Added multiple services

homelab/README.md

@@ -3,3 +3,11 @@
 
 # Configure caddy cloudflare
 Find instructions on [caddy-dns cloudflare](https://github.com/caddy-dns/cloudflare)
+
+# Services
+| Name | Use | Domain | Auth |
+| --- | --- | --- | --- |
+| Adguard | DNS | https://adguard.timo.bmrs.nl/ | local | 
+| Caddy | Reverse proxy | - | - |
+| Forgejo | Git | https://git.timo.bmrs.nl/ | Openid |
+| Ldap | User directory | https://ldap.timo.bmrs.nl/ | - |

homelab/authelia/.gitignore

@@ -0,0 +1 @@
+keys/

homelab/authelia/README.md

@@ -0,0 +1,2 @@
+- Follow [This](https://www.authelia.com/configuration/identity-providers/openid-connect/provider/) guide for generating keys
+- Store the keys in the /keys directory

homelab/authelia/config/.gitignore

@@ -1,2 +0,0 @@
-db.sqlite3
-notifications.txt

homelab/authelia/config/configuration.yml

@@ -632,9 +632,30 @@ access_control:
 
   rules:
     ## Rules applied to everyone
-    - domain: '*.timo.bmrs.nl'
+    - domain: 'auth.timo.bmrs.nl'
+      policy: 'bypass'
+    
+    - domain: 'adguard.timo.bmrs.nl'
+      policy: 'two_factor'
+      subject: 'group:adguard'
+
+    - domain: 'bitwarden.timo.bmrs.nl'
+      policy: 'two_factor'
+
+    - domain: 'git.timo.bmrs.nl'
+      policy: 'bypass'
+
+    - domain: 'home.timo.bmrs.nl'
       policy: 'one_factor'
 
+    - domain: 'ldap.timo.bmrs.nl'
+      policy: 'two_factor'
+      subject: 'group:admin'
+
+    - domain: 'uptime.timo.bmrs.nl'
+      policy: 'bypass'
+
+
     ## Domain Regex examples. Generally we recommend just using a standard domain.
     # - domain_regex: '^(?P<User>\w+)\.example\.com$'
     #   policy: 'one_factor'
@@ -1138,39 +1159,35 @@ notifier:
 ##
 ## Identity Providers
 ##
-# identity_providers:
+identity_providers:
 
   ##
   ## OpenID Connect (Identity Provider)
   ##
   ## It's recommended you read the documentation before configuration of this section:
   ## https://www.authelia.com/c/oidc
-  # oidc:
+  oidc:
     ## The hmac_secret is used to sign OAuth2 tokens (authorization code, access tokens and refresh tokens).
     ## HMAC Secret can also be set using a secret: https://www.authelia.com/c/secrets
-    # hmac_secret: 'this_is_a_secret_abc123abc123abc'
+    hmac_secret: $HMAC_SECRET
 
     ## The JWK's issuer option configures multiple JSON Web Keys. It's required that at least one of the JWK's
     ## configured has the RS256 algorithm. For RSA keys (RS or PS) the minimum is a 2048 bit key.
-    # jwks:
+    jwks:
-    # -
+      -       
         ## Key ID embedded into the JWT header for key matching. Must be an alphanumeric string with 7 or less characters.
         ## This value is automatically generated if not provided. It's recommended to not configure this.
-      # key_id: 'example'
+        # key_id: 'exmple'
 
         ## The key algorithm used with this key.
-      # algorithm: 'RS256'
+        algorithm: 'RS256'
 
         ## The key use expected with this key. Currently only 'sig' is supported.
-      # use: 'sig'
+        use: 'sig'
 
         ## Required Private Key in PEM DER form.
-      # key: |
+        key: |
-        # -----BEGIN RSA PRIVATE KEY-----
+          {{- fileContent "/keys/private.pem" | nindent 10 }}
-        # ...
-        # -----END RSA PRIVATE KEY-----
-
-
         ## Optional matching certificate chain in PEM DER form that matches the key. All certificates within the chain
         ## must be valid and current, and from top to bottom each certificate must be signed by the subsequent one.
         # certificate_chain: |
@@ -1182,18 +1199,18 @@ notifier:
           # -----END CERTIFICATE-----
 
     ## Enables additional debug messages.
-    # enable_client_debug_messages: false
+    enable_client_debug_messages: false
 
     ## SECURITY NOTICE: It's not recommended changing this option and values below 8 are strongly discouraged.
-    # minimum_parameter_entropy: 8
+    minimum_parameter_entropy: 8
 
     ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it set to 'never'
     ## for security reasons.
-    # enforce_pkce: 'public_clients_only'
+    enforce_pkce: 'public_clients_only'
 
     ## SECURITY NOTICE: It's not recommended changing this option. We encourage you to read the documentation and fully
     ## understanding it before enabling this option.
-    # enable_jwt_access_token_stateless_introspection: false
+    enable_jwt_access_token_stateless_introspection: false
 
     ## The signing algorithm used for signing the discovery and metadata responses. An issuer JWK with a matching
     ## algorithm must be available when configured. Most clients completely ignore this and it has a performance cost.
@@ -1205,68 +1222,68 @@ notifier:
 
     ## Authorization Policies which can be utilized by clients. The 'policy_name' is an arbitrary value that you pick
     ## which is utilized as the value for the 'authorization_policy' on the client.
-    # authorization_policies:
+    authorization_policies:
-      # policy_name:
+      forgejo:
-        # default_policy: 'two_factor'
+        default_policy: 'deny'
-        # rules:
+        rules:
-          # - policy: 'one_factor'
+          - policy: 'two_factor'
-          #   subject: 'group:services'
+            subject: 'group:forgejo'
 
     ## The lifespans configure the expiration for these token types in the duration common syntax. In addition to this
     ## syntax the lifespans can be customized per-client.
-    # lifespans:
+    lifespans:
       ## Configures the default/fallback lifespan for given token types. This behaviour applies to all clients and all
       ## grant types but you can override this behaviour using the custom lifespans.
-      # access_token: '1 hour'
+      access_token: '1 hour'
-      # authorize_code: '1 minute'
+      authorize_code: '1 minute'
-      # id_token: '1 hour'
+      id_token: '1 hour'
-      # refresh_token: '90 minutes'
+      refresh_token: '90 minutes'
 
     ## Cross-Origin Resource Sharing (CORS) settings.
-    # cors:
+    cors:
       ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
-      # endpoints:
+      endpoints:
-        #  - 'authorization'
+         - 'authorization'
-        #  - 'pushed-authorization-request'
+         - 'pushed-authorization-request'
-        #  - 'token'
+         - 'token'
-        #  - 'revocation'
+         - 'revocation'
-        #  - 'introspection'
+         - 'introspection'
-        #  - 'userinfo'
+         - 'userinfo'
 
       ## List of allowed origins.
       ## Any origin with https is permitted unless this option is configured or the
       ## allowed_origins_from_client_redirect_uris option is enabled.
-      # allowed_origins:
+      allowed_origins:
-        # - 'https://example.com'
+        - 'https://timo.bmrs.nl'
 
       ## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins,
       ## provided they have the scheme http or https and do not have the hostname of localhost.
-      # allowed_origins_from_client_redirect_uris: false
+      allowed_origins_from_client_redirect_uris: false
 
     ## Clients is a list of known clients and their configuration.
-    # clients:
+    clients:
-      # -
+      -
         ## The Client ID is the OAuth 2.0 and OpenID Connect 1.0 Client ID which is used to link an application to a
         ## configuration.
-        # client_id: 'myapp'
+        client_id: '{{ env "CLIENT_ID_FORGEJO" }}'
 
         ## The description to show to users when they end up on the consent screen. Defaults to the ID above.
-        # client_name: 'My Application'
+        client_name: 'Forgejo'
 
         ## The client secret is a shared secret between Authelia and the consumer of this client.
         # yamllint disable-line rule:line-length
-        # client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
+        client_secret: '{{ env "CLIENT_SECRET_FORGEJO" }}'
 
         ## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not
         ## necessary. It is critical to read the documentation for more information.
         # sector_identifier_uri: 'https://example.com/sector.json'
 
         ## Sets the client to public. This should typically not be set, please see the documentation for usage.
-        # public: false
+        public: false
 
         ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
-        # redirect_uris:
+        redirect_uris:
-          # - 'https://oidc.example.com:8080/oauth2/callback'
+          - 'https://git.timo.bmrs.nl/user/oauth2/Authelia/callback'
 
         ## Request URI's specifies a list of valid case-sensitive TLS-secured URIs for this client for use as
         ## URIs to fetch Request Objects.
@@ -1277,11 +1294,10 @@ notifier:
         # audience: []
 
         ## Scopes this client is allowed to request.
-        # scopes:
+        scopes:
-          # - 'openid'
+          - 'openid'
-          # - 'groups'
+          - 'email'
-          # - 'email'
+          - 'profile'
-          # - 'profile'
 
         ## Grant Types configures which grants this client can obtain.
         ## It's not recommended to define this unless you know what you're doing.
@@ -1300,7 +1316,7 @@ notifier:
 
         ## The policy to require for this client; one_factor or two_factor. Can also be the key names for the
         ## authorization policies section.
-        # authorization_policy: 'two_factor'
+        authorization_policy: 'forgejo'
 
         ## The custom lifespan name to use for this client. This must be configured independent of the client before
         ## utilization. Custom lifespans are reusable similar to authorization policies.
@@ -1326,7 +1342,7 @@ notifier:
         ## The permitted client authentication method for the Token Endpoint for this client.
         ## For confidential client types this value defaults to 'client_secret_basic' and for the public client types it
         ## defaults to 'none' per the specifications.
-        # token_endpoint_auth_method: 'client_secret_basic'
+        token_endpoint_auth_method: 'client_secret_basic'
 
         ## The permitted client authentication signing algorithm for the Token Endpoint for this client when using
         ## the 'client_secret_jwt' or 'private_key_jwt' token_endpoint_auth_method.
@@ -1368,7 +1384,7 @@ notifier:
 
         ## The signing algorithm used for User Info responses. An issuer JWK with a matching algorithm must be
         ## available. Has no effect if userinfo_signing_key_id is configured.
-        # userinfo_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
 
         ## The signing key id used for User Info responses. An issuer JWK with a matching key id must be available when
         ## configured.

homelab/authelia/docker-compose.yml

@@ -3,15 +3,21 @@ services:
     image: authelia/authelia:latest
     container_name: authelia
     restart: unless-stopped
-    volumes:
-      - ./config:/config
     depends_on:
       - lldap
+    volumes:
+      - ./config/configuration.yml:/config/configuration.yml
+      - ./config/keys:/keys
+      - data_authelia:/config
     environment:
+      X_AUTHELIA_CONFIG_FILTERS: template
       JWT_SECRET: ${AUTHELIA_JWT_SECRET}
       SESSION_SECRET: ${AUTHELIA_SESSION_SECRET}
       STORAGE_ENCRYPTION_KEY: ${AUTHELIA_STORAGE_ENCRYPTION_KEY}
       AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: ${LLDAP_ADMIN_PASSWORD}
+      HMAC_SECRET: ${AUTHELIA_HMAC_SECRET}
+      CLIENT_SECRET_FORGEJO: ${AUTHELIA_CLIENT_SECRET_FORGEJO}
+      CLIENT_ID_FORGEJO: ${AUTHELIA_CLIENT_ID_FORGEJO}
 
   lldap:
     image: lldap/lldap:latest
@@ -27,6 +33,7 @@ services:
 
 volumes:
   data_lldap:
+  data_authelia:
 
 networks:
   default:

homelab/caddy/caddyfiles/Caddyfile

@@ -12,5 +12,10 @@ localhost {
 		resolvers 1.1.1.1
 	}
 
+	forward_auth authelia:9091 {
+		uri /api/authz/forward-auth
+		copy_headers Remote-User Remote-Groups Remote-Email Remote-Name		
+	}
+
 	import routes/*
 }

homelab/caddy/caddyfiles/routes/adguard

@@ -1,9 +1,4 @@
 @adguard host adguard.timo.bmrs.nl
 handle @adguard {
-	forward_auth authelia:9091 {
-		uri /api/authz/forward-auth
-		copy_headers Remote-User Remote-Groups Remote-Email Remote-Name		
-	}
-
 	reverse_proxy adguardhome:3000
 }

homelab/caddy/caddyfiles/routes/forgejo

@@ -0,0 +1,4 @@
+@forgejo host git.timo.bmrs.nl
+handle @forgejo {
+	reverse_proxy forgejo:3000
+}

homelab/caddy/caddyfiles/routes/homepage

@@ -0,0 +1,4 @@
+@homepage host home.timo.bmrs.nl
+handle @homepage {
+	reverse_proxy homepage:3000
+}

homelab/caddy/caddyfiles/routes/uptime-kuma

@@ -0,0 +1,4 @@
+@uptime-kuma host uptime.timo.bmrs.nl
+handle @uptime-kuma {
+	reverse_proxy uptime-kuma:3001
+}

homelab/caddy/caddyfiles/routes/vaultwarden

@@ -0,0 +1,4 @@
+@vaultwarden host bitwarden.timo.bmrs.nl
+handle @vaultwarden {
+	reverse_proxy vaultwarden:80
+}

homelab/caddy/docker-compose.yml

@@ -16,12 +16,16 @@ services:
     environment:
       CF_ZONE_TOKEN: ${CF_ZONE_TOKEN}
       CF_API_TOKEN: ${CF_API_TOKEN}
+    networks:
+      proxy:
+        aliases:
+          - auth.timo.bmrs.nl
 
 volumes:
   data:
   config:
 
 networks:
-  default:
+  proxy:
     name: proxy
     external: true

homelab/forgejo/docker-compose.yml

@@ -0,0 +1,40 @@
+services:
+  forgejo:
+    image: codeberg.org/forgejo/forgejo:9
+    container_name: forgejo
+    restart: unless-stopped
+    depends_on:
+      - db
+    ports:
+      - 222:22
+    volumes:
+      - data:/data
+      - ./config/app.ini:/etc/forgejo/app.ini
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro 
+    environment:
+      FORGEJO__database__DB_TYPE: postgres
+      FORGEJO__database__HOST: "db:5432"
+      FORGEJO__database__NAME: forgejo
+      FORGEJO__database__USER: forgejo
+      FORGEJO__database__PASSWD: ${DB_PASSWORD}
+  
+  db:
+    image: postgres:14
+    container_name: forgejo-db
+    restart: unless-stopped
+    volumes:
+      - data_db:/var/lib/postgresql/data
+    environment:
+      POSTGRES_USER: forgejo
+      POSTGRES_PASSWORD: ${DB_PASSWORD}
+      POSTGES_DB: forgejo
+
+volumes:
+  data:
+  data_db:
+
+networks:
+  default:
+    name: proxy
+    external: true

homelab/homepage/config/.gitignore

@@ -0,0 +1 @@
+logs/

homelab/homepage/config/bookmarks.yaml

@@ -0,0 +1,3 @@
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/configs/bookmarks

homelab/homepage/config/docker.yaml

@@ -0,0 +1,10 @@
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/configs/docker/
+
+# my-docker:
+#   host: 127.0.0.1
+#   port: 2375
+
+docker:
+  socket: /var/run/docker.sock

homelab/homepage/config/kubernetes.yaml

@@ -0,0 +1,2 @@
+---
+# sample kubernetes config

homelab/homepage/config/services.yaml

@@ -0,0 +1,55 @@
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/configs/services
+
+- Primary Services:
+    - Adguard:
+        href: https://adguard.timo.bmrs.nl/
+        description: DNS
+        icon: adguard-home
+        server: docker
+        container: adguardhome
+        widget:
+            type: adguard
+            url: http://adguardhome:3000
+            username: xeovalyte
+            password: {{HOMEPAGE_VAR_ADGUARD_PASSWORD}}
+
+    - Forgejo:
+        href: https://git.timo.bmrs.nl/
+        description: Git
+        icon: forgejo
+        server: docker
+        container: forgejo
+
+    - Uptime Kuma:
+        href: https://uptime.timo.bmrs.nl/
+        description: Uptime monitoring
+        icon: uptime-kuma
+        server: docker
+        container: uptime-kuma
+
+    - Vaultwarden:
+        href: https://bitwarden.timo.bmrs.nl/
+        description: Password manager
+        icon: bitwarden
+        server: docker
+        container: vaultwarden
+
+- Backend Services:
+    - Authelia:
+        description: SSO
+        icon: authelia
+        server: docker
+        container: authelia
+    
+    - Caddy:
+        description: Reverse proxy
+        icon: caddy
+        server: docker
+        container: caddy
+
+    - LLDAP:
+        description: Active directory
+        server: docker
+        container: lldap

homelab/homepage/config/settings.yaml

@@ -0,0 +1,21 @@
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/configs/settings
+
+providers:
+  openweathermap: openweathermapapikey
+  weatherapi: weatherapiapikey
+
+title: Xeovalyte's Dashboard
+color: slate
+
+headerStyle: boxedWidgets
+
+layout:
+  Primary Services:
+    style: row
+    columns: 3
+
+  Backend Services:
+    style: row
+    columns: 4

homelab/homepage/config/widgets.yaml

@@ -0,0 +1,12 @@
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/configs/service-widgets
+
+- resources:
+    cpu: true
+    memory: true
+    disk: /
+
+- search:
+    provider: duckduckgo
+    target: _blank

homelab/homepage/docker-compose.yml

@@ -0,0 +1,19 @@
+services:
+  homepage:
+    image: ghcr.io/gethomepage/homepage:latest
+    container_name: homepage
+    restart: unless-stopped
+    volumes:
+      - ./config:/app/config
+      - logs:/app/config/logs
+      - /run/user/1000/docker.sock:/var/run/docker.sock
+    environment:
+      HOMEPAGE_VAR_ADGUARD_PASSWORD: $ADGUARD_PASSWORD
+
+volumes:
+  logs:
+
+networks:
+  default:
+    name: proxy
+    external: true

homelab/uptime-kuma/docker-compose.yml

@@ -0,0 +1,15 @@
+services:
+  uptime-kuma:
+    image: louislam/uptime-kuma:1
+    container_name: uptime-kuma
+    restart: unless-stopped
+    volumes:
+      - data:/app/data
+
+volumes:
+  data:
+
+networks:
+  default:
+    name: proxy
+    external: true

homelab/vaultwarden/docker-compose.yml

@@ -0,0 +1,17 @@
+services:
+  vaultwarden:
+    image: vaultwarden/server:latest
+    container_name: vaultwarden
+    restart: unless-stopped
+    volumes:
+      - data:/data
+    environment:
+      SIGNUPS_ALLOWED: "true"
+
+volumes:
+  data:
+
+networks:
+  default:
+    name: proxy
+    external: true