Changed folder structure; added authelia config files
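--- a/homelab/applications/authelia/compose.yaml
+++ b/homelab/applications/authelia/compose.yaml
@@ -0,0 +1,23 @@
+services:
+  authelia:
+    image: authelia/authelia:latest
+    container_name: authelia
+    volumes:
+      # Config files are still mounted as volumes
+      - ./config/configuration.yml:/config/configuration.yml:ro
+      - ./config/users_database.yml:/config/users_database.yml:ro
+
+      # Persistent SQLite database directory
+      - ./db:/config/db
+    ports:
+      - '9091:9091'
+    environment:
+      - TZ=Etc/UTC
+
+    restart: always
+    healthcheck:
+      test: ["CMD", "authelia", "healthcheck"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+      start_period: 5s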
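Review bot: `- '9091:9091'` publishes Authelia on every host interface, while the Caddyfile in this commit only ever reaches it through `localhost:9091`; binding the mapping to loopback, `- '127.0.0.1:9091:9091'`, keeps the portal and its `/api/authz/forward-auth` endpoint from being reachable directly from the LAN without Caddy's TLS in front. `image: authelia/authelia:latest` is a floating tag, so any `compose pull` can move the authentication layer to a different release unnoticed; pinning a version tag (or a digest) makes that upgrade a reviewed change. The only environment passed in is `TZ`, so if the Authelia secrets are meant to arrive as `AUTHELIA_*_FILE` variables or Docker secrets, that wiring is still missing from this file.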
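--- a/homelab/applications/authelia/config/configuration.yml
+++ b/homelab/applications/authelia/config/configuration.yml
@@ -0,0 +1,63 @@
+server:
+  host: 0.0.0.0
+  port: 9091
+  endpoints:
+    authz:
+      forward-auth:
+        implementation: 'ForwardAuth'
+
+log:
+  level: info
+
+# --- Storage ---
+storage:
+  sqlite:
+    path: /config/db/authelia.sqlite.db
+
+# --- Authentication ---
+authentication_backend:
+  file:
+    path: /config/users_database.yml
+    password:
+      algorithm: argon2id
+      iterations: 1
+      memory: 2097152
+      parallelism: 4
+      salt_length: 16
+      key_length: 32
+  password_reset:
+    disable: true
+  password_change:
+    disable: false
+
+# --- Session ---
+session:
+  cookies:
+    - domain: 'saljic.me'
+      authelia_url: 'https://auth.saljic.me'
+      default_redirection_url: 'https://auth.saljic.me'
+      # name: authelia_session
+      # expiration: 1h
+      # inactivity: 5m
+
+# --- Notifier (No Mail) ---
+notifier:
+  filesystem:
+    filename: /config/db/notifications.log
+
+# --- Access Control ---
+access_control:
+  default_policy: deny
+  rules:
+    - domain: "*.saljic.me"
+      policy: one_factor
+
+# --- Password policies ---
+password_policy:
+  standard:
+    enabled: true
+    min_length: 8
+    require_uppercase: true
+    require_lowercase: true
+    require_number: true
+    require_special: true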
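Review bot: The file sets neither `session.secret` nor `storage.encryption_key`, and the compose file in this commit passes only `TZ` into the container, so unless those values are injected another way (for example `AUTHELIA_SESSION_SECRET_FILE` / `AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE` or a Docker secret) Authelia's config validation will refuse to start; keeping them out of a committed file is correct, but the injection path should be stated here, e.g. `# session.secret and storage.encryption_key are supplied via AUTHELIA_*_FILE env vars, never committed`. `server.host` / `server.port` is the older form; recent releases expect `server.address: 'tcp://:9091/'` and warn on the old keys, which matters because compose pulls `latest`. The `default_policy: deny` plus a single `*.saljic.me` one_factor rule reads well, but note that `tagebuch.saljic.me` is never routed through forward-auth by the Caddyfile, so this rule only applies to hosts that are.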
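--- a/homelab/applications/caddy/Caddyfile
+++ b/homelab/applications/caddy/Caddyfile
@@ -0,0 +1,23 @@
+# --- Authelia Portal ---
+# This is the login page itself. It does NOT have forward_auth.
+auth.saljic.me {
+    # Proxy to the Authelia Docker container on port 9091
+    reverse_proxy localhost:9091
+}
+
+# --- Home Assistant (Protected App) ---
+ha.saljic.me {
+    # 1. Apply authentication using Caddy's 'forward_auth'
+    forward_auth localhost:9091 {
+        uri /api/authz/forward-auth
+        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+    }
+
+    # 2. If auth is successful, proxy to your Home Assistant instance
+    reverse_proxy 10.10.10.6:8123
+}
+
+# --- Immich ---
+tagebuch.saljic.me {
+    reverse_proxy 10.10.10.6:2283
+}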
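Review bot: `tagebuch.saljic.me` is the only protected-looking host with no `forward_auth` block, so Immich is published straight to the internet with nothing in front of it except Immich's own login; if that is deliberate (presumably so the Immich clients can reach the API directly), say so in place of the bare `# --- Immich ---` header, e.g. `# Intentionally no forward_auth: Immich clients authenticate against Immich itself`, otherwise the gap reads as an omission. In the `ha.saljic.me` block, Home Assistant will only accept proxied traffic if its own `http:` section trusts this proxy (`use_x_forwarded_for` / `trusted_proxies`), which is outside this commit but worth a one-line comment next to `reverse_proxy 10.10.10.6:8123`. This file also describes a different policy from `caddy.json` in the same commit, which has no Authelia route at all; only one of them can be the one Caddy loads.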
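--- a/homelab/applications/caddy/caddy.json
+++ b/homelab/applications/caddy/caddy.json
@@ -0,0 +1,155 @@
+{
+  "admin": {
+    "listen": "127.0.0.1:2019"
+  },
+  "apps": {
+    "http": {
+      "servers": {
+        "srv0": {
+          "listen": [
+            ":443"
+          ],
+          "logs": {
+            "default_logger_name": "default"
+          },
+          "routes": [
+            {
+              "handle": [
+                {
+                  "handler": "reverse_proxy",
+                  "upstreams": [
+                    {
+                      "dial": "10.10.10.6:8123"
+                    }
+                  ]
+                }
+              ],
+              "match": [
+                {
+                  "host": [
+                    "ha.saljic.me"
+                  ],
+                  "remote_ip": {
+                    "ranges": [
+                      "217.82.27.57"
+                    ]
+                  }
+                }
+              ]
+            },
+            {
+              "handle": [
+                {
+                  "error": "Unauthorized",
+                  "handler": "error",
+                  "status_code": "401" }
+              ],
+              "match": [
+                {
+                  "host": [
+                    "ha.saljic.me"
+                  ],
+                  "not": [
+                    {
+                      "remote_ip": {
+                        "ranges": [
+                          "217.82.27.57"
+                        ]
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "handle": [
+                {
+                  "handler": "reverse_proxy",
+                  "upstreams": [
+                    {
+                      "dial": "10.10.10.6:8000"
+                    }
+                  ]
+                }
+              ],
+              "match": [
+                {
+                  "host": [
+                    "baby.saljic.me"
+                  ],
+                  "remote_ip": {
+                    "ranges": [
+                      "217.82.27.57"
+                    ]
+                  }
+                }
+              ]
+            },
+            { "handle": [
+                {
+                  "error": "Unauthorized",
+                  "handler": "error",
+                  "status_code": "401"
+                }
+              ],
+              "match": [
+                {
+                  "host": [
+                    "baby.saljic.me"
+                  ],
+                  "not": [
+                    {
+                      "remote_ip": {
+                        "ranges": [
+                          "217.82.27.57"
+                        ]
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "handle": [
+                {
+                  "handler": "reverse_proxy",
+                  "upstreams": [
+                    {
+                      "dial": "10.10.10.6:2283"
+                    }
+                  ]
+                }
+              ],
+              "match": [
+                {
+                  "host": [
+                    "tagebuch.saljic.me"
+                  ]
+                }
+              ]
+            }
+          ]
+        }
+      }
+    }
+  },
+  "logging": {
+    "logs": {
+      "default": {
+        "encoder": {
+          "format": "json"
+        },
+        "level": "INFO",
+        "writer": {
+          "filename": "/var/log/caddy/access.log",
+          "output": "file",
+          "roll_gzip": false,
+          "roll_keep": 5,
+          "roll_keep_days": 60,
+          "roll_local_time": false,
+          "roll_size_mb": 100
+        }
+      }
+    }
+  }
+}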
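Review bot: This JSON config contains no route for `auth.saljic.me` and no forward-auth handler, so if it is the file Caddy actually loads, the Authelia stack added in the same commit is never in the request path and `ha.saljic.me` / `baby.saljic.me` are gated only by the single source address `217.82.27.57`, while `tagebuch.saljic.me` is open; which of `Caddyfile` and `caddy.json` is authoritative needs to be decided and the other removed, since JSON cannot carry a comment saying so. The same `"remote_ip"` allowlist is pasted four times, so a change to that one address has to be made in four places, and if it is a residential address it will rotate and silently lock out or — worse, after reassignment — admit the wrong client. The deny routes return `"status_code": "401"` for an IP-based rejection, where 403 describes the decision better; 401 implies a credential could be supplied, which this config offers no way to do.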