davide/fleet-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sec: new Authelia password + enforce 2FA for all services

Browse Source 
- Generate new unique password for Authelia (not shared with Gitea)
- Change access_control default_policy to two_factor
- Re-encrypt authelia-users secret with SOPS
This commit is contained in:
Davide Piu
2026-02-19 23:24:26 +00:00
parent 51bcdebca8
commit 08eb8255a8
2 changed files with 10 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
clusters/lab/secrets/authelia-users.enc.yaml
View File

@@ -1,6 +1,6 @@
apiVersion: v1 apiVersion: v1
data: data:
users_database.yml: ENC[AES256_GCM,data:gS+TAE7aIpygr0A4z9TPBsXpACqxBw6uBbmv91UBn2+tsX5xINnCyNo56Cy0gHC66u1zZIqiOalLBwnwDOphc1SnEXX+RuYjzNLhpre0+i4F5GCCfz9I+pdjsPlojfYUpYw4jRX7haR09XCEtJBXwFUiJ3MXYkqSshSkFNIn+Ax6G5R34Q8h8lSuvrGf/f4yXtmBKI/6bS1wf241xemBXlFqIU0Ddt2nv8Milpz863Bn7h6j9pE8d4nnb9qJmrVXPS4TUrcmYO8zu0IvGZPq7xS01nl7573b1ZqU+SFqUFiFoWwjJzZUcqfbhoORQm7px1pGy2WPJIbkUtIgoSpggxOzVU6V4UVQ3sfpg68Q9bv9q+PJvTa7HTyawJuYumZMY9oBJIFo4fN7WzZvstlDURN8Uaw=,iv:F7Bl2WU0FDLYHQ2iMyRKnkUPFMy9yx9PcBhEpPgqO8I=,tag:w5WBC1EktgpuNVjt7oe9NA==,type:str] users_database.yml: ENC[AES256_GCM,data:YqAEnHxRZog7Ok5GeF32rCG57LrHwdlDDfI4mcdXL4W9nq0QQY+lfRv2weXh3vpCzi2c0Ibtp0Rj1QdOhZiD4hESDoJ+oeC+jpkU3OeyPlaPDYxs6pyGofbwAU9wakFg+gIx5hpfOSB+aaKS8T2JF7Br3s3bsp3S9ta6tJ4gieDJ1L6HYpeDOphfENd9FIabANWYCnB/s1v0Qh561RIQmXKUROMu8EkxyDtZ8iI4uzuNlpcaAhN8SHMUu03XJ5qPKv1x1CCh16OrjrUh3/rzD1ckC/ruRrK841NxsS2oJU8Z346emMl20PzFD/N3QdTGsD7OgiRLIv4FtkNFkAjWiEkT77WuEYSTdqrZX3fydXULyyX3tk8Xt8yJZYENI8B/hM34mak2hHdL97XZ240zPB6T5ho=,iv:KUyzBpaCO30zf49xtPK2DEhEdVXXaTAjQv4UBlI6MnM=,tag:XSO+uEprozm/7oz82MSlcA==,type:str]
kind: Secret kind: Secret
metadata: metadata:
annotations: annotations:
@@ -11,7 +11,7 @@ metadata:
name: authelia-users name: authelia-users
namespace: authelia namespace: authelia
stringData: stringData:
users_database.yml: ENC[AES256_GCM,data:JQD2vou4gwHEWuRtavX+H6EnCc7U4lzZImHGAG3PclGi81pIrZ0RdLV86s3WPGVt6XAtyPpdma0EBc0j53me1IIBxfyx74GXQPObTPcEuP+GIlaJzFBaZTzJbPeNCzPdfE8qNEslF9ot3ir6EI6fYLCZgPYHGiNCxRJUVDThVtwh1TBglGxviKzfW6CpEzx8ZykamN2pyvyHZN+pV3+5LCALNK9OlS1Fqt0gAyXEX+dTgXLPl3QYc4LSSDgfkTsifvbXlZ/b+zSiRP+vxhWnqnXm+T1FNb5DCHoHaM9GuDDJf5AsJQ==,iv:cOtPHG1JyiQuFjd7Hb4G3Fu/ltbKND/gJZ5PmUIzarQ=,tag:SaW3gwB8wwfsZcGGTfeHKA==,type:str] users_database.yml: ENC[AES256_GCM,data:7mwHzcM7jJVRAyMbfAtCsVeVqovyukhzfNym/7vlPfRNWbzYeUHujEh24YGtshZCwpNYr30EtPv6+O97ze5FYaPYJtHazcriNHk9mSq6iH4UQxZz98CNxbNU5zm4soQ8PyA//2ZKLR6ihSgJdopB4H+tpz5e2cat3rsjXEvj9So9QyL8CEnvnPL/5UrNxpAH/frf/uqpikdpenyffQ+FNQB7QRfA2dl3ss2127UoO563SKHAFkN5MyaDe3Ihwn7kH3OwuKBUcck15Br62KQ0GPOXKJ5wjO7NQsZFBvWbK+bvRGDcxg==,iv:T5CVa1JWS5R7vaE6Ukm42hbhnVu1dWGtHpHssfeYf3s=,tag:PEZt2+2NMKCq3WqFgZCh2g==,type:str]
name: authelia-users name: authelia-users
namespace: authelia namespace: authelia
type: Opaque type: Opaque
@@ -24,14 +24,14 @@ sops:
- recipient: age1aq4d879wuczrqj48nnw7ktsddrxfr8y8xaf0j0aqteswmsxnfs7sfs9phj - recipient: age1aq4d879wuczrqj48nnw7ktsddrxfr8y8xaf0j0aqteswmsxnfs7sfs9phj
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzVkkrWktMemtGdlo5cnl4 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1TXplbFVuRldFd2dNdllm
WURBcFZ6a1dUM3ZkVCs2bGhNb3gxVHBDWEU0Cml1K0FRTCtsaHRJNmMveHd0dEc4 cXhPbDAzOEd5Q0wxNEk0SXNQMGtjZEFWMW1jCjh2OGVXem4yRzEzSHFwZFV6SStY
MlRqYlo0aUFzRlF3OVRKV1loSmo0TTgKLS0tICtpZUdrbDJwY3c1WDhwaDlVdW5r RkhaSEFNMllnd3VwQk55MzR0d3JHS0kKLS0tIHZGWExrV2pjbStKVWFJdzRuQXpo
V1pXY1o4WmpkeWJxd3d1amVwTTBJN28K3y/ygmRFtrRd6I0ETVWoVAbBDJSGiITU bEIwUGZmR1JwVjF2eVMrU3FpTTBBZVkKV020ISvrp6bNuYvW/I4MPuqyMpPcnYD+
ADecKPFymgJ5Mf/HnH7FJFfnz3n54RQ2KIIe2S2JqsBT3XoQJVo/Bw== EdPhaJGaLZMiK/HrTw7v7MuAYic9ooan58OcSOzG/Y3DXqI8YGV3tg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-19T23:20:44Z" lastmodified: "2026-02-19T23:24:21Z"
mac: ENC[AES256_GCM,data:JutOjo3m2IMxAKFXKJu5FScH3cZV7Yk0ehQdW6pYI08bfSFoixtbzotkufeFmwWxFFFGdBo2XOhVF8hPrcAJHECGFRJzTpN/mV5t6cTXnjg/ow1mmFf2hOhXUFz4WRfa+qO5l6X+gSnSm+ZEzIhK0odQV1rZxiw7/Ug0ohAndBY=,iv:vm5VwqXi5rbE8GybdNwAuwKe3CTJuAe0j5sZ+/joSJs=,tag:1ECDZ9/H+pnIVnnaBp0w3Q==,type:str] mac: ENC[AES256_GCM,data:T7aDzu8LhusZJzofSxmd0XFtEKal3P+mQoTNigJ5Lm+VW+liqhumiAiRGcKT3Qfm1s1cDDrcbEa3zyPC5QmQB7sKKTOssb9DM4qfn/jAmAoLPixo/c0dlpdAHzMwHe22cuRGVbC+uF3I+yHEbeCdei34gNQTRtAVYaEfoK2A1FA=,iv:pNvdhnNUXXFuvT8r5cFFUuCgT6gJqVqUDV70lNE88c0=,tag:Qyg8ulH8G4Nahd0iuQjmpA==,type:str]
pgp: [] pgp: []
encrypted_regex: ^(data|stringData)$ encrypted_regex: ^(data|stringData)$
version: 3.9.4 version: 3.9.4

2
clusters/lab/security/authelia.yaml
View File

@@ -69,7 +69,7 @@ spec:
enabled: true enabled: true
path: /config/db.sqlite3 path: /config/db.sqlite3
access_control: access_control:
default_policy: one_factor default_policy: two_factor
authentication_backend: authentication_backend:
file: file:
enabled: true enabled: true