Merge branch 'master' into rsync_mirror_logging
This commit is contained in:
commit
7bb78b485a
7 changed files with 154 additions and 32 deletions
80
docker-compose/traefik/configuration.yml.j2
Normal file
80
docker-compose/traefik/configuration.yml.j2
Normal file
|
@ -0,0 +1,80 @@
|
|||
---
|
||||
# geklaut von: https://ruanbekker.hashnode.dev/sso-with-authelia-using-traefik-on-docker + https://www.reddit.com/r/selfhosted/comments/158quyz/authelia_ldap_groups/
|
||||
|
||||
server.address: "0.0.0.0:9091"
|
||||
|
||||
log:
|
||||
level: debug
|
||||
|
||||
identity_validation:
|
||||
reset_password:
|
||||
jwt_secret: {{ lookup('viczem.keepass.keepass', 'authelia_jwt_secret', 'password') }}
|
||||
totp:
|
||||
issuer: totp.mgrote.net
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
rules:
|
||||
- domain: wiki.mgrote.net
|
||||
policy: one_factor
|
||||
subject:
|
||||
- 'group:authelia_wiki'
|
||||
|
||||
session:
|
||||
name: authelia_session
|
||||
secret: {{ lookup('viczem.keepass.keepass', 'authelia_session_secret', 'password') }}
|
||||
expiration: 3600
|
||||
inactivity: 300
|
||||
cookies:
|
||||
- name: mgrote.net
|
||||
domain: mgrote.net
|
||||
authelia_url: https://auth.mgrote.net
|
||||
|
||||
redis:
|
||||
host: authelia-redis
|
||||
port: 6379
|
||||
|
||||
regulation:
|
||||
max_retries: 3
|
||||
find_time: 120
|
||||
ban_time: 300
|
||||
|
||||
storage:
|
||||
encryption_key: {{ lookup('viczem.keepass.keepass', 'authelia_storage_encryption_key', 'password') }}
|
||||
mysql:
|
||||
database: authelia
|
||||
address: 'tcp://authelia-db:3306'
|
||||
username: authelia
|
||||
password: {{ lookup('viczem.keepass.keepass', 'authelia_mysql_password', 'password') }}
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
address: postfix:25
|
||||
sender: no-reply-authelia@mgrote.net
|
||||
disable_require_tls: true
|
||||
|
||||
# ldap
|
||||
# https://github.com/lldap/lldap/blob/main/example_configs/authelia_config.yml
|
||||
authentication_backend:
|
||||
password_reset:
|
||||
disable: true
|
||||
refresh_interval: 1m
|
||||
ldap:
|
||||
implementation: custom
|
||||
address: ldap://ldap.mgrote.net:3890
|
||||
timeout: 5s
|
||||
start_tls: false
|
||||
base_dn: dc=mgrote,dc=net
|
||||
additional_users_dn: ou=people
|
||||
users_filter: "(&({username_attribute}={input})(objectClass=person))"
|
||||
additional_groups_dn: ou=groups
|
||||
groups_filter: "(&(member={dn})(objectclass=groupOfUniqueNames))"
|
||||
attributes:
|
||||
display_name: displayName
|
||||
username: uid
|
||||
group_name: cn
|
||||
mail: mail
|
||||
user: uid=authelia_bind_user,ou=people,dc=mgrote,dc=net
|
||||
password: '{{ lookup('viczem.keepass.keepass', 'lldap_authelia_bind_user', 'password') }}'
|
||||
|
||||
# Details/Doku: https://wiki.mgrote.net/pages/_Technik/hardware/rest/fpv/software/rest/ldap/
|
|
@ -1,3 +1,5 @@
|
|||
# Details/Doku: https://wiki.mgrote.net/pages/_Technik/hardware/rest/fpv/software/rest/ldap/
|
||||
|
||||
services:
|
||||
######## traefik ########
|
||||
traefik:
|
||||
|
@ -25,43 +27,90 @@ services:
|
|||
timeout: 10s
|
||||
retries: 3
|
||||
|
||||
######## nforwardauth ########
|
||||
nforwardauth:
|
||||
######## authelia ########
|
||||
authelia:
|
||||
image: authelia/authelia:4.38.17
|
||||
container_name: authelia
|
||||
restart: unless-stopped
|
||||
pull_policy: missing
|
||||
image: "nosduco/nforwardauth:v1.4.0"
|
||||
container_name: traefik-nforwardauth
|
||||
environment:
|
||||
TOKEN_SECRET: "{{ lookup('viczem.keepass.keepass', 'nforwardauth_token_secret', 'password') }}"
|
||||
AUTH_HOST: auth.mgrote.net
|
||||
TZ: Europe/Berlin
|
||||
volumes:
|
||||
- ./configuration.yml:/config/configuration.yml
|
||||
- ./users_database.yml:/config/users_database.yml
|
||||
- authelia_data:/data
|
||||
labels:
|
||||
traefik.enable: true
|
||||
traefik.http.routers.nforwardauth.rule: Host(`auth.mgrote.net`)
|
||||
|
||||
traefik.http.middlewares.nforwardauth.forwardauth.address: http://nforwardauth:3000
|
||||
|
||||
traefik.http.services.nforwardauth.loadbalancer.server.port: 3000
|
||||
traefik.http.routers.nforwardauth.tls: true
|
||||
traefik.http.routers.nforwardauth.tls.certresolver: resolver_letsencrypt
|
||||
traefik.http.routers.nforwardauth.entrypoints: entry_https
|
||||
volumes:
|
||||
- "./passwd:/passwd:ro" # Mount local passwd file at /passwd as read only
|
||||
traefik.http.routers.authelia.rule: Host(`auth.mgrote.net`)
|
||||
traefik.http.services.authelia.loadbalancer.server.port: 9091
|
||||
traefik.http.routers.authelia.tls: true
|
||||
traefik.http.routers.authelia.tls.certresolver: resolver_letsencrypt
|
||||
traefik.http.routers.authelia.entrypoints: entry_https
|
||||
traefik.http.middlewares.authelia.forwardauth.address: http://authelia:9091/api/verify?rd=https://auth.mgrote.net
|
||||
traefik.http.middlewares.authelia.forwardauth.trustForwardHeader: true
|
||||
traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: Remote-User,Remote-Groups,Remote-Name,Remote-Email
|
||||
depends_on:
|
||||
- authelia-redis
|
||||
networks:
|
||||
- traefik
|
||||
- postfix
|
||||
- authelia
|
||||
healthcheck:
|
||||
test: ["CMD", "wget", "--quiet", "--spider", "--tries=1", "http://127.0.0.1:3000/login"]
|
||||
interval: 10s
|
||||
timeout: 5s
|
||||
test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://authelia:9091"]
|
||||
interval: 30s
|
||||
timeout: 10s
|
||||
retries: 3
|
||||
|
||||
authelia-redis:
|
||||
image: "redis:7.4.1"
|
||||
container_name: authelia-redis
|
||||
restart: unless-stopped
|
||||
pull_policy: missing
|
||||
environment:
|
||||
TZ: Europe/Berlin
|
||||
networks:
|
||||
- authelia
|
||||
healthcheck:
|
||||
test: ["CMD", "redis-cli", "--no-auth-warning", "ping"]
|
||||
interval: 5s
|
||||
timeout: 2s
|
||||
retries: 3
|
||||
|
||||
######## Datenbank ########
|
||||
authelia-db:
|
||||
image: "mariadb:11.5.2"
|
||||
container_name: authelia-db
|
||||
command: --transaction-isolation=READ-COMMITTED --log-bin=ROW --innodb_read_only_compressed=OFF
|
||||
restart: unless-stopped
|
||||
pull_policy: missing
|
||||
volumes:
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
- /etc/timezone:/etc/timezone:ro
|
||||
- db:/var/lib/mysql
|
||||
environment:
|
||||
MYSQL_ROOT_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'authelia_mysql_root_password', 'password') }}"
|
||||
MYSQL_PASSWORD: "{{ lookup('viczem.keepass.keepass', 'authelia_mysql_password', 'password') }}"
|
||||
MYSQL_DATABASE: authelia
|
||||
MYSQL_USER: authelia
|
||||
MYSQL_INITDB_SKIP_TZINFO: 1
|
||||
networks:
|
||||
- authelia
|
||||
healthcheck:
|
||||
test: ["CMD", "mariadb-show", "authelia", "-h", "localhost", "-u", "authelia", "-p{{ lookup('viczem.keepass.keepass', 'authelia_mysql_password', 'password') }}"]
|
||||
interval: 30s
|
||||
timeout: 10s
|
||||
retries: 3
|
||||
|
||||
|
||||
######## Networks ########
|
||||
networks:
|
||||
authelia:
|
||||
traefik:
|
||||
external: true
|
||||
postfix:
|
||||
external: true
|
||||
######## Volumes ########
|
||||
volumes:
|
||||
acme_data:
|
||||
|
||||
|
||||
# passwd
|
||||
# echo "<user>:$(mkpasswd -m sha-512 <password>)"
|
||||
authelia_data:
|
||||
db:
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
{{ lookup('viczem.keepass.keepass', 'nforwardauth-mg-hash', 'password') }}
|
|
@ -40,9 +40,3 @@ api:
|
|||
dashboard: true # unter Port 8081 erreichbar
|
||||
|
||||
ping: {} # für healthcheck
|
||||
|
||||
#experimental:
|
||||
# plugins:
|
||||
# ldapAuth:
|
||||
# moduleName: "github.com/wiltonsr/ldapAuth"
|
||||
# version: "v0.1.4"
|
||||
|
|
|
@ -26,7 +26,7 @@ services:
|
|||
traefik.http.routers.wiki.entrypoints: entry_https
|
||||
traefik.http.services.wiki.loadbalancer.server.port: 80
|
||||
|
||||
traefik.http.routers.wiki.middlewares: nforwardauth
|
||||
traefik.http.routers.wiki.middlewares: authelia
|
||||
|
||||
######## Networks ########
|
||||
networks:
|
||||
|
|
|
@ -104,7 +104,7 @@ munin_node_plugins:
|
|||
src: https://git.mgrote.net/mirrors/munin-contrib/raw/branch/master/plugins/http/http_response
|
||||
config: |
|
||||
[http_response]
|
||||
env.sites https://git.mgrote.net http://ldap.mgrote.net:17170 https://docker10.mgrote.net:8443 https://registry.mgrote.net/ui/ http://munin.mgrote.net http://192.168.5.1 http://192.168.3.1 http://192.168.3.108:8080 http://192.168.3.204 http://docker10.mgrote.net:6483 https://miniflux.mgrote.net/ https://nextcloud.mgrote.net https://audio.mgrote.net/mg http://wiki.mgrote.net https://s3.mgrote.net
|
||||
env.sites https://git.mgrote.net http://ldap.mgrote.net:17170 https://docker10.mgrote.net:8443 https://registry.mgrote.net/ui/ http://munin.mgrote.net http://192.168.5.1 http://192.168.3.1 http://192.168.3.108:8080 http://192.168.3.204 http://docker10.mgrote.net:6483 https://miniflux.mgrote.net/ https://nextcloud.mgrote.net https://audio.mgrote.net/mg http://wiki.mgrote.net https://s3.mgrote.net https://auth.mgrote.net
|
||||
env.max_time 20
|
||||
env.short_label true
|
||||
env.follow_redirect true
|
||||
|
|
BIN
keepass_db.kdbx
BIN
keepass_db.kdbx
Binary file not shown.
Loading…
Reference in a new issue