From 825232e10c4d0a1c3a4307834f28c392d735b8e1 Mon Sep 17 00:00:00 2001
From: Eduardo Figueroa
Date: Fri, 12 Dec 2025 23:16:52 +0000
Subject: [PATCH] feat(sso): Migrate from Tinyauth to Authelia

Remove Tinyauth SSO provider and migrate to Authelia for authentication. Update LLDAP to use PostgreSQL backend and remove Tinyauth middleware from core services.

Changes:
- Remove Tinyauth service entirely (compose/core/tinyauth/)
- Update LLDAP configuration with PostgreSQL database
- Remove Tinyauth middleware from Traefik dashboard
- Update LLDAP credentials and timezone to America/Los_Angeles
---
 compose/core/lldap/.env | 10 +++++-----
 compose/core/lldap/compose.yaml | 25 +++++++++++++++++++-----
 compose/core/tinyauth/.env | 31 ------------------------------
 compose/core/tinyauth/.env.example | 31 ------------------------------
 compose/core/tinyauth/compose.yaml | 26 -------------------------
 compose/core/traefik/compose.yaml | 1 -
 6 files changed, 25 insertions(+), 99 deletions(-)
 delete mode 100644 compose/core/tinyauth/.env
 delete mode 100644 compose/core/tinyauth/.env.example
 delete mode 100644 compose/core/tinyauth/compose.yaml

diff --git a/compose/core/lldap/.env b/compose/core/lldap/.env
index 4697aea..c1e44ce 100644
--- a/compose/core/lldap/.env
+++ b/compose/core/lldap/.env
@@ -7,18 +7,18 @@ LLDAP_LDAP_USER_DN=admin
 LLDAP_LDAP_USER_EMAIL=admin@edfig.dev
 # Use a strong password (at least 16 characters, mix of letters, numbers, symbols)
 # Example format: MyS3cur3P@ssw0rd!2024#HomeL@b
-LLDAP_LDAP_USER_PASS=changeme_please_set_secure_password
+LLDAP_LDAP_USER_PASS=hMgm2Jv9tJWLipwbJ95WxlYyzqw9upae
 # JWT secret for session management (64+ character random string)
 # Generate with: openssl rand -hex 32
 # Example format: a1b2c3d4e5f67890abcdef1234567890a1b2c3d4e5f67890abcdef1234567890
-LLDAP_JWT_SECRET=changeme_please_set_random_secret
+LLDAP_JWT_SECRET=be7004ef47e87702ab836e7bdd6ff93d161a9b03649541ddb269ba732933efd8
-# Database URL (SQLite by default)
-LLDAP_DATABASE_URL=sqlite:///data/users.db
+# Database URL (PostgreSQL)
+LLDAP_DATABASE_URL=postgres://lldap:lldap_db_password_change_me@lldap-db/lldap
 # Timezone
-TZ=America/New_York
+TZ=America/Los_Angeles
 # Optional: SMTP configuration for password reset emails
 # LLDAP_SMTP_OPTIONS__SERVER=smtp.gmail.com
diff --git a/compose/core/lldap/compose.yaml b/compose/core/lldap/compose.yaml
index 113bd13..58b5135 100644
--- a/compose/core/lldap/compose.yaml
+++ b/compose/core/lldap/compose.yaml
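Review bot: The `LLDAP_LDAP_USER_PASS` and `LLDAP_JWT_SECRET` lines swap their placeholders for values that look like live credentials, and this `.env` is a tracked file (the index line gives it a blob), so the LDAP admin password, the JWT signing secret and the `lldap_db_password_change_me` inside `LLDAP_DATABASE_URL` are now part of git history. Rotate both filled-in values and keep the committed file at placeholders — or carry only a `.env.example`, as the deleted tinyauth directory did — with `.env` listed in `.gitignore`. The database URL is the one line still left at a `change_me` value while the two above it were filled in, which reads as an oversight; whatever it becomes has to match the `POSTGRES_PASSWORD` set in compose.yaml by hand, so a comment such as `# Must match POSTGRES_PASSWORD in compose.yaml` on the line above it would help.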
@@ -8,22 +8,37 @@ services:
 - "17170:17170" # Web UI port
 env_file:
 - .env
- volumes:
- - lldap_data:/data
+ depends_on:
+ - lldap-db
 networks:
 - homelab
+ - lldap_internal
 labels:
 traefik.enable: true
+ traefik.docker.network: homelab
 traefik.http.routers.lldap.rule: Host(`lldap.fig.systems`)
 traefik.http.routers.lldap.entrypoints: websecure
 traefik.http.routers.lldap.tls.certresolver: letsencrypt
 traefik.http.services.lldap.loadbalancer.server.port: 17170
- traefik.http.routers.lldap.middlewares: tinyauth
+
+ lldap-db:
+ image: postgres:16-alpine
+ container_name: lldap-db
+ restart: unless-stopped
+ environment:
+ POSTGRES_DB: lldap
+ POSTGRES_USER: lldap
+ POSTGRES_PASSWORD: lldap_db_password_change_me
+ volumes:
+ - lldap_db:/var/lib/postgresql/data
+ networks:
+ - lldap_internal
 networks:
 homelab:
 external: true
+ lldap_internal:
+ driver: bridge
 volumes:
- lldap_data:
- driver: local
+ lldap_db:
diff --git a/compose/core/tinyauth/.env b/compose/core/tinyauth/.env
deleted file mode 100644
index 37da3d5..0000000
--- a/compose/core/tinyauth/.env
+++ /dev/null
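Review bot: `depends_on: - lldap-db` only orders container start, so lldap can come up before PostgreSQL accepts connections and fail its first attempt on the `LLDAP_DATABASE_URL` it reads from .env; give lldap-db a healthcheck and wait on `condition: service_healthy` (rewrite below). Removing `lldap_data:/data` also drops the only persistent path other than the database — if this LLDAP image still keeps its server key under /data, recreating the container regenerates it and the stored password hashes stop validating, so keep the volume or pin `LLDAP_KEY_SEED` (confirm against the image's documentation). `POSTGRES_PASSWORD: lldap_db_password_change_me` is spelled out here and again inside the URL in .env, two copies that must be edited together; reference one variable instead, e.g. `POSTGRES_PASSWORD: ${LLDAP_DB_PASSWORD}`. Finally, `traefik.http.routers.lldap.middlewares: tinyauth` is removed with no Authelia middleware taking its place (the Traefik dashboard router in the last hunk loses the same line), so until the Authelia forward-auth is attached these routers are served without the SSO layer the commit title describes.
```yaml
    depends_on:
      lldap-db:
        condition: service_healthy
    # … unchanged: networks, labels …

  lldap-db:
    image: postgres:16-alpine
    # … unchanged: container_name, restart, environment, volumes, networks …
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U lldap -d lldap"]
      interval: 10s
      timeout: 5s
      retries: 5
```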
@@ -1,31 +0,0 @@
-# Tinyauth Configuration
-
-# App URL - publicly accessible URL
-APP_URL=https://auth.fig.systems
-
-# Timezone
-TZ=America/Los_Angeles
-
-# LDAP Configuration - Connect to LLDAP
-LDAP_ADDRESS=ldap://lldap:3890
-LDAP_BASE_DN=dc=fig,dc=systems
-LDAP_BIND_DN=uid=admin,ou=people,dc=fig,dc=systems
-# Must match LLDAP_LDAP_USER_PASS in lldap/.env
-# Example format: MyS3cur3P@ssw0rd!2024#HomeL@b
-LDAP_BIND_PASSWORD=changeme_please_set_secure_password
-LDAP_SEARCH_FILTER=(uid=%s)
-LDAP_INSECURE=true
-
-# Optional: Local users (if you want fallback auth)
-# Format: username:bcrypt_hash:totp_secret (totp_secret is optional)
-# Generate hash with: docker run --rm -it ghcr.io/steveiliop56/tinyauth:latest hash
-# USERS=
-
-# Session configuration
-# Generate with: openssl rand -hex 32
-# Example format: b2c3d4e5f67890abcdef1234567890a1b2c3d4e5f67890abcdef1234567890ab
-SESSION_SECRET=changeme_please_set_random_session_secret
-SESSION_MAX_AGE=86400
-
-# Database (optional, uses SQLite by default at /data/tinyauth.db)
-# DATABASE_URL=sqlite:///data/tinyauth.db
diff --git a/compose/core/tinyauth/.env.example b/compose/core/tinyauth/.env.example
deleted file mode 100644
index d7716d7..0000000
--- a/compose/core/tinyauth/.env.example
+++ /dev/null
@@ -1,31 +0,0 @@
-# Tinyauth Configuration
-
-# App URL - publicly accessible URL
-APP_URL=https://auth.fig.systems
-
-# Timezone
-TZ=America/Los_Angeles
-
-# LDAP Configuration - Connect to LLDAP
-LDAP_ADDRESS=ldap://lldap:3890
-LDAP_BASE_DN=dc=fig,dc=systems
-LDAP_BIND_DN=uid=eddie,ou=people,dc=fig,dc=systems
-# Must match LLDAP_LDAP_USER_PASS in lldap/.env
-# Example format: MyS3cur3P@ssw0rd!2024#HomeL@b
-LDAP_BIND_PASSWORD=REDACTED
-LDAP_SEARCH_FILTER=(uid=%s)
-LDAP_INSECURE=true
-
-# Optional: Local users (if you want fallback auth)
-# Format: username:bcrypt_hash:totp_secret (totp_secret is optional)
-# Generate hash with: docker run --rm -it ghcr.io/steveiliop56/tinyauth:latest hash
-# USERS=
-
-# Session configuration
-# Generate with: openssl rand -hex 32
-# Example format: b2c3d4e5f67890abcdef1234567890a1b2c3d4e5f67890abcdef1234567890ab
-SESSION_SECRET=REDACTED
-SESSION_MAX_AGE=86400
-
-# Database (optional, uses SQLite by default at /data/tinyauth.db)
-# DATABASE_URL=sqlite:///data/tinyauth.db
diff --git a/compose/core/tinyauth/compose.yaml b/compose/core/tinyauth/compose.yaml
deleted file mode 100644
index 6eabc34..0000000
--- a/compose/core/tinyauth/compose.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-services:
- tinyauth:
- container_name: tinyauth
- image: ghcr.io/steveiliop56/tinyauth:latest
- env_file: .env
- volumes:
- - ./data:/data
- restart: unless-stopped
- networks:
- - homelab
- labels:
- traefik.enable: true
- # Web UI routing
- traefik.http.routers.tinyauth.rule: Host(`auth.fig.systems`)
- traefik.http.routers.tinyauth.entrypoints: websecure
- traefik.http.routers.tinyauth.tls.certresolver: letsencrypt
- traefik.http.routers.tinyauth.service: tinyauth-ui
- traefik.http.services.tinyauth-ui.loadbalancer.server.port: 3000
- # Forward Auth Middleware
- traefik.http.middlewares.tinyauth.forwardauth.address: http://tinyauth:3000/api/auth/traefik
- traefik.http.middlewares.tinyauth.forwardauth.trustforwardheader: true
- traefik.http.middlewares.tinyauth.forwardauth.authresponseheaders: X-Forwarded-User
-
-networks:
- homelab:
- external: true
diff --git a/compose/core/traefik/compose.yaml b/compose/core/traefik/compose.yaml
index cd49998..b3f733f 100644
--- a/compose/core/traefik/compose.yaml
+++ b/compose/core/traefik/compose.yaml
@@ -40,7 +40,6 @@ services:
 traefik.http.routers.traefik.entrypoints: websecure
 traefik.http.routers.traefik.tls.certresolver: letsencrypt
 traefik.http.routers.traefik.service: api@internal
- traefik.http.routers.traefik.middlewares: tinyauth
 # IP Allowlist Middleware for local network only services
 traefik.http.middlewares.local-only.ipallowlist.sourcerange: 10.0.0.0/16