diff --git a/.env b/.env
deleted file mode 100644
index 0f6eaa3..0000000
--- a/.env
+++ /dev/null
@@ -1,13 +0,0 @@
-#GLOBAL SETTINGS
-COMPOSE_HTTP_TIMEOUT=120
-COMPOSE_IGNORE_ORPHANS=1
-DOCKER_CONFIGS=.
-DOCKERGID=999
-DOCKERHOSTNAME=ReverseProxy
-DOCKERLOGGING_MAXFILE=10
-DOCKERLOGGING_MAXSIZE=200k
-SERVERIP=192.168.1.91
-PGID=1000
-PUID=1000
-UMASK=000
-TZ=America/Chicago
diff --git a/authelia/compose.yml b/authelia/compose.yml
new file mode 100644
index 0000000..6c21429
--- /dev/null
+++ b/authelia/compose.yml
@@ -0,0 +1,31 @@
+services:
+ authelia:
+ image: 'authelia/authelia'
+ container_name: 'authelia'
+ volumes:
+ - './config:/config'
+ networks:
+ - authelia
+ - reverse-proxy
+ restart: 'unless-stopped'
+ healthcheck:
+ disable: true
+ environment:
+ TZ: 'America/Chicago'
+
+ redis:
+ image: 'redis:alpine'
+ container_name: 'redis'
+ volumes:
+ - './redis:/data'
+ networks:
+ - authelia
+ restart: 'unless-stopped'
+ environment:
+ TZ: 'America/Chicago'
+
+networks:
+ authelia:
+ name: authelia
+ reverse-proxy:
+ external: true
diff --git a/authelia/config/configuration.yml b/authelia/config/configuration.yml
new file mode 100644
index 0000000..43f7055
--- /dev/null
+++ b/authelia/config/configuration.yml
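Review bot: The `redis` service in `authelia/compose.yml` runs `redis:alpine` with no `--requirepass` flag or mounted config, yet the Authelia configuration added in this same commit sets `session.redis.password`; Redis 6+ rejects `AUTH` when no password is configured, so the session store is unlikely to connect as deployed. Either start Redis with the password it is expected to enforce, e.g. `command: ['redis-server', '--requirepass', '${AUTHELIA_REDIS_PASSWORD}']` with the value sourced from an untracked env file, or drop the password on both sides since the container only sits on the `authelia` network. Separately, `image: 'authelia/authelia'` is unpinned while `pangolin` and `traefik` elsewhere in this commit are pinned to versions; this container gates every `*.akanealw.com` host, so pin it to a release tag or digest as the other services are, and reconsider `healthcheck: disable: true` on the one service whose outage fails open or closed for everything behind it.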
@@ -0,0 +1,124 @@
+---
+###############################################################
+# Authelia configuration #
+###############################################################
+
+theme: dark
+
+server:
+ address: 'tcp://:9091'
+ endpoints:
+ authz:
+ forward-auth:
+ implementation: 'ForwardAuth'
+
+log:
+ level: 'info'
+
+totp:
+ issuer: 'authelia.com'
+
+identity_validation:
+ reset_password:
+ jwt_secret: '2b8a78f3ac1784ef6aab3899c663e1010c60d3a9de694550879da349fe222923'
+
+authentication_backend:
+ file:
+ path: '/config/users_database.yml'
+
+# access_control:
+# default_policy: 'deny'
+# rules:
+# # Rules applied to everyone
+# - domain: 'public.example.com'
+# policy: 'bypass'
+# - domain: 'traefik.example.com'
+# policy: 'one_factor'
+# - domain: 'secure.example.com'
+# policy: 'two_factor'
+
+access_control:
+ default_policy: deny
+ networks:
+ - name: internal
+ networks:
+ - '10.0.0.0/8'
+ - '172.16.0.0/12'
+ - '192.168.0.0/16'
+ rules:
+ ## bypass all domains and subdomains from local ips
+ - domain:
+ - aknlw.com
+ - akanealw.com
+ - "*.akanealw.com"
+ networks:
+ - 'internal'
+ policy: bypass
+ # bypass api for subdomains
+ - domain:
+ - "*.akanealw.com"
+ resources:
+ - "^/api([/?].*)?$"
+ - "^/add([/?].*)?$"
+ - "^/public([/?].*)?$"
+ policy: bypass
+ # bypass specific subdomains
+ - domain:
+ - aknlw.com
+ - bitwarden.akanealw.com
+ - gitea.akanealw.com
+ - nextcloud.akanealw.com
+ policy: bypass
+ # bypass filebrowser shares
+ - domain:
+ - "filebrowser.akanealw.com"
+ resources:
+ - "^/api([/?].*)?$"
+ - "^/share([/?].*)?$"
+ - "^/static([/?].*)?$"
+ policy: bypass
+ # two_factor subdomains
+ - domain:
+ - akanealw.com
+ - "*.akanealw.com"
+ policy: two_factor
+
+session:
+ secret: 'ffc343d98b87910edcddb1f0dac4b492b62e29b5eafa92f1c213f37c4669f243'
+
+ cookies:
+ - name: 'authelia_session'
+ domain: 'akanealw.com'
+ authelia_url: 'https://auth.akanealw.com'
+ default_redirection_url: 'https://akanealw.com'
+ expiration: '1 hour'
+ inactivity: '5 minutes'
+
+ redis:
+ host: 'redis'
+ port: 6379
+ password: 'bc4eb8df73776ba7716aeb60c0023ef6136b80680bb8ea1cf6c51a326dea2c43'
+
+regulation:
+ max_retries: 3
+ find_time: '2 minutes'
+ ban_time: '5 minutes'
+
+storage:
+ encryption_key: 'cbd7570c1795cba61f05baf419b7cee23fa144d512bda2ea57ba300afa6b33bf'
+ local:
+ path: '/config/db.sqlite3'
+
+notifier:
+ smtp:
+ username: 'akanealw@gmail.com'
+ password: 'qlvmffuzpscltdgz'
+ address: 'smtp://smtp.gmail.com:587'
+ sender: 'akanealw@gmail.com'
+
+ntp:
+ address: 'udp://time.windows.com:123'
+ version: 3
+ max_desync: '3s'
+ disable_startup_check: false
+ disable_failure: false
diff --git a/authelia/config/users_database.yml b/authelia/config/users_database.yml
new file mode 100644
index 0000000..c92a691
--- /dev/null
+++ b/authelia/config/users_database.yml
@@ -0,0 +1,16 @@
+###############################################################
+# Users Database #
+###############################################################
+
+# This file can be used if you do not have an LDAP set up.
+
+# List of users
+users:
+ akanealw:
+ disabled: false
+ displayname: 'akanealw'
+ password: '$argon2id$v=19$m=65536,t=3,p=4$OdUFS5B8+7p5cuaE7TJ1Ig$fiMUt1PjTo65xltKyDfcwiu1yOPlO3G2X04CZCQFWig'
+ email: 'akanealw@gmail.com'
+ groups:
+ - 'admins'
+ - 'dev'
diff --git a/pangolin/compose.yml b/pangolin/compose.yml
new file mode 100644
index 0000000..3a3635c
--- /dev/null
+++ b/pangolin/compose.yml
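Review bot: `identity_validation.reset_password.jwt_secret`, `session.secret`, `session.redis.password`, `storage.encryption_key` and the Gmail app password under `notifier.smtp` are all committed as live plaintext values in `configuration.yml`; they remain in repository history regardless of any later edit, so every one of them should be rotated and the Gmail app password revoked in the Google account. Move them out of the file through Authelia's secrets mechanism (`AUTHELIA_SESSION_SECRET_FILE`, `AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE`, `AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE` and the matching `_FILE` variables for the JWT secret and Redis password) pointing at files outside the repo, and delete the keys from this file; note that once `db.sqlite3` holds data the encryption key cannot simply be edited in place and has to be changed with `authelia storage encryption change-key`. The second `bypass` rule also exempts `^/api`, `^/add` and `^/public` on every `*.akanealw.com` host rather than on the hosts that need it, so any service behind the proxy whose API does not carry its own authentication is reachable with no factor at all; scope that rule to named hosts the way the filebrowser rule below it is.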
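Review bot: The `password` field in `users_database.yml` publishes the Argon2id hash of the only `admins` account in the same repository as the config that consumes it, so anyone with the repo can run unlimited offline guesses against it with no `regulation` throttling; the parameters (`m=65536,t=3,p=4`) are sound, but that only buys time against a weak or reused password, so the password should be changed and the new hash kept out of version control. Mount `users_database.yml` from a git-ignored path instead of committing it, or at minimum prepend a warning such as `# Contains credential hashes -- do not commit; regenerate with: authelia crypto hash generate argon2` so the next edit does not repeat this.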
@@ -0,0 +1,48 @@
+services:
+ pangolin:
+ image: fosrl/pangolin:1.3.1
+ container_name: pangolin
+ restart: unless-stopped
+ networks:
+ - reverse-proxy
+ volumes:
+ - ./config:/app/config
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:3001/api/v1/"]
+ interval: "10s"
+ timeout: "10s"
+ retries: 15
+
+ traefik:
+ image: traefik:v3.3.6
+ container_name: traefik
+ restart: unless-stopped
+ environment:
+ CLOUDFLARE_DNS_API_TOKEN: "JSXyIqcHpMvDiIoZfQmlH7R2f6dKW92O8Buz_x3X"
+ networks:
+ - reverse-proxy
+ ports:
+ - 443:443
+ - 80:80
+ depends_on:
+ pangolin:
+ condition: service_healthy
+ command:
+ - --configFile=/etc/traefik/traefik_config.yml
+ volumes:
+ - ./config/traefik:/etc/traefik:ro # Volume to store the Traefik configuration
+ - ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
+ - ./config/traefik/logs:/var/log/traefik # Volume to store Traefik logs
+
+ whoami:
+ image: traefik/whoami
+ container_name: whoami
+ networks:
+ - reverse-proxy
+
+networks:
+ authentik:
+ name: authentik
+ reverse-proxy:
+ external: true
+
\ No newline at end of file
diff --git a/pangolin/docker-compose.yml b/pangolin/docker-compose.yml
deleted file mode 100644
index 3da1f58..0000000
--- a/pangolin/docker-compose.yml
+++ /dev/null
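Review bot: `CLOUDFLARE_DNS_API_TOKEN` is hard-coded in the `traefik` environment of `pangolin/compose.yml`, and the identical value sits in the `pangolin/docker-compose.yml` this commit deletes, so the token has been in history for at least two revisions; revoke it in the Cloudflare dashboard and issue a replacement scoped to DNS edit on the single zone Traefik needs for DNS-01. Deliver the replacement out of band, e.g. `CLOUDFLARE_DNS_API_TOKEN_FILE: /run/secrets/cf_dns_token` backed by a compose `secrets:` entry, which lego (Traefik's ACME client) accepts as the `_FILE` variant of the same variable. The `authentik` network declared at the bottom is attached to no service in this file and appears to be a leftover from the removed Authentik stack; drop it so compose does not create an unused network, and consider whether the `whoami` debug service still needs to be published through the proxy.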
@@ -1,150 +0,0 @@
-services:
- authentik-server:
- image: ghcr.io/goauthentik/server:2025.2.2
- container_name: authentik-server
- command: server
- environment:
- - AUTHENTIK_REDIS__HOST=authentik-redis
- - AUTHENTIK_POSTGRESQL__HOST=authentik-postgres
- - AUTHENTIK_POSTGRESQL__USER=authentik
- - AUTHENTIK_POSTGRESQL__NAME=authentik
- - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}
- - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
- - AUTHENTIK_EMAIL__HOST=${AUTHENTIK_EMAIL__HOST}
- - AUTHENTIK_EMAIL__PORT=${AUTHENTIK_EMAIL__PORT}
- - AUTHENTIK_EMAIL__USERNAME=${AUTHENTIK_EMAIL__USERNAME}
- - AUTHENTIK_EMAIL__PASSWORD=${AUTHENTIK_EMAIL__PASSWORD}
- - AUTHENTIK_EMAIL__USE_TLS=${AUTHENTIK_EMAIL__USE_TLS}
- - AUTHENTIK_EMAIL__USE_SSL=${AUTHENTIK_EMAIL__USE_SSL}
- - AUTHENTIK_EMAIL__TIMEOUT=${AUTHENTIK_EMAIL__TIMEOUT}
- - AUTHENTIK_EMAIL__FROM=${AUTHENTIK_EMAIL__FROM}
- ports:
- - 9000:9000
- - 9443:9443
- networks:
- - authentik
- - reverse-proxy
- volumes:
- - ./config/authentik/media:/media
- - ./config/authentik/custom-templates:/templates
- depends_on:
- - authentik-postgres
- - authentik-redis
- restart: unless-stopped
-
- authentik-worker:
- image: ghcr.io/goauthentik/server:2025.2.2
- container_name: authentik-worker
- command: worker
- environment:
- - AUTHENTIK_REDIS__HOST=authentik-redis
- - AUTHENTIK_POSTGRESQL__HOST=authentik-postgres
- - AUTHENTIK_POSTGRESQL__USER=authentik
- - AUTHENTIK_POSTGRESQL__NAME=authentik
- - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}
- - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
- - AUTHENTIK_EMAIL__HOST=${AUTHENTIK_EMAIL__HOST}
- - AUTHENTIK_EMAIL__PORT=${AUTHENTIK_EMAIL__PORT}
- - AUTHENTIK_EMAIL__USERNAME=${AUTHENTIK_EMAIL__USERNAME}
- - AUTHENTIK_EMAIL__PASSWORD=${AUTHENTIK_EMAIL__PASSWORD}
- - AUTHENTIK_EMAIL__USE_TLS=${AUTHENTIK_EMAIL__USE_TLS}
- - AUTHENTIK_EMAIL__USE_SSL=${AUTHENTIK_EMAIL__USE_SSL}
- - AUTHENTIK_EMAIL__TIMEOUT=${AUTHENTIK_EMAIL__TIMEOUT}
- - AUTHENTIK_EMAIL__FROM=${AUTHENTIK_EMAIL__FROM}
- networks:
- - authentik
- - reverse-proxy
- user: root
- volumes:
- - /run/docker.sock:/run/docker.sock
- - ./config/authentik/media:/media
- - ./config/authentik/certs:/certs
- - ./config/authentik/custom-templates:/templates
- depends_on:
- - authentik-postgres
- - authentik-redis
- restart: unless-stopped
-
- authentik-redis:
- image: docker.io/library/redis:7.4.2
- container_name: authentik-redis
- command: --save 60 1 --loglevel warning
- healthcheck:
- test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
- start_period: 20s
- interval: 30s
- retries: 5
- timeout: 3s
- networks:
- - authentik
- volumes:
- - ./config/authentik/redis:/data
- restart: unless-stopped
-
- authentik-postgres:
- image: docker.io/library/postgres:17.4
- container_name: authentik-postgres
- environment:
- - POSTGRES_USER=authentik
- - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
- - POSTGRES_DB=authentik
- - TZ=${TZ}
- healthcheck:
- test: ['CMD-SHELL', 'pg_isready -U "authentik"']
- start_period: 30s
- interval: 10s
- timeout: 10s
- retries: 5
- networks:
- - authentik
- volumes:
- - ./config/authentik/postgres:/var/lib/postgresql/data
- restart: unless-stopped
-
- pangolin:
- image: fosrl/pangolin:1.3.1
- container_name: pangolin
- restart: unless-stopped
- networks:
- - reverse-proxy
- volumes:
- - ./config:/app/config
- healthcheck:
- test: ["CMD", "curl", "-f", "http://localhost:3001/api/v1/"]
- interval: "10s"
- timeout: "10s"
- retries: 15
-
- traefik:
- image: traefik:v3.3.6
- container_name: traefik
- restart: unless-stopped
- environment:
- CLOUDFLARE_DNS_API_TOKEN: "JSXyIqcHpMvDiIoZfQmlH7R2f6dKW92O8Buz_x3X"
- networks:
- - reverse-proxy
- ports:
- - 443:443
- - 80:80
- depends_on:
- pangolin:
- condition: service_healthy
- command:
- - --configFile=/etc/traefik/traefik_config.yml
- volumes:
- - ./config/traefik:/etc/traefik:ro # Volume to store the Traefik configuration
- - ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
- - ./config/traefik/logs:/var/log/traefik # Volume to store Traefik logs
-
- whoami:
- image: traefik/whoami
- container_name: whoami
- networks:
- - reverse-proxy
-
-networks:
- authentik:
- name: authentik
- reverse-proxy:
- external: true
-
\ No newline at end of file