TrueNAS/docker-apps
TrueNAS/docker-apps
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
a8a4d24f53
docker-apps/authentik/stacks/compose.yml
Chris d067d5f1f7 first commit
2025-04-03 22:57:52 +02:00

249 lines
8.0 KiB
YAML
Raw Blame History

###############################################################
# ------------------------------
# -- authentik (Identity Provider / SSO)
# -- Updated/Created 2024-July-02
# Authentik configuration: https://docs.goauthentik.io/docs/installation/configuration
# ------------------------------
name: authentik # Project Name
###############################################################
# Networks
###############################################################
networks:
socket_proxy:
driver: bridge
driver_opts:
com.docker.network.bridge.name: "br-authentik_sx"
traefik-net:
external: true
authentik-net:
external: true
###############################################################
# Docker Secrets
# Owner (default): root:root
# Recommend Set Owner to match container user Example: UID=1100, GID=1100
# Permissions of files & directory on host to: 0400 (-r--)
###############################################################
secrets:
## Authentik
authentik_postgresql_database:
file: ${SECRETSDIR}/authentik_postgresql_database
authentik_postgresql_username:
file: ${SECRETSDIR}/authentik_postgresql_username
authentik_postgresql_password:
file: ${SECRETSDIR}/authentik_postgresql_password
authentik_secret_key:
file: ${SECRETSDIR}/authentik_secret_key
smtp_username:
file: ${SECRETSDIR}/smtp_username
smtp_password:
file: ${SECRETSDIR}/smtp_password
## GeoIP
geoip_account_id:
file: ${SECRETSDIR}/geoip_account_id
geoip_license_key:
file: ${SECRETSDIR}/geoip_license_key
##############################################################################
services:
# Use the embedded outpost (2021.8.1+) instead of the seperate Forward Auth / Proxy Provider container
server:
image: ghcr.io/goauthentik/server:latest
restart: unless-stopped
env_file: .server.env
environment:
- AUTHENTIK_REDIS__HOST=authentik_redis
- AUTHENTIK_POSTGRESQL__HOST=authentik_postgresql
command: server
user: ${PUID}:${PGID}
depends_on:
postgresql:
condition: service_healthy
redis:
condition: service_healthy
networks:
socket_proxy: {}
authentik-net: {}
traefik-net:
aliases: ["authentik_server"] # keep the same as forwardAuth address (hostname) in traefik middlewares "forwardAuth-authentik.yml"
secrets:
- authentik_postgresql_database
- authentik_postgresql_username
- authentik_postgresql_password
- authentik_secret_key
volumes:
- "${DATADIR}/appdata/media:/media"
- "${DATADIR}/appdata/custom-templates:/templates"
- "${DATADIR}/appdata/geoip/data:/geoip"
labels:
- traefik.enable=true
- traefik.docker.network=traefik-net
## HTTP Routers
- "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)"
## Individual Application forwardAuth regex (catch any subdomain using individual application forwardAuth)
- "traefik.http.routers.${APPLICATION_NAME}-output-rtr.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.${DOMAINNAME}`) && PathPrefix(`/outpost.goauthentik.io/`)"
## HTTP Services
- "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
- "traefik.http.services.${APPLICATION_NAME}-svc.loadBalancer.server.port=${WEBUI_PORT}"
worker:
image: ghcr.io/goauthentik/server:latest
restart: unless-stopped
env_file: .worker.env
environment:
- DOCKER_HOST=tcp://authentik_socket-proxy:2375 # Use this if you have Socket Proxy enabled.
