elfateh/launchpad-gateway
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove Authelia configuration and related files; add Basic Authentication setup in Traefik

Browse Source
This commit is contained in:
Mohmmed Elfateh Sabry
2025-08-11 15:51:13 +03:00
parent 91ca7bfdc7
commit 97f5ec4fbc
6 changed files with 14 additions and 438 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
.env.example
View File

@@ -9,18 +9,11 @@ TZ=Your/Timezone
# Your email address for Let's Encrypt certificate notifications
ACME_EMAIL=admin@your-domain.com
## Authelia Configuration
# Generate with: openssl rand -hex 32
AUTHELIA_JWT_SECRET=your_jwt_secret_here_at_least_32_chars_generate_this
AUTHELIA_SESSION_SECRET=your_session_secret_here_at_least_32_chars_generate_this
AUTHELIA_STORAGE_ENCRYPTION_KEY=your_storage_encryption_key_32+_chars
# SMTP Configuration for Authelia (optional)
AUTHELIA_SMTP_HOST=smtp.gmail.com
AUTHELIA_SMTP_PORT=587
AUTHELIA_SMTP_USER=your_email@gmail.com
AUTHELIA_SMTP_PASS=your_app_password
AUTHELIA_SMTP_FROM=Authelia <noreply@your-domain.com>
## Basic Authentication
# Generate password hash with: echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
# Or use online generator: https://hostingcanada.org/htpasswd-generator/
# Format: username:$$2y$$10$$hashed_password
BASIC_AUTH_USERS=admin:$$2y$$05$$HIIpotyLuLRMBX3sfUs6E.YM3lP9cpF7hK7sHaSXGs6mw/RS6MXCa
## Umami (PostgreSQL)
# Database user for Umami analytics

16
.github/workflows/deploy.yml vendored
View File

@@ -6,7 +6,6 @@ on:
branches: [ "main" ]
paths:
- "docker-compose.yml"
- "authelia/**"
- ".github/workflows/deploy.yml"
workflow_dispatch:
@@ -80,6 +79,9 @@ jobs:
# --- ACME / Let's Encrypt (email only) ---
ACME_EMAIL=${{ secrets.ACME_EMAIL }}
# --- Basic Authentication ---
BASIC_AUTH_USERS=${{ secrets.BASIC_AUTH_USERS }}
# --- Namecheap DNS API ---
NAMECHEAP_API_USER=${{ secrets.NAMECHEAP_API_USER }}
NAMECHEAP_API_KEY=${{ secrets.NAMECHEAP_API_KEY }}
@@ -96,17 +98,6 @@ jobs:
# --- Grafana ---
GRAFANA_ADMIN_USER=${{ secrets.GRAFANA_ADMIN_USER }}
GRAFANA_ADMIN_PASS=${{ secrets.GRAFANA_ADMIN_PASS }}
# --- Authelia ---
AUTHELIA_JWT_SECRET=${{ secrets.AUTHELIA_JWT_SECRET }}
AUTHELIA_SESSION_SECRET=${{ secrets.AUTHELIA_SESSION_SECRET }}
AUTHELIA_STORAGE_ENCRYPTION_KEY=${{ secrets.AUTHELIA_STORAGE_ENCRYPTION_KEY }}
# (Optional SMTP if configured)
AUTHELIA_SMTP_HOST=${{ secrets.AUTHELIA_SMTP_HOST }}
AUTHELIA_SMTP_PORT=${{ secrets.AUTHELIA_SMTP_PORT }}
AUTHELIA_SMTP_USER=${{ secrets.AUTHELIA_SMTP_USER }}
AUTHELIA_SMTP_PASS=${{ secrets.AUTHELIA_SMTP_PASS }}
AUTHELIA_SMTP_FROM=${{ secrets.AUTHELIA_SMTP_FROM }}
ENVVARS
EOF
@@ -142,7 +133,6 @@ jobs:
echo "Traefik: https://traefik.gate.${{ secrets.DOMAIN }}"
echo "Portainer: https://portainer.gate.${{ secrets.DOMAIN }}"
echo "Uptime Kuma: https://uptime.gate.${{ secrets.DOMAIN }}"
echo "Authelia: https://auth.gate.${{ secrets.DOMAIN }}"
echo "Grafana: https://grafana.gate.${{ secrets.DOMAIN }}"
echo "Prometheus: https://prometheus.gate.${{ secrets.DOMAIN }}"
echo "Umami: https://umami.gate.${{ secrets.DOMAIN }}"

237
authelia/README.md
View File

@@ -1,237 +0,0 @@
# Authelia Setup Guide
This guide walks you through setting up Authelia authentication for your Launchpad Gateway.
## Overview
Authelia provides:
- 🔐 **Single Sign-On (SSO)** for all your services
- 🛡️ **Two-Factor Authentication (2FA)** with TOTP/WebAuthn
- 🌐 **Forward Authentication** integration with Traefik
- 👥 **User Management** with file-based or LDAP backends
- 📧 **Email Notifications** for password resets and 2FA setup
## Quick Start
### 1. Run the Setup Script
**Windows (PowerShell):**
```powershell
.\setup-authelia.ps1
```
**Linux/macOS (Bash):**
```bash
chmod +x setup-authelia.sh
./setup-authelia.sh
```
### 2. Configure Your Environment
Edit `.env` file with your actual values:
```env
DOMAIN=your-domain.com
TZ=America/New_York
ACME_EMAIL=admin@your-domain.com
AUTHELIA_JWT_SECRET=your_generated_jwt_secret
AUTHELIA_SESSION_SECRET=your_generated_session_secret
```
### 3. Update Authelia Configuration
Edit `authelia/configuration.yml`:
- Replace all instances of `example.com` with your actual domain
- Update SMTP settings if you want email notifications
- Adjust access control rules as needed
### 4. Set Up Users
Edit `authelia/users_database.yml`:
- Change the default password for `admin` user
- Add your own users
- Generate password hashes using:
```bash
docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'your-password'
```
### 5. Start Services
```bash
docker-compose up -d
```
## Access URLs
After setup, your services will be available at:
- **Authelia Portal**: `https://auth.gate.YOUR_DOMAIN`
- **Traefik Dashboard**: `https://traefik.gate.YOUR_DOMAIN` (requires authentication)
- **Portainer**: `https://portainer.gate.YOUR_DOMAIN` (requires authentication)
- **Uptime Kuma**: `https://uptime.gate.YOUR_DOMAIN` (requires authentication)
## Default Credentials
**⚠️ CHANGE THESE IMMEDIATELY!**
- **Username**: `admin`
- **Password**: `authelia`
## Configuration Files
### `authelia/configuration.yml`
Main Authelia configuration with:
- Server settings
- Authentication backend (file-based by default)
- Access control rules
- Session configuration
- TOTP/WebAuthn settings
### `authelia/users_database.yml`
User database when using file-based authentication:
- User credentials (hashed passwords)
- User groups
- Email addresses
- Display names
## Access Control Rules
The default configuration includes:
- **Bypass**: Authelia portal itself
- **Two-Factor**: Admin services (Traefik, Portainer) for `admins` group
- **One-Factor**: Other services for any authenticated user
### Example Rules
```yaml
access_control:
rules:
# Public access
- domain: 'public.gate.example.com'
policy: 'bypass'
# Admin-only with 2FA
- domain:
- 'traefik.gate.example.com'
- 'portainer.gate.example.com'
policy: 'two_factor'
subject:
- 'group:admins'
# Authenticated users
- domain: '*.gate.example.com'
policy: 'one_factor'
```
## Adding New Protected Services
To protect a new service with Authelia:
1. Add the service to your `docker-compose.yml`
2. Add the Authelia middleware to the service labels:
```yaml
labels:
- traefik.http.routers.myservice.middlewares=authelia,security-headers
```
## SMTP Configuration
For email notifications (password reset, 2FA setup), configure SMTP in `configuration.yml`:
```yaml
notifier:
smtp:
address: 'smtp://smtp.gmail.com:587'
username: 'your-email@gmail.com'
password: 'your-app-password'
sender: 'Authelia <noreply@your-domain.com>'
```
## Troubleshooting
### Common Issues
1. **"middleware authelia@docker not found"**
- Ensure Authelia container is running
- Check that middleware is defined in Authelia labels
2. **Login page not loading**
- Verify DNS resolves to your server
- Check SSL certificate is valid
- Ensure Authelia container is healthy
3. **Authentication fails**
- Check user exists in `users_database.yml`
- Verify password hash is correct
- Check Authelia logs: `docker-compose logs authelia`
### Logs
Check Authelia logs:
```bash
docker-compose logs -f authelia
```
Check Traefik logs:
```bash
docker-compose logs -f traefik
```
## Security Considerations
1. **Change Default Passwords**: Update all default credentials immediately
2. **Use Strong Secrets**: Generate cryptographically secure JWT and session secrets
3. **Enable 2FA**: Configure TOTP or WebAuthn for sensitive services
4. **Regular Updates**: Keep Authelia and other containers updated
5. **Monitor Logs**: Regularly review authentication logs
6. **Backup Configuration**: Keep secure backups of your configuration files
## Advanced Configuration
### LDAP Integration
To use LDAP instead of file-based authentication, update `configuration.yml`:
```yaml
authentication_backend:
ldap:
implementation: 'custom'
address: 'ldap://your-ldap-server:389'
base_dn: 'dc=example,dc=com'
# ... additional LDAP settings
```
### External Database
To use PostgreSQL or MySQL instead of SQLite:
```yaml
storage:
postgres:
address: 'tcp://postgres:5432'
database: 'authelia'
username: 'authelia'
password: 'your-password'
```
### OIDC Provider
To use Authelia as an OIDC provider for other applications:
```yaml
identity_providers:
oidc:
hmac_secret: 'your-hmac-secret'
issuer_private_key: |
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
clients:
- id: 'myapp'
secret: 'hashed-client-secret'
redirect_uris:
- 'https://myapp.example.com/callback'
```
## Support
- [Authelia Documentation](https://www.authelia.com/)
- [Traefik Integration Guide](https://www.authelia.com/integration/proxies/traefik/)
- [Community Discord](https://discord.gg/authelia)

103
authelia/configuration.yml
View File

@@ -1,103 +0,0 @@
---
# Minimal validated Authelia configuration
server:
address: 'tcp://:9091'
endpoints:
authz:
forward-auth:
implementation: 'ForwardAuth'
log:
level: 'info'
format: 'text'
theme: 'light'
identity_validation:
reset_password:
jwt_secret: '${AUTHELIA_JWT_SECRET}'
totp:
disable_reuse_security_policy: false
issuer: 'Authelia'
algorithm: 'sha1'
digits: 6
period: 30
skew: 1
secret_size: 32
webauthn:
disable: false
display_name: 'Authelia'
attestation_conveyance_preference: 'indirect'
selection_criteria:
user_verification: 'preferred'
timeout: '60s'
authentication_backend:
password_reset:
disable: false
custom_url: ''
refresh_interval: '5m'
file:
path: '/config/users_database.yml'
watch: false
search:
email: false
case_insensitive: false
password:
algorithm: 'argon2'
argon2:
variant: 'argon2id'
iterations: 3
memory: 65536
parallelism: 4
key_length: 32
salt_length: 16
access_control:
default_policy: 'two_factor'
networks:
- name: 'internal'
networks:
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
rules:
- domain: 'auth.gate.3launchpad.com'
policy: 'bypass'
- domain:
- 'traefik.gate.3launchpad.com'
- 'portainer.gate.3launchpad.com'
policy: 'two_factor'
subject:
- 'group:admins'
- domain: '*.gate.3launchpad.com'
policy: 'one_factor'
session:
name: 'authelia_session'
secret: '${AUTHELIA_SESSION_SECRET}'
expiration: 1h
inactivity: 5m
remember_me: 1M
cookies:
- domain: 'gate.3launchpad.com'
authelia_url: 'https://auth.gate.3launchpad.com'
default_redirection_url: 'https://gate.3launchpad.com'
regulation:
max_retries: 3
find_time: '2m'
ban_time: '5m'
storage:
encryption_key: '${AUTHELIA_STORAGE_ENCRYPTION_KEY}'
local:
path: '/config/db.sqlite3'
notifier:
disable_startup_check: false
filesystem:
filename: '/config/notification.txt'

33
authelia/users_database.yml
View File

@@ -1,33 +0,0 @@
---
# Users Database
# This file can be used if you do not have an LDAP set up.
users:
# User: admin
# Password: authelia (this is the default, CHANGE IT!)
# Groups: admins, dev
admin:
disabled: false
displayname: "Administrator"
password: "$argon2id$v=19$m=65536,t=3,p=4$2SnGOL1xXgWpTNOWBQlzow$UOUhz5sJXvQY3G2u/Af0Q4v/xK+RMJ5oCQ5nJaI3u0I"
email: admin@example.com
groups:
- admins
- dev
# User: user
# Password: password (CHANGE THIS!)
# Groups: dev
user:
disabled: false
displayname: "Regular User"
password: "$argon2id$v=19$m=65536,t=3,p=4$2SnGOL1xXgWpTNOWBQlzow$eYGKYBDNGQOBJBj7ExFVSSUzEbqJpJp8GlJ2X5QbO0I"
email: user@example.com
groups:
- dev
# To generate password hashes, you can use:
# docker run --rm authelia/authelia:latest authelia crypto hash generate --help
#
# Example:
# docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'your-password-here'

46
docker-compose.yml
View File

@@ -4,8 +4,6 @@
networks:
traefik_proxy:
name: traefik_proxy
internal:
name: internal
volumes:
traefik_letsencrypt:
@@ -80,12 +78,15 @@ services:
- traefik.http.middlewares.security-headers.headers.referrerPolicy=no-referrer-when-downgrade
- traefik.http.middlewares.security-headers.headers.frameDeny=true
# Basic Auth middleware
- traefik.http.middlewares.basic-auth.basicauth.users=${BASIC_AUTH_USERS}
# Traefik dashboard (protected)
- traefik.http.routers.traefik.rule=Host(`traefik.gate.${DOMAIN}`)
- traefik.http.routers.traefik.entrypoints=websecure
- traefik.http.routers.traefik.tls.certresolver=le
- traefik.http.routers.traefik.service=api@internal
- traefik.http.routers.traefik.middlewares=security-headers
- traefik.http.routers.traefik.middlewares=basic-auth,security-headers
## ─────────────────────────────────────────────
## Portainer — Docker control plane
@@ -103,44 +104,9 @@ services:
- traefik.http.routers.portainer.rule=Host(`portainer.gate.${DOMAIN}`)
- traefik.http.routers.portainer.entrypoints=websecure
- traefik.http.routers.portainer.tls.certresolver=le
- traefik.http.routers.portainer.middlewares=authelia,security-headers
- traefik.http.routers.portainer.middlewares=basic-auth,security-headers
- traefik.http.services.portainer.loadbalancer.server.port=9000
## ─────────────────────────────────────────────
## Authelia — authentication and authorization
## ─────────────────────────────────────────────
authelia:
image: authelia/authelia:latest
container_name: authelia
restart: unless-stopped
networks: [traefik_proxy, internal]
volumes:
- ./authelia:/config
environment:
TZ: "${TZ}"
AUTHELIA_JWT_SECRET: "${AUTHELIA_JWT_SECRET}"
AUTHELIA_SESSION_SECRET: "${AUTHELIA_SESSION_SECRET}"
AUTHELIA_STORAGE_ENCRYPTION_KEY: "${AUTHELIA_STORAGE_ENCRYPTION_KEY}"
DOMAIN: "${DOMAIN}"
healthcheck:
test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:9091/api/health || exit 1"]
interval: 30s
timeout: 10s
retries: 5
start_period: 60s
labels:
- traefik.enable=true
- traefik.http.routers.authelia.rule=Host(`auth.gate.${DOMAIN}`)
- traefik.http.routers.authelia.entrypoints=websecure
- traefik.http.routers.authelia.tls.certresolver=le
- traefik.http.routers.authelia.middlewares=security-headers
- traefik.http.services.authelia.loadbalancer.server.port=9091
# ForwardAuth middleware for protecting other services
- traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth
- traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
- traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Email,Remote-Name
## ─────────────────────────────────────────────
## Uptime Kuma — status page / checks
## ─────────────────────────────────────────────
@@ -156,5 +122,5 @@ services:
- traefik.http.routers.kuma.rule=Host(`uptime.gate.${DOMAIN}`)
- traefik.http.routers.kuma.entrypoints=websecure
- traefik.http.routers.kuma.tls.certresolver=le
- traefik.http.routers.kuma.middlewares=authelia,security-headers
- traefik.http.routers.kuma.middlewares=basic-auth,security-headers
- traefik.http.services.kuma.loadbalancer.server.port=3001