Added authelia

.env

@@ -4,6 +4,8 @@ DIR=/srv/docker
 DOMAIN=milvert.com
 DOMAIN_PEEK=peekskog.se
 
+SECRETSDIR=/home/simon/repo/Docker/secrets
+
 CLOUDFLARE_IPS=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32
 LOCAL_IPS=127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
 

.gitignore

@@ -0,0 +1,3 @@
+librespeed/config/log/*
+**/[Ll]ogs
+**/[Ll]og

authelia/configuration.yml

@@ -0,0 +1,106 @@
+###############################################################
+#                   Authelia configuration                    #
+###############################################################
+
+server.host: 0.0.0.0
+server.port: 9091
+log:
+  level: info
+
+# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
+# I used this site to generate the secret: https://www.grc.com/passwords.htm
+#jwt_secret: SECRET_GOES_HERE # use docker secret file instead AUTHELIA_JWT_SECRET_FILE
+
+# https://docs.authelia.com/configuration/miscellaneous.html#default-redirection-url
+default_redirection_url: https://authelia.milvert.com
+
+totp:
+  issuer: authelia.com
+  period: 30
+  skew: 1
+
+# Enable the following for Duo Push Notification support
+# https://www.authelia.com/docs/features/2fa/push-notifications.html
+#duo_api:
+#  hostname: api-123456789.example.com
+#  integration_key: ABCDEF
+#  # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
+#  secret_key: # use docker secret file instead AUTHELIA_DUO_API_SECRET_KEY_FILE
+
+authentication_backend:
+  file:
+    path: /config/users_database.yml
+    # customize passwords based on https://docs.authelia.com/configuration/authentication/file.html
+    password:
+      algorithm: argon2id
+      iterations: 1
+      salt_length: 16
+      parallelism: 8
+      memory: 1024 # blocks this much of the RAM. Tune this.
+
+# https://docs.authelia.com/configuration/access-control.html
+access_control:
+  default_policy: deny
+  rules:
+    # Rules applied to everyone
+    - domain: authelia.milvert.com
+      policy: bypass
+#    - domain: radarr.example.com
+#      policy: bypass
+#      subject: "group:admins"
+#      resources:
+#      - "^/api/.*$"
+#    - domain: "*.example.com"
+#      policy: one_factor
+    - domain: "*.milvert.com"
+      policy: two_factor
+    - domain: "milvert.com"
+      policy: two_factor
+
+session:
+  name: authelia_session
+  # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
+  # Used a different secret, but the same site as jwt_secret above.
+  # secret: SECRET_GOES_HERE # use docker secret file instead AUTHELIA_SESSION_SECRET_FILE
+  expiration: 3600 # 1 hour
+  inactivity: 1800 # 30 min
+  domain: milvert.com # Should match whatever your root protected domain is
+
+# Optional. Can improve performance on a busy system. If not enabled, session info is stored in memory.
+#  redis:
+#    host: redis
+#    port: 6379
+    # This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
+    # password: authelia
+
+regulation:
+  max_retries: 3
+  find_time: 120
+  ban_time: 300
+
+storage:
+
+# For local storage, uncomment lines below and comment out mysql. https://docs.authelia.com/configuration/storage/sqlite.html
+#local:
+  #path: /config/db.sqlite3
+  postgres:
+  # MySQL allows running multiple authelia instances. Create database and enter details below.
+    host: postgres
+    port: 5432
+    database: authelia
+    username: authelia
+    # Password can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
+    # password: use docker secret file instead AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE
+
+notifier:
+  disable_startup_check: false
+  #smtp:
+    #username: SMTP_USERNAME
+    # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
+    # password: # use docker secret file instead AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
+    #host: SMTP_HOST
+    #port: 587 #465
+    #sender: SENDER_EMAIL
+  # For testing purpose, notifications can be sent in a file. Be sure map the volume in docker-compose.
+  filesystem:
+    filename: /tmp/authelia/notification.txt

authelia/users_database.yml

@@ -0,0 +1,8 @@
+users:
+  simon:
+    displayname: "Simon Milvert"
+    password: "$argon2id$v=19$m=65536,t=3,p=4$a/EFVtykPGlbBXR0bsS2xw$AfqJHwoJK+iEtvbsCR9l5kCDC3DviHpjRCxijyET1o8"
+    email: simon@milvert.com
+    groups:
+      - admins
+      - dev

docker-compose.database.yml

@@ -103,8 +103,8 @@ services:
     labels:
       - diun.enable=true
       - "traefik.enable=true"
-      - "traefik.http.middlewares.webpg-mid.ipwhitelist.sourcerange=127.0.0.1/32, 10.0.0.1/24"
+      #      - "traefik.http.middlewares.webpg-mid.ipwhitelist.sourcerange=127.0.0.1/32, 10.0.0.1/24"
-      - "traefik.http.routers.webpg-secure.middlewares=webpg-mid"
+      #- "traefik.http.routers.webpg-secure.middlewares=webpg-mid"
       - "traefik.http.routers.webpg-secure.entrypoints=web-secure"
       - "traefik.http.routers.webpg-secure.rule=Host(`webpg.${DOMAIN}`)"
       - "traefik.http.routers.webpg-secure.tls.certresolver=milvert_dns"

docker-compose.service.yml

@@ -11,7 +11,7 @@ services:
         max-file: "3"
     networks:
       - backend
-    image: koenkk/zigbee2mqtt:1.30.1
+    image: koenkk/zigbee2mqtt:1.30.4
     restart: always
     volumes:
       - ./zigbee_home_2:/app/data
@@ -29,7 +29,7 @@ services:
       - "traefik.http.routers.zighome-secure.entrypoints=web-secure"
       - "traefik.http.routers.zighome-secure.rule=Host(`zig2.${DOMAIN}`)"
       - "traefik.http.routers.zighome-secure.tls.certresolver=milvert_dns"
-      - "traefik.http.routers.zighome-secure.middlewares=auth@file"
+      - "traefik.http.routers.zighome-secure.middlewares=chain-authelia@file"
       - "traefik.http.routers.zighome-secure.tls=true"
 
   zigbee2mqtt:
@@ -41,7 +41,7 @@ services:
         max-file: "5"
     networks:
       - backend
-    image: koenkk/zigbee2mqtt:1.30.1
+    image: koenkk/zigbee2mqtt:1.30.4
     restart: always
     volumes:
       - ${DIR}/zigbee2matt:/app/data
@@ -60,7 +60,7 @@ services:
       - "traefik.http.routers.zig1-secure.entrypoints=web-secure"
       - "traefik.http.routers.zig1-secure.rule=Host(`zig1.${DOMAIN}`)"
       - "traefik.http.routers.zig1-secure.tls.certresolver=milvert_dns"
-      - "traefik.http.routers.zig1-secure.middlewares=auth@file"
+      - "traefik.http.routers.zig1-secure.middlewares=chain-authelia@file"
       - "traefik.http.routers.zig1-secure.tls=true"
 
   grafana:
@@ -84,6 +84,7 @@ services:
       - "traefik.enable=true"
       - "traefik.http.routers.grafana-secure.entrypoints=web-secure"
       - "traefik.http.routers.grafana-secure.rule=Host(`data.${DOMAIN}`)"
+      - "traefik.http.routers.grafana-secure.middlewares=chain-no-auth@file"
       - "traefik.http.routers.grafana-secure.tls.certresolver=milvert_dns"
       - "traefik.http.routers.grafana-secure.tls=true"
 
@@ -125,6 +126,7 @@ services:
       - "traefik.http.routers.influx-secure.entryPoints=web-secure"
       - "traefik.http.routers.influx-secure.tls.certresolver=milvert_dns"
       - "traefik.http.routers.influx-secure.tls=true"
+      - "traefik.http.routers.influx-secure.middlewares=chain-no-auth@file"
       #- "traefik.http.middlewares.webpg-mid.ipwhitelist.sourcerange=127.0.0.1/32, 10.0.0.1/24"
       # - "traefik.http.routers.influx-secure.middlewares=localNetwork@file"
 
@@ -188,6 +190,7 @@ services:
       - "traefik.http.routers.gitea-secure.rule=Host(`gitea.${DOMAIN}`)"
       - "traefik.http.routers.gitea-secure.tls.certresolver=milvert_dns"
       - "traefik.http.routers.gitea-secure.tls=true"
+      - "traefik.http.routers.gitea-secure.middlewares=chain-no-auth@file"
 
 
   mqtt:
@@ -300,7 +303,7 @@ services:
       - diun.enable=true
 
   pihole:
-    image: pihole/pihole:2023.02.1
+    image: pihole/pihole:2023.03.1
     container_name: pihole
     ports:
       - "53:53/tcp"
@@ -326,6 +329,8 @@ services:
       backend:
       backend_macvlan:
         ipv4_address: 10.0.0.201
+      pihole_net:
+        ipv4_address: 10.0.5.3
     labels:
       - diun.enable=true
       - "traefik.enable=true"
@@ -336,6 +341,7 @@ services:
       - "traefik.http.routers.pihole-secure.rule=Host(`pihole.${DOMAIN}`)"
       - "traefik.http.routers.pihole-secure.tls.certresolver=milvert_dns"
       - "traefik.http.routers.pihole-secure.tls=true"
+      - "traefik.http.routers.pihole-secure.middlewares=chain-no-auth@file"
 
 networks:
   frontend:
@@ -349,3 +355,8 @@ networks:
     ipam:
       config:
         - subnet: 10.0.0.200/27
+  pihole_net:
+    driver: bridge
+    ipam:
+      config:
+        - subnet: 10.0.5.0/29

docker-compose.web.yml

@@ -40,6 +40,8 @@ services:
       - "traefik.http.routers.whoami-secure.rule=Host(`whoami.${DOMAIN}`)"
       - "traefik.http.routers.whoami-secure.tls.certresolver=milvert_dns"
       - "traefik.http.routers.whoami-secure.tls=true"
+      #  - "traefik.http.routers.whoami-secure.middlewares=no-chain-auth@file"
+      - "traefik.http.routers.whoami-secure.middlewares=chain-authelia@file"
 
   ttrss:
     # A container that exposes an API to show its IP address

docker-compose.yml

@@ -1,4 +1,35 @@
-version: '3'
+version: "3.9"
+
+secrets:
+  authelia_jwt_secret:
+    file: $SECRETSDIR/authelia_jwt_secret
+  authelia_session_secret:
+    file: $SECRETSDIR/authelia_session_secret
+  authelia_storage_postgres_password:
+    file: $SECRETSDIR/authelia_storage_postgres_password
+  authelia_storage_encryption_key_file:
+    file: $SECRETSDIR/authelia_storage_encryption_key_file
+  authelia_notifier_smtp_password:
+    file: $SECRETSDIR/authelia_notifier_smtp_password
+  authelia_duo_api_secret_key:
+    file: $SECRETSDIR/authelia_duo_api_secret_key
+
+
+########################### EXTENSION FIELDS ##########################
+# Helps eliminate repetition of sections
+# More Info on how to use this: https://github.com/htpcBeginner/docker-traefik/pull/228
+#######################################################################
+x-environment: &default-tz-puid-pgid
+  - TZ=$TZ
+  - PUID=$PUID
+  - PGID=$PGID
+
+x-common-keys-monitoring: &common-keys-monitoring
+  networks:
+    - backend
+  security_opt:
+    - no-new-privileges:true
+  restart: always
 
 services:
 
@@ -29,20 +60,198 @@ services:
       # So that Traefik can listen to the Docker events
       - /var/run/docker.sock:/var/run/docker.sock
       - ./traefik.yml:/etc/traefik/traefik.yml
-      #- ./traefik:/rules
+      - ./traefik:/rules
       - ./static_config.yml:/etc/traefik/static_config.yml
         #      - "./log.json:/etc/traefik/log.json"
         #- ./acme.json:/acme.json
       - ./letsencrypt/acme.json:/letsencrypt/acme.json
       - ${DIR}/traefik/log:/log
     environment:
-      CF_API_EMAIL: simon@milvert.com
+      - CF_API_EMAIL=simon@milvert.com
-      CF_API_KEY:   48d9ae3752afb6e73d99d23c432ba8e38b24c
+      - CF_API_KEY=48d9ae3752afb6e73d99d23c432ba8e38b24c
+      - CLOUDFLARE_IPS
+      - LOCAL_IPS
     labels:
       - diun.enable=true
+      - "traefik.http.routers.zighome-secure.middlewares=chain-authelia@file"
     dns:
       - 8.8.8.8
 
