services: add Authelia

authelia/authelia.env

@@ -0,0 +1,4 @@
+TZ=Europe/Paris
+AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/config/secrets/smtp
+AUTHELIA_JWT_SECRET_FILE=/config/secrets/jwt
+AUTHELIA_SESSION_SECRET_FILE=/config/secrets/session

authelia/configuration.yml

@@ -0,0 +1,49 @@
+host: 0.0.0.0
+port: 9091
+log_level: debug
+# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
+#jwt_secret: a_very_important_secret
+default_redirection_url: https://belanyi.fr
+totp:
+  issuer: authelia.belanyi.fr
+
+authentication_backend:
+  file:
+    path: /config/users_database.yml
+    password:
+      algorithm: argon2id
+      iterations: 1
+      salt_length: 16
+      parallelism: 8
+      memory: 1024
+
+access_control:
+  default_policy: two_factor
+  rules:
+    # Declare domain and policy for an override
+
+session:
+  name: authelia_session
+  # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
+  #secret: unsecure_session_secret
+  expiration: 3600 # 1 hour
+  inactivity: 300 # 5 minutes
+  domain: belanyi.fr # Should match whatever your root protected domain is
+
+regulation:
+  max_retries: 3
+  find_time: 120
+  ban_time: 300
+
+storage:
+  local:
+    path: /config/db.sqlite3
+
+notifier:
+  smtp:
+    username: brunobelanyi@gmail.com
+    # Password can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
+    #password: yourapppassword
+    sender: authelia@belanyi.fr
+    host: smtp.gmail.com
+    port: 587

authelia/users_database.yml

@@ -0,0 +1,8 @@
+users:
+  Ambroisie:
+    displayname: "Bruno BELANYI"
+    password: "$argon2id$v=19$m=1048576,p=8$IcNVZ732CMoCSof6$h5zBFhd3t1d9Mx11uW+BahR6kGAaN59RQZwW9i3Nq9Q"
+    email: brunobelanyi@gmail.com
+    groups:
+      - admins
+      - dev

docker-compose.yml

@@ -15,6 +15,17 @@ services:
       - 80:80
       - 443:443
 
+  authelia:
+    image: authelia/authelia
+    container_name: authelia
+    restart: unless-stopped
+    env_file:
+      - ./authelia/authelia.env
+    volumes:
+      - ./authelia:/config
+    expose:
+      - 9091
+
   freshrss:
     image: linuxserver/freshrss
     container_name: freshrss

letsencrypt/nginx/proxy-confs/authelia.subdomain.conf

@@ -0,0 +1,27 @@
+# make sure that your dns has a cname set for authelia
+# the default authelia-server and authelia-location confs included with letsencrypt rely on
+# subfolder proxy at "/authelia" and enabling of this proxy conf is not necessary.
+# But if you'd like to use authelia via subdomain, you can enable this proxy and set up your own
+# authelia-server and authelia-location confs as described in authelia docs.
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name auth.*;
+
+    include /config/nginx/ssl.conf;
+
+    client_max_body_size 0;
+
+    location / {
+
+        include /config/nginx/proxy.conf;
+        resolver 127.0.0.11 valid=30s;
+        set $upstream_app authelia;
+        set $upstream_port 9091;
+        set $upstream_proto http;
+        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+    }
+}