replace nforwardauth with authelia #231
3 changed files with 89 additions and 26 deletions
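--- /dev/null
+++ b/docker-compose/traefik/configuration.yml
@@ -0,0 +1,51 @@
+---
+server.host: 0.0.0.0
+server.port: 9091
+log:
+level: debug
+
+jwt_secret: c50498e29383564cd50bdeda9b74a3bf
+
+totp:
+issuer: totp.mgrote.net
+
+authentication_backend:
+file:
+path: /config/users_database.yml
+
+access_control:
+default_policy: deny
+rules:
+- domain: wiki.mgrote.net
+policy: one_factor
+
+session:
+name: authelia_session
+secret: unsecure_session_secret
+expiration: 3600 # 1 hour
+inactivity: 300 # 5 minutes
+domain: mgrote.net # Should match whatever your root protected domain is
+
+redis:
+host: authelia-redis
+port: 6379
+
+regulation:
+max_retries: 3
+find_time: 120
+ban_time: 300
+
+storage:
+encryption_key: f30ebde68b2c85c1b3fe2d16d9884190
+local:
+path: /data/db.sqlite3
+# db auf mariadb ändern
+
+#notifier:
+# smtp:
+# username: apikey
+# password: secret
+# host: smtp.sendgrid.net
+# port: 587
+# sender: no-reply@mydomain.com
+#configuration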
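Review bot: `jwt_secret` and `storage.encryption_key` are committed here as plaintext literals and `session.secret` is the literal placeholder `unsecure_session_secret`, so session cookies are signed with a guessable value and the other two now live in git history. The nforwardauth service this commit removes fed its secret from a KeePass lookup (`TOKEN_SECRET: "{{ lookup('viczem.keepass.keepass', …) }}"`), so the same mechanism should supply these three — keep the literals out of this file and pass them from the compose `environment:` block via `AUTHELIA_JWT_SECRET`, `AUTHELIA_SESSION_SECRET` and `AUTHELIA_STORAGE_ENCRYPTION_KEY` (or their `_FILE` variants), which I believe Authelia 4.38 honours over the YAML keys. Either way, rotate all three values now that they have been pushed, and drop `log.level: debug` once the rollout works, since debug logging is noisier than an auth portal should be. Two smaller points: `authentication_backend.file.path` points at `/config/users_database.yml`, but the compose hunk only mounts `./configuration.yml` into `/config` (plus `authelia_data:/data`), and the notifier block is entirely commented out, which I believe Authelia's startup validation rejects — check the container log before relying on this config.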
@ -24,35 +24,37 @@ services:
interval: 30s
interval: 30s
timeout: 10s
timeout: 10s
retries: 3
retries: 3
######## authelia ########
######## nforwardauth ########
authelia:
nforwardauth:
image: authelia/authelia:4.38.17
container_name: authelia
restart: unless-stopped
restart: unless-stopped
pull_policy: missing
pull_policy: missing
image: "nosduco/nforwardauth:v1.4.0"
container_name: traefik-nforwardauth
environment:
environment:
TOKEN_SECRET: "{{ lookup('viczem.keepass.keepass', 'nforwardauth_token_secret', 'password') }}"
TZ: Europe/Berlin
AUTH_HOST: auth.mgrote.net
labels:
traefik.enable: true
traefik.http.routers.nforwardauth.rule: Host(`auth.mgrote.net`)
traefik.http.middlewares.nforwardauth.forwardauth.address: http://nforwardauth:3000
traefik.http.services.nforwardauth.loadbalancer.server.port: 3000
traefik.http.routers.nforwardauth.tls: true
traefik.http.routers.nforwardauth.tls.certresolver: resolver_letsencrypt
traefik.http.routers.nforwardauth.entrypoints: entry_https
volumes:
volumes:
- "./passwd:/passwd:ro" # Mount local passwd file at /passwd as read only
- ./configuration.yml:/config/configuration.yml
networks:
- authelia_data:/data
- traefik
labels:
healthcheck:
traefik.enable: true'
test: ["CMD", "wget", "--quiet", "--spider", "--tries=1", "http://127.0.0.1:3000/login"]
traefik.http.routers.authelia.rule: Host(`auth.mgrote.net`)
interval: 10s
traefik.http.services.authelia.loadbalancer.server.port: 80
timeout: 5s
traefik.http.routers.authelia.tls: true
retries: 3
traefik.http.routers.authelia.tls.certresolver: resolver_letsencrypt
traefik.http.routers.authelia.entrypoints: entry_https
traefik.http.middlewares.authelia.forwardauth.address: http://authelia-service:9091/api/verify?rd=https://auth.mgrote.net'
traefik.http.middlewares.authelia.forwardauth.trustForwardHeader: true'
traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: Remote-User,Remote-Groups,Remote-Name,Remote-Email'
depends_on:
- authelia-redis
authelia-redis: # version!!!!
image: redis:7
container_name: authelia-redis
restart: unless-stopped
pull_policy: missing
environment:
TZ: Europe/Berlin
######## Networks ########
######## Networks ########
networks:
networks:
@ -61,7 +63,18 @@ networks:
######## Volumes ########
######## Volumes ########
volumes:
volumes:
acme_data:
acme_data:
authelia_data:
# passwd
# passwd
# echo "<user>:$(mkpasswd -m sha-512 <password>)"
# echo "<user>:$(mkpasswd -m sha-512 <password>)"
# TODO
# ldap user: https://www.authelia.com/configuration/first-factor/ldap/
# test mit whoami
# doku: https://ruanbekker.hashnode.dev/sso-with-authelia-using-traefik-on-docker
# healtchecks
# munin
# keepass aufraumen
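Review bot: Four of the new Traefik labels on the `authelia` service carry a stray trailing apostrophe — `traefik.enable: true'`, the `forwardauth.address` value ending in `auth.mgrote.net'`, `forwardauth.trustForwardHeader: true'` and `authResponseHeaders: …,Remote-Email'` — so Traefik is handed the string `true'` where it expects a boolean and will reject the router and middleware, leaving the hosts that reference the `authelia` middleware without any forward-auth step (and the last header name as `Remote-Email'`). Separately, the middleware address targets `http://authelia-service:9091` while the service defined in this hunk is `authelia` with `container_name: authelia`, and the portal router's `loadbalancer.server.port` is `80` although `configuration.yml` in this same commit sets `server.port: 9091`; unless an `authelia-service` alias exists outside the hunk, Traefik can neither reach the verify endpoint nor proxy the login portal. The removed nforwardauth service also declared `networks: - traefik` and a `healthcheck:`, both of which the new service drops, so it may not even be on the network Traefik uses. Corrected labels below, with the network membership restored assuming the top-level `traefik` network is still defined.
```yaml
    labels:
      traefik.enable: true
      traefik.http.routers.authelia.rule: Host(`auth.mgrote.net`)
      traefik.http.services.authelia.loadbalancer.server.port: 9091
      # … unchanged: tls, certresolver and entrypoints labels …
      traefik.http.middlewares.authelia.forwardauth.address: http://authelia:9091/api/verify?rd=https://auth.mgrote.net
      traefik.http.middlewares.authelia.forwardauth.trustForwardHeader: true
      traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: Remote-User,Remote-Groups,Remote-Name,Remote-Email
    networks:
      - traefik
```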
@ -1 +0,0 @@
{{ lookup('viczem.keepass.keepass', 'nforwardauth-mg-hash', 'password') }}