elfateh/launchpad-gateway
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Authelia configuration and user database; remove Prometheus and Grafana services

Browse Source
This commit is contained in:
Mohmmed Elfateh Sabry
2025-08-11 13:10:30 +03:00
parent ac0691835a
commit dc7871c9ec
6 changed files with 556 additions and 91 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
.env.example
View File

@@ -9,6 +9,18 @@ TZ=Your/Timezone
# Your email address for Let's Encrypt certificate notifications # Your email address for Let's Encrypt certificate notifications
ACME_EMAIL=admin@your-domain.com ACME_EMAIL=admin@your-domain.com
## Authelia Configuration
# Generate with: openssl rand -hex 32
AUTHELIA_JWT_SECRET=your_jwt_secret_here_at_least_32_chars_generate_this
AUTHELIA_SESSION_SECRET=your_session_secret_here_at_least_32_chars_generate_this
# SMTP Configuration for Authelia (optional)
AUTHELIA_SMTP_HOST=smtp.gmail.com
AUTHELIA_SMTP_PORT=587
AUTHELIA_SMTP_USER=your_email@gmail.com
AUTHELIA_SMTP_PASS=your_app_password
AUTHELIA_SMTP_FROM=Authelia <noreply@your-domain.com>
## Umami (PostgreSQL) ## Umami (PostgreSQL)
# Database user for Umami analytics # Database user for Umami analytics
UMAMI_DB_USER=umami UMAMI_DB_USER=umami

