Add CrowdSec configuration and update docker-compose for integration

authelia/configuration.yml

@@ -1,19 +1,19 @@
 # authelia/configuration.yml
-# Authelia v4 configuration for: auth.gate.3launchpad.com
-# Behind Traefik (forward-auth), Redis for sessions, SQLite storage.
-# ⚠️ Replace all "changeme_*" values or (better) override via env vars:
-#    AUTHELIA_JWT_SECRET, AUTHELIA_SESSION_SECRET, AUTHELIA_STORAGE_ENCRYPTION_KEY
+# Authelia v4 for: auth.gate.3launchpad.com
+# Behind Traefik (forward-auth), Redis sessions, SQLite storage.
 
 #########################################################
 # Server & Logging
 #########################################################
 server:
-  address: "tcp://0.0.0.0:9091"   # Traefik talks to this
+  address: "tcp://0.0.0.0:9091"
   buffers:
     read: 4096
     write: 4096
+
 log:
   level: info
+
 theme: auto
 
 # Where to send users if they hit a protected resource without a Referer
@@ -22,8 +22,8 @@ default_redirection_url: "https://traefik.gate.3launchpad.com/"
 #########################################################
 # Secrets (use env vars in production)
 #########################################################
-# Prefer setting via Docker env:
-#   AUTHELIA_JWT_SECRET, AUTHELIA_SESSION_SECRET, AUTHELIA_STORAGE_ENCRYPTION_KEY
+# Prefer env vars:
+# AUTHELIA_JWT_SECRET, AUTHELIA_SESSION_SECRET, AUTHELIA_STORAGE_ENCRYPTION_KEY
 jwt_secret: "changeme_jwt_secret"
 
 #########################################################
@@ -32,7 +32,6 @@ jwt_secret: "changeme_jwt_secret"
 authentication_backend:
   file:
     path: /config/users_database.yml
-    # New hashes should be argon2id. Use: `authelia crypto hash generate argon2`
     password:
       algorithm: argon2id
       iterations: 3
@@ -42,17 +41,14 @@ authentication_backend:
       key_length: 32
 
 #########################################################
-# Access Control (who can access what)
+# Access Control
 #########################################################
 access_control:
   default_policy: deny
-
   rules:
-    # Public status page
     - domain: "status.gate.3launchpad.com"
       policy: bypass
 
-    # Admin-only, require 2FA
     - domain: "traefik.gate.3launchpad.com"
       subject: ["group:admins"]
       policy: two_factor
@@ -61,14 +57,12 @@ access_control:
       subject: ["group:admins"]
       policy: two_factor
 
-    # Admin/Devs with 1FA for these tools
     - domain_regex: "(grafana|prometheus|umami)\\.gate\\.3launchpad\\.com"
       subject:
         - "group:admins"
         - "group:devs"
       policy: one_factor
 
-    # Catch-all for any other subdomain under *.gate.3launchpad.com -> authenticated users
     - domain: "*.gate.3launchpad.com"
       subject:
         - "group:users"
@@ -81,17 +75,15 @@ access_control:
 #########################################################
 session:
   name: authelia_session
-  domain: "gate.3launchpad.com"   # cookie scope (covers *.gate.3launchpad.com)
-  same_site: Lax
+  domain: "gate.3launchpad.com"
+  same_site: lax            # <- fixed (was 'Lax')
   expiration: 1h
   inactivity: 30m
-  remember_me_duration: 1M
-  # secret can be overridden by env AUTHELIA_SESSION_SECRET
+  remember_me_duration: 1M  # deprecated but auto-mapped; safe to keep
   secret: "changeme_session_secret"
   redis:
     host: redis
     port: 6379
-    # tls: false
 
 #########################################################
 # Regulation (anti-bruteforce)
@@ -105,48 +97,21 @@ regulation:
 # Storage (SQLite on persistent volume)
 #########################################################
 storage:
-  encryption_key: "changeme_storage_key"    # override via AUTHELIA_STORAGE_ENCRYPTION_KEY
+  encryption_key: "changeme_storage_key"
   local:
     path: /config/db.sqlite3
 
 #########################################################
-# Notifier (choose one)
+# Notifier
 #########################################################
-# For testing/dev: writes emails to a file
 notifier:
   filesystem:
     filename: /config/notification.txt
 
-# For production, comment the block above and use SMTP:
-# notifier:
-#   smtp:
-#     address: "smtp.gmail.com:587"
-#     username: "no-reply@3launchpad.com"
-#     # password via env: AUTHELIA_NOTIFIER_SMTP_PASSWORD
-#     sender: "3Launchpad Auth <no-reply@3launchpad.com>"
-#     subject: "[3Launchpad] {title}"
-#     startup_check_address: "you@3launchpad.com"
-#     disable_require_tls: false
-#     tls:
-#       server_name: "smtp.gmail.com"
-#       skip_verify: false
-
 #########################################################
-# TOTP / Duo / WebAuthn (2FA)
+# 2FA: TOTP
 #########################################################
 totp:
   issuer: "3launchpad.com"
   period: 30
   skew: 1
-
-webauthn:
-  disable: false
-  timeout: 60s
-  display_name: "3Launchpad Gateway"
-  relying_party_id: "gate.3launchpad.com"
-
-# If you plan to use Duo Push in the future:
-# duo_api:
-#   hostname: api-XXXXXXXX.duosecurity.com
-#   integration_key: YOUR_IKEY
-#   # secret_key via env: AUTHELIA_DUO_API_SECRET_KEY

crowdsec/config.yaml

@@ -0,0 +1,4 @@
+# minimal override to expose LAPI to other containers
+api:
+  server:
+    listen_uri: 0.0.0.0:8080

docker-compose.yml

@@ -204,6 +204,7 @@ services:
       COLLECTIONS: "crowdsecurity/traefik crowdsecurity/linux"
     volumes:
       - crowdsec_data:/var/lib/crowdsec/data
+      - ./crowdsec/config.yaml:/etc/crowdsec/config.yaml:ro
       - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
       - traefik_logs:/var/log/traefik:ro
     networks: [traefik_proxy]