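---
# Local development stack: Authelia (built from ./docker/authelia) in front of
# LLDAP, MariaDB and Redis, routed by Traefik on plain HTTP.
#
# Everything here is development-only and must not be reused elsewhere:
#   - all secrets are committed in clear text and several are shared between
#     unrelated purposes (see the comments in the authelia service);
#   - the Traefik dashboard/API runs with --api.insecure=true;
#   - the Authelia access-control override below sets default_policy: bypass.
services:

  mariadb:
    image: mariadb:latest
    container_name: authelia_mariadb
    environment:
      MYSQL_ROOT_PASSWORD: dev_authelia_root
      MYSQL_DATABASE: authelia
      MYSQL_USER: authelia
      MYSQL_PASSWORD: authelia
    volumes:
      - mariadb_data:/var/lib/mysql
    # No ports exposed - internal only
    networks:
      - authelia_dev
    healthcheck:
      test: [ "CMD", "/usr/local/bin/healthcheck.sh", "--su-mysql", "--connect", "--innodb_initialized" ]
      start_period: 30s
      interval: 30s
      timeout: 10s
      retries: 5

  redis:
    image: redis:latest
    container_name: authelia_redis
    command: redis-server --appendonly yes
    volumes:
      - redis_data:/data
    # No ports exposed - internal only
    networks:
      - authelia_dev
    healthcheck:
      test: [ "CMD", "redis-cli", "ping" ]
      start_period: 10s
      interval: 30s
      timeout: 5s
      retries: 3

  lldap:
    image: nitnelave/lldap:latest
    container_name: lldap_lldap
    volumes:
      - lldap_data:/data
    environment:
      - LLDAP_JWT_SECRET=I2sNvGvhzZlTJWPfNL9MBPFGhyG/gWU5wHz6wFsIC3I=
      # Admin bind password. The same value is reused below as
      # AUTHENTICATION_BACKEND_LDAP_PASSWORD (authelia) and
      # LLDAP_ADMIN_PASSWORD (ss-atlas); change all three together.
      - LLDAP_LDAP_USER_PASS=/ETAToLiZPWo6QK171abAUqsa3WDpd9IgneZnTA4zU0=
      - LLDAP_LDAP_BASE_DN=dc=a250,dc=ca
      - PUID=33
      - PGID=33
    ports:
      # Only expose web UI for manual testing
      - "17170:17170" # Web interface port
    networks:
      - authelia_dev
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.lldap.rule=Host(`lldap.bc.a250.ca`)"
      - "traefik.http.routers.lldap.entrypoints=web"
      - "traefik.http.services.lldap.loadbalancer.server.port=17170"
    healthcheck:
      test: [ "CMD", "curl", "-f", "http://localhost:17170/health" ]
      start_period: 10s
      interval: 30s
      timeout: 5s
      retries: 3

  authelia:
    build:
      context: ./docker/authelia/
      dockerfile: Dockerfile
    image: git.nixc.us/a250/authelia:dev-authelia
    container_name: authelia_dev_main
    # Root is what lets the startup shell below write into /run/secrets and
    # /config; NOTE(review): confirm the image does not drop privileges before
    # exec'ing authelia, otherwise the 0600 files created below become unreadable.
    user: root
    command:
      - sh
      - -c
      - |
        # Abort on any error and on an unset variable, so a missing secret in
        # the environment block cannot silently produce an empty secret file.
        set -eu
        # Secret files are written by a root shell; keep them owner-only
        # instead of the default umask's world-readable 0644.
        umask 077

        # Create the secrets directory and populate with environment variables
        # ($$ is the compose escape: the shell sees ${VAR}).
        mkdir -p /run/secrets
        echo "$${IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET}" > /run/secrets/IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET
        echo "$${STORAGE_ENCRYPTION_KEY}" > /run/secrets/STORAGE_ENCRYPTION_KEY
        echo "$${SESSION_SECRET}" > /run/secrets/SESSION_SECRET
        echo "$${NOTIFIER_SMTP_PASSWORD}" > /run/secrets/NOTIFIER_SMTP_PASSWORD
        echo "$${AUTHENTICATION_BACKEND_LDAP_PASSWORD}" > /run/secrets/AUTHENTICATION_BACKEND_LDAP_PASSWORD
        echo "$${IDENTITY_PROVIDERS_OIDC_HMAC_SECRET}" > /run/secrets/IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
        echo "$${IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY}" > /run/secrets/IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY
        echo "$${IDENTITY_PROVIDERS_OIDC_JWKS_KEY}" > /run/secrets/IDENTITY_PROVIDERS_OIDC_JWKS_KEY
        echo "$${CLIENT_SECRET_HEADSCALE}" > /run/secrets/CLIENT_SECRET_HEADSCALE
        echo "$${CLIENT_SECRET_HEADADMIN}" > /run/secrets/CLIENT_SECRET_HEADADMIN
        echo "$${CLIENT_SECRET_PORTAINER}" > /run/secrets/CLIENT_SECRET_PORTAINER
        echo "$${CLIENT_SECRET_GITEA}" > /run/secrets/CLIENT_SECRET_GITEA

        # Override configuration for local dev. Heredocs are used instead of
        # printf so the nesting of the generated YAML is explicit.
        # Notifications are written to a file instead of being sent by SMTP.
        cat > /config/configuration.notifier.yml <<'EOF'
        notifier:
          filesystem:
            filename: /data/notification.txt
        EOF
        # This disables access control entirely for the dev zone: both the
        # default policy and the only rule are "bypass". Never ship this file.
        cat > /config/configuration.acl.yml <<'EOF'
        access_control:
          default_policy: bypass
          rules:
            - domain: ["*.bc.a250.ca", "bc.a250.ca"]
              policy: bypass
        EOF

        # Start Authelia with dev overrides
        exec authelia \
          --config=/config/configuration.server.yml \
          --config=/config/configuration.ldap.yml \
          --config=/config/configuration.acl.yml \
          --config=/config/configuration.notifier.yml \
          --config=/config/configuration.identity.providers.yml \
          --config=/config/configuration.oidc.clients.yml
    environment:
      # Template environment variables
      X_AUTHELIA_EMAIL: authelia@a250.ca
      X_AUTHELIA_SITE_NAME: a250.ca
      X_AUTHELIA_CONFIG_FILTERS: template
      X_AUTHELIA_LDAP_DOMAIN: dc=a250,dc=ca
      TRAEFIK_DOMAIN: bc.a250.ca
      # Development secrets for templates. Dev-only: these are committed in
      # clear text, and several values are shared between unrelated secrets
      # (SESSION_SECRET equals IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET;
      # CLIENT_SECRET_HEADSCALE, _PORTAINER and _GITEA are identical). Any
      # real deployment needs a distinct, freshly generated value per secret.
      IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET: DoXL9Z1aCrXQ3Ylc2J9MWLO8QeseI8W6F91R0lS0SIE=
      STORAGE_ENCRYPTION_KEY: DvbtMjsNDIC3eqtNaPtdHm/f07dtlHREgieDStTu9NA=
      SESSION_SECRET: DoXL9Z1aCrXQ3Ylc2J9MWLO8QeseI8W6F91R0lS0SIE=
      NOTIFIER_SMTP_PASSWORD: 8P7ah6U5ZjbQ2Faaw1fJoehxJrMOslCu
      # Must match LLDAP_LDAP_USER_PASS in the lldap service.
      AUTHENTICATION_BACKEND_LDAP_PASSWORD: /ETAToLiZPWo6QK171abAUqsa3WDpd9IgneZnTA4zU0=
      IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: Pq5+dkrmh04daeSEPEXGq6JniiPsgJ6nHBi/ettUGLSKcuZtnaw3em8/BCXn2iFhUqTRdLSeCiWMbo+oEl/ZYA==
      # Literal block scalar: the PEM is passed through the environment and
      # copied to /run/secrets by the startup shell above.
      IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: |
        -----BEGIN PRIVATE KEY-----
        MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC0JC4jaDhdqk3U
        0yDwAh5JVQR84htkPY0Trf5VQYNnBhglo2CqRm6jwjzfOJLBruCUokbG5wJL+OU8
        zDm3aQAhF0xWPEr1ad1U+fIezdF4pZ0fDHVAG9MYTwZYD8iYQclVhoKA8M6/gT15
        QHq0Fzfgf4U5dmsNH2CWiFi+TAWQ85bxLiXchTnRkoyZ445xBqCuthJyvvUtrZrl
        dCAcnNJ6kdGypXwqAuOGrRDz1g9cv52aoJC0k747EnMcmm1HEuR2zGXyw2RM+Sbu
        GrUhLk2vCE448zKXuJGEckalMn2yBfaf5RsZYC9j7SwB0ehyNk5Bn4tKuPt38C7T
        wWkIoI/DAgMBAAECggEAAIQB/2cmK8GrC14dwAVUu0NoPRTgnMulHCNPxERPV5Va
        4fCy/CNlE0iHdODsLdKN7gVkGOAPnGwP+LnIIh0Sbp9q2bkk3C/IMTZ6wCY5E64i
        e85E7HQOVjytRfjb/on7RSianKF6PG4Z4PKTgPFE30c+K5XwZIJse/UHKM3kgWLp
        exKVvYyKDrERunDJqZbYsxSnixk8TavOWFHkpk0wHYvxso6a7jQfEjDWh3N7lduj
        RlaesSO+NJrZDq44zbyJNsFjh4DsNITdBwYXERPUS33Dp+IlrD2SeQMtMBtz+7Ha
        Pd8jMpx8Fw/S3CnjSYRRzDj5Z21EfspfoO6v1ULA0QKBgQDyQejBS7QNwNRIcnhO
        b6TVOPmqcOL9gR/mkC4VmWFvf4pTA69OOuU/gHeF6+J40Z4tuFggHMoPmZuPi9AL
        GSp2UZQHYa7BxTk7XxESflF/8HzgbtFtK/0dUp1l2JN26qha+djQADFFPNWs8abX
        wpbKfjPqLzwR8K5kCtbd3WWDrwKBgQC+XDajJ6I4k9hwfYDxb35UkNFjboK4NfTY
        u5Eiz1NhbqqkNV8idZhadJfnbgIAymqr9Yf9M9ncAbuUhCDI2r/VL1CLMx/y/DGH
        RxlXWq4sArG1xpR1Muc9W8tTT9cf9XDMmuL81wYccXGqv3RpYQM/VtYIRSWvC0HE
        FxZCGPa2LQKBgHlg1IGksH4Dk1kJIYYLIgdDGLRxAwoI3DblHnHr+4ml2WRmgDst
        /xamAzyyRzJJtHsr1duhEQxn5i0x2/bzkPbfQM/B/ZFQg7BfnWoqqCL2F1tLqtqM
        I7HBZuNUc+4s/FU4wYzVy9no9RZFrVaFRJAIU3KOYAaNFJNDawyWlPo5AoGARe6C
        c/W/dqF5xfmVQR0Af/ijs6+Jfjr0NBrT+sHHk+ef8Ktaw8IHslNa6r5TJg82mO2e
        g7pksppAWxMfKCqUhrDXGgwyFIXpfBT2jkzV530l4+2L5HJK2RO74mNWWHtGcSQF
        d3VW3WQfqeaj0YK+Oqqf/nHIokG0a2E/4BBjshECgYAnlU2Fl7uI1lQBbWsckaQ9
        EVeSDtrRvNuER0Eh3WFni2affOqB9qAZXNfCZ/goFJoNgk4fww0OqmewX9Y18/3a
        vsrm7L7OKFFlM6vmIG1nPX/s5l++mkMe+qRd4B7C4NSF0bzJlweTozQFDp+prp1y
        SHERk3EUdAZn7yyIISd/Qg==
        -----END PRIVATE KEY-----
      IDENTITY_PROVIDERS_OIDC_JWKS_KEY: mbfKKlpQ5QEzrmBCCcOg7yubDBKZtKCAiL7rGtVdMq/hpCorO+Qiei2fKbB/xieDS3BIg5BMza5fZm5w0hMiNA==
      CLIENT_SECRET_HEADSCALE: t4Hvp6DnpA0T+0ePbdx8lPIAujFMrkjEnx5aMQkMFiA=
      CLIENT_SECRET_HEADADMIN: RAxwkJxwMBSYkaA0r+D5qZdEFIrVEZJbigOPtkCBED8=
      CLIENT_SECRET_PORTAINER: t4Hvp6DnpA0T+0ePbdx8lPIAujFMrkjEnx5aMQkMFiA=
      CLIENT_SECRET_GITEA: t4Hvp6DnpA0T+0ePbdx8lPIAujFMrkjEnx5aMQkMFiA=
    volumes:
      - authelia_data:/data
    ports:
      - "9091:9091"
    networks:
      - authelia_dev
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authelia.rule=Host(`login.bc.a250.ca`)"
      - "traefik.http.routers.authelia.entrypoints=web"
      - "traefik.http.services.authelia.loadbalancer.server.port=9091"
      # ForwardAuth middleware consumed by other routers (see whoami).
      - "traefik.http.middlewares.authelia-auth.forwardauth.address=http://authelia_dev_main:9091/api/verify?rd=http://login.bc.a250.ca/"
      # Passes client-supplied X-Forwarded-* headers through to Authelia
      # unmodified; acceptable only while Traefik is the sole ingress.
      - "traefik.http.middlewares.authelia-auth.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
    depends_on:
      redis:
        condition: service_healthy
      mariadb:
        condition: service_healthy
      lldap:
        condition: service_healthy
    healthcheck:
      test: [ "CMD-SHELL", "/usr/bin/wget --spider --quiet http://localhost:9091/api/health || exit 1" ]
      start_period: 15s
      interval: 30s
      timeout: 10s
      retries: 3

  traefik:
    image: traefik:v3.1
    container_name: authelia_traefik
    command:
      # Dev only: serves the dashboard/API without authentication on the
      # 8080 port published below.
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
    ports:
      - "80:80"
      - "8080:8080"
    volumes:
      # Read-only mount still grants full Docker API access (host-root
      # equivalent); required for the docker provider.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - authelia_dev

  ss-atlas:
    build:
      context: ./docker/ss-atlas/
      dockerfile: Dockerfile
    container_name: atlas_ss_app
    environment:
      # Interpolated from the host environment at compose time; the defaults
      # are placeholders so the stack starts without Stripe credentials.
      - STRIPE_SECRET_KEY=${STRIPE_SECRET_KEY:-sk_test_placeholder}
      - STRIPE_WEBHOOK_SECRET=${STRIPE_WEBHOOK_SECRET:-whsec_placeholder}
      - STRIPE_PRICE_ID=${STRIPE_PRICE_ID:-price_placeholder}
      - LLDAP_URL=ldap://lldap_lldap:3890
      - LLDAP_ADMIN_DN=uid=admin,ou=people,dc=a250,dc=ca
      # Must match LLDAP_LDAP_USER_PASS in the lldap service.
      - LLDAP_ADMIN_PASSWORD=/ETAToLiZPWo6QK171abAUqsa3WDpd9IgneZnTA4zU0=
      - LLDAP_BASE_DN=dc=a250,dc=ca
      # The app talks to the Docker daemon directly through the socket
      # mounted below, so it effectively holds host-root privileges.
      - DOCKER_HOST=unix:///var/run/docker.sock
      - APP_URL=http://app.bc.a250.ca
      - AUTHELIA_URL=http://login.bc.a250.ca
      - TRAEFIK_DOMAIN=bc.a250.ca
      - TRAEFIK_NETWORK=authelia_dev
      - TEMPLATE_PATH=/app/templates
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - authelia_dev
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ss-atlas.rule=Host(`app.bc.a250.ca`)"
      - "traefik.http.routers.ss-atlas.entrypoints=web"
      - "traefik.http.services.ss-atlas.loadbalancer.server.port=8080"
    depends_on:
      lldap:
        condition: service_healthy
      authelia:
        condition: service_healthy

  whoami:
    image: traefik/whoami
    container_name: authelia_whoami
    networks:
      - authelia_dev
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.bc.a250.ca`)"
      - "traefik.http.routers.whoami.entrypoints=web"
      # Only router in this file that is actually protected by Authelia;
      # lldap and ss-atlas are reachable without the middleware.
      - "traefik.http.routers.whoami.middlewares=authelia-auth@docker"

networks:
  authelia_dev:
    driver: bridge

volumes:
  mariadb_data:
    driver: local
  redis_data:
    driver: local
  authelia_data:
    driver: local
  lldap_data:
    driver: local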