initial commit

2023-12-24 18:54:49 +00:00
commit 34cca63376
31 changed files with 1112 additions and 0 deletions
--- a/traefik/.env.example
+++ b/traefik/.env.example
@@ -0,0 +1,26 @@
+# DOMAIN_ROOT is the root domain that this service will register as with Traefik
+DOMAIN_ROOT=domain.tld
+
+# USER_ID is the user id to run the service as. 0 for root
+USER_ID=1000
+
+# GROUP_ID is the group id to run the service as. 0 for root
+GROUP_ID=1000
+
+# TIMEZONE is the timezone the server is in
+TIMZEONE=America/New_York
+
+# CLOUDFLARE_EMAIL is the email for the cloudflare credentials
+CLOUDFLARE_EMAIL=email@address.com
+
+# CLOUDFLARE_KEY is the key for your cloudflare credentials
+CLOUDFLARE_KEY=XXXX
+
+# AUTH_JWT_SECRET is the secret used for authelia's json web tokens.  (can just be a random string)
+AUTH_JWT_SECRET=SOMErandomSTRING
+
+# AUTH_SESSION_SECRET is the secret (random string) used to encrypt session data in redis
+AUTH_SESSION_SECRET=SOMEotherRANDOMstring
+
+# AUTH_STORAGE_KEY is the secret (random string) used to encrypt the data at rest
+AUTH_STORAGE_KEY=ANOTHERrandomSTRING
--- a/traefik/docker-compose.yml
+++ b/traefik/docker-compose.yml
@@ -0,0 +1,87 @@
+---
+version: "3.8"
+services:
+  traefik:
+    image: traefik:latest
+    container_name: traefik
+    hostname: traefik
+
+  
+    environment:
+      - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
+      - CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_KEY}
+      - DOMAIN_ROOT=${DOMAIN_ROOT}
+      
+    ports:
+      - mode: host
+        protocol: tcp
+        published: 80
+        target: 80
+      - mode: host
+        protocol: tcp
+        published: 443
+        target: 443
+
+    volumes:
+      - ./traefik.yml:/etc/traefik/traefik.yml:ro
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+      - certs:/letsencrypt
+
+    networks:
+      - home-proxy
+
+
+    labels:
+      - 'traefik.enable=true'
+      - 'traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN_ROOT}`)'
+      - "traefik.http.routers.traefik.entrypoints=websecure"
+      - 'entrypoints.websecure.http.tls=true'
+      - 'entrypoints.websecure.http.tls.certResolver=letsencrypt'
+      - 'entrypoints.websecure.http.tls.domains[0].main=${DOMAIN_ROOT}'
+      - 'entrypoints.websecure.http.tls.domains[0].sans=*.${DOMAIN_ROOT}'
+      - "traefik.http.routers.traefik.service=api@internal"
+      - 'traefik.http.routers.traefik.middlewares=strip'
+      - 'traefik.http.middlewares.strip.stripprefix.prefixes=/traefik'
+      - 'traefik.http.services.traefik.loadbalancer.server.port=8080'
+      - 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https://login.${DOMAIN_ROOT}/'
+      - 'traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true'
+      - 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
+      - 'certificatesresolvers.letsencrypt.acme.dnschallenge=true'
+      - 'certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare'
+      - 'certificatesresolvers.letsencrypt.acme.email=${CLOUDFLARE_EMAIL}'
+      - 'certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json'
+
+
+
+  authelia:
+    image: docker.io/authelia/authelia:latest
+    container_name: authelia
+    restart: unless-stopped
+    networks:
+      - home-proxy
+    environment:
+      - TZ=${TIMEZONE}
+      - AUTHELIA_JWT_SECRET=${AUTH_JWT_SECRET}
+      - AUTHELIA_SESSION_SECRET=${AUTH_SESSION_SECRET}
+      - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTH_STORAGE_KEY}
+      - DOMAIN_ROOT=${DOMAIN_ROOT}
+
+    volumes:
+      - authelia_config:/config
+
+    labels:
+      - 'traefik.enable=true'
+      - 'traefik.http.routers.authelia.rule=Host(`login.${DOMAIN_ROOT}`)'
+      - 'traefik.http.services.authelia.loadbalancer.server.port=9091'
+
+volumes:
+  certs:
+    external: true
+
+  authelia_config:
+    external: true
+
+    
+networks:
+  home-proxy:
+    external: true
--- a/traefik/traefik.yml.example
+++ b/traefik/traefik.yml.example