feat: support for authentik forward auth

Author: netr0m

README.md

@@ -67,6 +67,23 @@ infra_wazuh_api_password: ~
 
 ### Recommended configuration changes
 
+#### Configure authentik as a forward proxy authentication provider
+
+- Make sure to [Configure authentik as a "Forward Auth" proxy](./docs/authentik.md#configure-authentik-as-a-forward-auth-proxy) as well
+
+```yml
+# Enable authentik deployment
+infra_use_authentik: true
+# Enable for the various services
+infra_graylog_use_authentik: true
+infra_pihole_use_authentik: true
+infra_unifi_use_authentik: true
+infra_uptimekuma_use_authentik: true
+infra_vaultwarden_use_authentik: true
+infra_wazuh_use_authentik: true
+infra_wireguard_use_authentik: true
+```
+
 #### Set the Pi-Hole admin portal password
 ```yml
 # Password for Pihole web UI. Autogenerated if not set.

defaults/main/graylog.yml

@@ -7,6 +7,12 @@ infra_graylog_db_version: 5.0
 # Version of the opensearch Docker image to use
 infra_graylog_opensearch_version: 2.4.0
 
+## authentik forward auth proxy
+# whether to use authentik as an auth proxy
+infra_graylog_use_authentik: false
+# which middleware to use. must exist in the traefik config.
+infra_graylog_auth_mwr: "{{ infra_default_traefik_auth_mwr }}"
+
 ## graylog secrets
 # Password for the graylog MongoDB user (infra_graylog_db_user)
 infra_graylog_db_password: ~
@@ -122,6 +128,8 @@ infra_graylog_log_options:
   max-size: 20m
   max-file: '5'
   compress: 'true'
+# Traefik middlewares for the graylog container
+infra_graylog_traefik_middlewares: "{{ infra_default_traefik_middlewares }}"
 
 ## Docker volume configs
 # Name of the graylog config Docker volume

defaults/main/main.yml

@@ -73,4 +73,11 @@ infra_use_godns: false
 infra_use_uptimekuma: true
 # Configure wazuh
 infra_use_wazuh: false
+
+## Traefik (from netr0m.svc)
+# Default middlewares for services behind traefik
+infra_default_traefik_middlewares:
+  - infra-default-mwr@file
+# Default middleware for forward auth proxying
+infra_default_traefik_auth_mwr: authentik-auth-mwr@file
 ...

defaults/main/pihole.yml

@@ -3,6 +3,12 @@
 # Version of the pihole Docker image to use (see 'infra_pihole_container_image')
 infra_pihole_version: 2024.07.0
 
+## authentik forward auth proxy
+# whether to use authentik as an auth proxy
+infra_pihole_use_authentik: false
+# which middleware to use. must exist in the traefik config.
+infra_pihole_auth_mwr: "{{ infra_default_traefik_auth_mwr }}"
+
 ## Pihole secrets
 # Password for the web UI
 infra_pihole_password: ~
@@ -76,6 +82,8 @@ infra_pihole_port_web: 8053
 infra_pihole_port_dns: 53
 # Max. wait time for pihole compose deployment
 infra_pihole_compose_wait_timeout: 300
+# Traefik middlewares for the pihole container
+infra_pihole_traefik_middlewares: "{{ infra_default_traefik_middlewares }}"
 
 ## Docker volume configs
 # Name of the data Docker volume

defaults/main/unifi.yml

@@ -5,6 +5,12 @@ infra_unifi_version: 9.0.114
 # Version of the MongoDB Docker image to use
 infra_unifi_db_version: 8.0
 
+## authentik forward auth proxy
+# whether to use authentik as an auth proxy
+infra_unifi_use_authentik: false
+# which middleware to use. must exist in the traefik config.
+infra_unifi_auth_mwr: "{{ infra_default_traefik_auth_mwr }}"
+
 ## Unifi secrets
 # Password for the unifi MongoDB user (infra_unifi_db_user)
 infra_unifi_db_password: ~
@@ -90,6 +96,8 @@ infra_unifi_port_discovery: 10001
 infra_unifi_port_l2_discovery: 1900
 # Syslog port for the unifi server
 infra_unifi_port_syslog: 5514
+# Traefik middlewares for the unifi container
+infra_unifi_traefik_middlewares: "{{ infra_default_traefik_middlewares }}"
 
 ## Docker volume configs
 # Name of the config Docker volume

defaults/main/uptimekuma.yml

@@ -3,6 +3,12 @@
 # Version of the uptime-kuma Docker image to use (see 'infra_uptimekuma_container_image')
 infra_uptimekuma_version: 1.23.11-alpine
 
+## authentik forward auth proxy
+# whether to use authentik as an auth proxy
+infra_uptimekuma_use_authentik: false
+# which middleware to use. must exist in the traefik config.
+infra_uptimekuma_auth_mwr: "{{ infra_default_traefik_auth_mwr }}"
+
 ## uptime-kuma settings. See https://github.com/louislam/uptime-kuma/wiki/Environment-Variables
 infra_uptimekuma_settings: {}
 
@@ -39,6 +45,8 @@ infra_uptimekuma_fqdn: "{{ infra_uptimekuma_container_hostname }}.{{ infra_domai
 infra_uptimekuma_restart_policy: "{{ infra_restart_policy }}"
 # Memory limit for the uptime-kuma container
 infra_uptimekuma_container_memory: 1g
+# Traefik middlewares for the uptime-kuma container
+infra_uptimekuma_traefik_middlewares: "{{ infra_default_traefik_middlewares }}"
 
 ## Docker volume configs
 # Name of the redis data Docker volume

defaults/main/vaultwarden.yml

@@ -3,6 +3,12 @@
 # Version of the vaultwarden Docker image to use (see 'infra_vaultwarden_container_image')
 infra_vaultwarden_version: 1.33.2
 
+## authentik forward auth proxy
+# whether to use authentik as an auth proxy
+infra_vaultwarden_use_authentik: false
+# which middleware to use. must exist in the traefik config.
+infra_vaultwarden_auth_mwr: "{{ infra_default_traefik_auth_mwr }}"
+
 ## Vaultwarden settings. See https://github.com/dani-garcia/vaultwarden/wiki
 infra_vaultwarden_settings:
   EXTENDED_LOGGING: 'true'
@@ -48,6 +54,8 @@ infra_vaultwarden_fqdn: "{{ infra_vaultwarden_container_hostname }}.{{ infra_dom
 infra_vaultwarden_restart_policy: "{{ infra_restart_policy }}"
 # Memory limit for the vaultwarden container
 infra_vaultwarden_container_memory: 1g
+# Traefik middlewares for the vaultwarden container
+infra_vaultwarden_traefik_middlewares: "{{ infra_default_traefik_middlewares }}"
 
 ## Docker volume configs
 # Name of the data Docker volume

defaults/main/wazuh.yml

@@ -5,6 +5,12 @@ infra_wazuh_version: 4.11.0
 # Version of the wazuh Docker image to use (see 'infra_wazuh_cert_tool_container_image')
 infra_wazuh_cert_tool_version: 0.0.2
 
+## authentik forward auth proxy
+# whether to use authentik as an auth proxy
+infra_wazuh_use_authentik: false
+# which middleware to use. must exist in the traefik config.
+infra_wazuh_auth_mwr: "{{ infra_default_traefik_auth_mwr }}"
+
 ## wazuh secrets
 # Password for the wazuh indexer 'admin' user (infra_wazuh_indexer_admin_user)
 infra_wazuh_indexer_admin_password: ~
@@ -145,6 +151,8 @@ infra_wazuh_ulimit_memlock_hard: -1
 infra_wazuh_ulimit_nofile_soft: 65536
 # hard ulimit for nofile
 infra_wazuh_ulimit_nofile_hard: 65536
+# Traefik middlewares for the wazuh container
+infra_wazuh_traefik_middlewares: "{{ infra_default_traefik_middlewares }}"
 
 ## Docker volume configs
 # Name of the manager api config Docker volume

defaults/main/wireguard.yml

@@ -5,6 +5,12 @@ infra_wireguard_version: latest
 # Version of the wireguard-ui Docker image to use (see 'infra_wireguard_ui_container_image')
 infra_wireguard_ui_version: latest
 
+## authentik forward auth proxy
+# whether to use authentik as an auth proxy
+infra_wireguard_ui_use_authentik: false
+# which middleware to use. must exist in the traefik config.
+infra_wireguard_auth_mwr: "{{ infra_default_traefik_auth_mwr }}"
+
 ## Wireguard secrets
 # Session secret used to encrypt wireguard-ui session cookies
 infra_wireguard_ui_session_secret: ~
@@ -99,6 +105,9 @@ infra_wireguard_container_dns_servers:
   - 1.0.0.1
 # Whether to use Pihole for Wireguard DNS. Requires 'infra_use_pihole' to be true
 infra_wireguard_use_pihole_dns: "{{ infra_use_pihole }}"
+# Traefik middlewares for the wireguard-ui container
+infra_wireguard_ui_traefik_middlewares: "{{ infra_default_traefik_middlewares }}"
+
 
 ## Docker volume configs
 # Name of the config files' Docker volume

docs/authentik.md

@@ -0,0 +1,24 @@
+# Authentik
+
+## Initial configuration
+1. After deploying, navigate to the Authentik dashboard (e.g. `https://authentik.<DOMAIN>.<tld>/if/flow/initial-setup/`. See `infra_authentik_fqdn`)
+2. Create the admin user
+
+## Configure authentik as a "Forward Auth" proxy
+
+Firstly, navigate to the [Admin interface](https://authentik.<DOMAIN>.<tld>/if/admin/)
+
+### Create the Application and Application Provider
+1. Under [Applications](https://authentik.<DOMAIN>.<tld>/if/admin/#/core/applications), click "Create with wizard"
+2. Provide a name for the application (e.g., "Traefik"), and click "Next"
+3. Select "Proxy Provider" as the Provider Type, and click "Next"
+4. Under "Authorization flow", select the "explicit-auth" option
+5. Select "Forward auth (domain level)", and enter the "Authentication URL" (e.g., `authentik.<DOMAIN>.<tld>`) and "Cookie domain" (e.g. `<DOMAIN>.<tld>`). Click "Next"
+6. For "Bindings", click "Next" (leave as-is)
+7. Click "Submit" to create the Application and Provider
+
+### Configure the Outpost
+1. Navigate to [Outposts](https://authentik.<DOMAIN>.<tld>/if/admin/#/outpost/outposts), 
+2. Click the "Edit" button for the "authentik Embedded Outpost"
+3. Highlight the Application you created above (left-hand side), and click the right arrow icon to select the Application
+4. Click "Update" to save the change

tasks/deploy_graylog.yml

@@ -7,6 +7,11 @@
     group: "{{ infra_graylog_directory_group }}"
     mode: "{{ infra_graylog_directory_mode }}"
 
+- name: Add Authentik auth middleware
+  when: infra_graylog_use_authentik
+  ansible.builtin.set_fact:
+    infra_graylog_traefik_middlewares: "{{ infra_graylog_traefik_middlewares + [infra_graylog_auth_mwr] }}"
+
 - name: Manage service files
   block:
     - name: Write graylog DB password secret to file

tasks/deploy_pihole.yml

@@ -15,6 +15,11 @@
     group: "{{ infra_pihole_dnsmasq_d_directory_group }}"
     mode: "{{ infra_pihole_dnsmasq_d_directory_mode }}"
 
+- name: Add Authentik auth middleware
+  when: infra_pihole_use_authentik
+  ansible.builtin.set_fact:
+    infra_pihole_traefik_middlewares: "{{ infra_pihole_traefik_middlewares + [infra_pihole_auth_mwr] }}"
+
 - name: Query for docker network details of '{{ svc_docker_network_name }}'
   community.docker.docker_network_info:
     name: "{{ svc_docker_network_name }}"

tasks/deploy_unifi.yml

@@ -7,6 +7,11 @@
     group: "{{ infra_unifi_directory_group }}"
     mode: "{{ infra_unifi_directory_mode }}"
 
+- name: Add Authentik auth middleware
+  when: infra_unifi_use_authentik
+  ansible.builtin.set_fact:
+    infra_unifi_traefik_middlewares: "{{ infra_unifi_traefik_middlewares + [infra_unifi_auth_mwr] }}"
+
 - name: Manage service files
   block:
     - name: Write unifi DB password secret to file

tasks/deploy_uptimekuma.yml

@@ -7,6 +7,11 @@
     group: "{{ infra_uptimekuma_directory_group }}"
     mode: "{{ infra_uptimekuma_directory_mode }}"
 
+- name: Add Authentik auth middleware
+  when: infra_uptimekuma_use_authentik
+  ansible.builtin.set_fact:
+    infra_uptimekuma_traefik_middlewares: "{{ infra_uptimekuma_traefik_middlewares + [infra_uptimekuma_auth_mwr] }}"
+
 - name: Manage service files
   block:
     - name: Write uptimekuma environment variables to file

tasks/deploy_vaultwarden.yml

@@ -7,6 +7,11 @@
     group: "{{ infra_vaultwarden_directory_group }}"
     mode: "{{ infra_vaultwarden_directory_mode }}"
 
+- name: Add Authentik auth middleware
+  when: infra_vaultwarden_use_authentik
+  ansible.builtin.set_fact:
+    infra_vaultwarden_traefik_middlewares: "{{ infra_vaultwarden_traefik_middlewares + [infra_vaultwarden_auth_mwr] }}"
+
 - name: Manage service files
   block:
     - name: Write vaultwarden environment variables to file

tasks/deploy_wazuh.yml

@@ -15,6 +15,11 @@
     group: "{{ infra_wazuh_config_directory_group }}"
     mode: "{{ infra_wazuh_config_directory_mode }}"
 
+- name: Add Authentik auth middleware
+  when: infra_wazuh_use_authentik
+  ansible.builtin.set_fact:
+    infra_wazuh_traefik_middlewares: "{{ infra_wazuh_traefik_middlewares + [infra_wazuh_auth_mwr] }}"
+
 - name: Check if initial setup
   block:
     - name: Stat init file

tasks/deploy_wireguard.yml

@@ -7,6 +7,11 @@
     group: "{{ infra_wireguard_directory_group }}"
     mode: "{{ infra_wireguard_directory_mode }}"
 
+- name: Add Authentik auth middleware
+  when: infra_wireguard_ui_use_authentik
+  ansible.builtin.set_fact:
+    infra_wireguard_ui_traefik_middlewares: "{{ infra_wireguard_ui_traefik_middlewares + [infra_wireguard_auth_mwr] }}"
+
 - name: Add Pihole as a DNS server for wireguard
   when: infra_wireguard_use_pihole_dns and infra_use_pihole
   block:

templates/compose/graylog.yml.j2

@@ -80,7 +80,7 @@ services:
       traefik.http.services.{{ infra_graylog_service_name }}-svc.loadbalancer.server.scheme: http
       traefik.http.routers.{{ infra_graylog_service_name }}-rtr.service: {{ infra_graylog_service_name }}-svc
       traefik.http.middlewares.{{ infra_graylog_service_name }}-mwr.headers.customrequestheaders.X-Graylog-Server-URL: http://{{ infra_graylog_fqdn }}/
-      traefik.http.routers.{{ infra_graylog_service_name }}-rtr.middlewares: {{ infra_graylog_service_name }}-mwr,lan-mwr@file
+      traefik.http.routers.{{ infra_graylog_service_name }}-rtr.middlewares: {{ infra_graylog_service_name }}-mwr,{{ infra_graylog_traefik_middlewares | join(',') }}
       docker-volume-backup.stop-during-backup: "{{ infra_graylog_service_name }}"
     networks:
       - default

templates/compose/pihole.yml.j2

@@ -44,7 +44,7 @@ services:
       traefik.http.services.{{ infra_pihole_service_name }}-web-svc.loadbalancer.server.port: 80
       traefik.http.services.{{ infra_pihole_service_name }}-web-svc.loadbalancer.server.scheme: http
       traefik.http.routers.{{ infra_pihole_service_name }}-web-rtr.service: {{ infra_pihole_service_name }}-web-svc
-      traefik.http.routers.{{ infra_pihole_service_name }}-web-rtr.middlewares: lan-mwr@file
+      traefik.http.routers.{{ infra_pihole_service_name }}-web-rtr.middlewares: {{ infra_pihole_traefik_middlewares | join(',') }}
       # DNS/tcp shared router
       traefik.tcp.services.pihole-dns-tcp-svc.loadbalancer.server.port: 53
       # DNS-TLS/tcp

templates/compose/unifi.yml.j2

@@ -46,7 +46,7 @@ services:
       traefik.http.services.{{ infra_unifi_service_name }}-svc.loadbalancer.server.port: 8443
       traefik.http.services.{{ infra_unifi_service_name }}-svc.loadbalancer.server.scheme: https
       traefik.http.routers.{{ infra_unifi_service_name }}-rtr.service: {{ infra_unifi_service_name }}-svc
-      traefik.http.routers.{{ infra_unifi_service_name }}-rtr.middlewares: lan-mwr@file
+      traefik.http.routers.{{ infra_unifi_service_name }}-rtr.middlewares: {{ infra_unifi_traefik_middlewares | join(',') }}
       docker-volume-backup.stop-during-backup: "{{ infra_unifi_service_name }}"
     networks:
       - default

templates/compose/uptimekuma.yml.j2

@@ -20,7 +20,7 @@ services:
       traefik.http.services.{{ infra_uptimekuma_service_name }}-svc.loadbalancer.server.port: 3001
       traefik.http.services.{{ infra_uptimekuma_service_name }}-svc.loadbalancer.server.scheme: http
       traefik.http.routers.{{ infra_uptimekuma_service_name }}-rtr.service: {{ infra_uptimekuma_service_name }}-svc
-      traefik.http.routers.{{ infra_uptimekuma_service_name }}-rtr.middlewares: lan-mwr@file
+      traefik.http.routers.{{ infra_uptimekuma_service_name }}-rtr.middlewares: {{ infra_uptimekuma_traefik_middlewares | join(',') }}
       docker-volume-backup.stop-during-backup: "{{ infra_uptimekuma_service_name }}"
     networks:
       {{ svc_docker_network_name }}:

templates/compose/vaultwarden.yml.j2

@@ -20,7 +20,7 @@ services:
       traefik.http.services.{{ infra_vaultwarden_service_name }}-svc.loadbalancer.server.port: 80
       traefik.http.services.{{ infra_vaultwarden_service_name }}-svc.loadbalancer.server.scheme: http
       traefik.http.routers.{{ infra_vaultwarden_service_name }}-rtr.service: {{ infra_vaultwarden_service_name }}-svc
-      traefik.http.routers.{{ infra_vaultwarden_service_name }}-rtr.middlewares: lan-mwr@file
+      traefik.http.routers.{{ infra_vaultwarden_service_name }}-rtr.middlewares: {{ infra_uptimekuma_traefik_middlewares | join(',') }}
       docker-volume-backup.stop-during-backup: "{{ infra_vaultwarden_service_name }}"
     networks:
       {{ svc_docker_network_name }}:

templates/compose/wazuh.yml.j2

@@ -104,7 +104,7 @@ services:
       traefik.http.services.{{ infra_wazuh_service_name }}-svc.loadbalancer.server.port: 5601
       traefik.http.services.{{ infra_wazuh_service_name }}-svc.loadbalancer.server.scheme: https
       traefik.http.routers.{{ infra_wazuh_service_name }}-rtr.service: {{ infra_wazuh_service_name }}-svc
-      traefik.http.routers.{{ infra_wazuh_service_name }}-rtr.middlewares: lan-mwr@file
+      traefik.http.routers.{{ infra_wazuh_service_name }}-rtr.middlewares: {{ infra_wazuh_traefik_middlewares | join(',') }}
       docker-volume-backup.stop-during-backup: "{{ infra_wazuh_service_name }}"
     networks:
       - default

templates/compose/wireguard.yml.j2

@@ -49,7 +49,7 @@ services:
       traefik.http.services.{{ infra_wireguard_ui_service_name }}-svc.loadbalancer.server.port: 5000
       traefik.http.services.{{ infra_wireguard_ui_service_name }}-svc.loadbalancer.server.scheme: http
       traefik.http.routers.{{ infra_wireguard_ui_service_name }}-rtr.service: {{ infra_wireguard_ui_service_name }}-svc
-      traefik.http.routers.{{ infra_wireguard_ui_service_name }}-rtr.middlewares: lan-mwr@file
+      traefik.http.routers.{{ infra_wireguard_ui_service_name }}-rtr.middlewares: {{ infra_uptimekuma_traefik_middlewares | join(',') }}
     network_mode: service:{{ infra_wireguard_service_name }}
     cap_add:
       - NET_ADMIN

vars/main/main.yml

@@ -5,7 +5,30 @@ infra_docker_volume_shared_labels:
   netr0m.ansible-role: infra
 
 # Additional middlewares to include in the traefik config
-svc_traefik_extra_middlewares_infra: {}
+svc_traefik_extra_middlewares_infra:
+  infra-default-mwr:
+    chain:
+      middlewares:
+        - lan-mwr
+        - rate-limit-mwr
+        # - sec-headers-mwr
+  authentik-auth-mwr:
+    forwardAuth:
+      address: https://{{ infra_authentik_fqdn }}/outpost.goauthentik.io/auth/traefik
+      trustForwardHeader: true
+      authResponseHeaders:
+        - X-authentik-username
+        - X-authentik-groups
+        - X-authentik-entitlements
+        - X-authentik-email
+        - X-authentik-name
+        - X-authentik-uid
+        - X-authentik-jwt
+        - X-authentik-meta-jwks
+        - X-authentik-meta-outpost
+        - X-authentik-meta-provider
+        - X-authentik-meta-app
+        - X-authentik-meta-version
 
 # Additional entrypoints to include in the traefik config
 svc_traefik_extra_entrypoints: