From dd3781671d52784228d4132174a9d52725d159f9 Mon Sep 17 00:00:00 2001 From: Vladimir Mikhalev Date: Sun, 6 Oct 2024 13:07:35 -0400 Subject: [PATCH] Authelia with Let's Encrypt Using Docker Compose --- .env | 21 ++ .github/FUNDING.yml | 4 + .../workflows/00-deployment-verification.yml | 50 ++++ .gitignore | 278 ++++++++++++++++++ README.md | 80 +++++ ...lia-traefik-letsencrypt-docker-compose.yml | 200 +++++++++++++ config/configuration.yml | 53 ++++ config/secrets/JWT_SECRET | 1 + config/secrets/REDIS_PASSWORD | 1 + config/secrets/SESSION_SECRET | 1 + config/secrets/SMTP_PASSWORD | 1 + config/secrets/STORAGE_ENCRYPTION_KEY | 1 + config/secrets/STORAGE_PASSWORD | 1 + config/users_database.yml | 25 ++ generate-authelia-secrets.sh | 11 + 15 files changed, 728 insertions(+) create mode 100644 .env create mode 100644 .github/FUNDING.yml create mode 100644 .github/workflows/00-deployment-verification.yml create mode 100644 .gitignore create mode 100644 README.md create mode 100644 authelia-traefik-letsencrypt-docker-compose.yml create mode 100644 config/configuration.yml create mode 100644 config/secrets/JWT_SECRET create mode 100644 config/secrets/REDIS_PASSWORD create mode 100644 config/secrets/SESSION_SECRET create mode 100644 config/secrets/SMTP_PASSWORD create mode 100644 config/secrets/STORAGE_ENCRYPTION_KEY create mode 100644 config/secrets/STORAGE_PASSWORD create mode 100644 config/users_database.yml create mode 100755 generate-authelia-secrets.sh diff --git a/.env b/.env new file mode 100644 index 0000000..2517873 --- /dev/null +++ b/.env 
@@ -0,0 +1,21 @@
+# Traefik Variables
+TRAEFIK_IMAGE_TAG=traefik:2.9
+TRAEFIK_LOG_LEVEL=WARN
+TRAEFIK_ACME_EMAIL=callvaldemar@gmail.com
+TRAEFIK_HOSTNAME=traefik.authelia.heyvaldemar.net
+# Basic Authentication for Traefik Dashboard
+# Username: traefikadmin
+# Passwords must be encoded using MD5, SHA1, or BCrypt https://hostingcanada.org/htpasswd-generator/
+TRAEFIK_BASIC_AUTH=traefikadmin:$$2y$$10$$sMzJfirKC75x/hVpiINeZOiSm.Jkity9cn4KwNkRvO7hSQVFc5FLO
+
+# Authelia Variables
+AUTHELIA_POSTGRES_IMAGE_TAG=postgres:16
+AUTHELIA_REDIS_IMAGE_TAG=bitnami/redis:7.4
+AUTHELIA_IMAGE_TAG=authelia/authelia:4.38
+AUTHELIA_DB_NAME=autheliadb
+AUTHELIA_DB_USER=autheliadbuser
+AUTHELIA_HOSTNAME=authelia.heyvaldemar.net
+# Timezone inside container
+# A list of these tz database names can be looked up at Wikipedia
+# https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+AUTHELIA_TIMEZONE=America/New_York
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 0000000..89b098c
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1,4 @@
+github: heyvaldemar
+patreon: heyvaldemar
+ko_fi: heyvaldemar
+custom: ['paypal.com/paypalme/heyValdemarCOM', 'buymeacoffee.com/heyValdemar', 'ko-fi.com/heyValdemar']
diff --git a/.github/workflows/00-deployment-verification.yml b/.github/workflows/00-deployment-verification.yml
new file mode 100644
index 0000000..8405dac
--- /dev/null
+++ b/.github/workflows/00-deployment-verification.yml
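Review bot: `TRAEFIK_BASIC_AUTH` ships a concrete bcrypt hash for the `traefikadmin` account inside a tracked `.env`, and the `.gitignore` added in this same commit does not exclude `.env`, so anyone who deploys without editing the file runs the Traefik dashboard behind a credential whose hash is public in this repository. Make the placeholder status explicit in the comment above it, e.g. `# Placeholder - the hash below is public; generate your own before deploying`, and consider committing a `.env.example` while ignoring the real `.env`. The `$$` doubling in the value is required because Compose interpolates `$` in `.env`, which is worth a one-line comment so the next editor does not "fix" it back to single `$`.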
@@ -0,0 +1,50 @@ +name: Deployment Verification + +on: + push: + branches: + - main + pull_request: + branches: + - main + +jobs: + deploy-and-test: + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Create necessary Docker networks + run: | + docker network create authelia-network || true + docker network create traefik-network || true + + - name: Start up services using Docker Compose + run: docker compose -f authelia-traefik-letsencrypt-docker-compose.yml up -d + + - name: Modify /etc/hosts for internal routing + run: | + echo "127.0.0.1 authelia.heyvaldemar.net" | sudo tee -a /etc/hosts + echo "127.0.0.1 traefik.authelia.heyvaldemar.net" | sudo tee -a /etc/hosts + + - name: Print Docker Compose services status + run: docker ps + + - name: Wait for the application to be ready via Traefik + run: | + echo "Checking the routing and availability of application via Traefik..." + timeout 5m bash -c 'while ! curl -fsSLk "https://authelia.heyvaldemar.net"; do echo "Waiting for the application to be ready..."; sleep 10; done' + + - name: Inspect Network Configuration + run: | + docker network inspect authelia-network + docker network inspect traefik-network + + - name: Shutdown Docker Compose services + if: always() + run: docker compose -f authelia-traefik-letsencrypt-docker-compose.yml down diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..10344d5 --- /dev/null +++ b/.gitignore 
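Review bot: When the loop in the `Wait for the application to be ready via Traefik` step times out, the job ends with only the `docker ps` output captured before the failure, so a crash-looping `authelia` or `traefik` container leaves nothing to diagnose. Add a log-dump step before the shutdown step, e.g. `- name: Show service logs on failure` / `if: failure()` / `run: docker compose -f authelia-traefik-letsencrypt-docker-compose.yml logs`. The `curl -fsSLk` check skips certificate validation, which is unavoidable on the runner since no ACME issuance can happen there, so this step verifies routing only and not TLS; a comment saying so keeps the `-k` from being copied into deployment instructions. The `|| true` on the two `docker network create` lines hides every failure rather than just "already exists"; on a fresh runner it can be dropped.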
@@ -0,0 +1,278 @@ +# Created by https://www.toptal.com/developers/gitignore/api/git,macos,xcode,jekyll,packer,ansible,vagrant,windows,notepadpp,terraform,powershell,terragrunt,sublimetext,ansibletower,visualstudiocode,linux +# Edit at https://www.toptal.com/developers/gitignore?templates=git,macos,xcode,jekyll,packer,ansible,vagrant,windows,notepadpp,terraform,powershell,terragrunt,sublimetext,ansibletower,visualstudiocode,linux + +### Ansible ### +*.retry + +### AnsibleTower ### +# Ansible runtime and backups +*.original +*.tmp +*.bkp +*.*~ + +# Tower runtime roles +roles/** +!roles/requirements.yml + +# Exclude all binaries +*.bin +*.jar +*.tar +*.zip +*.gzip +*.tgz + + +### Git ### +# Created by git for backups. To disable backups in Git: +# $ git config --global mergetool.keepBackup false +*.orig + +# Created by git when using merge tools for conflicts +*.BACKUP.* +*.BASE.* +*.LOCAL.* +*.REMOTE.* +*_BACKUP_*.txt +*_BASE_*.txt +*_LOCAL_*.txt +*_REMOTE_*.txt + +### Jekyll ### +_site/ +.sass-cache/ +.jekyll-cache/ +.jekyll-metadata +# Ignore folders generated by Bundler +.bundle/ +vendor/ + +### Linux ### +*~ + +# temporary files which can be created if a process still has a handle open of a deleted file +.fuse_hidden* + +# KDE directory preferences +.directory + +# Linux trash folder which might appear on any partition or disk +.Trash-* + +# .nfs files are created when an open file is removed but is still being accessed +.nfs* + +### macOS ### +# General +.DS_Store +.AppleDouble +.LSOverride + +# Icon must end with two \r +Icon + + +# Thumbnails +._* + +# Files that might appear in the root of a volume +.DocumentRevisions-V100 +.fseventsd +.Spotlight-V100 +.TemporaryItems +.Trashes +.VolumeIcon.icns +.com.apple.timemachine.donotpresent + +# Directories potentially created on remote AFP share +.AppleDB +.AppleDesktop +Network Trash Folder +Temporary Items +.apdisk + +### macOS Patch ### +# iCloud generated files +*.icloud + +### NotepadPP ### +# Notepad++ backups 
# +*.bak + +### Packer ### +# Cache objects +packer_cache/ + +# Crash log +crash.log + +# https://www.packer.io/guides/hcl/variables +# Exclude all .pkrvars.hcl files, which are likely to contain sensitive data, +# such as password, private keys, and other secrets. These should not be part of +# version control as they are data points which are potentially sensitive and +# subject to change depending on the environment. +# +*.pkrvars.hcl + +# For built boxes +*.box + +### Packer Patch ### +# ignore temporary output files +output-*/ + +### PowerShell ### +# Exclude packaged modules + +# Exclude .NET assemblies from source +*.dll + +### SublimeText ### +# Cache files for Sublime Text +*.tmlanguage.cache +*.tmPreferences.cache +*.stTheme.cache + +# Workspace files are user-specific +*.sublime-workspace + +# Project files should be checked into the repository, unless a significant +# proportion of contributors will probably not be using Sublime Text +# *.sublime-project + +# SFTP configuration file +sftp-config.json +sftp-config-alt*.json + +# Package control specific files +Package Control.last-run +Package Control.ca-list +Package Control.ca-bundle +Package Control.system-ca-bundle +Package Control.cache/ +Package Control.ca-certs/ +Package Control.merged-ca-bundle +Package Control.user-ca-bundle +oscrypto-ca-bundle.crt +bh_unicode_properties.cache + +# Sublime-github package stores a github token in this file +# https://packagecontrol.io/packages/sublime-github +GitHub.sublime-settings + +### Terraform ### +# Local .terraform directories +**/.terraform/* + +# .tfstate files +*.tfstate +*.tfstate.* + +# Crash log files +crash.*.log + +# Exclude all .tfvars files, which are likely to contain sensitive data, such as +# password, private keys, and other secrets. These should not be part of version +# control as they are data points which are potentially sensitive and subject +# to change depending on the environment. 
+*.tfvars +*.tfvars.json + +# Ignore override files as they are usually used to override resources locally and so +# are not checked in +override.tf +override.tf.json +*_override.tf +*_override.tf.json + +# Include override files you do wish to add to version control using negated pattern +# !example_override.tf + +# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan +# example: *tfplan* + +# Ignore CLI configuration files +.terraformrc +terraform.rc + +### Terragrunt ### +# terragrunt cache directories +**/.terragrunt-cache/* + +# Terragrunt debug output file (when using `--terragrunt-debug` option) +# See: https://terragrunt.gruntwork.io/docs/reference/cli-options/#terragrunt-debug +terragrunt-debug.tfvars.json + +### Vagrant ### +# General +.vagrant/ + +# Log files (if you are creating logs in debug mode, uncomment this) +# *.log + +### Vagrant Patch ### + +### VisualStudioCode ### +.vscode/* +!.vscode/settings.json +!.vscode/tasks.json +!.vscode/launch.json +!.vscode/extensions.json +!.vscode/*.code-snippets + +# Local History for Visual Studio Code +.history/ + +# Built Visual Studio Code Extensions +*.vsix + +### VisualStudioCode Patch ### +# Ignore all local history of files +.history +.ionide + +### Windows ### +# Windows thumbnail cache files +Thumbs.db +Thumbs.db:encryptable +ehthumbs.db +ehthumbs_vista.db + +# Dump file +*.stackdump + +# Folder config file +[Dd]esktop.ini + +# Recycle Bin used on file shares +$RECYCLE.BIN/ + +# Windows Installer files +*.cab +*.msi +*.msix +*.msm +*.msp + +# Windows shortcuts +*.lnk + +### Xcode ### +## User settings +xcuserdata/ + +## Xcode 8 and earlier +*.xcscmblueprint +*.xccheckout + +### Xcode Patch ### +*.xcodeproj/* +!*.xcodeproj/project.pbxproj +!*.xcodeproj/xcshareddata/ +!*.xcodeproj/project.xcworkspace/ +!*.xcworkspace/contents.xcworkspacedata +/*.gcno +**/xcshareddata/WorkspaceSettings.xcsettings + +# End of 
https://www.toptal.com/developers/gitignore/api/git,macos,xcode,jekyll,packer,ansible,vagrant,windows,notepadpp,terraform,powershell,terragrunt,sublimetext,ansibletower,visualstudiocode,linux \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..dbde6cd --- /dev/null +++ b/README.md 
@@ -0,0 +1,80 @@ +# Authelia with Let's Encrypt Using Docker Compose + +[![Deployment Verification](https://github.com/heyvaldemar/authelia-traefik-letsencrypt-docker-compose/actions/workflows/00-deployment-verification.yml/badge.svg)](https://github.com/heyvaldemar/authelia-traefik-letsencrypt-docker-compose/actions) + +The badge displayed on my repository indicates the status of the deployment verification workflow as executed on the latest commit to the main branch. + +**Passing**: This means the most recent commit has successfully passed all deployment checks, confirming that the Docker Compose setup functions correctly as designed. + +๐Ÿ“™ The complete installation guide is available on my [website](https://www.heyvaldemar.com/install-authelia-using-docker-compose/). + +โ— Create secret for storing Authelia using the command: + +`chmod +x generate-authelia-secrets.sh && ./generate-authelia-secrets.sh` + +โ— Change variables in the `.env`, `config/configuration.yml`, and `config/users_database.yml` files to meet your requirements. + +โ— Update the SMTP settings in `config/configuration.yml` to ensure Authelia functions properly. Authelia relies on these settings for sending email notifications for password resets, two-factor authentication setups, and more. + +๐Ÿ’ก Note that the `.env` file should be in the same directory as `authelia-traefik-letsencrypt-docker-compose.yml`. + +Create networks for your services before deploying the configuration using the commands: + +`docker network create traefik-network` + +`docker network create authelia-network` + +Deploy Authelia using Docker Compose: + +`docker compose -f authelia-traefik-letsencrypt-docker-compose.yml -p authelia up -d` + +# Enabling Authelia with Traefik + +To integrate Authelia for authentication in your container services managed by Traefik, follow the steps below. This will ensure secure access by requiring authentication through Authelia. 
+ +## Step 1: Add Authelia Middleware + +Add the following label to your container configuration to enable Authelia. Replace `your-router-name` with the name of your specific router: + +`- "traefik.http.routers.your-router-name.middlewares=authelia@docker"` + +### Example + +If you are enabling Authelia on a service called "whoami", the label would look like this: + +`- "traefik.http.routers.whoami.middlewares=authelia@docker"` + +## Step 2: Adjust for Existing Middlewares + +If your service already uses other middlewares, append `authelia@docker` to the existing list, separated by a comma: + +`- "traefik.http.routers.your-router-name.middlewares=existing-middleware,authelia@docker"` + +# Author + +Iโ€™m Vladimir Mikhalev, the [Docker Captain](https://www.docker.com/captains/vladimir-mikhalev/), but my friends can call me Valdemar. + +๐ŸŒ My [website](https://www.heyvaldemar.com/) with detailed IT guides\ +๐ŸŽฌ Follow me on [YouTube](https://www.youtube.com/channel/UCf85kQ0u1sYTTTyKVpxrlyQ?sub_confirmation=1)\ +๐Ÿฆ Follow me on [Twitter](https://twitter.com/heyValdemar)\ +๐ŸŽจ Follow me on [Instagram](https://www.instagram.com/heyvaldemar/)\ +๐Ÿงต Follow me on [Threads](https://www.threads.net/@heyvaldemar)\ +๐Ÿ˜ Follow me on [Mastodon](https://mastodon.social/@heyvaldemar)\ +๐ŸงŠ Follow me on [Bluesky](https://bsky.app/profile/heyvaldemar.bsky.social)\ +๐ŸŽธ Follow me on [Facebook](https://www.facebook.com/heyValdemarFB/)\ +๐ŸŽฅ Follow me on [TikTok](https://www.tiktok.com/@heyvaldemar)\ +๐Ÿ’ป Follow me on [LinkedIn](https://www.linkedin.com/in/heyvaldemar/)\ +๐Ÿˆ Follow me on [GitHub](https://github.com/heyvaldemar) + +# Communication + +๐Ÿ‘พ Chat with IT pros on [Discord](https://discord.gg/AJQGCCBcqf)\ +๐Ÿ“ง Reach me at ask@sre.gg + +# Give Thanks + +๐Ÿ’Ž Support on [GitHub](https://github.com/sponsors/heyValdemar)\ +๐Ÿ† Support on [Patreon](https://www.patreon.com/heyValdemar)\ +๐Ÿฅค Support on [BuyMeaCoffee](https://www.buymeacoffee.com/heyValdemar)\ 
+๐Ÿช Support on [Ko-fi](https://ko-fi.com/heyValdemar)\ +๐Ÿ’– Support on [PayPal](https://www.paypal.com/paypalme/heyValdemarCOM) diff --git a/authelia-traefik-letsencrypt-docker-compose.yml b/authelia-traefik-letsencrypt-docker-compose.yml new file mode 100644 index 0000000..ab5ceaa --- /dev/null +++ b/authelia-traefik-letsencrypt-docker-compose.yml 
@@ -0,0 +1,200 @@ +# Authelia with Let's Encrypt Using Docker Compose + +# The complete installation guide is available on my website https://www.heyvaldemar.com/install-authelia-using-docker-compose/ + +# Create secret for storing Authelia using the command: +# `chmod +x generate-authelia-secrets.sh && ./generate-authelia-secrets.sh` + +# Change variables in the `.env`, `config/configuration.yml`, and `config/users_database.yml` files to meet your requirements. +# Update the SMTP settings in `config/configuration.yml` to ensure Authelia functions properly. +# Authelia relies on these settings for sending email notifications for password resets, two-factor authentication setups, and more. +# Note that the `.env` file should be in the same directory as `authelia-traefik-letsencrypt-docker-compose.yml`. + +# Create networks for your services before deploying the configuration using the commands: +# `docker network create traefik-network` +# `docker network create authelia-network` + +# Deploy Authelia using Docker Compose: +# `docker compose -f authelia-traefik-letsencrypt-docker-compose.yml -p authelia up -d` + +# # Enabling Authelia with Traefik +# To integrate Authelia for authentication in your container services managed by Traefik, follow the steps below. This will ensure secure access by requiring authentication through Authelia. + +# ## Step 1: Add Authelia Middleware +# Add the following label to your container configuration to enable Authelia. 
Replace `your-router-name` with the name of your specific router: +# `- "traefik.http.routers.your-router-name.middlewares=authelia@docker"` + +# ### Example +# If you are enabling Authelia on a service called "whoami", the label would look like this: +# `- "traefik.http.routers.whoami.middlewares=authelia@docker"` + +# ## Step 2: Adjust for Existing Middlewares +# If your service already uses other middlewares, append `authelia@docker` to the existing list, separated by a comma: +# `- "traefik.http.routers.your-router-name.middlewares=existing-middleware,authelia@docker"` + +# Author +# Iโ€™m Vladimir Mikhalev, the Docker Captain, but my friends can call me Valdemar. +# https://www.docker.com/captains/vladimir-mikhalev/ + +# My website with detailed IT guides: https://www.heyvaldemar.com/ +# Follow me on YouTube: https://www.youtube.com/channel/UCf85kQ0u1sYTTTyKVpxrlyQ?sub_confirmation=1 +# Follow me on Twitter: https://twitter.com/heyValdemar +# Follow me on Instagram: https://www.instagram.com/heyvaldemar/ +# Follow me on Threads: https://www.threads.net/@heyvaldemar +# Follow me on Mastodon: https://mastodon.social/@heyvaldemar +# Follow me on Bluesky: https://bsky.app/profile/heyvaldemar.bsky.social +# Follow me on Facebook: https://www.facebook.com/heyValdemarFB/ +# Follow me on TikTok: https://www.tiktok.com/@heyvaldemar +# Follow me on LinkedIn: https://www.linkedin.com/in/heyvaldemar/ +# Follow me on GitHub: https://github.com/heyvaldemar + +# Communication +# Chat with IT pros on Discord: https://discord.gg/AJQGCCBcqf +# Reach me at ask@sre.gg + +# Give Thanks +# Support on GitHub: https://github.com/sponsors/heyValdemar +# Support on Patreon: https://www.patreon.com/heyValdemar +# Support on BuyMeaCoffee: https://www.buymeacoffee.com/heyValdemar +# Support on Ko-fi: https://ko-fi.com/heyValdemar +# Support on PayPal: https://www.paypal.com/paypalme/heyValdemarCOM + +networks: + authelia-network: + external: true + traefik-network: + external: true + 
+volumes: + redis-data: + authelia-postgres: + authelia-postgres-backup: + authelia-database-backups: + traefik-certificates: + +services: + postgres: + image: ${AUTHELIA_POSTGRES_IMAGE_TAG} + volumes: + - authelia-postgres:/var/lib/postgresql/data + - ./config/secrets/STORAGE_PASSWORD:/run/secrets/storage_password + environment: + POSTGRES_DB: ${AUTHELIA_DB_NAME} + POSTGRES_USER: ${AUTHELIA_DB_USER} + POSTGRES_PASSWORD_FILE: /run/secrets/storage_password + networks: + - authelia-network + healthcheck: + test: ["CMD", "pg_isready", "-q", "-d", "${AUTHELIA_DB_NAME}", "-U", "${AUTHELIA_DB_USER}"] + interval: 10s + timeout: 5s + retries: 3 + start_period: 60s + restart: unless-stopped + + redis: + image: ${AUTHELIA_REDIS_IMAGE_TAG} + volumes: + - redis-data:/bitnami/redis/data + - ./config/secrets/REDIS_PASSWORD:/run/secrets/redis_password + environment: + REDIS_PASSWORD_FILE: /run/secrets/redis_password + networks: + - authelia-network + healthcheck: + test: ["CMD", "redis-cli", "ping"] + interval: 10s + timeout: 5s + retries: 3 + start_period: 60s + restart: unless-stopped + + authelia: + image: ${AUTHELIA_IMAGE_TAG} + volumes: + - ./config:/config + environment: + AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: /config/secrets/JWT_SECRET + AUTHELIA_SESSION_SECRET_FILE: /config/secrets/SESSION_SECRET + AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: /config/secrets/SMTP_PASSWORD + AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /config/secrets/STORAGE_ENCRYPTION_KEY + AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /config/secrets/STORAGE_PASSWORD + AUTHELIA_SESSION_REDIS_PASSWORD_FILE: /config/secrets/REDIS_PASSWORD + TZ: ${AUTHELIA_TIMEZONE} + networks: + - authelia-network + - traefik-network + labels: + - "traefik.enable=true" + - "traefik.http.routers.authelia.rule=Host(`${AUTHELIA_HOSTNAME}`)" + - "traefik.http.routers.authelia.service=authelia" + - "traefik.http.routers.authelia.entrypoints=websecure" + - "traefik.http.services.authelia.loadbalancer.server.port=9091" + - 
"traefik.http.routers.authelia.tls=true" + - "traefik.http.routers.authelia.tls.certresolver=letsencrypt" + - "traefik.http.services.authelia.loadbalancer.passhostheader=true" + - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://${AUTHELIA_HOSTNAME}" + - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true" + - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email" + - "traefik.docker.network=traefik-network" + restart: unless-stopped + depends_on: + postgres: + condition: service_healthy + redis: + condition: service_healthy + traefik: + condition: service_healthy + + traefik: + image: ${TRAEFIK_IMAGE_TAG} + command: + - "--log.level=${TRAEFIK_LOG_LEVEL}" + - "--accesslog=true" + - "--api.dashboard=true" + - "--api.insecure=true" + - "--ping=true" + - "--ping.entrypoint=ping" + - "--entryPoints.ping.address=:8082" + - "--entryPoints.web.address=:80" + - "--entryPoints.websecure.address=:443" + - "--providers.docker=true" + - "--providers.docker.endpoint=unix:///var/run/docker.sock" + - "--providers.docker.exposedByDefault=false" + - "--certificatesresolvers.letsencrypt.acme.tlschallenge=true" + - "--certificatesresolvers.letsencrypt.acme.email=${TRAEFIK_ACME_EMAIL}" + - "--certificatesresolvers.letsencrypt.acme.storage=/etc/traefik/acme/acme.json" + - "--metrics.prometheus=true" + - "--metrics.prometheus.buckets=0.1,0.3,1.2,5.0" + - "--global.checkNewVersion=true" + - "--global.sendAnonymousUsage=false" + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - traefik-certificates:/etc/traefik/acme + networks: + - traefik-network + ports: + - "80:80" + - "443:443" + healthcheck: + test: ["CMD", "wget", "http://localhost:8082/ping","--spider"] + interval: 10s + timeout: 5s + retries: 3 + start_period: 5s + labels: + - "traefik.enable=true" + - "traefik.http.routers.dashboard.rule=Host(`${TRAEFIK_HOSTNAME}`)" + - 
"traefik.http.routers.dashboard.service=api@internal" + - "traefik.http.routers.dashboard.entrypoints=websecure" + - "traefik.http.services.dashboard.loadbalancer.server.port=8080" + - "traefik.http.routers.dashboard.tls=true" + - "traefik.http.routers.dashboard.tls.certresolver=letsencrypt" + - "traefik.http.services.dashboard.loadbalancer.passhostheader=true" + - "traefik.http.routers.dashboard.middlewares=authtraefik" + - "traefik.http.middlewares.authtraefik.basicauth.users=${TRAEFIK_BASIC_AUTH}" + - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)" + - "traefik.http.routers.http-catchall.entrypoints=web" + - "traefik.http.routers.http-catchall.middlewares=redirect-to-https" + - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https" + restart: unless-stopped diff --git a/config/configuration.yml b/config/configuration.yml new file mode 100644 index 0000000..e537380 --- /dev/null +++ b/config/configuration.yml 
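Review bot: `--api.insecure=true` in the `traefik` command list enables the unauthenticated API/dashboard listener on port 8080 inside the container, while the same service already exposes the dashboard through the `dashboard` router (`api@internal`) behind the `authtraefik` basicauth middleware; 8080 is not mapped to the host, but it is reachable from every container attached to `traefik-network`, which here includes `authelia`. Drop the `- "--api.insecure=true"` line together with the `traefik.http.services.dashboard.loadbalancer.server.port=8080` label, which `api@internal` does not use. The secret bind mounts on `postgres` and `redis` (`./config/secrets/STORAGE_PASSWORD:/run/secrets/storage_password`, `./config/secrets/REDIS_PASSWORD:/run/secrets/redis_password`) can take `:ro`, since neither service writes them. Separately, the forwardauth address points at `/api/verify`, which Authelia 4.38 treats as the legacy endpoint as far as I recall; `/api/authz/forward-auth` is the current Traefik endpoint and is worth adopting while this file is new.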
@@ -0,0 +1,53 @@ +--- +############################################################### +# Authelia configuration # +############################################################### + +# Miscellaneous https://www.authelia.com/configuration/miscellaneous/introduction/ +theme: auto + +# Logs https://www.authelia.com/configuration/miscellaneous/logging/ +log: + level: 'debug' + +# First Factor https://www.authelia.com/configuration/first-factor/file/ +authentication_backend: + file: + path: '/config/users_database.yml' + +# Second Factor https://www.authelia.com/configuration/second-factor/introduction/ +totp: + issuer: 'authelia.com' + +# Security https://www.authelia.com/configuration/security/access-control/ +access_control: + default_policy: 'deny' + rules: + - domain: '*.heyvaldemar.net' + policy: 'two_factor' + +# Session https://www.authelia.com/configuration/session/introduction/ +session: + cookies: + - domain: 'heyvaldemar.net' + authelia_url: 'https://authelia.heyvaldemar.net' + + redis: + host: 'redis' + port: 6379 + +# Storage https://www.authelia.com/configuration/storage/postgres/ +storage: + postgres: + address: 'tcp://postgres:5432' + database: 'autheliadb' + username: 'autheliadbuser' + +# SMTP Notifier https://www.authelia.com/configuration/notifications/smtp/ +notifier: + disable_startup_check: true + smtp: + address: 'smtp://smtp-relay.gmail.com:587' + username: 'authelia@heyvaldemar.net' + sender: "Authelia " + subject: "[Authelia] {title}" diff --git a/config/secrets/JWT_SECRET b/config/secrets/JWT_SECRET new file mode 100644 index 0000000..7787247 --- /dev/null +++ b/config/secrets/JWT_SECRET @@ -0,0 +1 @@ +9NNTHBUeI2aPv4QVvavKPbME2qp77QMD8gSncjdJPDjwN5XTHq6ctWaNLqJLnzA7 \ No newline at end of file diff --git a/config/secrets/REDIS_PASSWORD b/config/secrets/REDIS_PASSWORD new file mode 100644 index 0000000..f6ee318 --- /dev/null +++ b/config/secrets/REDIS_PASSWORD 
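Review bot: `log: level: 'debug'` is left on for what is a production-facing authentication portal; debug output is very verbose and records request-level detail about every authentication attempt, so set `level: 'info'` and raise it only while troubleshooting. `totp: issuer: 'authelia.com'` is the upstream example value and is what users will see as the account label in their authenticator app, so it should be the deployed domain, e.g. `issuer: 'authelia.heyvaldemar.net'`. The `sender: "Authelia "` value looks truncated as rendered here — a display-name sender needs the address in angle brackets, e.g. `sender: "Authelia <authelia@heyvaldemar.net>"` — so worth confirming against the committed file rather than this rendering.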
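Review bot: This file commits a concrete 64-character secret, and the same applies to `config/secrets/REDIS_PASSWORD`, `SESSION_SECRET`, `SMTP_PASSWORD`, `STORAGE_ENCRYPTION_KEY` and `STORAGE_PASSWORD` in the following hunks; the compose file mounts them directly and the CI workflow in this commit starts the stack without running `generate-authelia-secrets.sh`, so any deployment that skips the README step runs on values that are public in the repository. `STORAGE_ENCRYPTION_KEY` is the most consequential of the six, since it protects the secrets Authelia stores in its database. The `.gitignore` added here does not exclude `config/secrets/`, so running the generator and then committing would publish the freshly generated values as well. Add `config/secrets/*` and `!config/secrets/.gitkeep` to `.gitignore`, keep only the empty directory in version control, and make the README and compose header explicit that the generator must be run before the first `up`.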
@@ -0,0 +1 @@
+8KKRgCroPfzF07uCb3JJsGX86WFuDNwvXdnkzinJ2W1EQqSnmeIZb3bGczf5arpZ
\ No newline at end of file
diff --git a/config/secrets/SESSION_SECRET b/config/secrets/SESSION_SECRET
new file mode 100644
index 0000000..d9bd372
--- /dev/null
+++ b/config/secrets/SESSION_SECRET
@@ -0,0 +1 @@
+SzwyXOEGAeuuQ8teeb84Jh0w746KZ94uVPplCJvDMM4REzS2R3jSKDb9K7OuE0zY
\ No newline at end of file
diff --git a/config/secrets/SMTP_PASSWORD b/config/secrets/SMTP_PASSWORD
new file mode 100644
index 0000000..71a8e94
--- /dev/null
+++ b/config/secrets/SMTP_PASSWORD
@@ -0,0 +1 @@
+hHtQOKAVaHzxvSOfcihnku0TMqz59Ex2ArA8H8KwNxs9M29GRCZFy4c1wTbf4usF
\ No newline at end of file
diff --git a/config/secrets/STORAGE_ENCRYPTION_KEY b/config/secrets/STORAGE_ENCRYPTION_KEY
new file mode 100644
index 0000000..d755992
--- /dev/null
+++ b/config/secrets/STORAGE_ENCRYPTION_KEY
@@ -0,0 +1 @@
+8Rwo7Ul98dxjdbtlUxdtYAsBTvIJOD8FRcvVk8lH7WdvVS0Lmt7XbSdjXN70QEVY
\ No newline at end of file
diff --git a/config/secrets/STORAGE_PASSWORD b/config/secrets/STORAGE_PASSWORD
new file mode 100644
index 0000000..811a056
--- /dev/null
+++ b/config/secrets/STORAGE_PASSWORD
@@ -0,0 +1 @@
+bgqYqaUyDDuLqp21g2lJ8YetFIbF9Bz8oK945b6qdboX0Q2odExdHkGAlpHY0Tte
\ No newline at end of file
diff --git a/config/users_database.yml b/config/users_database.yml
new file mode 100644
index 0000000..9796b8b
--- /dev/null
+++ b/config/users_database.yml
@@ -0,0 +1,25 @@ +--- +############################################################### +# Users Database # +############################################################### + +# This file can be used if you do not have an LDAP set up. + +# User file database https://www.authelia.com/reference/guides/passwords/#yaml-format +# Generate passwords https://www.authelia.com/reference/guides/passwords/#passwords + +# List of users +users: + # Username + authelia: + disabled: false + displayname: "Authelia Admin" + # IMPORTANT: Replace the current password 'authelia' with a securely hashed password. + # Generate a hashed password by running: + # `docker run -it authelia/authelia:latest authelia crypto hash generate argon2` + # Then, update the password below with your newly hashed password. + password: "$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/" # yamllint disable-line rule:line-length + email: autheliaadmin@heyvaldemar.net + groups: + - admins + - dev diff --git a/generate-authelia-secrets.sh b/generate-authelia-secrets.sh new file mode 100755 index 0000000..77af0d9 --- /dev/null +++ b/generate-authelia-secrets.sh 
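Review bot: The placeholder `password:` hash for the `authelia` user is the default from the Authelia documentation, and the comment above it points at `authelia/authelia:latest` while the stack pins `${AUTHELIA_IMAGE_TAG}` (`authelia/authelia:4.38` in `.env`); using the deployed tag keeps the instruction reproducible against the running version. Suggest `docker run -it authelia/authelia:4.38 authelia crypto hash generate argon2` in the comment, and `disabled: true` on this account until the hash has been replaced, so a forgotten placeholder cannot be used to sign in. The `groups:` entries `admins` and `dev` are not referenced by any `access_control` rule in `config/configuration.yml`; if they are meant as examples, a comment saying so would help.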
@@ -0,0 +1,11 @@
+#!/bin/bash
+# Generate secure secrets for various services
+
+LC_ALL=C tr -cd '[:alnum:]' < /dev/urandom | fold -w 64 | head -n 1 | tr -d '\n' > config/secrets/JWT_SECRET &&
+LC_ALL=C tr -cd '[:alnum:]' < /dev/urandom | fold -w 64 | head -n 1 | tr -d '\n' > config/secrets/SESSION_SECRET &&
+LC_ALL=C tr -cd '[:alnum:]' < /dev/urandom | fold -w 64 | head -n 1 | tr -d '\n' > config/secrets/STORAGE_PASSWORD &&
+LC_ALL=C tr -cd '[:alnum:]' < /dev/urandom | fold -w 64 | head -n 1 | tr -d '\n' > config/secrets/STORAGE_ENCRYPTION_KEY &&
+LC_ALL=C tr -cd '[:alnum:]' < /dev/urandom | fold -w 64 | head -n 1 | tr -d '\n' > config/secrets/REDIS_PASSWORD &&
+LC_ALL=C tr -cd '[:alnum:]' < /dev/urandom | fold -w 64 | head -n 1 | tr -d '\n' > config/secrets/SMTP_PASSWORD
+
+echo "All secrets generated successfully."
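Review bot: The six redirections inherit the caller's umask, so on a typical system the secret files are created 0644 and readable by every local account, and because the files already exist in the tree as mode 100644 a `>` truncation keeps that mode; set `umask 077` and `chmod 600` each file after writing. The script also overwrites `config/secrets/SMTP_PASSWORD` with random characters although that value is the mail provider's credential (`notifier.smtp.username` is set in `config/configuration.yml`), so a re-run wipes a password the user has already filled in, and the README never says to set it afterwards. The paths are relative to the working directory with no check that `config/secrets/` exists, and since `tr -d '\n'` is the last pipeline stage a failing `tr -cd` still exits 0, leaving an empty file while the final echo reports success. The rewrite below uses `set -eu` rather than `pipefail` because `head -n 1` closes the pipe early and would make `fold`/`tr` exit 141 under `pipefail`; it changes to the script's own directory and verifies each file is non-empty.
```shell
#!/bin/bash
# Generate random secrets for Authelia. SMTP_PASSWORD is deliberately not
# generated: it must hold the mail provider's credential.
set -eu
umask 077                    # new files are created 0600 instead of 0644
cd "$(dirname "$0")"         # secret paths below are relative to the repository root

for name in JWT_SECRET SESSION_SECRET STORAGE_PASSWORD STORAGE_ENCRYPTION_KEY REDIS_PASSWORD; do
  target="config/secrets/${name}"
  LC_ALL=C tr -cd '[:alnum:]' < /dev/urandom | fold -w 64 | head -n 1 | tr -d '\n' > "$target"
  [ -s "$target" ] || { echo "failed to generate ${name}" >&2; exit 1; }
  chmod 600 "$target"        # umask does not apply to files that already existed
done
# … unchanged: final echo …
```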