237
authelia/README.md Normal file
View File

@@ -0,0 +1,237 @@
# Authelia Setup Guide
This guide walks you through setting up Authelia authentication for your Launchpad Gateway.
## Overview
Authelia provides:
- 🔐 **Single Sign-On (SSO)** for all your services
- 🛡️ **Two-Factor Authentication (2FA)** with TOTP/WebAuthn
- 🌐 **Forward Authentication** integration with Traefik
- 👥 **User Management** with file-based or LDAP backends
- 📧 **Email Notifications** for password resets and 2FA setup
## Quick Start
### 1. Run the Setup Script
**Windows (PowerShell):**
```powershell
.\setup-authelia.ps1
```
**Linux/macOS (Bash):**
```bash
chmod +x setup-authelia.sh
./setup-authelia.sh
```
### 2. Configure Your Environment
Edit `.env` file with your actual values:
```env
DOMAIN=your-domain.com
TZ=America/New_York
ACME_EMAIL=admin@your-domain.com
AUTHELIA_JWT_SECRET=your_generated_jwt_secret
AUTHELIA_SESSION_SECRET=your_generated_session_secret
```
### 3. Update Authelia Configuration
Edit `authelia/configuration.yml`:
- Replace all instances of `example.com` with your actual domain
- Update SMTP settings if you want email notifications
- Adjust access control rules as needed
### 4. Set Up Users
Edit `authelia/users_database.yml`:
- Change the default password for `admin` user
- Add your own users
- Generate password hashes using:
```bash
docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'your-password'
```
### 5. Start Services
```bash
docker-compose up -d
```
## Access URLs
After setup, your services will be available at:
- **Authelia Portal**: `https://auth.gate.YOUR_DOMAIN`
- **Traefik Dashboard**: `https://traefik.gate.YOUR_DOMAIN` (requires authentication)
- **Portainer**: `https://portainer.gate.YOUR_DOMAIN` (requires authentication)
- **Uptime Kuma**: `https://uptime.gate.YOUR_DOMAIN` (requires authentication)
## Default Credentials
**⚠️ CHANGE THESE IMMEDIATELY!**
- **Username**: `admin`
- **Password**: `authelia`
## Configuration Files
### `authelia/configuration.yml`
Main Authelia configuration with:
- Server settings
- Authentication backend (file-based by default)
- Access control rules
- Session configuration
- TOTP/WebAuthn settings
### `authelia/users_database.yml`
User database when using file-based authentication:
- User credentials (hashed passwords)
- User groups
- Email addresses
- Display names
## Access Control Rules
The default configuration includes:
- **Bypass**: Authelia portal itself
- **Two-Factor**: Admin services (Traefik, Portainer) for `admins` group
- **One-Factor**: Other services for any authenticated user
### Example Rules
```yaml
access_control:
rules:
# Public access
- domain: 'public.gate.example.com'
policy: 'bypass'
# Admin-only with 2FA
- domain:
- 'traefik.gate.example.com'
- 'portainer.gate.example.com'
policy: 'two_factor'
subject:
- 'group:admins'
# Authenticated users
- domain: '*.gate.example.com'
policy: 'one_factor'
```
## Adding New Protected Services
To protect a new service with Authelia:
1. Add the service to your `docker-compose.yml`
2. Add the Authelia middleware to the service labels:
```yaml
labels:
- traefik.http.routers.myservice.middlewares=authelia,security-headers
```
## SMTP Configuration
For email notifications (password reset, 2FA setup), configure SMTP in `configuration.yml`:
```yaml
notifier:
smtp:
address: 'smtp://smtp.gmail.com:587'
username: 'your-email@gmail.com'
password: 'your-app-password'
sender: 'Authelia <noreply@your-domain.com>'
```
## Troubleshooting
### Common Issues
1. **"middleware authelia@docker not found"**
- Ensure Authelia container is running
- Check that middleware is defined in Authelia labels
2. **Login page not loading**
- Verify DNS resolves to your server
- Check SSL certificate is valid
- Ensure Authelia container is healthy
3. **Authentication fails**
- Check user exists in `users_database.yml`
- Verify password hash is correct
- Check Authelia logs: `docker-compose logs authelia`
### Logs
Check Authelia logs:
```bash
docker-compose logs -f authelia
```
Check Traefik logs:
```bash
docker-compose logs -f traefik
```
## Security Considerations
1. **Change Default Passwords**: Update all default credentials immediately
2. **Use Strong Secrets**: Generate cryptographically secure JWT and session secrets
3. **Enable 2FA**: Configure TOTP or WebAuthn for sensitive services
4. **Regular Updates**: Keep Authelia and other containers updated
5. **Monitor Logs**: Regularly review authentication logs
6. **Backup Configuration**: Keep secure backups of your configuration files
## Advanced Configuration
### LDAP Integration
To use LDAP instead of file-based authentication, update `configuration.yml`:
```yaml
authentication_backend:
ldap:
implementation: 'custom'
address: 'ldap://your-ldap-server:389'
base_dn: 'dc=example,dc=com'
# ... additional LDAP settings
```
### External Database
To use PostgreSQL or MySQL instead of SQLite:
```yaml
storage:
postgres:
address: 'tcp://postgres:5432'
database: 'authelia'
username: 'authelia'
password: 'your-password'
```
### OIDC Provider
To use Authelia as an OIDC provider for other applications:
```yaml
identity_providers:
oidc:
hmac_secret: 'your-hmac-secret'
issuer_private_key: |
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
clients:
- id: 'myapp'
secret: 'hashed-client-secret'
redirect_uris:
- 'https://myapp.example.com/callback'
```
## Support
- [Authelia Documentation](https://www.authelia.com/)
- [Traefik Integration Guide](https://www.authelia.com/integration/proxies/traefik/)
- [Community Discord](https://discord.gg/authelia)

