feat: 🎸 add authelia

.github/workflows/build-image-manual.yaml

@@ -40,6 +40,7 @@ on:
         - mitmproxy
         - redroid
         - nginx-proxy-manager
+        - authelia
       tag:
         description: 'Image tag'
 

authelia/Dockerfile

@@ -0,0 +1,15 @@
+# 使用官方的 Authelia 基础镜像
+FROM authelia/authelia:latest
+
+# 创建配置目录
+RUN mkdir -p /config /logs
+
+# 复制启动脚本到容器中
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+# 设置工作目录
+WORKDIR /config
+
+# 运行启动脚本
+ENTRYPOINT ["/entrypoint.sh"]

authelia/README.md

@@ -0,0 +1,37 @@
+## Run the Docker Container
+
+Run the container with the necessary environment variables:
+
+```bash
+docker run -d \
+  --name authelia \
+  --network authelia-network \
+  -e DOMAIN='your-domain.com' \
+  -e AUTH_URL='https://auth.your-domain.com' \
+  -e JWT_SECRET='your_jwt_secret' \
+  -e SESSION_SECRET='your_session_secret' \
+  -e STORAGE_ENCRYPTION_KEY='your_storage_encryption_key' \
+  -e USER_PASSWORD='your_user_password' \
+  -e USER_EMAIL='[email protected]' \
+  -v /path/to/config:/config \
+  monlor/authelia
+```
+
+## Environment Variables
+
+Before running the script, ensure you have the following environment variables set:
+
+- `DOMAIN`: The domain for which Authelia will be configured (e.g., `example.com`).
+- `AUTH_URL`: The URL where Authelia is accessible (e.g., `https://auth.example.com`).
+- `JWT_SECRET`: A secret key for JWT validation.
+- `SESSION_SECRET`: A secret key for session encryption.
+- `STORAGE_ENCRYPTION_KEY`: A key for encrypting storage data.
+- `USER_PASSWORD`: The password for the admin user.
+- `USER_EMAIL`: The email address for the admin user.
+- `LOG_LEVEL`: (Optional) The logging level (default is `info`).
+
+## Generate secret
+
+```bash
+openssl rand -base64 48
+```

authelia/entrypoint.sh

@@ -0,0 +1,78 @@
+#!/bin/sh
+
+set -eu
+
+# Create Authelia configuration file
+cat <<EOF > /config/configuration.yml
+server:
+  address: tcp://0.0.0.0:9091
+
+authentication_backend:
+  file:
+    path: /config/users_database.yml
+
+access_control:
+  default_policy: deny
+  rules:
+    - domain: "*.${DOMAIN}"
+      policy: two_factor
+
+identity_validation:
+  reset_password:
+    jwt_secret: ${JWT_SECRET}
+
+session:
+  name: authelia_session
+  secret: ${SESSION_SECRET}
+  same_site: 'lax'
+  inactivity: '5m'
+  expiration: '1h'
+  remember_me: '1M'
+  cookies:
+    - domain: '${DOMAIN}'
+      authelia_url: '${AUTH_URL}'
+      default_redirection_url: 'https://www.${DOMAIN}'
+      name: 'authelia_session'
+      same_site: 'lax'
+      inactivity: '5m'
+      expiration: '1h'
+      remember_me: '1d'
+
+totp:
+  issuer: ${DOMAIN}
+  period: 30
+  skew: 1
+
+storage:
+  local:
+    path: /config/db.sqlite3
+  encryption_key: ${STORAGE_ENCRYPTION_KEY}
+
+notifier:
+  filesystem:
+    filename: /config/notification.txt
+
+log:
+  level: ${LOG_LEVEL:-info}
+EOF
+
+# # Generate a TOTP secret for the user
+# TOTP_SECRET=$(authelia storage user totp generate admin)
+
+# # Print the TOTP secret to the console
+# echo "Generated TOTP Secret for user 'alice': ${TOTP_SECRET}"
+
+# Generate the hashed password using Authelia's built-in command
+HASHED_PASSWORD=$(authelia crypto hash generate argon2 --password "${USER_PASSWORD}" | awk '{print$2}')
+
+# Create users database file with hashed password and TOTP secret
+cat <<EOF > /config/users_database.yml
+users:
+  admin:
+    password: '${HASHED_PASSWORD}'
+    displayname: Admin
+    email: ${USER_EMAIL}
+EOF
+
+# Start Authelia
+authelia --config /config/configuration.yml