commit dc098d434eb1c4fdca3553daabf40dde97ee95f3
Author: Thomas Lovén
Date:   Sat Jan 25 15:05:38 2020 +0100

    Initial commit

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..af68123
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,7 @@
+traefik/acme.json
+traefik/certs/
+traefik/traefik.log
+
+authelia/db.sqlite3
+authelia/notification.txt
+authelia/users_database.yml
diff --git a/authelia/configuration.yml b/authelia/configuration.yml
new file mode 100644
index 0000000..471e929
--- /dev/null
+++ b/authelia/configuration.yml
@@ -0,0 +1,36 @@
+host: 0.0.0.0
+port: 9091
+logs_level: trace
+jwt_secret: {{ env.Getenv "PRIVATE_DOMAIN" }}-jwt-secret
+authentication_backend:
+  file:
+    path: /opt/authelia/users_database.yml
+
+  # {{ env.Getenv "ROOT_DOMAIN" }}
+session:
+  name: authelia_session
+  secret: {{ env.Getenv "PRIVATE_DOMAIN" }}-token-secret
+  domain: {{ env.Getenv "PRIVATE_DOMAIN" }}
+  expiration: 3600
+  inactivity: 300
+
+storage:
+  local:
+    path: /opt/authelia/db.sqlite3
+
+totp:
+  issuer: {{ env.Getenv "PRIVATE_DOMAIN" }}
+
+access_control:
+  default_policy: one_factor
+
+
+regulation:
+  max_retries: 1000
+  find_time: 120
+  ban_time: 300
+
+notifier:
+  filesystem:
+    filename: /opt/authelia/notification.txt
+
diff --git a/docker-compose.yaml b/docker-compose.yaml
new file mode 100644
index 0000000..b36f19a
--- /dev/null
+++ b/docker-compose.yaml
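Review bot: `jwt_secret` and `session.secret` in authelia/configuration.yml are derived from the domain name (`{{ env.Getenv "PRIVATE_DOMAIN" }}-jwt-secret` and `{{ env.Getenv "PRIVATE_DOMAIN" }}-token-secret`), so anyone who knows the domain can reconstruct both and mint valid session cookies or password-reset JWTs. Pull them from dedicated variables instead, e.g. `jwt_secret: {{ env.Getenv "AUTHELIA_JWT_SECRET" }}` and `secret: {{ env.Getenv "AUTHELIA_SESSION_SECRET" }}`, filled from a random source and never committed. The regulation block allows `max_retries: 1000` within `find_time: 120`, roughly eight attempts per second before a ban, which does not meaningfully slow online password guessing; a single-digit value is the usual setting. `logs_level: trace` will also write request detail to the container log and should not be the committed default.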
@@ -0,0 +1,98 @@
+version: "3.5"
+
+networks:
+  web:
+    external: false
+    name: web
+
+volumes:
+  authelia-config:
+
+services:
+  proxy:
+    container_name: traefik
+    image: traefik:v2.1
+    restart: always
+    environment:
+      - EMAIL
+      - PRIVATE_DOMAIN
+      - PUBLIC_DOMAIN
+    networks:
+      - web
+    command:
+      - "--configFile=/data/traefik.yaml"
+    ports:
+      - "80:80"
+      - "443:443"
+      - "8080:8080"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock"
+      - "./traefik:/data"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
+
+      - "traefik.http.routers.traefik.rule=Host(`traefik.${PRIVATE_DOMAIN}`)"
+      - "traefik.http.routers.traefik.middlewares=auth@file"
+      - "traefik.http.routers.traefik.tls.certResolver=le"
+
+      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
+      - "traefik.http.routers.http-catchall.entrypoints=web"
+      - "traefik.http.routers.http-catchall.middlewares=redir@file"
+
+  authelia-config:
+    image: hairyhenderson/gomplate
+    environment:
+      - PRIVATE_DOMAIN
+      - PUBLIC_DOMAIN
+    volumes:
+      - ./authelia/configuration.yml:/data/input:ro
+      - authelia-config:/data/output
+    command: '--file=/data/input --out=/data/output/configuration.yml'
+  authelia:
+    container_name: authelia
+    image: authelia/authelia
+    restart: always
+    links:
+      - authelia-config
+    volumes:
+      - ./authelia:/opt/authelia
+      - authelia-config:/etc/authelia/
+    environment:
+      - ENVIRONMENT=dev
+      - NODE_TLS_REJECT_UNAUTHORIZED=1
+    networks:
+      - web
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.authelia.rule=Host(`auth.${PRIVATE_DOMAIN}`)"
+      - "traefik.http.routers.authelia.tls=true"
+      - "traefik.http.routers.authelia.tls.certResolver=le"
+      - "traefik.http.routers.authelia.entrypoints=websecure"
+
+# whoami-http:
+#   image: containous/whoami
+#   networks:
+#     - web
+#   labels:
+#     - "traefik.enable=true"
+#     - "traefik.http.routers.whoami2.rule=Host(`wai-http.${PRIVATE_DOMAIN}`)"
+#
+# whoami-https:
+#   image: containous/whoami
+#   networks:
+#     - web
+#   labels:
+#     - "traefik.enable=true"
+#     - "traefik.http.routers.whoami.rule=Host(`wai-https.${PRIVATE_DOMAIN}`)"
+#     - "traefik.http.routers.whoami.tls.certResolver=le"
+
+# whoami-auth:
+#   image: containous/whoami
+#   networks:
+#     - web
+#   labels:
+#     - "traefik.enable=true"
+#     - "traefik.http.routers.wai.rule=Host(`wai-auth.${PRIVATE_DOMAIN}`)"
+#     - "traefik.http.routers.wai.tls.certResolver=le"
+#     - "traefik.http.routers.wai.middlewares=auth@file"
diff --git a/traefik/tls.yaml b/traefik/tls.yaml
new file mode 100644
index 0000000..fd7e1a0
--- /dev/null
+++ b/traefik/tls.yaml
@@ -0,0 +1,28 @@
+http:
+  middlewares:
+    redir:
+      redirectScheme:
+        scheme: https
+        permanent: true
+    auth:
+      forwardAuth:
+        address: http://authelia:9091/api/verify?rd=https://auth.{{ env "PRIVATE_DOMAIN" }}/%23/
+        trustForwardHeader: true
+        authResponseHeaders:
+          - X-Forwarded-User
+        insecureSkipVerify: true
+
+  services:
+    hass:
+      loadBalancer:
+        servers:
+          - url: http://192.168.0.10:8123
+
+  routers:
+    hass:
+      service: hass
+      rule: Host(`avagen.{{ env "PRIVATE_DOMAIN" }}`)
+      middleware: redir
+      tls:
+        certResolver: le
+
diff --git a/traefik/traefik.yaml b/traefik/traefik.yaml
new file mode 100644
index 0000000..12b614a
--- /dev/null
+++ b/traefik/traefik.yaml
@@ -0,0 +1,26 @@
+api:
+  insecure: true
+
+providers:
+  file:
+    filename: /data/tls.yaml
+  docker:
+    exposedByDefault: false
+
+log:
+  filePath: /data/traefik.log
+  level: DEBUG
+
+entryPoints:
+  web:
+    address: :80
+  websecure:
+    address: :443
+
+certificatesResolvers:
+  le:
+    acme:
+      email: '{{ env "EMAIL" }}'
+      storage: /data/acme.json
+      httpChallenge:
+        entrypoint: web
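Review bot: In the proxy service of docker-compose.yaml, `- "8080:8080"` publishes the Traefik API entrypoint straight to the host, so the `auth@file` middleware on the `traefik` router only protects the `traefik.${PRIVATE_DOMAIN}` hostname while the same dashboard answers unauthenticated on port 8080. Dropping that port mapping leaves the dashboard reachable only through the authenticated router. The `authelia` service pulls an untagged `authelia/authelia` image whereas the proxy pins `traefik:v2.1`; pin Authelia to a specific tag as well so an upstream release cannot silently change authentication behaviour. Mounting `/var/run/docker.sock` into the proxy gives that container root-equivalent control of the host; it is the usual Traefik setup, but a socket proxy that only permits read-only API calls (a `:ro` bind mount does not restrict the API) reduces the blast radius.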
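Review bot: The `hass` router in traefik/tls.yaml uses the key `middleware: redir`; the Traefik v2 router field is `middlewares` and takes a list, so as written the redirect is presumably not attached, and the file provider may reject the file on the unknown field, which would also drop the `auth@file` middleware the compose labels depend on — the lines should read `middlewares:` followed by `- redir`. That router also carries no `auth@file` entry and no `entryPoints` restriction, so Home Assistant at `http://192.168.0.10:8123` is published on both :80 and :443 relying solely on its own login; if Authelia is meant to gate it, add `- auth@file` to the same list, otherwise a comment stating that choice would help the next reader. `insecureSkipVerify: true` on the forwardAuth middleware has no effect while `address` is plain `http://authelia:9091`, and it is safer to remove it now than to have certificate checking silently disabled if the address is later switched to TLS.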
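Review bot: `api.insecure: true` in traefik/traefik.yaml serves the API and dashboard on Traefik's built-in `traefik` entrypoint (port 8080) with no authentication, exposing the routing configuration, including middleware settings and backend URLs, to anyone who can reach that port. Because the compose file already defines a `traefik` router protected by `auth@file`, the safer shape is `api:` with `dashboard: true` here and, on that router, `traefik.http.routers.traefik.service=api@internal` in place of the port-8080 load balancer label, so the dashboard is only reachable through Authelia. `log.level: DEBUG` writing to `/data/traefik.log` is verbose and the file persists on the host even though it is git-ignored; `INFO` is the usual default outside troubleshooting.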