diff --git a/0_skeleton/docker-compose.yml b/0_skeleton/docker-compose.yml
index bf8e87b..c7a1112 100644
--- a/0_skeleton/docker-compose.yml
+++ b/0_skeleton/docker-compose.yml
@@ -32,7 +32,7 @@ services:
 # - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads
 # - traefik.docker.network=proxy
 # # Part for optional traefik middlewares
- # - traefik.http.routers.CHANGEME.middlewares=local-ipwhitelist@file,basic-auth@file
+ # - traefik.http.routers.CHANGEME.middlewares=authelia@file,local-ipwhitelist@file,basic-auth@file
 #networks:
 # proxy:
diff --git a/README.md b/README.md
index 82aa4e1..f9614d4 100644
--- a/README.md
+++ b/README.md
@@ -55,6 +55,9 @@ docker compose up
 - [Nginx Proxy Manager](examples/nginx-proxy-manager) - Nginx Proxy Manager is an easy way to accomplish reverse proxying hosts with SSL termination.
 - [Caddy](examples/caddy) - The Caddy web server is an extensible, cross-platform, open-source web server written in Go. Caddy obtains and renews TLS certificates for your sites automatically.
+### Identity Providers / Single Sign On
+- [Authelia](examples/authelia) - Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for your applications via a web portal. It acts as a companion for reverse proxies by allowing, denying, or redirecting requests. Recommended to combine with [Traefik](examples/traefik).
+
 ### Virtual Private Network (VPN)
 - [wg-easy](examples/wg-easy) - The easiest way to install & manage WireGuard on any Linux host. All-in-one deployment of a WireGuard VPN network service + web management UI.
 - [WireGuard](examples/wireguard) - WireGuard by Linuxserver.io is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.
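Review bot: The added chain lists `authelia@file` ahead of `local-ipwhitelist@file`, and Traefik applies middlewares in list order, so every request triggers the forward-auth round trip to Authelia before the IP allow-list gets a chance to reject it; `local-ipwhitelist@file,authelia@file` keeps the cheap network check as the first gate. Keeping `basic-auth@file` in the same chain stacks a second, unrelated credential prompt on top of Authelia's login, which is rarely what a reader copying the skeleton wants — a comment such as `# use authelia@file OR basic-auth@file, not both` would make that explicit. The `authelia@file` name only resolves if the Traefik file provider defines that middleware, which the skeleton itself does not show.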
@@ -140,6 +143,7 @@ docker compose up
 - [Answer](examples/answer) - An open-source knowledge-based community software. You can use it quickly to build Q&A community for your products, customers, teams, and more.
 - [Obsidian-Gitsync-Perlite](https://github.com/l4rm4nd/Obsidian-Gitsync-Perlite) - Continuously sync Obsidian markdown notes from GitHub and publish it for the webs.
 - [Obsidian-Remote](examples/obsidian-remote) - This docker image allows you to run obsidian in docker as a container and access it via your web browser.
+- [Memos](examples/memos) - An open-source, self-hosted memo hub with knowledge management and social networking.
 ### Analytics
 - [Matomo](examples/matomo) - Matomo is the leading Free/Libre open analytics platform.
@@ -173,6 +177,7 @@ docker compose up
 - [Answer](examples/answer) - An open-source knowledge-based community software. You can use it quickly to build Q&A community for your products, customers, teams, and more.
 - [Obsidian-Remote](examples/obsidian-remote) - This docker image allows you to run obsidian in docker as a container and access it via your web browser.
 - [Obsidian-Gitsync-Perlite](https://github.com/l4rm4nd/Obsidian-Gitsync-Perlite) - Continuously sync Obsidian markdown notes from GitHub and publish it for the webs.
+- [Memos](examples/memos) - An open-source, self-hosted memo hub with knowledge management and social networking.
 ### Finance
 - [TRSync](examples/trsync) - Django web frontend for pytr to download all Trade Republic depot data.
@@ -190,3 +195,9 @@ docker compose up
 ## Star History
 [![Star History Chart](https://api.star-history.com/svg?repos=Haxxnet/Compose-Examples&type=Date)](https://star-history.com/#Haxxnet/Compose-Examples&Date)
+
+## Join the community!
+
+
+
+
diff --git a/examples/authelia/README.md b/examples/authelia/README.md
new file mode 100644
index 0000000..b2d73c2
--- /dev/null
+++ b/examples/authelia/README.md
@@ -0,0 +1,9 @@
+# References
+
+- https://github.com/authelia/authelia
+- https://www.youtube.com/watch?v=u6H-Qwf4nZA&t=1314s
+- https://docs.technotim.live/posts/authelia-traefik/
+
+# Notes
+
+You have to put the configuration files in the directory `config` to your Docker volume bind mount.
diff --git a/examples/authelia/config/configuration.yml b/examples/authelia/config/configuration.yml
new file mode 100644
index 0000000..d5b084b
--- /dev/null
+++ b/examples/authelia/config/configuration.yml
@@ -0,0 +1,82 @@
+---
+###############################################################
+# Authelia configuration #
+###############################################################
+
+server:
+ host: 0.0.0.0
+ port: 9091
+log:
+ level: debug
+
+theme: dark
+
+# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
+jwt_secret: a_very_important_secret
+default_redirection_url: https://auth.example.com # replace with your domain name
+totp:
+ issuer: authelia.com
+
+# duo_api:
+# hostname: api-123456789.example.com
+# integration_key: ABCDEF
+# # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
+# secret_key: 1234567890abcdefghifjkl
+
+authentication_backend:
+ file:
+ path: /config/users_database.yml
+ password:
+ algorithm: argon2id
+ iterations: 1
+ salt_length: 16
+ parallelism: 8
+ memory: 64
+
+access_control:
+ default_policy: deny
+ rules:
+ # Rules applied to everyone
+ # chose from bypass, one_factor and two_factor
+ - domain: public.example.com
+ policy: bypass
+ - domain: subdomain1.example.com
+ policy: one_factor
+ - domain: subdomain2.example.com
+ policy: two_factor
+
+session:
+ name: authelia_session
+ # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
+ secret: unsecure_session_secret
+ expiration: 3600 # 1 hour
+ inactivity: 300 # 5 minutes
+ domain: example.com # Should match whatever your root protected domain is
+
+ redis:
+ host: authelia-redis
+ port: 6379
+ # This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
+ # password: authelia
+
+regulation:
+ max_retries: 3
+ find_time: 120
+ ban_time: 300
+
+storage:
+ encryption_key: a_very_important_secret # Now required
+ local:
+ path: /config/db.sqlite3
+
+notifier:
+ # smtp:
+ # username: test
+ # # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
+ # password: password
+ # host: mail.example.com
+ # port: 25
+ # sender: admin@example.com
+ filesystem:
+ filename: /config/notifications.txt
+...
diff --git a/examples/authelia/config/users_database.yml b/examples/authelia/config/users_database.yml
new file mode 100644
index 0000000..835e5f8
--- /dev/null
+++ b/examples/authelia/config/users_database.yml
@@ -0,0 +1,19 @@
+---
+###############################################################
+# Users Database #
+###############################################################
+
+# This file can be used if you do not have an LDAP set up.
+
+# List of users
+users:
+ yourUsername: # define here your username
+ disabled: false
+ displayname: "My Authelia User"
+ # Password is authelia
+ password: "$argon2id$v=19$m=65536,t=3,p=4$mTOaOa3MOexX7JQ02BdXzw$OzAxTnSPEnahQgIi+y4QPP5/xYIQ8uEWDYW+vlupeTM" # generate a secure hash with: $ docker run authelia/authelia:latest authelia crypto hash generate argon2 --password 'password'
+ email: authelia@example.com
+ groups:
+ - admins
+ - dev
+...
diff --git a/examples/authelia/docker-compose.yml b/examples/authelia/docker-compose.yml
new file mode 100644
index 0000000..3789102
--- /dev/null
+++ b/examples/authelia/docker-compose.yml
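Review bot: The three secrets in this file are placeholder strings — `jwt_secret: a_very_important_secret`, `session.secret: unsecure_session_secret` and `storage.encryption_key: a_very_important_secret` — and the first and last share one value; because the README tells readers to copy `config/` into the bind mount as-is, a deployment that forgets them runs with publicly known signing and encryption keys. Each value should be a distinct random string, and the comment above each could say so directly, e.g. `# REPLACE before first start: unique random value, e.g. from 'openssl rand -hex 32' (or use the *_FILE env variable)`. `log.level: debug` is also a surprising shipping default for an authentication server, since its debug output lands in container logs that persist well beyond troubleshooting; `info` is the safer value for an example. The `server.host`/`server.port` and top-level `default_redirection_url` keys appear to be the older Authelia configuration layout, which matters because the companion compose file pulls `authelia/authelia` with no tag and so gets whatever layout the current image expects.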
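Review bot: The shipped `password:` hash is, per the comment above it, the hash of the password `authelia`, and the account sits in the `admins` group, so any instance started with this file unchanged has a publicly known administrator login. The inline comment already gives the `authelia crypto hash generate` command; a separate line above the entry, `# REPLACE the hash below before first start - the shipped one is for the password 'authelia'`, would be harder to overlook than a trailing comment on a very long line. `yourUsername` and `authelia@example.com` are placeholders too and deserve the same callout.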
@@ -0,0 +1,39 @@
+version: '3.3'
+
+services:
+ authelia:
+ image: authelia/authelia
+ container_name: authelia
+ volumes:
+ - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/authelia/config:/config
+ networks:
+ - proxy
+ labels:
+ - 'traefik.enable=true'
+ - 'traefik.http.routers.authelia.rule=Host(`auth.example.com`)' # replace with your domain name
+ - 'traefik.http.routers.authelia.entrypoints=https'
+ - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth?authelia_url=https://auth.example.com' # replace with your domain name
+ - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
+ - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' # yamllint disable-line rule:line-length
+ expose:
+ - 9091
+ restart: unless-stopped
+ environment:
+ - TZ=Europe/Berlin
+
+ redis:
+ image: redis:alpine
+ container_name: authelia-redis
+ volumes:
+ - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/authelia/redis:/data
+ networks:
+ - proxy
+ expose:
+ - 6379
+ restart: unless-stopped
+ environment:
+ - TZ=Europe/Berlin
+
+networks:
+ proxy:
+ external: true
diff --git a/examples/grafana-monitoring/Grafana_Dashboard_Template.json b/examples/grafana-monitoring/Grafana_Dashboard_Template.json
index 7f28a65..ed0f7d7 100644
--- a/examples/grafana-monitoring/Grafana_Dashboard_Template.json
+++ b/examples/grafana-monitoring/Grafana_Dashboard_Template.json
@@ -1413,7 +1413,7 @@
 {
 "targetBlank": true,
 "title": "Link",
- "url": "https://bitwarden.lrvt.de"
+ "url": "https://example.com"
 }
 ],
 "options": {
@@ -1795,7 +1795,7 @@
 {
 "targetBlank": true,
 "title": "Link",
- "url": "https://bitwarden.lrvt.de"
+ "url": "https://example.com"
 }
 ],
 "options": {
diff --git a/examples/memos/README.md b/examples/memos/README.md
new file mode 100644
index 0000000..fecb061
--- /dev/null
+++ b/examples/memos/README.md
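Review bot: The `redis` service is attached only to the shared external `proxy` network and configuration.yml leaves `session.redis.password` commented out, so every container on `proxy` can read and rewrite Authelia's session store without authenticating. Put both services on an additional private network (for example `authelia-internal`) and leave only `authelia` on `proxy`, or at least start Redis with `command: ["redis-server", "--requirepass", "<PLACEHOLDER>"]` and enable the matching `password:` entry in configuration.yml. The forwardauth `address` here points at `/api/authz/forward-auth?authelia_url=…` while the `authelia` middleware added to examples/traefik/fileConfig.yml uses the legacy `/api/verify?rd=…`, and the skeleton references `authelia@file`, so the two definitions will drift; keep one and pin `image: authelia/authelia` to a version whose endpoint and config keys match. `trustForwardHeader=true` (also set in fileConfig.yml) makes Traefik forward the client's own `X-Forwarded-*` headers to Authelia, which is only safe when the `https` entrypoint restricts `forwardedHeaders.trustedIPs`; that setting is not part of this change.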
@@ -0,0 +1,3 @@
+# References
+
+- https://github.com/usememos/memos
diff --git a/examples/memos/docker-compose.yml b/examples/memos/docker-compose.yml
new file mode 100644
index 0000000..82c4cc6
--- /dev/null
+++ b/examples/memos/docker-compose.yml
@@ -0,0 +1,23 @@
+version: "3.0"
+
+services:
+ memos:
+ image: neosmemo/memos:latest
+ container_name: memos
+ volumes:
+ - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/memos/data:/var/opt/memos
+ ports:
+ - 5230:5230
+ #networks:
+ # - proxy
+ #labels:
+ # - traefik.enable=true
+ # - traefik.http.routers.memos.rule=Host(`memosservice.example.com`)
+ # - traefik.http.services.memos.loadbalancer.server.port=5230
+ # - traefik.docker.network=proxy
+ # # Part for optional traefik middlewares
+ # - traefik.http.routers.memos.middlewares=local-ipwhitelist@file,basic-auth@file
+
+#networks:
+# proxy:
+# external: true
\ No newline at end of file
diff --git a/examples/traefik/fileConfig.yml b/examples/traefik/fileConfig.yml
index 4d4345a..8c4bed6 100644
--- a/examples/traefik/fileConfig.yml
+++ b/examples/traefik/fileConfig.yml
@@ -44,7 +44,7 @@ http:
 # Only Allow Local networks
 local-ipwhitelist:
 ipWhiteList:
- sourceRange:
+ sourceRange:
 - 127.0.0.1/32 # localhost
 - 10.0.0.0/8 # private class A
 - 172.16.0.0/12 # private class B
@@ -77,7 +77,18 @@ http:
 stsSeconds: 63072000 # HTTP-Strict-Transport-Security (HSTS)
 stsPreload: true # HTTP-Strict-Transport-Security (HSTS)
 #contentSecurityPolicy: "block-all-mixed-content" # Content-Security-Policy (CSP)
-
+
+ # Authelia guard
+ authelia:
+ forwardauth:
+ address: http://authelia:9091/api/verify?rd=https://auth.example.com/ # replace example.com with your domain name
+ trustForwardHeader: true
+ authResponseHeaders:
+ - Remote-User
+ - Remote-Groups
+ - Remote-Name
+ - Remote-Email
+
 # rate limiting
 rate-limit:
 rateLimit:
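Review bot: `- 5230:5230` binds Memos on all host interfaces, which with Docker's own iptables rules generally bypasses host-firewall policy, while the commented-out labels indicate the intended path is through Traefik; `- "127.0.0.1:5230:5230"` keeps the direct port host-local until the proxy block is enabled, and quoting follows the usual compose convention for port mappings. `neosmemo/memos:latest` is an unpinned tag, the service has no `restart:` policy unlike the Authelia example in the same commit, and the file ends without a newline. The commented middleware line still lists `local-ipwhitelist@file,basic-auth@file`, whereas the skeleton in this same commit now suggests `authelia@file` — worth aligning so the two templates do not diverge.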