Add analytics. Invert gitignore

.gitignore

@@ -1,7 +1,10 @@
-traefik/acme.json
+**/*
-traefik/certs/
+!.gitignore
-traefik/traefik.log
 
-authelia/db.sqlite3
+!README.md
-authelia/notification.txt
+!docker-compose.yaml
-authelia/users_database.yml
+
+!traefik/traefik.yaml
+!traefik/config/*
+
+!authelia/configuration.yaml

README.md

@@ -2,16 +2,71 @@
 
 Configuration for traefik 2 and authelia
 
+## Environment variables
 
-### Authelia preprocessor
+This setup uses two global environment variables: `PRIVATE_DOMAIN` and `PUBLIC_DOMAIN`. Those are two registered domain names I use for public and private services.
-The authelia configuration contains some sensitive values, but authelia cannot read them from env variables like traefic can.
-Instead, a special service - `authelia-config` runs before authelia start, and preprocesses the configuration file.
 
-- Local file `./authelia/configuration.yaml` is mapped to `/data/input` in `authelia-config`
+There is also an `.env` file which defines a few more variables:
-- Volume `authelia-config` is mapped to `/data/output` in `authelia-config`
+```
-- `authelia-config` runs `gomplate` on `/data/input` and saves to `data/output/configuration.yaml`
+AUTHELIA_JWT_SECRET=...
-- `Volume `authelia-config` is mapped to `/etc/authelia` in `authelia`, where it reads its configuration
+AUTHELIA_SESSION_SECRET=...
+AUTHELIA_SESSION_DOMAIN=...
+AUTHELIA_TOTP_ISSUER=...
+TRAEFIK_CERTIFICATERESOLVERS_LE_ACME_EMAIL=...
+```
+
+The value of those depend on your setup and can be found in the Traefik and Authelia documentation.
+
+## Networks
+For the docker setup of my home server, I have create four specific docker networks
+
+### LAN
+A macvlan network with full network and internet access
+Containers on this network will be provided an IP on my local home LAN and have direct access to it as if they were using the Host network setting.
+
+Containers get IPs in the range 192.168.1.128-192.168.1.254
+
+```
+subnet: 192.168.1.0/23
+range: 192.168.1.128/25
+gateway: 192.168.0.1
+parent: eno1
+```
+
+### IOT
+A macvlan set to my VLAN for IOT things. Machines on this do not have access to the LAN or to the internet, with a few exceptions (ex. NTP server access).
+
+Containers get IPs in the range 192.168.2.9-192.168.2.127
+
+```
+subnet: 192.168.2.0/24
+range: 192.168.2.0/25
+gateway: 192.168.2.1
+parent: eno1:10
+```
+
+### GUEST
+A macvlan set to my VLAN for guest WIFI. Machines on this have access to the internet, but not to the local LAN.
+
+```
+subnet: 192.168.5.0/24
+range: 192.168.5.0/26
+gateway: 192.168.2.1
+parent: eno1:20
+```
+
+### WEB
+A bridge network for containers that shall be accessible by web interface. Routed by Traefik.
 
 ## Lessons learned
 
 - Authelia will ONLY work with https. Both the authelia url itself and the one being authenticated must be https.
+- The authorization link should NOT end with `/#/` or `/%2F/` or anything, just `/`. Otherwise it will not redirect you back after authorizing.
+
+
+# Docker-compose pieces that depend on this
+
+- [SSH entrypoint](/thomas/docker-ssh/)
+- [Home Automation](/thomas/docker-ha/)
+- [GIT server](/thomas/docker-git/)
+- [Plex media server](/thomas/docker-plex/)

authelia/configuration.yml

@@ -1,42 +1,38 @@
-host: 0.0.0.0
+# log:
-port: 9091
+#   level: debug
-logs_level: trace
+
-jwt_secret: {{ env.Getenv "PRIVATE_DOMAIN" }}-jwt-secret
+theme: auto
 authentication_backend:
   file:
-    path: /opt/authelia/users_database.yml
+    path: /config/users_database.yml
 
