properly got pi traefik/authelia working, need to migrate nuc to that setup.

switch pihole to technitium dns server

nuc/cloudflare-dns/.gitignore

@@ -0,0 +1 @@
+config.json

nuc/cloudflare-dns/config.json.example

@@ -0,0 +1,25 @@
+{
+    "cloudflare": [
+      {
+        "authentication": {
+          "api_token": "api_token_here", // Either api_token or api_key
+          "api_key": {
+            "api_key": "api_key_here",
+            "account_email": "email@address.com"
+          }
+        },
+        "zone_id": "XXXXX",
+        "zone_friendly": "domain.tld",
+        "subdomains": [
+          {
+            "name": "home",
+            "proxied": false
+          }
+        ]
+      }
+     ],
+    "a": true,
+    "aaaa": true,
+    "purgeUnknownRecords": false,
+    "ttl": 300
+  }

nuc/cloudflare-dns/docker-compose.yml

@@ -0,0 +1,14 @@
+version: '3.9'
+services:
+  cloudflare-ddns:
+    image: timothyjmiller/cloudflare-ddns:latest
+    container_name: cloudflare-ddns
+    security_opt:
+      - no-new-privileges:true
+    network_mode: 'host'
+    environment:
+      - PUID=1000
+      - PGID=1000
+    volumes:
+      - ./config.json:/config.json
+    restart: unless-stopped

nuc/dns-server/.env.example

@@ -0,0 +1,5 @@
+# DOMAIN_ROOT is the root domain that this service will register as with Traefik
+DOMAIN_ROOT=domain.tld
+
+# WEB_UI_PASSWORD is the password for the web ui interface.  If unset, it will be randomly generated and retrievable from the logs.
+WEB_UI_PASSWORD=password

nuc/dns-server/docker-compose.yml

@@ -0,0 +1,67 @@
+version: "3"
+services:
+  dns-server:
+    container_name: dns-server
+    hostname: dns-server
+    image: technitium/dns-server:latest
+    # For DHCP deployments, use "host" network mode and remove all the port mappings, including the ports array by commenting them
+    # network_mode: "host"
+    ports:
+      # - "5380:5380/tcp" #DNS web console (HTTP)
+      # - "53443:53443/tcp" #DNS web console (HTTPS)
+      - "53:53/udp" #DNS service
+      - "53:53/tcp" #DNS service
+      # - "853:853/udp" #DNS-over-QUIC service
+      # - "853:853/tcp" #DNS-over-TLS service
+      # - "443:443/udp" #DNS-over-HTTPS service (HTTP/3)
+      # - "443:443/tcp" #DNS-over-HTTPS service (HTTP/1.1, HTTP/2)
+      # - "80:80/tcp" #DNS-over-HTTP service (use with reverse proxy or certbot certificate renewal)
+      # - "8053:8053/tcp" #DNS-over-HTTP service (use with reverse proxy)
+      # - "67:67/udp" #DHCP service      
+    environment:
+      - DOMAIN_ROOT=${DOMAIN_ROOT} #The root domain name used by this DNS Server to identify itself.
+      - DNS_SERVER_DOMAIN=dns.${DOMAIN_ROOT} #The primary domain name used by this DNS Server to identify itself.
+      # - DNS_SERVER_ADMIN_PASSWORD=${WEB_UI_PASSWORD} #DNS web console admin user password.
+      # - DNS_SERVER_ADMIN_PASSWORD_FILE=password.txt #The path to a file that contains a plain text password for the DNS web console admin user.
+      # - DNS_SERVER_PREFER_IPV6=false #DNS Server will use IPv6 for querying whenever possible with this option enabled.
+      # - DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 #The TCP port number for the DNS web console over HTTP protocol.
+      # - DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol.
+      # - DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false #Enables HTTPS for the DNS web console.
+      # - DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false #Enables self signed TLS certificate for the DNS web console.
+      # - DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false #Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx.
+      # - DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks #Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworks.
+      # - DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24 #Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworks` recursion option.
+      # - DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24 #Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworks` recursion option.
+      # - DNS_SERVER_ENABLE_BLOCKING=false #Sets the DNS server to block domain names using Blocked Zone and Block List Zone.
+      # - DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false #Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests.
+      # - DNS_SERVER_BLOCK_LIST_URLS= #A comma separated list of block list URLs.
+      # - DNS_SERVER_FORWARDERS=1.1.1.1, 8.8.8.8 #Comma separated list of forwarder addresses.
+      # - DNS_SERVER_FORWARDER_PROTOCOL=Tcp #Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson.
+      # - DNS_SERVER_LOG_USING_LOCAL_TIME=true #Enable this option to use local time instead of UTC for logging.
+
+    labels:
+      - 'traefik.enable=true'
+      - 'traefik.http.routers.dns-server.rule=Host(`dns.${DOMAIN_ROOT}`)'
+      - 'traefik.http.middlewares.dns-server.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.${DOMAIN_ROOT}/'  # yamllint disable-line rule:line-length
+      - 'traefik.http.middlewares.dns-server.forwardauth.trustForwardHeader=true'
+      - 'traefik.http.middlewares.dns-server.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'  # yamllint disable-line rule:line-length
+      - 'traefik.http.services.dns-server.loadbalancer.server.port=5380'
+ 
+    volumes:
+      - dns-config:/etc/dns
+    restart: unless-stopped
+    sysctls:
+      - net.ipv4.ip_local_port_range=1024 65000
+
+    networks:
+      - web
+ 
+volumes:
+  dns-config:
+    name: dns-config
+    driver: local
+
+
+networks:
+  web:
+    external: true

nuc/mort/docker-compose.yml

@@ -33,7 +33,7 @@ services:
     labels:
       - "traefik.enable=true"
       - "traefik.http.services.bobross-receiver-mort.loadbalancer.server.port=8080"
-      - "traefik.http.routers.bobross-receiver-mort.rule=Host(`bobross-receiver-mort.dudenhoeffer.casa`)"
+      - "traefik.http.routers.bobross-receiver-mort.rule=Host(`bobross-receiver-mort.dudenhoeffer.casa`) || Host(`mort.dudenhoeffer.casa`)"
       - 'traefik.http.routers.bobross-receiver-mort.middlewares=authelia@docker'
 
     extra_hosts:

pi/dns-server/.env.example

@@ -0,0 +1,5 @@
+# DOMAIN_ROOT is the root domain that this service will register as with Traefik
+DOMAIN_ROOT=domain.tld
+
+# WEB_UI_PASSWORD is the password for the web ui interface.  If unset, it will be randomly generated and retrievable from the logs.
+WEB_UI_PASSWORD=password

pi/dns-server/docker-compose.yml

@@ -0,0 +1,67 @@
+version: "3"
+services:
+  dns-server:
+    container_name: dns-server
+    hostname: dns-server
+    image: technitium/dns-server:latest
+    # For DHCP deployments, use "host" network mode and remove all the port mappings, including the ports array by commenting them
+    # network_mode: "host"
+    ports:
+      # - "5380:5380/tcp" #DNS web console (HTTP)
+      # - "53443:53443/tcp" #DNS web console (HTTPS)
+      - "53:53/udp" #DNS service
+      - "53:53/tcp" #DNS service
+      # - "853:853/udp" #DNS-over-QUIC service
+      # - "853:853/tcp" #DNS-over-TLS service
+      # - "443:443/udp" #DNS-over-HTTPS service (HTTP/3)
+      # - "443:443/tcp" #DNS-over-HTTPS service (HTTP/1.1, HTTP/2)
+      # - "80:80/tcp" #DNS-over-HTTP service (use with reverse proxy or certbot certificate renewal)
+      # - "8053:8053/tcp" #DNS-over-HTTP service (use with reverse proxy)
+      # - "67:67/udp" #DHCP service      
+    environment:
+      - DOMAIN_ROOT=${DOMAIN_ROOT} #The root domain name used by this DNS Server to identify itself.
+      - DNS_SERVER_DOMAIN=dns.pi.dudenhoeffer.casa #The primary domain name used by this DNS Server to identify itself.
+      # - DNS_SERVER_ADMIN_PASSWORD=${WEB_UI_PASSWORD} #DNS web console admin user password.
+      # - DNS_SERVER_ADMIN_PASSWORD_FILE=password.txt #The path to a file that contains a plain text password for the DNS web console admin user.
+      # - DNS_SERVER_PREFER_IPV6=false #DNS Server will use IPv6 for querying whenever possible with this option enabled.
+      # - DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 #The TCP port number for the DNS web console over HTTP protocol.
+      # - DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol.
+      # - DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false #Enables HTTPS for the DNS web console.
+      # - DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false #Enables self signed TLS certificate for the DNS web console.
+      # - DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false #Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx.
+      # - DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks #Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworks.
+      # - DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24 #Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworks` recursion option.
+      # - DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24 #Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworks` recursion option.
+      # - DNS_SERVER_ENABLE_BLOCKING=false #Sets the DNS server to block domain names using Blocked Zone and Block List Zone.
+      # - DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false #Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests.
+      # - DNS_SERVER_BLOCK_LIST_URLS= #A comma separated list of block list URLs.
+      # - DNS_SERVER_FORWARDERS=1.1.1.1, 8.8.8.8 #Comma separated list of forwarder addresses.
+      # - DNS_SERVER_FORWARDER_PROTOCOL=Tcp #Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson.
+      # - DNS_SERVER_LOG_USING_LOCAL_TIME=true #Enable this option to use local time instead of UTC for logging.
+
+    labels:
+      - 'traefik.enable=true'
+      - 'traefik.http.routers.dns-server.rule=Host(`dns.${DOMAIN_ROOT}`)'
+      - 'traefik.http.middlewares.dns-server.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.${DOMAIN_ROOT}/'  # yamllint disable-line rule:line-length
+      - 'traefik.http.middlewares.dns-server.forwardauth.trustForwardHeader=true'
+      - 'traefik.http.middlewares.dns-server.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'  # yamllint disable-line rule:line-length
+      - 'traefik.http.services.dns-server.loadbalancer.server.port=5380'
+ 
+    volumes:
+      - dns-config:/etc/dns
+    restart: unless-stopped
+    sysctls:
+      - net.ipv4.ip_local_port_range=1024 65000
+
+    networks:
+      - web
+ 
+volumes:
+  dns-config:
+    name: dns-config
+    driver: local
+
+
+networks:
+  web:
+    external: true

pi/traefik/.env.example

@@ -0,0 +1,18 @@
+# DOMAIN_ROOT is the root domain that this service will register as with Traefik
+DOMAIN_ROOT=domain.tld
+
+# USER_ID is the user id to run the service as. 0 for root
+USER_ID=1000
+
+# GROUP_ID is the group id to run the service as. 0 for root
+GROUP_ID=1000
+
+# TIMEZONE is the timezone the server is in
+TIMEZONE=America/New_York
+
+# CLOUDFLARE_EMAIL is the email for the cloudflare credentials
+CLOUDFLARE_EMAIL=email@address.com
+
+# CLOUDFLARE_KEY is the key for your cloudflare credentials
+CLOUDFLARE_KEY=XXXX
+

pi/traefik/config/.gitignore

@@ -0,0 +1,2 @@
+configuration.yml
+users_database.yml

pi/traefik/config/configuration.yml.example

@@ -0,0 +1,61 @@
+---
+###############################################################
+#                   Authelia configuration                    #
+###############################################################
+
+# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
+jwt_secret: a_very_important_secret
+default_redirection_url: https://public.example.com
+
+
+log:
+  level: debug
+
+totp:
+  issuer: authelia.com
+
+# duo_api:
+#  hostname: api-123456789.example.com
+#  integration_key: ABCDEF
+#  # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
+#  secret_key: 1234567890abcdefghifjkl
+
+authentication_backend:
+  file:
+    path: /config/users_database.yml
+
+access_control:
+  default_policy: deny
+  rules:
+    # Rules applied to everyone
+    - domain: public.example.com
+      policy: bypass
+    - domain: traefik.example.com
+      policy: one_factor
+    - domain: secure.example.com
+      policy: two_factor
+
+session:
+  # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
+  secret: unsecure_session_secret
+  domain: domain.tld
+  same_site: lax
+  expiration: 1h
+  inactivity: 5m
+  remember_me_duration:  1M
+
+regulation:
+  max_retries: 3
+  find_time: 120
+  ban_time: 300
+
+storage:
+  encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
+  local:
+    path: /config/db.sqlite3
+
+notifier:
+  disable_startup_check: false
+  filesystem:
+    filename: /config/notification.txt
+    

pi/traefik/config/users_database.yml.example

@@ -0,0 +1,20 @@
+---
+###############################################################
+#                         Users Database                      #
+###############################################################
+
+# This file can be used if you do not have an LDAP set up.
+
+# List of users
+users:
+  authelia:
+    disabled: false
+    displayname: "Authelia User"
+    # Password is authelia
+    # To generate a password: docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'password'
+    password: "$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/"  # yamllint disable-line rule:line-length
+    email: authelia@authelia.com
+    groups:
+      - admins
+      - dev
+...

pi/traefik/docker-compose.yml

@@ -0,0 +1,94 @@
+---
+version: "3.8"
+services:
+  traefik:
+    image: traefik:latest
+    container_name: traefik
+    hostname: traefik
+    restart: unless-stopped
+
+   
+    environment:
+      - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
+      - CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_KEY}
+      - DOMAIN_ROOT=${DOMAIN_ROOT}
+      
+    ports:
+      - mode: host
+        protocol: tcp
+        published: 80
+        target: 80
+      - mode: host
+        protocol: tcp
+        published: 443
+        target: 443
+
+    volumes:
+      - ./traefik.yml:/etc/traefik/traefik.yml:ro
+      - ./custom:/etc/traefik/custom:ro
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+      - certs:/letsencrypt
+
+    labels:
+      - 'traefik.enable=true'
+      - 'traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN_ROOT}`)'
+      - "traefik.http.routers.traefik.entrypoints=websecure"
+      - 'entrypoints.websecure.http.tls=true'
+      - 'entrypoints.websecure.http.tls.certResolver=letsencrypt'
+      - 'entrypoints.websecure.http.tls.domains[0].main=${DOMAIN_ROOT}'
+      - 'entrypoints.websecure.http.tls.domains[0].sans=*.${DOMAIN_ROOT}'
+      - "traefik.http.routers.traefik.service=api@internal"
+      - 'traefik.http.routers.traefik.middlewares=strip'
+      - 'traefik.http.middlewares.strip.stripprefix.prefixes=/traefik'
+      - 'traefik.http.services.traefik.loadbalancer.server.port=8080'
+      - 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https://login.${DOMAIN_ROOT}/'
+      - 'traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true'
+      - 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
+      - 'certificatesresolvers.letsencrypt.acme.dnschallenge=true'
+      - 'certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare'
+      - 'certificatesresolvers.letsencrypt.acme.email=${CLOUDFLARE_EMAIL}'
+      - 'certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json'
+
+    networks:
+      - web
+
+  authelia:
+    image: authelia/authelia
+    container_name: authelia
+    volumes:
+      - authelia_config:/config
+      - ./config/configuration.yml:/config/configuration.yml:ro
+      - ./config/users_database.yml:/config/users_database.yml:ro
+
+    environment:
+      - DOMAIN_ROOT=${DOMAIN_ROOT}
+      - TZ=${TIMEZONE}
+
+    networks:
+      - web
+
+    labels:
+      - 'traefik.enable=true'
+      - 'traefik.http.routers.authelia.rule=Host(`login.${DOMAIN_ROOT}`)'
+      - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.${DOMAIN_ROOT}/'  # yamllint disable-line rule:line-length
+      - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
+      - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'  # yamllint disable-line rule:line-length
+      - 'traefik.http.services.authelia.loadbalancer.server.port=9091'
+
+    restart: unless-stopped
+    healthcheck:
+      ## In production the healthcheck section should be commented.
+      disable: true
+
+networks:
+  web:
+    external: true
+
+volumes:
+  certs:
+    name: certs
+    driver: local
+
+  authelia_config:
+    name: authelia_config
+    driver: local

pi/traefik/traefik.yml.example

@@ -0,0 +1,230 @@
+################################################################
+#
+# Configuration sample for Traefik v2.
+#
+# For Traefik v1: https://github.com/traefik/traefik/blob/v1.7/traefik.sample.toml
+#
+################################################################
+
+################################################################
+# Global configuration
+################################################################
+global:
+  checkNewVersion: true
+  sendAnonymousUsage: true
+
+################################################################
+# EntryPoints configuration
+################################################################
+
+# EntryPoints definition
+#
+# Optional
+#
+entryPoints:
+  web:
+    address: :80
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+  websecure:
+    address: :443
+    http:
+      tls:
+        certResolver: letsencrypt
+        domains:
+          - main: domain.tld
+            sans: 
+              - "*.domain.tld"
+      middlewares:
+        - "authelia@docker"
+  
+################################################################
+# Traefik logs configuration
+################################################################
+
+# Traefik logs
+# Enabled by default and log to stdout
+#
+# Optional
+#
+log:
+  # Log level
+  #
+  # Optional
+  # Default: "ERROR"
+  #
+  level: DEBUG
+
+  # Sets the filepath for the traefik log. If not specified, stdout will be used.
+  # Intermediate directories are created if necessary.
+  #
+  # Optional
+  # Default: os.Stdout
+  #
+#  filePath: log/traefik.log
+
+  # Format is either "json" or "common".
+  #
+  # Optional
+  # Default: "common"
+  #
+#  format: json
+
+################################################################
+# Access logs configuration
+################################################################
+
+# Enable access logs
+# By default it will write to stdout and produce logs in the textual
+# Common Log Format (CLF), extended with additional fields.
+#
+# Optional
+#
+accessLog: 
+  # Sets the file path for the access log. If not specified, stdout will be used.
+  # Intermediate directories are created if necessary.
+  #
+  # Optional
+  # Default: os.Stdout
+  #
+#  filePath: /path/to/log/log.txt
+  filePath: "/etc/traefik/access.log"
+  format: common
+
+  # Format is either "json" or "common".
+  #
+  # Optional
+  # Default: "common"
+  #
+#  format: json
+
+################################################################
+# API and dashboard configuration
+################################################################
+
+# Enable API and dashboard
+#
+# Optional
+#
+api:
+  # Enable the API in insecure mode
+  #
+  # Optional
+  # Default: false
+  #
+  insecure: true
+
+  # Enabled Dashboard
+  #
+  # Optional
+  # Default: true
+  #
+  dashboard: true
+
+################################################################
+# Ping configuration
+################################################################
+
+# Enable ping
+ping:
+  # Name of the related entry point
+  #
+  # Optional
+  # Default: "traefik"
+  #
+  entryPoint: traefik
+
+################################################################
+# Docker configuration backend
+################################################################
+
+providers:
+  # Enable Docker configuration backend
+  docker:
+    # Docker server endpoint. Can be a tcp or a unix socket endpoint.
+    #
+    # Required
+    # Default: "unix:///var/run/docker.sock"
+    #
+    endpoint: unix:///tmp/docker.sock
+
+    # Default host rule.
+    #
+    # Optional
+    # Default: "Host(`{{ normalize .Name }}`)"
+    #
+    defaultRule: Host(`{{ normalize .Name }}.domain.tld`)
+
+    # Expose containers by default in traefik
+    #
+    # Optional
+    # Default: true
+    #
+    exposedByDefault: true
+
+    network: home-proxy
+
+  file:
+    directory: /etc/traefik/custom
+    watch: true
+
+#tls:
+#  stores:
+#    default:
+#      defaultCertificate:
+#        certFile: /certs/star.domain.tld.crt
+#        keyFile: /certs/star.domain.tld..key
+#  certificates:
+#    - certFile: /certs/star.domain.tld..crt
+#      keyFile: /certs/star.domain.tld..key
+#      stores:
+#        - default
+#
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+     email: email@address.com
+     storage: /letsencrypt/acme.json
+     dnsChallenge:
+       provider: cloudflare
+        # Used to make sure the dns challenge is propagated to the rights dns servers
+        #       resolvers:
+        # - "1.1.1.1:53"
+        # - "1.0.0.1:53"
+        #
+experimental:
+  plugins:
+    traefik-real-ip:
+      moduleName: "github.com/soulbalz/traefik-real-ip"
+      version: "v1.0.3" 
+      
+http:
+  middlewares:
+    my-traefik-real-ip:
+      plugin:
+        traefik-real-ip:
+          excludednets:
+            - 1.1.1.1/24
+    authelia:
+      forwardAuth:
+        address: https://authelia:9091/api/verify?rd=https%3A%2F%2Flogin.dudenhoeffer.casa%2F
+        trustForwardHeader: true
+        authResponseHeaders:
+          - "Remote-User"
+          - "Remote-Groups"
+          - "Remote-Email"
+          - "Remote-Name"
+    authelia-basic:
+      forwardAuth:
+        address: https://authelia:9091/api/verify?auth=basic
+        trustForwardHeader: true
+        authResponseHeaders:
+          - "Remote-User"
+          - "Remote-Groups"
+          - "Remote-Email"
+          - "Remote-Name"
+