diff --git a/docs/configuration/notifier/filesystem.md b/docs/configuration/notifier/filesystem.md index c3267c9e..ae9547a7 100644 --- a/docs/configuration/notifier/filesystem.md +++ b/docs/configuration/notifier/filesystem.md 
@@ -23,5 +23,5 @@ notifier: # For testing purpose, notifications can be sent in a file. filesystem: - filename: /tmp/authelia/notification.txt + filename: /config/notification.txt ``` diff --git a/docs/configuration/notifier/smtp.md b/docs/configuration/notifier/smtp.md index 2036e1bc..c95731c4 100644 --- a/docs/configuration/notifier/smtp.md +++ b/docs/configuration/notifier/smtp.md @@ -23,7 +23,7 @@ notifier: # For testing purpose, notifications can be sent in a file. ## filesystem: - ## filename: /tmp/authelia/notification.txt + ## filename: /config/notification.txt # Use a SMTP server for sending notifications. Authelia uses PLAIN or LOGIN method to authenticate. # [Security] By default Authelia will: diff --git a/docs/configuration/secrets.md b/docs/configuration/secrets.md index b33e5b9d..ec677476 100644 --- a/docs/configuration/secrets.md +++ b/docs/configuration/secrets.md @@ -107,8 +107,7 @@ services: - smtp - ldap volumes: - - /path/to/authelia:/var/lib/authelia - - /path/to/authelia/configuration.yml:/etc/authelia/configuration.yml:ro + - /path/to/authelia:/config networks: - net expose: @@ -129,7 +128,7 @@ services: This example assumes secrets are stored in `/path/to/authelia/secrets/{secretname}` on the host and are exposed with bind mounted secret files in a `docker-compose.yml` file -at `/etc/authelia/secrets/`: +at `/config/secrets/`: ```yaml version: '3.8' 
@@ -143,22 +142,20 @@ services: image: authelia/authelia container_name: authelia volumes: - - /path/to/authelia:/var/lib/authelia - - /path/to/authelia/configuration.yml:/etc/authelia/configuration.yml:ro - - /path/to/authelia/secrets:/etc/authelia/secrets + - /path/to/authelia:/config networks: - net expose: - 9091 restart: unless-stopped environment: - - AUTHELIA_JWT_SECRET_FILE=/etc/authelia/secrets/jwt - - AUTHELIA_DUO_API_SECRET_KEY_FILE=/etc/authelia/secrets/duo - - AUTHELIA_SESSION_SECRET_FILE=/etc/authelia/secrets/session - - AUTHELIA_SESSION_REDIS_PASSWORD_FILE=/etc/authelia/secrets/redis - - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/etc/authelia/secrets/mysql - - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/etc/authelia/secrets/smtp - - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/etc/authelia/secrets/ldap + - AUTHELIA_JWT_SECRET_FILE=/config/secrets/jwt + - AUTHELIA_DUO_API_SECRET_KEY_FILE=/config/secrets/duo + - AUTHELIA_SESSION_SECRET_FILE=/config/secrets/session + - AUTHELIA_SESSION_REDIS_PASSWORD_FILE=/config/secrets/redis + - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/config/secrets/mysql + - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/config/secrets/smtp + - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/config/secrets/ldap - TZ=Australia/Melbourne ``` 
@@ -233,17 +230,17 @@ spec: imagePullPolicy: IfNotPresent env: - name: AUTHELIA_JWT_SECRET_FILE - value: /usr/app/secrets/jwt + value: /app/secrets/jwt - name: AUTHELIA_DUO_API_SECRET_KEY_FILE - value: /usr/app/secrets/duo + value: /app/secrets/duo - name: AUTHELIA_SESSION_SECRET_FILE - value: /usr/app/secrets/session + value: /app/secrets/session - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE - value: /usr/app/secrets/ldap_password + value: /app/secrets/ldap_password - name: AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE - value: /usr/app/secrets/smtp_password + value: /app/secrets/smtp_password - name: AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE - value: /usr/app/secrets/sql_password + value: /app/secrets/sql_password ports: - name: http containerPort: 80 @@ -272,9 +269,9 @@ spec: periodSeconds: 5 failureThreshold: 5 volumeMounts: - - mountPath: /etc/authelia + - mountPath: /config name: config-volume - - mountPath: /usr/app/secrets + - mountPath: /app/secrets name: secrets readOnly: true - mountPath: /etc/localtime diff --git a/docs/configuration/storage/sqlite.md b/docs/configuration/storage/sqlite.md index dda23b63..430075b6 100644 --- a/docs/configuration/storage/sqlite.md +++ b/docs/configuration/storage/sqlite.md @@ -19,5 +19,5 @@ Just give the path to the sqlite database. It will be created if the file does n ```yaml storage: local: - path: /var/lib/authelia/db.sqlite3 + path: /config/db.sqlite3 ``` diff --git a/docs/deployment/deployment-ha.md b/docs/deployment/deployment-ha.md index 717165d1..19f47912 100644 --- a/docs/deployment/deployment-ha.md +++ b/docs/deployment/deployment-ha.md @@ -44,7 +44,7 @@ pay attention to the permissions of the configuration file. See ### Deploy With Docker - $ docker run -v /path/to/your/configuration.yml:/etc/authelia/configuration.yml -e TZ=Europe/Paris authelia/authelia + $ docker run -v /path/to/your/configuration.yml:/config/configuration.yml -e TZ=Europe/Paris authelia/authelia ## FAQ 
diff --git a/docs/deployment/supported-proxies/traefik1.x.md b/docs/deployment/supported-proxies/traefik1.x.md index fd1aa208..0d84dc1f 100644 --- a/docs/deployment/supported-proxies/traefik1.x.md +++ b/docs/deployment/supported-proxies/traefik1.x.md @@ -63,8 +63,7 @@ services: image: authelia/authelia container_name: authelia volumes: - - /path/to/authelia:/var/lib/authelia - - /path/to/authelia/config.yml:/etc/authelia/configuration.yml:ro + - /path/to/authelia:/config networks: - net labels: diff --git a/docs/deployment/supported-proxies/traefik2.x.md b/docs/deployment/supported-proxies/traefik2.x.md index cdb8531f..aaf2deb5 100644 --- a/docs/deployment/supported-proxies/traefik2.x.md +++ b/docs/deployment/supported-proxies/traefik2.x.md @@ -66,8 +66,7 @@ services: image: authelia/authelia container_name: authelia volumes: - - /path/to/authelia:/var/lib/authelia - - /path/to/authelia/config.yml:/etc/authelia/configuration.yml:ro + - /path/to/authelia:/config networks: - net labels: diff --git a/go.sum b/go.sum index d33e759c..dc85c53c 100644 --- a/go.sum +++ b/go.sum @@ -25,6 +25,7 @@ github.com/DataDog/sketches-go v0.0.0-20190923095040-43f19ad77ff7 h1:qELHH0AWCvf github.com/DataDog/sketches-go v0.0.0-20190923095040-43f19ad77ff7/go.mod h1:Q5DbzQ+3AkgGwymQO7aZFNP7ns2lZKGtvRBzRXfdi60= github.com/Gurpartap/logrus-stack v0.0.0-20170710170904-89c00d8a28f4 h1:vdT7QwBhJJEVNFMBNhRSFDRCB6O16T28VhvqRgqFyn8= github.com/Gurpartap/logrus-stack v0.0.0-20170710170904-89c00d8a28f4/go.mod h1:SvXOG8ElV28oAiG9zv91SDe5+9PfIr7PPccpr8YyXNs= +github.com/OneOfOne/xxhash v1.2.2 h1:KMrpdQIwFcEqXDklaen+P1axHaj9BSKzvpUUfnHldSE= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/Workiva/go-datastructures v1.0.52 h1:PLSK6pwn8mYdaoaCZEMsXBpBotr4HHn9abU0yMQt0NI= github.com/Workiva/go-datastructures v1.0.52/go.mod h1:Z+F2Rca0qCsVYDS8z7bAGm8f3UkzuWYS/oBZz5a7VVA= 
@@ -54,6 +55,7 @@ github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b/go.mod h1:H0wQNHz2YrLsuXOZozoeDmnHXkNCRmMW0gwFWDfEZDA= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= @@ -72,6 +74,7 @@ github.com/deckarep/golang-set v1.7.1 h1:SCQV0S6gTtp6itiFrTqI+pfmJ4LN85S1YzhDf9r github.com/deckarep/golang-set v1.7.1/go.mod h1:93vsz/8Wt4joVM7c2AVqh+YRMiUSc14yDtF28KmMOgQ= github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dgryski/go-rendezvous v0.0.0-20180401054734-3692eb46c031 h1:GqrUYGzmGuc00lpc+K0wwrqshfkKLwgYFJiCyOZFMVE= github.com/dgryski/go-rendezvous v0.0.0-20180401054734-3692eb46c031/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc= github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= github.com/duosecurity/duo_api_golang v0.0.0-20190308151101-6c680f768e74 h1:2MIhn2R6oXQbgW5yHfS+d6YqyMfXiu2L55rFZC4UD/M= 
@@ -82,36 +85,23 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/facebookgo/stack v0.0.0-20160209184415-751773369052 h1:JWuenKqqX8nojtoVVWjGfOF9635RETekkoH6Cc9SX0A= github.com/facebookgo/stack v0.0.0-20160209184415-751773369052/go.mod h1:UbMTZqLaRiH3MsBH8va0n7s1pQYcu3uTb8G4tygF4Zg= -github.com/fasthttp/router v1.1.6 h1:lBcXxp1ZNoNbSeh4+RvAaXKSEiHU6sGd+gEMpd5Xjog= -github.com/fasthttp/router v1.1.6/go.mod h1:E1mpv7mrQzAhiSQdqhRb+GBTC7MEV+bLFVmgzSA5oFM= -github.com/fasthttp/router v1.1.7 h1:1Wt3iK7yILMNUlgWg3kfqNW8cQhvMIgkqKUhh370wR4= -github.com/fasthttp/router v1.1.7/go.mod h1:GllqmaKtAsIvYwz5Nbu0qcbQQXBSVaeXw2KY3SmlbYM= -github.com/fasthttp/router v1.2.1 h1:8xVgc9j39HkI4KQcxcN3Kmo0K/1/GnGGbBeqjegtCJk= -github.com/fasthttp/router v1.2.1/go.mod h1:7KEYuV4ieG9kNJqqxnH0pwIdO69cJCVhVqZx3CpOURw= github.com/fasthttp/router v1.2.2 h1:znEzZbSKjKDzXwUHiq/HQ17brnKx9ZF6ZphYKGrfkVk= github.com/fasthttp/router v1.2.2/go.mod h1:7KEYuV4ieG9kNJqqxnH0pwIdO69cJCVhVqZx3CpOURw= -github.com/fasthttp/session/v2 v2.1.0 h1:X84Wx3S5hO2AM5B030yhus6+J3ROWY/wA76rye3K00s= -github.com/fasthttp/session/v2 v2.1.0/go.mod h1:VEaGPgnkB9J+/fy0nKqSU6VGS7hjVy1H7/zI+LCOgbo= github.com/fasthttp/session/v2 v2.1.1 h1:Cw+BZkfgfQ/IXYTYNtYXxj5Qg5WbArCrRQnfIok9OuM= github.com/fasthttp/session/v2 v2.1.1/go.mod h1:JBwLzecuSht7fkNJXvB5mvRoi2BhSiTZZ1+vKoWyjAE= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/go-asn1-ber/asn1-ber v1.3.1 h1:gvPdv/Hr++TRFCl0UbPFHC54P9N9jgsRPnmnr419Uck= -github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod 
h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= github.com/go-asn1-ber/asn1-ber v1.5.0 h1:/S4hO/AO6tLMlPX0oftGSOcdGJJN/MuYzfgWRMn199E= github.com/go-asn1-ber/asn1-ber v1.5.0/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= -github.com/go-ldap/ldap/v3 v3.1.10 h1:7WsKqasmPThNvdl0Q5GPpbTDD/ZD98CfuawrMIuh7qQ= -github.com/go-ldap/ldap/v3 v3.1.10/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q= github.com/go-ldap/ldap/v3 v3.1.11 h1:EojIR9zHvfQS8LEz+EjvnPSvsfPYS3UioBezeOOskIA= github.com/go-ldap/ldap/v3 v3.1.11/go.mod h1:dtLsnBXnSLIsMRbCBuRpHflCGaYzZ5jn+x1q7XqMTKU= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= -github.com/go-redis/redis/v8 v8.0.0-beta.2 h1:9S28J9QMBotgI3tGgXbX1Wk9i8QYC3Orw4bTLoPrQeI= -github.com/go-redis/redis/v8 v8.0.0-beta.2/go.mod h1:o1M7JtsgfDYyv3o+gBn/jJ1LkqpnCrmil7PSppZGBak= +github.com/go-redis/redis/v8 v8.0.0-beta.4 h1:oIZMgBk2CHvLd1/rfn8sybGNwzTTmKEvRoXGz6ZiWnI= github.com/go-redis/redis/v8 v8.0.0-beta.4/go.mod h1:NlNCdZHGMxsMUjOkA1Xab/1SsVzAwI7WPBXbh1O7vHM= github.com/go-sql-driver/mysql v1.5.0 h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= 
@@ -226,8 +216,6 @@ github.com/kr/pty v1.1.1 h1:VkoXIwSboBpnk99O/KFauAEILuNHv5DVFKZMBN/gUgw= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= -github.com/lib/pq v1.5.2 h1:yTSXVswvWUOQ3k1sd7vJfDrbSl8lKuscqFJRqjC0ifw= -github.com/lib/pq v1.5.2/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.6.0 h1:I5DPxhYJChW9KYc66se+oKFFQX6VuQrKiprsX6ivRZc= github.com/lib/pq v1.6.0/go.mod h1:4vXEAYvW1fRQ2/FhZ78H73A60MHw1geSm145z2mdY1g= github.com/lib/pq v1.7.0 h1:h93mCPfUSkaul3Ka/VG8uZdmW1uMHDGxzu0NWHuJmHY= 
@@ -304,12 +292,8 @@ github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6So github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= -github.com/savsgio/dictpool v0.0.0-20200414074025-215dfcb77c2c h1:EVgT3hCwdDn/HmAmzRLEAoK2qHhcO8AD22AvPAE1/mk= -github.com/savsgio/dictpool v0.0.0-20200414074025-215dfcb77c2c/go.mod h1:InhUgunRRHK3vhg8YZHIRnxyoQGvGxwOE1p55leevWU= github.com/savsgio/dictpool v0.0.0-20200608150529-6a3c1a8f6ab2 h1:V+VG/pzeMdwBlS21mJmNkBnQQmZWyuBgYRoz0SVxaVk= github.com/savsgio/dictpool v0.0.0-20200608150529-6a3c1a8f6ab2/go.mod h1:LTEdLD+Y+KR4yx9eRMIgciXZo4Od0doGWP/hjgfOlE0= -github.com/savsgio/gotils v0.0.0-20200413113635-8c468ce75cca h1:Qe7Mtuhjkk38HVpRtvWdziZJcwG3Qup1mfyvyOrcnyM= -github.com/savsgio/gotils v0.0.0-20200413113635-8c468ce75cca/go.mod h1:TWNAOTaVzGOXq8RbEvHnhzA/A2sLZzgn0m6URjnukY8= github.com/savsgio/gotils v0.0.0-20200608150037-a5f6f5aef16c h1:2nF5+FZ4/qp7pZVL7fR6DEaSTzuDmNaFTyqp92/hwF8= github.com/savsgio/gotils v0.0.0-20200608150037-a5f6f5aef16c/go.mod h1:TWNAOTaVzGOXq8RbEvHnhzA/A2sLZzgn0m6URjnukY8= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= 
@@ -324,6 +308,7 @@ github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1 github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s= github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72 h1:qLC7fQah7D6K1B0ujays3HV9gkFtllcxhzImRR7ArPQ= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.1.2 h1:m8/z1t7/fwjysjQRYbP0RD+bUIF/8tJwPdEZsI83ACI= github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= @@ -345,8 +330,6 @@ github.com/stretchr/testify v1.2.0/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= -github.com/stretchr/testify v1.6.0 h1:jlIyCplCJFULU/01vCkhKuTyc3OorI3bJFuw6obfgho= -github.com/stretchr/testify v1.6.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s= 
@@ -361,8 +344,6 @@ github.com/tstranex/u2f v1.0.0/go.mod h1:eahSLaqAS0zsIEv80+vXT7WanXs7MQQDg3j3wGB github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw= github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= -github.com/valyala/fasthttp v1.13.1 h1:Z7kVhKP9NZz+tCSY7AVhCMPPAk7b+e5fq0l/BfdTlFc= -github.com/valyala/fasthttp v1.13.1/go.mod h1:ol1PCaL0dX20wC0htZ7sYCsvCYmrouYra0zHzaclZhE= github.com/valyala/fasthttp v1.14.0 h1:67bfuW9azCMwW/Jlq/C+VeihNpAuJMWkYPBig1gdi3A= github.com/valyala/fasthttp v1.14.0/go.mod h1:ol1PCaL0dX20wC0htZ7sYCsvCYmrouYra0zHzaclZhE= github.com/valyala/tcplisten v0.0.0-20161114210144-ceec8f93295a/go.mod h1:v3UYOV9WzVtRmSR+PDvWpU/qWl4Wa5LApYYX4ZtKbio= diff --git a/internal/authentication/configuration.gen.go b/internal/authentication/configuration.gen.go new file mode 100644 index 00000000..8c526bca --- /dev/null +++ b/internal/authentication/configuration.gen.go @@ -0,0 +1,5 @@ +package authentication + +import "aletheia.icu/broccoli/fs" + +var cfg = fs.New(false, []byte("\x8b\xa1\x80\r\xff\x83\x02\x01\x02\xff\x84\x00\x01\xff\x82\x00\x00=\xff\x81\x03\x01\x02\xff\x82\x00\x01\x05\x01\x04Data\x01\n\x00\x01\x05Fpath\x01\f\x00\x01\x05Fname\x01\f\x00\x01\x05Fsize\x01\x04\x00\x01\x05Ftime\x01\x04\x00\x00\x00\xff\xf6\xff\x84\x00\x01\x01\xff\xaa\x1b\xe6\x00`\x1c\x87\xb1\xf3\xa4II\xda\xd3]\xbci`\x9e\xa9θ\x13\x91\xe6\x06\xb8A\xc2Z\x14F\x8fNn~P\xeb\xe7nAy@\x10C 7\xecwSb\xed\x15\xee>\x0f\xa3\xbe\x8b\xfc,\xb6\xa3\x98\xfe\xe7\x00Bj²\x90b\x0f\x19\xc4=\x92\x8b\xc2j\xb7\xden\x98Nd\xaa\x1d\xa2?J\xc9\xd3ŗ\xb9\x9cM+\u07bf\xfe\xcf{c\x85H9\xaf\xec97\xa6\xe4o\xeaƘ\xdfO\xf1\xf3\xdd\\\xd2Iٮ\u074b\xaa4i#\x17\xc5w=\x19\xd9\n\x02\xbf3o\xdc\x028\rp:\xf7\x011\x8fY\x88g\x87\x9c\b}\xf8\xa1\xc8mݞ?\x00\x01\x1busers_database.template.yml\x01\x1busers_database.template.yml\x01\xfe\x01\xce\x01\xfc\xbd\xcb\xdc\xf6\x00\x03")) 
diff --git a/internal/authentication/file_user_provider.go b/internal/authentication/file_user_provider.go index 18e38ad6..32a57cdf 100644 --- a/internal/authentication/file_user_provider.go +++ b/internal/authentication/file_user_provider.go @@ -3,6 +3,7 @@ package authentication import ( "fmt" "io/ioutil" + "os" "strings" "sync" @@ -11,6 +12,7 @@ import ( "gopkg.in/yaml.v2" "github.com/authelia/authelia/internal/configuration/schema" + "github.com/authelia/authelia/internal/logging" "github.com/authelia/authelia/internal/utils" ) @@ -38,6 +40,15 @@ type DatabaseModel struct { // NewFileUserProvider creates a new instance of FileUserProvider. func NewFileUserProvider(configuration *schema.FileAuthenticationBackendConfiguration) *FileUserProvider { + errs := checkDatabase(configuration.Path) + if errs != nil { + for _, err := range errs { + logging.Logger().Error(err) + } + + os.Exit(1) + } + database, err := readDatabase(configuration.Path) if err != nil { // Panic since the file does not exist when Authelia is starting. 
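Review bot: `os.Exit(1)` inside NewFileUserProvider terminates the process from a constructor, skipping any deferred cleanup in the caller and making this path impossible to unit test; the function's body continues past the end of the hunk. Because checkDatabase returns a non-empty slice even when generation succeeded (its "Generated database at" entry), a successful first-run bootstrap is reported through `logging.Logger().Error(err)` and exits with status 1 exactly like a real failure, so an operator cannot tell the two outcomes apart from the log. The existing failure path a few lines below panics ("Panic since the file does not exist when Authelia is starting."), so the two startup failures in the same function now also behave differently. Prefer propagating the errors to the caller, or at least have checkDatabase distinguish the generated case so the path of the freshly written database is logged at info level before the process stops.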
@@ -86,6 +97,46 @@ func checkPasswordHashes(database *DatabaseModel) error { return nil } +func checkDatabase(path string) []error { + _, err := os.Stat(path) + if err != nil { + errs := []error{ + fmt.Errorf("Unable to find database file: %v", path), + fmt.Errorf("Generating database file: %v", path), + } + + err := generateDatabaseFromTemplate(path) + if err != nil { + errs = append(errs, err) + } else { + errs = append(errs, fmt.Errorf("Generated database at: %v", path)) + } + + return errs + } + + return nil +} + +func generateDatabaseFromTemplate(path string) error { + f, err := cfg.Open("users_database.template.yml") + if err != nil { + return fmt.Errorf("Unable to open users_database.template.yml: %v", err) + } + + b, err := ioutil.ReadAll(f) + if err != nil { + return fmt.Errorf("Unable to read users_database.template.yml: %v", err) + } + + err = ioutil.WriteFile(path, b, 0600) + if err != nil { + return fmt.Errorf("Unable to generate %v: %v", path, err) + } + + return nil +} + func readDatabase(path string) (*DatabaseModel, error) { content, err := ioutil.ReadFile(path) if err != nil { diff --git a/internal/authentication/file_user_provider_test.go b/internal/authentication/file_user_provider_test.go index 2c9dbe1f..7ce16def 100644 --- a/internal/authentication/file_user_provider_test.go +++ b/internal/authentication/file_user_provider_test.go @@ -7,7 +7,9 @@ import ( "strings" "testing" + "aletheia.icu/broccoli/fs" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "github.com/authelia/authelia/internal/configuration/schema" ) 
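Review bot: checkDatabase treats every `os.Stat` failure as "file missing" and generateDatabaseFromTemplate then calls `ioutil.WriteFile`, which truncates whatever is at path, so a stat error that is not ENOENT (EACCES on a parent directory, EIO) against an existing user database can end with that database replaced by the template; gate generation on `os.IsNotExist(err)` and report any other stat error as-is. There is also a check-then-write window between the Stat and the write; opening with `os.O_CREATE|os.O_EXCL` makes the template land only in a file that did not exist, and the resulting *PathError still formats as `open <path>: permission denied`, so the strings asserted in file_user_provider_test.go stay valid. The handle returned by `cfg.Open` is never closed (broccoli's Open appears to return an http.File, so a `defer f.Close()` is due). The same Stat-then-WriteFile pattern is repeated in Read and generateConfigFromTemplate in internal/configuration/reader.go further down this patch.
```go
func checkDatabase(path string) []error {
	_, err := os.Stat(path)
	if err == nil {
		return nil
	}

	// Only a genuinely missing file triggers generation; any other stat
	// failure is reported without touching the path.
	if !os.IsNotExist(err) {
		return []error{fmt.Errorf("Unable to stat database file %v: %v", path, err)}
	}

	// … unchanged: build errs, call generateDatabaseFromTemplate, return errs …
}

func generateDatabaseFromTemplate(path string) error {
	f, err := cfg.Open("users_database.template.yml")
	if err != nil {
		return fmt.Errorf("Unable to open users_database.template.yml: %v", err)
	}
	defer f.Close()

	b, err := ioutil.ReadAll(f)
	if err != nil {
		return fmt.Errorf("Unable to read users_database.template.yml: %v", err)
	}

	// O_EXCL ensures the template never truncates a database that appeared
	// between the Stat in checkDatabase and this open.
	out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600)
	if err != nil {
		return fmt.Errorf("Unable to generate %v: %v", path, err)
	}
	defer out.Close()

	if _, err := out.Write(b); err != nil {
		return fmt.Errorf("Unable to generate %v: %v", path, err)
	}

	return nil
}
```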
@@ -32,6 +34,41 @@ func WithDatabase(content []byte, f func(path string)) { } } +func TestShouldErrorNoUserDBInEmbeddedFS(t *testing.T) { + oldCfg := cfg + cfg = fs.New(false, []byte("\x1b~\x00\x80\x8d\x94n\xc2|\x84J\xf7\xbfn\xfd\xf7w;.\x8d m\xb2&\xd1Z\xec\xb2\x05\xb9\xc00\x8a\xf7(\x80^78\t(\f\f\xc3p\xc2\xc1\x06[a\xa2\xb3\xa4P\xe5\xa14\xfb\x19\xb2cp\xf6\x90-Z\xb2\x11\xe0l\xa1\x80\\\x95Vh\t\xc5\x06\x16\xfa\x8c\xc0\"!\xa5\xcf\xf7$\x9a\xb2\a`\xc6\x18\xc8~\xce8\r\x16Z\x9d\xc3\xe3\xff\x00")) + errors := checkDatabase("./nonexistent.yml") + cfg = oldCfg + + require.Len(t, errors, 3) + + require.EqualError(t, errors[0], "Unable to find database file: ./nonexistent.yml") + require.EqualError(t, errors[1], "Generating database file: ./nonexistent.yml") + require.EqualError(t, errors[2], "Unable to open users_database.template.yml: file does not exist") +} + +func TestShouldErrorPermissionsOnLocalFS(t *testing.T) { + _ = os.Mkdir("/tmp/noperms/", 0000) + errors := checkDatabase("/tmp/noperms/users_database.yml") + + require.Len(t, errors, 3) + + require.EqualError(t, errors[0], "Unable to find database file: /tmp/noperms/users_database.yml") + require.EqualError(t, errors[1], "Generating database file: /tmp/noperms/users_database.yml") + require.EqualError(t, errors[2], "Unable to generate /tmp/noperms/users_database.yml: open /tmp/noperms/users_database.yml: permission denied") +} + +func TestShouldErrorAndGenerateUserDB(t *testing.T) { + errors := checkDatabase("./nonexistent.yml") + _ = os.Remove("./nonexistent.yml") + + require.Len(t, errors, 3) + + require.EqualError(t, errors[0], "Unable to find database file: ./nonexistent.yml") + require.EqualError(t, errors[1], "Generating database file: ./nonexistent.yml") + require.EqualError(t, errors[2], "Generated database at: ./nonexistent.yml") +} + func TestShouldCheckUserArgon2idPasswordIsCorrect(t *testing.T) { WithDatabase(UserDatabaseContent, func(path string) { config := DefaultFileAuthenticationBackendConfiguration 
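Review bot: TestShouldErrorPermissionsOnLocalFS only passes when the tests run as a non-root user: root ignores the `0000` mode on /tmp/noperms, the template is written, and the assertion on errors[2] fails with a "Generated database at" message instead of the expected permission error. It also leaves /tmp/noperms behind and silently reuses it if it already exists with other permissions (the Mkdir error is discarded), so consecutive runs are not independent; create the directory with `ioutil.TempDir`, `defer os.RemoveAll(dir)`, and guard the test with `if os.Geteuid() == 0 { t.Skip("requires a non-root user") }`. TestShouldErrorAndGenerateUserDB writes ./nonexistent.yml into the package source directory and only removes it when the call returns normally, so a panic leaves a generated user database next to the source; pointing it at a temp dir avoids that as well. The same pattern is duplicated in reader_test.go (TestShouldErrorPermissionsOnLocalFS and TestShouldErrorAndGenerateConfigFile).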
diff --git a/internal/configuration/configuration.gen.go b/internal/configuration/configuration.gen.go new file mode 100644 index 00000000..6d41137e --- /dev/null +++ b/internal/configuration/configuration.gen.go @@ -0,0 +1,5 @@ +package configuration + +import "aletheia.icu/broccoli/fs" + +var cfg = fs.New(false, []byte("\x1b~\x00\x80\x8d\x94n\xc2|\x84J\xf7\xbfn\xfd\xf7w;.\x8d m\xb2&\xd1Z\xec\xb2\x05\xb9\xc00\x8a\xf7(\x80^78\t(\f\f\xc3p\xc2\xc1\x06[a\xa2\xb3\xa4P\xe5\xa14\xfb\x19\xb2cp\xf6\x90-Z\xb2\x11\xe0l\xa1\x80\\\x95Vh\t\xc5\x06\x16\xfa\x8c\xc0\"!\xa5\xcf\xf7$\x9a\xb2\a`\xc6\x18\xc8~\xce8\r\x16Z\x9d\xc3\xe3\xff\x00")) diff --git a/internal/configuration/reader.go b/internal/configuration/reader.go index e89f7a8c..6eeb868b 100644 --- a/internal/configuration/reader.go +++ b/internal/configuration/reader.go @@ -15,6 +15,7 @@ import ( ) // Read a YAML configuration and create a Configuration object out of it. +//go:generate broccoli -src ../../config.template.yml -var=cfg -o configuration func Read(configPath string) (*schema.Configuration, []error) { if configPath == "" { return nil, []error{errors.New("No config file path provided")} @@ -22,7 +23,19 @@ func Read(configPath string) (*schema.Configuration, []error) { _, err := os.Stat(configPath) if err != nil { - return nil, []error{fmt.Errorf("Unable to find config file: %v", configPath)} + errs := []error{ + fmt.Errorf("Unable to find config file: %v", configPath), + fmt.Errorf("Generating config file: %v", configPath), + } + + err = generateConfigFromTemplate(configPath) + if err != nil { + errs = append(errs, err) + } else { + errs = append(errs, fmt.Errorf("Generated configuration at: %v", configPath)) + } + + return nil, errs } file, err := ioutil.ReadFile(configPath) 
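Review bot: the `//go:generate broccoli ...` directive is inserted between Read's doc comment and its `func` line with no blank line in between, so it becomes part of the comment group that godoc and linters of this Go era attach to Read and shows up in the rendered documentation; move it above the doc comment separated by a blank line, or next to the `cfg` declaration it produces. In the Read hunk, a successful bootstrap is returned through the same `[]error` slice as real failures (`"Generated configuration at: ..."`), so a caller cannot distinguish "configuration written, please edit it" from a broken configuration without matching on message text; a separate return value or a typed sentinel error would make that explicit. A one-line doc note on Read stating that a missing file is generated from the embedded template and always yields a non-nil error slice would also help callers, since the function's body continues past the hunk.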
@@ -67,3 +80,22 @@ func Read(configPath string) (*schema.Configuration, []error) { return &configuration, nil } + +func generateConfigFromTemplate(configPath string) error { + f, err := cfg.Open("config.template.yml") + if err != nil { + return fmt.Errorf("Unable to open config.template.yml: %v", err) + } + + b, err := ioutil.ReadAll(f) + if err != nil { + return fmt.Errorf("Unable to read config.template.yml: %v", err) + } + + err = ioutil.WriteFile(configPath, b, 0600) + if err != nil { + return fmt.Errorf("Unable to generate %v: %v", configPath, err) + } + + return nil +} diff --git a/internal/configuration/reader_test.go b/internal/configuration/reader_test.go index ecc5bfcc..adaf053e 100644 --- a/internal/configuration/reader_test.go +++ b/internal/configuration/reader_test.go @@ -7,6 +7,7 @@ import ( "sort" "testing" + "aletheia.icu/broccoli/fs" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" 
@@ -65,12 +66,39 @@ func TestShouldErrorNoConfigPath(t *testing.T) { require.EqualError(t, errors[0], "No config file path provided") } -func TestShouldErrorNoConfigFile(t *testing.T) { +func TestShouldErrorNoConfigFileInEmbeddedFS(t *testing.T) { + oldCfg := cfg + cfg = fs.New(false, []byte("\x1b~\x00\x80\x8d\x94n\xc2|\x84J\xf7\xbfn\xfd\xf7w;.\x8d m\xb2&\xd1Z\xec\xb2\x05\xb9\xc00\x8a\xf7(\x80^78\t(\f\f\xc3p\xc2\xc1\x06[a\xa2\xb3\xa4P\xe5\xa14\xfb\x19\xb2cp\xf6\x90-Z\xb2\x11\xe0l\xa1\x80\\\x95Vh\t\xc5\x06\x16\xfa\x8c\xc0\"!\xa5\xcf\xf7$\x9a\xb2\a`\xc6\x18\xc8~\xce8\r\x16Z\x9d\xc3\xe3\xff\x00")) _, errors := Read("./nonexistent.yml") + cfg = oldCfg - require.Len(t, errors, 1) + require.Len(t, errors, 3) require.EqualError(t, errors[0], "Unable to find config file: ./nonexistent.yml") + require.EqualError(t, errors[1], "Generating config file: ./nonexistent.yml") + require.EqualError(t, errors[2], "Unable to open config.template.yml: file does not exist") +} + +func TestShouldErrorPermissionsOnLocalFS(t *testing.T) { + _ = os.Mkdir("/tmp/noperms/", 0000) + _, errors := Read("/tmp/noperms/configuration.yml") + + require.Len(t, errors, 3) + + require.EqualError(t, errors[0], "Unable to find config file: /tmp/noperms/configuration.yml") + require.EqualError(t, errors[1], "Generating config file: /tmp/noperms/configuration.yml") + require.EqualError(t, errors[2], "Unable to generate /tmp/noperms/configuration.yml: open /tmp/noperms/configuration.yml: permission denied") +} + +func TestShouldErrorAndGenerateConfigFile(t *testing.T) { + _, errors := Read("./nonexistent.yml") + _ = os.Remove("./nonexistent.yml") + + require.Len(t, errors, 3) + + require.EqualError(t, errors[0], "Unable to find config file: ./nonexistent.yml") + require.EqualError(t, errors[1], "Generating config file: ./nonexistent.yml") + require.EqualError(t, errors[2], "Generated configuration at: ./nonexistent.yml") } func TestShouldErrorPermissionsConfigFile(t *testing.T) { 
diff --git a/internal/configuration/test_resources/config_bad_keys.yml b/internal/configuration/test_resources/config_bad_keys.yml index 8f1b5558..ea9a303e 100644 --- a/internal/configuration/test_resources/config_bad_keys.yml +++ b/internal/configuration/test_resources/config_bad_keys.yml @@ -4,7 +4,7 @@ host: 127.0.0.1 port: 9091 -loggy_file: /etc/authelia/svc.log +loggy_file: /config/svc.log logs_level: debug default_redirection_url: https://home.example.com:8080/ diff --git a/internal/configuration/test_resources/config_bad_quoting.yml b/internal/configuration/test_resources/config_bad_quoting.yml index 1f41a8a5..8027be8a 100644 --- a/internal/configuration/test_resources/config_bad_quoting.yml +++ b/internal/configuration/test_resources/config_bad_quoting.yml @@ -13,7 +13,7 @@ totp: authentication_backend: file: - path: /etc/authelia/users_database.yml + path: /config/users_database.yml access_control: default_policy: deny diff --git a/internal/suites/BypassAll/configuration.yml b/internal/suites/BypassAll/configuration.yml index 01c8f94a..dd0bb246 100644 --- a/internal/suites/BypassAll/configuration.yml +++ b/internal/suites/BypassAll/configuration.yml @@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem log_level: debug @@ -12,7 +12,7 @@ jwt_secret: unsecure_secret authentication_backend: file: - path: /var/lib/authelia/users.yml + path: /config/users.yml session: secret: unsecure_session_secret @@ -23,7 +23,7 @@ session: storage: local: - path: /var/lib/authelia/db.sqlite + path: /config/db.sqlite # The Duo Push Notification API configuration duo_api: diff --git a/internal/suites/BypassAll/docker-compose.yml b/internal/suites/BypassAll/docker-compose.yml index 94777608..5b8d5619 100644 --- a/internal/suites/BypassAll/docker-compose.yml 
+++ b/internal/suites/BypassAll/docker-compose.yml @@ -2,6 +2,6 @@ version: '3' services: authelia-backend: volumes: - - './BypassAll/configuration.yml:/etc/authelia/configuration.yml:ro' - - './BypassAll/users.yml:/var/lib/authelia/users.yml' - - './common/ssl:/var/lib/authelia/ssl:ro' \ No newline at end of file + - './BypassAll/configuration.yml:/config/configuration.yml:ro' + - './BypassAll/users.yml:/config/users.yml' + - './common/ssl:/config/ssl:ro' \ No newline at end of file diff --git a/internal/suites/Docker/configuration.yml b/internal/suites/Docker/configuration.yml index 1392772b..a72593bb 100644 --- a/internal/suites/Docker/configuration.yml +++ b/internal/suites/Docker/configuration.yml @@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem log_level: debug @@ -14,7 +14,7 @@ jwt_secret: very_important_secret authentication_backend: file: - path: /var/lib/authelia/users.yml + path: /config/users.yml session: secret: unsecure_session_secret @@ -25,7 +25,7 @@ session: storage: local: - path: /var/lib/authelia/db.sqlite3 + path: /config/db.sqlite3 totp: issuer: example.com diff --git a/internal/suites/Docker/docker-compose.yml b/internal/suites/Docker/docker-compose.yml index 6a4cf388..9aeff689 100644 --- a/internal/suites/Docker/docker-compose.yml +++ b/internal/suites/Docker/docker-compose.yml @@ -2,6 +2,6 @@ version: '3' services: authelia-backend: volumes: - - './Docker/configuration.yml:/etc/authelia/configuration.yml:ro' - - './Docker/users.yml:/var/lib/authelia/users.yml' - - './common/ssl:/var/lib/authelia/ssl:ro' \ No newline at end of file + - './Docker/configuration.yml:/config/configuration.yml:ro' + - './Docker/users.yml:/config/users.yml' + - './common/ssl:/config/ssl:ro' \ No newline at end of file 
diff --git a/internal/suites/DuoPush/configuration.yml b/internal/suites/DuoPush/configuration.yml index 60451bf8..6328189f 100644 --- a/internal/suites/DuoPush/configuration.yml +++ b/internal/suites/DuoPush/configuration.yml @@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem log_level: trace @@ -14,7 +14,7 @@ jwt_secret: very_important_secret authentication_backend: file: - path: /var/lib/authelia/users.yml + path: /config/users.yml session: secret: unsecure_session_secret @@ -26,7 +26,7 @@ session: # Configuration of the storage backend used to store data and secrets. i.e. totp data storage: local: - path: /var/lib/authelia/db.sqlite + path: /config/db.sqlite # TOTP Issuer Name # diff --git a/internal/suites/DuoPush/docker-compose.yml b/internal/suites/DuoPush/docker-compose.yml index 5913560d..ea931e12 100644 --- a/internal/suites/DuoPush/docker-compose.yml +++ b/internal/suites/DuoPush/docker-compose.yml @@ -2,6 +2,6 @@ version: '3' services: authelia-backend: volumes: - - './DuoPush/configuration.yml:/etc/authelia/configuration.yml:ro' - - './DuoPush/users.yml:/var/lib/authelia/users.yml' - - './common/ssl:/var/lib/authelia/ssl:ro' \ No newline at end of file + - './DuoPush/configuration.yml:/config/configuration.yml:ro' + - './DuoPush/users.yml:/config/users.yml' + - './common/ssl:/config/ssl:ro' \ No newline at end of file diff --git a/internal/suites/HAProxy/configuration.yml b/internal/suites/HAProxy/configuration.yml index c9c34ffc..991f10d0 100644 --- a/internal/suites/HAProxy/configuration.yml +++ b/internal/suites/HAProxy/configuration.yml 
@@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem log_level: debug @@ -12,7 +12,7 @@ jwt_secret: unsecure_secret authentication_backend: file: - path: /var/lib/authelia/users.yml + path: /config/users.yml session: secret: unsecure_session_secret @@ -23,7 +23,7 @@ session: storage: local: - path: /var/lib/authelia/db.sqlite + path: /config/db.sqlite access_control: default_policy: bypass diff --git a/internal/suites/HAProxy/docker-compose.yml b/internal/suites/HAProxy/docker-compose.yml index 2c6ddf17..6553cdb1 100644 --- a/internal/suites/HAProxy/docker-compose.yml +++ b/internal/suites/HAProxy/docker-compose.yml @@ -2,6 +2,6 @@ version: '3' services: authelia-backend: volumes: - - './HAProxy/configuration.yml:/etc/authelia/configuration.yml:ro' - - './HAProxy/users.yml:/var/lib/authelia/users.yml' - - './common/ssl:/var/lib/authelia/ssl:ro' \ No newline at end of file + - './HAProxy/configuration.yml:/config/configuration.yml:ro' + - './HAProxy/users.yml:/config/users.yml' + - './common/ssl:/config/ssl:ro' \ No newline at end of file diff --git a/internal/suites/HighAvailability/configuration.yml b/internal/suites/HighAvailability/configuration.yml index 2f4f588b..3c4d1b59 100644 --- a/internal/suites/HighAvailability/configuration.yml +++ b/internal/suites/HighAvailability/configuration.yml @@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem log_level: debug diff --git a/internal/suites/HighAvailability/docker-compose.yml b/internal/suites/HighAvailability/docker-compose.yml index 38bba312..5cb53220 100644 --- a/internal/suites/HighAvailability/docker-compose.yml 
+++ b/internal/suites/HighAvailability/docker-compose.yml @@ -2,5 +2,5 @@ version: '3' services: authelia-backend: volumes: - - './HighAvailability/configuration.yml:/etc/authelia/configuration.yml:ro' - - './common/ssl:/var/lib/authelia/ssl:ro' \ No newline at end of file + - './HighAvailability/configuration.yml:/config/configuration.yml:ro' + - './common/ssl:/config/ssl:ro' \ No newline at end of file diff --git a/internal/suites/LDAP/configuration.yml b/internal/suites/LDAP/configuration.yml index be6d7412..80645ee4 100644 --- a/internal/suites/LDAP/configuration.yml +++ b/internal/suites/LDAP/configuration.yml @@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem log_level: debug @@ -36,7 +36,7 @@ session: storage: local: - path: /var/lib/authelia/db.sqlite3 + path: /config/db.sqlite3 totp: issuer: example.com diff --git a/internal/suites/LDAP/docker-compose.yml b/internal/suites/LDAP/docker-compose.yml index dfb0d559..f60766d8 100644 --- a/internal/suites/LDAP/docker-compose.yml +++ b/internal/suites/LDAP/docker-compose.yml @@ -2,5 +2,5 @@ version: '3' services: authelia-backend: volumes: - - './LDAP/configuration.yml:/etc/authelia/configuration.yml:ro' - - './common/ssl:/var/lib/authelia/ssl:ro' \ No newline at end of file + - './LDAP/configuration.yml:/config/configuration.yml:ro' + - './common/ssl:/config/ssl:ro' \ No newline at end of file diff --git a/internal/suites/Mariadb/configuration.yml b/internal/suites/Mariadb/configuration.yml index a366c6fa..7b845887 100644 --- a/internal/suites/Mariadb/configuration.yml +++ b/internal/suites/Mariadb/configuration.yml 
@@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem log_level: debug @@ -14,7 +14,7 @@ jwt_secret: very_important_secret authentication_backend: file: - path: /var/lib/authelia/users.yml + path: /config/users.yml session: secret: unsecure_session_secret diff --git a/internal/suites/Mariadb/docker-compose.yml b/internal/suites/Mariadb/docker-compose.yml index 1bda82c0..0ef47877 100644 --- a/internal/suites/Mariadb/docker-compose.yml +++ b/internal/suites/Mariadb/docker-compose.yml @@ -2,6 +2,6 @@ version: '3' services: authelia-backend: volumes: - - './Mariadb/configuration.yml:/etc/authelia/configuration.yml:ro' - - './Mariadb/users.yml:/var/lib/authelia/users.yml' - - './common/ssl:/var/lib/authelia/ssl:ro' \ No newline at end of file + - './Mariadb/configuration.yml:/config/configuration.yml:ro' + - './Mariadb/users.yml:/config/users.yml' + - './common/ssl:/config/ssl:ro' \ No newline at end of file diff --git a/internal/suites/MySQL/configuration.yml b/internal/suites/MySQL/configuration.yml index 962c6b3a..c752254c 100644 --- a/internal/suites/MySQL/configuration.yml +++ b/internal/suites/MySQL/configuration.yml @@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem log_level: debug @@ -14,7 +14,7 @@ jwt_secret: very_important_secret authentication_backend: file: - path: /var/lib/authelia/users.yml + path: /config/users.yml session: secret: unsecure_session_secret diff --git a/internal/suites/MySQL/docker-compose.yml b/internal/suites/MySQL/docker-compose.yml index ad9179ba..e6e9b604 100644 --- a/internal/suites/MySQL/docker-compose.yml +++ b/internal/suites/MySQL/docker-compose.yml 
@@ -2,6 +2,6 @@ version: '3' services: authelia-backend: volumes: - - './MySQL/configuration.yml:/etc/authelia/configuration.yml:ro' - - './MySQL/users.yml:/var/lib/authelia/users.yml' - - './common/ssl:/var/lib/authelia/ssl:ro' \ No newline at end of file + - './MySQL/configuration.yml:/config/configuration.yml:ro' + - './MySQL/users.yml:/config/users.yml' + - './common/ssl:/config/ssl:ro' \ No newline at end of file diff --git a/internal/suites/NetworkACL/configuration.yml b/internal/suites/NetworkACL/configuration.yml index be4c4640..673160b8 100644 --- a/internal/suites/NetworkACL/configuration.yml +++ b/internal/suites/NetworkACL/configuration.yml @@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem log_level: debug @@ -12,7 +12,7 @@ jwt_secret: unsecure_password authentication_backend: file: - path: /var/lib/authelia/users.yml + path: /config/users.yml session: secret: unsecure_session_secret @@ -24,7 +24,7 @@ session: # Configuration of the storage backend used to store data and secrets. i.e. totp data storage: local: - path: /var/lib/authelia/db.sqlite + path: /config/db.sqlite # Access Control # diff --git a/internal/suites/NetworkACL/docker-compose.yml b/internal/suites/NetworkACL/docker-compose.yml index 34eb9a02..dd1b1ded 100644 --- a/internal/suites/NetworkACL/docker-compose.yml +++ b/internal/suites/NetworkACL/docker-compose.yml @@ -2,6 +2,6 @@ version: '3' services: authelia-backend: volumes: - - './NetworkACL/configuration.yml:/etc/authelia/configuration.yml:ro' - - './NetworkACL/users.yml:/var/lib/authelia/users.yml' - - './common/ssl:/var/lib/authelia/ssl:ro' \ No newline at end of file + - './NetworkACL/configuration.yml:/config/configuration.yml:ro' + - './NetworkACL/users.yml:/config/users.yml' + - './common/ssl:/config/ssl:ro' \ No newline at end of file 
diff --git a/internal/suites/OneFactorOnly/configuration.yml b/internal/suites/OneFactorOnly/configuration.yml index c82ace09..5ae40fa9 100644 --- a/internal/suites/OneFactorOnly/configuration.yml +++ b/internal/suites/OneFactorOnly/configuration.yml @@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem log_level: debug @@ -14,7 +14,7 @@ jwt_secret: unsecure_secret authentication_backend: file: - path: /var/lib/authelia/users.yml + path: /config/users.yml session: secret: unsecure_session_secret @@ -25,7 +25,7 @@ session: storage: local: - path: /var/lib/authelia/db.sqlite + path: /config/db.sqlite access_control: default_policy: deny diff --git a/internal/suites/OneFactorOnly/docker-compose.yml b/internal/suites/OneFactorOnly/docker-compose.yml index ab16e700..7be2d0e5 100644 --- a/internal/suites/OneFactorOnly/docker-compose.yml +++ b/internal/suites/OneFactorOnly/docker-compose.yml @@ -2,6 +2,6 @@ version: '3' services: authelia-backend: volumes: - - './OneFactorOnly/configuration.yml:/etc/authelia/configuration.yml:ro' - - './OneFactorOnly/users.yml:/var/lib/authelia/users.yml' - - './common/ssl:/var/lib/authelia/ssl:ro' \ No newline at end of file + - './OneFactorOnly/configuration.yml:/config/configuration.yml:ro' + - './OneFactorOnly/users.yml:/config/users.yml' + - './common/ssl:/config/ssl:ro' \ No newline at end of file diff --git a/internal/suites/PathPrefix/configuration.yml b/internal/suites/PathPrefix/configuration.yml index 3e1888d0..b2e7ca94 100644 --- a/internal/suites/PathPrefix/configuration.yml +++ b/internal/suites/PathPrefix/configuration.yml 
@@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem server: path: auth @@ -15,7 +15,7 @@ jwt_secret: unsecure_secret authentication_backend: file: - path: /var/lib/authelia/users.yml + path: /config/users.yml session: secret: unsecure_session_secret @@ -26,7 +26,7 @@ session: storage: local: - path: /var/lib/authelia/db.sqlite + path: /config/db.sqlite access_control: default_policy: bypass diff --git a/internal/suites/PathPrefix/docker-compose.yml b/internal/suites/PathPrefix/docker-compose.yml index 2d2c7d29..78be7a62 100644 --- a/internal/suites/PathPrefix/docker-compose.yml +++ b/internal/suites/PathPrefix/docker-compose.yml @@ -2,6 +2,6 @@ version: '3' services: authelia-backend: volumes: - - './PathPrefix/configuration.yml:/etc/authelia/configuration.yml:ro' - - './PathPrefix/users.yml:/var/lib/authelia/users.yml' - - './common/ssl:/var/lib/authelia/ssl:ro' \ No newline at end of file + - './PathPrefix/configuration.yml:/config/configuration.yml:ro' + - './PathPrefix/users.yml:/config/users.yml' + - './common/ssl:/config/ssl:ro' \ No newline at end of file diff --git a/internal/suites/Postgres/configuration.yml b/internal/suites/Postgres/configuration.yml index 2f9eff19..f56739d8 100644 --- a/internal/suites/Postgres/configuration.yml +++ b/internal/suites/Postgres/configuration.yml @@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem log_level: debug @@ -14,7 +14,7 @@ jwt_secret: very_important_secret authentication_backend: file: - path: /var/lib/authelia/users.yml + path: /config/users.yml session: secret: unsecure_session_secret 
diff --git a/internal/suites/Postgres/docker-compose.yml b/internal/suites/Postgres/docker-compose.yml index 03168aa7..d3539af4 100644 --- a/internal/suites/Postgres/docker-compose.yml +++ b/internal/suites/Postgres/docker-compose.yml @@ -2,6 +2,6 @@ version: '3' services: authelia-backend: volumes: - - './Postgres/configuration.yml:/etc/authelia/configuration.yml:ro' - - './Postgres/users.yml:/var/lib/authelia/users.yml' - - './common/ssl:/var/lib/authelia/ssl:ro' \ No newline at end of file + - './Postgres/configuration.yml:/config/configuration.yml:ro' + - './Postgres/users.yml:/config/users.yml' + - './common/ssl:/config/ssl:ro' \ No newline at end of file diff --git a/internal/suites/ShortTimeouts/configuration.yml b/internal/suites/ShortTimeouts/configuration.yml index 67b2d2c0..2954d7eb 100644 --- a/internal/suites/ShortTimeouts/configuration.yml +++ b/internal/suites/ShortTimeouts/configuration.yml @@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem log_level: debug @@ -14,7 +14,7 @@ default_redirection_url: https://home.example.com:8080/ authentication_backend: file: - path: /var/lib/authelia/users.yml + path: /config/users.yml session: secret: unsecure_session_secret @@ -25,7 +25,7 @@ session: storage: local: - path: /var/lib/authelia/db.sqlite + path: /config/db.sqlite totp: issuer: example.com diff --git a/internal/suites/ShortTimeouts/docker-compose.yml b/internal/suites/ShortTimeouts/docker-compose.yml index fda2f1a9..87edd07f 100644 --- a/internal/suites/ShortTimeouts/docker-compose.yml +++ b/internal/suites/ShortTimeouts/docker-compose.yml 
@@ -2,6 +2,6 @@ version: '3'
 services:
 authelia-backend:
 volumes:
- - './ShortTimeouts/configuration.yml:/etc/authelia/configuration.yml:ro'
- - './ShortTimeouts/users.yml:/var/lib/authelia/users.yml'
- - './common/ssl:/var/lib/authelia/ssl:ro'
\ No newline at end of file
+ - './ShortTimeouts/configuration.yml:/config/configuration.yml:ro'
+ - './ShortTimeouts/users.yml:/config/users.yml'
+ - './common/ssl:/config/ssl:ro'
\ No newline at end of file
diff --git a/internal/suites/Standalone/configuration.yml b/internal/suites/Standalone/configuration.yml
index 8e7dc51e..b22fe06e 100644
--- a/internal/suites/Standalone/configuration.yml
+++ b/internal/suites/Standalone/configuration.yml
@@ -3,14 +3,14 @@
 ###############################################################
 port: 9091
-tls_cert: /var/lib/authelia/ssl/cert.pem
-tls_key: /var/lib/authelia/ssl/key.pem
+tls_cert: /config/ssl/cert.pem
+tls_key: /config/ssl/key.pem
 log_level: debug
 authentication_backend:
 file:
- path: /var/lib/authelia/users.yml
+ path: /config/users.yml
 session:
 domain: example.com
diff --git a/internal/suites/Standalone/docker-compose.yml b/internal/suites/Standalone/docker-compose.yml
index 91c8a527..e6e08799 100644
--- a/internal/suites/Standalone/docker-compose.yml
+++ b/internal/suites/Standalone/docker-compose.yml
@@ -5,8 +5,8 @@ services:
 - AUTHELIA_JWT_SECRET_FILE=/tmp/authelia/StandaloneSuite/jwt
 - AUTHELIA_SESSION_SECRET_FILE=/tmp/authelia/StandaloneSuite/session
 volumes:
- - './Standalone/configuration.yml:/etc/authelia/configuration.yml:ro'
- - './Standalone/users.yml:/var/lib/authelia/users.yml'
- - './common/ssl:/var/lib/authelia/ssl:ro'
+ - './Standalone/configuration.yml:/config/configuration.yml:ro'
+ - './Standalone/users.yml:/config/users.yml'
+ - './common/ssl:/config/ssl:ro'
 - '/tmp:/tmp'
 user: ${USER_ID}:${GROUP_ID}
\ No newline at end of file
diff --git a/internal/suites/Traefik/configuration.yml b/internal/suites/Traefik/configuration.yml
index cb6617eb..59224cca 100644
--- a/internal/suites/Traefik/configuration.yml
+++ b/internal/suites/Traefik/configuration.yml
@@ -3,8 +3,8 @@
 ###############################################################
 port: 9091
-tls_cert: /var/lib/authelia/ssl/cert.pem
-tls_key: /var/lib/authelia/ssl/key.pem
+tls_cert: /config/ssl/cert.pem
+tls_key: /config/ssl/key.pem
 log_level: debug
@@ -12,7 +12,7 @@ jwt_secret: unsecure_secret
 authentication_backend:
 file:
- path: /var/lib/authelia/users.yml
+ path: /config/users.yml
 session:
 secret: unsecure_session_secret
@@ -23,7 +23,7 @@ session:
 storage:
 local:
- path: /var/lib/authelia/db.sqlite
+ path: /config/db.sqlite
 access_control:
 default_policy: bypass
diff --git a/internal/suites/Traefik/docker-compose.yml b/internal/suites/Traefik/docker-compose.yml
index 9737ffed..355eac40 100644
--- a/internal/suites/Traefik/docker-compose.yml
+++ b/internal/suites/Traefik/docker-compose.yml
@@ -2,6 +2,6 @@ version: '3'
 services:
 authelia-backend:
 volumes:
- - './Traefik/configuration.yml:/etc/authelia/configuration.yml:ro'
- - './Traefik/users.yml:/var/lib/authelia/users.yml'
- - './common/ssl:/var/lib/authelia/ssl:ro'
\ No newline at end of file
+ - './Traefik/configuration.yml:/config/configuration.yml:ro'
+ - './Traefik/users.yml:/config/users.yml'
+ - './common/ssl:/config/ssl:ro'
\ No newline at end of file
diff --git a/internal/suites/Traefik2/configuration.yml b/internal/suites/Traefik2/configuration.yml
index cb6617eb..59224cca 100644
--- a/internal/suites/Traefik2/configuration.yml
+++ b/internal/suites/Traefik2/configuration.yml
@@ -3,8 +3,8 @@
 ###############################################################
 port: 9091
-tls_cert: /var/lib/authelia/ssl/cert.pem
-tls_key: /var/lib/authelia/ssl/key.pem
+tls_cert: /config/ssl/cert.pem
+tls_key: /config/ssl/key.pem
 log_level: debug
@@ -12,7 +12,7 @@ jwt_secret: unsecure_secret
 authentication_backend:
 file:
- path: /var/lib/authelia/users.yml
+ path: /config/users.yml
 session:
 secret: unsecure_session_secret
@@ -23,7 +23,7 @@ session:
 storage:
 local:
- path: /var/lib/authelia/db.sqlite
+ path: /config/db.sqlite
 access_control:
 default_policy: bypass
diff --git a/internal/suites/Traefik2/docker-compose.yml b/internal/suites/Traefik2/docker-compose.yml
index 6a75bff9..dcddd1d3 100644
--- a/internal/suites/Traefik2/docker-compose.yml
+++ b/internal/suites/Traefik2/docker-compose.yml
@@ -2,6 +2,6 @@ version: '3'
 services:
 authelia-backend:
 volumes:
- - './Traefik2/configuration.yml:/etc/authelia/configuration.yml:ro'
- - './Traefik2/users.yml:/var/lib/authelia/users.yml'
- - './common/ssl:/var/lib/authelia/ssl:ro'
\ No newline at end of file
+ - './Traefik2/configuration.yml:/config/configuration.yml:ro'
+ - './Traefik2/users.yml:/config/users.yml'
+ - './common/ssl:/config/ssl:ro'
\ No newline at end of file
diff --git a/internal/suites/example/compose/authelia/Dockerfile.backend b/internal/suites/example/compose/authelia/Dockerfile.backend
index e7fed817..745d2aaa 100644
--- a/internal/suites/example/compose/authelia/Dockerfile.backend
+++ b/internal/suites/example/compose/authelia/Dockerfile.backend
@@ -8,12 +8,10 @@ RUN addgroup --gid ${GROUP_ID} dev && \
 adduser --uid ${USER_ID} -G dev -D dev && \
 apk --no-cache add gcc musl-dev git
-RUN mkdir -p /etc/authelia && chown dev:dev /etc/authelia
-RUN mkdir -p /var/lib/authelia && chown dev:dev /var/lib/authelia
+RUN mkdir -p /config && chown dev:dev /config
 USER dev
-VOLUME /etc/authelia
-VOLUME /var/lib/authelia
+VOLUME /config
 EXPOSE 9091
diff --git a/internal/suites/example/compose/authelia/docker-compose.backend.dist.yml b/internal/suites/example/compose/authelia/docker-compose.backend.dist.yml
index a35b48dc..c7994263 100644
--- a/internal/suites/example/compose/authelia/docker-compose.backend.dist.yml
+++ b/internal/suites/example/compose/authelia/docker-compose.backend.dist.yml
@@ -12,7 +12,7 @@ services:
 - 'traefik.http.routers.authelia_backend.tls=true'
 - 'traefik.http.services.authelia_backend.loadbalancer.server.scheme=https'
 volumes:
- '../..:/app'
+ '../..:/authelia'
 environment:
 - ENVIRONMENT=dev
 restart: always
diff --git a/internal/suites/example/compose/authelia/resources/run-backend-dev.sh b/internal/suites/example/compose/authelia/resources/run-backend-dev.sh
index 67fb450d..64b866cd 100755
--- a/internal/suites/example/compose/authelia/resources/run-backend-dev.sh
+++ b/internal/suites/example/compose/authelia/resources/run-backend-dev.sh
@@ -4,6 +4,6 @@ set -e
 while true; do
-dlv --listen 0.0.0.0:2345 --headless=true --continue --accept-multiclient debug cmd/authelia/*.go -- --config /etc/authelia/configuration.yml
+dlv --listen 0.0.0.0:2345 --headless=true --continue --accept-multiclient debug cmd/authelia/*.go -- --config /config/configuration.yml
 sleep 10
 done
\ No newline at end of file
diff --git a/internal/suites/example/kube/authelia/configs/configuration.yml b/internal/suites/example/kube/authelia/configs/configuration.yml
index a21c83e8..ce9e1fa8 100644
--- a/internal/suites/example/kube/authelia/configs/configuration.yml
+++ b/internal/suites/example/kube/authelia/configs/configuration.yml
@@ -3,8 +3,8 @@
 ###############################################################
 port: 443
-tls_cert: /var/lib/authelia/ssl/cert.pem
-tls_key: /var/lib/authelia/ssl/key.pem
+tls_cert: /config/ssl/cert.pem
+tls_key: /config/ssl/key.pem
 log_level: debug
diff --git a/internal/suites/example/kube/authelia/deployment.yml b/internal/suites/example/kube/authelia/deployment.yml
index 085c16b0..2945205f 100644
--- a/internal/suites/example/kube/authelia/deployment.yml
+++ b/internal/suites/example/kube/authelia/deployment.yml
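Review bot: The dev bind mount of the source tree moves from `/app` to `/authelia`, yet the debug loop in run-backend-dev.sh (next hunk on this line) still runs `dlv ... debug cmd/authelia/*.go` with a path relative to the working directory, so this mount path only works if the dev image's WORKDIR is `/authelia`. The Dockerfile.backend hunk in this commit touches only the `/config` directory and `VOLUME` lines and shows no WORKDIR change, so unless it is set outside the visible hunk the dev container will look for `cmd/authelia` in the wrong place. Making the dependency explicit in the compose service with `working_dir: /authelia` next to the `volumes:` entry would decouple the mount from whatever the image defaults to.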
@@ -23,23 +23,23 @@ spec:
 - containerPort: 443
 volumeMounts:
 - name: config-volume
- mountPath: /etc/authelia
+ mountPath: /config
 - name: ssl-volume
- mountPath: /var/lib/authelia/ssl
+ mountPath: /config/ssl
 - name: secrets
- mountPath: /usr/app/secrets
+ mountPath: /app/secrets
 readOnly: true
 env:
 # We set secrets directly here for ease of deployment but all secrets
 # should be stored in the Kube Vault in production.
 - name: AUTHELIA_JWT_SECRET_FILE
- value: /usr/app/secrets/jwt_secret
+ value: /app/secrets/jwt_secret
 - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
- value: /usr/app/secrets/ldap_password
+ value: /app/secrets/ldap_password
 - name: AUTHELIA_SESSION_SECRET_FILE
- value: /usr/app/secrets/session
+ value: /app/secrets/session
 - name: AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE
- value: /usr/app/secrets/sql_password
+ value: /app/secrets/sql_password
 volumes:
 - name: config-volume
 configMap:
diff --git a/internal/suites/example/swarm/docker-compose.yml b/internal/suites/example/swarm/docker-compose.yml
index 0b53319d..060fe16e 100644
--- a/internal/suites/example/swarm/docker-compose.yml
+++ b/internal/suites/example/swarm/docker-compose.yml
@@ -5,7 +5,7 @@ services:
 # Used for Docker configs
 configs:
 - source: authelia
- target: /etc/authelia/configuration.yml
+ target: /config/configuration.yml
 uid: '0'
 gid: '0'
 mode: 0444
@@ -14,7 +14,7 @@ services:
 # Where the authelia volume is to be mounted. To only use a single volume, the minimal config needs to be changed to read the users_database.yml also from this subdirectory.
 # Otherwise a second volume will need to be configured here to mount the users_database.yml.
 volumes:
- authelia:/etc/authelia/storage
+ authelia:/config/storage
 networks:
 - overlay
 deploy:
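Review bot: The Docker config is now delivered to `/config/configuration.yml` but still with `uid: '0'`, `gid: '0'` and `mode: 0444`, which leaves the file readable by every account in the container, whereas this same commit writes generated configuration with 0600 and the suite configuration files earlier in the patch show that this file carries `jwt_secret` and the session secret. Since the target path is being rewritten anyway, tightening it to `mode: 0400` with `uid`/`gid` set to the account the service actually runs as would match the commit's own permission model; which account that is cannot be determined from the visible hunk. Alternatively the secrets could be taken out of the config entirely via the `AUTHELIA_*_FILE` environment variables that the kube deployment hunk on this line already uses.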