Cleaning up network configuration; Authelia bypasses
This commit is contained in:
@@ -28,24 +28,48 @@ access_control:
|
|||||||
# Dumb redirect to dash.pukeko.xyz - do not auth
|
# Dumb redirect to dash.pukeko.xyz - do not auth
|
||||||
- domain: "pukeko.xyz"
|
- domain: "pukeko.xyz"
|
||||||
policy: bypass
|
policy: bypass
|
||||||
|
# Allow access from internal network
|
||||||
- domain:
|
- domain:
|
||||||
- "*.pukeko.xyz"
|
- "*.pukeko.xyz"
|
||||||
networks:
|
networks:
|
||||||
|
# Home
|
||||||
- 192.168.0.0/24
|
- 192.168.0.0/24
|
||||||
|
# traefik_internal
|
||||||
|
- 172.19.0.0/16
|
||||||
|
# Wireguard
|
||||||
|
- 10.8.0.0/24
|
||||||
|
policy: bypass
|
||||||
|
# Allow access to container's /api address
|
||||||
|
- domain:
|
||||||
|
- "*.pukeko.xyz"
|
||||||
|
resources:
|
||||||
|
- "^/api.*"
|
||||||
policy: bypass
|
policy: bypass
|
||||||
# Allow access to specific subdomains with family group
|
# Allow access to specific subdomains with family group
|
||||||
- domain: "photos.pukeko.xyz"
|
- domain: "photos.pukeko.xyz"
|
||||||
policy: one_factor
|
policy: one_factor
|
||||||
subject: "group:family"
|
subject: "group:family"
|
||||||
|
- domain: "tv.pukeko.xyz"
|
||||||
|
policy: one_factor
|
||||||
|
subject: "group:family"
|
||||||
|
- domain: "movies.pukeko.xyz"
|
||||||
|
policy: one_factor
|
||||||
|
subject: "group:family"
|
||||||
# Allow access to shares within Filebrowser
|
# Allow access to shares within Filebrowser
|
||||||
- domain: "cloud.pukeko.xyz"
|
- domain: "cloud.pukeko.xyz"
|
||||||
policy: bypass
|
policy: bypass
|
||||||
resources:
|
resources:
|
||||||
# Match only /share/ url's - Filebrowser's shares
|
# Match only /share/ url's - Filebrowser's shares
|
||||||
- "^*/share/.*"
|
- "^*/share/.*"
|
||||||
|
- domain:
|
||||||
|
- "git.pukeko.xyz"
|
||||||
|
policy: bypass
|
||||||
|
resources:
|
||||||
|
- "^/public([/?].*)?$"
|
||||||
- domain:
|
- domain:
|
||||||
- "*.pukeko.xyz"
|
- "*.pukeko.xyz"
|
||||||
policy: two_factor
|
policy: two_factor
|
||||||
|
# Allow access to public Git repository
|
||||||
session:
|
session:
|
||||||
name: authelia_session
|
name: authelia_session
|
||||||
secret: M22162530
|
secret: M22162530
|
||||||
|
|||||||
@@ -11,6 +11,11 @@ users:
|
|||||||
email: yhorovitz@gmail.com
|
email: yhorovitz@gmail.com
|
||||||
groups:
|
groups:
|
||||||
- family
|
- family
|
||||||
|
matan:
|
||||||
|
password: $argon2id$v=19$m=65536,t=1,p=8$aDNUbCtTSEpJdkJnL1B5aQ$lSTiaRsWgPpTqYSGissf4umr0VQPPulynH9igqiMVFg
|
||||||
|
displayname: Matan Horovitz
|
||||||
|
groups:
|
||||||
|
- family
|
||||||
shmick:
|
shmick:
|
||||||
password: $argon2id$v=19$m=524288,t=1,p=8$OXZDU0NqS3J1VVBhWkdGMg$yvlKAog0MTtP95VpXgeWFnyiX5uNGK23vDqmcP8lLAU
|
password: $argon2id$v=19$m=524288,t=1,p=8$OXZDU0NqS3J1VVBhWkdGMg$yvlKAog0MTtP95VpXgeWFnyiX5uNGK23vDqmcP8lLAU
|
||||||
displayname: Shmickonon Shmickovski
|
displayname: Shmickonon Shmickovski
|
||||||
|
|||||||
@@ -12,6 +12,7 @@ services:
|
|||||||
- "--providers.docker.exposedbydefault=false"
|
- "--providers.docker.exposedbydefault=false"
|
||||||
- "--entrypoints.web.address=:80"
|
- "--entrypoints.web.address=:80"
|
||||||
- "--entrypoints.websecure.address=:443"
|
- "--entrypoints.websecure.address=:443"
|
||||||
|
- "--entrypoints.web.http.redirections.entrypoint.to=websecure"
|
||||||
- "--certificatesresolvers.pukekoresolver.acme.dnschallenge=true"
|
- "--certificatesresolvers.pukekoresolver.acme.dnschallenge=true"
|
||||||
- "--certificatesresolvers.pukekoresolver.acme.dnschallenge.provider=cloudflare"
|
- "--certificatesresolvers.pukekoresolver.acme.dnschallenge.provider=cloudflare"
|
||||||
#- "--certificatesresolvers.pukekoresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
|
#- "--certificatesresolvers.pukekoresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
