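---
# Docker Swarm stack for the "atlas" SaaS front-end (ss-atlas) plus its identity
# provider (authentik) and their datastores, all published through an external
# Traefik instance on the `traefik` network.
#
# Security changes versus the previous revision of this file:
#   * No credentials are stored in this file any more. Database passwords and
#     the authentik secret/bootstrap values come from Swarm secrets
#     (`docker secret create <name> -`); values the apps cannot read from a
#     file (Stripe keys, the atlas DB URL) are interpolated from the deploying
#     shell's environment with `${VAR:?}` so a missing value aborts the deploy
#     instead of silently shipping a placeholder.
#   * The Stripe secret key that was committed here in plaintext must be
#     treated as compromised and rotated in the Stripe dashboard; removing it
#     from this file does not revoke it.
#   * Lines that grant host-level access (docker.sock mounts, `user: root`) and
#     edge-auth assumptions (trustForwardHeader, allow-list of protected
#     paths) are commented so they are reviewed rather than copied blindly.
#
# Deploy: export the required variables, then `docker stack deploy -c <file> atlas`.

services:
  atlas-postgres:
    image: postgres:16-alpine
    environment:
      POSTGRES_DB: atlas
      POSTGRES_USER: atlas
      # Interpolated from the deploying shell so the same value can be placed
      # in ss-atlas' DATABASE_URL below (ss-atlas is a custom image and it is
      # not visible here whether it can read the URL from a secret file).
      POSTGRES_PASSWORD: ${ATLAS_DB_PASSWORD:?ATLAS_DB_PASSWORD must be set}
    volumes:
      - atlas_postgres_data:/var/lib/postgresql/data
    networks:
      - atlas_internal
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U atlas -d atlas"]
      start_period: 10s
      interval: 30s
      timeout: 5s
      retries: 5

  authentik-postgres:
    image: postgres:16-alpine
    environment:
      POSTGRES_DB: authentik
      POSTGRES_USER: authentik
      # The official postgres image reads the password from this file; the
      # secret is mounted by Swarm at /run/secrets/<name>.
      POSTGRES_PASSWORD_FILE: /run/secrets/authentik_postgres_password
    secrets:
      - authentik_postgres_password
    volumes:
      - authentik_postgres_data:/var/lib/postgresql/data
    networks:
      - atlas_internal
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U authentik -d authentik"]
      start_period: 10s
      interval: 30s
      timeout: 5s
      retries: 5

  authentik-redis:
    image: redis:7-alpine
    # Unauthenticated Redis. Acceptable only because it is reachable solely on
    # atlas_internal; note that network is `attachable`, so any container an
    # operator attaches to it can read authentik's session/cache data.
    # NOTE(review): consider `--requirepass` plus AUTHENTIK_REDIS__PASSWORD.
    command: redis-server --save 60 1 --loglevel warning
    volumes:
      - authentik_redis_data:/data
    networks:
      - atlas_internal

  authentik-server:
    # NOTE(review): `latest` is mutable; pin a release tag (or digest) so an
    # upstream push cannot silently change the identity provider on redeploy.
    image: ghcr.io/goauthentik/server:latest
    command: server
    environment:
      # authentik resolves `file://` URIs for configuration values, so these
      # never appear in the container environment or `docker service inspect`.
      AUTHENTIK_SECRET_KEY: file:///run/secrets/authentik_secret_key
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: file:///run/secrets/authentik_postgres_password
      # Bootstrap values are only consumed on the very first start to create
      # the initial admin user and API token. Rotate the admin password and
      # remove these three entries (and the secrets) once the instance is set up.
      AUTHENTIK_BOOTSTRAP_PASSWORD: file:///run/secrets/authentik_bootstrap_password
      AUTHENTIK_BOOTSTRAP_TOKEN: file:///run/secrets/authentik_bootstrap_token
      AUTHENTIK_BOOTSTRAP_EMAIL: admin@a250.ca
    secrets:
      - authentik_secret_key
      - authentik_postgres_password
      - authentik_bootstrap_password
      - authentik_bootstrap_token
    volumes:
      - authentik_media:/media
      - authentik_templates:/templates
    networks:
      - atlas_internal
      - traefik
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=traefik"
        # forwardAuth middleware used by the routers below. Traefik calls this
        # address over plain HTTP on the overlay network.
        - "traefik.http.middlewares.authentik.forwardauth.address=http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
        # trustForwardHeader makes authentik believe the X-Forwarded-* headers
        # it receives. That is safe only while Traefik is the sole client of
        # port 9000; anything else on atlas_internal/traefik could spoof them.
        - "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true"
        # Identity headers injected into upstream requests. Upstreams must not
        # trust these headers from any path that bypasses the middleware.
        - "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid"
        # authentik UI/API/outpost paths, served unauthenticated at the edge
        # (authentik enforces its own auth). Higher priority than ss-atlas'
        # catch-all so these prefixes never fall through to the app.
        - "traefik.http.routers.authentik.rule=Host(`app.a250.ca`) && (PathPrefix(`/outpost.goauthentik.io/`) || PathPrefix(`/if/`) || PathPrefix(`/flows/`) || PathPrefix(`/application/`) || PathPrefix(`/source/`) || PathPrefix(`/api/`) || PathPrefix(`/static/`) || PathPrefix(`/media/`) || PathPrefix(`/ws/`))"
        - "traefik.http.routers.authentik.entrypoints=websecure"
        - "traefik.http.routers.authentik.tls=true"
        - "traefik.http.routers.authentik.tls.certresolver=letsencryptresolver"
        - "traefik.http.routers.authentik.priority=100"
        # Second router for the same service and a subset of the same paths.
        # Its rule is entirely covered by the router above; kept as-is because
        # the reason for the split is not visible here.
        - "traefik.http.routers.authentik-oauth.rule=Host(`app.a250.ca`) && (PathPrefix(`/flows/`) || PathPrefix(`/application/`) || PathPrefix(`/source/`) || PathPrefix(`/api/`) || PathPrefix(`/static/`) || PathPrefix(`/media/`) || PathPrefix(`/ws/`))"
        - "traefik.http.routers.authentik-oauth.entrypoints=websecure"
        - "traefik.http.routers.authentik-oauth.tls=true"
        - "traefik.http.routers.authentik-oauth.tls.certresolver=letsencryptresolver"
        - "traefik.http.routers.authentik-oauth.priority=200"
        - "traefik.http.routers.authentik-oauth.service=authentik"
        - "traefik.http.services.authentik.loadbalancer.server.port=9000"

  authentik-worker:
    # NOTE(review): pin this tag together with authentik-server; server and
    # worker must run the same release.
    image: ghcr.io/goauthentik/server:latest
    command: worker
    environment:
      AUTHENTIK_SECRET_KEY: file:///run/secrets/authentik_secret_key
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: file:///run/secrets/authentik_postgres_password
    secrets:
      - authentik_secret_key
      - authentik_postgres_password
    # Root plus a writable Docker socket is equivalent to root on the host:
    # anyone who compromises the worker can start privileged containers.
    # This is what authentik's docker-outpost integration requires; if that
    # integration is not used, drop both `user: root` and the socket mount.
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - authentik_media:/media
      - authentik_templates:/templates
    networks:
      - atlas_internal

  ss-atlas:
    image: git.nixc.us/a250/ss-atlas:production
    environment:
      # Stripe credentials come from the deploying shell, never from this file.
      # The key previously committed here has to be rotated in Stripe.
      - STRIPE_SECRET_KEY=${STRIPE_SECRET_KEY:?STRIPE_SECRET_KEY must be set}
      # With a placeholder here genuine Stripe webhooks cannot pass signature
      # verification; whether the app then rejects them or skips verification
      # is not visible from this file, so require the real value.
      - STRIPE_WEBHOOK_SECRET=${STRIPE_WEBHOOK_SECRET:?STRIPE_WEBHOOK_SECRET must be set}
      # Price IDs are public identifiers, not secrets.
      - STRIPE_PRICE_ID=price_1T6v8dRfasa3uSsuCWmIC0Fn
      - STRIPE_PRICE_ID_FREE=price_1T7NOURfasa3uSsuEpbKAD1h
      - STRIPE_PRICE_ID_YEAR=price_1T7NOURfasa3uSsu3fB9ivyn
      - STRIPE_PRICE_ID_MONTH_100=price_1T7NOVRfasa3uSsuEaxzMNno
      - STRIPE_PRICE_ID_MONTH_200=price_1T7NOVRfasa3uSsucQRRlPCi
      - STRIPE_PAYMENT_LINK=
      - FREE_TIER_LIMIT=10
      - YEAR_TIER_LIMIT=50
      - MAX_SIGNUPS=0
      # The app provisions per-customer stacks through the Docker API (see the
      # socket mount below).
      - DOCKER_HOST=unix:///var/run/docker.sock
      - APP_URL=https://app.a250.ca
      - IDENTITY_URL=https://app.a250.ca/if/user/
      # Password must match ATLAS_DB_PASSWORD given to atlas-postgres above.
      # sslmode=disable is tolerable only because traffic stays on the
      # atlas_internal overlay; that overlay is not encrypted unless the
      # network is created with `encrypted: "true"`.
      - DATABASE_URL=postgres://atlas:${ATLAS_DB_PASSWORD:?ATLAS_DB_PASSWORD must be set}@atlas-postgres:5432/atlas?sslmode=disable
      - TRAEFIK_DOMAIN=app.a250.ca
      - TRAEFIK_NETWORK=traefik
      - TRAEFIK_DOCKER_NETWORK=traefik
      - CUSTOMER_DOMAIN=app.a250.ca
      - TEMPLATE_PATH=/app/templates
      - ARCHIVE_PATH=/archives
      - LANDING_TAGLINE=Your own workspace, ready in minutes.
      - LANDING_FEATURES=Dedicated environment|Secure single sign-on|Automatic provisioning|Manage subscription anytime
      # NOTE(review): deliberately empty in the original. If this value gates
      # an admin endpoint, confirm the app treats "" as "disabled" rather than
      # as a matching secret.
      - ADMIN_SECRET=
    volumes:
      # `:ro` only affects the socket file node; it does NOT restrict which
      # Docker API calls the app can make. Treat this as host-root access.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - atlas_archives:/archives
    networks:
      - atlas_internal
      - traefik
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=traefik"
        # Public catch-all for the host (landing page etc.), lowest priority.
        # Every path NOT listed in ss-atlas-protected / ss-atlas-instance is
        # reachable without authentication at the edge, so new app routes are
        # unauthenticated by default unless added below or guarded in-app.
        - "traefik.http.routers.ss-atlas.rule=Host(`app.a250.ca`)"
        - "traefik.http.routers.ss-atlas.entrypoints=websecure"
        - "traefik.http.routers.ss-atlas.tls=true"
        - "traefik.http.routers.ss-atlas.tls.certresolver=letsencryptresolver"
        - "traefik.http.routers.ss-atlas.priority=1"
        - "traefik.http.routers.ss-atlas.service=ss-atlas"
        # Allow-list of paths that require an authentik session. PathPrefix
        # without a trailing slash also matches e.g. `/checkout-foo`, which is
        # fine for an allow-list of protected paths.
        - "traefik.http.routers.ss-atlas-protected.rule=Host(`app.a250.ca`) && (PathPrefix(`/checkout`) || PathPrefix(`/subscribe`) || PathPrefix(`/activate`) || PathPrefix(`/dashboard`) || PathPrefix(`/link-stripe-customer`) || PathPrefix(`/portal`) || PathPrefix(`/resubscribe`) || PathPrefix(`/stack-manage`))"
        - "traefik.http.routers.ss-atlas-protected.entrypoints=websecure"
        - "traefik.http.routers.ss-atlas-protected.tls=true"
        - "traefik.http.routers.ss-atlas-protected.tls.certresolver=letsencryptresolver"
        - "traefik.http.routers.ss-atlas-protected.priority=20"
        - "traefik.http.routers.ss-atlas-protected.middlewares=authentik@swarm"
        - "traefik.http.routers.ss-atlas-protected.service=ss-atlas"
        - "traefik.http.services.ss-atlas.loadbalancer.server.port=8080"
        # Per-instance pages, also behind authentik.
        - "traefik.http.routers.ss-atlas-instance.rule=Host(`app.a250.ca`) && PathPrefix(`/i/`)"
        - "traefik.http.routers.ss-atlas-instance.entrypoints=websecure"
        - "traefik.http.routers.ss-atlas-instance.tls=true"
        - "traefik.http.routers.ss-atlas-instance.tls.certresolver=letsencryptresolver"
        - "traefik.http.routers.ss-atlas-instance.priority=15"
        - "traefik.http.routers.ss-atlas-instance.middlewares=authentik@swarm"
        - "traefik.http.routers.ss-atlas-instance.service=ss-atlas"

  whoami:
    # Debug endpoint that echoes request headers (including the
    # X-authentik-* identity headers). It is behind the authentik middleware,
    # but it still leaks internal header/IP details to any signed-in user;
    # remove it from production once the auth chain has been verified.
    image: traefik/whoami
    networks:
      - atlas_internal
      - traefik
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=traefik"
        - "traefik.http.routers.whoami.rule=Host(`app.a250.ca`) && PathPrefix(`/whoami`)"
        - "traefik.http.routers.whoami.entrypoints=websecure"
        - "traefik.http.routers.whoami.tls=true"
        - "traefik.http.routers.whoami.tls.certresolver=letsencryptresolver"
        - "traefik.http.routers.whoami.middlewares=strip-whoami@swarm,authentik@swarm"
        - "traefik.http.middlewares.strip-whoami.stripprefix.prefixes=/whoami"
        - "traefik.http.services.whoami.loadbalancer.server.port=80"

networks:
  atlas_internal:
    driver: overlay
    # `attachable` lets standalone containers (and, presumably, the stacks
    # ss-atlas provisions) join this network. It also means anything with
    # Docker access can reach the unauthenticated Postgres/Redis/authentik
    # ports directly, bypassing Traefik and the forwardAuth middleware.
    attachable: true
  traefik:
    external: true

# Create before deploying, e.g.
#   openssl rand -base64 48 | docker secret create authentik_secret_key -
# The bootstrap password/token secrets can be removed after first start.
secrets:
  authentik_postgres_password:
    external: true
  authentik_secret_key:
    external: true
  authentik_bootstrap_password:
    external: true
  authentik_bootstrap_token:
    external: true

volumes:
  atlas_archives:
  atlas_postgres_data:
  authentik_postgres_data:
  authentik_redis_data:
  authentik_media:
  authentik_templates: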