From 2fadb08c727e231627a8d237b63edcacb8367726 Mon Sep 17 00:00:00 2001 From: aki Date: Sat, 26 Apr 2025 01:32:13 +0800 Subject: [PATCH] feat(auth): Add additional service authentication settings in .env.example and update docker-compose.yml for conditional middlewares
---
 .env.example | 16 ++++++++++++ docker-compose.yml | 62 ++++++++++++++++------------------------------ 2 files changed, 38 insertions(+), 40 deletions(-)
diff --git a/.env.example b/.env.example
index b9d30f2..78c0e23 100644
--- a/.env.example
+++ b/.env.example
@@ -14,6 +14,22 @@ GROUP_ID=1000
 # Your local timezone (e.g., America/New_York, Europe/London, Asia/Manila). See: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
 TIMEZONE="America/New_York"
+# --- Authentication Settings ---
+# Control which services require Authelia authentication (true/false)
+# Set to 'false' to disable authentication for specific services
+AUTH_SONARR=true
+AUTH_RADARR=true
+AUTH_BAZARR=true
+AUTH_PROWLARR=true
+AUTH_JELLYSEERR=true
+AUTH_QBITTORRENT=true
+AUTH_LIDARR=true
+AUTH_JELLYFIN=false
+AUTH_HOMEPAGE=true
+AUTH_FLARESOLVERR=true
+AUTH_SABNZBD=true
+AUTH_CALIBRE=true
+
 # --- Host Paths ---
 # Base directory on host for storing service configuration files. '.' stores them in subdirectories within the project folder.
 CONFIG_ROOT="."
diff --git a/docker-compose.yml b/docker-compose.yml
index 0929679..993798c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
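Review bot: `.env.example` now advertises twelve AUTH_* toggles, but in this patch only the sonarr, radarr and bazarr routers consume them; the qbittorrent, sabnzbd and homepage routers touched later in the same diff still hardcode `authelia-auth@docker`, so `AUTH_SABNZBD=false` (and the prowlarr, jellyseerr, lidarr, jellyfin, flaresolverr and calibre flags, whose routers are not in this diff) has no visible effect. Either wire those routers the same way or state in the comment which services honor the flag, so an operator does not believe a service is protected, or unprotected, when it is not. The example also ships `AUTH_JELLYFIN=false`, and the tailscale command block later in this patch runs `tailscale funnel --bg http://localhost:80` when ENABLE_FUNNEL_HTTPS=true, which publishes the same Traefik entrypoint to the internet, so a `false` here is public, unauthenticated exposure rather than a tailnet-only convenience. I would add `# Only the literal values true/false are valid (anything else leaves the router pointing at a middleware that does not exist). With ENABLE_FUNNEL_HTTPS=true, a service set to false is reachable from the public internet without Authelia.`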
@@ -13,14 +13,11 @@ services:
 - --experimental.plugins.rewrite-body.version=v1.2.0
 - --experimental.plugins.rewriteHeaders.modulename=github.com/XciD/traefik-plugin-rewrite-headers
 - --experimental.plugins.rewriteHeaders.version=v0.0.3
- network_mode: service:tailscale # Add this line
- # ports: # Remove this section
- # - "80:80"
- # - "443:443"
+ - --providers.docker.network=docker-compose-nas
+ - --providers.docker.endpoint=unix:///var/run/docker.sock
+ network_mode: service:tailscale
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock:ro
- # extra_hosts: # Remove this section
- # - host.docker.internal:172.17.0.1
 healthcheck:
 test: ["CMD", "traefik", "healthcheck", "--ping"]
 interval: 30s
@@ -31,11 +28,11 @@ services:
 restart: always
 environment:
 - REDIS_PASSWORD=${AUTHELIA_REDIS_PASSWORD}
- command: ["redis-server", "--requirepass", "${AUTHELIA_REDIS_PASSWORD}"] # Use actual password variable
+ command: ["redis-server", "--requirepass", "${AUTHELIA_REDIS_PASSWORD}"]
 volumes:
 - ${CONFIG_ROOT:-.}/redis:/data:Z
 healthcheck:
- test: ["CMD", "redis-cli", "-a", "${AUTHELIA_REDIS_PASSWORD}", "ping"] # Use actual password variable
+ test: ["CMD", "redis-cli", "-a", "${AUTHELIA_REDIS_PASSWORD}", "ping"]
 interval: 5s
 timeout: 3s
 retries: 5
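Review bot: The new `--providers.docker.endpoint=unix:///var/run/docker.sock` line points Traefik at the host Docker socket that the volumes block mounts `:ro`; the read-only flag only prevents the socket file from being replaced, it does not restrict the Docker API, so this process (which also loads two experimental third-party plugins) is root-equivalent on the host if compromised. Consider fronting the socket with a filtering proxy that permits only the read-only container and event endpoints and pointing the provider at it, e.g. `--providers.docker.endpoint=tcp://docker-socket-proxy:2375`. Separately, because Traefik runs with `network_mode: service:tailscale` it has no network attachments of its own, so `--providers.docker.network=docker-compose-nas` only helps if the tailscale service is joined to that network; its `networks:` block is outside this hunk, so worth confirming. The enclosing `command:` list starts above the hunk.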
@@ -47,27 +44,21 @@ services:
 volumes:
 - ${CONFIG_ROOT:-.}/authelia:/config:Z
 environment:
- # Core secrets
 - AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
 - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
 - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY}
 - AUTHELIA_SESSION_REDIS_PASSWORD=${AUTHELIA_REDIS_PASSWORD}
- # Only environment variable needed for identity validation
 - AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET=${AUTHELIA_JWT_SECRET}
- # Timezone
 - TZ=${TIMEZONE}
 labels:
 - traefik.enable=true
- # Rule for Authelia portal itself (handles internal paths like /api, /logout etc.)
 - traefik.http.routers.authelia.rule=PathPrefix(`/`)
 - traefik.http.routers.authelia.entrypoints=web
- - traefik.http.routers.authelia.priority=100 # High priority to catch root path
+ - traefik.http.routers.authelia.priority=100
 - traefik.http.services.authelia.loadbalancer.server.port=9091
- # Define the forwardAuth middleware
 - traefik.http.middlewares.authelia-auth.forwardAuth.address=http://authelia:9091/api/verify?rd=https://${APP_HOSTNAME}/
 - traefik.http.middlewares.authelia-auth.forwardAuth.trustForwardHeader=true
 - traefik.http.middlewares.authelia-auth.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
- # Homepage labels for Authelia itself
 - homepage.group=Security
 - homepage.name=Authelia
 - homepage.icon=authelia.png
@@ -92,8 +83,11 @@ services:
 - traefik.enable=true
 - traefik.http.routers.sonarr.rule=PathPrefix(`/sonarr`)
 - traefik.http.routers.sonarr.entrypoints=web
- - traefik.http.routers.sonarr.middlewares=authelia-auth@docker
+ - traefik.http.routers.sonarr.middlewares=${AUTH_SONARR:-true}
 - traefik.http.services.sonarr.loadbalancer.server.port=8989
+ # Add conditional middlewares
+ - traefik.http.middlewares.true.chain.middlewares=authelia-auth@docker
+ - traefik.http.middlewares.false.chain.middlewares=
 - homepage.group=Media
 - homepage.name=Sonarr
 - homepage.icon=sonarr.png
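Review bot: The added `traefik.http.middlewares.false.chain.middlewares=` defines a chain with an empty middleware list, and it is not obvious that Traefik's label parser accepts that as a pass-through rather than rejecting the middleware; please verify, because if it is rejected then `AUTH_SONARR=false` takes the router down instead of removing auth. Any value other than the literal `true`/`false` makes `${AUTH_SONARR:-true}` reference a middleware that does not exist, which Traefik should treat as a router error (fail-closed) — the right default, but it deserves a comment next to the label. Naming middlewares `true` and `false` also reads like a typo to the next maintainer; compose interpolation allows a prefix, so `traefik.http.routers.sonarr.middlewares=authelia-${AUTH_SONARR:-true}` with chains named `authelia-true` and `authelia-false` keeps the same .env contract and is self-describing. These two chains are global Traefik objects and would be better declared once on the authelia service, next to `authelia-auth`, than on a media container.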
@@ -122,7 +116,7 @@ services:
 - traefik.enable=true
 - traefik.http.routers.radarr.rule=PathPrefix(`/radarr`)
 - traefik.http.routers.radarr.entrypoints=web
- - traefik.http.routers.radarr.middlewares=authelia-auth@docker
+ - traefik.http.routers.radarr.middlewares=${AUTH_RADARR:-true}
 - traefik.http.services.radarr.loadbalancer.server.port=7878
 - homepage.group=Media
 - homepage.name=Radarr
@@ -184,7 +178,7 @@ services:
 - traefik.enable=true
 - traefik.http.routers.bazarr.rule=PathPrefix(`/bazarr`)
 - traefik.http.routers.bazarr.entrypoints=web
- - traefik.http.routers.bazarr.middlewares=authelia-auth@docker
+ - traefik.http.routers.bazarr.middlewares=${AUTH_BAZARR:-true}
 - traefik.http.services.bazarr.loadbalancer.server.port=6767
 - homepage.group=Download
 - homepage.name=Bazarr
@@ -335,8 +329,6 @@ services:
 - ${DOWNLOAD_ROOT}:/data/torrents:Z
 restart: always
 healthcheck:
- # Container may fail if the PIA's token expired, so mark as unhealthy when there is no internet connection
- # see: https://github.com/qdm12/gluetun/issues/641#issuecomment-933856220
 test: ["CMD", "curl", "--fail", "http://127.0.0.1:8080", "https://google.com"]
 interval: 30s
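Review bot: The radarr and bazarr routers now resolve `${AUTH_RADARR:-true}` / `${AUTH_BAZARR:-true}` to middlewares named `true`/`false` that, in this patch, exist only as labels on the sonarr container. Traefik's Docker provider drops a container's labels when it stops, so stopping or removing sonarr removes the chain these routers depend on and takes radarr and bazarr offline with a middleware-not-found error; that is fail-closed, but it is a hidden cross-service dependency that nothing in the compose file documents. Move the two chain definitions onto the authelia service (which already declares `authelia-auth`) or into a Traefik file provider so each router depends only on the auth service.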
@@ -347,13 +339,10 @@ services:
 - traefik.http.routers.qbittorrent.entrypoints=web
 - traefik.http.services.qbittorrent.loadbalancer.server.port=8080
 - traefik.http.routers.qbittorrent.middlewares=qbittorrent-strip-slash,qbittorrent-stripprefix,authelia-auth@docker
- # https://github.com/qbittorrent/qBittorrent/issues/5693#issuecomment-552146296
 - traefik.http.middlewares.qbittorrent-stripprefix.stripPrefix.prefixes=/qbittorrent
- # https://community.traefik.io/t/middleware-to-add-the-if-needed/1895/19
 - traefik.http.middlewares.qbittorrent-strip-slash.redirectregex.regex=(^.*\/qbittorrent$$)
 - traefik.http.middlewares.qbittorrent-strip-slash.redirectregex.replacement=$$1/
 - traefik.http.middlewares.qbittorrent-strip-slash.redirectregex.permanent=false
- #- com.centurylinklabs.watchtower.depends-on=/vpn
 - homepage.group=Download
 - homepage.name=qBittorrent
 - homepage.icon=qbittorrent.png
@@ -392,7 +381,7 @@ services:
 restart: always
 labels:
 - traefik.enable=true
- - traefik.http.routers.sabnzbd.rule=PathPrefix(`/sabnzbd`) # Simplified rule
+ - traefik.http.routers.sabnzbd.rule=PathPrefix(`/sabnzbd`)
 - traefik.http.routers.sabnzbd.entrypoints=web
 - traefik.http.routers.sabnzbd.middlewares=authelia-auth@docker
 - traefik.http.services.sabnzbd.loadbalancer.server.port=8080
@@ -523,7 +512,6 @@ services:
 - HOMEPAGE_VAR_WEATHER_LONG=${HOMEPAGE_VAR_WEATHER_LONG}
 - HOMEPAGE_VAR_WEATHER_TIME=${TIMEZONE}
 - HOMEPAGE_VAR_WEATHER_UNIT=${HOMEPAGE_VAR_WEATHER_UNIT}
- # Explicitly allow the hostname constructed from Tailscale variables
 - HOMEPAGE_ALLOWED_HOSTS=${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}
 volumes:
 - ${CONFIG_ROOT:-.}/homepage:/app/config:Z
@@ -534,17 +522,15 @@ services:
 [sh, -c, "cp -n /app/config/tpl/*.yaml /app/config && node server.js"]
 labels:
 - traefik.enable=true
- # Rule for homepage, now at /home, needs auth
 - traefik.http.routers.homepage.rule=PathPrefix(`/home`)
 - traefik.http.routers.homepage.entrypoints=web
- - traefik.http.routers.homepage.priority=10 # Lower priority than Authelia's root rule
+ - traefik.http.routers.homepage.priority=10
 - traefik.http.middlewares.homepage-stripprefix.stripPrefix.prefixes=/home
 - traefik.http.routers.homepage.middlewares=homepage-stripprefix,authelia-auth@docker
- # Homepage's own labels for discovery (unchanged)
 - homepage.group=Dashboard
 - homepage.name=Homepage
 - homepage.icon=homepage.png
- - homepage.href=/home # Update link to new path
+ - homepage.href=/home
 - homepage.description=Service Dashboard
 watchtower:
 image: ghcr.io/containrrr/watchtower:latest
@@ -565,23 +551,22 @@ services:
 tailscale:
 image: tailscale/tailscale:latest
 container_name: tailscale
- hostname: ${TAILSCALE_HOSTNAME:-tailscale-nas} # Hostname for Tailscale access
+ hostname: ${TAILSCALE_HOSTNAME:-tailscale-nas}
 environment:
- TS_AUTHKEY: ${TAILSCALE_AUTHKEY} # Needs to be set in .env
- TS_EXTRA_ARGS: "--advertise-tags=${TAILSCALE_TAGS:-tag:nas}" # Keep tags if desired
+ TS_AUTHKEY: ${TAILSCALE_AUTHKEY}
+ TS_EXTRA_ARGS: "--advertise-tags=${TAILSCALE_TAGS:-tag:nas}"
 TS_STATE_DIR: "/var/lib/tailscale"
 TS_USERSPACE: "false"
- # Switch to enable Funnel (public access) or Serve (Tailnet only)
 ENABLE_FUNNEL_HTTPS: ${ENABLE_FUNNEL_HTTPS:-false}
 volumes:
- - ${CONFIG_ROOT:-.}/tailscale/state:/var/lib/tailscale:Z # Persist state
- - /var/run/docker.sock:/var/run/docker.sock # Optional, keep if needed
+ - ${CONFIG_ROOT:-.}/tailscale/state:/var/lib/tailscale:Z
+ - /var/run/docker.sock:/var/run/docker.sock
 devices:
 - /dev/net/tun:/dev/net/tun
 cap_add:
 - NET_ADMIN
 - NET_RAW
- extra_hosts: # Add this section
+ extra_hosts:
 - host.docker.internal:172.17.0.1
 restart: always
 command:
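Review bot: The `/var/run/docker.sock:/var/run/docker.sock` mount on the tailscale service is kept read-write while this hunk deletes the `# Optional, keep if needed` note that marked it as removable. Nothing in the visible `command:` script (which continues below the hunk) touches the Docker API, and this is the container that holds NET_ADMIN/NET_RAW and becomes the public ingress when ENABLE_FUNNEL_HTTPS=true, so an unneeded host-socket mount here is root-equivalent exposure on the edge. Drop the line, or if something does rely on it, keep a comment stating what and route it through a filtering socket proxy instead of the raw socket.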
@@ -605,8 +590,6 @@ services:
 done
 echo " Tailscaled is running."
- # --- Start Tailscale Funnel/Serve ---
- # Check the ENABLE_FUNNEL_HTTPS variable
 if [ "${ENABLE_FUNNEL_HTTPS}" = "true" ]; then
 echo "ENABLE_FUNNEL_HTTPS is true. Setting up Funnel -> http://localhost:80..."
 tailscale funnel --bg http://localhost:80
@@ -616,10 +599,9 @@ services:
 tailscale serve --bg http://localhost:80
 echo "Tailscale Serve configured."
 fi
- # --- End Tailscale Funnel/Serve ---
 echo "Tailscale forwarding configured. Container will remain running."
- wait # Wait indefinitely for background processes
+ wait
 networks:
 default: