Update Authelia access control rules and SMTP configuration; modify Traefik labels for consistency

2025-12-02 04:04:56 +01:00
parent 58cc1b1e92
commit a5cd34d9ab
2 changed files with 74 additions and 71 deletions
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -18,6 +18,10 @@ access_control:
  rules:
    - domain: 'pgadmin.test.3launchpad.com'
      policy: 'two_factor'
+    - domain: 'beszel.test.3launchpad.com'
+      policy: 'two_factor'
+    - domain: 'traefik.test.3launchpad.com'
+      policy: 'two_factor'
    - domain: '*.test.3launchpad.com'
      policy: 'one_factor'

@@ -36,10 +40,16 @@ storage:

 notifier:
  disable_startup_check: true
+  # Configure SMTP for production email notifications
+  # For testing, you can use filesystem notifier instead:
+  # filesystem:
+  #   filename: /config/notification.txt
  smtp:
-    address: 'smtp://localhost:25'
-    username: 'authelia'
-    sender: 'authelia@example.com'
+    address: 'submissions://smtp.gmail.com:465'
+    username: 'your-email@gmail.com'
+    sender: 'Authelia <noreply@3launchpad.com>'
+    # For Gmail, use an App Password (not your regular password)
+    # Generate at: https://myaccount.google.com/apppasswords

 identity_validation:
  reset_password: {}
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -97,34 +97,31 @@ services:
      - --log.level=INFO
      - --metrics.prometheus=true
    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/run/docker.sock:/var/rundocker.sock:ro
      - traefik_letsencrypt:/letsencrypt
      - traefik_logs:/var/log/traefik
    labels:
-      - traefik.enable=true
+      - "traefik.enable=true"

-      # Reusable security headers
-      - traefik.http.middlewares.security-headers.headers.stsSeconds=31536000
-      - traefik.http.middlewares.security-headers.headers.stsIncludeSubdomains=true
-      - traefik.http.middlewares.security-headers.headers.stsPreload=true
-      - traefik.http.middlewares.security-headers.headers.browserXssFilter=true
-      - traefik.http.middlewares.security-headers.headers.contentTypeNosniff=true
-      - traefik.http.middlewares.security-headers.headers.referrerPolicy=no-referrer-when-downgrade
-
-      # # Basic Auth middleware
-      # - traefik.http.middlewares.basic-auth.basicauth.users=${BASIC_AUTH_USERS}
+      # Reusable security headers middleware
+      - "traefik.http.middlewares.security-headers.headers.stsSeconds=31536000"
+      - "traefik.http.middlewares.security-headers.headers.stsIncludeSubdomains=true"
+      - "traefik.http.middlewares.security-headers.headers.stsPreload=true"
+      - "traefik.http.middlewares.security-headers.headers.browserXssFilter=true"
+      - "traefik.http.middlewares.security-headers.headers.contentTypeNosniff=true"
+      - "traefik.http.middlewares.security-headers.headers.referrerPolicy=no-referrer-when-downgrade"

      # Authelia middleware
-      - traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/authz/forward-auth
-      - traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true
-      - traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Email,Remote-Name
+      - "traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/authz/forward-auth"
+      - "traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true"
+      - "traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Email,Remote-Name"

      # Traefik dashboard (protected)
-      - traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN_PREFIX}.${DOMAIN}`)
-      - traefik.http.routers.traefik.entrypoints=websecure
-      - traefik.http.routers.traefik.tls.certresolver=le
-      - traefik.http.routers.traefik.service=api@internal
-      - traefik.http.routers.traefik.middlewares=authelia@docker,security-headers
+      - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN_PREFIX}.${DOMAIN}`)"
+      - "traefik.http.routers.traefik.entrypoints=websecure"
+      - "traefik.http.routers.traefik.tls.certresolver=le"
+      - "traefik.http.routers.traefik.service=api@internal"
+      - "traefik.http.routers.traefik.middlewares=authelia@docker,security-headers@docker"
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/ping"]
      interval: 30s
@@ -160,11 +157,12 @@ services:
    depends_on:
      - authelia-db
    labels:
-      - traefik.enable=true
-      - traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN_PREFIX}.${DOMAIN}`)
-      - traefik.http.routers.authelia.entrypoints=websecure
-      - traefik.http.routers.authelia.tls.certresolver=le
-      - traefik.http.services.authelia.loadbalancer.server.port=9091
+      - "traefik.enable=true"
+      - "traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN_PREFIX}.${DOMAIN}`)"
+      - "traefik.http.routers.authelia.entrypoints=websecure"
+      - "traefik.http.routers.authelia.tls.certresolver=le"
+      - "traefik.http.routers.authelia.middlewares=security-headers@docker"
+      - "traefik.http.services.authelia.loadbalancer.server.port=9091"

