diff --git a/nuc/cloudflare-dns/.gitignore b/nuc/cloudflare-dns/.gitignore
new file mode 100644
index 0000000..0cffcb3
--- /dev/null
+++ b/nuc/cloudflare-dns/.gitignore
@@ -0,0 +1 @@
+config.json
\ No newline at end of file
diff --git a/nuc/cloudflare-dns/config.json.example b/nuc/cloudflare-dns/config.json.example
new file mode 100644
index 0000000..905fcec
--- /dev/null
+++ b/nuc/cloudflare-dns/config.json.example
@@ -0,0 +1,25 @@
+{
+ "cloudflare": [
+ {
+ "authentication": {
+ "api_token": "api_token_here", // Either api_token or api_key
+ "api_key": {
+ "api_key": "api_key_here",
+ "account_email": "email@address.com"
+ }
+ },
+ "zone_id": "XXXXX",
+ "zone_friendly": "domain.tld",
+ "subdomains": [
+ {
+ "name": "home",
+ "proxied": false
+ }
+ ]
+ }
+ ],
+ "a": true,
+ "aaaa": true,
+ "purgeUnknownRecords": false,
+ "ttl": 300
+ }
\ No newline at end of file
diff --git a/nuc/cloudflare-dns/docker-compose.yml b/nuc/cloudflare-dns/docker-compose.yml
new file mode 100644
index 0000000..d8e234c
--- /dev/null
+++ b/nuc/cloudflare-dns/docker-compose.yml
@@ -0,0 +1,14 @@
+version: '3.9'
+services:
+ cloudflare-ddns:
+ image: timothyjmiller/cloudflare-ddns:latest
+ container_name: cloudflare-ddns
+ security_opt:
+ - no-new-privileges:true
+ network_mode: 'host'
+ environment:
+ - PUID=1000
+ - PGID=1000
+ volumes:
+ - ./config.json:/config.json
+ restart: unless-stopped
\ No newline at end of file
diff --git a/nuc/dns-server/.env.example b/nuc/dns-server/.env.example
new file mode 100644
index 0000000..1539c55
--- /dev/null
+++ b/nuc/dns-server/.env.example
@@ -0,0 +1,5 @@
+# DOMAIN_ROOT is the root domain that this service will register as with Traefik
+DOMAIN_ROOT=domain.tld
+
+# WEB_UI_PASSWORD is the password for the web ui interface. If unset, it will be randomly generated and retrievable from the logs.
+WEB_UI_PASSWORD=password
diff --git a/nuc/dns-server/docker-compose.yml b/nuc/dns-server/docker-compose.yml
new file mode 100644
index 0000000..3273299
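Review bot: The `// Either api_token or api_key` remark on the `api_token` line makes this example invalid JSON, so copying it to config.json (the path the compose file mounts) will fail to parse unless the consumer happens to strip comments. Drop the comment from the file — the line becomes `"api_token": "api_token_here",` — and keep the hint in a README or commit message instead. Since both an `api_token` and a global `api_key` block are offered, it is also worth stating next to them that a zone-scoped token is the one to fill in when it is available, leaving the `api_key` block empty.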
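Review bot: `./config.json:/config.json` is mounted read-write although the container only needs to read the credential file; `- ./config.json:/config.json:ro` keeps a compromised process from rewriting it. `image: timothyjmiller/cloudflare-ddns:latest` together with `network_mode: 'host'` means any unreviewed image update runs with host networking and the Cloudflare credentials, so a pinned tag or digest is preferable. `version: '3.9'` is ignored by current Compose releases and can be dropped.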
--- /dev/null
+++ b/nuc/dns-server/docker-compose.yml
@@ -0,0 +1,67 @@
+version: "3"
+services:
+ dns-server:
+ container_name: dns-server
+ hostname: dns-server
+ image: technitium/dns-server:latest
+ # For DHCP deployments, use "host" network mode and remove all the port mappings, including the ports array by commenting them
+ # network_mode: "host"
+ ports:
+ # - "5380:5380/tcp" #DNS web console (HTTP)
+ # - "53443:53443/tcp" #DNS web console (HTTPS)
+ - "53:53/udp" #DNS service
+ - "53:53/tcp" #DNS service
+ # - "853:853/udp" #DNS-over-QUIC service
+ # - "853:853/tcp" #DNS-over-TLS service
+ # - "443:443/udp" #DNS-over-HTTPS service (HTTP/3)
+ # - "443:443/tcp" #DNS-over-HTTPS service (HTTP/1.1, HTTP/2)
+ # - "80:80/tcp" #DNS-over-HTTP service (use with reverse proxy or certbot certificate renewal)
+ # - "8053:8053/tcp" #DNS-over-HTTP service (use with reverse proxy)
+ # - "67:67/udp" #DHCP service
+ environment:
+ - DOMAIN_ROOT=${DOMAIN_ROOT} #The root domain name used by this DNS Server to identify itself.
+ - DNS_SERVER_DOMAIN=dns.${DOMAIN_ROOT} #The primary domain name used by this DNS Server to identify itself.
+ # - DNS_SERVER_ADMIN_PASSWORD=${WEB_UI_PASSWORD} #DNS web console admin user password.
+ # - DNS_SERVER_ADMIN_PASSWORD_FILE=password.txt #The path to a file that contains a plain text password for the DNS web console admin user.
+ # - DNS_SERVER_PREFER_IPV6=false #DNS Server will use IPv6 for querying whenever possible with this option enabled.
+ # - DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 #The TCP port number for the DNS web console over HTTP protocol.
+ # - DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol.
+ # - DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false #Enables HTTPS for the DNS web console.
+ # - DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false #Enables self signed TLS certificate for the DNS web console.
+ # - DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false #Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx.
+ # - DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks #Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworks.
+ # - DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24 #Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworks` recursion option.
+ # - DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24 #Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworks` recursion option.
+ # - DNS_SERVER_ENABLE_BLOCKING=false #Sets the DNS server to block domain names using Blocked Zone and Block List Zone.
+ # - DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false #Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests.
+ # - DNS_SERVER_BLOCK_LIST_URLS= #A comma separated list of block list URLs.
+ # - DNS_SERVER_FORWARDERS=1.1.1.1, 8.8.8.8 #Comma separated list of forwarder addresses.
+ # - DNS_SERVER_FORWARDER_PROTOCOL=Tcp #Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson.
+ # - DNS_SERVER_LOG_USING_LOCAL_TIME=true #Enable this option to use local time instead of UTC for logging.
+
+ labels:
+ - 'traefik.enable=true'
+ - 'traefik.http.routers.dns-server.rule=Host(`dns.${DOMAIN_ROOT}`)'
+ - 'traefik.http.middlewares.dns-server.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.${DOMAIN_ROOT}/' # yamllint disable-line rule:line-length
+ - 'traefik.http.middlewares.dns-server.forwardauth.trustForwardHeader=true'
+ - 'traefik.http.middlewares.dns-server.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' # yamllint disable-line rule:line-length
+ - 'traefik.http.services.dns-server.loadbalancer.server.port=5380'
+
+ volumes:
+ - dns-config:/etc/dns
+ restart: unless-stopped
+ sysctls:
+ - net.ipv4.ip_local_port_range=1024 65000
+
+ networks:
+ - web
+
+volumes:
+ dns-config:
+ name: dns-config
+ driver: local
+
+
+networks:
+ web:
+ external: true
diff --git a/nuc/mort/docker-compose.yml b/nuc/mort/docker-compose.yml
index eb66647..be70f60 100644
--- a/nuc/mort/docker-compose.yml
+++ b/nuc/mort/docker-compose.yml
@@ -33,7 +33,7 @@ services:
 labels:
 - "traefik.enable=true"
 - "traefik.http.services.bobross-receiver-mort.loadbalancer.server.port=8080"
- - "traefik.http.routers.bobross-receiver-mort.rule=Host(`bobross-receiver-mort.dudenhoeffer.casa`)"
+ - "traefik.http.routers.bobross-receiver-mort.rule=Host(`bobross-receiver-mort.dudenhoeffer.casa`) || Host(`mort.dudenhoeffer.casa`)"
 - 'traefik.http.routers.bobross-receiver-mort.middlewares=authelia@docker'
 extra_hosts:
diff --git a/pi/dns-server/.env.example b/pi/dns-server/.env.example
new file mode 100644
index 0000000..1539c55
--- /dev/null
+++ b/pi/dns-server/.env.example
@@ -0,0 +1,5 @@
+# DOMAIN_ROOT is the root domain that this service will register as with Traefik
+DOMAIN_ROOT=domain.tld
+
+# WEB_UI_PASSWORD is the password for the web ui interface. If unset, it will be randomly generated and retrievable from the logs.
+WEB_UI_PASSWORD=password
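Review bot: The `traefik.http.middlewares.dns-server.forwardauth.*` labels define an Authelia middleware, but no `traefik.http.routers.dns-server.middlewares=dns-server` label attaches it to the router, so whether `dns.${DOMAIN_ROOT}` reaches the web console on 5380 unauthenticated depends on entrypoint-level middleware configured outside this file; the nuc/mort hunk in this same commit shows the router-level label form. `DNS_SERVER_ADMIN_PASSWORD=${WEB_UI_PASSWORD}` is commented out, so the `WEB_UI_PASSWORD` that .env.example documents is never applied and the console keeps whatever password the image assigns. `image: technitium/dns-server:latest` on a service publishing port 53 would benefit from a pinned tag. The same points apply to the pi/dns-server/docker-compose.yml hunk below.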
diff --git a/pi/dns-server/docker-compose.yml b/pi/dns-server/docker-compose.yml
new file mode 100644
index 0000000..f3db66b
--- /dev/null
+++ b/pi/dns-server/docker-compose.yml
@@ -0,0 +1,67 @@
+version: "3"
+services:
+ dns-server:
+ container_name: dns-server
+ hostname: dns-server
+ image: technitium/dns-server:latest
+ # For DHCP deployments, use "host" network mode and remove all the port mappings, including the ports array by commenting them
+ # network_mode: "host"
+ ports:
+ # - "5380:5380/tcp" #DNS web console (HTTP)
+ # - "53443:53443/tcp" #DNS web console (HTTPS)
+ - "53:53/udp" #DNS service
+ - "53:53/tcp" #DNS service
+ # - "853:853/udp" #DNS-over-QUIC service
+ # - "853:853/tcp" #DNS-over-TLS service
+ # - "443:443/udp" #DNS-over-HTTPS service (HTTP/3)
+ # - "443:443/tcp" #DNS-over-HTTPS service (HTTP/1.1, HTTP/2)
+ # - "80:80/tcp" #DNS-over-HTTP service (use with reverse proxy or certbot certificate renewal)
+ # - "8053:8053/tcp" #DNS-over-HTTP service (use with reverse proxy)
+ # - "67:67/udp" #DHCP service
+ environment:
+ - DOMAIN_ROOT=${DOMAIN_ROOT} #The root domain name used by this DNS Server to identify itself.
+ - DNS_SERVER_DOMAIN=dns.pi.dudenhoeffer.casa #The primary domain name used by this DNS Server to identify itself.
+ # - DNS_SERVER_ADMIN_PASSWORD=${WEB_UI_PASSWORD} #DNS web console admin user password.
+ # - DNS_SERVER_ADMIN_PASSWORD_FILE=password.txt #The path to a file that contains a plain text password for the DNS web console admin user.
+ # - DNS_SERVER_PREFER_IPV6=false #DNS Server will use IPv6 for querying whenever possible with this option enabled.
+ # - DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 #The TCP port number for the DNS web console over HTTP protocol.
+ # - DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol.
+ # - DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false #Enables HTTPS for the DNS web console.
+ # - DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false #Enables self signed TLS certificate for the DNS web console.
+ # - DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false #Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx.
+ # - DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks #Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworks.
+ # - DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24 #Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworks` recursion option.
+ # - DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24 #Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworks` recursion option.
+ # - DNS_SERVER_ENABLE_BLOCKING=false #Sets the DNS server to block domain names using Blocked Zone and Block List Zone.
+ # - DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false #Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests.
+ # - DNS_SERVER_BLOCK_LIST_URLS= #A comma separated list of block list URLs.
+ # - DNS_SERVER_FORWARDERS=1.1.1.1, 8.8.8.8 #Comma separated list of forwarder addresses.
+ # - DNS_SERVER_FORWARDER_PROTOCOL=Tcp #Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson.
+ # - DNS_SERVER_LOG_USING_LOCAL_TIME=true #Enable this option to use local time instead of UTC for logging.
+
+ labels:
+ - 'traefik.enable=true'
+ - 'traefik.http.routers.dns-server.rule=Host(`dns.${DOMAIN_ROOT}`)'
+ - 'traefik.http.middlewares.dns-server.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.${DOMAIN_ROOT}/' # yamllint disable-line rule:line-length
+ - 'traefik.http.middlewares.dns-server.forwardauth.trustForwardHeader=true'
+ - 'traefik.http.middlewares.dns-server.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' # yamllint disable-line rule:line-length
+ - 'traefik.http.services.dns-server.loadbalancer.server.port=5380'
+
+ volumes:
+ - dns-config:/etc/dns
+ restart: unless-stopped
+ sysctls:
+ - net.ipv4.ip_local_port_range=1024 65000
+
+ networks:
+ - web
+
+volumes:
+ dns-config:
+ name: dns-config
+ driver: local
+
+
+networks:
+ web:
+ external: true
diff --git a/pi/traefik/.env.example b/pi/traefik/.env.example
new file mode 100644
index 0000000..1cae42d
--- /dev/null
+++ b/pi/traefik/.env.example
@@ -0,0 +1,18 @@
+# DOMAIN_ROOT is the root domain that this service will register as with Traefik
+DOMAIN_ROOT=domain.tld
+
+# USER_ID is the user id to run the service as. 0 for root
+USER_ID=1000
+
+# GROUP_ID is the group id to run the service as. 0 for root
+GROUP_ID=1000
+
+# TIMEZONE is the timezone the server is in
+TIMEZONE=America/New_York
+
+# CLOUDFLARE_EMAIL is the email for the cloudflare credentials
+CLOUDFLARE_EMAIL=email@address.com
+
+# CLOUDFLARE_KEY is the key for your cloudflare credentials
+CLOUDFLARE_KEY=XXXX
+
diff --git a/pi/traefik/config/.gitignore b/pi/traefik/config/.gitignore
new file mode 100644
index 0000000..c3ca83e
--- /dev/null
+++ b/pi/traefik/config/.gitignore
@@ -0,0 +1,2 @@
+configuration.yml
+users_database.yml
diff --git a/pi/traefik/config/configuration.yml.example b/pi/traefik/config/configuration.yml.example
new file mode 100644
index 0000000..f3f7782
--- /dev/null
+++ b/pi/traefik/config/configuration.yml.example
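Review bot: `DNS_SERVER_DOMAIN=dns.pi.dudenhoeffer.casa` hard-codes a real domain in a file that otherwise parameterizes on `${DOMAIN_ROOT}` — the Traefik rule in the labels stanza uses `dns.${DOMAIN_ROOT}` and the nuc variant of this file uses `dns.${DOMAIN_ROOT}` for the same variable — so the server identifies itself under a name that need not match the router host; `- DNS_SERVER_DOMAIN=dns.${DOMAIN_ROOT}` (with DOMAIN_ROOT set per host in .env) keeps the two in step. The unattached forwardauth middleware, the commented-out admin password and the `latest` tag are the same issues noted on the nuc/dns-server hunk above.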
@@ -0,0 +1,61 @@
+---
+###############################################################
+# Authelia configuration #
+###############################################################
+
+# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
+jwt_secret: a_very_important_secret
+default_redirection_url: https://public.example.com
+
+
+log:
+ level: debug
+
+totp:
+ issuer: authelia.com
+
+# duo_api:
+# hostname: api-123456789.example.com
+# integration_key: ABCDEF
+# # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
+# secret_key: 1234567890abcdefghifjkl
+
+authentication_backend:
+ file:
+ path: /config/users_database.yml
+
+access_control:
+ default_policy: deny
+ rules:
+ # Rules applied to everyone
+ - domain: public.example.com
+ policy: bypass
+ - domain: traefik.example.com
+ policy: one_factor
+ - domain: secure.example.com
+ policy: two_factor
+
+session:
+ # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
+ secret: unsecure_session_secret
+ domain: domain.tld
+ same_site: lax
+ expiration: 1h
+ inactivity: 5m
+ remember_me_duration: 1M
+
+regulation:
+ max_retries: 3
+ find_time: 120
+ ban_time: 300
+
+storage:
+ encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
+ local:
+ path: /config/db.sqlite3
+
+notifier:
+ disable_startup_check: false
+ filesystem:
+ filename: /config/notification.txt
+
\ No newline at end of file
diff --git a/pi/traefik/config/users_database.yml.example b/pi/traefik/config/users_database.yml.example
new file mode 100644
index 0000000..251ddbc
--- /dev/null
+++ b/pi/traefik/config/users_database.yml.example
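Review bot: The access-control rules only match `public.example.com`, `traefik.example.com` and `secure.example.com` while `session.domain` is `domain.tld`, and with `default_policy: deny` every `*.domain.tld` request Traefik forwards is rejected until the rules are rewritten; using the same placeholder throughout (`- domain: traefik.domain.tld`, or `- domain: '*.domain.tld'` for a catch-all with `policy: one_factor`) makes the example deployable after a single substitution. `default_redirection_url: https://public.example.com` has the same mismatch. `log.level: debug` is a noisy default for a file that the .gitignore convention says gets copied straight to configuration.yml.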
@@ -0,0 +1,20 @@
+---
+###############################################################
+# Users Database #
+###############################################################
+
+# This file can be used if you do not have an LDAP set up.
+
+# List of users
+users:
+ authelia:
+ disabled: false
+ displayname: "Authelia User"
+ # Password is authelia
+ # To generate a password: docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'password'
+ password: "$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/" # yamllint disable-line rule:line-length
+ email: authelia@authelia.com
+ groups:
+ - admins
+ - dev
+...
\ No newline at end of file
diff --git a/pi/traefik/docker-compose.yml b/pi/traefik/docker-compose.yml
new file mode 100644
index 0000000..e36e5d9
--- /dev/null
+++ b/pi/traefik/docker-compose.yml
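Review bot: The comment tells the reader to generate the hash with `authelia crypto hash generate argon2`, but the `password:` value under it is a SHA-512 crypt string (`$6$rounds=50000$...`), so the instruction and the sample disagree; either replace the sample with an argon2id hash produced by that command or change the comment to name the algorithm actually shown. The sample user sits in `admins` with its password published in the `# Password is authelia` comment, so the comment should also say the entry is to be replaced rather than edited, given the .gitignore pattern copies this file to users_database.yml.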
@@ -0,0 +1,94 @@
+---
+version: "3.8"
+services:
+ traefik:
+ image: traefik:latest
+ container_name: traefik
+ hostname: traefik
+ restart: unless-stopped
+
+
+ environment:
+ - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
+ - CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_KEY}
+ - DOMAIN_ROOT=${DOMAIN_ROOT}
+
+ ports:
+ - mode: host
+ protocol: tcp
+ published: 80
+ target: 80
+ - mode: host
+ protocol: tcp
+ published: 443
+ target: 443
+
+ volumes:
+ - ./traefik.yml:/etc/traefik/traefik.yml:ro
+ - ./custom:/etc/traefik/custom:ro
+ - /var/run/docker.sock:/tmp/docker.sock:ro
+ - certs:/letsencrypt
+
+ labels:
+ - 'traefik.enable=true'
+ - 'traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN_ROOT}`)'
+ - "traefik.http.routers.traefik.entrypoints=websecure"
+ - 'entrypoints.websecure.http.tls=true'
+ - 'entrypoints.websecure.http.tls.certResolver=letsencrypt'
+ - 'entrypoints.websecure.http.tls.domains[0].main=${DOMAIN_ROOT}'
+ - 'entrypoints.websecure.http.tls.domains[0].sans=*.${DOMAIN_ROOT}'
+ - "traefik.http.routers.traefik.service=api@internal"
+ - 'traefik.http.routers.traefik.middlewares=strip'
+ - 'traefik.http.middlewares.strip.stripprefix.prefixes=/traefik'
+ - 'traefik.http.services.traefik.loadbalancer.server.port=8080'
+ - 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https://login.${DOMAIN_ROOT}/'
+ - 'traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true'
+ - 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
+ - 'certificatesresolvers.letsencrypt.acme.dnschallenge=true'
+ - 'certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare'
+ - 'certificatesresolvers.letsencrypt.acme.email=${CLOUDFLARE_EMAIL}'
+ - 'certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json'
+
+ networks:
+ - web
+
+ authelia:
+ image: authelia/authelia
+ container_name: authelia
+ volumes:
+ - authelia_config:/config
+ - ./config/configuration.yml:/config/configuration.yml:ro
+ - ./config/users_database.yml:/config/users_database.yml:ro
+
+ environment:
+ - DOMAIN_ROOT=${DOMAIN_ROOT}
+ - TZ=${TIMEZONE}
+
+ networks:
+ - web
+
+ labels:
+ - 'traefik.enable=true'
+ - 'traefik.http.routers.authelia.rule=Host(`login.${DOMAIN_ROOT}`)'
+ - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.${DOMAIN_ROOT}/' # yamllint disable-line rule:line-length
+ - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
+ - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' # yamllint disable-line rule:line-length
+ - 'traefik.http.services.authelia.loadbalancer.server.port=9091'
+
+ restart: unless-stopped
+ healthcheck:
+ ## In production the healthcheck section should be commented.
+ disable: true
+
+networks:
+ web:
+ external: true
+
+volumes:
+ certs:
+ name: certs
+ driver: local
+
+ authelia_config:
+ name: authelia_config
+ driver: local
diff --git a/pi/traefik/traefik.yml.example b/pi/traefik/traefik.yml.example
new file mode 100644
index 0000000..d1810f7
--- /dev/null
+++ b/pi/traefik/traefik.yml.example
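Review bot: The `entrypoints.websecure.*` and `certificatesresolvers.letsencrypt.*` labels on the traefik service are static-configuration keys, and the Docker provider only reads labels prefixed `traefik.`, so those eight lines do nothing; the same settings already live in traefik.yml.example (`entryPoints.websecure.http.tls` and `certificatesResolvers.letsencrypt.acme`), so the labels can simply be deleted. `CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_KEY}` feeds a variable that .env.example describes as "the key for your cloudflare credentials" into the variable lego reads as a scoped API token rather than the Global API Key; renaming it `CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_DNS_API_TOKEN}` and fixing the .env.example comment keeps the wrong credential from being pasted. The `authelia` forwardAuth middleware is defined on both the traefik and the authelia containers (and once more as `http.middlewares.authelia` in traefik.yml.example), so one definition should be kept to avoid conflicting-middleware errors from the provider. `healthcheck: disable: true` is annotated as non-production, so it should not be the committed default.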
@@ -0,0 +1,230 @@
+################################################################
+#
+# Configuration sample for Traefik v2.
+#
+# For Traefik v1: https://github.com/traefik/traefik/blob/v1.7/traefik.sample.toml
+#
+################################################################
+
+################################################################
+# Global configuration
+################################################################
+global:
+ checkNewVersion: true
+ sendAnonymousUsage: true
+
+################################################################
+# EntryPoints configuration
+################################################################
+
+# EntryPoints definition
+#
+# Optional
+#
+entryPoints:
+ web:
+ address: :80
+ http:
+ redirections:
+ entryPoint:
+ to: websecure
+ scheme: https
+ websecure:
+ address: :443
+ http:
+ tls:
+ certResolver: letsencrypt
+ domains:
+ - main: domain.tld
+ sans:
+ - "*.domain.tld"
+ middlewares:
+ - "authelia@docker"
+
+################################################################
+# Traefik logs configuration
+################################################################
+
+# Traefik logs
+# Enabled by default and log to stdout
+#
+# Optional
+#
+log:
+ # Log level
+ #
+ # Optional
+ # Default: "ERROR"
+ #
+ level: DEBUG
+
+ # Sets the filepath for the traefik log. If not specified, stdout will be used.
+ # Intermediate directories are created if necessary.
+ #
+ # Optional
+ # Default: os.Stdout
+ #
+# filePath: log/traefik.log
+
+ # Format is either "json" or "common".
+ #
+ # Optional
+ # Default: "common"
+ #
+# format: json
+
+################################################################
+# Access logs configuration
+################################################################
+
+# Enable access logs
+# By default it will write to stdout and produce logs in the textual
+# Common Log Format (CLF), extended with additional fields.
+# +# Optional +# +accessLog: + # Sets the file path for the access log. If not specified, stdout will be used. + # Intermediate directories are created if necessary. + # + # Optional + # Default: os.Stdout + # +# filePath: /path/to/log/log.txt + filePath: "/etc/traefik/access.log" + format: common + + # Format is either "json" or "common". + # + # Optional + # Default: "common" + # +# format: json + +################################################################ +# API and dashboard configuration +################################################################ + +# Enable API and dashboard +# +# Optional +# +api: + # Enable the API in insecure mode + # + # Optional + # Default: false + # + insecure: true + + # Enabled Dashboard + # + # Optional + # Default: true + # + dashboard: true + +################################################################ +# Ping configuration +################################################################ + +# Enable ping +ping: + # Name of the related entry point + # + # Optional + # Default: "traefik" + # + entryPoint: traefik + +################################################################ +# Docker configuration backend +################################################################ + +providers: + # Enable Docker configuration backend + docker: + # Docker server endpoint. Can be a tcp or a unix socket endpoint. + # + # Required + # Default: "unix:///var/run/docker.sock" + # + endpoint: unix:///tmp/docker.sock + + # Default host rule. 
+ #
+ # Optional
+ # Default: "Host(`{{ normalize .Name }}`)"
+ #
+ defaultRule: Host(`{{ normalize .Name }}.domain.tld`)
+
+ # Expose containers by default in traefik
+ #
+ # Optional
+ # Default: true
+ #
+ exposedByDefault: true
+
+ network: home-proxy
+
+ file:
+ directory: /etc/traefik/custom
+ watch: true
+
+#tls:
+# stores:
+# default:
+# defaultCertificate:
+# certFile: /certs/star.domain.tld.crt
+# keyFile: /certs/star.domain.tld..key
+# certificates:
+# - certFile: /certs/star.domain.tld..crt
+# keyFile: /certs/star.domain.tld..key
+# stores:
+# - default
+#
+
+certificatesResolvers:
+ letsencrypt:
+ acme:
+ email: email@address.com
+ storage: /letsencrypt/acme.json
+ dnsChallenge:
+ provider: cloudflare
+ # Used to make sure the dns challenge is propagated to the rights dns servers
+ # resolvers:
+ # - "1.1.1.1:53"
+ # - "1.0.0.1:53"
+ #
+experimental:
+ plugins:
+ traefik-real-ip:
+ moduleName: "github.com/soulbalz/traefik-real-ip"
+ version: "v1.0.3"
+
+http:
+ middlewares:
+ my-traefik-real-ip:
+ plugin:
+ traefik-real-ip:
+ excludednets:
+ - 1.1.1.1/24
+ authelia:
+ forwardAuth:
+ address: https://authelia:9091/api/verify?rd=https%3A%2F%2Flogin.dudenhoeffer.casa%2F
+ trustForwardHeader: true
+ authResponseHeaders:
+ - "Remote-User"
+ - "Remote-Groups"
+ - "Remote-Email"
+ - "Remote-Name"
+ authelia-basic:
+ forwardAuth:
+ address: https://authelia:9091/api/verify?auth=basic
+ trustForwardHeader: true
+ authResponseHeaders:
+ - "Remote-User"
+ - "Remote-Groups"
+ - "Remote-Email"
+ - "Remote-Name"
+
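Review bot: `api.insecure: true` serves the API and dashboard without authentication on the internal `traefik` entrypoint (port 8080), which every container on the shared `web` network can reach, while the compose file already publishes the dashboard through the `api@internal` router behind Traefik; `insecure: false` closes that path without losing the dashboard. The `http.middlewares` block at the end is dynamic configuration, which Traefik v2 does not accept in the static file — it belongs in a file under the `providers.file.directory` (`/etc/traefik/custom`) configured above. Inside it, `address: https://authelia:9091/...` disagrees with the `http://authelia:9091` used in the compose labels, and configuration.yml.example sets up no TLS for Authelia, so the https form would fail the forward-auth call. `providers.docker.network: home-proxy` also does not match the `web` network the compose services join; confirm which name the host actually uses, since a wrong value leaves Traefik unable to pick a container IP.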