Simplify authelia config. Add dozzle for log viewing.

This commit is contained in:
Thomas Lovén 2021-08-21 22:51:25 +02:00
parent e8cd50c857
commit fb3b89079c
3 changed files with 65 additions and 60 deletions

.gitignore vendored

@ -1,3 +1,5 @@
.env
traefik/acme.json traefik/acme.json
traefik/certs/ traefik/certs/
traefik/traefik.log traefik/traefik.log


@ -1,42 +1,38 @@
host: 0.0.0.0 # log:
port: 9091 # level: debug
logs_level: trace
jwt_secret: {{ env.Getenv "PRIVATE_DOMAIN" }}-jwt-secret theme: auto
authentication_backend: authentication_backend:
file: file:
path: /opt/authelia/users_database.yml path: /config/users_database.yml
session: session:
name: authelia_session # domain: SET BY ENV VARIABLE AUTHELIA_SESSION_DOMAIN
secret: {{ env.Getenv "PRIVATE_DOMAIN" }}-token-secret # secret: SET BY ENV VARIABLE AUTHELIA_SESSION_SECRET
domain: {{ env.Getenv "PRIVATE_DOMAIN" }}
expiration: 604800
inactivity: 172800
storage: storage:
local: local:
path: /opt/authelia/db.sqlite3 path: /config/db.sqlite3
totp:
issuer: {{ env.Getenv "PRIVATE_DOMAIN" }}
access_control: access_control:
default_policy: one_factor default_policy: two_factor
networks:
- name: internal
networks:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/18
rules: rules:
# Allow free access from local network # Allow free access from local network
- domain: "*" - domain:
- "*.se"
- "*.com"
networks: networks:
- 192.168.1.0/23 - internal
policy: bypass policy: bypass
regulation:
max_retries: 5
find_time: 120
ban_time: 180
notifier: notifier:
filesystem: filesystem:
filename: /opt/authelia/notification.txt filename: /config/notification.txt
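Review bot: The new `internal` network definition (the `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/18` list) feeding the `policy: bypass` rule now contains the compose `web` network itself — traefik is pinned to `172.18.1.2` in the docker-compose hunk and authelia sits on the same network — so any request that reaches Authelia carrying its container-network source address instead of a forwarded client IP matches `internal` and skips the new `two_factor` default. As far as I can tell Authelia takes the client from `X-Forwarded-For` when Traefik supplies it, so this holds only while Traefik is the sole route to port 9091 and does not trust forwarded headers from clients; that Traefik configuration is not visible in this commit. Narrowing the bypass back to the LAN range you actually mean, e.g. `- 192.168.1.0/23` as the old rule had, avoids widening the trust perimeter to every RFC1918 address. The previous `regulation:` block (`max_retries`/`find_time`/`ban_time`) was removed without replacement — if Authelia's built-in defaults are intended, a comment such as `# regulation: using Authelia defaults` would make that explicit; otherwise keep the block so password brute-forcing stays rate-limited.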


@ -27,6 +27,7 @@ services:
- PUBLIC_DOMAIN - PUBLIC_DOMAIN
networks: networks:
web: web:
ipv4_address: 172.18.1.2
command: command:
- "--configFile=/data/traefik.yaml" - "--configFile=/data/traefik.yaml"
ports: ports:
@ -48,29 +49,20 @@ services:
traefik.http.routers.traefik.tls.certResolver: le traefik.http.routers.traefik.tls.certResolver: le
autoheal: "true" autoheal: "true"
authelia-config:
# Preprocess authelia configuration through gomplate
image: hairyhenderson/gomplate
environment:
- PRIVATE_DOMAIN
- PUBLIC_DOMAIN
volumes:
- ./authelia/configuration.yml:/data/input:ro
- authelia-config:/data/output
command: '--file=/data/input --out=/data/output/configuration.yml'
authelia: authelia:
container_name: authelia container_name: authelia
image: authelia/authelia image: authelia/authelia
restart: always restart: always
depends_on:
# config preprocessor should run first
- authelia-config
volumes: volumes:
- ./authelia:/opt/authelia - ./authelia:/config
- authelia-config:/etc/authelia/
environment: environment:
- ENVIRONMENT=dev # - ENVIRONMENT=dev
- NODE_TLS_REJECT_UNAUTHORIZED=1 - NODE_TLS_REJECT_UNAUTHORIZED=1
- AUTHELIA_JWT_SECRET
- AUTHELIA_SESSION_SECRET
- AUTHELIA_SESSION_DOMAIN
- AUTHELIA_TOTP_ISSUER
- TZ=Europe/Stockholm
networks: networks:
web: web:
healthcheck: healthcheck:
@ -95,26 +87,41 @@ services:
web: web:
labels: labels:
traefik.enable: true traefik.enable: true
traefik.http.routers.homer.rule: Host(`${PRIVATE_DOMAIN}`) traefik.http.routers.homer.rule: Host(`${PRIVATE_DOMAIN}`) || Host(`www.${PRIVATE_DOMAIN}`)
traefik.http.routers.homer.tls.certResolver: le traefik.http.routers.homer.tls.certResolver: le
traefik.http.routers.homer.entrypoints: websecure
# whoami-https: dozzle:
# image: containous/whoami image: amir20/dozzle
# networks: restart: always
# web: volumes:
# labels: - /var/run/docker.sock:/var/run/docker.sock
# traefik.enable: true networks:
# traefik.http.routers.wait-https.rule: Host(`wai-https.${PRIVATE_DOMAIN}`) web:
# traefik.http.routers.wait-https.tls.certResolver: le labels:
traefik.enable: true
traefik.http.routers.dozzle.rule: Host(`logs.${PRIVATE_DOMAIN}`)
traefik.http.routers.dozzle.tls.certResolver: le
traefik.http.routers.dozzle.middlewares: auth@file
# whoami-auth:
# image: containous/whoami
# networks:
# web:
# macvlan:
# labels: # labels:
# The following three labels are always needed. Make sure to replace <SERVICE> with a unique name
# traefik.enable: true # traefik.enable: true
# traefik.http.routers.wai-auth.rule: Host(`wai-auth.${PRIVATE_DOMAIN}`) # traefik.http.routers.<SERVICE>.tls.certResolver: le
# traefik.http.routers.wai-auth.tls.certResolver: le # traefik.http.routers.<SERVICE>.rule: Host(`<SERVICE>.${PRIVATE_DOMAIN}`)
# traefik.http.routers.wai-auth.middlewares: auth@file
# Alternatives:
# traefik.http.routers.<SERVICE>.rule: Host(`<SERVICE>.${PUBLIC_DOMAIN}`)
# traefik.http.routers.<SERVICE>.rule: Host(`<SERVICE>.${PRIVATE_DOMAIN}`) || HOST(`<SERVICE>.${PUBLIC_DOMAIN}`)
# Require authentication:
# traefik.http.routers.<SERVICE>.middlewares: auth@file
# If more than one port is exposed by the container:
# traefik.http.services.<SERVICE>.loadbalancer.server.port: <PORT>
# If container uses more than one network:
# traefik.docker.network: web
# Restart automatically if healthchech fails:
# autoheal: "true"
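Review bot: The new `dozzle` service mounts the host Docker socket read-write (`- /var/run/docker.sock:/var/run/docker.sock`), which gives the container — and anyone who gets past the `auth@file` middleware in front of it — root-equivalent control of the host via the Docker API. Dozzle only needs to read container logs, so fronting the socket with a socket proxy that exposes just the read-only containers endpoints is the real control; adding `:ro` to the mount is worth doing for intent but does not by itself stop API writes over a unix socket. The dozzle router also has no `entrypoints` label while the `homer` router in the same file now gets `traefik.http.routers.homer.entrypoints: websecure`; without it the router attaches to every entrypoint, including a plain-HTTP one if traefik.yaml defines it (not visible here), so `traefik.http.routers.dozzle.entrypoints: websecure` would keep the two consistent. Since dozzle surfaces every container's stdout, including traefik and authelia, the exposed logs may contain tokens or other sensitive values, which is another reason to keep it behind both TLS and the forward-auth middleware.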