Remove Authelia configuration and related files; add Basic Authentication setup in Traefik

2025-08-11 15:51:13 +03:00
parent 91ca7bfdc7
commit 97f5ec4fbc
6 changed files with 14 additions and 438 deletions
--- a/.env.example
+++ b/.env.example
@@ -9,18 +9,11 @@ TZ=Your/Timezone
 # Your email address for Let's Encrypt certificate notifications
 ACME_EMAIL=admin@your-domain.com
-## Authelia Configuration
+## Basic Authentication
-# Generate with: openssl rand -hex 32
+# Generate password hash with: echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
-AUTHELIA_JWT_SECRET=your_jwt_secret_here_at_least_32_chars_generate_this
+# Or use online generator: https://hostingcanada.org/htpasswd-generator/
-AUTHELIA_SESSION_SECRET=your_session_secret_here_at_least_32_chars_generate_this
+# Format: username:$$2y$$10$$hashed_password
-AUTHELIA_STORAGE_ENCRYPTION_KEY=your_storage_encryption_key_32+_chars
+BASIC_AUTH_USERS=admin:$$2y$$05$$HIIpotyLuLRMBX3sfUs6E.YM3lP9cpF7hK7sHaSXGs6mw/RS6MXCa
 # SMTP Configuration for Authelia (optional)
 AUTHELIA_SMTP_HOST=smtp.gmail.com
 AUTHELIA_SMTP_PORT=587
 AUTHELIA_SMTP_USER=your_email@gmail.com
 AUTHELIA_SMTP_PASS=your_app_password
 AUTHELIA_SMTP_FROM=Authelia <noreply@your-domain.com>
 ## Umami (PostgreSQL)
 # Database user for Umami analytics
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -6,7 +6,6 @@ on:
    branches: [ "main" ]
    paths:
      - "docker-compose.yml"
      - "authelia/**"
      - ".github/workflows/deploy.yml"
  workflow_dispatch:
@@ -80,6 +79,9 @@ jobs:
          # --- ACME / Let's Encrypt (email only) ---
          ACME_EMAIL=${{ secrets.ACME_EMAIL }}
          # --- Basic Authentication ---
          BASIC_AUTH_USERS=${{ secrets.BASIC_AUTH_USERS }}
          # --- Namecheap DNS API ---
          NAMECHEAP_API_USER=${{ secrets.NAMECHEAP_API_USER }}
          NAMECHEAP_API_KEY=${{ secrets.NAMECHEAP_API_KEY }}
@@ -96,17 +98,6 @@ jobs:
          # --- Grafana ---
          GRAFANA_ADMIN_USER=${{ secrets.GRAFANA_ADMIN_USER }}
          GRAFANA_ADMIN_PASS=${{ secrets.GRAFANA_ADMIN_PASS }}
          # --- Authelia ---
          AUTHELIA_JWT_SECRET=${{ secrets.AUTHELIA_JWT_SECRET }}
          AUTHELIA_SESSION_SECRET=${{ secrets.AUTHELIA_SESSION_SECRET }}
          AUTHELIA_STORAGE_ENCRYPTION_KEY=${{ secrets.AUTHELIA_STORAGE_ENCRYPTION_KEY }}
          # (Optional SMTP if configured)
          AUTHELIA_SMTP_HOST=${{ secrets.AUTHELIA_SMTP_HOST }}
          AUTHELIA_SMTP_PORT=${{ secrets.AUTHELIA_SMTP_PORT }}
          AUTHELIA_SMTP_USER=${{ secrets.AUTHELIA_SMTP_USER }}
          AUTHELIA_SMTP_PASS=${{ secrets.AUTHELIA_SMTP_PASS }}
          AUTHELIA_SMTP_FROM=${{ secrets.AUTHELIA_SMTP_FROM }}
          ENVVARS
          EOF
@@ -142,7 +133,6 @@ jobs:
          echo "Traefik:       https://traefik.gate.${{ secrets.DOMAIN }}"
          echo "Portainer:     https://portainer.gate.${{ secrets.DOMAIN }}"
          echo "Uptime Kuma:   https://uptime.gate.${{ secrets.DOMAIN }}"
          echo "Authelia:      https://auth.gate.${{ secrets.DOMAIN }}"
          echo "Grafana:       https://grafana.gate.${{ secrets.DOMAIN }}"
          echo "Prometheus:    https://prometheus.gate.${{ secrets.DOMAIN }}"
          echo "Umami:         https://umami.gate.${{ secrets.DOMAIN }}"
--- a/authelia/README.md
+++ b/authelia/README.md
@@ -1,237 +0,0 @@
 # Authelia Setup Guide
 This guide walks you through setting up Authelia authentication for your Launchpad Gateway.
