From 6bd6311e912b442121f6c49d651b774b5d8d7bd4 Mon Sep 17 00:00:00 2001 
From: Florian Hoss Date: Sun, 4 Dec 2022 09:35:12 +0100 Subject: [PATCH] Update Traefik config --- Docker/traefik & authelia/README.md | 3 - .../authelia/configuration.yml | 49 ------- Docker/traefik & authelia/docker-compose.yml | 76 ----------- Docker/traefik & authelia/traefik/config.yml | 57 --------- Docker/traefik & authelia/traefik/traefik.yml | 28 ---- Docker/traefik & grafana & authelia/README.md | 7 + .../authelia/configuration.yml | 60 +++++++++ .../authelia/user_database.yml | 2 +- .../docker-compose.yml | 120 ++++++++++++++++++ .../secrets/acme.json | 0 .../secrets/authelia_jwt | 1 + .../secrets/authelia_session | 1 + .../secrets/authelia_smtp | 1 + .../secrets/authelia_storage | 1 + .../secrets/hetzner_key | 1 + .../traefik/dynamic.yaml | 42 ++++++ .../traefik/static.yaml | 51 ++++++++ 17 files changed, 286 insertions(+), 214 deletions(-) delete mode 100644 Docker/traefik & authelia/README.md delete mode 100644 Docker/traefik & authelia/authelia/configuration.yml delete mode 100644 Docker/traefik & authelia/docker-compose.yml delete mode 100644 Docker/traefik & authelia/traefik/config.yml delete mode 100644 Docker/traefik & authelia/traefik/traefik.yml create mode 100644 Docker/traefik & grafana & authelia/README.md create mode 100644 Docker/traefik & grafana & authelia/authelia/configuration.yml rename Docker/{traefik & authelia => traefik & grafana & authelia}/authelia/user_database.yml (92%) create mode 100644 Docker/traefik & grafana & authelia/docker-compose.yml create mode 100644 Docker/traefik & grafana & authelia/secrets/acme.json create mode 100644 Docker/traefik & grafana & authelia/secrets/authelia_jwt create mode 100644 Docker/traefik & grafana & authelia/secrets/authelia_session create mode 100644 Docker/traefik & grafana & authelia/secrets/authelia_smtp create mode 100644 Docker/traefik & grafana & authelia/secrets/authelia_storage create mode 100644 Docker/traefik & grafana & authelia/secrets/hetzner_key create mode 100644 
Docker/traefik & grafana & authelia/traefik/dynamic.yaml create mode 100644 Docker/traefik & grafana & authelia/traefik/static.yaml diff --git a/Docker/traefik & authelia/README.md b/Docker/traefik & authelia/README.md deleted file mode 100644 index b56683b..0000000 --- a/Docker/traefik & authelia/README.md +++ /dev/null @@ -1,3 +0,0 @@ -## How to generate password hash for user_database.yml - -```docker run authelia/authelia:latest authelia hash-password 'yourpassword'``` \ No newline at end of file diff --git a/Docker/traefik & authelia/authelia/configuration.yml b/Docker/traefik & authelia/authelia/configuration.yml deleted file mode 100644 index 3ed65a0..0000000 --- a/Docker/traefik & authelia/authelia/configuration.yml +++ /dev/null @@ -1,49 +0,0 @@ -server: - host: 0.0.0.0 - port: 9091 -log: - level: warn -theme: dark -default_redirection_url: https://example.com -totp: - issuer: authelia.com - -authentication_backend: - file: - path: /config/users_database.yml - password: - algorithm: argon2id - iterations: 1 - salt_length: 16 - parallelism: 8 - memory: 64 - -access_control: - default_policy: deny - rules: - - domain: [ two.example.com ] - policy: two_factor - - domain: [ one.example.com ] - policy: one_factor - -session: - name: authelia_session - expiration: 3600 # 1 hour - inactivity: 300 # 5 minutes - domain: example.com - -regulation: - max_retries: 3 - find_time: 120 - ban_time: 300 - -storage: - local: - path: /config/db.sqlite3 - -notifier: - smtp: - username: example@example.com - host: smtp.gmail.com - port: 465 - sender: example@example.com \ No newline at end of file diff --git a/Docker/traefik & authelia/docker-compose.yml b/Docker/traefik & authelia/docker-compose.yml deleted file mode 100644 index bbb3b87..0000000 --- a/Docker/traefik & authelia/docker-compose.yml +++ /dev/null 
@@ -1,76 +0,0 @@ -version: "3.9" - -networks: - proxy: - external: true - monitor: - external: true - -secrets: - inwx_username: - file: ./secrets/inwx_username - inwx_password: - file: ./secrets/inwx_password - jwt: - file: ./secrets/authelia_jwt - duo: - file: ./secrets/authelia_duo - session: - file: ./secrets/authelia_session - storage: - file: ./secrets/authelia_storage - smtp: - file: ./secrets/authelia_smtp - -services: - authelia: - image: authelia/authelia:4 - container_name: authelia - secrets: - - jwt - - duo - - session - - storage - - smtp - environment: - - TZ=Europe/Berlin - - AUTHELIA_JWT_SECRET_FILE=/run/secrets/jwt - - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/duo - - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/session - - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/smtp - - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/storage - healthcheck: - disable: true - volumes: - - ./authelia:/config - restart: always - expose: - - 9091 - networks: - - proxy - - traefik: - image: traefik:2.5 - container_name: traefik - restart: always - security_opt: - - no-new-privileges:true - ports: - - "80:80" - - "443:443" - secrets: - - inwx_username - - inwx_password - environment: - - TZ=Europe/Berlin - - INWX_USERNAME_FILE=/run/secrets/inwx_username - - INWX_PASSWORD_FILE=/run/secrets/inwx_password - volumes: - - /etc/localtime:/etc/localtime:ro - - /var/run/docker.sock:/var/run/docker.sock:ro - - ./traefik/traefik.toml:/traefik.toml:ro - - ./traefik/inwx.json:/inwx.json - - ./traefik/config.toml:/config.toml - networks: - - proxy - - monitor diff --git a/Docker/traefik & authelia/traefik/config.yml b/Docker/traefik & authelia/traefik/config.yml deleted file mode 100644 index 0d411f5..0000000 --- a/Docker/traefik & authelia/traefik/config.yml +++ /dev/null 
@@ -1,57 +0,0 @@ -tls: - options: - default: - minVersion: VersionTLS12 - cipherSuites: - - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - curvePreferences: - - CurveP521 - - CurveP384 - sniStrict: true - -http: - routers: - traefik: - rule: "Host(`proxy.example.com`)" - middlewares: - - authelia - - secHeaders - tls: - certResolver: inwx - service: api@internal - authelia: - rule: "Host(`auth.example.com`)" - middlewares: - - secHeaders - tls: - certResolver: inwx - service: authelia - - middlewares: - secHeaders: - headers: - browserXssFilter: true - contentTypeNosniff: true - frameDeny: true - sslRedirect: true - forceSTSHeader: true - stsIncludeSubdomains: true - stsPreload: true - stsSeconds: 31536000 - customFrameOptionsValue: "SAMEORIGIN" - customRequestHeaders: - X-Forwarded-Proto: https - authelia: - forwardAuth: - address: "http://authelia:9091/api/verify?rd=https://auth.example.com" - - services: - authelia: - loadBalancer: - servers: - - url: "http://authelia:9091" diff --git a/Docker/traefik & authelia/traefik/traefik.yml b/Docker/traefik & authelia/traefik/traefik.yml deleted file mode 100644 index a3f5f6f..0000000 --- a/Docker/traefik & authelia/traefik/traefik.yml +++ /dev/null @@ -1,28 +0,0 @@ -api: - dashboard: true - -entryPoints: - http: - address: ":80" - http: - redirections: - entryPoint: - to: https - scheme: https - https: - address: ":443" - -serversTransport: - insecureSkipVerify: true - -providers: - file: - filename: /config.yml - -certificatesResolvers: - inwx: - acme: - email: example@example.com - storage: inwx.json - dnsChallenge: - provider: inwx \ No newline at end of file diff --git a/Docker/traefik & grafana & authelia/README.md b/Docker/traefik & grafana & authelia/README.md new file mode 100644 index 0000000..7f9639a --- /dev/null 
+++ b/Docker/traefik & grafana & authelia/README.md @@ -0,0 +1,7 @@ +# Traefik & Grafana & Authelia + +Make sure to create empty secrets/acme.json file to store certs. + +## How to generate password hash for user_database.yml + +`docker run authelia/authelia:latest authelia hash-password 'yourpassword'` diff --git a/Docker/traefik & grafana & authelia/authelia/configuration.yml b/Docker/traefik & grafana & authelia/authelia/configuration.yml new file mode 100644 index 0000000..8e431d1 --- /dev/null +++ b/Docker/traefik & grafana & authelia/authelia/configuration.yml @@ -0,0 +1,60 @@ +--- +############################################################### +# Authelia configuration # +############################################################### + +default_redirection_url: https://home.example.de + +server: + host: authelia + port: 9091 + +log: + level: warn + +theme: auto + +authentication_backend: + password_reset: + disable: true + file: + path: /config/users_database.yml + +access_control: + default_policy: deny + rules: + - domain: home.example.de + policy: one_factor + +totp: + disable: true + issuer: authelia.com + +webauthn: + disable: false + +session: + name: authelia_example + expiration: 3600 + inactivity: 300 + domain: example.de + + redis: + host: authelia-redis + port: 6379 + +regulation: + max_retries: 3 + find_time: 120 + ban_time: 300 + +storage: + local: + path: /config/db.sqlite3 + +notifier: + smtp: + username: example@gmail.com + host: smtp.gmail.com + port: 587 + sender: mail@example.de diff --git a/Docker/traefik & authelia/authelia/user_database.yml b/Docker/traefik & grafana & authelia/authelia/user_database.yml similarity index 92% rename from Docker/traefik & authelia/authelia/user_database.yml rename to Docker/traefik & grafana & authelia/authelia/user_database.yml index 5697986..904ed4e 100644 --- a/Docker/traefik & authelia/authelia/user_database.yml +++ b/Docker/traefik & grafana & authelia/authelia/user_database.yml 
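Review bot: `session.domain: example.de` in the new authelia/configuration.yml does not agree with the portal host the forwardAuth middleware in traefik/dynamic.yaml redirects to (`authelia.unjx.de`), so the session cookie would be scoped to a domain the portal never serves and the protected hosts would never see it; this reads like an incomplete placeholder scrub (`default_redirection_url` and the `access_control` rule also use `example.de`), and either this file or the `unjx.de` references need to be brought in line. `server.host: authelia` binds the listener to whatever the container's own hostname resolves to rather than to all interfaces; the deleted configuration used `0.0.0.0`, and since the container is attached to both the `proxy` and `authelia` networks, binding to a single address may leave Traefik's `http://authelia:9091` check unreachable — `host: 0.0.0.0` is the safer value unless the narrower bind is deliberate. If it is deliberate, a comment such as `# bind only to the container hostname; Traefik reaches it via the proxy network` would keep the next reader from "fixing" it.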
@@ -4,4 +4,4 @@ users: password: "$argon2id$v=19$m=65536$3oc26byQuSkQqksq$zM1QiTvVPrMfV6BVLs2t4gM+af5IN7euO0VB6+Q8ZFs" email: example@example.com groups: - - admins \ No newline at end of file + - admins diff --git a/Docker/traefik & grafana & authelia/docker-compose.yml b/Docker/traefik & grafana & authelia/docker-compose.yml new file mode 100644 index 0000000..fd6b1fd --- /dev/null +++ b/Docker/traefik & grafana & authelia/docker-compose.yml 
@@ -0,0 +1,120 @@ +version: "3.9" + +networks: + proxy: + external: true + metrics: + external: false + authelia: + external: false + +secrets: + jwt: + file: ./secrets/authelia_jwt + session: + file: ./secrets/authelia_session + storage: + file: ./secrets/authelia_storage + smtp: + file: ./secrets/authelia_smtp + hetzner: + file: ./secrets/hetzner_key + +volumes: + redis: + +services: + authelia: + image: authelia/authelia:latest + container_name: authelia + restart: always + secrets: + - jwt + - session + - storage + - smtp + environment: + - TZ=Europe/Berlin + - AUTHELIA_JWT_SECRET_FILE=/run/secrets/jwt + - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/session + - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/smtp + - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/storage + volumes: + - /etc/localtime:/etc/localtime:ro + - ./authelia:/config + labels: + - "traefik.enable=true" + - "traefik.http.routers.authelia.entrypoints=websecure" + healthcheck: + disable: true + expose: + - 9091 + networks: + - proxy + - authelia + + authelia-redis: + image: redis:alpine + container_name: authelia-redis + restart: always + environment: + - TZ=Europe/Berlin + volumes: + - redis:/data + expose: + - 6379 + networks: + - authelia + + traefik: + image: traefik:2.9 + container_name: traefik + restart: always + secrets: + - hetzner + environment: + - TZ=Europe/Berlin + - HETZNER_API_KEY_FILE=/run/secrets/hetzner + volumes: + - /etc/localtime:/etc/localtime:ro + - /var/run/docker.sock:/var/run/docker.sock:ro + - ./traefik/static.yaml:/etc/traefik/traefik.yaml + - ./traefik/dynamic.yaml:/dynamic.yaml + - ./secrets/acme.json:/acme.json + ports: + - "80:80" + - "443:443" + - "127.0.0.1:8080:8080" + networks: + - proxy + - metrics + + prometheus: + image: prom/prometheus:latest + container_name: prometheus + restart: always + volumes: + - "./prometheus:/etc/prometheus" + expose: + - "9090:9090" + networks: + - metrics + + grafana: + image: grafana/grafana:latest + container_name: 
grafana + restart: always + user: "1000" + environment: + - GF_SECURITY_ADMIN_USER=flohoss + - GF_LOG_LEVEL=error + - GF_SERVER_ROOT_URL=https://metrics.tp.unjx.de + - GF_AUTH_ANONYMOUS_ENABLED=true + - GF_AUTH_ANONYMOUS_ORG_ROLE=Editor + - GF_LIVE_ALLOWED_ORIGINS=* + volumes: + - ./grafana:/var/lib/grafana + ports: + - "127.0.0.1:3000:3000" + networks: + - metrics diff --git a/Docker/traefik & grafana & authelia/secrets/acme.json b/Docker/traefik & grafana & authelia/secrets/acme.json new file mode 100644 index 0000000..e69de29 diff --git a/Docker/traefik & grafana & authelia/secrets/authelia_jwt b/Docker/traefik & grafana & authelia/secrets/authelia_jwt new file mode 100644 index 0000000..96236f8 --- /dev/null +++ b/Docker/traefik & grafana & authelia/secrets/authelia_jwt @@ -0,0 +1 @@ +example \ No newline at end of file diff --git a/Docker/traefik & grafana & authelia/secrets/authelia_session b/Docker/traefik & grafana & authelia/secrets/authelia_session new file mode 100644 index 0000000..96236f8 --- /dev/null +++ b/Docker/traefik & grafana & authelia/secrets/authelia_session @@ -0,0 +1 @@ +example \ No newline at end of file diff --git a/Docker/traefik & grafana & authelia/secrets/authelia_smtp b/Docker/traefik & grafana & authelia/secrets/authelia_smtp new file mode 100644 index 0000000..96236f8 --- /dev/null +++ b/Docker/traefik & grafana & authelia/secrets/authelia_smtp @@ -0,0 +1 @@ +example \ No newline at end of file diff --git a/Docker/traefik & grafana & authelia/secrets/authelia_storage b/Docker/traefik & grafana & authelia/secrets/authelia_storage new file mode 100644 index 0000000..96236f8 --- /dev/null +++ b/Docker/traefik & grafana & authelia/secrets/authelia_storage @@ -0,0 +1 @@ +example \ No newline at end of file diff --git a/Docker/traefik & grafana & authelia/secrets/hetzner_key b/Docker/traefik & grafana & authelia/secrets/hetzner_key new file mode 100644 index 0000000..ac86428 --- /dev/null 
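Review bot: The `traefik` service in the new docker-compose.yml drops the `security_opt: - no-new-privileges:true` the deleted file carried, while it still mounts `/var/run/docker.sock` (read-only); re-adding `security_opt: ["no-new-privileges:true"]`, and ideally the same line on `authelia`, costs nothing and limits what a compromised proxy process can do with that socket. `prometheus` uses `expose: - "9090:9090"`, but `expose` takes a container port rather than a host:container mapping, so this entry is likely to fail Compose validation or be ignored — it should be `- "9090"`. The `authelia`, `prometheus`, `grafana` and `redis` images are pulled as `:latest`/`:alpine` while `traefik` is pinned to `2.9` and the old file pinned `authelia/authelia:4`; pinning the others keeps an upstream release from silently changing the authentication stack. Grafana runs with `GF_AUTH_ANONYMOUS_ENABLED=true` and `GF_AUTH_ANONYMOUS_ORG_ROLE=Editor`; it is bound to `127.0.0.1:3000` and carries no Traefik labels in this hunk, but `GF_SERVER_ROOT_URL` suggests it will be published later, at which point anonymous Editor lets any visitor alter dashboards — `Viewer` is the safer role to commit.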
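Review bot: The new `secrets/authelia_jwt`, like `authelia_session`, `authelia_smtp`, `authelia_storage` and `hetzner_key`, is a git-tracked file holding the placeholder `example`, and the compose file mounts these same paths as the live secrets, so the first operator who fills in real values has them one `git add` away from the repository history. Ship them as `*.example` templates and ignore the real paths, or state in the README that they must be replaced out of tree. The same concern applies to `secrets/acme.json`, committed here as an empty file with mode 100644: Traefik writes the ACME account private key and issued certificates into it, and it refuses a store whose permissions are not `600`, so the README line "Make sure to create empty secrets/acme.json file to store certs" should also say `chmod 600 secrets/acme.json` and the file should not stay tracked.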
+++ b/Docker/traefik & grafana & authelia/secrets/hetzner_key @@ -0,0 +1 @@ +example_hetzner_key \ No newline at end of file diff --git a/Docker/traefik & grafana & authelia/traefik/dynamic.yaml b/Docker/traefik & grafana & authelia/traefik/dynamic.yaml new file mode 100644 index 0000000..e9b5095 --- /dev/null +++ b/Docker/traefik & grafana & authelia/traefik/dynamic.yaml @@ -0,0 +1,42 @@ +http: + middlewares: + authelia: + forwardAuth: + address: "http://authelia:9091/api/verify?rd=https%3A%2F%2Fauthelia.unjx.de%2F" + trustForwardHeader: true + authResponseHeaders: + - "Remote-User" + - "Remote-Groups" + - "Remote-Email" + - "Remote-Name" + florianhoss: + redirectRegex: + regex: "^https://fhoss.de|www.fhoss.de|www.florianhoss.de(/?.*)" + replacement: "https://florianhoss.de${1}" + permanent: true + helmuthoss: + redirectRegex: + regex: "^https://www.helmuthoss.de(/?.*)" + replacement: "https://helmuthoss.de${1}" + permanent: true + secure-headers: + headers: + frameDeny: true + browserXssFilter: true + contentTypeNosniff: true + forceSTSHeader: true + stsIncludeSubdomains: true + stsPreload: true + stsSeconds: 63072000 + customFrameOptionsValue: "SAMEORIGIN" + referrerPolicy: "strict-origin" +tls: + options: + default: + sniStrict: true + minVersion: "VersionTLS12" + cipherSuites: + - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" + - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" + - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305" + - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305" diff --git a/Docker/traefik & grafana & authelia/traefik/static.yaml b/Docker/traefik & grafana & authelia/traefik/static.yaml new file mode 100644 index 0000000..bad18b5 --- /dev/null +++ b/Docker/traefik & grafana & authelia/traefik/static.yaml 
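Review bot: The `florianhoss` redirect regex `"^https://fhoss.de|www.fhoss.de|www.florianhoss.de(/?.*)"` in the new dynamic.yaml is a bare alternation: `^https://` belongs only to the first branch and the `(/?.*)` capture only to the last, so for a `www.fhoss.de` or `www.florianhoss.de` request the match starts at the host and the replacement leaves the original scheme in front, yielding `https://https://florianhoss.de/...`; the unescaped dots also match any character. Grouping the hosts fixes this: `regex: '^https://(?:(?:www\.)?fhoss\.de|www\.florianhoss\.de)(/?.*)'`, and the `helmuthoss` rule wants the same dot escaping (`'^https://www\.helmuthoss\.de(/?.*)'`). The `authelia` forwardAuth `rd=` target is `authelia.unjx.de` while the Authelia session domain in configuration.yml is `example.de`; unless one of those is a leftover placeholder, the portal cannot set a cookie the protected hosts will send back.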
@@ -0,0 +1,51 @@ +global: + checkNewVersion: true + sendAnonymousUsage: false +serversTransport: + insecureSkipVerify: true +entryPoints: + web: + address: ":80" + forwardedHeaders: + trustedIPs: ["172.19.0.0/16"] + insecure: false + proxyProtocol: + trustedIPs: ["172.19.0.0/16"] + insecure: false + http: + redirections: + entryPoint: + to: websecure + scheme: https + websecure: + address: ":443" + forwardedHeaders: + trustedIPs: ["172.19.0.0/16"] + insecure: false + proxyProtocol: + trustedIPs: ["172.19.0.0/16"] + insecure: false + http: + middlewares: ["secure-headers@file"] + tls: + certResolver: "hetzner" +providers: + file: + filename: "dynamic.yaml" + watch: true + docker: + exposedByDefault: false + network: "proxy" + defaultRule: 'Host(`{{ index .Labels "com.docker.compose.service"}}.unjx.de`)' +api: + dashboard: true + insecure: true +metrics: + prometheus: {} +certificatesResolvers: + hetzner: + acme: + email: "mail@example.de" + storage: "acme.json" + dnsChallenge: + provider: "hetzner"
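Review bot: `api.insecure: true` in the new static.yaml serves the API and dashboard without authentication on the `traefik` entrypoint (:8080); the `127.0.0.1:8080:8080` binding in the compose file only restricts host access, every container on the `proxy` and `metrics` networks can still query it, whereas the deleted config reached the dashboard through `service: api@internal` behind the `authelia` middleware. Prefer `insecure: false` with a file-provider router on `api@internal` guarded by the `authelia` middleware, and keep Prometheus scraping on its own entrypoint via `metrics.prometheus.entryPoint`. `serversTransport.insecureSkipVerify: true` disables certificate verification for every TLS backend globally; none of the services in this commit appear to speak TLS to Traefik, so either drop it or scope it to a named entry under `http.serversTransports` in dynamic.yaml. The `172.19.0.0/16` trusted ranges hard-code the subnet of the `external: true` proxy network that this commit does not define; a comment such as `# subnet of the external "proxy" network; keep in sync with docker network inspect` would record that dependency, and the `proxyProtocol` blocks can likely be dropped since nothing in front of Traefik sends PROXY headers.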