diff --git a/homelab/Caddyfile b/homelab/Caddyfile
index 6a2552e..a3b5e12 100644
--- a/homelab/Caddyfile
+++ b/homelab/Caddyfile
@@ -1,12 +1,30 @@ { email neale@woozle.org + #debug +} + +(authelia) { + uri /api/verify?rd=https://auth.woozle.org/ + copy_headers Remote-User Remote-Groups Remote-Name Remote-Email } (restricted-access) { - forward_auth simpleauth:8080 { - uri / - copy_headers X-Simpleauth-Token + @noauth header !Authorization + handle @noauth { + forward_auth authelia:9091 { + import authelia + } } + handle { + forward_auth authelia:9091 { + import authelia + header_up Proxy-Authorization {header.authorization} + } + } +} + +auth.woozle.org { + reverse_proxy authelia:9091 } git.woozle.org {
diff --git a/homelab/Corefile b/homelab/Corefile
index 3edf2e6..33368bb 100644
--- a/homelab/Corefile
+++ b/homelab/Corefile
@@ -1,7 +1,7 @@ . { bind lan hosts { - 192.168.86.2 sweetums.woozle.org deergrove.woozle.org drive.woozle.org git.woozle.org ancestry.woozle.org media.woozle.org + 192.168.86.2 sweetums.woozle.org deergrove.woozle.org drive.woozle.org git.woozle.org ancestry.woozle.org media.woozle.org auth.woozle.org fallthrough } forward . 8.8.8.8
diff --git a/homelab/authelia.yaml b/homelab/authelia.yaml
new file mode 100644
index 0000000..5cd0d65
--- /dev/null
+++ b/homelab/authelia.yaml
@@ -0,0 +1,20 @@
+log:
+ level: trace # error, warn, [info], debug, trace
+authentication_backend:
+ password_reset:
+ disable: true
+ file:
+ path: /run/secrets/users.yaml
+totp:
+ issuer: woozle.org
+session:
+ domain: woozle.org
+ same_site: strict
+storage:
+ local:
+ path: /srv/sys/authelia/db.sqlite3
+access_control:
+ default_policy: one_factor
+notifier:
+ filesystem:
+ filename: /run/emails.txt
diff --git a/homelab/docker-compose.yaml b/homelab/docker-compose.yaml
index ef7bd5a..5f0b452 100644
--- a/homelab/docker-compose.yaml
+++ b/homelab/docker-compose.yaml
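Review bot: The second `handle` in `(restricted-access)` forwards any client `Authorization` header to Authelia as `Proxy-Authorization`, so a request carrying a non-Basic scheme (an app's own bearer token, if any service behind this snippet uses one) is judged by Authelia's basic-auth path and presumably gets a 401 instead of the cookie/redirect flow; a comment above `@noauth header !Authorization` such as `# Authorization present -> Basic auth against Authelia; absent -> session cookie or redirect to auth.woozle.org` would record that this is deliberate. `copy_headers Remote-User Remote-Groups Remote-Name Remote-Email` trusts Authelia's response to overwrite those headers on the way upstream; confirm for the Caddy version in use that a header Authelia leaves empty (e.g. `Remote-Groups` for a user with no groups) does not let a client-supplied value reach the backend, and otherwise clear the four `Remote-*` request headers before `forward_auth` runs. The `git.woozle.org` site block that follows continues outside the hunk.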
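Review bot: `level: trace` is the most verbose level and will presumably record per-request authentication detail into the container log; the line's own comment marks `info` as the default, so once the migration is debugged it should read `level: info # error, warn, [info], debug, trace`. `session` sets `domain: woozle.org` and `same_site: strict` but no `expiration` or `inactivity`, so Authelia's defaults govern a cookie that every `*.woozle.org` host shares; a comment noting that the defaults are intentional would help the next reader. `access_control` has `default_policy: one_factor` and no `rules`, so the configured `totp` issuer is never required by policy; a one-line comment like `# no per-host rules yet; every protected host is one_factor` makes that explicit.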
@@ -41,30 +41,24 @@ services: extra_hosts: - host.docker.internal:host-gateway - simpleauth: - image: git.woozle.org/neale/simpleauth - command: - - -secret - - /run/secrets/simpleauth.key - secrets: - - passwd - - simpleauth.key - - jellyfin: - image: jellyfin/jellyfin + authelia: + image: authelia/authelia environment: - TZ: US/Mountain + AUTHELIA_JWT_SECRET_FILE: /run/secrets/jwt.secret + AUTHELIA_SESSION_SECRET_FILE: /run/secrets/session.secret + AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/storage.secret + secrets: + - jwt.secret + - session.secret + - storage.secret + - users.yaml + configs: + - source: authelia.yaml + target: /config/configuration.yml volumes: - type: bind - source: /srv/sys/jellyfin/config - target: /config - - type: bind - source: /srv/sys/jellyfin/cache - target: /cache - - type: bind - source: /srv/media - target: /srv/media - read_only: true + source: /srv/sys/authelia + target: /srv/sys/authelia plex: image: ghcr.io/linuxserver/plex:1.29.2
@@ -293,10 +287,10 @@ configs: name: dave.yaml-v3 Corefile: file: Corefile - name: Corefile-v3 + name: Corefile-v4 Caddyfile: file: Caddyfile - name: Caddyfile-v88 + name: Caddyfile-v101 index.html: file: www/index.html name: index.html-v36
@@ -312,6 +306,9 @@ configs: deergrove.png: file: www/deergrove.png name: deergrove.png-v1 + authelia.yaml: + file: authelia.yaml + name: authelia.yaml-v6 secrets: passwd:
@@ -329,6 +326,18 @@ secrets: forgejo.ini: file: secrets/forgejo.ini name: forgejo.ini-v1 + jwt.secret: + file: secrets/jwt.secret + name: jwt.secret-v1 + storage.secret: + file: secrets/storage.secret + name: storage.secret-v1 + session.secret: + file: secrets/session.secret + name: session.secret-v1 + users.yaml: + file: secrets/users.yaml + name: users.yaml-v2 networks: hostnet:
diff --git a/homelab/unused/jellyfin.yaml b/homelab/unused/jellyfin.yaml
index 8411daf..70a602d 100644
--- a/homelab/unused/jellyfin.yaml
+++ b/homelab/unused/jellyfin.yaml
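Review bot: The `@@ -41` hunk deletes the `simpleauth` service, but the `passwd` secret it consumed is still declared (visible as context `passwd:` at the end of the `@@ -312` hunk) and `simpleauth.key` is presumably still declared in the unshown lines between the `@@ -312` and `@@ -329` hunks; unless another service reads them, drop both entries in the same commit so stale credential files stop being distributed with the stack. In the new `authelia` service the three `AUTHELIA_*_FILE` variables match the `secrets:` list, and `/srv/sys/authelia` is the bind mount that backs `storage.local.path` in `authelia.yaml`; a comment on that `volumes` entry, e.g. `# sqlite store for authelia.yaml storage.local.path`, ties the two together. The `services:` mapping this hunk sits in starts before and ends after the hunk.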
@@ -1,47 +1,363 @@ version: "3.8" services: - jellyfin: - image: ghcr.io/linuxserver/jellyfin:latest + coredns: + image: coredns/coredns + networks: + - hostnet + configs: + - source: Corefile + target: /Corefile + + caddy: + image: caddy:2-alpine ports: - - target: 8096 - published: 8096 - - target: 7359 - published: 7359 - protocol: udp - - target: 1900 - published: 1900 - protocol: udp + - target: 443 + published: 443 + mode: host + - target: 80 + published: 80 + mode: host + volumes: + - type: bind + source: /srv + target: /srv + read_only: true + - type: bind + source: /srv/sys/caddy + target: /data/caddy + configs: + - source: Caddyfile + target: /etc/caddy/Caddyfile + - source: index.html + target: /www/index.html + - source: index.mjs + target: /www/index.mjs + - source: deergrove.png + target: /www/deergrove.png + - source: index.css + target: /www/index.css + - source: browser.html + target: /browser.html + extra_hosts: + - host.docker.internal:host-gateway + + authelia: + image: authelia/authelia + environment: + AUTHELIA_JWT_SECRET_FILE: /run/secrets/jwt.secret + AUTHELIA_SESSION_SECRET_FILE: /run/secrets/session.secret + AUTHELIA_STORAGE_ENCRYPTION_FILE: /run/secrets/storage.secret + secrets: + - jwt.secret + - session.secret + - storage.secret + - users.yaml + configs: + - source: authelia.yaml + target: /config/configuration.yml + volumes: + - type: bind + source: /srv/sys/authelia + target: /srv/sys/authelia + + jellyfin: + image: jellyfin/jellyfin environment: TZ: US/Mountain volumes: - type: bind - source: /mnt/ext/srv/jellyfin + source: /srv/sys/jellyfin/config target: /config - type: bind - source: /media - target: /media + source: /srv/sys/jellyfin/cache + target: /cache + - type: bind + source: /srv/media + target: /srv/media read_only: true + + plex: + image: ghcr.io/linuxserver/plex:1.29.2 + networks: + - hostnet + environment: + TZ: US/Mountain + VERSION: public + volumes: + - type: bind + source: /srv/sys/plex + target: /config + - type: 
bind + source: /srv + target: /srv + read_only: true + + transmission: + image: lscr.io/linuxserver/transmission + volumes: + - type: bind + source: /srv/sys/transmission + target: /config + - type: bind + source: /srv/incoming + target: /srv/incoming + networks: + - hostnet + + sonarr: + image: lscr.io/linuxserver/sonarr + extra_hosts: + - host.docker.internal:host-gateway + volumes: + - type: bind + source: /srv/sys/sonarr + target: /config + - type: bind + source: /srv/media/tv + target: /srv/media/tv + - type: bind + source: /srv/incoming + target: /srv/incoming + radarr: + image: lscr.io/linuxserver/radarr + extra_hosts: + - host.docker.internal:host-gateway + volumes: + - type: bind + source: /srv/sys/radarr + target: /config + - type: bind + source: /srv/media/movies + target: /srv/media/movies + - type: bind + source: /srv/incoming + target: /srv/incoming + lidarr: + image: lscr.io/linuxserver/lidarr + extra_hosts: + - host.docker.internal:host-gateway + volumes: + - type: bind + source: /srv/sys/lidarr + target: /config + - type: bind + source: /srv/media/music + target: /srv/media/music + - type: bind + source: /srv/incoming + target: /srv/incoming + readarr: + image: lscr.io/linuxserver/readarr:develop + extra_hosts: + - host.docker.internal:host-gateway + volumes: + - type: bind + source: /srv/sys/readarr + target: /config + - type: bind + source: /srv/media/books + target: /srv/media/books + - type: bind + source: /srv/media/audiobooks + target: /srv/media/audiobooks + - type: bind + source: /srv/incoming + target: /srv/incoming + prowlarr: + image: lscr.io/linuxserver/prowlarr:latest + extra_hosts: + - host.docker.internal:host-gateway + volumes: + - type: bind + source: /srv/sys/prowlarr + target: /config + + nzbget: + image: lscr.io/linuxserver/nzbget + volumes: + - type: bind + source: /srv/sys/nzbget + target: /config + - type: bind + source: /srv/incoming + target: /srv/incoming + + forgejo: + image: codeberg.org/forgejo/forgejo:1.18-rootless + 
secrets: + - source: forgejo.ini + target: /etc/gitea/app.ini + uid: "1000" + gid: "1000" + mode: 0400 + volumes: + - type: bind + source: /srv/sys/forgejo + target: /data + - type: bind + source: /etc/timezone + target: /etc/timezone + read_only: true + - type: bind + source: /etc/localtime + target: /etc/localtime + read_only: true + + atlas: + image: ctassisf/ripe-atlas-alpine:arm64v8 + volumes: + - type: bind + source: /srv/sys/atlas/etc + target: /var/atlas-probe/etc + - type: bind + source: /srv/sys/atlas/status + target: /var/atlas-probe/status + + geneweb: + image: ravermeister/geneweb + volumes: + - type: bind + source: /srv/sys/geneweb/etc + target: /usr/local/share/geneweb/etc + - type: bind + source: /srv/sys/geneweb/share/data + target: /usr/local/share/geneweb/share/data + - type: bind + source: /srv/sys/geneweb/log + target: /usr/local/share/geneweb/log + + samba: + image: dperson/samba + volumes: + - type: bind + source: /srv + target: /srv bind: propagation: rslave - - type: bind - source: /dev/video10 - target: /dev/video10 - - type: bind - source: /dev/video11 - target: /dev/video11 - - type: bind - source: /dev/video12 - target: /dev/video12 - - type: bind - source: /dev/video13 - target: /dev/video13 - - type: bind - source: /dev/video14 - target: /dev/video14 - - type: bind - source: /dev/video15 - target: /dev/video15 - - type: bind - source: /dev/video16 - target: /dev/video16 + environment: + NMBD: enable + RECYCLE: disable + USERID: 911 + GROUPID: 911 + # name;path;browse;readonly;guest + SHARE1: drive;/srv;yes;no;no + SHARE2: retropie;/srv/media/games/retropie;yes;yes;yes + env_file: + - secrets/samba-users.env + ports: + - published: 139 + target: 139 + - published: 445 + target: 445 + + webdav: + image: micromata/dave + volumes: + - type: bind + source: /srv + target: /data + configs: + - source: dave.yaml + target: /config/config.yaml + user: "911:911" + + ddns: + image: qmcgaw/ddns-updater + dns: + - 1.1.1.1 + volumes: + - type: bind 
+ source: /srv/sys/ddns-updater + target: /updater/data + + tunnel: + deploy: + replicas: 0 + image: lscr.io/linuxserver/openssh-server + user: abc + entrypoint: + - /usr/bin/ssh + - -N + - -R 172.17.0.1:5880:caddy:80 # 172.17.0.1 = docker host IP + - -R :5822:host.docker.internal:22 + - -o ServerAliveInterval=30 + - core@melville.woozle.org + extra_hosts: + - host.docker.internal:host-gateway + secrets: + - source: tunnel + target: /config/.ssh/id_rsa + uid: "911" + gid: "911" + mode: 0600 + - source: known_hosts + target: /config/.ssh/known_hosts + uid: "911" + gid: "911" + mode: 0600 + + +configs: + dave.yaml: + file: dave.yaml + name: dave.yaml-v3 + Corefile: + file: Corefile + name: Corefile-v3 + Caddyfile: + file: Caddyfile + name: Caddyfile-v89 + index.html: + file: www/index.html + name: index.html-v36 + index.mjs: + file: www/index.mjs + name: index.mjs-v1 + index.css: + file: www/index.css + name: index.css-v1 + browser.html: + file: www/browser.html + name: browser.html-v3 + deergrove.png: + file: www/deergrove.png + name: deergrove.png-v1 + authelia.yaml: + file: authelia.yaml + name: authelia.yaml-v1 + +secrets: + passwd: + file: secrets/passwd + name: passwd-v2 + simpleauth.key: + file: secrets/simpleauth.key + name: simpleauth.key-v1 + tunnel: + file: secrets/tunnel + name: tunnel-v1 + known_hosts: + file: secrets/known_hosts + name: known_hosts-v1 + forgejo.ini: + file: secrets/forgejo.ini + name: forgejo.ini-v1 + jwt.secret: + file: secrets/jwt.secret + name: jwt.secret-v1 + storage.secret: + file: secrets/storage.secret + name: storage.secret-v1 + session.secret: + file: secrets/session.secret + name: session.secret-v1 + users.yaml: + file: secrets/users.yaml + name: users.yaml-v1 + +networks: + hostnet: + external: true + name: host +
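Review bot: The `authelia` service in this copy sets `AUTHELIA_STORAGE_ENCRYPTION_FILE`, while `docker-compose.yaml` in the same commit uses `AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE`; the latter is the name Authelia reads for the storage encryption key, so this copy would start Authelia without that key file configured and presumably fail on startup. The file also still declares the `simpleauth.key` secret whose consumer exists in neither compose file, and pins older config names (`Caddyfile-v89`, `Corefile-v3`, `authelia.yaml-v1`) than the live stack (`v101`, `v4`, `v6`), so it is a stale snapshot of the whole stack rather than the Jellyfin-only archive its path suggests. A header comment such as `# snapshot of the full stack as of <DATE>; not deployed` would keep the next reader from treating it as current, and if it is ever meant to be deployable the env line should read `AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/storage.secret`.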