Configuration cleanup

README.md

@@ -0,0 +1,17 @@
+# Server
+
+Configuration for traefik 2 and authelia
+
+
+### Authelia preprocessor
+The authelia configuration contains some sensitive values, but authelia cannot read them from env variables like traefic can.
+Instead, a special service - `authelia-config` runs before authelia start, and preprocesses the configuration file.
+
+- Local file `./authelia/configuration.yaml` is mapped to `/data/input` in `authelia-config`
+- Volume `authelia-config` is mapped to `/data/output` in `authelia-config`
+- `authelia-config` runs `gomplate` on `/data/input` and saves to `data/output/configuration.yaml`
+- `Volume `authelia-config` is mapped to `/etc/authelia` in `authelia`, where it reads its configuration
+
+## Lessons learned
+
+- Authelia will ONLY work with https. Both the authelia url itself and the one being authenticated must be https.

docker-compose.yaml

@@ -2,11 +2,13 @@ version: "3.5"
 
 networks:
   web:
+    # All containers that are router through traefik needs to be on this network
     external: false
     name: web
 
 volumes:
   authelia-config:
+    # Used for pre-processing of authelia configuration
 
 services:
   proxy:
@@ -22,25 +24,23 @@ services:
     command:
       - "--configFile=/data/traefik.yaml"
     ports: 
-      - "80:80"
+      - 80:80
-      - "443:443"
+      - 443:443
-      - "8080:8080"
+      # Open port 8080 for debugging emergencies
+    # - 8080:8080
     volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock"
+      - /var/run/docker.sock:/var/run/docker.sock
-      - "./traefik:/data"
+      - ./traefik:/data
     labels:
-      - "traefik.enable=true"
+      traefik.enable: true
-      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
+      traefik.http.services.traefik.loadbalancer.server.port: 8080
 
-      - "traefik.http.routers.traefik.rule=Host(`traefik.${PRIVATE_DOMAIN}`)"
+      traefik.http.routers.traefik.rule: Host(`traefik.${PRIVATE_DOMAIN}`)
-      - "traefik.http.routers.traefik.middlewares=auth@file"
+      traefik.http.routers.traefik.middlewares: auth@file
-      - "traefik.http.routers.traefik.tls.certResolver=le"
+      traefik.http.routers.traefik.tls.certResolver: le
-
-      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
-      - "traefik.http.routers.http-catchall.entrypoints=web"
-      - "traefik.http.routers.http-catchall.middlewares=redir@file"
 
   authelia-config:
+    # Preprocess authelia configuration through gomplate
     image: hairyhenderson/gomplate
     environment:
       - PRIVATE_DOMAIN
@@ -53,7 +53,8 @@ services:
     container_name: authelia
     image: authelia/authelia
     restart: always
-    links:
+    depends_on:
+      # config preprocessor should run first
       - authelia-config
     volumes:
       - ./authelia:/opt/authelia
@@ -64,35 +65,26 @@ services:
     networks:
       - web
     labels:
-      - "traefik.enable=true"
+      traefik.enable: true
-      - "traefik.http.routers.authelia.rule=Host(`auth.${PRIVATE_DOMAIN}`)"
+      traefik.http.routers.authelia.rule: Host(`auth.${PRIVATE_DOMAIN}`)
-      - "traefik.http.routers.authelia.tls=true"
+      traefik.http.routers.authelia.tls.certResolver: le
-      - "traefik.http.routers.authelia.tls.certResolver=le"
+      traefik.http.routers.authelia.entrypoints: websecure
-      - "traefik.http.routers.authelia.entrypoints=websecure"
 
-# whoami-http:
-#   image: containous/whoami
-#   networks:
-#     - web
-#   labels:
-#     - "traefik.enable=true"
-#     - "traefik.http.routers.whoami2.rule=Host(`wai-http.${PRIVATE_DOMAIN}`)"
-#
 # whoami-https:
 #   image: containous/whoami
 #   networks:
 #     - web
 #   labels:
-#     - "traefik.enable=true"
+#     traefik.enable: true
-#     - "traefik.http.routers.whoami.rule=Host(`wai-https.${PRIVATE_DOMAIN}`)"
+#     traefik.http.routers.wait-https.rule: Host(`wai-https.${PRIVATE_DOMAIN}`)
-#     - "traefik.http.routers.whoami.tls.certResolver=le"
+#     traefik.http.routers.wait-https.tls.certResolver: le
 
 # whoami-auth:
 #   image: containous/whoami
 #   networks:
 #     - web
 #   labels:
-#     - "traefik.enable=true"
+#     traefik.enable: true
-#     - "traefik.http.routers.wai.rule=Host(`wai-auth.${PRIVATE_DOMAIN}`)"
+#     traefik.http.routers.wai-auth.rule: Host(`wai-auth.${PRIVATE_DOMAIN}`)
-#     - "traefik.http.routers.wai.tls.certResolver=le"
+#     traefik.http.routers.wai-auth.tls.certResolver: le
-#     - "traefik.http.routers.wai.middlewares=auth@file"
+#     traefik.http.routers.wai-auth.middlewares: auth@file

traefik/config/network.yaml

@@ -0,0 +1,29 @@
+# This file contains routing rules for netwok services that are not running on the same host as traefik
+
+http:
+  services:
+    pfsense:
+      loadBalancer:
+        servers:
+          - url: http://192.168.0.1:80
+    proxmox:
+      loadBalancer:
+        servers:
+          - url: http://192.168.0.10:8006
+
+  routers:
+    pfsense:
+      service: pfsense
+      rule: Host(`pfsense.{{ env "PRIVATE_DOMAIN" }}`)
+      middlewares:
+        - auth
+      tls:
+        certResolver: le
+    proxmox:
+      service: proxmox
+      rule: Host(`proxmox.{{ env "PRIVATE_DOMAIN" }}`)
+      middlewares:
+        - auth
+      tls:
+        certResolver: le
+

traefik/config/security.yaml

@@ -0,0 +1,35 @@
+# This file contains services for security and authorization
+
+http:
+  services:
+    http-catchall:
+      # A dummy service for the http-catchall rule
+      loadBalancer:
+        servers:
+          - url: http://dummy-url
+
+  routers:
+    http-catchall:
+      # Catch all requests to the http entrypoint and redirect them to https
+      service: http-catchall
+      rule: hostregexp(`{host:.+}`)
+      entrypoint: web
+      middlewares:
+        - redir
+
+  middlewares:
+    redir:
+      # Redirect to https
+      redirectScheme:
+        scheme: https
+        permanent: true
+
+    auth:
+      # Go through authelia for authorization
+      forwardAuth:
+        address: http://authelia:9091/api/verify?rd=https://auth.{{ env "PRIVATE_DOMAIN" }}/%23/
+        trustForwardHeader: true
+        authResponseHeaders:
+          - X-Forwarded-User
+        insecureSkipVerify: true
+

traefik/tls.yaml

@@ -1,100 +0,0 @@
-http:
-  middlewares:
-    redir:
-      redirectScheme:
-        scheme: https
-        permanent: true
-    auth:
-      forwardAuth:
-        address: http://authelia:9091/api/verify?rd=https://auth.{{ env "PRIVATE_DOMAIN" }}/%23/
-        trustForwardHeader: true
-        authResponseHeaders:
-          - X-Forwarded-User
-        insecureSkipVerify: true
-
-  services:
-    hass:
-      loadBalancer:
-        servers:
-          - url: http://192.168.0.10:8123
-    plex:
-      loadBalancer:
-        servers:
-          - url: http://192.168.0.10:32400
-    portainer:
-      loadBalancer:
-        servers:
-          - url: http://192.168.0.10:9000
-    deconz:
-      loadBalancer:
-        servers:
-          - url: http://192.168.0.10:8082
-    proxmox:
-      loadBalancer:
-        servers:
-          - url: http://192.168.0.10:8006
-    nextcloud:
-      loadBalancer:
-        servers:
-          - url: http://192.168.0.10:8083
-      # client_max_body_size 10G
-      # client_body_buffer_size 400M
-      # proxy_hide_header Content-Security-Policy
-      # proxy_hide_header X-Frame-Options
-    keeweb:
-      loadBalancer:
-        servers:
-          - url: http://192.168.0.10:8084
-    grafana:
-      loadBalancer:
-        servers:
-          - url: http://192.168.0.10:3000
-
-  routers:
-    hass:
-      service: hass
-      rule: Host(`avagen.{{ env "PRIVATE_DOMAIN" }}`)
-      tls:
-        certResolver: le
-    plex:
-      service: plex
-      rule: Host(`plex.{{ env "PRIVATE_DOMAIN" }}`)
-      tls:
-        certResolver: le
-    portainer:
-      service: portainer
-      rule: Host(`portainer.{{ env "PRIVATE_DOMAIN" }}`)
-      middlewares:
-        - auth
-      tls:
-        certResolver: le
-    deconz:
-      service: deconz
-      rule: Host(`deconz.{{ env "PRIVATE_DOMAIN" }}`)
-      middlewares:
-        - auth
-      tls:
-        certResolver: le
-    proxmox:
-      service: proxmox
-      rule: Host(`proxmox.{{ env "PRIVATE_DOMAIN" }}`)
-      middlewares:
-        - auth
-      tls:
-        certResolver: le
-    cloud:
-      service: nextcloud
-      rule: Host(`cloud.{{ env "PRIVATE_DOMAIN" }}`)
-      tls:
-        certResolver: le
-    pwd:
-      service: keeweb
-      rule: Host(`pwd.{{ env "PRIVATE_DOMAIN" }}`)
-      tls:
-        certResolver: le
-    grafana:
-      service: grafana
-      rule: Host(`grafana.{{ env "PRIVATE_DOMAIN" }}`)
-      tls:
-        certResolver: le
-

traefik/traefik.yaml

@@ -3,7 +3,7 @@ api:
 
 providers:
   file:
-    filename: /data/tls.yaml
+    directory: /data/config
   docker:
     exposedByDefault: false