labs

Zero to Auth

Authentik reverse proxy auth from scratch with Letsencrypt and Traefik on TrueNAS-SCALE

Setup Letsencrypt on TrueNAS-SCALE

Add email to root account
- Credentials>Local users>root>edit
Setup acme dns authenticator
- Credentials>Certificates>Acme DNS Authenticators>Add
- name: cloudflare
- authenticator: cloudflare
- email: blank
- token: token from cloudflare
  - cloudflare>login>account>profile>api tokens to left>create token>create custom token
  - name: eg TrueNAS-SCALE
  - permissions:
    - Zone Zone Read
    - Zone DNS Edit

Add csr

Credentials>Certificates>Certificate Signing Requests>Add
- name: eg example_com_csr
- Fill in required fields (use something like homelab for organization)
- Subject Alternate Names: *.example.com
- Save
- Create Acme Certificate
  - credentials>certificates>Certificate Signing Requests>example_com_csr>click the wrench
    - identifier: example_com_cert
    - ACME Server Directory URI: Production
    - Authenticator: Cloudflare

Add Truecharts to TrueNAS-SCALE

When opening the Apps menu item on TrueNAS-SCALE for the first time, you get prompted to setup a new pool for Apps. This will create a new dataset on the selected pool called “ix-applications”, which will contain all docker containers and most application data, unless specified otherwise.

Apps>Manage Catalogs [Add Catalog]
- Name: truecharts
- Repository: https://github.com/truecharts/catalog
- Preferred Trains: stable
- Branch: main

Setup Traefik on TrueNAS-SCALE

Change Ports for TrueNAS web interface to 83 and 444

IMPORTANT!

After changinging the port for the web interface, TrueNAS UI can only be access on the new ports! E.G. http://truenas_ip_or_hostname:83
- System Settings>General>GUI>Settings
  - Web Interface HTTP Port: 83
  - Web Interface HTTPS Port: 444
Install Traefik
- Apps>Available Applications>traefik>Install
  - web Entrypoint Configuration
    
    Entrypoints Port *
    80
  - websecure Entrypoint Configuration
    
    Entrypoints Port *
    443

Setup Authentik behind Traefik on TrueNAS-SCALE

Configure Authentik app in TrueNAS-SCALE:
- In the ingress section add a host with slash path for each domain that authentik will run on
  
  Configure Hosts [Add]
  
  Host
  
  HostName *
```
auth.example.com
```
  Configure Paths [Add]
  
  Host
  
  Path *
```
/
```
  Path Type *
```
prefix
```
- Add a catch-all for subdomains to hit the outpost path (for logouts, etc)
  
  Configure Hosts [Add]
  
  Host
  
  HostName *
```
*.example.com
```
  Configure Paths [Add]
  
  Host
  
  Path *
```
/outpost.goauthentik.io/
```
  Path Type *
```
prefix
```
- Add host to tls settings
  
  Configure TLS-Settings [Add]
  
  Host
  
  Configure Certificate Hosts [Add]
  
  Host*
```
auth.example.com
```
  Select TrueNAS-SCALE Certificate
```
example_com_cert   ˅
```

Configure Middleware in Traefik on TrueNAS-SCALE

Apps>traefik>edit
- Middlewares>forwardAuth>Add
- name: authentik
- address: http://authentik-http.ix-authentik.svc.cluster.local:10230/outpost.goauthentik.io/auth/traefik
- Configure authResponseHeaders>Add (x11)
  - X-authentik-username
  - X-authentik-groups
  - X-authentik-email
  - X-authentik-name
  - X-authentik-uid
  - X-authentik-jwt
  - X-authentik-meta-jwks
  - X-authentik-meta-outpost
  - X-authentik-meta-provider
  - X-authentik-meta-app
  - X-authentik-meta-version

Create and Configure Application and Proxy Provider in Authentik:

Applications>Applications>Create
- name, e.g.: speedtest
- slug, e.g.: speedtest
- provider>create provider>
  - select type>Proxy Provider>next
  - name, e.g.: speedtest
  - For ability to restrict app to users or groups select Forward auth (single application)
    - External host, eg: https://speedtest.example.com
  - Click Finish
- Provider>Select>speedtest
- Click Create

Add Application to outpost

Applications>Outposts>authentik Embedded Outpost>Edit
- CTL+CLICK to highlight new application speetest(https://speedtest.example.com)

Secure App in TrueNAS-SCALE using authentik middleware

Apps>Available Applications>openspeedtest
- Enable Ingress
  
  Main Ingress
  - Enable ingress
  Configure Hosts [Add]
```
speedtest.example.com
```
  Configure TLS-Settings [Add]
```
example_com_cert   ˅
```
- Add Middleware
  
  Configure Traefik Middlewares [Add]
  
  Name *
```
authentik
```

This site is open source. Improve this page.

labs

Zero to Auth

Setup Letsencrypt on TrueNAS-SCALE

Add email to root account

Setup acme dns authenticator

token: token from cloudflare

Add csr

Credentials>Certificates>Certificate Signing Requests>Add

Create Acme Certificate

Add Truecharts to TrueNAS-SCALE

Apps>Manage Catalogs [Add Catalog]

Setup Traefik on TrueNAS-SCALE

Change Ports for TrueNAS web interface to 83 and 444

IMPORTANT!

System Settings>General>GUI>Settings

Install Traefik

web Entrypoint Configuration

websecure Entrypoint Configuration

Setup Authentik behind Traefik on TrueNAS-SCALE

Configure Authentik app in TrueNAS-SCALE:

In the ingress section add a host with slash path for each domain that authentik will run on

Configure Hosts [Add]

Host

Configure Paths [Add]

Host

Add a catch-all for subdomains to hit the outpost path (for logouts, etc)

Configure Hosts [Add]

Host

Configure Paths [Add]

Host

Add host to tls settings

Configure TLS-Settings [Add]

Host

Configure Certificate Hosts [Add]

Host*

Select TrueNAS-SCALE Certificate

Configure Middleware in Traefik on TrueNAS-SCALE

Create and Configure Application and Proxy Provider in Authentik:

Add Application to outpost

Secure App in TrueNAS-SCALE using authentik middleware

Apps>Available Applications>openspeedtest

Enable Ingress

Main Ingress

Configure Hosts [Add]

Configure TLS-Settings [Add]

Add Middleware

Configure Traefik Middlewares [Add]

Name *