Compare commits
34 Commits
Author | SHA1 | Date |
---|---|---|
Michael Grote | 296b488884 | |
Michael Grote | ef50051e32 | |
Michael Grote | 3dc1e2c99c | |
Michael Grote | 2eee598c15 | |
Michael Grote | fd5fb6c6aa | |
Michael Grote | e837137e72 | |
Michael Grote | e362db52ef | |
Michael Grote | c99e097625 | |
Michael Grote | 71570aed8f | |
Michael Grote | a0bf2cbbfb | |
Michael Grote | 14a761aebe | |
Michael Grote | 80953d819c | |
Michael Grote | 72d9c15633 | |
Michael Grote | c8e47739c4 | |
Michael Grote | ff9a451088 | |
Michael Grote | 716a3a15a2 | |
Michael Grote | 0fc7ff9080 | |
Michael Grote | 5a282d8c0f | |
Michael Grote | 905d25a641 | |
Michael Grote | 0c960b8086 | |
Michael Grote | 4d875f2d4c | |
Michael Grote | 920eb6bb69 | |
Michael Grote | 0dae6587fd | |
Michael Grote | eb8afc9caa | |
Michael Grote | a77f4c727c | |
Michael Grote | 8ae6086452 | |
Michael Grote | 7bce4e8157 | |
Michael Grote | 9721d501ca | |
Michael Grote | 43f2c00745 | |
Michael Grote | 21e6e05af0 | |
Michael Grote | f0a1f19bed | |
Michael Grote | 08c129d446 | |
Michael Grote | 24c63e7827 | |
Michael Grote | 10017f6003 |
|
@ -0,0 +1,69 @@
|
||||||
|
---
|
||||||
|
default_redirection_url: https://mgrote.net
|
||||||
|
jwt_secret: "{{ lookup('keepass', 'AUTHELIA_JWT_SECRET', 'password') }}"
|
||||||
|
|
||||||
|
server:
|
||||||
|
host: 0.0.0.0
|
||||||
|
port: 9091
|
||||||
|
|
||||||
|
log:
|
||||||
|
level: debug
|
||||||
|
|
||||||
|
totp:
|
||||||
|
issuer: authelia.com
|
||||||
|
|
||||||
|
access_control:
|
||||||
|
default_policy: deny
|
||||||
|
rules:
|
||||||
|
- domain: audio.mgrote.net
|
||||||
|
policy: bypass
|
||||||
|
- domain: munin.grote.lan
|
||||||
|
policy: one_factor
|
||||||
|
|
||||||
|
session:
|
||||||
|
domain: mgrote.net
|
||||||
|
secret: "{{ lookup('keepass', 'AUTHELIA_SESSION_SECRET', 'password') }}"
|
||||||
|
redis:
|
||||||
|
host: authelia-redis
|
||||||
|
port: 6379
|
||||||
|
|
||||||
|
regulation:
|
||||||
|
max_retries: 3
|
||||||
|
find_time: 120
|
||||||
|
ban_time: 300
|
||||||
|
|
||||||
|
notifier:
|
||||||
|
smtp:
|
||||||
|
username: info@mgrote.net
|
||||||
|
password: "{{ lookup('keepass', 'postfix_absender_passwort', 'password') }}"
|
||||||
|
host: smtp.strato.de
|
||||||
|
port: 587
|
||||||
|
sender: info@mgrote.net
|
||||||
|
|
||||||
|
authentication_backend:
|
||||||
|
password_reset:
|
||||||
|
disable: false
|
||||||
|
refresh_interval: 1m
|
||||||
|
ldap:
|
||||||
|
implementation: custom
|
||||||
|
url: ldap://lldap-app:3890
|
||||||
|
timeout: 5s
|
||||||
|
start_tls: false
|
||||||
|
base_dn: dc=grote,dc=lan
|
||||||
|
username_attribute: uid
|
||||||
|
additional_users_dn: ou=people
|
||||||
|
users_filter: (&({username_attribute}={input})(objectClass=person))
|
||||||
|
additional_groups_dn: ou=groups
|
||||||
|
groups_filter: (member={dn})
|
||||||
|
group_name_attribute: cn
|
||||||
|
mail_attribute: mail
|
||||||
|
display_name_attribute: displayName
|
||||||
|
user: uid=admin,ou=people,dc=grote,dc=lan
|
||||||
|
password: "{{ lookup('keepass', 'LLDAP_LDAP_USER_PASS', 'password') }}"
|
||||||
|
|
||||||
|
storage:
|
||||||
|
postgres:
|
||||||
|
host: authelia-postgres
|
||||||
|
database: authelia
|
||||||
|
username: authelia
|
||||||
|
password: "{{ lookup('keepass', 'AUTHELIA_STORAGE_POSTGRES_PASSWORD', 'password') }}"
|
|
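Review bot: The LDAP bind account at `user: uid=admin,ou=people,dc=grote,dc=lan` is the directory administrator, and it binds over `ldap://` with `start_tls: false`, so a compromise of the Authelia container hands over full write access to the directory. Authelia needs read access plus, with `password_reset.disable: false`, the right to change user passwords, so a dedicated bind user holding only those rights would be the least-privilege choice; plaintext LDAP is tolerable only because `intern` is a private Compose network, which deserves a comment such as `# plaintext LDAP: lldap-app is reachable only on the internal compose network`. `level: debug` on an authentication portal tends to log request details you would not want retained, so `level: info` is the safer setting once the deployment works. Separately, the rule for `munin.grote.lan` sits under a session scoped to `domain: mgrote.net`, and Authelia can only set its cookie for subdomains of the session domain, so that rule appears unenforceable as written.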
@ -0,0 +1,80 @@
|
||||||
|
---
|
||||||
|
version: "3.8"
|
||||||
|
services:
|
||||||
|
######## App ########
|
||||||
|
authelia:
|
||||||
|
container_name: authelia-app
|
||||||
|
image: docker.io/authelia/authelia:4
|
||||||
|
restart: always
|
||||||
|
networks:
|
||||||
|
- nw_aaa
|
||||||
|
- intern
|
||||||
|
- traefik
|
||||||
|
expose:
|
||||||
|
- 9091
|
||||||
|
ports:
|
||||||
|
- "9091:9091"
|
||||||
|
environment:
|
||||||
|
TZ: Europe/Berlin
|
||||||
|
AUTHELIA_STORAGE_ENCRYPTION_KEY: {{ lookup('keepass', 'AUTHELIA_STORAGE_ENCRYPTION_KEY', 'password') }}
|
||||||
|
volumes:
|
||||||
|
- ./config:/config
|
||||||
|
labels:
|
||||||
|
- com.centurylinklabs.watchtower.enable=true
|
||||||
|
- com.centurylinklabs.watchtower.depends-on=authelia-postgres,authelia-redis
|
||||||
|
|
||||||
|
- traefik.http.middlewares.authelia.forwardauth.address=http://authelia-app:9091/api/authz/forward-auth?authelia-url=http://auth.mgrote.net
|
||||||
|
- traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
|
||||||
|
- traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
|
||||||
|
|
||||||
|
- traefik.enable=true
|
||||||
|
- traefik.http.routers.authelia.rule=Host(`auth.mgrote.net`)
|
||||||
|
- traefik.http.routers.authelia.tls=true
|
||||||
|
- traefik.http.routers.authelia.tls.certresolver=resolver_letsencrypt
|
||||||
|
- traefik.http.routers.authelia.entrypoints=entry_https
|
||||||
|
- traefik.http.services.authelia.loadbalancer.server.port=9091
|
||||||
|
|
||||||
|
|
||||||
|
######## PostGreSQL ########
|
||||||
|
db:
|
||||||
|
container_name: "authelia-postgres"
|
||||||
|
image: postgres:13
|
||||||
|
restart: always
|
||||||
|
environment:
|
||||||
|
- POSTGRES_USER=authelia
|
||||||
|
- POSTGRES_PASSWORD={{ lookup('keepass', 'AUTHELIA_STORAGE_POSTGRES_PASSWORD', 'password') }}
|
||||||
|
- TZ=Europe/Berlin
|
||||||
|
volumes:
|
||||||
|
- postgres:/var/lib/postgresql/data
|
||||||
|
networks:
|
||||||
|
- intern
|
||||||
|
labels:
|
||||||
|
- com.centurylinklabs.watchtower.enable=false
|
||||||
|
- com.centurylinklabs.watchtower.monitor-only=true
|
||||||
|
######## Redis ########
|
||||||
|
redis:
|
||||||
|
image: redis:alpine
|
||||||
|
container_name: authelia-redis
|
||||||
|
volumes:
|
||||||
|
- redis:/data
|
||||||
|
networks:
|
||||||
|
- intern
|
||||||
|
expose:
|
||||||
|
- 6379
|
||||||
|
restart: always
|
||||||
|
environment:
|
||||||
|
- TZ=Europe/Berlin
|
||||||
|
labels:
|
||||||
|
- com.centurylinklabs.watchtower.enable=true
|
||||||
|
|
||||||
|
|
||||||
|
networks:
|
||||||
|
nw_aaa:
|
||||||
|
external: true
|
||||||
|
intern:
|
||||||
|
traefik:
|
||||||
|
external: true
|
||||||
|
|
||||||
|
volumes:
|
||||||
|
postgres:
|
||||||
|
redis:
|
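Review bot: `ports: - "9091:9091"` publishes the Authelia portal on every host interface over plain HTTP, next to the Traefik router that terminates TLS for `auth.mgrote.net`; since `expose: - 9091` plus membership of the `traefik` network already make the port reachable by Traefik, the `ports:` entry looks redundant and only widens exposure, so drop it or bind it to loopback with `- "127.0.0.1:9091:9091"`. In the forwardauth label, `authelia-url=http://auth.mgrote.net` redirects unauthenticated users to a plaintext URL although the router is `tls=true` on `entry_https`, so unless an HTTP-to-HTTPS redirect exists elsewhere this should read `https://auth.mgrote.net`. `AUTHELIA_STORAGE_ENCRYPTION_KEY: {{ lookup(...) }}` is a mapping value left unquoted, so after Ansible renders the template the secret is parsed as a YAML plain scalar and a key beginning with `*`, `&`, `{`, `[`, `%`, `@` or containing `: ` would break or silently change the parse; quote it like the entries in configuration.yml, `AUTHELIA_STORAGE_ENCRYPTION_KEY: "{{ lookup('keepass', 'AUTHELIA_STORAGE_ENCRYPTION_KEY', 'password') }}"`.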
Binary file not shown.
After Width: | Height: | Size: 23 KiB |
|
@ -33,7 +33,7 @@ services:
|
||||||
target: "_blank"
|
target: "_blank"
|
||||||
subtitle: "Modem"
|
subtitle: "Modem"
|
||||||
|
|
||||||
- name: "Infra"
|
- name: "Infra - Apps"
|
||||||
icon: "fas fa-cloud"
|
icon: "fas fa-cloud"
|
||||||
items:
|
items:
|
||||||
- name: "Apt-Cacher-NG"
|
- name: "Apt-Cacher-NG"
|
||||||
|
@ -67,7 +67,7 @@ services:
|
||||||
target: "_blank"
|
target: "_blank"
|
||||||
subtitle: "Package-Registry"
|
subtitle: "Package-Registry"
|
||||||
|
|
||||||
- name: "Infra"
|
- name: "Infra - OS"
|
||||||
icon: "fas fa-cloud"
|
icon: "fas fa-cloud"
|
||||||
items:
|
items:
|
||||||
- name: "ProxMox Virtual Environment - Production"
|
- name: "ProxMox Virtual Environment - Production"
|
||||||
|
@ -95,6 +95,15 @@ services:
|
||||||
target: "_blank"
|
target: "_blank"
|
||||||
subtitle: "network device configuration backup tool"
|
subtitle: "network device configuration backup tool"
|
||||||
|
|
||||||
|
- name: "AAA"
|
||||||
|
icon: "fas fa-cloud"
|
||||||
|
items:
|
||||||
|
- name: "lldap"
|
||||||
|
logo: "assets/icons/lldap.png"
|
||||||
|
url: "http://docker10.grote.lan:17170"
|
||||||
|
target: "_blank"
|
||||||
|
subtitle: "LDAP"
|
||||||
|
|
||||||
- name: "Internet-MGMT"
|
- name: "Internet-MGMT"
|
||||||
icon: "fas fa-cloud"
|
icon: "fas fa-cloud"
|
||||||
items:
|
items:
|
||||||
|
|
|
@ -0,0 +1,77 @@
|
||||||
|
version: "3"
|
||||||
|
services:
|
||||||
|
######## App ########
|
||||||
|
lldap:
|
||||||
|
image: nitnelave/lldap:stable
|
||||||
|
container_name: lldap-app
|
||||||
|
restart: always
|
||||||
|
ports:
|
||||||
|
# For LDAP
|
||||||
|
- "3890:3890"
|
||||||
|
# For the web front-end
|
||||||
|
- "17170:17170"
|
||||||
|
networks:
|
||||||
|
- intern
|
||||||
|
- nw_aaa
|
||||||
|
- traefik
|
||||||
|
volumes:
|
||||||
|
- /etc/localtime:/etc/localtime:ro
|
||||||
|
- /etc/timezone:/etc/timezone:ro
|
||||||
|
- "lldap:/data"
|
||||||
|
environment:
|
||||||
|
- UID=1000
|
||||||
|
- GID=1000
|
||||||
|
- LLDAP_JWT_SECRET={{ lookup('keepass', 'LLDAP_JWT_SECRET', 'password') }}
|
||||||
|
- LLDAP_LDAP_USER_PASS={{ lookup('keepass', 'LLDAP_LDAP_USER_PASS', 'password') }}
|
||||||
|
#- LLDAP_USER_DN="LLDAP-ADMIN"
|
||||||
|
- LLDAP_LDAP_BASE_DN=dc=grote,dc=lan
|
||||||
|
- LLDAP_DATABASE_URL=mysql://lldap-db-user:{{ lookup('keepass', 'LLDAP_MYSQL_PASSWORD', 'password') }}@lldap-db/lldap
|
||||||
|
- LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_reset=true
|
||||||
|
- LLDAP_SMTP_OPTIONS__SERVER=smtp.strato.de
|
||||||
|
- LLDAP_SMTP_OPTIONS__PORT=587
|
||||||
|
- LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION=STARTTLS
|
||||||
|
- LLDAP_SMTP_OPTIONS__USER=info@mgrote.net
|
||||||
|
- LLDAP_SMTP_OPTIONS__PASSWORD={{ lookup('keepass', 'postfix_absender_passwort', 'password') }}
|
||||||
|
- LLDAP_SMTP_OPTIONS__FROM="LLDAP Admin <info@mgrote.net>"
|
||||||
|
- LLDAP_SMTP_OPTIONS__REPLY_TO="Do not reply <info@mgrote.net>"
|
||||||
|
#- LLDAP_KEY_FILE={{ lookup('keepass', 'LLDAP_KEY_FILE', 'password') }}
|
||||||
|
#- LLDAP_VERBOSE=true
|
||||||
|
- LLDAP_HTTP_URL="http://docker10.grote.lan:17170" # The public URL of the server, for password reset links.
|
||||||
|
labels:
|
||||||
|
- com.centurylinklabs.watchtower.enable=true
|
||||||
|
- com.centurylinklabs.watchtower.depends-on=lldap-db
|
||||||
|
######## DB ########
|
||||||
|
nextcloud-db:
|
||||||
|
image: mariadb:10
|
||||||
|
container_name: lldap-db
|
||||||
|
restart: always
|
||||||
|
volumes:
|
||||||
|
- /etc/localtime:/etc/localtime:ro
|
||||||
|
- /etc/timezone:/etc/timezone:ro
|
||||||
|
- db:/var/lib/mysql
|
||||||
|
environment:
|
||||||
|
- MYSQL_ROOT_PASSWORD={{ lookup('keepass', 'LLDAP_MYSQL_ROOT_PASSWORD', 'password') }}
|
||||||
|
- MYSQL_PASSWORD={{ lookup('keepass', 'LLDAP_MYSQL_PASSWORD', 'password') }}
|
||||||
|
- MYSQL_DATABASE=lldap
|
||||||
|
- MYSQL_USER=lldap-db-user
|
||||||
|
- MYSQL_INITDB_SKIP_TZINFO=1
|
||||||
|
networks:
|
||||||
|
- intern
|
||||||
|
labels:
|
||||||
|
- com.centurylinklabs.watchtower.enable=true
|
||||||
|
|
||||||
|
######## Volumes ########
|
||||||
|
volumes:
|
||||||
|
lldap:
|
||||||
|
db:
|
||||||
|
######## Networks ########
|
||||||
|
networks:
|
||||||
|
nw_aaa:
|
||||||
|
external: true
|
||||||
|
intern:
|
||||||
|
traefik:
|
||||||
|
external: true
|
||||||
|
|
||||||
|
|
||||||
|
## (example with "password"): - LLDAP_SMTP_OPTIONS__PASSWORD
|
||||||
|
## Whether to enabled password reset via email, from LLDAP.
|
|
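Review bot: `ports: - "3890:3890"` publishes plaintext LDAP on all host interfaces, yet the only consumer visible in this change is Authelia, which reaches it as `ldap://lldap-app:3890` over the shared `intern` network, so `expose: - 3890` would suffice and the host mapping can go; the admin UI on `"17170:17170"` is likewise plain HTTP on the host (the new Homer entry points at `http://docker10.grote.lan:17170`) even though the service joins the `traefik` network without any router labels, so a Traefik router with TLS would be the consistent choice. `LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_reset=true` has a lowercase `reset`; environment variable names are case-sensitive, so this is most likely not read and the line should be `- LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_RESET=true`. The double quotes in list-form values such as `LLDAP_HTTP_URL="http://docker10.grote.lan:17170"` are, to my knowledge, passed literally by Compose rather than stripped, which would corrupt the password-reset links built from that URL, so drop the quotes there and on the `FROM`/`REPLY_TO` entries. The database service is keyed `nextcloud-db:` while its container is `lldap-db`, which reads like a copy-paste leftover.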
@ -36,6 +36,18 @@ services:
|
||||||
labels:
|
labels:
|
||||||
- com.centurylinklabs.watchtower.enable=true
|
- com.centurylinklabs.watchtower.enable=true
|
||||||
|
|
||||||
|
- traefik.http.middlewares.authelia.forwardauth.address=http://authelia-app:9091/api/authz/forward-auth?authelia-url=http://auth.mgrote.net
|
||||||
|
- traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
|
||||||
|
- traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
|
||||||
|
|
||||||
|
- traefik.enable=true
|
||||||
|
- traefik.http.routers.authelia.rule=Host(`auth.mgrote.net`)
|
||||||
|
- traefik.http.routers.authelia.tls=true
|
||||||
|
- traefik.http.routers.authelia.tls.certresolver=resolver_letsencrypt
|
||||||
|
- traefik.http.routers.authelia.entrypoints=entry_https
|
||||||
|
- traefik.http.services.authelia.loadbalancer.server.port=9091
|
||||||
|
|
||||||
|
|
||||||
volumes:
|
volumes:
|
||||||
db:
|
db:
|
||||||
logs:
|
logs:
|
||||||
|
|
|
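Review bot: These labels define a Traefik router and service named `authelia` with `Host(`auth.mgrote.net`)` and `loadbalancer.server.port=9091` on this container, and the same router, service and `forwardauth` middleware names are also defined on `authelia-app` in the new Authelia compose file; Traefik's Docker provider will see two containers claiming one router and either reject the duplicate or route `auth.mgrote.net` to whichever it picks, and if this container is not Authelia nothing listens on 9091 here. The middleware and router belong in one place, preferably the Authelia compose file or a Traefik dynamic configuration file, and this hunk should keep only labels for this service's own router. The enclosing service definition starts outside the hunk.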
@ -1,4 +1,3 @@
|
||||||
version: "3"
|
|
||||||
services:
|
services:
|
||||||
watchtower:
|
watchtower:
|
||||||
restart: always
|
restart: always
|
||||||
|
@ -6,13 +5,12 @@ services:
|
||||||
image: containrrr/watchtower
|
image: containrrr/watchtower
|
||||||
volumes:
|
volumes:
|
||||||
- /var/run/docker.sock:/var/run/docker.sock
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
|
- /etc/localtime:/etc/localtime:ro
|
||||||
environment:
|
environment:
|
||||||
- TZ=Europe/Berlin
|
|
||||||
- WATCHTOWER_CLEANUP=true
|
- WATCHTOWER_CLEANUP=true
|
||||||
- WATCHTOWER_INCLUDE_RESTARTING=true
|
- WATCHTOWER_INCLUDE_RESTARTING=true
|
||||||
- WATCHTOWER_INCLUDE_STOPPED=true
|
- WATCHTOWER_INCLUDE_STOPPED=true
|
||||||
- WATCHTOWER_REVIVE_STOPPED=false
|
- WATCHTOWER_REVIVE_STOPPED=false
|
||||||
- WATCHTOWER_POLL_INTERVAL=86400 # (24 hours)
|
|
||||||
- WATCHTOWER_LABEL_ENABLE=true
|
- WATCHTOWER_LABEL_ENABLE=true
|
||||||
- WATCHTOWER_NOTIFICATIONS=email
|
- WATCHTOWER_NOTIFICATIONS=email
|
||||||
- WATCHTOWER_NOTIFICATION_EMAIL_FROM=info@mgrote.net
|
- WATCHTOWER_NOTIFICATION_EMAIL_FROM=info@mgrote.net
|
||||||
|
@ -23,6 +21,7 @@ services:
|
||||||
- WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD={{ lookup('keepass', 'postfix_absender_passwort', 'password') }}
|
- WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD={{ lookup('keepass', 'postfix_absender_passwort', 'password') }}
|
||||||
- WATCHTOWER_NOTIFICATION_EMAIL_DELAY=2
|
- WATCHTOWER_NOTIFICATION_EMAIL_DELAY=2
|
||||||
- WATCHTOWER_NO_STARTUP_MESSAGE=true
|
- WATCHTOWER_NO_STARTUP_MESSAGE=true
|
||||||
|
- WATCHTOWER_SCHEDULE=0 20 3 * * * # jeden Tag um 03:20
|
||||||
labels:
|
labels:
|
||||||
- com.centurylinklabs.watchtower.enable=true
|
- com.centurylinklabs.watchtower.enable=true
|
||||||
|
|
||||||
|
|
|
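Review bot: Dropping `TZ=Europe/Berlin` in favour of the `/etc/localtime` mount makes the new `WATCHTOWER_SCHEDULE=0 20 3 * * *` depend on that one file; if the mount ever fails to resolve inside the minimal watchtower image, the job silently runs at 03:20 UTC instead of local time and the update window shifts by an hour or two. Keeping `- TZ=Europe/Berlin` alongside the mount costs nothing and pins the intent. The trailing comment is in German in an otherwise English file; `# every day at 03:20` would match the rest.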
@ -77,7 +77,12 @@
|
||||||
state: present
|
state: present
|
||||||
- name: blocky
|
- name: blocky
|
||||||
state: present
|
state: present
|
||||||
|
- name: lldap
|
||||||
|
state: absent
|
||||||
|
network: traefik
|
||||||
|
- name: authelia
|
||||||
|
state: absent
|
||||||
|
network: nw_aaa
|
||||||
#### mgrote.set_permissions
|
#### mgrote.set_permissions
|
||||||
dir_permissions:
|
dir_permissions:
|
||||||
- path: /mnt/httpd
|
- path: /mnt/httpd
|
||||||
|
|
BIN
keepass_db.kdbx
BIN
keepass_db.kdbx
Binary file not shown.
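Review bot: The KeePass database `keepass_db.kdbx` that every `lookup('keepass', …)` in these files reads is itself tracked in the repository, so anyone with read access to the repo holds every secret behind it protected only by the database master key and can attempt offline guessing at leisure. If the file must stay in git, confirm the database uses the Argon2 KDF with a generous cost and a long passphrase, and rotate the stored secrets if the repository was ever shared more widely; the cleaner alternative is to keep the file out of the tree and point the lookup at an untracked path.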