diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 2870d4d..8fbe194 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -6,7 +6,6 @@ on:
     branches: [ "main" ]
     paths:
       - "docker-compose.yml"
-      - "authelia/**"
       - "crowdsec/**"
       - "prometheus/**"
       - "grafana/**"
diff --git a/authelia/.gitignore b/authelia/.gitignore
deleted file mode 100644
index 1bd3a40..0000000
--- a/authelia/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore Authelia runtime/state files
-# SQLite database and notification artifacts stored after switching to directory bind mount
-/db.sqlite3
-/notification.txt
diff --git a/authelia/configuration.yml b/authelia/configuration.yml
deleted file mode 100644
index dd10703..0000000
--- a/authelia/configuration.yml
+++ /dev/null
@@ -1,117 +0,0 @@
-# authelia/configuration.yml
-# Authelia v4 for: auth.gate.3launchpad.com
-# Behind Traefik (forward-auth), Redis sessions, SQLite storage.
-
-#########################################################
-# Server & Logging
-#########################################################
-server:
-  address: "tcp://0.0.0.0:9091"
-  buffers:
-    read: 4096
-    write: 4096
-
-log:
-  level: info
-
-theme: auto
-
-# Where to send users if they hit a protected resource without a Referer
-default_redirection_url: "https://traefik.gate.3launchpad.com/"
-
-#########################################################
-# Secrets (use env vars in production)
-#########################################################
-# Prefer env vars:
-#   AUTHELIA_JWT_SECRET, AUTHELIA_SESSION_SECRET, AUTHELIA_STORAGE_ENCRYPTION_KEY
-jwt_secret: "changeme_jwt_secret"
-
-#########################################################
-# Authentication Backend (local file)
-#########################################################
-authentication_backend:
-  file:
-    path: /config/users_database.yml
-    password:
-      algorithm: argon2id
-      iterations: 3
-      memory: 64
-      parallelism: 4
-      salt_length: 16
-      key_length: 32
-
-#########################################################
-# Access Control
-#########################################################
-access_control:
-  default_policy: deny
-  rules:
-    - domain: "status.gate.3launchpad.com"
-      policy: bypass
-
-    - domain: "traefik.gate.3launchpad.com"
-      subject: ["group:admins"]
-      policy: two_factor
-
-    - domain: "portainer.gate.3launchpad.com"
-      subject: ["group:admins"]
-      policy: two_factor
-
-    - domain_regex: "(grafana|prometheus|umami)\\.gate\\.3launchpad\\.com"
-      subject:
-        - "group:admins"
-        - "group:devs"
-      policy: one_factor
-
-    - domain: "*.gate.3launchpad.com"
-      subject:
-        - "group:users"
-        - "group:admins"
-        - "group:devs"
-      policy: one_factor
-
-#########################################################
-# Session (cookies + Redis)
-#########################################################
-session:
-  name: authelia_session
-  domain: "gate.3launchpad.com"
-  same_site: lax
-  expiration: 1h
-  inactivity: 30m
-  remember_me_duration: 1M
-  secret: "changeme_session_secret"
-  redis:
-    host: redis
-    port: 6379
-
-#########################################################
-# Regulation (anti-bruteforce)
-#########################################################
-regulation:
-  max_retries: 3
-  find_time: 2m
-  ban_time: 10m
-
-#########################################################
-# Storage (SQLite on persistent volume)
-#########################################################
-storage:
-  encryption_key: "changeme_storage_key"
-  local:
-    path: /config/db.sqlite3
-
-#########################################################
-# Notifier
-#########################################################
-notifier:
-  filesystem:
-    filename: /config/notification.txt
-
-#########################################################
-# 2FA: TOTP
-#########################################################
-totp:
-  issuer: "3launchpad.com"
-  period: 30
-  skew: 1
diff --git a/authelia/users_database.yml b/authelia/users_database.yml
deleted file mode 100644
index 156f4d2..0000000
--- a/authelia/users_database.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-# authelia/users_database.yml
-# User database for Authelia authentication
-# Passwords are hashed with argon2id algorithm
-# Use: authelia crypto hash generate argon2 --password 'your_password'
-
-users:
-  # Admin user with full access
-  admin:
-    displayname: "Administrator"
-    password: "$argon2id$v=19$m=65536,t=3,p=4$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t1MF//X73A" # password: admin123
-    email: admin@3launchpad.com
-    groups:
-      - admins
-      - users
-
-  # Developer user with dev and user access
-  developer:
-    displayname: "Developer"
-    password: "$argon2id$v=19$m=65536,t=3,p=4$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t1MF//X73A" # password: dev123
-    email: dev@3launchpad.com
-    groups:
-      - devs
-      - users
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index 52c57d7..afd726b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -14,7 +14,6 @@ volumes:
   traefik_logs:
   portainer_data:
   umami_db_data:
-  authelia_data:
   prometheus_data:
   grafana_data:
   uptime_kuma_data:
@@ -85,17 +84,12 @@ services:
       - traefik.http.middlewares.security-headers.headers.referrerPolicy=no-referrer-when-downgrade
       - traefik.http.middlewares.security-headers.headers.frameDeny=true
 
-      # Authelia ForwardAuth (reusable)
-      - traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.gate.${DOMAIN}
-      - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
-      - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
-
       # Traefik dashboard (protected)
       - traefik.http.routers.traefik.rule=Host(`traefik.gate.${DOMAIN}`)
       - traefik.http.routers.traefik.entrypoints=websecure
       - traefik.http.routers.traefik.tls.certresolver=le
       - traefik.http.routers.traefik.service=api@internal
-      - traefik.http.routers.traefik.middlewares=authelia,security-headers
+      - traefik.http.routers.traefik.middlewares=security-headers
 
   ## ─────────────────────────────────────────────
   ## Portainer — Docker control plane
@@ -113,7 +107,7 @@ services:
       - traefik.http.routers.portainer.rule=Host(`portainer.gate.${DOMAIN}`)
       - traefik.http.routers.portainer.entrypoints=websecure
       - traefik.http.routers.portainer.tls.certresolver=le
-      - traefik.http.routers.portainer.middlewares=authelia,security-headers
+      - traefik.http.routers.portainer.middlewares=security-headers
       - traefik.http.services.portainer.loadbalancer.server.port=9000
 
   ## ─────────────────────────────────────────────
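Review bot: The Traefik dashboard router still points at `service=api@internal` but its middleware chain is now only `security-headers`, and `api@internal` performs no authentication of its own, so the dashboard and the `/api/` endpoints (the full router, service and middleware configuration, including every hostname behind this proxy) become reachable by anyone who can hit the `websecure` entrypoint. If Authelia is being dropped rather than replaced, put another gate on this router before merging, e.g. `- traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_AUTH}` plus `- traefik.http.routers.traefik.middlewares=traefik-auth,security-headers`, with the htpasswd value supplied from the environment rather than committed. An IP allowlist middleware in front of it (`ipallowlist` or `ipwhitelist`, depending on the Traefik major version in use) would be a sensible addition. The `labels:` block these lines belong to starts before the hunk.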
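Review bot: Portainer is now exposed with only its own login screen in front of it, whereas the deleted `authelia/configuration.yml` required `two_factor` and `group:admins` for `portainer.gate.*`; since Portainer controls the Docker socket this is a real downgrade and should at least be called out in the commit message. If this is deliberate, confirm that MFA (or at minimum a strong, rotated admin password) is enforced inside Portainer itself, and consider keeping the router restricted to known source ranges, e.g. `- traefik.http.routers.portainer.middlewares=admin-allowlist,security-headers`. Be aware that a freshly started Portainer behind this router would present its initial admin-creation page to the public internet with no gate in front (worth confirming against Portainer's first-run behaviour for the image version in use, which is outside this hunk).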
@@ -148,41 +142,9 @@ services:
       - traefik.http.routers.umami.rule=Host(`umami.gate.${DOMAIN}`)
       - traefik.http.routers.umami.entrypoints=websecure
       - traefik.http.routers.umami.tls.certresolver=le
-      - traefik.http.routers.umami.middlewares=authelia,security-headers
+      - traefik.http.routers.umami.middlewares=security-headers
       - traefik.http.services.umami.loadbalancer.server.port=3000
 
-  ## ─────────────────────────────────────────────
-  ## Authelia + Redis — SSO/MFA
-  ## ─────────────────────────────────────────────
-  authelia:
-    image: authelia/authelia:latest
-    container_name: authelia
-    restart: unless-stopped
-    depends_on: [redis]
-    environment:
-      TZ: "${TZ}"
-    volumes:
-      # Mount entire config directory so individual file binds are not hidden by a named volume.
-      # NOTE: The previous setup mounted a named volume at /config which masked the two file binds
-      # causing Traefik -> Authelia timeouts (missing configuration). Persisted runtime files (db, notifications)
-      # will live in this folder on the host; ensure db.sqlite3 is gitignored.
-      - ./authelia:/config
-    networks: [traefik_proxy, internal]
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.authelia.rule=Host(`auth.gate.${DOMAIN}`)
-      - traefik.http.routers.authelia.entrypoints=websecure
-      - traefik.http.routers.authelia.tls.certresolver=le
-      - traefik.http.routers.authelia.middlewares=security-headers
-      - traefik.http.routers.authelia.service=authelia-svc
-      - traefik.http.services.authelia-svc.loadbalancer.server.port=9091
-
-  redis:
-    image: redis:7-alpine
-    container_name: authelia-redis
-    restart: unless-stopped
-    networks: [internal]
-
   ## ─────────────────────────────────────────────
   ## Uptime Kuma — status page / checks
   ## ─────────────────────────────────────────────
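Review bot: Removing the `./authelia:/config` bind mount leaves Authelia's runtime state behind on every host that ran this stack — the `db.sqlite3` the deleted storage config pointed at (which holds user TOTP secrets) and `notification.txt` (where the deleted filesystem notifier wrote its messages) — and the `authelia/.gitignore` that excluded both files is deleted in the same commit, so a stale `authelia/` directory in any checkout can now be committed by accident. Add a cleanup step for that directory on the deploy hosts, and if the `changeme_*` placeholder secrets from the deleted `configuration.yml` were ever overridden with real values via `AUTHELIA_*` environment variables, remove those from the deployment environment too. The Umami router now relies solely on Umami's own login; if its default admin credentials were never rotated because Authelia sat in front, rotate them before this is deployed.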
@@ -198,7 +160,7 @@ services:
       - traefik.http.routers.kuma.rule=Host(`status.gate.${DOMAIN}`)
       - traefik.http.routers.kuma.entrypoints=websecure
       - traefik.http.routers.kuma.tls.certresolver=le
-      - traefik.http.routers.kuma.middlewares=authelia,security-headers
+      - traefik.http.routers.kuma.middlewares=security-headers
       - traefik.http.services.kuma.loadbalancer.server.port=3001
 
   ## ─────────────────────────────────────────────
@@ -217,7 +179,7 @@ services:
       - traefik.http.routers.prom.rule=Host(`prometheus.gate.${DOMAIN}`)
       - traefik.http.routers.prom.entrypoints=websecure
       - traefik.http.routers.prom.tls.certresolver=le
-      - traefik.http.routers.prom.middlewares=authelia,security-headers
+      - traefik.http.routers.prom.middlewares=security-headers
       - traefik.http.services.prom.loadbalancer.server.port=9090
 
   cadvisor:
@@ -262,5 +224,5 @@ services:
       - traefik.http.routers.grafana.rule=Host(`grafana.gate.${DOMAIN}`)
       - traefik.http.routers.grafana.entrypoints=websecure
       - traefik.http.routers.grafana.tls.certresolver=le
-      - traefik.http.routers.grafana.middlewares=authelia,security-headers
+      - traefik.http.routers.grafana.middlewares=security-headers
       - traefik.http.services.grafana.loadbalancer.server.port=3000
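Review bot: Prometheus ships with no authentication of its own, so once `authelia` is dropped from the `prom` router, `prometheus.gate.${DOMAIN}` answers arbitrary PromQL queries, `/api/v1/status/config` (the scrape configuration, which may embed credentials) and `/api/v1/targets` to anyone on the internet; the other services touched in this commit at least present a login page, Prometheus does not. Either re-add an auth middleware on this router, e.g. `- traefik.http.middlewares.prom-auth.basicauth.users=${PROM_BASIC_AUTH}` and `- traefik.http.routers.prom.middlewares=prom-auth,security-headers`, or drop the public router entirely and reach Prometheus only through Grafana on the internal network. If the Prometheus service is started with `--web.enable-admin-api` or `--web.enable-lifecycle` (its command line is outside this hunk), those endpoints are now unauthenticated as well.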