Merge branch 'master' into rsync_mirror_logging
This commit is contained in:
commit
7bb78b485a
7 changed files with 154 additions and 32 deletions
80
docker-compose/traefik/configuration.yml.j2
Normal file
80
docker-compose/traefik/configuration.yml.j2
Normal file
|
@ -0,0 +1,80 @@
|
||||||
|
---
|
||||||
|
# geklaut von: https://ruanbekker.hashnode.dev/sso-with-authelia-using-traefik-on-docker + https://www.reddit.com/r/selfhosted/comments/158quyz/authelia_ldap_groups/
|
||||||
|
|
||||||
|
server.address: "0.0.0.0:9091"
|
||||||
|
|
||||||
|
log:
|
||||||
|
level: debug
|
||||||
|
|
||||||
|
identity_validation:
|
||||||
|
reset_password:
|
||||||
|
jwt_secret: {{ lookup('viczem.keepass.keepass', 'authelia_jwt_secret', 'password') }}
|
||||||
|
totp:
|
||||||
|
issuer: totp.mgrote.net
|
||||||
|
|
||||||
|
access_control:
|
||||||
|
default_policy: deny
|
||||||
|
rules:
|
||||||
|
- domain: wiki.mgrote.net
|
||||||
|
policy: one_factor
|
||||||
|
subject:
|
||||||
|
- 'group:authelia_wiki'
|
||||||
|
|
||||||
|
session:
|
||||||
|
name: authelia_session
|
||||||
|
secret: {{ lookup('viczem.keepass.keepass', 'authelia_session_secret', 'password') }}
|
||||||
|
expiration: 3600
|
||||||
|
inactivity: 300
|
||||||
|
cookies:
|
||||||
|
- name: mgrote.net
|
||||||
|
domain: mgrote.net
|
||||||
|
authelia_url: https://auth.mgrote.net
|
||||||
|
|
||||||
|
redis:
|
||||||
|
host: authelia-redis
|
||||||
|
port: 6379
|
||||||
|
|
||||||
|
regulation:
|
||||||
|
max_retries: 3
|
||||||
|
find_time: 120
|
||||||
|
ban_time: 300
|
||||||
|
|
||||||
|
storage:
|
||||||
|
encryption_key: {{ lookup('viczem.keepass.keepass', 'authelia_storage_encryption_key', 'password') }}
|
||||||
|
mysql:
|
||||||
|
database: authelia
|
||||||
|
address: 'tcp://authelia-db:3306'
|
||||||
|
username: authelia
|
||||||
|
password: {{ lookup('viczem.keepass.keepass', 'authelia_mysql_password', 'password') }}
|
||||||
|
|
||||||
|
notifier:
|
||||||
|
smtp:
|
||||||
|
address: postfix:25
|
||||||
|
sender: no-reply-authelia@mgrote.net
|
||||||
|
disable_require_tls: true
|
||||||
|
|
||||||
|
# ldap
|
||||||
|
# https://github.com/lldap/lldap/blob/main/example_configs/authelia_config.yml
|
||||||
|
authentication_backend:
|
||||||
|
password_reset:
|
||||||
|
disable: true
|
||||||
|
refresh_interval: 1m
|
||||||
|
ldap:
|
||||||
|
implementation: custom
|
||||||
|
address: ldap://ldap.mgrote.net:3890
|
||||||
|
timeout: 5s
|
||||||
|
start_tls: false
|
||||||
|
base_dn: dc=mgrote,dc=net
|
||||||
|
additional_users_dn: ou=people
|
||||||
|
users_filter: "(&({username_attribute}={input})(objectClass=person))"
|
||||||
|
additional_groups_dn: ou=groups
|
||||||
|
groups_filter: "(&(member={dn})(objectclass=groupOfUniqueNames))"
|
||||||
|
attributes:
|
||||||
|
display_name: displayName
|
||||||
|
username: uid
|
||||||
|
group_name: cn
|
||||||
|
mail: mail
|
||||||
|
user: uid=authelia_bind_user,ou=people,dc=mgrote,dc=net
|
||||||
|
password: '{{ lookup('viczem.keepass.keepass', 'lldap_authelia_bind_user', 'password') }}'
|
||||||
|
|
||||||
|
# Details/Doku: https://wiki.mgrote.net/pages/_Technik/hardware/rest/fpv/software/rest/ldap/
|
|
@ -1,3 +1,5 @@
|
||||||
|
# Details/Doku: https://wiki.mgrote.net/pages/_Technik/hardware/rest/fpv/software/rest/ldap/
|
||||||
|
|
||||||
services:
|
services:
|
||||||
######## traefik ########
|
######## traefik ########
|
||||||
traefik:
|
traefik:
|
||||||
|
@ -25,43 +27,90 @@ services:
|
||||||
timeout: 10s
|
timeout: 10s
|
||||||
retries: 3
|
retries: 3
|
||||||
|
|
||||||
######## nforwardauth ########
|
######## authelia ########
|
||||||
nforwardauth:
|
authelia:
|
||||||
|
image: authelia/authelia:4.38.17
|
||||||
|
container_name: authelia
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
pull_policy: missing
|
pull_policy: missing
|
||||||
image: "nosduco/nforwardauth:v1.4.0"
|
|
||||||
container_name: traefik-nforwardauth
|
|
||||||
environment:
|
environment:
|
||||||
TOKEN_SECRET: "{{ lookup('viczem.keepass.keepass', 'nforwardauth_token_secret', 'password') }}"
|
TZ: Europe/Berlin
|
||||||
AUTH_HOST: auth.mgrote.net
|
volumes:
|
||||||
|
- ./configuration.yml:/config/configuration.yml
|
||||||
|
- ./users_database.yml:/config/users_database.yml
|
||||||
|
- authelia_data:/data
|
||||||
labels:
|
labels:
|
||||||
traefik.enable: true
|
traefik.enable: true
|
||||||
traefik.http.routers.nforwardauth.rule: Host(`auth.mgrote.net`)
|
traefik.http.routers.authelia.rule: Host(`auth.mgrote.net`)
|
||||||
|
traefik.http.services.authelia.loadbalancer.server.port: 9091
|
||||||
traefik.http.middlewares.nforwardauth.forwardauth.address: http://nforwardauth:3000
|
traefik.http.routers.authelia.tls: true
|
||||||
|
traefik.http.routers.authelia.tls.certresolver: resolver_letsencrypt
|
||||||
traefik.http.services.nforwardauth.loadbalancer.server.port: 3000
|
traefik.http.routers.authelia.entrypoints: entry_https
|
||||||
traefik.http.routers.nforwardauth.tls: true
|
traefik.http.middlewares.authelia.forwardauth.address: http://authelia:9091/api/verify?rd=https://auth.mgrote.net
|
||||||
traefik.http.routers.nforwardauth.tls.certresolver: resolver_letsencrypt
|
traefik.http.middlewares.authelia.forwardauth.trustForwardHeader: true
|
||||||
traefik.http.routers.nforwardauth.entrypoints: entry_https
|
traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: Remote-User,Remote-Groups,Remote-Name,Remote-Email
|
||||||
volumes:
|
depends_on:
|
||||||
- "./passwd:/passwd:ro" # Mount local passwd file at /passwd as read only
|
- authelia-redis
|
||||||
networks:
|
networks:
|
||||||
- traefik
|
- traefik
|
||||||
|
- postfix
|
||||||
|
- authelia
|
||||||
healthcheck:
|
healthcheck:
|
||||||
test: ["CMD", "wget", "--quiet", "--spider", "--tries=1", "http://127.0.0.1:3000/login"]
|
test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://authelia:9091"]
|
||||||
interval: 10s
|
interval: 30s
|
||||||
timeout: 5s
|
timeout: 10s
|
||||||
retries: 3
|
retries: 3
|
||||||
|
|
||||||
|
authelia-redis:
|
||||||
|
image: "redis:7.4.1"
|
||||||
|
container_name: authelia-redis
|
||||||
|
restart: unless-stopped
|
||||||
|
pull_policy: missing
|
||||||
|
environment:
|
||||||
|
TZ: Europe/Berlin
|
||||||
|
networks:
|
||||||
|
- authelia
|
||||||
|
healthcheck:
|
||||||
|
test: ["CMD", "redis-cli", "--no-auth-warning", "ping"]
|
||||||
|
interval: 5s
|
||||||
|
timeout: 2s
|
||||||
|
retries: 3
|
||||||
|
|
||||||
|
######## Datenbank ########
|
||||||
|
authelia-db:
|
||||||
|
image: "mariadb:11.5.2"
|
||||||
|
container_name: authelia-db
|
||||||
|
command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF
|
||||||
|
restart: unless-stopped
|
||||||
|
pull_policy: missing
|
||||||
|
volumes:
|
||||||
|
- /etc/localtime:/etc/localtime:ro
|
||||||
|
- /etc/timezone:/etc/timezone:ro
|
||||||
|
- db:/var/lib/mysql
|
||||||
|
environment:
|
||||||
|
MYSQL_ROOT_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'authelia_mysql_root_password', 'password') }}"
