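# Docker Swarm stack for the a250 dev environment: Traefik edge proxy,
# Authelia (SSO / forward-auth), LLDAP (user directory), MariaDB and Redis
# (Authelia storage), the ss-atlas application and a whoami test service.
#
# Review notes (not fixed here because they need new secret values or
# changes on the client side):
#   * Every credential in this file is committed in plaintext and passed via
#     `environment:`, so it is visible in the task spec and `docker inspect`.
#     The stack already targets Swarm (`deploy:` labels, the swarm provider),
#     so the native top-level `secrets:` mechanism is available; the Stripe
#     variables on ss-atlas show the `${VAR:-placeholder}` pattern the other
#     secrets should follow.
#   * Several distinct secrets share one value: SESSION_SECRET equals
#     IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET, and the headscale,
#     portainer and gitea OIDC client secrets are identical. Leaking one
#     therefore leaks the others; rotate each to an independent random value
#     (and update the matching relying party).
#   * Authelia and ss-atlas both bind to LLDAP with the directory admin
#     password; a dedicated read-only bind account would be least privilege.
#   * `:latest` image tags make the deployment non-reproducible; pin versions.
services:
  # Authelia SQL storage backend. Reachable only on the overlay network.
  mariadb:
    image: mariadb:latest
    environment:
      MYSQL_ROOT_PASSWORD: dev_authelia_root
      MYSQL_DATABASE: authelia
      MYSQL_USER: authelia
      MYSQL_PASSWORD: authelia
    volumes:
      - mariadb_data:/var/lib/mysql
    networks:
      - authelia_dev
    healthcheck:
      test: ["CMD", "/usr/local/bin/healthcheck.sh", "--su-mysql", "--connect", "--innodb_initialized"]
      start_period: 30s
      interval: 30s
      timeout: 10s
      retries: 5

  # Authelia session store. No password is configured; it relies entirely on
  # network isolation (overlay network, no published ports).
  redis:
    image: redis:latest
    command: redis-server --appendonly yes
    volumes:
      - redis_data:/data
    networks:
      - authelia_dev
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      start_period: 10s
      interval: 30s
      timeout: 5s
      retries: 3

  # User directory. The admin password below is reused by authelia
  # (AUTHENTICATION_BACKEND_LDAP_PASSWORD) and ss-atlas (LLDAP_ADMIN_PASSWORD).
  lldap:
    image: nitnelave/lldap:latest
    volumes:
      - lldap_data:/data
    environment:
      - LLDAP_JWT_SECRET=I2sNvGvhzZlTJWPfNL9MBPFGhyG/gWU5wHz6wFsIC3I=
      - LLDAP_LDAP_USER_PASS=/ETAToLiZPWo6QK171abAUqsa3WDpd9IgneZnTA4zU0=
      - LLDAP_LDAP_BASE_DN=dc=a250,dc=ca
      - PUID=33
      - PGID=33
    networks:
      - authelia_dev
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.lldap.rule=Host(`lldap.bc.a250.ca`)"
        - "traefik.http.routers.lldap.entrypoints=websecure"
        - "traefik.http.routers.lldap.tls=true"
        - "traefik.http.services.lldap.loadbalancer.server.port=17170"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:17170/health"]
      start_period: 10s
      interval: 30s
      timeout: 5s
      retries: 3

  # SSO / forward-auth provider.
  # Runs as root so the wrapper script can create /run/secrets and write
  # /config/configuration.acl.yml. The script re-creates Docker's secret file
  # layout by hand from environment variables; `$$` is the Compose escape so
  # the container shell, not Compose, expands the variables. Native Swarm
  # `secrets:` would remove both the env exposure and the need for root.
  # The generated ACL: deny by default; the login portal and the public
  # ss-atlas endpoints bypass; ss-atlas account pages need one factor;
  # lldap/whoami bypass; per-user subdomains need two factors; anything
  # else under *.bc.a250.ca is denied. Rule order is significant.
  authelia:
    image: git.nixc.us/a250/authelia:dev-authelia
    user: root
    command:
      - sh
      - -c
      - |
        mkdir -p /run/secrets
        echo "$${IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET}" > /run/secrets/IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET
        echo "$${STORAGE_ENCRYPTION_KEY}" > /run/secrets/STORAGE_ENCRYPTION_KEY
        echo "$${SESSION_SECRET}" > /run/secrets/SESSION_SECRET
        echo "$${NOTIFIER_SMTP_PASSWORD}" > /run/secrets/NOTIFIER_SMTP_PASSWORD
        echo "$${AUTHENTICATION_BACKEND_LDAP_PASSWORD}" > /run/secrets/AUTHENTICATION_BACKEND_LDAP_PASSWORD
        echo "$${IDENTITY_PROVIDERS_OIDC_HMAC_SECRET}" > /run/secrets/IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
        echo "$${IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY}" > /run/secrets/IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY
        echo "$${IDENTITY_PROVIDERS_OIDC_JWKS_KEY}" > /run/secrets/IDENTITY_PROVIDERS_OIDC_JWKS_KEY
        echo "$${CLIENT_SECRET_HEADSCALE}" > /run/secrets/CLIENT_SECRET_HEADSCALE
        echo "$${CLIENT_SECRET_HEADADMIN}" > /run/secrets/CLIENT_SECRET_HEADADMIN
        echo "$${CLIENT_SECRET_PORTAINER}" > /run/secrets/CLIENT_SECRET_PORTAINER
        echo "$${CLIENT_SECRET_GITEA}" > /run/secrets/CLIENT_SECRET_GITEA
        {
          echo 'access_control:';
          echo '  default_policy: deny';
          echo '  rules:';
          echo '    - domain: login.bc.a250.ca';
          echo '      policy: bypass';
          echo '    - domain: app.bc.a250.ca';
          echo '      policy: bypass';
          echo '      resources:';
          echo "        - '^/$$'";
          echo "        - '^/subscribe$$'";
          echo "        - '^/success(\\?.*)?$$'";
          echo "        - '^/webhook/stripe$$'";
          echo "        - '^/resend-reset$$'";
          echo "        - '^/health$$'";
          echo "        - '^/version$$'";
          echo '    - domain: app.bc.a250.ca';
          echo '      policy: one_factor';
          echo '      resources:';
          echo "        - '^/dashboard$$'";
          echo "        - '^/activate$$'";
          echo "        - '^/portal$$'";
          echo "        - '^/resubscribe$$'";
          echo "        - '^/stack-manage$$'";
          echo '    - domain:';
          echo '        - lldap.bc.a250.ca';
          echo '        - whoami.bc.a250.ca';
          echo '      policy: bypass';
          echo '    - domain: "{user}.bc.a250.ca"';
          echo '      policy: two_factor';
          echo '    - domain: "*.bc.a250.ca"';
          echo '      policy: deny';
        } > /config/configuration.acl.yml
        exec authelia --config=/config/configuration.server.yml --config=/config/configuration.ldap.yml --config=/config/configuration.acl.yml --config=/config/configuration.notifier.yml --config=/config/configuration.identity.providers.yml --config=/config/configuration.oidc.clients.yml
    environment:
      X_AUTHELIA_EMAIL: authelia@a250.ca
      X_AUTHELIA_SITE_NAME: a250.ca
      X_AUTHELIA_CONFIG_FILTERS: template
      X_AUTHELIA_LDAP_DOMAIN: dc=a250,dc=ca
      TRAEFIK_DOMAIN: bc.a250.ca
      IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET: DoXL9Z1aCrXQ3Ylc2J9MWLO8QeseI8W6F91R0lS0SIE=
      STORAGE_ENCRYPTION_KEY: DvbtMjsNDIC3eqtNaPtdHm/f07dtlHREgieDStTu9NA=
      # Same value as IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET (see header).
      SESSION_SECRET: DoXL9Z1aCrXQ3Ylc2J9MWLO8QeseI8W6F91R0lS0SIE=
      NOTIFIER_SMTP_PASSWORD: 8P7ah6U5ZjbQ2Faaw1fJoehxJrMOslCu
      AUTHENTICATION_BACKEND_LDAP_PASSWORD: /ETAToLiZPWo6QK171abAUqsa3WDpd9IgneZnTA4zU0=
      IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: Pq5+dkrmh04daeSEPEXGq6JniiPsgJ6nHBi/ettUGLSKcuZtnaw3em8/BCXn2iFhUqTRdLSeCiWMbo+oEl/ZYA==
      IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: |
        -----BEGIN PRIVATE KEY-----
        MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC0JC4jaDhdqk3U
        0yDwAh5JVQR84htkPY0Trf5VQYNnBhglo2CqRm6jwjzfOJLBruCUokbG5wJL+OU8
        zDm3aQAhF0xWPEr1ad1U+fIezdF4pZ0fDHVAG9MYTwZYD8iYQclVhoKA8M6/gT15
        QHq0Fzfgf4U5dmsNH2CWiFi+TAWQ85bxLiXchTnRkoyZ445xBqCuthJyvvUtrZrl
        dCAcnNJ6kdGypXwqAuOGrRDz1g9cv52aoJC0k747EnMcmm1HEuR2zGXyw2RM+Sbu
        GrUhLk2vCE448zKXuJGEckalMn2yBfaf5RsZYC9j7SwB0ehyNk5Bn4tKuPt38C7T
        wWkIoI/DAgMBAAECggEAAIQB/2cmK8GrC14dwAVUu0NoPRTgnMulHCNPxERPV5Va
        4fCy/CNlE0iHdODsLdKN7gVkGOAPnGwP+LnIIh0Sbp9q2bkk3C/IMTZ6wCY5E64i
        e85E7HQOVjytRfjb/on7RSianKF6PG4Z4PKTgPFE30c+K5XwZIJse/UHKM3kgWLp
        exKVvYyKDrERunDJqZbYsxSnixk8TavOWFHkpk0wHYvxso6a7jQfEjDWh3N7lduj
        RlaesSO+NJrZDq44zbyJNsFjh4DsNITdBwYXERPUS33Dp+IlrD2SeQMtMBtz+7Ha
        Pd8jMpx8Fw/S3CnjSYRRzDj5Z21EfspfoO6v1ULA0QKBgQDyQejBS7QNwNRIcnhO
        b6TVOPmqcOL9gR/mkC4VmWFvf4pTA69OOuU/gHeF6+J40Z4tuFggHMoPmZuPi9AL
        GSp2UZQHYa7BxTk7XxESflF/8HzgbtFtK/0dUp1l2JN26qha+djQADFFPNWs8abX
        wpbKfjPqLzwR8K5kCtbd3WWDrwKBgQC+XDajJ6I4k9hwfYDxb35UkNFjboK4NfTY
        u5Eiz1NhbqqkNV8idZhadJfnbgIAymqr9Yf9M9ncAbuUhCDI2r/VL1CLMx/y/DGH
        RxlXWq4sArG1xpR1Muc9W8tTT9cf9XDMmuL81wYccXGqv3RpYQM/VtYIRSWvC0HE
        FxZCGPa2LQKBgHlg1IGksH4Dk1kJIYYLIgdDGLRxAwoI3DblHnHr+4ml2WRmgDst
        /xamAzyyRzJJtHsr1duhEQxn5i0x2/bzkPbfQM/B/ZFQg7BfnWoqqCL2F1tLqtqM
        I7HBZuNUc+4s/FU4wYzVy9no9RZFrVaFRJAIU3KOYAaNFJNDawyWlPo5AoGARe6C
        c/W/dqF5xfmVQR0Af/ijs6+Jfjr0NBrT+sHHk+ef8Ktaw8IHslNa6r5TJg82mO2e
        g7pksppAWxMfKCqUhrDXGgwyFIXpfBT2jkzV530l4+2L5HJK2RO74mNWWHtGcSQF
        d3VW3WQfqeaj0YK+Oqqf/nHIokG0a2E/4BBjshECgYAnlU2Fl7uI1lQBbWsckaQ9
        EVeSDtrRvNuER0Eh3WFni2affOqB9qAZXNfCZ/goFJoNgk4fww0OqmewX9Y18/3a
        vsrm7L7OKFFlM6vmIG1nPX/s5l++mkMe+qRd4B7C4NSF0bzJlweTozQFDp+prp1y
        SHERk3EUdAZn7yyIISd/Qg==
        -----END PRIVATE KEY-----
      IDENTITY_PROVIDERS_OIDC_JWKS_KEY: mbfKKlpQ5QEzrmBCCcOg7yubDBKZtKCAiL7rGtVdMq/hpCorO+Qiei2fKbB/xieDS3BIg5BMza5fZm5w0hMiNA==
      # HEADSCALE, PORTAINER and GITEA share one client secret (see header).
      CLIENT_SECRET_HEADSCALE: t4Hvp6DnpA0T+0ePbdx8lPIAujFMrkjEnx5aMQkMFiA=
      CLIENT_SECRET_HEADADMIN: RAxwkJxwMBSYkaA0r+D5qZdEFIrVEZJbigOPtkCBED8=
      CLIENT_SECRET_PORTAINER: t4Hvp6DnpA0T+0ePbdx8lPIAujFMrkjEnx5aMQkMFiA=
      CLIENT_SECRET_GITEA: t4Hvp6DnpA0T+0ePbdx8lPIAujFMrkjEnx5aMQkMFiA=
    volumes:
      - authelia_data:/data
    networks:
      - authelia_dev
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.authelia.rule=Host(`login.bc.a250.ca`)"
        - "traefik.http.routers.authelia.entrypoints=websecure"
        - "traefik.http.routers.authelia.tls=true"
        - "traefik.http.services.authelia.loadbalancer.server.port=9091"
        # forward-auth middleware consumed by the other routers as authelia-auth@swarm
        - "traefik.http.middlewares.authelia-auth.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.bc.a250.ca/"
        - "traefik.http.middlewares.authelia-auth.forwardauth.trustForwardHeader=true"
        - "traefik.http.middlewares.authelia-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
    healthcheck:
      test: ["CMD-SHELL", "/usr/bin/wget --spider --quiet http://localhost:9091/api/health || exit 1"]
      start_period: 15s
      interval: 30s
      timeout: 10s
      retries: 3

  # Edge proxy. Reads the Swarm API through the docker socket (read-only
  # mount, but socket access is still equivalent to host root).
  traefik:
    image: traefik:v3.1
    command:
      # --api.insecure=true serves the dashboard/API unauthenticated on the
      # container's :8080; it is only exposed through the authenticated
      # traefik-dashboard router below, so do not publish 8080 on the host.
      - "--api.insecure=true"
      - "--providers.swarm=true"
      - "--providers.swarm.endpoint=unix:///var/run/docker.sock"
      - "--providers.swarm.watch=true"
      - "--providers.swarm.exposedbydefault=false"
      - "--providers.swarm.network=atlas_authelia_dev"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
    ports:
      - "80:80"
      - "443:443"
      # Previously published: "8080:8080". That bypassed Authelia and exposed
      # the insecure API directly on the host; the dashboard remains
      # reachable via https://traefik.bc.a250.ca through the router below.
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - authelia_dev
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.bc.a250.ca`)"
        - "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
        - "traefik.http.routers.traefik-dashboard.tls=true"
        # Same forward-auth middleware as ss-atlas and whoami; the dashboard
        # was the only routed service without it.
        - "traefik.http.routers.traefik-dashboard.middlewares=authelia-auth@swarm"
        - "traefik.http.routers.traefik-dashboard.service=traefik-api"
        - "traefik.http.services.traefik-api.loadbalancer.server.port=8080"

  # Main application. Has docker socket access (read-only mount) and the
  # LLDAP admin credentials; protected at the edge by authelia-auth, with
  # public paths (webhook, subscribe, health, ...) bypassed in the ACL.
  ss-atlas:
    image: atlas-ss-atlas:latest
    environment:
      # Stripe values come from the deploying shell with visible placeholders
      # as defaults; this is the pattern the other secrets should adopt.
      - STRIPE_SECRET_KEY=${STRIPE_SECRET_KEY:-sk_test_placeholder}
      - STRIPE_WEBHOOK_SECRET=${STRIPE_WEBHOOK_SECRET:-whsec_placeholder}
      - STRIPE_PRICE_ID=${STRIPE_PRICE_ID:-price_placeholder}
      - LLDAP_URL=ldap://lldap:3890
      - LLDAP_ADMIN_DN=uid=admin,ou=people,dc=a250,dc=ca
      - LLDAP_ADMIN_PASSWORD=/ETAToLiZPWo6QK171abAUqsa3WDpd9IgneZnTA4zU0=
      - LLDAP_BASE_DN=dc=a250,dc=ca
      - LLDAP_HTTP_URL=http://lldap:17170
      - DOCKER_HOST=unix:///var/run/docker.sock
      - APP_URL=https://app.bc.a250.ca
      - AUTHELIA_URL=https://login.bc.a250.ca
      - AUTHELIA_INTERNAL_URL=http://authelia:9091
      - TRAEFIK_DOMAIN=bc.a250.ca
      # NOTE(review): Traefik is told the network is atlas_authelia_dev (stack
      # prefixed) while this is the unprefixed name; confirm the app expects it.
      - TRAEFIK_NETWORK=authelia_dev
      - CUSTOMER_DOMAIN=app.a250.ca
      - TEMPLATE_PATH=/app/templates
      - ARCHIVE_PATH=/archives
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - atlas_archives:/archives
    networks:
      - authelia_dev
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.ss-atlas.rule=Host(`app.bc.a250.ca`)"
        - "traefik.http.routers.ss-atlas.entrypoints=websecure"
        - "traefik.http.routers.ss-atlas.tls=true"
        - "traefik.http.routers.ss-atlas.middlewares=authelia-auth@swarm"
        - "traefik.http.services.ss-atlas.loadbalancer.server.port=8080"

  # Echo service for verifying the forward-auth chain (ACL policy: bypass).
  whoami:
    image: traefik/whoami
    networks:
      - authelia_dev
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.whoami.rule=Host(`whoami.bc.a250.ca`)"
        - "traefik.http.routers.whoami.entrypoints=websecure"
        - "traefik.http.routers.whoami.tls=true"
        - "traefik.http.routers.whoami.middlewares=authelia-auth@swarm"

networks:
  authelia_dev:
    driver: overlay
    attachable: true

volumes:
  mariadb_data:
  redis_data:
  authelia_data:
  lldap_data:
  atlas_archives: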