thomas/docker-server
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Compare commits

base: thomas:master
Branches Tags
thomas:master
..
compare: thomas:dbef6df612dc5c5afee102dc7c9214b3f831cd2c
Branches Tags
thomas:master

1 Commits
master ... dbef6df612

Author SHA1 Message Date
Thomas Lovén
dbef6df612 Fix authelia login redirection 2020-01-27 16:34:59 +01:00
7 changed files with 89 additions and 237 deletions
Expand all files Collapse all files

15
.gitignore vendored
View File

@@ -1,10 +1,7 @@
**/*
!.gitignore
traefik/acme.json
traefik/certs/
traefik/traefik.log
!README.md
!docker-compose.yaml
!traefik/traefik.yaml
!traefik/config/*
!authelia/configuration.yaml
authelia/db.sqlite3
authelia/notification.txt
authelia/users_database.yml

69
README.md
View File

@@ -2,71 +2,16 @@
Configuration for traefik 2 and authelia
## Environment variables
This setup uses two global environment variables: `PRIVATE_DOMAIN` and `PUBLIC_DOMAIN`. Those are two registered domain names I use for public and private services.
### Authelia preprocessor
The authelia configuration contains some sensitive values, but authelia cannot read them from env variables like traefic can.
Instead, a special service - `authelia-config` runs before authelia start, and preprocesses the configuration file.
There is also an `.env` file which defines a few more variables:
```
AUTHELIA_JWT_SECRET=...
AUTHELIA_SESSION_SECRET=...
AUTHELIA_SESSION_DOMAIN=...
AUTHELIA_TOTP_ISSUER=...
TRAEFIK_CERTIFICATERESOLVERS_LE_ACME_EMAIL=...
```
The value of those depend on your setup and can be found in the Traefik and Authelia documentation.
## Networks
For the docker setup of my home server, I have create four specific docker networks
### LAN
A macvlan network with full network and internet access
Containers on this network will be provided an IP on my local home LAN and have direct access to it as if they were using the Host network setting.
Containers get IPs in the range 192.168.1.128-192.168.1.254
```
subnet: 192.168.1.0/23
range: 192.168.1.128/25
gateway: 192.168.0.1
parent: eno1
```
### IOT
A macvlan set to my VLAN for IOT things. Machines on this do not have access to the LAN or to the internet, with a few exceptions (ex. NTP server access).
Containers get IPs in the range 192.168.2.9-192.168.2.127
```
subnet: 192.168.2.0/24
range: 192.168.2.0/25
gateway: 192.168.2.1
parent: eno1:10
```
### GUEST
A macvlan set to my VLAN for guest WIFI. Machines on this have access to the internet, but not to the local LAN.
```
subnet: 192.168.5.0/24
range: 192.168.5.0/26
gateway: 192.168.2.1
parent: eno1:20
```
### WEB
A bridge network for containers that shall be accessible by web interface. Routed by Traefik.
- Local file `./authelia/configuration.yaml` is mapped to `/data/input` in `authelia-config`
- Volume `authelia-config` is mapped to `/data/output` in `authelia-config`
- `authelia-config` runs `gomplate` on `/data/input` and saves to `data/output/configuration.yaml`
- Volume `authelia-config` is mapped to `/etc/authelia` in `authelia`, where it reads its configuration
## Lessons learned
- Authelia will ONLY work with https. Both the authelia url itself and the one being authenticated must be https.
- The authorization link should NOT end with `/#/` or `/%2F/` or anything, just `/`. Otherwise it will not redirect you back after authorizing.
# Docker-compose pieces that depend on this
- [SSH entrypoint](/thomas/docker-ssh/)
- [Home Automation](/thomas/docker-ha/)
- [GIT server](/thomas/docker-git/)
- [Plex media server](/thomas/docker-plex/)

44
authelia/configuration.yml
View File

@@ -1,38 +1,42 @@
# log:
# level: debug
theme: auto
host: 0.0.0.0
port: 9091
logs_level: trace
jwt_secret: {{ env.Getenv "PRIVATE_DOMAIN" }}-jwt-secret
authentication_backend:
file:
path: /config/users_database.yml
path: /opt/authelia/users_database.yml
# {{ env.Getenv "ROOT_DOMAIN" }}
session:
# domain: SET BY ENV VARIABLE AUTHELIA_SESSION_DOMAIN
# secret: SET BY ENV VARIABLE AUTHELIA_SESSION_SECRET
name: authelia_session
secret: {{ env.Getenv "PRIVATE_DOMAIN" }}-token-secret
domain: {{ env.Getenv "PRIVATE_DOMAIN" }}
expiration: 604800
inactivity: 300
storage:
local:
path: /config/db.sqlite3
path: /opt/authelia/db.sqlite3
totp:
issuer: {{ env.Getenv "PRIVATE_DOMAIN" }}
access_control:
default_policy: two_factor
networks:
- name: internal
networks:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/18
rules:
# Allow free access from local network
- domain:
- "*.se"
- "*.com"
- domain: "*"
networks:
- internal
- 192.168.1.0/23
policy: bypass
regulation:
max_retries: 5
find_time: 120
ban_time: 180
notifier:
filesystem:
filename: /config/notification.txt
filename: /opt/authelia/notification.txt

