diff --git a/authelia/configuration.yml b/authelia/configuration.yml
index 853588c..31d760f 100644
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -1,19 +1,19 @@
 # authelia/configuration.yml
-# Authelia v4 configuration for: auth.gate.3launchpad.com
-# Behind Traefik (forward-auth), Redis for sessions, SQLite storage.
-# ⚠️ Replace all "changeme_*" values or (better) override via env vars:
-# AUTHELIA_JWT_SECRET, AUTHELIA_SESSION_SECRET, AUTHELIA_STORAGE_ENCRYPTION_KEY
+# Authelia v4 for: auth.gate.3launchpad.com
+# Behind Traefik (forward-auth), Redis sessions, SQLite storage.
 
 #########################################################
 # Server & Logging
 #########################################################
 server:
- address: "tcp://0.0.0.0:9091" # Traefik talks to this
+ address: "tcp://0.0.0.0:9091"
 buffers:
 read: 4096
 write: 4096
+
 log:
 level: info
+
 theme: auto
 
 # Where to send users if they hit a protected resource without a Referer
@@ -22,8 +22,8 @@ default_redirection_url: "https://traefik.gate.3launchpad.com/"
 #########################################################
 # Secrets (use env vars in production)
 #########################################################
-# Prefer setting via Docker env:
-# AUTHELIA_JWT_SECRET, AUTHELIA_SESSION_SECRET, AUTHELIA_STORAGE_ENCRYPTION_KEY
+# Prefer env vars:
+# AUTHELIA_JWT_SECRET, AUTHELIA_SESSION_SECRET, AUTHELIA_STORAGE_ENCRYPTION_KEY
 jwt_secret: "changeme_jwt_secret"
 
 #########################################################
@@ -32,7 +32,6 @@ jwt_secret: "changeme_jwt_secret"
 authentication_backend:
 file:
 path: /config/users_database.yml
- # New hashes should be argon2id. Use: `authelia crypto hash generate argon2`
 password:
 algorithm: argon2id
 iterations: 3
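Review bot: The reworded comment above `jwt_secret: "changeme_jwt_secret"` in the Secrets hunk tells the operator to prefer env vars, yet the placeholder key stays in the file, and Authelia v4 refuses to start when the same secret is defined both in the configuration file and through its AUTHELIA_* env var, so the advice cannot be followed without also deleting this key. The first hunk meanwhile drops the only warning that every `changeme_*` value must be replaced, leaving a committed placeholder with nothing marking it as one. I would make the comment state the required action: `# Placeholder only. In production set AUTHELIA_JWT_SECRET and remove this key (a secret defined in both places is rejected at startup).` The same applies to `session.secret` and `storage.encryption_key` in the later hunks, whose override hints this commit also removes.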
@@ -42,17 +41,14 @@ authentication_backend:
 key_length: 32
 
 #########################################################
-# Access Control (who can access what)
+# Access Control
 #########################################################
 access_control:
 default_policy: deny
-
 rules:
- # Public status page
 - domain: "status.gate.3launchpad.com"
 policy: bypass
 
- # Admin-only, require 2FA
 - domain: "traefik.gate.3launchpad.com"
 subject: ["group:admins"]
 policy: two_factor
@@ -61,14 +57,12 @@ access_control:
 subject: ["group:admins"]
 policy: two_factor
 
- # Admin/Devs with 1FA for these tools
 - domain_regex: "(grafana|prometheus|umami)\\.gate\\.3launchpad\\.com"
 subject:
 - "group:admins"
 - "group:devs"
 policy: one_factor
 
- # Catch-all for any other subdomain under *.gate.3launchpad.com -> authenticated users
 - domain: "*.gate.3launchpad.com"
 subject:
 - "group:users"
@@ -81,17 +75,15 @@ access_control:
 #########################################################
 session:
 name: authelia_session
- domain: "gate.3launchpad.com" # cookie scope (covers *.gate.3launchpad.com)
- same_site: Lax
+ domain: "gate.3launchpad.com"
+ same_site: lax # <- fixed (was 'Lax')
 expiration: 1h
 inactivity: 30m
- remember_me_duration: 1M
- # secret can be overridden by env AUTHELIA_SESSION_SECRET
+ remember_me_duration: 1M # deprecated but auto-mapped; safe to keep
 secret: "changeme_session_secret"
 redis:
 host: redis
 port: 6379
- # tls: false
 
 #########################################################
 # Regulation (anti-bruteforce)
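Review bot: The inline comments added in the session hunk, `# <- fixed (was 'Lax')` and `# deprecated but auto-mapped; safe to keep`, record diff history rather than describe the configuration and will read as noise once merged; the first should simply be dropped. For the second, if the target release is one where `remember_me_duration` is deprecated (4.38 renamed it to `remember_me`, as far as I know), the cleaner fix is the current key, `remember_me: 1M`, instead of keeping the deprecated one with an apology. Separately, the `redis:` block still has no `password:` and, with the `# tls: false` hint removed, nothing records that session data appears to cross the container network unauthenticated and in the clear; a one-line comment stating that assumption, e.g. `# redis is reachable only on the compose network; no auth/TLS configured`, would help the next reader.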
@@ -105,48 +97,21 @@ regulation:
 # Storage (SQLite on persistent volume)
 #########################################################
 storage:
- encryption_key: "changeme_storage_key" # override via AUTHELIA_STORAGE_ENCRYPTION_KEY
+ encryption_key: "changeme_storage_key"
 local:
 path: /config/db.sqlite3
 
 #########################################################
-# Notifier (choose one)
+# Notifier
 #########################################################
-# For testing/dev: writes emails to a file
 notifier:
 filesystem:
 filename: /config/notification.txt
 
-# For production, comment the block above and use SMTP:
-# notifier:
-# smtp:
-# address: "smtp.gmail.com:587"
-# username: "no-reply@3launchpad.com"
-# # password via env: AUTHELIA_NOTIFIER_SMTP_PASSWORD
-# sender: "3Launchpad Auth "
-# subject: "[3Launchpad] {title}"
-# startup_check_address: "you@3launchpad.com"
-# disable_require_tls: false
-# tls:
-# server_name: "smtp.gmail.com"
-# skip_verify: false
-
 #########################################################
-# TOTP / Duo / WebAuthn (2FA)
+# 2FA: TOTP
 #########################################################
 totp:
 issuer: "3launchpad.com"
 period: 30
 skew: 1
-
-webauthn:
- disable: false
- timeout: 60s
- display_name: "3Launchpad Gateway"
- relying_party_id: "gate.3launchpad.com"
-
-# If you plan to use Duo Push in the future:
-# duo_api:
-# hostname: api-XXXXXXXX.duosecurity.com
-# integration_key: YOUR_IKEY
-# # secret_key via env: AUTHELIA_DUO_API_SECRET_KEY
diff --git a/crowdsec/config.yaml b/crowdsec/config.yaml
new file mode 100644
index 0000000..c48a4c2
--- /dev/null
+++ b/crowdsec/config.yaml
@@ -0,0 +1,4 @@
+# minimal override to expose LAPI to other containers
+api:
+ server:
+ listen_uri: 0.0.0.0:8080
diff --git a/docker-compose.yml b/docker-compose.yml
index c424b84..142dedd 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
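Review bot: Deleting the `webauthn:` block does not turn WebAuthn off: the removed block set `disable: false`, which is also Authelia's default, so after this hunk WebAuthn is still offered as a second factor, now with the default `display_name` and (I believe) a relying-party id derived from the session cookie domain instead of the explicit `"gate.3launchpad.com"`. The new header `# 2FA: TOTP` therefore states intent rather than behaviour; if TOTP-only is wanted, add `webauthn:` followed by `  disable: true`, otherwise keep the explicit `relying_party_id` so registered credentials stay bound to the intended domain. The hunk also removes the comment that marked the `filesystem` notifier as a dev/test option while keeping that notifier, so identity-verification and reset links now land in `/config/notification.txt` with nothing saying this is not a production setup; at minimum restore a comment such as `# dev/test only: verification links are written to this file, not emailed`.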
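Review bot: The new crowdsec/config.yaml calls itself a "minimal override", but the docker-compose hunk on the next physical line mounts it at `/etc/crowdsec/config.yaml:ro`, which is the container's main configuration path, so these four lines replace the entire shipped config (config paths, database settings and so on) rather than amend it, and a read-only mount there may also break an image entrypoint that edits that file. CrowdSec's partial-override mechanism is a `config.yaml.local` file beside the main one, so the mount should target `/etc/crowdsec/config.yaml.local:ro` (assuming the image version supports `.local` files). Binding the LAPI to `0.0.0.0:8080` is reasonable for reaching it from bouncer containers on the compose network, but neither hunk shows that port 8080 is not also published on the host, and the file does not say so. I would replace the header comment with `# LAPI override: listen on all container interfaces for bouncers on the compose network; do not publish 8080 on the host (bouncers still need an API key).`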
@@ -204,6 +204,7 @@ services:
 COLLECTIONS: "crowdsecurity/traefik crowdsecurity/linux"
 volumes:
 - crowdsec_data:/var/lib/crowdsec/data
+ - ./crowdsec/config.yaml:/etc/crowdsec/config.yaml:ro
 - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
 - traefik_logs:/var/log/traefik:ro
 networks: [traefik_proxy]