Initial commit: working state

2026-04-15 05:00:04 +00:00
commit 519335d856
9 changed files with 341 additions and 0 deletions
@@ -0,0 +1,119 @@
+server:
+  host: 0.0.0.0
+  port: 9091
+  asset_path: /config/assets/
+
+log:
+  level: info
+
+# This is where your session cookie lives
+session:
+  name: authelia_session
+  domain: quangkhai.ch # CHANGE THIS
+  same_site: lax
+  secret: "VeNuocNuocVe26!" # Generate a random string
+  expiration: 1h
+  inactivity: 5m
+
+# For local testing, we store users in a YAML file
+authentication_backend:
+  file:
+    path: /config/users_database.yml
+
+# Where Authelia remembers who is logged in
+storage:
+  local:
+    path: /config/db.sqlite3
+  encryption_key: "BichDao2761!2761!2761!" # Generate a random string
+
+# How Traefik knows who can go where
+access_control:
+  default_policy: deny
+  rules:
+    - domain: "auth.quangkhai.ch"
+      policy: bypass
+    - domain: "*.quangkhai.ch"
+      policy: one_factor
+
+# Required for password resets and 2FA emails
+# For testing, this just logs emails to a file instead of sending them
+notifier:
+  filesystem:
+    filename: /config/emails.txt
+
+identity_validation:
+  reset_password:
+    jwt_secret: "pAN9YQfbwLvjhbK0ti2iNAl9RU9S96VL" # This fixes your current error
+
+identity_providers:
+  oidc:
+    jwks:
+      - key_id: 'main-key'
+        algorithm: 'RS256'
+        key: |
+          -----BEGIN PRIVATE KEY-----
+          MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDKFMW0cNbQJq0h
+          r+e8Hl8gV4M33A/6q0ByJBGWOsVicV3LaCwcGEwXMOMqOfFtSSJ1TiCx6hxM029o
+          uxss+zBSCMNGHVan5ewE6xQsnzkDQdKxw3ygk2Y0TINbEKpwLQIhAtwYyu7lR5aB
+          stJjVYb/Efzp/loIwe6/X7TYNqwo5Xf946de7xEtYwPaBFajvv+vwOK0XqfIZ7MK
+          t+GvOYb0IlgmgpDEh8pHc+o4CS7pd8X9IueZnI3f3vR90E6HNXLOuz6GA/Ud0uiX
+          U4LKKW2pmIHW1X+WIPI9B7a2EnSNU/5vPW+If+eTDwV87SsfvGSK/16NEBc/65tg
+          fyqoOABJVYgrDAo3GuUF8aZj4tkigrCorrtTY4ZPgTZZPoCkhwJpgkB10kn2N3sr
+          xgf8eVb/pnCDWeLCdIqdhhnX0W8+ds7itX3DhwK95ozcij+I8P+AI+PUDKSAcMHe
+          x09tALiSg5KmjZRHgIdGnmFSp2heLw2Ikx0AngAMkVjm9Pf0Nb8mGPVrJ3OkrV1w
+          fJf2hoy/W/Xj/CiSKZgTMy8gcscdpnn0/ghXJe2R1Rp4eLJNJ0mtzOodZbTqVhGg
+          HjQEDkwUcBIAuUDvk3WMP2JBIqBHuK6GJ3/IPWwfV4XK5SAgOHUW7nXAbd1f2o6y
+          UdpDIWcWObJhlO3q0SPCOavxI0rSAwIDAQABAoICAEn3WHY3ZylBPtW5wSSGKWN5
+          JLppfh/OVwRwV0+Zq23g+Ofe9WZDLna+mid2lfvebRJqymTUwA8OxRSch9HrD0C3
+          nGIpkvJZog4azYOXtBKRIUGXwCI2UY6LAvluHDR7BPB4T39zqAWcMma+wWtCfusV
+          9nDffKz/7xd1PIh3WoSNmWIA1d5Vuv/V4i8Gr3+4BXabL1+91cPw0QP3UlAEynTJ
+          rWJLIBoPaebFctGX6ufhw0JoaEU9nGB5BxyWBmhPE/q/Zp8/C5UjAaeCFblReKY/
+          ACdWdiDJZmEYVbRHBQpF2Dd3UT+xMV4OfX/Af6xaFKMb3cvcO+ZVosWrRj3UYaXP
+          MZ7fW+J9f4SlLxaxQp3U+uO0VXykAo1oXRKO3rgLIsP/aQabRs+VkZ8BdwGkqQoq
+          uuHEJOZJLXfJbunYONyrS02rZLCJ6ajR4rF5MRTnGbKsqroMOfjSQhJAcwYhocSy
+          2wBq0McLYrMz0aTjtHhB/qngrpzcWAn8PouPg5pAKi5sYukClAYBzVYkpi6yT0rk
+          Mc/kXnwkAj2wfwaHpA1jEUp2WWNEZtqtIWuc7Fx9riXaklmtK36YK4YX+KST3eA2
+          pZWHU7GuXcdT2zXjpIWO4tUxqWMhNhV1svxVA8kW8tmzSiS74ZQ/JJf0ZP8p6rzz
+          8TkYkC3MQP05fyF3guvhAoIBAQDWcQAW6v+bKcOQfNwpqXrYF6NKtEGkiNr11k5X
+          qeGMG4sbP2ZvcCrFtGit13QlAvnPNG+PPOyl4iQ14qJ3aB9SLAPPYh12j7QL7CyU
+          unWrdFFrB3ac/EVvmbnYbnOBVLUlb1/GZkoQAksm+jpNi+VNiUXgQtRXgp+uMeAu
+          JpAInLPdMpA/QLI/xotKya5HulJYPPDdxffIej8QZ44pdsRdMX1Kr25YIdfSneaL
+          q/+d2piURQL2MenDYknUHFzdYTcE+k4hLpcRF20AjpHh1dI70mgEcSQ7ZZ4g03Tn
+          TAgufzzHEV40MsqzRJyecmZ2Du7H+3TDdX03Z9NoP+Rm8eiHAoIBAQDxPov6FkZ3
+          ujY/p6yv/ofePhaaL5zOwCPgK3ZkB3ryE//NyTPhk4raeix1UDdwblTF+j9CJVF+
+          tMH65W0GrAQTxlWK8aT4Iu03GFlCzPCFjEYBKMpNQBpuXVP9uHqUQ/6dcoNgKSV6
+          qRyF0n2Xs57C9qpv/2Fj72CiAT/p9Yd7VZn9w5DewQGl8dJDOBHw5Scus6fLNBxA
+          mwO0KtTZ6c0btNYLf+izDOvIuouKVIjv0HWPeF0Tonc/zgxb8xBIlUZMFPa24R2e
+          2KlH717XU2OmhOe/RIwTLEw9erEWdU3W3QsjCiQXtGZGOq8caHbeuG13dEcrcXHd
+          XWflvN6E5DWlAoIBAQC3eKci9J0NHIZ+MNYNrzuzd0X2vJMNOypb+6e7yVV4knhK
+          L8xsvANcdCa71gNBR3KEndB1NSMkKn/guq9WineBzrbT0JZ0wi7BpKff+EiFEVg3
+          woLxfcXK3jPrwVSB6v+xr8C59vqXB99U0fLgNjlSRYjLf2I+HTyRxYqQ8d16ANjD
+          AGf6NlhLyIuUyUmbhQa/CCTtGlwN4sniNzeiskL/mUAhjkdSkGIfiYmfJuHlJQo2
+          kXUfP0VKLeYM3Nd3cZ2pXJ9MNJh7vxc7yr92AYOGO1dTtZnSV/cbDtCOtLarUaGm
+          kG2RK4PSLXny9t5DVDNoVvRn5zXjGan/H+tDSOYxAoIBAQCph8HIanT02EgdLZDe
+          UOlcFZe+nKz+YeoUM5bMLrGIguNl0voBkLSoWej6O/fpq68pPXXM3vrJJu+WiDm4
+          0ZM/7kXZEX1T3v+CkzrPBcQUpYHgeLDJ3r10R2OpzkVeAfZg4MNQBTpQW50uscAO
+          pmxwJ/WYJQhkuSjYUDaBDEk8M+i2ewNIdqvY2PpgwHtjJTYGzLuiwikEgar1po/T
+          30iDKu6sQCPgB7l+YxGCkWt107F5tCT8klRo4zyuNT6BM12mQ6ko1UQCh9FWOvIU
+          MYa603UkZWBmbN/a6GigFqkv0EBuTEcW3XBt8/lw5jx6wXIz2uPUtLFG1cgYm0Ro
+          cRL9AoIBAQDUNHK6/5AHOcIWI3c/tdvmQZO5Tc710NjIZRGrVzUYqZyCqfza3F0s
+          8+PXZ+hiaq10MN05Pe+coa2aTDu0WNSakEZLvMseCRbBhvMebQxJtE+33Bz+nQwG
+          Q0bULzGM3vdPyu94vTPsWZnig2O56ooZmmWnhwWRzRXYi/S91h9HSBcbpt+ITMJd
+          sMIHdegQy6ozUSjp9ctXAMGkeAp0fiMOXubVEHri2w6vG2HbMYIRKt2kYlW2GE15
+          VH4OjYTkdm0vzMREd3F5Y+5MHu5tnp4BHuKeU2QY9AjFG4XafaRZ8kaECtzmW2F/
+          F9hsZX2RVgZ8jEegKbkIrEwAdfeIeDTI
+          -----END PRIVATE KEY-----
+    clients:
+      - id: gitea
+        description: Gitea Self-Hosted Git
+        secret: '$argon2id$v=19$m=65536,t=3,p=4$7jFW+gDdYzZFb1sLiFWrmw$+QRLY295XCR+dcYs/NLTvP30luloaqZpXFLc6d2DRZU' # Erzeugt mit: authelia crypto hash generate argon2
+        public: false
+        authorization_policy: 'one_factor' # oder 'two_factor'
+        redirect_uris:
+          - https://gitea.quangkhai.ch/user/oauth2/authelia/callback
+        scopes:
+          - openid
+          - profile
+          - email
+          - groups
+        userinfo_signed_response_alg: 'none'
@@ -0,0 +1,17 @@
+users:
+  admin:
+    displayname: "Admin User"
+    password: "$argon2id$v=19$m=65536,t=3,p=4$IoJjIPmtn81rI0te8lV5Yw$tptaXFfI1NOsPctEzyAYiRblzFNsWgbS9Gh160OkoqQ" 
+    # The above is 'password' hashed. Change it later via the UI!
+    email: qngkhai.nguyen@gmail.com
+    groups:
+      - admins
+      - dev
+  quangkhai:
+    displayname: "Quang Khai Nguyen"
+    password: "$argon2id$v=19$m=65536,t=3,p=4$IoJjIPmtn81rI0te8lV5Yw$tptaXFfI1NOsPctEzyAYiRblzFNsWgbS9Gh160OkoqQ"
+    # The above is 'password' hashed. Change it later via the UI!
+    email: qngkhai.nguyen@gmail.com
+    groups:
+      - admins
+      - dev
@@ -0,0 +1,28 @@
+networks:
+  proxy_tier:
+    name: proxy_tier
+    external: true
+
+services:
+  authelia:
+    image: authelia/authelia:latest
+    container_name: authelia
+    volumes:
+      - ./config:/config
+    networks:
+      - proxy_tier
+    environment:
+      - TZ=UTC
+    restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      # The URL where you will actually log in
+      - "traefik.http.routers.authelia.rule=Host(`auth.quangkhai.ch`)"
+      - "traefik.http.routers.authelia.entrypoints=websecure"
+      - "traefik.http.routers.authelia.tls.certresolver=myresolver"
+      - "traefik.http.services.authelia.loadbalancer.server.port=9091"
+
+# --- ADD THESE THREE LINES BELOW ---
+      - "traefik.http.middlewares.authelia-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.quangkhai.ch/"
+      - "traefik.http.middlewares.authelia-auth.forwardauth.trustForwardHeader=true"
+      - "traefik.http.middlewares.authelia-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
@@ -0,0 +1,78 @@
+
+
+volumes:
+    prometheus_data: {}
+    grafana_data: {}
+    influxdb_data: {}
+
+networks:
+  front-tier:
+  back-tier:
+  proxy_tier:
+    name: proxy_tier
+    external: true
+
+services:
+
+  fritz-exporter:
+    image: pdreker/fritz_exporter:2
+    container_name: fritz-exporter
+    restart: always
+    environment:
+      FRITZ_HOSTNAME: '192.168.178.1'
+      FRITZ_USERNAME: 'fritz9297'
+      FRITZ_PASSWORD: 'VeNuocNuocVe26!'
+    ports:
+      - "9787:9787"
+    networks:
+      - back-tier
+
+  prometheus:
+    image: prom/prometheus:latest
+    volumes:
+      - ./prometheus/:/etc/prometheus/
+      - prometheus_data:/prometheus
+      - ./web.yml:/etc/config/web.yml
+    command:
+      - '--config.file=/etc/prometheus/prometheus.yml'
+      - '--storage.tsdb.path=/prometheus'
+      - '--web.console.libraries=/usr/share/prometheus/console_libraries'
+      - '--web.console.templates=/usr/share/prometheus/consoles'
+#      - '--web.config.file=/etc/config/web.yml'
+    ports:
+      - 9090:9090
+    networks:
+      - back-tier
+    restart: always
+#    deploy:
+#      placement:
+#        constraints:
+#          - node.hostname == ${HOSTNAME}
+
+  grafana:
+    image: grafana/grafana
+    user: "472"
+    depends_on:
+      - prometheus
+    ports:
+      - 3300:3000
+    expose:
+      - "3000"
+    volumes:
+      - grafana_data:/var/lib/grafana
+      - ./grafana/provisioning/:/etc/grafana/provisioning/
+    env_file:
+      - ./grafana/config.monitoring
+    networks:
+      - back-tier
+      - front-tier
+      - proxy_tier
+    restart: always
+    labels:
+      - "traefik.enable=true"
+      # HTTP to HTTPS Redirect
+      - "traefik.http.routers.grafana.entrypoints=websecure"
+      - "traefik.http.routers.grafana.rule=Host(`grafana.quangkhai.ch`)"
+      - "traefik.http.routers.grafana.tls.certresolver=myresolver"
+      - "traefik.http.services.grafana.loadbalancer.server.port=3000"
+      - "traefik.docker.network=proxy_tier"
@@ -0,0 +1,53 @@
+# my global config
+global:
+  scrape_interval:     15s # By default, scrape targets every 15 seconds.
+  evaluation_interval: 15s # By default, scrape targets every 15 seconds.
+  # scrape_timeout is set to the global default (10s).
+
+  # Attach these labels to any time series or alerts when communicating with
+  # external systems (federation, remote storage, Alertmanager).
+  external_labels:
+      monitor: 'my-project'
+
+# Load and evaluate rules in this file every 'evaluation_interval' seconds.
+rule_files:
+  - 'alert.rules'
+  # - "first.rules"
+  # - "second.rules"
+
+# alert
+alerting:
+  alertmanagers:
+  - scheme: http
+    static_configs:
+    - targets:
+      - "alertmanager:9093"
+
+# A scrape configuration containing exactly one endpoint to scrape:
+# Here it's Prometheus itself.
+scrape_configs:
+  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
+    # Override the global default and scrape targets 
+  - job_name: 'fritz-exporter'
+    scrape_interval: 15s
+    static_configs:
+    - targets: ['fritz-exporter:9787']
+
+
+  - job_name: 'cadvisor'
+
+    # Override the global default and scrape targets from this job every 5 seconds.
+    scrape_interval: 15s
+
+    static_configs:
+    - targets: ['192.168.1.7:8080']
+      labels:
+        room: 'serverroom'
+        host: 'olivia'
+
+  - job_name: node
+    static_configs:
+         - targets: ['192.168.1.7:9100']
+           labels:
+             room: 'serverroom'
+             host: 'olivia'
@@ -0,0 +1,46 @@
+services:
+  traefik:
+    image: traefik:v3.6
+    container_name: traefik
+    command:
+      #- "--api.dashboard=true"
+      - "--api.insecure=true"
+      - "--providers.docker=true"
+      - "--providers.docker.exposedbydefault=false"
+
+#      - "--entrypoints.https.address=:443"
+
+      # Entrypoints
+      - "--entrypoints.web.address=:80"
+      - "--entrypoints.websecure.address=:443"
+      - "--entrypoints.mqtt-secure.address=:8883"
+      # Global HTTP -> HTTPS Redirection
+      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
+      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
+      # Certificates Resolution (Let's Encrypt)
+      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
+      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
+      - "--certificatesresolvers.myresolver.acme.email=olivia@quangkhai.ch"
+      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
+      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
+    ports:
+      - "80:80"
+      - "443:443"
+      - "8080:8080"   # Traefik Dashboard
+      - "8883:8883"   # MQTT TLS
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./letsencrypt:/letsencrypt
+    networks:
+      - proxy_tier
+    labels:
+      # THE MIDDLEWARE DEFINITION
+      - "traefik.http.middlewares.authelia-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.quangkhai.ch/"
+      - "traefik.http.middlewares.authelia-auth.forwardauth.trustForwardHeader=true"
+      - "traefik.http.middlewares.authelia-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
+
+
+networks:
+  proxy_tier:
+    name: proxy_tier
+    external: true