thomas/docker-server
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Compare commits

base: thomas:f0709ed83b098785013980d3335f33c3410dc3b6
Branches Tags
thomas:master
..
compare: thomas:e8cd50c85783501edbbfa1d789c5e6c0649ab079
Branches Tags
thomas:master

No commits in common. "f0709ed83b098785013980d3335f33c3410dc3b6" and "e8cd50c85783501edbbfa1d789c5e6c0649ab079" have entirely different histories.
f0709ed83b ... e8cd50c857

6 changed files with 64 additions and 84 deletions
Show Stats Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1,5 +1,3 @@
.env
traefik/acme.json
traefik/certs/
traefik/traefik.log

44
authelia/configuration.yml
View File

@ -1,38 +1,42 @@
# log:
# level: debug
theme: auto
host: 0.0.0.0
port: 9091
logs_level: trace
jwt_secret: {{ env.Getenv "PRIVATE_DOMAIN" }}-jwt-secret
authentication_backend:
file:
path: /config/users_database.yml
path: /opt/authelia/users_database.yml
session:
# domain: SET BY ENV VARIABLE AUTHELIA_SESSION_DOMAIN
# secret: SET BY ENV VARIABLE AUTHELIA_SESSION_SECRET
name: authelia_session
secret: {{ env.Getenv "PRIVATE_DOMAIN" }}-token-secret
domain: {{ env.Getenv "PRIVATE_DOMAIN" }}
expiration: 604800
inactivity: 172800
storage:
local:
path: /config/db.sqlite3
path: /opt/authelia/db.sqlite3
totp:
issuer: {{ env.Getenv "PRIVATE_DOMAIN" }}
access_control:
default_policy: two_factor
networks:
- name: internal
networks:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/18
default_policy: one_factor
rules:
# Allow free access from local network
- domain:
- "*.se"
- "*.com"
- domain: "*"
networks:
- internal
- 192.168.1.0/23
policy: bypass
regulation:
max_retries: 5
find_time: 120
ban_time: 180
notifier:
filesystem:
filename: /config/notification.txt
filename: /opt/authelia/notification.txt

76
docker-compose.yaml
View File

@ -25,10 +25,8 @@ services:
- EMAIL
- PRIVATE_DOMAIN
- PUBLIC_DOMAIN
- TRAEFIK_CERTIFICATERESOLVERS_LE_ACME_EMAIL
networks:
web:
ipv4_address: 172.18.1.2
command:
- "--configFile=/data/traefik.yaml"
ports:
@ -50,20 +48,29 @@ services:
traefik.http.routers.traefik.tls.certResolver: le
autoheal: "true"
authelia-config:
# Preprocess authelia configuration through gomplate
image: hairyhenderson/gomplate
environment:
- PRIVATE_DOMAIN
- PUBLIC_DOMAIN
volumes:
- ./authelia/configuration.yml:/data/input:ro
- authelia-config:/data/output
command: '--file=/data/input --out=/data/output/configuration.yml'
authelia:
container_name: authelia
image: authelia/authelia
restart: always
depends_on:
# config preprocessor should run first
- authelia-config
volumes:
- ./authelia:/config
- ./authelia:/opt/authelia
- authelia-config:/etc/authelia/
environment:
# - ENVIRONMENT=dev
- ENVIRONMENT=dev
- NODE_TLS_REJECT_UNAUTHORIZED=1
- AUTHELIA_JWT_SECRET
- AUTHELIA_SESSION_SECRET
- AUTHELIA_SESSION_DOMAIN
- AUTHELIA_TOTP_ISSUER
- TZ=Europe/Stockholm
networks:
web:
healthcheck:
@ -88,41 +95,26 @@ services:
web:
labels:
traefik.enable: true
traefik.http.routers.homer.rule: Host(`${PRIVATE_DOMAIN}`) || Host(`www.${PRIVATE_DOMAIN}`)
traefik.http.routers.homer.rule: Host(`${PRIVATE_DOMAIN}`)
traefik.http.routers.homer.tls.certResolver: le
traefik.http.routers.homer.entrypoints: websecure
dozzle:
image: amir20/dozzle
restart: always
volumes:
- /var/run/docker.sock:/var/run/docker.sock
networks:
web:
labels:
traefik.enable: true
traefik.http.routers.dozzle.rule: Host(`logs.${PRIVATE_DOMAIN}`)
traefik.http.routers.dozzle.tls.certResolver: le
traefik.http.routers.dozzle.middlewares: auth@file
# whoami-https:
# image: containous/whoami
# networks:
# web:
# labels:
# The following three labels are always needed. Make sure to replace <SERVICE> with a unique name
# traefik.enable: true
# traefik.http.routers.<SERVICE>.tls.certResolver: le
# traefik.http.routers.<SERVICE>.rule: Host(`<SERVICE>.${PRIVATE_DOMAIN}`)
# traefik.http.routers.wait-https.rule: Host(`wai-https.${PRIVATE_DOMAIN}`)
# traefik.http.routers.wait-https.tls.certResolver: le
# Alternatives:
# traefik.http.routers.<SERVICE>.rule: Host(`<SERVICE>.${PUBLIC_DOMAIN}`)
# traefik.http.routers.<SERVICE>.rule: Host(`<SERVICE>.${PRIVATE_DOMAIN}`) || HOST(`<SERVICE>.${PUBLIC_DOMAIN}`)
# Require authentication:
# traefik.http.routers.<SERVICE>.middlewares: auth@file
# If more than one port is exposed by the container:
# traefik.http.services.<SERVICE>.loadbalancer.server.port: <PORT>
# If container uses more than one network:
# traefik.docker.network: web
# Restart automatically if healthchech fails:
# autoheal: "true"
# whoami-auth:
# image: containous/whoami
# networks:
# web:
# macvlan:
# labels:
# traefik.enable: true
# traefik.http.routers.wai-auth.rule: Host(`wai-auth.${PRIVATE_DOMAIN}`)
# traefik.http.routers.wai-auth.tls.certResolver: le
# traefik.http.routers.wai-auth.middlewares: auth@file

14
traefik/config/network.yaml
View File

@ -9,12 +9,7 @@ http:
proxmox:
loadBalancer:
servers:
- url: https://192.168.0.10:8006
prusa:
loadBalancer:
servers:
- url: http://192.168.0.14
- url: http://192.168.0.10:8006
routers:
pfsense:
@ -31,11 +26,4 @@ http:
- auth
tls:
certResolver: le
prusa:
service: prusa
rule: Host(`prusa.{{env "PRIVATE_DOMAIN"}}`)
middlewares:
- auth
tls:
certResolver: le

3
traefik/config/security.yaml
View File

@ -13,8 +13,7 @@ http:
# Catch all requests to the http entrypoint and redirect them to https
service: http-catchall
rule: hostregexp(`{host:.+}`)
entryPoints:
- web
entrypoint: web
middlewares:
- redir

5
traefik/traefik.yaml
View File

@ -12,7 +12,7 @@ providers:
log:
filePath: /data/traefik.log
level: INFO
level: DEBUG
entryPoints:
web:
@ -23,8 +23,7 @@ entryPoints:
certificatesResolvers:
le:
acme:
# caServer: https://acme-staging-v02.api.letsencrypt.org/directory
# email: SET BY ENV VARIABLE TRAEFIK_CERTIFICATERESOLVERS_LE_ACME_EMAIL
email: '{{ env "EMAIL" }}'
storage: /data/acme.json
httpChallenge:
entrypoint: web