From d6355221993a4888c7461ae3f4e22bcbb029c9a0 Mon Sep 17 00:00:00 2001
From: jack
Date: Thu, 26 Mar 2026 22:50:41 +0700
Subject: [PATCH] feat: remove Authelia, protect dashboard with basic auth
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Authelia was unused overhead — only traefik-dashboard and plane /god-mode/ were behind it. Dashboard now uses traefik-auth (basic auth). /god-mode/ uses rate-limit-strict only.

Removes: authelia + authelia-redis containers, authelia-internal network, authelia_data volume, authelia router/service/forwardAuth middleware.

Co-Authored-By: Claude Sonnet 4.6
---
 roles/services/defaults/main.yml | 4 +-
 .../services/templates/docker-compose.yml.j2 | 40 -------------------
 roles/services/templates/env.j2 | 3 --
 .../templates/traefik/dynamic/routes.yml.j2 | 27 +------------
 4 files changed, 3 insertions(+), 71 deletions(-)

diff --git a/roles/services/defaults/main.yml b/roles/services/defaults/main.yml
index f193434..fb67020 100644
--- a/roles/services/defaults/main.yml
+++ b/roles/services/defaults/main.yml
@@ -26,7 +26,5 @@ alertmanager_image: "prom/alertmanager:v0.28.1" # https://hub
 loki_image: "grafana/loki:3.4.3" # https://hub.docker.com/r/grafana/loki/tags
 promtail_image: "grafana/promtail:3.4.3" # https://hub.docker.com/r/grafana/promtail/tags
 crowdsec_image: "crowdsecurity/crowdsec:v1.6.8" # https://hub.docker.com/r/crowdsecurity/crowdsec/tags
-authelia_image: "authelia/authelia:4.38" # https://hub.docker.com/r/authelia/authelia/tags
-redis_image: "redis:7-alpine" # shared with plane-redis
-authelia_admin_user: "admin"
+redis_image: "redis:7-alpine"
 uptime_kuma_image: "louislam/uptime-kuma:1" # https://hub.docker.com/r/louislam/uptime-kuma/tags
diff --git a/roles/services/templates/docker-compose.yml.j2 b/roles/services/templates/docker-compose.yml.j2
index 6f52cb8..756ee18 100644
--- a/roles/services/templates/docker-compose.yml.j2
+++ b/roles/services/templates/docker-compose.yml.j2
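Review bot: The `# shared with plane-redis` note on `redis_image` is dropped together with the Authelia lines, so the surviving `+redis_image: "redis:7-alpine"` no longer says which service still consumes it now that `authelia-redis` is gone. Restore the rationale, e.g. `redis_image: "redis:7-alpine" # used by plane-redis` (assuming plane-redis is still defined in the compose template, which is outside this hunk). The neighbouring image variables on the context lines each carry their registry-tag link; giving `redis_image` the same treatment keeps the file consistent.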
@@ -26,10 +26,6 @@ networks:
   monitoring:
     driver: bridge
     internal: true
-  authelia-internal:
-    driver: bridge
-    internal: true
-
 volumes:
   forgejo_data:
   forgejo_db_data:
@@ -42,7 +38,6 @@ volumes:
   grafana_data:
   loki_data:
   crowdsec_data:
-  authelia_data:
   uptime_kuma_data:
 
 services:
@@ -527,41 +522,6 @@ services:
       - /var/log/syslog:/var/log/syslog:ro
 
-  # ── Authelia: 2FA SSO portal ───────────────────────────────────────────────
-  # Защищает: Traefik dashboard, Plane /god-mode/
-  # Вход: логин + пароль + TOTP (Google Authenticator)
-  authelia:
-    image: {{ authelia_image }}
-    container_name: authelia
-    restart: unless-stopped
-    depends_on:
-      - authelia-redis
-    networks:
-      - backend
-      - authelia-internal
-    volumes:
-      - authelia_data:/config
-      - {{ services_root }}/authelia/configuration.yml:/config/configuration.yml:ro
-      - {{ services_root }}/authelia/users.yml:/config/users.yml:ro
-    environment:
-      - AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
-      - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
-      - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_KEY}
-      - TZ=UTC
-    healthcheck:
-      test: ["CMD", "wget", "-qO-", "http://localhost:9091/api/health"]
-      interval: 30s
-      timeout: 5s
-      retries: 3
-  authelia-redis:
-    image: {{ redis_image }}
-    container_name: authelia-redis
-    restart: unless-stopped
-    networks:
-      - authelia-internal
-    command: redis-server --appendonly yes --maxmemory 64mb --maxmemory-policy allkeys-lru
-
 
   # ── Discord Bot ────────────────────────────────────────────────────────────
   # Infrastructure management bot: /status /logs /restart /deploy /metrics /backup
   # Image is built and pushed by the discord-bot repo CI/CD
diff --git a/roles/services/templates/env.j2 b/roles/services/templates/env.j2
index 925d696..04f2ece 100644
--- a/roles/services/templates/env.j2
+++ b/roles/services/templates/env.j2
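Review bot: The `@@ -527,41 +522,6 @@` hunk removes the `authelia` service and its bind mounts of `{{ services_root }}/authelia/configuration.yml` and `users.yml`, but the diffstat shows only four files changing, so whatever task renders those files — and the `authelia_jwt_secret`/`authelia_session_secret`/`authelia_storage_key` variables dropped from env.j2 — presumably stay in the role and on the host; a password-hash file and unused secrets left behind should be removed in a follow-up. Deleting `authelia_data:` from `volumes:` in the `@@ -42,7 +38,6 @@` hunk does not delete the named volume on the host either; Compose leaves orphaned volumes in place, so the Authelia session/storage data persists until pruned explicitly, which deserves a sentence in the commit message or a cleanup task. `domain_auth`, used only by the removed router and forwardAuth address, is likewise not touched here and can likely go with the rest.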
@@ -9,9 +9,6 @@ DOMAIN_PLANE={{ domain_plane }}
 DOMAIN_TRAEFIK={{ domain_traefik }}
 FORGEJO_RUNNER_TOKEN={{ forgejo_runner_token }}
 GRAFANA_ADMIN_PASSWORD={{ grafana_admin_password }}
-AUTHELIA_JWT_SECRET={{ authelia_jwt_secret }}
-AUTHELIA_SESSION_SECRET={{ authelia_session_secret }}
-AUTHELIA_STORAGE_KEY={{ authelia_storage_key }}
 CROWDSEC_BOUNCER_KEY={{ crowdsec_bouncer_key }}
 # Cloudflare DNS-01 ACME challenge
 CF_DNS_API_TOKEN={{ cloudflare_dns_api_token }}
diff --git a/roles/services/templates/traefik/dynamic/routes.yml.j2 b/roles/services/templates/traefik/dynamic/routes.yml.j2
index 6626cb0..72dc9d0 100644
--- a/roles/services/templates/traefik/dynamic/routes.yml.j2
+++ b/roles/services/templates/traefik/dynamic/routes.yml.j2
@@ -21,7 +21,7 @@ http:
       tls:
         certresolver: letsencrypt
       service: api@internal
-      middlewares: [authelia@docker, rate-limit-strict]
+      middlewares: [traefik-auth, rate-limit-strict]
 
     forgejo:
       rule: "Host(`{{ domain_git }}`)"
@@ -53,7 +53,7 @@ http:
       tls:
         certresolver: letsencrypt
       service: plane-admin
-      middlewares: [authelia@docker, rate-limit-strict]
+      middlewares: [rate-limit-strict]
       priority: 10
 
     plane-spaces:
@@ -73,14 +73,6 @@ http:
       service: grafana
       middlewares: [rate-limit-default]
 
-    authelia:
-      rule: "Host(`{{ domain_auth }}`)"
-      entrypoints: [websecure]
-      tls:
-        certresolver: letsencrypt
-      service: authelia
-      middlewares: [rate-limit-strict]
-
     uptime-kuma:
       rule: "Host(`{{ domain_status }}`)"
       entrypoints: [websecure]
@@ -145,11 +137,6 @@ http:
         servers:
           - url: "http://grafana:3000"
 
-    authelia:
-      loadBalancer:
-        servers:
-          - url: "http://authelia:9091"
-
     uptime-kuma:
       loadBalancer:
         servers:
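Review bot: The `plane-admin` router in the `@@ -53,7 +53,7 @@` hunk is left with `middlewares: [rate-limit-strict]` only, so `/god-mode/` now has no authentication at the edge at all and relies entirely on whatever login Plane enforces inside the application, while the dashboard router in the `@@ -21,7 +21,7 @@` hunk still gets `traefik-auth`. If that asymmetry is deliberate, record it in the template, e.g. `# edge auth removed on purpose: Plane's own instance-admin login protects /god-mode/` above the line; otherwise use `middlewares: [traefik-auth, rate-limit-strict]` here too. On the dashboard router, `traefik-auth` is referenced without a provider suffix, which is correct only because it is defined in this same file-provider document (its `users:` block is visible in the last hunk); a short comment next to the reference saying where the middleware lives would save the next reader the search. The move from 2FA to basic auth on `api@internal` is a deliberate downgrade per the commit message, but it is worth stating in the router comment that `rate-limit-strict` is now the only brute-force control on that credential.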
@@ -216,13 +203,3 @@ http:
         users:
           - "{{ traefik_dashboard_htpasswd }}"
 
-    # ── Authelia ForwardAuth ───────────────────────────────────────────────
-    authelia:
-      forwardAuth:
-        address: "http://authelia:9091/api/verify?rd=https://{{ domain_auth }}"
-        trustForwardHeader: true
-        authResponseHeaders:
-          - Remote-User
-          - Remote-Groups
-          - Remote-Email
-          - Remote-Name