Cleaning up network configuration; Authelia bypasses
@@ -28,24 +28,48 @@ access_control:
|
||||
# Dumb redirect to dash.pukeko.xyz - do not auth
|
||||
- domain: "pukeko.xyz"
|
||||
policy: bypass
|
||||
# Allow access from internal network
|
||||
- domain:
|
||||
- "*.pukeko.xyz"
|
||||
networks:
|
||||
# Home
|
||||
- 192.168.0.0/24
|
||||
# traefik_internal
|
||||
- 172.19.0.0/16
|
||||
# Wireguard
|
||||
- 10.8.0.0/24
|
||||
policy: bypass
|
||||
# Allow access to container's /api address
|
||||
- domain:
|
||||
- "*.pukeko.xyz"
|
||||
resources:
|
||||
- "^/api.*"
|
||||
policy: bypass
|
||||
# Allow access to specific subdomains with family group
|
||||
- domain: "photos.pukeko.xyz"
|
||||
policy: one_factor
|
||||
subject: "group:family"
|
||||
- domain: "tv.pukeko.xyz"
|
||||
policy: one_factor
|
||||
subject: "group:family"
|
||||
- domain: "movies.pukeko.xyz"
|
||||
policy: one_factor
|
||||
subject: "group:family"
|
||||
# Allow access to shares within Filebrowser
|
||||
- domain: "cloud.pukeko.xyz"
|
||||
policy: bypass
|
||||
resources:
|
||||
# Match only /share/ url's - Filebrowser's shares
|
||||
- "^*/share/.*"
|
||||
- domain:
|
||||
- "git.pukeko.xyz"
|
||||
policy: bypass
|
||||
resources:
|
||||
- "^/public([/?].*)?$"
|
||||
- domain:
|
||||
- "*.pukeko.xyz"
|
||||
policy: two_factor
|
||||
# Allow access to public Git repository
|
||||
session:
|
||||
name: authelia_session
|
||||
secret: M22162530
|
||||
|
||||
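Review bot: The Filebrowser share rule on `cloud.pukeko.xyz` does not do what its comment says: Authelia compiles `resources` with Go's RE2, where `^*` is accepted as a zero-or-more repeat of the start anchor, so `^*/share/.*` is effectively unanchored and any path containing `/share/` anywhere (and, if Authelia also matches the query string, any query containing it) is exempted from authentication. Anchor it the way the Gitea rule below already does: `- "^/share([/?].*)?$"`. The `^/api.*` bypass on `*.pukeko.xyz` is loose in the same way — it also matches `/apikeys`, `/api-docs` and any future path starting with `api` on every subdomain — so prefer `^/api([/?].*)?$` and consider listing only the hosts that genuinely need unauthenticated API access, since each of those backends is now protected by its own API auth alone. `session.secret: M22162530` is a short literal committed alongside the config; the compose file already provisions Authelia secrets through `secrets:`, so move this to `AUTHELIA_SESSION_SECRET_FILE` and rotate it, as the current value is in history.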
@@ -11,6 +11,11 @@ users:
|
||||
email: yhorovitz@gmail.com
|
||||
groups:
|
||||
- family
|
||||
matan:
|
||||
password: $argon2id$v=19$m=65536,t=1,p=8$aDNUbCtTSEpJdkJnL1B5aQ$lSTiaRsWgPpTqYSGissf4umr0VQPPulynH9igqiMVFg
|
||||
displayname: Matan Horovitz
|
||||
groups:
|
||||
- family
|
||||
shmick:
|
||||
password: $argon2id$v=19$m=524288,t=1,p=8$OXZDU0NqS3J1VVBhWkdGMg$yvlKAog0MTtP95VpXgeWFnyiX5uNGK23vDqmcP8lLAU
|
||||
displayname: Shmickonon Shmickovski
|
||||
|
||||
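Review bot: The two argon2id hashes in this hunk were generated with different cost parameters — `matan` has `m=65536` while `shmick` has `m=524288`, both with `t=1` — so the new user's hash is roughly eight times cheaper to attack offline, which matters because this file lives in the repository with the hashes in it. If a uniform policy is intended, regenerate `matan`'s password with the parameters Authelia is configured to use, and if this repository is shared consider keeping personal addresses such as the one on the `email:` line out of committed files. The `users:` mapping begins above this hunk.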
@@ -12,6 +12,7 @@ services:
|
||||
- "--providers.docker.exposedbydefault=false"
|
||||
- "--entrypoints.web.address=:80"
|
||||
- "--entrypoints.websecure.address=:443"
|
||||
- "--entrypoints.web.http.redirections.entrypoint.to=websecure"
|
||||
- "--certificatesresolvers.pukekoresolver.acme.dnschallenge=true"
|
||||
- "--certificatesresolvers.pukekoresolver.acme.dnschallenge.provider=cloudflare"
|
||||
#- "--certificatesresolvers.pukekoresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
|
||||
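Review bot: The Cloudflare DNS challenge selected by `--certificatesresolvers.pukekoresolver.acme.dnschallenge.provider=cloudflare` needs an API credential that this hunk does not show; if it is supplied as a plain `CF_DNS_API_TOKEN` (or global `CF_API_KEY`) environment value, prefer the `_FILE` variant backed by a compose `secrets:` entry, as this stack already does for Authelia, and scope the token to DNS edit on this one zone only, because anyone who reads it can issue certificates for the domain. The challenge also verifies propagation through the host's resolvers by default, which is unreliable behind split-horizon or Pi-hole style DNS; `--certificatesresolvers.pukekoresolver.acme.dnschallenge.resolvers=1.1.1.1:53` makes that check deterministic. The `command:` list this belongs to starts above the hunk.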
@@ -30,7 +31,8 @@ services:
|
||||
- "./letsencrypt:/letsencrypt"
|
||||
- "/var/run/docker.sock:/var/run/docker.sock:ro"
|
||||
networks:
|
||||
- traefik_network
|
||||
- network
|
||||
- internal
|
||||
- arr_network
|
||||
- filebrowser_network
|
||||
- gitea_network
|
||||
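Review bot: Mounting `/var/run/docker.sock` into the internet-facing Traefik container, even as `:ro`, hands it full control of the Docker daemon — the `ro` flag only protects the socket file node, not the API behind it — so a compromise of Traefik is a root-equivalent compromise of the host. Put a socket proxy (for example tecnativa/docker-socket-proxy) on a network only Traefik can reach, allow just the read-only endpoints the Docker provider needs, and point Traefik at it with `--providers.docker.endpoint=tcp://docker-socket-proxy:2375` instead of the bind mount. Attaching Traefik to every application network listed here is fine for routing, but it also makes Traefik the one container that can reach every backend directly, which strengthens the case for limiting its Docker API access.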
@@ -54,17 +56,17 @@ services:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.routers.domain.entrypoints=websecure"
|
||||
- "traefik.http.routers.domain.rule=Host(`pukeko.xyz`)"
|
||||
- "traefik.http.routers.domain.service=noop@internal"
|
||||
- "traefik.http.routers.domain.tls.certresolver=pukekoresolver"
|
||||
- "traefik.http.routers.domain.middlewares=domain"
|
||||
- 'traefik.http.middlewares.domain.redirectregex.regex=^https://pukeko.xyz/(.*)'
|
||||
- 'traefik.http.middlewares.domain.redirectregex.replacement=https://dash.pukeko.xyz/$${1}'
|
||||
- "traefik.http.middlewares.domain.redirectregex.permanent=true"
|
||||
# user: 1001:1001
|
||||
homer:
|
||||
image: b4bz/homer
|
||||
container_name: homer
|
||||
volumes:
|
||||
- /Red-Vol/Media/Containers/homer/assets/:/www/assets
|
||||
- ./homer/:/www/assets
|
||||
ports:
|
||||
- 4957:8080
|
||||
environment:
|
||||
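Review bot: `ports: - 4957:8080` on the `homer` service publishes the dashboard directly on the host, so it is reachable without going through Traefik and therefore without the `authelia@docker` middleware that guards `homer.pukeko.xyz`; Docker-published ports also bypass host firewall rules such as ufw, so this is open to whatever can reach the host on 4957. Unless the direct port is needed, drop the `ports:` block (Traefik reaches the container over the shared networks), or at least bind it to loopback and quote the mapping: `- "127.0.0.1:4957:8080"`. Separately, the `redirectregex.regex` value `^https://pukeko.xyz/(.*)` leaves the `.` unescaped; `^https://pukeko\.xyz/(.*)` states the intent. Whether `ports:` is new or pre-existing cannot be recovered from this rendering.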
@@ -79,7 +81,7 @@ services:
|
||||
- "traefik.http.routers.homer.tls.certresolver=pukekoresolver"
|
||||
- "traefik.http.routers.homer.middlewares=authelia@docker"
|
||||
networks:
|
||||
- traefik_network
|
||||
- internal
|
||||
authelia:
|
||||
image: authelia/authelia:latest
|
||||
container_name: authelia
|
||||
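Review bot: `image: authelia/authelia:latest` on the `authelia` service leaves the authentication gateway on an unpinned floating tag, so any `docker compose pull` can silently bring in a release with breaking configuration changes or a retagged/compromised image, and the repository no longer records which version protected the site at a given commit. Pin it to a release tag, ideally with the digest currently deployed, e.g. `image: authelia/authelia:<version>@sha256:<digest>`, and bump it deliberately. The same applies to `b4bz/homer` in the previous hunk, which carries no tag at all.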
@@ -103,19 +105,17 @@ services:
|
||||
- 'traefik.http.middlewares.authelia-basic.forwardauth.address=http://authelia:9091/api/verify?auth=basic'
|
||||
- 'traefik.http.middlewares.authelia-basic.forwardauth.trustForwardHeader=true'
|
||||
- 'traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email'
|
||||
expose:
|
||||
- 9091
|
||||
networks:
|
||||
- traefik_network
|
||||
- internal
|
||||
secrets:
|
||||
hmac:
|
||||
file: ./authelia/secrets/hmac
|
||||
private_key:
|
||||
file: ./authelia/secrets/issuer_private_key
|
||||
networks:
|
||||
traefik_network:
|
||||
network:
|
||||
driver: bridge
|
||||
traefik_internal:
|
||||
internal:
|
||||
driver: bridge
|
||||
arr_network:
|
||||
external: true
|
||||
|
||||
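Review bot: `forwardauth.trustForwardHeader=true` on the `authelia-basic` middleware makes Authelia decide on the `X-Forwarded-*` headers it receives, and the access-control rules in this commit grant `bypass` purely by client network (`192.168.0.0/24`, `172.19.0.0/16`, `10.8.0.0/24`); that is only safe if Traefik rewrites `X-Forwarded-For` from the real connection rather than passing on a client-supplied value. Traefik does so by default, so confirm that no `--entrypoints.websecure.forwardedHeaders.insecure=true` or broad `forwardedHeaders.trustedIPs` (for instance a Cloudflare range if the site is proxied) is set elsewhere, and record the dependency next to this label: `# Authelia's network-based bypass rules trust X-Forwarded-For; keep forwardedHeaders untrusted on public entrypoints`. Since `?auth=basic` lets clients present credentials on every request, keep this middleware off routers whose policy is `two_factor` and use the regular `authelia` middleware there. The `authelia` service definition starts above this hunk.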