Compare commits
34 Commits
Author | SHA1 | Date |
---|---|---|
Michael Grote | 296b488884 | |
Michael Grote | ef50051e32 | |
Michael Grote | 3dc1e2c99c | |
Michael Grote | 2eee598c15 | |
Michael Grote | fd5fb6c6aa | |
Michael Grote | e837137e72 | |
Michael Grote | e362db52ef | |
Michael Grote | c99e097625 | |
Michael Grote | 71570aed8f | |
Michael Grote | a0bf2cbbfb | |
Michael Grote | 14a761aebe | |
Michael Grote | 80953d819c | |
Michael Grote | 72d9c15633 | |
Michael Grote | c8e47739c4 | |
Michael Grote | ff9a451088 | |
Michael Grote | 716a3a15a2 | |
Michael Grote | 0fc7ff9080 | |
Michael Grote | 5a282d8c0f | |
Michael Grote | 905d25a641 | |
Michael Grote | 0c960b8086 | |
Michael Grote | 4d875f2d4c | |
Michael Grote | 920eb6bb69 | |
Michael Grote | 0dae6587fd | |
Michael Grote | eb8afc9caa | |
Michael Grote | a77f4c727c | |
Michael Grote | 8ae6086452 | |
Michael Grote | 7bce4e8157 | |
Michael Grote | 9721d501ca | |
Michael Grote | 43f2c00745 | |
Michael Grote | 21e6e05af0 | |
Michael Grote | f0a1f19bed | |
Michael Grote | 08c129d446 | |
Michael Grote | 24c63e7827 | |
Michael Grote | 10017f6003 |
|
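--- /dev/null
+++ b/<PATH-NOT-SHOWN-1>
@@ -0,0 +1,69 @@
+---
+default_redirection_url: https://mgrote.net
+jwt_secret: "{{ lookup('keepass', 'AUTHELIA_JWT_SECRET', 'password') }}"
+
+server:
+host: 0.0.0.0
+port: 9091
+
+log:
+level: debug
+
+totp:
+issuer: authelia.com
+
+access_control:
+default_policy: deny
+rules:
+- domain: audio.mgrote.net
+policy: bypass
+- domain: munin.grote.lan
+policy: one_factor
+
+session:
+domain: mgrote.net
+secret: "{{ lookup('keepass', 'AUTHELIA_SESSION_SECRET', 'password') }}"
+redis:
+host: authelia-redis
+port: 6379
+
+regulation:
+max_retries: 3
+find_time: 120
+ban_time: 300
+
+notifier:
+smtp:
+username: info@mgrote.net
+password: "{{ lookup('keepass', 'postfix_absender_passwort', 'password') }}"
+host: smtp.strato.de
+port: 587
+sender: info@mgrote.net
+
+authentication_backend:
+password_reset:
+disable: false
+refresh_interval: 1m
+ldap:
+implementation: custom
+url: ldap://lldap-app:3890
+timeout: 5s
+start_tls: false
+base_dn: dc=grote,dc=lan
+username_attribute: uid
+additional_users_dn: ou=people
+users_filter: (&({username_attribute}={input})(objectClass=person))
+additional_groups_dn: ou=groups
+groups_filter: (member={dn})
+group_name_attribute: cn
+mail_attribute: mail
+display_name_attribute: displayName
+user: uid=admin,ou=people,dc=grote,dc=lan
+password: "{{ lookup('keepass', 'LLDAP_LDAP_USER_PASS', 'password') }}"
+
+storage:
+postgres:
+host: authelia-postgres
+database: authelia
+username: authelia
+password: "{{ lookup('keepass', 'AUTHELIA_STORAGE_POSTGRES_PASSWORD', 'password') }}"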
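Review bot: The LDAP backend binds as the directory admin (`user: uid=admin,ou=people,dc=grote,dc=lan`) over plain `ldap://lldap-app:3890` with `start_tls: false`, so that credential crosses the `intern` network unencrypted and a compromised Authelia container would hold full directory control; a dedicated bind account limited to read plus whatever password reset needs would bound that, and LDAPS/STARTTLS should be turned on if the lldap build in use supports it. `level: debug` is set on what appears to be a production auth gateway; the verbose levels are far chattier about requests, so `level: info` is the safer setting once the deployment works. `issuer: authelia.com` is the upstream example value and is what users will see in their TOTP apps; `issuer: auth.mgrote.net` matches the portal host used elsewhere in this commit. Note that the rendered page has dropped this file's YAML indentation, so key nesting cannot be checked from here.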
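--- /dev/null
+++ b/<PATH-NOT-SHOWN-2>
@@ -0,0 +1,80 @@
+---
+version: "3.8"
+services:
+######## App ########
+authelia:
+container_name: authelia-app
+image: docker.io/authelia/authelia:4
+restart: always
+networks:
+- nw_aaa
+- intern
+- traefik
+expose:
+- 9091
+ports:
+- "9091:9091"
+environment:
+TZ: Europe/Berlin
+AUTHELIA_STORAGE_ENCRYPTION_KEY: {{ lookup('keepass', 'AUTHELIA_STORAGE_ENCRYPTION_KEY', 'password') }}
+volumes:
+- ./config:/config
+labels:
+- com.centurylinklabs.watchtower.enable=true
+- com.centurylinklabs.watchtower.depends-on=authelia-postgres,authelia-redis
+
+- traefik.http.middlewares.authelia.forwardauth.address=http://authelia-app:9091/api/authz/forward-auth?authelia-url=http://auth.mgrote.net
+- traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
+- traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
+
+- traefik.enable=true
+- traefik.http.routers.authelia.rule=Host(`auth.mgrote.net`)
+- traefik.http.routers.authelia.tls=true
+- traefik.http.routers.authelia.tls.certresolver=resolver_letsencrypt
+- traefik.http.routers.authelia.entrypoints=entry_https
+- traefik.http.services.authelia.loadbalancer.server.port=9091
+
+
+######## PostGreSQL ########
+db:
+container_name: "authelia-postgres"
+image: postgres:13
+restart: always
+environment:
+- POSTGRES_USER=authelia
+- POSTGRES_PASSWORD={{ lookup('keepass', 'AUTHELIA_STORAGE_POSTGRES_PASSWORD', 'password') }}
+- TZ=Europe/Berlin
+volumes:
+- postgres:/var/lib/postgresql/data
+networks:
+- intern
+labels:
+- com.centurylinklabs.watchtower.enable=false
+- com.centurylinklabs.watchtower.monitor-only=true
+######## Redis ########
+redis:
+image: redis:alpine
+container_name: authelia-redis
+volumes:
+- redis:/data
+networks:
+- intern
+expose:
+- 6379
+restart: always
+environment:
+- TZ=Europe/Berlin
+labels:
+- com.centurylinklabs.watchtower.enable=true
+
+
+networks:
+nw_aaa:
+external: true
+intern:
+traefik:
+external: true
+
+volumes:
+postgres:
+redis: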
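Review bot: `AUTHELIA_STORAGE_ENCRYPTION_KEY: {{ lookup(...) }}` is the one secret lookup in this commit left unquoted, unlike `jwt_secret` in the Authelia config; after Ansible renders it the key sits there as a plain YAML scalar, so a `#`, `: ` or leading special character in the generated key breaks or silently truncates it, and any YAML tooling reading the template sees a flow mapping. Quote it like the others: `AUTHELIA_STORAGE_ENCRYPTION_KEY: "{{ lookup('keepass', 'AUTHELIA_STORAGE_ENCRYPTION_KEY', 'password') }}"`. The forwardauth label sends unauthenticated users to `authelia-url=http://auth.mgrote.net` while the portal router only serves `tls=true` on `entry_https`, so that redirect target should be `https://auth.mgrote.net`; the same label is repeated in the later compose hunk in this commit. `ports: - "9091:9091"` also publishes the Authelia API directly on the host, bypassing the Traefik TLS path — `expose` plus the Traefik labels already cover it, so the `ports` entry can be dropped.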
Binary file not shown.
After Width: | Height: | Size: 23 KiB |
|
@ -33,7 +33,7 @@ services:
|
|||
target: "_blank"
|
||||
subtitle: "Modem"
|
||||
|
||||
- name: "Infra"
|
||||
- name: "Infra - Apps"
|
||||
icon: "fas fa-cloud"
|
||||
items:
|
||||
- name: "Apt-Cacher-NG"
|
||||
|
@ -67,7 +67,7 @@ services:
|
|||
target: "_blank"
|
||||
subtitle: "Package-Registry"
|
||||
|
||||
- name: "Infra"
|
||||
- name: "Infra - OS"
|
||||
icon: "fas fa-cloud"
|
||||
items:
|
||||
- name: "ProxMox Virtual Environment - Production"
|
||||
|
@ -95,6 +95,15 @@ services:
|
|||
target: "_blank"
|
||||
subtitle: "network device configuration backup tool"
|
||||
|
||||
- name: "AAA"
|
||||
icon: "fas fa-cloud"
|
||||
items:
|
||||
- name: "lldap"
|
||||
logo: "assets/icons/lldap.png"
|
||||
url: "http://docker10.grote.lan:17170"
|
||||
target: "_blank"
|
||||
subtitle: "LDAP"
|
||||
|
||||
- name: "Internet-MGMT"
|
||||
icon: "fas fa-cloud"
|
||||
items:
|
||||
|
|
|
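--- /dev/null
+++ b/<PATH-NOT-SHOWN-3>
@@ -0,0 +1,77 @@
+version: "3"
+services:
+######## App ########
+lldap:
+image: nitnelave/lldap:stable
+container_name: lldap-app
+restart: always
+ports:
+# For LDAP
+- "3890:3890"
+# For the web front-end
+- "17170:17170"
+networks:
+- intern
+- nw_aaa
+- traefik
+volumes:
+- /etc/localtime:/etc/localtime:ro
+- /etc/timezone:/etc/timezone:ro
+- "lldap:/data"
+environment:
+- UID=1000
+- GID=1000
+- LLDAP_JWT_SECRET={{ lookup('keepass', 'LLDAP_JWT_SECRET', 'password') }}
+- LLDAP_LDAP_USER_PASS={{ lookup('keepass', 'LLDAP_LDAP_USER_PASS', 'password') }}
+#- LLDAP_USER_DN="LLDAP-ADMIN"
+- LLDAP_LDAP_BASE_DN=dc=grote,dc=lan
+- LLDAP_DATABASE_URL=mysql://lldap-db-user:{{ lookup('keepass', 'LLDAP_MYSQL_PASSWORD', 'password') }}@lldap-db/lldap
+- LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_reset=true
+- LLDAP_SMTP_OPTIONS__SERVER=smtp.strato.de
+- LLDAP_SMTP_OPTIONS__PORT=587
+- LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION=STARTTLS
+- LLDAP_SMTP_OPTIONS__USER=info@mgrote.net
+- LLDAP_SMTP_OPTIONS__PASSWORD={{ lookup('keepass', 'postfix_absender_passwort', 'password') }}
+- LLDAP_SMTP_OPTIONS__FROM="LLDAP Admin <info@mgrote.net>"
+- LLDAP_SMTP_OPTIONS__REPLY_TO="Do not reply <info@mgrote.net>"
+#- LLDAP_KEY_FILE={{ lookup('keepass', 'LLDAP_KEY_FILE', 'password') }}
+#- LLDAP_VERBOSE=true
+- LLDAP_HTTP_URL="http://docker10.grote.lan:17170" # The public URL of the server, for password reset links.
+labels:
+- com.centurylinklabs.watchtower.enable=true
+- com.centurylinklabs.watchtower.depends-on=lldap-db
+######## DB ########
+nextcloud-db:
+image: mariadb:10
+container_name: lldap-db
+restart: always
+volumes:
+- /etc/localtime:/etc/localtime:ro
+- /etc/timezone:/etc/timezone:ro
+- db:/var/lib/mysql
+environment:
+- MYSQL_ROOT_PASSWORD={{ lookup('keepass', 'LLDAP_MYSQL_ROOT_PASSWORD', 'password') }}
+- MYSQL_PASSWORD={{ lookup('keepass', 'LLDAP_MYSQL_PASSWORD', 'password') }}
+- MYSQL_DATABASE=lldap
+- MYSQL_USER=lldap-db-user
+- MYSQL_INITDB_SKIP_TZINFO=1
+networks:
+- intern
+labels:
+- com.centurylinklabs.watchtower.enable=true
+
+######## Volumes ########
+volumes:
+lldap:
+db:
+######## Networks ########
+networks:
+nw_aaa:
+external: true
+intern:
+traefik:
+external: true
+
+
+## (example with "password"): - LLDAP_SMTP_OPTIONS__PASSWORD
+## Whether to enabled password reset via email, from LLDAP.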
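Review bot: `LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_reset=true` is mixed-case; environment variable names are case-sensitive and the lldap option is `LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_RESET`, so password reset is most likely not enabled despite the leftover comment at the end of the file saying it should be. In the list form of `environment:` compose passes the value through verbatim, so `LLDAP_SMTP_OPTIONS__FROM`, `LLDAP_SMTP_OPTIONS__REPLY_TO` and `LLDAP_HTTP_URL` receive the literal double quotes as part of their values; drop the inner quotes. `LLDAP_DATABASE_URL` splices the MySQL password into a URL, so any `@`, `/`, `:` or `#` in it corrupts the DSN — render it as `{{ lookup('keepass', 'LLDAP_MYSQL_PASSWORD', 'password') | urlencode }}`. Publishing `"3890:3890"` and `"17170:17170"` on the host exposes cleartext LDAP and the admin web UI to the whole LAN (the Homer entry in this commit links to that plain-http URL) even though the service already joins the `traefik` network; routing the UI through Traefik with TLS and dropping the host port bindings would put it on the same footing as Authelia. The database service key is `nextcloud-db` while its container is `lldap-db` — rename the key so they match, and the two `##` lines after `networks:` are copied template commentary that should be removed.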
@ -36,6 +36,18 @@ services:
|
|||
labels:
|
||||
- com.centurylinklabs.watchtower.enable=true
|
||||
|
||||
- traefik.http.middlewares.authelia.forwardauth.address=http://authelia-app:9091/api/authz/forward-auth?authelia-url=http://auth.mgrote.net
|
||||
- traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
|
||||
- traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
|
||||
|
||||
- traefik.enable=true
|
||||
- traefik.http.routers.authelia.rule=Host(`auth.mgrote.net`)
|
||||
- traefik.http.routers.authelia.tls=true
|
||||
- traefik.http.routers.authelia.tls.certresolver=resolver_letsencrypt
|
||||
- traefik.http.routers.authelia.entrypoints=entry_https
|
||||
- traefik.http.services.authelia.loadbalancer.server.port=9091
|
||||
|
||||
|
||||
volumes:
|
||||
db:
|
||||
logs:
|
||||
|
|
|
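Review bot: These labels re-declare the Traefik router `authelia` (its `Host(...)` rule, `tls`, `certresolver`, `entrypoints` and the `authelia` service port) on what appears to be a stack other than Authelia itself — the enclosing service starts outside the hunk and this file's volumes are `db` and `logs`. Traefik typically rejects a router that is defined on two containers with differing settings, and nothing in this hunk attaches the middleware to this service's own router, so the application would end up unprotected rather than behind Authelia. Keep the middleware and router definitions in one place (the Authelia compose in this commit already has them) and instead add `traefik.http.routers.<this-service>.middlewares=authelia@docker` to this service's router. The `authelia-url=http://auth.mgrote.net` target is plain http while the portal router is tls-only; same remark as on the Authelia compose section.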
@ -1,4 +1,3 @@
|
|||
version: "3"
|
||||
services:
|
||||
watchtower:
|
||||
restart: always
|
||||
|
@ -6,13 +5,12 @@ services:
|
|||
image: containrrr/watchtower
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
environment:
|
||||
- TZ=Europe/Berlin
|
||||
- WATCHTOWER_CLEANUP=true
|
||||
- WATCHTOWER_INCLUDE_RESTARTING=true
|
||||
- WATCHTOWER_INCLUDE_STOPPED=true
|
||||
- WATCHTOWER_REVIVE_STOPPED=false
|
||||
- WATCHTOWER_POLL_INTERVAL=86400 # (24 hours)
|
||||
- WATCHTOWER_LABEL_ENABLE=true
|
||||
- WATCHTOWER_NOTIFICATIONS=email
|
||||
- WATCHTOWER_NOTIFICATION_EMAIL_FROM=info@mgrote.net
|
||||
|
@ -23,6 +21,7 @@ services:
|
|||
- WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD={{ lookup('keepass', 'postfix_absender_passwort', 'password') }}
|
||||
- WATCHTOWER_NOTIFICATION_EMAIL_DELAY=2
|
||||
- WATCHTOWER_NO_STARTUP_MESSAGE=true
|
||||
- WATCHTOWER_SCHEDULE=0 20 3 * * * # jeden Tag um 03:20
|
||||
labels:
|
||||
- com.centurylinklabs.watchtower.enable=true
|
||||
|
||||
|
|
|
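Review bot: Both `WATCHTOWER_POLL_INTERVAL=86400` and `WATCHTOWER_SCHEDULE=0 20 3 * * *` are present on the new side of this file; which of them this commit adds or removes cannot be recovered from the rendering, but Watchtower rejects a configuration that sets interval and schedule together, so only one should survive (the cron schedule with its `# jeden Tag um 03:20` comment looks like the intended one). With `WATCHTOWER_LABEL_ENABLE=true` this commit also opts the new lldap and authelia containers in via `com.centurylinklabs.watchtower.enable=true`, so the identity stack is upgraded unattended off the floating `:stable` and `:4` tags; pinning those images or giving them `monitor-only=true` as the Postgres service has would avoid an authentication outage caused by an automatic pull.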
@ -77,7 +77,12 @@
|
|||
state: present
|
||||
- name: blocky
|
||||
state: present
|
||||
|
||||
- name: lldap
|
||||
state: absent
|
||||
network: traefik
|
||||
- name: authelia
|
||||
state: absent
|
||||
network: nw_aaa
|
||||
#### mgrote.set_permissions
|
||||
dir_permissions:
|
||||
- path: /mnt/httpd
|
||||
|
|
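Review bot: The new `lldap` and `authelia` entries are added with `state: absent`, so as committed nothing deploys either stack, and their `network:` values (`traefik` for lldap, `nw_aaa` for authelia) differ without explanation; if this is deliberate staging, a comment such as `# not yet enabled - compose files still in progress` above the two entries would tell the next reader the absent state is intended rather than a leftover. The hunk counts show one line removed here, but which one is not recoverable from the rendering.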
BIN
keepass_db.kdbx
BIN
keepass_db.kdbx
Binary file not shown.
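Review bot: `keepass_db.kdbx` is the vault that every `lookup('keepass', ...)` in this commit reads from, and it is versioned in this repository alongside the configs that consume it; with the Authelia and LLDAP secrets added here, one leaked clone now carries the complete identity-stack credential set, protected only by the vault's master password and KDF settings. If committing it is intentional, document that in the README together with the KDF and master-password expectations, and bear in mind when rotating secrets that every previous revision of the file remains retrievable from history. If it is not intentional, moving the vault out of the repository (or encrypting the file under an external key with git-crypt/sops) and purging it from history is the fix.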