144 lines
4.0 KiB
YAML
144 lines
4.0 KiB
YAML
---
|
|
|
|
x-env: &env
|
|
- AUTHENTIK_POSTGRESQL__PASSWORD
|
|
- AUTHENTIK_POSTGRESQL__USER
|
|
- AUTHENTIK_POSTGRESQL__NAME
|
|
- AUTHENTIK_POSTGRESQL__HOST
|
|
- AUTHENTIK_REDIS__HOST
|
|
- AUTHENTIK_ERROR_REPORTING__ENABLED
|
|
- AUTHENTIK_SECRET_KEY= #file:///run/secrets/secret_key
|
|
- AK_ADMIN_TOKEN= #file:///run/secrets/admin_token
|
|
- AK_ADMIN_PASS= #file:///run/secrets/admin_pass
|
|
- AUTHENTIK_EMAIL__HOST
|
|
- AUTHENTIK_EMAIL__PORT
|
|
- AUTHENTIK_EMAIL__USERNAME
|
|
- AUTHENTIK_EMAIL__PASSWORD
|
|
- AUTHENTIK_EMAIL__USE_TLS
|
|
- AUTHENTIK_EMAIL__USE_SSL
|
|
- AUTHENTIK_EMAIL__TIMEOUT
|
|
- AUTHENTIK_EMAIL__FROM
|
|
- AUTHENTIK_LOG_LEVEL
|
|
|
|
|
|
version: '3.8'
|
|
services:
|
|
app:
|
|
image: ghcr.io/goauthentik/server:2022.8.2
|
|
command: server
|
|
# secrets:
|
|
# - db_password
|
|
# - admin_pass
|
|
# - admin_token
|
|
# - secret_key
|
|
volumes:
|
|
- media:/media
|
|
- custom-templates:/templates
|
|
networks:
|
|
- internal
|
|
- proxy
|
|
healthcheck:
|
|
test: ["CMD", "curl", "-f", "localhost:9000/-/health/live/"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 10
|
|
start_period: 1m
|
|
environment: *env
|
|
deploy:
|
|
update_config:
|
|
failure_action: rollback
|
|
order: start-first
|
|
labels:
|
|
- "traefik.enable=true"
|
|
- "traefik.docker.network=proxy"
|
|
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=9000"
|
|
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
|
|
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
|
|
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
|
- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions"
|
|
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
|
|
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
|
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
|
|
- "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
|
|
- "coop-cloud.${STACK_NAME}.version=0.4.0+2022.8.2"
|
|
|
|
worker:
|
|
image: ghcr.io/goauthentik/server:2022.8.2
|
|
command: worker
|
|
# secrets:
|
|
# - db_password
|
|
# - admin_pass
|
|
# - admin_token
|
|
# - secret_key
|
|
networks:
|
|
- internal
|
|
- proxy
|
|
user: root
|
|
volumes:
|
|
- backups:/backups
|
|
- media:/media
|
|
- /var/run/docker.sock:/var/run/docker.sock
|
|
- custom-templates:/templates
|
|
environment: *env
|
|
|
|
db:
|
|
image: postgres:12.12-alpine
|
|
# secrets:
|
|
# - db_password
|
|
volumes:
|
|
- database:/var/lib/postgresql/data
|
|
networks:
|
|
- internal
|
|
healthcheck:
|
|
test: ["CMD", "pg_isready"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 10
|
|
start_period: 1m
|
|
environment:
|
|
- POSTGRES_PASSWORD
|
|
- POSTGRES_USER
|
|
- POSTGRES_DB
|
|
deploy:
|
|
labels:
|
|
backupbot.backup: "true"
|
|
backupbot.backup.pre-hook: "mkdir -p /tmp/backup/ && PGPASSWORD=${POSTGRES_PASSWORD} pg_dump -U ${POSTGRES_USER} ${POSTGRES_DB} > /tmp/backup/backup.sql"
|
|
backupbot.backup.post-hook: "rm -rf /tmp/backup"
|
|
backupbot.backup.path: "/tmp/backup/"
|
|
|
|
redis:
|
|
image: redis:7.0.4-alpine
|
|
networks:
|
|
- internal
|
|
healthcheck:
|
|
test: ["CMD", "redis-cli","ping"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 10
|
|
start_period: 1m
|
|
|
|
# secrets:
|
|
# db_password:
|
|
# external: true
|
|
# name: ${STACK_NAME}_db_password
|
|
# secret_key:
|
|
# external: true
|
|
# name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
|
|
# admin_token:
|
|
# external: true
|
|
# name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}
|
|
# admin_pass:
|
|
# external: true
|
|
# name: ${STACK_NAME}_admin_pass_${SECRET_ADMIN_PASS_VERSION}
|
|
|
|
networks:
|
|
proxy:
|
|
external: true
|
|
internal:
|
|
|
|
volumes:
|
|
backups:
|
|
media:
|
|
custom-templates:
|
|
database:
|