- AUTHENTIK_REDIS__HOST=authentik_redis
- AUTHENTIK_POSTGRESQL__HOST=authentik_postgresql
user: ${PUID}:${PGID}
command: worker
depends_on:
postgresql:
condition: service_healthy
redis:
condition: service_healthy
networks:
- authentik-net
- socket_proxy
secrets:
- authentik_postgresql_database
- authentik_postgresql_username
- authentik_postgresql_password
- authentik_secret_key
- smtp_username
- smtp_password
volumes:
- "${DATADIR}/appdata/media:/media"
- "${DATADIR}/appdata/custom-templates:/templates"
- "${DATADIR}/appdata/geoip/data:/geoip"
# - /var/run/docker.sock:/var/run/docker.sock # Uncomment if NOT using socket-proxy
#- "${DATADIR}/appdata/traefik/cert_export:/certs:ro" # If NOT using reverse proxy, manually map in certificates
postgresql:
image: postgres:16-alpine
shm_size: 128mb # https://hub.docker.com/_/postgres
restart: unless-stopped
env_file: .postgresql.env
healthcheck:
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
networks:
authentik-net:
aliases: ["authentik_postgresql"]
volumes:
- "${DATADIR}/pgdata:/var/lib/postgresql/data"
secrets:
- authentik_postgresql_database
- authentik_postgresql_username
# Generate the password with openssl rand 36 | base64 -w 0
- authentik_postgresql_password
redis:
image: docker.io/library/redis:alpine
command: --save 60 1 --loglevel warning
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
networks:
authentik-net:
aliases: ["authentik_redis"]
volumes:
- "${DATADIR}/appdata/redis/data:/data"
# geoipupdate:
# image: ghcr.io/maxmind/geoipupdate:latest
# container_name: geoipupdate
# restart: unless-stopped
# user: ${PUID}:${PGID}
# volumes:
# - "${DATADIR}/appdata/geoip/data:/usr/share/GeoIP"
# networks:
# - authentik-net
# secrets:
# - geoip_account_id
# - geoip_license_key
# environment:
# - GEOIPUPDATE_EDITION_IDS
# - GEOIPUPDATE_FREQUENCY
# - GEOIPUPDATE_ACCOUNT_ID_FILE
# - GEOIPUPDATE_LICENSE_KEY_FILE
# - TZ
socket-proxy:
image: tecnativa/docker-socket-proxy:0.2.0 #0.1.2
restart: unless-stopped
env_file: .socket-proxy.env
security_opt:
- no-new-privileges=true
networks:
socket_proxy:
aliases: ["authentik_socket-proxy"]
privileged: true # true for VM. false for unprivileged LXC container.
# ports:
# - "127.0.0.1:2375:2375"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
whoami:
image: traefik/whoami:latest
# container_name: whoami
restart: unless-stopped
security_opt:
- no-new-privileges=true
networks:
- traefik-net
environment:
- TZ
labels:
- traefik.enable=true
- traefik.docker.network=traefik-net
## HTTP Routers
- "traefik.http.routers.whoami-rtr.rule=Host(`whoami.${DOMAINNAME}`)"
whoami-individual:
image: traefik/whoami:latest
restart: unless-stopped
security_opt:
- no-new-privileges:true
depends_on:
- server
- worker
networks:
- traefik-net
environment:
- TZ
labels:
- traefik.enable=true
- traefik.docker.network=traefik-net
## HTTP Routers
- "traefik.http.routers.whoami-individual-rtr.rule=Host(`whoami-individual.${DOMAINNAME}`)"
## attach AUTHENTIK forwardauth middlewares to router; comment out if not using authentik
- "traefik.http.routers.whoami-individual-rtr.middlewares=forwardAuth-authentik@file"
whoami-catchall:
image: traefik/whoami:latest
restart: unless-stopped
security_opt:
- no-new-privileges:true
depends_on:
- server
- worker
networks:
- traefik-net
environment:
- TZ
labels:
- traefik.enable=true
- traefik.docker.network=traefik-net
## HTTP Routers
- "traefik.http.routers.whoami-catchall-rtr.rule=Host(`whoami-catchall.${DOMAINNAME}`)"
## attach AUTHENTIK forwardauth middlewares to router; comment out if not using authentik
- "traefik.http.routers.whoami-catchall-rtr.middlewares=forwardAuth-authentik@file"
Reference in New Issue View Git Blame Copy Permalink