vh/NetAlertX
1
0
Fork 0
mirror of https://github.com/jokob-sk/NetAlertX.git synced 2025-12-07 09:36:05 -08:00
Code Issues Actions Packages Projects Releases Wiki Activity

📚Docs
Some checks are pending
docker / docker_dev (push) Waiting to run
Details

Browse Source
This commit is contained in:
jokob-sk
2024-09-12 07:55:20 +10:00
parent dcc43d1f3c
commit 24f7935891
3 changed files with 277 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
dockerfiles/README.md
View File

@@ -41,6 +41,7 @@ docker run -d --rm --network=host \
| `PORT` |Port of the web interface | `20211` |
| `LISTEN_ADDR` |Set the specific IP Address for the listener address for the nginx webserver (web interface). This could be useful when using multiple subnets to hide the web interface from all untrusted networks. | `0.0.0.0` |
|`TZ` |Time zone to display stats correctly. Find your time zone [here](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) | `Europe/Berlin` |
|`APP_CONF_OVERRIDE` | JSON override for settings, e.g. `{"SCAN_SUBNETS":"['192.168.1.0/24 --interface=eth1']","UI_dark_mode":"True"}` (Experimental 🧪) | `N/A` |
|`ALWAYS_FRESH_INSTALL` | Setting to `true` will delete the content of the `/db` & `/config` folders. For testing purposes. Can be coupled with [watchtower](https://github.com/containrrr/watchtower) to have an always freshly installed `netalertx`/`-dev` image. | `N/A` |
### Docker paths

275
docs/AUTHELIA.md Executable file
View File

@@ -0,0 +1,275 @@
(DRAFT) Authelia support
```yaml
theme: dark
default_2fa_method: "totp"
server:
address: 0.0.0.0:9091
endpoints:
enable_expvars: false
enable_pprof: false
authz:
forward-auth:
implementation: 'ForwardAuth'
authn_strategies:
- name: 'HeaderAuthorization'
schemes:
- 'Basic'
- name: 'CookieSession'
ext-authz:
implementation: 'ExtAuthz'
authn_strategies:
- name: 'HeaderAuthorization'
schemes:
- 'Basic'
- name: 'CookieSession'
auth-request:
implementation: 'AuthRequest'
authn_strategies:
- name: 'HeaderAuthRequestProxyAuthorization'
schemes:
- 'Basic'
- name: 'CookieSession'
legacy:
implementation: 'Legacy'
authn_strategies:
- name: 'HeaderLegacy'
- name: 'CookieSession'
disable_healthcheck: false
tls:
key: ""
certificate: ""
client_certificates: []
headers:
csp_template: ""
log:
## Level of verbosity for logs: info, debug, trace.
level: info
###############################################################
# The most important section
###############################################################
access_control:
## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'.
default_policy: deny
networks:
- name: internal
networks:
- '192.168.0.0/18'
- '10.10.10.0/8' # Zerotier
- name: private
networks:
- '172.16.0.0/12'
rules:
- networks:
- private
domain:
- '*'
policy: bypass
- networks:
- internal
domain:
- '*'
policy: bypass
- domain:
# exclude itself from auth, should not happen as we use Traefik middleware on a case-by-case screnario
- 'auth.MYDOMAIN1.TLD'
- 'authelia.MYDOMAIN1.TLD'
- 'auth.MYDOMAIN2.TLD'
- 'authelia.MYDOMAIN2.TLD'
policy: bypass
- domain:
#All subdomains match
- 'MYDOMAIN1.TLD'
- '*.MYDOMAIN1.TLD'
policy: two_factor
- domain:
# This will not work yet as Authelio does not support multi-domain authentication
- 'MYDOMAIN2.TLD'
- '*.MYDOMAIN2.TLD'
policy: two_factor
############################################################
identity_validation:
reset_password:
jwt_secret: "[REDACTED]"
identity_providers:
oidc:
enable_client_debug_messages: true
enforce_pkce: public_clients_only
hmac_secret: [REDACTED]
lifespans:
authorize_code: 1m
id_token: 1h
refresh_token: 90m
access_token: 1h
cors:
endpoints:
- authorization
- token
- revocation
- introspection
- userinfo
allowed_origins:
- "*"
allowed_origins_from_client_redirect_uris: false
jwks:
- key: [REDACTED]
certificate_chain:
clients:
- client_id: portainer
client_name: Portainer
# generate secret with "authelia crypto hash generate pbkdf2 --random --random.length 32 --random.charset alphanumeric"
# Random Password: [REDACTED]
# Digest: [REDACTED]
client_secret: [REDACTED]
token_endpoint_auth_method: 'client_secret_post'
public: false
authorization_policy: two_factor
consent_mode: pre-configured #explicit
pre_configured_consent_duration: '6M' #Must be re-authorised every 6 Months
scopes:
- openid
#- groups #Currently not supported in Authelia V
- email
- profile
redirect_uris:
- https://portainer.MYDOMAIN1.LTD
userinfo_signed_response_alg: none
- client_id: openproject
client_name: OpenProject
# generate secret with "authelia crypto hash generate pbkdf2 --random --random.length 32 --random.charset alphanumeric"
# Random Password: [REDACTED]
# Digest: [REDACTED]
client_secret: [REDACTED]
token_endpoint_auth_method: 'client_secret_basic'
public: false
authorization_policy: two_factor
consent_mode: pre-configured #explicit
pre_configured_consent_duration: '6M' #Must be re-authorised every 6 Months
scopes:
- openid
#- groups #Currently not supported in Authelia V
- email
- profile
redirect_uris:
- https://op.MYDOMAIN.TLD
#grant_types:
# - refresh_token
# - authorization_code
#response_types:
# - code
#response_modes:
# - form_post
# - query
# - fragment
userinfo_signed_response_alg: none
##################################################################
telemetry:
metrics:
enabled: false
address: tcp://0.0.0.0:9959
totp:
disable: false
issuer: authelia.com
algorithm: sha1
digits: 6
period: 30 ## The period in seconds a one-time password is valid for.
skew: 1
secret_size: 32
webauthn:
disable: false
timeout: 60s ## Adjust the interaction timeout for Webauthn dialogues.
display_name: Authelia
attestation_conveyance_preference: indirect
user_verification: preferred
ntp:
address: "pool.ntp.org"
version: 4
max_desync: 5s
disable_startup_check: false
disable_failure: false
authentication_backend:
password_reset:
disable: false
custom_url: ""
refresh_interval: 5m
file:
path: /config/users_database.yml
watch: true
password:
algorithm: argon2
argon2:
variant: argon2id
iterations: 3
memory: 65536
parallelism: 4
key_length: 32
salt_length: 16
password_policy:
standard:
enabled: false
min_length: 8
max_length: 0
require_uppercase: true
require_lowercase: true
require_number: true
require_special: true
## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings.
zxcvbn:
enabled: false
min_score: 3
regulation:
max_retries: 3
find_time: 2m
ban_time: 5m
session:
name: authelia_session
secret: [REDACTED]
expiration: 60m
inactivity: 15m
cookies:
- domain: 'MYDOMAIN1.LTD'
authelia_url: 'https://auth.MYDOMAIN1.LTD'
name: 'authelia_session'
default_redirection_url: 'https://MYDOMAIN1.LTD'
- domain: 'MYDOMAIN2.LTD'
authelia_url: 'https://auth.MYDOMAIN2.LTD'
name: 'authelia_session_other'
default_redirection_url: 'https://MYDOMAIN2.LTD'
storage:
encryption_key: [REDACTED]
local:
path: /config/db.sqlite3
notifier:
disable_startup_check: true
smtp:
address: MYOTHERDOMAIN.LTD:465
timeout: 5s
username: "USER@DOMAIN"
password: "[REDACTED]"
sender: "Authelia <postmaster@MYOTHERDOMAIN.LTD>"
identifier: NAME@MYOTHERDOMAIN.LTD
subject: "[Authelia] {title}"
startup_check_address: postmaster@MYOTHERDOMAIN.LTD
```

1
docs/README.md
View File

@@ -63,6 +63,7 @@ There is also an in-app Help / FAQ section that should be answering frequently a
- [Version history (legacy)](/docs/VERSIONS_HISTORY.md)
- [Reverse proxy (Nginx, Apache, SWAG)](/docs/REVERSE_PROXY.md)
- [Setting up Authelia](/docs/AUTHELIA.md) (DRAFT)
#### 👩💻For Developers👨💻