From dc7871c9ec89bf0516c1921e0daa7febacda7502 Mon Sep 17 00:00:00 2001 From: Mohmmed Elfateh Sabry <59346303+elfateh4@users.noreply.github.com> Date: Mon, 11 Aug 2025 13:10:30 +0300 Subject: [PATCH] Add Authelia configuration and user database; remove Prometheus and Grafana services --- .env.example | 12 ++ authelia/README.md | 237 ++++++++++++++++++++++++++++++++++ authelia/configuration.yml | 247 ++++++++++++++++++++++++++++++++++++ authelia/users_database.yml | 33 +++++ docker-compose.yml | 102 ++++----------- prometheus/prometheus.yml | 16 --- 6 files changed, 556 insertions(+), 91 deletions(-) create mode 100644 authelia/README.md create mode 100644 authelia/configuration.yml create mode 100644 authelia/users_database.yml delete mode 100644 prometheus/prometheus.yml diff --git a/.env.example b/.env.example index 862c37a..db93ff1 100644 --- a/.env.example +++ b/.env.example @@ -9,6 +9,18 @@ TZ=Your/Timezone # Your email address for Let's Encrypt certificate notifications ACME_EMAIL=admin@your-domain.com +## Authelia Configuration +# Generate with: openssl rand -hex 32 +AUTHELIA_JWT_SECRET=your_jwt_secret_here_at_least_32_chars_generate_this +AUTHELIA_SESSION_SECRET=your_session_secret_here_at_least_32_chars_generate_this + +# SMTP Configuration for Authelia (optional) +AUTHELIA_SMTP_HOST=smtp.gmail.com +AUTHELIA_SMTP_PORT=587 +AUTHELIA_SMTP_USER=your_email@gmail.com +AUTHELIA_SMTP_PASS=your_app_password +AUTHELIA_SMTP_FROM=Authelia + ## Umami (PostgreSQL) # Database user for Umami analytics UMAMI_DB_USER=umami diff --git a/authelia/README.md b/authelia/README.md new file mode 100644 index 0000000..461a1c8 --- /dev/null +++ b/authelia/README.md 
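Review bot: The AUTHELIA_* variables added here are never consumed by the rest of the commit: the new authelia service in docker-compose.yml passes only `TZ` into the container, and authelia/configuration.yml carries literal `jwt_secret` and `session.secret` values plus a filesystem notifier instead of SMTP, so an operator who fills these in changes nothing. Wire the two secrets through the service's `environment:` block — `AUTHELIA_JWT_SECRET: "${AUTHELIA_JWT_SECRET}"` and `AUTHELIA_SESSION_SECRET: "${AUTHELIA_SESSION_SECRET}"` — and remove the literal keys from configuration.yml, since as far as I recall Authelia treats a secret defined in both the file and the environment as a startup error; confirm the exact environment names against the Authelia release the image is pinned to, because they have been renamed across versions. The SMTP variables likewise need a `notifier.smtp` stanza that references them, or should be dropped from the template so the example does not promise behaviour the stack lacks.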
@@ -0,0 +1,237 @@ +# Authelia Setup Guide + +This guide walks you through setting up Authelia authentication for your Launchpad Gateway. + +## Overview + +Authelia provides: +- 🔐 **Single Sign-On (SSO)** for all your services +- 🛡️ **Two-Factor Authentication (2FA)** with TOTP/WebAuthn +- 🌐 **Forward Authentication** integration with Traefik +- 👥 **User Management** with file-based or LDAP backends +- 📧 **Email Notifications** for password resets and 2FA setup + +## Quick Start + +### 1. Run the Setup Script + +**Windows (PowerShell):** +```powershell +.\setup-authelia.ps1 +``` + +**Linux/macOS (Bash):** +```bash +chmod +x setup-authelia.sh +./setup-authelia.sh +``` + +### 2. Configure Your Environment + +Edit `.env` file with your actual values: +```env +DOMAIN=your-domain.com +TZ=America/New_York +ACME_EMAIL=admin@your-domain.com +AUTHELIA_JWT_SECRET=your_generated_jwt_secret +AUTHELIA_SESSION_SECRET=your_generated_session_secret +``` + +### 3. Update Authelia Configuration + +Edit `authelia/configuration.yml`: +- Replace all instances of `example.com` with your actual domain +- Update SMTP settings if you want email notifications +- Adjust access control rules as needed + +### 4. Set Up Users + +Edit `authelia/users_database.yml`: +- Change the default password for `admin` user +- Add your own users +- Generate password hashes using: + ```bash + docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'your-password' + ``` + +### 5. 
Start Services + +```bash +docker-compose up -d +``` + +## Access URLs + +After setup, your services will be available at: +- **Authelia Portal**: `https://auth.gate.YOUR_DOMAIN` +- **Traefik Dashboard**: `https://traefik.gate.YOUR_DOMAIN` (requires authentication) +- **Portainer**: `https://portainer.gate.YOUR_DOMAIN` (requires authentication) +- **Uptime Kuma**: `https://uptime.gate.YOUR_DOMAIN` (requires authentication) + +## Default Credentials + +**⚠️ CHANGE THESE IMMEDIATELY!** +- **Username**: `admin` +- **Password**: `authelia` + +## Configuration Files + +### `authelia/configuration.yml` +Main Authelia configuration with: +- Server settings +- Authentication backend (file-based by default) +- Access control rules +- Session configuration +- TOTP/WebAuthn settings + +### `authelia/users_database.yml` +User database when using file-based authentication: +- User credentials (hashed passwords) +- User groups +- Email addresses +- Display names + +## Access Control Rules + +The default configuration includes: +- **Bypass**: Authelia portal itself +- **Two-Factor**: Admin services (Traefik, Portainer) for `admins` group +- **One-Factor**: Other services for any authenticated user + +### Example Rules + +```yaml +access_control: + rules: + # Public access + - domain: 'public.gate.example.com' + policy: 'bypass' + + # Admin-only with 2FA + - domain: + - 'traefik.gate.example.com' + - 'portainer.gate.example.com' + policy: 'two_factor' + subject: + - 'group:admins' + + # Authenticated users + - domain: '*.gate.example.com' + policy: 'one_factor' +``` + +## Adding New Protected Services + +To protect a new service with Authelia: + +1. Add the service to your `docker-compose.yml` +2. 
Add the Authelia middleware to the service labels: + ```yaml + labels: + - traefik.http.routers.myservice.middlewares=authelia,security-headers + ``` + +## SMTP Configuration + +For email notifications (password reset, 2FA setup), configure SMTP in `configuration.yml`: + +```yaml +notifier: + smtp: + address: 'smtp://smtp.gmail.com:587' + username: 'your-email@gmail.com' + password: 'your-app-password' + sender: 'Authelia ' +``` + +## Troubleshooting + +### Common Issues + +1. **"middleware authelia@docker not found"** + - Ensure Authelia container is running + - Check that middleware is defined in Authelia labels + +2. **Login page not loading** + - Verify DNS resolves to your server + - Check SSL certificate is valid + - Ensure Authelia container is healthy + +3. **Authentication fails** + - Check user exists in `users_database.yml` + - Verify password hash is correct + - Check Authelia logs: `docker-compose logs authelia` + +### Logs + +Check Authelia logs: +```bash +docker-compose logs -f authelia +``` + +Check Traefik logs: +```bash +docker-compose logs -f traefik +``` + +## Security Considerations + +1. **Change Default Passwords**: Update all default credentials immediately +2. **Use Strong Secrets**: Generate cryptographically secure JWT and session secrets +3. **Enable 2FA**: Configure TOTP or WebAuthn for sensitive services +4. **Regular Updates**: Keep Authelia and other containers updated +5. **Monitor Logs**: Regularly review authentication logs +6. **Backup Configuration**: Keep secure backups of your configuration files + +## Advanced Configuration + +### LDAP Integration + +To use LDAP instead of file-based authentication, update `configuration.yml`: + +```yaml +authentication_backend: + ldap: + implementation: 'custom' + address: 'ldap://your-ldap-server:389' + base_dn: 'dc=example,dc=com' + # ... 
additional LDAP settings +``` + +### External Database + +To use PostgreSQL or MySQL instead of SQLite: + +```yaml +storage: + postgres: + address: 'tcp://postgres:5432' + database: 'authelia' + username: 'authelia' + password: 'your-password' +``` + +### OIDC Provider + +To use Authelia as an OIDC provider for other applications: + +```yaml +identity_providers: + oidc: + hmac_secret: 'your-hmac-secret' + issuer_private_key: | + -----BEGIN RSA PRIVATE KEY----- + ... + -----END RSA PRIVATE KEY----- + clients: + - id: 'myapp' + secret: 'hashed-client-secret' + redirect_uris: + - 'https://myapp.example.com/callback' +``` + +## Support + +- [Authelia Documentation](https://www.authelia.com/) +- [Traefik Integration Guide](https://www.authelia.com/integration/proxies/traefik/) +- [Community Discord](https://discord.gg/authelia) diff --git a/authelia/configuration.yml b/authelia/configuration.yml new file mode 100644 index 0000000..2574a57 --- /dev/null +++ b/authelia/configuration.yml 
@@ -0,0 +1,247 @@ +--- +# Authelia Configuration File + +## Server Configuration +server: + ## Server options + address: 'tcp://:9091' + asset_path: '/config/assets/' + + ## Endpoints + endpoints: + authz: + forward-auth: + implementation: 'ForwardAuth' + +## Log Configuration +log: + level: 'info' + format: 'text' + +## Theme Configuration +theme: 'light' + +## JWT Secret +jwt_secret: '5812e26c776947f2fae8a9cc80605e59a895b7b6df573af284a4c3db9115411c' + +## Default Redirection URL +default_redirection_url: 'https://3launchpad.com' + +## TOTP Configuration +totp: + disable_reuse_security_policy: false + issuer: 'Authelia' + algorithm: 'sha1' + digits: 6 + period: 30 + skew: 1 + secret_size: 32 + +## WebAuthn Configuration +webauthn: + disable: false + display_name: 'Authelia' + attestation_conveyance_preference: 'indirect' + user_verification: 'preferred' + timeout: '60s' + +## Duo Push API Configuration (optional) +# duo_api: +# hostname: 'api-123456789.duosecurity.com' +# integration_key: 'ABCDEF' +# secret_key: 'GHIJKLMNOPQRSTUVWXYZ' + +## Authentication Backend Configuration +authentication_backend: + ## Password Reset + password_reset: + disable: false + custom_url: '' + + ## Refresh Interval + refresh_interval: '5m' + + ## LDAP Configuration (uncomment and configure if using LDAP) + # ldap: + # implementation: 'custom' + # address: 'ldap://127.0.0.1:389' + # timeout: '5s' + # start_tls: false + # skip_verify: false + # base_dn: 'dc=example,dc=com' + # username_attribute: 'uid' + # additional_users_dn: 'ou=users' + # users_filter: '(&({username_attribute}={input})(objectClass=person))' + # additional_groups_dn: 'ou=groups' + # groups_filter: '(&(member={dn})(objectclass=groupOfNames))' + # group_name_attribute: 'cn' + # mail_attribute: 'mail' + # display_name_attribute: 'displayName' + # user: 'cn=admin,dc=example,dc=com' + # password: 'password' + + ## File Configuration + file: + path: '/config/users_database.yml' + watch: false + search: + email: false + 
case_insensitive: false + password: + algorithm: 'argon2' + argon2: + variant: 'argon2id' + iterations: 3 + memory: 65536 + parallelism: 4 + key_length: 32 + salt_length: 16 + +## Access Control Configuration +access_control: + ## Default Policy + default_policy: 'deny' + + ## Networks (optional, for IP-based rules) + networks: + - name: 'internal' + networks: + - '10.0.0.0/8' + - '172.16.0.0/12' + - '192.168.0.0/16' + + ## Rules + rules: + ## Authelia itself + - domain: 'auth.gate.3la' + policy: 'bypass' + + ## Admin access + - domain: + - 'traefik.gate.3launchpad.com' + - 'portainer.gate.3launchpad.com' + policy: 'two_factor' + subject: + - 'group:admins' + + ## General protected services + - domain: '*.gate.3launchpad.com' + policy: 'one_factor' + +## Session Configuration +session: + ## Session Name + name: 'authelia_session' + + ## Session Domain + domain: 'gate.3launchpad.com' + + ## Session Secret + secret: 'dcc8a066488b44cf185777f12a56bc0540bce2b3034e0b77c6118a9545dac831' + + ## Session Expiration + expiration: '1h' + inactivity: '5m' + + ## Remember Me + remember_me_duration: '1M' + + ## Cookies Configuration + cookies: + - domain: 'gate.3launchpad.com' + authelia_url: 'https://auth.gate.3launchpad.com' + default_redirection_url: 'https://gate.3launchpad.com' + + ## Redis Configuration (uncomment if using Redis) + # redis: + # host: 'redis' + # port: 6379 + # password: '' + # database_index: 0 + # maximum_active_connections: 8 + # minimum_idle_connections: 0 + +## Regulation Configuration +regulation: + max_retries: 3 + find_time: '2m' + ban_time: '5m' + +## Storage Configuration +storage: + ## Database Engine + local: + path: '/config/db.sqlite3' + + ## MySQL Configuration (alternative to local) + # mysql: + # address: 'tcp://mysql:3306' + # database: 'authelia' + # username: 'authelia' + # password: 'password' + # timeout: '5s' + + ## PostgreSQL Configuration (alternative to local) + # postgres: + # address: 'tcp://postgres:5432' + # database: 'authelia' 
+ # schema: 'public' + # username: 'authelia' + # password: 'password' + # timeout: '5s' + # ssl: + # mode: 'disable' + +## Notification Configuration +notifier: + ## Disable Startup Check + disable_startup_check: false + + ## File System Notifier (for development/testing) + filesystem: + filename: '/config/notification.txt' + + ## SMTP Configuration (for production) + # smtp: + # address: 'smtp://mail.example.com:587' + # username: 'authelia@example.com' + # password: 'password' + # sender: 'Authelia ' + # identifier: 'authelia' + # subject: '[Authelia] {title}' + # startup_check_address: 'test@authelia.com' + # disable_require_tls: false + # disable_html_emails: false + # disable_starttls: false + # tls: + # skip_verify: false + # minimum_version: 'TLS1.2' + # maximum_version: 'TLS1.3' + +## Identity Providers Configuration (optional) +# identity_providers: +# oidc: +# hmac_secret: 'GENERATE_RANDOM_HMAC_SECRET' +# issuer_private_key: | +# -----BEGIN RSA PRIVATE KEY----- +# ... +# -----END RSA PRIVATE KEY----- +# access_token_lifespan: '1h' +# authorize_code_lifespan: '1m' +# id_token_lifespan: '1h' +# refresh_token_lifespan: '90m' +# enable_client_debug_messages: false +# clients: +# - id: 'myapp' +# description: 'My Application' +# secret: '$pbkdf2-sha512$310000$...' +# public: false +# authorization_policy: 'two_factor' +# redirect_uris: +# - 'https://myapp.example.com/callback' +# scopes: +# - 'openid' +# - 'profile' +# - 'email' +# - 'groups' +# userinfo_signing_algorithm: 'none' diff --git a/authelia/users_database.yml b/authelia/users_database.yml new file mode 100644 index 0000000..33bdf4e --- /dev/null +++ b/authelia/users_database.yml 
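Review bot: The bypass rule for the portal names `auth.gate.3la`, a truncated hostname that matches nothing; the portal's real host, as set in `cookies[0].authelia_url`, is `auth.gate.3launchpad.com`, so under `default_policy: 'deny'` it falls through to the `*.gate.3launchpad.com` one_factor rule instead of bypass. Change it to `- domain: 'auth.gate.3launchpad.com'`. More broadly, every hostname in this file is the literal `3launchpad.com` while docker-compose.yml builds hosts from `${DOMAIN}` and the README tells the reader to replace `example.com`; Authelia does not perform shell-style `${VAR}` substitution on its config file as far as I know, so either document that this file must be edited by hand or generate it from a template in the setup step. The `jwt_secret` and `session.secret` literals committed here will remain in git history whatever happens next, so they should be treated as disclosed and rotated rather than merely moved.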
@@ -0,0 +1,33 @@ +--- +# Users Database +# This file can be used if you do not have an LDAP set up. + +users: + # User: admin + # Password: authelia (this is the default, CHANGE IT!) + # Groups: admins, dev + admin: + disabled: false + displayname: "Administrator" + password: "$argon2id$v=19$m=65536,t=3,p=4$2SnGOL1xXgWpTNOWBQlzow$UOUhz5sJXvQY3G2u/Af0Q4v/xK+RMJ5oCQ5nJaI3u0I" + email: admin@example.com + groups: + - admins + - dev + + # User: user + # Password: password (CHANGE THIS!) + # Groups: dev + user: + disabled: false + displayname: "Regular User" + password: "$argon2id$v=19$m=65536,t=3,p=4$2SnGOL1xXgWpTNOWBQlzow$eYGKYBDNGQOBJBj7ExFVSSUzEbqJpJp8GlJ2X5QbO0I" + email: user@example.com + groups: + - dev + +# To generate password hashes, you can use: +# docker run --rm authelia/authelia:latest authelia crypto hash generate --help +# +# Example: +# docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'your-password-here' diff --git a/docker-compose.yml b/docker-compose.yml index 5f59d9c..c4e61e4 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -4,8 +4,6 @@ networks: traefik_proxy: name: traefik_proxy - monitoring: - name: monitoring internal: name: internal @@ -13,8 +11,6 @@ volumes: traefik_letsencrypt: traefik_logs: portainer_data: - prometheus_data: - grafana_data: uptime_kuma_data: ######################## @@ -32,7 +28,7 @@ services: ports: - "80:80" - "443:443" - networks: [traefik_proxy, monitoring] + networks: [traefik_proxy] environment: TZ: "${TZ}" command: @@ -59,10 +55,6 @@ services: # (Alt) Use TLS-ALPN-01 if port 80 is blocked: # - --certificatesresolvers.le.acme.tlschallenge=true - # Metrics (Prometheus) - - --metrics.prometheus=true - - --metrics.prometheus.addrouterslabels=true - # Global timeouts for slow backends - --serversTransport.forwardingTimeouts.dialTimeout=30s - --serversTransport.forwardingTimeouts.responseHeaderTimeout=60s 
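Review bot: Both password hashes carry the identical argon2 salt `2SnGOL1xXgWpTNOWBQlzow`, which `authelia crypto hash generate` would never produce twice; that strongly suggests at least one hash was edited by hand, and such a hash will not verify against the plaintext the comment claims. Regenerate both entries with the command already quoted at the bottom of the file, and prefer shipping this as `users_database.example.yml` (copied into place by the setup step) so a checked-in database with a known `admin`/`authelia` login is never what a fresh clone runs with. The `# Password: …` comments should go once the hashes are regenerated; the file is a credential store and there is no reason to annotate it with cleartext.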
@@ -111,9 +103,33 @@ services: - traefik.http.routers.portainer.rule=Host(`portainer.gate.${DOMAIN}`) - traefik.http.routers.portainer.entrypoints=websecure - traefik.http.routers.portainer.tls.certresolver=le - - traefik.http.routers.portainer.middlewares=security-headers + - traefik.http.routers.portainer.middlewares=authelia,security-headers - traefik.http.services.portainer.loadbalancer.server.port=9000 + ## ───────────────────────────────────────────── + ## Authelia — authentication and authorization + ## ───────────────────────────────────────────── + authelia: + image: authelia/authelia:latest + container_name: authelia + restart: unless-stopped + networks: [traefik_proxy, internal] + volumes: + - ./authelia:/config + environment: + TZ: "${TZ}" + labels: + - traefik.enable=true + - traefik.http.routers.authelia.rule=Host(`auth.gate.${DOMAIN}`) + - traefik.http.routers.authelia.entrypoints=websecure + - traefik.http.routers.authelia.tls.certresolver=le + - traefik.http.routers.authelia.middlewares=security-headers + + # ForwardAuth middleware for protecting other services + - traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth + - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true + - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Email,Remote-Name + ## ───────────────────────────────────────────── ## Uptime Kuma — status page / checks ## ───────────────────────────────────────────── 
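Review bot: The `./authelia:/config` bind mount is read-write and configuration.yml points `storage.local.path` and `notifier.filesystem.filename` into that same directory, so `db.sqlite3` (sessions, TOTP secrets, WebAuthn credentials) and `notification.txt` (password-reset links) are created inside the git working tree next to the config, and nothing in this commit ignores them. Mount the two config files individually and give runtime state its own named volume (declared under the top-level `volumes:` and with `storage.local.path` / `notifier.filesystem.filename` moved to `/data/…` in configuration.yml), or at minimum add both filenames to `.gitignore`. `image: authelia/authelia:latest` should be pinned: Authelia renames and deprecates configuration keys between minor releases (top-level `jwt_secret` and `session.domain` are, I believe, already on that path), so an unpinned pull can become a container that refuses to start. Declaring the forwardauth middleware on the authelia container's own labels is fine, but it means the `portainer` and `kuma` routers fail to load whenever that container is down — the README's troubleshooting entry describes exactly that symptom.
```yaml
  authelia:
    image: authelia/authelia:<PINNED_VERSION>  # placeholder: pin to a tested release
    # … unchanged: container_name, restart, networks …
    volumes:
      - ./authelia/configuration.yml:/config/configuration.yml:ro
      - ./authelia/users_database.yml:/config/users_database.yml
      - authelia_data:/data
    # … unchanged: environment, labels …
```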
@@ -129,69 +145,5 @@ services: - traefik.http.routers.kuma.rule=Host(`uptime.gate.${DOMAIN}`) - traefik.http.routers.kuma.entrypoints=websecure - traefik.http.routers.kuma.tls.certresolver=le - - traefik.http.routers.kuma.middlewares=security-headers + - traefik.http.routers.kuma.middlewares=authelia,security-headers - traefik.http.services.kuma.loadbalancer.server.port=3001 - - ## ───────────────────────────────────────────── - ## Prometheus + exporters + Grafana - ## ───────────────────────────────────────────── - prometheus: - image: prom/prometheus:latest - container_name: prometheus - restart: unless-stopped - networks: [monitoring, traefik_proxy] - volumes: - - prometheus_data:/prometheus - - ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro - labels: - - traefik.enable=true - - traefik.http.routers.prom.rule=Host(`prometheus.gate.${DOMAIN}`) - - traefik.http.routers.prom.entrypoints=websecure - - traefik.http.routers.prom.tls.certresolver=le - - traefik.http.routers.prom.middlewares=security-headers - - traefik.http.services.prom.loadbalancer.server.port=9090 - - cadvisor: - image: gcr.io/cadvisor/cadvisor:latest - container_name: cadvisor - restart: unless-stopped - networks: [monitoring] - devices: - - /dev/kmsg:/dev/kmsg - volumes: - - /:/rootfs:ro - - /var/run:/var/run:ro - - /sys:/sys:ro - - /var/lib/docker/:/var/lib/docker:ro - - node-exporter: - image: prom/node-exporter:latest - container_name: node-exporter - restart: unless-stopped - networks: [monitoring] - pid: host - volumes: - - /proc:/host/proc:ro - - /sys:/host/sys:ro - - /:/rootfs:ro - command: ["--path.rootfs=/rootfs"] - - grafana: - image: grafana/grafana-oss:latest - container_name: grafana - restart: unless-stopped - networks: [traefik_proxy, monitoring] - environment: - GF_SECURITY_ADMIN_USER: "${GRAFANA_ADMIN_USER}" - GF_SECURITY_ADMIN_PASSWORD: "${GRAFANA_ADMIN_PASS}" - GF_SERVER_ROOT_URL: https://grafana.gate.${DOMAIN} - TZ: "${TZ}" - volumes: - - 
grafana_data:/var/lib/grafana - labels: - - traefik.enable=true - - traefik.http.routers.grafana.rule=Host(`grafana.gate.${DOMAIN}`) - - traefik.http.routers.grafana.entrypoints=websecure - - traefik.http.routers.grafana.tls.certresolver=le - - traefik.http.routers.grafana.middlewares=security-headers - - traefik.http.services.grafana.loadbalancer.server.port=3000 diff --git a/prometheus/prometheus.yml b/prometheus/prometheus.yml deleted file mode 100644 index 548ad02..0000000 --- a/prometheus/prometheus.yml +++ /dev/null @@ -1,16 +0,0 @@ -global: - scrape_interval: 15s -scrape_configs: - - job_name: 'prometheus' - static_configs: - - targets: ['prometheus:9090'] - - job_name: 'traefik' - metrics_path: /metrics - static_configs: - - targets: ['traefik:8080'] - - job_name: 'cadvisor' - static_configs: - - targets: ['cadvisor:8080'] - - job_name: 'node-exporter' - static_configs: - - targets: ['node-exporter:9100']
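Review bot: Putting the `authelia` middleware on the `kuma` router applies the `*.gate.3launchpad.com` one_factor policy to every path on that host, so Uptime Kuma's public status pages and its push-monitor endpoint (`/api/push/<token>`), if they are in use, will now be answered with a redirect to the login portal rather than served. If that is not intended, add a rule to `access_control.rules` in configuration.yml, placed before the wildcard entry, that scopes `policy: 'bypass'` to those paths with a `resources:` list on the uptime host. Separately, the removed grafana service read `${GRAFANA_ADMIN_USER}` and `${GRAFANA_ADMIN_PASS}`; if .env.example still declares them (that part of the file is outside this diff) they are now dead entries worth pruning.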