#0000 - Add initial project setup with configs, user db, and Docker Compose

This commit adds the foundational setup for the project, including docker-compose.yml, .env.dist, users_database.yml.dist, and Authelia configurations. It also includes the MIT license and a README with installation instructions and usage. The .gitignore file has been updated to exclude sensitive files.

.env.dist

@@ -0,0 +1,32 @@
+# Automated Certificate Management Environment (ACME) email address.
+# This is used for certificate-related notifications and recovery purposes.
+# Example: ACME_EMAIL='your-email@example.com'
+ACME_EMAIL='CHANGEME'
+
+# Flag to enable or disable the Traefik dashboard.
+# Values: true or false
+ENABLE_TRAEFIK_DASHBOARD=true
+
+# Fully Qualified Domain Name (FQDN) for the Traefik dashboard.
+# Example: TRAEFIK_DASHBOARD_FQDN='traefik.example.com'
+TRAEFIK_DASHBOARD_FQDN='traefik.example.com'
+
+# IPs you can trust to forward headers. Useful if your application is behind Cloudflare, for example.
+# Add IPs as a comma-separated list.
+TRUSTED_IPS='10.0.0.0/8,172.16.0.0/16,192.168.0.0/16,fc00::/7,173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32'
+
+# Fully Qualified Domain Name (FQDN) for Authelia, a multi-factor authentication system.
+# Example: AUTHELIA_FQDN='auth.example.com'
+AUTHELIA_FQDN='auth.example.com'
+
+# Root password for MySQL.
+# Note: This is a sensitive value; ensure to change it to a secure password.
+MYSQL_ROOT_PASSWORD='CHANGEME'
+
+# The name of the database to be used by Authelia.
+# Example: MYSQL_DATABASE='authelia'
+MYSQL_DATABASE='authelia'
+
+# Absolute path where MySQL backups will be stored.
+# Example: MYSQL_BACKUP_PATH='/some/absolute/path'
+MYSQL_BACKUP_PATH='/some/absolute/path'

.gitignore

@@ -0,0 +1,2 @@
+.env
+authelia/*.yml

LICENCE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Guillaume 'B.B.' Van Hemmen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -1,2 +1,85 @@
-# traefik-authelia
+# Traefik Authelia
 
+## Introduction
+
+This project sets up a Traefik reverse proxy with support for Authelia using Docker Compose. Traefik is a modern HTTP
+reverse proxy and load balancer that makes deploying microservices and integrating them with your existing
+infrastructure easy. Authelia is an open-source authentication and authorization server that provides 2FA (two-factor
+authentication) and SSO (single sign-on) capabilities, adding an additional layer of security to your services.
+
+## Table of Contents
+
+- [Introduction](#introduction)
+- [Prerequisites](#prerequisites)
+- [Installation](#installation)
+- [Usage](#usage)
+- [Protecting Other Services](#protecting-other-services)
+- [License](#license)
+
+## Prerequisites
+
+- Docker: Make sure Docker is installed and running on your system.
+- Docker Compose: You also need Docker Compose to orchestrate the container setup.
+
+## Installation
+
+1. Clone the repository:
+
+    ```bash
+    git clone https://git.van-hemmen.com/GuillaumeHemmen-DockerCompose-Infra/traefik-authelia.git
+    cd traefik-authelia
+    ```
+
+2. Copy the environment variable template:
+
+    ```bash
+    cp .env.dist .env
+    ```
+
+3. Customize the `.env` file as necessary for your environment.
+
+4. Copy the Authelia configuration template:
+
+   ```bash
+   cp ./authelia/configuration.yml.dist ./authelia/configuration.yml
+   ```
+
+5. Customize the `./authelia/configuration.yml` file as necessary for your environment.
+
+6. Copy the Authelia user database template:
+
+   ```bash
+   cp ./authelia/users_database.yml.dist ./authelia/users_database.yml
+   ```
+
+7. Customize the `./authelia/users_database.yml` file as necessary for your environment. See
+   the [official documentation](https://www.authelia.com/reference/guides/passwords/) for more information.
+
+8. Create the `acme.json` file and grant it the proper rights:
+
+   ```bash
+   touch ../acme.json && chmod 600 ../acme.json
+   ```
+
+## Usage
+
+1. Start the Traefik service with Docker Compose:
+
+    ```bash
+    docker compose up -d
+    ```
+
+2. You can now start adding your services and configure Traefik to reverse proxy to them.
+
+## Protecting Other Services
+
+To protect other services using this instance of Traefik and Authelia, simply add the following label to their
+`docker-compose.yml` configuration:
+
+```yml
+      - 'traefik.http.routers.<serviceName>.middlewares=authelia@docker'
+```
+
+## License
+
+This project is licensed under the terms of the MIT license. See the [LICENSE](LICENSE) file for details.

