diff --git a/authelia/authelia.log b/authelia/authelia.log deleted file mode 100644 index e69de29..0000000 diff --git a/authelia/compose.yml b/authelia/compose.yml deleted file mode 100644 index ca968a3..0000000 --- a/authelia/compose.yml +++ /dev/null @@ -1,33 +0,0 @@ -services: - authelia: - image: authelia/authelia - container_name: authelia - environment: - TZ: America/Chicago - networks: - - authelia - - reverse-proxy - restart: unless-stopped - healthcheck: - disable: true - volumes: - - ./config:/config - - ./config/users_database.yml:/etc/authelia/users_database.yml - - ./authelia.log:/etc/authelia/authelia.log - - redis: - image: redis:alpine - container_name: redis - environment: - TZ: America/Chicago - networks: - - authelia - restart: unless-stopped - volumes: - - ./redis:/data - -networks: - authelia: - name: authelia - reverse-proxy: - external: true diff --git a/authelia/config/configuration.yml b/authelia/config/configuration.yml deleted file mode 100755 index 4207beb..0000000 --- a/authelia/config/configuration.yml +++ /dev/null 
@@ -1,111 +0,0 @@ ---- -############################################################### -# Authelia configuration # -############################################################### - -theme: dark - -server: - address: 'tcp://:9091' - endpoints: - authz: - forward-auth: - implementation: 'ForwardAuth' - -log: - level: 'info' - format: 'text' - file_path: '/etc/authelia/authelia.log' - keep_stdout: false - -totp: - issuer: 'authelia.com' - -identity_validation: - reset_password: - jwt_secret: '2b8a78f3ac1784ef6aab3899c663e1010c60d3a9de694550879da349fe222923' - -authentication_backend: - file: - path: '/etc/authelia/users_database.yml' - -access_control: - default_policy: deny - networks: - - name: internal - networks: - - '10.0.0.0/8' - - '172.16.0.0/12' - - '192.168.0.0/16' - rules: - # bypass all domains and subdomains from local ips - - domain: - - 'aknlw.com' - - 'akanealw.com' - - '*.akanealw.com' - networks: - - 'internal' - policy: bypass - # bypass api for subdomains - - domain: - - '*.akanealw.com' - resources: - - '^/api([/?].*)?$' - - '^/add([/?].*)?$' - - '^/public([/?].*)?$' - policy: bypass - # bypass specific subdomains - - domain: - - 'aknlw.com' - - 'bitwarden.akanealw.com' - - 'gitea.akanealw.com' - - 'nextcloud.akanealw.com' - policy: bypass - # bypass filebrowser shares - - domain: - - 'filebrowser.akanealw.com' - resources: - - '^/api([/?].*)?$' - - '^/share([/?].*)?$' - - '^/static([/?].*)?$' - policy: bypass - # two_factor subdomains - - domain: - - 'akanealw.com' - - '*.akanealw.com' - policy: two_factor - -session: - secret: 'ffc343d98b87910edcddb1f0dac4b492b62e29b5eafa92f1c213f37c4669f243' - - cookies: - - name: 'authelia_session' - domain: 'akanealw.com' - authelia_url: 'https://auth.akanealw.com' - default_redirection_url: 'https://akanealw.com' - expiration: '1 hour' - inactivity: '5 minutes' - -regulation: - max_retries: 3 - find_time: '2 minutes' - ban_time: '5 minutes' - -storage: - encryption_key: 
'cbd7570c1795cba61f05baf419b7cee23fa144d512bda2ea57ba300afa6b33bf' - local: - path: '/etc/authelia/db.sqlite3' - -notifier: - smtp: - username: 'akanealw@gmail.com' - password: 'hbpusnyzhdlfryor' - address: 'smtp://smtp.gmail.com:587' - sender: 'akanealw@gmail.com' - -ntp: - address: 'udp://time.windows.com:123' - version: 3 - max_desync: '3s' - disable_startup_check: false - disable_failure: false diff --git a/authelia/config/users_database.yml b/authelia/config/users_database.yml deleted file mode 100644 index 6f5135b..0000000 --- a/authelia/config/users_database.yml +++ /dev/null @@ -1,13 +0,0 @@ -############################################################### -# Users Database # -############################################################### - -# This file can be used if you do not have an LDAP set up. - -# List of users -users: - akanealw: - disabled: false - displayname: 'akanealw' - password: '$argon2id$v=19$m=65536,t=3,p=4$6AmaGZ36i4TJLeDyEXCVMg$UX7fUbNh5mc1e0hPu+0L1RzlCZJuUQCUp5xViiB7MAc' - email: 'akanealw@gmail.com' diff --git a/caddy/.env b/caddy/.env deleted file mode 100644 index 063997f..0000000 --- a/caddy/.env +++ /dev/null @@ -1,2 +0,0 @@ -CROWDSEC_API_KEY=uok9y/eKet7rhXxxGvgUNmMiKsAxxh2JJd4rsGvCDoE -DNS_PROVIDER_TOKEN=BI5kO2I9fHAqso_OClKxbUM6xTCodH2OfQ60yNp3 \ No newline at end of file diff --git a/caddy/Dockerfile b/caddy/Dockerfile deleted file mode 100644 index a4f25eb..0000000 --- a/caddy/Dockerfile +++ /dev/null @@ -1,13 +0,0 @@ -ARG CADDY_VERSION=2 - -FROM caddy:${CADDY_VERSION}-builder-alpine AS builder - -RUN xcaddy build \ - --with github.com/mholt/caddy-l4 \ - --with github.com/hslatman/caddy-crowdsec-bouncer/http@main \ - --with github.com/hslatman/caddy-crowdsec-bouncer/layer4@main \ - --with github.com/caddy-dns/cloudflare - -FROM caddy:${CADDY_VERSION} AS caddy - -COPY --from=builder /usr/bin/caddy /usr/bin/caddy diff --git a/caddy/caddy/Caddyfile b/caddy/caddy/Caddyfile deleted file mode 100755 index ee040b6..0000000 
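Review bot: Deleting configuration.yml does not revoke the secrets it carried, which stay recoverable from git history: the reset-password `jwt_secret`, the `session.secret`, the `storage.encryption_key` and the Gmail SMTP app password for akanealw@gmail.com are all printed in clear in this hunk. Treat each of them as compromised and rotate it — revoke the SMTP app password at the provider, generate fresh random values for the three keys, and supply them via a secrets file or environment (Authelia accepts `AUTHELIA_*_FILE`-style variables for these) instead of committing them. Changing `storage.encryption_key` is not a plain edit, because the existing db.sqlite3 contents were encrypted under the old key; the change has to go through Authelia's storage key-change command (presumably `authelia storage encryption change-key` — confirm against the installed version). Rewriting history with git filter-repo is worth doing if the repo is public, but rotation is the only real fix.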
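Review bot: The two values in caddy/.env — the CrowdSec bouncer key and the Cloudflare DNS API token — are live credentials committed in clear and remain in history after this deletion, so both need rotating: regenerate the bouncer key with `cscli bouncers` and roll the Cloudflare token in the dashboard, scoping the replacement to DNS edit on the single zone. The Cloudflare token is the more serious exposure, since whoever holds it can publish records for the domains served here and obtain certificates for them through the same DNS-01 path this setup uses. Add `.env` to `.gitignore` and commit a `.env.example` with placeholder values so this does not recur.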
--- a/caddy/caddy/Caddyfile +++ /dev/null 
@@ -1,721 +0,0 @@ -# -------------------------------------------------- -# global options -# -------------------------------------------------- -{ - acme_ca https://acme-v02.api.letsencrypt.org/directory - - admin :2019 - log { - output file /var/log/caddy/caddy.log - level info - } - - servers { - trusted_proxies static private_ranges - } - - crowdsec { - api_url http://crowdsec:8080 - api_key uok9y/eKet7rhXxxGvgUNmMiKsAxxh2JJd4rsGvCDoE - ticker_interval 15s - #disable_streaming - #enable_hard_fails - } -} - -# -------------------------------------------------- -# cloudflare tls snippet for sites -# -------------------------------------------------- - -(cloudflare) { - tls { - dns cloudflare BI5kO2I9fHAqso_OClKxbUM6xTCodH2OfQ60yNp3 - resolvers 1.1.1.1 1.0.0.1 - } -} - -# -------------------------------------------------- -# auth snippet for authelia -# -------------------------------------------------- - -(auth) { - forward_auth authelia:9091 { - uri /api/authz/forward-auth - copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - } -} - -# -------------------------------------------------- -# akanealw.com root domain -# -------------------------------------------------- - -akanealw.com { - import cloudflare - @akanealwcom host akanealw.com - handle @akanealwcom { - import auth - reverse_proxy 192.168.1.30:3005 - } -} - -# -------------------------------------------------- -# authelia subdomain -# -------------------------------------------------- - -auth.akanealw.com { - import cloudflare - reverse_proxy authelia:9091 -} - -# -------------------------------------------------- -# *.akanealw.com subdomains -# -------------------------------------------------- - -*.akanealw.com { - -# -------------------------------------------------- -# external subdomains without authelia -# -# -# @ host .akanealw.com -# handle @ { -# reverse_proxy 192.168.1. -# } -# -# -# @ host .akanealw.com -# handle @ { -# reverse_proxy https://192.168.1. 
{ -# transport http { -# tls_insecure_skip_verify -# } -# } -# } -# -# -------------------------------------------------- - - @internal client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.1/8 - @external not client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.1/8 - import cloudflare - - - @bitwarden host bitwarden.akanealw.com - handle @bitwarden { - reverse_proxy 192.168.1.30:8089 - } - - @giteadocker host gitea-docker.akanealw.com - handle @giteadocker { - reverse_proxy 192.168.1.30:3100 - } - - @gitea host gitea.akanealw.com - handle @gitea { - reverse_proxy 192.168.1.50:3000 - } - - @jellyfin host jellyfin.akanealw.com - handle @jellyfin { - reverse_proxy 192.168.1.30:8096 - } - - @headscale host headscale.akanealw.com - handle @headscale { - reverse_proxy 192.168.1.32:8080 - } - - @nextcloud host nextcloud.akanealw.com - handle @nextcloud { - reverse_proxy https://192.168.1.30:443 { - transport http { - tls_insecure_skip_verify - } - } - } - -# -------------------------------------------------- -# external subdomains with authelia -# -# -# @ host .akanealw.com -# handle @ { -# import auth -# reverse_proxy 192.168.1. -# } -# -# @ host .akanealw.com -# handle @ { -# import auth -# reverse_proxy https://192.168.1. 
{ -# transport http { -# tls_insecure_skip_verify -# } -# } -# } -# -# -# -------------------------------------------------- - - @docmost host docmost.akanealw.com - handle @docmost { - import auth - reverse_proxy 192.168.1.30:3300 - } - - @memos host memos.akanealw.com - handle @memos { - import auth - reverse_proxy 192.168.1.30:5230 - } - - @whoami host whoami.akanealw.com - handle @whoami { - import auth - reverse_proxy whoami:80 - } - - @wallos host wallos.akanealw.com - handle @wallos { - import auth - reverse_proxy 192.168.1.30:8389 - } - - @homepage host www.akanealw.com - handle @homepage { - import auth - reverse_proxy 192.168.1.30:3005 - } - - @filebrowser host filebrowser.akanealw.com - handle @filebrowser { - import auth - reverse_proxy 192.168.1.30:8484 - } - - @archive host archive.akanealw.com - handle @archive { - import auth - reverse_proxy 192.168.1.30:8283 - } - - @archivebox host archivebox.akanealw.com - handle @archivebox { - import auth - reverse_proxy 192.168.1.30:8283 - } - - @codeserver host codeserver.akanealw.com - handle @codeserver { - import auth - reverse_proxy 192.168.1.50:3001 - } - - @freshrss host freshrss.akanealw.com - handle @freshrss { - import auth - reverse_proxy 192.168.1.30:8088 - } - - @jackett host jackett.akanealw.com - handle @jackett { - import auth - reverse_proxy 192.168.1.30:9117 - } - - @jdownloader host jdownloader.akanealw.com - handle @jdownloader { - import auth - reverse_proxy 192.168.1.30:5800 - } - - @jellyseerr host jellyseerr.akanealw.com - handle @jellyseerr { - import auth - reverse_proxy 192.168.1.30:5056 - } - - @kavita host kavita.akanealw.com - handle @kavita { - import auth - reverse_proxy 192.168.1.30:5002 - } - - @lidarr host lidarr.akanealw.com - handle @lidarr { - import auth - reverse_proxy 192.168.1.30:8686 - } - - @metube host metube.akanealw.com - handle @metube { - import auth - reverse_proxy 192.168.1.30:8082 - } - - @mstream host mstream.akanealw.com - handle @mstream { - import auth - 
reverse_proxy 192.168.1.30:3001 - } - - @nzbhydra host nzbhydra.akanealw.com - handle @nzbhydra { - import auth - reverse_proxy 192.168.1.30:5076 - } - - @olivetin host olivetin.akanealw.com - handle @olivetin { - import auth - reverse_proxy 192.168.1.30:1337 - } - - @opengist host opengist.akanealw.com - handle @opengist { - import auth - reverse_proxy 192.168.1.30:6157 - } - - @paperless host paperless.akanealw.com - handle @paperless { - import auth - reverse_proxy 192.168.1.30:8112 - } - - @prowlarr host prowlarr.akanealw.com - handle @prowlarr { - import auth - reverse_proxy 192.168.1.30:9696 - } - - @qbittorrent host qbittorrent.akanealw.com - handle @qbittorrent { - import auth - reverse_proxy 192.168.1.30:8282 - } - - @radarr host radarr.akanealw.com - handle @radarr { - import auth - reverse_proxy 192.168.1.30:7878 - } - - @sabnzbd host sabnzbd.akanealw.com - handle @sabnzbd { - import auth - reverse_proxy 192.168.1.30:8181 - } - - @shlinkweb host shlink.akanealw.com - handle @shlinkweb { - import auth - reverse_proxy 192.168.1.30:8381 - } - - @sonarr host sonarr.akanealw.com - handle @sonarr { - import auth - reverse_proxy 192.168.1.30:8989 - } - - @spdf host spdf.akanealw.com - handle @spdf { - import auth - reverse_proxy 192.168.1.30:8086 - } - - @ittools host it-tools.akanealw.com - handle @ittools { - import auth - reverse_proxy 192.168.1.30:8383 - } - - @wikidocs host wiki.akanealw.com - handle @wikidocs { - import auth - reverse_proxy 192.168.1.30:8022 - } - - -# -------------------------------------------------- -# internal only subdomains -# -# -# @ host .akanealw.com -# handle @ { -# handle @internal { -# reverse_proxy 192.168.1. -# } -# respond "ip range not allowed" -# } -# -# -# @ host .akanealw.com -# handle @ { -# handle @internal { -# reverse_proxy https://192.168.1. 
{ -# transport http { -# tls_insecure_skip_verify -# } -# } -# } -# respond "ip range not allowed" -# } -# -# -# -------------------------------------------------- - - @localshare host localshare.akanealw.com - handle @localshare { - handle @internal { - reverse_proxy 192.168.1.30:8385 - } - respond "ip range not allowed" - } - - @checkmk host checkmk.akanealw.com - handle @checkmk { - handle @internal { - reverse_proxy 192.168.1.30:8888 - } - respond "ip range not allowed" - } - - @linkwarden host linkwarden.akanealw.com - handle @linkwarden { - handle @internal { - reverse_proxy 192.168.1.30:3232 - } - respond "ip range not allowed" - } - - @adguardhome host adguardhome.akanealw.com - handle @adguardhome { - handle @internal { - reverse_proxy 192.168.1.1:3000 - } - respond "ip range not allowed" - } - - @adguard1 host adguardserver1.akanealw.com - handle @adguard1 { - handle @internal { - reverse_proxy 192.168.1.2:80 - } - respond "ip range not allowed" - } - - @adguard2 host adguardserver2.akanealw.com - handle @adguard2 { - handle @internal { - reverse_proxy 192.168.1.3:80 - } - respond "ip range not allowed" - } - - @bale host bale.akanealw.com - handle @bale { - handle @internal { - reverse_proxy 192.168.1.51:8080 - } - respond "ip range not allowed" - } - - @cronicle host cronicle.akanealw.com - handle @cronicle { - handle @internal { - reverse_proxy 192.168.1.30:3012 - } - respond "ip range not allowed" - } - - @devdockge host dev-dockge.akanealw.com - handle @devdockge { - handle @internal { - reverse_proxy 192.168.1.35:5001 - } - respond "ip range not allowed" - } - - @devdozzle host dev-dozzle.akanealw.com - handle @devdozzle { - handle @internal { - reverse_proxy 192.168.1.35:8080 - } - respond "ip range not allowed" - } - - @dockerdockge host dockerserver-dockge.akanealw.com - handle @dockerdockge { - handle @internal { - reverse_proxy 192.168.1.30:5001 - } - respond "ip range not allowed" - } - - @dockerdozzle host dockerserver-dozzle.akanealw.com - 
handle @dockerdozzle { - handle @internal { - reverse_proxy 192.168.1.30:8080 - } - respond "ip range not allowed" - } - - @dockertestdockge host dockerservertest-dockge.akanealw.com - handle @dockertestdockge { - handle @internal { - reverse_proxy 192.168.1.33:5001 - } - respond "ip range not allowed" - } - - @dockertestdozzle host dockerservertest-dozzle.akanealw.com - handle @dockertestdozzle { - handle @internal { - reverse_proxy 192.168.1.33:8080 - } - respond "ip range not allowed" - } - - @reverseproxydockge host reverseproxy-dockge.akanealw.com - handle @reverseproxydockge { - handle @internal { - reverse_proxy 192.168.1.4:5001 - } - respond "ip range not allowed" - } - - @reverseproxydozzle host reverseproxy-dozzle.akanealw.com - handle @reverseproxydozzle { - handle @internal { - reverse_proxy 192.168.1.4:8080 - } - respond "ip range not allowed" - } - - @files host files.akanealw.com - handle @files { - handle @internal { - redir / /files{uri} - reverse_proxy 192.168.1.50:80 - } - respond "ip range not allowed" - } - - @icons host icons.akanealw.com - handle @icons { - handle @internal { - rewrite * /files/icons{uri} - reverse_proxy 192.168.1.50:80 - } - respond "ip range not allowed" - } - - @peanut host peanut.akanealw.com - handle @peanut { - handle @internal { - reverse_proxy 192.168.1.30:8980 - } - respond "ip range not allowed" - } - - @photoprism host photoprism.akanealw.com - handle @photoprism { - handle @internal { - reverse_proxy 192.168.1.30:2342 - } - respond "ip range not allowed" - } - - @photoprismdadandmom host photos.akanealw.com - handle @photoprismdadandmom { - handle @internal { - reverse_proxy 192.168.1.25:2342 - } - respond "ip range not allowed" - } - - @proxmox1 host proxmox1.akanealw.com - handle @proxmox1 { - handle @internal { - reverse_proxy https://192.168.1.51:8006 { - transport http { - tls_insecure_skip_verify - } - } - } - respond "ip range not allowed" - } - - @proxmox2 host proxmox2.akanealw.com - handle @proxmox2 { - 
handle @internal { - reverse_proxy https://192.168.1.52:8006 { - transport http { - tls_insecure_skip_verify - } - } - } - respond "ip range not allowed" - } - - @proxmoxbackup host proxmoxbackup.akanealw.com - handle @proxmoxbackup { - handle @internal { - reverse_proxy https://192.168.1.51:8007 { - transport http { - tls_insecure_skip_verify - } - } - } - respond "ip range not allowed" - } - - @proxmoxbackup2 host proxmoxbackup2.akanealw.com - handle @proxmoxbackup2 { - handle @internal { - reverse_proxy https://192.168.1.52:8007 { - transport http { - tls_insecure_skip_verify - } - } - } - respond "ip range not allowed" - } - - @router host router.akanealw.com - handle @router { - handle @internal { - reverse_proxy http://192.168.1.1:80 - } - respond "ip range not allowed" - } - - @rssbridge host rss-bridge.akanealw.com - handle @rssbridge { - handle @internal { - reverse_proxy 192.168.1.30:3006 - } - respond "ip range not allowed" - } - - @invidious host invidious.akanealw.com - handle @invidious { - handle @internal { - reverse_proxy 192.168.1.30:3000 - } - respond "ip range not allowed" - } - - @scripts host scripts.akanealw.com - handle @scripts { - handle @internal { - redir / /scripts{uri} - reverse_proxy 192.168.1.50:80 - } - respond "ip range not allowed" - } - - @speedtest host speedtest.akanealw.com - handle @speedtest { - handle @internal { - reverse_proxy 192.168.1.30:8765 - } - respond "ip range not allowed" - } - - @dockersyncthing host dockerserver-syncthing.akanealw.com - handle @dockersyncthing { - handle @internal { - reverse_proxy https://192.168.1.30:8384 { - transport http { - tls_insecure_skip_verify - } - } - } - respond "ip range not allowed" - } - - @gamingpcsyncthing host gamingpc-syncthing.akanealw.com - handle @gamingpcsyncthing { - handle @internal { - reverse_proxy https://192.168.1.11:8384 { - transport http { - tls_insecure_skip_verify - } - } - } - respond "ip range not allowed" - } - - @laptoppcsyncthing host 
laptoppc-syncthing.akanealw.com - handle @laptoppcsyncthing { - handle @internal { - reverse_proxy https://192.168.1.12:8384 { - transport http { - tls_insecure_skip_verify - } - } - } - respond "ip range not allowed" - } - - @webmin host webmin.akanealw.com - handle @webmin { - handle @internal { - reverse_proxy https://192.168.1.51:10000 { - transport http { - tls_insecure_skip_verify - } - } - } - respond "ip range not allowed" - } - - @wireguardui host wireguardui.akanealw.com - handle @wireguardui { - handle @internal { - reverse_proxy 192.168.1.4:5000 - } - respond "ip range not allowed" - } - - @zabbix host zabbix.akanealw.com - handle @zabbix { - handle @internal { - reverse_proxy 192.168.1.44:8080 - } - respond "ip range not allowed" - } - - @adguardwg host adguard-wg.akanealw.com - handle @adguardwg { - handle @internal { - reverse_proxy 192.168.1.4:3000 - } - respond "ip range not allowed" - } - -} - - -# -------------------------------------------------- -# aknlw.com root domain -# -------------------------------------------------- - -aknlw.com { - import cloudflare - @shlink host aknlw.com - handle @shlink { - reverse_proxy 192.168.1.30:8380 - } -} - -# -------------------------------------------------- -# *.aknlw.com subdomains -# -------------------------------------------------- - -repo.aknlw.com { - import cloudflare - reverse_proxy 192.168.1.50:3000 -} diff --git a/caddy/compose.yml b/caddy/compose.yml deleted file mode 100644 index 905efb3..0000000 --- a/caddy/compose.yml +++ /dev/null 
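Review bot: The Caddyfile carries the CrowdSec key and Cloudflare token as literals in the global `crowdsec` block and the `(cloudflare)` snippet even though compose injects `CROWDSEC_API_KEY` and `DNS_PROVIDER_TOKEN` into the container; any replacement file should read them as `api_key {env.CROWDSEC_API_KEY}` and `dns cloudflare {env.DNS_PROVIDER_TOKEN}` so the secret never lands in a config file. They are the same values as in caddy/.env, so rotating those covers this hunk too. Separately, if this configuration is being recreated elsewhere, note that `admin :2019` together with the `2019:2019` port mapping in compose exposes the unauthenticated Caddy admin API beyond localhost — keep it at the default `localhost:2019` or drop the port mapping.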
@@ -1,53 +0,0 @@ -services: - caddy: - container_name: caddy - build: - context: ./ - target: caddy - environment: - - DNS_PROVIDER_TOKEN=${DNS_PROVIDER_TOKEN} - - CROWDSEC_API_KEY=${CROWDSEC_API_KEY} - security_opt: - - no-new-privileges:true - networks: - - crowdsec - - reverse-proxy - ports: - - 80:80 - - 443:443 - - 2019:2019 - restart: unless-stopped - volumes: - - ./caddy/data:/data - - ./caddy:/etc/caddy - - ./caddy/logs:/var/log/caddy - - crowdsec: - image: docker.io/crowdsecurity/crowdsec:latest - container_name: crowdsec - environment: - - GID=1000 - - COLLECTIONS=crowdsecurity/caddy crowdsecurity/http-cve crowdsecurity/whitelist-good-actors - - BOUNCER_KEY_CADDY=${CROWDSEC_API_KEY} - security_opt: - - no-new-privileges=true - networks: - - crowdsec - - reverse-proxy - restart: unless-stopped - volumes: - - ./crowdsec/db:/var/lib/crowdsec/data/ - - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml - - ./caddy/logs:/var/log/caddy:ro - - whoami: - image: traefik/whoami - container_name: whoami - networks: - - reverse-proxy - -networks: - crowdsec: - name: crowdsec - reverse-proxy: - external: true diff --git a/caddy/crowdsec/acquis.yaml b/caddy/crowdsec/acquis.yaml deleted file mode 100644 index 1478756..0000000 --- a/caddy/crowdsec/acquis.yaml +++ /dev/null @@ -1,4 +0,0 @@ -filenames: - - /var/log/caddy/*.log -labels: - type: caddy \ No newline at end of file