Instantiate TFA

traefik-forward-auth/.env-dist

@@ -1,26 +1,32 @@
 TRAEFIK_FORWARD_AUTH_BASE_IMAGE=thomseddon/traefik-forward-auth:2
 
+## Set central auth specific domain that will handle auth for all other domains:
+TRAEFIK_FORWARD_AUTH_HOST=auth.example.com
+TRAEFIK_FORWARD_AUTH_HTTPS_PORT=443
+
+# The name of this instance. If there is only one instance, use 'default'.
+TRAEFIK_FORWARD_AUTH_INSTANCE=
+
 ## Oauth secret: CHANGE THIS:
 ## use `openssl rand -base64 45`
 TRAEFIK_FORWARD_AUTH_SECRET=
 
 TRAEFIK_FORWARD_AUTH_LOG_LEVEL=debug
 
-## Set central auth specific domain that will handle auth for all other domains:
-TRAEFIK_FORWARD_AUTH_HOST=auth.example.com
-TRAEFIK_FORWARD_AUTH_HTTPS_PORT=443
-
-## Set your gitea domain (only used for helping construct the other URLs)
-TRAEFIK_FORWARD_AUTH_GITEA_DOMAIN=git.example.com
+## Set your forgejo domain (only used for helping construct the other URLs)
+TRAEFIK_FORWARD_AUTH_FORGEJO_DOMAIN=git.example.com
 
 ## Set cookie domain as the root domain for all subdomains:
 TRAEFIK_FORWARD_AUTH_COOKIE_DOMAIN=example.com
 
+## Set cookie name:
+TRAEFIK_FORWARD_AUTH_COOKIE_NAME=_forward_auth
+
 TRAEFIK_FORWARD_AUTH_COOKIE_LIFETIME=43200
 TRAEFIK_FORWARD_AUTH_LOGOUT_REDIRECT=
 
-## Select the OAuth provider you want to use: (gitea, github, or google are provided)
-TRAEFIK_FORWARD_AUTH_SELECTED_PROVIDER=gitea
+## Select the OAuth provider you want to use: (forgejo, github, or google are provided)
+TRAEFIK_FORWARD_AUTH_SELECTED_PROVIDER=forgejo
 
 ## OAuth provider config:
 TRAEFIK_FORWARD_AUTH_DEFAULT_PROVIDER=generic-oauth
@@ -33,10 +39,10 @@ TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_SCOPE=
 TRAEFIK_FORWARD_AUTH_PROVIDERS_GOOGLE_CLIENT_ID=
 TRAEFIK_FORWARD_AUTH_PROVIDERS_GOOGLE_CLIENT_SECRET=
 
-## Example for Gitea:
+## Example for Forgejo:
 ## Create new Oauth2 app here: https://git.example.com/user/settings/applications
 #TRAEFIK_FORWARD_AUTH_DEFAULT_PROVIDER=generic-oauth
-## Change the domain to your own gitea instance URL (keep the paths unchanged):
+## Change the domain to your own forgejo instance URL (keep the paths unchanged):
 #TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_AUTH_URL=https://git.example.com/login/oauth/authorize
 #TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_TOKEN_URL=https://git.example.com/login/oauth/access_token
 #TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_USER_URL=https://git.example.com/api/v1/user

traefik-forward-auth/Makefile

@@ -1,21 +1,35 @@
 ROOT_DIR = ..
 include ${ROOT_DIR}/_scripts/Makefile.projects
+include ${ROOT_DIR}/_scripts/Makefile.instance
 
 .PHONY: config-hook
 config-hook:
 	@${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_FORWARD_AUTH_HOST "Enter the traefik-foward-auth host domain name" auth.${ROOT_DOMAIN}
+	@${BIN}/reconfigure ${ENV_FILE} TRAEFIK_FORWARD_AUTH_INSTANCE=$${instance:-default}
 	@${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_FORWARD_AUTH_COOKIE_DOMAIN "Enter the cookie domain name (ie ROOT domain)" ${ROOT_DOMAIN}
+	@${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_FORWARD_AUTH_COOKIE_NAME "Enter the cookie name" "_forward_auth_${CONTEXT_INSTANCE}"
 	@${BIN}/reconfigure_password ${ENV_FILE} TRAEFIK_FORWARD_AUTH_SECRET 45
 	@echo
 	@ENV_FILE=${ENV_FILE} ROOT_DIR=${ROOT_DIR} bash ./configure_https_port.sh || true
 
 	@echo
-	@${BIN}/reconfigure_choose ${ENV_FILE} TRAEFIK_FORWARD_AUTH_SELECTED_PROVIDER "Select the OAuth provider to use" "gitea" "github" "google" "discord"
-	@test "gitea" == $$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_FORWARD_AUTH_SELECTED_PROVIDER) && ENV_FILE=${ENV_FILE} ROOT_DIR=${ROOT_DIR} bash ./configure_gitea.sh || true
-	@test "github" == $$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_FORWARD_AUTH_SELECTED_PROVIDER) && ENV_FILE=${ENV_FILE} ROOT_DIR=${ROOT_DIR} bash ./configure_github.sh || true
-	@test "google" == $$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_FORWARD_AUTH_SELECTED_PROVIDER) && ENV_FILE=${ENV_FILE} ROOT_DIR=${ROOT_DIR} bash ./configure_google.sh || true
-	@test "discord" == $$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_FORWARD_AUTH_SELECTED_PROVIDER) && ENV_FILE=${ENV_FILE} ROOT_DIR=${ROOT_DIR} bash ./configure_discord.sh || true
+	@${BIN}/reconfigure_choose ${ENV_FILE} TRAEFIK_FORWARD_AUTH_SELECTED_PROVIDER "Select the OAuth provider to use" "forgejo" "github" "google" "discord"
+	@ENV_FILE=${ENV_FILE} ROOT_DIR=${ROOT_DIR} bash ./configure_$$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_FORWARD_AUTH_SELECTED_PROVIDER).sh 
+	@echo
 
+.PHONY: override-hook
+override-hook:
+#### This sets the override template variables for docker-compose.instance.yaml:
+#### The template dynamically renders to docker-compose.override_{DOCKER_CONTEXT}_{INSTANCE}.yaml
+#### These settings are used to automatically generate the service container labels, and traefik config, inside the template.
+#### The variable arguments have three forms: `=` `=:` `=@`
+####   name=VARIABLE_NAME    # sets the template 'name' field to the value of VARIABLE_NAME found in the .env file
+####                         # (this hardcodes the value into docker-compose.override.yaml)
+####   name=:VARIABLE_NAME   # sets the template 'name' field to the literal string 'VARIABLE_NAME'
+####                         # (this hardcodes the string into docker-compose.override.yaml)
+####   name=@VARIABLE_NAME   # sets the template 'name' field to the literal string '${VARIABLE_NAME}'
+####                         # (used for regular docker-compose expansion of env vars by name.)
+	@${BIN}/docker_compose_override ${ENV_FILE} project=:traefik-forward-auth instance=@TRAEFIK_FORWARD_AUTH_INSTANCE traefik_host=@TRAEFIK_FORWARD_AUTH_HOST
 
 .PHONY: shell
 shell:

traefik-forward-auth/configure_gitea.sh → traefik-forward-auth/configure_forgejo.sh

@@ -6,28 +6,28 @@ source ${BIN}/funcs.sh
 ROOT_DOMAIN=$(get_root_domain)
 DOCKER_CONTEXT=$(${BIN}/docker_context)
 
-${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_FORWARD_AUTH_GITEA_DOMAIN "Enter your gitea domain name" git.${ROOT_DOMAIN}
+${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_FORWARD_AUTH_FORGEJO_DOMAIN "Enter your forgejo domain name" git.${ROOT_DOMAIN}
 
-GITEA_DOMAIN=$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_FORWARD_AUTH_GITEA_DOMAIN)
+FORGEJO_DOMAIN=$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_FORWARD_AUTH_FORGEJO_DOMAIN)
 HTTPS_PORT=$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_FORWARD_AUTH_HTTPS_PORT)
 
 ${BIN}/reconfigure ${ENV_FILE} \
-      TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_AUTH_URL="https://${GITEA_DOMAIN}${HTTPS_PORT}/login/oauth/authorize" \
-      TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_TOKEN_URL="https://${GITEA_DOMAIN}${HTTPS_PORT}/login/oauth/access_token" \
-      TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_USER_URL="https://${GITEA_DOMAIN}${HTTPS_PORT}/api/v1/user"
+      TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_AUTH_URL="https://${FORGEJO_DOMAIN}${HTTPS_PORT}/login/oauth/authorize" \
+      TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_TOKEN_URL="https://${FORGEJO_DOMAIN}${HTTPS_PORT}/login/oauth/access_token" \
+      TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_USER_URL="https://${FORGEJO_DOMAIN}${HTTPS_PORT}/api/v1/user"
 
 echo ""
-echo "Opening Gitea applications page... (login as root)"
-echo "https://${GITEA_DOMAIN}${HTTPS_PORT}/user/settings/applications"
+echo "Opening Forgejo applications page... (login as root)"
+echo "https://${FORGEJO_DOMAIN}${HTTPS_PORT}/user/settings/applications"
 echo "You should now create a new OAuth2 application: "
 echo "Set the 'Application Name' the same as AUTH_HOST (or whatever you like)"
 echo "Set the 'Redirect URL' using https://AUTH_HOST/_oauth, eg. https://auth.${ROOT_DOMAIN}/_oauth"
 
-xdg-open https://${GITEA_DOMAIN}${HTTPS_PORT}/user/settings/applications
+xdg-open https://${FORGEJO_DOMAIN}${HTTPS_PORT}/user/settings/applications
 
 ${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_CLIENT_ID "Copy and Paste the OAuth2 client ID here"
 
 ${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET "Copy and Paste the OAuth2 client secret here"
-${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_FORWARD_AUTH_LOGOUT_REDIRECT "Enter the logout redirect URL" https://${GITEA_DOMAIN}$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_FORWARD_AUTH_HTTPS_PORT)/logout
+${BIN}/reconfigure_ask ${ENV_FILE} TRAEFIK_FORWARD_AUTH_LOGOUT_REDIRECT "Enter the logout redirect URL" https://${FORGEJO_DOMAIN}$(${BIN}/dotenv -f ${ENV_FILE} get TRAEFIK_FORWARD_AUTH_HTTPS_PORT)/logout
 
 ${BIN}/reconfigure ${ENV_FILE} TRAEFIK_FORWARD_AUTH_DEFAULT_PROVIDER=generic-oauth

traefik-forward-auth/docker-compose.instance.yaml

@@ -0,0 +1,43 @@
+#! This is a ytt template file for docker-compose.override.yaml
+#! References:
+#!   https://carvel.dev/ytt
+#!   https://docs.docker.com/compose/extends/#adding-and-overriding-configuration
+#!   https://github.com/enigmacurry/d.rymcg.tech#overriding-docker-composeyaml-per-instance
+
+#! ### Standard project vars:
+#@ load("@ytt:data", "data")
+#@ project = data.values.project
+#@ instance = data.values.instance
+#@ context = data.values.context
+#@ traefik_host = data.values.traefik_host
+#@ enabled_middlewares = []
+
+#@yaml/text-templated-strings
+services:
+  traefik-forward-auth:
+    #@ service = "traefik-forward-auth"
+    labels:
+      #! Services must opt-in to be proxied by Traefik:
+      - "traefik.enable=true"
+
+      #! 'router' is the fully qualified key in traefik for this router/service: project + instance + service
+      #! #@ router = "{}-{}-{}".format(project,instance,service)
+      #@ router = "traefik-forward-auth"
+
+      #! The host matching router rule:
+      - "traefik.http.routers.(@= router @).rule=Host(`(@= traefik_host @)`)"
+      - "traefik.http.routers.(@= router @).entrypoints=websecure"
+      - "traefik.http.routers.(@= router @).middlewares=traefik-forward-auth"
+      - "traefik.http.routers.(@= router @).tls=true"
+
+      #! #@ enabled_middlewares.append("{}-forwardAuth".format(router))
+      - "traefik.http.middlewares.(@= router @).forwardAuth.address=http://127.0.0.1:4181"
+      - "traefik.http.middlewares.(@= router @).forwardAuth.authResponseHeaders=X-Forwarded-User"
+
+      #! Override the default port that the app binds to:
+      #! You don't normally need to do this, as long as your image has
+      #! an EXPOSE directive in it, Traefik will autodetect it, but this is how you can override it:
+      - "traefik.http.services.(@= router @).loadbalancer.server.port=4181"
+
+      #! Apply all middlewares (do this at the end!)
+      - "traefik.http.routers.(@= router @).middlewares=(@= ','.join(enabled_middlewares) @)"

