# authelia — SSO / 2FA / OIDC provider as a Tailscale sidecar (NO WAN presence).
#
# Storage → shared Postgres, sessions → shared Redis, mail → shared SMTP relay,
# all over the tailnet via MagicDNS. The portal (auth.infinidim.net) and any
# forward-auth-protected vhosts are wired on the main box Caddy — see
# caddy-forward-auth.snippet.
#
# Prereq: the `authelia` Postgres role/db (see README). Bring up: docker compose up -d
#
# Layout: `ts-authelia` owns the network namespace (tailnet node, kernel-mode
# tailscaled); `authelia` joins it via network_mode, so Authelia is reachable
# only at the tailnet address — there is deliberately no `ports:` anywhere here.
#
# NOTE(review): every value below is a plain `${VAR}` interpolation. Compose
# substitutes an empty string (with only a warning) when the variable is unset,
# so a missing secret or host name surfaces as a confusing startup failure rather
# than a compose error. `${VAR:?message}` fails fast — worth adopting for the
# secrets and the *_MAGIC_NAME / TS_TAILNET values.

# Compose project name (container / volume prefix).
name: authelia

services:

  # Tailscale sidecar: joins the tailnet as an ephemeral, tagged node and
  # provides the shared network namespace for the authelia service.
  ts-authelia:
    # NOTE(review): unpinned `latest` while authelia below is pinned to an exact
    # version — a silent sidecar upgrade changes tailscaled/containerboot
    # behaviour without a commit. Pin to a specific tag and bump deliberately.
    image: tailscale/tailscale:latest
    # Container hostname and the tailnet node name (TS_HOSTNAME) are kept equal.
    hostname: ${AUTHELIA_MAGIC_NAME}
    environment:
      # OAuth client secret used as the auth key. `?ephemeral=true` registers an
      # ephemeral node (removed from the tailnet once it goes offline), and
      # OAuth-secret auth requires the tag advertised in TS_EXTRA_ARGS below.
      # The secret is visible in the container environment (`docker inspect`),
      # so docker-socket access is equivalent to holding it.
      TS_AUTHKEY: ${TS_OAUTH_CLIENT_SECRET}?ephemeral=true
      # Tag that tailnet ACLs use to scope this node's reach (Postgres/Redis/SMTP).
      TS_EXTRA_ARGS: --advertise-tags=tag:authelia
      TS_HOSTNAME: ${AUTHELIA_MAGIC_NAME}
      # Accept tailnet DNS so the shared netns can resolve the
      # ${...}.${TS_TAILNET} names used by authelia below (presumably MagicDNS,
      # per the header).
      TS_ACCEPT_DNS: "true"
      # NOTE(review): ephemeral node + TS_AUTH_ONCE — if the node is pruned from
      # the tailnet while the container is down, a plain restart may reuse stale
      # login state and fail to re-auth (a recreate fixes it). Confirm against
      # the tailscale version in use.
      TS_AUTH_ONCE: "true"
      # Kernel-mode networking: needs /dev/net/tun plus NET_ADMIN/NET_RAW, granted below.
      TS_USERSPACE: "false"
      # Serve /healthz on the loopback address:port below; the healthcheck polls it.
      TS_ENABLE_HEALTH_CHECK: "true"
      TS_LOCAL_ADDR_PORT: "127.0.0.1:9002"
    # Upstream resolvers for the namespace (also used by authelia, which shares it).
    dns: [1.1.1.1, 1.0.0.1]
    devices:
      - /dev/net/tun:/dev/net/tun
    # Required for TS_USERSPACE=false; keep this set this small (no `privileged`).
    cap_add:
      - NET_ADMIN
      - NET_RAW
    # Gate for `depends_on` in the authelia service: authelia only starts once
    # tailscaled reports healthy, i.e. the tailnet link and DNS exist.
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:9002/healthz"]
      interval: 10s
      timeout: 5s
      retries: 6
      start_period: 30s
    restart: unless-stopped

  # Authelia itself. No network of its own — see network_mode.
  authelia:
    # Pinned exact version; bump deliberately.
    image: authelia/authelia:4.39.20
    # Share the sidecar's namespace: same interfaces, same localhost as tailscaled.
    network_mode: "service:ts-authelia"
    environment:
      # Config path inside the container; the file is bind-mounted read-only below.
      X_AUTHELIA_CONFIG: /config/configuration.yml
      # Secrets + infra hosts via env so configuration.yml stays commit-safe and
      # free of hardcoded MagicDNS names. Env overrides win over the yml.
      #
      # NOTE(review): no Redis password and no Postgres/Redis TLS settings are
      # set here. Unless configuration.yml sets them, both links are
      # unauthenticated/plaintext inside the tailnet and rely entirely on
      # tailnet ACLs for the tag above — confirm that is the intended trust model.
      AUTHELIA_SESSION_SECRET: ${AUTHELIA_SESSION_SECRET}
      AUTHELIA_STORAGE_ENCRYPTION_KEY: ${AUTHELIA_STORAGE_ENCRYPTION_KEY}
      AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET: ${AUTHELIA_JWT_SECRET}
      # Postgres over the tailnet, resolved via tailnet DNS (TS_ACCEPT_DNS above).
      AUTHELIA_STORAGE_POSTGRES_ADDRESS: tcp://${DB_MAGIC_NAME}.${TS_TAILNET}:5432
      AUTHELIA_STORAGE_POSTGRES_DATABASE: ${AUTHELIA_DB_NAME}
      AUTHELIA_STORAGE_POSTGRES_USERNAME: ${AUTHELIA_DB_USER}
      AUTHELIA_STORAGE_POSTGRES_PASSWORD: ${AUTHELIA_DB_PASSWORD}
      # Session store on the shared Redis; the DB index keeps it apart from other tenants.
      AUTHELIA_SESSION_REDIS_HOST: ${REDIS_MAGIC_NAME}.${TS_TAILNET}
      AUTHELIA_SESSION_REDIS_PORT: "6379"
      AUTHELIA_SESSION_REDIS_DATABASE_INDEX: ${AUTHELIA_REDIS_DB}
      # `submission://` is Authelia's address scheme for the SMTP submission
      # port — presumably STARTTLS; confirm against the Authelia notifier docs.
      AUTHELIA_NOTIFIER_SMTP_ADDRESS: submission://${SMTP_HOST}:${SMTP_PORT}
      AUTHELIA_NOTIFIER_SMTP_USERNAME: ${SMTP_USER}
      AUTHELIA_NOTIFIER_SMTP_PASSWORD: ${SMTP_PASSWORD}
      AUTHELIA_NOTIFIER_SMTP_SENDER: ${AUTHELIA_SMTP_SENDER}
    # Both config files are read-only; /data is the only writable mount.
    # users_database.yml presumably holds password hashes — keep it out of
    # version control (the commit-safety note above covers configuration.yml only).
    volumes:
      - ./config/configuration.yml:/config/configuration.yml:ro
      - ./config/users_database.yml:/config/users_database.yml:ro
      - authelia-data:/data
    # Wait for the sidecar healthcheck so the shared netns and tailnet DNS exist
    # before Authelia tries to reach Postgres/Redis.
    depends_on:
      ts-authelia:
        condition: service_healthy
    restart: unless-stopped

# Named volume backing /data in the authelia service.
volumes:
  authelia-data: