From 9078296de6a7303eaa33ea8916f37179ef532952 Mon Sep 17 00:00:00 2001
From: Matan Horovitz
Date: Mon, 21 Mar 2022 11:47:32 +0200
Subject: [PATCH] Cleaning up network configuration; Authelia bypasses
---
 authelia/configuration.yml | 24 ++++++++++++++++++++++++
 authelia/users_database.yml | 5 +++++
 docker-compose.yml | 18 +++++++++---------
 3 files changed, 38 insertions(+), 9 deletions(-)
diff --git a/authelia/configuration.yml b/authelia/configuration.yml
index c0d804f..cb184b7 100644
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -28,24 +28,48 @@ access_control:
 # Dumb redirect to dash.pukeko.xyz - do not auth
 - domain: "pukeko.xyz"
 policy: bypass
+# Allow access from internal network
 - domain:
 - "*.pukeko.xyz"
 networks:
+ # Home
 - 192.168.0.0/24
+ # traefik_internal
+ - 172.19.0.0/16
+ # Wireguard
+ - 10.8.0.0/24
+ policy: bypass
+# Allow access to container's /api address
+ - domain:
+ - "*.pukeko.xyz"
+ resources:
+ - "^/api.*"
 policy: bypass
 # Allow access to specific subdomains with family group
 - domain: "photos.pukeko.xyz"
 policy: one_factor
 subject: "group:family"
+ - domain: "tv.pukeko.xyz"
+ policy: one_factor
+ subject: "group:family"
+ - domain: "movies.pukeko.xyz"
+ policy: one_factor
+ subject: "group:family"
 # Allow access to shares within Filebrowser
 - domain: "cloud.pukeko.xyz"
 policy: bypass
 resources:
 # Match only /share/ url's - Filebrowser's shares
 - "^*/share/.*"
+ - domain:
+ - "git.pukeko.xyz"
+ policy: bypass
+ resources:
+ - "^/public([/?].*)?$"
 - domain:
 - "*.pukeko.xyz"
 policy: two_factor
+# Allow access to public Git repository
 session:
 name: authelia_session
 secret: M22162530
diff --git a/authelia/users_database.yml b/authelia/users_database.yml
index 0760ee0..ec37ad4 100644
--- a/authelia/users_database.yml
+++ b/authelia/users_database.yml
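Review bot: The new bypass rule pairing `- "*.pukeko.xyz"` with `- "^/api.*"` exempts the `/api` path prefix of every subdomain from authentication, not just the one container the comment refers to, and because Authelia applies the first matching rule it also takes precedence over the `one_factor` family rules for photos, tv and movies that follow it. Scope it to the host that actually needs an unauthenticated API and anchor the path, e.g. `- domain: "<api-host>.pukeko.xyz"` with `- "^/api(/.*)?$"`, where `<api-host>` is the intended subdomain. The added `172.19.0.0/16` network bypass is the Docker bridge range; it only behaves as intended if Authelia derives the original client address from Traefik's forwarded headers, because if it ever falls back to the peer address (Traefik itself on that network) every proxied request would match the bypass — worth confirming in the access log before relying on it. The comment `# Allow access to public Git repository` was added after the final `two_factor` rule; it belongs directly above the new `git.pukeko.xyz` rule, which currently has no comment.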
@@ -11,6 +11,11 @@ users:
 email: yhorovitz@gmail.com
 groups:
 - family
+ matan:
+ password: $argon2id$v=19$m=65536,t=1,p=8$aDNUbCtTSEpJdkJnL1B5aQ$lSTiaRsWgPpTqYSGissf4umr0VQPPulynH9igqiMVFg
+ displayname: Matan Horovitz
+ groups:
+ - family
 shmick:
 password: $argon2id$v=19$m=524288,t=1,p=8$OXZDU0NqS3J1VVBhWkdGMg$yvlKAog0MTtP95VpXgeWFnyiX5uNGK23vDqmcP8lLAU
 displayname: Shmickonon Shmickovski
diff --git a/docker-compose.yml b/docker-compose.yml
index 1e2d383..5de47cd 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -12,6 +12,7 @@ services:
 - "--providers.docker.exposedbydefault=false"
 - "--entrypoints.web.address=:80"
 - "--entrypoints.websecure.address=:443"
+ - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
 - "--certificatesresolvers.pukekoresolver.acme.dnschallenge=true"
 - "--certificatesresolvers.pukekoresolver.acme.dnschallenge.provider=cloudflare"
 #- "--certificatesresolvers.pukekoresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
@@ -30,7 +31,8 @@ services:
 - "./letsencrypt:/letsencrypt"
 - "/var/run/docker.sock:/var/run/docker.sock:ro"
 networks:
- - traefik_network
+ - network
+ - internal
 - arr_network
 - filebrowser_network
 - gitea_network
@@ -54,17 +56,17 @@ services:
 - "traefik.enable=true"
 - "traefik.http.routers.domain.entrypoints=websecure"
 - "traefik.http.routers.domain.rule=Host(`pukeko.xyz`)"
- - "traefik.http.routers.domain.service=noop@internal"
 - "traefik.http.routers.domain.tls.certresolver=pukekoresolver"
 - "traefik.http.routers.domain.middlewares=domain"
 - 'traefik.http.middlewares.domain.redirectregex.regex=^https://pukeko.xyz/(.*)'
 - 'traefik.http.middlewares.domain.redirectregex.replacement=https://dash.pukeko.xyz/$${1}'
 - "traefik.http.middlewares.domain.redirectregex.permanent=true"
+ # user: 1001:1001
 homer:
 image: b4bz/homer
 container_name: homer
 volumes:
- - /Red-Vol/Media/Containers/homer/assets/:/www/assets
+ - ./homer/:/www/assets
 ports:
 - 4957:8080
 environment:
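Review bot: The new `matan` entry is hashed with `m=65536` while the existing `shmick` entry just below uses `m=524288` (both `t=1,p=8`), so the new credential carries one eighth of the memory cost of its sibling; regenerating it with the same parameters keeps the user database uniformly hardened. Committing every user's password hash next to the configuration is pre-existing practice in this repository, but it does mean anyone with read access to the repo can attempt offline guessing against them, which makes the parameter choice matter.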
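Review bot: Dropping `traefik.http.routers.domain.service=noop@internal` leaves the `domain` router without an explicit service; as far as I can tell the Docker provider then attaches the container's auto-generated default service, which for these labels is the Traefik container itself, so any request the `redirectregex` middleware does not redirect would be proxied to Traefik's own port rather than answered with a redirect. If the line was removed because `noop@internal` produced an error at startup, the intended behaviour deserves a comment above the router labels, e.g. `# redirect-only router: every request is 301'd to dash.pukeko.xyz by the domain middleware`. The commented-out `# user: 1001:1001` added at the end of the traefik service is dead configuration; either enable it or remove it rather than leave it as a hint.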
@@ -79,7 +81,7 @@ services:
 - "traefik.http.routers.homer.tls.certresolver=pukekoresolver"
 - "traefik.http.routers.homer.middlewares=authelia@docker"
 networks:
- - traefik_network
+ - internal
 authelia:
 image: authelia/authelia:latest
 container_name: authelia
@@ -103,19 +105,17 @@ services:
 - 'traefik.http.middlewares.authelia-basic.forwardauth.address=http://authelia:9091/api/verify?auth=basic'
 - 'traefik.http.middlewares.authelia-basic.forwardauth.trustForwardHeader=true'
 - 'traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email'
- expose:
- - 9091
 networks:
- - traefik_network
+ - internal
 secrets:
 hmac:
 file: ./authelia/secrets/hmac
 private_key:
 file: ./authelia/secrets/issuer_private_key
 networks:
- traefik_network:
+ network:
 driver: bridge
- traefik_internal:
+ internal:
 driver: bridge
 arr_network:
 external: true
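Review bot: The renamed `internal` bridge network is declared with only `driver: bridge` and no `ipam` subnet, yet the Authelia rule added in this same commit bypasses authentication for `172.19.0.0/16` under the comment `# traefik_internal` — a network name that no longer exists after this rename. Docker assigns bridge subnets dynamically, so after the network is recreated `internal` may land on a different range, at which point the bypass either silently stops matching or starts matching containers on some other network. Pin the range in the compose file, `internal:` / `driver: bridge` / `ipam:` / `config:` / `- subnet: 172.19.0.0/16`, and change the comment in authelia/configuration.yml to name `internal` instead of `traefik_internal`. Removing `expose:` / `- 9091` is harmless here: the forwardauth address already reaches the container by service name over the shared network, and `expose` is documentation only in Compose.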