forked from Nixius/authelia
254 lines
13 KiB
YAML
254 lines
13 KiB
YAML
services:
|
|
mariadb:
|
|
image: mariadb:latest
|
|
environment:
|
|
MYSQL_ROOT_PASSWORD: dev_authelia_root
|
|
MYSQL_DATABASE: authelia
|
|
MYSQL_USER: authelia
|
|
MYSQL_PASSWORD: authelia
|
|
volumes:
|
|
- mariadb_data:/var/lib/mysql
|
|
networks:
|
|
- authelia_dev
|
|
healthcheck:
|
|
test: [ "CMD", "/usr/local/bin/healthcheck.sh", "--su-mysql", "--connect", "--innodb_initialized" ]
|
|
start_period: 30s
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 5
|
|
|
|
redis:
|
|
image: redis:latest
|
|
command: redis-server --appendonly yes
|
|
volumes:
|
|
- redis_data:/data
|
|
networks:
|
|
- authelia_dev
|
|
healthcheck:
|
|
test: [ "CMD", "redis-cli", "ping" ]
|
|
start_period: 10s
|
|
interval: 30s
|
|
timeout: 5s
|
|
retries: 3
|
|
|
|
lldap:
|
|
image: nitnelave/lldap:latest
|
|
volumes:
|
|
- lldap_data:/data
|
|
environment:
|
|
- LLDAP_JWT_SECRET=I2sNvGvhzZlTJWPfNL9MBPFGhyG/gWU5wHz6wFsIC3I=
|
|
- LLDAP_LDAP_USER_PASS=/ETAToLiZPWo6QK171abAUqsa3WDpd9IgneZnTA4zU0=
|
|
- LLDAP_LDAP_BASE_DN=dc=a250,dc=ca
|
|
- PUID=33
|
|
- PGID=33
|
|
networks:
|
|
- authelia_dev
|
|
deploy:
|
|
labels:
|
|
- "traefik.enable=true"
|
|
- "traefik.http.routers.lldap.rule=Host(`bc.a250.ca`) && PathPrefix(`/admin/lldap`)"
|
|
- "traefik.http.routers.lldap.middlewares=strip-lldap@swarm"
|
|
- "traefik.http.middlewares.strip-lldap.stripprefix.prefixes=/admin/lldap"
|
|
- "traefik.http.routers.lldap.entrypoints=websecure"
|
|
- "traefik.http.routers.lldap.tls=true"
|
|
- "traefik.http.services.lldap.loadbalancer.server.port=17170"
|
|
healthcheck:
|
|
test: [ "CMD", "curl", "-f", "http://localhost:17170/health" ]
|
|
start_period: 10s
|
|
interval: 30s
|
|
timeout: 5s
|
|
retries: 3
|
|
|
|
authelia:
|
|
image: git.nixc.us/a250/authelia:dev-authelia
|
|
user: root
|
|
command:
|
|
- sh
|
|
- -c
|
|
- |
|
|
mkdir -p /run/secrets
|
|
echo "$${IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET}" > /run/secrets/IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET
|
|
echo "$${STORAGE_ENCRYPTION_KEY}" > /run/secrets/STORAGE_ENCRYPTION_KEY
|
|
echo "$${SESSION_SECRET}" > /run/secrets/SESSION_SECRET
|
|
echo "$${NOTIFIER_SMTP_PASSWORD}" > /run/secrets/NOTIFIER_SMTP_PASSWORD
|
|
echo "$${AUTHENTICATION_BACKEND_LDAP_PASSWORD}" > /run/secrets/AUTHENTICATION_BACKEND_LDAP_PASSWORD
|
|
echo "$${IDENTITY_PROVIDERS_OIDC_HMAC_SECRET}" > /run/secrets/IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
|
|
echo "$${IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY}" > /run/secrets/IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY
|
|
echo "$${IDENTITY_PROVIDERS_OIDC_JWKS_KEY}" > /run/secrets/IDENTITY_PROVIDERS_OIDC_JWKS_KEY
|
|
echo "$${CLIENT_SECRET_HEADSCALE}" > /run/secrets/CLIENT_SECRET_HEADSCALE
|
|
echo "$${CLIENT_SECRET_HEADADMIN}" > /run/secrets/CLIENT_SECRET_HEADADMIN
|
|
echo "$${CLIENT_SECRET_PORTAINER}" > /run/secrets/CLIENT_SECRET_PORTAINER
|
|
echo "$${CLIENT_SECRET_GITEA}" > /run/secrets/CLIENT_SECRET_GITEA
|
|
{ echo 'access_control:'; echo ' default_policy: deny'; echo ' rules:'; echo ' - domain: bc.a250.ca'; echo ' policy: bypass'; echo ' resources:'; echo " - '^/login(/.*)?$$'"; echo ' - domain: bc.a250.ca'; echo ' policy: bypass'; echo ' resources:'; echo " - '^/$$'"; echo " - '^/subscribe/?$$'"; echo " - '^/success(/|\\?.*)?$$'"; echo " - '^/webhook/stripe/?$$'"; echo " - '^/resend-reset/?$$'"; echo " - '^/health/?$$'"; echo " - '^/version/?$$'"; echo ' - domain: bc.a250.ca'; echo ' policy: one_factor'; echo ' resources:'; echo " - '^/activate/?$$'"; echo " - '^/dashboard/?$$'"; echo ' - domain: bc.a250.ca'; echo ' subject:'; echo ' - group:customers'; echo ' policy: two_factor'; echo ' resources:'; echo " - '^/portal/?$$'"; echo " - '^/resubscribe/?$$'"; echo " - '^/stack-manage/?$$'"; echo " - '^/i/[a-z0-9-]+(/.*)?$$'"; echo ' - domain: bc.a250.ca'; echo ' policy: bypass'; echo ' resources:'; echo " - '^/admin/lldap(/.*)?$$'"; echo " - '^/whoami(/.*)?$$'"; echo ' - domain: bc.a250.ca'; echo ' policy: deny'; } > /config/configuration.acl.yml
|
|
exec authelia --config=/config/configuration.server.yml --config=/config/configuration.ldap.yml --config=/config/configuration.acl.yml --config=/config/configuration.notifier.yml --config=/config/configuration.identity.providers.yml --config=/config/configuration.oidc.clients.yml
|
|
environment:
|
|
AUTHELIA_SERVER_ADDRESS: tcp://0.0.0.0:9091/login
|
|
X_AUTHELIA_EMAIL: authelia@a250.ca
|
|
X_AUTHELIA_SITE_NAME: a250.ca
|
|
X_AUTHELIA_CONFIG_FILTERS: template
|
|
X_AUTHELIA_LDAP_DOMAIN: dc=a250,dc=ca
|
|
TRAEFIK_DOMAIN: bc.a250.ca
|
|
IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET: DoXL9Z1aCrXQ3Ylc2J9MWLO8QeseI8W6F91R0lS0SIE=
|
|
STORAGE_ENCRYPTION_KEY: DvbtMjsNDIC3eqtNaPtdHm/f07dtlHREgieDStTu9NA=
|
|
SESSION_SECRET: DoXL9Z1aCrXQ3Ylc2J9MWLO8QeseI8W6F91R0lS0SIE=
|
|
NOTIFIER_SMTP_PASSWORD: 8P7ah6U5ZjbQ2Faaw1fJoehxJrMOslCu
|
|
AUTHENTICATION_BACKEND_LDAP_PASSWORD: /ETAToLiZPWo6QK171abAUqsa3WDpd9IgneZnTA4zU0=
|
|
IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: Pq5+dkrmh04daeSEPEXGq6JniiPsgJ6nHBi/ettUGLSKcuZtnaw3em8/BCXn2iFhUqTRdLSeCiWMbo+oEl/ZYA==
|
|
IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: |
|
|
-----BEGIN PRIVATE KEY-----
|
|
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC0JC4jaDhdqk3U
|
|
0yDwAh5JVQR84htkPY0Trf5VQYNnBhglo2CqRm6jwjzfOJLBruCUokbG5wJL+OU8
|
|
zDm3aQAhF0xWPEr1ad1U+fIezdF4pZ0fDHVAG9MYTwZYD8iYQclVhoKA8M6/gT15
|
|
QHq0Fzfgf4U5dmsNH2CWiFi+TAWQ85bxLiXchTnRkoyZ445xBqCuthJyvvUtrZrl
|
|
dCAcnNJ6kdGypXwqAuOGrRDz1g9cv52aoJC0k747EnMcmm1HEuR2zGXyw2RM+Sbu
|
|
GrUhLk2vCE448zKXuJGEckalMn2yBfaf5RsZYC9j7SwB0ehyNk5Bn4tKuPt38C7T
|
|
wWkIoI/DAgMBAAECggEAAIQB/2cmK8GrC14dwAVUu0NoPRTgnMulHCNPxERPV5Va
|
|
4fCy/CNlE0iHdODsLdKN7gVkGOAPnGwP+LnIIh0Sbp9q2bkk3C/IMTZ6wCY5E64i
|
|
e85E7HQOVjytRfjb/on7RSianKF6PG4Z4PKTgPFE30c+K5XwZIJse/UHKM3kgWLp
|
|
exKVvYyKDrERunDJqZbYsxSnixk8TavOWFHkpk0wHYvxso6a7jQfEjDWh3N7lduj
|
|
RlaesSO+NJrZDq44zbyJNsFjh4DsNITdBwYXERPUS33Dp+IlrD2SeQMtMBtz+7Ha
|
|
Pd8jMpx8Fw/S3CnjSYRRzDj5Z21EfspfoO6v1ULA0QKBgQDyQejBS7QNwNRIcnhO
|
|
b6TVOPmqcOL9gR/mkC4VmWFvf4pTA69OOuU/gHeF6+J40Z4tuFggHMoPmZuPi9AL
|
|
GSp2UZQHYa7BxTk7XxESflF/8HzgbtFtK/0dUp1l2JN26qha+djQADFFPNWs8abX
|
|
wpbKfjPqLzwR8K5kCtbd3WWDrwKBgQC+XDajJ6I4k9hwfYDxb35UkNFjboK4NfTY
|
|
u5Eiz1NhbqqkNV8idZhadJfnbgIAymqr9Yf9M9ncAbuUhCDI2r/VL1CLMx/y/DGH
|
|
RxlXWq4sArG1xpR1Muc9W8tTT9cf9XDMmuL81wYccXGqv3RpYQM/VtYIRSWvC0HE
|
|
FxZCGPa2LQKBgHlg1IGksH4Dk1kJIYYLIgdDGLRxAwoI3DblHnHr+4ml2WRmgDst
|
|
/xamAzyyRzJJtHsr1duhEQxn5i0x2/bzkPbfQM/B/ZFQg7BfnWoqqCL2F1tLqtqM
|
|
I7HBZuNUc+4s/FU4wYzVy9no9RZFrVaFRJAIU3KOYAaNFJNDawyWlPo5AoGARe6C
|
|
c/W/dqF5xfmVQR0Af/ijs6+Jfjr0NBrT+sHHk+ef8Ktaw8IHslNa6r5TJg82mO2e
|
|
g7pksppAWxMfKCqUhrDXGgwyFIXpfBT2jkzV530l4+2L5HJK2RO74mNWWHtGcSQF
|
|
d3VW3WQfqeaj0YK+Oqqf/nHIokG0a2E/4BBjshECgYAnlU2Fl7uI1lQBbWsckaQ9
|
|
EVeSDtrRvNuER0Eh3WFni2affOqB9qAZXNfCZ/goFJoNgk4fww0OqmewX9Y18/3a
|
|
vsrm7L7OKFFlM6vmIG1nPX/s5l++mkMe+qRd4B7C4NSF0bzJlweTozQFDp+prp1y
|
|
SHERk3EUdAZn7yyIISd/Qg==
|
|
-----END PRIVATE KEY-----
|
|
IDENTITY_PROVIDERS_OIDC_JWKS_KEY: mbfKKlpQ5QEzrmBCCcOg7yubDBKZtKCAiL7rGtVdMq/hpCorO+Qiei2fKbB/xieDS3BIg5BMza5fZm5w0hMiNA==
|
|
CLIENT_SECRET_HEADSCALE: t4Hvp6DnpA0T+0ePbdx8lPIAujFMrkjEnx5aMQkMFiA=
|
|
CLIENT_SECRET_HEADADMIN: RAxwkJxwMBSYkaA0r+D5qZdEFIrVEZJbigOPtkCBED8=
|
|
CLIENT_SECRET_PORTAINER: t4Hvp6DnpA0T+0ePbdx8lPIAujFMrkjEnx5aMQkMFiA=
|
|
CLIENT_SECRET_GITEA: t4Hvp6DnpA0T+0ePbdx8lPIAujFMrkjEnx5aMQkMFiA=
|
|
volumes:
|
|
- authelia_data:/data
|
|
networks:
|
|
- authelia_dev
|
|
deploy:
|
|
labels:
|
|
- "traefik.enable=true"
|
|
- "traefik.http.routers.authelia.rule=Host(`bc.a250.ca`) && PathPrefix(`/login`)"
|
|
- "traefik.http.routers.authelia.entrypoints=websecure"
|
|
- "traefik.http.routers.authelia.tls=true"
|
|
- "traefik.http.services.authelia.loadbalancer.server.port=9091"
|
|
- "traefik.http.middlewares.authelia-auth.forwardauth.address=http://authelia:9091/login/api/authz/forward-auth?rd=https://bc.a250.ca/login/"
|
|
- "traefik.http.middlewares.authelia-auth.forwardauth.trustForwardHeader=true"
|
|
- "traefik.http.middlewares.authelia-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
|
|
healthcheck:
|
|
test: [ "CMD-SHELL", "/usr/bin/wget --spider --quiet http://localhost:9091/login/api/health || exit 1" ]
|
|
start_period: 15s
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
|
|
traefik:
|
|
image: traefik:v3.1
|
|
command:
|
|
- "--api.insecure=true"
|
|
- "--providers.swarm=true"
|
|
- "--providers.swarm.endpoint=unix:///var/run/docker.sock"
|
|
- "--providers.swarm.watch=true"
|
|
- "--providers.swarm.exposedbydefault=false"
|
|
- "--providers.swarm.network=atlas_authelia_dev"
|
|
- "--entrypoints.web.address=:80"
|
|
- "--entrypoints.web.http.redirections.entrypoint.to=websecure"
|
|
- "--entrypoints.web.http.redirections.entrypoint.scheme=https"
|
|
- "--entrypoints.websecure.address=:443"
|
|
ports:
|
|
- "80:80"
|
|
- "443:443"
|
|
- "8080:8080"
|
|
volumes:
|
|
- "/var/run/docker.sock:/var/run/docker.sock:ro"
|
|
networks:
|
|
- authelia_dev
|
|
deploy:
|
|
labels:
|
|
- "traefik.enable=true"
|
|
- "traefik.http.routers.traefik-dashboard.rule=Host(`bc.a250.ca`) && PathPrefix(`/admin/traefik`)"
|
|
- "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
|
|
- "traefik.http.routers.traefik-dashboard.tls=true"
|
|
- "traefik.http.routers.traefik-dashboard.service=traefik-api"
|
|
- "traefik.http.routers.traefik-dashboard.middlewares=strip-traefik@swarm"
|
|
- "traefik.http.middlewares.strip-traefik.stripprefix.prefixes=/admin/traefik"
|
|
- "traefik.http.services.traefik-api.loadbalancer.server.port=8080"
|
|
|
|
ss-atlas:
|
|
image: atlas-ss-atlas:latest
|
|
environment:
|
|
- STRIPE_SECRET_KEY=${STRIPE_SECRET_KEY:-sk_test_placeholder}
|
|
- STRIPE_WEBHOOK_SECRET=${STRIPE_WEBHOOK_SECRET:-whsec_placeholder}
|
|
- STRIPE_PRICE_ID=${STRIPE_PRICE_ID:-}
