27 changed files with 81 additions and 3083 deletions
--- a/homelab/README.md
+++ b/homelab/README.md
@ -3,11 +3,3 @@
 # Configure caddy cloudflare
 Find instructions on [caddy-dns cloudflare](https://github.com/caddy-dns/cloudflare)
 # Services
 | Name | Use | Domain | Auth |
 | --- | --- | --- | --- |
 | Adguard | DNS | https://adguard.timo.bmrs.nl/ | local | 
 | Caddy | Reverse proxy | - | - |
 | Forgejo | Git | https://git.timo.bmrs.nl/ | Openid |
 | Ldap | User directory | https://ldap.timo.bmrs.nl/ | - |
--- a/homelab/authelia/.gitignore
+++ b/homelab/authelia/.gitignore
@ -1 +0,0 @@
 keys/
--- a/homelab/authelia/README.md
+++ b/homelab/authelia/README.md
@ -1,2 +0,0 @@
 - Follow [This](https://www.authelia.com/configuration/identity-providers/openid-connect/provider/) guide for generating keys
 - Store the keys in the /keys directory
--- a/homelab/authelia/config/.gitignore
+++ b/homelab/authelia/config/.gitignore
@ -0,0 +1,2 @@
 db.sqlite3
 notifications.txt
--- a/homelab/authelia/config/configuration.yml
+++ b/homelab/authelia/config/configuration.yml
@ -632,30 +632,9 @@ access_control:
  rules:
    ## Rules applied to everyone
-    - domain: 'auth.timo.bmrs.nl'
+    - domain: '*.timo.bmrs.nl'
      policy: 'bypass'
    - domain: 'adguard.timo.bmrs.nl'
      policy: 'two_factor'
      subject: 'group:adguard'
    - domain: 'bitwarden.timo.bmrs.nl'
      policy: 'two_factor'
    - domain: 'git.timo.bmrs.nl'
      policy: 'bypass'
    - domain: 'home.timo.bmrs.nl'
      policy: 'one_factor'
    - domain: 'ldap.timo.bmrs.nl'
      policy: 'two_factor'
      subject: 'group:admin'
    - domain: 'uptime.timo.bmrs.nl'
      policy: 'bypass'
    ## Domain Regex examples. Generally we recommend just using a standard domain.
    # - domain_regex: '^(?P<User>\w+)\.example\.com$'
    #   policy: 'one_factor'
@ -1159,35 +1138,39 @@ notifier:
 ##
 ## Identity Providers
 ##
-identity_providers:
+# identity_providers:
  ##
  ## OpenID Connect (Identity Provider)
  ##
  ## It's recommended you read the documentation before configuration of this section:
  ## https://www.authelia.com/c/oidc
-  oidc:
+  # oidc:
    ## The hmac_secret is used to sign OAuth2 tokens (authorization code, access tokens and refresh tokens).
    ## HMAC Secret can also be set using a secret: https://www.authelia.com/c/secrets
-    hmac_secret: $HMAC_SECRET
+    # hmac_secret: 'this_is_a_secret_abc123abc123abc'
    ## The JWK's issuer option configures multiple JSON Web Keys. It's required that at least one of the JWK's
    ## configured has the RS256 algorithm. For RSA keys (RS or PS) the minimum is a 2048 bit key.
-    jwks:
+    # jwks:
-      -       
+    # -
      ## Key ID embedded into the JWT header for key matching. Must be an alphanumeric string with 7 or less characters.
      ## This value is automatically generated if not provided. It's recommended to not configure this.
-        # key_id: 'exmple'
+      # key_id: 'example'
      ## The key algorithm used with this key.
-        algorithm: 'RS256'
+      # algorithm: 'RS256'
      ## The key use expected with this key. Currently only 'sig' is supported.
-        use: 'sig'
+      # use: 'sig'
      ## Required Private Key in PEM DER form.
-        key: |
+      # key: |
-          {{- fileContent "/keys/private.pem" | nindent 10 }}
+        # -----BEGIN RSA PRIVATE KEY-----
        # ...
        # -----END RSA PRIVATE KEY-----
      ## Optional matching certificate chain in PEM DER form that matches the key. All certificates within the chain
      ## must be valid and current, and from top to bottom each certificate must be signed by the subsequent one.
      # certificate_chain: |
@ -1199,18 +1182,18 @@ identity_providers:
        # -----END CERTIFICATE-----
    ## Enables additional debug messages.
-    enable_client_debug_messages: false
+    # enable_client_debug_messages: false
    ## SECURITY NOTICE: It's not recommended changing this option and values below 8 are strongly discouraged.
-    minimum_parameter_entropy: 8
+    # minimum_parameter_entropy: 8
    ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it set to 'never'
    ## for security reasons.
-    enforce_pkce: 'public_clients_only'
+    # enforce_pkce: 'public_clients_only'
    ## SECURITY NOTICE: It's not recommended changing this option. We encourage you to read the documentation and fully
    ## understanding it before enabling this option.
-    enable_jwt_access_token_stateless_introspection: false
+    # enable_jwt_access_token_stateless_introspection: false
    ## The signing algorithm used for signing the discovery and metadata responses. An issuer JWK with a matching
    ## algorithm must be available when configured. Most clients completely ignore this and it has a performance cost.
@ -1222,68 +1205,68 @@ identity_providers:
    ## Authorization Policies which can be utilized by clients. The 'policy_name' is an arbitrary value that you pick
    ## which is utilized as the value for the 'authorization_policy' on the client.
-    authorization_policies:
+    # authorization_policies:
-      forgejo:
+      # policy_name:
-        default_policy: 'deny'
+        # default_policy: 'two_factor'
-        rules:
+        # rules:
-          - policy: 'two_factor'
+          # - policy: 'one_factor'
-            subject: 'group:forgejo'
+          #   subject: 'group:services'
    ## The lifespans configure the expiration for these token types in the duration common syntax. In addition to this
    ## syntax the lifespans can be customized per-client.
-    lifespans:
+    # lifespans:
      ## Configures the default/fallback lifespan for given token types. This behaviour applies to all clients and all
      ## grant types but you can override this behaviour using the custom lifespans.
-      access_token: '1 hour'
+      # access_token: '1 hour'
-      authorize_code: '1 minute'
+      # authorize_code: '1 minute'
-      id_token: '1 hour'
+      # id_token: '1 hour'
-      refresh_token: '90 minutes'
+      # refresh_token: '90 minutes'
    ## Cross-Origin Resource Sharing (CORS) settings.
-    cors:
+    # cors:
      ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
-      endpoints:
+      # endpoints:
-         - 'authorization'
+        #  - 'authorization'
-         - 'pushed-authorization-request'
+        #  - 'pushed-authorization-request'
-         - 'token'
+        #  - 'token'
-         - 'revocation'
+        #  - 'revocation'
-         - 'introspection'
+        #  - 'introspection'
-         - 'userinfo'
+        #  - 'userinfo'
      ## List of allowed origins.
      ## Any origin with https is permitted unless this option is configured or the
      ## allowed_origins_from_client_redirect_uris option is enabled.
-      allowed_origins:
+      # allowed_origins:
-        - 'https://timo.bmrs.nl'
+        # - 'https://example.com'
      ## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins,
      ## provided they have the scheme http or https and do not have the hostname of localhost.
-      allowed_origins_from_client_redirect_uris: false
+      # allowed_origins_from_client_redirect_uris: false
    ## Clients is a list of known clients and their configuration.
-    clients:
+    # clients:
-      -
+      # -
        ## The Client ID is the OAuth 2.0 and OpenID Connect 1.0 Client ID which is used to link an application to a
        ## configuration.
-        client_id: '{{ env "CLIENT_ID_FORGEJO" }}'
+        # client_id: 'myapp'
        ## The description to show to users when they end up on the consent screen. Defaults to the ID above.
-        client_name: 'Forgejo'
+        # client_name: 'My Application'
        ## The client secret is a shared secret between Authelia and the consumer of this client.
        # yamllint disable-line rule:line-length
-        client_secret: '{{ env "CLIENT_SECRET_FORGEJO" }}'
+        # client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
        ## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not
        ## necessary. It is critical to read the documentation for more information.
        # sector_identifier_uri: 'https://example.com/sector.json'
        ## Sets the client to public. This should typically not be set, please see the documentation for usage.
-        public: false
+        # public: false
        ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
-        redirect_uris:
+        # redirect_uris:
-          - 'https://git.timo.bmrs.nl/user/oauth2/Authelia/callback'
+          # - 'https://oidc.example.com:8080/oauth2/callback'
        ## Request URI's specifies a list of valid case-sensitive TLS-secured URIs for this client for use as
        ## URIs to fetch Request Objects.
@ -1294,10 +1277,11 @@ identity_providers:
        # audience: []
        ## Scopes this client is allowed to request.
-        scopes:
+        # scopes:
-          - 'openid'
+          # - 'openid'
-          - 'email'
+          # - 'groups'
-          - 'profile'
+          # - 'email'
          # - 'profile'
        ## Grant Types configures which grants this client can obtain.
        ## It's not recommended to define this unless you know what you're doing.
@ -1316,7 +1300,7 @@ identity_providers:
        ## The policy to require for this client; one_factor or two_factor. Can also be the key names for the
        ## authorization policies section.
-        authorization_policy: 'forgejo'
+        # authorization_policy: 'two_factor'
        ## The custom lifespan name to use for this client. This must be configured independent of the client before
        ## utilization. Custom lifespans are reusable similar to authorization policies.
@ -1342,7 +1326,7 @@ identity_providers:
        ## The permitted client authentication method for the Token Endpoint for this client.
        ## For confidential client types this value defaults to 'client_secret_basic' and for the public client types it
        ## defaults to 'none' per the specifications.
-        token_endpoint_auth_method: 'client_secret_basic'
+        # token_endpoint_auth_method: 'client_secret_basic'
        ## The permitted client authentication signing algorithm for the Token Endpoint for this client when using
        ## the 'client_secret_jwt' or 'private_key_jwt' token_endpoint_auth_method.
@ -1384,7 +1368,7 @@ identity_providers:
        ## The signing algorithm used for User Info responses. An issuer JWK with a matching algorithm must be
        ## available. Has no effect if userinfo_signing_key_id is configured.
-        userinfo_signed_response_alg: 'none'
+        # userinfo_signed_response_alg: 'none'
        ## The signing key id used for User Info responses. An issuer JWK with a matching key id must be available when
        ## configured.
--- a/homelab/authelia/config/notification.txt
+++ b/homelab/authelia/config/notification.txt
--- a/homelab/authelia/docker-compose.yml
+++ b/homelab/authelia/docker-compose.yml
@ -3,21 +3,15 @@ services:
    image: authelia/authelia:latest
    container_name: authelia
    restart: unless-stopped
    volumes:
      - ./config:/config
    depends_on:
      - lldap
    volumes:
      - ./config/configuration.yml:/config/configuration.yml
      - ./config/keys:/keys
      - data_authelia:/config
    environment:
      X_AUTHELIA_CONFIG_FILTERS: template
      JWT_SECRET: ${AUTHELIA_JWT_SECRET}
      SESSION_SECRET: ${AUTHELIA_SESSION_SECRET}
      STORAGE_ENCRYPTION_KEY: ${AUTHELIA_STORAGE_ENCRYPTION_KEY}
      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: ${LLDAP_ADMIN_PASSWORD}
      HMAC_SECRET: ${AUTHELIA_HMAC_SECRET}
      CLIENT_SECRET_FORGEJO: ${AUTHELIA_CLIENT_SECRET_FORGEJO}
      CLIENT_ID_FORGEJO: ${AUTHELIA_CLIENT_ID_FORGEJO}
  lldap:
    image: lldap/lldap:latest
@ -33,7 +27,6 @@ services:
 volumes:
  data_lldap:
  data_authelia:
 networks:
  default:
--- a/homelab/caddy/caddyfiles/Caddyfile
+++ b/homelab/caddy/caddyfiles/Caddyfile
@ -12,10 +12,5 @@ localhost {
 		resolvers 1.1.1.1
 	}
 	forward_auth authelia:9091 {
 		uri /api/authz/forward-auth
 		copy_headers Remote-User Remote-Groups Remote-Email Remote-Name		
 	}
 	import routes/*
 }
--- a/homelab/caddy/caddyfiles/routes/adguard
+++ b/homelab/caddy/caddyfiles/routes/adguard
@ -1,4 +1,9 @@
@adguard host adguard.timo.bmrs.nl
 handle @adguard {
 	forward_auth authelia:9091 {
 		uri /api/authz/forward-auth
 		copy_headers Remote-User Remote-Groups Remote-Email Remote-Name		
 	}
 	reverse_proxy adguardhome:3000
 }
--- a/homelab/caddy/caddyfiles/routes/forgejo
+++ b/homelab/caddy/caddyfiles/routes/forgejo
@ -1,4 +0,0 @@
@forgejo host git.timo.bmrs.nl
 handle @forgejo {
 	reverse_proxy forgejo:3000
 }
--- a/homelab/caddy/caddyfiles/routes/homepage
+++ b/homelab/caddy/caddyfiles/routes/homepage
@ -1,4 +0,0 @@
@homepage host home.timo.bmrs.nl
 handle @homepage {
 	reverse_proxy homepage:3000
 }
--- a/homelab/caddy/caddyfiles/routes/uptime-kuma
+++ b/homelab/caddy/caddyfiles/routes/uptime-kuma
@ -1,4 +0,0 @@
@uptime-kuma host uptime.timo.bmrs.nl
 handle @uptime-kuma {
 	reverse_proxy uptime-kuma:3001
 }
--- a/homelab/caddy/caddyfiles/routes/vaultwarden
+++ b/homelab/caddy/caddyfiles/routes/vaultwarden
@ -1,4 +0,0 @@
@vaultwarden host bitwarden.timo.bmrs.nl
 handle @vaultwarden {
 	reverse_proxy vaultwarden:80
 }
--- a/homelab/caddy/docker-compose.yml
+++ b/homelab/caddy/docker-compose.yml
@ -16,16 +16,12 @@ services:
    environment:
      CF_ZONE_TOKEN: ${CF_ZONE_TOKEN}
      CF_API_TOKEN: ${CF_API_TOKEN}
    networks:
      proxy:
        aliases:
          - auth.timo.bmrs.nl
 volumes:
  data:
  config:
 networks:
-  proxy:
+  default:
    name: proxy
    external: true
--- a/homelab/forgejo/config/app.ini
+++ b/homelab/forgejo/config/app.ini
--- a/homelab/forgejo/docker-compose.yml
+++ b/homelab/forgejo/docker-compose.yml
@ -1,40 +0,0 @@
 services:
  forgejo:
    image: codeberg.org/forgejo/forgejo:9
    container_name: forgejo
    restart: unless-stopped
    depends_on:
      - db
    ports:
      - 222:22
    volumes:
      - data:/data
      - ./config/app.ini:/etc/forgejo/app.ini
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro 
    environment:
      FORGEJO__database__DB_TYPE: postgres
      FORGEJO__database__HOST: "db:5432"
      FORGEJO__database__NAME: forgejo
      FORGEJO__database__USER: forgejo
      FORGEJO__database__PASSWD: ${DB_PASSWORD}
  db:
    image: postgres:14
    container_name: forgejo-db
    restart: unless-stopped
    volumes:
      - data_db:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: forgejo
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGES_DB: forgejo
 volumes:
  data:
  data_db:
 networks:
  default:
    name: proxy
    external: true
--- a/homelab/homepage/config/.gitignore
+++ b/homelab/homepage/config/.gitignore
@ -1 +0,0 @@
 logs/
--- a/homelab/homepage/config/bookmarks.yaml
+++ b/homelab/homepage/config/bookmarks.yaml
@ -1,3 +0,0 @@
 ---
 # For configuration options and examples, please see:
 # https://gethomepage.dev/configs/bookmarks
--- a/homelab/homepage/config/custom.js
+++ b/homelab/homepage/config/custom.js
--- a/homelab/homepage/config/docker.yaml
+++ b/homelab/homepage/config/docker.yaml
@ -1,10 +0,0 @@
 ---
 # For configuration options and examples, please see:
 # https://gethomepage.dev/configs/docker/
 # my-docker:
 #   host: 127.0.0.1
 #   port: 2375
 docker:
  socket: /var/run/docker.sock
--- a/homelab/homepage/config/kubernetes.yaml
+++ b/homelab/homepage/config/kubernetes.yaml
@ -1,2 +0,0 @@
 ---
 # sample kubernetes config
--- a/homelab/homepage/config/services.yaml
+++ b/homelab/homepage/config/services.yaml
@ -1,55 +0,0 @@
 ---
 # For configuration options and examples, please see:
 # https://gethomepage.dev/configs/services
 - Primary Services:
    - Adguard:
        href: https://adguard.timo.bmrs.nl/
        description: DNS
        icon: adguard-home
        server: docker
        container: adguardhome
        widget:
            type: adguard
            url: http://adguardhome:3000
            username: xeovalyte
            password: {{HOMEPAGE_VAR_ADGUARD_PASSWORD}}
    - Forgejo:
        href: https://git.timo.bmrs.nl/
        description: Git
        icon: forgejo
        server: docker
        container: forgejo
    - Uptime Kuma:
        href: https://uptime.timo.bmrs.nl/
        description: Uptime monitoring
        icon: uptime-kuma
        server: docker
        container: uptime-kuma
    - Vaultwarden:
        href: https://bitwarden.timo.bmrs.nl/
        description: Password manager
        icon: bitwarden
        server: docker
        container: vaultwarden
 - Backend Services:
    - Authelia:
        description: SSO
        icon: authelia
        server: docker
        container: authelia
    - Caddy:
        description: Reverse proxy
        icon: caddy
        server: docker
        container: caddy
    - LLDAP:
        description: Active directory
        server: docker
        container: lldap
--- a/homelab/homepage/config/settings.yaml
+++ b/homelab/homepage/config/settings.yaml
@ -1,21 +0,0 @@
 ---
 # For configuration options and examples, please see:
 # https://gethomepage.dev/configs/settings
 providers:
  openweathermap: openweathermapapikey
  weatherapi: weatherapiapikey
 title: Xeovalyte's Dashboard
 color: slate
 headerStyle: boxedWidgets
 layout:
  Primary Services:
    style: row
    columns: 3
  Backend Services:
    style: row
    columns: 4
--- a/homelab/homepage/config/widgets.yaml
+++ b/homelab/homepage/config/widgets.yaml
@ -1,12 +0,0 @@
 ---
 # For configuration options and examples, please see:
 # https://gethomepage.dev/configs/service-widgets
 - resources:
    cpu: true
    memory: true
    disk: /
 - search:
    provider: duckduckgo
    target: _blank
--- a/homelab/homepage/docker-compose.yml
+++ b/homelab/homepage/docker-compose.yml
@ -1,19 +0,0 @@
 services:
  homepage:
    image: ghcr.io/gethomepage/homepage:latest
    container_name: homepage
    restart: unless-stopped
    volumes:
      - ./config:/app/config
      - logs:/app/config/logs
      - /run/user/1000/docker.sock:/var/run/docker.sock
    environment:
      HOMEPAGE_VAR_ADGUARD_PASSWORD: $ADGUARD_PASSWORD
 volumes:
  logs:
 networks:
  default:
    name: proxy
    external: true
--- a/homelab/uptime-kuma/docker-compose.yml
+++ b/homelab/uptime-kuma/docker-compose.yml
@ -1,15 +0,0 @@
 services:
  uptime-kuma:
    image: louislam/uptime-kuma:1
    container_name: uptime-kuma
    restart: unless-stopped
    volumes:
      - data:/app/data
 volumes:
  data:
 networks:
  default:
    name: proxy
    external: true
--- a/homelab/vaultwarden/docker-compose.yml
+++ b/homelab/vaultwarden/docker-compose.yml
@ -1,17 +0,0 @@
 services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    volumes:
      - data:/data
    environment:
      SIGNUPS_ALLOWED: "true"
 volumes:
  data:
 networks:
  default:
    name: proxy
    external: true
		`@ -1,2 +0,0 @@`
			`- Follow [This](https://www.authelia.com/configuration/identity-providers/openid-connect/provider/) guide for generating keys`
			`- Store the keys in the /keys directory`