|
||||||
|
MYSQL_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'authelia_mysql_password', 'password') }}"
|
||||||
|
MYSQL_DATABASE: authelia
|
||||||
|
MYSQL_USER: authelia
|
||||||
|
MYSQL_INITDB_SKIP_TZINFO: 1
|
||||||
|
networks:
|
||||||
|
- authelia
|
||||||
|
healthcheck:
|
||||||
|
test: ["CMD", "mariadb-show", "authelia", "-h", "localhost", "-u", "authelia", "-p{{ lookup('viczem.keepass.keepass', 'authelia_mysql_password', 'password') }}"]
|
||||||
|
interval: 30s
|
||||||
|
timeout: 10s
|
||||||
|
retries: 3
|
||||||
|
|
||||||
|
|
||||||
######## Networks ########
|
######## Networks ########
|
||||||
networks:
|
networks:
|
||||||
|
authelia:
|
||||||
traefik:
|
traefik:
|
||||||
external: true
|
external: true
|
||||||
|
postfix:
|
||||||
|
external: true
|
||||||
######## Volumes ########
|
######## Volumes ########
|
||||||
volumes:
|
volumes:
|
||||||
acme_data:
|
acme_data:
|
||||||
|
authelia_data:
|
||||||
|
db:
|
||||||
# passwd
|
|
||||||
# echo "<user>:$(mkpasswd -m sha-512 <password>)"
|
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
{{ lookup('viczem.keepass.keepass', 'nforwardauth-mg-hash', 'password') }}
|
|
|
@ -40,9 +40,3 @@ api:
|
||||||
dashboard: true # unter Port 8081 erreichbar
|
dashboard: true # unter Port 8081 erreichbar
|
||||||
|
|
||||||
ping: {} # für healthcheck
|
ping: {} # für healthcheck
|
||||||
|
|
||||||
#experimental:
|
|
||||||
# plugins:
|
|
||||||
# ldapAuth:
|
|
||||||
# moduleName: "github.com/wiltonsr/ldapAuth"
|
|
||||||
# version: "v0.1.4"
|
|
||||||
|
|
|
@ -26,7 +26,7 @@ services:
|
||||||
traefik.http.routers.wiki.entrypoints: entry_https
|
traefik.http.routers.wiki.entrypoints: entry_https
|
||||||
traefik.http.services.wiki.loadbalancer.server.port: 80
|
traefik.http.services.wiki.loadbalancer.server.port: 80
|
||||||
|
|
||||||
traefik.http.routers.wiki.middlewares: nforwardauth
|
traefik.http.routers.wiki.middlewares: authelia
|
||||||
|
|
||||||
######## Networks ########
|
######## Networks ########
|
||||||
networks:
|
networks:
|
||||||
|
|
|
@ -104,7 +104,7 @@ munin_node_plugins:
|
||||||
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/http/http_response
|
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/http/http_response
|
||||||
config: |
|
config: |
|
||||||
[http_response]
|
[http_response]
|
||||||
env.sites https://git.mgrote.net http://ldap.mgrote.net:17170 https://docker10.mgrote.net:8443 https://registry.mgrote.net/ui/ http://munin.mgrote.net http://192.168.5.1 http://192.168.3.1 http://192.168.3.108:8080 http://192.168.3.204 http://docker10.mgrote.net:6483 https://miniflux.mgrote.net/ https://nextcloud.mgrote.net https://audio.mgrote.net/mg http://wiki.mgrote.net https://s3.mgrote.net
|
env.sites https://git.mgrote.net http://ldap.mgrote.net:17170 https://docker10.mgrote.net:8443 https://registry.mgrote.net/ui/ http://munin.mgrote.net http://192.168.5.1 http://192.168.3.1 http://192.168.3.108:8080 http://192.168.3.204 http://docker10.mgrote.net:6483 https://miniflux.mgrote.net/ https://nextcloud.mgrote.net https://audio.mgrote.net/mg http://wiki.mgrote.net https://s3.mgrote.net https://auth.mgrote.net
|
||||||
env.max_time 20
|
env.max_time 20
|
||||||
env.short_label true
|
env.short_label true
|
||||||
env.follow_redirect true
|
env.follow_redirect true
|
||||||
|
|
BIN
keepass_db.kdbx
BIN
keepass_db.kdbx
Binary file not shown.
Loading…
Reference in a new issue