Merge branch 'Haxxnet:main' into main

0_skeleton/docker-compose.yml

@@ -32,7 +32,7 @@ services:
     #  - traefik.http.middlewares.limit.buffering.memResponseBodyBytes=50000000 # optional, only necessary for enabled file uploads    
     #  - traefik.docker.network=proxy
     #  # Part for optional traefik middlewares
-    #  - traefik.http.routers.CHANGEME.middlewares=local-ipwhitelist@file,basic-auth@file
+    #  - traefik.http.routers.CHANGEME.middlewares=authelia@file,local-ipwhitelist@file,basic-auth@file
 
 #networks:
 #  proxy:

README.md

@@ -55,6 +55,9 @@ docker compose up
 - [Nginx Proxy Manager](examples/nginx-proxy-manager) - Nginx Proxy Manager is an easy way to accomplish reverse proxying hosts with SSL termination.
 - [Caddy](examples/caddy) - The Caddy web server is an extensible, cross-platform, open-source web server written in Go. Caddy obtains and renews TLS certificates for your sites automatically.
 
+### Identity Providers / Single Sign On
+- [Authelia](examples/authelia) - Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for your applications via a web portal. It acts as a companion for reverse proxies by allowing, denying, or redirecting requests. Recommended to combine with [Traefik](examples/traefik).
+
 ### Virtual Private Network (VPN)
 - [wg-easy](examples/wg-easy) - The easiest way to install & manage WireGuard on any Linux host. All-in-one deployment of a WireGuard VPN network service + web management UI.
 - [WireGuard](examples/wireguard) - WireGuard by Linuxserver.io is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.
@@ -140,6 +143,7 @@ docker compose up
 - [Answer](examples/answer) - An open-source knowledge-based community software. You can use it quickly to build Q&A community for your products, customers, teams, and more.
 - [Obsidian-Gitsync-Perlite](https://github.com/l4rm4nd/Obsidian-Gitsync-Perlite) - Continuously sync Obsidian markdown notes from GitHub and publish it for the webs.
 - [Obsidian-Remote](examples/obsidian-remote) - This docker image allows you to run obsidian in docker as a container and access it via your web browser.
+- [Memos](examples/memos) - An open-source, self-hosted memo hub with knowledge management and social networking.
 
 ### Analytics
 - [Matomo](examples/matomo) - Matomo is the leading Free/Libre open analytics platform.
@@ -173,6 +177,7 @@ docker compose up
 - [Answer](examples/answer) - An open-source knowledge-based community software. You can use it quickly to build Q&A community for your products, customers, teams, and more.
 - [Obsidian-Remote](examples/obsidian-remote) - This docker image allows you to run obsidian in docker as a container and access it via your web browser.
 - [Obsidian-Gitsync-Perlite](https://github.com/l4rm4nd/Obsidian-Gitsync-Perlite) - Continuously sync Obsidian markdown notes from GitHub and publish it for the webs.
+- [Memos](examples/memos) - An open-source, self-hosted memo hub with knowledge management and social networking.
 
 ### Finance
 - [TRSync](examples/trsync) - Django web frontend for pytr to download all Trade Republic depot data.
@@ -190,3 +195,9 @@ docker compose up
 
 ## Star History
 [![Star History Chart](https://api.star-history.com/svg?repos=Haxxnet/Compose-Examples&type=Date)](https://star-history.com/#Haxxnet/Compose-Examples&Date)
+
+## Join the community!
+
+<a href="https://github.com/Haxxnet/Compose-Examples/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=Haxxnet/Compose-Examples" />
+</a>

examples/authelia/README.md

@@ -0,0 +1,9 @@
+# References
+
+- https://github.com/authelia/authelia
+- https://www.youtube.com/watch?v=u6H-Qwf4nZA&t=1314s
+- https://docs.technotim.live/posts/authelia-traefik/
+
+# Notes
+
+You have to put the configuration files in the directory `config` to your Docker volume bind mount.

examples/authelia/config/configuration.yml

@@ -0,0 +1,82 @@
+---
+###############################################################
+#                   Authelia configuration                    #
+###############################################################
+
+server:
+  host: 0.0.0.0
+  port: 9091
+log:
+  level: debug
+
+theme: dark
+
+# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
+jwt_secret: a_very_important_secret
+default_redirection_url: https://auth.example.com # replace with your domain name
+totp:
+  issuer: authelia.com
+
+# duo_api:
+#  hostname: api-123456789.example.com
+#  integration_key: ABCDEF
+#  # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
+#  secret_key: 1234567890abcdefghifjkl
+
+authentication_backend:
+  file:
+    path: /config/users_database.yml
+    password:
+      algorithm: argon2id
+      iterations: 1
+      salt_length: 16
+      parallelism: 8
+      memory: 64
+
+access_control:
+  default_policy: deny
+  rules:
+    # Rules applied to everyone
+    # chose from bypass, one_factor and two_factor
+    - domain: public.example.com
+      policy: bypass
+    - domain: subdomain1.example.com
+      policy: one_factor
+    - domain: subdomain2.example.com
+      policy: two_factor
+
+session:
+  name: authelia_session
+  # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
+  secret: unsecure_session_secret
+  expiration: 3600  # 1 hour
+  inactivity: 300  # 5 minutes
+  domain: example.com  # Should match whatever your root protected domain is
+
+  redis:
+    host: authelia-redis
+    port: 6379
+    # This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
+    # password: authelia
+
+regulation:
+  max_retries: 3
+  find_time: 120
+  ban_time: 300
+
+storage:
+  encryption_key: a_very_important_secret # Now required
+  local:
+    path: /config/db.sqlite3
+
+notifier:
+  # smtp:
+  #   username: test
+  #   # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
+  #   password: password
+  #   host: mail.example.com
+  #   port: 25
+  #   sender: admin@example.com
+  filesystem:
+    filename: /config/notifications.txt
+...

examples/authelia/config/users_database.yml

@@ -0,0 +1,19 @@
+---
+###############################################################
+#                         Users Database                      #
+###############################################################
+
+# This file can be used if you do not have an LDAP set up.
+
+# List of users
+users:
+  yourUsername:  # define here your username
+    disabled: false
+    displayname: "My Authelia User"
+    # Password is authelia
+    password: "$argon2id$v=19$m=65536,t=3,p=4$mTOaOa3MOexX7JQ02BdXzw$OzAxTnSPEnahQgIi+y4QPP5/xYIQ8uEWDYW+vlupeTM"  # generate a secure hash with: $ docker run authelia/authelia:latest authelia crypto hash generate argon2 --password 'password'
+    email: authelia@example.com
+    groups:
+      - admins
+      - dev
+...

examples/authelia/docker-compose.yml

@@ -0,0 +1,39 @@
+version: '3.3'
+
+services:
+  authelia:
+    image: authelia/authelia
+    container_name: authelia
+    volumes:
+      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/authelia/config:/config
+    networks:
+      - proxy
+    labels:
+      - 'traefik.enable=true'
+      - 'traefik.http.routers.authelia.rule=Host(`auth.example.com`)'  # replace with your domain name
+      - 'traefik.http.routers.authelia.entrypoints=https'
+      - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth?authelia_url=https://auth.example.com'  # replace with your domain name
+      - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
+      - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'  # yamllint disable-line rule:line-length
+    expose:
+      - 9091
+    restart: unless-stopped
+    environment:
+      - TZ=Europe/Berlin
+
+  redis:
+    image: redis:alpine
+    container_name: authelia-redis
+    volumes:
+      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/authelia/redis:/data
+    networks:
+      - proxy
+    expose:
+      - 6379
+    restart: unless-stopped
+    environment:
+      - TZ=Europe/Berlin
+
+networks:
+   proxy:
+      external: true

examples/grafana-monitoring/Grafana_Dashboard_Template.json

@@ -1413,7 +1413,7 @@
         {
           "targetBlank": true,
           "title": "Link",
-          "url": "https://bitwarden.lrvt.de"
+          "url": "https://example.com"
         }
       ],
       "options": {
@@ -1795,7 +1795,7 @@
         {
           "targetBlank": true,
           "title": "Link",
-          "url": "https://bitwarden.lrvt.de"
+          "url": "https://example.com"
         }
       ],
       "options": {

examples/memos/README.md

@@ -0,0 +1,3 @@
+# References
+
+- https://github.com/usememos/memos

examples/memos/docker-compose.yml

@@ -0,0 +1,23 @@
+version: "3.0"
+
+services:
+  memos:
+    image: neosmemo/memos:latest
+    container_name: memos
+    volumes:
+      - ${DOCKER_VOLUME_STORAGE:-/mnt/docker-volumes}/memos/data:/var/opt/memos
+    ports:
+      - 5230:5230
+    #networks:
+    #  - proxy
+    #labels:
+    #  - traefik.enable=true
+    #  - traefik.http.routers.memos.rule=Host(`memosservice.example.com`)
+    #  - traefik.http.services.memos.loadbalancer.server.port=5230
+    #  - traefik.docker.network=proxy
+    #  # Part for optional traefik middlewares
+    #  - traefik.http.routers.memos.middlewares=local-ipwhitelist@file,basic-auth@file
+
+#networks:
+#  proxy:
+#    external: true

examples/traefik/fileConfig.yml

@@ -78,6 +78,17 @@ http:
         stsPreload: true # HTTP-Strict-Transport-Security (HSTS)
         #contentSecurityPolicy: "block-all-mixed-content" # Content-Security-Policy (CSP)
 
+    # Authelia guard
+    authelia:
+      forwardauth:
+        address: http://authelia:9091/api/verify?rd=https://auth.example.com/  # replace example.com with your domain name
+        trustForwardHeader: true
+        authResponseHeaders:
+          - Remote-User
+          - Remote-Groups
+          - Remote-Name
+          - Remote-Email
+
     # rate limiting
     rate-limit:
       rateLimit: