---
# Docker Swarm stack for Authelia (SSO / forward-auth in front of Traefik),
# its Redis session store and its MariaDB storage backend.
# Every Authelia secret is an externally created Docker secret; the only
# sensitive literals left in this file are the MariaDB credentials (see the
# review note on that service).
version: '3.7'

# Environment shared with the authelia service through the anchor below.
# The X_AUTHELIA_* keys are presumably consumed by the image's own config
# templating (X_AUTHELIA_CONFIG_FILTERS: template) — confirm against the image.
x-authelia-env: &authelia-env
  X_AUTHELIA_EMAIL: 'authelia@nixc.us'
  X_AUTHELIA_SITE_NAME: 'ATLAS'
  # X_AUTHELIA_DUO_HOSTNAME: 'my_duo_hostname'
  X_AUTHELIA_CONFIG_FILTERS: 'template'
  X_AUTHELIA_LDAP_DOMAIN: 'dc=nixc,dc=us'
  TRAEFIK_DOMAIN: 'nixc.us'
  # CONFIG: /home/deleted-porcupine/docker-configs

# All secrets are created out-of-band (`docker secret create ...`) and only
# referenced here; `docker stack deploy` refuses to start if one is missing.
secrets:
  AUTHENTICATION_BACKEND_LDAP_PASSWORD:
    external: true
  CLIENT_SECRET_HEADSCALE:
    external: true
  IDENTITY_PROVIDERS_OIDC_HMAC_SECRET:
    external: true
  IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY:
    external: true
  IDENTITY_PROVIDERS_OIDC_JWKS_KEY:
    external: true
  IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET:
    external: true
  NOTIFIER_SMTP_PASSWORD:
    external: true
  SESSION_SECRET:
    external: true
  STORAGE_ENCRYPTION_KEY:
    external: true

networks:
  # Stack-internal overlay carrying authelia <-> redis/mariadb traffic.
  # Swarm overlay traffic is plaintext unless the network is created with the
  # driver's encrypted option; the Redis and MariaDB connections below rely
  # solely on this network for isolation.
  default:
    driver: overlay
  # Edge network shared with Traefik (created outside this stack).
  traefik:
    external: true
  # Network towards the LDAP backend (created outside this stack); presumably
  # the directory behind X_AUTHELIA_LDAP_DOMAIN.
  ad:
    external: true

services:
  authelia:
    image: 'git.nixc.us/nixius/authelia:production-authelia'
    # Mounted under /run/secrets/<name>; the image is expected to read them
    # from there rather than from environment variables.
    secrets:
      - AUTHENTICATION_BACKEND_LDAP_PASSWORD
      - CLIENT_SECRET_HEADSCALE
      - IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
      - IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY
      - IDENTITY_PROVIDERS_OIDC_JWKS_KEY
      - IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET
      - NOTIFIER_SMTP_PASSWORD
      - SESSION_SECRET
      - STORAGE_ENCRYPTION_KEY
    environment:
      <<: *authelia-env
    networks:
      - traefik
      - default
      - ad
    deploy:
      placement:
        constraints:
          # - node.labels.role == db
          - 'node.hostname == ingress.nixc.us'
          # - node.labels.mac-rack == true
      labels:
        # Apparently consumed by an external auto-deploy job; not a Traefik key.
        - 'us.nixc.autodeploy=true'
        - 'traefik.enable=true'
        - 'traefik.http.routers.authelia_authelia.tls=true'
        - 'traefik.http.services.authelia_authelia.loadbalancer.server.port=9091'
        - 'traefik.http.routers.authelia_authelia.rule=Host(`login.nixc.us`)'
        - 'traefik.http.routers.authelia_authelia.entrypoints=websecure'
        - 'traefik.http.routers.authelia_authelia.tls.certresolver=letsencryptresolver'
        - 'traefik.http.routers.authelia_authelia.service=authelia_authelia'
        - 'traefik.docker.network=traefik'
        # Forward-auth middlewares, following the Authelia/Traefik integration
        # docs. trustForwardHeader=true makes Authelia trust X-Forwarded-* as
        # set by Traefik; that is only sound because this service publishes
        # no ports and is reached over the internal overlay network — keep it
        # that way. /api/verify is the legacy endpoint; newer Authelia
        # releases provide /api/authz/forward-auth — confirm what this image
        # supports before migrating.
        - 'traefik.http.middlewares.authelia_authelia.forwardauth.address=http://authelia_authelia:9091/api/verify?rd=https://login.nixc.us/'
        - 'traefik.http.middlewares.authelia_authelia.forwardauth.trustForwardHeader=true'
        - 'traefik.http.middlewares.authelia_authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email'
        # Variant for non-browser clients: auth=basic lets the forward-auth
        # endpoint accept HTTP Basic credentials. Attach this middleware only
        # to routers that genuinely need it.
        - 'traefik.http.middlewares.authelia-basic.forwardauth.address=http://authelia_authelia:9091/api/verify?auth=basic'
        - 'traefik.http.middlewares.authelia-basic.forwardauth.trustForwardHeader=true'
        - 'traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email'

  # Session store. Nothing in this file sets a Redis password; if the custom
  # image does not either, isolation rests entirely on the default overlay
  # network (the service is on no other network and publishes no ports).
  redis:
    image: 'git.nixc.us/nixius/authelia:production-redis'
    # command: redis-server --appendonly yes
    deploy:
      replicas: 1
      placement:
        constraints:
          # - node.labels.role == db
          - 'node.hostname == ingress.nixc.us'
          # - node.labels.mac-rack == true
        # preferences:
        #   - spread: node.id
      labels:
        - 'traefik.enable=false'
        - 'us.nixc.autodeploy=true'
    volumes:
      - '/mnt/tank/persist/nixc.us/authelia/production/redis:/data'
    networks:
      - default

  # Storage backend for Authelia.
  # NOTE(review): these credentials are literal strings while every Authelia
  # secret above is a Docker secret, and the root and application passwords
  # are identical. Consider sourcing them from secrets as well (the official
  # mariadb entrypoint honours *_FILE variants — confirm this custom image
  # does) and keeping Authelia's storage password in sync with that change.
  mariadb:
    image: 'git.nixc.us/nixius/authelia:production-mariadb'
    # restart: always
    environment:
      MYSQL_ROOT_PASSWORD: 'authelia'
      MYSQL_DATABASE: 'authelia'
      MYSQL_USER: 'authelia'
      MYSQL_PASSWORD: 'authelia'
    volumes:
      - '/mnt/tank/persist/nixc.us/authelia/production/db:/var/lib/mysql'
    deploy:
      replicas: 1
      placement:
        constraints:
          # - node.labels.role == db
          - 'node.hostname == ingress.nixc.us'
          # - node.labels.mac-rack == true
        # placement:
        #   constraints:
        #     - node.role == manager
        # preferences:
        #   - spread: node.id
      labels:
        - 'traefik.enable=false'
        - 'us.nixc.autodeploy=true'
    networks:
      - default