150
docker-compose.yaml
View File

@@ -1,150 +1,90 @@
version: "2.4"
version: "3.5"
networks:
web:
# All containers that are routed through traefik needs to be on this network
external: true
# All containers that are router through traefik needs to be on this network
external: false
name: web
volumes:
authelia-config:
# Used for pre-processing of authelia configuration
services:
# Autheal will restart any container that has the label
# autoheal: true
# and fail their healthcheck
autoheal:
container_name: autoheal
restart: always
image: willfarrell/autoheal
volumes:
- /var/run/docker.sock:/var/run/docker.sock
# Traefik reverse proxy. Routes http and ssh trafic to the righ containers
# Controlled by container labels, see bottom of this compose file
traefik:
proxy:
container_name: traefik
image: traefik
image: traefik:v2.1
restart: always
depends_on:
- authelia
environment:
- EMAIL
- PRIVATE_DOMAIN
- PUBLIC_DOMAIN
- TRAEFIK_CERTIFICATERESOLVERS_LE_ACME_EMAIL
networks:
web:
ipv4_address: 172.18.1.2
- web
command:
- "--configFile=/data/traefik.yaml"
ports:
- 80:80
- 443:443
# Open port 8080 for debugging emergencies
- 8080:8080
# - 8080:8080
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./traefik:/data
- /var/log/traefik:/log
healthcheck:
# Sometimes, traefik loses connection to authelia. The only thing that works then is a restart, handled by autoheal.
# I haven't checked for quite a while if this is still a problem, but might as well leave it in there.
test: ["CMD", "wget", "-O", "-", "authelia:9091/api/state"]
labels:
traefik.enable: true
traefik.http.services.traefik.loadbalancer.server.port: 8080
traefik.http.routers.traefik.rule: Host(`traefik.${PRIVATE_DOMAIN}`)
traefik.http.routers.traefik.middlewares: auth@file
traefik.http.routers.traefik.tls.certResolver: le
autoheal: "true"
# Authelia handles access control with 2FA
authelia-config:
# Preprocess authelia configuration through gomplate
image: hairyhenderson/gomplate
environment:
- PRIVATE_DOMAIN
- PUBLIC_DOMAIN
volumes:
- ./authelia/configuration.yml:/data/input:ro
- authelia-config:/data/output
command: '--file=/data/input --out=/data/output/configuration.yml'
authelia:
container_name: authelia
image: authelia/authelia
restart: always
depends_on:
# config preprocessor should run first
- authelia-config
volumes:
- ./authelia:/config
- ./authelia:/opt/authelia
- authelia-config:/etc/authelia/
environment:
# - ENVIRONMENT=dev
- ENVIRONMENT=dev
- NODE_TLS_REJECT_UNAUTHORIZED=1
- AUTHELIA_JWT_SECRET
- AUTHELIA_SESSION_SECRET
- AUTHELIA_SESSION_DOMAIN
- AUTHELIA_TOTP_ISSUER
- TZ=Europe/Stockholm
networks:
web:
healthcheck:
test: ["CMD", "wget", "-O", "-", "127.0.0.1:9091/api/state"]
- web
labels:
traefik.enable: true
traefik.http.routers.authelia.rule: Host(`auth.${PRIVATE_DOMAIN}`)
traefik.http.routers.authelia.tls.certResolver: le
traefik.http.routers.authelia.entrypoints: websecure
autoheal: "true"
# Homer provides a dashboard for all services. Configured through ./homer/config.yml
homer:
container_name: homer
image: b4bz/homer
restart: always
volumes:
- ./homer:/www/assets
environment:
UID: 1000
GID: 1001
networks:
web:
labels:
traefik.enable: true
traefik.http.routers.homer.rule: Host(`${PRIVATE_DOMAIN}`) || Host(`www.${PRIVATE_DOMAIN}`)
traefik.http.routers.homer.tls.certResolver: le
# Dozzle is an easy way to view docker logs through a web interface
dozzle:
image: amir20/dozzle
restart: always
volumes:
- /var/run/docker.sock:/var/run/docker.sock
networks:
web:
labels:
traefik.enable: true
traefik.http.routers.dozzle.rule: Host(`logs.${PRIVATE_DOMAIN}`)
traefik.http.routers.dozzle.tls.certResolver: le
traefik.http.routers.dozzle.middlewares: auth@file
analytics:
image: gregyankovoy/goaccess
volumes:
- ./analytics:/config
- /var/log/traefik:/opt/log
networks:
web:
labels:
traefik.enable: true
traefik.http.routers.analytics.rule: Host(`analytics.${PRIVATE_DOMAIN}`)
traefik.http.routers.analytics.tls.certResolver: le
traefik.http.routers.analytics.middlewares: auth@file
# whoami-https:
# image: containous/whoami
# networks:
# - web
# labels:
# The following three labels are always needed. Make sure to replace <SERVICE> with a unique name
# traefik.enable: true
# traefik.http.routers.<SERVICE>.tls.certResolver: le
# traefik.http.routers.<SERVICE>.rule: Host(`<SERVICE>.${PRIVATE_DOMAIN}`)
# traefik.http.routers.wait-https.rule: Host(`wai-https.${PRIVATE_DOMAIN}`)
# traefik.http.routers.wait-https.tls.certResolver: le
# Alternatives:
# traefik.http.routers.<SERVICE>.rule: Host(`<SERVICE>.${PUBLIC_DOMAIN}`)
# traefik.http.routers.<SERVICE>.rule: Host(`<SERVICE>.${PRIVATE_DOMAIN}`) || HOST(`<SERVICE>.${PUBLIC_DOMAIN}`)
# Require authentication:
# traefik.http.routers.<SERVICE>.middlewares: auth@file
# If more than one port is exposed by the container:
# traefik.http.services.<SERVICE>.loadbalancer.server.port: <PORT>
# If container uses more than one network:
# traefik.docker.network: web
# Restart automatically if healthchech fails:
# autoheal: "true"
# whoami-auth:
# image: containous/whoami
# networks:
# - web
# labels:
# traefik.enable: true
# traefik.http.routers.wai-auth.rule: Host(`wai-auth.${PRIVATE_DOMAIN}`)
# traefik.http.routers.wai-auth.tls.certResolver: le
# traefik.http.routers.wai-auth.middlewares: auth@file

18
traefik/config/network.yaml
View File

@@ -6,17 +6,10 @@ http:
loadBalancer:
servers:
- url: http://192.168.0.1:80
proxmox:
loadBalancer:
servers:
- url: https://192.168.0.10:8006
prusa:
loadBalancer:
servers:
- url: http://192.168.0.14
- url: http://192.168.0.10:8006
routers:
pfsense:
@@ -26,7 +19,6 @@ http:
- auth
tls:
certResolver: le
proxmox:
service: proxmox
rule: Host(`proxmox.{{ env "PRIVATE_DOMAIN" }}`)
@@ -35,11 +27,3 @@ http:
tls:
certResolver: le
prusa:
service: prusa
rule: Host(`prusa.{{env "PRIVATE_DOMAIN"}}`)
middlewares:
- auth
tls:
certResolver: le

11
traefik/config/security.yaml
View File

@@ -13,8 +13,7 @@ http:
# Catch all requests to the http entrypoint and redirect them to https
service: http-catchall
rule: hostregexp(`{host:.+}`)
entryPoints:
- web
entrypoint: web
middlewares:
- redir
@@ -29,11 +28,3 @@ http:
# Go through authelia for authorization
forwardAuth:
address: http://authelia:9091/api/verify?rd=https://auth.{{ env "PRIVATE_DOMAIN" }}/
trustForwardHeader: true
authResponseHeaders:
- X-Remote-User
- Remote-User
- X-Remote-Groups
- Remote-Groups
tls:
insecureSkipVerify: true

13
traefik/traefik.yaml
View File

@@ -1,9 +1,6 @@
api:
insecure: true
serversTransport:
insecureSkipVerify: true
providers:
file:
directory: /data/config
@@ -12,11 +9,7 @@ providers:
log:
filePath: /data/traefik.log
level: INFO
# level: DEBUG
accessLog:
filePath: /log/access.log
level: DEBUG
entryPoints:
web:
@@ -27,9 +20,7 @@ entryPoints:
certificatesResolvers:
le:
acme:
# email: SET BY ENV VARIABLE TRAEFIK_CERTIFICATERESOLVERS_LE_ACME_EMAIL
email: '{{ env "EMAIL" }}'
storage: /data/acme.json
httpChallenge:
entrypoint: web
# UNCOMMENT NEXT ROW FOR EXPERIMENTATION
# caServer: https://acme-staging-v02.api.letsencrypt.org/directory