From 97f5ec4fbccbf133f28bff99a4e2432167a5f8b2 Mon Sep 17 00:00:00 2001 From: Mohmmed Elfateh Sabry <59346303+elfateh4@users.noreply.github.com> Date: Mon, 11 Aug 2025 15:51:13 +0300 Subject: [PATCH] Remove Authelia configuration and related files; add Basic Authentication setup in Traefik --- .env.example | 17 +-- .github/workflows/deploy.yml | 16 +-- authelia/README.md | 237 ----------------------------------- authelia/configuration.yml | 103 --------------- authelia/users_database.yml | 33 ----- docker-compose.yml | 46 +------ 6 files changed, 14 insertions(+), 438 deletions(-) delete mode 100644 authelia/README.md delete mode 100644 authelia/configuration.yml delete mode 100644 authelia/users_database.yml diff --git a/.env.example b/.env.example index 3984f3f..b54daaa 100644 --- a/.env.example +++ b/.env.example @@ -9,18 +9,11 @@ TZ=Your/Timezone # Your email address for Let's Encrypt certificate notifications ACME_EMAIL=admin@your-domain.com -## Authelia Configuration -# Generate with: openssl rand -hex 32 -AUTHELIA_JWT_SECRET=your_jwt_secret_here_at_least_32_chars_generate_this -AUTHELIA_SESSION_SECRET=your_session_secret_here_at_least_32_chars_generate_this -AUTHELIA_STORAGE_ENCRYPTION_KEY=your_storage_encryption_key_32+_chars - -# SMTP Configuration for Authelia (optional) -AUTHELIA_SMTP_HOST=smtp.gmail.com -AUTHELIA_SMTP_PORT=587 -AUTHELIA_SMTP_USER=your_email@gmail.com -AUTHELIA_SMTP_PASS=your_app_password -AUTHELIA_SMTP_FROM=Authelia +## Basic Authentication +# Generate password hash with: echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g +# Or use online generator: https://hostingcanada.org/htpasswd-generator/ +# Format: username:$$2y$$10$$hashed_password +BASIC_AUTH_USERS=admin:$$2y$$05$$HIIpotyLuLRMBX3sfUs6E.YM3lP9cpF7hK7sHaSXGs6mw/RS6MXCa ## Umami (PostgreSQL) # Database user for Umami analytics diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index a91e4ae..769b640 100644 --- a/.github/workflows/deploy.yml 
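Review bot: The committed example value `admin:$$2y$$05$$HIIpot…` is a syntactically valid bcrypt credential (cost 05) whose plaintext is not documented here, while the comment directly above documents `$$2y$$10$$`; anyone who copies `.env.example` to `.env` without replacing it ships a live admin login for the dashboard and Portainer with a password they do not control. Replace it with a placeholder that cannot authenticate and raise the cost in the instructions, e.g. `# Generate with: htpasswd -nBC 10 user | sed -e 's/\$/\$\$/g'` and `BASIC_AUTH_USERS=admin:REPLACE_WITH_GENERATED_HASH`. Drop the `# Or use online generator: https://hostingcanada.org/htpasswd-generator/` line — typing the real admin password into a third-party site defeats the point of hashing it locally. Whether `$$` is collapsed to a single `$` before the value reaches Traefik depends on the Compose version's `.env` interpolation rules; confirm with `docker compose config` that the rendered label holds a hash Traefik will match, because a mismatch fails silently as a 401 on every login attempt.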
+++ b/.github/workflows/deploy.yml @@ -6,7 +6,6 @@ on: branches: [ "main" ] paths: - "docker-compose.yml" - - "authelia/**" - ".github/workflows/deploy.yml" workflow_dispatch: @@ -80,6 +79,9 @@ jobs: # --- ACME / Let's Encrypt (email only) --- ACME_EMAIL=${{ secrets.ACME_EMAIL }} + # --- Basic Authentication --- + BASIC_AUTH_USERS=${{ secrets.BASIC_AUTH_USERS }} + # --- Namecheap DNS API --- NAMECHEAP_API_USER=${{ secrets.NAMECHEAP_API_USER }} NAMECHEAP_API_KEY=${{ secrets.NAMECHEAP_API_KEY }} @@ -96,17 +98,6 @@ jobs: # --- Grafana --- GRAFANA_ADMIN_USER=${{ secrets.GRAFANA_ADMIN_USER }} GRAFANA_ADMIN_PASS=${{ secrets.GRAFANA_ADMIN_PASS }} - - # --- Authelia --- - AUTHELIA_JWT_SECRET=${{ secrets.AUTHELIA_JWT_SECRET }} - AUTHELIA_SESSION_SECRET=${{ secrets.AUTHELIA_SESSION_SECRET }} - AUTHELIA_STORAGE_ENCRYPTION_KEY=${{ secrets.AUTHELIA_STORAGE_ENCRYPTION_KEY }} - # (Optional SMTP if configured) - AUTHELIA_SMTP_HOST=${{ secrets.AUTHELIA_SMTP_HOST }} - AUTHELIA_SMTP_PORT=${{ secrets.AUTHELIA_SMTP_PORT }} - AUTHELIA_SMTP_USER=${{ secrets.AUTHELIA_SMTP_USER }} - AUTHELIA_SMTP_PASS=${{ secrets.AUTHELIA_SMTP_PASS }} - AUTHELIA_SMTP_FROM=${{ secrets.AUTHELIA_SMTP_FROM }} ENVVARS EOF @@ -142,7 +133,6 @@ jobs: echo "Traefik: https://traefik.gate.${{ secrets.DOMAIN }}" echo "Portainer: https://portainer.gate.${{ secrets.DOMAIN }}" echo "Uptime Kuma: https://uptime.gate.${{ secrets.DOMAIN }}" - echo "Authelia: https://auth.gate.${{ secrets.DOMAIN }}" echo "Grafana: https://grafana.gate.${{ secrets.DOMAIN }}" echo "Prometheus: https://prometheus.gate.${{ secrets.DOMAIN }}" echo "Umami: https://umami.gate.${{ secrets.DOMAIN }}" diff --git a/authelia/README.md b/authelia/README.md deleted file mode 100644 index 461a1c8..0000000 --- a/authelia/README.md +++ /dev/null 
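Review bot: `BASIC_AUTH_USERS=${{ secrets.BASIC_AUTH_USERS }}` pastes a bcrypt string full of `$` characters into the env file through the `ENVVARS` heredoc; the `cat <<` line that opens that heredoc is outside this hunk, and if its delimiter is unquoted the shell expands fragments such as `$2y` and `$05` and the hash silently becomes unmatchable. Either quote the delimiter (`<<'ENVVARS'`) or require the secret to be stored already `$$`-escaped, and say which in a comment next to the new line, e.g. `# bcrypt hash, stored with every $ doubled to $$ so Compose interpolation restores it`. A one-line note that this secret holds a hash rather than a password would also stop someone rotating it by pasting a plaintext value into the repository secret.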
@@ -1,237 +0,0 @@ -# Authelia Setup Guide - -This guide walks you through setting up Authelia authentication for your Launchpad Gateway. - -## Overview - -Authelia provides: -- 🔐 **Single Sign-On (SSO)** for all your services -- 🛡️ **Two-Factor Authentication (2FA)** with TOTP/WebAuthn -- 🌐 **Forward Authentication** integration with Traefik -- 👥 **User Management** with file-based or LDAP backends -- 📧 **Email Notifications** for password resets and 2FA setup - -## Quick Start - -### 1. Run the Setup Script - -**Windows (PowerShell):** -```powershell -.\setup-authelia.ps1 -``` - -**Linux/macOS (Bash):** -```bash -chmod +x setup-authelia.sh -./setup-authelia.sh -``` - -### 2. Configure Your Environment - -Edit `.env` file with your actual values: -```env -DOMAIN=your-domain.com -TZ=America/New_York -ACME_EMAIL=admin@your-domain.com -AUTHELIA_JWT_SECRET=your_generated_jwt_secret -AUTHELIA_SESSION_SECRET=your_generated_session_secret -``` - -### 3. Update Authelia Configuration - -Edit `authelia/configuration.yml`: -- Replace all instances of `example.com` with your actual domain -- Update SMTP settings if you want email notifications -- Adjust access control rules as needed - -### 4. Set Up Users - -Edit `authelia/users_database.yml`: -- Change the default password for `admin` user -- Add your own users -- Generate password hashes using: - ```bash - docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'your-password' - ``` - -### 5. 
Start Services - -```bash -docker-compose up -d -``` - -## Access URLs - -After setup, your services will be available at: -- **Authelia Portal**: `https://auth.gate.YOUR_DOMAIN` -- **Traefik Dashboard**: `https://traefik.gate.YOUR_DOMAIN` (requires authentication) -- **Portainer**: `https://portainer.gate.YOUR_DOMAIN` (requires authentication) -- **Uptime Kuma**: `https://uptime.gate.YOUR_DOMAIN` (requires authentication) - -## Default Credentials - -**⚠️ CHANGE THESE IMMEDIATELY!** -- **Username**: `admin` -- **Password**: `authelia` - -## Configuration Files - -### `authelia/configuration.yml` -Main Authelia configuration with: -- Server settings -- Authentication backend (file-based by default) -- Access control rules -- Session configuration -- TOTP/WebAuthn settings - -### `authelia/users_database.yml` -User database when using file-based authentication: -- User credentials (hashed passwords) -- User groups -- Email addresses -- Display names - -## Access Control Rules - -The default configuration includes: -- **Bypass**: Authelia portal itself -- **Two-Factor**: Admin services (Traefik, Portainer) for `admins` group -- **One-Factor**: Other services for any authenticated user - -### Example Rules - -```yaml -access_control: - rules: - # Public access - - domain: 'public.gate.example.com' - policy: 'bypass' - - # Admin-only with 2FA - - domain: - - 'traefik.gate.example.com' - - 'portainer.gate.example.com' - policy: 'two_factor' - subject: - - 'group:admins' - - # Authenticated users - - domain: '*.gate.example.com' - policy: 'one_factor' -``` - -## Adding New Protected Services - -To protect a new service with Authelia: - -1. Add the service to your `docker-compose.yml` -2. 
Add the Authelia middleware to the service labels: - ```yaml - labels: - - traefik.http.routers.myservice.middlewares=authelia,security-headers - ``` - -## SMTP Configuration - -For email notifications (password reset, 2FA setup), configure SMTP in `configuration.yml`: - -```yaml -notifier: - smtp: - address: 'smtp://smtp.gmail.com:587' - username: 'your-email@gmail.com' - password: 'your-app-password' - sender: 'Authelia ' -``` - -## Troubleshooting - -### Common Issues - -1. **"middleware authelia@docker not found"** - - Ensure Authelia container is running - - Check that middleware is defined in Authelia labels - -2. **Login page not loading** - - Verify DNS resolves to your server - - Check SSL certificate is valid - - Ensure Authelia container is healthy - -3. **Authentication fails** - - Check user exists in `users_database.yml` - - Verify password hash is correct - - Check Authelia logs: `docker-compose logs authelia` - -### Logs - -Check Authelia logs: -```bash -docker-compose logs -f authelia -``` - -Check Traefik logs: -```bash -docker-compose logs -f traefik -``` - -## Security Considerations - -1. **Change Default Passwords**: Update all default credentials immediately -2. **Use Strong Secrets**: Generate cryptographically secure JWT and session secrets -3. **Enable 2FA**: Configure TOTP or WebAuthn for sensitive services -4. **Regular Updates**: Keep Authelia and other containers updated -5. **Monitor Logs**: Regularly review authentication logs -6. **Backup Configuration**: Keep secure backups of your configuration files - -## Advanced Configuration - -### LDAP Integration - -To use LDAP instead of file-based authentication, update `configuration.yml`: - -```yaml -authentication_backend: - ldap: - implementation: 'custom' - address: 'ldap://your-ldap-server:389' - base_dn: 'dc=example,dc=com' - # ... 
additional LDAP settings -``` - -### External Database - -To use PostgreSQL or MySQL instead of SQLite: - -```yaml -storage: - postgres: - address: 'tcp://postgres:5432' - database: 'authelia' - username: 'authelia' - password: 'your-password' -``` - -### OIDC Provider - -To use Authelia as an OIDC provider for other applications: - -```yaml -identity_providers: - oidc: - hmac_secret: 'your-hmac-secret' - issuer_private_key: | - -----BEGIN RSA PRIVATE KEY----- - ... - -----END RSA PRIVATE KEY----- - clients: - - id: 'myapp' - secret: 'hashed-client-secret' - redirect_uris: - - 'https://myapp.example.com/callback' -``` - -## Support - -- [Authelia Documentation](https://www.authelia.com/) -- [Traefik Integration Guide](https://www.authelia.com/integration/proxies/traefik/) -- [Community Discord](https://discord.gg/authelia) diff --git a/authelia/configuration.yml b/authelia/configuration.yml deleted file mode 100644 index 2d62617..0000000 --- a/authelia/configuration.yml +++ /dev/null 
@@ -1,103 +0,0 @@ ---- -# Minimal validated Authelia configuration - -server: - address: 'tcp://:9091' - endpoints: - authz: - forward-auth: - implementation: 'ForwardAuth' - -log: - level: 'info' - format: 'text' - -theme: 'light' - -identity_validation: - reset_password: - jwt_secret: '${AUTHELIA_JWT_SECRET}' - -totp: - disable_reuse_security_policy: false - issuer: 'Authelia' - algorithm: 'sha1' - digits: 6 - period: 30 - skew: 1 - secret_size: 32 - -webauthn: - disable: false - display_name: 'Authelia' - attestation_conveyance_preference: 'indirect' - selection_criteria: - user_verification: 'preferred' - timeout: '60s' - -authentication_backend: - password_reset: - disable: false - custom_url: '' - refresh_interval: '5m' - file: - path: '/config/users_database.yml' - watch: false - search: - email: false - case_insensitive: false - password: - algorithm: 'argon2' - argon2: - variant: 'argon2id' - iterations: 3 - memory: 65536 - parallelism: 4 - key_length: 32 - salt_length: 16 - -access_control: - default_policy: 'two_factor' - networks: - - name: 'internal' - networks: - - '10.0.0.0/8' - - '172.16.0.0/12' - - '192.168.0.0/16' - rules: - - domain: 'auth.gate.3launchpad.com' - policy: 'bypass' - - domain: - - 'traefik.gate.3launchpad.com' - - 'portainer.gate.3launchpad.com' - policy: 'two_factor' - subject: - - 'group:admins' - - domain: '*.gate.3launchpad.com' - policy: 'one_factor' - -session: - name: 'authelia_session' - secret: '${AUTHELIA_SESSION_SECRET}' - expiration: 1h - inactivity: 5m - remember_me: 1M - cookies: - - domain: 'gate.3launchpad.com' - authelia_url: 'https://auth.gate.3launchpad.com' - default_redirection_url: 'https://gate.3launchpad.com' - -regulation: - max_retries: 3 - find_time: '2m' - ban_time: '5m' - -storage: - encryption_key: '${AUTHELIA_STORAGE_ENCRYPTION_KEY}' - local: - path: '/config/db.sqlite3' - -notifier: - disable_startup_check: false - filesystem: - filename: '/config/notification.txt' 
diff --git a/authelia/users_database.yml b/authelia/users_database.yml deleted file mode 100644 index 33bdf4e..0000000 --- a/authelia/users_database.yml +++ /dev/null @@ -1,33 +0,0 @@ ---- -# Users Database -# This file can be used if you do not have an LDAP set up. - -users: - # User: admin - # Password: authelia (this is the default, CHANGE IT!) - # Groups: admins, dev - admin: - disabled: false - displayname: "Administrator" - password: "$argon2id$v=19$m=65536,t=3,p=4$2SnGOL1xXgWpTNOWBQlzow$UOUhz5sJXvQY3G2u/Af0Q4v/xK+RMJ5oCQ5nJaI3u0I" - email: admin@example.com - groups: - - admins - - dev - - # User: user - # Password: password (CHANGE THIS!) - # Groups: dev - user: - disabled: false - displayname: "Regular User" - password: "$argon2id$v=19$m=65536,t=3,p=4$2SnGOL1xXgWpTNOWBQlzow$eYGKYBDNGQOBJBj7ExFVSSUzEbqJpJp8GlJ2X5QbO0I" - email: user@example.com - groups: - - dev - -# To generate password hashes, you can use: -# docker run --rm authelia/authelia:latest authelia crypto hash generate --help -# -# Example: -# docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'your-password-here' diff --git a/docker-compose.yml b/docker-compose.yml index 676eb12..d7d4a52 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -4,8 +4,6 @@ networks: traefik_proxy: name: traefik_proxy - internal: - name: internal volumes: traefik_letsencrypt: 
@@ -80,12 +78,15 @@ services: - traefik.http.middlewares.security-headers.headers.referrerPolicy=no-referrer-when-downgrade - traefik.http.middlewares.security-headers.headers.frameDeny=true + # Basic Auth middleware + - traefik.http.middlewares.basic-auth.basicauth.users=${BASIC_AUTH_USERS} + # Traefik dashboard (protected) - traefik.http.routers.traefik.rule=Host(`traefik.gate.${DOMAIN}`) - traefik.http.routers.traefik.entrypoints=websecure - traefik.http.routers.traefik.tls.certresolver=le - traefik.http.routers.traefik.service=api@internal - - traefik.http.routers.traefik.middlewares=security-headers + - traefik.http.routers.traefik.middlewares=basic-auth,security-headers ## ───────────────────────────────────────────── ## Portainer — Docker control plane 
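Review bot: The new `basic-auth` middleware replaces Authelia's `regulation` block (max_retries/ban_time) and its two-factor policy with nothing equivalent — Traefik's basicauth has no lockout, so the dashboard router on the public `websecure` entrypoint now accepts unlimited password guesses against a single shared credential. Chain a per-source rate limit ahead of it, e.g. `- traefik.http.middlewares.auth-ratelimit.ratelimit.average=5`, `- traefik.http.middlewares.auth-ratelimit.ratelimit.burst=10` and `- traefik.http.routers.traefik.middlewares=auth-ratelimit,basic-auth,security-headers`, and record the deliberate loss of a second factor on the control plane in a comment above the middleware. Defining the users inline in a label also makes the hash readable through `docker inspect` and the dashboard's middleware view; if that matters here, `basicauth.usersFile` pointing at a mounted file keeps it out of container metadata.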
@@ -103,44 +104,9 @@ services: - traefik.http.routers.portainer.rule=Host(`portainer.gate.${DOMAIN}`) - traefik.http.routers.portainer.entrypoints=websecure - traefik.http.routers.portainer.tls.certresolver=le - - traefik.http.routers.portainer.middlewares=authelia,security-headers + - traefik.http.routers.portainer.middlewares=basic-auth,security-headers - traefik.http.services.portainer.loadbalancer.server.port=9000 - ## ───────────────────────────────────────────── - ## Authelia — authentication and authorization - ## ───────────────────────────────────────────── - authelia: - image: authelia/authelia:latest - container_name: authelia - restart: unless-stopped - networks: [traefik_proxy, internal] - volumes: - - ./authelia:/config - environment: - TZ: "${TZ}" - AUTHELIA_JWT_SECRET: "${AUTHELIA_JWT_SECRET}" - AUTHELIA_SESSION_SECRET: "${AUTHELIA_SESSION_SECRET}" - AUTHELIA_STORAGE_ENCRYPTION_KEY: "${AUTHELIA_STORAGE_ENCRYPTION_KEY}" - DOMAIN: "${DOMAIN}" - healthcheck: - test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:9091/api/health || exit 1"] - interval: 30s - timeout: 10s - retries: 5 - start_period: 60s - labels: - - traefik.enable=true - - traefik.http.routers.authelia.rule=Host(`auth.gate.${DOMAIN}`) - - traefik.http.routers.authelia.entrypoints=websecure - - traefik.http.routers.authelia.tls.certresolver=le - - traefik.http.routers.authelia.middlewares=security-headers - - traefik.http.services.authelia.loadbalancer.server.port=9091 - - # ForwardAuth middleware for protecting other services - - traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth - - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true - - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Email,Remote-Name - ## ───────────────────────────────────────────── ## Uptime Kuma — status page / checks ## ───────────────────────────────────────────── 
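Review bot: Portainer's web UI sends its own `Authorization: Bearer …` header on API calls, and a script-set `Authorization` header replaces the browser's cached Basic credentials on those requests, so `basic-auth` in front of the `portainer` router is likely to answer 401 to the UI after the login page — verify the console works end-to-end before merging rather than assuming the middleware is transparent. If it does not, Portainer needs a router without `basic-auth` (its own login plus a Traefik `ratelimit` middleware, or an IP allowlist) instead of this chain. Portainer presumably still mounts the Docker socket, so with Authelia gone the host's root-equivalent control plane sits behind one single-factor shared credential; say so above the router, e.g. `# Basic Auth is the only gate on root-equivalent Docker access — rotate BASIC_AUTH_USERS if any service behind it is compromised`.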
@@ -156,5 +122,5 @@ services: - traefik.http.routers.kuma.rule=Host(`uptime.gate.${DOMAIN}`) - traefik.http.routers.kuma.entrypoints=websecure - traefik.http.routers.kuma.tls.certresolver=le - - traefik.http.routers.kuma.middlewares=authelia,security-headers + - traefik.http.routers.kuma.middlewares=basic-auth,security-headers - traefik.http.services.kuma.loadbalancer.server.port=3001
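Review bot: Uptime Kuma serves its public status pages from the same host as the admin UI, so placing `basic-auth` on the whole `kuma` router also hides those pages behind the shared admin credential, and anyone handed that credential to view a status page now also holds the Traefik dashboard and Portainer login. If public status pages are wanted, add a second router for the status paths with only `security-headers` (the page also loads assets and `/api/status-page/...` endpoints, so check the exact paths before splitting); otherwise document the intent next to the line: `# basic-auth also blocks Kuma's public status pages — intentional`.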