|
||||||
@@ -30,7 +31,8 @@ services:
|
|||||||
- "./letsencrypt:/letsencrypt"
|
- "./letsencrypt:/letsencrypt"
|
||||||
- "/var/run/docker.sock:/var/run/docker.sock:ro"
|
- "/var/run/docker.sock:/var/run/docker.sock:ro"
|
||||||
networks:
|
networks:
|
||||||
- traefik_network
|
- network
|
||||||
|
- internal
|
||||||
- arr_network
|
- arr_network
|
||||||
- filebrowser_network
|
- filebrowser_network
|
||||||
- gitea_network
|
- gitea_network
|
||||||
@@ -54,17 +56,17 @@ services:
|
|||||||
- "traefik.enable=true"
|
- "traefik.enable=true"
|
||||||
- "traefik.http.routers.domain.entrypoints=websecure"
|
- "traefik.http.routers.domain.entrypoints=websecure"
|
||||||
- "traefik.http.routers.domain.rule=Host(`pukeko.xyz`)"
|
- "traefik.http.routers.domain.rule=Host(`pukeko.xyz`)"
|
||||||
- "traefik.http.routers.domain.service=noop@internal"
|
|
||||||
- "traefik.http.routers.domain.tls.certresolver=pukekoresolver"
|
- "traefik.http.routers.domain.tls.certresolver=pukekoresolver"
|
||||||
- "traefik.http.routers.domain.middlewares=domain"
|
- "traefik.http.routers.domain.middlewares=domain"
|
||||||
- 'traefik.http.middlewares.domain.redirectregex.regex=^https://pukeko.xyz/(.*)'
|
- 'traefik.http.middlewares.domain.redirectregex.regex=^https://pukeko.xyz/(.*)'
|
||||||
- 'traefik.http.middlewares.domain.redirectregex.replacement=https://dash.pukeko.xyz/$${1}'
|
- 'traefik.http.middlewares.domain.redirectregex.replacement=https://dash.pukeko.xyz/$${1}'
|
||||||
- "traefik.http.middlewares.domain.redirectregex.permanent=true"
|
- "traefik.http.middlewares.domain.redirectregex.permanent=true"
|
||||||
|
# user: 1001:1001
|
||||||
homer:
|
homer:
|
||||||
image: b4bz/homer
|
image: b4bz/homer
|
||||||
container_name: homer
|
container_name: homer
|
||||||
volumes:
|
volumes:
|
||||||
- /Red-Vol/Media/Containers/homer/assets/:/www/assets
|
- ./homer/:/www/assets
|
||||||
ports:
|
ports:
|
||||||
- 4957:8080
|
- 4957:8080
|
||||||
environment:
|
environment:
|
||||||
@@ -79,7 +81,7 @@ services:
|
|||||||
- "traefik.http.routers.homer.tls.certresolver=pukekoresolver"
|
- "traefik.http.routers.homer.tls.certresolver=pukekoresolver"
|
||||||
- "traefik.http.routers.homer.middlewares=authelia@docker"
|
- "traefik.http.routers.homer.middlewares=authelia@docker"
|
||||||
networks:
|
networks:
|
||||||
- traefik_network
|
- internal
|
||||||
authelia:
|
authelia:
|
||||||
image: authelia/authelia:latest
|
image: authelia/authelia:latest
|
||||||
container_name: authelia
|
container_name: authelia
|
||||||
@@ -103,19 +105,17 @@ services:
|
|||||||
- 'traefik.http.middlewares.authelia-basic.forwardauth.address=http://authelia:9091/api/verify?auth=basic'
|
- 'traefik.http.middlewares.authelia-basic.forwardauth.address=http://authelia:9091/api/verify?auth=basic'
|
||||||
- 'traefik.http.middlewares.authelia-basic.forwardauth.trustForwardHeader=true'
|
- 'traefik.http.middlewares.authelia-basic.forwardauth.trustForwardHeader=true'
|
||||||
- 'traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email'
|
- 'traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email'
|
||||||
expose:
|
|
||||||
- 9091
|
|
||||||
networks:
|
networks:
|
||||||
- traefik_network
|
- internal
|
||||||
secrets:
|
secrets:
|
||||||
hmac:
|
hmac:
|
||||||
file: ./authelia/secrets/hmac
|
file: ./authelia/secrets/hmac
|
||||||
private_key:
|
private_key:
|
||||||
file: ./authelia/secrets/issuer_private_key
|
file: ./authelia/secrets/issuer_private_key
|
||||||
networks:
|
networks:
|
||||||
traefik_network:
|
network:
|
||||||
driver: bridge
|
driver: bridge
|
||||||
traefik_internal:
|
internal:
|
||||||
driver: bridge
|
driver: bridge
|
||||||
arr_network:
|
arr_network:
|
||||||
external: true
|
external: true
|
||||||
|
|||||||
Reference in New Issue
Block a user