Configuration cleanup

2020-01-27 12:47:49 +01:00
6 changed files with 110 additions and 137 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,17 @@
 # Server
 Configuration for traefik 2 and authelia
 ### Authelia preprocessor
 The authelia configuration contains some sensitive values, but authelia cannot read them from env variables like traefic can.
 Instead, a special service - `authelia-config` runs before authelia start, and preprocesses the configuration file.
 - Local file `./authelia/configuration.yaml` is mapped to `/data/input` in `authelia-config`
 - Volume `authelia-config` is mapped to `/data/output` in `authelia-config`
 - `authelia-config` runs `gomplate` on `/data/input` and saves to `data/output/configuration.yaml`
 - Volume `authelia-config` is mapped to `/etc/authelia` in `authelia`, where it reads its configuration
 ## Lessons learned
 - Authelia will ONLY work with https. Both the authelia url itself and the one being authenticated must be https.
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@ -2,11 +2,13 @@ version: "3.5"
 networks:
  web:
    # All containers that are router through traefik needs to be on this network
    external: false
    name: web
 volumes:
  authelia-config:
    # Used for pre-processing of authelia configuration
 services:
  proxy:
@ -22,25 +24,23 @@ services:
    command:
      - "--configFile=/data/traefik.yaml"
    ports: 
-      - "80:80"
+      - 80:80
-      - "443:443"
+      - 443:443
-      - "8080:8080"
+      # Open port 8080 for debugging emergencies
    # - 8080:8080
    volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock"
+      - /var/run/docker.sock:/var/run/docker.sock
-      - "./traefik:/data"
+      - ./traefik:/data
    labels:
-      - "traefik.enable=true"
+      traefik.enable: true
-      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
+      traefik.http.services.traefik.loadbalancer.server.port: 8080
-      - "traefik.http.routers.traefik.rule=Host(`traefik.${PRIVATE_DOMAIN}`)"
+      traefik.http.routers.traefik.rule: Host(`traefik.${PRIVATE_DOMAIN}`)
-      - "traefik.http.routers.traefik.middlewares=auth@file"
+      traefik.http.routers.traefik.middlewares: auth@file
-      - "traefik.http.routers.traefik.tls.certResolver=le"
+      traefik.http.routers.traefik.tls.certResolver: le
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redir@file"
  authelia-config:
    # Preprocess authelia configuration through gomplate
    image: hairyhenderson/gomplate
    environment:
      - PRIVATE_DOMAIN
@ -53,7 +53,8 @@ services:
    container_name: authelia
    image: authelia/authelia
    restart: always
-    links:
+    depends_on:
      # config preprocessor should run first
      - authelia-config
    volumes:
      - ./authelia:/opt/authelia
@ -64,35 +65,26 @@ services:
    networks:
      - web
    labels:
-      - "traefik.enable=true"
+      traefik.enable: true
-      - "traefik.http.routers.authelia.rule=Host(`auth.${PRIVATE_DOMAIN}`)"
+      traefik.http.routers.authelia.rule: Host(`auth.${PRIVATE_DOMAIN}`)
-      - "traefik.http.routers.authelia.tls=true"
+      traefik.http.routers.authelia.tls.certResolver: le
-      - "traefik.http.routers.authelia.tls.certResolver=le"
+      traefik.http.routers.authelia.entrypoints: websecure
      - "traefik.http.routers.authelia.entrypoints=websecure"
 # whoami-http:
 #   image: containous/whoami
 #   networks:
 #     - web
 #   labels:
 #     - "traefik.enable=true"
 #     - "traefik.http.routers.whoami2.rule=Host(`wai-http.${PRIVATE_DOMAIN}`)"
 #
 # whoami-https:
 #   image: containous/whoami
 #   networks:
 #     - web
 #   labels:
-#     - "traefik.enable=true"
+#     traefik.enable: true
-#     - "traefik.http.routers.whoami.rule=Host(`wai-https.${PRIVATE_DOMAIN}`)"
+#     traefik.http.routers.wait-https.rule: Host(`wai-https.${PRIVATE_DOMAIN}`)
-#     - "traefik.http.routers.whoami.tls.certResolver=le"
+#     traefik.http.routers.wait-https.tls.certResolver: le
 # whoami-auth:
 #   image: containous/whoami
 #   networks:
 #     - web
 #   labels:
-#     - "traefik.enable=true"
+#     traefik.enable: true
-#     - "traefik.http.routers.wai.rule=Host(`wai-auth.${PRIVATE_DOMAIN}`)"
+#     traefik.http.routers.wai-auth.rule: Host(`wai-auth.${PRIVATE_DOMAIN}`)
-#     - "traefik.http.routers.wai.tls.certResolver=le"
+#     traefik.http.routers.wai-auth.tls.certResolver: le
-#     - "traefik.http.routers.wai.middlewares=auth@file"
+#     traefik.http.routers.wai-auth.middlewares: auth@file
--- a/traefik/config/network.yaml
+++ b/traefik/config/network.yaml
@ -0,0 +1,29 @@
 # This file contains routing rules for netwok services that are not running on the same host as traefik
 http:
  services:
    pfsense:
      loadBalancer:
        servers:
          - url: http://192.168.0.1:80
    proxmox:
      loadBalancer:
        servers:
          - url: http://192.168.0.10:8006
  routers:
    pfsense:
      service: pfsense
      rule: Host(`pfsense.{{ env "PRIVATE_DOMAIN" }}`)
      middlewares:
        - auth
      tls:
        certResolver: le
    proxmox:
      service: proxmox
      rule: Host(`proxmox.{{ env "PRIVATE_DOMAIN" }}`)
      middlewares:
        - auth
      tls:
        certResolver: le
--- a/traefik/config/security.yaml
+++ b/traefik/config/security.yaml
@ -0,0 +1,35 @@
 # This file contains services for security and authorization
 http:
  services:
    http-catchall:
      # A dummy service for the http-catchall rule
      loadBalancer:
        servers:
          - url: http://dummy-url
  routers:
    http-catchall:
      # Catch all requests to the http entrypoint and redirect them to https
      service: http-catchall
      rule: hostregexp(`{host:.+}`)
      entrypoint: web
      middlewares:
        - redir
  middlewares:
    redir:
      # Redirect to https
      redirectScheme:
        scheme: https
        permanent: true
    auth:
      # Go through authelia for authorization
      forwardAuth:
        address: http://authelia:9091/api/verify?rd=https://auth.{{ env "PRIVATE_DOMAIN" }}/%23/
        trustForwardHeader: true
        authResponseHeaders:
          - X-Forwarded-User
        insecureSkipVerify: true
--- a/traefik/tls.yaml
+++ b/traefik/tls.yaml
@ -1,100 +0,0 @@
 http:
  middlewares:
    redir:
      redirectScheme:
        scheme: https
        permanent: true
    auth:
      forwardAuth:
        address: http://authelia:9091/api/verify?rd=https://auth.{{ env "PRIVATE_DOMAIN" }}/%23/
        trustForwardHeader: true
        authResponseHeaders:
          - X-Forwarded-User
        insecureSkipVerify: true
  services:
    hass:
      loadBalancer:
        servers:
          - url: http://192.168.0.10:8123
    plex:
      loadBalancer:
        servers:
          - url: http://192.168.0.10:32400
    portainer:
      loadBalancer:
        servers:
          - url: http://192.168.0.10:9000
    deconz:
      loadBalancer:
        servers:
          - url: http://192.168.0.10:8082
    proxmox:
      loadBalancer:
        servers:
          - url: http://192.168.0.10:8006
    nextcloud:
      loadBalancer:
        servers:
          - url: http://192.168.0.10:8083
      # client_max_body_size 10G
      # client_body_buffer_size 400M
      # proxy_hide_header Content-Security-Policy
      # proxy_hide_header X-Frame-Options
    keeweb:
      loadBalancer:
        servers:
          - url: http://192.168.0.10:8084
    grafana:
      loadBalancer:
        servers:
          - url: http://192.168.0.10:3000
  routers:
    hass:
      service: hass
      rule: Host(`avagen.{{ env "PRIVATE_DOMAIN" }}`)
      tls:
        certResolver: le
    plex:
      service: plex
      rule: Host(`plex.{{ env "PRIVATE_DOMAIN" }}`)
      tls:
        certResolver: le
    portainer:
      service: portainer
      rule: Host(`portainer.{{ env "PRIVATE_DOMAIN" }}`)
      middlewares:
        - auth
      tls:
        certResolver: le
    deconz:
      service: deconz
      rule: Host(`deconz.{{ env "PRIVATE_DOMAIN" }}`)
      middlewares:
        - auth
      tls:
        certResolver: le
    proxmox:
      service: proxmox
      rule: Host(`proxmox.{{ env "PRIVATE_DOMAIN" }}`)
      middlewares:
        - auth
      tls:
        certResolver: le
    cloud:
      service: nextcloud
      rule: Host(`cloud.{{ env "PRIVATE_DOMAIN" }}`)
      tls:
        certResolver: le
    pwd:
      service: keeweb
      rule: Host(`pwd.{{ env "PRIVATE_DOMAIN" }}`)
      tls:
        certResolver: le
    grafana:
      service: grafana
      rule: Host(`grafana.{{ env "PRIVATE_DOMAIN" }}`)
      tls:
        certResolver: le
--- a/traefik/traefik.yaml
+++ b/traefik/traefik.yaml
@ -3,7 +3,7 @@ api:
 providers:
  file:
-    filename: /data/tls.yaml
+    directory: /data/config
  docker:
    exposedByDefault: false