diff --git a/.gitignore b/.gitignore
index dee5946..75339bf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
+.env
+
 traefik/acme.json
 traefik/certs/
 traefik/traefik.log
diff --git a/authelia/configuration.yml b/authelia/configuration.yml
index e867cfa..d46f5c6 100644
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -1,42 +1,38 @@
-host: 0.0.0.0
-port: 9091
-logs_level: trace
-jwt_secret: {{ env.Getenv "PRIVATE_DOMAIN" }}-jwt-secret
+# log:
+# level: debug
+
+theme: auto
 authentication_backend:
 file:
- path: /opt/authelia/users_database.yml
+ path: /config/users_database.yml
 session:
- name: authelia_session
- secret: {{ env.Getenv "PRIVATE_DOMAIN" }}-token-secret
- domain: {{ env.Getenv "PRIVATE_DOMAIN" }}
- expiration: 604800
- inactivity: 172800
+ # domain: SET BY ENV VARIABLE AUTHELIA_SESSION_DOMAIN
+ # secret: SET BY ENV VARIABLE AUTHELIA_SESSION_SECRET
 storage:
 local:
- path: /opt/authelia/db.sqlite3
-
-totp:
- issuer: {{ env.Getenv "PRIVATE_DOMAIN" }}
+ path: /config/db.sqlite3
 access_control:
- default_policy: one_factor
+ default_policy: two_factor
+ networks:
+ - name: internal
+ networks:
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/18
 rules:
 # Allow free access from local network
- - domain: "*"
+ - domain:
+ - "*.se"
+ - "*.com"
 networks:
- - 192.168.1.0/23
+ - internal
 policy: bypass
-
-regulation:
- max_retries: 5
- find_time: 120
- ban_time: 180
-
 notifier:
 filesystem:
- filename: /opt/authelia/notification.txt
+ filename: /config/notification.txt
diff --git a/docker-compose.yaml b/docker-compose.yaml
index a25a9f9..e0d2ed7 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -27,6 +27,7 @@ services:
 - PUBLIC_DOMAIN
 networks:
 web:
+ ipv4_address: 172.18.1.2
 command:
 - "--configFile=/data/traefik.yaml"
 ports:
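Review bot: The bypass rule's `internal` network definition (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/18`) also covers Docker's own address space — the compose hunk in this same commit pins Traefik at `172.18.1.2`, inside `172.16.0.0/12` — so if Authelia ever evaluates the proxy's address rather than the forwarded client address (forwarded-header handling lives in the Traefik config, outside this diff), every request, including ones arriving from the internet, would be classified as internal and skip `two_factor`. Consider limiting `internal` to the actual LAN range (the replaced rule used `192.168.1.0/23`) and keeping the Docker subnets out of it. `192.168.0.0/18` also looks like a typo: it stops at 192.168.63.255 while the other two entries are full RFC 1918 ranges, and the whole private range would be `192.168.0.0/16`. The `session:` key is now followed only by commented-out lines, so it parses as null; confirm that the Authelia version in use accepts an empty `session` section with the values supplied solely through `AUTHELIA_SESSION_DOMAIN` and `AUTHELIA_SESSION_SECRET`.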
@@ -48,29 +49,20 @@ services:
 traefik.http.routers.traefik.tls.certResolver: le
 autoheal: "true"
- authelia-config:
- # Preprocess authelia configuration through gomplate
- image: hairyhenderson/gomplate
- environment:
- - PRIVATE_DOMAIN
- - PUBLIC_DOMAIN
- volumes:
- - ./authelia/configuration.yml:/data/input:ro
- - authelia-config:/data/output
- command: '--file=/data/input --out=/data/output/configuration.yml'
 authelia:
 container_name: authelia
 image: authelia/authelia
 restart: always
- depends_on:
- # config preprocessor should run first
- - authelia-config
 volumes:
- - ./authelia:/opt/authelia
- - authelia-config:/etc/authelia/
+ - ./authelia:/config
 environment:
- - ENVIRONMENT=dev
+ # - ENVIRONMENT=dev
 - NODE_TLS_REJECT_UNAUTHORIZED=1
+ - AUTHELIA_JWT_SECRET
+ - AUTHELIA_SESSION_SECRET
+ - AUTHELIA_SESSION_DOMAIN
+ - AUTHELIA_TOTP_ISSUER
+ - TZ=Europe/Stockholm
 networks:
 web:
 healthcheck:
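Review bot: The Authelia secrets are now passed as plain environment variables (`AUTHELIA_JWT_SECRET`, `AUTHELIA_SESSION_SECRET`), which anything that can reach the Docker API (`docker inspect`, or the Dozzle service added later in this commit with the socket mounted) can read back in clear text. Authelia also accepts the `_FILE` form of these variables, e.g. `AUTHELIA_JWT_SECRET_FILE=/run/secrets/jwt_secret`, so the values can be supplied as mounted files or compose `secrets:` instead of process environment. `NODE_TLS_REJECT_UNAUTHORIZED=1` is a Node.js setting; current Authelia releases are Go, so it presumably does nothing here and reads like a leftover worth dropping. `image: authelia/authelia` is unpinned (a context line, not new here), so the deployment tracks `latest`; since this commit ties the container to a specific env-variable contract, pinning a version tag would keep that contract reproducible. The `authelia` service's healthcheck continues below the hunk.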
@@ -95,26 +87,41 @@ services:
 web:
 labels:
 traefik.enable: true
- traefik.http.routers.homer.rule: Host(`${PRIVATE_DOMAIN}`)
+ traefik.http.routers.homer.rule: Host(`${PRIVATE_DOMAIN}`) || Host(`www.${PRIVATE_DOMAIN}`)
 traefik.http.routers.homer.tls.certResolver: le
- traefik.http.routers.homer.entrypoints: websecure
-# whoami-https:
-# image: containous/whoami
-# networks:
-# web:
-# labels:
-# traefik.enable: true
-# traefik.http.routers.wait-https.rule: Host(`wai-https.${PRIVATE_DOMAIN}`)
-# traefik.http.routers.wait-https.tls.certResolver: le
+ dozzle:
+ image: amir20/dozzle
+ restart: always
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ networks:
+ web:
+ labels:
+ traefik.enable: true
+ traefik.http.routers.dozzle.rule: Host(`logs.${PRIVATE_DOMAIN}`)
+ traefik.http.routers.dozzle.tls.certResolver: le
+ traefik.http.routers.dozzle.middlewares: auth@file
-# whoami-auth:
-# image: containous/whoami
-# networks:
-# web:
-# macvlan:
-# labels:
-# traefik.enable: true
-# traefik.http.routers.wai-auth.rule: Host(`wai-auth.${PRIVATE_DOMAIN}`)
-# traefik.http.routers.wai-auth.tls.certResolver: le
-# traefik.http.routers.wai-auth.middlewares: auth@file
+
+# labels:
+# The following three labels are always needed. Make sure to replace with a unique name
+# traefik.enable: true
+# traefik.http.routers..tls.certResolver: le
+# traefik.http.routers..rule: Host(`.${PRIVATE_DOMAIN}`)
+
+# Alternatives:
+# traefik.http.routers..rule: Host(`.${PUBLIC_DOMAIN}`)
+# traefik.http.routers..rule: Host(`.${PRIVATE_DOMAIN}`) || HOST(`.${PUBLIC_DOMAIN}`)
+
+# Require authentication:
+# traefik.http.routers..middlewares: auth@file
+
+# If more than one port is exposed by the container:
+# traefik.http.services..loadbalancer.server.port:
+
+# If container uses more than one network:
+# traefik.docker.network: web
+
+# Restart automatically if healthchech fails:
+# autoheal: "true"
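Review bot: The new `dozzle` service mounts `/var/run/docker.sock` directly, which hands a log viewer full control of the Docker daemon — and, through the API, the environment of every container, including the Authelia secrets set in the previous hunk — when it only needs to read logs; note that a `:ro` mount flag does not restrict API calls over the socket, so the effective mitigation is a filtering socket proxy that exposes only the container and log endpoints, and a pinned tag or digest instead of the bare `amir20/dozzle`. The router is protected by `auth@file`, but with the bypass rule in `authelia/configuration.yml` any request classified as internal reaches `logs.${PRIVATE_DOMAIN}` without authentication, so the width of that network definition matters for this endpoint too. In the template comments, `HOST(` on the `Alternatives` line should be `Host(` to match every other rule in the file, and `healthchech` should read `healthcheck`. The `homer` service that the first changed label belongs to starts above the hunk.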