---
# Environment shared into the authelia service below through the
# `*authelia-env` alias. Every value is quoted so it is carried as a plain
# string regardless of YAML implicit typing.
x-authelia-env: &authelia-env
  X_AUTHELIA_EMAIL: 'authelia@a250.ca'
  X_AUTHELIA_SITE_NAME: 'ATLAS'
  X_AUTHELIA_CONFIG_FILTERS: 'template'
  X_AUTHELIA_LDAP_DOMAIN: 'dc=a250,dc=ca'
  TRAEFIK_DOMAIN: 'bc.a250.ca'
# Swarm secrets consumed by the authelia service. All of them are
# `external: true`, so they must exist on the swarm before `stack deploy`;
# no secret value lives in this file for them.
secrets:
  AUTHENTICATION_BACKEND_LDAP_PASSWORD:
    external: true
  IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET:
    external: true
  # TEMPORARILY DISABLED - OIDC provider disabled
  # IDENTITY_PROVIDERS_OIDC_HMAC_SECRET:
  #   external: true
  # IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY:
  #   external: true
  # IDENTITY_PROVIDERS_OIDC_JWKS_KEY:
  #   external: true
  NOTIFIER_SMTP_PASSWORD:
    external: true
  SESSION_SECRET:
    external: true
  STORAGE_ENCRYPTION_KEY:
    external: true
  # TEMPORARILY DISABLED - OAuth clients disabled
  # CLIENT_SECRET_HEADSCALE:
  #   external: true
  # CLIENT_SECRET_HEADADMIN:
  #   external: true
  # CLIENT_SECRET_PORTAINER:
  #   external: true
  # TEMPORARILY DISABLED - Gitea OAuth (not ready yet)
  # CLIENT_SECRET_GITEA:
  #   external: true
networks:
  # Stack-private overlay. redis, lldap and mariadb attach only to this
  # network, so they are not reachable from the proxy or other stacks.
  default:
    driver: overlay
  # Pre-existing networks owned by other stacks; `traefik` carries proxy
  # traffic, `ad` presumably carries the LDAP backend traffic — confirm.
  traefik:
    external: true
  ad:
    external: true
# Local (node-bound) volumes. Note that `authelia_config` is declared but its
# only mount in the authelia service is commented out, so it is currently
# unused.
volumes:
  authelia_config:
    driver: local
  authelia_assets:
    driver: local
  authelia_redis_data:
    driver: local
  authelia_mariadb_data:
    driver: local
  lldap_data:
    driver: local
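services:
  # Authelia portal and Traefik forward-auth endpoint. Credentials come from
  # swarm secrets; the configuration files named in `command` are expected
  # inside the image, since the `authelia_config` mount is commented out.
  authelia:
    image: git.nixc.us/a250/authelia:production-authelia
    command:
      - authelia
      - --config=/config/configuration.server.yml
      - --config=/config/configuration.ldap.yml
      - --config=/config/configuration.acl.yml
      - --config=/config/configuration.notifier.yml
    secrets:
      - AUTHENTICATION_BACKEND_LDAP_PASSWORD
      - IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET
      # - IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
      # - IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY
      # - IDENTITY_PROVIDERS_OIDC_JWKS_KEY
      - NOTIFIER_SMTP_PASSWORD
      - SESSION_SECRET
      - STORAGE_ENCRYPTION_KEY
      # - CLIENT_SECRET_HEADSCALE
      # - CLIENT_SECRET_HEADADMIN
      # - CLIENT_SECRET_PORTAINER
    environment: *authelia-env
    # Public upstream resolvers for the container.
    dns:
      - 1.1.1.1  # Cloudflare
      - 9.9.9.9  # Quad9
    volumes:
      # - authelia_config:/config:rw
      - authelia_assets:/config/assets:rw
    networks:
      - traefik
      - default
      - ad
    deploy:
      update_config:
        order: start-first
        failure_action: rollback
        parallelism: 1
      restart_policy:
        condition: on-failure
      replicas: 1
      labels:
        us.a250.autodeploy: "true"
        homepage.group: Infrastructure
        homepage.name: Authelia
        homepage.href: https://login.bc.a250.ca
        homepage.description: ATLAS
        traefik.enable: "true"
        traefik.docker.network: traefik
        traefik.http.routers.authelia_authelia.rule: 'Host(`login.bc.a250.ca`)'
        # NOTE(review): the portal router is bound only to the `web`
        # entrypoint and sets no TLS label here, while the rd= target below
        # is https. Confirm that entrypoint terminates TLS or redirects to
        # HTTPS upstream, otherwise login credentials travel in clear text.
        traefik.http.routers.authelia_authelia.entrypoints: web
        traefik.http.routers.authelia_authelia.service: authelia_authelia
        # Quoted so the label is a string like every other label here;
        # deploy labels are string-valued.
        traefik.http.services.authelia_authelia.loadbalancer.server.port: "9091"
        traefik.http.middlewares.authelia_authelia.forwardauth.address: http://authelia_authelia:9091/api/verify?rd=https://login.bc.a250.ca/
        # trustForwardHeader accepts X-Forwarded-* as sent by the proxy;
        # this is only sound while Traefik is the sole client on the
        # `traefik` network — confirm nothing else is attached to it.
        traefik.http.middlewares.authelia_authelia.forwardauth.trustForwardHeader: "true"
        traefik.http.middlewares.authelia_authelia.forwardauth.authResponseHeaders: Remote-User,Remote-Groups,Remote-Name,Remote-Email
        traefik.http.middlewares.authelia-basic.forwardauth.address: http://authelia_authelia:9091/api/verify?auth=basic
        traefik.http.middlewares.authelia-basic.forwardauth.trustForwardHeader: "true"
        traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders: Remote-User,Remote-Groups,Remote-Name,Remote-Email
    # NOTE(review): with the healthcheck disabled, `start-first` + `rollback`
    # above can only react to the container exiting; a task that is running
    # but not serving on 9091 is treated as healthy and the old task is
    # still removed. The same applies to redis and mariadb below.
    # healthcheck:
    #   test: ["CMD", "nc", "-z", "localhost", "9091"]
    #   start_period: 30s
    #   interval: 30s
    #   timeout: 10s
    #   retries: 3
    logging:
      driver: json-file
      options:
        max-size: 10m
        max-file: "3"

  # Session store for authelia. No authentication is set on the command
  # line; isolation relies on the stack-private `default` overlay. Confirm
  # the image's own redis config does not relax that.
  redis:
    image: git.nixc.us/a250/authelia:production-redis
    command: redis-server --appendonly yes
    volumes:
      - authelia_redis_data:/data:rw
    networks:
      - default
    deploy:
      update_config:
        order: start-first
        failure_action: rollback
        parallelism: 1
      restart_policy:
        condition: on-failure
      replicas: 1
      labels:
        us.a250.autodeploy: "true"
        traefik.enable: "false"
    # healthcheck:
    #   test: ["CMD", "redis-cli", "ping"]
    #   start_period: 10s
    #   interval: 30s
    #   timeout: 5s
    #   retries: 3
    logging:
      driver: json-file
      options:
        max-size: 10m
        max-file: "3"

  # LDAP directory. Only reachable on the `default` overlay.
  lldap:
    # NOTE(review): `latest` is the only unpinned image in this stack; pin a
    # tag or digest like the other services so deploys are reproducible.
    image: nitnelave/lldap:latest
    volumes:
      - lldap_data:/data
    environment:
      # NOTE(review): the JWT signing secret and the LDAP admin password are
      # committed here in plain text. Treat both as exposed: rotate them and
      # supply them through swarm secrets (lldap reads the `*_FILE` variants
      # of these variables from a mounted file), the way the authelia
      # service above already does.
      LLDAP_JWT_SECRET: I2sNvGvhzZlTJWPfNL9MBPFGhyG/gWU5wHz6wFsIC3I=
      LLDAP_LDAP_USER_PASS: /ETAToLiZPWo6QK171abAUqsa3WDpd9IgneZnTA4zU0=
      LLDAP_LDAP_BASE_DN: dc=a250,dc=ca
    networks:
      - default
    # No update_config or autodeploy label here, unlike the other services;
    # presumably deliberate — confirm.
    deploy:
      restart_policy:
        condition: on-failure
      replicas: 1
    logging:
      driver: json-file
      options:
        max-size: 10m
        max-file: "3"

  # Database. Only reachable on the `default` overlay.
  mariadb:
    image: git.nixc.us/a250/authelia:production-mariadb
    environment:
      # NOTE(review): root and application passwords are the literal string
      # `authelia`, committed to the repository. Rotate them and move them to
      # swarm secrets as done for the authelia service; root and application
      # credentials should also differ.
      MYSQL_ROOT_PASSWORD: authelia
      MYSQL_DATABASE: authelia
      MYSQL_USER: authelia
      MYSQL_PASSWORD: authelia
    volumes:
      - authelia_mariadb_data:/var/lib/mysql:rw
    networks:
      - default
    deploy:
      update_config:
        order: start-first
        failure_action: rollback
        parallelism: 1
      restart_policy:
        condition: on-failure
      replicas: 1
      labels:
        us.a250.autodeploy: "true"
        traefik.enable: "false"
    # healthcheck:
    #   test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u", "authelia", "-pauthelia"]
    #   start_period: 15s
    #   interval: 30s
    #   timeout: 10s
    #   retries: 3
    logging:
      driver: json-file
      options:
        max-size: 10m
        max-file: "3"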