From 47e640b9691816122a3e3ee5893031a39ee2757f Mon Sep 17 00:00:00 2001
From: elfateh4
Date: Mon, 1 Dec 2025 19:10:10 +0100
Subject: [PATCH] Update deploy workflow branch and add Authelia configuration and user database
---
 .github/workflows/deploy.yml | 2 +-
 authelia/configuration.yml | 58 +++++++++++++++++++++++++++++++++
 authelia/users_database.yml | 10 ++++++
 docker-compose.yml | 62 ++++++++++++++++++++++++++++--------
 4 files changed, 117 insertions(+), 15 deletions(-)
 create mode 100644 authelia/configuration.yml
 create mode 100644 authelia/users_database.yml
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 7ffe301..661625a 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -3,7 +3,7 @@ name: Deploy Gateway to VPS
 on:
 push:
- branches: [ "main" ]
+ branches: [ "disbaled" ]
 paths:
 - "docker-compose.yml"
 - ".github/workflows/deploy.yml"
diff --git a/authelia/configuration.yml b/authelia/configuration.yml
new file mode 100644
index 0000000..3c0a237
--- /dev/null
+++ b/authelia/configuration.yml
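Review bot: The new trigger `branches: [ "disbaled" ]` is a misspelling of "disabled" and, assuming no branch of that name exists, it silently turns off every deploy rather than recording that intent. If pausing deployment is the goal, say so where the next reader will look, e.g. `# Deploys paused: no branch matches; restore "main" to re-enable` above the line, or replace the push filter with `workflow_dispatch:` so the job can still be run by hand. Either way the placeholder should be spelled deliberately so nobody later searches for a branch that was never meant to exist.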
@@ -0,0 +1,58 @@
+---
+# Authelia configuration
+# This is a minimal configuration for getting started with Authelia
+
+server:
+ port: 9091
+ endpoints:
+ authz:
+ forward-auth:
+ implementation: 'ForwardAuth'
+
+authentication_backend:
+ file:
+ path: '/config/users_database.yml'
+
+access_control:
+ default_policy: 'deny'
+ rules:
+ - domain: 'pgadmin.gate.${DOMAIN}'
+ policy: 'two_factor'
+ - domain: '*.gate.${DOMAIN}'
+ policy: 'one_factor'
+
+session:
+ name: 'authelia_session'
+ secret: '${AUTHELIA_SESSION_SECRET}'
+ cookies:
+ - domain: 'gate.${DOMAIN}'
+ authelia_url: 'https://auth.gate.${DOMAIN}'
+ default_redirection_url: 'https://login.gate.${DOMAIN}'
+
+storage:
+ postgres:
+ host: 'authelia-db'
+ port: 5432
+ database: 'authelia'
+ username: 'authelia'
+ password: '${AUTHELIA_DB_PASSWORD}'
+
+notifier:
+ smtp:
+ username: 'authelia'
+ password: 'dummy_password'
+ host: 'smtp.example.com'
+ port: 587
+ sender: 'authelia@example.com'
+
+jwt_secret: '${AUTHELIA_JWT_SECRET}'
+
+api:
+ endpoints:
+ reset_password:
+ disable: false
+
+regulations:
+ max_retries: 3
+ find_time: 120
+ ban_time: 300
\ No newline at end of file
diff --git a/authelia/users_database.yml b/authelia/users_database.yml
new file mode 100644
index 0000000..d0bf72f
--- /dev/null
+++ b/authelia/users_database.yml
@@ -0,0 +1,10 @@
+---
+# Authelia users database
+# This is a simple file-based user database for testing
+
+users:
+ admin:
+ displayname: "Administrator"
+ password: "$argon2id$v=19$m=65536,t=3,p=4$abcdefghijklmnopqrstuvwx$abcdefghijklmnopqrstuvwxabcdefghijklmnopqrstuvwx" # Dummy hash for 'password'
+ email: admin@example.com
+ groups: []
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index f8b1bc5..ca4fbca 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -12,6 +12,8 @@ volumes:
 uptime_kuma_data:
 umami_data:
 pgadmin_data:
+ authelia_config:
+ authelia_db_data:
 ########################
 # Services
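Review bot: `notifier.smtp.password: 'dummy_password'` is a hard-coded credential next to real-looking SMTP settings, while every other secret in this file is pulled from the environment; make it `password: '${AUTHELIA_NOTIFIER_SMTP_PASSWORD}'` like its siblings, or, since the header calls this a getting-started config, use Authelia's file-system notifier (`notifier: filesystem: filename: '/config/notification.txt'`) so that no placeholder credential is committed at all. As far as I recall, Authelia only expands `${VAR}` references inside the configuration file when its expand-env configuration filter is enabled (the `X_AUTHELIA_CONFIG_FILTERS` setting, if I remember correctly); otherwise `${DOMAIN}` and the three `${AUTHELIA_*}` values are taken literally, so the file should carry a comment at the top stating how the expansion is expected to happen. I also do not recognise `api.endpoints.reset_password.disable` as an Authelia configuration key — please confirm it against the schema of the version actually deployed, which is harder to do while the compose file pins `authelia/authelia:latest`.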
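Review bot: The `password` value for `admin` is not a real Argon2id digest of anything — the salt and hash segments are the alphabet written out — so the trailing comment `# Dummy hash for 'password'` is misleading and this account cannot log in. Generate the value with Authelia's own tool (`authelia crypto hash generate argon2`) and replace the comment with one that does not name a plaintext, e.g. `# placeholder hash; regenerate before use`. Because this file is referenced as the live `authentication_backend.file.path`, the header comment should also say that real hashes must never be committed here once the placeholder is replaced.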
@@ -102,28 +104,60 @@ services:
 - traefik.http.middlewares.security-headers.headers.browserXssFilter=true
 - traefik.http.middlewares.security-headers.headers.contentTypeNosniff=true
 - traefik.http.middlewares.security-headers.headers.referrerPolicy=no-referrer-when-downgrade
- - traefik.http.middlewares.security-headers.headers.frameDeny=true
- # Basic Auth middleware
- - traefik.http.middlewares.basic-auth.basicauth.users=${BASIC_AUTH_USERS}
+ # # Basic Auth middleware
+ # - traefik.http.middlewares.basic-auth.basicauth.users=${BASIC_AUTH_USERS}
- # Umami Analytics middleware (commented out until real website ID is available)
- # - traefik.http.middlewares.umami-analytics.plugin.traefik-umami-plugin.umamiHost=umami:3000
- # - traefik.http.middlewares.umami-analytics.plugin.traefik-umami-plugin.websiteId=${UMAMI_WEBSITE_ID}
- # - traefik.http.middlewares.umami-analytics.plugin.traefik-umami-plugin.forwardPath=umami
- # - traefik.http.middlewares.umami-analytics.plugin.traefik-umami-plugin.scriptInjection=true
- # - traefik.http.middlewares.umami-analytics.plugin.traefik-umami-plugin.scriptInjectionMode=tag
- # - traefik.http.middlewares.umami-analytics.plugin.traefik-umami-plugin.autoTrack=true
- # - traefik.http.middlewares.umami-analytics.plugin.traefik-umami-plugin.doNotTrack=false
- # - traefik.http.middlewares.umami-analytics.plugin.traefik-umami-plugin.cache=false
- # - traefik.http.middlewares.umami-analytics.plugin.traefik-umami-plugin.serverSideTracking=false
+ # Authelia middleware
+ - traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/authz/forward-auth
+ - traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true
+ - traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Email,Remote-Name
 # Traefik dashboard (protected)
 - traefik.http.routers.traefik.rule=Host(`traefik.gate.${DOMAIN}`)
 - traefik.http.routers.traefik.entrypoints=websecure
 - traefik.http.routers.traefik.tls.certresolver=le
 - traefik.http.routers.traefik.service=api@internal
- - traefik.http.routers.traefik.middlewares=basic-auth,security-headers
+ - traefik.http.routers.traefik.middlewares=authelia@docker,security-headers
+
+ ## ─────────────────────────────────────────────
+ ## Authelia — authentication and authorization
+ ## ─────────────────────────────────────────────
+ authelia:
+ image: authelia/authelia:latest
+ container_name: authelia
+ restart: unless-stopped
+ networks: [traefik_proxy]
+ volumes:
+ - authelia_config:/config
+ environment:
+ TZ: "${TZ}"
+ AUTHELIA_DB_PASSWORD: "${AUTHELIA_DB_PASSWORD}"
+ AUTHELIA_JWT_SECRET: "${AUTHELIA_JWT_SECRET}"
+ AUTHELIA_SESSION_SECRET: "${AUTHELIA_SESSION_SECRET}"
+ depends_on:
+ - authelia-db
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.authelia.rule=Host(`auth.gate.${DOMAIN}`)
+ - traefik.http.routers.authelia.entrypoints=websecure
+ - traefik.http.routers.authelia.tls.certresolver=le
+ - traefik.http.services.authelia.loadbalancer.server.port=9091
+
+ ## ─────────────────────────────────────────────
+ ## Authelia Database — PostgreSQL
+ ## ─────────────────────────────────────────────
+ authelia-db:
+ image: postgres:15-alpine
+ container_name: authelia-db
+ restart: unless-stopped
+ networks: [traefik_proxy]
+ environment:
+ POSTGRES_DB: authelia
+ POSTGRES_USER: authelia
+ POSTGRES_PASSWORD: ${AUTHELIA_DB_PASSWORD}
+ volumes:
+ - authelia_db_data:/var/lib/postgresql/data
 ## ─────────────────────────────────────────────
 ## Portainer — Docker control plane
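Review bot: The `authelia` service mounts the named volume `authelia_config:/config`, so the `authelia/configuration.yml` and `authelia/users_database.yml` added in this commit never reach the container and the `/config/users_database.yml` the config points at will not exist on first start; bind-mount the directory instead, e.g. `- ./authelia:/config`, keeping a named volume only if Authelia needs writable state there. `${DOMAIN}` is used throughout the config but is absent from the service's `environment:`, and the database password is passed under the ad-hoc name `AUTHELIA_DB_PASSWORD`, which relies on in-file `${VAR}` expansion that, as far as I recall, Authelia performs only when its expand-env config filter is enabled — passing it as the native `AUTHELIA_STORAGE_POSTGRES_PASSWORD` avoids depending on that. Removing `security-headers.headers.frameDeny=true` drops clickjacking protection for every router that uses `security-headers`; if that was not intentional, restore the line. `authelia-db` is attached to `traefik_proxy` alongside every proxied service, so an internal network shared only with `authelia` would keep Postgres unreachable from the rest of the stack, and `depends_on` without a `healthcheck` does not wait for it to accept connections.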