From f540d1c46b205ed9370ee743eae1e7fb1727fc00 Mon Sep 17 00:00:00 2001 From: Matan Horovitz Date: Fri, 17 Nov 2023 16:51:09 +0200 Subject: [PATCH] Pruned services; added Grafana auth --- authelia/configuration.yml | 102 ++++++++++++++++++++++++++++++------- docker-compose.yml | 69 +++++++++---------------- 2 files changed, 107 insertions(+), 64 deletions(-) diff --git a/authelia/configuration.yml b/authelia/configuration.yml index de43974..d336633 100644 --- a/authelia/configuration.yml +++ b/authelia/configuration.yml @@ -82,12 +82,19 @@ access_control: policy: bypass resources: # Match only /share/ url's - Filebrowser's shares - - "^*/share/.*" + - '^/share([/?].*)?$' - domain: - "git.pukeko.xyz" policy: bypass resources: - "^/public([/?].*)?$" + - ".*/shmick/study.git" + - domain: + - "photos.pukeko.xyz" + policy: bypass + resources: + - "^.*/s/.*$" + - '^/s([/?].*)?$' - domain: - "*.pukeko.xyz" policy: two_factor @@ -99,6 +106,9 @@ session: inactivity: 5m remember_me_duration: 1M domain: "pukeko.xyz" + redis: + host: authelia_redis + port: 6379 regulation: max_retries: 3 find_time: 2m 
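Review bot: The bypass resources added under `git.pukeko.xyz` and `photos.pukeko.xyz` in the first hunk are wider than the share links they are meant to exempt: `".*/shmick/study.git"` is unanchored (and its `.` is unescaped), so it matches any request whose path merely contains that substring, and `"^.*/s/.*$"` matches any path with `/s/` anywhere in it, which already covers everything the precise `'^/s([/?].*)?$'` on the next line allows. Anchor the git rule as `- '^/shmick/study\.git([/?].*)?$'` and drop the `^.*/s/.*$` line, following the `'^/share([/?].*)?$'` rewrite the same hunk makes for Filebrowser. Since these rules exempt paths from authentication entirely, an over-broad pattern silently widens what is reachable without a login.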
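Review bot: The new `session.redis` block points at `authelia_redis` on 6379 without a `password`, and the `redis` service in docker-compose.yml (hunk at L9) runs `redis:alpine` with no `--requirepass` either, so session state is readable by anything that can reach that container. The container is only `expose`d on the compose network rather than published, so this is a containment question rather than an internet exposure, but setting `password:` here and on the service costs little. If leaving it open is deliberate, a comment such as `# no auth: reachable only on the internal compose network` would record that decision.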
@@ -123,6 +133,35 @@ notifier: disable_html_emails: false identity_providers: oidc: + issuer_private_key: | + -----BEGIN RSA PRIVATE KEY----- + MIIEogIBAAKCAQEAnkzvqdtgIl71Bd7fIarSCDLI/dhTyl8G+xdmoH9wH3dGqbbn + m0SV280wVRVEkGEJIohqXY+DMNrLiqvPvCTxjYAyqinjHqQFsEgtDsQ7rqpoi2U/ + 3HvAdF+2obQvFz5w5urkXKyLTfkFU7+tvjiJhCYvAoUZA/Bx0LcK8Hh0OhuwN0L9 + 9Rq7VK0HlC5TlP1nRCUZYEDNLR0mKcKqCuAST8m5FucF/ZQaanF9anphgRavbUfp + EyKvnbPGZLPf4IjbRQbxfwyNqRcDjNaP4ytjAAY4+F6aSdZePos08IzC8qemgqEm + /iKVn9XUcgwZ/EjITLoEbzoFUJV91H0CiyfuBwIDAQABAoIBAHWMGddekGdVbcrb + MYOVjfsKgxeEQMwgflWLjeiWWRL0hiNWL2urpUAfgMldTpmLhLYA6ELrY3auscAa + Ttqd8ESrsnOLQRyqnZLGNbcmXk8YOSNxntdBiaqgvEQdQW6YLkw6ljJ+6b6PsLX8 + uq5q2yqnE/diEC5NqKZclaH1QBE4/R+iDRXuAgrHvArv9uL0pD+lrms7dEfHcewn + vKzv3+AKv0maGQ+aZyh3i0xPvmMqiT8ddvRmSqq60aCtCrVezJ8rd1D7IxLQ3t/T + uR0jwCf8kPS8KNcPgGb5RuJ4Up+8IywU8PSiReIugD+wyvVxWLTcMCEXd7qITofR + pWF447ECgYEAwpSRc26hEo9JX0yBAP5dqBKdW8BJzxjCjWJ5N1KmZFppuymyJ7I0 + 2aGUM8ffm8uiecJpMmnzUuF9v2/SjcsDghcslSn9qczajBI4x1Xic1272HjstrfO + 9HSoGf1M1Rn7tHFFoM/ydELMkTacxvZa6i3d+UmZ3OBDheGTj1c4lK8CgYEA0ES1 + ln+JRGW+sMBEhP6VZgGXkwgLJzMCDJQ1riNfYy/UxFldXB2Tz7+pAVYUndRsMh+u + DHcBFe9ENnYMDfba434NqyhmWEeXgtJ1ICu1nunltTtM458zB84OGt9j8mmCTedW + HxfyE0YGYgVF47n7fc+h5QB/3BapK7diOUYtQikCgYBcQZbJFT33j8ppDdvofbIo + O1MyqnQUZhfwcy0n5t8Pm7Kf1AAtRBg8y5h6CJ1jv+Q0ONIp3gRJWrKFbt507jmm + l5hCzRsBRCim2wjisjzhGCM1WvhZFcNhMmJ1mByyuVQXVNF/krjRGM7nVu50g1/N + wpuJU7VI/WfmdXLCNseT7wKBgCvxk28B0fDAlw+sQcjd/p/bTiQT2maW+KO20ezA + Qewnt3kGchBxnTKEeiByDT+QBpQ84vh2U6BRL89d8QUxRNYjTrcCezW9RVaxGU2E + a3nwWCt5K6wLdzT6YTeCUxBe+sN9QEqnPsiaSdZ8zlZSc6IEIWC0TkYd8evrcaos + CHihAoGAFt+od36TPiYgczaoWJ2dlLz6xLnPn/nhrSICxJhdBtCywT1uxH0THaiA + NiAwc5R8fJUPBuIdd0ur/mgAV8VTcXsY/mvihrHnqCKinQKdCt1yukpFhvs68AyP + O+iDoe3R22OcCFg+wuEMGDPspkNtuKV0j0UvqtaDuWqWZNOyYCU= + -----END RSA PRIVATE KEY----- + clients: - id: portainer description: Portainer CE 
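Review bot: The `issuer_private_key` block writes the OIDC issuer's RSA private key in clear text into `authelia/configuration.yml`, a file tracked by this repository, while the hunk at L8 comments out the `AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE=/run/secrets/private_key` line that previously loaded it from a file-backed secret. Once pushed, the key is part of the repository history and should be treated as disclosed: generate a new issuer key, keep it next to the existing `./authelia/secrets/hmac` file (assuming that directory is kept out of git, which I cannot see from here), and load it through the restored `_FILE` variable. Replace the inlined block with a comment such as `# issuer_private_key: supplied via AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE`. Rotating the key invalidates tokens signed with the old one, which is the intended effect.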
@@ -130,18 +169,14 @@ identity_providers: pre_configured_consent_duration: 100y redirect_uris: - https://portain.pukeko.xyz/ + - id: gitea description: Gitea secret: '3s4as%cU$cKH2&MiXwzC#h8GJCY2eoS%#7&*9qC&H$ujv%qD8P6rWvrtbM8$f2#zM^phWUAz%2Bk7gCGJf#nA&i3BKvwG79&5hdp&mgddhdSFt&3BpX%a2Sv*Z#mK^J3' pre_configured_consent_duration: 100y redirect_uris: - https://git.pukeko.xyz/user/oauth2/Authelia/callback - - id: wekan - description: Wekan - secret: '6BekdjG2Rs25MGg!NU#VEbScrQDriT2z6#wDgRK2KS4fsq5bB8hA@z8RSqs5y&pm%f94*xTw2@4&3Qv2Vg2%hv6Vq9&GNLcJfGdUxb&KM!Y@@My&ujqG3%j^Xdqs8bF^' - pre_configured_consent_duration: 100y - redirect_uris: - - https://tasks.pukeko.xyz/_oauth/oidc + - id: wikijs description: WikiJS secret: 'mT#!fwRZ3$pE5g2rG4CCNKLkg4zg7&3L92e9LGemfYMbr92gPos&Js*4DU#&^*EUJ#PrP*y#W$W7^i2#zqJPhiK$3$z9uDNXYA$h9Urcuo8!Ggcq^#C6dow^s*VxV&WU' 
@@ -150,20 +185,31 @@ identity_providers: pre_configured_consent_duration: 100y redirect_uris: - https://wiki.pukeko.xyz/login/a8755bfb-8a4e-49b7-b31b-43ac5638367a/callback - userinfo_signing_algorithm: none - scopes: - - openid - - email - - profile - - groups - response_modes: - - form_post - - id: grafana - description: Grafana - secret: '8Jx#U^%NXEvD#jc@A35wH!6PT8^DYo7pXftCKe3P%C%*xN9FQn26ec^kTxkuhA*9fZx@7*P65Y*L2Ty#Z*7n*f3#^$R!8TSuQ3THW*t#seL#iE7MatYEowb$GvU!8Y!5' + + - id: wikijs_study + description: WikiJS-Study + secret: 'jPdRbutexLB9aTanEthKiTXVtzcYsM3N9DmwbBKXdSikMRYWKLAMffETp9ads6cTAgkBMNu9Cp8aujFdXcEkpEeq5cMHc3KoiS64HHCK9CrVLH4PHdDFxLquGbd2h3Sz' + public: false + authorization_policy: two_factor pre_configured_consent_duration: 100y redirect_uris: - - https://flight.pukeko.xyz/ + - https://logos.pukeko.xyz/login/2a01989c-e0f5-431a-95f1-c3e0383f67ce/callback + + - id: grafana + description: Grafana + secret: 'P6x3vpNvZcLCZnmwts7E3sEYmtnLVx2cmjPafyFjNRHRsJmcBajaGYzdYjEB4iZemmCTK5H5QAxqg8fSmjMkydKkYcynDgbCciR3tdz3XbcKgRX3LpDVFHqejEKLPz7n' + public: false + authorization_policy: two_factor + pre_configured_consent_duration: 100y + redirect_uris: + - https://flight.pukeko.xyz/login/generic_oauth + scopes: + - openid + - profile + - groups + - email + userinfo_signing_algorithm: none + - id: vikunja description: Vikunja secret: 'ryKVwXhfHeAQKJJHwejEpK66pAuTGvY2saZArKTFZPjWVs2fKNHDAwah8TbPP44LGKYPBYJxU5Ua5H4Su87DAY4ktpAz6UfmpB9XnXCPoACtBrwBgykjoC6cUzXJRc7t' 
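Review bot: The new `wikijs_study` and `grafana` clients carry their OIDC client secret as a plaintext literal in a tracked config file, as do the `gitea` and `wikijs` clients visible as context and the `docspell` client in the next hunk. Authelia accepts hashed client secrets (`authelia crypto hash generate pbkdf2` produces the `$pbkdf2-sha512$…` form), after which only the relying party needs the clear-text value; since these values are now in git history regardless, regenerating them and storing only the hash limits what this file discloses going forward. `userinfo_signing_algorithm: none` on the Grafana client is the unsigned-JSON userinfo that Grafana's generic OAuth expects, so that part reads as intended.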
@@ -178,3 +224,21 @@ identity_providers: - email - profile - groups + + - id: docspell + description: Docspell + secret: 'tEf47Me$YsXG8K4%63$%!kbMqbgVnc*bAq2i4SPERay#T!&ajc35m&D%C#uRMiaSv@cRFxwMcqo%SwEq*49G9HufJ&d#^f*&MK9hzU6s&7C2^XmfGC8Up7YeegnH#VhP' + pre_configured_consent_duration: 100y + authorization_policy: one_factor + redirect_uris: + - https://docs.pukeko.xyz/api/v1/open/auth/openid/authelia/resume + scopes: + - openid + - email + - profile + - groups + userinfo_signing_algorithm: none + response_types: + - code + grant_types: + - authorization_code diff --git a/docker-compose.yml b/docker-compose.yml index 7f25616..fc6bfce 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,7 +1,6 @@ -version: "3.3" services: traefik: - image: "traefik:v2.6" + image: "traefik:v2.10.4" container_name: "traefik" privileged: true command: 
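Review bot: The new `docspell` client is the only client in this change with `authorization_policy: one_factor`, while `wikijs_study` and `grafana` in the previous hunk were given `two_factor`, and nothing in the hunk explains why document storage gets the weaker policy. If it is intentional, record it inline, e.g. `authorization_policy: one_factor  # TODO(review): state why this client is exempt from 2FA`; otherwise align it with the other clients. The docker-compose hunk in the same span (dropping `version: "3.3"`, bumping `traefik:v2.6` to `traefik:v2.10.4`) is a routine version change and needs nothing further.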
@@ -10,14 +9,14 @@ services: - "--providers.docker=true" - "--providers.docker.exposedbydefault=false" - "--entrypoints.web.address=:80" - - "--entrypoints.websecure.address=:443" - - "--entrypoints.web.http.redirections.entrypoint.to=websecure" - - "--certificatesresolvers.pukekoresolver.acme.dnschallenge=true" - - "--certificatesresolvers.pukekoresolver.acme.dnschallenge.provider=cloudflare" - #- "--certificatesresolvers.pukekoresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory" - - "--certificatesresolvers.pukekoresolver.acme.email=matanhorovitz@protonmail.com" - - "--certificatesresolvers.pukekoresolver.acme.storage=/letsencrypt/acme.json" - - "--certificatesresolvers.pukekoresolver.acme.dnschallenge.resolvers=1.1.1.1:53" + - "--entrypoints.pukekos.address=:443" + - "--entrypoints.web.http.redirections.entrypoint.to=pukekos" + - "--certificatesresolvers.takaheresolver.acme.dnschallenge=true" + - "--certificatesresolvers.takaheresolver.acme.dnschallenge.provider=cloudflare" + # - "--certificatesresolvers.takaheresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory" + - "--certificatesresolvers.takaheresolver.acme.email=matanhorovitz@protonmail.com" + - "--certificatesresolvers.takaheresolver.acme.storage=/certs/acme.json" + - "--certificatesresolvers.takaheresolver.acme.dnschallenge.resolvers=1.1.1.1:53" ports: - "80:80" - "443:443" 
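Review bot: Renaming the entrypoint `websecure` to `pukekos` and the resolver `pukekoresolver` to `takaheresolver` is only propagated to the router labels inside this compose file; the long list of external networks attached to Traefik (`arr_network`, `gitea_network`, and so on in the next hunk) suggests other stacks declare their own `traefik.http.routers.*.entrypoints=websecure` and `tls.certresolver=pukekoresolver` labels, and any that still do will stop being served, since Traefik rejects a router whose entrypoint does not exist. I cannot see those files from here, so a grep for the old names before deploying is worth the minute. The commented-out staging `caserver` line is handy for testing and fine to keep, but a short comment above it (`# uncomment to issue from the Let's Encrypt staging CA while testing`) would explain its presence.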
@@ -27,43 +26,38 @@ services: - CF_API_EMAIL=matanhorovitz@protonmail.com - CF_DNS_API_TOKEN=0dFNYA8qtzVhVtGi4nEb7_aclTOdGthYm5Q7N05n volumes: - - "./letsencrypt:/letsencrypt" + - "./certs:/certs" - "/var/run/docker.sock:/var/run/docker.sock" networks: - network - internal - arr_network - filebrowser_network - - fotoprism_network - gitea_network - - gitea_public_instance_network - - grocy_network - vaultwarden_network - vikunja_network - - freshrss_network - - homer_study_network - - jekyll_network - jellyfin_network - joplin_network - - paperless-ngx_network - photoprism_network - - podgrab_network - portainer_network - prometheus_network - qbittorrent_network - syncthing_network - wikijs_network - wikijs_study_instance_network + - wireguard_network restart: unless-stopped labels: - "traefik.enable=true" - - "traefik.http.routers.domain.entrypoints=websecure" + - "traefik.http.routers.domain.entrypoints=pukekos" - "traefik.http.routers.domain.rule=Host(`pukeko.xyz`)" - - "traefik.http.routers.domain.tls.certresolver=pukekoresolver" + - "traefik.http.routers.domain.tls.certresolver=takaheresolver" - "traefik.http.routers.domain.middlewares=domain" - 'traefik.http.middlewares.domain.redirectregex.regex=^https://pukeko.xyz/(.*)' - 'traefik.http.middlewares.domain.redirectregex.replacement=https://dash.pukeko.xyz/$${1}' - "traefik.http.middlewares.domain.redirectregex.permanent=true" + - "traefik.tls.stores.default.defaultgeneratedcert.resolver=takaheresolver" + - "traefik.tls.stores.default.defaultgeneratedcert.domain.main=pukeko.xyz" # user: 1001:1001 homer: image: b4bz/homer 
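Review bot: The `./certs:/certs` volume now hosts `acme.json`, which holds the ACME account key and the private keys of every issued certificate; nothing in the hunk shows whether `./certs` is excluded from the repository, so confirm it is ignored, and the old `./letsencrypt/acme.json` left on disk by the path change should be removed for the same reason. A few lines above the volume change the hunk still carries the Cloudflare DNS API token as an inline `CF_DNS_API_TOKEN=` value in a tracked file; that token grants write access to the DNS zone used for the ACME challenge, so it belongs in a file-backed secret (lego honours the `CF_DNS_API_TOKEN_FILE` variant, if this Traefik build ships a lego that supports it) and should be rotated, as it is already in history. The added `traefik.tls.stores.default.defaultgeneratedcert.*` labels are valid Traefik v2 store options and give unmatched hostnames a `pukeko.xyz` fallback certificate rather than the built-in self-signed one.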
@@ -78,10 +72,10 @@ services: restart: unless-stopped labels: - "traefik.enable=true" - - "traefik.http.routers.homer.entrypoints=websecure" + - "traefik.http.routers.homer.entrypoints=pukekos" - "traefik.http.routers.homer.rule=Host(`dash.pukeko.xyz`)" - "traefik.http.routers.homer.service=homer-traefik@docker" - - "traefik.http.routers.homer.tls.certresolver=pukekoresolver" + - "traefik.http.routers.homer.tls.certresolver=takaheresolver" - "traefik.http.routers.homer.middlewares=authelia@docker" networks: - internal @@ -90,7 +84,7 @@ services: container_name: authelia environment: - TZ=Asia/Jerusalem - - AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE=/run/secrets/private_key + # - AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE=/run/secrets/private_key volumes: - ./authelia:/config restart: unless-stopped @@ -100,10 +94,10 @@ services: labels: - 'traefik.enable=true' - 'traefik.http.routers.authelia.rule=Host(`auth.pukeko.xyz`)' - - 'traefik.http.routers.authelia.entrypoints=websecure' + - 'traefik.http.routers.authelia.entrypoints=pukekos' - "traefik.http.routers.authelia.service=authelia-traefik@docker" - 'traefik.http.routers.authelia.tls=true' - - "traefik.http.routers.authelia.tls.certresolver=pukekoresolver" + - "traefik.http.routers.authelia.tls.certresolver=takaheresolver" - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.pukeko.xyz/' - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true' - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email' @@ -114,8 +108,6 @@ services: - internal expose: - 9091 - environment: - - TZ=Asia/Jerusalem redis: image: redis:alpine container_name: authelia_redis 
@@ -126,9 +118,6 @@ services: expose: - 6379 restart: unless-stopped - environment: - - TZ=Asia/Jerusalem - - AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE=/run/secrets/private_key secrets: hmac: file: ./authelia/secrets/hmac @@ -143,26 +132,14 @@ networks: external: true filebrowser_network: external: true - fotoprism_network: - external: true - freshrss_network: - external: true gitea_network: external: true - gitea_public_instance_network: - external: true - grocy_network: - external: true - homer_study_network: - external: true - jekyll_network: - external: true + #jekyll_network: + # external: true jellyfin_network: external: true joplin_network: external: true - paperless-ngx_network: - external: true photoprism_network: external: true podgrab_network: @@ -179,6 +156,8 @@ networks: external: true wikijs_study_instance_network: external: true + wireguard_network: + external: true qbittorrent_network: external: true syncthing_network: