diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..fb58dee
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.env
+data
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..96daa83
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,100 @@
+---
+services:
+ authentik-server:
+ image: ghcr.io/goauthentik/server:${AK_VERSION}
+ restart: unless-stopped
+ command: server
+ depends_on:
+ - postgresql
+ - redis
+ environment:
+ - AUTHENTIK_POSTGRESQL__HOST=postgresql
+ - AUTHENTIK_POSTGRESQL__NAME=${PG_NAME}
+ - AUTHENTIK_POSTGRESQL__USER=${PG_USER}
+ - AUTHENTIK_POSTGRESQL__PASSWORD=${PG_PASS}
+ - AUTHENTIK_REDIS__HOST=redis
+ - AUTHENTIK_SECRET_KEY=${AK_KEY}
+ labels:
+ - traefik.enable=${TRAEFIK_ENABLED}
+ - traefik.docker.network=${TRAEFIK_NETWORK}
+ ### Section HTTP
+ - traefik.http.routers.http-${TRAEFIK_ROUTER}.entrypoints=http
+ # redirect to HTTPS only
+ - traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=http-to-https
+ - traefik.http.routers.http-${TRAEFIK_ROUTER}.rule=${TRAEFIK_MATCHRULE}
+ ### Section HTTPS
+ - traefik.http.routers.https-${TRAEFIK_ROUTER}.entrypoints=https
+ # configure the exposed service
+ - traefik.http.routers.https-${TRAEFIK_ROUTER}.rule=${TRAEFIK_MATCHRULE}
+ # of course, enable TLS and it's certificate provider
+ - traefik.http.routers.https-${TRAEFIK_ROUTER}.tls=${TRAEFIK_TLSENABLED}
+ - traefik.http.routers.https-${TRAEFIK_ROUTER}.tls.certresolver=${TRAEFIK_CERTRESOLVER}
+ # specify a service so a custom port can be used
+ - traefik.http.services.${TRAEFIK_SERVICE}.loadbalancer.server.port=${TRAEFIK_SERVICE_PORT}
+ networks:
+ - internal
+ - traefik
+ volumes:
+ - ${AK_DATA}/media:/media
+ - ${AK_DATA}/templates:/templates
+
+ authentik-worker:
+ image: ghcr.io/goauthentik/server:${AK_VERSION}
+ restart: unless-stopped
+ command: worker
+ depends_on:
+ - postgresql
+ - redis
+ environment:
+ - AUTHENTIK_POSTGRESQL__HOST=postgresql
+ - AUTHENTIK_POSTGRESQL__NAME=${PG_NAME}
+ - AUTHENTIK_POSTGRESQL__USER=${PG_USER}
+ - AUTHENTIK_POSTGRESQL__PASSWORD=${PG_PASS}
+ - AUTHENTIK_REDIS__HOST=redis
+ - AUTHENTIK_SECRET_KEY=${AK_KEY}
+ networks:
+ - internal
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - ${AK_DATA}/media:/media
+ - ${AK_DATA}/certs:/certs
+ - ${AK_DATA}/templates:/templates
+
+ postgresql:
+ image: docker.io/library/postgres:${PG_VERSION}
+ restart: unless-stopped
+ environment:
+ - POSTGRES_DB=${PG_NAME}
+ - POSTGRES_USER=${PG_USER}
+ - POSTGRES_PASSWORD=${PG_PASS}
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 5s
+ networks:
+ - internal
+ volumes:
+ - ${PG_DATA}:/var/lib/postgresql/data
+
+ redis:
+ image: docker.io/library/redis:${REDIS_VERSION}
+ command: --save 60 1 --loglevel warning
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 3s
+ networks:
+ - internal
+ volumes:
+ - ${REDIS_DATA}:/data
+
+networks:
+ internal:
+ traefik:
+ external: true
+ name: ${TRAEFIK_NETWORK}
diff --git a/env.example b/env.example
new file mode 100644
index 0000000..bfff886
--- /dev/null
+++ b/env.example
@@ -0,0 +1,25 @@
+# Træfik
+TRAEFIK_ENABLED=true
+TRAEFIK_CERTRESOLVER=letsencrypt
+TRAEFIK_NETWORK=traefik
+TRAEFIK_MATCHRULE=Host(`authentik.example.com`)
+TRAEFIK_ROUTER=authentik_example_com
+TRAEFIK_SERVICE=authentik_example_com
+TRAEFIK_SERVICE_PORT=9000
+TRAEFIK_TLSENABLED=true
+
+# Authentik
+AK_VERSION=2024.8.2
+AK_DATA=./data/authentik
+AK_KEY=Q84uAEeVCqsqTF108uHXmfBIdD+vWwm4p0+oebgB077TE1AE5szdSZWDujH3xbBhDkqoxWwEIh4cKg0C
+
+# PostgreSQL
+PG_VERSION=16-alpine
+PG_DATA=./data/postgres
+PG_NAME=authentik
+PG_USER=authentik
+PG_PASS=P4ssw0rd!
+
+# Redis
+REDIS_VERSION=7-alpine
+REDIS_DATA=./data/redis
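Review bot: The `- /var/run/docker.sock:/var/run/docker.sock` entry under the authentik-worker volumes hands that container control of the Docker daemon on the host, which is effectively root on the node, and nothing in the file records why the worker needs it. If the Docker-managed outpost integration is not in use the line should be dropped; if it is, put `# Docker socket is only needed for the Docker outpost integration; remove it if outposts are not deployed this way` above it so the mount is a deliberate choice rather than something copied along. Separately, both authentik-server and authentik-worker declare `depends_on` in the short list form, which only waits for postgresql and redis to be started even though both of those services define a healthcheck in this same hunk; the long form below makes compose wait for the healthchecks, so the first boot does not race the database. The same rewrite applies to the authentik-worker service.

```yaml
 authentik-server:
 # … unchanged: image, restart, command …
 depends_on:
   postgresql:
     condition: service_healthy
   redis:
     condition: service_healthy
 # … unchanged: environment, labels, networks, volumes …
```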
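Review bot: `AK_KEY=Q84u…` and `PG_PASS=P4ssw0rd!` in env.example are real-looking credential values in a file that this commit tracks, while `.env` itself is ignored; anyone who copies the example unchanged runs authentik with a secret key and database password that are public in the repository history. Replace both with obviously invalid placeholders, for example `AK_KEY=<replace: openssl rand -base64 60 | tr -d '\n'>` and `PG_PASS=<replace with a unique password>`, and add `# Both AK_KEY and PG_PASS must be replaced before first start` above the Authentik section. Since the values are already committed, also treat them as burned and do not reuse them in any deployment.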