From b5c0439b04196d00fddcc89a019c101590432cc2 Mon Sep 17 00:00:00 2001 From: Amar Saljic Date: Sun, 26 Oct 2025 11:44:32 +0100 Subject: [PATCH] Changed folder structure; added authelia config files --- .gitignore | 1 + homelab/applications/authelia/compose.yaml | 23 +++ .../authelia/config/configuration.yml | 63 +++++++ .../authelia/config/users_database.yml | 0 homelab/applications/caddy/Caddyfile | 23 +++ homelab/applications/caddy/caddy.json | 155 ++++++++++++++++++ homelab/mikrotik/README.md | 1 + .../mikrotik}/arp-monitor.rsc | 0 homelab/mikrotik/config.toml | 39 +++++ homelab/mikrotik/mqtt.rsc | 15 ++ homelab/vps/wg_monitor.sh | 86 ++++++++++ 11 files changed, 406 insertions(+) create mode 100644 homelab/applications/authelia/compose.yaml create mode 100644 homelab/applications/authelia/config/configuration.yml create mode 100644 homelab/applications/authelia/config/users_database.yml create mode 100644 homelab/applications/caddy/Caddyfile create mode 100644 homelab/applications/caddy/caddy.json create mode 100644 homelab/mikrotik/README.md rename {mikrotik => homelab/mikrotik}/arp-monitor.rsc (100%) create mode 100644 homelab/mikrotik/config.toml create mode 100644 homelab/mikrotik/mqtt.rsc create mode 100644 homelab/vps/wg_monitor.sh diff --git a/.gitignore b/.gitignore index e43b0f9..e991c1f 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ .DS_Store +*/secrets diff --git a/homelab/applications/authelia/compose.yaml b/homelab/applications/authelia/compose.yaml new file mode 100644 index 0000000..cfd72b0 --- /dev/null +++ b/homelab/applications/authelia/compose.yaml @@ -0,0 +1,23 @@ +services: + authelia: + image: authelia/authelia:latest + container_name: authelia + volumes: + # Config files are still mounted as volumes + - ./config/configuration.yml:/config/configuration.yml:ro + - ./config/users_database.yml:/config/users_database.yml:ro + + # Persistent SQLite database directory + - ./db:/config/db + ports: + - '9091:9091' + environment: + - TZ=Etc/UTC + + restart: always + healthcheck: + test: ["CMD", "authelia", "healthcheck"] + interval: 5s + timeout: 5s + retries: 5 + start_period: 5s \ No newline at end of file diff --git a/homelab/applications/authelia/config/configuration.yml b/homelab/applications/authelia/config/configuration.yml new file mode 100644 index 0000000..0e50cdd --- /dev/null +++ b/homelab/applications/authelia/config/configuration.yml @@ -0,0 +1,63 @@ +server: + host: 0.0.0.0 + port: 9091 + endpoints: + authz: + forward-auth: + implementation: 'ForwardAuth' + +log: + level: info + +# --- Storage --- +storage: + sqlite: + path: /config/db/authelia.sqlite.db + +# --- Authentication --- +authentication_backend: + file: + path: /config/users_database.yml + password: + algorithm: argon2id + iterations: 1 + memory: 2097152 + parallelism: 4 + salt_length: 16 + key_length: 32 + password_reset: + disable: true + password_change: + disable: false + +# --- Session --- +session: + cookies: + - domain: 'saljic.me' + authelia_url: 'https://auth.saljic.me' + default_redirection_url: 'https://auth.saljic.me' + # name: authelia_session + # expiration: 1h + # inactivity: 5m + +# --- Notifier (No Mail) --- +notifier: + filesystem: + filename: /config/db/notifications.log + +# --- Access Control --- +access_control: + default_policy: deny + rules: + - domain: "*.saljic.me" + policy: one_factor + +# --- Password policies --- +password_policy: + standard: + enabled: true + min_length: 8 + require_uppercase: true + require_lowercase: true + require_number: true + require_special: true \ No newline at end of file diff --git a/homelab/applications/authelia/config/users_database.yml b/homelab/applications/authelia/config/users_database.yml new file mode 100644 index 0000000..e69de29 diff --git a/homelab/applications/caddy/Caddyfile b/homelab/applications/caddy/Caddyfile new file mode 100644 index 0000000..5c83aeb --- /dev/null +++ b/homelab/applications/caddy/Caddyfile @@ -0,0 +1,23 @@ +# --- Authelia Portal --- +# This is the login page itself. It does NOT have forward_auth. +auth.saljic.me { + # Proxy to the Authelia Docker container on port 9091 + reverse_proxy localhost:9091 +} + +# --- Home Assistant (Protected App) --- +ha.saljic.me { + # 1. Apply authentication using Caddy's 'forward_auth' + forward_auth localhost:9091 { + uri /api/authz/forward-auth + copy_headers Remote-User Remote-Groups Remote-Name Remote-Email + } + + # 2. If auth is successful, proxy to your Home Assistant instance + reverse_proxy 10.10.10.6:8123 +} + +# --- Immich --- +tagebuch.saljic.me { + reverse_proxy 10.10.10.6:2283 +} \ No newline at end of file diff --git a/homelab/applications/caddy/caddy.json b/homelab/applications/caddy/caddy.json new file mode 100644 index 0000000..b2f88c7 --- /dev/null +++ b/homelab/applications/caddy/caddy.json @@ -0,0 +1,155 @@ +{ + "admin": { + "listen": "127.0.0.1:2019" + }, + "apps": { + "http": { + "servers": { + "srv0": { + "listen": [ + ":443" + ], + "logs": { + "default_logger_name": "default" + }, + "routes": [ + { + "handle": [ + { + "handler": "reverse_proxy", + "upstreams": [ + { + "dial": "10.10.10.6:8123" + } + ] + } + ], + "match": [ + { + "host": [ + "ha.saljic.me" + ], + "remote_ip": { + "ranges": [ + "217.82.27.57" + ] + } + } + ] + }, + { + "handle": [ + { + "error": "Unauthorized", + "handler": "error", + "status_code": "401" } + ], + "match": [ + { + "host": [ + "ha.saljic.me" + ], + "not": [ + { + "remote_ip": { + "ranges": [ + "217.82.27.57" + ] + } + } + ] + } + ] + }, + { + "handle": [ + { + "handler": "reverse_proxy", + "upstreams": [ + { + "dial": "10.10.10.6:8000" + } + ] + } + ], + "match": [ + { + "host": [ + "baby.saljic.me" + ], + "remote_ip": { + "ranges": [ + "217.82.27.57" + ] + } + } + ] + }, + { "handle": [ + { + "error": "Unauthorized", + "handler": "error", + "status_code": "401" + } + ], + "match": [ + { + "host": [ + "baby.saljic.me" + ], + "not": [ + { + "remote_ip": { + "ranges": [ + "217.82.27.57" + ] + } + } + ] + } + ] + }, + { + "handle": [ + { + "handler": "reverse_proxy", + "upstreams": [ + { + "dial": "10.10.10.6:2283" + } + ] + } + ], + "match": [ + { + "host": [ + "tagebuch.saljic.me" + ] + } + ] + } + ] + } + } + } + }, + "logging": { + "logs": { + "default": { + "encoder": { + "format": "json" + }, + "level": "INFO", + "writer": { + "filename": "/var/log/caddy/access.log", + "output": "file", + "roll_gzip": false, + "roll_keep": 5, + "roll_keep_days": 60, + "roll_local_time": false, + "roll_size_mb": 100 + } + } + } + } +} \ No newline at end of file diff --git a/homelab/mikrotik/README.md b/homelab/mikrotik/README.md new file mode 100644 index 0000000..16d1d2b --- /dev/null +++ b/homelab/mikrotik/README.md @@ -0,0 +1 @@ +Installation instructions for Bonjour reflection: https://github.com/nberlee/bonjour-reflector/blob/main/docs/RouterOS/README.md \ No newline at end of file diff --git a/mikrotik/arp-monitor.rsc b/homelab/mikrotik/arp-monitor.rsc similarity index 100% rename from mikrotik/arp-monitor.rsc rename to homelab/mikrotik/arp-monitor.rsc diff --git a/homelab/mikrotik/config.toml b/homelab/mikrotik/config.toml new file mode 100644 index 0000000..a02ee65 --- /dev/null +++ b/homelab/mikrotik/config.toml @@ -0,0 +1,39 @@ +net_interface = "eth0" + +[devices] + + [devices."B0:22:7A:91:01:CB"] + description = "HP Printer" + origin_pool = 10 + shared_pools = [30] + + [devices."48:A6:B8:A5:BC:7E"] + description = "Sonos One #1" + origin_pool = 10 + shared_pools = [30] + + [devices."48:A6:B8:A5:BB:7C"] + description = "Sonos One #2" + origin_pool = 10 + shared_pools = [30] + + [devices."48:A6:B8:B0:4C:80"] + description = "Sonos Arc" + origin_pool = 10 + shared_pools = [30] + + [devices."F0:B3:EC:05:48:3D"] + description = "Apple TV" + origin_pool = 10 + shared_pools = [30] + +[vlan] + + [vlan.10] + ip_source = "10.10.10.2" + + [vlan.20] + ip_source = "10.10.20.2" + + [vlan.30] + ip_source = "10.10.30.2" \ No newline at end of file diff --git a/homelab/mikrotik/mqtt.rsc b/homelab/mikrotik/mqtt.rsc new file mode 100644 index 0000000..d6fa426 --- /dev/null +++ b/homelab/mikrotik/mqtt.rsc @@ -0,0 +1,15 @@ +:local cpuLoad [/system/resource/get cpu-load] +:local cpuTemperature [/system health get [find name="temperature"] value] + +:local sfp1Info [/interface ethernet monitor sfp-sfpplus1 once as-value] +:local sfpTemperature ($sfp1Info->"sfp-temperature") + +:local pppoeClientInfo [/interface pppoe-client monitor [find name="pppoe-telekom"] once as-value] +:local pppoeUptime ($pppoeClientInfo->"uptime") + +:local totalRAM [/system/resource/get total-memory] +:local freeRAM [/system/resource/get free-memory] +:local usedRAM ($totalRAM - $freeRAM) +:local ramUtilization (($usedRAM * 100) / $totalRAM) + +/iot mqtt publish message="{\"cpu\": \"$cpuLoad\", \"ram\": \"$ramUtilization\", \"cpu_temp\": \"$cpuTemperature\", \"sfp_temp\": \"$sfpTemperature\", \"pppoe_telekom_uptime\": \"$pppoeUptime\"}" broker="mosquitto" topic="mikrotik-info" \ No newline at end of file diff --git a/homelab/vps/wg_monitor.sh b/homelab/vps/wg_monitor.sh new file mode 100644 index 0000000..4d43c08 --- /dev/null +++ b/homelab/vps/wg_monitor.sh @@ -0,0 +1,86 @@ +#!/bin/bash + +# IP address to ping +IP="10.10.10.6" + +# Number of ping attempts +COUNT=5 + +# Log file +LOG_FILE="/var/log/wg_monitor.log" + +# Function to log messages with timestamp +log_message() { + # Create log file if it doesn't exist and set proper permissions + if [ ! -f "$LOG_FILE" ]; then + touch "$LOG_FILE" + chmod 644 "$LOG_FILE" + fi + local message="$(date '+%Y-%m-%d %H:%M:%S') - $1" + echo "$message" >> "$LOG_FILE" + echo "$message" # Also print to console for debugging +} + +# Always log script start +log_message "Script started - pinging $IP" + +# Ping the IP address +echo "Executing ping command..." +ping_result=$(ping -c $COUNT -W 5 $IP 2>&1) +exit_code=$? + +echo "Ping exit code: $exit_code" +echo "Ping result:" +echo "$ping_result" + +# Check if ping failed completely +if [ $exit_code -eq 1 ]; then + log_message "Ping failed with exit code 1" + + # Extract packet loss percentage + packet_loss=$(echo "$ping_result" | grep -o '[0-9]*% packet loss' | grep -o '[0-9]*') + + echo "Packet loss: $packet_loss%" + log_message "Packet loss detected: $packet_loss%" + + # If 100% packet loss, restart WireGuard + if [ "$packet_loss" = "100" ]; then + log_message "100% packet loss detected for $IP. Restarting WireGuard interface wg0..." + + # Stop WireGuard interface + echo "Stopping WireGuard..." + /usr/bin/wg-quick down wg0 + down_result=$? + + if [ $down_result -eq 0 ]; then + log_message "WireGuard interface wg0 stopped successfully" + else + log_message "Failed to stop WireGuard interface wg0 (exit code: $down_result)" + fi + + sleep 2 + + # Start WireGuard interface + echo "Starting WireGuard..." + /usr/bin/wg-quick up wg0 + up_result=$? + + if [ $up_result -eq 0 ]; then + log_message "WireGuard interface wg0 started successfully" + else + log_message "Failed to start WireGuard interface wg0 (exit code: $up_result)" + fi + else + log_message "Ping failed but not 100% packet loss ($packet_loss%)" + fi +elif [ $exit_code -eq 0 ]; then + # Ping successful + log_message "Ping to $IP successful" + echo "Ping successful" +else + log_message "Ping command failed with exit code $exit_code" + echo "Ping failed with exit code $exit_code" +fi + +log_message "Script completed" +echo "Script completed" \ No newline at end of file