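# Compose stack for authentik (server + worker), published through an external
# Traefik instance via container labels. Interpolated variables (AUTHENTIK_IMAGE,
# AUTHENTIK_TAG, SUBDOMAIN, DOMAIN_NAME) come from the shell environment / .env.
services:
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG}
    restart: unless-stopped
    command: server
    env_file:
      - .env
    secrets:
      - SECRET_KEY
      - DB_PASS
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    networks:
      - mgmt
      - backend
    labels:
      - "traefik.enable=true"
      # Router for the authentik UI/API itself, matched on the configured host.
      - "traefik.http.routers.$SUBDOMAIN.rule=Host(`${SUBDOMAIN}.${DOMAIN_NAME}`)"
      - "traefik.http.routers.$SUBDOMAIN.tls=true"
      # NOTE(review): a router with tls=true only serves TLS connections, so the
      # plain-HTTP `web` entrypoint listed here (and the SSLRedirect header
      # below) likely never see an http:// request; an entrypoint-level
      # redirect in Traefik's static config is the usual place for
      # HTTP -> HTTPS — confirm against the running setup.
      - "traefik.http.routers.$SUBDOMAIN.entrypoints=web,websecure"
      - "traefik.http.routers.$SUBDOMAIN.tls.certresolver=cloudflare"
      # Security-header middleware, named after the subdomain and attached to
      # the router further down. The SSL* header options are deprecated in
      # later Traefik 2.x releases and removed in v3 — confirm the version.
      - "traefik.http.middlewares.$SUBDOMAIN.headers.SSLRedirect=true"
      - "traefik.http.middlewares.$SUBDOMAIN.headers.STSSeconds=315360000"
      - "traefik.http.middlewares.$SUBDOMAIN.headers.browserXSSFilter=true"
      - "traefik.http.middlewares.$SUBDOMAIN.headers.contentTypeNosniff=true"
      - "traefik.http.middlewares.$SUBDOMAIN.headers.forceSTSHeader=true"
      - "traefik.http.middlewares.$SUBDOMAIN.headers.SSLHost=${DOMAIN_NAME}"
      - "traefik.http.middlewares.$SUBDOMAIN.headers.STSIncludeSubdomains=true"
      - "traefik.http.middlewares.$SUBDOMAIN.headers.STSPreload=true"
      - "traefik.http.middlewares.$SUBDOMAIN.headers.frameDeny=true"
      - "traefik.http.routers.$SUBDOMAIN.middlewares=$SUBDOMAIN@docker"
      - "traefik.http.routers.$SUBDOMAIN.service=$SUBDOMAIN"
      - "traefik.http.services.$SUBDOMAIN.loadbalancer.server.port=9000"
      # Traefik reaches this container over the shared `mgmt` network.
      - "traefik.docker.network=mgmt"
      # ForwardAuth middleware definition. Other services can attach it with
      # the same `<name>@docker` form used for the headers middleware above.
      # The address is a plain-HTTP URL on the internal network; the container
      # name assumes the Compose project is called `authentik`
      # (-> authentik-server-1) — TODO confirm, or pin a container_name.
      - "traefik.http.middlewares.authentik-forwardauth.forwardauth.address=http://authentik-server-1:9000/outpost.goauthentik.io/auth/traefik"
      # Lets the X-Forwarded-* values Traefik sets reach authentik.
      - "traefik.http.middlewares.authentik-forwardauth.forwardauth.trustForwardHeader=true"
      # Identity headers copied from authentik's response onto the upstream
      # request of every protected service.
      - "traefik.http.middlewares.authentik-forwardauth.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"
      # Outpost router for /outpost.goauthentik.io paths on every first-level
      # subdomain of DOMAIN_NAME (which includes the authentik host itself, so
      # no second fixed-Host rule is needed — the router's `rule` key was set
      # twice before, and only one of the two values could take effect).
      - "traefik.http.routers.authentik-outpost.rule=HostRegexp(`{$SUBDOMAIN:[a-z0-9-]+}.$DOMAIN_NAME`) && PathPrefix(`/outpost.goauthentik.io/`)"
      - "traefik.http.routers.authentik-outpost.entrypoints=websecure"
      - "traefik.http.routers.authentik-outpost.tls=true"
      - "traefik.http.routers.authentik-outpost.priority=15"
      # Target the service declared above; the earlier literal `authentik`
      # only resolved when SUBDOMAIN happened to equal it.
      - "traefik.http.routers.authentik-outpost.service=$SUBDOMAIN"

  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG}
    restart: unless-stopped
    command: worker
    env_file:
      - .env
    secrets:
      - SECRET_KEY
      - DB_PASS
    # NOTE(review): root is only called for by the optional docker-socket
    # mount below, which is commented out — consider dropping it, or confirm
    # the worker needs it (e.g. to read ./certs).
    user: root
    networks:
      - backend
    volumes:
      # - /var/run/docker.sock:/var/run/docker.sock # Optional, only if using external outposts
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates

# Both networks are created outside this stack; `mgmt` is the one Traefik
# uses to reach the server (see traefik.docker.network above).
networks:
  mgmt:
    external: true
  backend:
    external: true

# File-backed secrets mounted into both containers; keep .secrets/ and .env
# out of version control.
secrets:
  SECRET_KEY:
    file: .secrets/SECRET_KEY
  DB_PASS:
    file: .secrets/DB_PASS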