eddie/homelab
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2

feat(sso): Migrate from Tinyauth to Authelia

Browse source 
Remove Tinyauth SSO provider and migrate to Authelia for authentication.
Update LLDAP to use PostgreSQL backend and remove Tinyauth middleware
from core services.

Changes:
- Remove Tinyauth service entirely (compose/core/tinyauth/)
- Update LLDAP configuration with PostgreSQL database
- Remove Tinyauth middleware from Traefik dashboard
- Update LLDAP credentials and timezone to America/Los_Angeles
This commit is contained in:
Eduardo Figueroa 2025-12-12 23:16:52 +00:00
parent d24baf3fd4
commit 825232e10c
6 changed files with 25 additions and 99 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
compose/core/lldap/.env
View file

@ -7,18 +7,18 @@ LLDAP_LDAP_USER_DN=admin
LLDAP_LDAP_USER_EMAIL=admin@edfig.dev LLDAP_LDAP_USER_EMAIL=admin@edfig.dev
# Use a strong password (at least 16 characters, mix of letters, numbers, symbols) # Use a strong password (at least 16 characters, mix of letters, numbers, symbols)
# Example format: MyS3cur3P@ssw0rd!2024#HomeL@b # Example format: MyS3cur3P@ssw0rd!2024#HomeL@b
LLDAP_LDAP_USER_PASS=changeme_please_set_secure_password LLDAP_LDAP_USER_PASS=hMgm2Jv9tJWLipwbJ95WxlYyzqw9upae
# JWT secret for session management (64+ character random string) # JWT secret for session management (64+ character random string)
# Generate with: openssl rand -hex 32 # Generate with: openssl rand -hex 32
# Example format: a1b2c3d4e5f67890abcdef1234567890a1b2c3d4e5f67890abcdef1234567890 # Example format: a1b2c3d4e5f67890abcdef1234567890a1b2c3d4e5f67890abcdef1234567890
LLDAP_JWT_SECRET=changeme_please_set_random_secret LLDAP_JWT_SECRET=be7004ef47e87702ab836e7bdd6ff93d161a9b03649541ddb269ba732933efd8
# Database URL (SQLite by default) # Database URL (PostgreSQL)
LLDAP_DATABASE_URL=sqlite:///data/users.db LLDAP_DATABASE_URL=postgres://lldap:lldap_db_password_change_me@lldap-db/lldap
# Timezone # Timezone
TZ=America/New_York TZ=America/Los_Angeles
# Optional: SMTP configuration for password reset emails # Optional: SMTP configuration for password reset emails
# LLDAP_SMTP_OPTIONS__SERVER=smtp.gmail.com # LLDAP_SMTP_OPTIONS__SERVER=smtp.gmail.com

25
compose/core/lldap/compose.yaml
View file

@ -8,22 +8,37 @@ services:
- "17170:17170" # Web UI port - "17170:17170" # Web UI port
env_file: env_file:
- .env - .env
volumes: depends_on:
- lldap_data:/data - lldap-db
networks: networks:
- homelab - homelab
- lldap_internal
labels: labels:
traefik.enable: true traefik.enable: true
traefik.docker.network: homelab
traefik.http.routers.lldap.rule: Host(`lldap.fig.systems`) traefik.http.routers.lldap.rule: Host(`lldap.fig.systems`)
traefik.http.routers.lldap.entrypoints: websecure traefik.http.routers.lldap.entrypoints: websecure
traefik.http.routers.lldap.tls.certresolver: letsencrypt traefik.http.routers.lldap.tls.certresolver: letsencrypt
traefik.http.services.lldap.loadbalancer.server.port: 17170 traefik.http.services.lldap.loadbalancer.server.port: 17170
traefik.http.routers.lldap.middlewares: tinyauth
lldap-db:
image: postgres:16-alpine
container_name: lldap-db
restart: unless-stopped
environment:
POSTGRES_DB: lldap
POSTGRES_USER: lldap
POSTGRES_PASSWORD: lldap_db_password_change_me
volumes:
- lldap_db:/var/lib/postgresql/data
networks:
- lldap_internal
networks: networks:
homelab: homelab:
external: true external: true
lldap_internal:
driver: bridge
volumes: volumes:
lldap_data: lldap_db:
driver: local

31
compose/core/tinyauth/.env
View file

@ -1,31 +0,0 @@
# Tinyauth Configuration
# App URL - publicly accessible URL
APP_URL=https://auth.fig.systems
# Timezone
TZ=America/Los_Angeles
# LDAP Configuration - Connect to LLDAP
LDAP_ADDRESS=ldap://lldap:3890
LDAP_BASE_DN=dc=fig,dc=systems
LDAP_BIND_DN=uid=admin,ou=people,dc=fig,dc=systems
# Must match LLDAP_LDAP_USER_PASS in lldap/.env
# Example format: MyS3cur3P@ssw0rd!2024#HomeL@b
LDAP_BIND_PASSWORD=changeme_please_set_secure_password
LDAP_SEARCH_FILTER=(uid=%s)
LDAP_INSECURE=true
# Optional: Local users (if you want fallback auth)
# Format: username:bcrypt_hash:totp_secret (totp_secret is optional)
# Generate hash with: docker run --rm -it ghcr.io/steveiliop56/tinyauth:latest hash <password>
# USERS=
# Session configuration
# Generate with: openssl rand -hex 32
# Example format: b2c3d4e5f67890abcdef1234567890a1b2c3d4e5f67890abcdef1234567890ab
SESSION_SECRET=changeme_please_set_random_session_secret
SESSION_MAX_AGE=86400
# Database (optional, uses SQLite by default at /data/tinyauth.db)
# DATABASE_URL=sqlite:///data/tinyauth.db

31
compose/core/tinyauth/.env.example
View file

@ -1,31 +0,0 @@
# Tinyauth Configuration
# App URL - publicly accessible URL
APP_URL=https://auth.fig.systems
# Timezone
TZ=America/Los_Angeles
# LDAP Configuration - Connect to LLDAP
LDAP_ADDRESS=ldap://lldap:3890
LDAP_BASE_DN=dc=fig,dc=systems
LDAP_BIND_DN=uid=eddie,ou=people,dc=fig,dc=systems
# Must match LLDAP_LDAP_USER_PASS in lldap/.env
# Example format: MyS3cur3P@ssw0rd!2024#HomeL@b
LDAP_BIND_PASSWORD=REDACTED
LDAP_SEARCH_FILTER=(uid=%s)
LDAP_INSECURE=true
# Optional: Local users (if you want fallback auth)
# Format: username:bcrypt_hash:totp_secret (totp_secret is optional)
# Generate hash with: docker run --rm -it ghcr.io/steveiliop56/tinyauth:latest hash <password>
# USERS=
# Session configuration
# Generate with: openssl rand -hex 32
# Example format: b2c3d4e5f67890abcdef1234567890a1b2c3d4e5f67890abcdef1234567890ab
SESSION_SECRET=REDACTED
SESSION_MAX_AGE=86400
# Database (optional, uses SQLite by default at /data/tinyauth.db)
# DATABASE_URL=sqlite:///data/tinyauth.db

26
compose/core/tinyauth/compose.yaml
View file

@ -1,26 +0,0 @@
services:
tinyauth:
container_name: tinyauth
image: ghcr.io/steveiliop56/tinyauth:latest
env_file: .env
volumes:
- ./data:/data
restart: unless-stopped
networks:
- homelab
labels:
traefik.enable: true
# Web UI routing
traefik.http.routers.tinyauth.rule: Host(`auth.fig.systems`)
traefik.http.routers.tinyauth.entrypoints: websecure
traefik.http.routers.tinyauth.tls.certresolver: letsencrypt
traefik.http.routers.tinyauth.service: tinyauth-ui
traefik.http.services.tinyauth-ui.loadbalancer.server.port: 3000
# Forward Auth Middleware
traefik.http.middlewares.tinyauth.forwardauth.address: http://tinyauth:3000/api/auth/traefik
traefik.http.middlewares.tinyauth.forwardauth.trustforwardheader: true
traefik.http.middlewares.tinyauth.forwardauth.authresponseheaders: X-Forwarded-User
networks:
homelab:
external: true

1
compose/core/traefik/compose.yaml
View file

@ -40,7 +40,6 @@ services:
traefik.http.routers.traefik.entrypoints: websecure traefik.http.routers.traefik.entrypoints: websecure
traefik.http.routers.traefik.tls.certresolver: letsencrypt traefik.http.routers.traefik.tls.certresolver: letsencrypt
traefik.http.routers.traefik.service: api@internal traefik.http.routers.traefik.service: api@internal
traefik.http.routers.traefik.middlewares: tinyauth
# IP Allowlist Middleware for local network only services # IP Allowlist Middleware for local network only services
traefik.http.middlewares.local-only.ipallowlist.sourcerange: 10.0.0.0/16 traefik.http.middlewares.local-only.ipallowlist.sourcerange: 10.0.0.0/16