added SSO, Migration to Cloudflare Domain

docker/data/homepage/services.yaml

@@ -107,7 +107,7 @@
 
     - Gitea:
         icon: gitea.png
-        href: http://git.kotori-waifu
+        href: https://git.kotori-waifu
         description: Git Version Control
 
     - Vaultwarden:

docker/stacks/00-core/authelia/configuration.yml

@@ -0,0 +1,44 @@
+server:
+  host: 0.0.0.0
+  port: 9091
+
+log:
+  level: debug
+
+theme: dark
+
+totp:
+  issuer: authelia.com
+
+authentication_backend:
+  file:
+    path: /config/users.yml
+
+access_control:
+  default_policy: deny
+  rules:
+    # Bypass authentication for local LAN requests
+    - domain: "*.kotori-waifu.cc"
+      networks:
+        - 192.168.0.0/16
+        - 10.0.0.0/8
+        - 172.16.0.0/12
+      policy: bypass
+    # Require 2FA for external requests
+    - domain: "*.kotori-waifu.cc"
+      policy: two_factor
+
+session:
+  name: authelia_session
+  domain: kotori-waifu.cc
+  secret: '${SESSION_SECRET}'
+  expiration: 3600
+  inactivity: 1000
+
+storage:
+  local:
+    path: /config/db.sqlite3
+
+notifier:
+  filesystem:
+    filename: /config/notification.txt

docker/stacks/00-core/authelia/docker-compose.yml

@@ -0,0 +1,25 @@
+services:
+  authelia:
+    image: authelia/authelia:latest
+    container_name: authelia
+    volumes:
+      - /opt/homelab/data/authelia:/config
+      - ./configuration.yml:/config/configuration.yml:ro
+      - ./users.yml:/config/users.yml:ro
+    networks:
+      - proxy_net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.authelia.rule=Host(`auth.kotori-waifu.cc`)"
+      - "traefik.http.routers.authelia.tls.certresolver=cloudflare"
+      - "traefik.http.services.authelia.loadbalancer.server.port=9091"
+      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth"
+      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
+      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
+    restart: unless-stopped
+    env_file:
+      - .env
+
+networks:
+  proxy_net:
+    external: true

docker/stacks/00-core/authelia/users.yml

@@ -0,0 +1,10 @@
+users:
+  kotori:
+    displayname: "Kotori"
+    # To generate a password hash, use docker run authelia/authelia:latest authelia crypto hash generate argon2 --password 'yourpassword'
+    # Default is 'kotori'
+    password: "$argon2id$v=19$m=65536,t=3,p=4$R9730030W0Nud7Xq+8qBsg$eP9t0+3/n/S2nUq9YfB6i7x9n/8k8hH1G/1Y5Zt/u+Y"
+    email: admin@kotori-waifu.cc
+    groups:
+      - admins
+      - dev

docker/stacks/00-core/gitea/docker-compose.yml

@@ -8,7 +8,7 @@ services:
       - GITEA__database__NAME=gitea
       - GITEA__database__USER=gitea
       - GITEA__database__PASSWD=${DB_PASS}
-      - GITEA__server__ROOT_URL=https://git.kotori-waifu
+      - GITEA__server__ROOT_URL=https://git.kotori-waifu.cc
       - GITEA__server__SSH_PORT=2222
       - GITEA__server__LFS_START_SERVER=true
       - GITEA__actions__ENABLED=true
@@ -23,9 +23,10 @@ services:
       - "2222:2222"
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.gitea.rule=Host(`git.kotori-waifu`)"
+      - "traefik.http.routers.gitea.rule=Host(`git.kotori-waifu.cc`)"
       - "traefik.http.routers.gitea.entrypoints=websecure"
       - "traefik.http.routers.gitea.tls=true"
+      - "traefik.http.routers.gitea.tls.certresolver=cloudflare"
       - "traefik.http.services.gitea.loadbalancer.server.port=3000"
       - "traefik.docker.network=proxy_net"
     restart: unless-stopped

docker/stacks/00-core/traefik/.env

@@ -0,0 +1,2 @@
+CF_DNS_API_TOKEN=cfut_7dfJCWj0xn9wlEsnQxEAsPWQZdzGv7GFGrbaWVgI716ae0bb
+ACME_EMAIL=lucas-conrad67@gmx.net

docker/stacks/00-core/traefik/docker-compose.yml

@@ -2,6 +2,8 @@ services:
  traefik:
    image: traefik:latest
    container_name: traefik
+   env_file:
+     - .env
    user: root # Ensure access to docker.sock
    command:
      - "--api.insecure=true"
@@ -11,14 +13,21 @@ services:
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--log.level=DEBUG"
+     - "--certificatesresolvers.cloudflare.acme.dnschallenge=true"
+     - "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare"
+     # - "--certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+     - "--certificatesresolvers.cloudflare.acme.email=${ACME_EMAIL:-admin@kotori-waifu.cc}"
+     - "--certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json"
    environment:
      - DOCKER_API_VERSION=1.44
+     - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
    ports:
      - "80:80"
      - "443:443"
      - "8085:8080" # Traefik dashboard (moved from 8080)
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
+     - ./letsencrypt:/letsencrypt
    networks:
      - proxy_net
    restart: unless-stopped

docker/stacks/01-apps/bookstack/docker-compose.yml

@@ -24,7 +24,9 @@ services:
       - proxy_net
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.bookstack.rule=Host(`bookstack.kotori-waifu`) || Host(`kotoribs.kotori-waifu`) || Host(`bs.kotori-waifu.cc`)"
+      - "traefik.http.routers.bookstack.rule=Host(`bookstack.kotori-waifu.cc`) || Host(`bs.kotori-waifu.cc`)"
+      - "traefik.http.routers.bookstack.tls.certresolver=cloudflare"
+      - "traefik.http.routers.bookstack.middlewares=authelia@docker"
       - "traefik.http.services.bookstack.loadbalancer.server.port=80"
       - "traefik.docker.network=proxy_net"
     restart: unless-stopped

docker/stacks/01-apps/mealie/docker-compose.yml

@@ -19,7 +19,8 @@ services:
       - proxy_net
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.mealie.rule=Host(`mealie.kotori-waifu`) || Host(`mealie.kotori-waifu.cc`)"
+      - "traefik.http.routers.mealie.rule=Host(`mealie.kotori-waifu.cc`)"
+      - "traefik.http.routers.mealie.tls.certresolver=cloudflare"
       - "traefik.http.services.mealie.loadbalancer.server.port=9000"
     restart: unless-stopped
 

docker/stacks/01-apps/vaultwarden/docker-compose.yml

@@ -14,9 +14,10 @@ services:
       - proxy_net
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.vaultwarden.rule=Host(`vault.kotori-waifu`)"
+      - "traefik.http.routers.vaultwarden.rule=Host(`vault.kotori-waifu.cc`)"
       - "traefik.http.routers.vaultwarden.entrypoints=websecure"
       - "traefik.http.routers.vaultwarden.tls=true"
+      - "traefik.http.routers.vaultwarden.tls.certresolver=cloudflare"
       - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
 
 networks:

docker/stacks/02-media/immich-app/docker-compose.yml

@@ -32,7 +32,9 @@ services:
       - proxy_net
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.immich.rule=Host(`immich.kotori-waifu`) || Host(`immich.kotori-waifu.cc`)"
+      - "traefik.http.routers.immich.rule=Host(`immich.kotori-waifu.cc`)"
+      - "traefik.http.routers.immich.tls.certresolver=cloudflare"
+      - "traefik.http.routers.immich.middlewares=authelia@docker"
       - "traefik.http.services.immich.loadbalancer.server.port=2283"
       - "traefik.docker.network=proxy_net"
     restart: unless-stopped

docker/stacks/02-media/media-stack/docker-compose.yml

@@ -25,10 +25,12 @@ services:
       - proxy_net
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.torrent.rule=Host(`torrent.kotori-waifu`)"
+      - "traefik.http.routers.torrent.rule=Host(`torrent.kotori-waifu.cc`)"
+      - "traefik.http.routers.torrent.tls.certresolver=cloudflare"
       - "traefik.http.routers.torrent.service=torrent"
       - "traefik.http.services.torrent.loadbalancer.server.port=8080"
-      - "traefik.http.routers.prowlarr.rule=Host(`prowlarr.kotori-waifu`)"
+      - "traefik.http.routers.prowlarr.rule=Host(`prowlarr.kotori-waifu.cc`)"
+      - "traefik.http.routers.prowlarr.tls.certresolver=cloudflare"
       - "traefik.http.routers.prowlarr.service=prowlarr"
       - "traefik.http.services.prowlarr.loadbalancer.server.port=9696"
     restart: unless-stopped
@@ -77,7 +79,8 @@ services:
       - proxy_net
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.radarr.rule=Host(`radarr.kotori-waifu`)"
+      - "traefik.http.routers.radarr.rule=Host(`radarr.kotori-waifu.cc`)"
+      - "traefik.http.routers.radarr.tls.certresolver=cloudflare"
       - "traefik.http.services.radarr.loadbalancer.server.port=7878"
     restart: unless-stopped
 
@@ -97,7 +100,8 @@ services:
       - proxy_net
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.sonarr.rule=Host(`sonarr.kotori-waifu`)"
+      - "traefik.http.routers.sonarr.rule=Host(`sonarr.kotori-waifu.cc`)"
+      - "traefik.http.routers.sonarr.tls.certresolver=cloudflare"
       - "traefik.http.services.sonarr.loadbalancer.server.port=8989"
     restart: unless-stopped
 
@@ -119,7 +123,8 @@ services:
       - proxy_net
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.kotori-waifu`) || Host(`jellyfin.kotori-waifu.cc`)"
+      - "traefik.http.routers.jellyfin.rule=Host(`jellyfin.kotori-waifu.cc`)"
+      - "traefik.http.routers.jellyfin.tls.certresolver=cloudflare"
       - "traefik.http.services.jellyfin.loadbalancer.server.port=8096"
     restart: unless-stopped
 
@@ -140,7 +145,9 @@ services:
       - proxy_net
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.seerr.rule=Host(`jellyseer.kotori-waifu`) || Host(`seer.kotori-waifu.cc`)"
+      - "traefik.http.routers.seerr.rule=Host(`jellyseer.kotori-waifu.cc`) || Host(`seer.kotori-waifu.cc`)"
+      - "traefik.http.routers.seerr.tls.certresolver=cloudflare"
+      - "traefik.http.routers.seerr.middlewares=authelia@docker"
       - "traefik.http.services.seerr.loadbalancer.server.port=5055"
     restart: unless-stopped
 
@@ -210,7 +217,8 @@ services:
       - proxy_net
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.komga.rule=Host(`goon.kotori-waifu`)"
+      - "traefik.http.routers.komga.rule=Host(`goon.kotori-waifu.cc`)"
+      - "traefik.http.routers.komga.tls.certresolver=cloudflare"
       - "traefik.http.services.komga.loadbalancer.server.port=25600"
     restart: unless-stopped