docker-server/README.md

# Server

Configuration for traefik 2 and authelia

## Environment variables

This setup uses two global environment variables: `PRIVATE_DOMAIN` and `PUBLIC_DOMAIN`. Those are two registered domain names I use for public and private services.

There is also an `.env` file which defines a few more variables:
```
AUTHELIA_JWT_SECRET=...
AUTHELIA_SESSION_SECRET=...
AUTHELIA_SESSION_DOMAIN=...
AUTHELIA_TOTP_ISSUER=...
TRAEFIK_CERTIFICATERESOLVERS_LE_ACME_EMAIL=...
```

The value of those depend on your setup and can be found in the Traefik and Authelia documentation.

## Networks
For the docker setup of my home server, I have create four specific docker networks

### LAN
A macvlan network with full network and internet access
Containers on this network will be provided an IP on my local home LAN and have direct access to it as if they were using the Host network setting.

Containers get IPs in the range 192.168.1.128-192.168.1.254

```
subnet: 192.168.1.0/23
range: 192.168.1.128/25
gateway: 192.168.0.1
parent: eno1
```

### IOT
A macvlan set to my VLAN for IOT things. Machines on this do not have access to the LAN or to the internet, with a few exceptions (ex. NTP server access).

Containers get IPs in the range 192.168.2.9-192.168.2.127

```
subnet: 192.168.2.0/24
range: 192.168.2.0/25
gateway: 192.168.2.1
parent: eno1:10
```

### GUEST
A macvlan set to my VLAN for guest WIFI. Machines on this have access to the internet, but not to the local LAN.

```
subnet: 192.168.5.0/24
range: 192.168.5.0/26
gateway: 192.168.2.1
parent: eno1:20
```

### WEB
A bridge network for containers that shall be accessible by web interface. Routed by Traefik.

## Lessons learned

- Authelia will ONLY work with https. Both the authelia url itself and the one being authenticated must be https.
- The authorization link should NOT end with `/#/` or `/%2F/` or anything, just `/`. Otherwise it will not redirect you back after authorizing.