Update Traefik config

This commit is contained in:
Florian Hoss 2022-12-04 09:35:12 +01:00
parent ab392e56f5
commit 6bd6311e91
17 changed files with 286 additions and 214 deletions

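--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,3 +0,0 @@
-## How to generate password hash for user_database.yml
-```docker run authelia/authelia:latest authelia hash-password 'yourpassword'```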

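--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,49 +0,0 @@
-server:
-host: 0.0.0.0
-port: 9091
-log:
-level: warn
-theme: dark
-default_redirection_url: https://example.com
-totp:
-issuer: authelia.com
-authentication_backend:
-file:
-path: /config/users_database.yml
-password:
-algorithm: argon2id
-iterations: 1
-salt_length: 16
-parallelism: 8
-memory: 64
-access_control:
-default_policy: deny
-rules:
-- domain: [ two.example.com ]
-policy: two_factor
-- domain: [ one.example.com ]
-policy: one_factor
-session:
-name: authelia_session
-expiration: 3600 # 1 hour
-inactivity: 300 # 5 minutes
-domain: example.com
-regulation:
-max_retries: 3
-find_time: 120
-ban_time: 300
-storage:
-local:
-path: /config/db.sqlite3
-notifier:
-smtp:
-username: example@example.com
-host: smtp.gmail.com
-port: 465
-sender: example@example.com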

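--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,76 +0,0 @@
-version: "3.9"
-networks:
-proxy:
-external: true
-monitor:
-external: true
-secrets:
-inwx_username:
-file: ./secrets/inwx_username
-inwx_password:
-file: ./secrets/inwx_password
-jwt:
-file: ./secrets/authelia_jwt
-duo:
-file: ./secrets/authelia_duo
-session:
-file: ./secrets/authelia_session
-storage:
-file: ./secrets/authelia_storage
-smtp:
-file: ./secrets/authelia_smtp
-services:
-authelia:
-image: authelia/authelia:4
-container_name: authelia
-secrets:
-- jwt
-- duo
-- session
-- storage
-- smtp
-environment:
-- TZ=Europe/Berlin
-- AUTHELIA_JWT_SECRET_FILE=/run/secrets/jwt
-- AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/duo
-- AUTHELIA_SESSION_SECRET_FILE=/run/secrets/session
-- AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/smtp
-- AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/storage
-healthcheck:
-disable: true
-volumes:
-- ./authelia:/config
-restart: always
-expose:
-- 9091
-networks:
-- proxy
-traefik:
-image: traefik:2.5
-container_name: traefik
-restart: always
-security_opt:
-- no-new-privileges:true
-ports:
-- "80:80"
-- "443:443"
-secrets:
-- inwx_username
-- inwx_password
-environment:
-- TZ=Europe/Berlin
-- INWX_USERNAME_FILE=/run/secrets/inwx_username
-- INWX_PASSWORD_FILE=/run/secrets/inwx_password
-volumes:
-- /etc/localtime:/etc/localtime:ro
-- /var/run/docker.sock:/var/run/docker.sock:ro
-- ./traefik/traefik.toml:/traefik.toml:ro
-- ./traefik/inwx.json:/inwx.json
-- ./traefik/config.toml:/config.toml
-networks:
-- proxy
-- monitor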

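--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,57 +0,0 @@
-tls:
-options:
-default:
-minVersion: VersionTLS12
-cipherSuites:
-- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
-- TLS_AES_128_GCM_SHA256
-- TLS_AES_256_GCM_SHA384
-- TLS_CHACHA20_POLY1305_SHA256
-curvePreferences:
-- CurveP521
-- CurveP384
-sniStrict: true
-http:
-routers:
-traefik:
-rule: "Host(`proxy.example.com`)"
-middlewares:
-- authelia
-- secHeaders
-tls:
-certResolver: inwx
-service: api@internal
-authelia:
-rule: "Host(`auth.example.com`)"
-middlewares:
-- secHeaders
-tls:
-certResolver: inwx
-service: authelia
-middlewares:
-secHeaders:
-headers:
-browserXssFilter: true
-contentTypeNosniff: true
-frameDeny: true
-sslRedirect: true
-forceSTSHeader: true
-stsIncludeSubdomains: true
-stsPreload: true
-stsSeconds: 31536000
-customFrameOptionsValue: "SAMEORIGIN"
-customRequestHeaders:
-X-Forwarded-Proto: https
-authelia:
-forwardAuth:
-address: "http://authelia:9091/api/verify?rd=https://auth.example.com"
-services:
-authelia:
-loadBalancer:
-servers:
-- url: "http://authelia:9091"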

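--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,28 +0,0 @@
-api:
-dashboard: true
-entryPoints:
-http:
-address: ":80"
-http:
-redirections:
-entryPoint:
-to: https
-scheme: https
-https:
-address: ":443"
-serversTransport:
-insecureSkipVerify: true
-providers:
-file:
-filename: /config.yml
-certificatesResolvers:
-inwx:
-acme:
-email: example@example.com
-storage: inwx.json
-dnsChallenge:
-provider: inwx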

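--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,7 @@
+# Traefik & Grafana & Authelia
+Make sure to create empty secrets/acme.json file to store certs.
+## How to generate password hash for user_database.yml
+`docker run authelia/authelia:latest authelia hash-password 'yourpassword'`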

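--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,60 @@
+---
+###############################################################
+# Authelia configuration #
+###############################################################
+default_redirection_url: https://home.example.de
+server:
+host: authelia
+port: 9091
+log:
+level: warn
+theme: auto
+authentication_backend:
+password_reset:
+disable: true
+file:
+path: /config/users_database.yml
+access_control:
+default_policy: deny
+rules:
+- domain: home.example.de
+policy: one_factor
+totp:
+disable: true
+issuer: authelia.com
+webauthn:
+disable: false
+session:
+name: authelia_example
+expiration: 3600
+inactivity: 300
+domain: example.de
+redis:
+host: authelia-redis
+port: 6379
+regulation:
+max_retries: 3
+find_time: 120
+ban_time: 300
+storage:
+local:
+path: /config/db.sqlite3
+notifier:
+smtp:
+username: example@gmail.com
+host: smtp.gmail.com
+port: 587
+sender: mail@example.de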
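Review bot: `server.host: authelia` sets Authelia's listen address to the container's own hostname, and the compose file in this commit attaches the `authelia` container to two networks (`proxy` and `authelia`), so the name may resolve to the address on the wrong network and Traefik's forwardAuth call to `http://authelia:9091` over `proxy` could be refused. The deleted configuration bound to `0.0.0.0`; `host: 0.0.0.0` keeps the listener reachable on both networks. The `session.redis` block carries no `password`, so the Redis instance is protected only by its placement on the compose-internal `authelia` network, which deserves a comment next to it such as `# redis is unauthenticated; reachable only on the internal 'authelia' network`. The page rendering has flattened the indentation, so the nesting of these keys could not be checked here.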


@ -4,4 +4,4 @@ users:
password: "$argon2id$v=19$m=65536$3oc26byQuSkQqksq$zM1QiTvVPrMfV6BVLs2t4gM+af5IN7euO0VB6+Q8ZFs"
email: example@example.com
groups:
- admins
- admins

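--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,120 @@
+version: "3.9"
+networks:
+proxy:
+external: true
+metrics:
+external: false
+authelia:
+external: false
+secrets:
+jwt:
+file: ./secrets/authelia_jwt
+session:
+file: ./secrets/authelia_session
+storage:
+file: ./secrets/authelia_storage
+smtp:
+file: ./secrets/authelia_smtp
+hetzner:
+file: ./secrets/hetzner_key
+volumes:
+redis:
+services:
+authelia:
+image: authelia/authelia:latest
+container_name: authelia
+restart: always
+secrets:
+- jwt
+- session
+- storage
+- smtp
+environment:
+- TZ=Europe/Berlin
+- AUTHELIA_JWT_SECRET_FILE=/run/secrets/jwt
+- AUTHELIA_SESSION_SECRET_FILE=/run/secrets/session
+- AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/smtp
+- AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/storage
+volumes:
+- /etc/localtime:/etc/localtime:ro
+- ./authelia:/config
+labels:
+- "traefik.enable=true"
+- "traefik.http.routers.authelia.entrypoints=websecure"
+healthcheck:
+disable: true
+expose:
+- 9091
+networks:
+- proxy
+- authelia
+authelia-redis:
+image: redis:alpine
+container_name: authelia-redis
+restart: always
+environment:
+- TZ=Europe/Berlin
+volumes:
+- redis:/data
+expose:
+- 6379
+networks:
+- authelia
+traefik:
+image: traefik:2.9
+container_name: traefik
+restart: always
+secrets:
+- hetzner
+environment:
+- TZ=Europe/Berlin
+- HETZNER_API_KEY_FILE=/run/secrets/hetzner
+volumes:
+- /etc/localtime:/etc/localtime:ro
+- /var/run/docker.sock:/var/run/docker.sock:ro
+- ./traefik/static.yaml:/etc/traefik/traefik.yaml
+- ./traefik/dynamic.yaml:/dynamic.yaml
+- ./secrets/acme.json:/acme.json
+ports:
+- "80:80"
+- "443:443"
+- "127.0.0.1:8080:8080"
+networks:
+- proxy
+- metrics
+prometheus:
+image: prom/prometheus:latest
+container_name: prometheus
+restart: always
+volumes:
+- "./prometheus:/etc/prometheus"
+expose:
+- "9090:9090"
+networks:
+- metrics
+grafana:
+image: grafana/grafana:latest
+container_name: grafana
+restart: always
+user: "1000"
+environment:
+- GF_SECURITY_ADMIN_USER=flohoss
+- GF_LOG_LEVEL=error
+- GF_SERVER_ROOT_URL=https://metrics.tp.unjx.de
+- GF_AUTH_ANONYMOUS_ENABLED=true
+- GF_AUTH_ANONYMOUS_ORG_ROLE=Editor
+- GF_LIVE_ALLOWED_ORIGINS=*
+volumes:
+- ./grafana:/var/lib/grafana
+ports:
+- "127.0.0.1:3000:3000"
+networks:
+- metrics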
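Review bot: The rewritten `traefik` service drops the `security_opt:` / `- no-new-privileges:true` that the deleted compose file set on the same service, while still mounting `/var/run/docker.sock`; nothing in this hunk replaces it, so restoring those two lines under `traefik` (and adding them to the other services) is the first thing to raise. `authelia/authelia:latest`, `prom/prometheus:latest` and `grafana/grafana:latest` replace the previously pinned `authelia/authelia:4`, so a routine `pull` can move the identity provider across a major version unattended; pinning a tag as `traefik:2.9` does, or a digest, keeps upgrades deliberate. Grafana is started with `GF_AUTH_ANONYMOUS_ENABLED=true`, `GF_AUTH_ANONYMOUS_ORG_ROLE=Editor`, `GF_LIVE_ALLOWED_ORIGINS=*` and no `GF_SECURITY_ADMIN_PASSWORD`, so if the configured root URL `https://metrics.tp.unjx.de` is reachable beyond the `127.0.0.1:3000` binding, unauthenticated visitors can edit dashboards and the renamed admin account presumably still carries Grafana's initial default password; `Viewer` is the safer anonymous role and the admin password belongs in a secret like the others in this file. Under `prometheus`, `expose:` takes container ports rather than host mappings, so `- "9090:9090"` should read `- 9090` like the other services.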

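--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1 @@
+example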

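--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1 @@
+example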

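--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1 @@
+example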

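--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1 @@
+example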

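--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1 @@
+example_hetzner_key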

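--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,42 @@
+http:
+middlewares:
+authelia:
+forwardAuth:
+address: "http://authelia:9091/api/verify?rd=https%3A%2F%2Fauthelia.unjx.de%2F"
+trustForwardHeader: true
+authResponseHeaders:
+- "Remote-User"
+- "Remote-Groups"
+- "Remote-Email"
+- "Remote-Name"
+florianhoss:
+redirectRegex:
+regex: "^https://fhoss.de|www.fhoss.de|www.florianhoss.de(/?.*)"
+replacement: "https://florianhoss.de${1}"
+permanent: true
+helmuthoss:
+redirectRegex:
+regex: "^https://www.helmuthoss.de(/?.*)"
+replacement: "https://helmuthoss.de${1}"
+permanent: true
+secure-headers:
+headers:
+frameDeny: true
+browserXssFilter: true
+contentTypeNosniff: true
+forceSTSHeader: true
+stsIncludeSubdomains: true
+stsPreload: true
+stsSeconds: 63072000
+customFrameOptionsValue: "SAMEORIGIN"
+referrerPolicy: "strict-origin"
+tls:
+options:
+default:
+sniStrict: true
+minVersion: "VersionTLS12"
+cipherSuites:
+- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
+- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+- "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
+- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"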
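Review bot: The `florianhoss` redirect regex `^https://fhoss.de|www.fhoss.de|www.florianhoss.de(/?.*)` is three alternatives rather than one host list: only the first is anchored with `^`, only the third carries the `(/?.*)` capture, and the dots are unescaped, so `https://fhoss.de/some/path` matches the first alternative with an empty `${1}` and redirects to `https://florianhoss.de` without the path, while `www.fhoss.de` matches anywhere in a URL, including inside a query string. Grouping the hosts and anchoring the whole pattern fixes both: `regex: '^https://(?:(?:www\.)?fhoss\.de|www\.florianhoss\.de)(/?.*)$'`, single-quoted so the backslashes survive YAML parsing. The `helmuthoss` pattern would likewise be tighter as `'^https://www\.helmuthoss\.de(/?.*)$'`.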

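--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,51 @@
+global:
+checkNewVersion: true
+sendAnonymousUsage: false
+serversTransport:
+insecureSkipVerify: true
+entryPoints:
+web:
+address: ":80"
+forwardedHeaders:
+trustedIPs: ["172.19.0.0/16"]
+insecure: false
+proxyProtocol:
+trustedIPs: ["172.19.0.0/16"]
+insecure: false
+http:
+redirections:
+entryPoint:
+to: websecure
+scheme: https
+websecure:
+address: ":443"
+forwardedHeaders:
+trustedIPs: ["172.19.0.0/16"]
+insecure: false
+proxyProtocol:
+trustedIPs: ["172.19.0.0/16"]
+insecure: false
+http:
+middlewares: ["secure-headers@file"]
+tls:
+certResolver: "hetzner"
+providers:
+file:
+filename: "dynamic.yaml"
+watch: true
+docker:
+exposedByDefault: false
+network: "proxy"
+defaultRule: 'Host(`{{ index .Labels "com.docker.compose.service"}}.unjx.de`)'
+api:
+dashboard: true
+insecure: true
+metrics:
+prometheus: {}
+certificatesResolvers:
+hetzner:
+acme:
+email: "mail@example.de"
+storage: "acme.json"
+dnsChallenge:
+provider: "hetzner"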
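Review bot: `api.insecure: true` serves the dashboard and API unauthenticated on the `traefik` entrypoint (port 8080); the deleted dynamic config instead exposed `api@internal` through a router placed behind the `authelia` forwardAuth middleware, and that router has no replacement in this commit. The compose file binds 8080 to `127.0.0.1` only, which contains the exposure but still hands a full read-only view of every router, service and middleware to anything running on the host; `insecure: false` plus a file-provider router with `service: api@internal`, the `authelia@file` middleware and `tls.certResolver: hetzner` restores the previous posture. `serversTransport.insecureSkipVerify: true` is carried over from the old config and disables certificate verification for every backend Traefik talks to, not only a self-signed one; a comment naming the backend that needs it would justify keeping it. The `trustedIPs: ["172.19.0.0/16"]` entries on both entrypoints, for `forwardedHeaders` and `proxyProtocol` alike, hard-code a Docker subnet that the compose file does not declare, so any container that lands on that network can set `X-Forwarded-For` and send PROXY protocol headers; since Traefik binds 80/443 on the host directly, these blocks look unnecessary unless an upstream proxy exists — please confirm.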