Simplify authelia config. Add dozzle for log viewing.

2021-08-21 22:51:25 +02:00 · 2021-08-21 22:51:25 +02:00 · fb3b89079c
commit fb3b89079c
parent e8cd50c857
3 changed files with 65 additions and 60 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,5 @@
+.env
+
 traefik/acme.json
 traefik/certs/
 traefik/traefik.log
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@ -1,42 +1,38 @@
-host: 0.0.0.0
-port: 9091
-logs_level: trace
-jwt_secret: {{ env.Getenv "PRIVATE_DOMAIN" }}-jwt-secret
+# log:
+#   level: debug
+
+theme: auto
 authentication_backend:
  file:
-    path: /opt/authelia/users_database.yml
+    path: /config/users_database.yml

 session:
-  name: authelia_session
-  secret: {{ env.Getenv "PRIVATE_DOMAIN" }}-token-secret
-  domain: {{ env.Getenv "PRIVATE_DOMAIN" }}
-  expiration: 604800
-  inactivity: 172800
+  # domain: SET BY ENV VARIABLE AUTHELIA_SESSION_DOMAIN
+  # secret: SET BY ENV VARIABLE AUTHELIA_SESSION_SECRET

 storage:
  local:
-    path: /opt/authelia/db.sqlite3
-
-totp:
-  issuer: {{ env.Getenv "PRIVATE_DOMAIN" }}
+    path: /config/db.sqlite3

 access_control:
-  default_policy: one_factor
+  default_policy: two_factor
+  networks:
+    - name: internal
+      networks:
+        - 10.0.0.0/8
+        - 172.16.0.0/12
+        - 192.168.0.0/18

  rules:
    # Allow free access from local network
-    - domain: "*"
+    - domain:
+      - "*.se"
+      - "*.com"
      networks:
-        - 192.168.1.0/23
+        - internal
      policy: bypass

-
-regulation:
-  max_retries: 5
-  find_time: 120
-  ban_time: 180
-
 notifier:
  filesystem:
-    filename: /opt/authelia/notification.txt
+    filename: /config/notification.txt

--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@ -27,6 +27,7 @@ services:
      - PUBLIC_DOMAIN
    networks:
      web:
+        ipv4_address: 172.18.1.2
    command:
      - "--configFile=/data/traefik.yaml"
    ports:
@ -48,29 +49,20 @@ services:
      traefik.http.routers.traefik.tls.certResolver: le
      autoheal: "true"

-  authelia-config:
-    # Preprocess authelia configuration through gomplate
-    image: hairyhenderson/gomplate
-    environment:
-      - PRIVATE_DOMAIN
-      - PUBLIC_DOMAIN
-    volumes:
-      - ./authelia/configuration.yml:/data/input:ro
-      - authelia-config:/data/output
-    command: '--file=/data/input --out=/data/output/configuration.yml'
  authelia:
    container_name: authelia
    image: authelia/authelia
    restart: always
-    depends_on:
-      # config preprocessor should run first
-      - authelia-config
    volumes:
-      - ./authelia:/opt/authelia
-      - authelia-config:/etc/authelia/
+      - ./authelia:/config
    environment:
-      - ENVIRONMENT=dev
+      # - ENVIRONMENT=dev
      - NODE_TLS_REJECT_UNAUTHORIZED=1
+      - AUTHELIA_JWT_SECRET
+      - AUTHELIA_SESSION_SECRET
+      - AUTHELIA_SESSION_DOMAIN
+      - AUTHELIA_TOTP_ISSUER
+      - TZ=Europe/Stockholm
    networks:
      web:
    healthcheck:
@ -95,26 +87,41 @@ services:
      web:
    labels:
      traefik.enable: true
-      traefik.http.routers.homer.rule: Host(`${PRIVATE_DOMAIN}`)
+      traefik.http.routers.homer.rule: Host(`${PRIVATE_DOMAIN}`) || Host(`www.${PRIVATE_DOMAIN}`)
      traefik.http.routers.homer.tls.certResolver: le
-      traefik.http.routers.homer.entrypoints: websecure

-# whoami-https:
-#   image: containous/whoami
-#   networks:
-#     web:
-#   labels:
-#     traefik.enable: true
-#     traefik.http.routers.wait-https.rule: Host(`wai-https.${PRIVATE_DOMAIN}`)
-#     traefik.http.routers.wait-https.tls.certResolver: le
+  dozzle:
+    image: amir20/dozzle
+    restart: always
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+      web:
+    labels:
+      traefik.enable: true
+      traefik.http.routers.dozzle.rule: Host(`logs.${PRIVATE_DOMAIN}`)
+      traefik.http.routers.dozzle.tls.certResolver: le
+      traefik.http.routers.dozzle.middlewares: auth@file
+

-# whoami-auth:
-#   image: containous/whoami
-#   networks:
-#     web:
-#     macvlan:
 # labels:
+#   The following three labels are always needed. Make sure to replace <SERVICE> with a unique name
 #   traefik.enable: true
-#     traefik.http.routers.wai-auth.rule: Host(`wai-auth.${PRIVATE_DOMAIN}`)
-#     traefik.http.routers.wai-auth.tls.certResolver: le
-#     traefik.http.routers.wai-auth.middlewares: auth@file
+#   traefik.http.routers.<SERVICE>.tls.certResolver: le
+#   traefik.http.routers.<SERVICE>.rule: Host(`<SERVICE>.${PRIVATE_DOMAIN}`)
+
+#   Alternatives:
+#   traefik.http.routers.<SERVICE>.rule: Host(`<SERVICE>.${PUBLIC_DOMAIN}`)
+#   traefik.http.routers.<SERVICE>.rule: Host(`<SERVICE>.${PRIVATE_DOMAIN}`) || HOST(`<SERVICE>.${PUBLIC_DOMAIN}`)
+
+#   Require authentication:
+#   traefik.http.routers.<SERVICE>.middlewares: auth@file
+
+#   If more than one port is exposed by the container:
+#   traefik.http.services.<SERVICE>.loadbalancer.server.port: <PORT>
+
+#   If container uses more than one network:
+#   traefik.docker.network: web
+
+#   Restart automatically if healthchech fails:
+#   autoheal: "true"