 ## Overview
 Authelia provides:
 - 🔐 **Single Sign-On (SSO)** for all your services
 - 🛡️ **Two-Factor Authentication (2FA)** with TOTP/WebAuthn
 - 🌐 **Forward Authentication** integration with Traefik
 - 👥 **User Management** with file-based or LDAP backends
 - 📧 **Email Notifications** for password resets and 2FA setup
 ## Quick Start
 ### 1. Run the Setup Script
 **Windows (PowerShell):**
 ```powershell
 .\setup-authelia.ps1
 ```
 **Linux/macOS (Bash):**
 ```bash
 chmod +x setup-authelia.sh
 ./setup-authelia.sh
 ```
 ### 2. Configure Your Environment
 Edit `.env` file with your actual values:
 ```env
 DOMAIN=your-domain.com
 TZ=America/New_York
 ACME_EMAIL=admin@your-domain.com
 AUTHELIA_JWT_SECRET=your_generated_jwt_secret
 AUTHELIA_SESSION_SECRET=your_generated_session_secret
 ```
 ### 3. Update Authelia Configuration
 Edit `authelia/configuration.yml`:
 - Replace all instances of `example.com` with your actual domain
 - Update SMTP settings if you want email notifications
 - Adjust access control rules as needed
 ### 4. Set Up Users
 Edit `authelia/users_database.yml`:
 - Change the default password for `admin` user
 - Add your own users
 - Generate password hashes using:
  ```bash
  docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'your-password'
  ```
 ### 5. Start Services
 ```bash
 docker-compose up -d
 ```
 ## Access URLs
 After setup, your services will be available at:
 - **Authelia Portal**: `https://auth.gate.YOUR_DOMAIN`
 - **Traefik Dashboard**: `https://traefik.gate.YOUR_DOMAIN` (requires authentication)
 - **Portainer**: `https://portainer.gate.YOUR_DOMAIN` (requires authentication)
 - **Uptime Kuma**: `https://uptime.gate.YOUR_DOMAIN` (requires authentication)
 ## Default Credentials
 **⚠️ CHANGE THESE IMMEDIATELY!**
 - **Username**: `admin`
 - **Password**: `authelia`
 ## Configuration Files
 ### `authelia/configuration.yml`
 Main Authelia configuration with:
 - Server settings
 - Authentication backend (file-based by default)
 - Access control rules
 - Session configuration
 - TOTP/WebAuthn settings
 ### `authelia/users_database.yml`
 User database when using file-based authentication:
 - User credentials (hashed passwords)
 - User groups
 - Email addresses
 - Display names
 ## Access Control Rules
 The default configuration includes:
 - **Bypass**: Authelia portal itself
 - **Two-Factor**: Admin services (Traefik, Portainer) for `admins` group
 - **One-Factor**: Other services for any authenticated user
 ### Example Rules
 ```yaml
 access_control:
  rules:
    # Public access
    - domain: 'public.gate.example.com'
      policy: 'bypass'
    # Admin-only with 2FA
    - domain: 
        - 'traefik.gate.example.com'
        - 'portainer.gate.example.com'
      policy: 'two_factor'
      subject:
        - 'group:admins'
    # Authenticated users
    - domain: '*.gate.example.com'
      policy: 'one_factor'
 ```
 ## Adding New Protected Services
 To protect a new service with Authelia:
 1. Add the service to your `docker-compose.yml`
 2. Add the Authelia middleware to the service labels:
   ```yaml
   labels:
     - traefik.http.routers.myservice.middlewares=authelia,security-headers
   ```
 ## SMTP Configuration
 For email notifications (password reset, 2FA setup), configure SMTP in `configuration.yml`:
 ```yaml
 notifier:
  smtp:
    address: 'smtp://smtp.gmail.com:587'
    username: 'your-email@gmail.com'
    password: 'your-app-password'
    sender: 'Authelia <noreply@your-domain.com>'
 ```
 ## Troubleshooting
 ### Common Issues
 1. **"middleware authelia@docker not found"**
   - Ensure Authelia container is running
   - Check that middleware is defined in Authelia labels
 2. **Login page not loading**
   - Verify DNS resolves to your server
   - Check SSL certificate is valid
   - Ensure Authelia container is healthy
 3. **Authentication fails**
   - Check user exists in `users_database.yml`
   - Verify password hash is correct
   - Check Authelia logs: `docker-compose logs authelia`
 ### Logs
 Check Authelia logs:
 ```bash
