Added authelia and set up 2fa for nginx authentication, added ldap module in icinga

pillars/roles/firewalld/ssh.sls

@@ -2,3 +2,5 @@ firewalld:
   70_internal:
     service:
       ssh: []
+    port:
+      23454/tcp: []

pillars/roles/nginx/authelia.sls

@@ -0,0 +1,6 @@
+nginx:
+  authelia:
+    auth: none
+    https:
+      port: 8080
+      prot: http

pillars/roles/nginx/authtypes.txt

@@ -1,4 +1,4 @@
 blocked: can't access
 none: public access
-simple: file-based auth
+ldap: standard directory based auth - not implemented
-ldap: directory based auth - not implemented
+2fa: two-factor directory based auth

pillars/roles/nginx/deluge.sls

@@ -1,6 +1,6 @@
 nginx:
   deluge:
-    auth: none
+    auth: 2fa
     https:
       port: 8112
       prot: http

pillars/roles/nginx/freeipa_server.sls

@@ -1,6 +1,6 @@
 nginx:
   ipa:
-    auth: blocked
+    auth: 2fa
     https:
       port: 8443
       prot: https

pillars/roles/nginx/headphones.sls

@@ -1,6 +1,6 @@
 nginx:
   headphones:
-    auth: blocked
+    auth: 2fa
     https:
       port: 8181
       prot: http

pillars/roles/nginx/icinga.sls

@@ -1,6 +1,6 @@
 nginx:
   icinga:
-    auth: blocked
+    auth: 2fa
     https:
       port: 8080
       prot: http

pillars/roles/nginx/jackett.sls

@@ -1,6 +1,6 @@
 nginx:
   jackett:
-    auth: blocked
+    auth: 2fa
     https:
       port: 9117
       prot: http

pillars/roles/nginx/pass.sls

@@ -1,6 +1,6 @@
 nginx:
   pass:
-    auth: none
+    auth: 2fa
     https:
       port: 8080
       prot: http

pillars/roles/nginx/pkg-cache.sls

@@ -1,6 +1,6 @@
 nginx:
   pkg:
-    auth: blocked
+    auth: 2fa
     https:
       port: 8000
       prot: http

pillars/roles/nginx/plexmediaserver.sls

@@ -1,6 +1,6 @@
 nginx:
   plex:
-    auth: none
+    auth: 2fa
     https:
       port: 32400
       prot: http

pillars/roles/nginx/radarr.sls

@@ -1,6 +1,6 @@
 nginx:
   radarr:
-    auth: blocked
+    auth: 2fa
     https:
       port: 7878
       prot: http

pillars/roles/nginx/sonarr.sls

@@ -1,6 +1,6 @@
 nginx:
   sonarr:
-    auth: blocked
+    auth: 2fa
     https:
       port: 8989
       prot: http

pillars/roles/nginx/sync.sls

@@ -1,6 +1,6 @@
 nginx:
   sync:
-    auth: blocked
+    auth: 2fa
     https:
       port: 8080
       prot: http

pillars/servers/env/server/authelia.sls

@@ -0,0 +1 @@
+env: prod

pillars/servers/env/server/centipa.sls

@@ -0,0 +1 @@
+env: prod

pillars/servers/env/server/debianipa.sls

@@ -0,0 +1 @@
+env: prod

pillars/servers/maintainer/server/authelia.sls

@@ -0,0 +1,3 @@
+maintainer:
+  - masaufuku
+

pillars/servers/maintainer/server/centipa.sls

@@ -0,0 +1,3 @@
+maintainer:
+  - masaufuku
+

pillars/servers/maintainer/server/debianipa.sls

@@ -0,0 +1,3 @@
+maintainer:
+  - masaufuku
+

pillars/servers/roles/server/authelia.sls

@@ -0,0 +1,7 @@
+grains:
+  roles:
+    - server
+    - ssh
+    - saltminion
+    - authelia
+    - nginx-proxy

