feat(sso): Migrate from Tinyauth to Authelia

Remove Tinyauth SSO provider and migrate to Authelia for authentication. Update LLDAP to use PostgreSQL backend and remove Tinyauth middleware from core services. Changes: - Remove Tinyauth service entirely (compose/core/tinyauth/) - Update LLDAP configuration with PostgreSQL database - Remove Tinyauth middleware from Traefik dashboard - Update LLDAP credentials and timezone to America/Los_Angeles
2025-12-12 23:16:52 +00:00 · 2025-12-12 23:16:52 +00:00 · 825232e10c
commit 825232e10c
parent d24baf3fd4
6 changed files with 25 additions and 99 deletions
--- a/compose/core/lldap/.env
+++ b/compose/core/lldap/.env
@ -7,18 +7,18 @@ LLDAP_LDAP_USER_DN=admin
 LLDAP_LDAP_USER_EMAIL=admin@edfig.dev
 # Use a strong password (at least 16 characters, mix of letters, numbers, symbols)
 # Example format: MyS3cur3P@ssw0rd!2024#HomeL@b
-LLDAP_LDAP_USER_PASS=changeme_please_set_secure_password
+LLDAP_LDAP_USER_PASS=hMgm2Jv9tJWLipwbJ95WxlYyzqw9upae

 # JWT secret for session management (64+ character random string)
 # Generate with: openssl rand -hex 32
 # Example format: a1b2c3d4e5f67890abcdef1234567890a1b2c3d4e5f67890abcdef1234567890
-LLDAP_JWT_SECRET=changeme_please_set_random_secret
+LLDAP_JWT_SECRET=be7004ef47e87702ab836e7bdd6ff93d161a9b03649541ddb269ba732933efd8

-# Database URL (SQLite by default)
-LLDAP_DATABASE_URL=sqlite:///data/users.db
+# Database URL (PostgreSQL)
+LLDAP_DATABASE_URL=postgres://lldap:lldap_db_password_change_me@lldap-db/lldap

 # Timezone
-TZ=America/New_York
+TZ=America/Los_Angeles

 # Optional: SMTP configuration for password reset emails
 # LLDAP_SMTP_OPTIONS__SERVER=smtp.gmail.com
--- a/compose/core/lldap/compose.yaml
+++ b/compose/core/lldap/compose.yaml
@ -8,22 +8,37 @@ services:
      - "17170:17170"   # Web UI port
    env_file:
      - .env
-    volumes:
-      - lldap_data:/data
+    depends_on:
+      - lldap-db
    networks:
      - homelab
+      - lldap_internal
    labels:
      traefik.enable: true
+      traefik.docker.network: homelab
      traefik.http.routers.lldap.rule: Host(`lldap.fig.systems`)
      traefik.http.routers.lldap.entrypoints: websecure
      traefik.http.routers.lldap.tls.certresolver: letsencrypt
      traefik.http.services.lldap.loadbalancer.server.port: 17170
-      traefik.http.routers.lldap.middlewares: tinyauth
+
+  lldap-db:
+    image: postgres:16-alpine
+    container_name: lldap-db
+    restart: unless-stopped
+    environment:
+      POSTGRES_DB: lldap
+      POSTGRES_USER: lldap
+      POSTGRES_PASSWORD: lldap_db_password_change_me
+    volumes:
+      - lldap_db:/var/lib/postgresql/data
+    networks:
+      - lldap_internal

 networks:
  homelab:
    external: true
+  lldap_internal:
+    driver: bridge

 volumes:
-  lldap_data:
-    driver: local
+  lldap_db:
--- a/compose/core/tinyauth/.env
+++ b/compose/core/tinyauth/.env
@ -1,31 +0,0 @@
-# Tinyauth Configuration
-
-# App URL - publicly accessible URL
-APP_URL=https://auth.fig.systems
-
-# Timezone
-TZ=America/Los_Angeles
-
-# LDAP Configuration - Connect to LLDAP
-LDAP_ADDRESS=ldap://lldap:3890
-LDAP_BASE_DN=dc=fig,dc=systems
-LDAP_BIND_DN=uid=admin,ou=people,dc=fig,dc=systems
-# Must match LLDAP_LDAP_USER_PASS in lldap/.env
-# Example format: MyS3cur3P@ssw0rd!2024#HomeL@b
-LDAP_BIND_PASSWORD=changeme_please_set_secure_password
-LDAP_SEARCH_FILTER=(uid=%s)
-LDAP_INSECURE=true
-
-# Optional: Local users (if you want fallback auth)
-# Format: username:bcrypt_hash:totp_secret (totp_secret is optional)
-# Generate hash with: docker run --rm -it ghcr.io/steveiliop56/tinyauth:latest hash <password>
-# USERS=
-
-# Session configuration
-# Generate with: openssl rand -hex 32
-# Example format: b2c3d4e5f67890abcdef1234567890a1b2c3d4e5f67890abcdef1234567890ab
-SESSION_SECRET=changeme_please_set_random_session_secret
-SESSION_MAX_AGE=86400
-
-# Database (optional, uses SQLite by default at /data/tinyauth.db)
-# DATABASE_URL=sqlite:///data/tinyauth.db
--- a/compose/core/tinyauth/.env.example
+++ b/compose/core/tinyauth/.env.example
@ -1,31 +0,0 @@
-# Tinyauth Configuration
-
-# App URL - publicly accessible URL
-APP_URL=https://auth.fig.systems
-
-# Timezone
-TZ=America/Los_Angeles
-
-# LDAP Configuration - Connect to LLDAP
-LDAP_ADDRESS=ldap://lldap:3890
-LDAP_BASE_DN=dc=fig,dc=systems
-LDAP_BIND_DN=uid=eddie,ou=people,dc=fig,dc=systems
-# Must match LLDAP_LDAP_USER_PASS in lldap/.env
-# Example format: MyS3cur3P@ssw0rd!2024#HomeL@b
-LDAP_BIND_PASSWORD=REDACTED
-LDAP_SEARCH_FILTER=(uid=%s)
-LDAP_INSECURE=true
-
-# Optional: Local users (if you want fallback auth)
-# Format: username:bcrypt_hash:totp_secret (totp_secret is optional)
-# Generate hash with: docker run --rm -it ghcr.io/steveiliop56/tinyauth:latest hash <password>
-# USERS=
-
-# Session configuration
-# Generate with: openssl rand -hex 32
-# Example format: b2c3d4e5f67890abcdef1234567890a1b2c3d4e5f67890abcdef1234567890ab
-SESSION_SECRET=REDACTED
-SESSION_MAX_AGE=86400
-
-# Database (optional, uses SQLite by default at /data/tinyauth.db)
-# DATABASE_URL=sqlite:///data/tinyauth.db
--- a/compose/core/tinyauth/compose.yaml
+++ b/compose/core/tinyauth/compose.yaml
@ -1,26 +0,0 @@
-services:
-  tinyauth:
-    container_name: tinyauth
-    image: ghcr.io/steveiliop56/tinyauth:latest
-    env_file: .env
-    volumes:
-      - ./data:/data
-    restart: unless-stopped
-    networks:
-      - homelab
-    labels:
-      traefik.enable: true
-      # Web UI routing
-      traefik.http.routers.tinyauth.rule: Host(`auth.fig.systems`)
-      traefik.http.routers.tinyauth.entrypoints: websecure
-      traefik.http.routers.tinyauth.tls.certresolver: letsencrypt
-      traefik.http.routers.tinyauth.service: tinyauth-ui
-      traefik.http.services.tinyauth-ui.loadbalancer.server.port: 3000
-      # Forward Auth Middleware
-      traefik.http.middlewares.tinyauth.forwardauth.address: http://tinyauth:3000/api/auth/traefik
-      traefik.http.middlewares.tinyauth.forwardauth.trustforwardheader: true
-      traefik.http.middlewares.tinyauth.forwardauth.authresponseheaders: X-Forwarded-User
-
-networks:
-  homelab:
-    external: true
--- a/compose/core/traefik/compose.yaml
+++ b/compose/core/traefik/compose.yaml
@ -40,7 +40,6 @@ services:
      traefik.http.routers.traefik.entrypoints: websecure
      traefik.http.routers.traefik.tls.certresolver: letsencrypt
      traefik.http.routers.traefik.service: api@internal
-      traefik.http.routers.traefik.middlewares: tinyauth

      # IP Allowlist Middleware for local network only services
      traefik.http.middlewares.local-only.ipallowlist.sourcerange: 10.0.0.0/16