Configuration cleanup

This commit is contained in:
Thomas Lovén 2020-01-27 12:45:53 +01:00
parent 834f7d0f2b
commit f222773a25
6 changed files with 110 additions and 137 deletions

README.md Normal file

@ -0,0 +1,17 @@
# Server
Configuration for traefik 2 and authelia
### Authelia preprocessor
The authelia configuration contains some sensitive values, but authelia cannot read them from env variables like traefic can.
Instead, a special service - `authelia-config` runs before authelia start, and preprocesses the configuration file.
- Local file `./authelia/configuration.yaml` is mapped to `/data/input` in `authelia-config`
- Volume `authelia-config` is mapped to `/data/output` in `authelia-config`
- `authelia-config` runs `gomplate` on `/data/input` and saves to `data/output/configuration.yaml`
- `Volume `authelia-config` is mapped to `/etc/authelia` in `authelia`, where it reads its configuration
## Lessons learned
- Authelia will ONLY work with https. Both the authelia url itself and the one being authenticated must be https.


@ -2,11 +2,13 @@ version: "3.5"
networks:
web:
# All containers that are router through traefik needs to be on this network
external: false
name: web
volumes:
authelia-config:
# Used for pre-processing of authelia configuration
services:
proxy:
@ -21,26 +23,24 @@ services:
- web
command:
- "--configFile=/data/traefik.yaml"
ports:
- "80:80"
- "443:443"
- "8080:8080"
ports:
- 80:80
- 443:443
# Open port 8080 for debugging emergencies
# - 8080:8080
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
- "./traefik:/data"
- /var/run/docker.sock:/var/run/docker.sock
- ./traefik:/data
labels:
- "traefik.enable=true"
- "traefik.http.services.traefik.loadbalancer.server.port=8080"
traefik.enable: true
traefik.http.services.traefik.loadbalancer.server.port: 8080
- "traefik.http.routers.traefik.rule=Host(`traefik.${PRIVATE_DOMAIN}`)"
- "traefik.http.routers.traefik.middlewares=auth@file"
- "traefik.http.routers.traefik.tls.certResolver=le"
- "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.entrypoints=web"
- "traefik.http.routers.http-catchall.middlewares=redir@file"
traefik.http.routers.traefik.rule: Host(`traefik.${PRIVATE_DOMAIN}`)
traefik.http.routers.traefik.middlewares: auth@file
traefik.http.routers.traefik.tls.certResolver: le
authelia-config:
# Preprocess authelia configuration through gomplate
image: hairyhenderson/gomplate
environment:
- PRIVATE_DOMAIN
@ -53,7 +53,8 @@ services:
container_name: authelia
image: authelia/authelia
restart: always
links:
depends_on:
# config preprocessor should run first
- authelia-config
volumes:
- ./authelia:/opt/authelia
@ -64,35 +65,26 @@ services:
networks:
- web
labels:
- "traefik.enable=true"
- "traefik.http.routers.authelia.rule=Host(`auth.${PRIVATE_DOMAIN}`)"
- "traefik.http.routers.authelia.tls=true"
- "traefik.http.routers.authelia.tls.certResolver=le"
- "traefik.http.routers.authelia.entrypoints=websecure"
traefik.enable: true
traefik.http.routers.authelia.rule: Host(`auth.${PRIVATE_DOMAIN}`)
traefik.http.routers.authelia.tls.certResolver: le
traefik.http.routers.authelia.entrypoints: websecure
# whoami-http:
# image: containous/whoami
# networks:
# - web
# labels:
# - "traefik.enable=true"
# - "traefik.http.routers.whoami2.rule=Host(`wai-http.${PRIVATE_DOMAIN}`)"
#
# whoami-https:
# image: containous/whoami
# networks:
# - web
# labels:
# - "traefik.enable=true"
# - "traefik.http.routers.whoami.rule=Host(`wai-https.${PRIVATE_DOMAIN}`)"
# - "traefik.http.routers.whoami.tls.certResolver=le"
# traefik.enable: true
# traefik.http.routers.wait-https.rule: Host(`wai-https.${PRIVATE_DOMAIN}`)
# traefik.http.routers.wait-https.tls.certResolver: le
# whoami-auth:
# image: containous/whoami
# networks:
# - web
# labels:
# - "traefik.enable=true"
# - "traefik.http.routers.wai.rule=Host(`wai-auth.${PRIVATE_DOMAIN}`)"
# - "traefik.http.routers.wai.tls.certResolver=le"
# - "traefik.http.routers.wai.middlewares=auth@file"
# traefik.enable: true
# traefik.http.routers.wai-auth.rule: Host(`wai-auth.${PRIVATE_DOMAIN}`)
# traefik.http.routers.wai-auth.tls.certResolver: le
# traefik.http.routers.wai-auth.middlewares: auth@file
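Review bot: The labels mapping introduced at `traefik.enable: true` and `traefik.http.services.traefik.loadbalancer.server.port: 8080` in the proxy service carries a YAML boolean and an integer, but Docker label values are strings; depending on the Compose version a boolean label is either rejected by schema validation or stringified in a loader-defined way, so quote them as `traefik.enable: "true"` and `traefik.http.services.traefik.loadbalancer.server.port: "8080"`. The same applies to `traefik.enable: true` in the authelia service's labels hunk further down. For the same reason it is conventional to keep port mappings quoted (`"80:80"`, `"443:443"`), which this hunk removes — harmless for these two values, but a mapping with a component under 60 such as `22:22` parses as a base-60 integer on a YAML 1.1 loader.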


@ -0,0 +1,29 @@
# This file contains routing rules for netwok services that are not running on the same host as traefik
http:
services:
pfsense:
loadBalancer:
servers:
- url: http://192.168.0.1:80
proxmox:
loadBalancer:
servers:
- url: http://192.168.0.10:8006
routers:
pfsense:
service: pfsense
rule: Host(`pfsense.{{ env "PRIVATE_DOMAIN" }}`)
middlewares:
- auth
tls:
certResolver: le
proxmox:
service: proxmox
rule: Host(`proxmox.{{ env "PRIVATE_DOMAIN" }}`)
middlewares:
- auth
tls:
certResolver: le
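Review bot: Both new upstreams are reached over plain HTTP (`url: http://192.168.0.1:80` for pfsense and `url: http://192.168.0.10:8006` for proxmox), so once authelia has admitted a user the authenticated admin session to these management UIs travels unencrypted on the LAN; if either upstream serves TLS — the Proxmox web UI on 8006 normally serves HTTPS only — the scheme should be `https://`, with the backend certificate handled explicitly rather than by disabling verification. It is also worth confirming that the pfsense UI really listens on port 80 rather than 443. The header comment has a typo; it should read `# This file contains routing rules for network services that are not running on the same host as traefik`.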


@ -0,0 +1,35 @@
# This file contains services for security and authorization
http:
services:
http-catchall:
# A dummy service for the http-catchall rule
loadBalancer:
servers:
- url: http://dummy-url
routers:
http-catchall:
# Catch all requests to the http entrypoint and redirect them to https
service: http-catchall
rule: hostregexp(`{host:.+}`)
entrypoint: web
middlewares:
- redir
middlewares:
redir:
# Redirect to https
redirectScheme:
scheme: https
permanent: true
auth:
# Go through authelia for authorization
forwardAuth:
address: http://authelia:9091/api/verify?rd=https://auth.{{ env "PRIVATE_DOMAIN" }}/%23/
trustForwardHeader: true
authResponseHeaders:
- X-Forwarded-User
insecureSkipVerify: true
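Review bot: The router key at `entrypoint: web` in http-catchall is not a Traefik field; the file provider expects `entryPoints` as a list (the old label form used `entrypoints=web`), and Traefik's decoder typically rejects unknown fields, so this whole file's dynamic configuration may fail to load. Change it to `entryPoints:` followed by `  - web`. If the key were merely ignored instead, the catch-all router would attach to every entrypoint, including websecure. Separately, `insecureSkipVerify: true` on the auth forwardAuth is a no-op while `address` is `http://authelia:9091/...` yet reads as a deliberate TLS-verification bypass; drop it, or add a comment saying why it is kept.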


@ -1,100 +0,0 @@
http:
middlewares:
redir:
redirectScheme:
scheme: https
permanent: true
auth:
forwardAuth:
address: http://authelia:9091/api/verify?rd=https://auth.{{ env "PRIVATE_DOMAIN" }}/%23/
trustForwardHeader: true
authResponseHeaders:
- X-Forwarded-User
insecureSkipVerify: true
services:
hass:
loadBalancer:
servers:
- url: http://192.168.0.10:8123
plex:
loadBalancer:
servers:
- url: http://192.168.0.10:32400
portainer:
loadBalancer:
servers:
- url: http://192.168.0.10:9000
deconz:
loadBalancer:
servers:
- url: http://192.168.0.10:8082
proxmox:
loadBalancer:
servers:
- url: http://192.168.0.10:8006
nextcloud:
loadBalancer:
servers:
- url: http://192.168.0.10:8083
# client_max_body_size 10G
# client_body_buffer_size 400M
# proxy_hide_header Content-Security-Policy
# proxy_hide_header X-Frame-Options
keeweb:
loadBalancer:
servers:
- url: http://192.168.0.10:8084
grafana:
loadBalancer:
servers:
- url: http://192.168.0.10:3000
routers:
hass:
service: hass
rule: Host(`avagen.{{ env "PRIVATE_DOMAIN" }}`)
tls:
certResolver: le
plex:
service: plex
rule: Host(`plex.{{ env "PRIVATE_DOMAIN" }}`)
tls:
certResolver: le
portainer:
service: portainer
rule: Host(`portainer.{{ env "PRIVATE_DOMAIN" }}`)
middlewares:
- auth
tls:
certResolver: le
deconz:
service: deconz
rule: Host(`deconz.{{ env "PRIVATE_DOMAIN" }}`)
middlewares:
- auth
tls:
certResolver: le
proxmox:
service: proxmox
rule: Host(`proxmox.{{ env "PRIVATE_DOMAIN" }}`)
middlewares:
- auth
tls:
certResolver: le
cloud:
service: nextcloud
rule: Host(`cloud.{{ env "PRIVATE_DOMAIN" }}`)
tls:
certResolver: le
pwd:
service: keeweb
rule: Host(`pwd.{{ env "PRIVATE_DOMAIN" }}`)
tls:
certResolver: le
grafana:
service: grafana
rule: Host(`grafana.{{ env "PRIVATE_DOMAIN" }}`)
tls:
certResolver: le


@ -3,7 +3,7 @@ api:
providers:
file:
filename: /data/tls.yaml
directory: /data/config
docker:
exposedByDefault: false
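Review bot: Switching the file provider from `filename: /data/tls.yaml` to `directory: /data/config` means only files inside `/data/config` are loaded; nothing in this commit moves `tls.yaml`, so if it still lives at `/data/tls.yaml` its TLS options are silently no longer applied — confirm it was relocated into the directory or re-add it. A short comment would help the next reader: `# Every *.yaml/*.yml/*.toml under this directory is loaded as dynamic configuration`. The `api:` block and the entrypoint definitions of this static configuration lie outside the hunk.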