Adds OIDC example with Authelia

docker-compose-examples/grist-traefik-oidc-auth/configs/authelia/users_database.yml

@@ -0,0 +1,14 @@
+# Primary users file.
+
+# Passwords are generated using 'authelia crypto hash generate argon2'
+# E.g:
+#     docker run authelia/authelia:4 authelia crypto hash generate argon2 --password "test"
+# See https://www.authelia.com/reference/guides/passwords/#yaml-format
+
+users:
+  test:
+    disabled: false
+    displayname: 'Test'
+    password: '$argon2id$v=19$m=65536,t=3,p=4$j1Jub3z0jWBmXNOjNpRK5w$d5176FINCAuzdT3uehQqMS08FC4fadAGrqyZL+0W+p4'
+    email: 'test@example.org'
+    groups: []

docker-compose-examples/grist-traefik-oidc-auth/configs/traefik-config.yml

@@ -0,0 +1,35 @@
+providers:
+  # Enables reading docker label config values
+  docker: {}
+  # Read additional config from this file.
+  file:
+    directory: "/etc/traefik/dynamic"
+
+entrypoints:
+  # Defines a secure entrypoint using TLS encryption
+  websecure:
+    address: ":443"
+    http:
+      tls: true
+  # Defines an insecure entrypoint that redirects to the secure one.
+  web:
+    address: ":80"
+    http:
+      # Redirects HTTP to HTTPS
+      redirections:
+        entrypoint:
+          to: "websecure"
+          scheme: "https"
+
+# Enables automatic certificate renewal
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: "my_email@example.com"
+      storage: /acme/acme.json
+      tlschallenge: true
+
+# Enables the web UI
+# This is disabled by default for security, but can be useful to debugging traefik.
+api:
+  # insecure: true

docker-compose-examples/grist-traefik-oidc-auth/configs/traefik-dynamic-config.yml

@@ -0,0 +1,36 @@
+http:
+  # Declaring the user list
+  middlewares:
+    grist-basic-auth:
+      basicAuth:
+        # The header that Grist will listen for authenticated usernames on.
+        headerField: "X-Forwarded-User"
+        # This is the list of users, in the format username:password.
+        # Passwords can be created using `htpasswd`
+        # E.g: `htpasswd -nB test@example.org`
+        users:
+          # The default username is "test@example.org". The default password is "test".
+          - "test@example.org:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
+  routers:
+    # General router for almost all Grist traffic.
+    general:
+      entrypoints:
+        - web
+        - websecure
+      rule: "HostRegexp(`.*`)"
+      service: grist@docker
+      tls:
+        certresolver: letsencrypt
+
+    # Separate Traefik router for the login pages.
+    # This allows a user to visit the site without hitting the basic auth login page.
+    login:
+      entrypoints:
+        - web
+        - websecure
+      rule: "PathPrefix(`/auth/login`) || PathPrefix(`/_oauth`)"
+      middlewares:
+        - grist-basic-auth
+      service: grist@docker
+      tls:
+        certresolver: letsencrypt

docker-compose-examples/grist-traefik-oidc-auth/docker-compose.yml

@@ -0,0 +1,83 @@
+# This is an example of Grist using Authelia and Traefik for OIDC authentication and https encryption.
+
+# At a minimum, the following should be changed before hosting this example on the internet:
+# - An SMTP notifier should be setup to allow Authelia to send emails, instead of logging to a file.
+# - DNS should be setup appropriately
+
+# Users are defined in ./configs/authelia/user-database.yml
+
+# See https://support.getgrist.com for more information.
+
+secrets:
+  # These secrets are used by Authelia
+  JWT_SECRET:
+    file: ./secrets/JWT_SECRET
+  SESSION_SECRET:
+    file: ./secrets/SESSION_SECRET
+  STORAGE_ENCRYPTION_KEY:
+    file: ./secrets/STORAGE_ENCRYPTION_KEY
+  STORAGE_PASSWORD:
+    file: ./secrets/STORAGE_PASSWORD
+
+services:
+#  grist:
+#    image: gristlabs/grist:latest
+#    environment:
+#      # Use Python 3 instead of 2.
+#      PYTHON_VERSION: 3
+#      # Sets the header to look at for authentication
+#      GRIST_FORWARD_AUTH_HEADER: X-Forwarded-User
+#      # Forces Grist to only use a single team called 'Example'
+#      GRIST_SINGLE_ORG: my-grist-team   # alternatively, GRIST_ORG_IN_PATH: "true" for multi-team operation
+#      # Force users to login (disable anonymous access)
+#      GRIST_FORCE_LOGIN: true
+#      # Base URL Grist redirects to when navigating. Change this to your domain.
+#      APP_HOME_URL: https://localhost
+#      # Default email for the "Admin" account
+#      GRIST_DEFAULT_EMAIL: test@example.org
+#    volumes:
+#      # Where to store persistent data, such as documents.
+#      - ./grist_local_data:/persist
+#    labels:
+#      - "traefik.http.services.grist.loadbalancer.server.port=8484"
+
+#  traefik:
+#    image: traefik:latest
+#    ports:
+#      # HTTP Ports
+#      - "80:80"
+#      - "443:443"
+#      # The Web UI (enabled by --api.insecure=true)
+#      # - "8080:8080"
+#    volumes:
+#      # Set the config file for traefik - this is loaded automatically.
+#      - ./configs/traefik-config.yml:/etc/traefik/traefik.yml
+#      # Set the config file for the dynamic config, such as middleware.
+#      - ./configs/traefik-dynamic-config.yml:/etc/traefik/dynamic/dynamic-config.yml
+#      # You may want to put state somewhere other than /tmp :-)
+#      - /tmp/grist/acme:/acme
+#      # Traefik needs docker access when configured via docker labels.
+#      - /var/run/docker.sock:/var/run/docker.sock
+#    depends_on:
+#      - grist
+  authelia:
+    image: authelia/authelia:4
+    ports:
+      - 9091:9091
+    secrets:
+      - JWT_SECRET
+      - SESSION_SECRET
+      - STORAGE_ENCRYPTION_KEY
+    environment:
+      AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: '/run/secrets/JWT_SECRET'
+      AUTHELIA_SESSION_SECRET_FILE: '/run/secrets/SESSION_SECRET'
+      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE_ENCRYPTION_KEY'
+      APP_DOMAIN: 'grist.localhost'
+    volumes:
+      - ./configs/authelia:/config
+    command:
+      - 'authelia'
+      - '--config=/config/configuration.yml'
+      - '--config.experimental.filters=template'
+
+

docker-compose-examples/grist-traefik-oidc-auth/generateSecureSecrets.sh

@@ -0,0 +1,18 @@
+# Helper script to securely generate random secrets for Authelia.
+
+# If this doesn't work on your platform, here are some alternate snippets for secure string generation:
+# Python:
+# python -c "import secrets; print(secrets.token_urlsafe(32))"
+# Javascript / Node:
+# node -e "console.log(crypto.randomBytes(32).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''))"
+
+SCRIPT_DIR=$(dirname $0)
+
+function generateSecureString {
+  xxd -l"$1" -ps /dev/urandom | xxd -r -ps | base64 \
+    | tr -d = | tr + - | tr / _ | tr -d \\n
+}
+
+generateSecureString 64 > "$SCRIPT_DIR/secrets/JWT_SECRET"
+generateSecureString 64 > "$SCRIPT_DIR/secrets/SESSION_SECRET"
+generateSecureString 64 > "$SCRIPT_DIR/secrets/STORAGE_ENCRYPTION_KEY"