feat!: Add Authelia for authentication and Redis for session storage

- Introduced Redis service for session management with health checks. - Added Authelia service for user authentication with necessary environment variables. - Configured Traefik to use Authelia as middleware for various services. - Created Authelia configuration file with session, storage, and access control settings. - Added user database for Authelia with an example admin user.
2025-04-25 17:33:09 +08:00
parent cf78372b71
commit 8a52e6894f
5 changed files with 438 additions and 180 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -25,6 +25,51 @@ services:
      test: ["CMD", "traefik", "healthcheck", "--ping"]
      interval: 30s
      retries: 10
+  redis:
+    image: redis:alpine
+    container_name: redis
+    restart: always
+    environment:
+      - REDIS_PASSWORD=${AUTHELIA_REDIS_PASSWORD}
+    command: ["redis-server", "--requirepass", "$$REDIS_PASSWORD"] # Use $$ to escape $ for compose
+    volumes:
+      - ${CONFIG_ROOT:-.}/redis:/data:Z
+    healthcheck:
+      test: ["CMD", "redis-cli", "-a", "$$REDIS_PASSWORD", "ping"] # Use $$ to escape $ for compose
+      interval: 5s
+      timeout: 3s
+      retries: 5
+  authelia:
+    image: authelia/authelia:latest
+    container_name: authelia
+    restart: always
+    volumes:
+      - ${CONFIG_ROOT:-.}/authelia:/config:Z
+    environment:
+      - AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
+      - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
+      - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY}
+      - AUTHELIA_REDIS_PASSWORD=${AUTHELIA_REDIS_PASSWORD}
+      - AUTHELIA_SESSION_DOMAIN=${AUTHELIA_SESSION_DOMAIN}
+      - AUTHELIA_DEFAULT_REDIRECT_URL=${AUTHELIA_DEFAULT_REDIRECT_URL}
+      - TZ=${TIMEZONE}
+    labels:
+      - traefik.enable=true
+      # Rule for Authelia portal itself (handles internal paths like /api, /logout etc.)
+      - traefik.http.routers.authelia.rule=Host(`${HOSTNAME}`)
+      - traefik.http.routers.authelia.entrypoints=web
+      - traefik.http.routers.authelia.priority=100 # High priority to catch root path
+      - traefik.http.services.authelia.loadbalancer.server.port=9091
+      # Define the forwardAuth middleware
+      - traefik.http.middlewares.authelia-auth.forwardAuth.address=http://authelia:9091/api/verify?rd=https://${HOSTNAME}/
+      - traefik.http.middlewares.authelia-auth.forwardAuth.trustForwardHeader=true
+      - traefik.http.middlewares.authelia-auth.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
+      # Homepage labels for Authelia itself (optional, but can be nice)
+      - homepage.group=Security
+      - homepage.name=Authelia
+      - homepage.icon=authelia.png # You might need to add this icon
+      - homepage.href=https://${HOSTNAME}/ # Link to the login portal
+      - homepage.description=Authentication Portal
  sonarr:
    image: lscr.io/linuxserver/sonarr
    container_name: sonarr
@@ -44,6 +89,7 @@ services:
      - traefik.enable=true
      - traefik.http.routers.sonarr.rule=PathPrefix(`/sonarr`)
      - traefik.http.routers.sonarr.entrypoints=web
+      - traefik.http.routers.sonarr.middlewares=authelia-auth@docker
      - traefik.http.services.sonarr.loadbalancer.server.port=8989
      - homepage.group=Media
      - homepage.name=Sonarr
@@ -73,6 +119,7 @@ services:
      - traefik.enable=true
      - traefik.http.routers.radarr.rule=PathPrefix(`/radarr`)
      - traefik.http.routers.radarr.entrypoints=web
+      - traefik.http.routers.radarr.middlewares=authelia-auth@docker
      - traefik.http.services.radarr.loadbalancer.server.port=7878
      - homepage.group=Media
      - homepage.name=Radarr
@@ -102,6 +149,7 @@ services:
      - traefik.enable=true
      - traefik.http.routers.lidarr.rule=PathPrefix(`/lidarr`)
      - traefik.http.routers.lidarr.entrypoints=web
+      - traefik.http.routers.lidarr.middlewares=authelia-auth@docker
      - traefik.http.services.lidarr.loadbalancer.server.port=8686
      - homepage.group=Media
      - homepage.name=Lidarr
@@ -131,8 +179,9 @@ services:
      retries: 10
    labels:
      - traefik.enable=true
-      - traefik.http.routers.bazarr.rule=Host(`${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}`) && PathPrefix(`/bazarr`)
+      - traefik.http.routers.bazarr.rule=PathPrefix(`/bazarr`)
      - traefik.http.routers.bazarr.entrypoints=web
+      - traefik.http.routers.bazarr.middlewares=authelia-auth@docker
      - traefik.http.services.bazarr.loadbalancer.server.port=6767
      - homepage.group=Download
      - homepage.name=Bazarr
@@ -168,7 +217,7 @@ services:
      - traefik.http.routers.jellyseerr.rule=PathPrefix(`/jellyseerr`)
      - traefik.http.routers.jellyseerr.entrypoints=web
      - traefik.http.services.jellyseerr.loadbalancer.server.port=5055
-      - traefik.http.routers.jellyseerr.middlewares=jellyseerr-stripprefix,jellyseerr-rewrite,jellyseerr-rewriteHeaders
+      - traefik.http.routers.jellyseerr.middlewares=jellyseerr-stripprefix,jellyseerr-rewrite,jellyseerr-rewriteHeaders,authelia-auth@docker
      - traefik.http.middlewares.jellyseerr-stripprefix.stripPrefix.prefixes=/jellyseerr
      - traefik.http.middlewares.jellyseerr-rewriteHeaders.plugin.rewriteHeaders.rewrites[0].header=location
      - traefik.http.middlewares.jellyseerr-rewriteHeaders.plugin.rewriteHeaders.rewrites[0].regex=^/(.+)$
@@ -241,6 +290,7 @@ services:
      - traefik.enable=true
      - traefik.http.routers.prowlarr.rule=PathPrefix(`/prowlarr`)
      - traefik.http.routers.prowlarr.entrypoints=web
+      - traefik.http.routers.prowlarr.middlewares=authelia-auth@docker
      - traefik.http.services.prowlarr.loadbalancer.server.port=9696
      - homepage.group=Download
      - homepage.name=Prowlarr
@@ -264,6 +314,7 @@ services:
      - traefik.enable=true
      - traefik.http.routers.flaresolverr.rule=PathPrefix(`/flaresolverr`)
      - traefik.http.routers.flaresolverr.entrypoints=web
+      - traefik.http.routers.flaresolverr.middlewares=authelia-auth@docker
      - traefik.http.services.flaresolverr.loadbalancer.server.port=8191
    profiles:
      - flaresolverr
@@ -289,10 +340,10 @@ services:
      retries: 10
    labels:
      - traefik.enable=true
-      - traefik.http.routers.qbittorrent.rule=Host(`${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}`) && PathPrefix(`/qbittorrent`)
+      - traefik.http.routers.qbittorrent.rule=PathPrefix(`/qbittorrent`)
      - traefik.http.routers.qbittorrent.entrypoints=web
      - traefik.http.services.qbittorrent.loadbalancer.server.port=8080
-      - traefik.http.routers.qbittorrent.middlewares=qbittorrent-strip-slash,qbittorrent-stripprefix
+      - traefik.http.routers.qbittorrent.middlewares=qbittorrent-strip-slash,qbittorrent-stripprefix,authelia-auth@docker
      # https://github.com/qbittorrent/qBittorrent/issues/5693#issuecomment-552146296
      - traefik.http.middlewares.qbittorrent-stripprefix.stripPrefix.prefixes=/qbittorrent
      # https://community.traefik.io/t/middleware-to-add-the-if-needed/1895/19
@@ -340,6 +391,7 @@ services:
      - traefik.enable=true
      - traefik.http.routers.sabnzbd.rule=PathPrefix(`/sabnzbd`) # Simplified rule
      - traefik.http.routers.sabnzbd.entrypoints=web
+      - traefik.http.routers.sabnzbd.middlewares=authelia-auth@docker
      - traefik.http.services.sabnzbd.loadbalancer.server.port=8080
      - homepage.group=Download
      - homepage.name=Sabnzbd
@@ -375,6 +427,7 @@ services:
      - traefik.enable=true
      - traefik.http.routers.jellyfin.rule=PathPrefix(`/jellyfin`)
      - traefik.http.routers.jellyfin.entrypoints=web
+      - traefik.http.routers.jellyfin.middlewares=authelia-auth@docker
      - traefik.http.services.jellyfin.loadbalancer.server.port=8096
      - homepage.group=Media
      - homepage.name=Jellyfin
@@ -403,8 +456,8 @@ services:
      - traefik.http.middlewares.calibre-headers.headers.customRequestHeaders.X-Scheme=https
      - traefik.http.middlewares.calibre-headers.headers.customRequestHeaders.X-Script-Name=/calibre
      - traefik.http.middlewares.calibre-stripprefixregex.stripPrefixRegex.regex=/calibre
-      - traefik.http.routers.calibre.middlewares=calibre-headers,calibre-stripprefixregex
-      - traefik.http.routers.calibre.rule=Host(`${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}`) && PathPrefix(`/calibre`)
+      - traefik.http.routers.calibre.middlewares=calibre-headers,calibre-stripprefixregex,authelia-auth@docker
+      - traefik.http.routers.calibre.rule=PathPrefix(`/calibre`)
      - traefik.http.routers.calibre.entrypoints=web
      - traefik.http.services.calibre.loadbalancer.server.port=8083
      - homepage.group=Media
@@ -478,11 +531,18 @@ services:
      [sh, -c, "cp -n /app/config/tpl/*.yaml /app/config && node server.js"]
    labels:
      - traefik.enable=true
-      # Change path to /home and use specific Tailscale host
-      - traefik.http.routers.homepage.rule=Host(`${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}`) && PathPrefix(`/home`)
+      # Rule for homepage, now at /home, needs auth
+      - traefik.http.routers.homepage.rule=Host(`${HOSTNAME}`) && PathPrefix(`/home`)
      - traefik.http.routers.homepage.entrypoints=web
-      # Authelia middleware will be added in a later commit
-      - traefik.http.services.homepage.loadbalancer.server.port=3000
+      - traefik.http.routers.homepage.priority=10 # Lower priority than Authelia's root rule
+      - traefik.http.middlewares.homepage-stripprefix.stripPrefix.prefixes=/home
+      - traefik.http.routers.homepage.middlewares=homepage-stripprefix,authelia-auth@docker
+      # Homepage's own labels for discovery (unchanged)
+      - homepage.group=Dashboard
+      - homepage.name=Homepage
+      - homepage.icon=homepage.png
+      - homepage.href=/home # Update link to new path
+      - homepage.description=Service Dashboard
  watchtower:
    image: ghcr.io/containrrr/watchtower:latest
    container_name: watchtower