diff --git a/docker/data/homepage/services.yaml b/docker/data/homepage/services.yaml
index a7ee27d..cbd6aa9 100644
--- a/docker/data/homepage/services.yaml
+++ b/docker/data/homepage/services.yaml
@@ -107,7 +107,7 @@
 
 - Gitea:
 icon: gitea.png
- href: http://git.kotori-waifu
+ href: https://git.kotori-waifu
 description: Git Version Control
 
 - Vaultwarden:
diff --git a/docker/stacks/00-core/authelia/configuration.yml b/docker/stacks/00-core/authelia/configuration.yml
new file mode 100644
index 0000000..1e32f0b
--- /dev/null
+++ b/docker/stacks/00-core/authelia/configuration.yml
@@ -0,0 +1,44 @@
+server:
+ host: 0.0.0.0
+ port: 9091
+
+log:
+ level: debug
+
+theme: dark
+
+totp:
+ issuer: authelia.com
+
+authentication_backend:
+ file:
+ path: /config/users.yml
+
+access_control:
+ default_policy: deny
+ rules:
+ # Bypass authentication for local LAN requests
+ - domain: "*.kotori-waifu.cc"
+ networks:
+ - 192.168.0.0/16
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ policy: bypass
+ # Require 2FA for external requests
+ - domain: "*.kotori-waifu.cc"
+ policy: two_factor
+
+session:
+ name: authelia_session
+ domain: kotori-waifu.cc
+ secret: '${SESSION_SECRET}'
+ expiration: 3600
+ inactivity: 1000
+
+storage:
+ local:
+ path: /config/db.sqlite3
+
+notifier:
+ filesystem:
+ filename: /config/notification.txt
diff --git a/docker/stacks/00-core/authelia/docker-compose.yml b/docker/stacks/00-core/authelia/docker-compose.yml
new file mode 100644
index 0000000..5d80c77
--- /dev/null
+++ b/docker/stacks/00-core/authelia/docker-compose.yml
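Review bot: The updated `href: https://git.kotori-waifu` still uses the bare `git.kotori-waifu` name, while the Gitea hunks in this same commit move both the Traefik rule and `GITEA__server__ROOT_URL` to `git.kotori-waifu.cc`, so this dashboard link will no longer match the router. It should become `href: https://git.kotori-waifu.cc`, and the Vaultwarden entry and the other services below this hunk are worth checking for the same stale hostname, since their routers were renamed in this commit too.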
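Review bot: `secret: '${SESSION_SECRET}'` will most likely be used literally — as far as I know Authelia does not perform shell-style `${VAR}` expansion on its configuration file — so every deployment of this file would share one fixed, published session secret; drop the key and supply the value through `AUTHELIA_SESSION_SECRET` (or `AUTHELIA_SESSION_SECRET_FILE`) from the `.env` the compose file already loads, and do the same for the JWT secret and `storage.encryption_key`, which this file does not set at all. The `bypass` rule for the private ranges is only as strong as the client address Authelia is handed: with `trustForwardHeader=true` on the Traefik middleware, confirm from Authelia's own log that an external request is attributed to its public address and not to a Docker gateway or host NAT address, because in that case the `networks` match would turn the rule into a blanket bypass. A comment on the first rule recording that assumption would help the next reader, e.g. `# Relies on Traefik forwarding the real client IP; verify with a request from outside the LAN`. `log.level: debug` should go back to `info` once the setup works, and `totp.issuer: authelia.com` is the label shown in authenticator apps, so it should probably be this deployment's own domain.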
@@ -0,0 +1,25 @@
+services:
+ authelia:
+ image: authelia/authelia:latest
+ container_name: authelia
+ volumes:
+ - /opt/homelab/data/authelia:/config
+ - ./configuration.yml:/config/configuration.yml:ro
+ - ./users.yml:/config/users.yml:ro
+ networks:
+ - proxy_net
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.authelia.rule=Host(`auth.kotori-waifu.cc`)"
+ - "traefik.http.routers.authelia.tls.certresolver=cloudflare"
+ - "traefik.http.services.authelia.loadbalancer.server.port=9091"
+ - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth"
+ - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
+ - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
+ restart: unless-stopped
+ env_file:
+ - .env
+
+networks:
+ proxy_net:
+ external: true
diff --git a/docker/stacks/00-core/authelia/users.yml b/docker/stacks/00-core/authelia/users.yml
new file mode 100644
index 0000000..e018156
--- /dev/null
+++ b/docker/stacks/00-core/authelia/users.yml
@@ -0,0 +1,10 @@
+users:
+ kotori:
+ displayname: "Kotori"
+ # To generate a password hash, use docker run authelia/authelia:latest authelia crypto hash generate argon2 --password 'yourpassword'
+ # Default is 'kotori'
+ password: "$argon2id$v=19$m=65536,t=3,p=4$R9730030W0Nud7Xq+8qBsg$eP9t0+3/n/S2nUq9YfB6i7x9n/8k8hH1G/1Y5Zt/u+Y"
+ email: admin@kotori-waifu.cc
+ groups:
+ - admins
+ - dev
diff --git a/docker/stacks/00-core/gitea/docker-compose.yml b/docker/stacks/00-core/gitea/docker-compose.yml
index 643e72a..e94e3cf 100644
--- a/docker/stacks/00-core/gitea/docker-compose.yml
+++ b/docker/stacks/00-core/gitea/docker-compose.yml
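Review bot: `image: authelia/authelia:latest` is unpinned while both the mounted `configuration.yml` and the `/api/authz/forward-auth` middleware address are tied to a particular Authelia release line, so an automatic pull can change which configuration keys are accepted or whether that endpoint exists; pin a specific version tag here. Also confirm that an unauthenticated browser request through this middleware is redirected to `auth.kotori-waifu.cc` rather than answered with a bare 401: as far as I know the `forward-auth` endpoint takes the portal URL from the session cookie configuration or an `authelia_url` query parameter, and neither is defined in the configuration shipped with this commit. The `.env` this service loads carries its secrets, so it needs the same `.gitignore` treatment as the Traefik `.env` committed further down in this diff.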
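Review bot: The `password:` line is an argon2id hash for a documented default password (`# Default is 'kotori'`) on a user in `admins`, and it is committed to the repository; the external policy is `two_factor`, but the first factor is now public, and on the LAN the `bypass` rule means this account gates nothing at all. Generate a fresh hash with the command already given in the comment and keep the resulting `users.yml` out of version control — the compose file mounts `./users.yml` from this directory, so a `.gitignore` entry plus a `users.yml.example` holding a placeholder hash is the usual pattern — and drop the `# Default is 'kotori'` line once it no longer holds.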
@@ -8,7 +8,7 @@ services:
 - GITEA__database__NAME=gitea
 - GITEA__database__USER=gitea
 - GITEA__database__PASSWD=${DB_PASS}
- - GITEA__server__ROOT_URL=https://git.kotori-waifu
+ - GITEA__server__ROOT_URL=https://git.kotori-waifu.cc
 - GITEA__server__SSH_PORT=2222
 - GITEA__server__LFS_START_SERVER=true
 - GITEA__actions__ENABLED=true
@@ -23,9 +23,10 @@ services:
 - "2222:2222"
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.gitea.rule=Host(`git.kotori-waifu`)"
+ - "traefik.http.routers.gitea.rule=Host(`git.kotori-waifu.cc`)"
 - "traefik.http.routers.gitea.entrypoints=websecure"
 - "traefik.http.routers.gitea.tls=true"
+ - "traefik.http.routers.gitea.tls.certresolver=cloudflare"
 - "traefik.http.services.gitea.loadbalancer.server.port=3000"
 - "traefik.docker.network=proxy_net"
 restart: unless-stopped
diff --git a/docker/stacks/00-core/traefik/.env b/docker/stacks/00-core/traefik/.env
new file mode 100644
index 0000000..911d62e
--- /dev/null
+++ b/docker/stacks/00-core/traefik/.env
@@ -0,0 +1,2 @@
+CF_DNS_API_TOKEN=cfut_7dfJCWj0xn9wlEsnQxEAsPWQZdzGv7GFGrbaWVgI716ae0bb
+ACME_EMAIL=lucas-conrad67@gmx.net
\ No newline at end of file
diff --git a/docker/stacks/00-core/traefik/docker-compose.yml b/docker/stacks/00-core/traefik/docker-compose.yml
index 24b588f..70a9cb3 100644
--- a/docker/stacks/00-core/traefik/docker-compose.yml
+++ b/docker/stacks/00-core/traefik/docker-compose.yml
@@ -2,6 +2,8 @@ services:
 traefik:
 image: traefik:latest
 container_name: traefik
+ env_file:
+ - .env
 user: root # Ensure access to docker.sock
 command:
 - "--api.insecure=true"
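Review bot: `docker/stacks/00-core/traefik/.env` commits what looks like a live Cloudflare API token (`CF_DNS_API_TOKEN=cfut_…`) together with a personal email address. Once this commit has been pushed anywhere the token has to be treated as exposed: revoke it in Cloudflare, issue a replacement scoped to DNS edit on this zone only, purge the file from history, and add `.env` to `.gitignore` with an `.env.example` of placeholders (`CF_DNS_API_TOKEN=<your token>`) in its place. The `env_file: .env` line added to the Traefik compose file in the next hunk keeps working unchanged, because it reads the file from the stack directory at runtime rather than from the repository.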
@@ -11,14 +13,21 @@ services:
 - "--entrypoints.web.address=:80"
 - "--entrypoints.websecure.address=:443"
 - "--log.level=DEBUG"
+ - "--certificatesresolvers.cloudflare.acme.dnschallenge=true"
+ - "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare"
+ # - "--certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+ - "--certificatesresolvers.cloudflare.acme.email=${ACME_EMAIL:-admin@kotori-waifu.cc}"
+ - "--certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json"
 environment:
 - DOCKER_API_VERSION=1.44
+ - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
 ports:
 - "80:80"
 - "443:443"
 - "8085:8080" # Traefik dashboard (moved from 8080)
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock:ro
+ - ./letsencrypt:/letsencrypt
 networks:
 - proxy_net
 restart: unless-stopped
diff --git a/docker/stacks/01-apps/bookstack/docker-compose.yml b/docker/stacks/01-apps/bookstack/docker-compose.yml
index f1bc23a..03e01b1 100644
--- a/docker/stacks/01-apps/bookstack/docker-compose.yml
+++ b/docker/stacks/01-apps/bookstack/docker-compose.yml
@@ -24,7 +24,9 @@ services:
 - proxy_net
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.bookstack.rule=Host(`bookstack.kotori-waifu`) || Host(`kotoribs.kotori-waifu`) || Host(`bs.kotori-waifu.cc`)"
+ - "traefik.http.routers.bookstack.rule=Host(`bookstack.kotori-waifu.cc`) || Host(`bs.kotori-waifu.cc`)"
+ - "traefik.http.routers.bookstack.tls.certresolver=cloudflare"
+ - "traefik.http.routers.bookstack.middlewares=authelia@docker"
 - "traefik.http.services.bookstack.loadbalancer.server.port=80"
 - "traefik.docker.network=proxy_net"
 restart: unless-stopped
diff --git a/docker/stacks/01-apps/mealie/docker-compose.yml b/docker/stacks/01-apps/mealie/docker-compose.yml
index 30cde16..44f65a3 100644
--- a/docker/stacks/01-apps/mealie/docker-compose.yml
+++ b/docker/stacks/01-apps/mealie/docker-compose.yml
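Review bot: `- CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}` under `environment:` duplicates what `env_file: .env` (added in the previous hunk) already injects, and the `${…}` form additionally depends on compose-time interpolation, so keep one mechanism — dropping the `environment:` line is the simpler option. The new `./letsencrypt:/letsencrypt` mount places `acme.json`, which holds the ACME account key and the private key of every issued certificate, inside the stack directory, so that path needs a `.gitignore` entry and the file should stay at mode `600`, which Traefik checks before using it. Because several routers in this commit set only `tls.certresolver` and no `entrypoints`, plain-HTTP requests on `:80` are simply unmatched; adding `- "--entrypoints.web.http.redirections.entrypoint.to=websecure"` and `- "--entrypoints.web.http.redirections.entrypoint.scheme=https"` here would send `http://` links to the TLS routers. The commented-out staging `caserver` line is worth keeping, but a comment such as `# Uncomment to test against Let's Encrypt staging and avoid production rate limits` says why it is there.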
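Review bot: The bookstack router now carries `tls.certresolver` and `middlewares=authelia@docker` but, unlike the gitea and vaultwarden routers in this same commit, neither `entrypoints=websecure` nor `tls=true`. Traefik treats a router with any `tls` option as HTTPS-only, so this works, but the two styles side by side make it harder to audit which routers are reachable on `:80`; adding `- "traefik.http.routers.bookstack.entrypoints=websecure"` keeps the files consistent. The mealie, immich and media-stack routers below have the same mix.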
@@ -19,7 +19,8 @@ services:
 - proxy_net
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.mealie.rule=Host(`mealie.kotori-waifu`) || Host(`mealie.kotori-waifu.cc`)"
+ - "traefik.http.routers.mealie.rule=Host(`mealie.kotori-waifu.cc`)"
+ - "traefik.http.routers.mealie.tls.certresolver=cloudflare"
 - "traefik.http.services.mealie.loadbalancer.server.port=9000"
 restart: unless-stopped
 
diff --git a/docker/stacks/01-apps/vaultwarden/docker-compose.yml b/docker/stacks/01-apps/vaultwarden/docker-compose.yml
index f2ecc75..95a1e2c 100644
--- a/docker/stacks/01-apps/vaultwarden/docker-compose.yml
+++ b/docker/stacks/01-apps/vaultwarden/docker-compose.yml
@@ -14,9 +14,10 @@ services:
 - proxy_net
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.vaultwarden.rule=Host(`vault.kotori-waifu`)"
+ - "traefik.http.routers.vaultwarden.rule=Host(`vault.kotori-waifu.cc`)"
 - "traefik.http.routers.vaultwarden.entrypoints=websecure"
 - "traefik.http.routers.vaultwarden.tls=true"
+ - "traefik.http.routers.vaultwarden.tls.certresolver=cloudflare"
 - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
 
 networks:
diff --git a/docker/stacks/02-media/immich-app/docker-compose.yml b/docker/stacks/02-media/immich-app/docker-compose.yml
index b6a9691..2959ca8 100644
--- a/docker/stacks/02-media/immich-app/docker-compose.yml
+++ b/docker/stacks/02-media/immich-app/docker-compose.yml
@@ -32,7 +32,9 @@ services:
 - proxy_net
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.immich.rule=Host(`immich.kotori-waifu`) || Host(`immich.kotori-waifu.cc`)"
+ - "traefik.http.routers.immich.rule=Host(`immich.kotori-waifu.cc`)"
+ - "traefik.http.routers.immich.tls.certresolver=cloudflare"
+ - "traefik.http.routers.immich.middlewares=authelia@docker"
 - "traefik.http.services.immich.loadbalancer.server.port=2283"
 - "traefik.docker.network=proxy_net"
 restart: unless-stopped
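Review bot: `middlewares=authelia@docker` on the immich router applies forward-auth to every request on that host, and the Immich mobile app and shared-link/API traffic presumably authenticate with their own keys rather than a browser session, so off-LAN use of the app would be blocked unless the Authelia access-control rules add a `bypass` for those paths (the `resources` key on a rule) — verify with the app from outside the LAN before relying on it. LAN clients are unaffected because the `bypass` rule in `configuration.yml` covers the private source ranges. A comment on the label such as `# Forward-auth also covers the API; external app access needs an Authelia bypass rule` would record the trade-off.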
diff --git a/docker/stacks/02-media/media-stack/docker-compose.yml b/docker/stacks/02-media/media-stack/docker-compose.yml
index ecb4b66..5a1dc5d 100644
--- a/docker/stacks/02-media/media-stack/docker-compose.yml
+++ b/docker/stacks/02-media/media-stack/docker-compose.yml
@@ -25,10 +25,12 @@ services:
 - proxy_net
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.torrent.rule=Host(`torrent.kotori-waifu`)"
+ - "traefik.http.routers.torrent.rule=Host(`torrent.kotori-waifu.cc`)"
+ - "traefik.http.routers.torrent.tls.certresolver=cloudflare"
 - "traefik.http.routers.torrent.service=torrent"
 - "traefik.http.services.torrent.loadbalancer.server.port=8080"
- - "traefik.http.routers.prowlarr.rule=Host(`prowlarr.kotori-waifu`)"
+ - "traefik.http.routers.prowlarr.rule=Host(`prowlarr.kotori-waifu.cc`)"
+ - "traefik.http.routers.prowlarr.tls.certresolver=cloudflare"
 - "traefik.http.routers.prowlarr.service=prowlarr"
 - "traefik.http.services.prowlarr.loadbalancer.server.port=9696"
 restart: unless-stopped
@@ -77,7 +79,8 @@ services:
 - proxy_net
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.radarr.rule=Host(`radarr.kotori-waifu`)"
+ - "traefik.http.routers.radarr.rule=Host(`radarr.kotori-waifu.cc`)"
+ - "traefik.http.routers.radarr.tls.certresolver=cloudflare"
 - "traefik.http.services.radarr.loadbalancer.server.port=7878"
 restart: unless-stopped
 
@@ -97,7 +100,8 @@ services:
 - proxy_net
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.sonarr.rule=Host(`sonarr.kotori-waifu`)"
+ - "traefik.http.routers.sonarr.rule=Host(`sonarr.kotori-waifu.cc`)"
+ - "traefik.http.routers.sonarr.tls.certresolver=cloudflare"
 - "traefik.http.services.sonarr.loadbalancer.server.port=8989"
 restart: unless-stopped
 
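Review bot: The torrent and prowlarr routers are now published on the public `.cc` domain with a certificate but, unlike bookstack, immich and seerr in this commit, get no `middlewares=authelia@docker`, so a torrent client web UI and an indexer manager sit at the edge behind only their own built-in login. Adding `- "traefik.http.routers.torrent.middlewares=authelia@docker"` and the same label for prowlarr puts them behind the `two_factor` policy for external clients while the LAN `bypass` rule keeps local access unchanged. The radarr, sonarr, jellyfin and komga hunks have the same gap, with the caveat that Jellyfin's native clients do not carry a browser session and would presumably need an Authelia bypass rule for their API paths if the middleware is applied to that router.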
@@ -119,7 +123,8 @@ services:
 - proxy_net
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.kotori-waifu`) || Host(`jellyfin.kotori-waifu.cc`)"
+ - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.kotori-waifu.cc`)"
+ - "traefik.http.routers.jellyfin.tls.certresolver=cloudflare"
 - "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
 restart: unless-stopped
 
@@ -140,7 +145,9 @@ services:
 - proxy_net
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.seerr.rule=Host(`jellyseer.kotori-waifu`) || Host(`seer.kotori-waifu.cc`)"
+ - "traefik.http.routers.seerr.rule=Host(`jellyseer.kotori-waifu.cc`) || Host(`seer.kotori-waifu.cc`)"
+ - "traefik.http.routers.seerr.tls.certresolver=cloudflare"
+ - "traefik.http.routers.seerr.middlewares=authelia@docker"
 - "traefik.http.services.seerr.loadbalancer.server.port=5055"
 restart: unless-stopped
 
@@ -210,7 +217,8 @@ services:
 - proxy_net
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.komga.rule=Host(`goon.kotori-waifu`)"
+ - "traefik.http.routers.komga.rule=Host(`goon.kotori-waifu.cc`)"
+ - "traefik.http.routers.komga.tls.certresolver=cloudflare"
 - "traefik.http.services.komga.loadbalancer.server.port=25600"
 restart: unless-stopped
 