Initial commit: working state

2026-04-15 05:00:04 +00:00
commit 519335d856
9 changed files with 341 additions and 0 deletions
@@ -0,0 +1,119 @@
+server:
+  host: 0.0.0.0
+  port: 9091
+  asset_path: /config/assets/
+
+log:
+  level: info
+
+# This is where your session cookie lives
+session:
+  name: authelia_session
+  domain: quangkhai.ch # CHANGE THIS
+  same_site: lax
+  secret: "VeNuocNuocVe26!" # Generate a random string
+  expiration: 1h
+  inactivity: 5m
+
+# For local testing, we store users in a YAML file
+authentication_backend:
+  file:
+    path: /config/users_database.yml
+
+# Where Authelia remembers who is logged in
+storage:
+  local:
+    path: /config/db.sqlite3
+  encryption_key: "BichDao2761!2761!2761!" # Generate a random string
+
+# How Traefik knows who can go where
+access_control:
+  default_policy: deny
+  rules:
+    - domain: "auth.quangkhai.ch"
+      policy: bypass
+    - domain: "*.quangkhai.ch"
+      policy: one_factor
+
+# Required for password resets and 2FA emails
+# For testing, this just logs emails to a file instead of sending them
+notifier:
+  filesystem:
+    filename: /config/emails.txt
+
+identity_validation:
+  reset_password:
+    jwt_secret: "pAN9YQfbwLvjhbK0ti2iNAl9RU9S96VL" # This fixes your current error
+
+identity_providers:
+  oidc:
+    jwks:
+      - key_id: 'main-key'
+        algorithm: 'RS256'
+        key: |
+          -----BEGIN PRIVATE KEY-----
+          MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDKFMW0cNbQJq0h
+          r+e8Hl8gV4M33A/6q0ByJBGWOsVicV3LaCwcGEwXMOMqOfFtSSJ1TiCx6hxM029o
+          uxss+zBSCMNGHVan5ewE6xQsnzkDQdKxw3ygk2Y0TINbEKpwLQIhAtwYyu7lR5aB
+          stJjVYb/Efzp/loIwe6/X7TYNqwo5Xf946de7xEtYwPaBFajvv+vwOK0XqfIZ7MK
+          t+GvOYb0IlgmgpDEh8pHc+o4CS7pd8X9IueZnI3f3vR90E6HNXLOuz6GA/Ud0uiX
+          U4LKKW2pmIHW1X+WIPI9B7a2EnSNU/5vPW+If+eTDwV87SsfvGSK/16NEBc/65tg
+          fyqoOABJVYgrDAo3GuUF8aZj4tkigrCorrtTY4ZPgTZZPoCkhwJpgkB10kn2N3sr
+          xgf8eVb/pnCDWeLCdIqdhhnX0W8+ds7itX3DhwK95ozcij+I8P+AI+PUDKSAcMHe
+          x09tALiSg5KmjZRHgIdGnmFSp2heLw2Ikx0AngAMkVjm9Pf0Nb8mGPVrJ3OkrV1w
+          fJf2hoy/W/Xj/CiSKZgTMy8gcscdpnn0/ghXJe2R1Rp4eLJNJ0mtzOodZbTqVhGg
+          HjQEDkwUcBIAuUDvk3WMP2JBIqBHuK6GJ3/IPWwfV4XK5SAgOHUW7nXAbd1f2o6y
+          UdpDIWcWObJhlO3q0SPCOavxI0rSAwIDAQABAoICAEn3WHY3ZylBPtW5wSSGKWN5
+          JLppfh/OVwRwV0+Zq23g+Ofe9WZDLna+mid2lfvebRJqymTUwA8OxRSch9HrD0C3
+          nGIpkvJZog4azYOXtBKRIUGXwCI2UY6LAvluHDR7BPB4T39zqAWcMma+wWtCfusV
+          9nDffKz/7xd1PIh3WoSNmWIA1d5Vuv/V4i8Gr3+4BXabL1+91cPw0QP3UlAEynTJ
+          rWJLIBoPaebFctGX6ufhw0JoaEU9nGB5BxyWBmhPE/q/Zp8/C5UjAaeCFblReKY/
+          ACdWdiDJZmEYVbRHBQpF2Dd3UT+xMV4OfX/Af6xaFKMb3cvcO+ZVosWrRj3UYaXP
+          MZ7fW+J9f4SlLxaxQp3U+uO0VXykAo1oXRKO3rgLIsP/aQabRs+VkZ8BdwGkqQoq
+          uuHEJOZJLXfJbunYONyrS02rZLCJ6ajR4rF5MRTnGbKsqroMOfjSQhJAcwYhocSy
+          2wBq0McLYrMz0aTjtHhB/qngrpzcWAn8PouPg5pAKi5sYukClAYBzVYkpi6yT0rk
+          Mc/kXnwkAj2wfwaHpA1jEUp2WWNEZtqtIWuc7Fx9riXaklmtK36YK4YX+KST3eA2
+          pZWHU7GuXcdT2zXjpIWO4tUxqWMhNhV1svxVA8kW8tmzSiS74ZQ/JJf0ZP8p6rzz
+          8TkYkC3MQP05fyF3guvhAoIBAQDWcQAW6v+bKcOQfNwpqXrYF6NKtEGkiNr11k5X
+          qeGMG4sbP2ZvcCrFtGit13QlAvnPNG+PPOyl4iQ14qJ3aB9SLAPPYh12j7QL7CyU
+          unWrdFFrB3ac/EVvmbnYbnOBVLUlb1/GZkoQAksm+jpNi+VNiUXgQtRXgp+uMeAu
+          JpAInLPdMpA/QLI/xotKya5HulJYPPDdxffIej8QZ44pdsRdMX1Kr25YIdfSneaL
+          q/+d2piURQL2MenDYknUHFzdYTcE+k4hLpcRF20AjpHh1dI70mgEcSQ7ZZ4g03Tn
+          TAgufzzHEV40MsqzRJyecmZ2Du7H+3TDdX03Z9NoP+Rm8eiHAoIBAQDxPov6FkZ3
+          ujY/p6yv/ofePhaaL5zOwCPgK3ZkB3ryE//NyTPhk4raeix1UDdwblTF+j9CJVF+
+          tMH65W0GrAQTxlWK8aT4Iu03GFlCzPCFjEYBKMpNQBpuXVP9uHqUQ/6dcoNgKSV6
+          qRyF0n2Xs57C9qpv/2Fj72CiAT/p9Yd7VZn9w5DewQGl8dJDOBHw5Scus6fLNBxA
+          mwO0KtTZ6c0btNYLf+izDOvIuouKVIjv0HWPeF0Tonc/zgxb8xBIlUZMFPa24R2e
+          2KlH717XU2OmhOe/RIwTLEw9erEWdU3W3QsjCiQXtGZGOq8caHbeuG13dEcrcXHd
+          XWflvN6E5DWlAoIBAQC3eKci9J0NHIZ+MNYNrzuzd0X2vJMNOypb+6e7yVV4knhK
+          L8xsvANcdCa71gNBR3KEndB1NSMkKn/guq9WineBzrbT0JZ0wi7BpKff+EiFEVg3
+          woLxfcXK3jPrwVSB6v+xr8C59vqXB99U0fLgNjlSRYjLf2I+HTyRxYqQ8d16ANjD
+          AGf6NlhLyIuUyUmbhQa/CCTtGlwN4sniNzeiskL/mUAhjkdSkGIfiYmfJuHlJQo2
+          kXUfP0VKLeYM3Nd3cZ2pXJ9MNJh7vxc7yr92AYOGO1dTtZnSV/cbDtCOtLarUaGm
+          kG2RK4PSLXny9t5DVDNoVvRn5zXjGan/H+tDSOYxAoIBAQCph8HIanT02EgdLZDe
+          UOlcFZe+nKz+YeoUM5bMLrGIguNl0voBkLSoWej6O/fpq68pPXXM3vrJJu+WiDm4
+          0ZM/7kXZEX1T3v+CkzrPBcQUpYHgeLDJ3r10R2OpzkVeAfZg4MNQBTpQW50uscAO
+          pmxwJ/WYJQhkuSjYUDaBDEk8M+i2ewNIdqvY2PpgwHtjJTYGzLuiwikEgar1po/T
+          30iDKu6sQCPgB7l+YxGCkWt107F5tCT8klRo4zyuNT6BM12mQ6ko1UQCh9FWOvIU
+          MYa603UkZWBmbN/a6GigFqkv0EBuTEcW3XBt8/lw5jx6wXIz2uPUtLFG1cgYm0Ro
+          cRL9AoIBAQDUNHK6/5AHOcIWI3c/tdvmQZO5Tc710NjIZRGrVzUYqZyCqfza3F0s
+          8+PXZ+hiaq10MN05Pe+coa2aTDu0WNSakEZLvMseCRbBhvMebQxJtE+33Bz+nQwG
+          Q0bULzGM3vdPyu94vTPsWZnig2O56ooZmmWnhwWRzRXYi/S91h9HSBcbpt+ITMJd
+          sMIHdegQy6ozUSjp9ctXAMGkeAp0fiMOXubVEHri2w6vG2HbMYIRKt2kYlW2GE15
+          VH4OjYTkdm0vzMREd3F5Y+5MHu5tnp4BHuKeU2QY9AjFG4XafaRZ8kaECtzmW2F/
+          F9hsZX2RVgZ8jEegKbkIrEwAdfeIeDTI
+          -----END PRIVATE KEY-----
+    clients:
+      - id: gitea
+        description: Gitea Self-Hosted Git
+        secret: '$argon2id$v=19$m=65536,t=3,p=4$7jFW+gDdYzZFb1sLiFWrmw$+QRLY295XCR+dcYs/NLTvP30luloaqZpXFLc6d2DRZU' # Erzeugt mit: authelia crypto hash generate argon2
+        public: false
+        authorization_policy: 'one_factor' # oder 'two_factor'
+        redirect_uris:
+          - https://gitea.quangkhai.ch/user/oauth2/authelia/callback
+        scopes:
+          - openid
+          - profile
+          - email
+          - groups
+        userinfo_signed_response_alg: 'none'
@@ -0,0 +1,17 @@
+users:
+  admin:
+    displayname: "Admin User"
+    password: "$argon2id$v=19$m=65536,t=3,p=4$IoJjIPmtn81rI0te8lV5Yw$tptaXFfI1NOsPctEzyAYiRblzFNsWgbS9Gh160OkoqQ" 
+    # The above is 'password' hashed. Change it later via the UI!
+    email: qngkhai.nguyen@gmail.com
+    groups:
+      - admins
+      - dev
+  quangkhai:
+    displayname: "Quang Khai Nguyen"
+    password: "$argon2id$v=19$m=65536,t=3,p=4$IoJjIPmtn81rI0te8lV5Yw$tptaXFfI1NOsPctEzyAYiRblzFNsWgbS9Gh160OkoqQ"
+    # The above is 'password' hashed. Change it later via the UI!
+    email: qngkhai.nguyen@gmail.com
+    groups:
+      - admins
+      - dev
@@ -0,0 +1,28 @@
+networks:
+  proxy_tier:
+    name: proxy_tier
+    external: true
+
+services:
+  authelia:
+    image: authelia/authelia:latest
+    container_name: authelia
+    volumes:
+      - ./config:/config
+    networks:
+      - proxy_tier
+    environment:
+      - TZ=UTC
+    restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      # The URL where you will actually log in
+      - "traefik.http.routers.authelia.rule=Host(`auth.quangkhai.ch`)"
+      - "traefik.http.routers.authelia.entrypoints=websecure"
+      - "traefik.http.routers.authelia.tls.certresolver=myresolver"
+      - "traefik.http.services.authelia.loadbalancer.server.port=9091"
+
+# --- ADD THESE THREE LINES BELOW ---
+      - "traefik.http.middlewares.authelia-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.quangkhai.ch/"
+      - "traefik.http.middlewares.authelia-auth.forwardauth.trustForwardHeader=true"
+      - "traefik.http.middlewares.authelia-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"