Update stack.production.yml

2025-06-03 21:17:13 -04:00 · 2025-06-03 21:17:13 -04:00 · aa364b9637
parent cce185d0b4
commit aa364b9637
1 changed files with 67 additions and 41 deletions
--- a/stack.production.yml
+++ b/stack.production.yml
@ -1,12 +1,9 @@
-version: '3.7'
 x-authelia-env: &authelia-env
-  X_AUTHELIA_EMAIL: "authelia@nixc.us"
+  X_AUTHELIA_EMAIL: authelia@nixc.us
  X_AUTHELIA_SITE_NAME: ATLAS
-  # X_AUTHELIA_DUO_HOSTNAME: my_duo_hostname
  X_AUTHELIA_CONFIG_FILTERS: template
  X_AUTHELIA_LDAP_DOMAIN: dc=nixc,dc=us
  TRAEFIK_DOMAIN: nixc.us
-  # CONFIG: /home/deleted-porcupine/docker-configs

 secrets:
  AUTHENTICATION_BACKEND_LDAP_PASSWORD:
@ -37,6 +34,7 @@ networks:
    external: true
  ad:
    external: true
+
 services:
  authelia:
    image: git.nixc.us/nixius/authelia:production-authelia
@ -51,79 +49,107 @@ services:
      - NOTIFIER_SMTP_PASSWORD
      - SESSION_SECRET
      - STORAGE_ENCRYPTION_KEY
-    environment:
-      <<: *authelia-env
+    environment: *authelia-env
    dns:
-      - 1.1.1.1
-      - 9.9.9.9
+      - 1.1.1.1 # Cloudflare
+      - 9.9.9.9 # Quad9
+    volumes:
+      - /mnt/tank/persist/nixc.us/authelia/production/config:/config:rw
    networks:
      - traefik
      - default
      - ad
    deploy:
+      update_config:
+        order: start-first
+        failure_action: rollback
+        parallelism: 1
+      restart_policy:
+        condition: on-failure
+      replicas: 1
      placement:
        constraints:
-##          - node.labels.role == db
          - node.hostname == ingress.nixc.us
-#          - node.labels.mac-rack == true
      labels:
+        us.nixc.autodeploy: "true"
        homepage.group: Infrastructure
        homepage.name: Authelia
        homepage.href: https://login.nixc.us
        homepage.description: ATLAS
        traefik.enable: "true"
-        traefik.http.routers.authelia_authelia.rule: Host(`login.nixc.us`)
-        traefik.http.routers.authelia_authelia.entryPoints: websecure
-        traefik.http.routers.authelia_authelia.service: "authelia_authelia"
-        traefik.http.routers.authelia_authelia.tls.certresolver: "letsencryptresolver"
-        traefik.http.services.authelia_authelia.loadbalancer.server.port: "9091"
-        traefik.http.routers.authelia_authelia.tls: "true"
-        traefik.http.middlewares.authelia_authelia.forwardAuth.address: http://authelia:9091/api/authz/forward-auth
        traefik.docker.network: traefik
+        traefik.http.routers.authelia_authelia.rule: Host(`login.nixc.us`)
+        traefik.http.routers.authelia_authelia.entrypoints: websecure
+        traefik.http.routers.authelia_authelia.tls: "true"
+        traefik.http.routers.authelia_authelia.tls.certresolver: letsencryptresolver
+        traefik.http.routers.authelia_authelia.service: authelia_authelia
+        traefik.http.services.authelia_authelia.loadbalancer.server.port: 9091
+        traefik.http.middlewares.authelia_authelia.forwardauth.address: http://authelia_authelia:9091/api/verify?rd=https://login.nixc.us/
+        traefik.http.middlewares.authelia_authelia.forwardauth.trustForwardHeader: "true"
+        traefik.http.middlewares.authelia_authelia.forwardauth.authResponseHeaders: Remote-User,Remote-Groups,Remote-Name,Remote-Email
+        traefik.http.middlewares.authelia-basic.forwardauth.address: http://authelia_authelia:9091/api/verify?auth=basic
+        traefik.http.middlewares.authelia-basic.forwardauth.trustForwardHeader: "true"
+        traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders: Remote-User,Remote-Groups,Remote-Name,Remote-Email
+    logging:
+      driver: json-file
+      options:
+        max-size: 10m
+        max-file: "3"
+
  redis:
    image: git.nixc.us/nixius/authelia:production-redis
-    # command: redis-server --appendonly yes
+    command: redis-server --appendonly yes
+    volumes:
+      - /mnt/tank/persist/nixc.us/authelia/production/redis:/data:rw
+    networks:
+      - default
    deploy:
+      update_config:
+        order: start-first
+        failure_action: rollback
+        parallelism: 1
+      restart_policy:
+        condition: on-failure
      replicas: 1
      placement:
        constraints:
-##          - node.labels.role == db
          - node.hostname == ingress.nixc.us
-#          - node.labels.mac-rack == true
-#        preferences:
-#          - spread: node.id
      labels:
-        - traefik.enable=false
-        - "us.nixc.autodeploy=true"
-    volumes:
-      - /mnt/tank/persist/nixc.us/authelia/production/redis:/data
-    networks:
-      - default
+        us.nixc.autodeploy: "true"
+        traefik.enable: "false"
+    logging:
+      driver: json-file
+      options:
+        max-size: 10m
+        max-file: "3"

  mariadb:
    image: git.nixc.us/nixius/authelia:production-mariadb
-    # restart: always
    environment:
      MYSQL_ROOT_PASSWORD: authelia
      MYSQL_DATABASE: authelia
      MYSQL_USER: authelia
      MYSQL_PASSWORD: authelia
    volumes:
-      - '/mnt/tank/persist/nixc.us/authelia/production/db:/var/lib/mysql'
+      - /mnt/tank/persist/nixc.us/authelia/production/db:/var/lib/mysql:rw
+    networks:
+      - default
    deploy:
+      update_config:
+        order: start-first
+        failure_action: rollback
+        parallelism: 1
+      restart_policy:
+        condition: on-failure
      replicas: 1
      placement:
        constraints:
-##          - node.labels.role == db
          - node.hostname == ingress.nixc.us
-#          - node.labels.mac-rack == true
-    # placement:
-    #   constraints:
-    #     - node.role == manager
-    #   preferences:
-    #     - spread: node.id
      labels:
-        - traefik.enable=false
-        - "us.nixc.autodeploy=true"
-    networks:
-      - default
+        us.nixc.autodeploy: "true"
+        traefik.enable: "false"
+    logging:
+      driver: json-file
+      options:
+        max-size: 10m
+        max-file: "3"