#6

Uses Crowdsec

Co-authored-by: Copilot <copilot@github.com>

authelia/config/configuration.yml

@@ -117,15 +117,3 @@ identity_providers:
           - email
           - groups
         userinfo_signed_response_alg: 'none'
-      - id: grafana
-        description: Grafana via Authelia
-        secret: '$argon2id$v=19$m=65536,t=3,p=4$IoJjIPmtn81rI0te8lV5Yw$tptaXFfI1NOsPctEzyAYiRblzFNsWgbS9Gh160OkoqQ'
-        public: false
-        authorization_policy: one_factor
-        redirect_uris:
-          - https://grafana.quangkhai.ch/login/generic_oauth
-        scopes:
-          - openid
-          - profile
-          - email
-        userinfo_signed_response_alg: 'none'        

deploy.sh

@@ -1,28 +0,0 @@
-#!/bin/bash
-
-# Deploy Authelia configuration
-# Copies all files from authelia folder to /home/quangkhai/authelia
-
-set -e
-
-SOURCE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/authelia" && pwd)"
-DEST_DIR="/home/quangkhai/authelia"
-
-echo "Starting deployment..."
-echo "Source: $SOURCE_DIR"
-echo "Destination: $DEST_DIR"
-
-# Create destination directory if it doesn't exist
-if [ ! -d "$DEST_DIR" ]; then
-    echo "Creating destination directory: $DEST_DIR"
-    mkdir -p "$DEST_DIR"
-fi
-
-# Copy all files
-echo "Copying files..."
-cp -rv "$SOURCE_DIR"/* "$DEST_DIR/"
-
-echo "✓ Deployment completed successfully!"
-echo "Files copied to: $DEST_DIR"
-
-

prometheus/grafana/config.monitoring

@@ -1,25 +0,0 @@
-GF_SERVER_ROOT_URL=https://grafana.quangkhai.ch
-GF_AUTH_ANONYMOUS_ENABLED=false
-GF_AUTH_DISABLE_LOGIN_FORM=true
-
-GF_AUTH_GENERIC_OAUTH_ENABLED=true
-GF_AUTH_GENERIC_OAUTH_NAME=Authelia
-GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP=true
-GF_AUTH_GENERIC_OAUTH_CLIENT_ID=grafana
-GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=VeNuocNuocVe26!
-GF_AUTH_GENERIC_OAUTH_SCOPES="openid profile email"
-GF_AUTH_GENERIC_OAUTH_USE_ID_TOKEN=true
-
-GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://auth.quangkhai.ch/api/oidc/authorization
-GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://auth.quangkhai.ch/api/oidc/token
-GF_AUTH_GENERIC_OAUTH_API_URL=https://auth.quangkhai.ch/api/oidc/userinfo
-
-# 2. Map the ID (used for login)
-# Many OIDC providers use 'preferred_username' or 'sub'
-GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=preferred_username
-
-# 3. Map the Email
-GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH=email
-
-# 4. Map the Name (optional, but good for profile)
-GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=name

traefik/crowdsec/acquis.yaml

@@ -0,0 +1,4 @@
+filenames:
+  - /var/log/traefik/access.log
+labels:
+  type: traefik

traefik/docker-compose.yaml

@@ -2,11 +2,17 @@ services:
   traefik:
     image: traefik:v3.6
     container_name: traefik
+    depends_on:
+      - crowdsec
     command:
       - "--api.dashboard=true"
       - "--api.insecure=false"
       - "--providers.docker=true"
       - "--providers.docker.exposedbydefault=false"
+      - "--experimental.plugins.crowdsec-bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
+      - "--experimental.plugins.crowdsec-bouncer.version=v1.4.2"
+      - "--accesslog=true"
+      - "--accesslog.filepath=/var/log/traefik/access.log"
 
 #      - "--entrypoints.https.address=:443"
 
@@ -14,6 +20,7 @@ services:
       - "--entrypoints.web.address=:80"
       - "--entrypoints.websecure.address=:443"
       - "--entrypoints.mqtt-secure.address=:8883"
+      - "--entrypoints.websecure.http.middlewares=crowdsec@docker"
       # Global HTTP -> HTTPS Redirection
       - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
       - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
@@ -31,6 +38,7 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - ./letsencrypt:/letsencrypt
+      - ./logs:/var/log/traefik
     networks:
       - proxy_tier
     restart: unless-stopped
@@ -40,21 +48,48 @@ services:
       timeout: 10s
       retries: 3
       start_period: 5s
-    resources:
-      limits:
-        cpus: '2'
-        memory: 512M
-      reservations:
-        cpus: '1'
-        memory: 256M
+    deploy:
+      resources:
+        limits:
+          cpus: '2'
+          memory: 512M
+        reservations:
+          cpus: '1'
+          memory: 256M
     labels:
       # THE MIDDLEWARE DEFINITION
       - "traefik.http.middlewares.authelia-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.quangkhai.ch/"
       - "traefik.http.middlewares.authelia-auth.forwardauth.trustForwardHeader=true"
       - "traefik.http.middlewares.authelia-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
+      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.enabled=true"
+      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.logLevel=INFO"
+      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecMode=live"
+      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiHost=crowdsec:8080"
+      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiScheme=http"
+      - "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiKey=${CROWDSEC_BOUNCER_KEY:-change-me}"
+
+  crowdsec:
+    image: crowdsecurity/crowdsec:latest
+    container_name: crowdsec
+    environment:
+      - TZ=UTC
+      - COLLECTIONS=crowdsecurity/traefik
+      - BOUNCER_KEY_TRAEFIK=${CROWDSEC_BOUNCER_KEY:-change-me}
+    volumes:
+      - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
+      - ./logs:/var/log/traefik:ro
+      - crowdsec-db:/var/lib/crowdsec/data
+      - crowdsec-config:/etc/crowdsec
+    networks:
+      - proxy_tier
+    restart: unless-stopped
 
 
 networks:
   proxy_tier:
     name: proxy_tier
     external: true
+
+volumes:
+  crowdsec-db:
+  crowdsec-config: