Add CrowdSec configuration and update docker-compose for integration

This commit is contained in:
Mohmmed Elfateh Sabry
2025-08-11 01:09:41 +03:00
parent fe90ceed2e
commit 9a39b12b11
3 changed files with 19 additions and 49 deletions


@@ -1,19 +1,19 @@
# authelia/configuration.yml # authelia/configuration.yml
# Authelia v4 configuration for: auth.gate.3launchpad.com # Authelia v4 for: auth.gate.3launchpad.com
# Behind Traefik (forward-auth), Redis for sessions, SQLite storage. # Behind Traefik (forward-auth), Redis sessions, SQLite storage.
# ⚠️ Replace all "changeme_*" values or (better) override via env vars:
# AUTHELIA_JWT_SECRET, AUTHELIA_SESSION_SECRET, AUTHELIA_STORAGE_ENCRYPTION_KEY
######################################################### #########################################################
# Server & Logging # Server & Logging
######################################################### #########################################################
server: server:
address: "tcp://0.0.0.0:9091" # Traefik talks to this address: "tcp://0.0.0.0:9091"
buffers: buffers:
read: 4096 read: 4096
write: 4096 write: 4096
log: log:
level: info level: info
theme: auto theme: auto
# Where to send users if they hit a protected resource without a Referer # Where to send users if they hit a protected resource without a Referer
@@ -22,7 +22,7 @@ default_redirection_url: "https://traefik.gate.3launchpad.com/"
######################################################### #########################################################
# Secrets (use env vars in production) # Secrets (use env vars in production)
######################################################### #########################################################
# Prefer setting via Docker env: # Prefer env vars:
# AUTHELIA_JWT_SECRET, AUTHELIA_SESSION_SECRET, AUTHELIA_STORAGE_ENCRYPTION_KEY # AUTHELIA_JWT_SECRET, AUTHELIA_SESSION_SECRET, AUTHELIA_STORAGE_ENCRYPTION_KEY
jwt_secret: "changeme_jwt_secret" jwt_secret: "changeme_jwt_secret"
@@ -32,7 +32,6 @@ jwt_secret: "changeme_jwt_secret"
authentication_backend: authentication_backend:
file: file:
path: /config/users_database.yml path: /config/users_database.yml
# New hashes should be argon2id. Use: `authelia crypto hash generate argon2`
password: password:
algorithm: argon2id algorithm: argon2id
iterations: 3 iterations: 3
@@ -42,17 +41,14 @@ authentication_backend:
key_length: 32 key_length: 32
######################################################### #########################################################
# Access Control (who can access what) # Access Control
######################################################### #########################################################
access_control: access_control:
default_policy: deny default_policy: deny
rules: rules:
# Public status page
- domain: "status.gate.3launchpad.com" - domain: "status.gate.3launchpad.com"
policy: bypass policy: bypass
# Admin-only, require 2FA
- domain: "traefik.gate.3launchpad.com" - domain: "traefik.gate.3launchpad.com"
subject: ["group:admins"] subject: ["group:admins"]
policy: two_factor policy: two_factor
@@ -61,14 +57,12 @@ access_control:
subject: ["group:admins"] subject: ["group:admins"]
policy: two_factor policy: two_factor
# Admin/Devs with 1FA for these tools
- domain_regex: "(grafana|prometheus|umami)\\.gate\\.3launchpad\\.com" - domain_regex: "(grafana|prometheus|umami)\\.gate\\.3launchpad\\.com"
subject: subject:
- "group:admins" - "group:admins"
- "group:devs" - "group:devs"
policy: one_factor policy: one_factor
# Catch-all for any other subdomain under *.gate.3launchpad.com -> authenticated users
- domain: "*.gate.3launchpad.com" - domain: "*.gate.3launchpad.com"
subject: subject:
- "group:users" - "group:users"
@@ -81,17 +75,15 @@ access_control:
######################################################### #########################################################
session: session:
name: authelia_session name: authelia_session
domain: "gate.3launchpad.com" # cookie scope (covers *.gate.3launchpad.com) domain: "gate.3launchpad.com"
same_site: Lax same_site: lax # <- fixed (was 'Lax')
expiration: 1h expiration: 1h
inactivity: 30m inactivity: 30m
remember_me_duration: 1M remember_me_duration: 1M # deprecated but auto-mapped; safe to keep
# secret can be overridden by env AUTHELIA_SESSION_SECRET
secret: "changeme_session_secret" secret: "changeme_session_secret"
redis: redis:
host: redis host: redis
port: 6379 port: 6379
# tls: false
######################################################### #########################################################
# Regulation (anti-bruteforce) # Regulation (anti-bruteforce)
@@ -105,48 +97,21 @@ regulation:
# Storage (SQLite on persistent volume) # Storage (SQLite on persistent volume)
######################################################### #########################################################
storage: storage:
encryption_key: "changeme_storage_key" # override via AUTHELIA_STORAGE_ENCRYPTION_KEY encryption_key: "changeme_storage_key"
local: local:
path: /config/db.sqlite3 path: /config/db.sqlite3
######################################################### #########################################################
# Notifier (choose one) # Notifier
######################################################### #########################################################
# For testing/dev: writes emails to a file
notifier: notifier:
filesystem: filesystem:
filename: /config/notification.txt filename: /config/notification.txt
# For production, comment the block above and use SMTP:
# notifier:
# smtp:
# address: "smtp.gmail.com:587"
# username: "no-reply@3launchpad.com"
# # password via env: AUTHELIA_NOTIFIER_SMTP_PASSWORD
# sender: "3Launchpad Auth <no-reply@3launchpad.com>"
# subject: "[3Launchpad] {title}"
# startup_check_address: "you@3launchpad.com"
# disable_require_tls: false
# tls:
# server_name: "smtp.gmail.com"
# skip_verify: false
######################################################### #########################################################
# TOTP / Duo / WebAuthn (2FA) # 2FA: TOTP
######################################################### #########################################################
totp: totp:
issuer: "3launchpad.com" issuer: "3launchpad.com"
period: 30 period: 30
skew: 1 skew: 1
webauthn:
disable: false
timeout: 60s
display_name: "3Launchpad Gateway"
relying_party_id: "gate.3launchpad.com"
# If you plan to use Duo Push in the future:
# duo_api:
# hostname: api-XXXXXXXX.duosecurity.com
# integration_key: YOUR_IKEY
# # secret_key via env: AUTHELIA_DUO_API_SECRET_KEY
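Review bot: The new header in the first hunk drops the `⚠️ Replace all "changeme_*" values` warning while `jwt_secret: "changeme_jwt_secret"`, the session `secret: "changeme_session_secret"` and `storage.encryption_key: "changeme_storage_key"` all remain as literal placeholders on the new side, leaving only the softer "Prefer env vars" line. Reinstate something like `# Placeholder "changeme_*" secrets MUST be replaced before deployment; supply them via AUTHELIA_JWT_SECRET, AUTHELIA_SESSION_SECRET, AUTHELIA_STORAGE_ENCRYPTION_KEY` above the Secrets block. If the Authelia version in use rejects a secret that is defined both in the file and from an environment variable, the override path these comments describe will not work and the placeholder keys should be removed from the file instead — worth confirming against the deployed version. The inline `# <- fixed (was 'Lax')` on `same_site` is a change note that belongs in the commit message rather than in the config.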

crowdsec/config.yaml Normal file

@@ -0,0 +1,4 @@
# minimal override to expose LAPI to other containers
api:
server:
listen_uri: 0.0.0.0:8080
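Review bot: `listen_uri: 0.0.0.0:8080` is an unquoted plain scalar containing a colon; it happens to parse as a string, but `listen_uri: "0.0.0.0:8080"` makes the intent explicit and is the safer convention for host:port values. The comment calls this a "minimal override", yet the docker-compose hunk mounts the file at `/etc/crowdsec/config.yaml`, where it replaces the image's entire default configuration rather than overriding a single key; CrowdSec's `.local` override files (`config.yaml.local`) exist for exactly this case, provided the image's entrypoint honours them — confirm before relying on it. Binding the LAPI on all container interfaces is what lets other containers reach it, so the controls that matter are that port 8080 is not published on the host and that bouncers authenticate with API keys; neither is visible in this diff and both are worth checking in the rest of the compose file.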


@@ -204,6 +204,7 @@ services:
COLLECTIONS: "crowdsecurity/traefik crowdsecurity/linux" COLLECTIONS: "crowdsecurity/traefik crowdsecurity/linux"
volumes: volumes:
- crowdsec_data:/var/lib/crowdsec/data - crowdsec_data:/var/lib/crowdsec/data
- ./crowdsec/config.yaml:/etc/crowdsec/config.yaml:ro
- ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml:ro - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
- traefik_logs:/var/log/traefik:ro - traefik_logs:/var/log/traefik:ro
networks: [traefik_proxy] networks: [traefik_proxy]