From b0d760c3abed565b16fe6446f24c75873d0ffced Mon Sep 17 00:00:00 2001
From: Keith Solomon
Date: Sat, 6 Dec 2025 13:41:33 -0600
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8feature:=20Add=20basic=20Traefik/Authe?= =?UTF-8?q?lia=20support=20files?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 assets/files/authelia/configuration.yml | 88 ++++++++++++++++++++++
 assets/files/authelia/users_database.yml | 9 +++
 assets/files/traefik/.env.example | 9 +++
 assets/files/traefik/traefik-stack.yml | 93 +++++++++++++++++++++++
 assets/files/traefik/traefik.yml | 95 ++++++++++++++++++++++++
 5 files changed, 294 insertions(+)
 create mode 100644 assets/files/authelia/configuration.yml
 create mode 100644 assets/files/authelia/users_database.yml
 create mode 100644 assets/files/traefik/.env.example
 create mode 100644 assets/files/traefik/traefik-stack.yml
 create mode 100644 assets/files/traefik/traefik.yml
diff --git a/assets/files/authelia/configuration.yml b/assets/files/authelia/configuration.yml
new file mode 100644
index 0000000..f47f95b
--- /dev/null
+++ b/assets/files/authelia/configuration.yml
@@ -0,0 +1,88 @@
+---
+theme: dark
+
+server:
+ address: tcp://0.0.0.0:9091
+ buffers:
+ read: 65536
+ write: 65536
+
+access_control:
+ default_policy: deny
+ networks:
+ - name: internal
+ networks:
+ - 192.168.2.0/24
+ rules:
+ - domain: "*.yourdomain.com"
+ policy: bypass
+ networks:
+ - internal
+ - domain: "*.yourdomain.com"
+ policy: one_factor
+
+log:
+ level: info
+ file_path: /logs/authelia.log
+ format: json
+ keep_stdout: true
+
+#default_redirection_url: https://auth.yourdomain.com
+
+totp:
+ issuer: authelia.com
+
+identity_validation:
+ reset_password:
+ jwt_secret: "{{ env `AUTHELIA_JWT_SECRET` }}"
+
+# docker run authelia/authelia:latest authelia crypto hash generate argon2 -i 1 -p 8 -v argon2id --password 'yourpassword'
+authentication_backend:
+ refresh_interval: 5m
+ file:
+ path: /config/users_database.yml
+ password:
+ algorithm: argon2id
+ iterations: 1
+ salt_length: 16
+ parallelism: 8
+ memory: 64
+
+session:
+ name: authelia_session
+ secret: "{{ env `AUTHELIA_SESSION_SECRET` }}"
+ inactivity: 5d # 5 days
+ expiration: 30d # 30 days
+ remember_me: 60d # 60 days
+ cookies:
+ - domain: 'yourdomain.com'
+ authelia_url: 'https://auth.yourdomain.com'
+ default_redirection_url: 'https://yourdomain.com'
+ name: 'authelia_session'
+ inactivity: 5d # 5 days
+ expiration: 30d # 30 days
+ remember_me: 60d # 60 days
+
+regulation:
+ max_retries: 5
+ find_time: 120m
+ ban_time: 300m
+
+storage:
+ encryption_key: "{{ env `AUTHELIA_STORAGE_ENCRYPTION_KEY` }}}"
+ local:
+ path: /config/db.sqlite3
+
+notifier:
+ smtp:
+ address: submission://smtp.gmail.com:587
+ username: "{{ env `AUTHELIA_NOTIFIER_USERNAME` }}"
+ password: "{{ env `AUTHELIA_NOTIFIER_PASSWORD` }}"
+ sender: ksolomon+authelia@gmail.com
+
+ntp:
+ address: time.cloudflare.com:123
+ version: 3
+ max_desync: 3s
+ disable_startup_check: false
+ disable_failure: false
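Review bot: The template under `storage:` is unbalanced, `encryption_key: "{{ env `AUTHELIA_STORAGE_ENCRYPTION_KEY` }}}"` — the third `}` sits outside the `{{ ... }}` action, so the rendered key is the secret with a literal `}` appended, and fixing the typo later changes the key and leaves the existing `db.sqlite3` undecryptable; it should be `encryption_key: "{{ env `AUTHELIA_STORAGE_ENCRYPTION_KEY` }}"`. The only non-bypass rule is `policy: one_factor` for all of `*.yourdomain.com`, which also covers the Traefik dashboard and the config-writing traefik-gui host added in this commit; with TOTP already configured, a `two_factor` rule for those admin hosts placed ahead of the catch-all would be cheap. The `bypass` rule is keyed on the `internal` network, which as far as I can tell Authelia evaluates against the client IP it derives from forwarded headers, and the forwardAuth middleware is configured with `trustForwardHeader=true`; confirm that port 9091 is reachable only from Traefik and that Traefik's trusted-IP list matches how clients actually arrive, otherwise the bypass may be wider than the LAN. `totp.issuer: authelia.com` also looks like a leftover default rather than the deployment's name.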
diff --git a/assets/files/authelia/users_database.yml b/assets/files/authelia/users_database.yml
new file mode 100644
index 0000000..d01cfcc
--- /dev/null
+++ b/assets/files/authelia/users_database.yml
@@ -0,0 +1,9 @@
+users:
+ user:
+ disabled: false
+ displayname: 'Your Name'
+ # to generate, run docker run authelia/authelia:latest authelia crypto hash generate argon2 -i 1 -p 8 -v argon2id --password your-password
+ password: 'your-hashed-password-here'
+ email: 'your-email@yourdomain.com'
+ groups:
+ - 'admins'
diff --git a/assets/files/traefik/.env.example b/assets/files/traefik/.env.example
new file mode 100644
index 0000000..c9961e2
--- /dev/null
+++ b/assets/files/traefik/.env.example
@@ -0,0 +1,9 @@
+CLOUDFLARE_API_KEY=your_cloudflare_api_key_here
+CLOUDFLARE_EMAIL=your_cloudflare_email_here
+
+# Gebnerate these secrets using openssl rand -hex 64
+AUTHELIA_SESSION_SECRET=your_session_secret_here
+AUTHELIA_STORAGE_ENCRYPTION_KEY=your_storage_encryption_key_here
+AUTHELIA_JWT_SECRET=your_jwt_secret_here
+AUTHELIA_NOTIFIER_USERNAME=your_email_here
+AUTHELIA_NOTIFIER_PASSWORD=your_email_app_password_here
diff --git a/assets/files/traefik/traefik-stack.yml b/assets/files/traefik/traefik-stack.yml
new file mode 100644
index 0000000..6a701be
--- /dev/null
+++ b/assets/files/traefik/traefik-stack.yml
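Review bot: `CLOUDFLARE_API_KEY` together with `CLOUDFLARE_EMAIL` is the Cloudflare Global API Key pair, which grants full account access, while the DNS-01 challenge only needs DNS edit rights on one zone; Traefik's cloudflare provider also accepts a scoped token, so the template should steer users to `CF_DNS_API_TOKEN=your_scoped_dns_token_here` (with the matching `environment:` entry in the stack file) and drop the global key. The generation comment has a typo and could say what the variables protect: `# Generate these secrets with: openssl rand -hex 64`. A line such as `# copy to .env and keep .env out of version control` would also make clear that only the example is meant to be committed.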
@@ -0,0 +1,93 @@
+services:
+ traefik:
+ container_name: Traefik
+ image: traefik:latest
+ restart: always
+
+ networks:
+ traefik_macvlan:
+ ipv4_address: 192.168.2.253 # Traefik's LAN IP
+ proxy: {}
+
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - ./traefik/traefik.yml:/traefik.yml:ro
+ - ./traefik/config:/traefik_config
+ - ./traefik/cert:/traefik_cert
+ - ./traefik/logs:/logs
+
+ environment:
+ - TZ=America/Winnipeg
+ - CLOUDFLARE_API_KEY=${CLOUDFLARE_API_KEY}
+ - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
+
+ labels:
+ - "traefik.enable=true"
+
+ # Dashboard (behind Authelia)
+ - "traefik.http.routers.traefik.rule=Host(`tfk.yourdomain.com`)"
+ - "traefik.http.routers.traefik.entrypoints=https"
+ - "traefik.http.routers.traefik.tls.certresolver=cloudflare"
+ - "traefik.http.routers.traefik.service=api@internal"
+ - "traefik.http.routers.traefik.middlewares=authelia@docker"
+
+ authelia:
+ container_name: Authelia
+ restart: always
+ image: authelia/authelia:latest
+
+ networks:
+ - proxy
+
+ volumes:
+ - ./authelia/config:/config
+ - ./authelia/secrets:/secrets:ro
+ - ./authelia/logs:/var/log/authelia
+
+ environment:
+ - TZ=America/Winnipeg
+ - X_AUTHELIA_CONFIG_FILTERS=template
+ - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
+ - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY}
+ - AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
+
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=proxy"
+ - "traefik.http.routers.authelia.rule=Host(`auth.yourdomain.com`)"
+ - "traefik.http.routers.authelia.entrypoints=https"
+ - "traefik.http.routers.authelia.tls.certresolver=cloudflare"
+
+ - "traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/authz/forward-auth"
+ - "traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true"
+ - "traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
+
+ traefik-gui:
+ container_name: Traefik-GUI
+ restart: always
+ image: ghcr.io/rahn-it/traefik-gui:master
+
+ networks:
+ - proxy
+
+ volumes:
+ - ./traefik-gui/db:/app/db
+ - ./traefik/config:/app/traefik
+
+ environment:
+ - TZ=America/Winnipeg
+
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=proxy"
+ - "traefik.http.routers.traefik-gui.rule=Host(`tfk-admin.yourdomain.com`)"
+ - "traefik.http.routers.traefik-gui.entrypoints=https"
+ - "traefik.http.routers.traefik-gui.tls.certresolver=cloudflare"
+ - "traefik.http.routers.traefik-gui.middlewares=authelia@docker"
+
+networks:
+ traefik_macvlan:
+ external: true
+ proxy:
+ name: proxy
+ driver: bridge
diff --git a/assets/files/traefik/traefik.yml b/assets/files/traefik/traefik.yml
new file mode 100644
index 0000000..910cf7a
--- /dev/null
+++ b/assets/files/traefik/traefik.yml
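Review bot: The Authelia service's `environment:` passes only the session, storage and JWT secrets, but `configuration.yml` in this same commit also templates `AUTHELIA_NOTIFIER_USERNAME` and `AUTHELIA_NOTIFIER_PASSWORD` (and `.env.example` defines them), so the SMTP notifier renders with empty credentials unless `- AUTHELIA_NOTIFIER_USERNAME=${AUTHELIA_NOTIFIER_USERNAME}` and `- AUTHELIA_NOTIFIER_PASSWORD=${AUTHELIA_NOTIFIER_PASSWORD}` are added. The logs mount does not line up either: the stack mounts `./authelia/logs:/var/log/authelia` while the Authelia config writes to `/logs/authelia.log`, so one of the two paths needs to change or the log file never lands on the host. On the hardening side, `/var/run/docker.sock` (even `:ro`) hands the Traefik container the full Docker API, and `traefik-gui` gets a writable mount of `./traefik/config`, the directory Traefik's file provider watches, so anyone past the `one_factor` gate on `tfk-admin` can reroute any host; a docker-socket proxy limited to read-only container/network listing and a stronger policy on the admin hosts would shrink that. Lastly, `traefik:latest`, `authelia/authelia:latest` and `traefik-gui:master` mean every `compose pull`/recreate can bring in an unreviewed build of the components that gate authentication, so pinning versions or digests is worth it here.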
@@ -0,0 +1,95 @@
+global:
+ # Send anonymous usage data
+ sendAnonymousUsage: true
+ checkNewVersion: true
+
+api:
+ dashboard: true
+ debug: true
+ disableDashboardAd: true
+
+log:
+ filePath: "/logs/logfile.log"
+ level: INFO
+ format: common
+
+accessLog:
+ filePath: "/logs/access.log"
+ # bufferingSize: 20
+ fields:
+ defaultMode: keep
+ names:
+ StartUTC: drop
+
+entryPoints:
+ http:
+ address: ":80"
+ http:
+ redirections:
+ entryPoint:
+ to: https
+ scheme: https
+ permanent: true
+
+ https:
+ address: ":443"
+ http:
+ tls:
+ # Generate a wildcard domain certificate
+ certResolver: cloudflare
+
+ domains:
+ - main: '*.yourdomain.com'
+
+ forwardedHeaders:
+ trustedIPs:
+ - "173.245.48.0/20"
+ - "103.21.244.0/22"
+ - "103.22.200.0/22"
+ - "103.31.4.0/22"
+ - "141.101.64.0/18"
+ - "108.162.192.0/18"
+ - "190.93.240.0/20"
+ - "188.114.96.0/20"
+ - "197.234.240.0/22"
+ - "198.41.128.0/17"
+ - "162.158.0.0/15"
+ - "104.16.0.0/13"
+ - "104.24.0.0/14"
+ - "172.64.0.0/13"
+ - "131.0.72.0/22"
+ - "2400:cb00::/32"
+ - "2606:4700::/32"
+ - "2803:f800::/32"
+ - "2405:b500::/32"
+ - "2405:8100::/32"
+ - "2a06:98c0::/29"
+ - "2c0f:f248::/32"
+
+serversTransport:
+ insecureSkipVerify: true
+
+providers:
+ providersThrottleDuration: 2s
+
+ docker:
+ endpoint: "unix:///var/run/docker.sock"
+ exposedByDefault: false
+ watch: true
+ network: proxy
+
+ file:
+ directory: "/traefik_config"
+ watch: true
+
+certificatesResolvers:
+ cloudflare:
+ acme:
+ email: ksolomon@gmail.com
+ storage: /traefik_cert/acme.json
+
+ dnsChallenge:
+ provider: cloudflare
+ resolvers:
+ - "1.1.1.1:53"
+ - "1.0.0.1:53"
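Review bot: `serversTransport.insecureSkipVerify: true` is set in the static config, so Traefik skips certificate verification for every HTTPS backend it will ever proxy to, not just one known self-signed service; it should be removed here and, where a self-signed upstream genuinely exists, applied through a per-service `serversTransport` in the dynamic config or by listing its CA under `serversTransport.rootCAs`. `api.debug: true` additionally exposes the debug/profiling endpoints through `api@internal`, which the dashboard router puts behind a one-factor Authelia session that has no need for them; `debug: false` is the safer default for a template. `sendAnonymousUsage: true` and the personal `acme.email: ksolomon@gmail.com` (like the `sender` address in the Authelia config) are baked into what the other files treat as a template, so a placeholder such as `email: you@yourdomain.com` and an explicit decision on telemetry would make it reusable without leaking the author's details. Note also that Traefik rejects an `acme.json` whose permissions are wider than 0600, so the bind-mounted `./traefik/cert` directory needs the file pre-created with that mode, which is worth a comment next to `storage:`.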