TrueCharts Authelia

Last Edit: 2024.08.28

Overview

Setup the TrueCharts Authelia application, and connect it to LDAP, on TrueNAS Scale.

Assumptions

WARNING: TrueCharts Depreciated

TrueCharts has unfortunately been depreciated with the pending removal of Kubernetes from TrueNAS Scale. Consider another solution, do not start a fresh deployment of TrueCharts applications. Refer to the following resources for more details.

LDAP User

Authelia needs a user account to login to the LDAP server as, create one and grant it permission to manage user passwords. Connect to the LDAP instance with the interface of choice, this section will use Light LDAP as demonstration.

After creating the user, note the username and password for use in the Authelia app configuration.

Create User

Create a new user for authelia.

SettingValueDescription
User NameautheliaUser ID for logging into the LDAP server.
Email[email protected]Email address for the user.
Display NameAutheliaDisplay name for user, very fancy.
PasswordGenerateSecurePasswordGenerate a secure password and save it for Authelia configuration.

Select Submit to create the new user.

LLDAP create authelia user.

Add Group

Add the new authelia user to a group that has the ability to edit user passwords. In LLDAP this can be done with the lldap_password_manager group. On other LDAP servers, use a group with read and write permissions for users.

On management interfaces like LLDAP and phpLDAPadmin, navigate to the group for Authelia. Add the authelia user as a group member.

LLDAP add authelia user to lldap-password-manager group.

Install Authelia

Navigate to the Applications page in the TrueNAS Scale dashboard, Apps on the main navigation.

Switch to the Available Applications tab in the Applications page.

Using the search tool, find the authelia application. Verify Authelia is from the TrueCharts catalog and is on the Enterprise train.

Select Install to begin configuration and installation of the application. Configuration options not mentioned in this section can be left as default.

Application Name

SettingValueDescription
Application NameautheliaName for the application.
Version Number#.#.#Version to use, latest by default.

App Configuration

SettingValueDescription
Domainexample.comRoot domain Authelia will be providing authentication for.
Default Redirection URLhttps://auth.example.comDefault redirect URL for authenticating with Authelia. Will be whatever ingress domain is configured for Authelia.
ThemeDarkSave your eyes with the dark theme.

Password Policy Configuration

SettingValueDescription
EnabletrueToggle password policy.
StandardfalseBasic strength policy - length, case, numbers, symbols.
zxcvbntrueUse zxcvbn to test password strength.
Min Score3Minimum required zxcvbn rating. Value from 0-4.

Authentication Backend Provider

Connect Authelia to an LDAP server. This section will assume the use

SettingValueDescription
Disable Reset PasswordfalseEnable to disable password reset functionality.
Reset Interval5mInterval to refresh data from backend.
LDAP Backend ConfigurationtrueEnable the LDAP backend.
ImplemenetationCustomUse custom with Light LDAP.
URLldap://lldap-ldap.ix-lldap.svc.cluster.local:3890TrueNAS cluster url for LDAP server.
Connection Timeout5sTime before giving up.
Start TLSfalseEnable to use StartTLS when connecting to the LDAP server.
TLS Server NameOptionally, configure server name for incorrect urls.
Skip Certificate VerificationfalseEnable when using self-signed certs.
Minimum TLS VersionTLS1.2Minimum TLS version required for secure LDAP server connections.
Base DNDC=example,DC=comSet this to your network domain name, as configured with LLDAP.
Username AttributeuidWhat to use as username.
Additional Users DNOU=peopleScope of users on the LDAP server.
Users Filter(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))How to filter users from the LDAP server.
Additional Groups DNOU=groupsScope of groups on the LDAP server.
Groups Filter(member={dn})How should user groups be fetched.
Group Name AttributecnWhere to find group name.
Mail AttributemailAttribute to use for email address.
Display Name AttributedisplayNameAttribute to use for display names.
Admin UserUID=authelia,OU=people,DC=example,DC=comLDAP user created for Authelia.
PasswordGenerateSecurePasswordLDAP Authelia user password generated previously.

SMTP Provider

Setup an SMTP provider to send password reset and welcome emails to users. Refer to your email providers SMTP documentation for host, port, and app-password information.

Common email provider SMTP documentation:

SettingValueDescription
Filesystem ProviderfalseEnable this when SMTP is not used. One notification provider is required for Authelia to function.
SMTP ProvidertrueEnable to use SMTP.
Hostsmtp.example.comSMTP server of the provider.
Port587SMTP connection port.
Timeout5sConnection timeout.
Username[email protected]Login address to use.
PasswordProviderAppPasswordGenerate an app-password with your provider.
Sender[email protected]Email address to send email as.
IdentifierlocalhostHELO identifier.
Subject[Authelia] {title}Email subject line {title} is dynamic.
Startup Check Address[email protected]Email address to send tests to.
Disable Require TLSfalseKeep it off.
Disable HTML EmailstrueEnable to use plain text when sending emails.
TLS Server NameOptionally, configure server name for incorrect urls.
Skip Certificate VerificationfalseEnable when using self-signed certs.
Minimum TLS VersionTLS1.2Minimum TLS version required for SMTP connections.

Access Control Configuration

When defining access rules manually for all applications, set default policy to deny.

SettingValueDescription
Default Policyone_factorDefault authentication required.
NetworksOptional, define networks for use within rule configuration.
RulesDifferent rules from the default policy for specific network elements.

Networking and Services

SettingValueDescription
Main Service
Service TypeClusterIP (Do Not Expose Ports)Set this to cluster IP to expose Authelia via ingress.
Port9091Default Authelia port.

Ingress

SettingValueDescription
Main Ingress
Enable IngresstrueUse ingress for Authelia, verify ClusterIP was used for the network.
HostNameauth.example.comHostname for Authelia, use the same hostname as configured for the default redirect URL.
Path/Root path.
Path TypePrefixPrefix path.
Cert-Manager clusterIssuercertCluster issuer for automatic certificates.
Traefik MiddlewaresNone, Authelia will be a middleware.

Save

Verify you have checked the TrueCharts documentation for Authelia and Save. The application will begin installation and deploy. Navigate to the Installed Applications tab to monitor the status.

Add Traefik Middleware

Authelia Middleware

Within the Traefik application confiugration, find the Middlewares section. Add a new forward auth provider to Traefik for Authelia. The identifier Name defined here will be used when assigning this middleware to applications, auth in this example.

SettingValueDescription
forwardAuthAddAdd a new forwardAuth provider.
NameauthIdentifier when assigning this middleware to applications.
Addresshttp://authelia.ix-authelia.svc.cluster.local:9091/api/verify?rd=https://auth.example.com/Replace example.com with the system domain.
Trust Forward HeadertrueTrust X-Forwarded-* headers from Authelia response.
TLS--
Insecure Skip VerifyfalseLeave off, disables TLS certificate validation.
Auth Response Headers RegexRegex to match headers from Authelia response. Leave blank and define authResponseHeaders.
authResponseHeadersAddAdd 4 auth response headers that have the following values. Refer to the Authelia documentation on trusted headers.
-Remote-UserUsername of the user.
-Remote-GroupGroups user is a member of.
-Remote-NameUser display name.
-Remote-EmailUser email address.

Save the configuration for Authelia to be added as a middleware to Traefik.

Middleware Usage

With the Authelia middleware added to Traefik, configure each application you want protected by Authelia to use the auth middleware. Open an applications configuration and find the Ingress settings.

The following demonstrates Authelia as the middleware for the Traefik dashboard ingress. Authentication with Authelia will be required to access this ingress, utilizing the default policy or defined rules.

Ingress

SettingValueDescription
Main Ingress
Enable IngresstrueToggle ingress state.
HostNametraefik.example.comIngress host on the server domain.
Path/Root path.
Path TypePrefixPrefix path.
Cert-Manager clusterIssuercertCluster issuer for automatic certificates.
Traefik MiddlewaresauthUse Name identifier assigned to Authelia in the Traefik middleware setup.

Traefik ingress with auth middleware.

References

1 2 3 4 5