diff --git a/docker-compose/traefik/configuration.yml b/docker-compose/traefik/configuration.yml
new file mode 100644
index 00000000..942eb23c
--- /dev/null
+++ b/docker-compose/traefik/configuration.yml
@@ -0,0 +1,51 @@
+---
+server.host: 0.0.0.0
+server.port: 9091
+log:
+ level: debug
+
+jwt_secret: c50498e29383564cd50bdeda9b74a3bf
+
+totp:
+ issuer: totp.mgrote.net
+
+authentication_backend:
+ file:
+ path: /config/users_database.yml
+
+access_control:
+ default_policy: deny
+ rules:
+ - domain: wiki.mgrote.net
+ policy: one_factor
+
+session:
+ name: authelia_session
+ secret: unsecure_session_secret
+ expiration: 3600 # 1 hour
+ inactivity: 300 # 5 minutes
+ domain: mgrote.net # Should match whatever your root protected domain is
+
+ redis:
+ host: authelia-redis
+ port: 6379
+
+regulation:
+ max_retries: 3
+ find_time: 120
+ ban_time: 300
+
+storage:
+ encryption_key: f30ebde68b2c85c1b3fe2d16d9884190
+ local:
+ path: /data/db.sqlite3
+ # db auf mariadb ändern
+
+#notifier:
+# smtp:
+# username: apikey
+# password: secret
+# host: smtp.sendgrid.net
+# port: 587
+# sender: no-reply@mydomain.com
+#configuration
diff --git a/docker-compose/traefik/docker-compose.yml.j2 b/docker-compose/traefik/docker-compose.yml.j2
index c7fa3b9b..a3f94e85 100644
--- a/docker-compose/traefik/docker-compose.yml.j2
+++ b/docker-compose/traefik/docker-compose.yml.j2
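Review bot: `jwt_secret`, `session.secret` (`unsecure_session_secret`) and `storage.encryption_key` are committed as plaintext in this new file, while the rest of the deployment pulls secrets through `lookup('viczem.keepass.keepass', ...)` in `.j2` templates (the removed `TOKEN_SECRET` and `passwd.j2` in this same commit), so the change moves secrets out of the vault and into git history. Either render this file as `configuration.yml.j2` with the same lookup, e.g. `jwt_secret: "{{ lookup('viczem.keepass.keepass', 'authelia_jwt_secret', 'password') }}"`, or drop the three keys here and supply them through Authelia's `AUTHELIA_*_FILE` environment variables; the values already in the diff should be treated as leaked and regenerated before first use, since changing `storage.encryption_key` later requires migrating the SQLite database. `log: level: debug` is also more verbose than an authentication service should run in steady state; `info` is the usual choice. The file further references `/config/users_database.yml`, which no volume in this commit mounts, so confirm it is provisioned out of band.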
@@ -24,35 +24,37 @@ services: interval: 30s timeout: 10s retries: 3 - -######## nforwardauth ######## - nforwardauth: +######## authelia ######## + authelia: + image: authelia/authelia:4.38.17 + container_name: authelia restart: unless-stopped pull_policy: missing - image: "nosduco/nforwardauth:v1.4.0" - container_name: traefik-nforwardauth environment: - TOKEN_SECRET: "{{ lookup('viczem.keepass.keepass', 'nforwardauth_token_secret', 'password') }}" - AUTH_HOST: auth.mgrote.net - labels: - traefik.enable: true - traefik.http.routers.nforwardauth.rule: Host(`auth.mgrote.net`) - - traefik.http.middlewares.nforwardauth.forwardauth.address: http://nforwardauth:3000 - - traefik.http.services.nforwardauth.loadbalancer.server.port: 3000 - traefik.http.routers.nforwardauth.tls: true - traefik.http.routers.nforwardauth.tls.certresolver: resolver_letsencrypt - traefik.http.routers.nforwardauth.entrypoints: entry_https + TZ: Europe/Berlin volumes: - - "./passwd:/passwd:ro" # Mount local passwd file at /passwd as read only - networks: - - traefik - healthcheck: - test: ["CMD", "wget", "--quiet", "--spider", "--tries=1", "http://127.0.0.1:3000/login"] - interval: 10s - timeout: 5s - retries: 3 + - ./configuration.yml:/config/configuration.yml + - authelia_data:/data + labels: + traefik.enable: true' + traefik.http.routers.authelia.rule: Host(`auth.mgrote.net`) + traefik.http.services.authelia.loadbalancer.server.port: 80 + traefik.http.routers.authelia.tls: true + traefik.http.routers.authelia.tls.certresolver: resolver_letsencrypt + traefik.http.routers.authelia.entrypoints: entry_https + traefik.http.middlewares.authelia.forwardauth.address: http://authelia-service:9091/api/verify?rd=https://auth.mgrote.net' + traefik.http.middlewares.authelia.forwardauth.trustForwardHeader: true' + traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: Remote-User,Remote-Groups,Remote-Name,Remote-Email' + depends_on: + - authelia-redis + + authelia-redis: # version!!!! 
+ image: redis:7 + container_name: authelia-redis + restart: unless-stopped + pull_policy: missing + environment: + TZ: Europe/Berlin ######## Networks ######## networks: @@ -61,7 +63,18 @@ networks: ######## Volumes ######## volumes: acme_data: + authelia_data: # passwd # echo ":$(mkpasswd -m sha-512 )" + + + +# TODO +# ldap user: https://www.authelia.com/configuration/first-factor/ldap/ +# test mit whoami +# doku: https://ruanbekker.hashnode.dev/sso-with-authelia-using-traefik-on-docker +# healtchecks +# munin +# keepass aufraumen diff --git a/docker-compose/traefik/passwd.j2 b/docker-compose/traefik/passwd.j2 deleted file mode 100644 index 3ddd2039..00000000 --- a/docker-compose/traefik/passwd.j2 +++ /dev/null @@ -1 +0,0 @@ -{{ lookup('viczem.keepass.keepass', 'nforwardauth-mg-hash', 'password') }}
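Review bot: Four of the new Traefik labels carry a stray trailing `'` — `traefik.enable: true'`, `forwardauth.address: ...auth.mgrote.net'`, `forwardauth.trustForwardHeader: true'` and `authResponseHeaders: ...Remote-Email'` — so Traefik receives the strings `true'` and a URL ending in `'`, which fail boolean/URL parsing and leave the router and the forwardauth middleware unconfigured. Two targets also look wrong: `loadbalancer.server.port: 80` while Authelia listens on 9091 (the forwardauth address itself uses 9091), and the middleware points at `authelia-service`, a name that does not exist in this hunk (service and `container_name` are both `authelia`) unless an alias is defined elsewhere. The service also lost the `networks: - traefik` membership that `nforwardauth` had; if the `traefik` service is only on that named network it cannot reach the new container, so that should be restored. The `services:` block this hunk edits continues outside the hunk.
```yaml
    labels:
      traefik.enable: true
      traefik.http.routers.authelia.rule: Host(`auth.mgrote.net`)
      traefik.http.services.authelia.loadbalancer.server.port: 9091
      # … unchanged: tls / certresolver / entrypoints labels …
      traefik.http.middlewares.authelia.forwardauth.address: http://authelia:9091/api/verify?rd=https://auth.mgrote.net
      traefik.http.middlewares.authelia.forwardauth.trustForwardHeader: true
      traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: Remote-User,Remote-Groups,Remote-Name,Remote-Email
    networks:
      - traefik
```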
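Review bot: The retained `# passwd` / `# echo ":$(mkpasswd -m sha-512 )"` comment above the new TODO list is stale after this commit: `passwd.j2` is deleted and Authelia's file backend reads `/config/users_database.yml` with hashes produced by its own tooling (e.g. `authelia crypto hash generate argon2`), not an `mkpasswd` SHA-512 line. Replace it with something like `# users: /config/users_database.yml — hashes via 'authelia crypto hash generate'` so the next person does not generate an incompatible hash. The TODO list could also carry the open secrets item, e.g. `# secrets (jwt/session/storage) from keepass instead of plaintext`, since only `authelia_data:` is declared here and nothing yet mounts the users database.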