Update Authelia access control rules and SMTP configuration; modify Traefik labels for consistency
@@ -18,6 +18,10 @@ access_control:
|
|||||||
rules:
|
rules:
|
||||||
- domain: 'pgadmin.test.3launchpad.com'
|
- domain: 'pgadmin.test.3launchpad.com'
|
||||||
policy: 'two_factor'
|
policy: 'two_factor'
|
||||||
|
- domain: 'beszel.test.3launchpad.com'
|
||||||
|
policy: 'two_factor'
|
||||||
|
- domain: 'traefik.test.3launchpad.com'
|
||||||
|
policy: 'two_factor'
|
||||||
- domain: '*.test.3launchpad.com'
|
- domain: '*.test.3launchpad.com'
|
||||||
policy: 'one_factor'
|
policy: 'one_factor'
|
||||||
|
|
||||||
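Review bot: The new `two_factor` rules for `beszel.test.3launchpad.com` and `traefik.test.3launchpad.com` (like the existing pgadmin rule) are only evaluated for requests that actually pass through Authelia's forwardAuth middleware, and in the compose hunks of this same commit only the Traefik dashboard router lists `authelia@docker`; the beszel and pgadmin routers carry `security-headers@docker` alone, so their `two_factor` policy is never enforced unless an entrypoint-level middleware is configured outside these hunks. Either add `authelia@docker` to those routers' `middlewares` labels or document in this file which routers are expected to be behind the portal. The domains here are also hard-coded while the compose file derives every host from `${DOMAIN_PREFIX}.${DOMAIN}`, so the two will drift independently; a comment such as `# keep in sync with DOMAIN_PREFIX/DOMAIN in the compose file` would at least flag that. The `access_control` mapping begins outside the hunk, so a `default_policy` may exist above it.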
@@ -36,10 +40,16 @@ storage:
|
|||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
disable_startup_check: true
|
disable_startup_check: true
|
||||||
|
# Configure SMTP for production email notifications
|
||||||
|
# For testing, you can use filesystem notifier instead:
|
||||||
|
# filesystem:
|
||||||
|
# filename: /config/notification.txt
|
||||||
smtp:
|
smtp:
|
||||||
address: 'smtp://localhost:25'
|
address: 'submissions://smtp.gmail.com:465'
|
||||||
username: 'authelia'
|
username: 'your-email@gmail.com'
|
||||||
sender: 'authelia@example.com'
|
sender: 'Authelia <noreply@3launchpad.com>'
|
||||||
|
# For Gmail, use an App Password (not your regular password)
|
||||||
|
# Generate at: https://myaccount.google.com/apppasswords
|
||||||
|
|
||||||
identity_validation:
|
identity_validation:
|
||||||
reset_password: {}
|
reset_password: {}
|
||||||
|
|||||||
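Review bot: `disable_startup_check: true` is retained at the top of the hunk while the notifier is switched from a local relay to `submissions://smtp.gmail.com:465`; with the check disabled a wrong host, port or credential is only discovered when the first 2FA enrolment or password-reset mail fails to go out. Now that SMTP is meant for production, drop that line or set it to `false` so Authelia validates the connection at boot. The `username: 'your-email@gmail.com'` placeholder and the app-password comment imply a credential is going to be typed into this committed file; keep the password (and preferably the username) out of the config by supplying it through Authelia's file-based or environment-based secret mechanism rather than an inline `password:` key. The `smtp` mapping may continue past the end of the hunk, so a `password` key could already be present there.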
@@ -97,34 +97,31 @@ services:
|
|||||||
- --log.level=INFO
|
- --log.level=INFO
|
||||||
- --metrics.prometheus=true
|
- --metrics.prometheus=true
|
||||||
volumes:
|
volumes:
|
||||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
- /var/run/docker.sock:/var/rundocker.sock:ro
|
||||||
- traefik_letsencrypt:/letsencrypt
|
- traefik_letsencrypt:/letsencrypt
|
||||||
- traefik_logs:/var/log/traefik
|
- traefik_logs:/var/log/traefik
|
||||||
labels:
|
labels:
|
||||||
- traefik.enable=true
|
- "traefik.enable=true"
|
||||||
|
|
||||||
# Reusable security headers
|
# Reusable security headers middleware
|
||||||
- traefik.http.middlewares.security-headers.headers.stsSeconds=31536000
|
- "traefik.http.middlewares.security-headers.headers.stsSeconds=31536000"
|
||||||
- traefik.http.middlewares.security-headers.headers.stsIncludeSubdomains=true
|
- "traefik.http.middlewares.security-headers.headers.stsIncludeSubdomains=true"
|
||||||
- traefik.http.middlewares.security-headers.headers.stsPreload=true
|
- "traefik.http.middlewares.security-headers.headers.stsPreload=true"
|
||||||
- traefik.http.middlewares.security-headers.headers.browserXssFilter=true
|
- "traefik.http.middlewares.security-headers.headers.browserXssFilter=true"
|
||||||
- traefik.http.middlewares.security-headers.headers.contentTypeNosniff=true
|
- "traefik.http.middlewares.security-headers.headers.contentTypeNosniff=true"
|
||||||
- traefik.http.middlewares.security-headers.headers.referrerPolicy=no-referrer-when-downgrade
|
- "traefik.http.middlewares.security-headers.headers.referrerPolicy=no-referrer-when-downgrade"
|
||||||
|
|
||||||
# # Basic Auth middleware
|
|
||||||
# - traefik.http.middlewares.basic-auth.basicauth.users=${BASIC_AUTH_USERS}
|
|
||||||
|
|
||||||
# Authelia middleware
|
# Authelia middleware
|
||||||
- traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/authz/forward-auth
|
- "traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/authz/forward-auth"
|
||||||
- traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true
|
- "traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true"
|
||||||
- traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Email,Remote-Name
|
- "traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Email,Remote-Name"
|
||||||
|
|
||||||
# Traefik dashboard (protected)
|
# Traefik dashboard (protected)
|
||||||
- traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN_PREFIX}.${DOMAIN}`)
|
- "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN_PREFIX}.${DOMAIN}`)"
|
||||||
- traefik.http.routers.traefik.entrypoints=websecure
|
- "traefik.http.routers.traefik.entrypoints=websecure"
|
||||||
- traefik.http.routers.traefik.tls.certresolver=le
|
- "traefik.http.routers.traefik.tls.certresolver=le"
|
||||||
- traefik.http.routers.traefik.service=api@internal
|
- "traefik.http.routers.traefik.service=api@internal"
|
||||||
- traefik.http.routers.traefik.middlewares=authelia@docker,security-headers
|
- "traefik.http.routers.traefik.middlewares=authelia@docker,security-headers@docker"
|
||||||
healthcheck:
|
healthcheck:
|
||||||
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/ping"]
|
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/ping"]
|
||||||
interval: 30s
|
interval: 30s
|
||||||
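Review bot: The volume line `- /var/run/docker.sock:/var/rundocker.sock:ro` drops the slash before `docker.sock`, so the socket is mounted at `/var/rundocker.sock` inside the container instead of the default path the Traefik docker provider reads, and every `traefik.*` label this commit touches would go unseen. Restore it as `- /var/run/docker.sock:/var/run/docker.sock:ro`; the `:ro` added in the same line is the right call and should stay. The remaining changes in this hunk (quoting the labels, `security-headers@docker`) are consistent with the other services. The `traefik` service definition starts above the hunk, so the provider's `--providers.docker` flags are not visible here.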
@@ -160,11 +157,12 @@ services:
|
|||||||
depends_on:
|
depends_on:
|
||||||
- authelia-db
|
- authelia-db
|
||||||
labels:
|
labels:
|
||||||
- traefik.enable=true
|
- "traefik.enable=true"
|
||||||
- traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN_PREFIX}.${DOMAIN}`)
|
- "traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN_PREFIX}.${DOMAIN}`)"
|
||||||
- traefik.http.routers.authelia.entrypoints=websecure
|
- "traefik.http.routers.authelia.entrypoints=websecure"
|
||||||
- traefik.http.routers.authelia.tls.certresolver=le
|
- "traefik.http.routers.authelia.tls.certresolver=le"
|
||||||
- traefik.http.services.authelia.loadbalancer.server.port=9091
|
- "traefik.http.routers.authelia.middlewares=security-headers@docker"
|
||||||
|
- "traefik.http.services.authelia.loadbalancer.server.port=9091"
|
||||||
|
|
||||||
## ─────────────────────────────────────────────
|
## ─────────────────────────────────────────────
|
||||||
## Authelia Database — PostgreSQL
|
## Authelia Database — PostgreSQL
|
||||||
@@ -200,12 +198,12 @@ services:
|
|||||||
- /var/run/docker.sock:/var/run/docker.sock
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
- portainer_data:/data
|
- portainer_data:/data
|
||||||
labels:
|
labels:
|
||||||
- traefik.enable=true
|
- "traefik.enable=true"
|
||||||
- traefik.http.routers.portainer.rule=Host(`portainer.${DOMAIN_PREFIX}.${DOMAIN}`)
|
- "traefik.http.routers.portainer.rule=Host(`portainer.${DOMAIN_PREFIX}.${DOMAIN}`)"
|
||||||
- traefik.http.routers.portainer.entrypoints=websecure
|
- "traefik.http.routers.portainer.entrypoints=websecure"
|
||||||
- traefik.http.routers.portainer.tls.certresolver=le
|
- "traefik.http.routers.portainer.tls.certresolver=le"
|
||||||
- traefik.http.routers.portainer.middlewares=security-headers
|
- "traefik.http.routers.portainer.middlewares=security-headers@docker"
|
||||||
- traefik.http.services.portainer.loadbalancer.server.port=9000
|
- "traefik.http.services.portainer.loadbalancer.server.port=9000"
|
||||||
|
|
||||||
## ─────────────────────────────────────────────
|
## ─────────────────────────────────────────────
|
||||||
## Uptime Kuma — status page / checks
|
## Uptime Kuma — status page / checks
|
||||||
@@ -218,12 +216,12 @@ services:
|
|||||||
- uptime_kuma_data:/app/data
|
- uptime_kuma_data:/app/data
|
||||||
networks: [traefik_proxy]
|
networks: [traefik_proxy]
|
||||||
labels:
|
labels:
|
||||||
- traefik.enable=true
|
- "traefik.enable=true"
|
||||||
- traefik.http.routers.kuma.rule=Host(`uptime.${DOMAIN_PREFIX}.${DOMAIN}`)
|
- "traefik.http.routers.kuma.rule=Host(`uptime.${DOMAIN_PREFIX}.${DOMAIN}`)"
|
||||||
- traefik.http.routers.kuma.entrypoints=websecure
|
- "traefik.http.routers.kuma.entrypoints=websecure"
|
||||||
- traefik.http.routers.kuma.tls.certresolver=le
|
- "traefik.http.routers.kuma.tls.certresolver=le"
|
||||||
- traefik.http.routers.kuma.middlewares=security-headers
|
- "traefik.http.routers.kuma.middlewares=security-headers@docker"
|
||||||
- traefik.http.services.kuma.loadbalancer.server.port=3001
|
- "traefik.http.services.kuma.loadbalancer.server.port=3001"
|
||||||
|
|
||||||
## ─────────────────────────────────────────────
|
## ─────────────────────────────────────────────
|
||||||
## Umami — web analytics
|
## Umami — web analytics
|
||||||
@@ -240,14 +238,14 @@ services:
|
|||||||
depends_on:
|
depends_on:
|
||||||
- umami-db
|
- umami-db
|
||||||
labels:
|
labels:
|
||||||
- traefik.enable=true
|
- "traefik.enable=true"
|
||||||
- traefik.http.routers.umami.rule=Host(`umami.${DOMAIN_PREFIX}.${DOMAIN}`)
|
- "traefik.http.routers.umami.rule=Host(`umami.${DOMAIN_PREFIX}.${DOMAIN}`)"
|
||||||
- traefik.http.routers.umami.entrypoints=websecure
|
- "traefik.http.routers.umami.entrypoints=websecure"
|
||||||
- traefik.http.routers.umami.tls.certresolver=le
|
- "traefik.http.routers.umami.tls.certresolver=le"
|
||||||
- traefik.http.routers.umami.middlewares=security-headers
|
- "traefik.http.routers.umami.middlewares=security-headers@docker"
|
||||||
- traefik.http.services.umami.loadbalancer.server.port=3000
|
- "traefik.http.services.umami.loadbalancer.server.port=3000"
|
||||||
healthcheck:
|
healthcheck:
|
||||||
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3000"]
|
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:3000"]
|
||||||
interval: 30s
|
interval: 30s
|
||||||
timeout: 10s
|
timeout: 10s
|
||||||
retries: 3
|
retries: 3
|
||||||
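Review bot: Only the umami healthcheck switches from `http://localhost:3000` to `http://127.0.0.1:3000`, while the traefik, pgadmin and gitea checks in this commit keep `localhost`. If the motive is that `localhost` resolves to `::1` first inside the image and the service listens on IPv4 only, that is worth a one-line comment above the `test:` line (`# 127.0.0.1: localhost may resolve to ::1 in this image`) and the same form applied to the other checks for consistency; otherwise the change reads as accidental.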
@@ -295,12 +293,12 @@ services:
|
|||||||
volumes:
|
volumes:
|
||||||
- pgadmin_data:/var/lib/pgadmin
|
- pgadmin_data:/var/lib/pgadmin
|
||||||
labels:
|
labels:
|
||||||
- traefik.enable=true
|
- "traefik.enable=true"
|
||||||
- traefik.http.routers.pgadmin.rule=Host(`pgadmin.${DOMAIN_PREFIX}.${DOMAIN}`)
|
- "traefik.http.routers.pgadmin.rule=Host(`pgadmin.${DOMAIN_PREFIX}.${DOMAIN}`)"
|
||||||
- traefik.http.routers.pgadmin.entrypoints=websecure
|
- "traefik.http.routers.pgadmin.entrypoints=websecure"
|
||||||
- traefik.http.routers.pgadmin.tls.certresolver=le
|
- "traefik.http.routers.pgadmin.tls.certresolver=le"
|
||||||
- traefik.http.routers.pgadmin.middlewares=security-headers
|
- "traefik.http.routers.pgadmin.middlewares=security-headers@docker"
|
||||||
- traefik.http.services.pgadmin.loadbalancer.server.port=80
|
- "traefik.http.services.pgadmin.loadbalancer.server.port=80"
|
||||||
healthcheck:
|
healthcheck:
|
||||||
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:80"]
|
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:80"]
|
||||||
interval: 30s
|
interval: 30s
|
||||||
@@ -319,18 +317,12 @@ services:
|
|||||||
volumes:
|
volumes:
|
||||||
- beszel_data:/beszel_data
|
- beszel_data:/beszel_data
|
||||||
labels:
|
labels:
|
||||||
- traefik.enable=true
|
- "traefik.enable=true"
|
||||||
- traefik.http.routers.beszel.rule=Host(`beszel.${DOMAIN_PREFIX}.${DOMAIN}`)
|
- "traefik.http.routers.beszel.rule=Host(`beszel.${DOMAIN_PREFIX}.${DOMAIN}`)"
|
||||||
- traefik.http.routers.beszel.entrypoints=websecure
|
- "traefik.http.routers.beszel.entrypoints=websecure"
|
||||||
- traefik.http.routers.beszel.tls.certresolver=le
|
- "traefik.http.routers.beszel.tls.certresolver=le"
|
||||||
- traefik.http.routers.beszel.middlewares=security-headers
|
- "traefik.http.routers.beszel.middlewares=security-headers@docker"
|
||||||
- traefik.http.services.beszel.loadbalancer.server.port=8090
|
- "traefik.http.services.beszel.loadbalancer.server.port=8090"
|
||||||
healthcheck:
|
|
||||||
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8090"]
|
|
||||||
interval: 30s
|
|
||||||
timeout: 10s
|
|
||||||
retries: 3
|
|
||||||
start_period: 40s
|
|
||||||
|
|
||||||
## ─────────────────────────────────────────────
|
## ─────────────────────────────────────────────
|
||||||
## Gitea — self-hosted Git service
|
## Gitea — self-hosted Git service
|
||||||
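Review bot: The beszel `healthcheck` block (`test`, `interval`, `timeout`, `retries`, `start_period`) is deleted outright with nothing replacing it, and the commit message does not mention it. That removes the only liveness signal for the service and would silently break any `depends_on` that waits on `service_healthy` for beszel elsewhere in the file; if the check was failing because the container lacks `wget`, a comment saying so (or a check using a tool the image ships) is better than dropping it. The service definition starts above the hunk, so its `depends_on` consumers are not visible here.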
@@ -348,6 +340,7 @@ services:
|
|||||||
- GITEA__database__NAME=${GITEA_DB_NAME}
|
- GITEA__database__NAME=${GITEA_DB_NAME}
|
||||||
- GITEA__database__USER=${GITEA_DB_USER}
|
- GITEA__database__USER=${GITEA_DB_USER}
|
||||||
- GITEA__database__PASSWD=${GITEA_DB_PASSWORD}
|
- GITEA__database__PASSWD=${GITEA_DB_PASSWORD}
|
||||||
|
- GITEA__database__SSL_MODE=disable
|
||||||
- GITEA__server__DOMAIN=git.${DOMAIN_PREFIX}.${DOMAIN}
|
- GITEA__server__DOMAIN=git.${DOMAIN_PREFIX}.${DOMAIN}
|
||||||
- GITEA__server__SSH_DOMAIN=git.${DOMAIN_PREFIX}.${DOMAIN}
|
- GITEA__server__SSH_DOMAIN=git.${DOMAIN_PREFIX}.${DOMAIN}
|
||||||
- GITEA__server__ROOT_URL=https://git.${DOMAIN_PREFIX}.${DOMAIN}/
|
- GITEA__server__ROOT_URL=https://git.${DOMAIN_PREFIX}.${DOMAIN}/
|
||||||
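Review bot: `GITEA__database__SSL_MODE=disable` turns off TLS for the Gitea to PostgreSQL connection with no comment saying why, so the `GITEA_DB_PASSWORD` two lines above travels in clear text over whatever network the two containers share. If gitea-db is reachable only on an internal compose network this is an accepted trade-off, but record it: `# gitea-db is reachable only on the internal compose network and ships no TLS cert, hence SSL off`. Should the database ever move off-host, this must become one of Gitea's verifying SSL modes. The `environment` list starts above the hunk.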
@@ -364,12 +357,12 @@ services:
|
|||||||
depends_on:
|
depends_on:
|
||||||
- gitea-db
|
- gitea-db
|
||||||
labels:
|
labels:
|
||||||
- traefik.enable=true
|
- "traefik.enable=true"
|
||||||
- traefik.http.routers.gitea.rule=Host(`git.${DOMAIN_PREFIX}.${DOMAIN}`)
|
- "traefik.http.routers.gitea.rule=Host(`git.${DOMAIN_PREFIX}.${DOMAIN}`)"
|
||||||
- traefik.http.routers.gitea.entrypoints=websecure
|
- "traefik.http.routers.gitea.entrypoints=websecure"
|
||||||
- traefik.http.routers.gitea.tls.certresolver=le
|
- "traefik.http.routers.gitea.tls.certresolver=le"
|
||||||
- traefik.http.routers.gitea.middlewares=security-headers
|
- "traefik.http.routers.gitea.middlewares=security-headers@docker"
|
||||||
- traefik.http.services.gitea.loadbalancer.server.port=3000
|
- "traefik.http.services.gitea.loadbalancer.server.port=3000"
|
||||||
healthcheck:
|
healthcheck:
|
||||||
test: ["CMD", "curl", "-f", "http://localhost:3000/api/healthz"]
|
test: ["CMD", "curl", "-f", "http://localhost:3000/api/healthz"]
|
||||||
interval: 30s
|
interval: 30s
|
||||||
|
|||||||