Authelia with Traefik (ATLAS): Authentication, Traffic, LDAP, Application Security
Introduction
This setup is a boilerplate for deploying Authelia behind Traefik, so that authentication and routing of web traffic are handled in one place instead of per application. It is meant to be cloned as-is and dropped into an existing deployment environment. Future iterations may incorporate LLDAP directly into this repository.
Installation
To get started with ATLAS, follow these steps:
- Clone this repository to your local machine.
- Integrate the cloned repository into your deployment by adjusting the environment variables as necessary.
- Once configured, applications can be protected in one of two ways: through OIDC, for applications that speak it themselves (such as Headscale), or through the Authelia forward-auth middleware attached to a Traefik router via Docker container labels, for applications that have no authentication of their own.
Usage
This project handles authentication through OIDC and works with Traefik to manage web traffic. After setup, each application is secured either by its own OIDC client registration in Authelia or by adding the Authelia middleware to its Traefik router; the deployment cases below show one of each.
Deployment Cases
Headplane (Headscale UI)
For deploying the Headscale UI, known as Headplane, apply the following labels in your Docker container configuration:
labels:
us.nixc.autodeploy: "true"
traefik.enable: "true"
traefik.http.routers.production-headscale_webui.tls: "true"
traefik.http.services.production-headscale_webui.loadbalancer.server.port: "3000"
traefik.http.routers.production-headscale_webui.rule: "Host(`headscale.nixc.us`) && PathPrefix(`/admin`)"
traefik.http.routers.production-headscale_webui.entrypoints: "websecure"
traefik.http.routers.production-headscale_webui.tls.certresolver: "letsencryptresolver"
traefik.http.routers.production-headscale_webui.service: "production-headscale_webui"
traefik.docker.network: "traefik"
Headscale (Server)
For deploying the Headscale server, use the following labels:
labels:
us.nixc.autodeploy: "true"
traefik.enable: "true"
traefik.http.routers.production-headscale_headscale.rule: "Host(`headscale.nixc.us`)"
traefik.http.routers.production-headscale_headscale.entrypoints: "websecure"
traefik.http.routers.production-headscale_headscale.tls: "true"
traefik.http.routers.production-headscale_headscale.tls.certresolver: "letsencryptresolver"
traefik.http.routers.production-headscale_headscale.service: "production-headscale_headscale"
traefik.http.services.production-headscale_headscale.loadbalancer.server.port: "8080"
traefik.docker.network: "traefik"
Generic Web Service
For a generic web service with no authentication of its own, such as TubeSync, configure it with these labels. The last label attaches the Authelia middleware to the router, so every request to the service is checked by Authelia before Traefik forwards it:
labels:
traefik.enable: "true"
traefik.http.routers.production_tubesync.tls: "true"
traefik.http.services.production_tubesync.loadbalancer.server.port: "4848"
traefik.http.routers.production_tubesync.rule: "Host(`tubesync.nixc.us`)"
traefik.http.routers.production_tubesync.entrypoints: "websecure"
traefik.http.routers.production_tubesync.tls.certresolver: "letsencryptresolver"
traefik.http.routers.production_tubesync.service: "production_tubesync"
traefik.docker.network: "traefik"
traefik.http.routers.production_tubesync.middlewares: "authelia_authelia@docker"
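The three label sets above differ in one security-relevant line: only the TubeSync router carries the Authelia middleware. That is deliberate for the Headscale server, whose clients authenticate through OIDC and must reach the API directly, but it is the kind of omission that is easy to make by accident when a new service is added. The following linter is an added example, not code from the ATLAS repository: it parses label blocks in the `key: "value"` form used in this README and reports every router on the `websecure` entrypoint whose middleware chain does not include the Authelia middleware, with an explicit allowlist for routers that are intentionally unauthenticated at the proxy. The sample label text is constructed from the three blocks above; the middleware name is the one this README uses.

```python
"""Lint Traefik Docker labels for routers that bypass the Authelia middleware.

Added example, not part of the ATLAS repository. Reports websecure routers
whose middleware chain lacks the Authelia forward-auth middleware, unless the
router is allowlisted (e.g. the Headscale API, which authenticates via OIDC).
"""
import re

AUTHELIA_MIDDLEWARE = "authelia_authelia@docker"  # name used in this README

# Constructed input: the router-relevant labels of the three deployment cases
# above, pasted into one text. Real input would be one container's labels.
SAMPLE_LABELS = """
labels:
traefik.enable: "true"
traefik.http.routers.production-headscale_webui.rule: "Host(`headscale.nixc.us`) && PathPrefix(`/admin`)"
traefik.http.routers.production-headscale_webui.entrypoints: "websecure"
traefik.http.routers.production-headscale_webui.service: "production-headscale_webui"
traefik.http.routers.production-headscale_headscale.rule: "Host(`headscale.nixc.us`)"
traefik.http.routers.production-headscale_headscale.entrypoints: "websecure"
traefik.http.routers.production_tubesync.rule: "Host(`tubesync.nixc.us`)"
traefik.http.routers.production_tubesync.entrypoints: "websecure"
traefik.http.routers.production_tubesync.middlewares: "authelia_authelia@docker"
"""

ROUTER_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")


def parse_labels(text):
    """Turn `key: "value"` lines into a dict; skips blanks, comments and `labels:`."""
    labels = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "labels:" or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")  # label keys never contain ':'
        if not sep:
            continue
        labels[key.strip()] = value.strip().strip('"')
    return labels


def routers(labels):
    """Group router labels by router name: {name: {option: value}}."""
    grouped = {}
    for key, value in labels.items():
        match = ROUTER_RE.match(key)
        if match:
            grouped.setdefault(match.group(1), {})[match.group(2)] = value
    return grouped


def unprotected_routers(labels, middleware=AUTHELIA_MIDDLEWARE, allowlist=frozenset()):
    """Sorted names of websecure routers whose chain lacks `middleware`.

    Routers in `allowlist` are skipped: they must be listed explicitly so the
    decision to expose a service without proxy authentication is reviewable.
    """
    findings = []
    for name, opts in sorted(routers(labels).items()):
        if name in allowlist:
            continue
        # Traefik accepts comma-separated lists for both options.
        entrypoints = [e.strip() for e in opts.get("entrypoints", "").split(",")]
        if "websecure" not in entrypoints:
            continue
        chain = [m.strip() for m in opts.get("middlewares", "").split(",") if m.strip()]
        if middleware not in chain:
            findings.append(name)
    return findings


if __name__ == "__main__":
    # The Headscale API is intentionally unauthenticated at the proxy (OIDC).
    allow = {"production-headscale_headscale"}
    for router in unprotected_routers(parse_labels(SAMPLE_LABELS), allowlist=allow):
        print(f"router {router!r} is on websecure without {AUTHELIA_MIDDLEWARE}")
```

Run against the three cases, the linter flags both Headscale routers; allowlisting the Headscale API leaves only the Headplane router, which is the one to make a conscious decision about: either the UI authenticates on its own, or it belongs behind the same middleware as TubeSync.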
Requirements
- Docker
- Authelia
- Gitea
- Woodpecker-CI
- Traefik
- Headscale (utilizes OIDC)
Reporting Issues & Feature Requests
If you encounter any issues or would like to suggest improvements, please feel free to reach out via email or Discord.
Acknowledgments
For information on the technologies used within this project, such as Authelia, Traefik, Gitea, Woodpecker-CI, and Headscale, please consult their respective project pages.
Generate Headscale client secret.
docker exec -it authelia authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
The command prints two values. The digest goes in the CLIENT_SECRET_HEADSCALE file, which Authelia reads as the client_secret of the Headscale OIDC client, and the random password (the plaintext) goes in the Headscale container's config.yml as oidc.client_secret. Authelia only ever stores the hash; keep the plaintext out of version control and readable only by the Headscale container.
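Because the two values look alike at a glance and a swap fails silently (Headscale simply never completes its OIDC login), it is worth scripting the split. The following is an added example, not code from the ATLAS repository: it parses the output of the command above, writes the digest to the secret file with owner-only permissions, and checks that the value destined for Authelia is a PBKDF2 digest while the value destined for Headscale is the plaintext. The sample output is constructed with made-up values; the `Random Password:` and `Digest:` line prefixes are assumed to match the current CLI and should be adjusted if your Authelia version prints them differently.

```python
"""Split `authelia crypto hash generate pbkdf2 --random` output into its two homes.

Added example, not part of the ATLAS repository. The digest belongs to
Authelia (CLIENT_SECRET_HEADSCALE), the plaintext to Headscale's config.yml.
Assumed output format: one `Random Password: <value>` line and one
`Digest: <value>` line.
"""
import os

# Constructed sample output; both values are made up for illustration.
SAMPLE_OUTPUT = """Random Password: aB3-dE5_gH7.jK9~mN1pQ2rS4tU6vW8xY0zA1bC2dE3fG4hI5jK6lM7nO8pQ9rS0tU1vW2xY
Digest: $pbkdf2-sha512$310000$QUJDREVGR0g$SGVsbG9Xb3JsZA
"""

DIGEST_PREFIX = "$pbkdf2-sha512$"  # prefix the command above produces
MIN_PLAINTEXT_LEN = 32              # the command asks for 72 characters


def parse_hash_output(text):
    """Return (plaintext, digest) from the CLI output, or raise if either is missing."""
    plaintext = digest = None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Random Password":
            plaintext = value
        elif key == "Digest":
            digest = value
    if not plaintext or not digest:
        raise ValueError("expected both 'Random Password:' and 'Digest:' lines")
    return plaintext, digest


def write_secret_file(path, value):
    """Write a secret as a 0600 file, without a trailing newline."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(value)


def check_pairing(authelia_client_secret, headscale_client_secret):
    """Problems with the two configured values; an empty list means they are paired correctly."""
    problems = []
    if not authelia_client_secret.startswith(DIGEST_PREFIX):
        problems.append("authelia: client_secret must be the digest, not the plaintext")
    if headscale_client_secret.startswith("$"):
        problems.append("headscale: oidc.client_secret must be the plaintext, not the digest")
    elif len(headscale_client_secret) < MIN_PLAINTEXT_LEN:
        problems.append("headscale: oidc.client_secret is shorter than the generated secret")
    return problems


if __name__ == "__main__":
    plaintext, digest = parse_hash_output(SAMPLE_OUTPUT)
    write_secret_file("CLIENT_SECRET_HEADSCALE", digest)
    print("oidc:\n  client_secret: " + plaintext)  # paste into headscale config.yml
    print("pairing problems:", check_pairing(digest, plaintext) or "none")
```

In a real run, replace SAMPLE_OUTPUT with the captured output of the docker exec command; the pairing check can also be run later against the two live configuration values to confirm nothing was transposed.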