traefik-forward-auth/docker-compose.yaml

@@ -3,7 +3,7 @@ services:
     build:
       context: traefik-forward-auth
       args:
-        BASE_IMAGE: ${TRAEFIK_FORWARD_AUTH_BASE_IMAGE}
+        BASE_IMAGE: ${TRAEFIK_FORWARD_AUTH_BASE_IMAGE:-thomseddon/traefik-forward-auth:2}
         STEP_CA_ENABLED: ${TRAEFIK_FORWARD_AUTH_STEP_CA_ENABLED}
         STEP_CA_ENDPOINT: ${TRAEFIK_FORWARD_AUTH_STEP_CA_ENDPOINT}
         STEP_CA_FINGERPRINT: ${TRAEFIK_FORWARD_AUTH_STEP_CA_FINGERPRINT}
@@ -16,6 +16,8 @@ services:
       - LOG_LEVEL=${TRAEFIK_FORWARD_AUTH_LOG_LEVEL}
       - AUTH_HOST=${TRAEFIK_FORWARD_AUTH_HOST}${TRAEFIK_FORWARD_AUTH_HTTPS_PORT}
       - COOKIE_DOMAIN=${TRAEFIK_FORWARD_AUTH_COOKIE_DOMAIN}
+      - COOKIE_NAME=${TRAEFIK_FORWARD_AUTH_COOKIE_NAME}
+      - CSRF_COOKIE_NAME=${TRAEFIK_FORWARD_AUTH_COOKIE_NAME}_csrf
       - DEFAULT_PROVIDER=${TRAEFIK_FORWARD_AUTH_DEFAULT_PROVIDER}
       - PROVIDERS_GENERIC_OAUTH_AUTH_URL=${TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_AUTH_URL}
       - PROVIDERS_GENERIC_OAUTH_TOKEN_URL=${TRAEFIK_FORWARD_AUTH_PROVIDERS_GENERIC_OAUTH_TOKEN_URL}
@@ -30,16 +32,7 @@ services:
     command:
       - "--rule.http-options-requests.action=allow"
       - "--rule.http-options-requests.rule=Method(`OPTIONS`)"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
-      - "traefik.http.middlewares.traefik-forward-auth.forwardAuth.address=http://127.0.0.1:4181"
-      - "traefik.http.middlewares.traefik-forward-auth.forwardAuth.authResponseHeaders=X-Forwarded-User"
-
-      - "traefik.http.routers.traefik-forward-auth.rule=Host(`${TRAEFIK_FORWARD_AUTH_HOST}`)"
-      - "traefik.http.routers.traefik-forward-auth.entrypoints=websecure"
-      - "traefik.http.routers.traefik-forward-auth.tls=true"
-      - "traefik.http.routers.traefik-forward-auth.middlewares=traefik-forward-auth"
+    labels: []
     ports:
       - 127.0.0.1:4181:4181
     restart: always

traefik-forward-auth/traefik-forward-auth/Dockerfile

@@ -14,5 +14,5 @@ RUN ([[ "$STEP_CA_ENABLED" == "true" ]] && [[ "$STEP_CA_ZERO_CERTS" != "true" ]]
     cat /root/.step/certs/root_ca.crt >> /etc/ssl/certs/ca-certificates.crt) || true
 
 ## Copy Step-CA certificate store into the otherwise unmodified base image:
-FROM ${BASE_IMAGE}
+FROM ${BASE_IMAGE:-thomseddon/traefik-forward-auth:2}
 COPY --from=step_ca /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs

traefik/Dockerfile

@@ -29,7 +29,7 @@ RUN git clone https://${CERT_AUTH_MODULE}.git /plugins-local/src/github.com/fame
 RUN git clone https://${MTLS_HEADER_MODULE}.git /plugins-local/src/github.com/pnxs/traefik-plugin-mtls-header \
       --depth 1 --single-branch --branch ${MTLS_HEADER_GIT_BRANCH}
 
-FROM ${TRAEFIK_IMAGE}
+FROM ${TRAEFIK_IMAGE:--traefik:v3.1}
 ARG TRAEFIK_UID TRAEFIK_GID TRAEFIK_DOCKER_GID
 COPY --from=plugins /plugins-local /plugins-local
 COPY entrypoint.sh  /entrypoint_ensure_config.sh

traefik/docker-compose.yaml

@@ -122,7 +122,7 @@ services:
     build:
       context: .
       args:
-        TRAEFIK_IMAGE: ${TRAEFIK_IMAGE}
+        TRAEFIK_IMAGE: ${TRAEFIK_IMAGE:-traefik:v3.1}
         BLOCKPATH_MODULE: ${TRAEFIK_BLOCKPATH_MODULE}
         BLOCKPATH_GIT_BRANCH: master
         REFERER_MODULE: ${TRAEFIK_REFERER_MODULE}
@@ -240,7 +240,7 @@ services:
   error-pages:
     profiles:
       - error-pages
-    image: ${TRAEFIK_ERROR_PAGES_IMAGE}
+    image: ${TRAEFIK_ERROR_PAGES_IMAGE:-tarampampam/error-pages:2.25.0}
     environment:
       TEMPLATE_NAME: ${TRAEFIK_ERROR_PAGES_TEMPLATE}
     labels: