From 1d8142dae2788b3cb6b3f5305e4ada8888d51392 Mon Sep 17 00:00:00 2001
From: Marko Korhonen <marko@korhonen.cc>
Date: Tue, 15 Nov 2022 22:06:06 +0200
Subject: [PATCH] Refactor authentik setup and enable it on more services

---
 docker/authentik/authentik.toml           | 64 +++++++++++++++++++++
 docker/authentik/docker-compose.toml      | 69 +++++++++++++++++------
 docker/homeautomation/docker-compose.toml |  9 +--
 docker/traefik/docker-compose.toml        |  4 +-
 4 files changed, 121 insertions(+), 25 deletions(-)
 create mode 100644 docker/authentik/authentik.toml

diff --git a/docker/authentik/authentik.toml b/docker/authentik/authentik.toml
new file mode 100644
index 00000000..4bba2c6e
--- /dev/null
+++ b/docker/authentik/authentik.toml
@@ -0,0 +1,64 @@
+[services.redis]
+image = "docker.io/library/redis:alpine"
+command = "--save 60 1 --loglevel warning"
+restart = "unless-stopped"
+volumes = ["redis:/data"]
+
+[services.redis.healthcheck]
+test = ["CMD-SHELL", "redis-cli ping | grep PONG"]
+start_period = "20s"
+interval = "30s"
+retries = 5
+timeout = "3s"
+
+[services.server]
+image = "${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.10.1}"
+restart = "unless-stopped"
+command = "server"
+volumes = [
+  "/docker/authentik/media:/media",
+  "/docker/authentik/custom-templates:/templates",
+  "/docker/authentik/geoip:/geoip",
+]
+env_file = [".env"]
+ports = [
+  "0.0.0.0:${AUTHENTIK_PORT_HTTP:-9000}:9000",
+  "0.0.0.0:${AUTHENTIK_PORT_HTTPS:-9443}:9443",
+]
+
+[services.server.environment]
+AUTHENTIK_REDIS__HOST = "redis"
+AUTHENTIK_POSTGRESQL__HOST = "postgresql"
+AUTHENTIK_POSTGRESQL__USER = "${PG_USER:-authentik}"
+AUTHENTIK_POSTGRESQL__NAME = "${PG_DB:-authentik}"
+AUTHENTIK_POSTGRESQL__PASSWORD = "${PG_PASS}"
+
+[services.worker]
+image = "${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.10.1}"
+restart = "unless-stopped"
+command = "worker"
+user = "root"
+volumes = [
+  "./media:/media",
+  "./certs:/certs",
+  "/var/run/docker.sock:/var/run/docker.sock",
+  "./custom-templates:/templates",
+  "geoip:/geoip",
+]
+env_file = [".env"]
+
+[services.worker.environment]
+AUTHENTIK_REDIS__HOST = "redis"
+AUTHENTIK_POSTGRESQL__HOST = "postgresql"
+AUTHENTIK_POSTGRESQL__USER = "${PG_USER:-authentik}"
+AUTHENTIK_POSTGRESQL__NAME = "${PG_DB:-authentik}"
+AUTHENTIK_POSTGRESQL__PASSWORD = "${PG_PASS}"
+
+[services.geoipupdate]
+image = "maxmindinc/geoipupdate:latest"
+volumes = ["geoip:/usr/share/GeoIP"]
+env_file = [".env"]
+
+[services.geoipupdate.environment]
+GEOIPUPDATE_EDITION_IDS = "GeoLite2-City"
+GEOIPUPDATE_FREQUENCY = "8"
diff --git a/docker/authentik/docker-compose.toml b/docker/authentik/docker-compose.toml
index 912a319e..e8999e7c 100644
--- a/docker/authentik/docker-compose.toml
+++ b/docker/authentik/docker-compose.toml
@@ -1,19 +1,26 @@
-[services]
-
 [services.redis]
-container_name = "redis-authentik"
 image = "redis:alpine"
-restart = "unless-stopped"
+container_name = "authentik-redis"
 networks = ["authentik"]
+restart = "unless-stopped"
+volumes = ["/docker/authentik/redis:/data"]
 
-[services.authentik]
+[services.redis.healthcheck]
+test = ["CMD-SHELL", "redis-cli ping | grep PONG"]
+start_period = "20s"
+interval = "30s"
+retries = 5
+timeout = "3s"
+
+[services.server]
+image = "ghcr.io/goauthentik/server:latest"
 container_name = "authentik"
-image = "goauthentik.io/server:latest"
 restart = "unless-stopped"
 command = "server"
 volumes = [
   "/docker/authentik/media:/media",
   "/docker/authentik/custom-templates:/templates",
+  "/docker/authentik/geoip:/geoip",
 ]
 env_file = [".env"]
 networks = ["authentik", "postgres", "proxy"]
@@ -25,34 +32,60 @@ labels = [
   "traefik.http.routers.authentik-redirect.middlewares=http2https@file",
   "traefik.http.routers.authentik.entrypoints=https",
   "traefik.http.routers.authentik.middlewares=secHeaders@file,compress@file",
+  "traefik.http.routers.authentik-rtr-outpost.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.korhonen.cc`) && PathPrefix(`/outpost.goauthentik.io/`)",
   "traefik.http.routers.authentik.rule=Host(`sso.korhonen.cc`)",
   "traefik.http.routers.authentik.service=authentik",
   "traefik.http.services.authentik.loadbalancer.server.port=9000",
 ]
 
-[services.authentik-worker]
+[services.worker]
+image = "ghcr.io/goauthentik/server:latest"
 container_name = "authentik-worker"
-image = "${AUTHENTIK_IMAGE:-goauthentik.io/server}:${AUTHENTIK_TAG:-2021.10.4}"
 restart = "unless-stopped"
 command = "worker"
-networks = ["authentik", "postgres"]
 user = "root"
 volumes = [
   "/docker/authentik/backups:/backups",
+  "/docker/authentik/custom-templates:/templates",
+  "/docker/authentik/geoip:/geoip",
   "/docker/authentik/media:/media",
   "/var/run/docker.sock:/var/run/docker.sock",
-  "/docker/authentik/custom-templates:/templates",
-]
-environment = [
-  "AUTHENTIK_POSTGRESQL__HOST",
-  "AUTHENTIK_POSTGRESQL__USER",
-  "AUTHENTIK_POSTGRESQL__NAME",
-  "AUTHENTIK_POSTGRESQL__PASSWORD",
-  "AUTHENTIK_SECRET_KEY",
 ]
 env_file = [".env"]
+networks = ["authentik", "postgres"]
+
+[services.geoipupdate]
+image = "maxmindinc/geoipupdate:latest"
+container_name = "authentik-geoipupdate"
+restart = "unless-stopped"
+networks = ["authentik"]
+volumes = ["/docker/authentik/geoip:/usr/share/GeoIP"]
+env_file = [".env"]
+
+[services.geoipupdate.environment]
+GEOIPUPDATE_EDITION_IDS = "GeoLite2-City"
+GEOIPUPDATE_FREQUENCY = "8"
+
+[services.whoami-test]
+image = "traefik/whoami"
+container_name = "whoami-test"
+restart = "unless-stopped"
+security_opt = ["no-new-privileges:true"]
+networks = ["proxy"]
+environment = ["TZ"]
+labels = [
+  "traefik.enable=true",
+  "traefik.docker.network=proxy",
+  "traefik.http.routers.whoami-test-redirect.entrypoints=http",
+  "traefik.http.routers.whoami-test-redirect.rule=Host(`whoami-test.korhonen.cc`)",
+  "traefik.http.routers.whoami-test-redirect.middlewares=http2https@file",
+  "traefik.http.routers.whoami-test.entrypoints=https",
+  "traefik.http.routers.whoami-test.middlewares=secHeaders@file,compress@file,authentik@file",
+  "traefik.http.routers.whoami-test.rule=Host(`whoami-test.korhonen.cc`)",
+  "traefik.http.routers.whoami-test.service=whoami-test",
+  "traefik.http.services.whoami-test.loadbalancer.server.port=80",
+]
 
-[networks]
 
 [networks.authentik]
 external = true
diff --git a/docker/homeautomation/docker-compose.toml b/docker/homeautomation/docker-compose.toml
index d85f6200..6f124c3c 100644
--- a/docker/homeautomation/docker-compose.toml
+++ b/docker/homeautomation/docker-compose.toml
@@ -1,5 +1,3 @@
-[services]
-
 [services.home-assistant]
 container_name = "home-assistant"
 image = "homeassistant/home-assistant"
@@ -10,7 +8,7 @@ volumes = [
   "/etc/localtime:/etc/localtime:ro",
 ]
 restart = "unless-stopped"
-networks = ["homeautomation", "postgres", "proxy"]
+networks = ["homeautomation", "postgres", "proxy", "authentik"]
 ports = ["8123:8123", "8300:8300"]
 extra_hosts = ["host.docker.internal:host-gateway"]
 depends_on = ["mosquitto"]
@@ -21,7 +19,7 @@ labels = [
   "traefik.http.routers.home-assistant-redirect.rule=Host(`home.korhonen.cc`)",
   "traefik.http.routers.home-assistant-redirect.middlewares=http2https@file",
   "traefik.http.routers.home-assistant.entrypoints=https",
-  "traefik.http.routers.home-assistant.middlewares=secHeaders@file,compress@file",
+  "traefik.http.routers.home-assistant.middlewares=secHeaders@file,compress@file,authentik@file",
   "traefik.http.routers.home-assistant.rule=Host(`home.korhonen.cc`)",
   "traefik.http.routers.home-assistant.service=home-assistant",
   "traefik.http.services.home-assistant.loadbalancer.server.port=8123",
@@ -68,3 +66,6 @@ external = true
 
 [networks.proxy]
 external = true
+
+[networks.authentik]
+external = true
diff --git a/docker/traefik/docker-compose.toml b/docker/traefik/docker-compose.toml
index e6dc1e78..08bfdf99 100644
--- a/docker/traefik/docker-compose.toml
+++ b/docker/traefik/docker-compose.toml
@@ -22,10 +22,8 @@ labels = [
   "traefik.http.routers.redirect.rule=Host(`traefik.korhonen.cc`)",
   "traefik.http.routers.redirect.middlewares=http2https@file",
   "traefik.http.routers.dashboard.entrypoints=https",
-  "traefik.http.routers.dashboard.middlewares=secHeaders@file,compress@file",
+  "traefik.http.routers.dashboard.middlewares=secHeaders@file,compress@file,authentik@file",
   "traefik.http.routers.dashboard.rule=Host(`traefik.korhonen.cc`)",
-  "traefik.http.middlewares.dashboard-auth.basicauth.usersfile=/dashboard-users",
-  "traefik.http.routers.dashboard.middlewares=dashboard-auth",
   "traefik.http.routers.dashboard.service=api@internal",
 ]