-    # {{ env.Getenv "ROOT_DOMAIN" }}
 session:
-  name: authelia_session
+  # domain: SET BY ENV VARIABLE AUTHELIA_SESSION_DOMAIN
-  secret: {{ env.Getenv "PRIVATE_DOMAIN" }}-token-secret
+  # secret: SET BY ENV VARIABLE AUTHELIA_SESSION_SECRET
-  domain: {{ env.Getenv "PRIVATE_DOMAIN" }}
-  expiration: 604800
-  inactivity: 300
 
 storage:
   local:
-    path: /opt/authelia/db.sqlite3
+    path: /config/db.sqlite3
-
-totp:
-  issuer: {{ env.Getenv "PRIVATE_DOMAIN" }}
 
 access_control:
   default_policy: two_factor
+  networks:
+    - name: internal
+      networks:
+        - 10.0.0.0/8
+        - 172.16.0.0/12
+        - 192.168.0.0/18
 
   rules:
-    - domain: "*"
+    # Allow free access from local network
+    - domain:
+      - "*.se"
+      - "*.com"
       networks:
-        - 192.168.1.0/23
+        - internal
       policy: bypass
 
-
-regulation:
-  max_retries: 5
-  find_time: 120
-  ban_time: 180
-
 notifier:
   filesystem:
-    filename: /opt/authelia/notification.txt
+    filename: /config/notification.txt
 

docker-compose.yaml

@@ -1,90 +1,150 @@
-version: "3.5"
+version: "2.4"
 
 networks:
   web:
-    # All containers that are router through traefik needs to be on this network
+    # All containers that are routed through traefik needs to be on this network
-    external: false
+    external: true
-    name: web
-
-volumes:
-  authelia-config:
-    # Used for pre-processing of authelia configuration
 
 services:
-  proxy:
+
-    container_name: traefik
+  # Autheal will restart any container that has the label
-    image: traefik:v2.1
+  # autoheal: true
+  # and fail their healthcheck
+  autoheal:
+    container_name: autoheal
     restart: always
+    image: willfarrell/autoheal
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+
+  # Traefik reverse proxy. Routes http and ssh trafic to the righ containers
+  # Controlled by container labels, see bottom of this compose file
+  traefik:
+    container_name: traefik
+    image: traefik
+    restart: always
+    depends_on:
+      - authelia
     environment:
       - EMAIL
       - PRIVATE_DOMAIN
       - PUBLIC_DOMAIN
+      - TRAEFIK_CERTIFICATERESOLVERS_LE_ACME_EMAIL
     networks:
-      - web
+      web:
+        ipv4_address: 172.18.1.2
     command:
       - "--configFile=/data/traefik.yaml"
     ports:
       - 80:80
       - 443:443
       # Open port 8080 for debugging emergencies
-    # - 8080:8080
+      - 8080:8080
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - ./traefik:/data
+      - /var/log/traefik:/log
+    healthcheck:
+      # Sometimes, traefik loses connection to authelia. The only thing that works then is a restart, handled by autoheal.
+      # I haven't checked for quite a while if this is still a problem, but might as well leave it in there.
+      test: ["CMD", "wget", "-O", "-", "authelia:9091/api/state"]
     labels:
       traefik.enable: true
       traefik.http.services.traefik.loadbalancer.server.port: 8080
-
       traefik.http.routers.traefik.rule: Host(`traefik.${PRIVATE_DOMAIN}`)
       traefik.http.routers.traefik.middlewares: auth@file
       traefik.http.routers.traefik.tls.certResolver: le
+      autoheal: "true"
 
