Update deploy workflow branch and add Authelia configuration and user database

.github/workflows/deploy.yml

@@ -3,7 +3,7 @@ name: Deploy Gateway to VPS
 
 on:
   push:
-    branches: [ "main" ]
+    branches: [ "disbaled" ]
     paths:
       - "docker-compose.yml"
       - ".github/workflows/deploy.yml"

authelia/configuration.yml

@@ -0,0 +1,58 @@
+---
+# Authelia configuration
+# This is a minimal configuration for getting started with Authelia
+
+server:
+  port: 9091
+  endpoints:
+    authz:
+      forward-auth:
+        implementation: 'ForwardAuth'
+
+authentication_backend:
+  file:
+    path: '/config/users_database.yml'
+
+access_control:
+  default_policy: 'deny'
+  rules:
+    - domain: 'pgadmin.gate.${DOMAIN}'
+      policy: 'two_factor'
+    - domain: '*.gate.${DOMAIN}'
+      policy: 'one_factor'
+
+session:
+  name: 'authelia_session'
+  secret: '${AUTHELIA_SESSION_SECRET}'
+  cookies:
+    - domain: 'gate.${DOMAIN}'
+      authelia_url: 'https://auth.gate.${DOMAIN}'
+      default_redirection_url: 'https://login.gate.${DOMAIN}'
+
+storage:
+  postgres:
+    host: 'authelia-db'
+    port: 5432
+    database: 'authelia'
+    username: 'authelia'
+    password: '${AUTHELIA_DB_PASSWORD}'
+
+notifier:
+  smtp:
+    username: 'authelia'
+    password: 'dummy_password'
+    host: 'smtp.example.com'
+    port: 587
+    sender: 'authelia@example.com'
+
+jwt_secret: '${AUTHELIA_JWT_SECRET}'
+
+api:
+  endpoints:
+    reset_password:
+      disable: false
+
+regulations:
+  max_retries: 3
+  find_time: 120
+  ban_time: 300

authelia/users_database.yml

@@ -0,0 +1,10 @@
+---
+# Authelia users database
+# This is a simple file-based user database for testing
+
+users:
+  admin:
+    displayname: "Administrator"
+    password: "$argon2id$v=19$m=65536,t=3,p=4$abcdefghijklmnopqrstuvwx$abcdefghijklmnopqrstuvwxabcdefghijklmnopqrstuvwx"  # Dummy hash for 'password'
+    email: admin@example.com
+    groups: []

docker-compose.yml

@@ -12,6 +12,8 @@ volumes:
   uptime_kuma_data:
   umami_data:
   pgadmin_data:
+  authelia_config:
+  authelia_db_data:
 
 ########################
 # Services
@@ -102,28 +104,60 @@ services:
       - traefik.http.middlewares.security-headers.headers.browserXssFilter=true
       - traefik.http.middlewares.security-headers.headers.contentTypeNosniff=true
       - traefik.http.middlewares.security-headers.headers.referrerPolicy=no-referrer-when-downgrade
-      - traefik.http.middlewares.security-headers.headers.frameDeny=true
 
-      # Basic Auth middleware
+      # # Basic Auth middleware
-      - traefik.http.middlewares.basic-auth.basicauth.users=${BASIC_AUTH_USERS}
+      # - traefik.http.middlewares.basic-auth.basicauth.users=${BASIC_AUTH_USERS}
 
-      # Umami Analytics middleware (commented out until real website ID is available)
+      # Authelia middleware
-      # - traefik.http.middlewares.umami-analytics.plugin.traefik-umami-plugin.umamiHost=umami:3000
+      - traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/authz/forward-auth
-      # - traefik.http.middlewares.umami-analytics.plugin.traefik-umami-plugin.websiteId=${UMAMI_WEBSITE_ID}
+      - traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true
-      # - traefik.http.middlewares.umami-analytics.plugin.traefik-umami-plugin.forwardPath=umami
+      - traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Email,Remote-Name
-      # - traefik.http.middlewares.umami-analytics.plugin.traefik-umami-plugin.scriptInjection=true
-      # - traefik.http.middlewares.umami-analytics.plugin.traefik-umami-plugin.scriptInjectionMode=tag
-      # - traefik.http.middlewares.umami-analytics.plugin.traefik-umami-plugin.autoTrack=true
-      # - traefik.http.middlewares.umami-analytics.plugin.traefik-umami-plugin.doNotTrack=false
-      # - traefik.http.middlewares.umami-analytics.plugin.traefik-umami-plugin.cache=false
-      # - traefik.http.middlewares.umami-analytics.plugin.traefik-umami-plugin.serverSideTracking=false
 
       # Traefik dashboard (protected)
       - traefik.http.routers.traefik.rule=Host(`traefik.gate.${DOMAIN}`)
       - traefik.http.routers.traefik.entrypoints=websecure
       - traefik.http.routers.traefik.tls.certresolver=le
       - traefik.http.routers.traefik.service=api@internal
-      - traefik.http.routers.traefik.middlewares=basic-auth,security-headers
+      - traefik.http.routers.traefik.middlewares=authelia@docker,security-headers
+
+  ## ─────────────────────────────────────────────
+  ## Authelia — authentication and authorization
+  ## ─────────────────────────────────────────────
+  authelia:
+    image: authelia/authelia:latest
+    container_name: authelia
+    restart: unless-stopped
+    networks: [traefik_proxy]
+    volumes:
+      - authelia_config:/config
+    environment:
+      TZ: "${TZ}"
+      AUTHELIA_DB_PASSWORD: "${AUTHELIA_DB_PASSWORD}"
+      AUTHELIA_JWT_SECRET: "${AUTHELIA_JWT_SECRET}"
+      AUTHELIA_SESSION_SECRET: "${AUTHELIA_SESSION_SECRET}"
+    depends_on:
+      - authelia-db
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.authelia.rule=Host(`auth.gate.${DOMAIN}`)
+      - traefik.http.routers.authelia.entrypoints=websecure
+      - traefik.http.routers.authelia.tls.certresolver=le
+      - traefik.http.services.authelia.loadbalancer.server.port=9091
+
+  ## ─────────────────────────────────────────────
+  ## Authelia Database — PostgreSQL
+  ## ─────────────────────────────────────────────
+  authelia-db:
+    image: postgres:15-alpine
+    container_name: authelia-db
+    restart: unless-stopped
+    networks: [traefik_proxy]
+    environment:
+      POSTGRES_DB: authelia
+      POSTGRES_USER: authelia
+      POSTGRES_PASSWORD: ${AUTHELIA_DB_PASSWORD}
+    volumes:
+      - authelia_db_data:/var/lib/postgresql/data
 
   ## ─────────────────────────────────────────────
   ## Portainer — Docker control plane