Authelia: introduce to protect system services

2025-05-07 11:23:22 +03:00
parent 41fac2c4f9
commit a77fefcded
6 changed files with 3718 additions and 16 deletions
--- a/files/authelia/configuration.yml
+++ b/files/authelia/configuration.yml
--- a/files/authelia/docker-compose.yml.j2
+++ b/files/authelia/docker-compose.yml.j2
@ -0,0 +1,15 @@
+services:
+
+  authelia_app:
+    container_name: 'authelia_app'
+    image: 'docker.io/authelia/authelia:4.39.1'
+    user: '{{  user_create_result.uid }}:{{ user_create_result.group }}'
+    restart: 'unless-stopped'
+    networks:
+      - "{{ web_proxy_network }}"
+    volumes:
+      - "{{ config_dir }}:/config"
+
+networks:
+  {{ web_proxy_network }}:
+    external: true
--- a/files/authelia/users.yml
+++ b/files/authelia/users.yml
@ -0,0 +1,24 @@
+$ANSIBLE_VAULT;1.1;AES256
+66646631323832323465333132316165363434656531343331363563623132333562643164336534
+3362346337613232373461373965623662346661396535330a393061623061313633356161373565
+62346666633339663730346637323738336338653763393462653466646135313632393762376661
+6466343264353132660a393765636438623933613830313166653036313363616133653863613664
+65613765393838626165386366363930663466313931653764306565623234326163636265656238
+34366138386237646133643433333434363837346231306139363034393239626665653965353632
+65383965363936653361303561373763666462366630333834636532346664616538653261386265
+34373961373564646537383031356466306561393731646662326163366564306361323137366530
+63663766366330616130386233623866333230306539663663613937396464343836333633373931
+37343831333331656637326163633636613030653138333139356332623032346537653166333432
+37383938613837383163336138363039373630343737333532376365653834336364626461336232
+63663733663139326235346230613963626537373631653533666230343563346535656334333363
+61623835653130646166353135376633663037636439343533323133313036646661393336346136
+66633666636434373263376237306530393132323930653864343939643535663161316564336266
+62623638363062343362323438623438643230353262653562313830376133353566396130386335
+62343630633866643831613566633132313332333763306461343965656466666336393637386365
+39623534323462633161373332353231316133366464373738366262666334386638313739623961
+38386434616430326238623563356230343438373261663339643732333461333534373634343131
+34393263356332633136353461323833306636396636323964383631663233653936643132316163
+62613236393436326261366632306634653462646562323161343463666561663737613738303565
+36373538643561663364633337383637343233343866396134363639386335333965646639393630
+36393566333864333366386465343735616639623836336566353136616563356464383738316364
+623839366161633366653464656539306230
--- a/files/caddyproxy/Caddyfile.j2
+++ b/files/caddyproxy/Caddyfile.j2
@ -6,22 +6,6 @@
 }

 # -------------------------------------------------------------------
-# Netdata service
-# -------------------------------------------------------------------
-
-status.vakhrushev.me, :29999 {
-    tls anwinged@ya.ru
-
-    reverse_proxy {
-        to netdata:19999
-    }
-
-    basicauth / {
-       {{ netdata.login }} {{ netdata.password_hash }}
-    }
-}
-
-# -------------------------------------------------------------------
 # Applications
 # -------------------------------------------------------------------

@ -34,6 +18,23 @@ vakhrushev.me {
 }

 auth.vakhrushev.me {
+    tls anwinged@ya.ru
+    
+    reverse_proxy authelia_app:9091
+}
+
+status.vakhrushev.me, :29999 {
+    tls anwinged@ya.ru
+
+    forward_auth authelia_app:9091 {
+        uri /api/authz/forward-auth
+        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+    }
+
+    reverse_proxy netdata:19999
+}
+
+git.vakhrushev.me {
    tls anwinged@ya.ru

    reverse_proxy {