Added authelia, caddy and adguard

This commit is contained in:
xeovalyte 2024-10-13 17:05:00 +02:00
parent 70b8527b2b
commit c948a1136e
17 changed files with 1596 additions and 9 deletions

2
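--- a/homelab/.gitignore
+++ b/homelab/.gitignore
@@ -0,0 +1,2 @@
+secrets/
+.env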

5
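--- a/homelab/README.md
+++ b/homelab/README.md
@@ -0,0 +1,5 @@
+# Create proxy network
+`docker network create proxy`
+# Configure caddy cloudflare
+Find instructions on [caddy-dns cloudflare](https://github.com/caddy-dns/cloudflare)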


@ -0,0 +1,21 @@
services:
adguardhome:
image: adguard/adguardhome:latest
container_name: adguardhome
restart: unless-stopped
ports:
- 53:53/tcp
- 53:53/udp
# - 80:3000 # Only use during setup
volumes:
- work:/opt/adguardhome/work
- conf:/opt/adguardhome/conf
volumes:
work:
conf:
networks:
default:
name: proxy
external: true
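Review bot: `image: adguard/adguardhome:latest` (and the same `:latest` on `authelia/authelia` and `lldap/lldap` in the authelia compose file further down) turns every `docker compose pull` into a silent, unreviewed upgrade of the resolver and the whole auth stack; pin an explicit tag, e.g. `image: adguard/adguardhome:<pinned-version>`, and bump it on purpose. The `53:53/tcp` and `53:53/udp` mappings publish the resolver on every host interface, which is fine on a LAN-only box but makes it an open resolver as soon as the host has a routable address — bind to the LAN address instead (constructed example: `- 192.0.2.10:53:53/udp`) or scope it at the host firewall. The commented-out `80:3000` mapping would expose the AdGuard admin UI around the Authelia-protected Caddy route, so it should stay disabled once setup is done.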

2
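--- a/homelab/authelia/config/.gitignore
+++ b/homelab/authelia/config/.gitignore
@@ -0,0 +1,2 @@
+db.sqlite3
+notifications.txt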



@ -0,0 +1,35 @@
services:
authelia:
image: authelia/authelia:latest
container_name: authelia
restart: unless-stopped
volumes:
- ./config:/config
depends_on:
- lldap
environment:
JWT_SECRET: ${AUTHELIA_JWT_SECRET}
SESSION_SECRET: ${AUTHELIA_SESSION_SECRET}
STORAGE_ENCRYPTION_KEY: ${AUTHELIA_STORAGE_ENCRYPTION_KEY}
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: ${LLDAP_ADMIN_PASSWORD}
lldap:
image: lldap/lldap:latest
container_name: lldap
restart: unless-stopped
volumes:
- data_lldap:/data
environment:
LLDAP_JWT_SECRET: ${LLDAP_JWT_SECRET}
LLDAP_KEY_SEED: ${LLDAP_KEY_SEED}
LLDAP_LDAP_BASE_DN: dc=bmrs,dc=nl
LLDAP_LDAP_USER_PASS: ${LLDAP_ADMIN_PASSWORD}
volumes:
data_lldap:
networks:
default:
name: proxy
external: true
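Review bot: `AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: ${LLDAP_ADMIN_PASSWORD}` makes Authelia bind to the directory with the same credential that `LLDAP_LDAP_USER_PASS` sets as the lldap admin password, so a compromise of the Authelia container yields full write access to every account; create a dedicated bind user in lldap's read-only group and hand Authelia only that user's password. All secrets are injected as plain environment variables, which leaves them readable through `docker inspect` and the container's process environment; Authelia accepts a `_FILE` suffix on its secret variables and lldap appears to document the same for its `LLDAP_*` secrets, so mounting them from the git-ignored `secrets/` directory would keep them out of the environment. `depends_on: - lldap` only orders container start, it does not wait for lldap to listen, so Authelia's first LDAP connection may fail and rely on its own retry behaviour — a `healthcheck` on lldap plus `condition: service_healthy` would make the start deterministic.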

8
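--- a/homelab/caddy/Dockerfile
+++ b/homelab/caddy/Dockerfile
@@ -0,0 +1,8 @@
+FROM caddy:2.8-builder AS builder
+RUN xcaddy build \
+--with github.com/caddy-dns/cloudflare
+FROM caddy:2.8
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy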
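Review bot: `--with github.com/caddy-dns/cloudflare` carries no version suffix, so every image build fetches whatever the module's current commit is at build time; the resulting proxy binary is neither reproducible nor reviewable, and an upstream compromise would be pulled in silently on the next rebuild. Pin the module as `--with github.com/caddy-dns/cloudflare@<pinned-version>` and bump it deliberately. The `caddy:2.8-builder` and `caddy:2.8` tags are pinned only to the minor; if the build is meant to be reproducible, pin them by digest as well.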

2
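--- a/homelab/caddy/README.md
+++ b/homelab/caddy/README.md
@@ -0,0 +1,2 @@
+# Caddy reverse proxy
+Follow [this](https://github.com/caddy-dns/cloudflare) to obtain secrets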


@ -0,0 +1,16 @@
localhost {
respond "Hello world!"
}
*.timo.bmrs.nl timo.bmrs.nl {
tls {
dns cloudflare {
zone_token {env.CF_ZONE_TOKEN}
api_token {env.CF_API_TOKEN}
}
resolvers 1.1.1.1
}
import routes/*
}
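Review bot: The `*.timo.bmrs.nl timo.bmrs.nl` site has no fallback after `import routes/*`, so a request for any name under the wildcard that matches none of the imported `handle` blocks is answered with Caddy's default empty 200 while still presenting the wildcard certificate; add a terminal `handle { respond 404 }` (or `abort`) after the import so unrouted hostnames fail closed. The `localhost { respond "Hello world!" }` site reads like a leftover from testing and serves an unrelated plain-HTTP endpoint on the host; drop it unless it is intentionally used as a liveness probe.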


@ -0,0 +1,9 @@
@adguard host adguard.timo.bmrs.nl
handle @adguard {
forward_auth authelia:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
reverse_proxy adguardhome:3000
}


@ -0,0 +1,9 @@
@ldap host ldap.timo.bmrs.nl
handle @ldap {
reverse_proxy lldap:17170
}
@authelia host auth.timo.bmrs.nl
handle @authelia {
reverse_proxy authelia:9091
}
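Review bot: `handle @ldap { reverse_proxy lldap:17170 }` publishes the lldap admin web UI on `ldap.timo.bmrs.nl` with no `forward_auth`, unlike the adguard route in the other file, so the directory's management interface is protected only by lldap's own login form and is reachable by anyone who can hit port 443. Put the same `forward_auth authelia:9091 { uri /api/authz/forward-auth }` block in front of it, or gate the handle on a LAN client-IP matcher if the UI is only ever used internally. The `@authelia` route must stay unprotected since it is the auth portal itself.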


@ -1,6 +1,6 @@
services: services:
caddy: caddy:
image: caddy:2.8 build: .
container_name: caddy container_name: caddy
restart: unless-stopped restart: unless-stopped
cap_add: cap_add:
@ -10,10 +10,18 @@ services:
- 443:443 - 443:443
- 443:443/udp - 443:443/udp
volumes: volumes:
- caddy_data:/data - data:/data
- caddy_config:/config - config:/config
- ./caddyfiles:/etc/caddy/ - ./caddyfiles:/etc/caddy/
environment:
CF_ZONE_TOKEN: ${CF_ZONE_TOKEN}
CF_API_TOKEN: ${CF_API_TOKEN}
volumes: volumes:
caddy_data: data:
caddy_config: config:
networks:
default:
name: proxy
external: true
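Review bot: Renaming the named volumes from `caddy_data`/`caddy_config` to `data`/`config` creates fresh, empty volumes on the next `up`, so the ACME account key and issued certificates stored under `/data` stay behind in the now-orphaned `caddy_data` volume and Caddy re-requests every certificate on first start — keep the old names, add `name: caddy_data` (and `name: caddy_config`) under the new volume definitions, or copy the contents across before switching. `CF_ZONE_TOKEN`/`CF_API_TOKEN` are injected as plain environment variables, readable through `docker inspect` by anyone in the docker group; scope the Cloudflare token to DNS edit on that single zone at minimum. Switching from the pinned `caddy:2.8` tag to `build: .` means the running proxy is now whatever the local Dockerfile produced, so the plugin-version pinning raised on that file matters here too.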


@ -37,7 +37,11 @@
# Enable ssh # Enable ssh
services.openssh.enable = true; services.openssh.enable = true;
boot.kernelPackages = pkgs.linuxPackages_latest; # Forward ports
networking.firewall = {
allowedTCPPorts = [ 80 443 53 ];
allowedUDPPorts = [ 53 ];
};
system.stateVersion = "24.05"; system.stateVersion = "24.05";
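Review bot: `allowedUDPPorts = [ 53 ];` omits 443/udp although the caddy compose file publishes `443:443/udp`, so Caddy will advertise HTTP/3 but the host firewall drops it and clients quietly fall back to TCP — add 443 to the UDP list or remove the udp port mapping. Opening 53 in the global lists makes the host an open resolver if it has a routable interface; NixOS can scope it with `networking.firewall.interfaces.<lan-iface>.allowedUDPPorts = [ 53 ];` (placeholder interface name) instead. This assumes rootless docker, which the rootlesskit wrapper elsewhere in this commit suggests; with rootful docker the published ports would bypass this firewall anyway. The old side also shows `boot.kernelPackages = pkgs.linuxPackages_latest;` disappearing in this hunk, which looks unrelated to "Forward ports" — confirm it is intentional. The rest of the module lies outside the hunk.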


@ -0,0 +1,39 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ohci_pci" "ehci_pci" "virtio_pci" "ahci" "usbhid" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/649666ff-db85-4666-86d0-c088732505d6";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/A157-F96E";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/f8c0a59c-7e1a-4eb7-960e-20ba65fec156"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s8.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -1,4 +1,4 @@
{ ... }: { pkgs, ... }:
{ {
virtualisation.docker = { virtualisation.docker = {
@ -10,4 +10,13 @@
}; };
users.users.xeovalyte.extraGroups = [ "docker" ]; users.users.xeovalyte.extraGroups = [ "docker" ];
security.wrappers = {
docker-rootlesskit = {
owner = "root";
group = "root";
capabilities = "cap_net_bind_service+ep";
source = "${pkgs.rootlesskit}/bin/rootlesskit";
};
};
} }
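Review bot: The `docker-rootlesskit` wrapper grants `cap_net_bind_service+ep` to whoever executes `/run/wrappers/bin/docker-rootlesskit`, and with `security.wrappers`' default permissions that is every local user, not only the account running rootless docker. Restrict it with `group = "docker"; permissions = "u+rx,g+rx";` so that only members of the docker group (which the line above already adds xeovalyte to) obtain the capability. Whether `dockerd-rootless` actually resolves a binary named `docker-rootlesskit` on its PATH rather than the unwrapped `rootlesskit` cannot be confirmed from this hunk — verify on the running host that the rootlesskit process carries the capability. The module body between the two hunks is outside the view.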


@ -3,7 +3,7 @@
{ {
networking.firewall = { networking.firewall = {
enable = true; enable = true;
allowedTCPPorts = [ 53317 3000 24800 ]; allowedTCPPorts = [ ];
allowedUDPPorts = [ 53317 24800 ]; allowedUDPPorts = [ ];
}; };
} }