Add analytics. Invert gitignore

.gitignore

@@ -1,10 +1,10 @@
-traefik/acme.json
-traefik/certs/
-traefik/traefik.log
-traefik/config/old.yaml
+**/*
+!.gitignore
 
-authelia/db.sqlite3
-authelia/notification.txt
-authelia/users_database.yml
+!README.md
+!docker-compose.yaml
 
-homer/
+!traefik/traefik.yaml
+!traefik/config/*
+
+!authelia/configuration.yaml

README.md

@@ -2,17 +2,71 @@
 
 Configuration for traefik 2 and authelia
 
+## Environment variables
 
-### Authelia preprocessor
-The authelia configuration contains some sensitive values, but authelia cannot read them from env variables like traefic can.
-Instead, a special service - `authelia-config` runs before authelia start, and preprocesses the configuration file.
+This setup uses two global environment variables: `PRIVATE_DOMAIN` and `PUBLIC_DOMAIN`. Those are two registered domain names I use for public and private services.
 
-- Local file `./authelia/configuration.yaml` is mapped to `/data/input` in `authelia-config`
-- Volume `authelia-config` is mapped to `/data/output` in `authelia-config`
-- `authelia-config` runs `gomplate` on `/data/input` and saves to `data/output/configuration.yaml`
-- Volume `authelia-config` is mapped to `/etc/authelia` in `authelia`, where it reads its configuration
+There is also an `.env` file which defines a few more variables:
+```
+AUTHELIA_JWT_SECRET=...
+AUTHELIA_SESSION_SECRET=...
+AUTHELIA_SESSION_DOMAIN=...
+AUTHELIA_TOTP_ISSUER=...
+TRAEFIK_CERTIFICATERESOLVERS_LE_ACME_EMAIL=...
+```
+
+The value of those depend on your setup and can be found in the Traefik and Authelia documentation.
+
+## Networks
+For the docker setup of my home server, I have create four specific docker networks
+
+### LAN
+A macvlan network with full network and internet access
+Containers on this network will be provided an IP on my local home LAN and have direct access to it as if they were using the Host network setting.
+
+Containers get IPs in the range 192.168.1.128-192.168.1.254
+
+```
+subnet: 192.168.1.0/23
+range: 192.168.1.128/25
+gateway: 192.168.0.1
+parent: eno1
+```
+
+### IOT
+A macvlan set to my VLAN for IOT things. Machines on this do not have access to the LAN or to the internet, with a few exceptions (ex. NTP server access).
+
+Containers get IPs in the range 192.168.2.9-192.168.2.127
+
+```
+subnet: 192.168.2.0/24
+range: 192.168.2.0/25
+gateway: 192.168.2.1
+parent: eno1:10
+```
+
+### GUEST
+A macvlan set to my VLAN for guest WIFI. Machines on this have access to the internet, but not to the local LAN.
+
+```
+subnet: 192.168.5.0/24
+range: 192.168.5.0/26
+gateway: 192.168.2.1
+parent: eno1:20
+```
+
+### WEB
+A bridge network for containers that shall be accessible by web interface. Routed by Traefik.
 
 ## Lessons learned
 
 - Authelia will ONLY work with https. Both the authelia url itself and the one being authenticated must be https.
 - The authorization link should NOT end with `/#/` or `/%2F/` or anything, just `/`. Otherwise it will not redirect you back after authorizing.
+
+
+# Docker-compose pieces that depend on this
+
+- [SSH entrypoint](/thomas/docker-ssh/)
+- [Home Automation](/thomas/docker-ha/)
+- [GIT server](/thomas/docker-git/)
+- [Plex media server](/thomas/docker-plex/)

authelia/configuration.yml

@@ -1,42 +1,38 @@
-host: 0.0.0.0
-port: 9091
-logs_level: trace
-jwt_secret: {{ env.Getenv "PRIVATE_DOMAIN" }}-jwt-secret
+# log:
+#   level: debug
+
+theme: auto
 authentication_backend:
   file:
-    path: /opt/authelia/users_database.yml
+    path: /config/users_database.yml
 
 session:
-  name: authelia_session
-  secret: {{ env.Getenv "PRIVATE_DOMAIN" }}-token-secret
-  domain: {{ env.Getenv "PRIVATE_DOMAIN" }}
-  expiration: 604800
-  inactivity: 172800
+  # domain: SET BY ENV VARIABLE AUTHELIA_SESSION_DOMAIN
+  # secret: SET BY ENV VARIABLE AUTHELIA_SESSION_SECRET
 
 storage:
   local:
-    path: /opt/authelia/db.sqlite3
-
-totp:
-  issuer: {{ env.Getenv "PRIVATE_DOMAIN" }}
+    path: /config/db.sqlite3
 
 access_control:
-  default_policy: one_factor
+  default_policy: two_factor
+  networks:
+    - name: internal
+      networks:
+        - 10.0.0.0/8
+        - 172.16.0.0/12
+        - 192.168.0.0/18
 
   rules:
     # Allow free access from local network
-    - domain: "*"
+    - domain:
+      - "*.se"
+      - "*.com"
       networks:
-        - 192.168.1.0/23
+        - internal
       policy: bypass
 
-
-regulation:
-  max_retries: 5
-  find_time: 120
-  ban_time: 180
-
 notifier:
   filesystem:
-    filename: /opt/authelia/notification.txt
+    filename: /config/notification.txt
 

docker-compose.yaml

@@ -2,14 +2,14 @@ version: "2.4"
 
 networks:
   web:
-    # All containers that are router through traefik needs to be on this network
+    # All containers that are routed through traefik needs to be on this network
     external: true
 
-volumes:
-  authelia-config:
-    # Used for pre-processing of authelia configuration
-
 services:
+
+  # Autheal will restart any container that has the label
+  # autoheal: true
+  # and fail their healthcheck
   autoheal:
     container_name: autoheal
     restart: always
@@ -17,16 +17,22 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
 
+  # Traefik reverse proxy. Routes http and ssh trafic to the righ containers
+  # Controlled by container labels, see bottom of this compose file
   traefik:
     container_name: traefik
     image: traefik
     restart: always
+    depends_on:
+      - authelia
     environment:
       - EMAIL
       - PRIVATE_DOMAIN
       - PUBLIC_DOMAIN
+      - TRAEFIK_CERTIFICATERESOLVERS_LE_ACME_EMAIL
     networks:
       web:
+        ipv4_address: 172.18.1.2
     command:
       - "--configFile=/data/traefik.yaml"
     ports:
@@ -37,8 +43,10 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - ./traefik:/data
+      - /var/log/traefik:/log
     healthcheck:
       # Sometimes, traefik loses connection to authelia. The only thing that works then is a restart, handled by autoheal.
+      # I haven't checked for quite a while if this is still a problem, but might as well leave it in there.
       test: ["CMD", "wget", "-O", "-", "authelia:9091/api/state"]
     labels:
       traefik.enable: true
@@ -48,29 +56,21 @@ services:
       traefik.http.routers.traefik.tls.certResolver: le
       autoheal: "true"
 
-  authelia-config:
-    # Preprocess authelia configuration through gomplate
-    image: hairyhenderson/gomplate
-    environment:
-      - PRIVATE_DOMAIN
-      - PUBLIC_DOMAIN
-    volumes:
-      - ./authelia/configuration.yml:/data/input:ro
-      - authelia-config:/data/output
-    command: '--file=/data/input --out=/data/output/configuration.yml'
+  # Authelia handles access control with 2FA
   authelia:
     container_name: authelia
     image: authelia/authelia
     restart: always
-    depends_on:
-      # config preprocessor should run first
-      - authelia-config
     volumes:
-      - ./authelia:/opt/authelia
-      - authelia-config:/etc/authelia/
+      - ./authelia:/config
     environment:
-      - ENVIRONMENT=dev
+      # - ENVIRONMENT=dev
       - NODE_TLS_REJECT_UNAUTHORIZED=1
+      - AUTHELIA_JWT_SECRET
+      - AUTHELIA_SESSION_SECRET
+      - AUTHELIA_SESSION_DOMAIN
+      - AUTHELIA_TOTP_ISSUER
+      - TZ=Europe/Stockholm
     networks:
       web:
     healthcheck:
@@ -82,6 +82,7 @@ services:
       traefik.http.routers.authelia.entrypoints: websecure
       autoheal: "true"
 
+  # Homer provides a dashboard for all services. Configured through ./homer/config.yml
   homer:
     container_name: homer
     image: b4bz/homer
@@ -95,26 +96,55 @@ services:
       web:
     labels:
       traefik.enable: true
-      traefik.http.routers.homer.rule: Host(`${PRIVATE_DOMAIN}`)
+      traefik.http.routers.homer.rule: Host(`${PRIVATE_DOMAIN}`) || Host(`www.${PRIVATE_DOMAIN}`)
       traefik.http.routers.homer.tls.certResolver: le
-      traefik.http.routers.homer.entrypoints: websecure
 
-# whoami-https:
-#   image: containous/whoami
-#   networks:
-#     web:
-#   labels:
-#     traefik.enable: true
-#     traefik.http.routers.wait-https.rule: Host(`wai-https.${PRIVATE_DOMAIN}`)
-#     traefik.http.routers.wait-https.tls.certResolver: le
+  # Dozzle is an easy way to view docker logs through a web interface
+  dozzle:
+    image: amir20/dozzle
+    restart: always
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+      web:
+    labels:
+      traefik.enable: true
+      traefik.http.routers.dozzle.rule: Host(`logs.${PRIVATE_DOMAIN}`)
+      traefik.http.routers.dozzle.tls.certResolver: le
+      traefik.http.routers.dozzle.middlewares: auth@file
 
-# whoami-auth:
-#   image: containous/whoami
-#   networks:
-#     web:
-#     macvlan:
-#   labels:
-#     traefik.enable: true
-#     traefik.http.routers.wai-auth.rule: Host(`wai-auth.${PRIVATE_DOMAIN}`)
-#     traefik.http.routers.wai-auth.tls.certResolver: le
-#     traefik.http.routers.wai-auth.middlewares: auth@file
+  analytics:
+    image: gregyankovoy/goaccess
+    volumes:
+      - ./analytics:/config
+      - /var/log/traefik:/opt/log
+    networks:
+      web:
+    labels:
+      traefik.enable: true
+      traefik.http.routers.analytics.rule: Host(`analytics.${PRIVATE_DOMAIN}`)
+      traefik.http.routers.analytics.tls.certResolver: le
+      traefik.http.routers.analytics.middlewares: auth@file
+
+
+# labels:
+#   The following three labels are always needed. Make sure to replace <SERVICE> with a unique name
+#   traefik.enable: true
+#   traefik.http.routers.<SERVICE>.tls.certResolver: le
+#   traefik.http.routers.<SERVICE>.rule: Host(`<SERVICE>.${PRIVATE_DOMAIN}`)
+
+#   Alternatives:
+#   traefik.http.routers.<SERVICE>.rule: Host(`<SERVICE>.${PUBLIC_DOMAIN}`)
+#   traefik.http.routers.<SERVICE>.rule: Host(`<SERVICE>.${PRIVATE_DOMAIN}`) || HOST(`<SERVICE>.${PUBLIC_DOMAIN}`)
+
+#   Require authentication:
+#   traefik.http.routers.<SERVICE>.middlewares: auth@file
+
+#   If more than one port is exposed by the container:
+#   traefik.http.services.<SERVICE>.loadbalancer.server.port: <PORT>
+
+#   If container uses more than one network:
+#   traefik.docker.network: web
+
+#   Restart automatically if healthchech fails:
+#   autoheal: "true"

traefik/config/network.yaml

@@ -6,10 +6,17 @@ http:
       loadBalancer:
         servers:
           - url: http://192.168.0.1:80
+
     proxmox:
       loadBalancer:
         servers:
-          - url: http://192.168.0.10:8006
+          - url: https://192.168.0.10:8006
+          
+    prusa:
+      loadBalancer:
+        servers:
+          - url: http://192.168.0.14
+          
 
   routers:
     pfsense:
@@ -19,6 +26,7 @@ http:
         - auth
       tls:
         certResolver: le
+
     proxmox:
       service: proxmox
       rule: Host(`proxmox.{{ env "PRIVATE_DOMAIN" }}`)
@@ -27,3 +35,11 @@ http:
       tls:
         certResolver: le
 
+    prusa:
+      service: prusa
+      rule: Host(`prusa.{{env "PRIVATE_DOMAIN"}}`)
+      middlewares:
+        - auth
+      tls:
+        certResolver: le
+

traefik/config/security.yaml

@@ -13,7 +13,8 @@ http:
       # Catch all requests to the http entrypoint and redirect them to https
       service: http-catchall
       rule: hostregexp(`{host:.+}`)
-      entrypoint: web
+      entryPoints:
+        - web
       middlewares:
         - redir
 

traefik/traefik.yaml

@@ -12,7 +12,11 @@ providers:
 
 log:
   filePath: /data/traefik.log
-  level: DEBUG
+  level: INFO
+  # level: DEBUG
+
+accessLog:
+  filePath: /log/access.log
 
 entryPoints:
   web:
@@ -23,7 +27,9 @@ entryPoints:
 certificatesResolvers:
   le:
     acme:
-      email: '{{ env "EMAIL" }}'
+      # email: SET BY ENV VARIABLE TRAEFIK_CERTIFICATERESOLVERS_LE_ACME_EMAIL
       storage: /data/acme.json
       httpChallenge:
         entrypoint: web
+      # UNCOMMENT NEXT ROW FOR EXPERIMENTATION
+      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory