From 1d8142dae2788b3cb6b3f5305e4ada8888d51392 Mon Sep 17 00:00:00 2001
From: Marko Korhonen
Date: Tue, 15 Nov 2022 22:06:06 +0200
Subject: [PATCH] Refactor authentik setup and enable it on more services
---
 docker/authentik/authentik.toml | 64 +++++++++++++++++++++
 docker/authentik/docker-compose.toml | 69 +++++++++++++++++------
 docker/homeautomation/docker-compose.toml | 9 +-
 docker/traefik/docker-compose.toml | 4 +-
 4 files changed, 121 insertions(+), 25 deletions(-)
 create mode 100644 docker/authentik/authentik.toml
diff --git a/docker/authentik/authentik.toml b/docker/authentik/authentik.toml
new file mode 100644
index 00000000..4bba2c6e
--- /dev/null
+++ b/docker/authentik/authentik.toml
@@ -0,0 +1,64 @@
+[services.redis]
+image = "docker.io/library/redis:alpine"
+command = "--save 60 1 --loglevel warning"
+restart = "unless-stopped"
+volumes = ["redis:/data"]
+
+[services.redis.healthcheck]
+test = ["CMD-SHELL", "redis-cli ping | grep PONG"]
+start_period = "20s"
+interval = "30s"
+retries = 5
+timeout = "3s"
+
+[services.server]
+image = "${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.10.1}"
+restart = "unless-stopped"
+command = "server"
+volumes = [
+ "/docker/authentik/media:/media",
+ "/docker/authentik/custom-templates:/templates",
+ "/docker/authentik/geoip:/geoip",
+]
+env_file = [".env"]
+ports = [
+ "0.0.0.0:${AUTHENTIK_PORT_HTTP:-9000}:9000",
+ "0.0.0.0:${AUTHENTIK_PORT_HTTPS:-9443}:9443",
+]
+
+[services.server.environment]
+AUTHENTIK_REDIS__HOST = "redis"
+AUTHENTIK_POSTGRESQL__HOST = "postgresql"
+AUTHENTIK_POSTGRESQL__USER = "${PG_USER:-authentik}"
+AUTHENTIK_POSTGRESQL__NAME = "${PG_DB:-authentik}"
+AUTHENTIK_POSTGRESQL__PASSWORD = "${PG_PASS}"
+
+[services.worker]
+image = "${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.10.1}"
+restart = "unless-stopped"
+command = "worker"
+user = "root"
+volumes = [
+ "./media:/media",
+ "./certs:/certs",
+ "/var/run/docker.sock:/var/run/docker.sock",
+ "./custom-templates:/templates",
+ "geoip:/geoip",
+]
+env_file = [".env"]
+
+[services.worker.environment]
+AUTHENTIK_REDIS__HOST = "redis"
+AUTHENTIK_POSTGRESQL__HOST = "postgresql"
+AUTHENTIK_POSTGRESQL__USER = "${PG_USER:-authentik}"
+AUTHENTIK_POSTGRESQL__NAME = "${PG_DB:-authentik}"
+AUTHENTIK_POSTGRESQL__PASSWORD = "${PG_PASS}"
+
+[services.geoipupdate]
+image = "maxmindinc/geoipupdate:latest"
+volumes = ["geoip:/usr/share/GeoIP"]
+env_file = [".env"]
+
+[services.geoipupdate.environment]
+GEOIPUPDATE_EDITION_IDS = "GeoLite2-City"
+GEOIPUPDATE_FREQUENCY = "8"
diff --git a/docker/authentik/docker-compose.toml b/docker/authentik/docker-compose.toml
index 912a319e..e8999e7c 100644
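Review bot: The three services in this new file disagree on where the GeoIP data lives: `services.server` bind-mounts `/docker/authentik/geoip:/geoip`, while `services.worker` and `services.geoipupdate` use the named volume `geoip` (and redis the named volume `redis`), yet no top-level `[volumes]` table declares either, so compose will reject the undeclared volumes and, even once declared, the server would never see the database that geoipupdate downloads. The worker's `./media`, `./certs` and `./custom-templates` relative paths likewise diverge from the server's absolute `/docker/authentik/...` paths; the sibling docker-compose.toml in this same commit settles on absolute paths, e.g. `"/docker/authentik/geoip:/geoip",` for the worker and `volumes = ["/docker/authentik/geoip:/usr/share/GeoIP"]` for geoipupdate. Separately, `services.worker` runs as `user = "root"` with `/var/run/docker.sock` mounted, which makes that container equivalent to root on the host; if it is only there for authentik's docker-managed outposts, a comment on the `user` line saying so would help. The `ports` entries bound to `0.0.0.0` also publish the server directly on the host, bypassing the Traefik middleware chain the other compose files rely on; I can't tell from the diff how this file is consumed, so that may be intended.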
--- a/docker/authentik/docker-compose.toml
+++ b/docker/authentik/docker-compose.toml
@@ -1,19 +1,26 @@
-[services]
-
 [services.redis]
-container_name = "redis-authentik"
 image = "redis:alpine"
-restart = "unless-stopped"
+container_name = "authentik-redis"
 networks = ["authentik"]
+restart = "unless-stopped"
+volumes = ["/docker/authentik/redis:/data"]
 
-[services.authentik]
+[services.redis.healthcheck]
+test = ["CMD-SHELL", "redis-cli ping | grep PONG"]
+start_period = "20s"
+interval = "30s"
+retries = 5
+timeout = "3s"
+
+[services.server]
+image = "ghcr.io/goauthentik/server:latest"
 container_name = "authentik"
-image = "goauthentik.io/server:latest"
 restart = "unless-stopped"
 command = "server"
 volumes = [
 "/docker/authentik/media:/media",
 "/docker/authentik/custom-templates:/templates",
+ "/docker/authentik/geoip:/geoip",
 ]
 env_file = [".env"]
 networks = ["authentik", "postgres", "proxy"]
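Review bot: `image = "ghcr.io/goauthentik/server:latest"` in the new `services.server` drops the version pin; authentik's server and worker must run the same release, and two floating `latest` tags (the worker is set the same way in the next hunk) can diverge between pulls and will silently take major upgrades of the identity provider that now fronts every other service in this commit. The removed worker line used `${AUTHENTIK_IMAGE:-goauthentik.io/server}:${AUTHENTIK_TAG:-2021.10.4}` and the new authentik.toml pins `2022.10.1`, so the same form fits here: `image = "${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.10.1}"`. The `redis:alpine` tag has the same drift, with a smaller blast radius.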
@@ -25,34 +32,60 @@ labels = [
 "traefik.http.routers.authentik-redirect.middlewares=http2https@file",
 "traefik.http.routers.authentik.entrypoints=https",
 "traefik.http.routers.authentik.middlewares=secHeaders@file,compress@file",
+ "traefik.http.routers.authentik-rtr-outpost.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.korhonen.cc`) && PathPrefix(`/outpost.goauthentik.io/`)",
 "traefik.http.routers.authentik.rule=Host(`sso.korhonen.cc`)",
 "traefik.http.routers.authentik.service=authentik",
 "traefik.http.services.authentik.loadbalancer.server.port=9000",
 ]
 
-[services.authentik-worker]
+[services.worker]
+image = "ghcr.io/goauthentik/server:latest"
 container_name = "authentik-worker"
-image = "${AUTHENTIK_IMAGE:-goauthentik.io/server}:${AUTHENTIK_TAG:-2021.10.4}"
 restart = "unless-stopped"
 command = "worker"
-networks = ["authentik", "postgres"]
 user = "root"
 volumes = [
 "/docker/authentik/backups:/backups",
+ "/docker/authentik/custom-templates:/templates",
+ "/docker/authentik/geoip:/geoip",
 "/docker/authentik/media:/media",
 "/var/run/docker.sock:/var/run/docker.sock",
- "/docker/authentik/custom-templates:/templates",
-]
-environment = [
- "AUTHENTIK_POSTGRESQL__HOST",
- "AUTHENTIK_POSTGRESQL__USER",
- "AUTHENTIK_POSTGRESQL__NAME",
- "AUTHENTIK_POSTGRESQL__PASSWORD",
- "AUTHENTIK_SECRET_KEY",
 ]
 env_file = [".env"]
+networks = ["authentik", "postgres"]
+
+[services.geoipupdate]
+image = "maxmindinc/geoipupdate:latest"
+container_name = "authentik-geoipupdate"
+restart = "unless-stopped"
+networks = ["authentik"]
+volumes = ["/docker/authentik/geoip:/usr/share/GeoIP"]
+env_file = [".env"]
+
+[services.geoipupdate.environment]
+GEOIPUPDATE_EDITION_IDS = "GeoLite2-City"
+GEOIPUPDATE_FREQUENCY = "8"
+
+[services.whoami-test]
+image = "traefik/whoami"
+container_name = "whoami-test"
+restart = "unless-stopped"
+security_opt = ["no-new-privileges:true"]
+networks = ["proxy"]
+environment = ["TZ"]
+labels = [
+ "traefik.enable=true",
+ "traefik.docker.network=proxy",
+ "traefik.http.routers.whoami-test-redirect.entrypoints=http",
+ "traefik.http.routers.whoami-test-redirect.rule=Host(`whoami-test.korhonen.cc`)",
+ "traefik.http.routers.whoami-test-redirect.middlewares=http2https@file",
+ "traefik.http.routers.whoami-test.entrypoints=https",
+ "traefik.http.routers.whoami-test.middlewares=secHeaders@file,compress@file,authentik@file",
+ "traefik.http.routers.whoami-test.rule=Host(`whoami-test.korhonen.cc`)",
+ "traefik.http.routers.whoami-test.service=whoami-test",
+ "traefik.http.services.whoami-test.loadbalancer.server.port=80",
+]
 
-[networks]
 
 [networks.authentik]
 external = true
diff --git a/docker/homeautomation/docker-compose.toml b/docker/homeautomation/docker-compose.toml
index d85f6200..6f124c3c 100644
--- a/docker/homeautomation/docker-compose.toml
+++ b/docker/homeautomation/docker-compose.toml
@@ -1,5 +1,3 @@
-[services]
-
 [services.home-assistant]
 container_name = "home-assistant"
 image = "homeassistant/home-assistant"
@@ -10,7 +8,7 @@ volumes = [
 "/etc/localtime:/etc/localtime:ro",
 ]
 restart = "unless-stopped"
-networks = ["homeautomation", "postgres", "proxy"]
+networks = ["homeautomation", "postgres", "proxy", "authentik"]
 ports = ["8123:8123", "8300:8300"]
 extra_hosts = ["host.docker.internal:host-gateway"]
 depends_on = ["mosquitto"]
@@ -21,7 +19,7 @@ labels = [
 "traefik.http.routers.home-assistant-redirect.rule=Host(`home.korhonen.cc`)",
 "traefik.http.routers.home-assistant-redirect.middlewares=http2https@file",
 "traefik.http.routers.home-assistant.entrypoints=https",
- "traefik.http.routers.home-assistant.middlewares=secHeaders@file,compress@file",
+ "traefik.http.routers.home-assistant.middlewares=secHeaders@file,compress@file,authentik@file",
 "traefik.http.routers.home-assistant.rule=Host(`home.korhonen.cc`)",
 "traefik.http.routers.home-assistant.service=home-assistant",
 "traefik.http.services.home-assistant.loadbalancer.server.port=8123",
@@ -68,3 +66,6 @@ external = true
 
 [networks.proxy]
 external = true
+
+[networks.authentik]
+external = true
diff --git a/docker/traefik/docker-compose.toml b/docker/traefik/docker-compose.toml
index e6dc1e78..08bfdf99 100644
--- a/docker/traefik/docker-compose.toml
+++ b/docker/traefik/docker-compose.toml
@@ -22,10 +22,8 @@ labels = [
 "traefik.http.routers.redirect.rule=Host(`traefik.korhonen.cc`)",
 "traefik.http.routers.redirect.middlewares=http2https@file",
 "traefik.http.routers.dashboard.entrypoints=https",
- "traefik.http.routers.dashboard.middlewares=secHeaders@file,compress@file",
+ "traefik.http.routers.dashboard.middlewares=secHeaders@file,compress@file,authentik@file",
 "traefik.http.routers.dashboard.rule=Host(`traefik.korhonen.cc`)",
- "traefik.http.middlewares.dashboard-auth.basicauth.usersfile=/dashboard-users",
- "traefik.http.routers.dashboard.middlewares=dashboard-auth",
 "traefik.http.routers.dashboard.service=api@internal",
 ]