thomas/docker-server
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Compare commits

base: thomas:master
Branches Tags
thomas:master
..
compare: thomas:683da0dad1eae6132445f71cbc8b82391f72dc65
Branches Tags
thomas:master

1 Commits
master ... 683da0dad1

Author SHA1 Message Date
Thomas Lovén
683da0dad1 Fix authelia login redirection 2020-01-27 17:00:16 +01:00
7 changed files with 91 additions and 232 deletions
Expand all files Collapse all files

15
.gitignore vendored
View File

@@ -1,10 +1,7 @@
**/* traefik/acme.json
!.gitignore traefik/certs/
traefik/traefik.log
!README.md authelia/db.sqlite3
!docker-compose.yaml authelia/notification.txt
authelia/users_database.yml
!traefik/traefik.yaml
!traefik/config/*
!authelia/configuration.yaml

68
README.md
View File

@@ -2,71 +2,17 @@
Configuration for traefik 2 and authelia Configuration for traefik 2 and authelia
## Environment variables
This setup uses two global environment variables: `PRIVATE_DOMAIN` and `PUBLIC_DOMAIN`. Those are two registered domain names I use for public and private services. ### Authelia preprocessor
The authelia configuration contains some sensitive values, but authelia cannot read them from env variables like traefic can.
Instead, a special service - `authelia-config` runs before authelia start, and preprocesses the configuration file.
There is also an `.env` file which defines a few more variables: - Local file `./authelia/configuration.yaml` is mapped to `/data/input` in `authelia-config`
``` - Volume `authelia-config` is mapped to `/data/output` in `authelia-config`
AUTHELIA_JWT_SECRET=... - `authelia-config` runs `gomplate` on `/data/input` and saves to `data/output/configuration.yaml`
AUTHELIA_SESSION_SECRET=... - Volume `authelia-config` is mapped to `/etc/authelia` in `authelia`, where it reads its configuration
AUTHELIA_SESSION_DOMAIN=...
AUTHELIA_TOTP_ISSUER=...
TRAEFIK_CERTIFICATERESOLVERS_LE_ACME_EMAIL=...
```
The value of those depend on your setup and can be found in the Traefik and Authelia documentation.
## Networks
For the docker setup of my home server, I have create four specific docker networks
### LAN
A macvlan network with full network and internet access
Containers on this network will be provided an IP on my local home LAN and have direct access to it as if they were using the Host network setting.
Containers get IPs in the range 192.168.1.128-192.168.1.254
```
subnet: 192.168.1.0/23
range: 192.168.1.128/25
gateway: 192.168.0.1
parent: eno1
```
### IOT
A macvlan set to my VLAN for IOT things. Machines on this do not have access to the LAN or to the internet, with a few exceptions (ex. NTP server access).
Containers get IPs in the range 192.168.2.9-192.168.2.127
```
subnet: 192.168.2.0/24
range: 192.168.2.0/25
gateway: 192.168.2.1
parent: eno1:10
```
### GUEST
A macvlan set to my VLAN for guest WIFI. Machines on this have access to the internet, but not to the local LAN.
```
subnet: 192.168.5.0/24
range: 192.168.5.0/26
gateway: 192.168.2.1
parent: eno1:20
```
### WEB
A bridge network for containers that shall be accessible by web interface. Routed by Traefik.
## Lessons learned ## Lessons learned
- Authelia will ONLY work with https. Both the authelia url itself and the one being authenticated must be https. - Authelia will ONLY work with https. Both the authelia url itself and the one being authenticated must be https.
- The authorization link should NOT end with `/#/` or `/%2F/` or anything, just `/`. Otherwise it will not redirect you back after authorizing. - The authorization link should NOT end with `/#/` or `/%2F/` or anything, just `/`. Otherwise it will not redirect you back after authorizing.
# Docker-compose pieces that depend on this
- [SSH entrypoint](/thomas/docker-ssh/)
- [Home Automation](/thomas/docker-ha/)
- [GIT server](/thomas/docker-git/)
- [Plex media server](/thomas/docker-plex/)

44
authelia/configuration.yml
View File

@@ -1,38 +1,42 @@
# log: host: 0.0.0.0
# level: debug port: 9091
logs_level: trace
theme: auto jwt_secret: {{ env.Getenv "PRIVATE_DOMAIN" }}-jwt-secret
authentication_backend: authentication_backend:
file: file:
path: /config/users_database.yml path: /opt/authelia/users_database.yml
# {{ env.Getenv "ROOT_DOMAIN" }}
session: session:
# domain: SET BY ENV VARIABLE AUTHELIA_SESSION_DOMAIN name: authelia_session
# secret: SET BY ENV VARIABLE AUTHELIA_SESSION_SECRET secret: {{ env.Getenv "PRIVATE_DOMAIN" }}-token-secret
domain: {{ env.Getenv "PRIVATE_DOMAIN" }}
expiration: 604800
inactivity: 300
storage: storage:
local: local:
path: /config/db.sqlite3 path: /opt/authelia/db.sqlite3
totp:
issuer: {{ env.Getenv "PRIVATE_DOMAIN" }}
access_control: access_control:
default_policy: two_factor default_policy: two_factor
networks:
- name: internal
networks:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/18
rules: rules:
# Allow free access from local network - domain: "*"
- domain:
- "*.se"
- "*.com"
networks: networks:
- internal - 192.168.1.0/23
policy: bypass policy: bypass
regulation:
max_retries: 5
find_time: 120
ban_time: 180
notifier: notifier:
filesystem: filesystem:
filename: /config/notification.txt filename: /opt/authelia/notification.txt

150
docker-compose.yaml
View File

@@ -1,150 +1,90 @@
version: "2.4" version: "3.5"
networks: networks:
web: web:
# All containers that are routed through traefik needs to be on this network # All containers that are router through traefik needs to be on this network
external: true external: false
name: web
volumes:
authelia-config:
# Used for pre-processing of authelia configuration
services: services:
proxy:
# Autheal will restart any container that has the label
# autoheal: true
# and fail their healthcheck
autoheal:
container_name: autoheal
restart: always
image: willfarrell/autoheal
volumes:
- /var/run/docker.sock:/var/run/docker.sock
# Traefik reverse proxy. Routes http and ssh trafic to the righ containers
# Controlled by container labels, see bottom of this compose file
traefik:
container_name: traefik container_name: traefik
image: traefik image: traefik:v2.1
restart: always restart: always
depends_on:
- authelia
environment: environment:
- EMAIL - EMAIL
- PRIVATE_DOMAIN - PRIVATE_DOMAIN
- PUBLIC_DOMAIN - PUBLIC_DOMAIN
- TRAEFIK_CERTIFICATERESOLVERS_LE_ACME_EMAIL
networks: networks:
web: - web
ipv4_address: 172.18.1.2
command: command:
- "--configFile=/data/traefik.yaml" - "--configFile=/data/traefik.yaml"
ports: ports:
- 80:80 - 80:80
- 443:443 - 443:443
# Open port 8080 for debugging emergencies # Open port 8080 for debugging emergencies
- 8080:8080 # - 8080:8080
volumes: volumes:
- /var/run/docker.sock:/var/run/docker.sock - /var/run/docker.sock:/var/run/docker.sock
- ./traefik:/data - ./traefik:/data
- /var/log/traefik:/log
healthcheck:
# Sometimes, traefik loses connection to authelia. The only thing that works then is a restart, handled by autoheal.
# I haven't checked for quite a while if this is still a problem, but might as well leave it in there.
test: ["CMD", "wget", "-O", "-", "authelia:9091/api/state"]
labels: labels:
traefik.enable: true traefik.enable: true
traefik.http.services.traefik.loadbalancer.server.port: 8080 traefik.http.services.traefik.loadbalancer.server.port: 8080
traefik.http.routers.traefik.rule: Host(`traefik.${PRIVATE_DOMAIN}`) traefik.http.routers.traefik.rule: Host(`traefik.${PRIVATE_DOMAIN}`)
traefik.http.routers.traefik.middlewares: auth@file traefik.http.routers.traefik.middlewares: auth@file
traefik.http.routers.traefik.tls.certResolver: le traefik.http.routers.traefik.tls.certResolver: le
autoheal: "true"
# Authelia handles access control with 2FA authelia-config:
# Preprocess authelia configuration through gomplate
image: hairyhenderson/gomplate
environment:
- PRIVATE_DOMAIN
- PUBLIC_DOMAIN
volumes:
- ./authelia/configuration.yml:/data/input:ro
- authelia-config:/data/output
command: '--file=/data/input --out=/data/output/configuration.yml'
authelia: authelia:
container_name: authelia container_name: authelia
image: authelia/authelia image: authelia/authelia
restart: always restart: always
depends_on:
# config preprocessor should run first
- authelia-config
volumes: volumes:
- ./authelia:/config - ./authelia:/opt/authelia
- authelia-config:/etc/authelia/
environment: environment:
# - ENVIRONMENT=dev - ENVIRONMENT=dev
- NODE_TLS_REJECT_UNAUTHORIZED=1 - NODE_TLS_REJECT_UNAUTHORIZED=1
- AUTHELIA_JWT_SECRET
- AUTHELIA_SESSION_SECRET
- AUTHELIA_SESSION_DOMAIN
- AUTHELIA_TOTP_ISSUER
- TZ=Europe/Stockholm
networks: networks:
web: - web
healthcheck:
test: ["CMD", "wget", "-O", "-", "127.0.0.1:9091/api/state"]
labels: labels:
traefik.enable: true traefik.enable: true
traefik.http.routers.authelia.rule: Host(`auth.${PRIVATE_DOMAIN}`) traefik.http.routers.authelia.rule: Host(`auth.${PRIVATE_DOMAIN}`)
traefik.http.routers.authelia.tls.certResolver: le traefik.http.routers.authelia.tls.certResolver: le
traefik.http.routers.authelia.entrypoints: websecure traefik.http.routers.authelia.entrypoints: websecure
autoheal: "true"
# Homer provides a dashboard for all services. Configured through ./homer/config.yml
homer:
container_name: homer
image: b4bz/homer
restart: always
volumes:
- ./homer:/www/assets
environment:
UID: 1000
GID: 1001
networks:
web:
labels:
traefik.enable: true
traefik.http.routers.homer.rule: Host(`${PRIVATE_DOMAIN}`) || Host(`www.${PRIVATE_DOMAIN}`)
traefik.http.routers.homer.tls.certResolver: le
# Dozzle is an easy way to view docker logs through a web interface
dozzle:
image: amir20/dozzle
restart: always
volumes:
- /var/run/docker.sock:/var/run/docker.sock
networks:
web:
labels:
traefik.enable: true
traefik.http.routers.dozzle.rule: Host(`logs.${PRIVATE_DOMAIN}`)
traefik.http.routers.dozzle.tls.certResolver: le
traefik.http.routers.dozzle.middlewares: auth@file
analytics:
image: gregyankovoy/goaccess
volumes:
- ./analytics:/config
- /var/log/traefik:/opt/log
networks:
web:
labels:
traefik.enable: true
traefik.http.routers.analytics.rule: Host(`analytics.${PRIVATE_DOMAIN}`)
traefik.http.routers.analytics.tls.certResolver: le
traefik.http.routers.analytics.middlewares: auth@file
# whoami-https:
# image: containous/whoami
# networks:
# - web
# labels: # labels:
# The following three labels are always needed. Make sure to replace <SERVICE> with a unique name
# traefik.enable: true # traefik.enable: true
# traefik.http.routers.<SERVICE>.tls.certResolver: le # traefik.http.routers.wait-https.rule: Host(`wai-https.${PRIVATE_DOMAIN}`)
# traefik.http.routers.<SERVICE>.rule: Host(`<SERVICE>.${PRIVATE_DOMAIN}`) # traefik.http.routers.wait-https.tls.certResolver: le
# Alternatives: # whoami-auth:
# traefik.http.routers.<SERVICE>.rule: Host(`<SERVICE>.${PUBLIC_DOMAIN}`) # image: containous/whoami
# traefik.http.routers.<SERVICE>.rule: Host(`<SERVICE>.${PRIVATE_DOMAIN}`) || HOST(`<SERVICE>.${PUBLIC_DOMAIN}`) # networks:
# - web
# Require authentication: # labels:
# traefik.http.routers.<SERVICE>.middlewares: auth@file # traefik.enable: true
# traefik.http.routers.wai-auth.rule: Host(`wai-auth.${PRIVATE_DOMAIN}`)
# If more than one port is exposed by the container: # traefik.http.routers.wai-auth.tls.certResolver: le
# traefik.http.services.<SERVICE>.loadbalancer.server.port: <PORT> # traefik.http.routers.wai-auth.middlewares: auth@file
# If container uses more than one network:
# traefik.docker.network: web
# Restart automatically if healthchech fails:
# autoheal: "true"

18
traefik/config/network.yaml
View File

@@ -6,17 +6,10 @@ http:
loadBalancer: loadBalancer:
servers: servers:
- url: http://192.168.0.1:80 - url: http://192.168.0.1:80
proxmox: proxmox:
loadBalancer: loadBalancer:
servers: servers:
- url: https://192.168.0.10:8006 - url: http://192.168.0.10:8006
prusa:
loadBalancer:
servers:
- url: http://192.168.0.14
routers: routers:
pfsense: pfsense:
@@ -26,7 +19,6 @@ http:
- auth - auth
tls: tls:
certResolver: le certResolver: le
proxmox: proxmox:
service: proxmox service: proxmox
rule: Host(`proxmox.{{ env "PRIVATE_DOMAIN" }}`) rule: Host(`proxmox.{{ env "PRIVATE_DOMAIN" }}`)
@@ -35,11 +27,3 @@ http:
tls: tls:
certResolver: le certResolver: le
prusa:
service: prusa
rule: Host(`prusa.{{env "PRIVATE_DOMAIN"}}`)
middlewares:
- auth
tls:
certResolver: le

9
traefik/config/security.yaml
View File

@@ -13,8 +13,7 @@ http:
# Catch all requests to the http entrypoint and redirect them to https # Catch all requests to the http entrypoint and redirect them to https
service: http-catchall service: http-catchall
rule: hostregexp(`{host:.+}`) rule: hostregexp(`{host:.+}`)
entryPoints: entrypoint: web
- web
middlewares: middlewares:
- redir - redir
@@ -31,9 +30,7 @@ http:
address: http://authelia:9091/api/verify?rd=https://auth.{{ env "PRIVATE_DOMAIN" }}/ address: http://authelia:9091/api/verify?rd=https://auth.{{ env "PRIVATE_DOMAIN" }}/
trustForwardHeader: true trustForwardHeader: true
authResponseHeaders: authResponseHeaders:
- X-Remote-User - X-Forwarded-User
- Remote-User
- X-Remote-Groups
- Remote-Groups
tls: tls:
insecureSkipVerify: true insecureSkipVerify: true

13
traefik/traefik.yaml
View File

@@ -1,9 +1,6 @@
api: api:
insecure: true insecure: true
serversTransport:
insecureSkipVerify: true
providers: providers:
file: file:
directory: /data/config directory: /data/config
@@ -12,11 +9,7 @@ providers:
log: log:
filePath: /data/traefik.log filePath: /data/traefik.log
level: INFO level: DEBUG
# level: DEBUG
accessLog:
filePath: /log/access.log
entryPoints: entryPoints:
web: web:
@@ -27,9 +20,7 @@ entryPoints:
certificatesResolvers: certificatesResolvers:
le: le:
acme: acme:
# email: SET BY ENV VARIABLE TRAEFIK_CERTIFICATERESOLVERS_LE_ACME_EMAIL email: '{{ env "EMAIL" }}'
storage: /data/acme.json storage: /data/acme.json
httpChallenge: httpChallenge:
entrypoint: web entrypoint: web
# UNCOMMENT NEXT ROW FOR EXPERIMENTATION
# caServer: https://acme-staging-v02.api.letsencrypt.org/directory