Per model auth

docker-compose.premapp.premd.yml

@@ -17,7 +17,8 @@ services:
       - "traefik.enable=true"
       - "traefik.http.routers.premd.rule=PathPrefix(`/premd`)"
       - "traefik.http.middlewares.premd-strip-prefix.stripprefix.prefixes=/premd"
-      - "traefik.http.routers.premd.middlewares=premd-strip-prefix"
+      - "traefik.http.routers.premd.middlewares=auth,premd-strip-prefix"
+      - "traefik.http.middlewares.auth.forwardauth.address=http://authd:8080/auth/verify"
     ports:
       - "8084:8000"
     restart: unless-stopped
@@ -36,8 +37,6 @@ services:
       - "traefik.http.routers.premapp-http.rule=PathPrefix(`/`)"
       - "traefik.http.routers.premapp-http.entrypoints=web"
       - "traefik.http.services.premapp.loadbalancer.server.port=8080"
-      - "traefik.http.middlewares.mybasicauth.basicauth.users=${BASIC_AUTH_CREDENTIALS}"
-      - "traefik.http.routers.premapp-http.middlewares=mybasicauth"
     ports:
       - "8085:8080"
     restart: unless-stopped

docker-compose.premg.yml

@@ -33,7 +33,8 @@ services:
       - "traefik.enable=true"
       - "traefik.http.routers.dnsd.rule=PathPrefix(`/dnsd`)"
       - "traefik.http.middlewares.dnsd-strip-prefix.stripprefix.prefixes=/dnsd"
-      - "traefik.http.routers.dnsd.middlewares=dnsd-strip-prefix"
+      - "traefik.http.routers.dnsd.middlewares=dnsd-strip-prefix,auth"
+      - "traefik.http.middlewares.auth.forwardauth.address=http://authd:8080/auth/verify"
     depends_on:
       - dnsd-db-pg
       - authd
@@ -53,7 +54,7 @@ services:
     environment:
       POSTGRES_USER: ${POSTGRES_USER}
       POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
-      POSTGRES_DB: ${POSTGRES_DB}
+      POSTGRES_DB: ${DNSD_POSTGRES_DB}
     volumes:
       - dnsd-pg-data:/var/lib/postgresql/data
     restart: unless-stopped
@@ -63,10 +64,37 @@ services:
     image: ${PREMG_AUTHD_IMAGE}
     networks:
       - prem-gateway
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.authd.rule=PathPrefix(`/authd`)"
+      - "traefik.http.routers.authd.middlewares=authd-strip-prefix"
+      - "traefik.http.middlewares.authd-strip-prefix.stripprefix.prefixes=/authd"
+    environment:
+      PREM_GATEWAY_AUTH_ROOT_API_KEY: ${PREM_GATEWAY_AUTH_ROOT_API_KEY}
+      PREM_GATEWAY_AUTH_ADMIN_USER: ${PREM_GATEWAY_AUTH_ADMIN_USER}
+      PREM_GATEWAY_AUTH_ADMIN_PASS: ${PREM_GATEWAY_AUTH_ADMIN_PASS}
+      PREM_GATEWAY_AUTH_DB_HOST: authd-db-pg
+    depends_on:
+      - authd-db-pg
     ports:
       - "8081:8080"
     restart: unless-stopped
 
+  authd-db-pg:
+    container_name: authd-db-pg
+    image: postgres:14.7
+    networks:
+      - prem-gateway
+    ports:
+      - "5433:5432"
+    environment:
+      POSTGRES_USER: ${POSTGRES_USER}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+      POSTGRES_DB: ${AUTHD_POSTGRES_DB}
+    volumes:
+      - authd-pg-data:/var/lib/postgresql/data
+    restart: unless-stopped
+
   controllerd:
     container_name: controllerd
     image: ${PREMG_CONTROLLERD_IMAGE}
@@ -79,7 +107,6 @@ services:
     user: root
     environment:
       LETSENCRYPT_PROD: ${LETSENCRYPT_PROD}
-      SERVICES: ${SERVICES}
     restart: unless-stopped
 
 networks:
@@ -88,4 +115,5 @@ networks:
 
 volumes:
   dnsd-pg-data:
-  traefik-letsencrypt:
+  traefik-letsencrypt:
+  authd-pg-data:

install.sh

@@ -301,19 +301,26 @@ POSTGRES_PASSWORD=$(openssl rand -base64 8)
 echo "POSTGRES_PASSWORD=$POSTGRES_PASSWORD" > $ORIGINAL_HOME/prem/secrets
 
 # Export the generated password as an environment variable
+export POSTGRES_USER=root
 export POSTGRES_PASSWORD
+export DNSD_POSTGRES_DB=dnsd-db
+export AUTHD_POSTGRES_DB=authd-db
 export LETSENCRYPT_PROD=true
-export SERVICES=premd,premapp
-export POSTGRES_USER=root
-export POSTGRES_PASSWORD=secret
-export POSTGRES_DB=dnsd-db
 # Generate a random password for the basic auth user
-BASIC_AUTH_USER="admin"
-BASIC_AUTH_PASS=$(openssl rand -base64 4)
-HASH=$(openssl passwd -apr1 $BASIC_AUTH_PASS)
-BASIC_AUTH_CREDENTIALS="$BASIC_AUTH_USER:$HASH"
-echo "BASIC_AUTH_CREDS=$BASIC_AUTH_USER/$BASIC_AUTH_PASS" >> $ORIGINAL_HOME/prem/secrets
-export BASIC_AUTH_CREDENTIALS
+ADMIN_USERNAME="admin"
+ADMIN_PASSWORD=$(openssl rand -base64 4)
+ROOT_API_KEY=$(openssl rand -base64 8)
+
+PREM_GATEWAY_AUTH_ADMIN_USER=$ADMIN_USERNAME
+PREM_GATEWAY_AUTH_ADMIN_PASS=$ADMIN_PASSWORD
+PREM_GATEWAY_AUTH_ROOT_API_KEY=$ROOT_API_KEY
+export PREM_GATEWAY_AUTH_ADMIN_USER
+export PREM_GATEWAY_AUTH_ADMIN_PASS
+export PREM_GATEWAY_AUTH_ROOT_API_KEY
+
+echo "ADMIN_USERNAME=$ADMIN_USERNAME" >> $ORIGINAL_HOME/prem/secrets
+echo "ADMIN_PASSWORD=$ADMIN_PASSWORD" >> $ORIGINAL_HOME/prem/secrets
+echo "ROOT_API_KEY=$ROOT_API_KEY" >> $ORIGINAL_HOME/prem/secrets
 
 echo ""
 echo "🏁 Starting Prem..."
@@ -351,8 +358,8 @@ done
 echo -e "🎉 Congratulations! Your Prem instance is ready to use"
 echo ""
 echo "Please visit http://$(curl -4s https://ifconfig.io) to get started."
-echo "Basic auth user: $BASIC_AUTH_USER"
-echo "Basic auth pass: $BASIC_AUTH_PASS"
+echo "Admin user: $ADMIN_USERNAME"
+echo "Admin pass: $ADMIN_PASSWORD"
 echo ""
 echo "You secrets are stored in $ORIGINAL_HOME/prem/secrets"
 echo "ie. cat $ORIGINAL_HOME/prem/secrets"