diff --git a/.env b/.env index 4210ada..5b96cb3 100644 --- a/.env +++ b/.env @@ -4,6 +4,8 @@ DIR=/srv/docker DOMAIN=milvert.com DOMAIN_PEEK=peekskog.se +SECRETSDIR=/home/simon/repo/Docker/secrets + CLOUDFLARE_IPS=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32 LOCAL_IPS=127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..940527b --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +librespeed/config/log/* +**/[Ll]ogs +**/[Ll]og diff --git a/authelia/configuration.yml b/authelia/configuration.yml new file mode 100644 index 0000000..4ae9685 --- /dev/null +++ b/authelia/configuration.yml 
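Review bot: `SECRETSDIR=/home/simon/repo/Docker/secrets` points the new compose `secrets:` files at a path that, by its name, looks to sit inside this repository's working tree, while the `.gitignore` created in the next hunk excludes only log directories. If `secrets/` really is under the checkout, a plain `git add .` commits every Authelia secret and the Postgres password, so add `secrets/` to `.gitignore`, and `notify.txt` with it since the authelia service mounts that file from the repo root. Note that `.env` itself is a tracked file here, so values placed in it are committed as well.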
@@ -0,0 +1,106 @@
+###############################################################
+# Authelia configuration #
+###############################################################
+
+server.host: 0.0.0.0
+server.port: 9091
+log:
+ level: info
+
+# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
+# I used this site to generate the secret: https://www.grc.com/passwords.htm
+#jwt_secret: SECRET_GOES_HERE # use docker secret file instead AUTHELIA_JWT_SECRET_FILE
+
+# https://docs.authelia.com/configuration/miscellaneous.html#default-redirection-url
+default_redirection_url: https://authelia.milvert.com
+
+totp:
+ issuer: authelia.com
+ period: 30
+ skew: 1
+
+# Enable the following for Duo Push Notification support
+# https://www.authelia.com/docs/features/2fa/push-notifications.html
+#duo_api:
+# hostname: api-123456789.example.com
+# integration_key: ABCDEF
+# # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
+# secret_key: # use docker secret file instead AUTHELIA_DUO_API_SECRET_KEY_FILE
+
+authentication_backend:
+ file:
+ path: /config/users_database.yml
+ # customize passwords based on https://docs.authelia.com/configuration/authentication/file.html
+ password:
+ algorithm: argon2id
+ iterations: 1
+ salt_length: 16
+ parallelism: 8
+ memory: 1024 # blocks this much of the RAM. Tune this.
+
+# https://docs.authelia.com/configuration/access-control.html
+access_control:
+ default_policy: deny
+ rules:
+ # Rules applied to everyone
+ - domain: authelia.milvert.com
+ policy: bypass
+# - domain: radarr.example.com
+# policy: bypass
+# subject: "group:admins"
+# resources:
+# - "^/api/.*$"
+# - domain: "*.example.com"
+# policy: one_factor
+ - domain: "*.milvert.com"
+ policy: two_factor
+ - domain: "milvert.com"
+ policy: two_factor
+
+session:
+ name: authelia_session
+ # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
+ # Used a different secret, but the same site as jwt_secret above.
+ # secret: SECRET_GOES_HERE # use docker secret file instead AUTHELIA_SESSION_SECRET_FILE
+ expiration: 3600 # 1 hour
+ inactivity: 1800 # 30 min
+ domain: milvert.com # Should match whatever your root protected domain is
+
+# Optional. Can improve performance on a busy system. If not enabled, session info is stored in memory.
+# redis:
+# host: redis
+# port: 6379
+ # This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
+ # password: authelia
+
+regulation:
+ max_retries: 3
+ find_time: 120
+ ban_time: 300
+
+storage:
+
+# For local storage, uncomment lines below and comment out mysql. https://docs.authelia.com/configuration/storage/sqlite.html
+#local:
+ #path: /config/db.sqlite3
+ postgres:
+ # MySQL allows running multiple authelia instances. Create database and enter details below.
+ host: postgres
+ port: 5432
+ database: authelia
+ username: authelia
+ # Password can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
+ # password: use docker secret file instead AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE
+
+notifier:
+ disable_startup_check: false
+ #smtp:
+ #username: SMTP_USERNAME
+ # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
+ # password: # use docker secret file instead AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
+ #host: SMTP_HOST
+ #port: 587 #465
+ #sender: SENDER_EMAIL
+ # For testing purpose, notifications can be sent in a file. Be sure map the volume in docker-compose.
+ filesystem:
+ filename: /tmp/authelia/notification.txt
diff --git a/authelia/users_database.yml b/authelia/users_database.yml
new file mode 100644
index 0000000..94ffd1f
--- /dev/null
+++ b/authelia/users_database.yml
@@ -0,0 +1,8 @@
+users:
+ simon:
+ displayname: "Simon Milvert"
+ password: "$argon2id$v=19$m=65536,t=3,p=4$a/EFVtykPGlbBXR0bsS2xw$AfqJHwoJK+iEtvbsCR9l5kCDC3DviHpjRCxijyET1o8"
+ email: simon@milvert.com
+ groups:
+ - admins
+ - dev
diff --git a/docker-compose.database.yml b/docker-compose.database.yml
index 70f5105..30c0275 100644
--- a/docker-compose.database.yml
+++ b/docker-compose.database.yml
@@ -103,8 +103,8 @@ services:
 labels:
 - diun.enable=true
 - "traefik.enable=true"
- - "traefik.http.middlewares.webpg-mid.ipwhitelist.sourcerange=127.0.0.1/32, 10.0.0.1/24"
- - "traefik.http.routers.webpg-secure.middlewares=webpg-mid"
+ # - "traefik.http.middlewares.webpg-mid.ipwhitelist.sourcerange=127.0.0.1/32, 10.0.0.1/24"
+#- "traefik.http.routers.webpg-secure.middlewares=webpg-mid"
 - "traefik.http.routers.webpg-secure.entrypoints=web-secure"
 - "traefik.http.routers.webpg-secure.rule=Host(`webpg.${DOMAIN}`)"
 - "traefik.http.routers.webpg-secure.tls.certresolver=milvert_dns"
diff --git a/docker-compose.service.yml b/docker-compose.service.yml
index 4e35d5f..aa135da 100644
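Review bot: The `notifier.filesystem` block is the only notifier enabled, so every identity-verification and password-reset link Authelia issues is written to `/tmp/authelia/notification.txt`, which the compose change in this commit bind-mounts to `./notify.txt` in the repository directory; the comment directly above it says this mode is for testing. Either restore the `smtp` block as the real notifier, or at least keep `notify.txt` out of version control and readable only by the service account. Separately, the comment under `storage.postgres` still refers to `AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE` (and says `# MySQL allows running multiple authelia instances`) while the container is given `AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE`; change it to `# password: supplied via AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE (docker secret)` so the next reader looks for the right variable.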
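Review bot: This file commits a real account — username `simon`, email and an argon2id password hash — into the repository next to the rest of the stack. argon2id is a good choice, but a committed hash is still an offline-crackable credential, and if password reset is enabled the file backend writes new hashes back into this same file, so it belongs with the material in `$SECRETSDIR` rather than under `authelia/` in git. At minimum add `authelia/users_database.yml` to `.gitignore` and check in a `users_database.example.yml` with a placeholder hash instead.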
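Review bot: Commenting out both `webpg-mid` lines leaves the `webpg-secure` router for pgadmin with no middleware at all, so the admin UI is reachable from any source address protected only by pgadmin's own login, whereas every other router touched in this commit receives either `chain-authelia@file` or `chain-no-auth@file`. If the aim was to replace the IP allow-list with SSO, add `- "traefik.http.routers.webpg-secure.middlewares=chain-authelia@file"` here. The same pgadmin service is declared a second time, with an identical commented-out pair, in `docker-compose.yml` in this commit, so whichever file is actually loaded needs that line.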
--- a/docker-compose.service.yml +++ b/docker-compose.service.yml @@ -11,7 +11,7 @@ services: max-file: "3" networks: - backend - image: koenkk/zigbee2mqtt:1.30.1 + image: koenkk/zigbee2mqtt:1.30.4 restart: always volumes: - ./zigbee_home_2:/app/data @@ -29,7 +29,7 @@ services: - "traefik.http.routers.zighome-secure.entrypoints=web-secure" - "traefik.http.routers.zighome-secure.rule=Host(`zig2.${DOMAIN}`)" - "traefik.http.routers.zighome-secure.tls.certresolver=milvert_dns" - - "traefik.http.routers.zighome-secure.middlewares=auth@file" + - "traefik.http.routers.zighome-secure.middlewares=chain-authelia@file" - "traefik.http.routers.zighome-secure.tls=true" zigbee2mqtt: @@ -41,7 +41,7 @@ services: max-file: "5" networks: - backend - image: koenkk/zigbee2mqtt:1.30.1 + image: koenkk/zigbee2mqtt:1.30.4 restart: always volumes: - ${DIR}/zigbee2matt:/app/data @@ -60,7 +60,7 @@ services: - "traefik.http.routers.zig1-secure.entrypoints=web-secure" - "traefik.http.routers.zig1-secure.rule=Host(`zig1.${DOMAIN}`)" - "traefik.http.routers.zig1-secure.tls.certresolver=milvert_dns" - - "traefik.http.routers.zig1-secure.middlewares=auth@file" + - "traefik.http.routers.zig1-secure.middlewares=chain-authelia@file" - "traefik.http.routers.zig1-secure.tls=true" grafana: @@ -84,6 +84,7 @@ services: - "traefik.enable=true" - "traefik.http.routers.grafana-secure.entrypoints=web-secure" - "traefik.http.routers.grafana-secure.rule=Host(`data.${DOMAIN}`)" + - "traefik.http.routers.grafana-secure.middlewares=chain-no-auth@file" - "traefik.http.routers.grafana-secure.tls.certresolver=milvert_dns" - "traefik.http.routers.grafana-secure.tls=true" 
@@ -125,6 +126,7 @@ services: - "traefik.http.routers.influx-secure.entryPoints=web-secure" - "traefik.http.routers.influx-secure.tls.certresolver=milvert_dns" - "traefik.http.routers.influx-secure.tls=true" + - "traefik.http.routers.influx-secure.middlewares=chain-no-auth@file" #- "traefik.http.middlewares.webpg-mid.ipwhitelist.sourcerange=127.0.0.1/32, 10.0.0.1/24" # - "traefik.http.routers.influx-secure.middlewares=localNetwork@file" @@ -188,6 +190,7 @@ services: - "traefik.http.routers.gitea-secure.rule=Host(`gitea.${DOMAIN}`)" - "traefik.http.routers.gitea-secure.tls.certresolver=milvert_dns" - "traefik.http.routers.gitea-secure.tls=true" + - "traefik.http.routers.gitea-secure.middlewares=chain-no-auth@file" mqtt: @@ -300,7 +303,7 @@ services: - diun.enable=true pihole: - image: pihole/pihole:2023.02.1 + image: pihole/pihole:2023.03.1 container_name: pihole ports: - "53:53/tcp" @@ -326,6 +329,8 @@ services: backend: backend_macvlan: ipv4_address: 10.0.0.201 + pihole_net: + ipv4_address: 10.0.5.3 labels: - diun.enable=true - "traefik.enable=true" @@ -336,6 +341,7 @@ services: - "traefik.http.routers.pihole-secure.rule=Host(`pihole.${DOMAIN}`)" - "traefik.http.routers.pihole-secure.tls.certresolver=milvert_dns" - "traefik.http.routers.pihole-secure.tls=true" + - "traefik.http.routers.pihole-secure.middlewares=chain-no-auth@file" networks: frontend: @@ -349,3 +355,8 @@ networks: ipam: config: - subnet: 10.0.0.200/27 + pihole_net: + driver: bridge + ipam: + config: + - subnet: 10.0.5.0/29 diff --git a/docker-compose.web.yml b/docker-compose.web.yml index 9292254..fc7057d 100644 --- a/docker-compose.web.yml +++ b/docker-compose.web.yml 
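Review bot: In the `@@ -336` hunk the Pi-hole admin router is given `chain-no-auth@file`, which (per `traefik/middleware-chains.yml` in this commit) only adds rate limiting, compression, headers and the HTTPS redirect, so `pihole.${DOMAIN}` is published through Traefik protected solely by Pi-hole's web password; the `grafana-secure` (`@@ -84`) and `influx-secure` (`@@ -125`) routers get the same chain. For an admin UI with no non-browser clients to break, `chain-authelia@file` as used for the zigbee routers in this file is the safer default, `- "traefik.http.routers.pihole-secure.middlewares=chain-authelia@file"`. Where SSO is unwanted, the commented `localNetwork@file` alternative on the influx router is still available.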
@@ -40,6 +40,8 @@ services: - "traefik.http.routers.whoami-secure.rule=Host(`whoami.${DOMAIN}`)" - "traefik.http.routers.whoami-secure.tls.certresolver=milvert_dns" - "traefik.http.routers.whoami-secure.tls=true" + # - "traefik.http.routers.whoami-secure.middlewares=no-chain-auth@file" + - "traefik.http.routers.whoami-secure.middlewares=chain-authelia@file" ttrss: # A container that exposes an API to show its IP address diff --git a/docker-compose.yml b/docker-compose.yml index 34350ad..c3f041d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,4 +1,35 @@ -version: '3' +version: "3.9" + +secrets: + authelia_jwt_secret: + file: $SECRETSDIR/authelia_jwt_secret + authelia_session_secret: + file: $SECRETSDIR/authelia_session_secret + authelia_storage_postgres_password: + file: $SECRETSDIR/authelia_storage_postgres_password + authelia_storage_encryption_key_file: + file: $SECRETSDIR/authelia_storage_encryption_key_file + authelia_notifier_smtp_password: + file: $SECRETSDIR/authelia_notifier_smtp_password + authelia_duo_api_secret_key: + file: $SECRETSDIR/authelia_duo_api_secret_key + + +########################### EXTENSION FIELDS ########################## +# Helps eliminate repetition of sections +# More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228 +####################################################################### +x-environment: &default-tz-puid-pgid + - TZ=$TZ + - PUID=$PUID + - PGID=$PGID + +x-common-keys-monitoring: &common-keys-monitoring + networks: + - backend + security_opt: + - no-new-privileges:true + restart: always services: 
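Review bot: The `x-environment` anchor `&default-tz-puid-pgid` and `x-common-keys-monitoring` introduced in the `docker-compose.yml` hunk are not referenced by any service in this commit — the new `authelia` service in the next hunk spells out `TZ`/`PUID`/`PGID` inline — so they are dead definitions until something uses `environment: *default-tz-puid-pgid` or `<<: *common-keys-monitoring`. Compose resolves file-backed `secrets:` at start-up, so expect it to fail if `$SECRETSDIR/authelia_notifier_smtp_password` or `$SECRETSDIR/authelia_duo_api_secret_key` is absent even though SMTP and Duo are commented out in `authelia/configuration.yml`; a comment such as `# file must exist even while SMTP/Duo are disabled` would save the next person that surprise. The secret named `authelia_storage_encryption_key_file` carries a `_file` suffix the other five do not; `authelia_storage_encryption_key` would keep the secret and env-var names parallel.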
@@ -29,20 +60,198 @@ services: # So that Traefik can listen to the Docker events - /var/run/docker.sock:/var/run/docker.sock - ./traefik.yml:/etc/traefik/traefik.yml - #- ./traefik:/rules + - ./traefik:/rules - ./static_config.yml:/etc/traefik/static_config.yml # - "./log.json:/etc/traefik/log.json" #- ./acme.json:/acme.json - ./letsencrypt/acme.json:/letsencrypt/acme.json - ${DIR}/traefik/log:/log environment: - CF_API_EMAIL: simon@milvert.com - CF_API_KEY: 48d9ae3752afb6e73d99d23c432ba8e38b24c + - CF_API_EMAIL=simon@milvert.com + - CF_API_KEY=48d9ae3752afb6e73d99d23c432ba8e38b24c + - CLOUDFLARE_IPS + - LOCAL_IPS labels: - diun.enable=true + - "traefik.http.routers.zighome-secure.middlewares=chain-authelia@file" dns: - 8.8.8.8 + authelia: + image: authelia/authelia:4 + container_name: authelia + volumes: + - ./authelia:/config + - ./notify.txt:/tmp/authelia/notification.txt + networks: + - backend + - frontend + ports: + # The HTTP port + - "9091:9091" + environment: + - TZ=$TZ + - PUID=$PUID + - PGID=$PGID + - AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret + - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret + - AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE=/run/secrets/authelia_storage_postgres_password + #- AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password + - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key + - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/authelia_storage_encryption_key_file + labels: + - diun.enable=true + - "traefik.enable=true" + - "traefik.http.routers.authelia.entrypoints=web-secure" + - "traefik.http.routers.authelia.rule=Host(`authelia.${DOMAIN}`)" + - "traefik.http.services.authelia-service.loadbalancer.server.port=9091" + - "traefik.http.routers.authelia.tls.certresolver=milvert_dns" + - "traefik.http.routers.authelia.tls=true" + - 
"traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth?authelia_url=https://authelia.${DOMAIN}" # yamllint disable-line rule:line-length + - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true" + - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email" # yamllint disable-line rule:line-length + secrets: + - authelia_jwt_secret + - authelia_session_secret + - authelia_storage_postgres_password + - authelia_notifier_smtp_password + - authelia_duo_api_secret_key + - authelia_storage_encryption_key_file + + +######################### DATABASE ############################ +# +# DATABASE +# +############################################################### + + db: + image: mariadb:10.5.6 + container_name: mariaDB + logging: + driver: "json-file" + options: + max-size: "5m" + max-file: "3" + restart: always + networks: + - backend + volumes: + - ${DIR}/database:/var/lib/mysql:rw + ports: + - "3307:3306" + labels: + - diun.enable=true + - "traefik.enable=false" + environment: + - PUID=${UID} + - PGID=${GID} + - TZ=${TZ} + - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD} + - MYSQL_USER=${MYSQL_USERNAME} + - MYSQL_PASSWORD=${MYSQL_PASSWORD} + + web_db: + image: adminer + container_name: adminer + logging: + driver: "json-file" + options: + max-size: "5m" + max-file: "3" + restart: always + networks: + - backend + labels: + - diun.enable=true + - "traefik.enable=true" + - "traefik.http.middlewares.webdb-mid.ipwhitelist.sourcerange=127.0.0.1/32, 10.0.0.1/24" + - "traefik.http.routers.webdb-secure.middlewares=webdb-mid" + - "traefik.http.routers.webdb-secure.entrypoints=web-secure" + - "traefik.http.routers.webdb-secure.rule=Host(`webdb.${DOMAIN}`)" + - "traefik.http.routers.webdb-secure.tls.certresolver=milvert_dns" + - "traefik.http.routers.webdb-secure.tls=true" + - "traefik.http.services.webdb-service.loadbalancer.server.port=8080" + depends_on: + - db + 
environment: + - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD} + - MYSQL_USER=${MYSQL_USERNAME} + - MYSQL_PASSWORD=${MYSQL_PASSWORD} + - PMA_ARBITRARY=1 + + postgres: + image: postgres:15 + container_name: postgres + logging: + driver: "json-file" + options: + max-size: "5m" + max-file: "3" + restart: always + networks: + - backend + volumes: + - ${DIR}/database_pg/data:/var/lib/postgresql/data + labels: + - diun.enable=true + - "traefik.enable=false" + environment: + - PUID=${UID} + - PGID=${GID} + - TZ=${TZ} + - POSTGRES_USER=${POSTGRES_USER} + - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} + + + pgadmin: + container_name: pgadmin_container + image: dpage/pgadmin4 + logging: + driver: "json-file" + options: + max-size: "5m" + max-file: "3" + environment: + PUID: ${UID} + PGID: ${GID} + TZ: ${TZ} + PGADMIN_DEFAULT_EMAIL: ${PGADMIN_DEFAULT_EMAIL} + PGADMIN_DEFAULT_PASSWORD: ${PGADMIN_DEFAULT_PASSWORD} + volumes: + - ${DIR}/database_pg/pgadmin:/root/.pgadmin + networks: + - backend + restart: unless-stopped + depends_on: + - postgres + labels: + - diun.enable=true + - "traefik.enable=true" + #- "traefik.http.middlewares.webpg-mid.ipwhitelist.sourcerange=127.0.0.1/32, 10.0.0.1/24" + # # # - "traefik.http.routers.webpg-secure.middlewares=webpg-mid" + - "traefik.http.routers.webpg-secure.entrypoints=web-secure" + - "traefik.http.routers.webpg-secure.rule=Host(`webpg.${DOMAIN}`)" + - "traefik.http.routers.webpg-secure.tls.certresolver=milvert_dns" + - "traefik.http.routers.webpg-secure.tls=true" + #- "traefik.http.services.webpg-service.loadbalancer.server.port=8080" + + redis: + image: redis:7.0-alpine + container_name: redis + logging: + driver: "json-file" + options: + max-size: "5m" + max-file: "3" + restart: always + networks: + - backend + volumes: + - ${DIR}/redis:/var/lib/redis + #entrypoint: redis-server --appendonly yes --requirepass $REDIS_PASSWORD --maxmemory 512mb --maxmemory-policy allkeys-lru + labels: + - diun.enable=true networks: frontend: external: true 
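Review bot: `CF_API_KEY=…` in the traefik `environment:` block keeps a Cloudflare Global API key — an account-wide credential — in clear text in a committed compose file; the commit introduces a `secrets:` mechanism for Authelia but leaves this value in place (it was already on the old side and has only been reformatted). Treat it as exposed and rotate it, then replace it with a DNS-edit-scoped token via `CF_DNS_API_TOKEN` sourced from `$SECRETSDIR` or the environment instead of the file. Two smaller points in the same hunk: the label `traefik.http.routers.zighome-secure.middlewares=chain-authelia@file` is attached to the traefik container rather than the zigbee service that owns `zighome-secure`, and `ports: - "9091:9091"` publishes Authelia directly on the host even though the forwardAuth middlewares reach it as `http://authelia:9091` over the internal network.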
diff --git a/traefik.yml b/traefik.yml index d044c0c..149ee0c 100644 --- a/traefik.yml +++ b/traefik.yml @@ -7,11 +7,12 @@ providers: exposedbydefault: false file: - filename: "/etc/traefik/static_config.yml" + # filename: "/etc/traefik/static_config.yml" + directory: /rules watch: true log: - level: error + level: info #filePath: "/log/info.log" # format: json @@ -59,22 +60,19 @@ certificatesResolvers: - "1.1.1.1:53" - "8.8.8.8:53" -http: - middlewares: - redirect: - redirectScheme: - scheme: https - whitelist: - ipWhiteList: - sourceRange: - - "127.0.0.1/32" - - "10.0.0.1/32" entryPoints: web: address: ":80" + forwardedHeaders: + trustedIPs: [ 173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32,127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12] web-secure: address: ":443" + forwardedHeaders: + trustedIPs: [ 173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32,127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12] + proxyProtocol: + trustedIPs: [ 173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32,127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12] + influx: address: ":8086" mqtt_http: 
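Review bot: The same 26-entry `trustedIPs` list is pasted three times in the `@@ -59` hunk (`web.forwardedHeaders`, `web-secure.forwardedHeaders`, `web-secure.proxyProtocol`), and the `CLOUDFLARE_IPS`/`LOCAL_IPS` variables this commit passes into the traefik container cannot be substituted into it, because Traefik's static configuration file is not templated. Cloudflare's published ranges do change over time, so three hand-copied lists will drift; put a comment above the first copy, `# Cloudflare IPv4/IPv6 ranges + LAN — keep all three lists and .env CLOUDFLARE_IPS in sync`, or move these settings to `--entrypoints.*.forwardedheaders.trustedips` flags in the compose `command:` where compose does expand `$CLOUDFLARE_IPS`. Since `proxyProtocol` is configured only on `web-secure`, the note should also say whether `:80` is expected to receive PROXY headers.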
@@ -85,15 +83,3 @@ entryPoints: address: ":8883" -tls: - options: - default: - minVersion: VersionTLS12 - sniStrict : true - cipherSuites: - - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 - - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 diff --git a/traefik/middleware-chains.yml b/traefik/middleware-chains.yml new file mode 100644 index 0000000..3c36463 --- /dev/null +++ b/traefik/middleware-chains.yml @@ -0,0 +1,27 @@ +http: + middlewares: + chain-no-auth: + chain: + middlewares: + - middlewares-rate-limit + - middlewares-compress + - middlewares-secure-headers + - middlewares-https-redirectscheme + + chain-auth: + chain: + middlewares: + - middlewares-basic-auth + - middlewares-rate-limit + - middlewares-compress + - middlewares-secure-headers + - middlewares-https-redirectscheme + + chain-authelia: + chain: + middlewares: + - middlewares-rate-limit + - middlewares-https-redirectscheme + - middlewares-secure-headers + - middlewares-authelia + - middlewares-compress diff --git a/traefik/middleware.yml b/traefik/middleware.yml index 3b3db06..2b263d0 100644 --- a/traefik/middleware.yml +++ b/traefik/middleware.yml @@ -1,5 +1,6 @@ http: middlewares: + redirect: redirectScheme: permanent: true 
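Review bot: Deleting `tls.options.default` from the static file removes `sniStrict: true` together with the cipher list, and the `traefik/tls-opts.yml` hunk later in this commit (which renames `tls-opts` to `default`) shows only `minVersion` and `cipherSuites` inside the hunk — its remaining lines are outside the diff, so whether `sniStrict` survives there cannot be seen. Without it, connections that present no or an unknown SNI are served the default certificate instead of being refused, which is what the original setting prevented; confirm `sniStrict: true` is present under `tls.options.default` in `traefik/tls-opts.yml`. Moving the block out of `traefik.yml` is otherwise right, since `tls.options` and `http.middlewares` are dynamic configuration and do not belong in the static file.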
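Review bot: In `chain-auth` the `middlewares-basic-auth` entry comes before `middlewares-https-redirectscheme`, so a request that reaches the chain over plain HTTP is answered with a 401 challenge before it is redirected, and the browser then sends the Basic credentials in clear text; `chain-no-auth` likewise has the redirect as its last step. Make `- middlewares-https-redirectscheme` the first item of every chain, as `chain-authelia` nearly does. The catch-all `redirecttohttps` router in `traefik/static_config.yml` masks this today, but the chains should not depend on it.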
@@ -14,41 +15,54 @@ http: headers: frameDeny: true # sslRedirect: true - accessControlAllowMethods: - - GET - - OPTIONS - - PUT - accessControlMaxAge: 100 - hostsProxyHeaders: - - "X-Forwarded-Host" - stsSeconds: 63072000 + browserXssFilter: true + contentTypeNosniff: true + forceSTSHeader: true stsIncludeSubdomains: true stsPreload: true - forceSTSHeader: true - # customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME_CLOUD_SERVER"}}" #CSP takes care of this but may be needed for organizr. + stsSeconds: 155520011 customFrameOptionsValue: SAMEORIGIN - contentTypeNosniff: true - browserXssFilter: true - # sslForceHost: true # add sslHost to all of the services - # sslHost: "{{env "DOMAINNAME_CLOUD_SERVER"}}" - referrerPolicy: "same-origin" - permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()" - customResponseHeaders: - X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," - server: "" - # https://community.traefik.io/t/how-to-make-websockets-work-with-traefik-2-0-setting-up-rancher/1732 - # X-Forwarded-Proto: "https" + referrerPolicy: no-referrer + auth: basicAuth: users: - "admin:$apr1$iQ9pYbK/$gOLcycC6KlzqpcfJidjQC0" - "simon:$apr1$y0b/lK3y$ixUTipKjte/2L9I5NWk7O0" + realm: "Traefik 2 Basic Auth" + localNetwork: ipWhiteList: sourceRange: - "127.0.0.1/32" - "10.0.0.1/8" + middlewares-https-redirectscheme: + redirectScheme: + scheme: https + permanent: true + + middlewares-basic-auth: + basicAuth: + users: + - "admin:$apr1$iQ9pYbK/$gOLcycC6KlzqpcfJidjQC0" + - "simon:$apr1$y0b/lK3y$ixUTipKjte/2L9I5NWk7O0" + # usersFile: "/run/secrets/htpasswd" #be sure to mount the volume through docker-compose.yml + realm: "Traefik 2 Basic Auth" + + middlewares-authelia: + forwardAuth: + address: "http://authelia:9091/api/verify?rd=https://authelia.milvert.com" + trustForwardHeader: true + authResponseHeaders: + - "Remote-User" + - "Remote-Groups" + + middlewares-rate-limit: + rateLimit: + average: 100 + burst: 50 + 
middlewares-compress: compress: {} @@ -60,3 +74,31 @@ http: memRequestBodyBytes: 2097152 memResponseBodyBytes: 2097152 retryExpression: "IsNetworkError() && Attempts() <= 2" + + + middlewares-secure-headers: + headers: + accessControlAllowMethods: + - GET + - OPTIONS + - PUT + accessControlMaxAge: 100 + hostsProxyHeaders: + - "X-Forwarded-Host" + stsSeconds: 63072000 + stsIncludeSubdomains: true + stsPreload: true + forceSTSHeader: true + # customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME_CLOUD_SERVER"}}" #CSP takes care of this but may be needed for organizr. + customFrameOptionsValue: "allow-from https://milvert.com" #CSP takes care of this but may be needed for organizr. + contentTypeNosniff: true + browserXssFilter: true + # sslForceHost: true # add sslHost to all of the services + # sslHost: "{{env "DOMAINNAME_CLOUD_SERVER"}}" + referrerPolicy: "same-origin" + permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()" + customResponseHeaders: + X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex," + server: "" + # https://community.traefik.io/t/how-to-make-websockets-work-with-traefik-2-0-setting-up-rancher/1732 + # X-Forwarded-Proto: "https" diff --git a/traefik/static_config.yml b/traefik/static_config.yml index 4f28554..9a03fe4 100644 --- a/traefik/static_config.yml +++ b/traefik/static_config.yml @@ -34,12 +34,12 @@ http: tls: certResolver: milvert_dns middlewares: - - auth + - chain-authelia redirecttohttps: rule: "HostRegexp(`{host:.+}`)" middlewares: - - httpsredirect + - middlewares-https-redirectscheme service: noop entryPoints: - web diff --git a/traefik/tls-opts.yml b/traefik/tls-opts.yml index df38411..500ae85 100644 --- a/traefik/tls-opts.yml +++ b/traefik/tls-opts.yml @@ -1,6 +1,6 @@ tls: options: - tls-opts: + default: minVersion: VersionTLS12 cipherSuites: - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 
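Review bot: `middlewares-authelia` — the middleware `chain-authelia` actually references — hard-codes `rd=https://authelia.milvert.com` and returns only `Remote-User`/`Remote-Groups`, while the `authelia` middleware defined through labels in `docker-compose.yml` in the same commit uses `${DOMAIN}`, a different endpoint (`/api/authz/forward-auth` versus `/api/verify`) and four response headers; which endpoint the floating `authelia/authelia:4` image supports depends on its minor version, so two diverging definitions are a trap when one is updated. Keep this one and drop the label copy; the file provider supports Go templating, so the domain can come from `address: 'http://authelia:9091/api/verify?rd=https://authelia.{{ env "DOMAIN" }}'` once `DOMAIN` is passed into the traefik container's `environment:`. The hunk also leaves the `apr1` htpasswd entries for `admin` and `simon` duplicated in `auth` and `middlewares-basic-auth`; the commented `usersFile: "/run/secrets/htpasswd"` is the better home for them, and bcrypt (`htpasswd -B`) should replace MD5-based `apr1` when they are regenerated. `stsSeconds: 155520011` in the `headers` middleware looks like a typo next to the `63072000` used in `middlewares-secure-headers`.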
diff --git a/zigbee2mqtt/configuration.yaml b/zigbee2mqtt/configuration.yaml
index 6192a1a..c2e3f90 100644
--- a/zigbee2mqtt/configuration.yaml
+++ b/zigbee2mqtt/configuration.yaml
@@ -85,8 +85,6 @@ devices:
 friendly_name: ute_short_strip
 '0x0017880108a0bc09':
 friendly_name: matrum_hörn
- '0xbc33acfffea767f3':
- friendly_name: '0xbc33acfffea767f3'
 '0x000b57fffe915dbf':
 friendly_name: billy_liten
 '0x0017880109c0930e':
diff --git a/zigbee_home_2/configuration_home_2.yaml b/zigbee_home_2/configuration_home_2.yaml
index 259e01d..8060e90 100644
--- a/zigbee_home_2/configuration_home_2.yaml
+++ b/zigbee_home_2/configuration_home_2.yaml
@@ -10,7 +10,7 @@ mqtt:
 version: 4
 client_id: zig2
 advanced:
- log_level: error
+ log_level: info
 pan_id: 6755
 network_key:
 - 252
@@ -81,8 +81,6 @@ devices:
 friendly_name: Vrum taklampa 4
 '0xec1bbdfffe9cd2ef':
 friendly_name: Vrum taklampa 5
- '0x847127fffebe9e0d':
- friendly_name: sensor/m003
 '0x00158d0006795697':
 friendly_name: sensor/inne/hall/th008
 '0x00158d000678e562':
@@ -131,9 +129,11 @@ devices:
 '0x1c34f1fffed1d1ea':
 friendly_name: mormor_malla_3
 '0x385b44fffe117342':
- friendly_name: 'Julgran '
+ friendly_name: Växtpump
 '0x040d84fffe8b00b0':
 friendly_name: matrum_fönster_2
+ '0x847127fffebe9e0d':
+ friendly_name: '0x847127fffebe9e0d'
 groups:
 '0':
 friendly_name: default_0