authelia/configuration.yml.dist

@@ -0,0 +1,125 @@
+###############################################################
+#                   Authelia configuration                    #
+###############################################################
+
+# config setup following https://www.smarthomebeginner.com/docker-authelia-tutorial/
+
+theme: auto
+
+server:
+  host: 0.0.0.0
+  port: 9091
+
+log:
+  level: warn
+
+# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
+jwt_secret: CHANGEME
+
+# https://docs.authelia.com/configuration/miscellaneous.html#default-redirection-url
+default_redirection_url: https://CHANGEME
+
+totp:
+  issuer: authelia.com
+  period: 30
+  skew: 1
+
+authentication_backend:
+  file:
+    path: /config/users_database.yml
+    password:
+      algorithm: argon2id
+      iterations: 1
+      salt_length: 16
+      parallelism: 8
+      memory: 1024 # blocks this much of the RAM. Tune this.
+
+access_control:
+  default_policy: deny
+  rules:
+    - domain: CHANGEME
+      policy: bypass
+    - domain:
+        - '*.CHANGEME'
+      policy: two_factor
+
+session:
+  name: authelia_session
+  # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
+  secret: CHANGEME
+  expiration: 3600 # 1 hour
+  inactivity: 300 # 5 minutes
+  domain: CHANGEME # Should match whatever your root protected domain is
+  redis:
+    host: redis
+    port: 6379
+    # This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
+    # password: authelia
+
+regulation:
+  max_retries: 3
+  find_time: 120
+  ban_time: 300
+
+notifier:
+  # For testing purposes, notifications can be sent in a file. Be sure to map the volume in docker-compose.
+  #  filesystem:
+  #    filename: /config/notification.txt
+  smtp:
+    ## The SMTP host to connect to.
+    host: CHANGEME
+
+    ## The port to connect to the SMTP host on.
+    port: 465
+
+    ## The connection timeout.
+    timeout: 5s
+
+    ## The username used for SMTP authentication.
+    username: CHANGEME
+
+    ## The password used for SMTP authentication.
+    ## Can also be set using a secret: https://www.authelia.com/c/secrets
+    password: CHANGEME
+
+      ## The sender is used to is used for the MAIL FROM command and the FROM header.
+    ## If this is not defined and the username is an email, we use the username as this value. This can either be just
+    ## an email address or the RFC5322 'Name <email address>' format.
+    sender: "Authelia <noreply@CHANGEME>"
+
+    ## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost.
+    identifier: CHANGEME
+
+    ## Subject configuration of the emails sent. {title} is replaced by the text from the notifier.
+    subject: "[Authelia] {title}"
+
+    ## This address is used during the startup check to verify the email configuration is correct.
+    ## It's not important what it is except if your email server only allows local delivery.
+    startup_check_address: CHANGEME
+
+    ## By default we require some form of TLS. This disables this check though is not advised.
+    disable_require_tls: false
+
+    ## Disables sending HTML formatted emails.
+    disable_html_emails: false
+
+    tls:
+      ## The server subject name to check the servers certificate against during the validation process.
+      ## This option is not required if the certificate has a SAN which matches the host option.
+      server_name: CHANGEME
+
+      ## Minimum TLS version for the connection.
+      minimum_version: TLS1.2
+
+      ## Maximum TLS version for the connection.
+      maximum_version: TLS1.3
+
+storage:
+  encryption_key: CHANGEME
+  mysql:
+    host: mariadb-service
+    port: 3306
+    database: authelia
+    username: root
+    # Password can also be set using the env variables AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE
+    password: CHANGEME # use docker secret file instead AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE

authelia/users_database.yml.dist

@@ -0,0 +1,9 @@
+users:
+  john:
+    disabled: false
+    displayname: "John Doe"
+    password: '$argon2id$v=19$m=65536,t=3,p=2$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t4MFFSs+iM'
+    email: john@example.com
+    groups:
+      - admins
+      - dev

docker-compose.yml

@@ -0,0 +1,146 @@
+networks:
+  network:
+    name: traefik_network
+
+volumes:
+  redis:
+  mysql_data:
+
+services:
+
+  reverse-proxy:
+    image: traefik:v3.1 # The official Traefik docker image
+    command:
+      - '--api=true'
+      - '--api.dashboard=${ENABLE_TRAEFIK_DASHBOARD:-false}'
+      - '--api.insecure=false'
+      - '--global.sendAnonymousUsage=false'
+      - '--global.checkNewVersion=false'
+      - '--log=true'
+      - '--log.level=WARN'
+      - '--providers.docker=true' # Enabling docker provider
+      - '--providers.docker.exposedbydefault=false' # Do not expose containers unless explicitly told so
+      - '--entrypoints.web.address=:80' # Traefik will listen to incoming request on the port 80 (HTTP)
+      - '--entrypoints.web.http.redirections.entrypoint.to=websecure'
+      - '--entrypoints.web.http.redirections.entrypoint.scheme=https'
+      ## Please see the Forwarded Header Trust section of the Authelia Traefik Integration documentation.
+      - '--entryPoints.web.forwardedHeaders.trustedips=${TRUSTED_IPS:-}'
+      - '--entryPoints.web.proxyProtocol.trustedips=${TRUSTED_IPS:-}'
+      - '--entryPoints.web.forwardedHeaders.insecure=false'
+      - '--entryPoints.web.proxyProtocol.insecure=false'
+      - '--entrypoints.websecure.address=:443'  # Traefik will listen to incoming request on the port 443 (HTTPS)
+      ## Please see the Forwarded Header Trust section of the Authelia Traefik Integration documentation.
+      - '--entryPoints.websecure.forwardedHeaders.trustedips=${TRUSTED_IPS:-}'
+      - '--entryPoints.websecure.proxyProtocol.trustedips=${TRUSTED_IPS:-}'
+      - '--entryPoints.websecure.forwardedHeaders.insecure=false'
+      - '--entryPoints.websecure.proxyProtocol.insecure=false'
+      - '--certificatesresolvers.myresolver.acme.httpchallenge=true' # Enable a http challenge named 'myresolver'
+      - '--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web' # Tell it to use our predefined entrypoint named 'web'
+      - '--certificatesresolvers.myresolver.acme.email=${ACME_EMAIL}' # The email to provide to let's encrypt
+      - '--certificatesresolvers.myresolver.acme.storage=/acme.json' # Tell to store the certificate on a path under our volume
+    networks:
+      - network
+    ports:
+      - target: 80
+        published: 80
+        mode: host
+      - target: 443
+        published: 443
+        mode: host
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock # So that Traefik can listen to the Docker events
+      - ../acme.json:/acme.json
+    labels:
+      - 'traefik.enable=true'
+      - 'traefik.http.routers.traefik-api.rule=Host(`${TRAEFIK_DASHBOARD_FQDN}`)'
+      - 'traefik.http.routers.traefik-api.entryPoints=websecure'
+      - 'traefik.http.routers.traefik-api.service=api@internal'
+      - "traefik.http.routers.traefik-api.tls.certresolver=myresolver"
+      - "traefik.http.services.traefik-api.loadbalancer.server.port=8080"
+      - 'traefik.http.routers.traefik-api.middlewares=authelia@docker'
+    deploy:
+      replicas: 1
+      restart_policy:
+        condition: any
+        delay: 5s
+
+  # from https://www.authelia.com/integration/proxies/traefik/
+  authelia:
+    image: authelia/authelia:4
+    depends_on:
+      - mariadb-service
+      - redis
+    networks:
+      - network
+    volumes:
+      - ./authelia:/config
+    environment:
+      TZ: "Europe/Paris"
+    labels:
+      - 'traefik.enable=true'
+      - 'traefik.http.routers.authelia.rule=Host(`${AUTHELIA_FQDN}`)'
+      - 'traefik.http.routers.authelia.entryPoints=websecure'
+      - 'traefik.http.routers.authelia.tls=true'
+      - "traefik.http.routers.authelia.tls.certresolver=myresolver"
+      - 'traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https%3A%2F%2F${AUTHELIA_FQDN}%2F'
+      - 'traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true'
+      - 'traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
+      - 'traefik.http.middlewares.authelia-basic.forwardAuth.address=http://authelia:9091/api/verify?auth=basic'
+      - 'traefik.http.middlewares.authelia-basic.forwardAuth.trustForwardHeader=true'
+      - 'traefik.http.middlewares.authelia-basic.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
+
+  mariadb-service:
+    image: mariadb:11
+    environment:
+      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
+      MYSQL_DATABASE: ${MYSQL_DATABASE}
+    volumes:
+      - mysql_data:/var/lib/mysql
+    networks:
+      - network
+    deploy:
+      replicas: 1
+      restart_policy:
+        condition: any
+        delay: 5s
+
+  mysql-cron-backup:
+    image: fradelg/mysql-cron-backup:1.13.1
+    networks:
+      - network
+    depends_on:
+      - mariadb-service
+    volumes:
+      - ${MYSQL_BACKUP_PATH}:/backup
+    environment:
+      - MYSQL_HOST=mariadb-service
+      - MYSQL_USER=root
+      - MYSQL_PASS=${MYSQL_ROOT_PASSWORD}
+      - MAX_BACKUPS=365
+      - INIT_BACKUP=1
+      # Every day at 03:00
+      - CRON_TIME=0 3 * * *
+      # Make it small
+      - GZIP_LEVEL=9
+    deploy:
+      replicas: 1
+      restart_policy:
+        condition: any
+        delay: 5s
+
+  redis:
+    image: redis:7-alpine
+    networks:
+      - network
+    volumes:
+      - redis:/data
+    deploy:
+      replicas: 1
+      restart_policy:
+        condition: any
+        delay: 5s
+    healthcheck:
+      test: [ "CMD", "redis-cli", "ping" ]
+      interval: 1s
+      timeout: 5s
+      retries: 10