Reinstall test on Debian 12 surfaced three rootless-only breakages (rooted was byte-identical/fine): 1. pasta blocked by Debian's passt AppArmor profile (DENIED ptrace read -> can't open container netns -> rootless dockerd never starts). Default CFG_ROOTLESS_NET back to slirp4netns (reliable); pasta stays selectable for hosts that relax the profile. 2. de-sudo mis-assigned helpers by owner. /docker management layer (apps DB chowned to libreportal by install_sqlite, /docker/logs) is MANAGER-owned, not dockerinstall. Add runInstallWrite; move apps-DB sqlite3 -> runInstallOp and /docker/logs appends -> runInstallWrite. Revert ownership-SETUP scripts (libreportal_folders, app_folder) to runSystem — they must run as root to establish ownership during install. Container files (/docker/containers/<app>) stay runFileOp. 3. kernel hardening sysctls written to /etc/sysctl/99-custom.conf, which 'sysctl --system' does not read -> never applied. Write them to /etc/sysctl.d/99-libreportal-hardening.conf instead. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
209 lines
7.1 KiB
Bash
Executable File
209 lines
7.1 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# Category : Security
|
|
# Description : Authelia - Authentication & SSO (c/u/s/r/i):
|
|
|
|
installAuthelia()
|
|
{
|
|
local config_variables="$1"
|
|
|
|
if [[ "$authelia" == *[cCtTuUsSrRiI]* ]]; then
|
|
dockerConfigSetupToContainer silent authelia;
|
|
local app_name=$CFG_AUTHELIA_APP_NAME
|
|
initializeAppVariables $app_name;
|
|
fi
|
|
|
|
if [[ "$authelia" == *[cC]* ]]; then
|
|
editAppConfig $app_name;
|
|
fi
|
|
|
|
if [[ "$authelia" == *[uU]* ]]; then
|
|
dockerUninstallApp $app_name;
|
|
fi
|
|
|
|
if [[ "$authelia" == *[sS]* ]]; then
|
|
dockerComposeDown $app_name;
|
|
fi
|
|
|
|
if [[ "$authelia" == *[rR]* ]]; then
|
|
dockerComposeRestart $app_name;
|
|
fi
|
|
|
|
if [[ "$authelia" == *[iI]* ]]; then
|
|
isHeader "Install $app_name"
|
|
|
|
# Pre-flight: bail out before touching any compose/config if the
|
|
# global prerequisites aren't met. CFG_AUTHELIA_REQUIRES lists
|
|
# what's needed (currently "domain,traefik"); the helper prints a
|
|
# clear list of what's missing so the user knows what to fix.
|
|
if ! appInstallCheckRequirements "$app_name" "$CFG_AUTHELIA_REQUIRES"; then
|
|
authelia=n
|
|
return 1
|
|
fi
|
|
|
|
((menu_number++))
|
|
echo ""
|
|
echo "---- $menu_number. Setting up install folder and config file for $app_name."
|
|
echo ""
|
|
|
|
dockerConfigSetupToContainer "loud" "$app_name" "install" "$config_variables";
|
|
isSuccessful "Install folders and Config files have been setup for $app_name."
|
|
|
|
((menu_number++))
|
|
echo ""
|
|
|
|
|
|
((menu_number++))
|
|
echo ""
|
|
echo "---- $menu_number. Setting up the $app_name docker-compose.yml file."
|
|
echo ""
|
|
|
|
dockerComposeSetupFile $app_name;
|
|
|
|
local result=$(copyResource "$app_name" "configuration.yml" "config" | runInstallWrite -a "$logs_dir/$docker_log_file" 2>&1)
|
|
checkSuccess "Copying configuration.yml to $containers_dir$app_name/config"
|
|
|
|
local result=$(copyResource "$app_name" "users_database.yml" "config" | runInstallWrite -a "$logs_dir/$docker_log_file" 2>&1)
|
|
checkSuccess "Copying users_database.yml to $containers_dir$app_name/config"
|
|
|
|
local authelia_config_file="$containers_dir$app_name/config/configuration.yml"
|
|
runFileOp sed -i "s|AUTHELIA_THEME_PLACEHOLDER|$CFG_AUTHELIA_THEME|g" "$authelia_config_file"
|
|
runFileOp sed -i "s|AUTHELIA_DOMAIN_PLACEHOLDER|$domain_full|g" "$authelia_config_file"
|
|
runFileOp sed -i "s|AUTHELIA_HOST_PLACEHOLDER|$host_setup|g" "$authelia_config_file"
|
|
checkSuccess "Substituting Authelia configuration values (theme=$CFG_AUTHELIA_THEME domain=$domain_full host=$host_setup)"
|
|
|
|
local authelia_secrets_dir="$containers_dir$app_name/secrets"
|
|
runFileOp mkdir -p "$authelia_secrets_dir"
|
|
for secret_name in JWT_SECRET SESSION_SECRET STORAGE_ENCRYPTION_KEY; do
|
|
local secret_file="$authelia_secrets_dir/$secret_name"
|
|
if [[ ! -s "$secret_file" ]]; then
|
|
openssl rand -hex 64 | runFileWrite "$secret_file"
|
|
runFileOp chmod 600 "$secret_file"
|
|
fi
|
|
done
|
|
runFileOp chown -R "$docker_install_user":"$docker_install_user" "$authelia_secrets_dir"
|
|
checkSuccess "Generated Authelia secrets at $authelia_secrets_dir"
|
|
|
|
# Enable Authelia's telemetry/metrics endpoint only when
|
|
# CFG_AUTHELIA_MONITORING=true (toggles the libreportal-monitoring
|
|
# marker block in configuration.yml).
|
|
monitoringToggleAppConfig "$app_name" "config/configuration.yml";
|
|
|
|
((menu_number++))
|
|
echo ""
|
|
echo "---- $menu_number. Updating file permissions before starting."
