diff --git a/charts/premium/authelia/docs/Setup-Guide.md b/charts/premium/authelia/docs/Setup-Guide.md index 1a160649309..c4e69888141 100644 --- a/charts/premium/authelia/docs/Setup-Guide.md +++ b/charts/premium/authelia/docs/Setup-Guide.md @@ -2,7 +2,7 @@ title: Authelia + LLDAP + Traefik ForwardAuth Setup guide --- -This quick guide should take you through the steps necessary to setup `Authelia` as your `forwardAuth` for `Traefik`. We'll be using `LLDAP` as the backend for `Authelia` since it's lightweight and simple enough for most users. A more complete video is available on our YouTube Channel +This quick guide should take you through the steps necessary to setup `Authelia` as your `forwardAuth` for `Traefik`. We'll be using `LLDAP` as the backend for `Authelia` since it's lightweight and simple enough for most users. A more complete video is available on our YouTube Channel. ## Prerequisites 
@@ -18,28 +18,28 @@ LLDAP is a `Stable` train chart and therefore isn't supported at the same level ::: -- Follow the steps included in the [Installation Notes](https://truecharts.org/charts/stable/lldap/installation-notes) for [LLDAP](https://truecharts.org/charts/stable/lldap/). Pretty straightforward. Change `dc=example,dc=com` to your domain, i.e. `dc=MYDOMAIN,dc=net` and then change your password. Also make sure you have the `system` train enabled and `CloudnativePG` operator installed, since you'll need it for `LLDAP` and `Authelia` +- Follow the easy steps included in the [Installation Notes](https://truecharts.org/charts/stable/lldap/installation-notes) for [LLDAP](https://truecharts.org/charts/stable/lldap/). Change `dc=example,dc=com` to your domain, i.e. `dc=MYDOMAIN,dc=net` and then change your password. Also, make sure you have the `system` train enabled and `CloudnativePG` operator installed, since you'll need it for `LLDAP` and `Authelia`. ![LLDAP Config](./img/LLDAPCatalogConfig.png) -- I've set the services to `ClusterIP` since I'll be using ingress +- Ensure you've set the services to `ClusterIP` since you'll be using ingress -- Once in `LLDAP`, create a user inside the `lldap_password_manager` group and change your default `admin` password. That `lldap_password_manager` user will be used to bind to `Authelia`. I've created a user called `Steven` +- Once in `LLDAP`, create a user inside the `lldap_password_manager` group and change your default `admin` password. That `lldap_password_manager` user will be used to bind to `Authelia`. Here I've created a user called `Steven`, but you can use anything - Create an `admin` group and add `Steven` to it. We will allow users of this group to access the site with Authelia later in the guide. ## Setup Authelia -- The setup for Authelia is very specific, and the logs won't tell you where you've messed up, but there's precise steps used to integrate `LLDAP` into `Authelia`. 
The info comes from the [LLDAP Authelia Docs](https://truecharts.org/charts/stable/lldap/authelia) and the upstream repo. +- The setup for Authelia is very specific and the logs won't tell you where you've messed up, but there's precise steps used to integrate `LLDAP` into `Authelia`. The info comes from the [LLDAP Authelia Docs](https://truecharts.org/charts/stable/lldap/authelia) and the upstream repo. ### App Configuration - Domain: `mydomain.com` - Your domain without https:// -- Default Redirection URL: `https://auth.mydomain.com` - Can be anything, but we'll stick to auth.mydomain.com. As well, this will be the ingress URL for `Authelia` +- Default Redirection URL: `https://auth.mydomain.com` - Can be anything, but we'll stick to auth.mydomain.com. As well, this will be the ingress URL for `Authelia`. ### LDAP Backend Configuration -`Click Enable` then ensure everything is as below or you won't be able to connect to the LLDAP backend +Click `Enable` then ensure everything is as below or you won't be able to connect to the LLDAP backend: - Implementation: `Custom` (that's the default) - URL: `ldap://lldap-ldap.ix-lldap.svc.cluster.local:3890` 
@@ -63,18 +63,18 @@ LLDAP is a `Stable` train chart and therefore isn't supported at the same level #### SMTP Configuration -Check your mail provider for this, generally Gmail gives you an app specific password for your email account and uses `smtp.gmail.com` and port `587` +Check your mail provider for this, generally Gmail gives you an app specific password for your email account and uses `smtp.gmail.com` and port `587`. ### Access Control Configuration -- This section is to set rules to connect to `Authelia` and which users can go where. This is a basic general rule where users of the `admin` group (Steven) can access all the site using a wildcard. +This section is to set rules to connect to `Authelia` and defines which users can go where. This is a basic general rule where users of the `admin` group (Steven) can access all of the site using a wildcard. Set the default `deny`. Then click `Add` next to `Rules` to get the screen below. ![AutheliaAccessControl](./img/AutheliaAccessControl.png) -- Add your `Domain` and a `Wildcard` for your subdomains. -- Set policy to `one_factor` or `two_factor`, up to you. +- Add your `Domain` and a `Wildcard` for your subdomains +- Set policy to `one_factor` or `two_factor`, up to you - Click `Add Subject` and add a subject of `group:admin` since `Steven` is part of that group. Please see [Authelia Rules](./authelia-rules) for more advanced rules. 
@@ -94,7 +94,7 @@ Please see [Authelia Rules](./authelia-rules) for more advanced rules. ![TraefikForwardAuth](./img/TraefikForwardAuth.png) - Name your `forwardauth` something you'll remember, since that's the middleware you'll add to your ingress going forward. Most people use `auth` -- Address: `http://authelia.ix-authelia.svc.cluster.local:9091/api/verify?rd=https://auth.mydomain.com/` and replace the last part based on `mydomain.com`, and if you've changed ports/names you can get that from `Heavyscript` +- Address: `http://authelia.ix-authelia.svc.cluster.local:9091/api/verify?rd=https://auth.mydomain.com/` and replace the last part based on `mydomain.com`, and if you've changed ports/names you can get that from [`HeavyScript`](https://truecharts.org/manual/SCALE/guides/getting-started/#heavyscript) - Check `trustForwardHeader` - Add the following `authResponseHeaders` (press `Add` 4 times) - `Remote-User` diff --git a/charts/premium/authelia/docs/authelia-rules.md b/charts/premium/authelia/docs/authelia-rules.md index b435988063c..bd3950f075a 100644 --- a/charts/premium/authelia/docs/authelia-rules.md +++ b/charts/premium/authelia/docs/authelia-rules.md @@ -12,13 +12,13 @@ It is important that rules are created in the correct order in Authelia. Rules a :::note[DEFAULT POLICY] -For theses rules to work as intended, your default access control policy must be set to `deny`. +For these rules to work as intended, your default access control policy must be set to `deny`. ::: All rules requiring Authelia authentication were configured with `two_factor` (2FA). If you do not want 2FA on some or all rules replace the Policy with `one_factor`. -In this guide we assume you have a group `admin` and a group `user` in ldap. +In this guide we assume you have a group `admin` and a group `user` in LDAP. Members of the `admin` group will have access to everything. Members of the `user` group will only have access to a select set of apps you choose. 
@@ -54,7 +54,7 @@ These rules will protect the Vaultwarden admin page with Authelia but bypass whe ### Rule 1 -This rule will allow users of the `admin` group to access the vaulwarden admin page. +This rule will allow users of the `admin` group to access the Vaultwarden admin page. Domain: `vaultwarden.domain.tld` @@ -70,7 +70,7 @@ Resources: `^*/admin.*$` ### Rule 2 -This rule will prevent users not in the `admin` group to access the vaulwarden admin page. +This rule will prevent users not in the `admin` group to access the Vaultwarden admin page. This is necessary even if the your default policy is set to `deny` because of the `bypass` rule below. Domain: `vaultwarden.domain.tld` diff --git a/charts/premium/clusterissuer/docs/how-to.md b/charts/premium/clusterissuer/docs/how-to.md index a8aedac7a2a..1316edb327f 100644 --- a/charts/premium/clusterissuer/docs/how-to.md +++ b/charts/premium/clusterissuer/docs/how-to.md @@ -60,7 +60,7 @@ The recommended `API Token` permissions are below: ![clusterissuer edit dialog](./img/clusterissuer-appconfig.png) -More detail can be found on the upstream [Cert-Manager](https://cert-manager.io/) documentaition for [Cloudflare](https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/). +More detail can be found on the upstream [Cert-Manager](https://cert-manager.io/) documentation for [Cloudflare](https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/). ### Route 53 DNS Provider diff --git a/charts/premium/metallb-config/docs/setup-guide.md b/charts/premium/metallb-config/docs/setup-guide.md index 4eaa30dd688..a59227f82a6 100644 --- a/charts/premium/metallb-config/docs/setup-guide.md +++ b/charts/premium/metallb-config/docs/setup-guide.md 
@@ -93,8 +93,8 @@ If you have an IP conflict with a previously assigned address it will show as `< :::caution -Known Issue: On the SCALE Installed Applications page, the **Open** buttons on each app card will still open a URL to your app using your SCALE Host IP, rather than the MetalLB-Assigned IP. This may be resolved in the future. +Known Issue: On the SCALE Installed Applications page, the **Open** buttons on each app card will still open a URL to your app using your SCALE Host IP, rather than the MetalLB-Assigned IP. You may need to refresh the page in your browser, bypassing your browser's cache by doing `CTRL + F5`. This may be resolved in the future. ::: -For details on other configuration options, please reference the [MetaLB documentation](https://metallb.universe.tf/configuration/) +For details on other configuration options, please reference the [MetaLB documentation](https://metallb.universe.tf/configuration/). \ No newline at end of file diff --git a/charts/premium/traefik/docs/how-to.md b/charts/premium/traefik/docs/how-to.md index a19eb757d6a..947227ae7e5 100644 --- a/charts/premium/traefik/docs/how-to.md +++ b/charts/premium/traefik/docs/how-to.md @@ -7,7 +7,7 @@ To support this, we supply a separate Traefik "ingress" app, which has been pre- :::notice -The current TrueCharts implementation of Traefik doesn't support TCP/UDP Ingress, only HTTP/HTTPS +The current TrueCharts implementation of Traefik doesn't support TCP/UDP Ingress, only HTTP/HTTPS. ::: 
@@ -17,9 +17,9 @@ The current TrueCharts implementation of Traefik doesn't support TCP/UDP Ingress In order to set up Traefik, you will be required to change the default TrueNAS WebUI access ports. These ports are by default set to port `80` for HTTP and port `443` for HTTPS. -This is necessary as we will be setting Traefik up to function as a reverse proxy, and receive traffic on these host ports. +This is necessary as we will be setting Traefik up to function as a reverse proxy, and to receive traffic on these host ports. -In the TrueNAS Menu, navigate to **System** > **General**. Click the **Settings** button at the top right of the GUI component. +In the TrueNAS Menu, navigate to **System Settings** > **General**. Click the **Settings** button at the top right of the GUI component. Under these **GUI Settings**, change: - Web Interface HTTP Port to port `81` @@ -44,7 +44,7 @@ Ensure you are accessing your WebUI from the new ports before proceeding. ::: -### Installing the Traefik Scale App +### Installing the Traefik SCALE App :::note @@ -52,8 +52,8 @@ Traefik is part of the `premium` train, so make sure you have it enabled as spec ::: -In the TrueNAS Menu, navigate to **Apps** > **Available Applications**. Use the search bar to search for or manually -find the Traefik app in the list of apps, and click **Install** +In the TrueNAS Menu, navigate to **Apps** > **Discover Apps**. Use the search bar to search for or manually +find the Traefik app in the list of apps, and click **Install**. The setup of Traefik is relatively straight-forward. Most of the settings remain unchanged from default, except for these two: 
@@ -61,7 +61,7 @@ The setup of Traefik is relatively straight-forward. Most of the settings remain - At the bottom, check the warning checkbox. Continue to section 12, and select **Next**. Traefik will now be installed. -After installation you can access the Traefik dashboard using your host IP address followed by `:9000`, or by simply clicking "Web Portal" on the application's entry under **Apps** > **Installed Applications**. +After installation you can access the Traefik dashboard using your host IP address followed by `:9000`, or by simply clicking `Open` on the application's entry under **Apps** > **Installed Applications**. ## Video Guide diff --git a/charts/premium/traefik/docs/traefik-basicAuth-middleware.md b/charts/premium/traefik/docs/traefik-basicAuth-middleware.md index 025cd8d6b56..b586d9e55d8 100644 --- a/charts/premium/traefik/docs/traefik-basicAuth-middleware.md +++ b/charts/premium/traefik/docs/traefik-basicAuth-middleware.md @@ -2,7 +2,7 @@ title: Add Traefik Basic Auth to Apps --- -Our `traefik` chart has the ability to add various `middlewares` to the chart can add extra functionality to your setup. You can see the full list of `middlewares` inside the `traefik` menu options. In this guide we'll go over setting up the `Basic Auth` traefik middleware. +Our `traefik` chart has the ability to add various `middlewares` to the chart that can add extra functionality to your setup. You can see the full list of `middlewares` inside the `traefik` menu options. In this guide we'll go over setting up the `Basic Auth` traefik middleware. ## Prerequisites 
@@ -14,7 +14,7 @@ Once `traefik` is installed, scroll down to the `Middlewares` section ![BasicAuth](./img/BasicAuth.png) -When there, you can fill out the `Configure basicAuth` section with as follows +When there, you can fill out the `Configure basicAuth` section with what follows: - Name the `basicAuth`, most people choose `basic` - Add as name users as necessary, choosing a specific `Username` and `Password` for each user.
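Review bot: In charts/premium/authelia/docs/Setup-Guide.md, hunk @@ -18,28 +18,28 @@, the punctuation is inconsistent. The rewritten `ClusterIP` bullet and the `lldap_password_manager` bullet ("but you can use anything") end without a period, while the first bullet and the Default Redirection URL line gain one in the same hunk; pick one convention for the list. The rewritten Setup Authelia bullet also still reads "there's precise steps", which should be "there are precise steps". Because the bullet now says any user name works, add that the later `group:admin` subject depends on that user being in the `admin` group, not on the name `Steven`.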
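Review bot: In Setup-Guide.md, hunk @@ -63,18 +63,18 @@, the Access Control paragraph is followed by "Set the default `deny`.", which is missing its object; suggest "Set the default policy to `deny`", matching the wording of the DEFAULT POLICY note in authelia-rules.md. The hunk also strips the periods from the first two rule bullets but leaves one on the `Add Subject` bullet. The bullet "Set policy to `one_factor` or `two_factor`, up to you" applies to a wildcard rule for the `admin` group, and authelia-rules.md in this same patch states its rules were configured with `two_factor`; consider naming `two_factor` as the suggested choice here so the two pages agree. In the SMTP line, the comma after "for this" joins two sentences and should be a period or semicolon.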
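Review bot: In Setup-Guide.md, hunk @@ -94,7 +94,7 @@, the Address bullet still says "replace the last part based on `mydomain.com`", which does not tell the reader which part or what it must match. Suggest stating that the `rd=` value must be the Default Redirection URL entered under App Configuration (`https://auth.mydomain.com`), and splitting the HeavyScript remark into its own sentence. The preceding bullet ("Most people use `auth`") also lacks a terminal period.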
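Review bot: In charts/premium/authelia/docs/authelia-rules.md, hunk @@ -70,7 +70,7 @@, the changed line still reads "prevent users not in the `admin` group to access", which should be "prevent users not in the `admin` group from accessing". The unchanged line directly below has "even if the your default policy", where "the" should be dropped. Separately, the context for this hunk shows the resource pattern `^*/admin.*$`, in which the `*` quantifies the `^` anchor rather than a path segment. Since Rule 2 is what keeps non-admin users off the admin page ahead of a `bypass` rule, confirm the pattern matches exactly the paths intended; `^/admin.*$` would express "paths beginning with /admin" if that is the intent.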
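Review bot: In charts/premium/metallb-config/docs/setup-guide.md, hunk @@ -93,8 +93,8 @@, the new `CTRL + F5` sentence is inserted between the known issue and "This may be resolved in the future.", so "This" now reads as referring to the browser refresh instead of the **Open** button behaviour. Move the refresh advice after that sentence, or reword to "This issue may be resolved in the future." The edited link text still says "MetaLB" and should read "MetalLB". The file also still ends without a trailing newline.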
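Review bot: In charts/premium/traefik/docs/how-to.md, hunks @@ -52,8 +52,8 @@ and @@ -61,7 +61,7 @@, the menu names are only partly updated. **Available Applications** becomes **Discover Apps**, but the dashboard sentence keeps **Apps** > **Installed Applications**; confirm that label is still correct for the UI version the other renames target. The button is written as `Open` in code formatting here but as **Open** in bold in metallb-config/docs/setup-guide.md; use bold for UI labels in both places. The context line "Continue to section 12, and select **Next**" hard-codes a section number that is likely to drift as the app form changes.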
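Review bot: In charts/premium/traefik/docs/traefik-basicAuth-middleware.md, hunk @@ -14,7 +14,7 @@, the context bullet two lines below the changed line reads "Add as name users as necessary", which looks like a typo for "Add as many users as necessary" and is worth fixing in the same pass. In hunk @@ -2,7 +2,7 @@ the corrected sentence still says "add various `middlewares` to the chart that can add", repeating "add"; "supports various `middlewares` that add extra functionality" would read more cleanly.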