  ## ─────────────────────────────────────────────
  ## Authelia Database — PostgreSQL
@@ -200,12 +198,12 @@ services:
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_data:/data
    labels:
-      - traefik.enable=true
-      - traefik.http.routers.portainer.rule=Host(`portainer.${DOMAIN_PREFIX}.${DOMAIN}`)
-      - traefik.http.routers.portainer.entrypoints=websecure
-      - traefik.http.routers.portainer.tls.certresolver=le
-      - traefik.http.routers.portainer.middlewares=security-headers
-      - traefik.http.services.portainer.loadbalancer.server.port=9000
+      - "traefik.enable=true"
+      - "traefik.http.routers.portainer.rule=Host(`portainer.${DOMAIN_PREFIX}.${DOMAIN}`)"
+      - "traefik.http.routers.portainer.entrypoints=websecure"
+      - "traefik.http.routers.portainer.tls.certresolver=le"
+      - "traefik.http.routers.portainer.middlewares=security-headers@docker"
+      - "traefik.http.services.portainer.loadbalancer.server.port=9000"

  ## ─────────────────────────────────────────────
  ## Uptime Kuma — status page / checks
@@ -218,12 +216,12 @@ services:
      - uptime_kuma_data:/app/data
    networks: [traefik_proxy]
    labels:
-      - traefik.enable=true
-      - traefik.http.routers.kuma.rule=Host(`uptime.${DOMAIN_PREFIX}.${DOMAIN}`)
-      - traefik.http.routers.kuma.entrypoints=websecure
-      - traefik.http.routers.kuma.tls.certresolver=le
-      - traefik.http.routers.kuma.middlewares=security-headers
-      - traefik.http.services.kuma.loadbalancer.server.port=3001
+      - "traefik.enable=true"
+      - "traefik.http.routers.kuma.rule=Host(`uptime.${DOMAIN_PREFIX}.${DOMAIN}`)"
+      - "traefik.http.routers.kuma.entrypoints=websecure"
+      - "traefik.http.routers.kuma.tls.certresolver=le"
+      - "traefik.http.routers.kuma.middlewares=security-headers@docker"
+      - "traefik.http.services.kuma.loadbalancer.server.port=3001"

  ## ─────────────────────────────────────────────
  ## Umami — web analytics
@@ -240,14 +238,14 @@ services:
    depends_on:
      - umami-db
    labels:
-      - traefik.enable=true
-      - traefik.http.routers.umami.rule=Host(`umami.${DOMAIN_PREFIX}.${DOMAIN}`)
-      - traefik.http.routers.umami.entrypoints=websecure
-      - traefik.http.routers.umami.tls.certresolver=le
-      - traefik.http.routers.umami.middlewares=security-headers
-      - traefik.http.services.umami.loadbalancer.server.port=3000
+      - "traefik.enable=true"
+      - "traefik.http.routers.umami.rule=Host(`umami.${DOMAIN_PREFIX}.${DOMAIN}`)"
+      - "traefik.http.routers.umami.entrypoints=websecure"
+      - "traefik.http.routers.umami.tls.certresolver=le"
+      - "traefik.http.routers.umami.middlewares=security-headers@docker"
+      - "traefik.http.services.umami.loadbalancer.server.port=3000"
    healthcheck:
-      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3000"]
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:3000"]
      interval: 30s
      timeout: 10s
      retries: 3
@@ -295,12 +293,12 @@ services:
    volumes:
      - pgadmin_data:/var/lib/pgadmin
    labels:
-      - traefik.enable=true
-      - traefik.http.routers.pgadmin.rule=Host(`pgadmin.${DOMAIN_PREFIX}.${DOMAIN}`)
-      - traefik.http.routers.pgadmin.entrypoints=websecure
-      - traefik.http.routers.pgadmin.tls.certresolver=le
-      - traefik.http.routers.pgadmin.middlewares=security-headers
-      - traefik.http.services.pgadmin.loadbalancer.server.port=80
+      - "traefik.enable=true"
+      - "traefik.http.routers.pgadmin.rule=Host(`pgadmin.${DOMAIN_PREFIX}.${DOMAIN}`)"
+      - "traefik.http.routers.pgadmin.entrypoints=websecure"
+      - "traefik.http.routers.pgadmin.tls.certresolver=le"
+      - "traefik.http.routers.pgadmin.middlewares=security-headers@docker"
+      - "traefik.http.services.pgadmin.loadbalancer.server.port=80"
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:80"]
      interval: 30s
@@ -319,18 +317,12 @@ services:
    volumes:
      - beszel_data:/beszel_data
    labels:
-      - traefik.enable=true
-      - traefik.http.routers.beszel.rule=Host(`beszel.${DOMAIN_PREFIX}.${DOMAIN}`)
-      - traefik.http.routers.beszel.entrypoints=websecure
-      - traefik.http.routers.beszel.tls.certresolver=le
-      - traefik.http.routers.beszel.middlewares=security-headers
-      - traefik.http.services.beszel.loadbalancer.server.port=8090
-    healthcheck:
-      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8090"]
-      interval: 30s
-      timeout: 10s
-      retries: 3
-      start_period: 40s
+      - "traefik.enable=true"
+      - "traefik.http.routers.beszel.rule=Host(`beszel.${DOMAIN_PREFIX}.${DOMAIN}`)"
+      - "traefik.http.routers.beszel.entrypoints=websecure"
+      - "traefik.http.routers.beszel.tls.certresolver=le"
+      - "traefik.http.routers.beszel.middlewares=security-headers@docker"
+      - "traefik.http.services.beszel.loadbalancer.server.port=8090"

  ## ─────────────────────────────────────────────
  ## Gitea — self-hosted Git service
@@ -348,6 +340,7 @@ services:
      - GITEA__database__NAME=${GITEA_DB_NAME}
      - GITEA__database__USER=${GITEA_DB_USER}
      - GITEA__database__PASSWD=${GITEA_DB_PASSWORD}
+      - GITEA__database__SSL_MODE=disable
      - GITEA__server__DOMAIN=git.${DOMAIN_PREFIX}.${DOMAIN}
      - GITEA__server__SSH_DOMAIN=git.${DOMAIN_PREFIX}.${DOMAIN}
      - GITEA__server__ROOT_URL=https://git.${DOMAIN_PREFIX}.${DOMAIN}/
@@ -364,12 +357,12 @@ services:
    depends_on:
      - gitea-db
    labels:
-      - traefik.enable=true
-      - traefik.http.routers.gitea.rule=Host(`git.${DOMAIN_PREFIX}.${DOMAIN}`)
-      - traefik.http.routers.gitea.entrypoints=websecure
-      - traefik.http.routers.gitea.tls.certresolver=le
-      - traefik.http.routers.gitea.middlewares=security-headers
-      - traefik.http.services.gitea.loadbalancer.server.port=3000
+      - "traefik.enable=true"
+      - "traefik.http.routers.gitea.rule=Host(`git.${DOMAIN_PREFIX}.${DOMAIN}`)"
+      - "traefik.http.routers.gitea.entrypoints=websecure"
+      - "traefik.http.routers.gitea.tls.certresolver=le"
+      - "traefik.http.routers.gitea.middlewares=security-headers@docker"
+      - "traefik.http.services.gitea.loadbalancer.server.port=3000"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:3000/api/healthz"]
      interval: 30s