pillars/servers/roles/server/centipa.sls

@@ -0,0 +1,5 @@
+grains:
+  roles:
+    - server
+    - ssh
+    - saltminion

pillars/servers/roles/server/debianipa.sls

@@ -0,0 +1,6 @@
+grains:
+  roles:
+    - server
+    - ssh
+    - saltminion
+    - freeipa_server

states/basepkgs/init.sls

@@ -2,6 +2,7 @@
 basepkgs:
   pkg.installed:
     - pkgs:
+      - sudo
       - nano
       - wget
       - openssh
@@ -13,6 +14,7 @@ basepkgs:
 basepkgs:
   pkg.installed:
     - pkgs:
+      - sudo
       - nano
       - wget
       - openssh-server
@@ -23,6 +25,7 @@ basepkgs:
 basepkgs:
   pkg.installed:
     - pkgs:
+      - sudo
       - nano
       - wget
       - openssh-server

states/bashrc/init.sls

@@ -18,6 +18,12 @@
     - force: true
     - makedirs: true
 
+/root/.profile:
+  file.symlink:
+    - target: /etc/saltbashrc
+    - force: true
+    - makedirs: true
+
 #change to local admin user and remove constraint when that's properly set up
 {% if grains['os_family'] == 'Debian' %}
 /home/masau/.bashrc:

states/roles/maintain/authelia/authelia.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Runs authelia
+
+[Service]
+ExecStart=/bin/authelia /etc/authelia/config.yml
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

