Update Traefik config

Docker/traefik & authelia/README.md

@@ -1,3 +0,0 @@
-## How to generate password hash for user_database.yml
-
-```docker run authelia/authelia:latest authelia hash-password 'yourpassword'```

Docker/traefik & authelia/authelia/configuration.yml

@@ -1,49 +0,0 @@
-server:
-  host: 0.0.0.0
-  port: 9091
-log:
-  level: warn
-theme: dark
-default_redirection_url: https://example.com
-totp:
-  issuer: authelia.com
-
-authentication_backend:
-  file:
-    path: /config/users_database.yml
-    password:
-      algorithm: argon2id
-      iterations: 1
-      salt_length: 16
-      parallelism: 8
-      memory: 64
-
-access_control:
-  default_policy: deny
-  rules:
-    - domain: [ two.example.com ]
-      policy: two_factor
-    - domain: [ one.example.com ]
-      policy: one_factor
-
-session:
-  name: authelia_session
-  expiration: 3600  # 1 hour
-  inactivity: 300  # 5 minutes
-  domain: example.com
-
-regulation:
-  max_retries: 3
-  find_time: 120
-  ban_time: 300
-
-storage:
-  local:
-    path: /config/db.sqlite3
-
-notifier:
-  smtp:
-    username: example@example.com
-    host: smtp.gmail.com
-    port: 465
-    sender: example@example.com

Docker/traefik & authelia/docker-compose.yml

@@ -1,76 +0,0 @@
-version: "3.9"
-
-networks:
-  proxy:
-    external: true
-  monitor:
-    external: true
-
-secrets:
-  inwx_username:
-    file: ./secrets/inwx_username
-  inwx_password:
-    file: ./secrets/inwx_password
-  jwt:
-    file: ./secrets/authelia_jwt
-  duo:
-    file: ./secrets/authelia_duo
-  session:
-    file: ./secrets/authelia_session
-  storage:
-    file: ./secrets/authelia_storage
-  smtp:
-    file: ./secrets/authelia_smtp
-
-services:
-  authelia:
-    image: authelia/authelia:4
-    container_name: authelia
-    secrets:
-      - jwt
-      - duo
-      - session
-      - storage
-      - smtp
-    environment:
-      - TZ=Europe/Berlin
-      - AUTHELIA_JWT_SECRET_FILE=/run/secrets/jwt
-      - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/duo
-      - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/session
-      - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/smtp
-      - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/storage
-    healthcheck:
-      disable: true
-    volumes:
-      - ./authelia:/config
-    restart: always
-    expose:
-      - 9091
-    networks:
-      - proxy
-
-  traefik:
-    image: traefik:2.5
-    container_name: traefik
-    restart: always
-    security_opt:
-      - no-new-privileges:true
-    ports:
-      - "80:80"
-      - "443:443"
-    secrets:
-      - inwx_username
-      - inwx_password
-    environment:
-      - TZ=Europe/Berlin
-      - INWX_USERNAME_FILE=/run/secrets/inwx_username
-      - INWX_PASSWORD_FILE=/run/secrets/inwx_password
-    volumes:
-      - /etc/localtime:/etc/localtime:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - ./traefik/traefik.toml:/traefik.toml:ro
-      - ./traefik/inwx.json:/inwx.json
-      - ./traefik/config.toml:/config.toml
-    networks:
-      - proxy
-      - monitor

Docker/traefik & authelia/traefik/config.yml

@@ -1,57 +0,0 @@
-tls:
-  options:
-    default:
-      minVersion: VersionTLS12
-      cipherSuites:
-        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
-        - TLS_AES_128_GCM_SHA256
-        - TLS_AES_256_GCM_SHA384
-        - TLS_CHACHA20_POLY1305_SHA256
-      curvePreferences:
-        - CurveP521
-        - CurveP384
-      sniStrict: true
-
-http:
-  routers:
-    traefik:
-      rule: "Host(`proxy.example.com`)"
-      middlewares:
-        - authelia
-        - secHeaders
-      tls:
-        certResolver: inwx
-      service: api@internal
-    authelia:
-      rule: "Host(`auth.example.com`)"
-      middlewares:
-        - secHeaders
-      tls:
-        certResolver: inwx
-      service: authelia
-
-  middlewares:
-    secHeaders:
-      headers:
-        browserXssFilter: true
-        contentTypeNosniff: true
-        frameDeny: true
-        sslRedirect: true
-        forceSTSHeader: true
-        stsIncludeSubdomains: true
-        stsPreload: true
-        stsSeconds: 31536000
-        customFrameOptionsValue: "SAMEORIGIN"
-        customRequestHeaders:
-          X-Forwarded-Proto: https
-    authelia:
-      forwardAuth:
-        address: "http://authelia:9091/api/verify?rd=https://auth.example.com"
-
-  services:
-    authelia:
-      loadBalancer:
-        servers:
-          - url: "http://authelia:9091"

