commit 519335d856a8cbb1f8d6510d52983edb249628f4
Author: Quang Khai Nguyen
Date: Wed Apr 15 05:00:04 2026 +0000
Initial commit: working state
diff --git a/authelia/config/assets/logo.png b/authelia/config/assets/logo.png
new file mode 100644
index 0000000..75db1e0
Binary files /dev/null and b/authelia/config/assets/logo.png differ
diff --git a/authelia/config/configuration.yml b/authelia/config/configuration.yml
new file mode 100644
index 0000000..7f4fbc9
--- /dev/null
+++ b/authelia/config/configuration.yml
@@ -0,0 +1,119 @@ +server: + host: 0.0.0.0 + port: 9091 + asset_path: /config/assets/ + +log: + level: info + +# This is where your session cookie lives +session: + name: authelia_session + domain: quangkhai.ch # CHANGE THIS + same_site: lax + secret: "VeNuocNuocVe26!" # Generate a random string + expiration: 1h + inactivity: 5m + +# For local testing, we store users in a YAML file +authentication_backend: + file: + path: /config/users_database.yml + +# Where Authelia remembers who is logged in +storage: + local: + path: /config/db.sqlite3 + encryption_key: "BichDao2761!2761!2761!" # Generate a random string + +# How Traefik knows who can go where +access_control: + default_policy: deny + rules: + - domain: "auth.quangkhai.ch" + policy: bypass + - domain: "*.quangkhai.ch" + policy: one_factor + +# Required for password resets and 2FA emails +# For testing, this just logs emails to a file instead of sending them +notifier: + filesystem: + filename: /config/emails.txt + +identity_validation: + reset_password: + jwt_secret: "pAN9YQfbwLvjhbK0ti2iNAl9RU9S96VL" # This fixes your current error + +identity_providers: + oidc: + jwks: + - key_id: 'main-key' + algorithm: 'RS256' + key: | + -----BEGIN PRIVATE KEY----- + MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDKFMW0cNbQJq0h + r+e8Hl8gV4M33A/6q0ByJBGWOsVicV3LaCwcGEwXMOMqOfFtSSJ1TiCx6hxM029o + uxss+zBSCMNGHVan5ewE6xQsnzkDQdKxw3ygk2Y0TINbEKpwLQIhAtwYyu7lR5aB + stJjVYb/Efzp/loIwe6/X7TYNqwo5Xf946de7xEtYwPaBFajvv+vwOK0XqfIZ7MK + t+GvOYb0IlgmgpDEh8pHc+o4CS7pd8X9IueZnI3f3vR90E6HNXLOuz6GA/Ud0uiX + U4LKKW2pmIHW1X+WIPI9B7a2EnSNU/5vPW+If+eTDwV87SsfvGSK/16NEBc/65tg + fyqoOABJVYgrDAo3GuUF8aZj4tkigrCorrtTY4ZPgTZZPoCkhwJpgkB10kn2N3sr + xgf8eVb/pnCDWeLCdIqdhhnX0W8+ds7itX3DhwK95ozcij+I8P+AI+PUDKSAcMHe + x09tALiSg5KmjZRHgIdGnmFSp2heLw2Ikx0AngAMkVjm9Pf0Nb8mGPVrJ3OkrV1w + fJf2hoy/W/Xj/CiSKZgTMy8gcscdpnn0/ghXJe2R1Rp4eLJNJ0mtzOodZbTqVhGg + HjQEDkwUcBIAuUDvk3WMP2JBIqBHuK6GJ3/IPWwfV4XK5SAgOHUW7nXAbd1f2o6y + 
UdpDIWcWObJhlO3q0SPCOavxI0rSAwIDAQABAoICAEn3WHY3ZylBPtW5wSSGKWN5 + JLppfh/OVwRwV0+Zq23g+Ofe9WZDLna+mid2lfvebRJqymTUwA8OxRSch9HrD0C3 + nGIpkvJZog4azYOXtBKRIUGXwCI2UY6LAvluHDR7BPB4T39zqAWcMma+wWtCfusV + 9nDffKz/7xd1PIh3WoSNmWIA1d5Vuv/V4i8Gr3+4BXabL1+91cPw0QP3UlAEynTJ + rWJLIBoPaebFctGX6ufhw0JoaEU9nGB5BxyWBmhPE/q/Zp8/C5UjAaeCFblReKY/ + ACdWdiDJZmEYVbRHBQpF2Dd3UT+xMV4OfX/Af6xaFKMb3cvcO+ZVosWrRj3UYaXP + MZ7fW+J9f4SlLxaxQp3U+uO0VXykAo1oXRKO3rgLIsP/aQabRs+VkZ8BdwGkqQoq + uuHEJOZJLXfJbunYONyrS02rZLCJ6ajR4rF5MRTnGbKsqroMOfjSQhJAcwYhocSy + 2wBq0McLYrMz0aTjtHhB/qngrpzcWAn8PouPg5pAKi5sYukClAYBzVYkpi6yT0rk + Mc/kXnwkAj2wfwaHpA1jEUp2WWNEZtqtIWuc7Fx9riXaklmtK36YK4YX+KST3eA2 + pZWHU7GuXcdT2zXjpIWO4tUxqWMhNhV1svxVA8kW8tmzSiS74ZQ/JJf0ZP8p6rzz + 8TkYkC3MQP05fyF3guvhAoIBAQDWcQAW6v+bKcOQfNwpqXrYF6NKtEGkiNr11k5X + qeGMG4sbP2ZvcCrFtGit13QlAvnPNG+PPOyl4iQ14qJ3aB9SLAPPYh12j7QL7CyU + unWrdFFrB3ac/EVvmbnYbnOBVLUlb1/GZkoQAksm+jpNi+VNiUXgQtRXgp+uMeAu + JpAInLPdMpA/QLI/xotKya5HulJYPPDdxffIej8QZ44pdsRdMX1Kr25YIdfSneaL + q/+d2piURQL2MenDYknUHFzdYTcE+k4hLpcRF20AjpHh1dI70mgEcSQ7ZZ4g03Tn + TAgufzzHEV40MsqzRJyecmZ2Du7H+3TDdX03Z9NoP+Rm8eiHAoIBAQDxPov6FkZ3 + ujY/p6yv/ofePhaaL5zOwCPgK3ZkB3ryE//NyTPhk4raeix1UDdwblTF+j9CJVF+ + tMH65W0GrAQTxlWK8aT4Iu03GFlCzPCFjEYBKMpNQBpuXVP9uHqUQ/6dcoNgKSV6 + qRyF0n2Xs57C9qpv/2Fj72CiAT/p9Yd7VZn9w5DewQGl8dJDOBHw5Scus6fLNBxA + mwO0KtTZ6c0btNYLf+izDOvIuouKVIjv0HWPeF0Tonc/zgxb8xBIlUZMFPa24R2e + 2KlH717XU2OmhOe/RIwTLEw9erEWdU3W3QsjCiQXtGZGOq8caHbeuG13dEcrcXHd + XWflvN6E5DWlAoIBAQC3eKci9J0NHIZ+MNYNrzuzd0X2vJMNOypb+6e7yVV4knhK + L8xsvANcdCa71gNBR3KEndB1NSMkKn/guq9WineBzrbT0JZ0wi7BpKff+EiFEVg3 + woLxfcXK3jPrwVSB6v+xr8C59vqXB99U0fLgNjlSRYjLf2I+HTyRxYqQ8d16ANjD + AGf6NlhLyIuUyUmbhQa/CCTtGlwN4sniNzeiskL/mUAhjkdSkGIfiYmfJuHlJQo2 + kXUfP0VKLeYM3Nd3cZ2pXJ9MNJh7vxc7yr92AYOGO1dTtZnSV/cbDtCOtLarUaGm + kG2RK4PSLXny9t5DVDNoVvRn5zXjGan/H+tDSOYxAoIBAQCph8HIanT02EgdLZDe + UOlcFZe+nKz+YeoUM5bMLrGIguNl0voBkLSoWej6O/fpq68pPXXM3vrJJu+WiDm4 + 
0ZM/7kXZEX1T3v+CkzrPBcQUpYHgeLDJ3r10R2OpzkVeAfZg4MNQBTpQW50uscAO + pmxwJ/WYJQhkuSjYUDaBDEk8M+i2ewNIdqvY2PpgwHtjJTYGzLuiwikEgar1po/T + 30iDKu6sQCPgB7l+YxGCkWt107F5tCT8klRo4zyuNT6BM12mQ6ko1UQCh9FWOvIU + MYa603UkZWBmbN/a6GigFqkv0EBuTEcW3XBt8/lw5jx6wXIz2uPUtLFG1cgYm0Ro + cRL9AoIBAQDUNHK6/5AHOcIWI3c/tdvmQZO5Tc710NjIZRGrVzUYqZyCqfza3F0s + 8+PXZ+hiaq10MN05Pe+coa2aTDu0WNSakEZLvMseCRbBhvMebQxJtE+33Bz+nQwG + Q0bULzGM3vdPyu94vTPsWZnig2O56ooZmmWnhwWRzRXYi/S91h9HSBcbpt+ITMJd + sMIHdegQy6ozUSjp9ctXAMGkeAp0fiMOXubVEHri2w6vG2HbMYIRKt2kYlW2GE15 + VH4OjYTkdm0vzMREd3F5Y+5MHu5tnp4BHuKeU2QY9AjFG4XafaRZ8kaECtzmW2F/ + F9hsZX2RVgZ8jEegKbkIrEwAdfeIeDTI + -----END PRIVATE KEY----- + clients: + - id: gitea + description: Gitea Self-Hosted Git + secret: '$argon2id$v=19$m=65536,t=3,p=4$7jFW+gDdYzZFb1sLiFWrmw$+QRLY295XCR+dcYs/NLTvP30luloaqZpXFLc6d2DRZU' # Erzeugt mit: authelia crypto hash generate argon2 + public: false + authorization_policy: 'one_factor' # oder 'two_factor' + redirect_uris: + - https://gitea.quangkhai.ch/user/oauth2/authelia/callback + scopes: + - openid + - profile + - email + - groups + userinfo_signed_response_alg: 'none' diff --git a/authelia/config/db.sqlite3 b/authelia/config/db.sqlite3 new file mode 100644 index 0000000..4c923e8 Binary files /dev/null and b/authelia/config/db.sqlite3 differ diff --git a/authelia/config/emails.txt b/authelia/config/emails.txt new file mode 100644 index 0000000..e69de29 diff --git a/authelia/config/users_database.yml b/authelia/config/users_database.yml new file mode 100644 index 0000000..1c03f7b --- /dev/null +++ b/authelia/config/users_database.yml 
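Review bot: The session `secret`, the storage `encryption_key`, the reset-password `jwt_secret` and the complete RSA private key under `identity_providers.oidc.jwks` are committed in plaintext in this hunk (the `# Generate a random string` comments notwithstanding), and the session secret `VeNuocNuocVe26!` is the same string used as `FRITZ_PASSWORD` in prometheus/docker-compose.yml in this commit. Because they are now in git history, all four must be rotated regardless of how the file is cleaned up; the three string secrets can then be supplied through Authelia's file-based secret variables (`AUTHELIA_SESSION_SECRET_FILE`, `AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE`, `AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE`) and the JWKS key read from a file mounted outside the repository. Separately, `access_control.rules` grants `bypass` to `auth.quangkhai.ch` and `one_factor` to every other `*.quangkhai.ch` host with no subject restriction, so any account in users_database.yml — currently two `admins` accounts still on the literal password `password` — reaches every protected service; consider `policy: two_factor` and `subject: ['group:admins']` on the wildcard rule. The OIDC block also appears to lack `hmac_secret`, which recent Authelia releases require next to `jwks`; confirm against the version that `:latest` actually resolves to.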
@@ -0,0 +1,17 @@
+users:
+ admin:
+ displayname: "Admin User"
+ password: "$argon2id$v=19$m=65536,t=3,p=4$IoJjIPmtn81rI0te8lV5Yw$tptaXFfI1NOsPctEzyAYiRblzFNsWgbS9Gh160OkoqQ"
+ # The above is 'password' hashed. Change it later via the UI!
+ email: qngkhai.nguyen@gmail.com
+ groups:
+ - admins
+ - dev
+ quangkhai:
+ displayname: "Quang Khai Nguyen"
+ password: "$argon2id$v=19$m=65536,t=3,p=4$IoJjIPmtn81rI0te8lV5Yw$tptaXFfI1NOsPctEzyAYiRblzFNsWgbS9Gh160OkoqQ"
+ # The above is 'password' hashed. Change it later via the UI!
+ email: qngkhai.nguyen@gmail.com
+ groups:
+ - admins
+ - dev
diff --git a/authelia/docker-compose.yml b/authelia/docker-compose.yml
new file mode 100644
index 0000000..28c1536
--- /dev/null
+++ b/authelia/docker-compose.yml
@@ -0,0 +1,28 @@
+networks:
+ proxy_tier:
+ name: proxy_tier
+ external: true
+
+services:
+ authelia:
+ image: authelia/authelia:latest
+ container_name: authelia
+ volumes:
+ - ./config:/config
+ networks:
+ - proxy_tier
+ environment:
+ - TZ=UTC
+ restart: unless-stopped
+ labels:
+ - "traefik.enable=true"
+ # The URL where you will actually log in
+ - "traefik.http.routers.authelia.rule=Host(`auth.quangkhai.ch`)"
+ - "traefik.http.routers.authelia.entrypoints=websecure"
+ - "traefik.http.routers.authelia.tls.certresolver=myresolver"
+ - "traefik.http.services.authelia.loadbalancer.server.port=9091"
+
+# --- ADD THESE THREE LINES BELOW ---
+ - "traefik.http.middlewares.authelia-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.quangkhai.ch/"
+ - "traefik.http.middlewares.authelia-auth.forwardauth.trustForwardHeader=true"
+ - "traefik.http.middlewares.authelia-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
diff --git a/prometheus/docker-compose.yml b/prometheus/docker-compose.yml
new file mode 100755
index 0000000..814e3c5
--- /dev/null
+++ b/prometheus/docker-compose.yml
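Review bot: Both `admin` and `quangkhai` carry the identical argon2id hash (same salt, so it was copy-pasted), and the in-line comment states it is the hash of `'password'`, so this commit ships two `admins`-group accounts with a known password; both also share the same `email`, so a reset for either lands in the same place — here the `emails.txt` file that the `notifier.filesystem` setting in configuration.yml writes into the mounted `./config` directory. Generate a distinct hash per account with `authelia crypto hash generate argon2` before the stack is reachable, and consider whether the `admin` account is needed at all. Since `db.sqlite3` and `emails.txt` are also added by this commit, add `authelia/config/db.sqlite3` and `authelia/config/emails.txt` to `.gitignore` so session state and reset tokens never land in history again.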
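Review bot: The three `traefik.http.middlewares.authelia-auth.forwardauth.*` labels under `# --- ADD THESE THREE LINES BELOW ---` declare the same Docker-provider middleware that traefik/docker-compose.yaml in this commit already declares on the traefik container; a middleware name should be defined once, because two definitions that ever drift apart become a configuration conflict in Traefik and it is unclear which copy wins, so delete them from one of the two files (the Authelia service is the natural owner). `image: authelia/authelia:latest` is unpinned, which for the component minting sessions and OIDC tokens means unreviewed upgrades on every pull; pin it to an explicit release tag and bump deliberately. The `environment` block is also where the `_FILE` secret variables would go once the plaintext secrets are removed from configuration.yml, so a comment such as `# secrets are injected via AUTHELIA_*_FILE, not stored in configuration.yml` would help the next reader.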
@@ -0,0 +1,78 @@
+
+
+volumes:
+ prometheus_data: {}
+ grafana_data: {}
+ influxdb_data: {}
+
+networks:
+ front-tier:
+ back-tier:
+ proxy_tier:
+ name: proxy_tier
+ external: true
+
+services:
+
+ fritz-exporter:
+ image: pdreker/fritz_exporter:2
+ container_name: fritz-exporter
+ restart: always
+ environment:
+ FRITZ_HOSTNAME: '192.168.178.1'
+ FRITZ_USERNAME: 'fritz9297'
+ FRITZ_PASSWORD: 'VeNuocNuocVe26!'
+ ports:
+ - "9787:9787"
+ networks:
+ - back-tier
+
+ prometheus:
+ image: prom/prometheus:latest
+ volumes:
+ - ./prometheus/:/etc/prometheus/
+ - prometheus_data:/prometheus
+ - ./web.yml:/etc/config/web.yml
+ command:
+ - '--config.file=/etc/prometheus/prometheus.yml'
+ - '--storage.tsdb.path=/prometheus'
+ - '--web.console.libraries=/usr/share/prometheus/console_libraries'
+ - '--web.console.templates=/usr/share/prometheus/consoles'
+# - '--web.config.file=/etc/config/web.yml'
+ ports:
+ - 9090:9090
+ networks:
+ - back-tier
+ restart: always
+# deploy:
+# placement:
+# constraints:
+# - node.hostname == ${HOSTNAME}
+
+ grafana:
+ image: grafana/grafana
+ user: "472"
+ depends_on:
+ - prometheus
+ ports:
+ - 3300:3000
+ expose:
+ - "3000"
+ volumes:
+ - grafana_data:/var/lib/grafana
+ - ./grafana/provisioning/:/etc/grafana/provisioning/
+ env_file:
+ - ./grafana/config.monitoring
+ networks:
+ - back-tier
+ - front-tier
+ - proxy_tier
+ restart: always
+ labels:
+ - "traefik.enable=true"
+ # HTTP to HTTPS Redirect
+ - "traefik.http.routers.grafana.entrypoints=websecure"
+ - "traefik.http.routers.grafana.rule=Host(`grafana.quangkhai.ch`)"
+ - "traefik.http.routers.grafana.tls.certresolver=myresolver"
+ - "traefik.http.services.grafana.loadbalancer.server.port=3000"
+ - "traefik.docker.network=proxy_tier"
diff --git a/prometheus/prometheus/prometheus.yml b/prometheus/prometheus/prometheus.yml
new file mode 100755
index 0000000..ba54cad
--- /dev/null
+++ b/prometheus/prometheus/prometheus.yml
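Review bot: `FRITZ_PASSWORD: 'VeNuocNuocVe26!'` commits the router's admin credential in plaintext (and the same string is the Authelia session secret in this commit's configuration.yml), while `- "9787:9787"`, `- 9090:9090` and `- 3300:3000` publish the exporter, Prometheus and Grafana directly on the host even though they already sit on `back-tier` and Grafana is routed through Traefik; with `--web.config.file` commented out, Prometheus's HTTP API and all scraped data are reachable unauthenticated from anything that can reach the host. Rotate the Fritz!Box credential and move it to an `env_file` or Docker secret (the grafana service already uses `env_file`, so the pattern exists here), drop the host port mappings that are not needed from outside the compose network, and for Prometheus re-enable `- '--web.config.file=/etc/config/web.yml'` with `basic_auth_users` in web.yml if it must stay published. Quoting the remaining mappings (`"9090:9090"`, `"3300:3000"`) would also match `"9787:9787"` and avoid YAML's sexagesimal parsing of low port numbers. `image: prom/prometheus:latest` and `image: grafana/grafana` are unpinned; pin both so upgrades are deliberate.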
@@ -0,0 +1,53 @@
+# my global config
+global:
+ scrape_interval: 15s # By default, scrape targets every 15 seconds.
+ evaluation_interval: 15s # By default, scrape targets every 15 seconds.
+ # scrape_timeout is set to the global default (10s).
+
+ # Attach these labels to any time series or alerts when communicating with
+ # external systems (federation, remote storage, Alertmanager).
+ external_labels:
+ monitor: 'my-project'
+
+# Load and evaluate rules in this file every 'evaluation_interval' seconds.
+rule_files:
+ - 'alert.rules'
+ # - "first.rules"
+ # - "second.rules"
+
+# alert
+alerting:
+ alertmanagers:
+ - scheme: http
+ static_configs:
+ - targets:
+ - "alertmanager:9093"
+
+# A scrape configuration containing exactly one endpoint to scrape:
+# Here it's Prometheus itself.
+scrape_configs:
+ # The job name is added as a label `job=` to any timeseries scraped from this config.
+ # Override the global default and scrape targets
+ - job_name: 'fritz-exporter'
+ scrape_interval: 15s
+ static_configs:
+ - targets: ['fritz-exporter:9787']
+
+
+ - job_name: 'cadvisor'
+
+ # Override the global default and scrape targets from this job every 5 seconds.
+ scrape_interval: 15s
+
+ static_configs:
+ - targets: ['192.168.1.7:8080']
+ labels:
+ room: 'serverroom'
+ host: 'olivia'
+
+ - job_name: node
+ static_configs:
+ - targets: ['192.168.1.7:9100']
+ labels:
+ room: 'serverroom'
+ host: 'olivia'
diff --git a/traefik/docker-compose.yaml b/traefik/docker-compose.yaml
new file mode 100644
index 0000000..4e7e4f5
--- /dev/null
+++ b/traefik/docker-compose.yaml
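Review bot: `alerting.alertmanagers` targets `alertmanager:9093` and `rule_files` loads `alert.rules`, but neither an `alertmanager` service nor an `alert.rules` file is added anywhere in this commit, so unless both live in another compose file on `back-tier`, Prometheus will log resolution failures for every evaluation and alerts go nowhere; either add them or drop the `alerting` block and the rule entry until they exist. The comments `# A scrape configuration containing exactly one endpoint to scrape:` / `# Here it's Prometheus itself.` and `# Override the global default and scrape targets from this job every 5 seconds.` are carried over from the upstream example and no longer describe this file (three jobs, all at 15s, and Prometheus itself is not scraped); replace them with something accurate such as `# Scrape jobs: Fritz!Box exporter (compose network), cAdvisor and node_exporter on olivia.` The cAdvisor and node targets are scraped over plain HTTP without authentication, which is acceptable on a trusted LAN but worth stating in a comment so nobody later exposes those ports beyond it.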
@@ -0,0 +1,46 @@
+services:
+ traefik:
+ image: traefik:v3.6
+ container_name: traefik
+ command:
+ #- "--api.dashboard=true"
+ - "--api.insecure=true"
+ - "--providers.docker=true"
+ - "--providers.docker.exposedbydefault=false"
+
+# - "--entrypoints.https.address=:443"
+
+ # Entrypoints
+ - "--entrypoints.web.address=:80"
+ - "--entrypoints.websecure.address=:443"
+ - "--entrypoints.mqtt-secure.address=:8883"
+ # Global HTTP -> HTTPS Redirection
+ - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
+ - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
+ # Certificates Resolution (Let's Encrypt)
+ - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
+ - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
+ - "--certificatesresolvers.myresolver.acme.email=olivia@quangkhai.ch"
+ - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
+ - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
+ ports:
+ - "80:80"
+ - "443:443"
+ - "8080:8080" # Traefik Dashboard
+ - "8883:8883" # MQTT TLS
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - ./letsencrypt:/letsencrypt
+ networks:
+ - proxy_tier
+ labels:
+ # THE MIDDLEWARE DEFINITION
+ - "traefik.http.middlewares.authelia-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.quangkhai.ch/"
+ - "traefik.http.middlewares.authelia-auth.forwardauth.trustForwardHeader=true"
+ - "traefik.http.middlewares.authelia-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
+
+
+networks:
+ proxy_tier:
+ name: proxy_tier
+ external: true
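Review bot: `- "--api.insecure=true"` combined with `- "8080:8080" # Traefik Dashboard` publishes the Traefik API and dashboard with no authentication on every host interface; the API enumerates every router, service and middleware — including the `authelia-auth` forward-auth address and all backend host names — and this lands in the same commit that introduces Authelia, which is exactly the component that should be guarding it. Remove the `8080:8080` mapping and the `--api.insecure=true` flag, uncomment `--api.dashboard=true`, and expose the dashboard only through a `websecure` router bound to `api@internal` and chained to the `authelia-auth` middleware, as sketched below (the host name is an example; `*.quangkhai.ch` is already covered by the Authelia `one_factor` rule). The resolver also enables both `acme.httpchallenge=true` and `acme.tlschallenge=true`; Traefik honours a single challenge type per resolver, so keep only the one you intend. The `./letsencrypt/acme.json` file must be mode 0600 or Traefik will refuse to use it — worth a comment next to the volume mount, e.g. `# acme.json must be chmod 600`.
```yaml
    command:
      - "--api.dashboard=true"
      # … unchanged: providers, entrypoints, redirection, ACME resolver …
    ports:
      - "80:80"
      - "443:443"
      - "8883:8883" # MQTT TLS
    # … unchanged: volumes, networks …
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.quangkhai.ch`)"
      - "traefik.http.routers.dashboard.entrypoints=websecure"
      - "traefik.http.routers.dashboard.tls.certresolver=myresolver"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.middlewares=authelia-auth@docker"
      # … unchanged: authelia-auth forwardauth middleware definition …
```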