@simplehomelab/deployrr 6.0.0-rc3

package/apps/core/authelia/compose.yml

@@ -0,0 +1,45 @@
+services:
+  # Authelia (Lite) - Self-Hosted Single Sign-On and Two-Factor Authentication
+  authelia:
+    container_name: authelia
+    image: authelia/authelia:${AUTHELIA_VERSION_PIN}
+    security_opt:
+      - no-new-privileges:true
+    restart: unless-stopped
+    profiles: ["core", "all"]
+    networks:
+      - default
+      - traefik_proxy
+    depends_on:
+      authelia-redis:
+        condition: service_healthy
+    # ports:
+    #   - "$AUTHELIA_PORT:9091"
+    volumes:
+      - $DOCKERDIR/appdata/authelia:/config
+    environment:
+      - TZ=$TZ
+      - PUID=$PUID
+      - PGID=$PGID
+      - AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret
+      - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret
+      - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/authelia_storage_encryption_key
+      # - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/authelia_storage_mysql_password
+      # - AUTHELIA_SESSION_REDIS_PASSWORD_FILE=/run/secrets/authelia_session_redis_password
+      # - AUTHELIA_DUO_API_INTEGRATION_KEY_FILE=/run/secrets/authelia_duo_api_integration_key
+      # - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key
+    secrets:
+      - authelia_jwt_secret
+      - authelia_storage_encryption_key
+      - authelia_session_secret
+    labels:
+      - "traefik.enable=true"
+      ## HTTP Routers
+      - "traefik.http.routers.authelia-rtr.entrypoints=websecure-internal,websecure-external"
+      - "traefik.http.routers.authelia-rtr.rule=Host(`authelia.$DOMAINNAME_1`)"
+      ## Middlewares
+      - "traefik.http.routers.authelia-rtr.middlewares=chain-no-auth@file" # Should be chain-no-auth and not chain-authelia
+      ## HTTP Services
+      - "traefik.http.routers.authelia-rtr.service=authelia-svc"
+      - "traefik.http.services.authelia-svc.loadbalancer.server.port=9091"
+    # DOCKER-LABELS-PLACEHOLDER

package/apps/core/authelia/files/chain-authelia.yml

@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    chain-authelia:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-secure-headers
+          - middlewares-authelia

package/apps/core/authelia/files/configuration.yml

@@ -0,0 +1,100 @@
+###############################################################
+#                   Authelia configuration                    #
+###############################################################
+
+server:
+  address: tcp://0.0.0.0:9091/
+  buffers:
+    read: 4096
+    write: 4096
+  endpoints:
+    enable_pprof: false
+    enable_expvars: false
+  disable_healthcheck: false
+  tls:
+    key: ""
+    certificate: ""
+
+# https://www.authelia.com/configuration/miscellaneous/logging/
+log:
+  level: info
+  format: text
+  file_path: /config/authelia.log
+  keep_stdout: true
+
+# https://www.authelia.com/configuration/second-factor/time-based-one-time-password/
+totp:
+  issuer: example.com
+  period: 30
+  skew: 1
+
+# AUTHELIA_DUO_PLACEHOLDER
+
+# https://www.authelia.com/reference/guides/passwords/
+authentication_backend:
+  password_reset:
+    disable: false
+  refresh_interval: 5m
+  file:
+    path: /config/users.yml
+    password:
+      algorithm: argon2id
+      iterations: 1
+      salt_length: 16
+      parallelism: 8
+      memory: 256 # blocks this much of the RAM
+
+# https://www.authelia.com/overview/authorization/access-control/
+access_control:
+  default_policy: deny
+  rules:
+    # - domain:
+    #     - "*.example.com"
+    #     - "example.com"
+    #   policy: bypass
+    #   networks: # bypass authentication for local networks
+    #     - 10.0.0.0/8
+    #     - 192.168.0.0/16
+    #     - 172.16.0.0/12
+    - domain:
+        - "*.example.com"
+        - "example.com"
+      policy: two_factor
+
+# https://www.authelia.com/configuration/session/introduction/
+session:
+  name: authelia_session
+  same_site: lax
+  expiration: 7h
+  inactivity: 5m
+  remember_me: 1M
+  cookies:
+    - domain: 'example.com'
+      authelia_url: 'https://authelia.example.com'
+      default_redirection_url: 'https://example.com'
+  redis:
+    host: authelia-redis
+    port: 6379
+    database_index: 0
+    maximum_active_connections: 10
+    minimum_idle_connections: 0
+
+# https://www.authelia.com/configuration/security/regulation/
+regulation:
+  max_retries: 3
+  find_time: 10m
+  ban_time: 12h
+
+# https://www.authelia.com/configuration/storage/introduction/
+storage:
+  # For local storage, uncomment lines below and comment out mysql. https://docs.authelia.com/configuration/storage/sqlite.html
+  # This is good for the beginning. If you have a busy site then switch to other databases.
+  local:
+   path: /config/db.sqlite3
+
+# https://www.authelia.com/configuration/notifications/introduction/
+notifier:
+  disable_startup_check: false
+  # For testing purposes, notifications can be sent in a file. Be sure to map the volume in docker-compose.
+  filesystem:
+    filename: /config/notifications.txt

package/apps/core/authelia/files/middlewares-authelia.yml

@@ -0,0 +1,9 @@
+http:
+  middlewares:
+    middlewares-authelia:
+      forwardAuth:
+        address: "http://authelia:9091/api/verify?rd=https://authelia.{{env "DOMAINNAME_1"}}"
+        trustForwardHeader: true
+        authResponseHeaders:
+          - "Remote-User"
+          - "Remote-Groups"

package/apps/core/authelia/files/users.yml

@@ -0,0 +1,15 @@
+###############################################################
+#                         Users Database                      #
+###############################################################
+
+# This file can be used if you do not have an LDAP set up.
+
+# List of users
+users:
+  AUTHELIA_USERNAME:
+    disabled: false
+    displayname: "AUTHELIA_USER_DISPLAY_NAME"
+    email: AUTHELIA_USER_EMAIL
+    password: AUTHELIA_HASHED_PASSWORD
+    groups:
+      - admins

package/apps/core/authelia/manifest.json

@@ -0,0 +1,156 @@
+{
+  "$schema": "../../../manifest-schema.json",
+  "version": "1.2",
+
+  "app": {
+    "sname": "authelia",
+    "pname": "Authelia",
+    "descriptionShort": "Open-source Access/Identity Provider",
+    "icon": "sh-authelia",
+    "category": "core"
+  },
+
+  "deployment": {
+    "type": "multicontainer",
+    "compose": "compose.yml",
+    "webui": true,
+    "port": 9091,
+    "protocol": "https"
+  },
+
+  "dependencies": [
+    {
+      "sname": "authelia-redis",
+      "pname": "Authelia Redis",
+      "compose": "authelia-redis.yml",
+      "installOrder": 1,
+      "waitForHealthy": true,
+      "description": "Redis session store for Authelia"
+    }
+  ],
+
+  "requirements": {
+    "prerequisites": ["prerequisites", "socket_proxy_running", "traefik_production", "traefik_running", "hybrid_mode"],
+    "apps": ["socket-proxy", "traefik"]
+  },
+
+  "files": [
+    {
+      "source": "files/configuration.yml",
+      "destination": "$DOCKER_FOLDER/appdata/authelia/configuration.yml",
+      "backup": true
+    },
+    {
+      "source": "files/users.yml",
+      "destination": "$DOCKER_FOLDER/appdata/authelia/users.yml",
+      "backup": true
+    },
+    {
+      "source": "files/middlewares-authelia.yml",
+      "destination": "$DOCKER_FOLDER/appdata/traefik3/rules/$HOSTNAME/middlewares-authelia.yml",
+      "backup": false
+    },
+    {
+      "source": "files/chain-authelia.yml",
+      "destination": "$DOCKER_FOLDER/appdata/traefik3/rules/$HOSTNAME/chain-authelia.yml",
+      "backup": false
+    }
+  ],
+
+  "placeholders": {
+    "config": {
+      "configuration.yml": {
+        "example.com": "$DOMAINNAME_1"
+      },
+      "users.yml": {
+        "AUTHELIA_USERNAME": "$AUTHELIA_USERNAME",
+        "AUTHELIA_USER_DISPLAY_NAME": "$AUTHELIA_USER_DISPLAY_NAME",
+        "AUTHELIA_HASHED_PASSWORD": "$AUTHELIA_HASHED_PASSWORD",
+        "AUTHELIA_USER_EMAIL": "$AUTHELIA_USER_EMAIL"
+      }
+    }
+  },
+
+  "traefik": {
+    "supported": true,
+    "subdomain": "authelia",
+    "chain": "chain-no-auth",
+    "middlewares": ["middlewares-authelia.yml", "chain-authelia.yml"]
+  },
+
+  "dashboard": {
+    "enabled": true,
+    "location": "other",
+    "showStats": true,
+    "portVariable": null
+  },
+
+  "env": {
+    "variables": [
+      {
+        "name": "AUTHELIA_VERSION_PIN",
+        "type": "string",
+        "default": "latest",
+        "prompt": false,
+        "required": true
+      },
+      {
+        "name": "AUTHELIA_USERNAME",
+        "type": "string",
+        "default": "",
+        "prompt": true,
+        "required": true,
+        "promptText": "Enter/edit Authelia Username:"
+      },
+      {
+        "name": "AUTHELIA_USER_DISPLAY_NAME",
+        "type": "string",
+        "default": "",
+        "prompt": true,
+        "required": true,
+        "promptText": "Enter/edit Authelia User Display Name (use underscore in place of space):"
+      },
+      {
+        "name": "AUTHELIA_USER_EMAIL",
+        "type": "string",
+        "default": "",
+        "prompt": true,
+        "required": true,
+        "promptText": "Enter/edit Authelia User Email.\n\nIt can be anything because we won't actually be using email for device validation:"
+      }
+    ],
+    "secrets": [
+      {
+        "name": "authelia_text_password",
+        "type": "password",
+        "generateDefault": true,
+        "generateLength": 16,
+        "promptText": "Enter a strong password or use the suggested random password (note it down):"
+      },
+      {
+        "name": "authelia_jwt_secret",
+        "type": "random",
+        "generateDefault": true,
+        "generateLength": 64
+      },
+      {
+        "name": "authelia_session_secret",
+        "type": "random",
+        "generateDefault": true,
+        "generateLength": 64
+      },
+      {
+        "name": "authelia_storage_encryption_key",
+        "type": "random",
+        "generateDefault": true,
+        "generateLength": 64
+      }
+    ]
+  },
+
+  "status": {
+    "file": "05_authelia_status",
+    "successMessage": "Authelia Setup Completed",
+    "telemetryAction": "authelia"
+  }
+}

package/apps/core/authentik/authentik-postgresql.yml

@@ -0,0 +1,26 @@
+services:
+  # Authentik PostgreSQL - Dedicated Database for Authentik
+  authentik-postgresql:
+    container_name: authentik-postgresql
+    image: postgres:${AUTHENTIKPOSTGRESQL_VERSION_PIN}
+    security_opt:
+      - no-new-privileges:true
+    restart: unless-stopped
+    profiles: ["core", "all"]
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d authentik -U authentik_db_user"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    networks:
+      - default
+    volumes:
+      - $DOCKERDIR/appdata/authentik-postgresql:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_DB=authentik
+      - POSTGRES_USER=authentik_db_user
+      - POSTGRES_PASSWORD_FILE=/run/secrets/authentik_postgresql_password
+    secrets:
+      - authentik_postgresql_password
+    # DOCKER-LABELS-PLACEHOLDER

package/apps/core/authentik/authentik-worker.yml

@@ -0,0 +1,37 @@
+services:
+  authentik-worker:
+    image: ghcr.io/goauthentik/server:${AUTHENTIKWORKER_VERSION_PIN}
+    container_name: authentik-worker
+    security_opt:
+      - no-new-privileges:true
+    restart: unless-stopped
+    profiles: ["core", "all"]
+    networks:
+      - default
+      - traefik_proxy
+      - socket_proxy
+    command: worker
+    user: ${PUID}:${PGID}
+    depends_on:
+      authentik-postgresql:
+        condition: service_healthy
+      authentik:
+        condition: service_healthy
+    environment:
+      - DOCKER_HOST=${DOCKER_HOST}
+      - AUTHENTIK_POSTGRESQL__HOST=authentik-postgresql
+      - AUTHENTIK_POSTGRESQL__NAME=authentik
+      - AUTHENTIK_POSTGRESQL__USER=authentik_db_user
+      - AUTHENTIK_POSTGRESQL__PASSWORD=${AUTHENTIK_POSTGRESQL__PASSWORD}
+      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
+      - AUTHENTIK_LOG_LEVEL=info # debug, info, warning, error, trace
+      - AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
+      - AUTHENTIK_DISABLE_UPDATE_CHECK=false
+      - AUTHENTIK_ERROR_REPORTING__ENABLED=false
+    secrets:
+      - authentik_postgresql_password
+      - authentik_secret_key
+    volumes:
+      - $DOCKERDIR/appdata/authentik/media:/media
+      - $DOCKERDIR/appdata/authentik/custom-templates:/templates
+    # DOCKER-LABELS-PLACEHOLDER

package/apps/core/authentik/compose.yml

@@ -0,0 +1,51 @@
+services:
+  authentik:
+    image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION_PIN}
+    container_name: authentik
+    security_opt:
+      - no-new-privileges:true
+    restart: unless-stopped
+    profiles: [ "core", "all" ]
+    networks:
+      - default
+      - traefik_proxy
+    command: server
+    user: ${PUID}:${PGID}
+    depends_on:
+      authentik-postgresql:
+        condition: service_healthy
+    healthcheck:
+      test: [ "CMD", "ak", "healthcheck" ]
+      start_period: 60s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+    environment:
+      - AUTHENTIK_POSTGRESQL__HOST=authentik-postgresql
+      - AUTHENTIK_POSTGRESQL__NAME=authentik
+      - AUTHENTIK_POSTGRESQL__USER=authentik_db_user
+      - AUTHENTIK_POSTGRESQL__PASSWORD=${AUTHENTIK_POSTGRESQL__PASSWORD}
+      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
+      - AUTHENTIK_LOG_LEVEL=info # debug, info, warning, error, trace
+      - AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
+      - AUTHENTIK_DISABLE_UPDATE_CHECK=false
+      - AUTHENTIK_ERROR_REPORTING__ENABLED=false
+    secrets:
+      - authentik_postgresql_password
+      - authentik_secret_key
+    volumes:
+      - $DOCKERDIR/appdata/authentik/media:/media
+      - $DOCKERDIR/appdata/authentik/custom-templates:/templates
+    labels:
+      - "traefik.enable=true"
+      # HTTP Routers
+      - "traefik.http.routers.authentik-rtr.entrypoints=websecure-internal,websecure-external"
+      - "traefik.http.routers.authentik-rtr.rule=Host(`authentik.$DOMAINNAME_1`)"
+      # Middlewares
+      - "traefik.http.routers.authentik-rtr.middlewares=chain-no-auth@file"
+      # Individual Application forwardAuth regex (catch any subdomain using individual application forwardAuth)
+      - "traefik.http.routers.authentik-output-rtr.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.${DOMAINNAME_1}`) && PathPrefix(`/outpost.goauthentik.io/`)"
+      # HTTP Services
+      - "traefik.http.routers.authentik-rtr.service=authentik-svc"
+      - "traefik.http.services.authentik-svc.loadbalancer.server.port=9000"
+    # DOCKER-LABELS-PLACEHOLDER

package/apps/core/authentik/files/chain-authentik.yml

@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    chain-authentik:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-secure-headers
+          - middlewares-authentik

package/apps/core/authentik/files/middlewares-authentik.yml

@@ -0,0 +1,19 @@
+http:
+  middlewares:
+  # https://github.com/goauthentik/authentik/issues/2366
+    middlewares-authentik:
+      forwardAuth:
+        address: "http://authentik:9000/outpost.goauthentik.io/auth/traefik"
+        trustForwardHeader: true
+        authResponseHeaders:
+          - X-authentik-username
+          - X-authentik-groups
+          - X-authentik-email
+          - X-authentik-name
+          - X-authentik-uid
+          - X-authentik-jwt
+          - X-authentik-meta-jwks
+          - X-authentik-meta-outpost
+          - X-authentik-meta-provider
+          - X-authentik-meta-app
+          - X-authentik-meta-version

package/apps/core/authentik/manifest.json

@@ -0,0 +1,117 @@
+{
+  "$schema": "../../../manifest-schema.json",
+  "version": "1.2",
+
+  "app": {
+    "sname": "authentik",
+    "pname": "Authentik",
+    "descriptionShort": "Open-source Access/Identity Provider",
+    "icon": "sh-authentik",
+    "category": "core"
+  },
+
+  "deployment": {
+    "type": "multicontainer",
+    "compose": "compose.yml",
+    "webui": true,
+    "port": 9000,
+    "protocol": "https"
+  },
+
+  "dependencies": [
+    {
+      "sname": "authentik-postgresql",
+      "pname": "Authentik PostgreSQL",
+      "compose": "authentik-postgresql.yml",
+      "installOrder": 1,
+      "waitForHealthy": true,
+      "description": "Dedicated PostgreSQL database for Authentik"
+    },
+    {
+      "sname": "authentik-worker",
+      "pname": "Authentik Worker",
+      "compose": "authentik-worker.yml",
+      "installOrder": 3,
+      "waitForHealthy": false,
+      "description": "Background task processor for Authentik"
+    }
+  ],
+
+  "requirements": {
+    "prerequisites": ["prerequisites", "socket_proxy_running", "traefik_production", "traefik_running", "hybrid_mode"],
+    "apps": ["socket-proxy", "traefik"]
+  },
+
+  "files": [
+    {
+      "source": "files/middlewares-authentik.yml",
+      "destination": "$DOCKER_FOLDER/appdata/traefik3/rules/$HOSTNAME/middlewares-authentik.yml",
+      "backup": false
+    },
+    {
+      "source": "files/chain-authentik.yml",
+      "destination": "$DOCKER_FOLDER/appdata/traefik3/rules/$HOSTNAME/chain-authentik.yml",
+      "backup": false
+    }
+  ],
+
+  "traefik": {
+    "supported": true,
+    "subdomain": "authentik",
+    "chain": "chain-no-auth",
+    "middlewares": ["middlewares-authentik.yml", "chain-authentik.yml"]
+  },
+
+  "dashboard": {
+    "enabled": true,
+    "location": "other",
+    "showStats": true,
+    "portVariable": null
+  },
+
+  "env": {
+    "variables": [
+      {
+        "name": "AUTHENTIK_VERSION_PIN",
+        "type": "string",
+        "default": "latest",
+        "prompt": false,
+        "required": true
+      },
+      {
+        "name": "AUTHENTIK_POSTGRESQL__PASSWORD",
+        "type": "string",
+        "default": "file:///run/secrets/authentik_postgresql_password",
+        "prompt": false,
+        "required": true
+      },
+      {
+        "name": "AUTHENTIK_SECRET_KEY",
+        "type": "string",
+        "default": "file:///run/secrets/authentik_secret_key",
+        "prompt": false,
+        "required": true
+      }
+    ],
+    "secrets": [
+      {
+        "name": "authentik_postgresql_password",
+        "type": "random",
+        "generateDefault": true,
+        "generateLength": 60
+      },
+      {
+        "name": "authentik_secret_key",
+        "type": "random",
+        "generateDefault": true,
+        "generateLength": 60
+      }
+    ]
+  },
+
+  "status": {
+    "file": "05_authentik_status",
+    "successMessage": "Authentik Setup Completed",
+    "telemetryAction": "authentik"
+  }
+}

package/apps/core/crowdsec/compose.yml

@@ -0,0 +1,23 @@
+services:
+  # CrowdSec - Open-source & Collaborative IPS
+  crowdsec:
+    image: crowdsecurity/crowdsec
+    container_name: crowdsec
+    security_opt:
+      - no-new-privileges:true
+    restart: unless-stopped
+    profiles: ["core", "all"]
+    networks:
+      - default
+    ports:
+      - "$CROWDSEC_PORT:8080"
+    environment:
+      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/whitelist-good-actors crowdsecurity/iptables crowdsecurity/linux crowdsecurity/sshd"
+      GID: $PGID
+      CUSTOM_HOSTNAME: $HOSTNAME
+    volumes:
+      - $DOCKERDIR/logs/$HOSTNAME:/logs/$HOSTNAME:ro
+      - /var/log:/var/log:ro
+      - $DOCKERDIR/appdata/crowdsec/data:/var/lib/crowdsec/data
+      - $DOCKERDIR/appdata/crowdsec/config:/etc/crowdsec
+    # DOCKER-LABELS-PLACEHOLDER

package/apps/core/crowdsec/files/acquis-traefik.yaml

@@ -0,0 +1,4 @@
+filenames:
+  - /logs/HOSTNAME-PLACEHOLDER/traefik/*.log
+labels:
+  type: traefik

package/apps/core/crowdsec/files/acquis.yaml

@@ -0,0 +1,8 @@
+filenames:
+  # - /var/log/auth.log
+  # - /var/log/syslog
+  # - /var/log/kern.log
+  # - /var/log/ufw.log
+  # - /var/log/mail.log
+labels:
+  type: syslog

package/apps/core/crowdsec/files/crowdsec-firewall-bouncer.yaml

@@ -0,0 +1,46 @@
+mode: iptables
+pid_dir: /var/run/
+update_frequency: 10s
+daemonize: true
+log_mode: file
+log_dir: /var/log/
+log_level: info
+log_compression: true
+log_max_size: 100
+log_max_backups: 3
+log_max_age: 30
+api_url: http://localhost:CROWDSEC-PORT-PLACEHOLDER/
+api_key: CROWDSEC-API-KEY-PLACEHOLDER
+insecure_skip_verify: false
+disable_ipv6: true
+deny_action: DROP
+deny_log: true
+supported_decisions_types:
+  - ban
+#to change log prefix
+deny_log_prefix: "[CSFB_BLOCK] "
+#to change the blacklists name
+blacklists_ipv4: crowdsec-blacklists
+blacklists_ipv6: crowdsec6-blacklists
+#if present, insert rule in those chains
+iptables_chains:
+  - INPUT
+#  - FORWARD
+  - DOCKER-USER
+
+## nftables
+nftables:
+  ipv4:
+    enabled: true
+    set-only: false
+    table: crowdsec
+    chain: crowdsec-chain
+  ipv6:
+    enabled: true
+    set-only: false
+    table: crowdsec6
+    chain: crowdsec6-chain
+# packet filter
+pf:
+  # an empty string disables the anchor
+  anchor_name: ""