replace nforwardauth with authelia #231
3 changed files with 89 additions and 26 deletions
docker-compose/traefik/configuration.yml
@ -0,0 +1,51 @@
---
server.host: 0.0.0.0
server.port: 9091
log:
level: debug
jwt_secret: c50498e29383564cd50bdeda9b74a3bf
totp:
issuer: totp.mgrote.net
authentication_backend:
file:
path: /config/users_database.yml
access_control:
default_policy: deny
rules:
- domain: wiki.mgrote.net
policy: one_factor
session:
name: authelia_session
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
domain: mgrote.net # Should match whatever your root protected domain is
redis:
host: authelia-redis
port: 6379
regulation:
max_retries: 3
find_time: 120
ban_time: 300
storage:
encryption_key: f30ebde68b2c85c1b3fe2d16d9884190
local:
path: /data/db.sqlite3
# db auf mariadb ändern
#notifier:
# smtp:
# username: apikey
# password: secret
# host: smtp.sendgrid.net
# port: 587
# sender: no-reply@mydomain.com
#configuration
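Review bot: `jwt_secret`, `session.secret` and `storage.encryption_key` are committed as plaintext values in a tracked configuration file, while the rest of this repository pulls credentials through the `viczem.keepass.keepass` lookup; the session secret is even the literal placeholder `unsecure_session_secret`. These three should move to Authelia's file-based secrets (`AUTHELIA_JWT_SECRET_FILE`, `AUTHELIA_SESSION_SECRET_FILE`, `AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE`, each pointing at a file populated from the keepass lookup) and, because the current values are now in git history, be regenerated before this is deployed. `level: debug` under `log:` records verbose per-request detail into the container log; `info` is the sensible setting once the setup works. The `notifier` block is entirely commented out, and as far as I recall Authelia 4.38 refuses to start unless either an `smtp` or a `filesystem` notifier is configured — confirm against the release's validation; a `filesystem` notifier writing under `/data` is the minimal fix. Indentation is not visible on this rendered page, so `level`, `issuer`, `path` and the other nested keys should be checked to sit under their parent maps in the actual file.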
@ -24,35 +24,37 @@ services:
interval: 30s
timeout: 10s
retries: 3
######## nforwardauth ########
nforwardauth:
######## authelia ########
authelia:
image: authelia/authelia:4.38.17
container_name: authelia
restart: unless-stopped
pull_policy: missing
image: "nosduco/nforwardauth:v1.4.0"
container_name: traefik-nforwardauth
environment:
TOKEN_SECRET: "{{ lookup('viczem.keepass.keepass', 'nforwardauth_token_secret', 'password') }}"
AUTH_HOST: auth.mgrote.net
labels:
traefik.enable: true
traefik.http.routers.nforwardauth.rule: Host(`auth.mgrote.net`)
traefik.http.middlewares.nforwardauth.forwardauth.address: http://nforwardauth:3000
traefik.http.services.nforwardauth.loadbalancer.server.port: 3000
traefik.http.routers.nforwardauth.tls: true
traefik.http.routers.nforwardauth.tls.certresolver: resolver_letsencrypt
traefik.http.routers.nforwardauth.entrypoints: entry_https
TZ: Europe/Berlin
volumes:
- "./passwd:/passwd:ro" # Mount local passwd file at /passwd as read only
networks:
- traefik
healthcheck:
test: ["CMD", "wget", "--quiet", "--spider", "--tries=1", "http://127.0.0.1:3000/login"]
interval: 10s
timeout: 5s
retries: 3
- ./configuration.yml:/config/configuration.yml
- authelia_data:/data
labels:
traefik.enable: true'
traefik.http.routers.authelia.rule: Host(`auth.mgrote.net`)
traefik.http.services.authelia.loadbalancer.server.port: 80
traefik.http.routers.authelia.tls: true
traefik.http.routers.authelia.tls.certresolver: resolver_letsencrypt
traefik.http.routers.authelia.entrypoints: entry_https
traefik.http.middlewares.authelia.forwardauth.address: http://authelia-service:9091/api/verify?rd=https://auth.mgrote.net'
traefik.http.middlewares.authelia.forwardauth.trustForwardHeader: true'
traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: Remote-User,Remote-Groups,Remote-Name,Remote-Email'
depends_on:
- authelia-redis
authelia-redis: # version!!!!
image: redis:7
container_name: authelia-redis
restart: unless-stopped
pull_policy: missing
environment:
TZ: Europe/Berlin
######## Networks ########
networks:
@ -61,7 +63,18 @@ networks:
######## Volumes ########
volumes:
acme_data:
authelia_data:
# passwd
# echo "<user>:$(mkpasswd -m sha-512 <password>)"
# TODO
# ldap user: https://www.authelia.com/configuration/first-factor/ldap/
# test mit whoami
# doku: https://ruanbekker.hashnode.dev/sso-with-authelia-using-traefik-on-docker
# healtchecks
# munin
# keepass aufraumen
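Review bot: Four labels in the new `authelia` service end with a stray `'` — `traefik.enable: true'`, the `forwardauth.address` value, `forwardauth.trustForwardHeader: true'` and `forwardauth.authResponseHeaders` — so the two booleans become the string `true'` and the verify URL ends in a quote, which Traefik will most likely reject when it builds the router and middleware, leaving the auth layer non-functional. The service port also disagrees with the new configuration.yml: `loadbalancer.server.port: 80` while Authelia is configured with `server.port: 9091`, and the middleware address names `authelia-service`, which matches neither the service key nor `container_name: authelia` unless an alias is defined elsewhere in the file. `authentication_backend.file.path: /config/users_database.yml` has no corresponding entry under `volumes:` (only `configuration.yml` and `authelia_data` are mounted), so the container starts without a user database unless it is provided some other way. Unlike the removed nforwardauth block, neither `authelia` nor `authelia-redis` declares `networks: - traefik`; if the Traefik container is attached only to that named network it cannot reach `authelia`, which is worth confirming against the part of the compose file outside this hunk. The volumes and labels as I would write them:
```yaml
    volumes:
      - ./configuration.yml:/config/configuration.yml:ro
      - ./users_database.yml:/config/users_database.yml  # TODO(review): confirm host path
      - authelia_data:/data
    labels:
      traefik.enable: "true"
      traefik.http.routers.authelia.rule: Host(`auth.mgrote.net`)
      traefik.http.services.authelia.loadbalancer.server.port: 9091
      # … unchanged: tls, certresolver, entrypoints …
      traefik.http.middlewares.authelia.forwardauth.address: http://authelia:9091/api/verify?rd=https://auth.mgrote.net
      traefik.http.middlewares.authelia.forwardauth.trustForwardHeader: "true"
      traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: Remote-User,Remote-Groups,Remote-Name,Remote-Email
```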
@ -1 +0,0 @@
{{ lookup('viczem.keepass.keepass', 'nforwardauth-mg-hash', 'password') }}