 docker-compose logs -f authelia
 ```
 Check Traefik logs:
 ```bash
 docker-compose logs -f traefik
 ```
 ## Security Considerations
 1. **Change Default Passwords**: Update all default credentials immediately
 2. **Use Strong Secrets**: Generate cryptographically secure JWT and session secrets
 3. **Enable 2FA**: Configure TOTP or WebAuthn for sensitive services
 4. **Regular Updates**: Keep Authelia and other containers updated
 5. **Monitor Logs**: Regularly review authentication logs
 6. **Backup Configuration**: Keep secure backups of your configuration files
 ## Advanced Configuration
 ### LDAP Integration
 To use LDAP instead of file-based authentication, update `configuration.yml`:
 ```yaml
 authentication_backend:
  ldap:
    implementation: 'custom'
    address: 'ldap://your-ldap-server:389'
    base_dn: 'dc=example,dc=com'
    # ... additional LDAP settings
 ```
 ### External Database
 To use PostgreSQL or MySQL instead of SQLite:
 ```yaml
 storage:
  postgres:
    address: 'tcp://postgres:5432'
    database: 'authelia'
    username: 'authelia'
    password: 'your-password'
 ```
 ### OIDC Provider
 To use Authelia as an OIDC provider for other applications:
 ```yaml
 identity_providers:
  oidc:
    hmac_secret: 'your-hmac-secret'
    issuer_private_key: |
      -----BEGIN RSA PRIVATE KEY-----
      ...
      -----END RSA PRIVATE KEY-----
    clients:
      - id: 'myapp'
        secret: 'hashed-client-secret'
        redirect_uris:
          - 'https://myapp.example.com/callback'
 ```
 ## Support
 - [Authelia Documentation](https://www.authelia.com/)
 - [Traefik Integration Guide](https://www.authelia.com/integration/proxies/traefik/)
 - [Community Discord](https://discord.gg/authelia)
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -1,103 +0,0 @@
 ---
 # Minimal validated Authelia configuration
 server:
  address: 'tcp://:9091'
  endpoints:
    authz:
      forward-auth:
        implementation: 'ForwardAuth'
 log:
  level: 'info'
  format: 'text'
 theme: 'light'
 identity_validation:
  reset_password:
    jwt_secret: '${AUTHELIA_JWT_SECRET}'
 totp:
  disable_reuse_security_policy: false
  issuer: 'Authelia'
  algorithm: 'sha1'
  digits: 6
  period: 30
  skew: 1
  secret_size: 32
 webauthn:
  disable: false
  display_name: 'Authelia'
  attestation_conveyance_preference: 'indirect'
  selection_criteria:
    user_verification: 'preferred'
  timeout: '60s'
 authentication_backend:
  password_reset:
    disable: false
    custom_url: ''
  refresh_interval: '5m'
  file:
    path: '/config/users_database.yml'
    watch: false
    search:
      email: false
      case_insensitive: false
    password:
      algorithm: 'argon2'
      argon2:
        variant: 'argon2id'
        iterations: 3
        memory: 65536
        parallelism: 4
        key_length: 32
        salt_length: 16
 access_control:
  default_policy: 'two_factor'
  networks:
    - name: 'internal'
      networks:
        - '10.0.0.0/8'
        - '172.16.0.0/12'
        - '192.168.0.0/16'
  rules:
    - domain: 'auth.gate.3launchpad.com'
      policy: 'bypass'
    - domain:
        - 'traefik.gate.3launchpad.com'
        - 'portainer.gate.3launchpad.com'
      policy: 'two_factor'
      subject:
        - 'group:admins'
    - domain: '*.gate.3launchpad.com'
      policy: 'one_factor'
 session:
  name: 'authelia_session'
  secret: '${AUTHELIA_SESSION_SECRET}'
  expiration: 1h
  inactivity: 5m
  remember_me: 1M
  cookies:
    - domain: 'gate.3launchpad.com'
      authelia_url: 'https://auth.gate.3launchpad.com'
      default_redirection_url: 'https://gate.3launchpad.com'
 regulation:
  max_retries: 3
  find_time: '2m'
  ban_time: '5m'
 storage:
  encryption_key: '${AUTHELIA_STORAGE_ENCRYPTION_KEY}'
  local:
    path: '/config/db.sqlite3'
 notifier:
  disable_startup_check: false
  filesystem:
    filename: '/config/notification.txt'
--- a/authelia/users_database.yml
+++ b/authelia/users_database.yml
@@ -1,33 +0,0 @@
 ---
 # Users Database
 # This file can be used if you do not have an LDAP set up.
 users:
  # User: admin
  # Password: authelia (this is the default, CHANGE IT!)
  # Groups: admins, dev
  admin:
    disabled: false
    displayname: "Administrator"
    password: "$argon2id$v=19$m=65536,t=3,p=4$2SnGOL1xXgWpTNOWBQlzow$UOUhz5sJXvQY3G2u/Af0Q4v/xK+RMJ5oCQ5nJaI3u0I"
    email: admin@example.com
    groups:
      - admins
      - dev
  # User: user
  # Password: password (CHANGE THIS!)
  # Groups: dev
  user:
    disabled: false
    displayname: "Regular User"
    password: "$argon2id$v=19$m=65536,t=3,p=4$2SnGOL1xXgWpTNOWBQlzow$eYGKYBDNGQOBJBj7ExFVSSUzEbqJpJp8GlJ2X5QbO0I"
    email: user@example.com
    groups:
      - dev
 # To generate password hashes, you can use:
 # docker run --rm authelia/authelia:latest authelia crypto hash generate --help
 # 
 # Example:
 # docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'your-password-here'
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -4,8 +4,6 @@
 networks:
  traefik_proxy:
    name: traefik_proxy
  internal:
    name: internal
 volumes:
  traefik_letsencrypt:
@@ -80,12 +78,15 @@ services:
      - traefik.http.middlewares.security-headers.headers.referrerPolicy=no-referrer-when-downgrade
      - traefik.http.middlewares.security-headers.headers.frameDeny=true
      # Basic Auth middleware
      - traefik.http.middlewares.basic-auth.basicauth.users=${BASIC_AUTH_USERS}
      # Traefik dashboard (protected)
      - traefik.http.routers.traefik.rule=Host(`traefik.gate.${DOMAIN}`)
      - traefik.http.routers.traefik.entrypoints=websecure
      - traefik.http.routers.traefik.tls.certresolver=le
      - traefik.http.routers.traefik.service=api@internal
-      - traefik.http.routers.traefik.middlewares=security-headers
+      - traefik.http.routers.traefik.middlewares=basic-auth,security-headers
  ## ─────────────────────────────────────────────
  ## Portainer — Docker control plane
@@ -103,44 +104,9 @@ services:
      - traefik.http.routers.portainer.rule=Host(`portainer.gate.${DOMAIN}`)
      - traefik.http.routers.portainer.entrypoints=websecure
      - traefik.http.routers.portainer.tls.certresolver=le
-      - traefik.http.routers.portainer.middlewares=authelia,security-headers
+      - traefik.http.routers.portainer.middlewares=basic-auth,security-headers
      - traefik.http.services.portainer.loadbalancer.server.port=9000
  ## ─────────────────────────────────────────────
  ## Authelia — authentication and authorization
  ## ─────────────────────────────────────────────
  authelia:
    image: authelia/authelia:latest
    container_name: authelia
    restart: unless-stopped
    networks: [traefik_proxy, internal]
    volumes:
      - ./authelia:/config
    environment:
      TZ: "${TZ}"
      AUTHELIA_JWT_SECRET: "${AUTHELIA_JWT_SECRET}"
      AUTHELIA_SESSION_SECRET: "${AUTHELIA_SESSION_SECRET}"
      AUTHELIA_STORAGE_ENCRYPTION_KEY: "${AUTHELIA_STORAGE_ENCRYPTION_KEY}"
      DOMAIN: "${DOMAIN}"
    healthcheck:
      test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:9091/api/health || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 5
      start_period: 60s
    labels:
      - traefik.enable=true
      - traefik.http.routers.authelia.rule=Host(`auth.gate.${DOMAIN}`)
      - traefik.http.routers.authelia.entrypoints=websecure
      - traefik.http.routers.authelia.tls.certresolver=le
      - traefik.http.routers.authelia.middlewares=security-headers
      - traefik.http.services.authelia.loadbalancer.server.port=9091
      # ForwardAuth middleware for protecting other services
      - traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth
      - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Email,Remote-Name
  ## ─────────────────────────────────────────────
  ## Uptime Kuma — status page / checks
  ## ─────────────────────────────────────────────
@@ -156,5 +122,5 @@ services:
      - traefik.http.routers.kuma.rule=Host(`uptime.gate.${DOMAIN}`)
      - traefik.http.routers.kuma.entrypoints=websecure
      - traefik.http.routers.kuma.tls.certresolver=le
-      - traefik.http.routers.kuma.middlewares=authelia,security-headers
+      - traefik.http.routers.kuma.middlewares=basic-auth,security-headers
      - traefik.http.services.kuma.loadbalancer.server.port=3001