+  authelia:
+    image: authelia/authelia:4
+    container_name: authelia
+    volumes:
+      - ./authelia:/config
+      - ./notify.txt:/tmp/authelia/notification.txt
+    networks:
+      - backend
+      - frontend
+    ports:
+      # The HTTP port
+      - "9091:9091"
+    environment:
+      - TZ=$TZ
+      - PUID=$PUID
+      - PGID=$PGID
+      - AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret
+      - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret
+      - AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE=/run/secrets/authelia_storage_postgres_password
+      #- AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password
+      - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key
+      - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/authelia_storage_encryption_key_file
+    labels:
+      - diun.enable=true
+      - "traefik.enable=true"
+      - "traefik.http.routers.authelia.entrypoints=web-secure"
+      - "traefik.http.routers.authelia.rule=Host(`authelia.${DOMAIN}`)"
+      - "traefik.http.services.authelia-service.loadbalancer.server.port=9091"
+      - "traefik.http.routers.authelia.tls.certresolver=milvert_dns"
+      - "traefik.http.routers.authelia.tls=true"
+      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth?authelia_url=https://authelia.${DOMAIN}"  # yamllint disable-line rule:line-length
+      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
+      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"  # yamllint disable-line rule:line-length
+    secrets:
+      - authelia_jwt_secret
+      - authelia_session_secret
+      - authelia_storage_postgres_password
+      - authelia_notifier_smtp_password
+      - authelia_duo_api_secret_key
+      - authelia_storage_encryption_key_file
+
+
+######################### DATABASE ############################
+#
+#  DATABASE
+#
+###############################################################
+
+  db:
+    image: mariadb:10.5.6
+    container_name: mariaDB
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "5m"
+        max-file: "3"
+    restart: always
+    networks:
+      - backend
+    volumes:
+      - ${DIR}/database:/var/lib/mysql:rw
+    ports:
+      - "3307:3306"
+    labels:
+      - diun.enable=true
+      - "traefik.enable=false"
+    environment:
+      - PUID=${UID}
+      - PGID=${GID}
+      - TZ=${TZ}
+      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
+      - MYSQL_USER=${MYSQL_USERNAME}
+      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
+
+  web_db:
+    image: adminer
+    container_name: adminer
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "5m"
+        max-file: "3"
+    restart: always
+    networks:
+      - backend
+    labels:
+      - diun.enable=true
+      - "traefik.enable=true"
+      - "traefik.http.middlewares.webdb-mid.ipwhitelist.sourcerange=127.0.0.1/32, 10.0.0.1/24"
+      - "traefik.http.routers.webdb-secure.middlewares=webdb-mid"
+      - "traefik.http.routers.webdb-secure.entrypoints=web-secure"
+      - "traefik.http.routers.webdb-secure.rule=Host(`webdb.${DOMAIN}`)"
+      - "traefik.http.routers.webdb-secure.tls.certresolver=milvert_dns"
+      - "traefik.http.routers.webdb-secure.tls=true"
+      - "traefik.http.services.webdb-service.loadbalancer.server.port=8080"
+    depends_on:
+      - db
+    environment:
+      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
+      - MYSQL_USER=${MYSQL_USERNAME}
+      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
+      - PMA_ARBITRARY=1
+
+  postgres:
+    image: postgres:15
+    container_name: postgres
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "5m"
+        max-file: "3"
+    restart: always
+    networks:
+      - backend
+    volumes:
+      - ${DIR}/database_pg/data:/var/lib/postgresql/data
+    labels:
+      - diun.enable=true
+      - "traefik.enable=false"
+    environment:
+      - PUID=${UID}
+      - PGID=${GID}
+      - TZ=${TZ}
+      - POSTGRES_USER=${POSTGRES_USER}
+      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+
+
+  pgadmin:
+    container_name: pgadmin_container
+    image: dpage/pgadmin4
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "5m"
+        max-file: "3"
+    environment:
+      PUID: ${UID}
+      PGID: ${GID}
+      TZ: ${TZ}
+      PGADMIN_DEFAULT_EMAIL: ${PGADMIN_DEFAULT_EMAIL}
+      PGADMIN_DEFAULT_PASSWORD: ${PGADMIN_DEFAULT_PASSWORD}
+    volumes:
+      - ${DIR}/database_pg/pgadmin:/root/.pgadmin
+    networks:
+      - backend
+    restart: unless-stopped
+    depends_on:
+      - postgres
+    labels:
+      - diun.enable=true
+      - "traefik.enable=true"
+      #- "traefik.http.middlewares.webpg-mid.ipwhitelist.sourcerange=127.0.0.1/32, 10.0.0.1/24"
+      # # # - "traefik.http.routers.webpg-secure.middlewares=webpg-mid"
+      - "traefik.http.routers.webpg-secure.entrypoints=web-secure"
+      - "traefik.http.routers.webpg-secure.rule=Host(`webpg.${DOMAIN}`)"
+      - "traefik.http.routers.webpg-secure.tls.certresolver=milvert_dns"
+      - "traefik.http.routers.webpg-secure.tls=true"
+      #- "traefik.http.services.webpg-service.loadbalancer.server.port=8080"
+
+  redis:
+    image: redis:7.0-alpine
+    container_name: redis
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "5m"
+        max-file: "3"
+    restart: always
+    networks:
+      - backend
+    volumes:
+        - ${DIR}/redis:/var/lib/redis
+        #entrypoint: redis-server --appendonly yes --requirepass $REDIS_PASSWORD --maxmemory 512mb --maxmemory-policy allkeys-lru
+    labels:
+      - diun.enable=true
 networks:
   frontend:
     external: true

traefik.yml

@@ -7,11 +7,12 @@ providers:
     exposedbydefault: false
 
   file:
-    filename: "/etc/traefik/static_config.yml"
+    # filename: "/etc/traefik/static_config.yml"
+    directory: /rules
     watch: true
 
 log:
-  level: error
+  level: info
   #filePath: "/log/info.log"
   #  format: json
 
@@ -59,22 +60,19 @@ certificatesResolvers:
           - "1.1.1.1:53"
           - "8.8.8.8:53"
 
-http:
-  middlewares:
-    redirect:
-      redirectScheme:
-        scheme: https
-    whitelist:
-      ipWhiteList:
-        sourceRange:
-          - "127.0.0.1/32"
-          - "10.0.0.1/32"
 
 entryPoints:
   web:
    address: ":80"
+   forwardedHeaders:
+      trustedIPs: [ 173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32,127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12]
   web-secure:
    address: ":443"
+   forwardedHeaders:
+      trustedIPs: [ 173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32,127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12]
+   proxyProtocol:
+      trustedIPs: [ 173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32,127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12]
+      
   influx:
    address: ":8086"
   mqtt_http:
@@ -85,15 +83,3 @@ entryPoints:
    address: ":8883"
 
 
-tls:
-  options:
-    default:
-      minVersion: VersionTLS12
-      sniStrict : true
-      cipherSuites:
-        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
-        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

traefik/middleware-chains.yml

@@ -0,0 +1,27 @@
+http:
+  middlewares:
+    chain-no-auth:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-compress
+          - middlewares-secure-headers
+          - middlewares-https-redirectscheme
+
+    chain-auth:
+      chain:
+        middlewares:
+          - middlewares-basic-auth
+          - middlewares-rate-limit
+          - middlewares-compress
+          - middlewares-secure-headers
+          - middlewares-https-redirectscheme
+
+    chain-authelia:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-https-redirectscheme
+          - middlewares-secure-headers
+          - middlewares-authelia
+          - middlewares-compress

traefik/middleware.yml

@@ -1,5 +1,6 @@
 http:
   middlewares:
+
     redirect:
       redirectScheme:
         permanent: true
@@ -14,41 +15,54 @@ http:
       headers:
         frameDeny: true
         #  sslRedirect: true
-       accessControlAllowMethods:
+        browserXssFilter: true
-          - GET
+        contentTypeNosniff: true
-          - OPTIONS
+        forceSTSHeader: true
-          - PUT
-        accessControlMaxAge: 100
-        hostsProxyHeaders:
-          - "X-Forwarded-Host"
-        stsSeconds: 63072000
         stsIncludeSubdomains: true
         stsPreload: true
-        forceSTSHeader: true
+        stsSeconds: 155520011
-        # customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME_CLOUD_SERVER"}}" #CSP takes care of this but may be needed for organizr.
         customFrameOptionsValue: SAMEORIGIN
-        contentTypeNosniff: true
+        referrerPolicy: no-referrer
-        browserXssFilter: true
+
-        # sslForceHost: true # add sslHost to all of the services
-        # sslHost: "{{env "DOMAINNAME_CLOUD_SERVER"}}"
-        referrerPolicy: "same-origin"
-        permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()"
-        customResponseHeaders:
-          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
-          server: ""
-          # https://community.traefik.io/t/how-to-make-websockets-work-with-traefik-2-0-setting-up-rancher/1732
-          # X-Forwarded-Proto: "https"
     auth:
       basicAuth:
         users:
           - "admin:$apr1$iQ9pYbK/$gOLcycC6KlzqpcfJidjQC0"
           - "simon:$apr1$y0b/lK3y$ixUTipKjte/2L9I5NWk7O0"
+        realm: "Traefik 2 Basic Auth"
+
     localNetwork:
       ipWhiteList:
         sourceRange:
           - "127.0.0.1/32"
           - "10.0.0.1/8"
 
+    middlewares-https-redirectscheme:
+      redirectScheme:
+        scheme: https
+        permanent: true
+
+    middlewares-basic-auth:
+      basicAuth:
+        users:
+          - "admin:$apr1$iQ9pYbK/$gOLcycC6KlzqpcfJidjQC0"
+          - "simon:$apr1$y0b/lK3y$ixUTipKjte/2L9I5NWk7O0"
+          # usersFile: "/run/secrets/htpasswd" #be sure to mount the volume through docker-compose.yml
+        realm: "Traefik 2 Basic Auth"
+
+    middlewares-authelia:
+      forwardAuth:
+        address: "http://authelia:9091/api/verify?rd=https://authelia.milvert.com"
+        trustForwardHeader: true
+        authResponseHeaders:
+          - "Remote-User"
+          - "Remote-Groups"
+
+    middlewares-rate-limit:
+      rateLimit:
+        average: 100
+        burst: 50
+
     middlewares-compress:
       compress: {}
 
@@ -60,3 +74,31 @@ http:
         memRequestBodyBytes: 2097152
         memResponseBodyBytes: 2097152
         retryExpression: "IsNetworkError() && Attempts() <= 2"
+
+
+    middlewares-secure-headers:
+      headers:
+        accessControlAllowMethods:
+          - GET
+          - OPTIONS
+          - PUT
+        accessControlMaxAge: 100
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"
+        stsSeconds: 63072000
+        stsIncludeSubdomains: true
+        stsPreload: true
+        forceSTSHeader: true
+        # customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME_CLOUD_SERVER"}}" #CSP takes care of this but may be needed for organizr.
+        customFrameOptionsValue: "allow-from https://milvert.com" #CSP takes care of this but may be needed for organizr.
+        contentTypeNosniff: true
+        browserXssFilter: true
+        # sslForceHost: true # add sslHost to all of the services
+        # sslHost: "{{env "DOMAINNAME_CLOUD_SERVER"}}"
+        referrerPolicy: "same-origin"
+        permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()"
+        customResponseHeaders:
+          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
+          server: ""
+          # https://community.traefik.io/t/how-to-make-websockets-work-with-traefik-2-0-setting-up-rancher/1732
+          # X-Forwarded-Proto: "https"

traefik/static_config.yml

@@ -34,12 +34,12 @@ http:
       tls:
        certResolver: milvert_dns
       middlewares:
-        - auth
+        - chain-authelia
 
     redirecttohttps:
       rule: "HostRegexp(`{host:.+}`)"
       middlewares:
-        - httpsredirect
+        - middlewares-https-redirectscheme
       service: noop
       entryPoints:
          - web

traefik/tls-opts.yml

@@ -1,6 +1,6 @@
 tls:
   options:
-    tls-opts:
+    default:
       minVersion: VersionTLS12
       cipherSuites:
         - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

zigbee2mqtt/configuration.yaml

@@ -85,8 +85,6 @@ devices:
     friendly_name: ute_short_strip
   '0x0017880108a0bc09':
     friendly_name: matrum_hörn
-  '0xbc33acfffea767f3':
-    friendly_name: '0xbc33acfffea767f3'
   '0x000b57fffe915dbf':
     friendly_name: billy_liten
   '0x0017880109c0930e':

zigbee_home_2/configuration_home_2.yaml

@@ -10,7 +10,7 @@ mqtt:
   version: 4
   client_id: zig2
 advanced:
-  log_level: error
+  log_level: info
   pan_id: 6755
   network_key:
     - 252
@@ -81,8 +81,6 @@ devices:
     friendly_name: Vrum taklampa 4
   '0xec1bbdfffe9cd2ef':
     friendly_name: Vrum taklampa 5
-  '0x847127fffebe9e0d':
-    friendly_name: sensor/m003
   '0x00158d0006795697':
     friendly_name: sensor/inne/hall/th008
   '0x00158d000678e562':
@@ -131,9 +129,11 @@ devices:
   '0x1c34f1fffed1d1ea':
     friendly_name: mormor_malla_3
   '0x385b44fffe117342':
-    friendly_name: 'Julgran '
+    friendly_name: Växtpump
   '0x040d84fffe8b00b0':
     friendly_name: matrum_fönster_2
+  '0x847127fffebe9e0d':
+    friendly_name: '0x847127fffebe9e0d'
 groups:
   '0':
     friendly_name: default_0