Docker/traefik & authelia/traefik/traefik.yml

@@ -1,28 +0,0 @@
-api:
-  dashboard: true
-
-entryPoints:
-  http:
-    address: ":80"
-    http:
-      redirections:
-        entryPoint:
-          to: https
-          scheme: https
-  https:
-    address: ":443"
-
-serversTransport:
-  insecureSkipVerify: true
-
-providers:
-  file:
-    filename: /config.yml
-
-certificatesResolvers:
-  inwx:
-    acme:
-      email: example@example.com
-      storage: inwx.json
-      dnsChallenge:
-        provider: inwx

Docker/traefik & grafana & authelia/README.md

@@ -0,0 +1,7 @@
+# Traefik & Grafana & Authelia
+
+Make sure to create empty secrets/acme.json file to store certs.
+
+## How to generate password hash for user_database.yml
+
+`docker run authelia/authelia:latest authelia hash-password 'yourpassword'`

Docker/traefik & grafana & authelia/authelia/configuration.yml

@@ -0,0 +1,60 @@
+---
+###############################################################
+#                   Authelia configuration                    #
+###############################################################
+
+default_redirection_url: https://home.example.de
+
+server:
+  host: authelia
+  port: 9091
+
+log:
+  level: warn
+
+theme: auto
+
+authentication_backend:
+  password_reset:
+    disable: true
+  file:
+    path: /config/users_database.yml
+
+access_control:
+  default_policy: deny
+  rules:
+    - domain: home.example.de
+      policy: one_factor
+
+totp:
+  disable: true
+  issuer: authelia.com
+
+webauthn:
+  disable: false
+
+session:
+  name: authelia_example
+  expiration: 3600
+  inactivity: 300
+  domain: example.de
+
+  redis:
+    host: authelia-redis
+    port: 6379
+
+regulation:
+  max_retries: 3
+  find_time: 120
+  ban_time: 300
+
+storage:
+  local:
+    path: /config/db.sqlite3
+
+notifier:
+  smtp:
+    username: example@gmail.com
+    host: smtp.gmail.com
+    port: 587
+    sender: mail@example.de

Docker/traefik & grafana & authelia/docker-compose.yml

@@ -0,0 +1,120 @@
+version: "3.9"
+
+networks:
+  proxy:
+    external: true
+  metrics:
+    external: false
+  authelia:
+    external: false
+
+secrets:
+  jwt:
+    file: ./secrets/authelia_jwt
+  session:
+    file: ./secrets/authelia_session
+  storage:
+    file: ./secrets/authelia_storage
+  smtp:
+    file: ./secrets/authelia_smtp
+  hetzner:
+    file: ./secrets/hetzner_key
+
+volumes:
+  redis:
+
+services:
+  authelia:
+    image: authelia/authelia:latest
+    container_name: authelia
+    restart: always
+    secrets:
+      - jwt
+      - session
+      - storage
+      - smtp
+    environment:
+      - TZ=Europe/Berlin
+      - AUTHELIA_JWT_SECRET_FILE=/run/secrets/jwt
+      - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/session
+      - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/smtp
+      - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/storage
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - ./authelia:/config
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.authelia.entrypoints=websecure"
+    healthcheck:
+      disable: true
+    expose:
+      - 9091
+    networks:
+      - proxy
+      - authelia
+
+  authelia-redis:
+    image: redis:alpine
+    container_name: authelia-redis
+    restart: always
+    environment:
+      - TZ=Europe/Berlin
+    volumes:
+      - redis:/data
+    expose:
+      - 6379
+    networks:
+      - authelia
+
+  traefik:
+    image: traefik:2.9
+    container_name: traefik
+    restart: always
+    secrets:
+      - hetzner
+    environment:
+      - TZ=Europe/Berlin
+      - HETZNER_API_KEY_FILE=/run/secrets/hetzner
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./traefik/static.yaml:/etc/traefik/traefik.yaml
+      - ./traefik/dynamic.yaml:/dynamic.yaml
+      - ./secrets/acme.json:/acme.json
+    ports:
+      - "80:80"
+      - "443:443"
+      - "127.0.0.1:8080:8080"
+    networks:
+      - proxy
+      - metrics
+
+  prometheus:
+    image: prom/prometheus:latest
+    container_name: prometheus
+    restart: always
+    volumes:
+      - "./prometheus:/etc/prometheus"
+    expose:
+      - "9090:9090"
+    networks:
+      - metrics
+
+  grafana:
+    image: grafana/grafana:latest
+    container_name: grafana
+    restart: always
+    user: "1000"
+    environment:
+      - GF_SECURITY_ADMIN_USER=flohoss
+      - GF_LOG_LEVEL=error
+      - GF_SERVER_ROOT_URL=https://metrics.tp.unjx.de
+      - GF_AUTH_ANONYMOUS_ENABLED=true
+      - GF_AUTH_ANONYMOUS_ORG_ROLE=Editor
+      - GF_LIVE_ALLOWED_ORIGINS=*
+    volumes:
+      - ./grafana:/var/lib/grafana
+    ports:
+      - "127.0.0.1:3000:3000"
+    networks:
+      - metrics

