---
# Authelia staging stack for Docker Swarm: the Authelia server plus its Redis
# session store and MariaDB storage backend. All three services are pinned to
# the node ingress.nixc.us and sit on the stack-private overlay network; only
# authelia is additionally attached to the external traefik and ad networks.
version: '3.7'

# Environment shared into the authelia service via the YAML merge key below.
# The merge key (<<) is a YAML 1.1 extension; it works because the Compose
# parser honours it, so do not expect generic YAML 1.2 validators to expand it.
x-authelia-env: &authelia-env
  X_AUTHELIA_EMAIL: authelia@nixc.us
  X_AUTHELIA_SITE_NAME: ATLAS
  # X_AUTHELIA_DUO_HOSTNAME: my_duo_hostname
  X_AUTHELIA_CONFIG_FILTERS: template
  X_AUTHELIA_LDAP_DOMAIN: dc=nixc,dc=us
  TRAEFIK_DOMAIN: nixc.us
  # CONFIG: /home/deleted-porcupine/docker-configs

networks:
  # Stack-private network used by redis and mariadb; not reachable from Traefik.
  default:
    driver: overlay
  # Pre-existing networks owned by other stacks (reverse proxy, directory).
  traefik:
    external: true
  ad:
    external: true

services:
  authelia:
    image: git.nixc.us/nixius/authelia:staging-authelia
    # Configuration is split across several files that are layered in order.
    # No config volume is mounted (see the commented-out block below), so the
    # files presumably ship inside the image — verify if you change the tag.
    command:
      - 'authelia'
      - '--config=/config/configuration.server.yml'
      - '--config=/config/configuration.ldap.yml'
      - '--config=/config/configuration.acl.yml'
      - '--config=/config/configuration.identity.providers.yml'
      - '--config=/config/configuration.oidc.clients.yml'
    environment:
      <<: *authelia-env
    # volumes:
    #   - /mnt/tank/persist/nixc.us/authelia/staging/config:/config
    networks:
      - traefik
      - default
      - ad
    deploy:
      placement:
        constraints:
          ## - node.labels.role == db
          - node.hostname == ingress.nixc.us
          # - node.labels.mac-rack == true
      labels:
        - 'us.nixc.autodeploy=true'
        ## https://www.staging-authelia_authelia.com/docs/deployment/supported-proxies/traefik2.x.html
        - 'traefik.enable=true'
        - 'traefik.http.routers.staging-authelia_authelia.tls=true'
        # Declares the Traefik service "staging-authelia_authelia" on port 9091.
        - 'traefik.http.services.staging-authelia_authelia.loadbalancer.server.port=9091'
        - 'traefik.http.routers.staging-authelia_authelia.rule=Host(`staging.login.nixc.us`)'
        - 'traefik.http.routers.staging-authelia_authelia.entrypoints=websecure'
        - 'traefik.http.routers.staging-authelia_authelia.tls.certresolver=letsencryptresolver'
        # NOTE(review): the router is bound to Traefik service "authelia_authelia",
        # not to the "staging-authelia_authelia" service declared two labels up,
        # so the service declared here is unused by this router. Confirm which
        # backend the staging host name is meant to reach before changing it.
        - 'traefik.http.routers.staging-authelia_authelia.service=authelia_authelia'
        # Network on which Traefik should address this service's tasks.
        - 'traefik.docker.network=traefik'
        ## Authelia recommendations
        # NOTE(review): both forwardauth middlewares target the host
        # authelia_authelia and redirect to https://login.nixc.us/ rather than
        # this stack's own service and staging.login.nixc.us — verify that is
        # intentional for a staging deployment.
        - 'traefik.http.middlewares.staging-authelia_authelia.forwardauth.address=http://authelia_authelia:9091/api/verify?rd=https://login.nixc.us/'
        # trustForwardHeader passes incoming X-Forwarded-* headers on to the auth
        # endpoint; this relies on the Traefik entrypoint being configured to
        # drop client-supplied X-Forwarded-* headers (forwardedHeaders settings).
        - 'traefik.http.middlewares.staging-authelia_authelia.forwardauth.trustForwardHeader=true'
        - 'traefik.http.middlewares.staging-authelia_authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email'
        # Basic-auth variant of the same middleware for non-browser clients.
        - 'traefik.http.middlewares.staging-authelia-basic.forwardauth.address=http://authelia_authelia:9091/api/verify?auth=basic'
        - 'traefik.http.middlewares.staging-authelia-basic.forwardauth.trustForwardHeader=true'
        - 'traefik.http.middlewares.staging-authelia-basic.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email'

  redis:
    image: git.nixc.us/nixius/authelia:staging-redis
    # AOF persistence is not enabled here; whether /data is actually written
    # depends on the image's own redis configuration — confirm before relying
    # on the volume below for session durability.
    # command: redis-server --appendonly yes
    deploy:
      replicas: 1
      placement:
        constraints:
          ## - node.labels.role == db
          - node.hostname == ingress.nixc.us
          # - node.labels.mac-rack == true
        # preferences:
        #   - spread: node.id
      labels:
        - 'traefik.enable=false'
        - 'us.nixc.autodeploy=true'
    volumes:
      - /mnt/tank/persist/nixc.us/authelia/staging/redis:/data
    networks:
      - default

  mariadb:
    image: git.nixc.us/nixius/authelia:staging-mariadb
    # restart: always
    # NOTE(review): database credentials are committed in clear text. Prefer
    # Docker secrets or environment substitution; rotating these presumably
    # also requires updating Authelia's storage configuration in the image.
    environment:
      MYSQL_ROOT_PASSWORD: authelia
      MYSQL_DATABASE: authelia
      MYSQL_USER: authelia
      MYSQL_PASSWORD: authelia
    volumes:
      - '/mnt/tank/persist/nixc.us/authelia/staging/db:/var/lib/mysql'
    deploy:
      replicas: 1
      placement:
        constraints:
          ## - node.labels.role == db
          - node.hostname == ingress.nixc.us
          # - node.labels.mac-rack == true
      # Kept for reference only; uncommenting it as-is would duplicate the
      # placement key above.
      # placement:
      #   constraints:
      #     - node.role == manager
      #   preferences:
      #     - spread: node.id
      labels:
        - 'traefik.enable=false'
        - 'us.nixc.autodeploy=true'
    networks:
      - default