-  authelia-config:
+  # Authelia handles access control with 2FA
-    # Preprocess authelia configuration through gomplate
-    image: hairyhenderson/gomplate
-    environment:
-      - PRIVATE_DOMAIN
-      - PUBLIC_DOMAIN
-    volumes:
-      - ./authelia/configuration.yml:/data/input:ro
-      - authelia-config:/data/output
-    command: '--file=/data/input --out=/data/output/configuration.yml'
   authelia:
     container_name: authelia
     image: authelia/authelia
     restart: always
-    depends_on:
-      # config preprocessor should run first
-      - authelia-config
     volumes:
-      - ./authelia:/opt/authelia
+      - ./authelia:/config
-      - authelia-config:/etc/authelia/
     environment:
-      - ENVIRONMENT=dev
+      # - ENVIRONMENT=dev
       - NODE_TLS_REJECT_UNAUTHORIZED=1
+      - AUTHELIA_JWT_SECRET
+      - AUTHELIA_SESSION_SECRET
+      - AUTHELIA_SESSION_DOMAIN
+      - AUTHELIA_TOTP_ISSUER
+      - TZ=Europe/Stockholm
     networks:
-      - web
+      web:
+    healthcheck:
+      test: ["CMD", "wget", "-O", "-", "127.0.0.1:9091/api/state"]
     labels:
       traefik.enable: true
       traefik.http.routers.authelia.rule: Host(`auth.${PRIVATE_DOMAIN}`)
       traefik.http.routers.authelia.tls.certResolver: le
       traefik.http.routers.authelia.entrypoints: websecure
+      autoheal: "true"
 
-# whoami-https:
+  # Homer provides a dashboard for all services. Configured through ./homer/config.yml
-#   image: containous/whoami
+  homer:
-#   networks:
+    container_name: homer
-#     - web
+    image: b4bz/homer
-#   labels:
+    restart: always
-#     traefik.enable: true
+    volumes:
-#     traefik.http.routers.wait-https.rule: Host(`wai-https.${PRIVATE_DOMAIN}`)
+      - ./homer:/www/assets
-#     traefik.http.routers.wait-https.tls.certResolver: le
+    environment:
+      UID: 1000
+      GID: 1001
+    networks:
+      web:
+    labels:
+      traefik.enable: true
+      traefik.http.routers.homer.rule: Host(`${PRIVATE_DOMAIN}`) || Host(`www.${PRIVATE_DOMAIN}`)
+      traefik.http.routers.homer.tls.certResolver: le
 
-# whoami-auth:
+  # Dozzle is an easy way to view docker logs through a web interface
-#   image: containous/whoami
+  dozzle:
-#   networks:
+    image: amir20/dozzle
-#     - web
+    restart: always
-#   labels:
+    volumes:
-#     traefik.enable: true
+      - /var/run/docker.sock:/var/run/docker.sock
-#     traefik.http.routers.wai-auth.rule: Host(`wai-auth.${PRIVATE_DOMAIN}`)
+    networks:
-#     traefik.http.routers.wai-auth.tls.certResolver: le
+      web:
-#     traefik.http.routers.wai-auth.middlewares: auth@file
+    labels:
+      traefik.enable: true
+      traefik.http.routers.dozzle.rule: Host(`logs.${PRIVATE_DOMAIN}`)
+      traefik.http.routers.dozzle.tls.certResolver: le
+      traefik.http.routers.dozzle.middlewares: auth@file
+
+  analytics:
+    image: gregyankovoy/goaccess
+    volumes:
+      - ./analytics:/config
+      - /var/log/traefik:/opt/log
+    networks:
+      web:
+    labels:
+      traefik.enable: true
+      traefik.http.routers.analytics.rule: Host(`analytics.${PRIVATE_DOMAIN}`)
+      traefik.http.routers.analytics.tls.certResolver: le
+      traefik.http.routers.analytics.middlewares: auth@file
+
+
+# labels:
+#   The following three labels are always needed. Make sure to replace <SERVICE> with a unique name
+#   traefik.enable: true
+#   traefik.http.routers.<SERVICE>.tls.certResolver: le
+#   traefik.http.routers.<SERVICE>.rule: Host(`<SERVICE>.${PRIVATE_DOMAIN}`)
+
+#   Alternatives:
+#   traefik.http.routers.<SERVICE>.rule: Host(`<SERVICE>.${PUBLIC_DOMAIN}`)
+#   traefik.http.routers.<SERVICE>.rule: Host(`<SERVICE>.${PRIVATE_DOMAIN}`) || HOST(`<SERVICE>.${PUBLIC_DOMAIN}`)
+
+#   Require authentication:
+#   traefik.http.routers.<SERVICE>.middlewares: auth@file
+
+#   If more than one port is exposed by the container:
+#   traefik.http.services.<SERVICE>.loadbalancer.server.port: <PORT>
+
+#   If container uses more than one network:
+#   traefik.docker.network: web
+
+#   Restart automatically if healthchech fails:
+#   autoheal: "true"