247
authelia/configuration.yml Normal file
View File

@@ -0,0 +1,247 @@
---
# Authelia Configuration File
## Server Configuration
server:
## Server options
address: 'tcp://:9091'
asset_path: '/config/assets/'
## Endpoints
endpoints:
authz:
forward-auth:
implementation: 'ForwardAuth'
## Log Configuration
log:
level: 'info'
format: 'text'
## Theme Configuration
theme: 'light'
## JWT Secret
jwt_secret: '5812e26c776947f2fae8a9cc80605e59a895b7b6df573af284a4c3db9115411c'
## Default Redirection URL
default_redirection_url: 'https://3launchpad.com'
## TOTP Configuration
totp:
disable_reuse_security_policy: false
issuer: 'Authelia'
algorithm: 'sha1'
digits: 6
period: 30
skew: 1
secret_size: 32
## WebAuthn Configuration
webauthn:
disable: false
display_name: 'Authelia'
attestation_conveyance_preference: 'indirect'
user_verification: 'preferred'
timeout: '60s'
## Duo Push API Configuration (optional)
# duo_api:
# hostname: 'api-123456789.duosecurity.com'
# integration_key: 'ABCDEF'
# secret_key: 'GHIJKLMNOPQRSTUVWXYZ'
## Authentication Backend Configuration
authentication_backend:
## Password Reset
password_reset:
disable: false
custom_url: ''
## Refresh Interval
refresh_interval: '5m'
## LDAP Configuration (uncomment and configure if using LDAP)
# ldap:
# implementation: 'custom'
# address: 'ldap://127.0.0.1:389'
# timeout: '5s'
# start_tls: false
# skip_verify: false
# base_dn: 'dc=example,dc=com'
# username_attribute: 'uid'
# additional_users_dn: 'ou=users'
# users_filter: '(&({username_attribute}={input})(objectClass=person))'
# additional_groups_dn: 'ou=groups'
# groups_filter: '(&(member={dn})(objectclass=groupOfNames))'
# group_name_attribute: 'cn'
# mail_attribute: 'mail'
# display_name_attribute: 'displayName'
# user: 'cn=admin,dc=example,dc=com'
# password: 'password'
## File Configuration
file:
path: '/config/users_database.yml'
watch: false
search:
email: false
case_insensitive: false
password:
algorithm: 'argon2'
argon2:
variant: 'argon2id'
iterations: 3
memory: 65536
parallelism: 4
key_length: 32
salt_length: 16
## Access Control Configuration
access_control:
## Default Policy
default_policy: 'deny'
## Networks (optional, for IP-based rules)
networks:
- name: 'internal'
networks:
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
## Rules
rules:
## Authelia itself
- domain: 'auth.gate.3la'
policy: 'bypass'
## Admin access
- domain:
- 'traefik.gate.3launchpad.com'
- 'portainer.gate.3launchpad.com'
policy: 'two_factor'
subject:
- 'group:admins'
## General protected services
- domain: '*.gate.3launchpad.com'
policy: 'one_factor'
## Session Configuration
session:
## Session Name
name: 'authelia_session'
## Session Domain
domain: 'gate.3launchpad.com'
## Session Secret
secret: 'dcc8a066488b44cf185777f12a56bc0540bce2b3034e0b77c6118a9545dac831'
## Session Expiration
expiration: '1h'
inactivity: '5m'
## Remember Me
remember_me_duration: '1M'
## Cookies Configuration
cookies:
- domain: 'gate.3launchpad.com'
authelia_url: 'https://auth.gate.3launchpad.com'
default_redirection_url: 'https://gate.3launchpad.com'
## Redis Configuration (uncomment if using Redis)
# redis:
# host: 'redis'
# port: 6379
# password: ''
# database_index: 0
# maximum_active_connections: 8
# minimum_idle_connections: 0
## Regulation Configuration
regulation:
max_retries: 3
find_time: '2m'
ban_time: '5m'
## Storage Configuration
storage:
## Database Engine
local:
path: '/config/db.sqlite3'
## MySQL Configuration (alternative to local)
# mysql:
# address: 'tcp://mysql:3306'
# database: 'authelia'
# username: 'authelia'
# password: 'password'
# timeout: '5s'
## PostgreSQL Configuration (alternative to local)
# postgres:
# address: 'tcp://postgres:5432'
# database: 'authelia'
# schema: 'public'
# username: 'authelia'
# password: 'password'
# timeout: '5s'
# ssl:
# mode: 'disable'
## Notification Configuration
notifier:
## Disable Startup Check
disable_startup_check: false
## File System Notifier (for development/testing)
filesystem:
filename: '/config/notification.txt'
## SMTP Configuration (for production)
# smtp:
# address: 'smtp://mail.example.com:587'
# username: 'authelia@example.com'
# password: 'password'
# sender: 'Authelia <authelia@example.com>'
# identifier: 'authelia'
# subject: '[Authelia] {title}'
# startup_check_address: 'test@authelia.com'
# disable_require_tls: false
# disable_html_emails: false
# disable_starttls: false
# tls:
# skip_verify: false
# minimum_version: 'TLS1.2'
# maximum_version: 'TLS1.3'
## Identity Providers Configuration (optional)
# identity_providers:
# oidc:
# hmac_secret: 'GENERATE_RANDOM_HMAC_SECRET'
# issuer_private_key: |
# -----BEGIN RSA PRIVATE KEY-----
# ...
# -----END RSA PRIVATE KEY-----
# access_token_lifespan: '1h'
# authorize_code_lifespan: '1m'
# id_token_lifespan: '1h'
# refresh_token_lifespan: '90m'
# enable_client_debug_messages: false
# clients:
# - id: 'myapp'
# description: 'My Application'
# secret: '$pbkdf2-sha512$310000$...'
# public: false
# authorization_policy: 'two_factor'
# redirect_uris:
# - 'https://myapp.example.com/callback'
# scopes:
# - 'openid'
# - 'profile'
# - 'email'
# - 'groups'
# userinfo_signing_algorithm: 'none'

33
authelia/users_database.yml Normal file
View File

@@ -0,0 +1,33 @@
---
# Users Database
# This file can be used if you do not have an LDAP set up.
users:
# User: admin
# Password: authelia (this is the default, CHANGE IT!)
# Groups: admins, dev
admin:
disabled: false
displayname: "Administrator"
password: "$argon2id$v=19$m=65536,t=3,p=4$2SnGOL1xXgWpTNOWBQlzow$UOUhz5sJXvQY3G2u/Af0Q4v/xK+RMJ5oCQ5nJaI3u0I"
email: admin@example.com
groups:
- admins
- dev
# User: user
# Password: password (CHANGE THIS!)
# Groups: dev
user:
disabled: false
displayname: "Regular User"
password: "$argon2id$v=19$m=65536,t=3,p=4$2SnGOL1xXgWpTNOWBQlzow$eYGKYBDNGQOBJBj7ExFVSSUzEbqJpJp8GlJ2X5QbO0I"
email: user@example.com
groups:
- dev
# To generate password hashes, you can use:
# docker run --rm authelia/authelia:latest authelia crypto hash generate --help
#
# Example:
# docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'your-password-here'

102
docker-compose.yml
View File

@@ -4,8 +4,6 @@
networks: networks:
traefik_proxy: traefik_proxy:
name: traefik_proxy name: traefik_proxy
monitoring:
name: monitoring
internal: internal:
name: internal name: internal
@@ -13,8 +11,6 @@ volumes:
traefik_letsencrypt: traefik_letsencrypt:
traefik_logs: traefik_logs:
portainer_data: portainer_data:
prometheus_data:
grafana_data:
uptime_kuma_data: uptime_kuma_data:
######################## ########################
@@ -32,7 +28,7 @@ services:
ports: ports:
- "80:80" - "80:80"
- "443:443" - "443:443"
networks: [traefik_proxy, monitoring] networks: [traefik_proxy]
environment: environment:
TZ: "${TZ}" TZ: "${TZ}"
command: command:
@@ -59,10 +55,6 @@ services:
# (Alt) Use TLS-ALPN-01 if port 80 is blocked: # (Alt) Use TLS-ALPN-01 if port 80 is blocked:
# - --certificatesresolvers.le.acme.tlschallenge=true # - --certificatesresolvers.le.acme.tlschallenge=true
# Metrics (Prometheus)
- --metrics.prometheus=true
- --metrics.prometheus.addrouterslabels=true
# Global timeouts for slow backends # Global timeouts for slow backends
- --serversTransport.forwardingTimeouts.dialTimeout=30s - --serversTransport.forwardingTimeouts.dialTimeout=30s
- --serversTransport.forwardingTimeouts.responseHeaderTimeout=60s - --serversTransport.forwardingTimeouts.responseHeaderTimeout=60s
@@ -111,9 +103,33 @@ services:
- traefik.http.routers.portainer.rule=Host(`portainer.gate.${DOMAIN}`) - traefik.http.routers.portainer.rule=Host(`portainer.gate.${DOMAIN}`)
- traefik.http.routers.portainer.entrypoints=websecure - traefik.http.routers.portainer.entrypoints=websecure
- traefik.http.routers.portainer.tls.certresolver=le - traefik.http.routers.portainer.tls.certresolver=le
- traefik.http.routers.portainer.middlewares=security-headers - traefik.http.routers.portainer.middlewares=authelia,security-headers
- traefik.http.services.portainer.loadbalancer.server.port=9000 - traefik.http.services.portainer.loadbalancer.server.port=9000
## ─────────────────────────────────────────────
## Authelia — authentication and authorization
## ─────────────────────────────────────────────
authelia:
image: authelia/authelia:latest
container_name: authelia
restart: unless-stopped
networks: [traefik_proxy, internal]
volumes:
- ./authelia:/config
environment:
TZ: "${TZ}"
labels:
- traefik.enable=true
- traefik.http.routers.authelia.rule=Host(`auth.gate.${DOMAIN}`)
- traefik.http.routers.authelia.entrypoints=websecure
- traefik.http.routers.authelia.tls.certresolver=le
- traefik.http.routers.authelia.middlewares=security-headers
# ForwardAuth middleware for protecting other services
- traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth
- traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
- traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Email,Remote-Name
## ───────────────────────────────────────────── ## ─────────────────────────────────────────────
## Uptime Kuma — status page / checks ## Uptime Kuma — status page / checks
## ───────────────────────────────────────────── ## ─────────────────────────────────────────────
@@ -129,69 +145,5 @@ services:
- traefik.http.routers.kuma.rule=Host(`uptime.gate.${DOMAIN}`) - traefik.http.routers.kuma.rule=Host(`uptime.gate.${DOMAIN}`)
- traefik.http.routers.kuma.entrypoints=websecure - traefik.http.routers.kuma.entrypoints=websecure
- traefik.http.routers.kuma.tls.certresolver=le - traefik.http.routers.kuma.tls.certresolver=le
- traefik.http.routers.kuma.middlewares=security-headers - traefik.http.routers.kuma.middlewares=authelia,security-headers
- traefik.http.services.kuma.loadbalancer.server.port=3001 - traefik.http.services.kuma.loadbalancer.server.port=3001
## ─────────────────────────────────────────────
## Prometheus + exporters + Grafana
## ─────────────────────────────────────────────
prometheus:
image: prom/prometheus:latest
container_name: prometheus
restart: unless-stopped
networks: [monitoring, traefik_proxy]
volumes:
- prometheus_data:/prometheus
- ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro
labels:
- traefik.enable=true
- traefik.http.routers.prom.rule=Host(`prometheus.gate.${DOMAIN}`)
- traefik.http.routers.prom.entrypoints=websecure
- traefik.http.routers.prom.tls.certresolver=le
- traefik.http.routers.prom.middlewares=security-headers
- traefik.http.services.prom.loadbalancer.server.port=9090
cadvisor:
image: gcr.io/cadvisor/cadvisor:latest
container_name: cadvisor
restart: unless-stopped
networks: [monitoring]
devices:
- /dev/kmsg:/dev/kmsg
volumes:
- /:/rootfs:ro
- /var/run:/var/run:ro
- /sys:/sys:ro
- /var/lib/docker/:/var/lib/docker:ro
node-exporter:
image: prom/node-exporter:latest
container_name: node-exporter
restart: unless-stopped
networks: [monitoring]
pid: host
volumes:
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /:/rootfs:ro
command: ["--path.rootfs=/rootfs"]
grafana:
image: grafana/grafana-oss:latest
container_name: grafana
restart: unless-stopped
networks: [traefik_proxy, monitoring]
environment:
GF_SECURITY_ADMIN_USER: "${GRAFANA_ADMIN_USER}"
GF_SECURITY_ADMIN_PASSWORD: "${GRAFANA_ADMIN_PASS}"
GF_SERVER_ROOT_URL: https://grafana.gate.${DOMAIN}
TZ: "${TZ}"
volumes:
- grafana_data:/var/lib/grafana
labels:
- traefik.enable=true
- traefik.http.routers.grafana.rule=Host(`grafana.gate.${DOMAIN}`)
- traefik.http.routers.grafana.entrypoints=websecure
- traefik.http.routers.grafana.tls.certresolver=le
- traefik.http.routers.grafana.middlewares=security-headers
- traefik.http.services.grafana.loadbalancer.server.port=3000

16
prometheus/prometheus.yml
View File

@@ -1,16 +0,0 @@
global:
scrape_interval: 15s
scrape_configs:
- job_name: 'prometheus'
static_configs:
- targets: ['prometheus:9090']
- job_name: 'traefik'
metrics_path: /metrics
static_configs:
- targets: ['traefik:8080']
- job_name: 'cadvisor'
static_configs:
- targets: ['cadvisor:8080']
- job_name: 'node-exporter'
static_configs:
- targets: ['node-exporter:9100']