|
|
echo ""
|
|
|
|
fixPermissionsBeforeStart $app_name;
|
|
|
|
((menu_number++))
|
|
echo ""
|
|
echo "---- $menu_number. Running the docker-compose.yml to install and start $app_name"
|
|
echo ""
|
|
|
|
dockerComposeUpdateAndStartApp $app_name install;
|
|
|
|
((menu_number++))
|
|
echo ""
|
|
echo "---- $menu_number. Configuring Authelia admin account"
|
|
echo ""
|
|
|
|
local authelia_admin_user="${CFG_AUTHELIA_ADMIN_USERNAME:-admin}"
|
|
local authelia_admin_pass="${CFG_AUTHELIA_ADMIN_PASSWORD:-authelia}"
|
|
local authelia_users_file="$containers_dir$app_name/config/users_database.yml"
|
|
local authelia_attempts=0
|
|
while ((authelia_attempts < 30)); do
|
|
if runFileOp docker exec authelia-service authelia --version >/dev/null 2>&1; then
|
|
break
|
|
fi
|
|
sleep 2
|
|
((authelia_attempts++))
|
|
done
|
|
|
|
if ((authelia_attempts >= 30)); then
|
|
isNotice "Authelia container did not become responsive in time — admin left at default (admin / authelia)."
|
|
else
|
|
local authelia_hash
|
|
authelia_hash=$(runFileOp docker exec authelia-service authelia crypto hash generate argon2 --password "$authelia_admin_pass" 2>/dev/null \
|
|
| grep -oE '\$argon2[^[:space:]]+')
|
|
if [[ -z "$authelia_hash" ]]; then
|
|
isNotice "Could not generate Authelia password hash — admin left at default (admin / authelia)."
|
|
else
|
|
runFileWrite "$authelia_users_file" <<EOF
|
|
---
|
|
users:
|
|
${authelia_admin_user}:
|
|
disabled: false
|
|
displayname: "Admin"
|
|
password: "${authelia_hash}"
|
|
email: ${authelia_admin_user}@${domain_full:-example.com}
|
|
groups:
|
|
- admins
|
|
EOF
|
|
runFileOp chown "$docker_install_user":"$docker_install_user" "$authelia_users_file"
|
|
isSuccessful "Configured Authelia admin (user: $authelia_admin_user)."
|
|
dockerComposeRestart "$app_name";
|
|
fi
|
|
fi
|
|
|
|
((menu_number++))
|
|
echo ""
|
|
echo "---- $menu_number. Running Application specific updates (if required)"
|
|
echo ""
|
|
|
|
appUpdateSpecifics $app_name;
|
|
|
|
((menu_number++))
|
|
echo ""
|
|
echo "---- $menu_number. Running Headscale setup (if required)"
|
|
echo ""
|
|
|
|
setupHeadscale $app_name;
|
|
|
|
((menu_number++))
|
|
echo ""
|
|
echo "---- $menu_number. Adding $app_name to the Apps Database table."
|
|
echo ""
|
|
|
|
databaseInstallApp $app_name;
|
|
|
|
((menu_number++))
|
|
echo ""
|
|
echo "---- $menu_number. Updating WebUI config file."
|
|
echo ""
|
|
|
|
webuiContainerSetup $app_name install;
|
|
|
|
((menu_number++))
|
|
echo ""
|
|
echo "---- $menu_number. Refreshing monitoring integration."
|
|
echo ""
|
|
|
|
# Self-correcting: adds Authelia's scrape target + dashboard to
|
|
# Prometheus/Grafana when CFG_AUTHELIA_MONITORING=true, removes them
|
|
# when it's off. No-ops with a notice if either app isn't installed.
|
|
monitoringRefreshAll;
|
|
|
|
((menu_number++))
|
|
echo ""
|
|
echo "---- $menu_number. You can find $app_name files at $containers_dir$app_name"
|
|
echo ""
|
|
echo " You can now navigate to your new service using one of the options below : "
|
|
echo ""
|
|
|
|
menuShowFinalMessages $app_name;
|
|
|
|
echo ""
|
|
isNotice "Authelia admin login:"
|
|
echo ""
|
|
echo " Username : ${authelia_admin_user}"
|
|
echo " Password : ${authelia_admin_pass}"
|
|
echo ""
|
|
|
|
menu_number=0
|
|
#sleep 3s
|
|
cd
|
|
fi
|
|
authelia=n
|
|
}
|