traefik/config/network.yaml

@@ -6,10 +6,17 @@ http:
       loadBalancer:
         servers:
           - url: http://192.168.0.1:80
+
     proxmox:
       loadBalancer:
         servers:
-          - url: http://192.168.0.10:8006
+          - url: https://192.168.0.10:8006
+          
+    prusa:
+      loadBalancer:
+        servers:
+          - url: http://192.168.0.14
+          
 
   routers:
     pfsense:
@@ -19,6 +26,7 @@ http:
         - auth
       tls:
         certResolver: le
+
     proxmox:
       service: proxmox
       rule: Host(`proxmox.{{ env "PRIVATE_DOMAIN" }}`)
@@ -27,3 +35,11 @@ http:
       tls:
         certResolver: le
 
+    prusa:
+      service: prusa
+      rule: Host(`prusa.{{env "PRIVATE_DOMAIN"}}`)
+      middlewares:
+        - auth
+      tls:
+        certResolver: le
+

traefik/config/security.yaml

@@ -13,7 +13,8 @@ http:
       # Catch all requests to the http entrypoint and redirect them to https
       service: http-catchall
       rule: hostregexp(`{host:.+}`)
-      entrypoint: web
+      entryPoints:
+        - web
       middlewares:
         - redir
 
@@ -27,9 +28,12 @@ http:
     auth:
       # Go through authelia for authorization
       forwardAuth:
-        address: http://authelia:9091/api/verify?rd=https://auth.{{ env "PRIVATE_DOMAIN" }}/%23/
+        address: http://authelia:9091/api/verify?rd=https://auth.{{ env "PRIVATE_DOMAIN" }}/
         trustForwardHeader: true
         authResponseHeaders:
-          - X-Forwarded-User
+          - X-Remote-User
-        insecureSkipVerify: true
+          - Remote-User
-
+          - X-Remote-Groups
+          - Remote-Groups
+        tls:
+          insecureSkipVerify: true

traefik/traefik.yaml

@@ -1,6 +1,9 @@
 api:
   insecure: true
 
+serversTransport:
+  insecureSkipVerify: true
+
 providers:
   file:
     directory: /data/config
@@ -9,7 +12,11 @@ providers:
 
 log:
   filePath: /data/traefik.log
-  level: DEBUG
+  level: INFO
+  # level: DEBUG
+
+accessLog:
+  filePath: /log/access.log
 
 entryPoints:
   web:
@@ -20,7 +27,9 @@ entryPoints:
 certificatesResolvers:
   le:
     acme:
-      email: '{{ env "EMAIL" }}'
+      # email: SET BY ENV VARIABLE TRAEFIK_CERTIFICATERESOLVERS_LE_ACME_EMAIL
       storage: /data/acme.json
       httpChallenge:
         entrypoint: web
+      # UNCOMMENT NEXT ROW FOR EXPERIMENTATION
+      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory