added nas/traefik

2024-03-24 02:26:04 +00:00 · 2024-03-24 02:26:04 +00:00 · 728e01bc79
commit 728e01bc79
parent 484492c4c0
7 changed files with 448 additions and 0 deletions
--- a/nas/traefik/config/configuration.yml.example
+++ b/nas/traefik/config/configuration.yml.example
@ -0,0 +1,61 @@
+---
+###############################################################
+#                   Authelia configuration                    #
+###############################################################
+
+# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
+jwt_secret: a_very_important_secret
+default_redirection_url: https://public.example.com
+
+
+log:
+  level: debug
+
+totp:
+  issuer: authelia.com
+
+# duo_api:
+#  hostname: api-123456789.example.com
+#  integration_key: ABCDEF
+#  # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
+#  secret_key: 1234567890abcdefghifjkl
+
+authentication_backend:
+  file:
+    path: /config/users_database.yml
+
+access_control:
+  default_policy: deny
+  rules:
+    # Rules applied to everyone
+    - domain: public.example.com
+      policy: bypass
+    - domain: traefik.example.com
+      policy: one_factor
+    - domain: secure.example.com
+      policy: two_factor
+
+session:
+  # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
+  secret: unsecure_session_secret
+  domain: domain.tld
+  same_site: lax
+  expiration: 1h
+  inactivity: 5m
+  remember_me_duration:  1M
+
+regulation:
+  max_retries: 3
+  find_time: 120
+  ban_time: 300
+
+storage:
+  encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
+  local:
+    path: /config/db.sqlite3
+
+notifier:
+  disable_startup_check: false
+  filesystem:
+    filename: /config/notification.txt
+    
--- a/nas/traefik/config/users_database.yml.example
+++ b/nas/traefik/config/users_database.yml.example
@ -0,0 +1,20 @@
+---
+###############################################################
+#                         Users Database                      #
+###############################################################
+
+# This file can be used if you do not have an LDAP set up.
+
+# List of users
+users:
+  authelia:
+    disabled: false
+    displayname: "Authelia User"
+    # Password is authelia
+    # To generate a password: docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'password'
+    password: "$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/"  # yamllint disable-line rule:line-length
+    email: authelia@authelia.com
+    groups:
+      - admins
+      - dev
+...
--- a/nas/traefik/custom/example-tls.yml
+++ b/nas/traefik/custom/example-tls.yml
@ -0,0 +1,20 @@
+http:
+  routers:
+    example-tls-router:
+      rule: "Host(`example-tls.domain.tld`)"
+      service: example-tls-service
+      # Optionally, you can add TLS configuration here if your router is serving HTTPS
+
+  services:
+    example-tls-service:
+      loadBalancer:
+        servers:
+          - url: "https://192.168.0.146"
+        passHostHeader: true
+        # Skip TLS verification for the self-signed certificate
+        serversTransport: "example-tls-servers-transport"
+
+  # Define the serversTransport to skip TLS verification
+  serversTransports:
+    example-tls-servers-transport:
+      insecureSkipVerify: true
--- a/nas/traefik/custom/example.yml
+++ b/nas/traefik/custom/example.yml
@ -0,0 +1,13 @@
+
+http:
+  routers:
+   example-router:
+      rule: "Host(`example.domain.tld`)"
+      service: example-service
+
+  services:
+    example-service:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.0.197:8081"
+        passHostHeader: true
--- a/nas/traefik/custom/nas.yml
+++ b/nas/traefik/custom/nas.yml
@ -0,0 +1,12 @@
+http:
+  routers:
+   example-router:
+      rule: "Host(`nas.dudenhoeffer.casa`)"
+      service: nas-service
+
+  services:
+    nas-service:
+      loadBalancer:
+        servers:
+          - url: "http://127.0.0.1:5000"
+        passHostHeader: true
--- a/nas/traefik/docker-compose.yml
+++ b/nas/traefik/docker-compose.yml
@ -0,0 +1,92 @@
+---
+services:
+  traefik:
+    image: traefik:latest
+    container_name: traefik
+    hostname: traefik
+    restart: unless-stopped
+
+    dns: 1.1.1.1
+
+    environment:
+      - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
+      - CLOUDFLARE_DNS_API_TOKEN=${CLOUDFLARE_KEY}
+
+    ports:
+      - mode: host
+        protocol: tcp
+        published: 80
+        target: 80
+      - mode: host
+        protocol: tcp
+        published: 443
+        target: 443
+
+    volumes:
+      - /volume1/docker/traefik/traefik.yml:/etc/traefik/traefik.yml:ro
+      - /volume1/docker/traefik/custom:/etc/traefik/custom:ro
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+      - certs:/letsencrypt
+
+    labels:
+      - 'traefik.enable=true'
+      - 'traefik.http.routers.traefik.rule=Host(`traefik.nas.dudenhoeffer.casa`)'
+      - "traefik.http.routers.traefik.entrypoints=websecure"
+      - 'entrypoints.websecure.http.tls=true'
+      - 'entrypoints.websecure.http.tls.certResolver=letsencrypt'
+      - 'entrypoints.websecure.http.tls.domains[0].main=nas.dudenhoeffer.casa'
+      - 'entrypoints.websecure.http.tls.domains[0].sans=*.nas.dudenhoeffer.casa'
+      - "traefik.http.routers.traefik.service=api@internal"
+      - 'traefik.http.routers.traefik.middlewares=strip'
+      - 'traefik.http.middlewares.strip.stripprefix.prefixes=/traefik'
+      - 'traefik.http.services.traefik.loadbalancer.server.port=8080'
+      - 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https://login.nas.dudenhoeffer.casa/'
+      - 'traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true'
+      - 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
+      - 'certificatesresolvers.letsencrypt.acme.dnschallenge=true'
+      - 'certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare'
+      - 'certificatesresolvers.letsencrypt.acme.email=${CLOUDFLARE_EMAIL}'
+      - 'certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json'
+
+    networks:
+      - web
+
+  authelia:
+    image: authelia/authelia
+    container_name: authelia
+    volumes:
+      - authelia_config:/config
+      - /volume1/docker/authelia/configuration.yml:/config/configuration.yml:ro
+      - /volume1/docker/authelia/users_database.yml:/config/users_database.yml:ro
+
+    environment:
+      - TZ=${TIMEZONE}
+
+    networks:
+      - web
+
+    labels:
+      - 'traefik.enable=true'
+      - 'traefik.http.routers.authelia.rule=Host(`login.nas.dudenhoeffer.casa`)'
+      - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.nas.dudenhoeffer.casa/'  # yamllint disable-line rule:line-length
+      - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
+      - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'  # yamllint disable-line rule:line-length
+      - 'traefik.http.services.authelia.loadbalancer.server.port=9091'
+
+    restart: unless-stopped
+    healthcheck:
+      ## In production the healthcheck section should be commented.
+      disable: true
+
+networks:
+  web:
+    external: true
+
+volumes:
+  certs:
+    name: certs
+    driver: local
+
+  authelia_config:
+    name: authelia_config
+    driver: local
--- a/nas/traefik/traefik.yml.example
+++ b/nas/traefik/traefik.yml.example
@ -0,0 +1,230 @@
+################################################################
+#
+# Configuration sample for Traefik v2.
+#
+# For Traefik v1: https://github.com/traefik/traefik/blob/v1.7/traefik.sample.toml
+#
+################################################################
+
+################################################################
+# Global configuration
+################################################################
+global:
+  checkNewVersion: true
+  sendAnonymousUsage: true
+
+################################################################
+# EntryPoints configuration
+################################################################
+
+# EntryPoints definition
+#
+# Optional
+#
+entryPoints:
+  web:
+    address: :80
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+  websecure:
+    address: :443
+    http:
+      tls:
+        certResolver: letsencrypt
+        domains:
+          - main: domain.tld
+            sans: 
+              - "*.domain.tld"
+      middlewares:
+        - "authelia@docker"
+  
+################################################################
+# Traefik logs configuration
+################################################################
+
+# Traefik logs
+# Enabled by default and log to stdout
+#
+# Optional
+#
+log:
+  # Log level
+  #
+  # Optional
+  # Default: "ERROR"
+  #
+  level: DEBUG
+
+  # Sets the filepath for the traefik log. If not specified, stdout will be used.
+  # Intermediate directories are created if necessary.
+  #
+  # Optional
+  # Default: os.Stdout
+  #
+#  filePath: log/traefik.log
+
+  # Format is either "json" or "common".
+  #
+  # Optional
+  # Default: "common"
+  #
+#  format: json
+
+################################################################
+# Access logs configuration
+################################################################
+
+# Enable access logs
+# By default it will write to stdout and produce logs in the textual
+# Common Log Format (CLF), extended with additional fields.
+#
+# Optional
+#
+accessLog: 
+  # Sets the file path for the access log. If not specified, stdout will be used.
+  # Intermediate directories are created if necessary.
+  #
+  # Optional
+  # Default: os.Stdout
+  #
+#  filePath: /path/to/log/log.txt
+  filePath: "/etc/traefik/access.log"
+  format: common
+
+  # Format is either "json" or "common".
+  #
+  # Optional
+  # Default: "common"
+  #
+#  format: json
+
+################################################################
+# API and dashboard configuration
+################################################################
+
+# Enable API and dashboard
+#
+# Optional
+#
+api:
+  # Enable the API in insecure mode
+  #
+  # Optional
+  # Default: false
+  #
+  insecure: true
+
+  # Enabled Dashboard
+  #
+  # Optional
+  # Default: true
+  #
+  dashboard: true
+
+################################################################
+# Ping configuration
+################################################################
+
+# Enable ping
+ping:
+  # Name of the related entry point
+  #
+  # Optional
+  # Default: "traefik"
+  #
+  entryPoint: traefik
+
+################################################################
+# Docker configuration backend
+################################################################
+
+providers:
+  # Enable Docker configuration backend
+  docker:
+    # Docker server endpoint. Can be a tcp or a unix socket endpoint.
+    #
+    # Required
+    # Default: "unix:///var/run/docker.sock"
+    #
+    endpoint: unix:///tmp/docker.sock
+
+    # Default host rule.
+    #
+    # Optional
+    # Default: "Host(`{{ normalize .Name }}`)"
+    #
+    defaultRule: Host(`{{ normalize .Name }}.domain.tld`)
+
+    # Expose containers by default in traefik
+    #
+    # Optional
+    # Default: true
+    #
+    exposedByDefault: true
+
+    network: home-proxy
+
+  file:
+    directory: /etc/traefik/custom
+    watch: true
+
+#tls:
+#  stores:
+#    default:
+#      defaultCertificate:
+#        certFile: /certs/star.domain.tld.crt
+#        keyFile: /certs/star.domain.tld..key
+#  certificates:
+#    - certFile: /certs/star.domain.tld..crt
+#      keyFile: /certs/star.domain.tld..key
+#      stores:
+#        - default
+#
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+     email: email@address.com
+     storage: /letsencrypt/acme.json
+     dnsChallenge:
+       provider: cloudflare
+        # Used to make sure the dns challenge is propagated to the rights dns servers
+        #       resolvers:
+        # - "1.1.1.1:53"
+        # - "1.0.0.1:53"
+        #
+experimental:
+  plugins:
+    traefik-real-ip:
+      moduleName: "github.com/soulbalz/traefik-real-ip"
+      version: "v1.0.3" 
+      
+http:
+  middlewares:
+    my-traefik-real-ip:
+      plugin:
+        traefik-real-ip:
+          excludednets:
+            - 1.1.1.1/24
+    authelia:
+      forwardAuth:
+        address: https://authelia:9091/api/verify?rd=https%3A%2F%2Flogin.dudenhoeffer.casa%2F
+        trustForwardHeader: true
+        authResponseHeaders:
+          - "Remote-User"
+          - "Remote-Groups"
+          - "Remote-Email"
+          - "Remote-Name"
+    authelia-basic:
+      forwardAuth:
+        address: https://authelia:9091/api/verify?auth=basic
+        trustForwardHeader: true
+        authResponseHeaders:
+          - "Remote-User"
+          - "Remote-Groups"
+          - "Remote-Email"
+          - "Remote-Name"
+