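---
# Swarm stack: ss-atlas application fronted by Traefik, with authentik as the
# forwardauth identity provider (deploy.labels + "@swarm" middleware refs).
#
# Secrets are no longer literal in this file. Each one is read from the
# environment of the shell running `docker stack deploy` (stack deploy
# substitutes ${VAR} from the shell; it does not read a .env file) and, where a
# value was only ever a dev placeholder, that placeholder is kept as the
# default so an unconfigured deploy behaves exactly as before. The Stripe
# secret key has no default on purpose: the previously committed value must be
# treated as exposed and rotated.

# Settings the authentik server and worker MUST share (same secret key, same
# database). Defined once and merged into both services so they cannot drift.
x-authentik-env: &authentik_env
  # Placeholder kept as the default for dev parity; set a long random value
  # before exposing the stack. Must be identical for server and worker.
  AUTHENTIK_SECRET_KEY: "${AUTHENTIK_SECRET_KEY:-change-me-before-production}"
  AUTHENTIK_REDIS__HOST: authentik-redis
  AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
  AUTHENTIK_POSTGRESQL__USER: authentik
  AUTHENTIK_POSTGRESQL__NAME: authentik
  # Same variable as authentik-postgres POSTGRES_PASSWORD below.
  AUTHENTIK_POSTGRESQL__PASSWORD: "${AUTHENTIK_DB_PASSWORD:-authentik}"

services:
  # Database for the ss-atlas application; only attached to atlas_internal.
  atlas-postgres:
    image: postgres:16-alpine
    environment:
      POSTGRES_DB: atlas
      POSTGRES_USER: atlas
      # The same variable is embedded in ss-atlas DATABASE_URL; if a real
      # password is set it must be URL-safe (or percent-encoded there).
      POSTGRES_PASSWORD: "${ATLAS_DB_PASSWORD:-atlas}"
    volumes:
      - atlas_postgres_data:/var/lib/postgresql/data
    networks:
      - atlas_internal
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U atlas -d atlas"]
      start_period: 10s
      interval: 30s
      timeout: 5s
      retries: 5

  # Database for authentik; only attached to atlas_internal.
  authentik-postgres:
    image: postgres:16-alpine
    environment:
      POSTGRES_DB: authentik
      POSTGRES_USER: authentik
      POSTGRES_PASSWORD: "${AUTHENTIK_DB_PASSWORD:-authentik}"
    volumes:
      - authentik_postgres_data:/var/lib/postgresql/data
    networks:
      - atlas_internal
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U authentik -d authentik"]
      start_period: 10s
      interval: 30s
      timeout: 5s
      retries: 5

  # Redis for authentik. No password is configured, so its only protection is
  # that atlas_internal is not reachable from outside the stack.
  authentik-redis:
    image: redis:7-alpine
    command: redis-server --save 60 1 --loglevel warning
    volumes:
      - authentik_redis_data:/data
    networks:
      - atlas_internal

  # authentik web/API server. Besides serving its own UI it is the backend of
  # the "authentik" forwardauth middleware declared in its labels; the
  # authResponseHeaders listed there are what protected services receive as
  # the authenticated identity.
  authentik-server:
    # Floating tag; set AUTHENTIK_TAG to a release tag for reproducible
    # deploys. The worker uses the same variable so both stay in lockstep.
    image: "ghcr.io/goauthentik/server:${AUTHENTIK_TAG:-latest}"
    command: server
    environment:
      <<: *authentik_env
      # Bootstrap values — presumably used to seed the initial admin account;
      # confirm against the authentik docs. Placeholders kept as defaults.
      AUTHENTIK_BOOTSTRAP_PASSWORD: "${AUTHENTIK_BOOTSTRAP_PASSWORD:-change-me-before-production}"
      AUTHENTIK_BOOTSTRAP_TOKEN: "${AUTHENTIK_BOOTSTRAP_TOKEN:-change-me-before-production}"
      AUTHENTIK_BOOTSTRAP_EMAIL: "${AUTHENTIK_BOOTSTRAP_EMAIL:-admin@a250.ca}"
    volumes:
      - authentik_media:/media
      - authentik_templates:/templates
    networks:
      - atlas_internal
      - traefik
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=traefik"
        # forwardauth middleware referenced by other services as "authentik@swarm".
        - "traefik.http.middlewares.authentik.forwardauth.address=http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
        # trustForwardHeader forwards the client-supplied X-Forwarded-* headers
        # to authentik. Acceptable here only because Traefik is the sole path
        # into this service (no published ports); revisit if Traefik itself
        # sits behind another proxy without a trusted-IP configuration.
        - "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true"
        - "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid"
        # authentik's own paths, including the outpost path forwardauth sends
        # unauthenticated users to. Priority 100 beats every ss-atlas router
        # (1 / 15 / 20), so these prefixes never reach ss-atlas.
        - "traefik.http.routers.authentik.rule=Host(`app.a250.ca`) && (PathPrefix(`/outpost.goauthentik.io/`) || PathPrefix(`/if/`) || PathPrefix(`/flows/`) || PathPrefix(`/application/`) || PathPrefix(`/source/`) || PathPrefix(`/api/`) || PathPrefix(`/static/`) || PathPrefix(`/media/`) || PathPrefix(`/ws/`))"
        - "traefik.http.routers.authentik.entrypoints=websecure"
        - "traefik.http.routers.authentik.tls=true"
        - "traefik.http.routers.authentik.tls.certresolver=letsencryptresolver"
        - "traefik.http.routers.authentik.priority=100"
        # Second router over a subset of the prefixes above at a higher
        # priority. It names the same service explicitly (the first router
        # relies on Traefik auto-assigning the single service), so the overlap
        # is redundant but harmless.
        - "traefik.http.routers.authentik-oauth.rule=Host(`app.a250.ca`) && (PathPrefix(`/flows/`) || PathPrefix(`/application/`) || PathPrefix(`/source/`) || PathPrefix(`/api/`) || PathPrefix(`/static/`) || PathPrefix(`/media/`) || PathPrefix(`/ws/`))"
        - "traefik.http.routers.authentik-oauth.entrypoints=websecure"
        - "traefik.http.routers.authentik-oauth.tls=true"
        - "traefik.http.routers.authentik-oauth.tls.certresolver=letsencryptresolver"
        - "traefik.http.routers.authentik-oauth.priority=200"
        - "traefik.http.routers.authentik-oauth.service=authentik"
        - "traefik.http.services.authentik.loadbalancer.server.port=9000"

  # authentik background worker. Runs as root with the host Docker socket
  # mounted read-write: a compromise of this container is root-equivalent on
  # the host. The socket is presumably needed for authentik's Docker outpost
  # integration — confirm; if it is not used, drop the mount and `user: root`,
  # otherwise consider a socket proxy that exposes only the required endpoints.
  authentik-worker:
    image: "ghcr.io/goauthentik/server:${AUTHENTIK_TAG:-latest}"
    command: worker
    environment:
      <<: *authentik_env
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - authentik_media:/media
      - authentik_templates:/templates
    networks:
      - atlas_internal

  # The application. Everything under Host(app.a250.ca) that no higher-priority
  # router claims lands on the plain "ss-atlas" router without authentication;
  # the prefixes on "ss-atlas-protected" and "/i/" require an authentik session.
  ss-atlas:
    image: git.nixc.us/a250/ss-atlas:production
    # Mapping form (like the other services) so every value is an explicit,
    # quoted string; values are byte-for-byte the previous ones except where a
    # ${VAR} substitution was introduced.
    environment:
      # Live Stripe credential: never committed, no default. Deploy fails fast
      # if it is missing from the deploying environment.
      STRIPE_SECRET_KEY: "${STRIPE_SECRET_KEY:?STRIPE_SECRET_KEY must be supplied by the deploying environment}"
      # Placeholder — presumably Stripe webhook signature checks cannot succeed
      # until the real signing secret is provided; confirm in the app.
      STRIPE_WEBHOOK_SECRET: "${STRIPE_WEBHOOK_SECRET:-whsec_placeholder}"
      # Price identifiers are not secrets; kept literal.
      STRIPE_PRICE_ID: price_1T6v8dRfasa3uSsuCWmIC0Fn
      STRIPE_PRICE_ID_FREE: price_1T7NOURfasa3uSsuEpbKAD1h
      STRIPE_PRICE_ID_YEAR: price_1T7NOURfasa3uSsu3fB9ivyn
      STRIPE_PRICE_ID_MONTH_100: price_1T7NOVRfasa3uSsuEaxzMNno
      STRIPE_PRICE_ID_MONTH_200: price_1T7NOVRfasa3uSsucQRRlPCi
      STRIPE_PAYMENT_LINK: ""
      FREE_TIER_LIMIT: "10"
      YEAR_TIER_LIMIT: "50"
      MAX_SIGNUPS: "0"
      DOCKER_HOST: "unix:///var/run/docker.sock"
      APP_URL: "https://app.a250.ca"
      # Served by the "authentik" router (/if/ prefix), not by ss-atlas.
      IDENTITY_URL: "https://app.a250.ca/if/user/"
      # Password is the same variable as atlas-postgres POSTGRES_PASSWORD.
      # sslmode=disable: the connection is plain text on the overlay network.
      DATABASE_URL: "postgres://atlas:${ATLAS_DB_PASSWORD:-atlas}@atlas-postgres:5432/atlas?sslmode=disable"
      TRAEFIK_DOMAIN: app.a250.ca
      TRAEFIK_NETWORK: traefik
      TRAEFIK_DOCKER_NETWORK: traefik
      CUSTOMER_DOMAIN: app.a250.ca
      TEMPLATE_PATH: /app/templates
      ARCHIVE_PATH: /archives
      LANDING_TAGLINE: "Your own workspace, ready in minutes."
      LANDING_FEATURES: "Dedicated environment|Secure single sign-on|Automatic provisioning|Manage subscription anytime"
      # Was committed empty. What an empty value means is up to the app
      # (NOTE(review): may disable or weaken admin access — confirm); set it
      # from the deploying environment.
      ADMIN_SECRET: "${ADMIN_SECRET:-}"
    volumes:
      # ":ro" only makes the bind mount read-only; the Docker API behind the
      # socket remains fully usable, which is root-equivalent on the host.
      # Presumably used for the provisioning features (DOCKER_HOST above) —
      # a socket proxy limiting the API surface is the usual mitigation.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - atlas_archives:/archives
    networks:
      - atlas_internal
      - traefik
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=traefik"
        # Catch-all for the host at the lowest priority; no auth middleware.
        - "traefik.http.routers.ss-atlas.rule=Host(`app.a250.ca`)"
        - "traefik.http.routers.ss-atlas.entrypoints=websecure"
        - "traefik.http.routers.ss-atlas.tls=true"
        - "traefik.http.routers.ss-atlas.tls.certresolver=letsencryptresolver"
        - "traefik.http.routers.ss-atlas.priority=1"
        - "traefik.http.routers.ss-atlas.service=ss-atlas"
        # Authenticated application paths (priority 20 > catch-all 1). Any new
        # path that needs a login must be added to this list; otherwise it is
        # served by the catch-all without forwardauth.
        - "traefik.http.routers.ss-atlas-protected.rule=Host(`app.a250.ca`) && (PathPrefix(`/checkout`) || PathPrefix(`/subscribe`) || PathPrefix(`/activate`) || PathPrefix(`/dashboard`) || PathPrefix(`/link-stripe-customer`) || PathPrefix(`/portal`) || PathPrefix(`/resubscribe`) || PathPrefix(`/stack-manage`))"
        - "traefik.http.routers.ss-atlas-protected.entrypoints=websecure"
        - "traefik.http.routers.ss-atlas-protected.tls=true"
        - "traefik.http.routers.ss-atlas-protected.tls.certresolver=letsencryptresolver"
        - "traefik.http.routers.ss-atlas-protected.priority=20"
        - "traefik.http.routers.ss-atlas-protected.middlewares=authentik@swarm"
        - "traefik.http.routers.ss-atlas-protected.service=ss-atlas"
        - "traefik.http.services.ss-atlas.loadbalancer.server.port=8080"
        # Per-instance paths, also behind forwardauth (priority 15).
        - "traefik.http.routers.ss-atlas-instance.rule=Host(`app.a250.ca`) && PathPrefix(`/i/`)"
        - "traefik.http.routers.ss-atlas-instance.entrypoints=websecure"
        - "traefik.http.routers.ss-atlas-instance.tls=true"
        - "traefik.http.routers.ss-atlas-instance.tls.certresolver=letsencryptresolver"
        - "traefik.http.routers.ss-atlas-instance.priority=15"
        - "traefik.http.routers.ss-atlas-instance.middlewares=authentik@swarm"
        - "traefik.http.routers.ss-atlas-instance.service=ss-atlas"

  # Diagnostic echo service behind forwardauth: it reflects the incoming
  # request, including the X-authentik-* headers, back to the caller. Handy
  # for verifying the auth chain; remove or restrict once verified. Image is
  # untagged (floating).
  whoami:
    image: traefik/whoami
    networks:
      - atlas_internal
      - traefik
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=traefik"
        - "traefik.http.routers.whoami.rule=Host(`app.a250.ca`) && PathPrefix(`/whoami`)"
        - "traefik.http.routers.whoami.entrypoints=websecure"
        - "traefik.http.routers.whoami.tls=true"
        - "traefik.http.routers.whoami.tls.certresolver=letsencryptresolver"
        - "traefik.http.routers.whoami.middlewares=strip-whoami@swarm,authentik@swarm"
        - "traefik.http.middlewares.strip-whoami.stripprefix.prefixes=/whoami"
        - "traefik.http.services.whoami.loadbalancer.server.port=80"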
networks:
  # Stack-private overlay carrying the postgres and redis traffic. That
  # traffic is plain text (sslmode=disable in DATABASE_URL, unauthenticated
  # redis), and overlay networks are not encrypted by default — on a
  # multi-node swarm consider the overlay driver's "encrypted" option.
  # "attachable" lets standalone containers join this network, which widens
  # what can reach the unauthenticated redis; keep it only if it is needed.
  atlas_internal:
    driver: overlay
    attachable: true
  # Network Traefik is attached to; created outside this stack.
  traefik:
    external: true
# Named volumes with default driver settings (a bare key is the compose idiom
# for "no options"). Data directories hold the only persistent state of the
# stack, so back these up rather than the containers.
volumes:
  atlas_archives:  # ss-atlas /archives (ARCHIVE_PATH)
  atlas_postgres_data:  # atlas-postgres data directory
  authentik_postgres_data:  # authentik-postgres data directory
  authentik_redis_data:  # authentik-redis /data (persisted via --save 60 1)
  authentik_media:  # /media, shared by authentik-server and authentik-worker
  authentik_templates:  # /templates, shared by authentik-server and authentik-worker