Docker/traefik & grafana & authelia/secrets/authelia_jwt

@@ -0,0 +1 @@
+example

Docker/traefik & grafana & authelia/secrets/authelia_session

@@ -0,0 +1 @@
+example

Docker/traefik & grafana & authelia/secrets/authelia_smtp

@@ -0,0 +1 @@
+example

Docker/traefik & grafana & authelia/secrets/authelia_storage

@@ -0,0 +1 @@
+example

Docker/traefik & grafana & authelia/secrets/hetzner_key

@@ -0,0 +1 @@
+example_hetzner_key

Docker/traefik & grafana & authelia/traefik/dynamic.yaml

@@ -0,0 +1,42 @@
+http:
+  middlewares:
+    authelia:
+      forwardAuth:
+        address: "http://authelia:9091/api/verify?rd=https%3A%2F%2Fauthelia.unjx.de%2F"
+        trustForwardHeader: true
+        authResponseHeaders:
+          - "Remote-User"
+          - "Remote-Groups"
+          - "Remote-Email"
+          - "Remote-Name"
+    florianhoss:
+      redirectRegex:
+        regex: "^https://fhoss.de|www.fhoss.de|www.florianhoss.de(/?.*)"
+        replacement: "https://florianhoss.de${1}"
+        permanent: true
+    helmuthoss:
+      redirectRegex:
+        regex: "^https://www.helmuthoss.de(/?.*)"
+        replacement: "https://helmuthoss.de${1}"
+        permanent: true
+    secure-headers:
+      headers:
+        frameDeny: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 63072000
+        customFrameOptionsValue: "SAMEORIGIN"
+        referrerPolicy: "strict-origin"
+tls:
+  options:
+    default:
+      sniStrict: true
+      minVersion: "VersionTLS12"
+      cipherSuites:
+        - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
+        - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+        - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
+        - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"

Docker/traefik & grafana & authelia/traefik/static.yaml

@@ -0,0 +1,51 @@
+global:
+  checkNewVersion: true
+  sendAnonymousUsage: false
+serversTransport:
+  insecureSkipVerify: true
+entryPoints:
+  web:
+    address: ":80"
+    forwardedHeaders:
+      trustedIPs: ["172.19.0.0/16"]
+      insecure: false
+    proxyProtocol:
+      trustedIPs: ["172.19.0.0/16"]
+      insecure: false
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+  websecure:
+    address: ":443"
+    forwardedHeaders:
+      trustedIPs: ["172.19.0.0/16"]
+      insecure: false
+    proxyProtocol:
+      trustedIPs: ["172.19.0.0/16"]
+      insecure: false
+    http:
+      middlewares: ["secure-headers@file"]
+      tls:
+        certResolver: "hetzner"
+providers:
+  file:
+    filename: "dynamic.yaml"
+    watch: true
+  docker:
+    exposedByDefault: false
+    network: "proxy"
+    defaultRule: 'Host(`{{ index .Labels "com.docker.compose.service"}}.unjx.de`)'
+api:
+  dashboard: true
+  insecure: true
+metrics:
+  prometheus: {}
+certificatesResolvers:
+  hetzner:
+    acme:
+      email: "mail@example.de"
+      storage: "acme.json"
+      dnsChallenge:
+        provider: "hetzner"