Add analytics. Invert gitignore

Add links to other repos
Some comments
2021-12-04 23:13:12 +01:00 · 2021-09-05 16:22:51 +02:00 · 2021-09-03 10:59:26 +02:00 · 2021-08-21 23:29:17 +02:00 · 2021-08-21 23:14:25 +02:00
5 changed files with 105 additions and 22 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,12 +1,10 @@
-.env
+**/*
 !.gitignore
-traefik/acme.json
+!README.md
-traefik/certs/
+!docker-compose.yaml
 traefik/traefik.log
 traefik/config/old.yaml
-authelia/db.sqlite3
+!traefik/traefik.yaml
-authelia/notification.txt
+!traefik/config/*
 authelia/users_database.yml
-homer/
+!authelia/configuration.yaml
--- a/README.md
+++ b/README.md
@@ -2,17 +2,71 @@
 Configuration for traefik 2 and authelia
 ## Environment variables
-### Authelia preprocessor
+This setup uses two global environment variables: `PRIVATE_DOMAIN` and `PUBLIC_DOMAIN`. Those are two registered domain names I use for public and private services.
 The authelia configuration contains some sensitive values, but authelia cannot read them from env variables like traefic can.
 Instead, a special service - `authelia-config` runs before authelia start, and preprocesses the configuration file.
- Local file `./authelia/configuration.yaml` is mapped to `/data/input` in `authelia-config`
+There is also an `.env` file which defines a few more variables:
- Volume `authelia-config` is mapped to `/data/output` in `authelia-config`
+```
- `authelia-config` runs `gomplate` on `/data/input` and saves to `data/output/configuration.yaml`
+AUTHELIA_JWT_SECRET=...
- Volume `authelia-config` is mapped to `/etc/authelia` in `authelia`, where it reads its configuration
+AUTHELIA_SESSION_SECRET=...
 AUTHELIA_SESSION_DOMAIN=...
 AUTHELIA_TOTP_ISSUER=...
 TRAEFIK_CERTIFICATERESOLVERS_LE_ACME_EMAIL=...
 ```
 The value of those depend on your setup and can be found in the Traefik and Authelia documentation.
 ## Networks
 For the docker setup of my home server, I have create four specific docker networks
 ### LAN
 A macvlan network with full network and internet access
 Containers on this network will be provided an IP on my local home LAN and have direct access to it as if they were using the Host network setting.
 Containers get IPs in the range 192.168.1.128-192.168.1.254
 ```
 subnet: 192.168.1.0/23
 range: 192.168.1.128/25
 gateway: 192.168.0.1
 parent: eno1
 ```
 ### IOT
 A macvlan set to my VLAN for IOT things. Machines on this do not have access to the LAN or to the internet, with a few exceptions (ex. NTP server access).
 Containers get IPs in the range 192.168.2.9-192.168.2.127
 ```
 subnet: 192.168.2.0/24
 range: 192.168.2.0/25
 gateway: 192.168.2.1
 parent: eno1:10
 ```
 ### GUEST
 A macvlan set to my VLAN for guest WIFI. Machines on this have access to the internet, but not to the local LAN.
 ```
 subnet: 192.168.5.0/24
 range: 192.168.5.0/26
 gateway: 192.168.2.1
 parent: eno1:20
 ```
 ### WEB
 A bridge network for containers that shall be accessible by web interface. Routed by Traefik.
 ## Lessons learned
 - Authelia will ONLY work with https. Both the authelia url itself and the one being authenticated must be https.
 - The authorization link should NOT end with `/#/` or `/%2F/` or anything, just `/`. Otherwise it will not redirect you back after authorizing.
 # Docker-compose pieces that depend on this
 - [SSH entrypoint](/thomas/docker-ssh/)
 - [Home Automation](/thomas/docker-ha/)
 - [GIT server](/thomas/docker-git/)
 - [Plex media server](/thomas/docker-plex/)
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -2,14 +2,14 @@ version: "2.4"
 networks:
  web:
-    # All containers that are router through traefik needs to be on this network
+    # All containers that are routed through traefik needs to be on this network
    external: true
 volumes:
  authelia-config:
    # Used for pre-processing of authelia configuration
 services:
  # Autheal will restart any container that has the label
  # autoheal: true
  # and fail their healthcheck
  autoheal:
    container_name: autoheal
    restart: always
@@ -17,10 +17,14 @@ services:
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
  # Traefik reverse proxy. Routes http and ssh trafic to the righ containers
  # Controlled by container labels, see bottom of this compose file
  traefik:
    container_name: traefik
    image: traefik
    restart: always
    depends_on:
      - authelia
    environment:
      - EMAIL
      - PRIVATE_DOMAIN
@@ -39,8 +43,10 @@ services:
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik:/data
      - /var/log/traefik:/log
    healthcheck:
      # Sometimes, traefik loses connection to authelia. The only thing that works then is a restart, handled by autoheal.
      # I haven't checked for quite a while if this is still a problem, but might as well leave it in there.
      test: ["CMD", "wget", "-O", "-", "authelia:9091/api/state"]
    labels:
      traefik.enable: true
@@ -50,6 +56,7 @@ services:
      traefik.http.routers.traefik.tls.certResolver: le
      autoheal: "true"
  # Authelia handles access control with 2FA
  authelia:
    container_name: authelia
    image: authelia/authelia
@@ -75,6 +82,7 @@ services:
      traefik.http.routers.authelia.entrypoints: websecure
      autoheal: "true"
  # Homer provides a dashboard for all services. Configured through ./homer/config.yml
  homer:
    container_name: homer
    image: b4bz/homer
@@ -91,6 +99,7 @@ services:
      traefik.http.routers.homer.rule: Host(`${PRIVATE_DOMAIN}`) || Host(`www.${PRIVATE_DOMAIN}`)
      traefik.http.routers.homer.tls.certResolver: le
  # Dozzle is an easy way to view docker logs through a web interface
  dozzle:
    image: amir20/dozzle
    restart: always
@@ -104,6 +113,19 @@ services:
      traefik.http.routers.dozzle.tls.certResolver: le
      traefik.http.routers.dozzle.middlewares: auth@file
  analytics:
    image: gregyankovoy/goaccess
    volumes:
      - ./analytics:/config
      - /var/log/traefik:/opt/log
    networks:
      web:
    labels:
      traefik.enable: true
      traefik.http.routers.analytics.rule: Host(`analytics.${PRIVATE_DOMAIN}`)
      traefik.http.routers.analytics.tls.certResolver: le
      traefik.http.routers.analytics.middlewares: auth@file
 # labels:
 #   The following three labels are always needed. Make sure to replace <SERVICE> with a unique name
--- a/traefik/config/network.yaml
+++ b/traefik/config/network.yaml
@@ -6,10 +6,12 @@ http:
      loadBalancer:
        servers:
          - url: http://192.168.0.1:80
    proxmox:
      loadBalancer:
        servers:
          - url: https://192.168.0.10:8006
    prusa:
      loadBalancer:
        servers:
@@ -24,6 +26,7 @@ http:
        - auth
      tls:
        certResolver: le
    proxmox:
      service: proxmox
      rule: Host(`proxmox.{{ env "PRIVATE_DOMAIN" }}`)
@@ -31,6 +34,7 @@ http:
        - auth
      tls:
        certResolver: le
    prusa:
      service: prusa
      rule: Host(`prusa.{{env "PRIVATE_DOMAIN"}}`)
--- a/traefik/traefik.yaml
+++ b/traefik/traefik.yaml
@@ -13,6 +13,10 @@ providers:
 log:
  filePath: /data/traefik.log
  level: INFO
  # level: DEBUG
 accessLog:
  filePath: /log/access.log
 entryPoints:
  web:
@@ -23,8 +27,9 @@ entryPoints:
 certificatesResolvers:
  le:
    acme:
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      # email: SET BY ENV VARIABLE TRAEFIK_CERTIFICATERESOLVERS_LE_ACME_EMAIL
      storage: /data/acme.json
      httpChallenge:
        entrypoint: web
      # UNCOMMENT NEXT ROW FOR EXPERIMENTATION
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
Author	SHA1	Message	Date
Thomas Lovén	ead848575f	Add analytics. Invert gitignore	2021-12-04 23:13:12 +01:00
Thomas Lovén	4d87b20740	Add links to other repos	2021-09-05 16:22:51 +02:00
Thomas Lovén	fe64c0e4c5	Some comments	2021-09-03 10:59:26 +02:00
Thomas Lovén	7fb637509b	Add network description to readme.	2021-08-21 23:29:17 +02:00
Thomas Lovén	71a8127105	Update readme	2021-08-21 23:14:25 +02:00