quangkhai/deployments
1
1
Fork 0
Code Issues 3 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: quangkhai/deployments:main
Branches Tags
quangkhai/deployments:main quangkhai/deployments:feature/issue-6-add-crowdsec quangkhai/deployments:feature/grafana_openid
..
pull from: quangkhai/deployments:feature/issue-6-add-crowdsec
Branches Tags
quangkhai/deployments:feature/issue-6-add-crowdsec quangkhai/deployments:main quangkhai/deployments:feature/grafana_openid

4 Commits

Author SHA1 Message Date
ue87775 2a4d174ba3 Add ping to traefik 2026-04-27 09:10:01 +02:00
ue87775 9d7b722462 fix Grafana Authelia 2026-04-27 09:09:46 +02:00
ue87775 7da39198f8 #6 
Uses Crowdsec

Co-authored-by: Copilot <copilot@github.com>
 2026-04-24 10:17:03 +02:00
ue87775 dd22d6fe13 Deployment Script 2026-04-15 14:40:58 +02:00
6 changed files with 48 additions and 84 deletions
Expand all files Collapse all files
authelia/config/configuration.yml
-12
View File
@@ -117,15 +117,3 @@ identity_providers:
- email
- groups
userinfo_signed_response_alg: 'none'
- id: grafana
description: Grafana via Authelia
secret: '$argon2id$v=19$m=65536,t=3,p=4$IoJjIPmtn81rI0te8lV5Yw$tptaXFfI1NOsPctEzyAYiRblzFNsWgbS9Gh160OkoqQ'
public: false
authorization_policy: one_factor
redirect_uris:
- https://grafana.quangkhai.ch/login/generic_oauth
scopes:
- openid
- profile
- email
userinfo_signed_response_alg: 'none'
deploy.sh
-28
View File
@@ -1,28 +0,0 @@
#!/bin/bash
# Deploy Authelia configuration
# Copies all files from authelia folder to /home/quangkhai/authelia
set -e
SOURCE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/authelia" && pwd)"
DEST_DIR="/home/quangkhai/authelia"
echo "Starting deployment..."
echo "Source: $SOURCE_DIR"
echo "Destination: $DEST_DIR"
# Create destination directory if it doesn't exist
if [ ! -d "$DEST_DIR" ]; then
echo "Creating destination directory: $DEST_DIR"
mkdir -p "$DEST_DIR"
fi
# Copy all files
echo "Copying files..."
cp -rv "$SOURCE_DIR"/* "$DEST_DIR/"
echo "✓ Deployment completed successfully!"
echo "Files copied to: $DEST_DIR"
prometheus/docker-compose.yml
+1
View File
@@ -110,4 +110,5 @@ services:
- "traefik.http.routers.grafana.rule=Host(`grafana.quangkhai.ch`)"
- "traefik.http.routers.grafana.tls.certresolver=myresolver"
- "traefik.http.services.grafana.loadbalancer.server.port=3000"
- "traefik.http.routers.grafana.middlewares=authelia-auth@docker"
- "traefik.docker.network=proxy_tier"
prometheus/grafana/config.monitoring
-37
View File
@@ -1,37 +0,0 @@
GF_SERVER_ROOT_URL=https://grafana.quangkhai.ch
GF_AUTH_ANONYMOUS_ENABLED=false
GF_AUTH_DISABLE_LOGIN_FORM=true
GF_AUTH_GENERIC_OAUTH_ENABLED=true
GF_AUTH_GENERIC_OAUTH_NAME=Authelia
GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP=true
GF_AUTH_GENERIC_OAUTH_CLIENT_ID=grafana
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=VeNuocNuocVe26!
GF_AUTH_GENERIC_OAUTH_SCOPES="openid profile email"
GF_AUTH_GENERIC_OAUTH_USE_ID_TOKEN=true
GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://auth.quangkhai.ch/api/oidc/authorization
GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://auth.quangkhai.ch/api/oidc/token
GF_AUTH_GENERIC_OAUTH_API_URL=https://auth.quangkhai.ch/api/oidc/userinfo
# 2. Map the ID (used for login)
# Many OIDC providers use 'preferred_username' or 'sub'
GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH=preferred_username
# 3. Map the Email
GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH=email
# 4. Map the Name (optional, but good for profile)
GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH=name
# Example mapping:
# If 'groups' contains 'admin', make them 'Admin'.
# If 'groups' contains 'editor', make them 'Editor'.
# Otherwise, default to 'Viewer'.
#GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH="contains(groups[*], 'admins') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'"
# Sets the default role for ALL OAuth users
GF_AUTH_GENERIC_OAUTH_AUTO_ASSIGN_ORG_ROLE=Admin
GF_USERS_AUTO_ASSIGN_ORG_ROLE=Admin
# Tell Grafana NOT to try and sync roles from the OIDC claims
GF_AUTH_GENERIC_OAUTH_SKIP_ORG_ROLE_SYNC=true
GF_LOG_LEVEL=debug
traefik/crowdsec/acquis.yaml
+4
View File
@@ -0,0 +1,4 @@
filenames:
- /var/log/traefik/access.log
labels:
type: traefik
traefik/docker-compose.yaml
+43 -7
View File
@@ -2,11 +2,18 @@ services:
traefik:
image: traefik:v3.6
container_name: traefik
depends_on:
- crowdsec
command:
- "--api.dashboard=true"
- "--api.insecure=false"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--ping=true"
- "--experimental.plugins.crowdsec-bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
- "--experimental.plugins.crowdsec-bouncer.version=v1.4.2"
- "--accesslog=true"
- "--accesslog.filepath=/var/log/traefik/access.log"
# - "--entrypoints.https.address=:443"
@@ -14,6 +21,7 @@ services:
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--entrypoints.mqtt-secure.address=:8883"
- "--entrypoints.websecure.http.middlewares=crowdsec@docker"
# Global HTTP -> HTTPS Redirection
- "--entrypoints.web.http.redirections.entryPoint.to=websecure"
- "--entrypoints.web.http.redirections.entryPoint.scheme=https"
@@ -31,6 +39,7 @@ services:
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./letsencrypt:/letsencrypt
- ./logs:/var/log/traefik
networks:
- proxy_tier
restart: unless-stopped
@@ -40,21 +49,48 @@ services:
timeout: 10s
retries: 3
start_period: 5s
resources:
limits:
cpus: '2'
memory: 512M
reservations:
cpus: '1'
memory: 256M
deploy:
resources:
limits:
cpus: '2'
memory: 512M
reservations:
cpus: '1'
memory: 256M
labels:
# THE MIDDLEWARE DEFINITION
- "traefik.http.middlewares.authelia-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.quangkhai.ch/"
- "traefik.http.middlewares.authelia-auth.forwardauth.trustForwardHeader=true"
- "traefik.http.middlewares.authelia-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
- "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.enabled=true"
- "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.logLevel=INFO"
- "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecMode=live"
- "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiHost=crowdsec:8080"
- "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiScheme=http"
- "traefik.http.middlewares.crowdsec.plugin.crowdsec-bouncer.crowdsecLapiKey=${CROWDSEC_BOUNCER_KEY:-change-me}"
crowdsec:
image: crowdsecurity/crowdsec:latest
container_name: crowdsec
environment:
- TZ=UTC
- COLLECTIONS=crowdsecurity/traefik
- BOUNCER_KEY_TRAEFIK=${CROWDSEC_BOUNCER_KEY:-change-me}
volumes:
- ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
- ./logs:/var/log/traefik:ro
- crowdsec-db:/var/lib/crowdsec/data
- crowdsec-config:/etc/crowdsec
networks:
- proxy_tier
restart: unless-stopped
networks:
proxy_tier:
name: proxy_tier
external: true
volumes:
crowdsec-db:
crowdsec-config: