provision.sh

@@ -0,0 +1 @@
+ANSIBLE_VAULT_PASSWORD_FILE=(pass show ansible-homelab | psub) vagrant provision

roles/authelia/templates/authelia.conf.j2

@@ -1,5 +1,6 @@
 server {
     listen 80;
+    server_name auth.{{ base_domain }};
     return 301 https://$host$request_uri;
 }
 

roles/authelia/templates/configuration.yml.j2

@@ -28,8 +28,10 @@ access_control:
   default_policy: deny
   rules:
     - domain:
+      - "{{ base_domain }}"
+      - "*.{{ base_domain }}"
       - "keycloak.{{ base_domain }}"
-      policy: one_factor
+      policy: deny
 session:
   name: authelia_session
   secret: somerandomsecret

roles/nginx/templates/snippets/proxy.conf.j2

@@ -27,6 +27,9 @@ proxy_buffers 64 256k;
 # If behind reverse proxy, forwards the correct IP
 set_real_ip_from 10.0.0.0/8;
 set_real_ip_from 172.16.0.0/12;
+set_real_ip_from 172.17.0.0/16;
+set_real_ip_from 172.18.0.0/16;
+set_real_ip_from 172.19.0.0/16;
 set_real_ip_from 192.168.0.0/16;
 set_real_ip_from fc00::/7;
 real_ip_header X-Forwarded-For;