F-10: automated Authelia repo<->host drift check
New services/authelia-diff.sh compares the access_control: section of the repo baseline against the live host configuration.yml. OIDC clients, identity providers, and secret values stay out of scope by design. Exit codes: 0 ok, 1 drift, 2 file missing, 3 section missing, 4 tool missing. posture-check.sh gains check_authelia_config_drift, which calls the diff script and reports drift as warning (not critical). SKIP_AUTHELIA_DRIFT=1 opts out; AUTHELIA_DIFF_SCRIPT overrides the path. WORKFLOW.md gets a dedicated "Ausnahme: Authelia configuration.yml" section analogous to the Traefik dynamic-config exception, with the mandatory repo->host merge workflow and the env-variable contract. Smoke-tested locally: identical files rc=0, ACL change rc=1 with proper unified diff, non-ACL change (session.default_redirection_url) correctly ignored. Operator follow-up: set up a read-only repo mirror at /mnt/user/services/homelab-infra/ so the check finds a current baseline. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -10,6 +10,8 @@ TMP_DIR="${TMP_DIR:-/tmp/kallilab-posture-check}"
|
||||
ALLOW_DISK1_NTFS="${ALLOW_DISK1_NTFS:-0}"
|
||||
ALERT_STATE_PATH="${ALERT_STATE_PATH:-/mnt/user/services/posture-check/last-alert.state}"
|
||||
ALERT_REPEAT_SECONDS="${ALERT_REPEAT_SECONDS:-86400}"
|
||||
SKIP_AUTHELIA_DRIFT="${SKIP_AUTHELIA_DRIFT:-0}"
|
||||
AUTHELIA_DIFF_SCRIPT="${AUTHELIA_DIFF_SCRIPT:-/mnt/user/services/homelab-infra/services/authelia-diff.sh}"
|
||||
|
||||
mkdir -p "$TMP_DIR"
|
||||
RESULTS_FILE="$TMP_DIR/results.$$"
|
||||
@@ -219,6 +221,41 @@ check_nvme_smart() {
|
||||
fi
|
||||
}
|
||||
|
||||
check_authelia_config_drift() {
|
||||
if [ "$SKIP_AUTHELIA_DRIFT" = "1" ]; then
|
||||
add_result "ok" "authelia_config_drift" "Authelia drift check skipped via SKIP_AUTHELIA_DRIFT=1"
|
||||
return
|
||||
fi
|
||||
|
||||
if [ ! -x "$AUTHELIA_DIFF_SCRIPT" ] && [ ! -f "$AUTHELIA_DIFF_SCRIPT" ]; then
|
||||
add_result "warning" "authelia_config_drift" "Authelia diff script missing: $AUTHELIA_DIFF_SCRIPT"
|
||||
return
|
||||
fi
|
||||
|
||||
local output
|
||||
local rc
|
||||
output="$(bash "$AUTHELIA_DIFF_SCRIPT" 2>&1)"
|
||||
rc=$?
|
||||
|
||||
case "$rc" in
|
||||
0)
|
||||
add_result "ok" "authelia_config_drift" "Authelia repo baseline matches host config (access_control)"
|
||||
;;
|
||||
1)
|
||||
add_result "warning" "authelia_config_drift" "Authelia repo<->host drift in access_control; run authelia-diff.sh for details"
|
||||
;;
|
||||
2)
|
||||
add_result "warning" "authelia_config_drift" "Authelia diff aborted: $output"
|
||||
;;
|
||||
3)
|
||||
add_result "warning" "authelia_config_drift" "Authelia diff: section missing in repo or host: $output"
|
||||
;;
|
||||
*)
|
||||
add_result "warning" "authelia_config_drift" "Authelia diff returned unexpected rc=$rc: $output"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
send_ntfy() {
|
||||
local severity="$1"
|
||||
local topic="$2"
|
||||
@@ -388,6 +425,7 @@ main() {
|
||||
done
|
||||
|
||||
check_nvme_smart
|
||||
check_authelia_config_drift
|
||||
write_json
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user