diff --git a/authelia/configuration.yml b/authelia/configuration.yml deleted file mode 100644 index d336633..0000000 --- a/authelia/configuration.yml +++ /dev/null 
@@ -1,244 +0,0 @@ -server.host: 0.0.0.0 -server.port: 9091 -server: - read_buffer_size: 4096 - write_buffer_size: 4096 - path: "authelia" -log.level: debug -jwt_secret: M22162530 -totp: - issuer: authelia.com - period: 30 - skew: 1 -default_redirection_url: https://pukeko.xyz/ -authentication_backend: - disable_reset_password: false - file: - path: /config/users_database.yml - password: - algorithm: argon2id - iterations: 1 - key_length: 32 - salt_length: 16 - memory: 512 - parallelism: 8 -access_control: - default_policy: deny - rules: -# Dumb redirect to dash.pukeko.xyz - do not auth - - domain: "pukeko.xyz" - policy: bypass -# Allow access from internal network - - domain: - - "*.pukeko.xyz" - networks: - #Docker main subnet - - 150.200.0.1/24 - #Docker subnet A - - 150.201.0.1/24 - #Docker subnet B - - 150.202.0.1/24 - # Home - - 192.168.0.0/24 - # Wireguard - - 10.8.0.0/16 - policy: bypass -# Allow access to container's /api address - - domain: - - "*.pukeko.xyz" - resources: - - "^/api.*" - policy: bypass -# Allow access to specific subdomains with family group - - domain: "dash.pukeko.xyz" - policy: one_factor - subject: "group:family" - - domain: "cloud.pukeko.xyz" - policy: one_factor - subject: "group:family" - - domain: "photos.pukeko.xyz" - policy: one_factor - subject: "group:family" - - domain: "tv.pukeko.xyz" - policy: one_factor - subject: "group:family" - - domain: "movies.pukeko.xyz" - policy: one_factor - subject: "group:family" - - domain: "subtitles.pukeko.xyz" - policy: one_factor - subject: "group:family" - - domain: "torrent.pukeko.xyz" - policy: one_factor - subject: "group:family" - - domain: "news.pukeko.xyz" - policy: one_factor - subject: "group:family" - - domain: "tasks.pukeko.xyz" - policy: one_factor - subject: "group:family" -# Allow access to shares within Filebrowser - - domain: "cloud.pukeko.xyz" - policy: bypass - resources: -# Match only /share/ url's - Filebrowser's shares - - '^/share([/?].*)?$' - - domain: - - 
"git.pukeko.xyz" - policy: bypass - resources: - - "^/public([/?].*)?$" - - ".*/shmick/study.git" - - domain: - - "photos.pukeko.xyz" - policy: bypass - resources: - - "^.*/s/.*$" - - '^/s([/?].*)?$' - - domain: - - "*.pukeko.xyz" - policy: two_factor -# Allow access to public Git repository -session: - name: authelia_session - secret: M22162530 - expiration: 1h - inactivity: 5m - remember_me_duration: 1M - domain: "pukeko.xyz" - redis: - host: authelia_redis - port: 6379 -regulation: - max_retries: 3 - find_time: 2m - ban_time: 5m -storage: - encryption_key: "D3$RQ2N%S*t@q*hA@i53yb7aG5eSRgpFYqXU@Na3E^j&UB*JGEG#eRoT$vs8#h#mNM3BDA549JNabVaM7vM6pZ89YxE*a68zZ%^RCx@GV362V6$jo*mA!X5%y7M9Ru*F" - local: - path: /config/db.sqlite3 -notifier: - disable_startup_check: false - smtp: - host: smtp.zoho.com - port: 587 - timeout: 5s - username: "matan@pukeko.xyz" - password: "DjazsDaEzrU9" - sender: matan@pukeko.xyz - identifier: localhost - subject: "[Authelia] {authelia}" - startup_check_address: test@authelia.com - disable_require_tls: false - disable_html_emails: false -identity_providers: - oidc: - issuer_private_key: | - -----BEGIN RSA PRIVATE KEY----- - MIIEogIBAAKCAQEAnkzvqdtgIl71Bd7fIarSCDLI/dhTyl8G+xdmoH9wH3dGqbbn - m0SV280wVRVEkGEJIohqXY+DMNrLiqvPvCTxjYAyqinjHqQFsEgtDsQ7rqpoi2U/ - 3HvAdF+2obQvFz5w5urkXKyLTfkFU7+tvjiJhCYvAoUZA/Bx0LcK8Hh0OhuwN0L9 - 9Rq7VK0HlC5TlP1nRCUZYEDNLR0mKcKqCuAST8m5FucF/ZQaanF9anphgRavbUfp - EyKvnbPGZLPf4IjbRQbxfwyNqRcDjNaP4ytjAAY4+F6aSdZePos08IzC8qemgqEm - /iKVn9XUcgwZ/EjITLoEbzoFUJV91H0CiyfuBwIDAQABAoIBAHWMGddekGdVbcrb - MYOVjfsKgxeEQMwgflWLjeiWWRL0hiNWL2urpUAfgMldTpmLhLYA6ELrY3auscAa - Ttqd8ESrsnOLQRyqnZLGNbcmXk8YOSNxntdBiaqgvEQdQW6YLkw6ljJ+6b6PsLX8 - uq5q2yqnE/diEC5NqKZclaH1QBE4/R+iDRXuAgrHvArv9uL0pD+lrms7dEfHcewn - vKzv3+AKv0maGQ+aZyh3i0xPvmMqiT8ddvRmSqq60aCtCrVezJ8rd1D7IxLQ3t/T - uR0jwCf8kPS8KNcPgGb5RuJ4Up+8IywU8PSiReIugD+wyvVxWLTcMCEXd7qITofR - pWF447ECgYEAwpSRc26hEo9JX0yBAP5dqBKdW8BJzxjCjWJ5N1KmZFppuymyJ7I0 - 
2aGUM8ffm8uiecJpMmnzUuF9v2/SjcsDghcslSn9qczajBI4x1Xic1272HjstrfO - 9HSoGf1M1Rn7tHFFoM/ydELMkTacxvZa6i3d+UmZ3OBDheGTj1c4lK8CgYEA0ES1 - ln+JRGW+sMBEhP6VZgGXkwgLJzMCDJQ1riNfYy/UxFldXB2Tz7+pAVYUndRsMh+u - DHcBFe9ENnYMDfba434NqyhmWEeXgtJ1ICu1nunltTtM458zB84OGt9j8mmCTedW - HxfyE0YGYgVF47n7fc+h5QB/3BapK7diOUYtQikCgYBcQZbJFT33j8ppDdvofbIo - O1MyqnQUZhfwcy0n5t8Pm7Kf1AAtRBg8y5h6CJ1jv+Q0ONIp3gRJWrKFbt507jmm - l5hCzRsBRCim2wjisjzhGCM1WvhZFcNhMmJ1mByyuVQXVNF/krjRGM7nVu50g1/N - wpuJU7VI/WfmdXLCNseT7wKBgCvxk28B0fDAlw+sQcjd/p/bTiQT2maW+KO20ezA - Qewnt3kGchBxnTKEeiByDT+QBpQ84vh2U6BRL89d8QUxRNYjTrcCezW9RVaxGU2E - a3nwWCt5K6wLdzT6YTeCUxBe+sN9QEqnPsiaSdZ8zlZSc6IEIWC0TkYd8evrcaos - CHihAoGAFt+od36TPiYgczaoWJ2dlLz6xLnPn/nhrSICxJhdBtCywT1uxH0THaiA - NiAwc5R8fJUPBuIdd0ur/mgAV8VTcXsY/mvihrHnqCKinQKdCt1yukpFhvs68AyP - O+iDoe3R22OcCFg+wuEMGDPspkNtuKV0j0UvqtaDuWqWZNOyYCU= - -----END RSA PRIVATE KEY----- - - clients: - - id: portainer - description: Portainer CE - secret: '8zDD%J3Z66A4uL%!N*G@@Uo5b6z2JbgQ3fxCr39o%LXE%Yb@6SAegGGU#!v*o3Z5u$2WJ#YC6TwEb723rZ$bbtmNJ#35Nsq7E!i9v$jU223$C@!Z&Nkwa&^Yg#DmDxk5' - pre_configured_consent_duration: 100y - redirect_uris: - - https://portain.pukeko.xyz/ - - - id: gitea - description: Gitea - secret: '3s4as%cU$cKH2&MiXwzC#h8GJCY2eoS%#7&*9qC&H$ujv%qD8P6rWvrtbM8$f2#zM^phWUAz%2Bk7gCGJf#nA&i3BKvwG79&5hdp&mgddhdSFt&3BpX%a2Sv*Z#mK^J3' - pre_configured_consent_duration: 100y - redirect_uris: - - https://git.pukeko.xyz/user/oauth2/Authelia/callback - - - id: wikijs - description: WikiJS - secret: 'mT#!fwRZ3$pE5g2rG4CCNKLkg4zg7&3L92e9LGemfYMbr92gPos&Js*4DU#&^*EUJ#PrP*y#W$W7^i2#zqJPhiK$3$z9uDNXYA$h9Urcuo8!Ggcq^#C6dow^s*VxV&WU' - public: false - authorization_policy: two_factor - pre_configured_consent_duration: 100y - redirect_uris: - - https://wiki.pukeko.xyz/login/a8755bfb-8a4e-49b7-b31b-43ac5638367a/callback - - - id: wikijs_study - description: WikiJS-Study - secret: 
'jPdRbutexLB9aTanEthKiTXVtzcYsM3N9DmwbBKXdSikMRYWKLAMffETp9ads6cTAgkBMNu9Cp8aujFdXcEkpEeq5cMHc3KoiS64HHCK9CrVLH4PHdDFxLquGbd2h3Sz' - public: false - authorization_policy: two_factor - pre_configured_consent_duration: 100y - redirect_uris: - - https://logos.pukeko.xyz/login/2a01989c-e0f5-431a-95f1-c3e0383f67ce/callback - - - id: grafana - description: Grafana - secret: 'P6x3vpNvZcLCZnmwts7E3sEYmtnLVx2cmjPafyFjNRHRsJmcBajaGYzdYjEB4iZemmCTK5H5QAxqg8fSmjMkydKkYcynDgbCciR3tdz3XbcKgRX3LpDVFHqejEKLPz7n' - public: false - authorization_policy: two_factor - pre_configured_consent_duration: 100y - redirect_uris: - - https://flight.pukeko.xyz/login/generic_oauth - scopes: - - openid - - profile - - groups - - email - userinfo_signing_algorithm: none - - - id: vikunja - description: Vikunja - secret: 'ryKVwXhfHeAQKJJHwejEpK66pAuTGvY2saZArKTFZPjWVs2fKNHDAwah8TbPP44LGKYPBYJxU5Ua5H4Su87DAY4ktpAz6UfmpB9XnXCPoACtBrwBgykjoC6cUzXJRc7t' - pre_configured_consent_duration: 100y - authorization_policy: one_factor - redirect_uris: - - https://tasks.pukeko.xyz/auth/openid/ - - https://tasks.pukeko.xyz/auth/openid/authelia - - https://tasks.pukeko.xyz/api/oidc/authorization - scopes: - - openid - - email - - profile - - groups - - - id: docspell - description: Docspell - secret: 'tEf47Me$YsXG8K4%63$%!kbMqbgVnc*bAq2i4SPERay#T!&ajc35m&D%C#uRMiaSv@cRFxwMcqo%SwEq*49G9HufJ&d#^f*&MK9hzU6s&7C2^XmfGC8Up7YeegnH#VhP' - pre_configured_consent_duration: 100y - authorization_policy: one_factor - redirect_uris: - - https://docs.pukeko.xyz/api/v1/open/auth/openid/authelia/resume - scopes: - - openid - - email - - profile - - groups - userinfo_signing_algorithm: none - response_types: - - code - grant_types: - - authorization_code diff --git a/authelia/openid.yml b/authelia/openid.yml deleted file mode 100644 index c7b3410..0000000 --- a/authelia/openid.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -identity_providers: - oidc: - hmac_secret: &R#&e^xYwijUmr5d$5$Wa^Ki@g3%@6Ehykih#u@qUtFK9%rHy9H6soBr^86^4p!H*q!u4D7Pq6j&pXUz2jVrF992mejt&5s3mvG^q8Ls7UZCyo8rd&$BVTx@y#s%yf5U #Bitwarden - issuer_private_key: | - --- KEY START -MIIEogIBAAKCAQEAnkzvqdtgIl71Bd7fIarSCDLI/dhTyl8G+xdmoH9wH3dGqbbn -m0SV280wVRVEkGEJIohqXY+DMNrLiqvPvCTxjYAyqinjHqQFsEgtDsQ7rqpoi2U/ -3HvAdF+2obQvFz5w5urkXKyLTfkFU7+tvjiJhCYvAoUZA/Bx0LcK8Hh0OhuwN0L9 -9Rq7VK0HlC5TlP1nRCUZYEDNLR0mKcKqCuAST8m5FucF/ZQaanF9anphgRavbUfp -EyKvnbPGZLPf4IjbRQbxfwyNqRcDjNaP4ytjAAY4+F6aSdZePos08IzC8qemgqEm -/iKVn9XUcgwZ/EjITLoEbzoFUJV91H0CiyfuBwIDAQABAoIBAHWMGddekGdVbcrb -MYOVjfsKgxeEQMwgflWLjeiWWRL0hiNWL2urpUAfgMldTpmLhLYA6ELrY3auscAa -Ttqd8ESrsnOLQRyqnZLGNbcmXk8YOSNxntdBiaqgvEQdQW6YLkw6ljJ+6b6PsLX8 -uq5q2yqnE/diEC5NqKZclaH1QBE4/R+iDRXuAgrHvArv9uL0pD+lrms7dEfHcewn -vKzv3+AKv0maGQ+aZyh3i0xPvmMqiT8ddvRmSqq60aCtCrVezJ8rd1D7IxLQ3t/T -uR0jwCf8kPS8KNcPgGb5RuJ4Up+8IywU8PSiReIugD+wyvVxWLTcMCEXd7qITofR -pWF447ECgYEAwpSRc26hEo9JX0yBAP5dqBKdW8BJzxjCjWJ5N1KmZFppuymyJ7I0 -2aGUM8ffm8uiecJpMmnzUuF9v2/SjcsDghcslSn9qczajBI4x1Xic1272HjstrfO -9HSoGf1M1Rn7tHFFoM/ydELMkTacxvZa6i3d+UmZ3OBDheGTj1c4lK8CgYEA0ES1 -ln+JRGW+sMBEhP6VZgGXkwgLJzMCDJQ1riNfYy/UxFldXB2Tz7+pAVYUndRsMh+u -DHcBFe9ENnYMDfba434NqyhmWEeXgtJ1ICu1nunltTtM458zB84OGt9j8mmCTedW -HxfyE0YGYgVF47n7fc+h5QB/3BapK7diOUYtQikCgYBcQZbJFT33j8ppDdvofbIo -O1MyqnQUZhfwcy0n5t8Pm7Kf1AAtRBg8y5h6CJ1jv+Q0ONIp3gRJWrKFbt507jmm -l5hCzRsBRCim2wjisjzhGCM1WvhZFcNhMmJ1mByyuVQXVNF/krjRGM7nVu50g1/N -wpuJU7VI/WfmdXLCNseT7wKBgCvxk28B0fDAlw+sQcjd/p/bTiQT2maW+KO20ezA -Qewnt3kGchBxnTKEeiByDT+QBpQ84vh2U6BRL89d8QUxRNYjTrcCezW9RVaxGU2E -a3nwWCt5K6wLdzT6YTeCUxBe+sN9QEqnPsiaSdZ8zlZSc6IEIWC0TkYd8evrcaos -CHihAoGAFt+od36TPiYgczaoWJ2dlLz6xLnPn/nhrSICxJhdBtCywT1uxH0THaiA -NiAwc5R8fJUPBuIdd0ur/mgAV8VTcXsY/mvihrHnqCKinQKdCt1yukpFhvs68AyP -O+iDoe3R22OcCFg+wuEMGDPspkNtuKV0j0UvqtaDuWqWZNOyYCU= - --- KEY END - access_token_lifespan: 1h - authorize_code_lifespan: 1m - id_token_lifespan: 1h - 
refresh_token_lifespan: 90m - enable_client_debug_messages: false - clients: - - id: portainer - description: Container management interface - secret: 8zDD%J3Z66A4uL%!N*G@@Uo5b6z2JbgQ3fxCr39o%LXE%Yb@6SAegGGU#!v*o3Z5u$2WJ#YC6TwEb723rZ$bbtmNJ#35Nsq7E!i9v$jU223$C@!Z&Nkwa&^Yg#DmDxk5 #Bitwarden - public: false - authorization_policy: two_factor - audience: [] - scopes: - - openid - - groups - - email - - profile - redirect_uris: - - https://oidc.example.com:8080/oauth2/callback - grant_types: - - refresh_token - - authorization_code - response_types: - - code - response_modes: - - form_post - - query - - fragment - userinfo_signing_algorithm: none - - diff --git a/authelia/users_database.yml b/authelia/users_database.yml index ec37ad4..91c00ed 100644 --- a/authelia/users_database.yml +++ b/authelia/users_database.yml 
@@ -1,43 +1,7 @@
 users:
- ishgamad:
- password: $argon2id$v=19$m=65536,t=1,p=8$aDNUbCtTSEpJdkJnL1B5aQ$lSTiaRsWgPpTqYSGissf4umr0VQPPulynH9igqiMVFg
- displayname: Omer Horovitz
- email: ishgamad@gmail.com
+ admin:
+ password: some-argon2-encrypted-pass
+ displayname: Potato potato
+ email: potato@potato.com
 groups:
- - family
- joe:
- password: $argon2id$v=19$m=65536,t=1,p=8$aDNUbCtTSEpJdkJnL1B5aQ$lSTiaRsWgPpTqYSGissf4umr0VQPPulynH9igqiMVFg
- displayname: Jospeh Horovitz
- email: yhorovitz@gmail.com
- groups:
- - family
- matan:
- password: $argon2id$v=19$m=65536,t=1,p=8$aDNUbCtTSEpJdkJnL1B5aQ$lSTiaRsWgPpTqYSGissf4umr0VQPPulynH9igqiMVFg
- displayname: Matan Horovitz
- groups:
- - family
- shmick:
- password: $argon2id$v=19$m=524288,t=1,p=8$OXZDU0NqS3J1VVBhWkdGMg$yvlKAog0MTtP95VpXgeWFnyiX5uNGK23vDqmcP8lLAU
- displayname: Shmickonon Shmickovski
- email: matanhorovitz@protonmail.com
- groups:
- - admins
- - dev
- sigal:
- password: $argon2id$v=19$m=65536,t=1,p=8$aDNUbCtTSEpJdkJnL1B5aQ$lSTiaRsWgPpTqYSGissf4umr0VQPPulynH9igqiMVFg
- displayname: Sigal Horovitz
- email: sigalh666@gmail.com
- groups:
- - family
- tieke:
- password: $argon2id$v=19$m=65536,t=1,p=8$Q1lhdTgzZU9KUGRYaElPRg$HsXPgSjC0gmpbXjrvg1kb6FJdrSZlO8dL2jxvXRY9vc
- displayname: Guest User
- email: ""
- groups:
- - guest
- yuval:
- password: $argon2id$v=19$m=65536,t=1,p=8$aDNUbCtTSEpJdkJnL1B5aQ$lSTiaRsWgPpTqYSGissf4umr0VQPPulynH9igqiMVFg
- displayname: Yuval Horovitz
- email: iamJUSTICEo3o@gmail.com
- groups:
- - family
+ - potato
diff --git a/docker-compose.yml b/docker-compose.yml
deleted file mode 100644
index fc6bfce..0000000
--- a/docker-compose.yml
+++ /dev/null
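Review bot: The new `admin` entry's `password: some-argon2-encrypted-pass` is not a `$argon2id$...` hash, and as far as I recall Authelia's file backend validates hash format when it loads `users_database.yml`, so this placeholder will most likely stop the container from starting; either generate a real hash (`authelia crypto hash generate argon2`) or make it a `{{ ADMIN_PASSWORD_HASH }}` placeholder like the rest of this commit's templating. Scrubbing the real users, hashes and emails here (and deleting `configuration.yml`, `openid.yml` and `docker-compose.yml`) does not remove them from git history: the removed `jwt_secret`, session `secret`, storage `encryption_key`, SMTP password, Cloudflare API key/token, OIDC `issuer_private_key`, `hmac_secret` and every client `secret` must be treated as compromised and rotated, and the history rewritten or the repository considered public. Note also that five of the removed users shared the identical hash and salt (`aDNUbCtTSEpJdkJnL1B5aQ`), i.e. the same password, which makes rotating those accounts more urgent.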
@@ -1,164 +0,0 @@ -services: - traefik: - image: "traefik:v2.10.4" - container_name: "traefik" - privileged: true - command: - - "--log.level=DEBUG" - - "--api.insecure=true" - - "--providers.docker=true" - - "--providers.docker.exposedbydefault=false" - - "--entrypoints.web.address=:80" - - "--entrypoints.pukekos.address=:443" - - "--entrypoints.web.http.redirections.entrypoint.to=pukekos" - - "--certificatesresolvers.takaheresolver.acme.dnschallenge=true" - - "--certificatesresolvers.takaheresolver.acme.dnschallenge.provider=cloudflare" - # - "--certificatesresolvers.takaheresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory" - - "--certificatesresolvers.takaheresolver.acme.email=matanhorovitz@protonmail.com" - - "--certificatesresolvers.takaheresolver.acme.storage=/certs/acme.json" - - "--certificatesresolvers.takaheresolver.acme.dnschallenge.resolvers=1.1.1.1:53" - ports: - - "80:80" - - "443:443" - - "8282:8080" - environment: - - CF_API_KEY=12fd3e74bd60d39d192ff0e51fa2f6af90402 - - CF_API_EMAIL=matanhorovitz@protonmail.com - - CF_DNS_API_TOKEN=0dFNYA8qtzVhVtGi4nEb7_aclTOdGthYm5Q7N05n - volumes: - - "./certs:/certs" - - "/var/run/docker.sock:/var/run/docker.sock" - networks: - - network - - internal - - arr_network - - filebrowser_network - - gitea_network - - vaultwarden_network - - vikunja_network - - jellyfin_network - - joplin_network - - photoprism_network - - portainer_network - - prometheus_network - - qbittorrent_network - - syncthing_network - - wikijs_network - - wikijs_study_instance_network - - wireguard_network - restart: unless-stopped - labels: - - "traefik.enable=true" - - "traefik.http.routers.domain.entrypoints=pukekos" - - "traefik.http.routers.domain.rule=Host(`pukeko.xyz`)" - - "traefik.http.routers.domain.tls.certresolver=takaheresolver" - - "traefik.http.routers.domain.middlewares=domain" - - 'traefik.http.middlewares.domain.redirectregex.regex=^https://pukeko.xyz/(.*)' - - 
'traefik.http.middlewares.domain.redirectregex.replacement=https://dash.pukeko.xyz/$${1}' - - "traefik.http.middlewares.domain.redirectregex.permanent=true" - - "traefik.tls.stores.default.defaultgeneratedcert.resolver=takaheresolver" - - "traefik.tls.stores.default.defaultgeneratedcert.domain.main=pukeko.xyz" - # user: 1001:1001 - homer: - image: b4bz/homer - container_name: homer - volumes: - - ./homer/:/www/assets - ports: - - 4957:8080 - environment: - - UID=1000 - - GID=1000 - restart: unless-stopped - labels: - - "traefik.enable=true" - - "traefik.http.routers.homer.entrypoints=pukekos" - - "traefik.http.routers.homer.rule=Host(`dash.pukeko.xyz`)" - - "traefik.http.routers.homer.service=homer-traefik@docker" - - "traefik.http.routers.homer.tls.certresolver=takaheresolver" - - "traefik.http.routers.homer.middlewares=authelia@docker" - networks: - - internal - authelia: - image: authelia/authelia:latest - container_name: authelia - environment: - - TZ=Asia/Jerusalem - # - AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE=/run/secrets/private_key - volumes: - - ./authelia:/config - restart: unless-stopped - secrets: - - hmac - - private_key - labels: - - 'traefik.enable=true' - - 'traefik.http.routers.authelia.rule=Host(`auth.pukeko.xyz`)' - - 'traefik.http.routers.authelia.entrypoints=pukekos' - - "traefik.http.routers.authelia.service=authelia-traefik@docker" - - 'traefik.http.routers.authelia.tls=true' - - "traefik.http.routers.authelia.tls.certresolver=takaheresolver" - - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.pukeko.xyz/' - - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true' - - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email' - - 'traefik.http.middlewares.authelia-basic.forwardauth.address=http://authelia:9091/api/verify?auth=basic' - - 
'traefik.http.middlewares.authelia-basic.forwardauth.trustForwardHeader=true' - - 'traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email' - networks: - - internal - expose: - - 9091 - redis: - image: redis:alpine - container_name: authelia_redis - volumes: - - ./redis:/data - networks: - - internal - expose: - - 6379 - restart: unless-stopped -secrets: - hmac: - file: ./authelia/secrets/hmac - private_key: - file: ./authelia/secrets/issuer_private_key -networks: - network: - driver: bridge - internal: - driver: bridge - arr_network: - external: true - filebrowser_network: - external: true - gitea_network: - external: true - #jekyll_network: - # external: true - jellyfin_network: - external: true - joplin_network: - external: true - photoprism_network: - external: true - podgrab_network: - external: true - portainer_network: - external: true - prometheus_network: - external: true - vaultwarden_network: - external: true - vikunja_network: - external: true - wikijs_network: - external: true - wikijs_study_instance_network: - external: true - wireguard_network: - external: true - qbittorrent_network: - external: true - syncthing_network: - external: true diff --git a/docker-compose.yml.j2 b/docker-compose.yml.j2 new file mode 100644 index 0000000..0047615 --- /dev/null +++ b/docker-compose.yml.j2 
@@ -0,0 +1,99 @@
+services:
+
+ traefik:
+ image: "traefik:latest"
+ container_name: "traefik"
+ privileged: true
+ command:
+ - "--log.level=INFO"
+ - "--api.insecure=true"
+ - "--providers.docker=true"
+ - "--providers.docker.exposedbydefault=false"
+ - "--entrypoints.web.address=:80"
+ - "--entrypoints.web_secure.address=:443"
+ - "--entrypoints.web.http.redirections.entrypoint.to=web_secure"
+ - "--certificatesresolvers.certresolver.acme.dnschallenge=true"
+ - "--certificatesresolvers.certresolver.acme.dnschallenge.provider=cloudflare"
+# - "--certificatesresolvers.certresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+ - "--certificatesresolvers.certresolver.acme.email={{ CF_API_EMAIL }}"
+ - "--certificatesresolvers.certresolver.acme.storage=/certs/acme.json"
+ - "--certificatesresolvers.certresolver.acme.dnschallenge.resolvers=1.1.1.1:53"
+ ports:
+ - "80:80"
+ - "443:443"
+ - "8282:8080"
+ environment:
+ - CF_API_KEY={{ CF_API_KEY }}
+ - CF_API_EMAIL={{ CF_API_EMAIL }}
+ - CF_DNS_API_TOKEN={{ CF_API_TOKEN }}
+ volumes:
+ - "./certs:/certs"
+ - "/var/run/docker.sock:/var/run/docker.sock"
+ networks:
+ - network
+ - ddclient_network
+ - prometheus_network
+ restart: unless-stopped
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.domain.entrypoints=web_secure"
+ - "traefik.http.routers.domain.rule=Host(`{{ DOMAIN }}`)"
+ - "traefik.http.routers.domain.tls.certresolver=certresolver"
+ - "traefik.http.routers.domain.middlewares=domain"
+ - 'traefik.http.middlewares.domain.redirectregex.regex=^https://{{ DOMAIN }}/(.*)'
+ - 'traefik.http.middlewares.domain.redirectregex.replacement=https://dash.{{ DOMAIN }}/$${1}'
+ - "traefik.http.middlewares.domain.redirectregex.permanent=true"
+ - "traefik.tls.stores.default.defaultgeneratedcert.resolver=certresolver"
+ - "traefik.tls.stores.default.defaultgeneratedcert.domain.main={{ DOMAIN }}"
+
+ authelia:
+ image: authelia/authelia:latest
+ container_name: authelia
+ environment:
+ - TZ=Asia/Jerusalem
+ volumes:
+ - ./authelia:/config
+ restart: unless-stopped
+ secrets:
+ - hmac
+ - private_key
+ labels:
+ - 'traefik.enable=true'
+ - 'traefik.http.routers.authelia.rule=Host(`auth.{{ DOMAIN }}`)'
+ - 'traefik.http.routers.authelia.entrypoints=web_secure'
+ - "traefik.http.routers.authelia.service=authelia-traefik@docker"
+ - 'traefik.http.routers.authelia.tls=true'
+ - "traefik.http.routers.authelia.tls.certresolver=certresolver"
+ - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.{{ DOMAIN }}/'
+ - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
+ - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email'
+ - 'traefik.http.middlewares.authelia-basic.forwardauth.address=http://authelia:9091/api/verify?auth=basic'
+ - 'traefik.http.middlewares.authelia-basic.forwardauth.trustForwardHeader=true'
+ - 'traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email'
+ networks:
+ - internal
+ redis:
+ image: redis:alpine
+ container_name: authelia_redis
+ restart: unless-stopped
+ volumes:
+ - ./redis:/data
+ networks:
+ - internal
+~
+
+secrets:
+ hmac:
+ file: ./authelia/secrets/hmac
+ private_key:
+ file: ./authelia/secrets/issuer_private_key
+
+networks:
+ network:
+ driver: bridge
+ internal:
+ driver: bridge
+ ddclient_network:
+ external: true
+ prometheus_network:
+ external: true
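Review bot: The traefik service's `networks:` list (`network`, `ddclient_network`, `prometheus_network`) no longer includes `internal`, but the authelia labels still route `auth.{{ DOMAIN }}` to `authelia-traefik@docker` and point both forwardauth middlewares at `http://authelia:9091/...`, and authelia and redis are attached only to `internal`; without `- internal` under traefik's networks Traefik cannot reach the authelia container and the whole auth flow fails (the deleted compose file did list `internal` there). The bare `~` line between the redis service and `secrets:` is not valid YAML at column 0 (it reads like a pasted vim end-of-buffer marker) and will break the rendered file; delete it. `--api.insecure=true` combined with `"8282:8080"` publishes the unauthenticated Traefik API/dashboard on every host interface from a `privileged: true` container that also mounts `/var/run/docker.sock`, which is effectively root on the host; bind it as `"127.0.0.1:8282:8080"` or drop `api.insecure` and put the dashboard behind the `authelia@docker` middleware. The images also moved from the pinned `traefik:v2.10.4` to `traefik:latest` (and `authelia/authelia:latest`), so the ingress and auth path are no longer reproducible; pin both tags.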