From 508cc197f70816234c7f1f7aba0518861d87380f Mon Sep 17 00:00:00 2001
From: AcidUK
Date: Mon, 14 Oct 2019 20:04:34 +0100
Subject: [PATCH] initial commit
---
authelia.yml | 29 +++++++++++
files/acme.json | 0
files/config.minimal.yml | 105 +++++++++++++++++++++++++++++++++++++++
files/traefik.toml | 47 ++++++++++++++++++
files/users_database.yml | 7 +++
httpbin.yml | 21 ++++++++
traefik.yml | 27 ++++++++++
7 files changed, 236 insertions(+)
create mode 100644 authelia.yml
create mode 100644 files/acme.json
create mode 100644 files/config.minimal.yml
create mode 100644 files/traefik.toml
create mode 100644 files/users_database.yml
create mode 100644 httpbin.yml
create mode 100644 traefik.yml
diff --git a/authelia.yml b/authelia.yml
new file mode 100644
index 0000000..d0d2e9b
--- /dev/null
+++ b/authelia.yml
@@ -0,0 +1,29 @@
+version: '3'
+
+services:
+ authelia:
+ image: clems4ever/authelia:master
+ container_name: authelia
+ restart: always
+ volumes:
+ - ./files/config.minimal.yml:/etc/authelia/config.yml:ro
+ - ./files/users_database.yml:/etc/authelia/users_database.yml:rw
+ - /tmp/authelia:/tmp/authelia
+ environment:
+ - NODE_TLS_REJECT_UNAUTHORIZED=1
+ labels:
+ - "traefik.frontend.rule=Host:auth.personal.domain"
+ - "traefik.docker.network=traefik"
+ - "traefik.enable=true"
+ expose:
+ - 8080
+ networks:
+ - web
+ - mail
+
+networks:
+ web:
+ external:
+ name: traefik
+ mail:
+ external: true
diff --git a/files/acme.json b/files/acme.json
new file mode 100644
index 0000000..e69de29
diff --git a/files/config.minimal.yml b/files/config.minimal.yml
new file mode 100644
index 0000000..c350008
--- /dev/null
+++ b/files/config.minimal.yml
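Review bot: `image: clems4ever/authelia:master` in the `services.authelia` block pins nothing — `master` is a moving tag, so each pull can swap in a different, unreviewed build of the component that gates access to everything behind the proxy, and the deployment is not reproducible. The sibling `traefik.yml` in this commit pins `traefik:v1.7.16`; the Authelia image should be pinned the same way, e.g. `image: clems4ever/authelia:<release-tag>` (placeholder — pick a tested release), ideally by digest. The `/tmp/authelia:/tmp/authelia` host bind is only consumed by the filesystem notifier, which `files/config.minimal.yml` leaves commented out, so it can go or be documented as a debug-only mount.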
@@ -0,0 +1,105 @@
+###############################################################
+# Authelia minimal configuration #
+###############################################################
+
+#logs_level: debug
+
+authentication_backend:
+ file:
+ path: /etc/authelia/users_database.yml
+
+session:
+ secret: change_this_for_your_server
+ domain: personal.domain
+
+# Configuration of the storage backend used to store data and secrets. i.e. totp data
+storage:
+ local:
+ path: /etc/authelia/storage
+
+# TOTP Issuer Name
+#
+# This will be the issuer name displayed in Google Authenticator
+# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
+totp:
+ issuer: personal.domain
+
+# Access Control
+#
+# Access control is a set of rules you can use to restrict user access to certain
+# resources.
+access_control:
+ # Default policy can either be `bypass`, `one_factor`, `two_factor` or `deny`.
+ default_policy: one_factor
+
+ rules:
+ - domain: public.personal.domain
+ policy: bypass
+ - domain: httpbin.personal.domain
+ policy: bypass
+ - domain: auth.cusack.cloud
+ policy: bypass
+ - domain: firewall.personal.domain
+ policy: two_factor
+ - domain: proxmox.personal.domain
+ policy: two_factor
+# resources:
+# - '^/api/.*$'
+# - '^/notifications/.*$'
+ policy: bypass
+
+# - domain: who.example.com
+# policy: two_factor
+
+# Configuration of the authentication regulation mechanism.
+regulation:
+ # Set it to 0 to disable max_retries.
+ max_retries: 5
+
+ # The user is banned if the authenticaction failed `max_retries` times in a `find_time` seconds window.
+ find_time: 120
+
+ # The length of time before a banned user can login again.
+ ban_time: 180
+
+# Configuration of session cookies
+#
+# The session cookies identify the user once logged in.
+session:
+ # The name of the session cookie. (default: authelia_session).
+ name: authelia_session
+
+ # The secret to encrypt the session cookie.
+ secret: change_this_for_your_server
+
+ # The time in ms before the cookie expires and session is reset.
+ expiration: 604800000 # 1 week
+
+ # The inactivity time in ms before the session is reset.
+ inactivity: 300000 # 5 minutes
+
+ # The domain to protect.
+ # Note: the authenticator must also be in that domain. If empty, the cookie
+ # is restricted to the subdomain on the issuer.
+ domain: personal.domain
+
+
+# Default redirection URL
+#
+# Note: this parameter is optional. If not provided, user won't
+# be redirected upon successful authentication.
+#default_redirection_url: https://authelia.example.domain
+
+#notifier:
+ # For testing purpose, notifications can be sent in a file
+# filesystem:
+# filename: /tmp/authelia/notification.txt
+
+notifier:
+ smtp:
+# username:
+# password:
+ secure: false
+ host: mail
+ port: 25
+ sender: docker@your-mail-server
diff --git a/files/traefik.toml b/files/traefik.toml
new file mode 100644
index 0000000..d1bfb6d
--- /dev/null
+++ b/files/traefik.toml
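Review bot: The `policy: bypass` line that follows the commented-out `# resources:` block under `- domain: proxmox.personal.domain` belongs to the same mapping as that rule's `policy: two_factor`, so the rule carries a duplicate `policy` key; parsers that take the last occurrence silently turn the proxmox rule into `bypass`, and strict ones reject the file. Drop the stray line, or move it into the commented block as `#      policy: bypass` so it is re-enabled together with `resources:`. The same hunk also defines `session:` twice at top level (the short block after `authentication_backend` is fully shadowed by the later one) and checks in `secret: change_this_for_your_server` verbatim; the first `session:` block should be removed and the secret injected at deploy time rather than committed. Note also that the `two_factor` rules name `firewall.personal.domain` and `proxmox.personal.domain`, while `files/traefik.toml` routes `Host:firewall.cusack.cloud` and `Host:proxmox.cusack.cloud`, so as written those hosts fall back to `default_policy: one_factor`.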
@@ -0,0 +1,47 @@
+#debug = true
+#logLevel = "DEBUG"
+defaultEntryPoints = ["http", "https"]
+InsecureSkipVerify = true
+[entryPoints]
+ [entryPoints.http]
+ address = ":80"
+ #[entryPoints.http.redirect]
+ #entryPoint = "https"
+ [entryPoints.https]
+ address = ":443"
+ [entryPoints.https.tls]
+ [entryPoints.https.auth.forward]
+ address = "http://authelia:8080/api/verify?rd=https://auth.personal.domain/%23/"
+[retry]
+[api]
+[ping]
+[docker]
+domain = "personal.domain"
+exposedByDefault = false
+watch = true
+[acme]
+email = "your@email.address"
+storage = "acme.json"
+entryPoint = "https"
+onHostRule = true
+[acme.httpChallenge]
+entryPoint = "http"
+[file]
+ [backends]
+ [backends.pfsense]
+ [backends.pfsense.servers.server0]
+ url = "https://pfsense.lab.personal.domain:8443"
+ [backends.proxmox]
+ [backends.proxmox.servers.server0]
+ url = "https://192.168.0.250:8006"
+ [frontends]
+ [frontends.pfsense]
+ backend = "pfsense"
+ passHostHeader = true
+ [frontends.pfsense.routes.example]
+ rule = "Host:firewall.cusack.cloud"
+ [frontends.proxmox]
+ backend = "proxmox"
+ passHostHeader = true
+ [frontends.proxmox.routes.example]
+ rule = "Host:proxmox.cusack.cloud"
diff --git a/files/users_database.yml b/files/users_database.yml
new file mode 100644
index 0000000..c6985aa
--- /dev/null
+++ b/files/users_database.yml
@@ -0,0 +1,7 @@
+users:
+ testuser: ## I have set the password below to 'test' for you
+ password: '{CRYPT}$6$rounds=500000$Bui4ldW5hXOI9qwJ$IUHQPCusUKpTs/OrfE9UuGb1Giqaa5OZA.mqIpH.Hh8RGFsEBHViCwQDx6DfkGUiF60pqNubFBugfTvCJIDNw1'
+ email: your@email.address
+ groups:
+ - admins
+ - dev
diff --git a/httpbin.yml b/httpbin.yml
new file mode 100644
index 0000000..695a255
--- /dev/null
+++ b/httpbin.yml
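Review bot: Forward authentication is attached only to `[entryPoints.https.auth.forward]`, but `defaultEntryPoints = ["http", "https"]` serves every frontend on the `:80` entrypoint too and the `[entryPoints.http.redirect]` block is commented out, so a plain-HTTP request to any routed host (including the pfsense and proxmox backends under `[file]`) reaches the backend without ever passing through Authelia. Re-enable the redirect, `[entryPoints.http.redirect]` / `entryPoint = "https"`, or attach the same `auth.forward` block to the http entrypoint. `InsecureSkipVerify = true` at the top of the file is global in Traefik 1.7, so certificate verification is switched off for every backend, not only the two internal HTTPS servers that presumably use self-signed certificates; if that is deliberate, a comment such as `# global: disables TLS verification for ALL backends` would make the trade-off visible. The route hosts `firewall.cusack.cloud` and `proxmox.cusack.cloud` also do not match the `two_factor` rules in `files/config.minimal.yml`, which name `*.personal.domain`.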
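Review bot: `testuser` is created with a password documented in-line as `'test'` and placed in the `admins` group, and `authelia.yml` mounts this file read-write into the container, so the checked-in default is a live admin credential on any deployment brought up from this repo as-is. A comment at the top, e.g. `# Replace this account before exposing the portal; the hash below is for a published test password`, or shipping the file as an example that the operator copies, would keep the published hash from becoming the production account. The `email: your@email.address` placeholder is the same one used for the ACME contact in `files/traefik.toml`, which suggests both are meant to be filled in at setup.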
@@ -0,0 +1,21 @@
+version: '3'
+
+services:
+ httpbin:
+ container_name: httpbin
+ image: kennethreitz/httpbin
+ restart: always
+ ports:
+ - 5100:80
+ labels:
+ - "traefik.frontend.rule=Host:httpbin.personal.cloud"
+ - "traefik.docker.network=traefik"
+ - "traefik.enable=true"
+ networks:
+ - web
+
+networks:
+ web:
+ external:
+ name: traefik
+
diff --git a/traefik.yml b/traefik.yml
new file mode 100644
index 0000000..14ac7ad
--- /dev/null
+++ b/traefik.yml
@@ -0,0 +1,27 @@
+version: '3'
+
+services:
+ traefik:
+ container_name: traefik
+ restart: always
+ ports:
+ - '8080:8080'
+ - '80:80'
+ - '443:443'
+ volumes:
+ - './files/traefik.toml:/etc/traefik/traefik.toml'
+ - './files/acme.json:/acme.json'
+ - '/var/run/docker.sock:/var/run/docker.sock'
+ image: traefik:v1.7.16
+ labels:
+ - "traefik.frontend.rule=Host:traefik.personal.domain"
+ - "traefik.docker.network=traefik"
+ - "traefik.enable=true"
+ - "traefik.port=8080"
+ - "traefik.protocol=http"
+ networks:
+ traefik:
+
+networks:
+ traefik:
+ external: true
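Review bot: `ports: - 5100:80` publishes httpbin directly on host port 5100, so it is reachable without going through Traefik or Authelia even though the labels route it through the proxy; for a Traefik-fronted service `expose: - 80` (or no port mapping at all, since the container joins the `traefik` network) is sufficient. The label `Host:httpbin.personal.cloud` also does not match the `httpbin.personal.domain` bypass rule in `files/config.minimal.yml`, so this host gets `default_policy: one_factor` rather than the intended bypass. Quoting the mapping as `'5100:80'`, as `traefik.yml` does, keeps the style consistent across the compose files and avoids the YAML 1.1 sexagesimal trap for mappings whose components are below 60.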
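Review bot: `'8080:8080'` under `ports:` publishes the Traefik API and dashboard (`[api]` is enabled in `files/traefik.toml`) straight on the host, where the forward-auth configured on the https entrypoint does not apply, so `/api` and the dashboard are reachable unauthenticated by anything that can reach the host. Since the dashboard is already routed through the proxy by the `traefik.frontend.rule=Host:traefik.personal.domain` and `traefik.port=8080` labels, the `'8080:8080'` mapping should be dropped, or at least bound as `'127.0.0.1:8080:8080'`. `files/acme.json` is added with mode 100644 per the diffstat, and as far as I recall Traefik 1.x refuses an ACME storage file whose permissions are wider than 0600, so the README should call for `chmod 600 files/acme.json` before first start. The Docker socket bind mount gives the container root-equivalent control of the host; that is the usual Traefik trade-off, but a one-line comment acknowledging it would help whoever deploys this.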