|
|
- STRIPE_PRICE_ID_FREE=${STRIPE_PRICE_ID_FREE:-}
|
|
- STRIPE_PRICE_ID_YEAR=${STRIPE_PRICE_ID_YEAR:-}
|
|
- STRIPE_PRICE_ID_MONTH_100=${STRIPE_PRICE_ID_MONTH_100:-}
|
|
- STRIPE_PRICE_ID_MONTH_200=${STRIPE_PRICE_ID_MONTH_200:-}
|
|
- STRIPE_PAYMENT_LINK=${STRIPE_PAYMENT_LINK:-}
|
|
- FREE_TIER_LIMIT=${FREE_TIER_LIMIT:-10}
|
|
- YEAR_TIER_LIMIT=${YEAR_TIER_LIMIT:-50}
|
|
- MAX_SIGNUPS=${MAX_SIGNUPS:-0}
|
|
- LLDAP_URL=ldap://lldap:3890
|
|
- LLDAP_ADMIN_DN=uid=admin,ou=people,dc=a250,dc=ca
|
|
- LLDAP_ADMIN_PASSWORD=/ETAToLiZPWo6QK171abAUqsa3WDpd9IgneZnTA4zU0=
|
|
- LLDAP_BASE_DN=dc=a250,dc=ca
|
|
- LLDAP_HTTP_URL=http://lldap:17170
|
|
- DOCKER_HOST=unix:///var/run/docker.sock
|
|
- APP_URL=https://bc.a250.ca
|
|
- AUTHELIA_URL=https://bc.a250.ca/login
|
|
- AUTHELIA_INTERNAL_URL=http://authelia:9091/login
|
|
- TRAEFIK_DOMAIN=bc.a250.ca
|
|
- TRAEFIK_NETWORK=authelia_dev
|
|
- CUSTOMER_DOMAIN=bc.a250.ca
|
|
- TEMPLATE_PATH=/app/templates
|
|
- ARCHIVE_PATH=/archives
|
|
- LANDING_TAGLINE=${LANDING_TAGLINE:-Your own workspace, ready in minutes.}
|
|
- LANDING_FEATURES=${LANDING_FEATURES:-Dedicated environment|Secure single sign-on|Automatic provisioning|Manage subscription anytime}
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
- atlas_archives:/archives
|
|
networks:
|
|
- authelia_dev
|
|
deploy:
|
|
labels:
|
|
- "traefik.enable=true"
|
|
- "traefik.http.routers.ss-atlas.rule=Host(`bc.a250.ca`)"
|
|
- "traefik.http.routers.ss-atlas.entrypoints=websecure"
|
|
- "traefik.http.routers.ss-atlas.tls=true"
|
|
- "traefik.http.routers.ss-atlas.priority=1"
|
|
- "traefik.http.routers.ss-atlas.middlewares=authelia-auth@swarm"
|
|
- "traefik.http.services.ss-atlas.loadbalancer.server.port=8080"
|
|
|
|
whoami:
|
|
image: traefik/whoami
|
|
networks:
|
|
- authelia_dev
|
|
deploy:
|
|
labels:
|
|
- "traefik.enable=true"
|
|
- "traefik.http.routers.whoami.rule=Host(`bc.a250.ca`) && PathPrefix(`/whoami`)"
|
|
- "traefik.http.routers.whoami.entrypoints=websecure"
|
|
- "traefik.http.routers.whoami.tls=true"
|
|
- "traefik.http.routers.whoami.middlewares=strip-whoami@swarm,authelia-auth@swarm"
|
|
- "traefik.http.middlewares.strip-whoami.stripprefix.prefixes=/whoami"
|
|
- "traefik.http.services.whoami.loadbalancer.server.port=80"
|
|
|
|
networks:
|
|
authelia_dev:
|
|
driver: overlay
|
|
attachable: true
|
|
|
|
volumes:
|
|
mariadb_data:
|
|
redis_data:
|
|
authelia_data:
|
|
lldap_data:
|
|
atlas_archives:
|