From ff7f9a50ab39b6e7932f216732001562a567dece Mon Sep 17 00:00:00 2001 
From: Amir Zarrinkafsh Date: Wed, 17 Jun 2020 16:25:35 +1000 Subject: [PATCH] [FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary will now attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based on a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia`; this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml --- .buildkite/hooks/pre-artifact | 2 +- BREAKING.md | 14 +++++ Dockerfile | 15 +++--- Dockerfile.arm32v7 | 15 +++--- Dockerfile.arm64v8 | 15 +++--- Dockerfile.coverage | 15 +++--- cmd/authelia-scripts/cmd_build.go | 9 ++++ compose/lite/{ => authelia}/configuration.yml | 4 +- .../lite/{ => authelia}/users_database.yml | 0 compose/lite/docker-compose.yml | 4 +- compose/local/configuration.yml | 45 ---------------- compose/local/docker-compose.yml | 4 +- compose/local/users_database.yml | 14 ----- config.template.yml | 12 ++---
docs/configuration/authentication/file.md | 2 +- docs/configuration/miscellaneous.md | 6 +-- docs/configuration/notifier/filesystem.md | 2 +- docs/configuration/notifier/smtp.md | 2 +- docs/configuration/secrets.md | 39 +++++++------- docs/configuration/storage/sqlite.md | 2 +- docs/deployment/deployment-ha.md | 2 +- .../supported-proxies/traefik1.x.md | 3 +- .../supported-proxies/traefik2.x.md | 3 +- go.sum | 29 ++--------- internal/authentication/configuration.gen.go | 5 ++ internal/authentication/file_user_provider.go | 51 +++++++++++++++++++ .../authentication/file_user_provider_test.go | 37 ++++++++++++++ internal/configuration/configuration.gen.go | 5 ++ internal/configuration/reader.go | 34 ++++++++++++- internal/configuration/reader_test.go | 32 +++++++++++- .../test_resources/config_bad_keys.yml | 2 +- .../test_resources/config_bad_quoting.yml | 2 +- internal/suites/BypassAll/configuration.yml | 8 +-- internal/suites/BypassAll/docker-compose.yml | 6 +-- internal/suites/Docker/configuration.yml | 8 +-- internal/suites/Docker/docker-compose.yml | 6 +-- internal/suites/DuoPush/configuration.yml | 8 +-- internal/suites/DuoPush/docker-compose.yml | 6 +-- internal/suites/HAProxy/configuration.yml | 8 +-- internal/suites/HAProxy/docker-compose.yml | 6 +-- .../suites/HighAvailability/configuration.yml | 4 +- .../HighAvailability/docker-compose.yml | 4 +- internal/suites/LDAP/configuration.yml | 6 +-- internal/suites/LDAP/docker-compose.yml | 4 +- internal/suites/Mariadb/configuration.yml | 6 +-- internal/suites/Mariadb/docker-compose.yml | 6 +-- internal/suites/MySQL/configuration.yml | 6 +-- internal/suites/MySQL/docker-compose.yml | 6 +-- internal/suites/NetworkACL/configuration.yml | 8 +-- internal/suites/NetworkACL/docker-compose.yml | 6 +-- .../suites/OneFactorOnly/configuration.yml | 8 +-- .../suites/OneFactorOnly/docker-compose.yml | 6 +-- internal/suites/PathPrefix/configuration.yml | 8 +-- internal/suites/PathPrefix/docker-compose.yml | 6 +-- 
internal/suites/Postgres/configuration.yml | 6 +-- internal/suites/Postgres/docker-compose.yml | 6 +-- .../suites/ShortTimeouts/configuration.yml | 8 +-- .../suites/ShortTimeouts/docker-compose.yml | 6 +-- internal/suites/Standalone/configuration.yml | 6 +-- internal/suites/Standalone/docker-compose.yml | 6 +-- internal/suites/Traefik/configuration.yml | 8 +-- internal/suites/Traefik/docker-compose.yml | 6 +-- internal/suites/Traefik2/configuration.yml | 8 +-- internal/suites/Traefik2/docker-compose.yml | 6 +-- .../compose/authelia/Dockerfile.backend | 6 +-- .../authelia/docker-compose.backend.dist.yml | 2 +- .../authelia/resources/run-backend-dev.sh | 2 +- .../kube/authelia/configs/configuration.yml | 4 +- .../example/kube/authelia/deployment.yml | 14 ++--- .../suites/example/swarm/docker-compose.yml | 4 +- 70 files changed, 380 insertions(+), 284 deletions(-) rename compose/lite/{ => authelia}/configuration.yml (93%) rename compose/lite/{ => authelia}/users_database.yml (100%) delete mode 100644 compose/local/configuration.yml delete mode 100644 compose/local/users_database.yml create mode 100644 internal/authentication/configuration.gen.go create mode 100644 internal/configuration/configuration.gen.go
diff --git a/.buildkite/hooks/pre-artifact b/.buildkite/hooks/pre-artifact
index fc2a67197..a9f62a4da 100755
--- a/.buildkite/hooks/pre-artifact
+++ b/.buildkite/hooks/pre-artifact
@@ -14,7 +14,7 @@ if [[ $BUILDKITE_LABEL =~ ":docker: Build Image" ]]; then
 # Save binary for buildkite and github artifacts
 if [[ "${ARCH}" != "coverage" ]]; then
 docker create --name authelia-binary ${DOCKER_IMAGE}:latest
- docker cp authelia-binary:/usr/app/authelia ./authelia-"${OS}"-"${ARCH}"
+ docker cp authelia-binary:/app/authelia ./authelia-"${OS}"-"${ARCH}"
 docker rm -f authelia-binary
 tar -czf authelia-"${OS}"-"${ARCH}".tar.gz authelia-"${OS}"-"${ARCH}" authelia.service config.template.yml
 sha256sum authelia-"${OS}"-"${ARCH}".tar.gz > authelia-"${OS}"-"${ARCH}".tar.gz.sha256
diff --git a/BREAKING.md b/BREAKING.md
index 9e0bd5f59..920deb55e 100644
--- a/BREAKING.md
+++ b/BREAKING.md
@@ -6,6 +6,20 @@ recommended not to use the 'latest' Docker image tag blindly but pick a version
 and read this documentation before upgrading. This is where you will get information about breaking changes and about what you should do to overcome those changes.
+## Breaking in v4.20.0
+* Authelia's Docker volumes have been refactored. All data should reside within a single volume of `/config`.
+All examples have been updated to reflect this change. The entrypoint for the container changed from
+`authelia --config /etc/authelia/configuration.yml` to `authelia --config /config/configuration.yml`.
+
+Users migrating to v4.20.0 have two options:
+1. Change your container mappings to point to `/config` also change any associated paths in your `configuration.yml` to
+represent the new `/config` mappings.
+2. Change your container entry point back to `authelia --config /etc/authelia/configuration.yml`
+ * **Docker Compose:** `command: authelia --config /etc/authelia/configuration.yml`
+ * **Docker Run:** `docker run -d -v /path/on/host:/etc/authelia authelia/authelia:latest authelia --config /etc/authelia/configuration.yml`
+
+The team recommends option 1 to unify/simplify troubleshooting for support related issues.
+
 ## Breaking in v4.18.0
 * Secrets stored directly in ENV are now removed from Authelia. They have been replaced with file secrets. If you still have not moved feel free to contact the team for assistance, otherwise the
diff --git a/Dockerfile b/Dockerfile
index 557136b74..3dd5b73e7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,7 +22,7 @@ RUN apk --no-cache add gcc musl-dev
 WORKDIR /go/src/app
-COPY go.mod go.sum ./
+COPY go.mod go.sum config.template.yml ./
 COPY --from=builder-frontend /node/src/app/build public_html
 RUN go mod download
@@ -32,7 +32,9 @@ COPY internal internal
 # Prepare static files to be embedded in Go binary
 RUN go get -u aletheia.icu/broccoli && \
-cd internal/server && \
+cd internal/configuration && \
+go generate . && \
+cd ../server && \
 go generate .
 # Set the build version and time
@@ -51,15 +53,14 @@ FROM alpine:3.12.0
 RUN apk --no-cache add ca-certificates tzdata
-WORKDIR /usr/app
+WORKDIR /app
 COPY --from=builder-backend /go/src/app/cmd/authelia/authelia ./
 EXPOSE 9091
-VOLUME /etc/authelia
-VOLUME /var/lib/authelia
+VOLUME /config
-ENV PATH="/usr/app:${PATH}"
+ENV PATH="/app:${PATH}"
-CMD ["./authelia", "--config", "/etc/authelia/configuration.yml"]
+CMD ["authelia", "--config", "/config/configuration.yml"]
diff --git a/Dockerfile.arm32v7 b/Dockerfile.arm32v7
index 2a4673e0a..25c2ddea8 100644
--- a/Dockerfile.arm32v7
+++ b/Dockerfile.arm32v7
@@ -25,7 +25,7 @@ RUN apk --no-cache add curl && \
 WORKDIR /go/src/app
-COPY go.mod go.sum ./
+COPY go.mod go.sum config.template.yml ./
 COPY --from=builder-frontend /node/src/app/build public_html
 RUN go mod download
@@ -35,7 +35,9 @@ COPY internal internal
 # Prepare static files to be embedded in Go binary
 RUN go get -u aletheia.icu/broccoli && \
-cd internal/server && \
+cd internal/configuration && \
+go generate . && \
+cd ../server && \
 go generate .
 # Set the build version and time
@@ -57,15 +59,14 @@ COPY ./qemu-arm-static /usr/bin/qemu-arm-static
 RUN apk --no-cache add ca-certificates tzdata && \
 rm /usr/bin/qemu-arm-static
-WORKDIR /usr/app
+WORKDIR /app
 COPY --from=builder-backend /go/src/app/cmd/authelia/authelia ./
 EXPOSE 9091
-VOLUME /etc/authelia
-VOLUME /var/lib/authelia
+VOLUME /config
-ENV PATH="/usr/app:${PATH}"
+ENV PATH="/app:${PATH}"
-CMD ["./authelia", "--config", "/etc/authelia/configuration.yml"]
+CMD ["authelia", "--config", "/config/configuration.yml"]
diff --git a/Dockerfile.arm64v8 b/Dockerfile.arm64v8
index 396b59ff9..a42a95bea 100644
--- a/Dockerfile.arm64v8
+++ b/Dockerfile.arm64v8
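Review bot: The consolidated `VOLUME /config` in the final-stage hunk (and the identical hunks in Dockerfile.arm32v7, Dockerfile.arm64v8 and Dockerfile.coverage) now holds the configuration (which can carry `jwt_secret` and the session secret inline, as the deleted compose/local example did), the users database with its password hashes, the SQLite store and, per the updated secrets.md, the secret files, while the compose examples in this commit mount that directory read-write instead of mounting `configuration.yml` with `:ro`. As far as the hunk shows the final stage has no `USER` directive, so the files the binary generates (0600 per the commit message) will be root-owned on the host bind mount; confirm that is intended. A comment above the directive would make the expectation explicit, e.g. `# Single persistent directory: configuration.yml, users_database.yml, db.sqlite3 and generated files live here; restrict host permissions on the bind mount.`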
@@ -25,7 +25,7 @@ RUN apk --no-cache add curl && \
 WORKDIR /go/src/app
-COPY go.mod go.sum ./
+COPY go.mod go.sum config.template.yml ./
 COPY --from=builder-frontend /node/src/app/build public_html
 RUN go mod download
@@ -35,7 +35,9 @@ COPY internal internal
 # Prepare static files to be embedded in Go binary
 RUN go get -u aletheia.icu/broccoli && \
-cd internal/server && \
+cd internal/configuration && \
+go generate . && \
+cd ../server && \
 go generate .
 # Set the build version and time
@@ -57,15 +59,14 @@ COPY ./qemu-aarch64-static /usr/bin/qemu-aarch64-static
 RUN apk --no-cache add ca-certificates tzdata && \
 rm /usr/bin/qemu-aarch64-static
-WORKDIR /usr/app
+WORKDIR /app
 COPY --from=builder-backend /go/src/app/cmd/authelia/authelia ./
 EXPOSE 9091
-VOLUME /etc/authelia
-VOLUME /var/lib/authelia
+VOLUME /config
-ENV PATH="/usr/app:${PATH}"
+ENV PATH="/app:${PATH}"
-CMD ["./authelia", "--config", "/etc/authelia/configuration.yml"]
+CMD ["authelia", "--config", "/config/configuration.yml"]
diff --git a/Dockerfile.coverage b/Dockerfile.coverage
index 96558929b..98aec8710 100644
--- a/Dockerfile.coverage
+++ b/Dockerfile.coverage
@@ -22,7 +22,7 @@ RUN apk --no-cache add gcc musl-dev
 WORKDIR /go/src/app
-COPY go.mod go.sum ./
+COPY go.mod go.sum config.template.yml ./
 COPY --from=builder-frontend /node/src/app/build public_html
 RUN go mod download
@@ -32,7 +32,9 @@ COPY internal internal
 # Prepare static files to be embedded in Go binary
 RUN go get -u aletheia.icu/broccoli && \
-cd internal/server && \
+cd internal/configuration && \
+go generate . && \
+cd ../server && \
 go generate .
 # Set the build version and time
@@ -51,15 +53,14 @@ FROM alpine:3.12.0
 RUN apk --no-cache add ca-certificates tzdata
-WORKDIR /usr/app
+WORKDIR /app
 COPY --from=builder-backend /go/src/app/cmd/authelia/authelia ./
 EXPOSE 9091
-VOLUME /etc/authelia
-VOLUME /var/lib/authelia
+VOLUME /config
-ENV PATH="/usr/app:${PATH}"
+ENV PATH="/app:${PATH}"
-CMD ["./authelia", "-test.coverprofile=/app/coverage.txt", "COVERAGE", "--config", "/etc/authelia/configuration.yml"]
+CMD ["authelia", "-test.coverprofile=/authelia/coverage.txt", "COVERAGE", "--config", "/config/configuration.yml"]
diff --git a/cmd/authelia-scripts/cmd_build.go b/cmd/authelia-scripts/cmd_build.go
index 9c955d6e1..21aa96695 100644
--- a/cmd/authelia-scripts/cmd_build.go
+++ b/cmd/authelia-scripts/cmd_build.go
@@ -56,6 +56,15 @@ func generateEmbeddedAssets() {
 panic(err)
 }
+ cmd = utils.CommandWithStdout("go", "generate", ".")
+ cmd.Dir = "internal/configuration"
+
+ err = cmd.Run()
+
+ if err != nil {
+ panic(err)
+ }
+
 cmd = utils.CommandWithStdout("go", "generate", ".")
 cmd.Dir = "internal/server"
diff --git a/compose/lite/configuration.yml b/compose/lite/authelia/configuration.yml
similarity index 93%
rename from compose/lite/configuration.yml
rename to compose/lite/authelia/configuration.yml
index dc88a91c6..e7e56357e 100644
--- a/compose/lite/configuration.yml
+++ b/compose/lite/authelia/configuration.yml
@@ -19,7 +19,7 @@ totp:
 authentication_backend:
 file:
- path: /etc/authelia/users_database.yml
+ path: /config/users_database.yml
 access_control:
 default_policy: deny
@@ -53,7 +53,7 @@ regulation:
 storage:
 local:
- path: /var/lib/authelia/db.sqlite3
+ path: /config/db.sqlite3
 notifier:
 smtp:
diff --git a/compose/lite/users_database.yml b/compose/lite/authelia/users_database.yml
similarity index 100%
rename from compose/lite/users_database.yml
rename to compose/lite/authelia/users_database.yml
diff --git a/compose/lite/docker-compose.yml b/compose/lite/docker-compose.yml
index 884f4e246..d0e9f7619 100644
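Review bot: The new coverage profile path `/authelia/coverage.txt` in the `CMD` of the Dockerfile.coverage hunk points at a directory this Dockerfile neither creates nor declares as a volume (the only volume is `/config` and the WORKDIR is `/app`), so if nothing mounts a writable directory there the test binary will fail to write its profile. Presumably the suites' compose files, changed in this commit but outside this chunk, mount the checkout at `/authelia`; a comment on the CMD line would make that dependency visible, e.g. `# /authelia is bind-mounted by the integration suites; the coverage profile is written there`.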
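Review bot: The added block in the cmd_build.go hunk duplicates the `internal/server` step that follows it line for line, so `generateEmbeddedAssets` now carries two copies of the build-run-panic sequence and a third embed target would mean a third copy. Iterating over the two directories keeps the behaviour (same commands, same order, panic on the first failure) and leaves one place to edit. `generateEmbeddedAssets` starts and ends outside the hunk.
```go
// … unchanged: earlier asset-generation steps of generateEmbeddedAssets …
for _, dir := range []string{"internal/configuration", "internal/server"} {
	cmd = utils.CommandWithStdout("go", "generate", ".")
	cmd.Dir = dir

	if err = cmd.Run(); err != nil {
		panic(err)
	}
}
// … unchanged: rest of generateEmbeddedAssets …
```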
--- a/compose/lite/docker-compose.yml
+++ b/compose/lite/docker-compose.yml
@@ -9,9 +9,7 @@ services:
 image: authelia/authelia
 container_name: authelia
 volumes:
- - ./authelia:/var/lib/authelia
- - ./configuration.yml:/etc/authelia/configuration.yml:ro
- - ./users_database.yml:/etc/authelia/users_database.yml
+ - ./authelia:/config
 networks:
 - net
 labels:
diff --git a/compose/local/configuration.yml b/compose/local/configuration.yml
deleted file mode 100644
index 4c56917fd..000000000
--- a/compose/local/configuration.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-###############################################################
-# Authelia configuration #
-###############################################################
-
-host: 0.0.0.0
-port: 9091
-log_level: debug
-jwt_secret: a_very_important_secret
-default_redirection_url: https://public.example.com
-totp:
- issuer: authelia.com
-
-authentication_backend:
- file:
- path: /etc/authelia/users_database.yml
-
-access_control:
- default_policy: deny
- rules:
- - domain: public.example.com
- policy: bypass
- - domain: traefik.example.com
- policy: one_factor
- - domain: secure.example.com
- policy: two_factor
-
-session:
- name: authelia_session
- secret: unsecure_session_secret
- expiration: 3600 # 1 hour
- inactivity: 300 # 5 minutes
- domain: example.com # Should match whatever your root protected domain is
-
-regulation:
- max_retries: 3
- find_time: 120
- ban_time: 300
-
-storage:
- local:
- path: /var/lib/authelia/db.sqlite3
-
-notifier:
- filesystem:
- filename: /var/lib/authelia/notification.txt
\ No newline at end of file
diff --git a/compose/local/docker-compose.yml b/compose/local/docker-compose.yml
index 83b4eb568..4c3908e6f 100644
--- a/compose/local/docker-compose.yml
+++ b/compose/local/docker-compose.yml
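Review bot: The single `./authelia:/config` entry in the compose/lite hunk replaces a read-only mount of `configuration.yml`, so the configuration is now writable from inside the container; the same change is made in compose/local/docker-compose.yml and in the docs examples (secrets.md, traefik1.x.md, traefik2.x.md). That is what the generation feature in the commit message needs, but the example should say so, since a reader upgrading from the `:ro` mapping will not expect the container to write into that directory, which per the sibling configuration.yml hunk also receives `db.sqlite3` and holds `users_database.yml`. A comment above the volume entry would cover it, e.g. `# Mounted read-write: Authelia generates configuration.yml / users_database.yml here when missing and stores db.sqlite3 in it`.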
@@ -9,9 +9,7 @@ services:
 image: authelia/authelia
 container_name: authelia
 volumes:
- - ./authelia:/var/lib/authelia
- - ./configuration.yml:/etc/authelia/configuration.yml:ro
- - ./users_database.yml:/etc/authelia/users_database.yml
+ - ./authelia:/config
 networks:
 - net
 labels:
diff --git a/compose/local/users_database.yml b/compose/local/users_database.yml
deleted file mode 100644
index 3feabf738..000000000
--- a/compose/local/users_database.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-###############################################################
-# Users Database #
-###############################################################
-
-# This file can be used if you do not have an LDAP set up.
-
-# List of users
-users:
- :
- password: ""
- email: @example.com
- groups:
- - admins
- - dev
\ No newline at end of file
diff --git a/config.template.yml b/config.template.yml
index b327433cd..6025f0666 100644
--- a/config.template.yml
+++ b/config.template.yml
@@ -5,8 +5,8 @@
 # The host and port to listen on
 host: 0.0.0.0
 port: 9091
-# tls_key: /var/lib/authelia/ssl/key.pem
-# tls_cert: /var/lib/authelia/ssl/cert.pem
+# tls_key: /config/ssl/key.pem
+# tls_cert: /config/ssl/cert.pem
 # Configuration options specific to the internal http server
 server:
@@ -22,7 +22,7 @@ server:
 # Level of verbosity for logs: info, debug, trace
 log_level: debug
 ## File path where the logs will be written. If not set logs are written to stdout.
-# log_file_path: /var/log/authelia
+# log_file_path: /config/authelia.log
 # The secret used to generate JWT tokens when validating user identity by
 # email confirmation.
@@ -169,7 +169,7 @@ authentication_backend:
 # https://docs.authelia.com/configuration/authentication/file.html#password-hash-algorithm-tuning
 #
 ## file:
- ## path: ./users_database.yml
+ ## path: /config/users_database.yml
 ## password:
 ## algorithm: argon2id
 ## iterations: 1
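Review bot: After the compose/local hunk the example mounts `./authelia:/config`, but the commit deletes `compose/local/configuration.yml` and `compose/local/users_database.yml` and, unlike compose/lite, adds no `compose/local/authelia/` directory (the diffstat records only the lite rename). On first start Docker will create an empty bind-mount directory and, per the commit message, the container will generate `configuration.yml` from the template, which will still need editing before it matches what the deleted file provided (`jwt_secret`, the access-control rules, the session domain). Confirm that is the intended bootstrap path for this example and document it next to the volume entry, e.g. `# ./authelia is created on first run; Authelia writes a starter configuration.yml there which must be edited before use`.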
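Review bot: The config.template.yml hunks move every commented default onto the `/config` prefix (`tls_key`/`tls_cert`, `log_file_path`, the users database path here, and the sqlite and notifier paths in the following hunks), which is the container volume introduced by this commit, yet the same file is packed into the non-Docker tarball by .buildkite/hooks/pre-artifact next to authelia.service, where no `/config` directory exists. The previous relative `./users_database.yml` worked for both deployment styles. A one-line note at the top of the template would avoid confusion for bare-metal users, e.g. `# Paths in this template assume the Docker volume /config; adjust them for non-container installs.`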
@@ -345,7 +345,7 @@ regulation:
 storage:
 # The directory where the DB files will be saved
 ## local:
- ## path: /var/lib/authelia/db.sqlite3
+ ## path: /config/db.sqlite3
 # Settings to connect to MySQL server
 mysql:
@@ -377,7 +377,7 @@ notifier:
 # For testing purpose, notifications can be sent in a file
 ## filesystem:
- ## filename: /tmp/authelia/notification.txt
+ ## filename: /config/notification.txt
 # Use a SMTP server for sending notifications. Authelia uses PLAIN or LOGIN method to authenticate.
 # [Security] By default Authelia will:
diff --git a/docs/configuration/authentication/file.md b/docs/configuration/authentication/file.md
index be2ccfff5..72e8718c4 100644
--- a/docs/configuration/authentication/file.md
+++ b/docs/configuration/authentication/file.md
@@ -33,7 +33,7 @@ authentication_backend:
 # https://docs.authelia.com/configuration/authentication/file.html#password-hash-algorithm-tuning
 file:
- path: /var/lib/authelia/users.yml
+ path: /config/users.yml
 password:
 algorithm: argon2id
 iterations: 1
diff --git a/docs/configuration/miscellaneous.md b/docs/configuration/miscellaneous.md
index 8796a0a76..a248a2ba0 100644
--- a/docs/configuration/miscellaneous.md
+++ b/docs/configuration/miscellaneous.md
@@ -28,8 +28,8 @@ Authelia can use TLS. Provide the certificate and the key with the following
 configuration options:
 ```yaml
-tls_key: /var/lib/authelia/ssl/key.pem
-tls_cert: /var/lib/authelia/ssl/cert.pem
+tls_key: /config/ssl/key.pem
+tls_cert: /config/ssl/cert.pem
 ```
 ## Log
@@ -55,7 +55,7 @@ Logs can be stored in a file when file path is provided. Otherwise logs are
 written to standard output.
 ```yaml
-log_file_path: /var/log/authelia.log
+log_file_path: /config/authelia.log
 ```
diff --git a/docs/configuration/notifier/filesystem.md b/docs/configuration/notifier/filesystem.md
index c3267c9e0..ae9547a76 100644
--- a/docs/configuration/notifier/filesystem.md
+++ b/docs/configuration/notifier/filesystem.md
@@ -23,5 +23,5 @@ notifier:
 # For testing purpose, notifications can be sent in a file.
 filesystem:
- filename: /tmp/authelia/notification.txt
+ filename: /config/notification.txt
 ```
diff --git a/docs/configuration/notifier/smtp.md b/docs/configuration/notifier/smtp.md
index 2036e1bc5..c95731c41 100644
--- a/docs/configuration/notifier/smtp.md
+++ b/docs/configuration/notifier/smtp.md
@@ -23,7 +23,7 @@ notifier:
 # For testing purpose, notifications can be sent in a file.
 ## filesystem:
- ## filename: /tmp/authelia/notification.txt
+ ## filename: /config/notification.txt
 # Use a SMTP server for sending notifications. Authelia uses PLAIN or LOGIN method to authenticate.
 # [Security] By default Authelia will:
diff --git a/docs/configuration/secrets.md b/docs/configuration/secrets.md
index b33e5b9dd..ec6774762 100644
--- a/docs/configuration/secrets.md
+++ b/docs/configuration/secrets.md
@@ -107,8 +107,7 @@ services:
 - smtp
 - ldap
 volumes:
- - /path/to/authelia:/var/lib/authelia
- - /path/to/authelia/configuration.yml:/etc/authelia/configuration.yml:ro
+ - /path/to/authelia:/config
 networks:
 - net
 expose:
@@ -129,7 +128,7 @@ services:
 This example assumes secrets are stored in `/path/to/authelia/secrets/{secretname}` on the host and are exposed with bind mounted secret files in a `docker-compose.yml` file
-at `/etc/authelia/secrets/`:
+at `/config/secrets/`:
 ```yaml
 version: '3.8'
@@ -143,22 +142,20 @@ services:
 image: authelia/authelia
 container_name: authelia
 volumes:
- - /path/to/authelia:/var/lib/authelia
- - /path/to/authelia/configuration.yml:/etc/authelia/configuration.yml:ro
- - /path/to/authelia/secrets:/etc/authelia/secrets
+ - /path/to/authelia:/config
 networks:
 - net
 expose:
 - 9091
 restart: unless-stopped
 environment:
- - AUTHELIA_JWT_SECRET_FILE=/etc/authelia/secrets/jwt
- - AUTHELIA_DUO_API_SECRET_KEY_FILE=/etc/authelia/secrets/duo
- - AUTHELIA_SESSION_SECRET_FILE=/etc/authelia/secrets/session
- - AUTHELIA_SESSION_REDIS_PASSWORD_FILE=/etc/authelia/secrets/redis
- - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/etc/authelia/secrets/mysql
- - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/etc/authelia/secrets/smtp
- - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/etc/authelia/secrets/ldap
+ - AUTHELIA_JWT_SECRET_FILE=/config/secrets/jwt
+ - AUTHELIA_DUO_API_SECRET_KEY_FILE=/config/secrets/duo
+ - AUTHELIA_SESSION_SECRET_FILE=/config/secrets/session
+ - AUTHELIA_SESSION_REDIS_PASSWORD_FILE=/config/secrets/redis
+ - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/config/secrets/mysql
+ - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/config/secrets/smtp
+ - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/config/secrets/ldap
 - TZ=Australia/Melbourne
 ```
@@ -233,17 +230,17 @@ spec:
 imagePullPolicy: IfNotPresent
 env:
 - name: AUTHELIA_JWT_SECRET_FILE
- value: /usr/app/secrets/jwt
+ value: /app/secrets/jwt
 - name: AUTHELIA_DUO_API_SECRET_KEY_FILE
- value: /usr/app/secrets/duo
+ value: /app/secrets/duo
 - name: AUTHELIA_SESSION_SECRET_FILE
- value: /usr/app/secrets/session
+ value: /app/secrets/session
 - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
- value: /usr/app/secrets/ldap_password
+ value: /app/secrets/ldap_password
 - name: AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
- value: /usr/app/secrets/smtp_password
+ value: /app/secrets/smtp_password
 - name: AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE
- value: /usr/app/secrets/sql_password
+ value: /app/secrets/sql_password
 ports:
 - name: http
 containerPort: 80
@@ -272,9 +269,9 @@ spec:
 periodSeconds: 5
 failureThreshold: 5
 volumeMounts:
- - mountPath: /etc/authelia
+ - mountPath: /config
 name: config-volume
- - mountPath: /usr/app/secrets
+ - mountPath: /app/secrets
 name: secrets
 readOnly: true
 - mountPath: /etc/localtime
diff --git a/docs/configuration/storage/sqlite.md b/docs/configuration/storage/sqlite.md
index dda23b636..430075b6b 100644
--- a/docs/configuration/storage/sqlite.md
+++ b/docs/configuration/storage/sqlite.md
@@ -19,5 +19,5 @@ Just give the path to the sqlite database. It will be created if the file does n
 ```yaml
 storage:
 local:
- path: /var/lib/authelia/db.sqlite3
+ path: /config/db.sqlite3
 ```
diff --git a/docs/deployment/deployment-ha.md b/docs/deployment/deployment-ha.md
index 717165d1f..19f47912c 100644
--- a/docs/deployment/deployment-ha.md
+++ b/docs/deployment/deployment-ha.md
@@ -44,7 +44,7 @@ pay attention to the permissions of the configuration file. See
 ### Deploy With Docker
- $ docker run -v /path/to/your/configuration.yml:/etc/authelia/configuration.yml -e TZ=Europe/Paris authelia/authelia
+ $ docker run -v /path/to/your/configuration.yml:/config/configuration.yml -e TZ=Europe/Paris authelia/authelia
 ## FAQ
diff --git a/docs/deployment/supported-proxies/traefik1.x.md b/docs/deployment/supported-proxies/traefik1.x.md
index fd1aa208c..0d84dc1fc 100644
--- a/docs/deployment/supported-proxies/traefik1.x.md
+++ b/docs/deployment/supported-proxies/traefik1.x.md
@@ -63,8 +63,7 @@ services:
 image: authelia/authelia
 container_name: authelia
 volumes:
- - /path/to/authelia:/var/lib/authelia
- - /path/to/authelia/config.yml:/etc/authelia/configuration.yml:ro
+ - /path/to/authelia:/config
 networks:
 - net
 labels:
diff --git a/docs/deployment/supported-proxies/traefik2.x.md b/docs/deployment/supported-proxies/traefik2.x.md
index cdb8531f3..aaf2deb55 100644
--- a/docs/deployment/supported-proxies/traefik2.x.md
+++ b/docs/deployment/supported-proxies/traefik2.x.md
@@ -66,8 +66,7 @@ services:
 image: authelia/authelia
 container_name: authelia
 volumes:
- - /path/to/authelia:/var/lib/authelia
- - /path/to/authelia/config.yml:/etc/authelia/configuration.yml:ro
+ - /path/to/authelia:/config
 networks:
 - net
 labels:
diff --git a/go.sum b/go.sum
index d33e759c5..dc85c53c2 100644
--- a/go.sum
+++ b/go.sum
@@ -25,6 +25,7 @@ github.com/DataDog/sketches-go v0.0.0-20190923095040-43f19ad77ff7 h1:qELHH0AWCvf
 github.com/DataDog/sketches-go v0.0.0-20190923095040-43f19ad77ff7/go.mod h1:Q5DbzQ+3AkgGwymQO7aZFNP7ns2lZKGtvRBzRXfdi60=
 github.com/Gurpartap/logrus-stack v0.0.0-20170710170904-89c00d8a28f4 h1:vdT7QwBhJJEVNFMBNhRSFDRCB6O16T28VhvqRgqFyn8=
 github.com/Gurpartap/logrus-stack v0.0.0-20170710170904-89c00d8a28f4/go.mod h1:SvXOG8ElV28oAiG9zv91SDe5+9PfIr7PPccpr8YyXNs=
+github.com/OneOfOne/xxhash v1.2.2 h1:KMrpdQIwFcEqXDklaen+P1axHaj9BSKzvpUUfnHldSE=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/Workiva/go-datastructures v1.0.52 h1:PLSK6pwn8mYdaoaCZEMsXBpBotr4HHn9abU0yMQt0NI=
 github.com/Workiva/go-datastructures v1.0.52/go.mod h1:Z+F2Rca0qCsVYDS8z7bAGm8f3UkzuWYS/oBZz5a7VVA=
@@ -54,6 +55,7 @@ github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b/go.mod h1:H0wQNHz2YrLsuXOZozoeDmnHXkNCRmMW0gwFWDfEZDA=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
@@ -72,6 +74,7 @@ github.com/deckarep/golang-set v1.7.1 h1:SCQV0S6gTtp6itiFrTqI+pfmJ4LN85S1YzhDf9r
 github.com/deckarep/golang-set v1.7.1/go.mod h1:93vsz/8Wt4joVM7c2AVqh+YRMiUSc14yDtF28KmMOgQ=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/dgryski/go-rendezvous v0.0.0-20180401054734-3692eb46c031 h1:GqrUYGzmGuc00lpc+K0wwrqshfkKLwgYFJiCyOZFMVE=
 github.com/dgryski/go-rendezvous v0.0.0-20180401054734-3692eb46c031/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/duosecurity/duo_api_golang v0.0.0-20190308151101-6c680f768e74 h1:2MIhn2R6oXQbgW5yHfS+d6YqyMfXiu2L55rFZC4UD/M=
@@ -82,36 +85,23 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/facebookgo/stack v0.0.0-20160209184415-751773369052 h1:JWuenKqqX8nojtoVVWjGfOF9635RETekkoH6Cc9SX0A=
 github.com/facebookgo/stack v0.0.0-20160209184415-751773369052/go.mod h1:UbMTZqLaRiH3MsBH8va0n7s1pQYcu3uTb8G4tygF4Zg=
-github.com/fasthttp/router v1.1.6 h1:lBcXxp1ZNoNbSeh4+RvAaXKSEiHU6sGd+gEMpd5Xjog=
-github.com/fasthttp/router v1.1.6/go.mod h1:E1mpv7mrQzAhiSQdqhRb+GBTC7MEV+bLFVmgzSA5oFM=
-github.com/fasthttp/router v1.1.7 h1:1Wt3iK7yILMNUlgWg3kfqNW8cQhvMIgkqKUhh370wR4=
-github.com/fasthttp/router v1.1.7/go.mod h1:GllqmaKtAsIvYwz5Nbu0qcbQQXBSVaeXw2KY3SmlbYM=
-github.com/fasthttp/router v1.2.1 h1:8xVgc9j39HkI4KQcxcN3Kmo0K/1/GnGGbBeqjegtCJk=
-github.com/fasthttp/router v1.2.1/go.mod h1:7KEYuV4ieG9kNJqqxnH0pwIdO69cJCVhVqZx3CpOURw=
 github.com/fasthttp/router v1.2.2 h1:znEzZbSKjKDzXwUHiq/HQ17brnKx9ZF6ZphYKGrfkVk=
 github.com/fasthttp/router v1.2.2/go.mod h1:7KEYuV4ieG9kNJqqxnH0pwIdO69cJCVhVqZx3CpOURw=
-github.com/f7asthttp/session/v2 v2.1.0 h1:X84Wx3S5hO2AM5B030yhus6+J3ROWY/wA76rye3K00s=
-github.com/fasthttp/session/v2 v2.1.0/go.mod h1:VEaGPgnkB9J+/fy0nKqSU6VGS7hjVy1H7/zI+LCOgbo=
 github.com/fasthttp/session/v2 v2.1.1 h1:Cw+BZkfgfQ/IXYTYNtYXxj5Qg5WbArCrRQnfIok9OuM=
 github.com/fasthttp/session/v2 v2.1.1/go.mod h1:JBwLzecuSht7fkNJXvB5mvRoi2BhSiTZZ1+vKoWyjAE=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-asn1-ber/asn1-ber v1.3.1 h1:gvPdv/Hr++TRFCl0UbPFHC54P9N9jgsRPnmnr419Uck=
-github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-asn1-ber/asn1-ber v1.5.0 h1:/S4hO/AO6tLMlPX0oftGSOcdGJJN/MuYzfgWRMn199E=
 github.com/go-asn1-ber/asn1-ber v1.5.0/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
-github.com/go-ldap/ldap/v3 v3.1.10 h1:7WsKqasmPThNvdl0Q5GPpbTDD/ZD98CfuawrMIuh7qQ=
-github.com/go-ldap/ldap/v3 v3.1.10/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q=
 github.com/go-ldap/ldap/v3 v3.1.11 h1:EojIR9zHvfQS8LEz+EjvnPSvsfPYS3UioBezeOOskIA=
 github.com/go-ldap/ldap/v3 v3.1.11/go.mod h1:dtLsnBXnSLIsMRbCBuRpHflCGaYzZ5jn+x1q7XqMTKU=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
-github.com/go-redis/redis/v8 v8.0.0-beta.2 h1:9S28J9QMBotgI3tGgXbX1Wk9i8QYC3Orw4bTLoPrQeI=
-github.com/go-redis/redis/v8 v8.0.0-beta.2/go.mod h1:o1M7JtsgfDYyv3o+gBn/jJ1LkqpnCrmil7PSppZGBak=
+github.com/go-redis/redis/v8 v8.0.0-beta.4 h1:oIZMgBk2CHvLd1/rfn8sybGNwzTTmKEvRoXGz6ZiWnI=
 github.com/go-redis/redis/v8 v8.0.0-beta.4/go.mod h1:NlNCdZHGMxsMUjOkA1Xab/1SsVzAwI7WPBXbh1O7vHM=
 github.com/go-sql-driver/mysql v1.5.0 h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs=
 github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
@@ -226,8 +216,6 @@ github.com/kr/pty v1.1.1 h1:VkoXIwSboBpnk99O/KFauAEILuNHv5DVFKZMBN/gUgw=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/lib/pq v1.5.2 h1:yTSXVswvWUOQ3k1sd7vJfDrbSl8lKuscqFJRqjC0ifw=
-github.com/lib/pq v1.5.2/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.6.0 h1:I5DPxhYJChW9KYc66se+oKFFQX6VuQrKiprsX6ivRZc=
 github.com/lib/pq v1.6.0/go.mod h1:4vXEAYvW1fRQ2/FhZ78H73A60MHw1geSm145z2mdY1g=
 github.com/lib/pq v1.7.0 h1:h93mCPfUSkaul3Ka/VG8uZdmW1uMHDGxzu0NWHuJmHY=
@@ -304,12 +292,8 @@ github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6So
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
-github.com/savsgio/dictpool v0.0.0-20200414074025-215dfcb77c2c h1:EVgT3hCwdDn/HmAmzRLEAoK2qHhcO8AD22AvPAE1/mk=
-github.com/savsgio/dictpool v0.0.0-20200414074025-215dfcb77c2c/go.mod h1:InhUgunRRHK3vhg8YZHIRnxyoQGvGxwOE1p55leevWU=
 github.com/savsgio/dictpool v0.0.0-20200608150529-6a3c1a8f6ab2 h1:V+VG/pzeMdwBlS21mJmNkBnQQmZWyuBgYRoz0SVxaVk=
 github.com/savsgio/dictpool v0.0.0-20200608150529-6a3c1a8f6ab2/go.mod h1:LTEdLD+Y+KR4yx9eRMIgciXZo4Od0doGWP/hjgfOlE0=
-github.com/savsgio/gotils v0.0.0-20200413113635-8c468ce75cca h1:Qe7Mtuhjkk38HVpRtvWdziZJcwG3Qup1mfyvyOrcnyM=
-github.com/savsgio/gotils v0.0.0-20200413113635-8c468ce75cca/go.mod h1:TWNAOTaVzGOXq8RbEvHnhzA/A2sLZzgn0m6URjnukY8=
 github.com/savsgio/gotils v0.0.0-20200608150037-a5f6f5aef16c h1:2nF5+FZ4/qp7pZVL7fR6DEaSTzuDmNaFTyqp92/hwF8=
 github.com/savsgio/gotils v0.0.0-20200608150037-a5f6f5aef16c/go.mod h1:TWNAOTaVzGOXq8RbEvHnhzA/A2sLZzgn0m6URjnukY8=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
@@ -324,6 +308,7 @@ github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1 github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s= github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72 h1:qLC7fQah7D6K1B0ujays3HV9gkFtllcxhzImRR7ArPQ= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.1.2 h1:m8/z1t7/fwjysjQRYbP0RD+bUIF/8tJwPdEZsI83ACI= github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= @@ -345,8 +330,6 @@ github.com/stretchr/testify v1.2.0/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= -github.com/stretchr/testify v1.6.0 h1:jlIyCplCJFULU/01vCkhKuTyc3OorI3bJFuw6obfgho= -github.com/stretchr/testify v1.6.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s= 
@@ -361,8 +344,6 @@ github.com/tstranex/u2f v1.0.0/go.mod h1:eahSLaqAS0zsIEv80+vXT7WanXs7MQQDg3j3wGB github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw= github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= -github.com/valyala/fasthttp v1.13.1 h1:Z7kVhKP9NZz+tCSY7AVhCMPPAk7b+e5fq0l/BfdTlFc= -github.com/valyala/fasthttp v1.13.1/go.mod h1:ol1PCaL0dX20wC0htZ7sYCsvCYmrouYra0zHzaclZhE= github.com/valyala/fasthttp v1.14.0 h1:67bfuW9azCMwW/Jlq/C+VeihNpAuJMWkYPBig1gdi3A= github.com/valyala/fasthttp v1.14.0/go.mod h1:ol1PCaL0dX20wC0htZ7sYCsvCYmrouYra0zHzaclZhE= github.com/valyala/tcplisten v0.0.0-20161114210144-ceec8f93295a/go.mod h1:v3UYOV9WzVtRmSR+PDvWpU/qWl4Wa5LApYYX4ZtKbio= diff --git a/internal/authentication/configuration.gen.go b/internal/authentication/configuration.gen.go new file mode 100644 index 000000000..8c526bcab --- /dev/null +++ b/internal/authentication/configuration.gen.go 
@@ -0,0 +1,5 @@ +package authentication + +import "aletheia.icu/broccoli/fs" + +var cfg = fs.New(false, []byte("\x8b\xa1\x80\r\xff\x83\x02\x01\x02\xff\x84\x00\x01\xff\x82\x00\x00=\xff\x81\x03\x01\x02\xff\x82\x00\x01\x05\x01\x04Data\x01\n\x00\x01\x05Fpath\x01\f\x00\x01\x05Fname\x01\f\x00\x01\x05Fsize\x01\x04\x00\x01\x05Ftime\x01\x04\x00\x00\x00\xff\xf6\xff\x84\x00\x01\x01\xff\xaa\x1b\xe6\x00`\x1c\x87\xb1\xf3\xa4II\xda\xd3]\xbci`\x9e\xa9θ\x13\x91\xe6\x06\xb8A\xc2Z\x14F\x8fNn~P\xeb\xe7nAy@\x10C 7\xecwSb\xed\x15\xee>\x0f\xa3\xbe\x8b\xfc,\xb6\xa3\x98\xfe\xe7\x00Bj²\x90b\x0f\x19\xc4=\x92\x8b\xc2j\xb7\xden\x98Nd\xaa\x1d\xa2?J\xc9\xd3ŗ\xb9\x9cM+\u07bf\xfe\xcf{c\x85H9\xaf\xec97\xa6\xe4o\xeaƘ\xdfO\xf1\xf3\xdd\\\xd2Iٮ\u074b\xaa4i#\x17\xc5w=\x19\xd9\n\x02\xbf3o\xdc\x028\rp:\xf7\x011\x8fY\x88g\x87\x9c\b}\xf8\xa1\xc8mݞ?\x00\x01\x1busers_database.template.yml\x01\x1busers_database.template.yml\x01\xfe\x01\xce\x01\xfc\xbd\xcb\xdc\xf6\x00\x03")) diff --git a/internal/authentication/file_user_provider.go b/internal/authentication/file_user_provider.go index 18e38ad6b..32a57cdfd 100644 --- a/internal/authentication/file_user_provider.go +++ b/internal/authentication/file_user_provider.go @@ -3,6 +3,7 @@ package authentication import ( "fmt" "io/ioutil" + "os" "strings" "sync" @@ -11,6 +12,7 @@ import ( "gopkg.in/yaml.v2" "github.com/authelia/authelia/internal/configuration/schema" + "github.com/authelia/authelia/internal/logging" "github.com/authelia/authelia/internal/utils" ) @@ -38,6 +40,15 @@ type DatabaseModel struct { // NewFileUserProvider creates a new instance of FileUserProvider. func NewFileUserProvider(configuration *schema.FileAuthenticationBackendConfiguration) *FileUserProvider { + errs := checkDatabase(configuration.Path) + if errs != nil { + for _, err := range errs { + logging.Logger().Error(err) + } + + os.Exit(1) + } + database, err := readDatabase(configuration.Path) if err != nil { // Panic since the file does not exist when Authelia is starting. 
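Review bot: The `os.Exit(1)` added to NewFileUserProvider fires even when checkDatabase reports a successful generation, because checkDatabase returns a non-nil slice whenever the Stat failed; that looks intentional (the generated template presumably must be edited before it is used for real logins — confirm against users_database.template.yml, which is not visible here) but nothing in the code says so. Add `// Exit even after a successful generation: the operator must review/edit the generated template before Authelia serves logins.` above the exit. Calling os.Exit from a constructor also skips deferred cleanup and log flushing in the caller and makes this path untestable; returning the errors and letting the caller decide to exit is the more conventional shape. The body of NewFileUserProvider continues outside the hunk.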
@@ -86,6 +97,46 @@ func checkPasswordHashes(database *DatabaseModel) error { return nil } +func checkDatabase(path string) []error { + _, err := os.Stat(path) + if err != nil { + errs := []error{ + fmt.Errorf("Unable to find database file: %v", path), + fmt.Errorf("Generating database file: %v", path), + } + + err := generateDatabaseFromTemplate(path) + if err != nil { + errs = append(errs, err) + } else { + errs = append(errs, fmt.Errorf("Generated database at: %v", path)) + } + + return errs + } + + return nil +} + +func generateDatabaseFromTemplate(path string) error { + f, err := cfg.Open("users_database.template.yml") + if err != nil { + return fmt.Errorf("Unable to open users_database.template.yml: %v", err) + } + + b, err := ioutil.ReadAll(f) + if err != nil { + return fmt.Errorf("Unable to read users_database.template.yml: %v", err) + } + + err = ioutil.WriteFile(path, b, 0600) + if err != nil { + return fmt.Errorf("Unable to generate %v: %v", path, err) + } + + return nil +} + func readDatabase(path string) (*DatabaseModel, error) { content, err := ioutil.ReadFile(path) if err != nil { diff --git a/internal/authentication/file_user_provider_test.go b/internal/authentication/file_user_provider_test.go index 2c9dbe1ff..7ce16def4 100644 --- a/internal/authentication/file_user_provider_test.go +++ b/internal/authentication/file_user_provider_test.go @@ -7,7 +7,9 @@ import ( "strings" "testing" + "aletheia.icu/broccoli/fs" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "github.com/authelia/authelia/internal/configuration/schema" ) 
@@ -32,6 +34,41 @@ func WithDatabase(content []byte, f func(path string)) { } } +func TestShouldErrorNoUserDBInEmbeddedFS(t *testing.T) { + oldCfg := cfg + cfg = fs.New(false, []byte("\x1b~\x00\x80\x8d\x94n\xc2|\x84J\xf7\xbfn\xfd\xf7w;.\x8d m\xb2&\xd1Z\xec\xb2\x05\xb9\xc00\x8a\xf7(\x80^78\t(\f\f\xc3p\xc2\xc1\x06[a\xa2\xb3\xa4P\xe5\xa14\xfb\x19\xb2cp\xf6\x90-Z\xb2\x11\xe0l\xa1\x80\\\x95Vh\t\xc5\x06\x16\xfa\x8c\xc0\"!\xa5\xcf\xf7$\x9a\xb2\a`\xc6\x18\xc8~\xce8\r\x16Z\x9d\xc3\xe3\xff\x00")) + errors := checkDatabase("./nonexistent.yml") + cfg = oldCfg + + require.Len(t, errors, 3) + + require.EqualError(t, errors[0], "Unable to find database file: ./nonexistent.yml") + require.EqualError(t, errors[1], "Generating database file: ./nonexistent.yml") + require.EqualError(t, errors[2], "Unable to open users_database.template.yml: file does not exist") +} + +func TestShouldErrorPermissionsOnLocalFS(t *testing.T) { + _ = os.Mkdir("/tmp/noperms/", 0000) + errors := checkDatabase("/tmp/noperms/users_database.yml") + + require.Len(t, errors, 3) + + require.EqualError(t, errors[0], "Unable to find database file: /tmp/noperms/users_database.yml") + require.EqualError(t, errors[1], "Generating database file: /tmp/noperms/users_database.yml") + require.EqualError(t, errors[2], "Unable to generate /tmp/noperms/users_database.yml: open /tmp/noperms/users_database.yml: permission denied") +} + +func TestShouldErrorAndGenerateUserDB(t *testing.T) { + errors := checkDatabase("./nonexistent.yml") + _ = os.Remove("./nonexistent.yml") + + require.Len(t, errors, 3) + + require.EqualError(t, errors[0], "Unable to find database file: ./nonexistent.yml") + require.EqualError(t, errors[1], "Generating database file: ./nonexistent.yml") + require.EqualError(t, errors[2], "Generated database at: ./nonexistent.yml") +} + func TestShouldCheckUserArgon2idPasswordIsCorrect(t *testing.T) { WithDatabase(UserDatabaseContent, func(path string) { config := DefaultFileAuthenticationBackendConfiguration 
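Review bot: Nothing in these tests asserts the 0600 mode the commit introduces for the generated database, so a regression to a world-readable mode would pass; in TestShouldErrorAndGenerateUserDB stat the file before removing it: `info, err := os.Stat("./nonexistent.yml")`, `require.NoError(t, err)`, `require.Equal(t, os.FileMode(0600), info.Mode().Perm())`. TestShouldErrorPermissionsOnLocalFS leaves a mode-0000 `/tmp/noperms/` behind on every run and will fail when the suite runs as root (root bypasses the directory permission bits, which is common in CI containers); an `ioutil.TempDir` with `os.Chmod` and a deferred cleanup plus a skip when `os.Geteuid() == 0` avoids both. Its first expected message, `Unable to find database file`, is in fact produced by a Stat that failed with EACCES rather than by a missing file, which is worth a comment so the test is not read as covering the ENOENT path.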
diff --git a/internal/configuration/configuration.gen.go b/internal/configuration/configuration.gen.go new file mode 100644 index 000000000..6d41137ee --- /dev/null +++ b/internal/configuration/configuration.gen.go @@ -0,0 +1,5 @@ +package configuration + +import "aletheia.icu/broccoli/fs" + +var cfg = fs.New(false, []byte("\x1b~\x00\x80\x8d\x94n\xc2|\x84J\xf7\xbfn\xfd\xf7w;.\x8d m\xb2&\xd1Z\xec\xb2\x05\xb9\xc00\x8a\xf7(\x80^78\t(\f\f\xc3p\xc2\xc1\x06[a\xa2\xb3\xa4P\xe5\xa14\xfb\x19\xb2cp\xf6\x90-Z\xb2\x11\xe0l\xa1\x80\\\x95Vh\t\xc5\x06\x16\xfa\x8c\xc0\"!\xa5\xcf\xf7$\x9a\xb2\a`\xc6\x18\xc8~\xce8\r\x16Z\x9d\xc3\xe3\xff\x00")) diff --git a/internal/configuration/reader.go b/internal/configuration/reader.go index e89f7a8ce..6eeb868b9 100644 --- a/internal/configuration/reader.go +++ b/internal/configuration/reader.go @@ -15,6 +15,7 @@ import ( ) // Read a YAML configuration and create a Configuration object out of it. +//go:generate broccoli -src ../../config.template.yml -var=cfg -o configuration func Read(configPath string) (*schema.Configuration, []error) { if configPath == "" { return nil, []error{errors.New("No config file path provided")} @@ -22,7 +23,19 @@ func Read(configPath string) (*schema.Configuration, []error) { _, err := os.Stat(configPath) if err != nil { - return nil, []error{fmt.Errorf("Unable to find config file: %v", configPath)} + errs := []error{ + fmt.Errorf("Unable to find config file: %v", configPath), + fmt.Errorf("Generating config file: %v", configPath), + } + + err = generateConfigFromTemplate(configPath) + if err != nil { + errs = append(errs, err) + } else { + errs = append(errs, fmt.Errorf("Generated configuration at: %v", configPath)) + } + + return nil, errs } file, err := ioutil.ReadFile(configPath) 
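Review bot: The `//go:generate` directive is placed between the doc comment and `func Read`, so it becomes part of Read's godoc text; move it above the comment with a blank line in between, or next to the `var cfg` it populates. The directive also shows that configuration.gen.go is a checked-in opaque byte blob derived from config.template.yml; nothing visible here keeps the two in sync, so a CI step that runs `go generate ./...` and fails on a dirty tree is worth adding if one does not already exist.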
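Review bot: Read reports `Unable to find config file` and attempts template generation for every os.Stat failure, not only ENOENT, so a permission problem is misdiagnosed as a missing file (this is exactly what the new TestShouldErrorPermissionsOnLocalFS triggers, since a Stat under a mode-0000 directory fails with EACCES), and wherever the subsequent write does succeed, ioutil.WriteFile's O_TRUNC in generateConfigFromTemplate replaces the existing configuration with the template. Gate generation before building errs: `if !os.IsNotExist(err) { return nil, []error{fmt.Errorf("Unable to stat config file %v: %v", configPath, err)} }`. The rest of Read continues outside this hunk.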
@@ -67,3 +80,22 @@ func Read(configPath string) (*schema.Configuration, []error) { return &configuration, nil } + +func generateConfigFromTemplate(configPath string) error { + f, err := cfg.Open("config.template.yml") + if err != nil { + return fmt.Errorf("Unable to open config.template.yml: %v", err) + } + + b, err := ioutil.ReadAll(f) + if err != nil { + return fmt.Errorf("Unable to read config.template.yml: %v", err) + } + + err = ioutil.WriteFile(configPath, b, 0600) + if err != nil { + return fmt.Errorf("Unable to generate %v: %v", configPath, err) + } + + return nil +} diff --git a/internal/configuration/reader_test.go b/internal/configuration/reader_test.go index ecc5bfcc6..adaf053ef 100644 --- a/internal/configuration/reader_test.go +++ b/internal/configuration/reader_test.go @@ -7,6 +7,7 @@ import ( "sort" "testing" + "aletheia.icu/broccoli/fs" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" 
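Review bot: generateConfigFromTemplate writes with ioutil.WriteFile, which opens O_CREATE|O_TRUNC, so if the configuration appears between Read's os.Stat and this write, or the Stat failed for a reason other than non-existence, the existing configuration.yml — the file that carries the jwt and session secrets — is silently overwritten with the template. Open with O_EXCL so the generator can only ever create, never replace, and close the handle returned by cfg.Open (assuming it exposes Close, as an http.File would). The `open …: permission denied` message produced by os.OpenFile is identical to WriteFile's, so reader_test.go's expectation is unaffected.
```go
func generateConfigFromTemplate(configPath string) error {
	f, err := cfg.Open("config.template.yml")
	if err != nil {
		return fmt.Errorf("Unable to open config.template.yml: %v", err)
	}
	defer f.Close()

	// … unchanged: ioutil.ReadAll into b …

	// O_EXCL: only create; never truncate a configuration that already exists.
	out, err := os.OpenFile(configPath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600)
	if err != nil {
		return fmt.Errorf("Unable to generate %v: %v", configPath, err)
	}
	defer out.Close()

	if _, err = out.Write(b); err != nil {
		return fmt.Errorf("Unable to generate %v: %v", configPath, err)
	}

	return nil
}
```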
@@ -65,12 +66,39 @@ func TestShouldErrorNoConfigPath(t *testing.T) { require.EqualError(t, errors[0], "No config file path provided") } -func TestShouldErrorNoConfigFile(t *testing.T) { +func TestShouldErrorNoConfigFileInEmbeddedFS(t *testing.T) { + oldCfg := cfg + cfg = fs.New(false, []byte("\x1b~\x00\x80\x8d\x94n\xc2|\x84J\xf7\xbfn\xfd\xf7w;.\x8d m\xb2&\xd1Z\xec\xb2\x05\xb9\xc00\x8a\xf7(\x80^78\t(\f\f\xc3p\xc2\xc1\x06[a\xa2\xb3\xa4P\xe5\xa14\xfb\x19\xb2cp\xf6\x90-Z\xb2\x11\xe0l\xa1\x80\\\x95Vh\t\xc5\x06\x16\xfa\x8c\xc0\"!\xa5\xcf\xf7$\x9a\xb2\a`\xc6\x18\xc8~\xce8\r\x16Z\x9d\xc3\xe3\xff\x00")) _, errors := Read("./nonexistent.yml") + cfg = oldCfg - require.Len(t, errors, 1) + require.Len(t, errors, 3) require.EqualError(t, errors[0], "Unable to find config file: ./nonexistent.yml") + require.EqualError(t, errors[1], "Generating config file: ./nonexistent.yml") + require.EqualError(t, errors[2], "Unable to open config.template.yml: file does not exist") +} + +func TestShouldErrorPermissionsOnLocalFS(t *testing.T) { + _ = os.Mkdir("/tmp/noperms/", 0000) + _, errors := Read("/tmp/noperms/configuration.yml") + + require.Len(t, errors, 3) + + require.EqualError(t, errors[0], "Unable to find config file: /tmp/noperms/configuration.yml") + require.EqualError(t, errors[1], "Generating config file: /tmp/noperms/configuration.yml") + require.EqualError(t, errors[2], "Unable to generate /tmp/noperms/configuration.yml: open /tmp/noperms/configuration.yml: permission denied") +} + +func TestShouldErrorAndGenerateConfigFile(t *testing.T) { + _, errors := Read("./nonexistent.yml") + _ = os.Remove("./nonexistent.yml") + + require.Len(t, errors, 3) + + require.EqualError(t, errors[0], "Unable to find config file: ./nonexistent.yml") + require.EqualError(t, errors[1], "Generating config file: ./nonexistent.yml") + require.EqualError(t, errors[2], "Generated configuration at: ./nonexistent.yml") } func TestShouldErrorPermissionsConfigFile(t *testing.T) { 
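Review bot: None of the new tests checks the mode of the generated configuration, although 0600 is part of what this commit introduces and the generated file is where operators will place secrets; in TestShouldErrorAndGenerateConfigFile add before the Remove: `info, err := os.Stat("./nonexistent.yml")`, `require.NoError(t, err)`, `require.Equal(t, os.FileMode(0600), info.Mode().Perm())`. TestShouldErrorPermissionsOnLocalFS creates `/tmp/noperms/` with mode 0000 and never removes it, and it fails under root because root bypasses the directory permission check, so a temp directory with deferred cleanup and an `os.Geteuid() == 0` skip is safer. Note that its first expected message, `Unable to find config file`, comes from a Stat that failed with EACCES rather than from a missing file, so the ENOENT path is only covered by TestShouldErrorAndGenerateConfigFile.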
diff --git a/internal/configuration/test_resources/config_bad_keys.yml b/internal/configuration/test_resources/config_bad_keys.yml index 8f1b55583..ea9a303e6 100644 --- a/internal/configuration/test_resources/config_bad_keys.yml +++ b/internal/configuration/test_resources/config_bad_keys.yml @@ -4,7 +4,7 @@ host: 127.0.0.1 port: 9091 -loggy_file: /etc/authelia/svc.log +loggy_file: /config/svc.log logs_level: debug default_redirection_url: https://home.example.com:8080/ diff --git a/internal/configuration/test_resources/config_bad_quoting.yml b/internal/configuration/test_resources/config_bad_quoting.yml index 1f41a8a5f..8027be8ab 100644 --- a/internal/configuration/test_resources/config_bad_quoting.yml +++ b/internal/configuration/test_resources/config_bad_quoting.yml @@ -13,7 +13,7 @@ totp: authentication_backend: file: - path: /etc/authelia/users_database.yml + path: /config/users_database.yml access_control: default_policy: deny diff --git a/internal/suites/BypassAll/configuration.yml b/internal/suites/BypassAll/configuration.yml index 01c8f94aa..dd0bb2469 100644 --- a/internal/suites/BypassAll/configuration.yml +++ b/internal/suites/BypassAll/configuration.yml @@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem log_level: debug @@ -12,7 +12,7 @@ jwt_secret: unsecure_secret authentication_backend: file: - path: /var/lib/authelia/users.yml + path: /config/users.yml session: secret: unsecure_session_secret @@ -23,7 +23,7 @@ session: storage: local: - path: /var/lib/authelia/db.sqlite + path: /config/db.sqlite # The Duo Push Notification API configuration duo_api: diff --git a/internal/suites/BypassAll/docker-compose.yml b/internal/suites/BypassAll/docker-compose.yml index 947776084..5b8d56193 100644 --- a/internal/suites/BypassAll/docker-compose.yml 
+++ b/internal/suites/BypassAll/docker-compose.yml @@ -2,6 +2,6 @@ version: '3' services: authelia-backend: volumes: - - './BypassAll/configuration.yml:/etc/authelia/configuration.yml:ro' - - './BypassAll/users.yml:/var/lib/authelia/users.yml' - - './common/ssl:/var/lib/authelia/ssl:ro' \ No newline at end of file + - './BypassAll/configuration.yml:/config/configuration.yml:ro' + - './BypassAll/users.yml:/config/users.yml' + - './common/ssl:/config/ssl:ro' \ No newline at end of file diff --git a/internal/suites/Docker/configuration.yml b/internal/suites/Docker/configuration.yml index 1392772b1..a72593bb0 100644 --- a/internal/suites/Docker/configuration.yml +++ b/internal/suites/Docker/configuration.yml @@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem log_level: debug @@ -14,7 +14,7 @@ jwt_secret: very_important_secret authentication_backend: file: - path: /var/lib/authelia/users.yml + path: /config/users.yml session: secret: unsecure_session_secret @@ -25,7 +25,7 @@ session: storage: local: - path: /var/lib/authelia/db.sqlite3 + path: /config/db.sqlite3 totp: issuer: example.com diff --git a/internal/suites/Docker/docker-compose.yml b/internal/suites/Docker/docker-compose.yml index 6a4cf3881..9aeff6891 100644 --- a/internal/suites/Docker/docker-compose.yml +++ b/internal/suites/Docker/docker-compose.yml @@ -2,6 +2,6 @@ version: '3' services: authelia-backend: volumes: - - './Docker/configuration.yml:/etc/authelia/configuration.yml:ro' - - './Docker/users.yml:/var/lib/authelia/users.yml' - - './common/ssl:/var/lib/authelia/ssl:ro' \ No newline at end of file + - './Docker/configuration.yml:/config/configuration.yml:ro' + - './Docker/users.yml:/config/users.yml' + - './common/ssl:/config/ssl:ro' \ No newline at end of file 
diff --git a/internal/suites/DuoPush/configuration.yml b/internal/suites/DuoPush/configuration.yml index 60451bf8d..6328189f7 100644 --- a/internal/suites/DuoPush/configuration.yml +++ b/internal/suites/DuoPush/configuration.yml @@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem log_level: trace @@ -14,7 +14,7 @@ jwt_secret: very_important_secret authentication_backend: file: - path: /var/lib/authelia/users.yml + path: /config/users.yml session: secret: unsecure_session_secret @@ -26,7 +26,7 @@ session: # Configuration of the storage backend used to store data and secrets. i.e. totp data storage: local: - path: /var/lib/authelia/db.sqlite + path: /config/db.sqlite # TOTP Issuer Name # diff --git a/internal/suites/DuoPush/docker-compose.yml b/internal/suites/DuoPush/docker-compose.yml index 5913560d8..ea931e124 100644 --- a/internal/suites/DuoPush/docker-compose.yml +++ b/internal/suites/DuoPush/docker-compose.yml @@ -2,6 +2,6 @@ version: '3' services: authelia-backend: volumes: - - './DuoPush/configuration.yml:/etc/authelia/configuration.yml:ro' - - './DuoPush/users.yml:/var/lib/authelia/users.yml' - - './common/ssl:/var/lib/authelia/ssl:ro' \ No newline at end of file + - './DuoPush/configuration.yml:/config/configuration.yml:ro' + - './DuoPush/users.yml:/config/users.yml' + - './common/ssl:/config/ssl:ro' \ No newline at end of file diff --git a/internal/suites/HAProxy/configuration.yml b/internal/suites/HAProxy/configuration.yml index c9c34ffc1..991f10d04 100644 --- a/internal/suites/HAProxy/configuration.yml +++ b/internal/suites/HAProxy/configuration.yml 
@@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem log_level: debug @@ -12,7 +12,7 @@ jwt_secret: unsecure_secret authentication_backend: file: - path: /var/lib/authelia/users.yml + path: /config/users.yml session: secret: unsecure_session_secret @@ -23,7 +23,7 @@ session: storage: local: - path: /var/lib/authelia/db.sqlite + path: /config/db.sqlite access_control: default_policy: bypass diff --git a/internal/suites/HAProxy/docker-compose.yml b/internal/suites/HAProxy/docker-compose.yml index 2c6ddf173..6553cdb15 100644 --- a/internal/suites/HAProxy/docker-compose.yml +++ b/internal/suites/HAProxy/docker-compose.yml @@ -2,6 +2,6 @@ version: '3' services: authelia-backend: volumes: - - './HAProxy/configuration.yml:/etc/authelia/configuration.yml:ro' - - './HAProxy/users.yml:/var/lib/authelia/users.yml' - - './common/ssl:/var/lib/authelia/ssl:ro' \ No newline at end of file + - './HAProxy/configuration.yml:/config/configuration.yml:ro' + - './HAProxy/users.yml:/config/users.yml' + - './common/ssl:/config/ssl:ro' \ No newline at end of file diff --git a/internal/suites/HighAvailability/configuration.yml b/internal/suites/HighAvailability/configuration.yml index 2f4f588b7..3c4d1b592 100644 --- a/internal/suites/HighAvailability/configuration.yml +++ b/internal/suites/HighAvailability/configuration.yml @@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem log_level: debug diff --git a/internal/suites/HighAvailability/docker-compose.yml b/internal/suites/HighAvailability/docker-compose.yml index 38bba3128..5cb53220f 100644 --- a/internal/suites/HighAvailability/docker-compose.yml 
+++ b/internal/suites/HighAvailability/docker-compose.yml @@ -2,5 +2,5 @@ version: '3' services: authelia-backend: volumes: - - './HighAvailability/configuration.yml:/etc/authelia/configuration.yml:ro' - - './common/ssl:/var/lib/authelia/ssl:ro' \ No newline at end of file + - './HighAvailability/configuration.yml:/config/configuration.yml:ro' + - './common/ssl:/config/ssl:ro' \ No newline at end of file diff --git a/internal/suites/LDAP/configuration.yml b/internal/suites/LDAP/configuration.yml index be6d7412e..80645ee4d 100644 --- a/internal/suites/LDAP/configuration.yml +++ b/internal/suites/LDAP/configuration.yml @@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem log_level: debug @@ -36,7 +36,7 @@ session: storage: local: - path: /var/lib/authelia/db.sqlite3 + path: /config/db.sqlite3 totp: issuer: example.com diff --git a/internal/suites/LDAP/docker-compose.yml b/internal/suites/LDAP/docker-compose.yml index dfb0d559c..f60766d88 100644 --- a/internal/suites/LDAP/docker-compose.yml +++ b/internal/suites/LDAP/docker-compose.yml @@ -2,5 +2,5 @@ version: '3' services: authelia-backend: volumes: - - './LDAP/configuration.yml:/etc/authelia/configuration.yml:ro' - - './common/ssl:/var/lib/authelia/ssl:ro' \ No newline at end of file + - './LDAP/configuration.yml:/config/configuration.yml:ro' + - './common/ssl:/config/ssl:ro' \ No newline at end of file diff --git a/internal/suites/Mariadb/configuration.yml b/internal/suites/Mariadb/configuration.yml index a366c6fa8..7b8458870 100644 --- a/internal/suites/Mariadb/configuration.yml +++ b/internal/suites/Mariadb/configuration.yml 
@@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem log_level: debug @@ -14,7 +14,7 @@ jwt_secret: very_important_secret authentication_backend: file: - path: /var/lib/authelia/users.yml + path: /config/users.yml session: secret: unsecure_session_secret diff --git a/internal/suites/Mariadb/docker-compose.yml b/internal/suites/Mariadb/docker-compose.yml index 1bda82c09..0ef478773 100644 --- a/internal/suites/Mariadb/docker-compose.yml +++ b/internal/suites/Mariadb/docker-compose.yml @@ -2,6 +2,6 @@ version: '3' services: authelia-backend: volumes: - - './Mariadb/configuration.yml:/etc/authelia/configuration.yml:ro' - - './Mariadb/users.yml:/var/lib/authelia/users.yml' - - './common/ssl:/var/lib/authelia/ssl:ro' \ No newline at end of file + - './Mariadb/configuration.yml:/config/configuration.yml:ro' + - './Mariadb/users.yml:/config/users.yml' + - './common/ssl:/config/ssl:ro' \ No newline at end of file diff --git a/internal/suites/MySQL/configuration.yml b/internal/suites/MySQL/configuration.yml index 962c6b3a5..c752254c3 100644 --- a/internal/suites/MySQL/configuration.yml +++ b/internal/suites/MySQL/configuration.yml @@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem log_level: debug @@ -14,7 +14,7 @@ jwt_secret: very_important_secret authentication_backend: file: - path: /var/lib/authelia/users.yml + path: /config/users.yml session: secret: unsecure_session_secret diff --git a/internal/suites/MySQL/docker-compose.yml b/internal/suites/MySQL/docker-compose.yml index ad9179bac..e6e9b6041 100644 --- a/internal/suites/MySQL/docker-compose.yml +++ b/internal/suites/MySQL/docker-compose.yml 
@@ -2,6 +2,6 @@ version: '3' services: authelia-backend: volumes: - - './MySQL/configuration.yml:/etc/authelia/configuration.yml:ro' - - './MySQL/users.yml:/var/lib/authelia/users.yml' - - './common/ssl:/var/lib/authelia/ssl:ro' \ No newline at end of file + - './MySQL/configuration.yml:/config/configuration.yml:ro' + - './MySQL/users.yml:/config/users.yml' + - './common/ssl:/config/ssl:ro' \ No newline at end of file diff --git a/internal/suites/NetworkACL/configuration.yml b/internal/suites/NetworkACL/configuration.yml index be4c4640c..673160b89 100644 --- a/internal/suites/NetworkACL/configuration.yml +++ b/internal/suites/NetworkACL/configuration.yml @@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem log_level: debug @@ -12,7 +12,7 @@ jwt_secret: unsecure_password authentication_backend: file: - path: /var/lib/authelia/users.yml + path: /config/users.yml session: secret: unsecure_session_secret @@ -24,7 +24,7 @@ session: # Configuration of the storage backend used to store data and secrets. i.e. totp data storage: local: - path: /var/lib/authelia/db.sqlite + path: /config/db.sqlite # Access Control # diff --git a/internal/suites/NetworkACL/docker-compose.yml b/internal/suites/NetworkACL/docker-compose.yml index 34eb9a02e..dd1b1dedf 100644 --- a/internal/suites/NetworkACL/docker-compose.yml +++ b/internal/suites/NetworkACL/docker-compose.yml @@ -2,6 +2,6 @@ version: '3' services: authelia-backend: volumes: - - './NetworkACL/configuration.yml:/etc/authelia/configuration.yml:ro' - - './NetworkACL/users.yml:/var/lib/authelia/users.yml' - - './common/ssl:/var/lib/authelia/ssl:ro' \ No newline at end of file + - './NetworkACL/configuration.yml:/config/configuration.yml:ro' + - './NetworkACL/users.yml:/config/users.yml' + - './common/ssl:/config/ssl:ro' \ No newline at end of file 
diff --git a/internal/suites/OneFactorOnly/configuration.yml b/internal/suites/OneFactorOnly/configuration.yml index c82ace09a..5ae40fa93 100644 --- a/internal/suites/OneFactorOnly/configuration.yml +++ b/internal/suites/OneFactorOnly/configuration.yml @@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem log_level: debug @@ -14,7 +14,7 @@ jwt_secret: unsecure_secret authentication_backend: file: - path: /var/lib/authelia/users.yml + path: /config/users.yml session: secret: unsecure_session_secret @@ -25,7 +25,7 @@ session: storage: local: - path: /var/lib/authelia/db.sqlite + path: /config/db.sqlite access_control: default_policy: deny diff --git a/internal/suites/OneFactorOnly/docker-compose.yml b/internal/suites/OneFactorOnly/docker-compose.yml index ab16e700c..7be2d0e5b 100644 --- a/internal/suites/OneFactorOnly/docker-compose.yml +++ b/internal/suites/OneFactorOnly/docker-compose.yml @@ -2,6 +2,6 @@ version: '3' services: authelia-backend: volumes: - - './OneFactorOnly/configuration.yml:/etc/authelia/configuration.yml:ro' - - './OneFactorOnly/users.yml:/var/lib/authelia/users.yml' - - './common/ssl:/var/lib/authelia/ssl:ro' \ No newline at end of file + - './OneFactorOnly/configuration.yml:/config/configuration.yml:ro' + - './OneFactorOnly/users.yml:/config/users.yml' + - './common/ssl:/config/ssl:ro' \ No newline at end of file diff --git a/internal/suites/PathPrefix/configuration.yml b/internal/suites/PathPrefix/configuration.yml index 3e1888d04..b2e7ca94e 100644 --- a/internal/suites/PathPrefix/configuration.yml +++ b/internal/suites/PathPrefix/configuration.yml 
@@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem server: path: auth @@ -15,7 +15,7 @@ jwt_secret: unsecure_secret authentication_backend: file: - path: /var/lib/authelia/users.yml + path: /config/users.yml session: secret: unsecure_session_secret @@ -26,7 +26,7 @@ session: storage: local: - path: /var/lib/authelia/db.sqlite + path: /config/db.sqlite access_control: default_policy: bypass diff --git a/internal/suites/PathPrefix/docker-compose.yml b/internal/suites/PathPrefix/docker-compose.yml index 2d2c7d294..78be7a626 100644 --- a/internal/suites/PathPrefix/docker-compose.yml +++ b/internal/suites/PathPrefix/docker-compose.yml @@ -2,6 +2,6 @@ version: '3' services: authelia-backend: volumes: - - './PathPrefix/configuration.yml:/etc/authelia/configuration.yml:ro' - - './PathPrefix/users.yml:/var/lib/authelia/users.yml' - - './common/ssl:/var/lib/authelia/ssl:ro' \ No newline at end of file + - './PathPrefix/configuration.yml:/config/configuration.yml:ro' + - './PathPrefix/users.yml:/config/users.yml' + - './common/ssl:/config/ssl:ro' \ No newline at end of file diff --git a/internal/suites/Postgres/configuration.yml b/internal/suites/Postgres/configuration.yml index 2f9eff19d..f56739d87 100644 --- a/internal/suites/Postgres/configuration.yml +++ b/internal/suites/Postgres/configuration.yml @@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem log_level: debug @@ -14,7 +14,7 @@ jwt_secret: very_important_secret authentication_backend: file: - path: /var/lib/authelia/users.yml + path: /config/users.yml session: secret: unsecure_session_secret 
diff --git a/internal/suites/Postgres/docker-compose.yml b/internal/suites/Postgres/docker-compose.yml index 03168aa78..d3539af4f 100644 --- a/internal/suites/Postgres/docker-compose.yml +++ b/internal/suites/Postgres/docker-compose.yml @@ -2,6 +2,6 @@ version: '3' services: authelia-backend: volumes: - - './Postgres/configuration.yml:/etc/authelia/configuration.yml:ro' - - './Postgres/users.yml:/var/lib/authelia/users.yml' - - './common/ssl:/var/lib/authelia/ssl:ro' \ No newline at end of file + - './Postgres/configuration.yml:/config/configuration.yml:ro' + - './Postgres/users.yml:/config/users.yml' + - './common/ssl:/config/ssl:ro' \ No newline at end of file diff --git a/internal/suites/ShortTimeouts/configuration.yml b/internal/suites/ShortTimeouts/configuration.yml index 67b2d2c00..2954d7ebc 100644 --- a/internal/suites/ShortTimeouts/configuration.yml +++ b/internal/suites/ShortTimeouts/configuration.yml @@ -3,8 +3,8 @@ ############################################################### port: 9091 -tls_cert: /var/lib/authelia/ssl/cert.pem -tls_key: /var/lib/authelia/ssl/key.pem +tls_cert: /config/ssl/cert.pem +tls_key: /config/ssl/key.pem log_level: debug @@ -14,7 +14,7 @@ default_redirection_url: https://home.example.com:8080/ authentication_backend: file: - path: /var/lib/authelia/users.yml + path: /config/users.yml session: secret: unsecure_session_secret @@ -25,7 +25,7 @@ session: storage: local: - path: /var/lib/authelia/db.sqlite + path: /config/db.sqlite totp: issuer: example.com diff --git a/internal/suites/ShortTimeouts/docker-compose.yml b/internal/suites/ShortTimeouts/docker-compose.yml index fda2f1a9d..87edd07f3 100644 --- a/internal/suites/ShortTimeouts/docker-compose.yml +++ b/internal/suites/ShortTimeouts/docker-compose.yml 
@@ -2,6 +2,6 @@ version: '3'
services:
authelia-backend:
volumes:
- - './ShortTimeouts/configuration.yml:/etc/authelia/configuration.yml:ro'
- - './ShortTimeouts/users.yml:/var/lib/authelia/users.yml'
- - './common/ssl:/var/lib/authelia/ssl:ro'
\ No newline at end of file
+ - './ShortTimeouts/configuration.yml:/config/configuration.yml:ro'
+ - './ShortTimeouts/users.yml:/config/users.yml'
+ - './common/ssl:/config/ssl:ro'
\ No newline at end of file
diff --git a/internal/suites/Standalone/configuration.yml b/internal/suites/Standalone/configuration.yml
index 8e7dc51e7..b22fe06e2 100644
--- a/internal/suites/Standalone/configuration.yml
+++ b/internal/suites/Standalone/configuration.yml
@@ -3,14 +3,14 @@
###############################################################
port: 9091
-tls_cert: /var/lib/authelia/ssl/cert.pem
-tls_key: /var/lib/authelia/ssl/key.pem
+tls_cert: /config/ssl/cert.pem
+tls_key: /config/ssl/key.pem
log_level: debug
authentication_backend:
file:
- path: /var/lib/authelia/users.yml
+ path: /config/users.yml
session:
domain: example.com
diff --git a/internal/suites/Standalone/docker-compose.yml b/internal/suites/Standalone/docker-compose.yml
index 91c8a5272..e6e087992 100644
--- a/internal/suites/Standalone/docker-compose.yml
+++ b/internal/suites/Standalone/docker-compose.yml
@@ -5,8 +5,8 @@ services:
- AUTHELIA_JWT_SECRET_FILE=/tmp/authelia/StandaloneSuite/jwt
- AUTHELIA_SESSION_SECRET_FILE=/tmp/authelia/StandaloneSuite/session
volumes:
- - './Standalone/configuration.yml:/etc/authelia/configuration.yml:ro'
- - './Standalone/users.yml:/var/lib/authelia/users.yml'
- - './common/ssl:/var/lib/authelia/ssl:ro'
+ - './Standalone/configuration.yml:/config/configuration.yml:ro'
+ - './Standalone/users.yml:/config/users.yml'
+ - './common/ssl:/config/ssl:ro'
- '/tmp:/tmp'
user: ${USER_ID}:${GROUP_ID}
\ No newline at end of file
diff --git a/internal/suites/Traefik/configuration.yml b/internal/suites/Traefik/configuration.yml
index cb6617eb5..59224cca4 100644
--- a/internal/suites/Traefik/configuration.yml
+++ b/internal/suites/Traefik/configuration.yml
@@ -3,8 +3,8 @@
###############################################################
port: 9091
-tls_cert: /var/lib/authelia/ssl/cert.pem
-tls_key: /var/lib/authelia/ssl/key.pem
+tls_cert: /config/ssl/cert.pem
+tls_key: /config/ssl/key.pem
log_level: debug
@@ -12,7 +12,7 @@ jwt_secret: unsecure_secret
authentication_backend:
file:
- path: /var/lib/authelia/users.yml
+ path: /config/users.yml
session:
secret: unsecure_session_secret
@@ -23,7 +23,7 @@ session:
storage:
local:
- path: /var/lib/authelia/db.sqlite
+ path: /config/db.sqlite
access_control:
default_policy: bypass
diff --git a/internal/suites/Traefik/docker-compose.yml b/internal/suites/Traefik/docker-compose.yml
index 9737ffede..355eac407 100644
--- a/internal/suites/Traefik/docker-compose.yml
+++ b/internal/suites/Traefik/docker-compose.yml
@@ -2,6 +2,6 @@ version: '3'
services:
authelia-backend:
volumes:
- - './Traefik/configuration.yml:/etc/authelia/configuration.yml:ro'
- - './Traefik/users.yml:/var/lib/authelia/users.yml'
- - './common/ssl:/var/lib/authelia/ssl:ro'
\ No newline at end of file
+ - './Traefik/configuration.yml:/config/configuration.yml:ro'
+ - './Traefik/users.yml:/config/users.yml'
+ - './common/ssl:/config/ssl:ro'
\ No newline at end of file
diff --git a/internal/suites/Traefik2/configuration.yml b/internal/suites/Traefik2/configuration.yml
index cb6617eb5..59224cca4 100644
--- a/internal/suites/Traefik2/configuration.yml
+++ b/internal/suites/Traefik2/configuration.yml
@@ -3,8 +3,8 @@
###############################################################
port: 9091
-tls_cert: /var/lib/authelia/ssl/cert.pem
-tls_key: /var/lib/authelia/ssl/key.pem
+tls_cert: /config/ssl/cert.pem
+tls_key: /config/ssl/key.pem
log_level: debug
@@ -12,7 +12,7 @@ jwt_secret: unsecure_secret
authentication_backend:
file:
- path: /var/lib/authelia/users.yml
+ path: /config/users.yml
session:
secret: unsecure_session_secret
@@ -23,7 +23,7 @@ session:
storage:
local:
- path: /var/lib/authelia/db.sqlite
+ path: /config/db.sqlite
access_control:
default_policy: bypass
diff --git a/internal/suites/Traefik2/docker-compose.yml b/internal/suites/Traefik2/docker-compose.yml
index 6a75bff9a..dcddd1d37 100644
--- a/internal/suites/Traefik2/docker-compose.yml
+++ b/internal/suites/Traefik2/docker-compose.yml
@@ -2,6 +2,6 @@ version: '3'
services:
authelia-backend:
volumes:
- - './Traefik2/configuration.yml:/etc/authelia/configuration.yml:ro'
- - './Traefik2/users.yml:/var/lib/authelia/users.yml'
- - './common/ssl:/var/lib/authelia/ssl:ro'
\ No newline at end of file
+ - './Traefik2/configuration.yml:/config/configuration.yml:ro'
+ - './Traefik2/users.yml:/config/users.yml'
+ - './common/ssl:/config/ssl:ro'
\ No newline at end of file
diff --git a/internal/suites/example/compose/authelia/Dockerfile.backend b/internal/suites/example/compose/authelia/Dockerfile.backend
index e7fed8176..745d2aaa9 100644
--- a/internal/suites/example/compose/authelia/Dockerfile.backend
+++ b/internal/suites/example/compose/authelia/Dockerfile.backend
@@ -8,12 +8,10 @@ RUN addgroup --gid ${GROUP_ID} dev && \
adduser --uid ${USER_ID} -G dev -D dev && \
apk --no-cache add gcc musl-dev git
-RUN mkdir -p /etc/authelia && chown dev:dev /etc/authelia
-RUN mkdir -p /var/lib/authelia && chown dev:dev /var/lib/authelia
+RUN mkdir -p /config && chown dev:dev /config
USER dev
-VOLUME /etc/authelia
-VOLUME /var/lib/authelia
+VOLUME /config
EXPOSE 9091
diff --git a/internal/suites/example/compose/authelia/docker-compose.backend.dist.yml b/internal/suites/example/compose/authelia/docker-compose.backend.dist.yml
index a35b48dc1..c7994263e 100644
--- a/internal/suites/example/compose/authelia/docker-compose.backend.dist.yml
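Review bot: `RUN mkdir -p /config && chown dev:dev /config` creates the directory with the build's default umask (normally 0755), and that single directory now collects everything sensitive in one place: the TLS private key bind-mounted under `/config/ssl`, the users file with password hashes, and, per the commit message, any generated configuration and user database. The generated files are written 0600, but the directory itself stays world-traversable, and `VOLUME /config` should carry that mode onto any anonymous or named volume created from it. I would tighten it at creation time: `RUN mkdir -p /config && chown dev:dev /config && chmod 700 /config`. Host bind mounts bring their own permissions, so this hardens only the image-owned directory and volumes derived from it, not the suites' bind-mounted files.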
+++ b/internal/suites/example/compose/authelia/docker-compose.backend.dist.yml
@@ -12,7 +12,7 @@ services:
- 'traefik.http.routers.authelia_backend.tls=true'
- 'traefik.http.services.authelia_backend.loadbalancer.server.scheme=https'
volumes:
- - '../..:/app'
+ - '../..:/authelia'
environment:
- ENVIRONMENT=dev
restart: always
diff --git a/internal/suites/example/compose/authelia/resources/run-backend-dev.sh b/internal/suites/example/compose/authelia/resources/run-backend-dev.sh
index 67fb450df..64b866cd9 100755
--- a/internal/suites/example/compose/authelia/resources/run-backend-dev.sh
+++ b/internal/suites/example/compose/authelia/resources/run-backend-dev.sh
@@ -4,6 +4,6 @@ set -e
while true; do
- dlv --listen 0.0.0.0:2345 --headless=true --continue --accept-multiclient debug cmd/authelia/*.go -- --config /etc/authelia/configuration.yml
+ dlv --listen 0.0.0.0:2345 --headless=true --continue --accept-multiclient debug cmd/authelia/*.go -- --config /config/configuration.yml
sleep 10
done
\ No newline at end of file
diff --git a/internal/suites/example/kube/authelia/configs/configuration.yml b/internal/suites/example/kube/authelia/configs/configuration.yml
index a21c83e86..ce9e1fa8a 100644
--- a/internal/suites/example/kube/authelia/configs/configuration.yml
+++ b/internal/suites/example/kube/authelia/configs/configuration.yml
@@ -3,8 +3,8 @@
###############################################################
port: 443
-tls_cert: /var/lib/authelia/ssl/cert.pem
-tls_key: /var/lib/authelia/ssl/key.pem
+tls_cert: /config/ssl/cert.pem
+tls_key: /config/ssl/key.pem
log_level: debug
diff --git a/internal/suites/example/kube/authelia/deployment.yml b/internal/suites/example/kube/authelia/deployment.yml
index 085c16b0a..2945205f0 100644
--- a/internal/suites/example/kube/authelia/deployment.yml
+++ b/internal/suites/example/kube/authelia/deployment.yml
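Review bot: `dlv ... debug cmd/authelia/*.go` resolves the package relative to the container's working directory, and the compose hunk just above moves the source mount from `/app` to `/authelia`, yet neither the Dockerfile.backend hunk nor this file shows a matching `WORKDIR` or `working_dir` change; if the working directory still points at `/app`, dlv will no longer find `cmd/authelia` (an absolute path is not a substitute, since Go refuses to build a package outside the current module). Either confirm the working directory was moved in a hunk outside this view, or make the script independent of it with a `cd /authelia` before the loop. Separately, the unchanged `--listen 0.0.0.0:2345` with `--accept-multiclient` is an unauthenticated debugger that can execute arbitrary code in the container, which is acceptable for this dev suite only as long as port 2345 is never published outside the compose network.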
@@ -23,23 +23,23 @@ spec:
- containerPort: 443
volumeMounts:
- name: config-volume
- mountPath: /etc/authelia
+ mountPath: /config
- name: ssl-volume
- mountPath: /var/lib/authelia/ssl
+ mountPath: /config/ssl
- name: secrets
- mountPath: /usr/app/secrets
+ mountPath: /app/secrets
readOnly: true
env:
# We set secrets directly here for ease of deployment but all secrets
# should be stored in the Kube Vault in production.
- name: AUTHELIA_JWT_SECRET_FILE
- value: /usr/app/secrets/jwt_secret
+ value: /app/secrets/jwt_secret
- name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
- value: /usr/app/secrets/ldap_password
+ value: /app/secrets/ldap_password
- name: AUTHELIA_SESSION_SECRET_FILE
- value: /usr/app/secrets/session
+ value: /app/secrets/session
- name: AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE
- value: /usr/app/secrets/sql_password
+ value: /app/secrets/sql_password
volumes:
- name: config-volume
configMap:
diff --git a/internal/suites/example/swarm/docker-compose.yml b/internal/suites/example/swarm/docker-compose.yml
index 0b53319d2..060fe16e3 100644
--- a/internal/suites/example/swarm/docker-compose.yml
+++ b/internal/suites/example/swarm/docker-compose.yml
@@ -5,7 +5,7 @@ services:
# Used for Docker configs
configs:
- source: authelia
- target: /etc/authelia/configuration.yml
+ target: /config/configuration.yml
uid: '0'
gid: '0'
mode: 0444
@@ -14,7 +14,7 @@ services:
# Where the authelia volume is to be mounted. To only use a single volume, the minimal config needs to be changed to read the users_database.yml also from this subdirectory.
# Otherwise a second volume will need to be configured here to mount the users_database.yml.
volumes:
- authelia:/etc/authelia/storage
+ authelia:/config/storage
networks:
- overlay
deploy:
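Review bot: The new `mountPath: /config` is backed by `config-volume`, which the trailing `volumes:` lines show is a configMap, and Kubernetes mounts configMap volumes read-only; under the new single-directory layout that means nothing Authelia may try to write under `/config` (a generated configuration or user database, an SQLite store) can succeed in this manifest. That is presumably fine here because the `*_PASSWORD_FILE` variables show this example using LDAP and MySQL rather than the file backend or local storage, but the assumption is now load-bearing and unrecorded. I would write it next to the mount: `# configMap mounts are read-only: this example relies on LDAP + MySQL, not on the file backend or SQLite under /config`. Nesting `ssl-volume` at `/config/ssl` inside that read-only parent is fine, but anyone switching this example to the file backend will need a separate writable volume for the users database.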