states/roles/maintain/authelia/config.yml

@@ -0,0 +1,174 @@
+###############################################################
+#                   Authelia configuration                    #
+###############################################################
+
+# The port to listen on
+port: 8080
+
+# Log level
+#
+# Level of verbosity for logs
+logs_level: debug
+
+# LDAP configuration
+#
+# Example: for user john, the DN will be cn=john,ou=users,dc=example,dc=com
+ldap:
+  # The url of the ldap server
+  url: ldap://ipa.actcur.com
+
+  # The base dn for every entries
+  base_dn: dc=actcur,dc=com
+
+  # An additional dn to define the scope to all users
+  additional_users_dn: cn=users,cn=accounts
+
+  # The users filter.
+  # {0} is the matcher replaced by username.
+  # 'cn={0}' by default.
+  users_filter: uid={0}
+
+  # An additional dn to define the scope of groups
+  additional_groups_dn: cn=groups,cn=accounts
+
+  # The groups filter.
+  # {0} is the matcher replaced by user dn.
+  # 'member={0}' by default.
+  groups_filter: (&(member={0})(objectclass=groupofnames))
+
+  # The attribute holding the name of the group
+  group_name_attribute: cn
+
+  # The attribute holding the mail address of the user
+  mail_attribute: mail
+
+  # The username and password of the admin user.
+  user: uid=authelia_admin,cn=users,cn=accounts,dc=actcur,dc=com
+  password: "{%- include 'secure/passwords/authelia_admin_password.txt' -%}"
+
+
+# Access Control
+#
+# Access control is a set of rules you can use to restrict user access to certain
+# resources.
+# Any (apply to anyone), per-user or per-group rules can be defined.
+#
+# If 'access_control' is not defined, ACL rules are disabled and the `allow` default
+# policy is applied, i.e., access is allowed to anyone. Otherwise restrictions follow
+# the rules defined.
+#
+# Note: One can use the wildcard * to match any subdomain.
+# It must stand at the beginning of the pattern. (example: *.mydomain.com)
+#
+# Note: You must put the pattern in simple quotes when using the wildcard for the YAML
+# to be syntaxically correct.
+#
+# Definition: A `rule` is an object with the following keys: `domain`, `policy`
+# and `resources`.
+# - `domain` defines which domain or set of domains the rule applies to.
+# - `policy` is the policy to apply to resources. It must be either `allow` or `deny`.
+# - `resources` is a list of regular expressions that matches a set of resources to
+# apply the policy to.
+#
+# Note: Rules follow an order of priority defined as follows:
+# In each category (`any`, `groups`, `users`), the latest rules have the highest
+# priority. In other words, it means that if a given resource matches two rules in the
+# same category, the latest one overrides the first one.
+# Each category has also its own priority. That is, `users` has the highest priority, then
+# `groups` and `any` has the lowest priority. It means if two rules in different categories
+# match a given resource, the one in the category with the highest priority overrides the
+# other one.
+#
+access_control:
+  # Default policy can either be `allow` or `deny`.
+  # It is the policy applied to any resource if it has not been overriden
+  # in the `any`, `groups` or `users` category.
+  default_policy: deny
+
+  # The rules that apply to anyone.
+  # The value is a list of rules.
+  any:
+    - domain: '*'
+      policy: allow
+
+  # Group-based rules. The key is a group name and the value
+  # is a list of rules.
+  groups:
+    domain_admins:
+      # All resources in all domains
+      - domain: '*.actcur.com'
+        policy: allow
+
+
+# Configuration of session cookies
+#
+# The session cookies identify the user once logged in.
+session:
+  # The secret to encrypt the session cookie.
+  secret: "{%- include 'secure/passwords/authelia_secret_password.txt' -%}"
+
+  # The time before the cookie expires.
+  expiration: 3600000
+
+  # The domain to protect.
+  # Note: the authenticator must also be in that domain. If empty, the cookie
+  # is restricted to the subdomain of the issuer.
+  domain: actcur.com
+
+  # The redis connection details
+  redis:
+    host: 127.0.0.1
+    port: 6379
+
+# Configuration of the authentication regulation mechanism.
+#
+# This mechanism prevents attackers from brute forcing the first factor.
+# It bans the user if too many attempts are done in a short period of
+# time.
+regulation:
+  # The number of failed login attempts before user is banned.
+  # Set it to 0 for disabling regulation.
+  max_retries: 3
+
+  # The length of time between login attempts before user is banned.
+  find_time: 120
+
+  # The length of time before a banned user can login again.
+  ban_time: 300
+
+# Configuration of the storage backend used to store data and secrets.
+#
+# You must use only an available configuration: local, mongo
+storage:
+  # The directory where the DB files will be saved
+  #local: /var/lib/authelia/store
+
+  # Settings to connect to mongo server
+  mongo:
+    url: mongodb://127.0.0.1/authelia
+
+# Configuration of the notification system.
+#
+# Notifications are sent to users when they require a password reset, a u2f
+# registration or a TOTP registration.
+# Use only an available configuration: filesystem, gmail
+notifier:
+  # Use your gmail account to send the notifications. You can use an app password.
+  #gmail:
+  #  username: username@gmail.com
+  #  password: password
+
+  # Use a SMTP server for sending notifications
+  #smtp:
+  #  username: test
+  #  password: test
+  #  secure: false
+  #  host: 'smtp.zoho.com'
+  #  port: 1025
+  smtp:
+    username: notifications@actcur.com
+    password: "{%- include 'secure/passwords/authelia_notifications_password.txt' -%}"
+    secure: true
+    host: 'smtp.zoho.com'
+    port: 465
+    sender: 'Actcur Authelia <notifications@actcur.com>'

states/roles/maintain/authelia/init.sls

@@ -0,0 +1,52 @@
+authelia_npm:
+  pkg.installed:
+    - name: npm
+
+install_authelia:
+  npm.installed:
+    - name: authelia
+    - force_reinstall: true
+
+authelia_mongodb:
+  pkg.installed:
+    - name: mongodb
+  service.running:
+    - name: mongodb
+    - enable: true
+
+authelia_redis:
+  pkg.installed:
+    - name: redis
+  service.running:
+    - name: redis
+    - enable: true
+
+#Note - authelia requires manual changes to handle from address atm
+#edit /usr/lib/node_modules/authelia/dist/src/server/lib/notifiers/SmtpNotifier.js
+#and change line 18 to:
+#const transporter = nodemailer.createTransport(smtpOptions,{from: options.from});
+#and remove line 33 (from: "authelia@authelia.com",
+
+authelia_config:
+  file.managed:
+    - name: /etc/authelia/config.yml
+    - source: salt://roles/maintain/authelia/config.yml
+    - user: root
+    - group: root
+    - mode: 644
+    - makedirs: true
+    - template: jinja
+
+"/lib/systemd/system/authelia.service":
+  file.managed:
+    - source: salt://roles/maintain/authelia/authelia.service
+    - user: root
+    - group: root
+    - mode: 644
+
+authelia_service:
+  service.running:
+    - name: authelia
+    - enable: true
+    - watch:
+      - file: authelia_config

states/roles/maintain/freeipa-server/init.sls

@@ -57,5 +57,6 @@ unset_dm_password:
 restart_apache:
   service.running:
     - name: httpd
+    - enable: false
     - watch:
       - cmd: install_cert

states/roles/maintain/icinga/init.sls

@@ -29,6 +29,7 @@ icinga-mysql-client:
     - user: root
     - group: root
     - mode: 644
+    - makedirs: true
 /etc/php/php.ini:
   file.managed:
     - source: salt://roles/maintain/icinga/php.ini

states/roles/maintain/icinga/php.ini

@@ -897,7 +897,7 @@ extension=gettext.so
 ;extension=iconv.so
 ;extension=imap.so
 ;extension=intl.so
-;extension=ldap.so
+extension=ldap.so
 ;extension=mcrypt.so
 ;extension=mysqli.so
 ;extension=odbc.so

states/roles/maintain/nginx-proxy/auth.conf

@@ -3,11 +3,36 @@
 {%- if auth == "none" %}
 
 #No authentication
-{%- elif auth == "simple" %}
-
-auth_basic "Restricted Content";
-auth_basic_user_file /etc/nginx/.htpasswd;
 {%- elif auth == "ldap" %}
 
 #Not Implemented
+{%- elif auth == "2fa" -%}
+#{{location}}
+  {%- if location == "1" %}
+  location /auth_verify {
+    internal;
+    proxy_pass_request_body off;
+    proxy_set_header  X-Original-URI $request_uri;
+    proxy_set_header  X-Real-IP $remote_addr;
+    proxy_set_header  Host $http_host;
+    proxy_set_header  Content-Length "";
+
+    proxy_pass        https://authelia.actcur.com/verify;
+  }
+
+  {% elif location == "2" %}
+    auth_request /auth_verify;
+
+    auth_request_set $redirect $upstream_http_redirect;
+    proxy_set_header Redirect $redirect;
+
+    auth_request_set $user $upstream_http_remote_user;
+    proxy_set_header X-Forwarded-User $user;
+
+    auth_request_set $groups $upstream_http_remote_groups;
+    proxy_set_header Remote-Groups $groups;
+
+    error_page 401 =302 https://authelia.actcur.com?redirect=$redirect;
+    error_page 403 = https://authelia.actcur.com/error/403;
+  {%- endif -%}
 {%- endif -%}

states/roles/maintain/nginx-proxy/local.conf

@@ -27,13 +27,18 @@ server {
   location / {
     proxy_pass $backend;
     proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-Protocol https;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_set_header X-Real-IP  $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr;
     proxy_set_header X-Forwarded-Ssl on;
 
 
     # re-write redirects to http as to https, example: /home
     proxy_redirect http:// https://;
   }
+
+  error_log /var/log/nginx/{{server}}_error.log;
+  access_log /var/log/nginx/{{server}}_access.log;
 }
 {%- endif -%}
 
@@ -62,6 +67,9 @@ server {
     proxy_redirect https:// http://;
 
   }
+
+  error_log /var/log/nginx/{{server}}_error.log;
+  access_log /var/log/nginx/{{server}}_access.log;
 }
 {% elif default == "yes" %}
 server {

states/roles/maintain/nginx-proxy/portal.conf

@@ -19,6 +19,9 @@ server {
   location / {
       root /srv/http;
   }
+
+  error_log /var/log/nginx/portal_error.log;
+  access_log /var/log/nginx/portal_access.log;
 }
 
 server {
@@ -36,6 +39,7 @@ server {
   location / {
     rewrite ^ https://$host$request_uri? permanent;
   }
+  
+  error_log /var/log/nginx/portal_error.log;
+  access_log /var/log/nginx/portal_access.log;
 }
-
-

states/roles/maintain/nginx-proxy/remote.conf

@@ -18,23 +18,29 @@ server {
   ssl_certificate_key /etc/nginx/certs/{{server}}.actcur.com/privkey.pem;
   ssl_session_cache shared:SSL:10m;
   client_max_body_size 1024m;
-    {% include 'roles/maintain/nginx-proxy/auth.conf' %}
 
   location /.well-known/acme-challenge/ {
     proxy_pass $certbot;
     proxy_set_header Host $host;
   }
 
+    {% set location="1" %}{% include 'roles/maintain/nginx-proxy/auth.conf' %}
+
 {%- if auth != "blocked" %}
 
   location / {
+    {% set location="2" %}{% include 'roles/maintain/nginx-proxy/auth.conf' %}
     proxy_pass $backend;
     proxy_set_header Host $host;
+    proxy_set_header X-Real-IP  $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr;
 
     # re-write redirects to http as to https, example: /home
     proxy_redirect http:// https://;
   }
 {%- endif %}
+  error_log /var/log/nginx/{{server}}_error.log;
+  access_log /var/log/nginx/{{server}}_access.log;
 }
 
 {%- if pillar['nginx'][server]['http'] is defined-%}
@@ -63,5 +69,8 @@ server {
     # re-write redirects to https as to http, example: /home
     proxy_redirect https:// http://;
   }
+
+  error_log /var/log/nginx/{{server}}_error.log;
+  access_log /var/log/nginx/{{server}}_access.log;
 }
 {%- endif -%}

states/systems/core/freeipa/enable.sls

@@ -0,0 +1,14 @@
+enable_freeipa:
+  grains.present:
+    - name: freeipa_enabled
+    - value: true
+    - force: true
+
+{% if grains['os_family'] == 'Arch' %}
+include:
+  - systems.core.freeipa
+  - systems.core.freeipa.manual
+{% else %}
+include:
+  - systems.core.freeipa.auto
+{% endif %}

states/systems/core/freeipa/init.sls

@@ -0,0 +1,78 @@
+{##only run if freeipa is enabled##}
+{%- if grains['freeipa_enabled'] is defined -%}
+  {%- if grains['freeipa_enabled'] == true %}
+{% set hostname=grains['host'] %}
+{% set ip=grains['fqdn_ip4'][0] %}
+install_sssd:
+  pkg.installed:
+    - name: sssd
+
+/etc/sssd/sssd.conf:
+  file.managed:
+    - source: salt://systems/core/freeipa/manual/sssd.conf
+    - user: root
+    - group: root
+    - mode: 600
+    - template: jinja
+    - context:
+      hostname: {{hostname}}
+
+/etc/nsswitch.conf:
+  file.managed:
+    - source: salt://systems/core/freeipa/manual/nsswitch.conf
+    - user: root
+    - group: root
+    - mode: 644
+
+/etc/nscd.conf:
+  file.managed:
+    - source: salt://systems/core/freeipa/manual/nscd.conf
+    - user: root
+    - group: root
+    - mode: 644
+
+/etc/krb5.conf:
+  file.managed:
+    - source: salt://systems/core/freeipa/manual/krb5.conf
+    - user: root
+    - group: root
+    - mode: 644
+
+/etc/pam.d:
+  file.recurse:
+    - source: salt://systems/core/freeipa/manual/pam.d/
+    - user: root
+    - group: root
+    - dir_mode: 755
+    - file_mode: 644
+
+/etc/sudoers.d/freeipa:
+  file.managed:
+    - source: salt://systems/core/freeipa/manual/sudoers
+    - user: root
+    - group: root
+    - mode: 644
+
+freeipa_sssd_service:
+  service.running:
+    - name: sssd
+    - enable: true
+    - watch:
+      - file: /etc/sssd/sssd.conf
+      - file: /etc/nsswitch.conf
+      - file: /etc/nscd.conf
+      - file: /etc/krb5.conf
+      - file: /etc/pam.d
+
+freeipa_nscd_service:
+  service.running:
+    - name: nscd
+    - enable: true
+    - watch:
+      - file: /etc/sssd/sssd.conf
+      - file: /etc/nsswitch.conf
+      - file: /etc/nscd.conf
+      - file: /etc/krb5.conf
+      - file: /etc/pam.d
+  {% endif %}
+{% endif %}

states/systems/core/freeipa/manual/init.sls

@@ -1,48 +1,5 @@
 {% set hostname=grains['host'] %}
 {% set ip=grains['fqdn_ip4'][0] %}
-install_sssd:
-  pkg.installed:
-    - name: sssd
-
-/etc/sssd/sssd.conf:
-  file.managed:
-    - source: salt://productionize/freeipa/manual/sssd.conf
-    - user: root
-    - group: root
-    - mode: 600
-    - template: jinja
-    - context:
-      hostname: {{hostname}}
-
-/etc/nsswitch.conf:
-  file.managed:
-    - source: salt://productionize/freeipa/manual/nsswitch.conf
-    - user: root
-    - group: root
-    - mode: 644
-
-/etc/nscd.conf:
-  file.managed:
-    - source: salt://productionize/freeipa/manual/nscd.conf
-    - user: root
-    - group: root
-    - mode: 644
-
-/etc/krb5.conf:
-  file.managed:
-    - source: salt://productionize/freeipa/manual/krb5.conf
-    - user: root
-    - group: root
-    - mode: 644
-
-/etc/pam.d:
-  file.recurse:
-    - source: salt://productionize/freeipa/manual/pam.d/
-    - user: root
-    - group: root
-    - dir_mode: 755
-    - file_mode: 644
-
 freeipa_sshpass:
   pkg.installed:
     - name: sshpass
@@ -70,24 +27,20 @@ unset_salt_ipa_password:
     - value: "False"
     - false_unsets: true
 
-freeipa_sssd_service:
+freeipa_setup_sssd_service_down:
+  service.dead:
+    - name: sssd
+
+freeipa_setup_sssd_service:
   service.running:
     - name: sssd
     - enable: true
-    - watch:
-      - file: /etc/sssd/sssd.conf
-      - file: /etc/nsswitch.conf
-      - file: /etc/nscd.conf
-      - file: /etc/krb5.conf
-      - file: /etc/pam.d
 
-freeipa_nscd_service:
+freeipa_setup_nscd_service_down:
+  service.dead:
+    - name: nscd
+
+freeipa_setup_nscd_service:
   service.running:
     - name: nscd
     - enable: true
-    - watch:
-      - file: /etc/sssd/sssd.conf
-      - file: /etc/nsswitch.conf
-      - file: /etc/nscd.conf
-      - file: /etc/krb5.conf
-      - file: /etc/pam.d

states/systems/core/freeipa/manual/sudoers

@@ -0,0 +1,2 @@
+%domain_admins ALL=(ALL) ALL
+%server_admins ALL=(ALL) ALL

states/top.sls

@@ -10,6 +10,7 @@
     - match: grain_pcre
     - repos.aur
     - systems.arch.mirrors
+    - systems.core.freeipa
   '*':
     - update
     - basepkgs